Welcome to the 24th issue of Last Week in AWS.
Next week I’ll be giving a new talk, Terrible Ideas in AWS Lambda, at DevOps Days Boston. If you’ll be around and would like to attend, feel free to register with a 25% discount. I hope to see some of you there! (I’m not sure if it’ll be recorded – if so, I’ll include a link in a future issue.)
Community Contributions
A great discussion (with data) about whether AWS Lambda can deliver on its promise of continuous scaling.
Much kerfuffle has been made over the past week about Amazon’s announcement that it’s looking for a second headquarters. Various cities are now working overtime to lure the company, to the tune of gargantuan tax breaks. We’ll see how this evolves over the next few years, I suspect.
According to a survey by Global Knowledge, an AWS certification can boost your salary by 26%. I’m generally opposed to certifications, but I recognize that not everyone shares my bias. If this survey is accurate, it’s a potentially lucrative investment for people looking to move into AWS-oriented roles without experience.
Choice Cuts From the AWS Blog
Now Create and Manage AWS IAM Roles More Easily with the Updated IAM Console | AWS Security Blog – The UI for the IAM console has been updated, because random UX changes to things that control the security of your entire production environment are of course no big deal and can be rolled out by surprise.
Smart Budgeting Using Lambda and Service Catalog | AWS Management Tools Blog – I don’t normally link against the AWS Management Tools blog, but this article neatly solves a billing problem in a way I haven’t seen discussed anywhere else. Atypically for this blog, the solution doesn’t include a bunch of “throw away GitHub, Jenkins, and 15 other components of your toolchains as a prerequisite for what we’re about to suggest…”
Amazon Route 53 Announces Support For DNS Query Logging – Now you can log every DNS request you get to CloudTrail. Now you can forget you’re consuming CloudTrail logs with Splunk, right up until the moment your Splunk sales representative calls you to let you know there’s now a yacht named after you.
Amazon EC2 Systems Manager Adds Raspbian OS and Raspberry Pi Support – You can now use EC2 Systems Manager to manage Raspberry Pis. This means – wait, what did I just type? Is someone having a laugh at my expense?
Announcing improved networking performance for Amazon EC2 instances – Select instance types now get a maximum bandwidth of 25Gbps, which is just ridiculous speed – but it pales next to the potentially ridiculous nature of the bill. At full speed, one 25Gbps link to the internet will cost you 17.5¢ per second in AWS. That’s $630 an hour theoretical max in data transfer from us-east-1 outbound.
New Network Load Balancer – Effortless Scaling to Millions of Requests per Second – AWS has launched a new Load Balancer class. Designed to operate at the network level, it’s capable of handling massive traffic. More on this in today’s tip – but the real magic behind the launch of NLB is that someone on the AWS side apparently screwed up, and tipped off the CloudFormation team in advance; I can’t recall a product launch with CloudFormation support on day one in recent memory. Somewhere, a CloudFormation TPM at AWS is weeping tears of gratitude.
Amazon VPC NAT Gateways now support Amazon CloudWatch Monitoring and Resource Tagging – You can now get metrics and cost data from your NAT gateways, but Well Actually, you really should forget NAT entirely and be using IPv6 for everything everywhere instead because – TECHNICAL DIFFICULTIES. PLEASE STAND BY.
Tools
Using ephemeral keys with MFA enabled is a great security position to take, but it’s not exactly convenient. go-aws-mfa attempts to alleviate that pain by automating the “generate temporary credentials” portion.
A wrapper for Terraform that supports environments. This makes it a lot safer to test things out in Terraform without worrying about blowing away something you care about.
Tip of the Week
The new Network Load Balancers are pretty fancy for a few specific use cases. One use case that I’m a particular fan of involves termination of large numbers of SSL certificates. Historically, you had to provision one ALB or ELB for each domain. This became horribly expensive to scale out – not to mention that “a thousand load balancers in front of an instance” is a fantastic way to have the health checks pummel your instances to death.
All of that goes away with the new NLBs. Teach nginx what to do with the arriving connection, and you’re set. Your security groups still work the same way, and the origination IP appears to the instance as the client’s address, not the load balancer’s.
Today, they support TCP only, but they’re still remarkably flexible in a way that ALBs and ELBs never were.
…and that’s what happened Last Week in AWS.