AWS News – January Round Up
With the endless flood of new products, features and changes from AWS and its surrounding ecosystem, it can be easy to miss an update. Our monthly round up highlights major AWS news, announcements, product updates and behind the scenes changes we think are most relevant.
January brought a lot of fun announcements, and even one that turned out to be quite controversial. Aside from big new features, AWS continues its recent trend of augmenting existing services in ways that make everyday life easier. This makes us happy.
AWS Backup is cool–and an SEO nightmare for every company that offers their own AWS backup service. It’s fairly straightforward, so rather than regurgitate its features–it does everything you expect it would do–we’re going to talk about a couple of key points.
AWS Backup supports the following services:
- Storage Gateway
In all cases except EFS, the existing snapshot mechanism is used, meaning you’ll have efficient full and incremental backups. Presumably, EFS backups use the incremental EFS-to-EFS backup strategy, though that’s not confirmed yet.
AWS Backup supports manual resource assignment and tag-based strategies. Tag-based strategies let you drop tags on your resources that then automatically group them into your desired backup policy. Pretend manual assignment doesn’t exist. Use tags.
Monitoring is integrated with SNS, not CloudWatch. Unfortunately, this must be configured through the CLI for now. Be sure to tie into a monitored SNS topic so that you know when your backups fail.
And, Have a Backup to The Backup
Snapshots are perfect representations of imperfect data, oblivious to their own contents. File-based restore is not an option, and identifying when a key piece of data may have gone missing can range from tedious to unfeasible. There is still a place for catalog-based backups and data exports. If AWS Backup is your only backup strategy, you don’t actually have a backup strategy.
Keep in mind that your admins can delete your backups just as easily as the resources being backed up. Human error is by far the most common reason for a restore from backup. Use an RBAC vault policy and consider organizational SCPs to protect that vault policy from tampering. Hopefully, AWS will add cross-account backup support in the future.
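As an added example (not code from the post or from AWS), here is what the CLI-only SNS wiring from the monitoring paragraph and the deny-style vault policy from this paragraph look like together. The vault name, topic ARN and break-glass role ARN are placeholders, and the SNS topic policy is assumed to already allow backup.amazonaws.com to publish.

```shell
#!/bin/sh
# Added example (not from the post): route AWS Backup vault events to an SNS
# topic and put a deny policy on the vault so admins cannot casually delete
# recovery points. Vault name, topic ARN and break-glass role ARN are
# placeholders; the topic policy is assumed to already allow publishing.
set -eu

VAULT_NAME="${VAULT_NAME:-Default}"
TOPIC_ARN="${TOPIC_ARN:-arn:aws:sns:us-east-1:111122223333:backup-alerts}"
BREAK_GLASS_ROLE="${BREAK_GLASS_ROLE:-arn:aws:iam::111122223333:role/BackupBreakGlass}"

# Vault access policy: deny every principal except the break-glass role from
# deleting recovery points, the vault, or this policy itself. Argument 1 is
# the role ARN that keeps those rights.
vault_deny_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyRecoveryPointDeletionExceptBreakGlass",
    "Effect": "Deny",
    "Principal": "*",
    "Action": [
      "backup:DeleteRecoveryPoint",
      "backup:DeleteBackupVault",
      "backup:DeleteBackupVaultAccessPolicy",
      "backup:UpdateRecoveryPointLifecycle"
    ],
    "Resource": "*",
    "Condition": { "ArnNotEquals": { "aws:PrincipalArn": "$1" } }
  }]
}
EOF
}
# Events to subscribe to. BACKUP_JOB_COMPLETED fires for failed jobs too; the
# SNS message body carries the job status, so filter on the subscriber side.
vault_events() {
  echo "BACKUP_JOB_COMPLETED RESTORE_JOB_COMPLETED RECOVERY_POINT_MODIFIED"
}
# Only call AWS when explicitly asked (APPLY=1), so the helpers above can be
# inspected or tested without credentials. Word splitting of the event list
# into separate CLI arguments is intended.
if [ "${APPLY:-0}" = "1" ]; then
  aws backup put-backup-vault-notifications \
    --backup-vault-name "$VAULT_NAME" --sns-topic-arn "$TOPIC_ARN" \
    --backup-vault-events $(vault_events)
  vault_deny_policy "$BREAK_GLASS_ROLE" > /tmp/vault-policy.json
  aws backup put-backup-vault-access-policy \
    --backup-vault-name "$VAULT_NAME" --policy file:///tmp/vault-policy.json
fi
```

An SCP at the organization level that denies `backup:PutBackupVaultAccessPolicy` and `backup:DeleteBackupVaultAccessPolicy` to everything but the same break-glass role keeps member-account admins from simply replacing this policy.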
Go Forth and Backup
Pricing is higher than S3 data storage alone, roughly the same as EBS snapshot storage. And at the moment, only EFS backups can be transitioned to Glacier (be mindful of this as the UI strongly implies your snapshot backups will transition). But, AWS Backup is still well worth it overall, even considering that existing backup strategies need to be revisited.
Read Jeff Barr’s blog post for a walkthrough of setting it up manually, which is how you’ll be setting it up, because CloudFormation and Terraform support is not yet available. We’ll do a follow-up blog post once meaningful automation is possible.
AWS MongoDB.. err.. AWS DocumentDB
AWS announced a managed MongoDB “compatible” solution, which is code for they forked Mongo, made modifications, and did not contribute them back to the open source community. A lot of people got angry about this, including the CEO of MongoDB after his company’s stock price tanked on the news. But, his company also makes a commercial product built on top of a fork of Mongo. Open source is open source, and trying to create a social contract that effectively rewrites the actual license is not in anyone’s best interests.
Besides, DocumentDB will almost certainly cater to smaller users that would not have become MongoDB customers anyway. DocumentDB is a big win for people who want to use MongoDB but don’t want to necessarily become experts in it because it is only serving a part of their application. This is an important consideration, because MongoDB is a lot easier to get up and running than it is to get tuned and configured properly for performance.
Read the announcement here.
You get an SLA, you get an SLA, everyone gets an SLA..
In a plethora of announcements, AWS rolled out 99.9% availability SLAs for:
- Kinesis Firehose, Data Streams and Video Streams
- EKS and ECR (ECS itself already had an SLA)
- API Gateway
AWS SLAs are a complicated thing. First and foremost, it’s critical to understand that 99.9% isn’t spectacular, and prior to this announcement, these services were actually worse than that. An application composed of dependencies with 99.9% availability is not itself 99.9% available. The SLAs also don’t have a lot of financial meat on them, and at the end of the day, if your app is down, a tiny credit on your bill is not going to make your customers any happier.
SLAs are a good thing, though. AWS defines their SLAs very rigorously (unlike pretty much the rest of the universe), and putting a 99.9% availability target on a service means a lot. While AWS has taken a public beating over the years on service availability, the reality is that it has always operated as well as Amazon has told us to expect it to operate. It’s up to us to understand how their services are built when running in production.
- Windows Server 2019 AMIs are finally available. We are not sure why it took 3 months, but we’re glad it’s here now.
- Fargate pricing dropped 20% for compute and 65% for memory. AWS credits Firecracker for this happy development.
- SQS supports VPC endpoints now. This keeps your traffic from routing over the open Internet when pushing and pulling messages. There’s some debate over the impact of endpoints given that you aren’t technically traversing the actual Internet so much as a larger part of AWS’ network. But, endpoints do cut your data transfer bill a bit and improve performance. And, you can more granularly define your IAM policies for additional protection. It’s good to see AWS rolling out endpoint support for a number of services recently.
- NLBs added support for TLS. This is a somewhat surprising announcement, given how low-level a network primitive NLBs are. But, it is great news. NLBs still preserve the source IP address in spite of the TLS termination. Also buried in the announcement is new support for access logging.
- CodePipeline can now push to S3. This is handy for media and static content publication pipelines. Angular developers rejoice.