AWS News – March Round Up
With the endless flood of new products, features and changes from AWS and its surrounding ecosystem, it can be easy to miss an update. Our monthly round up highlights major AWS news, announcements, product updates and behind the scenes changes we think are most relevant.
AWS got feisty in March, announcing a few features that set off some consternation throughout the community. And, continuing the recent trend, there is also an absolute ton of features that simply make daily life in AWS more pleasant.
Advanced Request Routing for ALBs
ALBs do a lot these days, going beyond host/path routing into fun use cases like authentication, health checks and service discovery. Advanced Request Routing (ARR) extends those capabilities, letting you make routing decisions on HTTP headers, the HTTP request method, query string parameters and the source IP address.
There’s a lot you can do with ARR and with ALB rules in general. One of the easiest things you can do is run up your bill, so use rules selectively on APIs and other high volume endpoints. With that in mind, there are some good use cases to consider:
- Send users to different target groups based on browser type (the User-Agent header)
- Drop unwanted/unexpected traffic, such as unsupported HTTP methods
- Detect dynamic vs static traffic based on URL patterns and route appropriately
Again, be mindful of cost, as ALB pricing is hardly straightforward for certain use cases. Rule evaluations are one of the four dimensions that feed the LCU calculation (alongside new connections, active connections and processed bytes): the first 10 rules processed per request are free, and beyond that every 1,000 rule evaluations per second costs another LCU. In the past it was hard to write enough rules for this dimension to drive your ALB costs, but it can become the significant cost factor if you get carried away with ARR. Rules are processed in priority order until one matches, so the rules that match most of your traffic belong at the top.
It is only a matter of time before there is a fully functional ALB-only ingress controller for Kubernetes that lets you take advantage of these rules, perhaps without even realizing it. CloudWatch can keep an eye on your rule evaluations for you (the RuleEvaluations metric), along with the other metrics that go into the LCU calculation (ConsumedLCUs for the total).
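To make the routing and cost points concrete, here is an added example (not AWS code and not part of the original post) that models how a listener walks its rules in priority order and how many rule evaluations each request burns. The rules are written in the same Field/*Config shape the elbv2 API uses; the matcher is a simplified stand-in for the load balancer, and the target group names, CIDR range and requests are constructed for the example.

```python
"""Simplified model of ALB listener-rule evaluation plus the rule-evaluation LCU dimension.
Added example, not AWS code: the matcher approximates the ALB, the data is constructed."""
import ipaddress
import re

FREE_RULES_PER_REQUEST = 10      # AWS bills rule evaluations beyond the first 10 per request
RULE_EVALUATIONS_PER_LCU = 1000  # one LCU covers 1,000 rule evaluations per second


def _glob(pattern, value, case_sensitive):
    """ALB patterns support only '*' (any run of characters) and '?' (exactly one)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _condition_matches(cond, req):
    field = cond["Field"]
    if field == "http-request-method":
        return req["method"] in cond["HttpRequestMethodConfig"]["Values"]
    if field == "path-pattern":  # path patterns are case-sensitive
        return any(_glob(p, req["path"], True) for p in cond["PathPatternConfig"]["Values"])
    if field == "http-header":   # header values compare case-insensitively
        cfg = cond["HttpHeaderConfig"]
        value = req["headers"].get(cfg["HttpHeaderName"].lower(), "")
        return any(_glob(p, value, False) for p in cfg["Values"])
    if field == "query-string":  # any one wanted key/value pair present in the request is enough
        return any(("Key" not in want or _glob(want["Key"], k, False)) and _glob(want["Value"], v, False)
                   for want in cond["QueryStringConfig"]["Values"] for k, v in req["query"])
    if field == "source-ip":
        # Matches the TCP connection's source address. Behind a proxy or CDN that is the
        # proxy's address, not the client's; X-Forwarded-For is NOT consulted.
        ip = ipaddress.ip_address(req["source_ip"])
        return any(ip in ipaddress.ip_network(c, strict=False) for c in cond["SourceIpConfig"]["Values"])
    raise ValueError(f"unsupported condition field {field!r}")


def evaluate(rules, default_action, req):
    """Walk rules in priority order; return (action taken, number of rules processed)."""
    processed = 0
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        processed += 1
        if all(_condition_matches(c, req) for c in rule["Conditions"]):  # AND across conditions
            return rule["Actions"][0], processed
    return default_action, processed


def rule_evaluation_lcus(requests_per_second, rules_processed):
    """LCUs consumed by the rule-evaluation dimension alone (AWS's published formula)."""
    billable = max(0, rules_processed - FREE_RULES_PER_REQUEST)
    return requests_per_second * billable / RULE_EVALUATIONS_PER_LCU


def forward(target_group):  # hypothetical target-group names stand in for ARNs
    return {"Type": "forward", "TargetGroupArn": target_group}


# Constructed listener: /admin only from the internal range, mobile UAs to a mobile fleet,
# static assets to a static fleet, a canary chosen by query string, and only GET/HEAD/POST
# reach the web fleet; anything else falls through to the default 405.
RULES = [
    {"Priority": 10, "Conditions": [
        {"Field": "path-pattern", "PathPatternConfig": {"Values": ["/admin/*"]}},
        {"Field": "source-ip", "SourceIpConfig": {"Values": ["10.0.0.0/8"]}}],
     "Actions": [forward("tg-admin")]},  # source-ip is not authentication; tg-admin must still authenticate
    {"Priority": 20, "Conditions": [
        {"Field": "http-header", "HttpHeaderConfig": {"HttpHeaderName": "User-Agent", "Values": ["*Mobile*"]}}],
     "Actions": [forward("tg-mobile")]},
    {"Priority": 30, "Conditions": [
        {"Field": "path-pattern", "PathPatternConfig": {"Values": ["/static/*"]}}],
     "Actions": [forward("tg-static")]},
    {"Priority": 40, "Conditions": [
        {"Field": "query-string", "QueryStringConfig": {"Values": [{"Key": "canary", "Value": "1"}]}}],
     "Actions": [forward("tg-canary")]},
    {"Priority": 50, "Conditions": [
        {"Field": "http-request-method", "HttpRequestMethodConfig": {"Values": ["GET", "HEAD", "POST"]}}],
     "Actions": [forward("tg-web")]},
]
DEFAULT_ACTION = {"Type": "fixed-response", "FixedResponseConfig": {"StatusCode": "405"}}


def make_request(method, path, source_ip, headers=None, query=()):
    """Constructed request: headers are lower-cased, query is a list of (key, value) pairs."""
    return {"method": method, "path": path, "source_ip": source_ip,
            "headers": {k.lower(): v for k, v in (headers or {}).items()}, "query": list(query)}


if __name__ == "__main__":
    for req in (make_request("GET", "/admin/users", "10.1.2.3"),
                make_request("GET", "/admin/users", "203.0.113.5"),
                make_request("DELETE", "/", "198.51.100.7")):
        action, n = evaluate(RULES, DEFAULT_ACTION, req)
        print(req["method"], req["path"], "->", action, f"after {n} rule evaluations")
    print("LCUs at 1,000 req/s with 25 rules processed:", rule_evaluation_lcus(1000, 25))
```

Two things fall out of running it: a DELETE to `/` is evaluated against every rule before it is refused, so a flood of junk requests is also the most expensive traffic you serve, and at five rules nothing is billed, while a listener that grows to 25 rules burns 15 LCUs at 1,000 requests per second on this dimension alone.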
S3 Glacier Deep Archive Has Arrived
Glacier Deep Archive is a new storage class for S3, similar to Glacier but cheaper. A lot cheaper. Think about $1/TB/month (roughly $12/TB/year) cheap. Deep Archive was announced at AWS re:Invent but was slow to be released, perhaps because users in preview were busy uploading petabytes of data because, who cares, it’s practically free.
There’s really no good reason not to use Deep Archive. But be sure to understand the implications of putting your data there. It is now possible to create object lifecycle rules in S3 that automatically rotate your content into Deep Archive with no further action on your part. This is handy but also painful if you need to get your data back in a hurry: the guidance is currently 12 hours for a standard restore (48 hours for bulk), there is no expedited tier, and you should expect that to be roughly accurate. Back when Glacier was originally announced, restore times ended up being far faster than initially estimated. Given the way Deep Archive works, such miracles are less likely. Also note the 180-day minimum storage duration: an object deleted or transitioned out earlier is still billed for the full 180 days, so check your expiration rules before you point them at Deep Archive.
It is worth mentioning, for people whose IT infrastructure spans more than the usual two generations of tech, that Glacier Deep Archive integrates with Tape Gateway. So you can push backups straight from your legacy tape backup product into an ultra low cost, ultra durable object store. Storage Gateway has offered a virtual tape library (VTL) for a while, but with Deep Archive it becomes far more appetizing as a way to permanently kill tape.
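Because a lifecycle rule can quietly move data somewhere it takes half a day and a minimum of 180 billed days to get back from, it is worth linting the configuration before applying it. The following is an added example (not AWS code and not from the original post): a small checker for the transition ordering and minimum-duration rules S3 enforces or bills for, plus the RestoreObject parameters for pulling an object back out of DEEP_ARCHIVE. The dict shapes are the ones boto3's `put_bucket_lifecycle_configuration` and `restore_object` accept; the bucket, prefix and key names are hypothetical.

```python
"""Lint an S3 lifecycle configuration before applying it, and build a DEEP_ARCHIVE restore
request. Added example, not AWS code; bucket and key names are hypothetical."""

# The order in which S3 lets lifecycle transitions move an object (never backwards).
STORAGE_CLASS_ORDER = ["STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA", "GLACIER", "DEEP_ARCHIVE"]
MIN_BILLABLE_DAYS = {"STANDARD_IA": 30, "ONEZONE_IA": 30, "GLACIER": 90, "DEEP_ARCHIVE": 180}
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
# Retrieval windows AWS publishes for DEEP_ARCHIVE; there is no Expedited tier.
DEEP_ARCHIVE_RESTORE_HOURS = {"Standard": 12, "Bulk": 48}


def lint_lifecycle(config):
    """Return a list of problems with a lifecycle configuration (empty means it is sane)."""
    problems = []
    for rule in config["Rules"]:
        rid = rule["ID"]
        last_days, last_class = -1, None
        for t in rule.get("Transitions", []):
            cls, days = t["StorageClass"], t["Days"]
            if cls not in STORAGE_CLASS_ORDER:
                problems.append(f"{rid}: unknown storage class {cls}")
                continue
            if last_class and STORAGE_CLASS_ORDER.index(cls) <= STORAGE_CLASS_ORDER.index(last_class):
                problems.append(f"{rid}: {cls} cannot follow {last_class}")
            if days <= last_days:
                problems.append(f"{rid}: transition days must increase ({cls} at day {days})")
            if cls in IA_CLASSES and days < 30:
                problems.append(f"{rid}: {cls} transition needs at least 30 days")
            if last_class in IA_CLASSES and days - last_days < 30:
                problems.append(f"{rid}: {cls} must be at least 30 days after the {last_class} transition")
            last_days, last_class = days, cls
        if "Expiration" in rule and last_class:
            held = rule["Expiration"]["Days"] - last_days   # days spent in the final class
            if held <= 0:
                problems.append(f"{rid}: expiration must come after the last transition")
            elif held < MIN_BILLABLE_DAYS.get(last_class, 0):
                problems.append(f"{rid}: objects expire after {held} days in {last_class}; "
                                f"you are billed for a minimum of {MIN_BILLABLE_DAYS[last_class]}")
    return problems


def deep_archive_restore(bucket, key, tier="Standard", days=7):
    """Keyword arguments for boto3 s3.restore_object(**params), plus the hours to budget."""
    if tier not in DEEP_ARCHIVE_RESTORE_HOURS:
        raise ValueError("DEEP_ARCHIVE supports only Standard and Bulk retrieval")
    params = {"Bucket": bucket, "Key": key,
              "RestoreRequest": {"Days": days, "GlacierJobParameters": {"Tier": tier}}}
    return params, DEEP_ARCHIVE_RESTORE_HOURS[tier]


# Constructed rule: logs go to STANDARD_IA at day 30, DEEP_ARCHIVE at day 90 and are deleted
# at day 400, so they sit in DEEP_ARCHIVE for 310 days, comfortably past the 180-day minimum.
LIFECYCLE = {"Rules": [{
    "ID": "archive-logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
    "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                    {"Days": 90, "StorageClass": "DEEP_ARCHIVE"}],
    "Expiration": {"Days": 400},
}]}

# Same rule expiring at day 120: only 30 days in DEEP_ARCHIVE, but billed for 180.
SHORT_LIVED = {"Rules": [{
    "ID": "archive-logs-too-short", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
    "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                    {"Days": 90, "StorageClass": "DEEP_ARCHIVE"}],
    "Expiration": {"Days": 120},
}]}

if __name__ == "__main__":
    print(lint_lifecycle(LIFECYCLE))
    print(lint_lifecycle(SHORT_LIVED))
    print(deep_archive_restore("example-bucket", "logs/2019/03/app.log.gz", tier="Bulk"))
```

The restore helper deliberately refuses the `Expedited` tier, which exists for Glacier but not for Deep Archive; catching that in code beats finding out from an API error during an incident.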
Open Distro for Elasticsearch and Why You Care
AWS announced a fork-not-a-fork of Elasticsearch, Open Distro for Elasticsearch. There’s some argument about whether this fork is a fork or not, but we’re staying out of it. What is clear is that it represents a monumental moment for how public cloud giants expropriate and monetize open source projects backed by other commercial entities.
Earlier this year, AWS announced DocumentDB, a closed source managed service that is compatible with (and presumably derived from) MongoDB, much to the annoyance of MongoDB’s CEO but not really anyone else. In doing so, they correctly cited the difficulty of running MongoDB in a secure, reliable and properly backed-up manner.
In this announcement, AWS, who has had its own similar closed source fork of Elasticsearch for years in the Amazon Elasticsearch Service, cited the difficulty of running Elasticsearch without potentially running afoul of licensing restrictions (proprietary code now ships intermingled with the Apache-licensed code in the upstream repository) as the reason it needed to be forked. So, if your open source software is excellent and widely loved (e.g., Elasticsearch), AWS will stymie your attempts to monetize it by making open source versions of the commercial enhancements you were trying to sell. If your open source software is complicated to use and utterly insecure out of the box (e.g., MongoDB), AWS will stymie your attempts to monetize it by making a closed source version that addresses the usability issues your commercially hosted platform was built to solve.
AWS is firing a hell of a warning shot at pretty much everybody attempting to monetize an OSS product. You could argue that this is bad for the community. But we have been baffled for years at which features Elastic allows into the open source repo compared to what it holds back for commercial distribution. And for everything great about MongoDB, it is far too easy to set up and far too difficult to run correctly. Gaps like that are dangerous and lead innocent users into future pitfalls.
AWS can’t make a habit of open and closed forking depending on what suits its interests best, but so long as it does so selectively and in alignment with customers, this will be a powerful check that forces OSS peddlers to keep their own monetization strategies closely aligned with the community as well as their prospective customer base.
EKS Now Supports Windows and Kubernetes 1.12
EKS has come a long way from its initial release less than a year ago (after a frustratingly long 6-month preview period). In the last few weeks, AWS has announced support for Kubernetes 1.12 and Windows (preview only).
AWS has taken some flak lately for being slow to adopt Kubernetes releases, but whereas it got off to a fairly anemic start with EKS, it seems to be working at a reasonable pace now. Simply put, Kubernetes is putting out new releases at breakneck speed, deprecating old releases obnoxiously soon, and not necessarily maintaining consistent quality levels. Both kops and AWS sat on their 1.12 releases for a bit, waiting on bug fixes each project considered deal breakers.
Google is going to continue to lead with GKE as the reference cloud implementation, but the quality of its Kubernetes implementation does not compensate for the other rough edges of its offering. Meanwhile, AWS continues to incrementally improve, delivering a stable, featureful product.
Here’s some of the more useful features added since release:
- Ability to upgrade clusters via CloudFormation and CLI
- Native integration with AWS App Mesh, a managed distribution of Envoy
- Support for v1.11 and v1.12
- VPC Endpoints for private API access
- Enhanced cluster and node group creation processes
- Added a ton of regions
There’s still more to be done. We’d like to see native IAM roles for pods instead of having to rely on kube2iam, meaningful CloudWatch integration, faster cluster creation times, and a less expensive control plane. But there’s much to like with EKS. It is stable, integrates well with other AWS products, and has a solid networking model that makes pods first class citizens within the overall infrastructure.
AWS Config Enhancements
AWS announced support for Remediations in AWS Config this month. Remediation through Config has long been possible by tying CloudWatch Events and Lambda functions to your rules; the new feature attaches an SSM Automation document (one of the AWS-managed ones or your own) directly to a Config rule, so the fix can be run against a non-compliant resource without wiring up that plumbing. This is handy, because the old method was just a little bit tedious for smaller accounts without a strong governance process.
Remediations are a great way to enforce policies that prevent the sort of mistakes that sink you. The go-to AWS example is public S3 buckets and objects, but you can also catch Internet-reachable databases, overly permissive security groups, etc. Config Rules are an important way to monitor the resources across your AWS account(s). Remediation takes that a step further, with a way to take immediate action on high-value issues. A remediation runs with whatever the automation role it assumes can do, so scope that role to the fix and nothing more; a role that can rewrite any bucket ACL in the account is a tempting target in its own right.
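As an added example (not AWS code and not part of the original post), here is a stand-in for what the public-bucket rule and its remediation pair do: an evaluator that checks a bucket's ACL grants, bucket policy and Block Public Access settings the way the managed rule does, and a builder for the remediation configuration that `config.put_remediation_configurations()` accepts. The bucket descriptions are constructed, the automation role ARN is hypothetical, and the "wildcard principal with no Condition" test is a simplification of AWS's fuller definition of a public policy.

```python
"""Config-style public-bucket evaluation and the matching remediation configuration.
Added example, not AWS code; bucket data is constructed, the role ARN is hypothetical."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}


def _is_wildcard(principal):
    """Principal "*" or {"AWS": "*"} means anyone on the Internet."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))


def evaluate_bucket(bucket):
    """Return ("COMPLIANT" | "NON_COMPLIANT", reasons) for a constructed bucket description
    with keys Grants (ACL grant list), Policy (bucket policy dict or None), PublicAccessBlock."""
    pab = bucket.get("PublicAccessBlock", {})
    reasons = []
    # IgnorePublicAcls makes public ACL grants inert, so the rule does not count them.
    for grant in [] if pab.get("IgnorePublicAcls") else bucket.get("Grants", []):
        uri = grant["Grantee"].get("URI")
        if uri in PUBLIC_GRANTEES:
            reasons.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    # RestrictPublicBuckets neuters public statements in the bucket policy.
    policy = None if pab.get("RestrictPublicBuckets") else bucket.get("Policy")
    for stmt in (policy or {}).get("Statement", []):
        # Simplification: an Allow to a wildcard principal with no Condition is public.
        # AWS's real definition also treats some conditioned statements as public.
        if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")) and "Condition" not in stmt:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            reasons.append(f"policy allows {', '.join(actions)} to everyone")
    return ("NON_COMPLIANT" if reasons else "COMPLIANT"), reasons


def remediation_configuration(rule_name, automation_role_arn):
    """One entry for config.put_remediation_configurations(RemediationConfigurations=[...]).
    AWS-DisableS3BucketPublicReadWrite is an AWS-managed SSM Automation document that
    sets the bucket ACL back to private; RESOURCE_ID is substituted with the flagged bucket."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-DisableS3BucketPublicReadWrite",
        "Parameters": {
            "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            # Scope this role to s3:PutBucketAcl on the buckets you intend to fix, nothing more.
            "AutomationAssumeRole": {"StaticValue": {"Values": [automation_role_arn]}},
        },
    }


def buckets_to_remediate(buckets):
    """Names of the non-compliant buckets, i.e. what the remediation would be pointed at."""
    return [name for name, desc in buckets.items() if evaluate_bucket(desc)[0] == "NON_COMPLIANT"]


# Constructed bucket descriptions (the shapes mirror get_bucket_acl / get_bucket_policy output).
BUCKETS = {
    "public-acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
                   "Policy": None, "PublicAccessBlock": {}},
    "public-policy": {"Grants": [], "PublicAccessBlock": {},
                      "Policy": {"Version": "2012-10-17", "Statement": [
                          {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::public-policy/*"}]}},
    # Same public ACL as the first bucket, but Block Public Access makes it harmless.
    "locked-down": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
                    "Policy": None,
                    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for name, desc in BUCKETS.items():
        print(name, evaluate_bucket(desc))
    print(remediation_configuration("s3-bucket-public-read-prohibited",
                                    "arn:aws:iam::123456789012:role/ConfigRemediation"))
```

The third bucket is the case worth noticing: its ACL is public, yet the account-level Block Public Access settings make it compliant, which is why the managed rule reads those settings rather than the ACL alone, and why the cheapest remediation for a whole account is usually to turn Block Public Access on rather than to chase individual ACLs.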
AWS also announced Advanced Queries for AWS Config. Advanced queries let you search on the attributes of resources, regardless of resource type, with a SQL-like SELECT/WHERE syntax against Config’s inventory. In a single query you can retrieve all EC2 instances of a given type, all resources carrying a particular tag, or all resources in a particular state, without paging through each service’s own API.
- AWS now supports multiple accounts for Direct Connect Gateways. This can vastly ease the process of interconnecting organizations when using a multi-account strategy. Note that the VPCs connected to the DCG must all be linked to a common payer account.
- AWS allows you to schedule instance events. For those who aren’t familiar, instance events are scheduled when AWS needs to do maintenance on the underlying hardware for your instance, typically a simple reboot. Customers have the opportunity to take that action sooner to better control the availability of their instances. This feature lets you pick the time for the reboot rather than doing it by hand. But, don’t use it. Reboot your critical servers yourself, put servers that can die at any time in an Auto Scaling group, and seriously consider whether a server that can be rebooted “whenever after hours” needs to be running after hours in the first place.
- AWS App Mesh is now generally available. App Mesh is a managed Envoy deployment designed for people who could benefit from a service proxy but who do not necessarily have the time to go deep on how Envoy works. App Mesh is relatively straightforward to use, and it integrates with multiple AWS services, EKS included.
- AWS Transfer for SFTP supports PrivateLink. One day, AWS will just release services with PrivateLink support in the first place, rather than being constantly surprised by how much customers value this functionality after release. In the meantime, a huge dealbreaker for many people who use internal SFTP data transfer processes was just eliminated.
- AWS announced Event Fork Pipelines. Don’t yawn. These tools use AWS SAM and allow you to hook serverless functions together via events. Wiring Lambdas together used to be one of the thornier issues in event-driven serverless architectures. Less so now.
- After a long preview, RDS now supports PostgreSQL 11. We’re not sure why this spent so long in preview, but presumably it was for good reason.
- Sort of without an official announcement, AWS now allows penetration testing without prior approval on 8 core products: EC2 instances, NAT Gateways and Elastic Load Balancers; RDS; CloudFront; Aurora; API Gateway; Lambda and Lambda@Edge; Lightsail; and Elastic Beanstalk environments. DoS/DDoS simulation, port/protocol/request flooding and DNS zone walking of Route 53 hosted zones remain prohibited, and anything outside that list still needs a request. It’s probably reasonable that they did not make a huge announcement about this one, but it’s also a welcome change.
- Redshift supports automatic concurrency scaling. This is neat but also potentially expensive: each active cluster accrues one hour of free concurrency scaling credit per day, and usage beyond that is billed per second at the on-demand rate for the transient clusters it spins up.