Docjowles
Apr 9, 2009

22 Eargesplitten posted:

I asked if we had a contractual RPO or RTO for our customers and haven't heard back yet. I'm also not sure how far back we might be contracted to be able to retrieve something. I'm going to need to get answers to that for sure.

It's also worth mentioning that depending on the nature of your company and where it does business, there may be various regulations you need to follow related to backups. Who can access them, whether they're encrypted at all times (and who can decrypt them), who has access to restore to production and how, retention period, where they're stored, whether they contain PII or credit card data, auditing of success/failure and documentation of what is to be done when a job fails, etc etc. This is a conversation to have with your manager, or with legal/finance if they glaze over when you ask about it. Getting kinda offtopic for the AWS thread, though.


22 Eargesplitten
Oct 10, 2010



Yeah, I posted in here initially because I felt like I was trying to reinvent the wheel because I know I'm looking at an inefficient mess but I'm used to working with auto-replicating DR rather than backups, and I wasn't sure if AWS had a recommended WAF way to do them or something.

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

22 Eargesplitten posted:

I asked if we had a contractual RPO or RTO for our customers and haven't heard back yet. I'm also not sure how far back we might be contracted to be able to retrieve something. I'm going to need to get answers to that for sure.

Definitely have the answers before you change anything. Everyone has to be on the same page with their expectations before the “whoops!” comes. Arguments about data retention non-decisions while your data center is on fire are horrible to experience (source: me).

Edit: also, store no more data than necessary to meet all your obligations. You might think you are helping people, but when that random lawsuit pops up you (and your company) will regret every kilobyte of stored data that gets subpoenaed.

Agrikk fucked around with this message at 20:19 on May 18, 2022

Hughmoris
Apr 21, 2007
Let's go to the abyss!
Speaking of databases, I just did some learning on Aurora Provisioned and Aurora Serverless.

For those who support and/or deployed solutions using those, what are your thoughts on current performance and their future? With the current Serverless push, do you think Aurora Serverless will become more and more popular? Or do they become obscenely expensive with real world use?

ledge
Jun 10, 2003

Haha, I kept failing to deploy via ElasticBeanstalk with the new preview Publish to AWS tool in visual studio so much that the product owner wants me to show their engineers why I am such an abject failure at using their tool. I'll get a $50 Amazon voucher for embarrassing myself in front of them though, so at least I got that going for me.

It is mostly due to VS saving new text files encoded as UTF-8 BOM and doing CRLF for eol. Of course the error messages are not that useful, e.g. you get a "File can't be found" message if the eol is set to CRLF instead of just LF in your configuration files.

CarForumPoster
Jun 26, 2013

⚡POWER⚡

ledge posted:

e.g. you get a "File can't be found" message if the eol is set to CRLF instead of just LF in your configuration files.

Hahahaha

Pyromancer
Apr 29, 2011

This man must look upon the fire, smell of it, warm his hands by it, stare into its heart

Hughmoris posted:

Speaking of databases, I just did some learning on Aurora Provisioned and Aurora Serverless.

For those who support and/or deployed solutions using those, what are your thoughts on current performance and their future? With the current Serverless push, do you think Aurora Serverless will become more and more popular? Or do they become obscenely expensive with real world use?

I used V1 before, it's pretty neat in its ability to scale down to 0 and use Data API to run queries with no concern about connection lifetime. Like you're on Dynamo DB, but with relational model.
If it's completely suspended it'll take 30 seconds to wake though, and it needs a window in write operations to scale. It also scales drastically, doubling or halving its power.
Also no multi-availability zone or read replicas.

V2 is touted as being scaled better in granularity and speed, and takes multi-availability zone and read replicas features from provisioned instances.
But guess what features aren't in V2? Scaling down to 0 and data API. It's a provisioned instance that now scales automatically, not really a continuation of Aurora Serverless V1.

Also the price comparison - if you have db.r6g.large(on-demand) vs 8 ACU serverless then v1 has to run at about 50% load and v2 only at 25% to match cost. And don't forget that without data API you'll have to manage connections or use RDS proxy with extra cost. And if you're buying a reserved instance for years in advance it's even more, something like 25% load for v1 and 10% for v2.

With what they offer now it's hard to justify using Aurora Serverless v2, while V1 was a great pick for saving on development and test DBs just for the suspend feature.
For it to make sense your usage should be looking like one huge peak and then mostly idle the rest of the day so the average is low.

Pyromancer fucked around with this message at 10:19 on May 20, 2022

CarForumPoster
Jun 26, 2013

⚡POWER⚡
I’ve not used aurora but big query has been great for my rarely used use case. I need to query these govt data sets totaling about 2TB across 50ish tables. It ends up costing me like $2 to do it but compared to the business value and the fact I only need to do it a few times a month it’s an absolute steal, especially given its features.

Need to query the upper() with a regex? No problem. User defined functions? Yep.

gnatalie
Jul 1, 2003

blasting women into space

ledge posted:

It is mostly due to VS saving new text files encoded as UTF-8 BOM and doing CRLF for eol. Of course the error messages are not that useful, e.g. you get a "File can't be found" message if the eol is set to CRLF instead of just LF in your configuration files.

:sigh: jesus

well, after squatting in azure land i'm back in aws for a mobile app project. api gateway + api key + mtls w/lambda proxy to a c# minimal api (arm64 !!!) that reads from an on-prem db. it's cool. shits gonna have CONUS wide access and cost nearly nothing lol

Hughmoris
Apr 21, 2007
Let's go to the abyss!

Pyromancer posted:

Good Aurora stuff.

Thanks!

I think I have a decent grasp on the RDS knowledge needed for the SAA certification, and hope to sit for it in the next week or two. Hopefully, having that on the resume will open up new opportunities for work.

Hughmoris
Apr 21, 2007
Let's go to the abyss!

Hughmoris posted:

Thanks!

I think I have a decent grasp on the RDS knowledge needed for the SAA certification, and hope to sit for it in the next week or two. Hopefully, having that on the resume will open up new opportunities for work.

I am now a certified AWS Solutions Architect - Associate! :yayclod:

Now, to figure out my next steps. My current position has me loosely related to data and security work. So, maybe committing to better learning the AWS Databases, Data Analytics, or Security domains?

The end goal being a position where I get to solve interesting problems and make lots of money.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Hughmoris posted:

I am now a certified AWS Solutions Architect - Associate! :yayclod:

Now, to figure out my next steps. My current position has me loosely related to data and security work. So, maybe committing to better learning the AWS Databases, Data Analytics, or Security domains?

The end goal being a position where I get to solve interesting problems and make lots of money.

Databases and security are probably the most relevant in my experience, but you can obviously make anything work.

you really do need to understand databases eventually, and security’s important for obvious reasons. I’ll also take a moment here to recommend “Designing Data Intensive Applications”, which I’ve still only managed to make it a third of the way through bc it’s dense as hell, but it really does teach you some foundational principles underlying your data storage and retrieval options. Not relevant to AWS certs, but deeply relevant to understanding the data needs of any given service.

The Iron Rose fucked around with this message at 21:38 on May 24, 2022

Hughmoris
Apr 21, 2007
Let's go to the abyss!

The Iron Rose posted:

Databases and security are probably the most relevant in my experience, but you can obviously make anything work.

you really do need to understand databases eventually, and security’s important for obvious reasons. I’ll also take a moment here to recommend “Designing Data Intensive Applications”, which I’ve still only managed to make it a third of the way through bc it’s dense as hell, but it really does teach you some foundational principles underlying your data storage and retrieval options. Not relevant to AWS certs, but deeply relevant to understanding the data needs of any given service.

Thanks for the insight.

I've heard good things of DDIA, might have to start poking through it.

Hughmoris
Apr 21, 2007
Let's go to the abyss!
Am I correct in stating that to use a GUI with Amazon RDS (e.g. SSMS, MySQL Workbench), I either need to make the RDS Instance publicly accessible OR connect via AWS VPN or Direct Connect?

I created an RDS MySQL database and turned Publicly Available to OFF, then had a heck of a time connecting to it. Eventually created an EC2 in the same VPC and used that as a jumper and I can now connect to the db thru the CLI. I'm hesitant to turn on public accessibility because I feel like exposing your DB to the internet is bad practice.

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$

Yes. A bastion host gets you into the vpc, and then either manage directly from the bastion host or double hop onto another ec2 server for management

And/Or direct connect / vpn / workspaces

Edit: not just gui management. You couldn't read from or write to it with SQL statements unless you had network connectivity. That's either public access (bad), vpc access, or dx/vpn

luminalflux
May 27, 2005



Hughmoris posted:

Am I correct in stating that to use a GUI with Amazon RDS (e.g. SSMS, MySQL Workbench), I either need to make the RDS Instance publicly accessible OR connect via AWS VPN or Direct Connect?

I created an RDS MySQL database and turned Publicly Available to OFF, then had a heck of a time connecting to it. Eventually created an EC2 in the same VPC and used that as a jumper and I can now connect to the db thru the CLI. I'm hesitant to turn on public accessibility because I feel like exposing your DB to the internet is bad practice.

Yeah you pretty much nailed it. For a GUI, CLI, or other third party to access your database, it will need network connectivity somehow. There's a plethora of options:

* Make it publicly available (probably a bad idea security-wise)
* Create a t2.micro EC2 instance inside the VPC your database lives in (or otherwise has routeability to that VPC), and tunnel traffic through SSH.
* Get a VPN connection into a VPC with connectivity to the database
* Set up DirectConnect if you've got a corporate network and need to peer it with your AWS VPCs anyway.
* Create an EC2 instance running HAProxy that has a public IP and a security group with IP ACLs on it, only permitting certain IPs to access it.

SSH tunneling is probably the most common for GUIs, especially since SREs hate running VPN services.
The HAProxy solution is used a lot for granting access to third party SaaS tools like Mode and Tableau since it's easy to re-use for both your MySQL and Redshift databases.

Docjowles
Apr 9, 2009

Hughmoris posted:

Am I correct in stating that to use a GUI with Amazon RDS (e.g. SSMS, MySQL Workbench), I either need to make the RDS Instance publicly accessible OR connect via AWS VPN or Direct Connect?

I created an RDS MySQL database and turned Publicly Available to OFF, then had a heck of a time connecting to it. Eventually created an EC2 in the same VPC and used that as a jumper and I can now connect to the db thru the CLI. I'm hesitant to turn on public accessibility because I feel like exposing your DB to the internet is bad practice.

You’re right that putting a database on a public IP isn’t a great idea. You could set up the security group to only allow your home IP or something but mistakes happen, and it would be annoying to update it every time your IP changes. Setting up a very locked down “bastion host” like you did to ssh tunnel through to your private resources is a decent option.

Edit: lol I see this was already answered multiple times as I wrote this up
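An added example to go with the options luminalflux and Docjowles list above (not code from either poster): it classifies RDS instances by exposure from constructed `describe_db_instances()` / `describe_security_groups()`-shaped records, so the "publicly accessible" and "home IP only" cases can be found across an account instead of checked one instance at a time.

```python
"""Flag RDS instances that the whole internet can reach.

Added example, not code from anyone in the thread. It evaluates records in
the shape boto3's describe_db_instances() / describe_security_groups()
return, using constructed sample data so it runs offline.
"""
import ipaddress

# Constructed sample instances (subset of describe_db_instances() fields).
INSTANCES = [
    {"DBInstanceIdentifier": "quakes-prod", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "quakes-dev", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-homeip"}]},
    {"DBInstanceIdentifier": "quakes-private", "PubliclyAccessible": False,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
]

# Constructed sample security groups, keyed by GroupId.
SECURITY_GROUPS = {
    "sg-open": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-homeip": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []}]},
}


def rule_covers_port(rule, port):
    """True if an ingress rule includes `port` ("-1" means every protocol)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allows_world(sg, port):
    """True if any rule lets 0.0.0.0/0 or ::/0 reach `port`."""
    for rule in sg["IpPermissions"]:
        if not rule_covers_port(rule, port):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            return True
    return False


def assess_instance(inst, sgs):
    """Classify one instance.

    open              - public endpoint and a security group open to the world
    public-restricted - public endpoint, ingress limited to specific CIDRs
                        (the "allow your home IP" case; still fragile)
    private           - no public endpoint, only VPC-reachable clients apply
    """
    if not inst["PubliclyAccessible"]:
        return "private"
    port = inst["Endpoint"]["Port"]
    groups = (sgs[g["VpcSecurityGroupId"]] for g in inst["VpcSecurityGroups"])
    if any(allows_world(sg, port) for sg in groups):
        return "open"
    return "public-restricted"


def report(instances, sgs):
    """Map instance identifier -> verdict for every instance."""
    return {i["DBInstanceIdentifier"]: assess_instance(i, sgs) for i in instances}


if __name__ == "__main__":
    for name, verdict in report(INSTANCES, SECURITY_GROUPS).items():
        print(f"{name:16} {verdict}")
```

Against a live account the two constants would be filled from the boto3 calls named in the docstring; the classification logic does not change.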

12 rats tied together
Sep 7, 2006

if you're using, or can use, aurora serverless, you don't need a proxy or a bastion and you can use the "data API": https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html

necrobobsledder
Mar 21, 2005
Lay down your soul to the gods rock 'n roll
Nap Ghost
There are options to be able to run queries against your instance with IAM based authentication or to run queries from a container or lambda within the private subnet of the DB. Another alternative instead of bastion hosts is to use ngrok to set up a reverse proxy to the database or other service through a reverse tunnel that’s publicly routed. It’s similar to the network pathing of solutions like Gravitational Teleport this way.

Hughmoris
Apr 21, 2007
Let's go to the abyss!
Thanks for the ideas/tips. I'm definitely going to work some Lambdas into the mix. I'm thinking of using Lambda to hit the USGS Earthquake API and insert quakes to the RDS every hour.

This is a personal project just to get more familiar with actually building stuff, and the learning that comes from multiple attempts to get something to work.

BaseballPCHiker
Jan 16, 2006

I feel like I'm fighting a dumb battle here.

Is there any reason to restrict accounts to an availability zone via SCPs?

I argued that we should be absolutely restricting what regions we operate in, but that AZs should be open for developers to pick and choose from. And that one account's AZ won't be another account's AZ anyway so if this is some cute attempt to get lower latency between resources it's a dumb way to go about it.

12 rats tied together
Sep 7, 2006

There are some per-AZ types of charge in AWS, and inter-AZ traffic costs more, but overall no that is a stupid waste of time entirely.

At least try to restrict to a subset of the "true AZs" regardless of account-letter mapping because it can cause problems for some types of peering (esp. PrivateLink), the peering tech can rely on both sides of the relationship existing in the same AZ.

vanity slug
Jul 20, 2010

12 rats tied together posted:

if you're using, or can use, aurora serverless, you don't need a proxy or a bastion and you can use the "data API": https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html

Aurora Serverless v1 :eng101:

There are enough differences between v1 and v2 that I don't understand why they didn't just release it as a separate product.

Startyde
Apr 19, 2007

come post with us, forever and ever and ever
(so they can sunset development on the one that scales to 0)

ledge
Jun 10, 2003

ledge posted:

Haha, I kept failing to deploy via ElasticBeanstalk with the new preview Publish to AWS tool in visual studio so much that the product owner wants me to show their engineers why I am such an abject failure at using their tool. I'll get a $50 Amazon voucher for embarrassing myself in front of them though, so at least I got that going for me.

It is mostly due to VS saving new text files encoded as UTF-8 BOM and doing CRLF for eol. Of course the error messages are not that useful, e.g. you get a "File can't be found" message if the eol is set to CRLF instead of just LF in your configuration files.

Just had the meeting with the SDK guys to show them this and they actually found it useful!

They plan to at least add this as a gotcha in their documentation and hopefully to update the deployment tool to check the elasticbeanstalk deployment config files and automatically change their encoding and eol to be unix compliant when they zip up the build before uploading it. So that's a win.

Still waiting for the $50 voucher though.
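An added example (not ledge's code or the AWS toolkit's) of the pre-upload check ledge describes the SDK team planning: strip a UTF-8 BOM and convert CRLF to LF in the Elastic Beanstalk files of a build directory, and report what was changed. Which files EB parses is an assumption encoded in `DEFAULT_PATTERNS`; the sample bytes in the test are constructed.

```python
"""Normalize Elastic Beanstalk deployment files to UTF-8 without BOM and LF
line endings, reporting what was fixed.

Added example, not ledge's code or the AWS toolkit's. The file patterns are
an assumption about which files EB parses.
"""
import pathlib

UTF8_BOM = b"\xef\xbb\xbf"
# Assumed set of EB-parsed text files. A BOM in front of "#!" also stops the
# kernel from recognising a .platform hook script's shebang.
DEFAULT_PATTERNS = (".ebextensions/*.config", "Procfile", ".platform/**/*")


def normalize_bytes(data):
    """Return (fixed, issues). Files that look binary are passed through."""
    issues = []
    if b"\x00" in data:
        return data, issues
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
        issues.append("utf-8 bom")
    if b"\r\n" in data:
        data = data.replace(b"\r\n", b"\n")
        issues.append("crlf")
    if b"\r" in data:  # any bare CR left over after the CRLF pass
        data = data.replace(b"\r", b"\n")
        issues.append("cr")
    return data, issues


def normalize_tree(root, patterns=DEFAULT_PATTERNS, dry_run=False):
    """Fix matching files under `root` in place; return {relpath: issues}."""
    root = pathlib.Path(root)
    report = {}
    for pattern in patterns:
        for path in root.glob(pattern):
            if not path.is_file():
                continue
            fixed, issues = normalize_bytes(path.read_bytes())
            if issues:
                if not dry_run:
                    path.write_bytes(fixed)
                report[path.relative_to(root).as_posix()] = issues
    return report


if __name__ == "__main__":
    import sys

    build_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    # Report only; drop dry_run to rewrite the files before zipping the build.
    for rel, issues in normalize_tree(build_dir, dry_run=True).items():
        print(f"{rel}: {', '.join(issues)}")
```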

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

Hughmoris posted:

Thanks for the ideas/tips. I'm definitely going to work some Lambdas in to the mix. I'm thinking of using Lambda to hit the USGS Earthquake API and insert quakes to the RDS every hour.

This is a personal project just to get more familiar with actually building stuff, and the learning that comes from multiple attempts to get something to work.

Then you can put quicksight in front of it and make really cool global maps of earthquakes.

After about 60 days all of the major fault lines delineating the major plates can be traced based on the earthquakes that dot the borders. My head exploded when I saw the plots appear on the map of the earth.

:nerd:

edit: If you want, I have 3.3 million earthquake events stored in 30,000 csv files dating back to Jan 1, 1960 that I'd be willing to zip up and put somewhere if you wanted all the historical data as well as current stuff.

Agrikk fucked around with this message at 03:58 on Jun 2, 2022

Hughmoris
Apr 21, 2007
Let's go to the abyss!

Agrikk posted:

Then you can put quicksight in front of it and make really cool global maps of earthquakes.

After about 60 days all of the major fault lines delineating the major plates can be traced based on the earthquakes that dot the borders. My head exploded when I saw the plots appear on the map of the earth.

:nerd:

edit: If you want, I have 3.3 million earthquake events stored in 30,000 csv files dating back to Jan 1, 1960 that I'd be willing to zip up and put somewhere if you wanted all the historical data as well as current stuff.

All that old data would be sweet. I'm going to try and get the foundation of this idea stood up first and I'll take you up on that offer if I get far enough along.

This morning I was able to successfully create a Lambda that inserts data into my RDS instance. I wasn't able to connect Lambda -> RDS for the longest time but finally got it working. The biggest challenge that I've faced with AWS since starting is understanding the networking needed for a given project. VPCs and subnets and SGs etc... :smith:

Next up, figuring out how to securely store my RDS credentials in KMS and have Lambda pull them as needed.

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$

I tried doing an earthquake tracker too, but I wanted to see if I could do the ETL with Glue.

Turns out I couldn't, so I gave up.

Hughmoris
Apr 21, 2007
Let's go to the abyss!

Happiness Commando posted:

I tried doing an earthquake tracker too, but I wanted to see if I could do the ETL with Glue.

Turns out I couldn't, so I gave up.

Yeah, I want to try and incorporate some sort of ETL for this project but I'm not sure what. Current state is all quake data residing in a MySQL RDS.

I've poked around Glue a couple of times. I stopped because the jobs were costing money, and I was mangling the jobs resulting in duplicate data. :mad:

Hughmoris
Apr 21, 2007
Let's go to the abyss!
I'm ripping my hair out and need some AWS VPC help.

I have a Lambda. The goal is for the Lambda to get info from a USGS Earthquake API and write to RDS. When I configure my Lambda to use my Earthquake VPC, it appears it is unable to reach the internet. The Earthquake API request never completes and the Lambda just times out. If I remove any VPC association from my Lambda config, it can make the Earthquake API call just fine.

I've tried every which way to configure my Earthquake VPC and SGs but have had zero luck. Any advice?

Hughmoris fucked around with this message at 15:38 on Jun 3, 2022

BaseballPCHiker
Jan 16, 2006

Hughmoris posted:

I'm ripping my hair out and need some AWS VPC help.

I have a Lambda. The goal is for the Lambda to get info from a USGS Earthquake API and write to RDS. When I configure my Lambda to use my Earthquake VPC, it appears it is unable to reach the internet. The Earthquake API request never completes and the Lambda just times out. If I remove any VPC association from my Lambda config, it can make the Earthquake API call just fine.

I've tried every which way to configure my Earthquake VPC and SGs but have had zero luck. Any advice?

There's so much that could be going on here.

Can you post some screenshots/code of your VPC setup?

Just-In-Timeberlake
Aug 18, 2003

Hughmoris posted:

I'm ripping my hair out and need some AWS VPC help.

I have a Lambda. The goal is for the Lambda to get info from a USGS Earthquake API and write to RDS. When I configure my Lambda to use my Earthquake VPC, it appears it is unable to reach the internet. The Earthquake API request never completes and the Lambda just times out. If I remove any VPC association from my Lambda config, it can make the Earthquake API call just fine.

I've tried every which way to configure my Earthquake VPC and SGs but have had zero luck. Any advice?

probably something messed up in your route tables or NAT gateway.

When I was doing something similar I followed this guide to get it all sorted (it's to get a Lambda coming from a static IP address, but it goes over setting up the NAT gateway and routes):

https://medium.com/cloud-prodigy/aws-lambda-with-static-ip-address-c82e3043c2ed

nullfunction
Jan 24, 2005

Nap Ghost

Just-In-Timeberlake posted:

probably something messed up in your route tables or NAT gateway.

It's probably this.

I went about setting this up recently, and opted for some free AMI NAT appliances over the NAT gateway option for routing Lambda traffic out of private subnets (it's cheaper and I don't need the bandwidth / scale for what I'm doing at the moment).

Assuming your Lambda is in a private subnet, you will need to create a routing table, and add an entry for the 0.0.0.0 route to the ENI of the NAT Appliance that lives in a public subnet, which has a 0.0.0.0 route to your IGW. Disable the source/destination check on the appliance to allow it to route traffic not intended for it, and it all works pretty smoothly.
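An added example (not nullfunction's or anyone else's code from the thread) that walks the default-route chain nullfunction describes: private subnet to NAT gateway or NAT instance ENI, NAT's subnet to internet gateway. The VPC data is constructed; only routing is modelled, not security groups or NACLs.

```python
"""Trace a subnet's default-route egress: private subnet -> NAT (gateway, or
an instance's ENI) in a public subnet -> internet gateway.

Added example, not code from the thread. The VPC below is constructed and
loosely mirrors describe_route_tables() output; security groups and NACLs
are not modelled, only routing.
"""

SUBNETS = {
    "subnet-lambda":     {"RouteTableId": "rtb-private-natgw"},
    "subnet-lambda-alt": {"RouteTableId": "rtb-private-natinst"},
    "subnet-public":     {"RouteTableId": "rtb-public"},
    "subnet-broken":     {"RouteTableId": "rtb-main"},  # no way out at all
}
ROUTE_TABLES = {
    "rtb-private-natgw": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
    ],
    "rtb-private-natinst": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0nat"},
    ],
    "rtb-public": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"},
    ],
    "rtb-main": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    ],
}
NAT_GATEWAYS = {"nat-0abc": {"SubnetId": "subnet-public"}}
# A NAT *instance* forwards traffic not addressed to itself, so EC2's
# source/destination check must be disabled on its ENI.
ENIS = {"eni-0nat": {"SubnetId": "subnet-public", "SourceDestCheck": False}}

ROUTE_TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId")


def default_route_target(rtb_id):
    """Return the target of the 0.0.0.0/0 route, or None if there is none."""
    for route in ROUTE_TABLES[rtb_id]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            for key in ROUTE_TARGET_KEYS:
                if key in route:
                    return route[key]
    return None


def egress_path(subnet_id, needs_nat=True, _depth=0):
    """Return (ok, hops) for internet egress from `subnet_id`.

    needs_nat=True models a Lambda ENI, which never gets a public IP: an IGW
    route alone is a dead end for it. The NAT's own subnet is checked with
    needs_nat=False, since a NAT gateway or instance carries a public IP.
    """
    hops = [subnet_id]
    if _depth > 4:
        return False, hops + ["routing loop"]
    target = default_route_target(SUBNETS[subnet_id]["RouteTableId"])
    if target is None:
        return False, hops + ["no 0.0.0.0/0 route"]
    hops.append(target)
    if target.startswith("igw-"):
        if needs_nat:
            return False, hops + ["IGW route but no public IP"]
        return True, hops
    if target.startswith("nat-"):
        nat_subnet = NAT_GATEWAYS[target]["SubnetId"]
    elif target.startswith("eni-"):
        if ENIS[target]["SourceDestCheck"]:
            return False, hops + ["source/dest check still enabled"]
        nat_subnet = ENIS[target]["SubnetId"]
    else:
        return False, hops + ["unsupported target"]
    ok, tail = egress_path(nat_subnet, needs_nat=False, _depth=_depth + 1)
    return ok, hops + tail


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(subnet, *egress_path(subnet))
```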

vanity slug
Jul 20, 2010

Hughmoris posted:

I'm ripping my hair out and need some AWS VPC help.

I have a Lambda. The goal is for the Lambda to get info from a USGS Earthquake API and write to RDS. When I configure my Lambda to use my Earthquake VPC, it appears it is unable to reach the internet. The Earthquake API request never completes and the Lambda just times out. If I remove any VPC association from my Lambda config, it can make the Earthquake API call just fine.

I've tried every which way to configure my Earthquake VPC and SGs but have had zero luck. Any advice?

Test it with VPC Reachability Analyzer.

Hughmoris
Apr 21, 2007
Let's go to the abyss!
I got it working, still unsure of what was blocking me.

To get working: I created a NAT gateway, configured it properly for my private subnet. Associated my Lambda with said private subnet, created a new SG specifically for the Lambda allowing all inbound/outbound traffic, and it works!

I saw that VPC Reachability Analyzer button. I need to watch some YouTube to see how to operate it.

BaseballPCHiker
Jan 16, 2006

Sounds like your VPC's default route didn't have a way out to the internet.

Hughmoris
Apr 21, 2007
Let's go to the abyss!

BaseballPCHiker posted:

Sounds like your VPC's default route didn't have a way out to the internet.

Yeah, very likely. I took a big step back and broke for lunch (hotdogs!) and rethought it. I realized I was greatly overthinking what I needed my Lambda to do. Came back and redesigned it, now the whole pipeline is working: Lambda -> EarthquakeAPI Data -> RDS.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
for the love of god do not use AWS’ managed gateway service. It’s insanely expensive and you can do the same thing for a fraction of the price by running your own NAT instances.

Just-In-Timeberlake
Aug 18, 2003

The Iron Rose posted:

for the love of god do not use AWS’ managed gateway service. It’s insanely expensive and you can do the same thing for a fraction of the price by running your own NAT instances.

counterpoint: I'm not paying for it so I give no fucks.


luminalflux
May 27, 2005



The Iron Rose posted:

for the love of god do not use AWS’ managed gateway service. It’s insanely expensive and you can do the same thing for a fraction of the price by running your own NAT instances.

corey quinn alt spotted
