Why is debugging IAM policies and auth issues such complete dogshit on AWS? Seriously, if you want to be a competitor, focus on this.

I've wasted hours trying to work out why I get an unauthorised error, and the official docs say to manually pick your way through the 8 or so different policies that might apply (SCPs, IAM, resource policies, etc). Yeah right.

When you eventually find the page showing how to use Athena with Cloudtrail, you discover half the requests are inexplicably missing. And even though error messages include a request ID, you can't easily query for them, if it's even possible. Maybe it is and I just haven't discovered the right athena incantation. They should make it easy to just query by request ID and get clear messages telling you what policy denied the request.

It's a total train wreck from start to finish. I guess by keeping such a shitshow they sell more support contracts though.
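An added example (not from the comment above or from AWS) of the lookup the commenter wants: given CloudTrail records, find the event for a request ID and pull the denied action, resource and reason out of its error message. The records are constructed, and the regex assumes the "User: ... is not authorized to perform: ... because ..." wording AWS uses for access-denied errors.

```python
import re
from typing import Optional

# Constructed sample CloudTrail records (not real log data). CloudTrail writes
# one JSON object per API call with these top-level field names.
SAMPLE_EVENTS = [
    {
        "eventTime": "2023-03-10T12:00:01Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
        "requestID": "REQ-EXAMPLE-0001",
        "errorCode": "AccessDenied",
        "errorMessage": ("User: arn:aws:sts::111122223333:assumed-role/app-role/i-0abc "
                         "is not authorized to perform: s3:GetObject on resource: "
                         "\"arn:aws:s3:::backups/db.dump\" because no identity-based "
                         "policy allows the s3:GetObject action"),
    },
    {
        "eventTime": "2023-03-10T12:00:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
        "requestID": "REQ-EXAMPLE-0002",
    },
]

# Matches the access-denied message format. The "because <reason>" part names
# the policy layer that blocked the call; older messages without it still match
# the actor/action/resource part.
DENY_RE = re.compile(
    r'User: (?P<actor>\S+) is not authorized to perform: (?P<action>\S+)'
    r'(?: on resource: "?(?P<resource>[^"\s]+)"?)?'
    r'(?: because (?P<reason>.+))?'
)


def explain_request(events, request_id: str) -> Optional[dict]:
    """Return a summary of the record with this request ID, or None if absent."""
    for ev in events:
        if ev.get("requestID") != request_id:
            continue
        summary = {"eventName": ev["eventName"], "errorCode": ev.get("errorCode")}
        m = DENY_RE.search(ev.get("errorMessage", ""))
        if m:
            summary.update({k: v for k, v in m.groupdict().items() if v})
        return summary
    return None


def denied_requests(events) -> list:
    """Request IDs of every call the authorisation layer rejected."""
    return [ev["requestID"] for ev in events
            if ev.get("errorCode") in ("AccessDenied", "UnauthorizedOperation")]
```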
And this is why I hate having to deal with AWS. Learning this stuff isn't technical knowledge, it's product knowledge.

I read the TCP/IP illustrated series cover to cover and learned that stuff cold, and this was useful knowledge to me for decades.

However I always find myself resisting learning this AWS stuff, which is just as complex in its own way too. This diagram makes me feel that if the goal was to simplify things, then I'm not sure how successful they were at that.
If they offered just normal global addressing + firewalling, most of this complexity would just go away.

We easily forget what the internet at the IP level is about and what problems its end-to-end architecture solves.

AWS instructed "Well-Architected (TM)" networking is really just profitable cargo cult thinking leading to complexity, mazes of 10.x networks all alike peppered by address conflicts, kludgey proxies etc when you try to get them to talk to each other, less actual security (complexity is the enemy of security), and vendor lock-in.
I think the mindmap drawn can be simplified further down into a couple of networking concepts, then most of the relationships and arrows go away, and the AWS concepts can be mapped to other clouds, and even your own home network.

https://news.ycombinator.com/item?id=18925350 is an excellent visualization of the basics. Start with what a network is, what's inside and what's outside, and the mental model becomes way easier. Then the AWS features make a lot of sense even w/o all the details.
I remember the heady early days of the cloud when AWS networking was simple.

Even then, I saw this coming, of course. There's no way to "be everything for everybody" without also duplicating the insanity that is legacy IPv4 data centre networking.

Just recently, I wanted to do something conceptually simple in Azure: NOT have the storage account with our database backups "on the Internet" for the world to poke and prod at will.

So simple! Just turn on the firewall... and oh boy...

You can whitelist only subnets. Individual subnets. One. At. A. Time. Not virtual networks. Definitely not "all" of your virtual networks, which works elsewhere perfectly fine.

Okay, fine, there's a Private Endpoint feature as well. Sure, it kills performance and costs extra, but there's nothing wrong with having this cost money, right? After all, flipping the address in some config of a software-defined-network (SDN) from "public" to "private" is hard work and the gremlins in the cloud need to be compensated.

Then, err... uh-oh. It doesn't actually work! You need to override DNS to make your clients discover it. So you plug it into your AD domain. Now your PaaS services can't access it.

Okay fine, you create a private DNS zone (which costs more money), link it to a hub network, link a DNS Resolver service to it (which costs more money), then set up a bazillion rules so that your AD domain still works, and then...

... where was I again? I started this a week ago.

Oh yeah, I just wanted to make sure Russian hackers can't access our backups if a storage key leaks.

Maybe next week I can update the subscription templates to re-deploy all the virtual networks with the updated DNS settings.

Not idempotent, you say? Maybe next year they'll have a preview?

Never mind, I hope the Russians won't get mad at us in the next few months...
This is very cool. I feel like the Google Cloud documentation does a relatively good job introducing all such complexity as you need it, but I've never seen such a complete overview for it.

(I did have to go through some effort to view the image. On the page it's too small and it's not clickable, then opening it in a new tab does some imgur-like bullshit where you don't get the image but a useless page where it is still small. I had to download the image to view it.)
This is amazing. Thanks. This also highlights how powerful mind maps / diagrams are when learning cloud products (or other concepts). I used them a lot when studying for my AWS certs and it's amazing how better my mind started understanding interlinked services when presented in a map vs a series of pages, even though I was writing extensive notes. Ofc, YMMV we all learn differently.
I don't understand all of the hate in this thread. Most of the networking systems provided by AWS are as-needed. It may not be elegant, but it gets the job done. Plus a lot of the AWS-specific components map directly to real networking concepts: AZ: cage; VPC: VLAN; PL: cross-account p2p VPN (more or less). Most everything else is normal networking constructs that you would see in a typical large-scale environment.

The company I work for has a fairly complex global network, connected at many of our PoPs to AWS via DX. We utilize all of what you see in this diagram and each component serves a well-defined purpose.

If this diagram looks overly complex to you, it's likely because you either aren't utilizing all of these, or at least not for their intended purpose, or you aren't a network engineer.
Can someone actually read the image? I'm on desktop and I can't get it in a readable resolution. https://miparnisariblog.files.wordpress.com/2023/03/aws-networking-1.png is still a web page and the image is, sure, larger, but no more legible. :(
This seems so crazily complex! I know only GCP of the three large Cloud vendors, where networking sure isn't trivial, but still somewhat straightforward and consistent.

Can someone with more multi-Cloud experience chime in and comment on how the big three compare in terms of it being easy or complex to set up internal and external communication?
I honestly don't know how anyone can use AWS properly without some kind of IAC. For me it's terraform and I swear AWS will update one small thing and we end up chasing down the most frustrating issues in the infrastructure.

It's made all that much worse by how awful their documentation is on most of their services too.
Does anyone remember early AWS networking?

- Flat! Yes, you shared with other AWS customers. Was great to make sure security was turned on (you could watch folks scanning internally, at least that's my memory). This made it dirt simple, anything could connect with anything, even cross account.

- EC2 instances were the key items in the flat network (they switched to things like interfaces now which add lots of possible complexity - diagram is missing this).

- One private, one public IP address (if desired). Simples.

The whole security story with all the layered possible permissions is crazy now. And the org->account model is clunky with a root account login. I think GCP gets this part better with its project model FWIW. That said, I don't discount what AWS provides.
your diagram is actually insanely useful. they churn out a lot of products but as a user - things are very broken and documentation cannot keep up with it
There is a major flaw in placement of the EC2 instance in this diagram.<p>Each EC2 instance has 1 or more Network Interfaces, where each Network Interface resides in 1 subnet and can have multiple public and private IP addresses. The diagram currently suggests that an EC2 instance is located in a single subnet — it’s not. Each Network Interface connected to an EC2 instance is only required to be in the same Availability Zone where the instance was launched.
I had a skim through and I think AWS Cloud WAN is missing: https://aws.amazon.com/cloud-wan/

It's like a layer on some of these concepts, but also its own thing that could sit alongside. You can connect AWS and non-AWS things into a network and segment them and define where traffic can flow from/to.
Anyone else having trouble getting that diagram to a viewable size?

If I "open image in new tab", I get another wp site that zooms everything but the image.
It already went way too far and consider, the outcome will impact all of us. Now we have to ask an Artificial Intelligence to simplify the complexity of getting a footstep in a Cloud Hosting Platform like Google, Amazon or Microsoft. I don't know if this is desirable.
It's interesting to see how they are piling up complexity as time passes. Sad to discover new features varnished by marketing terms that on the technical side attempt to fix the problems arising from previous solutions and narrow and struggle the ways to use them.
All these comments plus the new frameworks coming out like SST just go to show most people want a simpler interface to AWS services. I wonder if AWS will provide this themselves or if we’ll always need 3rd parties to do so.
AWS copilot has been very useful for me. It's their cli that tries to simplify integration (and give useful defaults) when you are setting up these services.

I recommend it for anyone who is starting to get into AWS.
The cloud is a big sham. It's a lot more expensive than real hardware, without the control, and with the requirement to go through a maze of inane virtual layers.

It's also comically slow and inefficient.
Nice diagram putting it all together. The proliferation of networking features in VPC over the years has been significant and at times confusing, and I work on VPC ;-)
Incidental, but when did this start that some websites when clicking the link for "open image in new tab" (https://miparnisariblog.files.wordpress.com/2023/03/aws-networking-1.png) actually return a new html page showing some useless bullshit around the image, so that I have to download it to actually view it large? This is super annoying. Breaking the default behavior of the browser on purpose is just user-hostile behavior.