AWS mistakes to avoid

Full disclosure: I work for Linode and I am super biased. This is my own opinion etc etc<p>Perhaps the first AWS mistake you might make is... using AWS? Even before I started at Linode, I thought it was terrible. It&#x27;s extremely, unreasonably pricey. The UI is terrible. Their offerings are availble elsewhere. I started MediaCrush, a now-defunct media hosting website, on AWS. After a while, we switched to dedicated hosting (really sexy servers). We were looking at $250 a month and scaled up to millions of visitors per day! I ran our bandwidth and CPU usage and such numbers through the AWS price calculator a while ago - over $20,000 per month. AWS is a racket. It seems to me like the easiest way to burn through your new startup&#x27;s seed money real fast.<p>Edit: not trying to sell you on Linode, just disclosing that I work there. There are lots of options, just do the research before you reach for AWS.

You know what I&#x27;ve realized that&#x27;s really important. More AWS tutorials is really needed. There&#x27;s numerous of new programmers who want to learn AWS, but can&#x27;t finish building anything because they get buried in documentation.<p>I find there are a lot of high-level abstracted tutorials, but for the new services, there aren&#x27;t a lot of detailed tutorials.<p>For instance, an implemented cognito-&gt;gateway-&gt;lambda-&gt;dynamodb is really hard for a newbie to do.

<i>&gt; There is no reason - beside manually managed infrastructure - to not decrease the instance size (number of machines or c3.xlarge to c3.large) if you realize that your EC2 instances are underutilized.</i><p>CPU&#x2F;Memory aren&#x27;t the only measures of underutilization. If you require high instantaneous bandwidth throughput, then the networking capacity available to your instance roughly increases with the size of your instance. This includes both EBS as well as other Network traffic.<p>Table with Low&#x2F;Medium&#x2F;High: <a href="https:&#x2F;&#x2F;aws.amazon.com&#x2F;ec2&#x2F;instance-types&#x2F;#instance-type-matrix" rel="nofollow">https:&#x2F;&#x2F;aws.amazon.com&#x2F;ec2&#x2F;instance-types&#x2F;#instance-type-mat...</a><p>Example benchmark with c3 instances: <a href="http:&#x2F;&#x2F;blog.flux7.com&#x2F;blogs&#x2F;benchmarks&#x2F;benchmarking-network-performance-analysis-of-c3-instances-using-iperf-tool" rel="nofollow">http:&#x2F;&#x2F;blog.flux7.com&#x2F;blogs&#x2F;benchmarks&#x2F;benchmarking-network-...</a><p>If you&#x27;re more concerned with just EBS network throughput, check out the table on this page instead: <a href="https:&#x2F;&#x2F;docs.aws.amazon.com&#x2F;AWSEC2&#x2F;latest&#x2F;UserGuide&#x2F;ebs-ec2-config.html" rel="nofollow">https:&#x2F;&#x2F;docs.aws.amazon.com&#x2F;AWSEC2&#x2F;latest&#x2F;UserGuide&#x2F;ebs-ec2-...</a>

I&#x27;d like to add, if using Elastic Beanstalk, don&#x27;t directly attach an RDS instance when creating the environment. If you do, you won&#x27;t be able to destroy your environment without also deleting the RDS instance. Instead, create the RDS instance separately, and just add the proper security group for the environment to be able to access the host. Then you can easily create a new eb environment with any config changes (there are some config changes you can&#x27;t make to an eb environment without creating a new one from scratch) and then connect to your existing db.

Another, somewhat obvious one:<p>Be extremely careful when using public customized AMIs, a lot of times ~&#x2F;.ssh&#x2F;authorized_hosts contains public keys and this is obviously a huge security problem

I like CloudFormation. Unfortunately it is very unwieldy to write CloudFormation templates directly, and we&#x27;re not about to start using the AWS CFN GUI editor!<p>It seems like the assembly of the AWS ecosystem.<p>Does anyone else have a favourite hammer for this particular nail? I&#x27;d love to have something better than our home-baked solution, but I&#x27;m yet to find anything which doesn&#x27;t introduce other flaws, such as an incomplete implementation (missing parameters or resource types) or ultimately making a leaky abstraction on top of CloudFormation somehow.<p>I ended up brewing a reasonably straightforward solution using Python as a (minimal) DSL which emits JSON. Its primary purpose is to support <i>the whole</i> of the CFN ecosystem (not just implement some small part of EC2, for instance) while also not trying to be too clever.<p>It has about 50-100 lines of python which implements helper functions such as ref(), join() and load_user_data(), and not many other things. There is an almost 1-to-1 correspondence between the generated CFN configuration and the python source. As a bonus it checks for a few common mistakes like broken refs or parameters which aren&#x27;t used.<p>I have heard that similar solutions have been reinvented in a few places, including the BBC. But I&#x27;m yet to see a good public solution!

Also, dont use Dynamo unless you have a really good reason. &quot;It scales better than MySQL&quot; is not a good reason.<p>Have fun migrating data and re-indexing constantly!

My huge recommendation is to put production instances in a completely seperate region than development and staging instances. I actually just discovered that you can limit IAM API keys to a specific region, you just need to create a custom policy. The following policy is an example:<p><pre><code> { &quot;Version&quot;: &quot;2012-10-17&quot;, &quot;Statement&quot;: [ { &quot;Sid&quot;: &quot;SOME-ID-HERE&quot;, &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: [ &quot;ec2:*&quot; ], &quot;Condition&quot;: { &quot;StringEquals&quot;: { &quot;ec2:Region&quot;: &quot;us-west-2&quot; } }, &quot;Resource&quot;: [ &quot;*&quot; ] } ] }</code></pre>

The biggest mistake I&#x27;ve seen with AWS (and committed myself), is not reading the manuals for the services you&#x27;re using. While some people complain about the AWS manuals not being complete, there is still a lot of good information in there that you might miss if you&#x27;re just clicking through the console.

I wonder if AWS is a good location to run a VoIP server. VoIP is a real time application that is very prone to jitter, latency and packet loss. I&#x27;m concerned about &quot;noisy neighbors&quot; and decreased network performance at AWS.<p>Does anybody have experience with running a VoIP (e. g. Asterisk) on AWS?

I second the recommendation to use CloudFormation + packer + ELBs + auto scaling groups for web applications whenever possible, it just makes everything so easy and automatic. Of course, there&#x27;s a learning curve and you pay a premium for all that automation, but in my experience it has been usually worth it so far.

I wonder when Amazon is going to invest their ungodly earnings into UX. Their UI is absolutely terrible and I shudder every time I have to log into it. Is it purposely built that way to confuse people who don&#x27;t belong in there?

Use OpsWorks if possible. It&#x27;s free and provides a simple interface that allows you to deploy&#x2F;upgrade your apps automatically and monitors your instances automatically using CloudWatch.

Check out <a href="http:&#x2F;&#x2F;convox.com&#x2F;" rel="nofollow">http:&#x2F;&#x2F;convox.com&#x2F;</a> (YC S15) for an alternative to avoiding manual infrastructure.

So I&#x27;d modify these a bit. We run a very large AWS infrastructure as a engineering team (no dedicated ops).<p>1. Use CloudFormation only for infrastructure that largely doesn&#x27;t change. Like VPC&#x27;s, subnets&#x2F; internet gateways etc. Do not use it for your instances &#x2F; databases etc, I can&#x27;t recommend that enough, you&#x27;ll get into a place where updating them is risky. We have a regional migration (like database migrations) that runs in each region we deploy to that sets up ASG, RDS etc. It allows us control over how things change. If we need to change a launch conf etc.<p>2. Use auto-scaling groups in your stateless front ends that don&#x27;t have really bursty loads, it isn&#x27;t responsive enough for really sharp spikes (though not much is). Otherwise do your own cluster management if you can (though you should probably default to autoscaling if you can&#x27;t make a strong case not to use it).<p>3. Use different accounts for dev &#x2F; qa &#x2F; prod etc. Not just different regions. Force yourself to put in the correct automation to bootstrap yourself into a new account &#x2F; region (we run in 5 regions in prod, and 3 in qa, and having automation is a lifesaver).<p>4. Don&#x27;t use ip addresses for things if you can help it, just create a private hosted zone in Route53 and map it that way.<p>5. Use instance roles, and in dev force devs to put their credentials in a place where they get picked up by the provider chain, don&#x27;t get into a place where you are copying creds everywhere, assume they&#x27;ll get picked up from the environment.<p>6. Don&#x27;t use DynamoDB (or any non-relational store) until oyu have to (even though it is great), RDS is a great service and you should stick with it as long as you can (you can make it scale a long way with the correct architecture and bumping instance sizes is easy). IMO a relational store is more flexible than others since you (at least with postgres) get transactional guarantees on DDL operations, so it makes it easier to build in correct migration logic.<p>6. If you are using cloudformation, use troposphere: <a href="https:&#x2F;&#x2F;github.com&#x2F;cloudtools&#x2F;troposphere" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;cloudtools&#x2F;troposphere</a><p>7. Understand what instances need internet access and which ones don&#x27;t, so you can either give them public ips, or put in a NAT. Sometimes security teams get grumpy (for good reason) when you open up machines that don&#x27;t need to be to the internet, even if its just outbound.<p>8. Set up ELB logging, and pay attention to CloudTrail.<p>9. We use Cloudwatch Logs, it has its warts (and its a bit expensive), but it&#x27;s better than a lot of the infrastructure you see out there (we don&#x27;t generally index our logs, we just need them to be able to be viewed in a browser and exported for grep). It&#x27;s also easy to get started with, just make sure your date formats are correct.<p>10. By default, stripe yourself across AZs if possible (and its almost always possible). Don&#x27;t leave it for later, take the pain up front, you&#x27;ll be happy about it later.<p>11. Don&#x27;t try and be multi-region if you can at first, just replicate your infrastructure into different regions (other than users &#x2F; accounts etc.). People get hung up on being able to flip back and forth between regions, and its usually not necessary.<p>edit: Track everything in cloudwatch, everything.

I work in a team that uses quite a lot of AWS for various reasons beyond cost. We also use various other clouds too, depending on needs of a specific project or situation. Our experience with cloud is that it is a journey. Obviously, coupled with DevOps tooling, it’d allowed us to deal with environment requirements at the speed of software, i.e. Infrastructure as Code and all. One thing we find ourselves doing over and over is changing the infrastructure, either because requirements change, new cloud services are launched and its useful to us or simply because we find more efficient ways of running cloud resources (Trusted Advisor helps).<p>We’d built a tool called Liquid Sky (<a href="https:&#x2F;&#x2F;liquidsky.singtel-labs.com" rel="nofollow">https:&#x2F;&#x2F;liquidsky.singtel-labs.com</a>) to help us keep track of the cost impact of the changes we make constantly. I did mention that we use cloud for reasons beyond cost, but we definitely still want to know that we’re sensible and maximise cost efficiency as well, its just another (important) factor. Because we change our cloud resources so frequently, we didn’t want to make it a very rigid process when dealing with the sensibilities of cloud cost. Hence, we’d built Liquid Sky in a way that gives our engineers the freedom to explore better way of running things on the cloud while keeping cost in check as well as keeping the team (including cost guardians) in the loop.

Nice article, I am working in a small company (Beintoo) dice september 2015 and we use AWS here. I think is a very interesting set if products and you can build any kind of business. For sure the advices given in the article are really useful, in fact I will apply them at my job place.<p>About comparison with other services, I was working in Deloitte Analytics before, managing the cloud services provided by IBM Softlayer. You cannot compare them, AWS offers many more and I was not really satisfied with SoftLayer, for example I had a problem with a network upgrade they did on January 2014 and I have lost a lot of data, with poor support to restore it. Also the starting price of 25$ per month is really expensive. AWS is far more mature and interesting.<p>Then for my own servers I use CloudAtCost cause is cheaper but if I run a business for sure I would go with AWS. If you gain money, is not that expensive and if you stick with Amazon advices and philosophy is very reliable.

I&#x27;ll add one that was especially common for people coming off the year of free tier a couple years ago. I&#x27;m not sure that AWS has changed it yet.<p>6. Not starting a box&#x2F;instance&#x2F;database and forgetting it&#x27;s running until you receive the bill after your free tier expires.

I warmly recommend the Serverless framework for building basic web applications on AWS. It handles CloudFormation details for you, but lets you customize them if needed. Not suitable for every possible app though.

This might be the wrong place to ask, but I&#x27;m curious how people feel Azure stacks up to AWS? The services seem comparable (maybe even nicer), but I&#x27;m unclear how it compares on cost.

I don&#x27;t get all the complaints about AWS prices. I just spun up a 60 node Spark cluster with over 5TB of memory, processed 100B data records, and spent $5.50!

As there&#x27;s too much push to Terraform, which I personally dislike due to many opinionated features and the marketing push to cover as many services as possible and not do one thing and do it great (AWS), you can look at Bazaarvoice&#x27;s CloudFormation Ruby DSL [0].<p>[0]: <a href="https:&#x2F;&#x2F;github.com&#x2F;bazaarvoice&#x2F;cloudformation-ruby-dsl" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;bazaarvoice&#x2F;cloudformation-ruby-dsl</a>

Personally never quite got the appeal for EC2. You&#x27;re basically replicating what you would be doing on physical servers anyway. The real productivity gains come from using a fully managed PaaS (Heroku, Azure Web Apps, Google App Engine, OpenShift etc.) where there is no maintenance and scaling and redundancy is taken care for you. Granted those are even more expensive but they are the only ones that provide any kind of value.

I find IAM particularly difficult to use - I feel like there should be a button to create a user&#x2F;group that can do only X, Y, Z. I realise policy templates get most of the way there but I still had to go and read the syntax for them because DescribeRegions wasn&#x27;t in the list I needed.<p>I&#x27;m also not sure how to make the jump from exporting AWS_ACCESS_KEY_ID and having my instances automatically request the permissions they need - STS?

I&#x27;d like to add two more:<p><pre><code> 1) Not giving out your access and secret keys in scripts&#x2F;buckets. 2) Always using IAM roles with your EC2</code></pre>

What are the current ways to make creating CloudFormation templates not so painful?

From the article: &quot;The biggest problem with Auto Scaling Groups is that people assume that they are about auto scaling which they are not!&quot;<p>Hmm... Then maybe the biggest problem with them is actually that they are misnamed?

Has anyone tried the Trusted Advisor feature out? Have you found it worth the 3-10% on top of existing monthly usage?

Something major is missing:<p>Running Demand instances instead of Reserved

&gt; <i>There is no reason why you should manage your infrastructure manually. It&#x27;s unprofessional! It&#x27;s a mess!</i><p>Nonsense. Cloudformation has it&#x27;s issues. It takes time to learn and implement. The templates can break, requiring the stack to be destroyed and remade. In the sample in the article, the database is in the same template as everything else - what fun that will be when an update breaks the template and you have to reapply the stack (which destroys the existing database).<p>Cloudformation is good, but it comes with caveats, and the idea that you should <i>only</i> manage an AWS stack with CF is utter tripe. As with everything, it depends on your use case.<p>Also weird is the article&#x27;s demand of using autoscaling groups to monitor single instances. Why not just monitor them directly with cloudwatch?<p>&gt; <i>There is no reason - beside manually managed infrastructure - to not decrease the instance size (number of machines or c3.xlarge to c3.large) if you realize that your EC2 instances are underutilized.</i><p>This is wrong, too. Autoscaling takes time to scale up, and it scales up in stages. If you get sudden traffic, autoscaling can take too long. Again, it&#x27;s about knowing your use case. Unfortunately for us, we can get sudden traffic when one of our clients does a media release and they don&#x27;t tell us ahead of time, The five or so minutes it takes for instances to trigger the warning, start up a new set, and then attach these to a load balancer is too long for this particular use case, so we just have to run with a certain amount of excess capacity.<p>Autoscaling is awesome, but this article is <i>way</i> too didactic in it&#x27;s No True Scotsman approach.

I attended aws workshop, several years ago, there I realized, that this vast ecosystem of infrastructure services require a popularisation effort of similar scale. And not just in plain English. IAM that days was not very clearly understandable, search supported only ascii and was not really documented, now that ecosystem is in order of magnitude larger and more complex. And efforts like cloudonaut&#x27;s should be greatly appreciated. For the greater public good. Thank you, man!