A Surprise AWS Bill

240 points by oaf357, almost 5 years ago

48 comments

stefan_, almost 5 years ago
That's a whole lot of text for "I had a 14 GiB VM image publicly linked and people discovered it", and none of it has much to do with AWS or Cloudflare.

Presumably the author would do much better with a VM or something from OVH, they'll just shut you off or limit you before it becomes a problem (not that they would care about 30 TiB).

dahdum, almost 5 years ago
From the article:

> Cloudflare was the least helpful service I could have imagined given the circumstances. A long term user and on and off customer thinks they were attacked for two days and you don’t lift a finger?

> File this under, “Things I should’ve known but didn’t.” Did you know that “The maximum file size Cloudflare’s CDN caches is 512MB for Free, Pro, and Business customers and 5GB for Enterprise customers.” That’s right, Cloudflare saw requests for a 13.7 GB file and sent them straight to origin every time BY DESIGN.

I don't really see how Cloudflare has much blame here. He's an "on and off customer" which I'm guessing means currently "off". They only cache a limited number of file extensions (qcow2 isn't one of them), and it's all documented.

AWS always seems pretty generous in resolving these cases at least.

ta1234567890, almost 5 years ago
Off topic but on the same line. One of the most annoying things about being a consumer in the US is the ubiquitous unknown-until-last-minute pricing.

You rent a car, you don't know what the total is going to be. You go to the hospital, you don't know how much you're going to have to pay. You book a hotel and don't know the total until you check out. You go to a restaurant and even if you order just one thing and saw the exact price on the menu, that's not going to be the total. You go to the grocery store, see all the prices on the items, add them up, and then when you go pay, surprise!

clarkevans, almost 5 years ago
> Now that I’m aware of the 512 MB file limit at Cloudflare, I am moving other larger files in that bucket to archive.org for now (and will add them to my supported Causes).

...

> I don’t feel like archive.org should be my site’s dumping ground since it can turn a profit if it gets popular. archive.org is a stop-gap for two files for the time being.

I'm trying to understand... he has decided to burden a charity with his distribution expenses?

HugThem, almost 5 years ago
Summary:

He published a 14GB file and one day there were 2700 downloads resulting in ~30 Terabyte of traffic.

He had the file behind CloudFlare, but since CloudFlare does not cache files larger than 512MB, all the traffic went to his S3 bucket and Amazon billed him $2700 for that.

RKearney, almost 5 years ago
CloudFlare's TOS is clear on using the service to serve up 13.7GB files.

https://www.cloudflare.com/terms/

2.8 Limitation on Serving Non-HTML Content

[...] Use of the Service for serving video (unless purchased separately as a Paid Service) or a disproportionate percentage of pictures, audio files, or other non-HTML content, is prohibited.

So 500MB limit or not, the author is already violating CloudFlare's terms of service.

saddlerustle, almost 5 years ago
Amazon gets away with high bandwidth pricing because almost all their customers are businesses with high revenue per byte served. If you want to serve large assets economically you have to look elsewhere.

Bandwidth on Oracle Cloud is $0.0085/GB with the first 10TB free each month, so this would have cost only $170. Alternatively bandwidth on Backblaze B2 costs $0.01/GB, but is free out to Cloudflare, so this traffic would have been completely free.

schmichael, almost 5 years ago
The fact that the cloud allows hobbyists, small businesses, and massive enterprises ~equal access to services is amazing.

However it means sometimes things like this happen where a product’s incentives (serve any content at any cost) are wildly misaligned with a huge percentage of users' needs (I’d rather my site, or preferably just the costly resource, be down than pay $2k).

There’s endless tuning non-enterprises can do to get our ideal behavior: but that’s the difference between pre-cloud and post-cloud computing. It used to take monumental effort to build high scale high availability systems. Your $5/mo Dreamhost site would just die under load instead of charging you thousands. Now enterprise use cases are supported by default and it takes careful tuning to opt out.

wonderlg, almost 5 years ago
I think the main problem is that there isn’t an easy way to set a *hard* monthly limit on these services.

I use a bunch of “freemium” services like S3 and Google Maps API and I’ve never paid a penny. I use them *because* they don’t cost a penny for my very limited usage, but I’m not looking forward to the day I mistakenly and disastrously exceed their free tier.

jrott, almost 5 years ago
This is the nightmare scenario with a personal AWS account. AWS billing setup makes it impossible to know that there is a giant bill until after the fact. I wish there was some way to limit the bill and just have everything shut down at that point for hobby projects.

social_quotient, almost 5 years ago
AWS is an amazing service and in our past been very accommodating for surprises as long as it seems we know what we are doing and are going to mitigate the cause. I’ve rarely seen this allegiance to the “customer” by an enterprise company. They really do care and they figured out the recipe to make caring scale.

What’s odd is the touch points are cold. Ticket system support, phone call back etc. It feels like it’s going to be robotic canned replies but they figured out a way to make the people on the other side smart enough to understand the issue, empowered enough to do something about it, empathetic enough to want to resolve things “fairly”.

devwastaken, almost 5 years ago
Cloud services need to have cost caps, plain and simple. This isn't Cloudflare's fault, it's Amazon's, and it's the author's. Cloudflare should be detecting overall data transfer, but there's plenty of cases where terabytes of traffic is entirely expected. We know Amazon won't fix their service, so perhaps Cloudflare could implement bandwidth limits.

hasenpfote, almost 5 years ago
I have said it over and over and will repeat it happily:

If your services don't have a proper limit, you do make yourself suddenly liable to a much higher risk than before and you have to be aware of this.

It is the same shit when you rent a car: Do NEVER rent a car without proper insurance.

I'm working with GCP professionally and I have used AWS in the prev company. I do ask my manager if I can use it to try a few things out and it's fine but I will not put my credit card behind an account with unlimited cost risk (it's limited probably but you know what I mean).

And it's not even simple; everything costs you money. Storing data, receiving data, pushing data, making API requests etc.

And what I find always quite surprising: how often people, even on HN, present simple file based APIs where you can upload images and edit them or upload files and download them again or offering free services and that with AWS as a backend.

I just might be too long in this industry to see all those pitfalls of exploits and risks everywhere but I have the feeling that obvious respect against cloud service billing is neglected by most.

hoppla, almost 5 years ago
When I was first looking at AWS, I received a billing prediction alert that was ridiculously high. I could not find the culprit (I only had an EC2 instance and some other random services I looked into). In the end I deleted my account, to avoid this unexplainable billing. Next day, I got an email saying I erroneously got the alert. Damage was already done, but at that time, I was only exploring what the cloud had to offer, so no real damage done.... until a couple years later when I had to do some real AWS for my work. Because I deleted/disabled my account, I cannot reopen an account with the same email address.

rytrix, almost 5 years ago
Everything is always crystal clear in hindsight, that being said I always tell my clients to set up billing alarms as one of their first tasks when getting started on AWS. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html

prepend, almost 5 years ago
It’s always frustrated me how it’s not possible to set a quota and turn off services at quota.

Logistically I know this is hard for water or power, but it should be feasible for cloud computing. But I think this is an area where it’s not in AWS’ interest to set up that kind of billing control.

gchamonlive, almost 5 years ago
I think it is underestimated how complicated it is to deal with cloud services. You can do a lot with minimal training and doc reading. But these holes in the formal understanding of how everything operates create these kinds of vulnerabilities.

Everything can have side effects in the cloud. You can set up a cheap EC2 type T feet, and without managing your CPU usage, be charged a fair amount in unlimited burst credits (which is the default for Terraform for instance).

You can quickly set up a WordPress instance with CloudFront and an invalidation plug-in and be charged 6000 USD inadvertently (https://wordpress.org/support/topic/amazon-cloudfront-invalidations/)

You can set up Lambda triggers and quickly do a proof of concept for an app, but forget to correctly dimension your mem usage and be charged more than you need.

Cloud requires careful policy and topology consideration. There are many simple blocks that form a complex mesh with opaque observability of potential vulnerabilities in both access and billing. Cloud is nice but it requires time and care. And with the shared responsibility model, you are responsible for that.

ryanmarsh, almost 5 years ago
Saw the mention of PTSD and running towards danger and immediately thought, “oh nice hopefully I’ve found a kindred spirit”. This matters because I share little in common with my peers in this field. So I read Chris’ About page and...

Do any other (combat) veterans smell something wrong with an Air Force Tech Controller (3C2X1) making statements like *“like back in the old days, when something would go bang or boom, and I’d run towards it”* in a civilian venue? You know exactly what I mean, and we see it all the time.

If you aren’t a veteran, especially with a job even remotely related to “running towards things that go boom” please just give us some space on this one. Thanks.

namidark, almost 5 years ago
AWS bills are un-auditable. I'm convinced every org is being over-charged for bugs in their billing and tracking software. I've asked on multiple occasions where charges randomly started appearing (despite no infra changes), which weren't there the month before, and no one was able to answer on the AWS support side.

knorker, almost 5 years ago
Summary:

1. The big cloud providers charge enormously for outgoing bandwidth. Most of us know this, but unfortunately it bites people a lot.
2. If you host big files on these clouds with no limits or warnings, it's just a matter of time before this happens to you.

This is why I don't run hobby things on these clouds. Any hobby project may have backends and services running on them, but NEVER anything user-accessible such as a webserver, S3/GCS bucket, or similar. It's just too much of a "click here to bankrupt me".

For a business it's a different matter. You are making money, and you're spending money to do so. You still need to have a DDoS plan for your outgoing traffic, but it's much easier to solve these problems if you have revenue. Revenue buys time and people.

sunilkumarc, almost 5 years ago
Nicely written article. Interesting and one should definitely be aware of how certain services are charged before using them. This would be a good lesson for all of us :)

On a different note, recently I was looking to learn AWS concepts through online courses. After so much research I finally found this e-book on Gumroad which is written by Daniel Vassallo who has worked in the AWS team for 10+ years. I found this e-book very helpful as a beginner.

This book covers most of the topics that you need to learn to get started:

If someone is interested, here's the link: https://gumroad.com/a/238777459/MsVlG

I highly recommend buying this e-book if you think AWS documentation is overwhelming.

Ciantic, almost 5 years ago
This is the reason I liked Azure as I used it a few years back. One could set like a prepaid plan, and there was no way to overspend it accidentally.

Of course it is not ideal for companies who need their services to be available at all cost, but for home users it's a nice guarantee.

rubenhak, almost 5 years ago
Not directly related to S3 traffic bill, but overall cloud cost management. Maybe some are unintentional, but still very painful. My experience with AWS & GCP.

- AWS CloudWatch: expensive service, virtually unusable, hard to turn it off.

- AWS overall: finding and cleaning up resources is messy. The order of creating & cleanup is not same. Closing an account is a painful process. GCP Project structure is way easier.

- AWS EKS: You create a cluster, then a node group. Deleting a cluster fails if there is a node group. You go ahead to delete a node group, it complains because of "dependencies". While you're randomly looking for a "dependency" the $ clock is still ticking. You should delete the network interface before you could delete the node group, and only then the cluster. This does not make sense because if the network interface was created implicitly by the node group, I should not be responsible for deleting the network interface. There should be a symmetry in create/delete operations.

- GCP GKE: You create a cluster, then delete it. Cluster gets deleted - kudos, usability much better than with AWS EKS. But it turns out lots of LoadBalancers and Firewall rules are left over and still appear on the cloud bill. Those are implicitly created and should be cleaned up implicitly by GKE.

ricardo81, almost 5 years ago
Maybe missed it, but I didn't see which plan he was using with Cloudflare, in context of his comments about their support.

BrandoElFollito, almost 5 years ago
I asked AWS to set a limit on my spending. They said that they did not want to do that "not to break my business".

I want them to - I do not care if my site is offline vs. having to pay a huge bill. That should be a choice.

So I moved away from AWS. It is crazy that companies agree to such a racket (not the pricing - but the fact that you cannot set a limit).

I considered using a virtual card with a limit on it - they could not grab more than the limit and just sue me across the pond or remove my account. But I refuse to play these games with a company who does not give a shit about billing.

logicallee, almost 5 years ago
I think this is a very common occurrence!

A good alternative to this ever-present risk is to use a dedicated virtual private server that is unmetered. This would make mistakes like this (and yes, it is a mistake - it is his fault he didn't read the Cloudflare details and publicly served a large VM image) impossible.

Here is my referral code for the one I use[1]:

https://crm.vpscheap.net/aff.php?aff=15

This also (especially) applies to startups that might suddenly take off at any moment (but don't expect to.) AWS is a ticking time bomb of unexpected charges. You never know what the Internet will bring you. Go for an unmetered VPS and have 1 single well-defined charge that doesn't change. That's what I do on my side projects.

[1] I previously asked Dan, the moderator here, if I can share in this way and he said it's okay. I don't have other affiliation with that company and have found it good. The last time I posted this I got 80 visitors and no complaints (and got upvotes), so I figure it is a good resource for people.

SergeAx, almost 5 years ago
> Moving it back to AWS from GCP bumped the AWS bill to an average of $23/month. Not too bad given the site’s traffic.

I've checked the traffic, it was 2.3k users for entire June, like 75 users per day on average. It is effectively nothing, why does the author think it's okay to pay 1 cent per user per month to a hosting provider? A $5/mo VPS can handle two orders of magnitude more.

Artur96, almost 5 years ago
This is why billing alerts are mega important to set up

tgsovlerkhgsel, almost 5 years ago
This is why I'm deathly afraid of using any major cloud provider.

External traffic is effectively unlimited, and a number of possible reasons (popularity, misconfigured script pulling something in a loop, someone intentionally generating traffic to hurt me) have the possibility to throw me into arbitrary amounts of debt, with the only recourse being hope that the cloud provider will be merciful.

Even if I have alerts set up: someone pulling 10 Gbit/s can generate over 100 TB per day, at $80-100 per TB. If I don't check my e-mails for a weekend, I can be $30k in the hole before I notice.

Edd314159, almost 5 years ago
I racked up a $120K+ Google Cloud bill via an unsupervised and poorly-coded script which used the geo coding API. It didn’t take much to get Google to waive it. This happens all the time I’m sure

nix23, almost 5 years ago
For a private person it's much better to use something like a private VM or a dedicated server, from Vultr or 1984hosting (Iceland) you can get a VM for just 2.50$ (only IPv6) or 5$ (IPv4 and 6) or a dedicated server from Hetzner, OVH, Scaleway (Arm64) for like 30$, some have unlimited traffic (mostly the dedicated servers) with a 1Gbit connection. NEVER use stuff you have to pay without knowing what's coming (counts for private use and small business)

ColdHeat, almost 5 years ago
DigitalOcean's S3 offering probably would've kept this bill down a bit. Probably about $300 versus $2000.

https://www.digitalocean.com/docs/spaces/#bandwidth

Digital Ocean may not be the best cloud platform but it's fairly cost effective.

tjoff, almost 5 years ago
Can someone argue that the complexity of the cloud does not easily surpass the time and effort of just setting it up yourself? And for once all of that time and effort into setting it up is actually valuable and you get much better insights into your own operations.

And the alternative is paying someone to lock you into their ecosystem.

Are we really *that* lazy?

vmception, almost 5 years ago
I had a $190,000 AWS bill for an account only used for static S3 hosting.

And guess what, I didn't write a blog post about it. I just went to support, said remove the charges, they identified the services that created the issue so I could kill them, and they removed the charge.

Look at that, no fanfare. I had no emotion about it whatsoever. Maturity.

pavelevst, almost 5 years ago
Good reminder to everyone including myself to use services that have budget alerts or spike protection. And to stay away from AWS, even 23$ for static website hosting is a bit too much in 2020. At fairly priced hosting without fancy name, 30tb traffic can cost <10$

reedwolf, almost 5 years ago
Much better incident:

https://www.reddit.com/r/aws/comments/g1ve18/i_am_charged_60k_on_aws_without_using_anything/

Borlands, almost 5 years ago
Copying a 12GB file and sharing it publicly on S3 (how does AWS make money with S3, anyone care to answer?). I agree it’s expensive, maybe outrageously expensive. It’s great he got a refund! Not so many would be that lucky. And we can all learn

zxcvbn4038, almost 5 years ago
The article shows again the importance of reaching out to AWS support for issues like this, they would rather have a long term customer than a one time score, they are really forgiving of one time mistakes.

dvfjsdhgfv, almost 5 years ago
> Praise Twitter for at least its ability to draw attention to things. I am not sure this would’ve ended up as well as it did without it.

This is another bad aspect of these stories.

afterwalk, almost 5 years ago
I wonder if AWS would have given the same refund if the author wasn’t a cloud evangelist with a Twitter following highly relevant to AWS.

Sphax, almost 5 years ago
Am I reading this wrong or the site's traffic is almost always under 1000 page views per day?

Why would you need AWS or Cloudflare to serve that?

chmod775, almost 5 years ago
It would've literally been cheaper to burn that file to a few thousand DVDs and mail them to individual people.

Nice pricing AWS.

voltagex_, almost 5 years ago
So what do you do if you want to host a file on the Internet but don't have $2000USD kicking around?

SeriousM, almost 5 years ago
The title is a clickbait.

aaronchall, almost 5 years ago
How's Linode on this sort of thing?

9nGQluzmnq3M, almost 5 years ago
TL;DR: Don't leave 10+ GB VM images open to the world on S3 unless you want to pay everybody's bandwidth bills when they spin up a new instance using them. And set up billing alerts!

jabo, almost 5 years ago
> The primary motivation was that Google had so intertwined GSuite and GCP IAM that it became overly confusing.

Glad I’m not the only one confused by this.

johnklos, almost 5 years ago
Does Amazon not have... logging?
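
Added example, not part of the thread or the linked article: S3 server access logs do record bytes sent per request, so the egress pattern summarized above can be spotted by totalling successful GETs per object and flagging objects larger than the 512 MB Cloudflare cache limit quoted in the thread. The log records are constructed, and the $0.09/GB rate, decimal gigabytes and the names `egress_report` and `to_int` are assumptions for illustration.

```python
import re
from collections import defaultdict

CACHE_LIMIT = 512 * 1024 * 1024  # Cloudflare cache size limit quoted in the thread
RATE_PER_GB = 0.09               # ASSUMED egress price in USD per GB; use your own rate

# Leading fields of an S3 server access log record, up to "object size".
LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'(?:"[^"]*"|-) (?P<status>\S+) (?P<error>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+)'
)

# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
OWNERID example-bucket [25/Jul/2020:10:00:01 +0000] 192.0.2.10 - REQ0001 REST.GET.OBJECT images/box.qcow2 "GET /images/box.qcow2 HTTP/1.1" 200 - 14000000000 14000000000 900000 40 "-" "curl/7.68.0" -
OWNERID example-bucket [25/Jul/2020:10:05:09 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT images/box.qcow2 "GET /images/box.qcow2 HTTP/1.1" 200 - 14000000000 14000000000 870000 38 "-" "Wget/1.20" -
OWNERID example-bucket [25/Jul/2020:10:09:30 +0000] 192.0.2.10 - REQ0003 REST.GET.OBJECT images/box.qcow2 "GET /images/box.qcow2 HTTP/1.1" 206 - 7000000000 14000000000 450000 35 "-" "curl/7.68.0" -
OWNERID example-bucket [25/Jul/2020:10:11:00 +0000] 203.0.113.5 - REQ0004 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 200 - 20000 20000 12 10 "-" "Mozilla/5.0" -
OWNERID example-bucket [25/Jul/2020:09:00:00 +0000] 192.0.2.99 OWNERID REQ0005 REST.PUT.OBJECT images/box.qcow2 "PUT /images/box.qcow2 HTTP/1.1" 200 - - 14000000000 5000 30 "-" "aws-cli/2.0" -
"""


def to_int(field):
    """Log fields use '-' for 'not applicable'; treat that as zero."""
    return int(field) if field.isdigit() else 0


def egress_report(lines, rate_per_gb=RATE_PER_GB, cache_limit=CACHE_LIMIT):
    """Total successful object downloads per key, largest sender first."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "size": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        # Only full (200) and ranged (206) object GETs generate billable egress here.
        if not m or m["operation"] != "REST.GET.OBJECT" or m["status"] not in ("200", "206"):
            continue
        s = stats[m["key"]]
        s["requests"] += 1
        s["bytes_sent"] += to_int(m["bytes_sent"])
        s["size"] = max(s["size"], to_int(m["object_size"]))
        s["ips"].add(m["ip"])
    report = [
        {
            "key": key,
            "requests": s["requests"],
            "clients": len(s["ips"]),
            "bytes_sent": s["bytes_sent"],
            "est_cost_usd": round(s["bytes_sent"] / 1e9 * rate_per_gb, 2),
            # Larger than the cache limit: every request reaches the origin bucket.
            "over_cache_limit": s["size"] > cache_limit,
        }
        for key, s in stats.items()
    ]
    return sorted(report, key=lambda r: r["bytes_sent"], reverse=True)


if __name__ == "__main__":
    for row in egress_report(SAMPLE_LOG.splitlines()):
        flag = "OVER CACHE LIMIT" if row["over_cache_limit"] else "within limit"
        print(f'{row["key"]}: {row["requests"]} GETs from {row["clients"]} clients, '
              f'{row["bytes_sent"] / 1e9:.2f} GB, ~${row["est_cost_usd"]:.2f} ({flag})')
```

Server access logging is off by default and is delivered on a delay, so a report like this complements a billing alarm rather than replacing it.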