Things You Should Know About AWS

130 点作者 jpmc超过 11 年前

13 条评论

falcolas超过 11 年前

> Stripe your RDS disks for better performanceThis is a fun hack to perform, but it opens you up to another problem: latency on any of the striped EBS volumes will lag out the entire striped array.Attempts to mitigate this problem (including setting up raid 10) work in the short term, but it really is easier to just purchase a guaranteed iops volume if you want to run a database on EC2.

评论 #6679106 未加载

评论 #6679442 未加载

vosper超过 11 年前

This is great and all, but I'd love to see a community wiki / discussion area for AWS tips, tricks, and gotchas. Something like Quora crossed with Wikipedia, just for AWS.Is anyone aware of such a thing? If not, any advice for starting one?

评论 #6677185 未加载

评论 #6678270 未加载

评论 #6679433 未加载

talonx超过 11 年前

These are more "tricks on optimizing AWS usage" than things to know "about" AWS.

jwilliams超过 11 年前

"9) Use Virtual Private Cloud (VPC) from the start"This is now a no-brainer. New registrations in certain zones will kick you into a basic VPC from the get-go.The only inbound should be via an ELB (HTTP/HTTPS) and an non-DNS-resolvable SSH bastion/NAT host (m1.small is more than enough). Your bastion is the only host that is on the public Internet.Setting up a bastion is reasonably straight-forward. There is an AMI that will do it all for you. Just make sure you've got "src/dst check" turned off in the EC2 panel for that server. Just that tip can save you hours of hair-tearing.Outbound is via the bastion, which you can lock down to certain protocols via VPC security groups. I limit to HTTPS (no HTTP!).The bastion should use ssh keys only (no username/password). Put in place fail2ban on the bastion. You can also add a firewall rule that backs off multiple fails SSH attempts. This all but nukes brute-force attacks. Also, make sure you patch regularly.I go as far as to have separate keys for the bastion and then the hosts, but sensible policies should apply here (e.g. passphrase on your keys please).Keep the bastion superuser login to a very select group. You can quickly remove employees' access by taking them out of the bastion. If you're in panic mode, you can turn off the bastion and isolate your network until you can regroup (similarly with the ELB for web-based attacks).This is a pretty sound foundation for a secure setup.

评论 #6680930 未加载

评论 #6680091 未加载

oakwhiz超过 11 年前

>Use ZFS and RAIDZ with EBSThat's a really cool idea, and I'm curious to see what kind of performance losses will occur during normal usage.

leftnode超过 11 年前

What is the 'aws' command in example #2? Is that a Ruby/Python/other script released by Amazon or a 3rd party?

评论 #6677144 未加载

ademarre超过 11 年前

I don't hear enough people talking about vendor lock-in with AWS, or any other cloud provider for that matter. Too many of us are building our company's infrastructure on AWS with little regard for the cost of switching.I try to stick with Amazon's IaaS offerings, only employing PaaS products when they offer considerable advantages over anything I could roll economically on bare infrastructure.Ask yourself, "in terms of time or money, what would it cost me if this cloud product were discontinued without notice?"AWS might lose a patent battle, get shut down by the government, or get crippled by hackers or a long-term service interruption. If that happened, how long would you be down while you struggle to get up and running at another provider? What if Amazon raises their prices to the point where you want to change cloud providers? Would the cost of switching be prohibitive?

anan0s超过 11 年前

Actually I was wondering if there is any experience/benchmarks about Amazon high-performance instances.anyone already used this ?

评论 #6676932 未加载

ebaxt超过 11 年前

An important gotcha regarding Cloudformation - there is no way to recover from a failed rollback (except maybe to contact amazon support). So it's basically only safe for initial setup of resources.

评论 #6679065 未加载

ideaoverload超过 11 年前

Description of noisy neighbor problem #6 lacks some depth.AWS noisy neighbors problem is very often misunderstood. CPU steal time under linux does NOT mean that somebody is stealing your CPU. It simply means that you wanted to use CPU and hypervisor has given it to another instance. This may happen because you have exceeded your quota or scheduling algorithm selected another pending instance at this very moment and it would give CPU back to you a bit later. In the end in both cases your instance gets fair share.Great detailed explanations of steal time: <a href="https://support.cloud.engineyard.com/entries/22806937-Explanation-of-Steal-Time" rel="nofollow">https://support.cloud.engineyard.com/entries/22806937-Explan...</a> and: <a href="http://www.stackdriver.com/understanding-cpu-steal-experiment/" rel="nofollow">http://www.stackdriver.com/understanding-cpu-steal-experimen...</a>. The latter article is mentioned by OP but seems to be not fully read/understood.Why does killing and restarting instance help? It likely moves instance to different hardware node with less active neighbors. When your neighbor is not active your instance can use CPU idle cycles of your neighbor! You sort of become the noisy one. Still hypervisor would prevent it once neighbor starts to fully utilize his CPU quota and you are back to square one.Amazon does not oversubscribe CPU according to their CTO: <a href="http://itknowledgeexchange.techtarget.com/cloud-computing/amazon-does-not-oversubscribe/" rel="nofollow">http://itknowledgeexchange.techtarget.com/cloud-computing/am...</a>Amazon specifically states that t1.micro instances do not guarantee CPU performance: "Micro instances are a very low-cost instance option, providing a small amount of CPU resources. Micro instances may opportunistically increase CPU capacity in short bursts when additional cycles are available. They are well suited for lower throughput applications and websites that require additional compute cycles periodically, but are not appropriate for applications that require sustained CPU performance."While CPU sharing is pretty well documented noisy neighbor problem still exists for network and disk resources being shared by multiple instances on the same hardware node. The only way to detect these problems is to track network throughput/loss rate for network and IO stats for disk.You are guaranteed to avoid noisy neighbors CPU problem by using AWS dedicated instances: <a href="http://aws.amazon.com/dedicated-instances/" rel="nofollow">http://aws.amazon.com/dedicated-instances/</a>I work for APM ( Application Performance Management) vendor , I have no business praising AWS.[Edit:spelling and clarity][Edit2: changed CPU scheduling description]

评论 #6679420 未加载

评论 #6680919 未加载

评论 #6677768 未加载

darkarmani超过 11 年前

Does anyone understand the point they are making in #9 about VPC?Are they suggesting using HAProxy in your public subnet and ELBs in your private subnets? Is this their reference to avoiding using a NAT box (actually PAT)? Don't you still need a HAProxy box in each of your AZs?

评论 #6678401 未加载

victor_haydin超过 11 年前

One more nice post about this topic: <a href="http://www.elekslabs.com/2013/11/aws-10-things-youre-probably-doing.html" rel="nofollow">http://www.elekslabs.com/2013/11/aws-10-things-youre-probabl...</a>

simonebrunozzi超过 11 年前

It looks like that this post has been partly inspired by a recent presentation that I made: <a href="http://www.slideshare.net/simone.brunozzi/5-thingsyoudontknowaboutaws" rel="nofollow">http://www.slideshare.net/simone.brunozzi/5-thingsyoudontkno...</a>