First, I saw in the billing section how much I pay for the NAT Gateway. I need to understand exactly what I'm paying for. I suspect that the git checkout (we use GitHub) from our instances accounts for most of the cost, but I need some way to prove / see exactly which traffic I pay for. Is that possible? If so, how?
A NAT gateway does not publish any information about how much data is processed per source/destination. You can deduce it by searching VPC flow logs. This documentation may be useful.
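The deduction the answer describes, as an added example that is not part of the original post: a flow log is enabled on the NAT gateway's own network interface, and each record is classified by whether the NAT gateway's private IP is the source or the destination. Bytes between a VPC host and the NAT gateway are charged to that host; bytes between the NAT gateway and an outside address are charged to that destination. The NAT private IP (10.0.0.10), the VPC CIDR (10.0.0.0/16), the ENI id and the sample records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of default-format VPC flow log records captured on the
# NAT gateway's own network interface. Field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# Assumptions: the NAT gateway's private IP is 10.0.0.10, the VPC CIDR is
# 10.0.0.0/16, and the external addresses are placeholders.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.0.10 44321 443 6 120 98304 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.10 140.82.112.4 44321 443 6 120 98304 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 140.82.112.4 10.0.0.10 443 44321 6 1100 1572864 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.10 10.0.1.15 443 44321 6 1100 1572864 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 10.0.0.10 51000 443 6 10 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.10 52.94.10.1 51000 443 6 10 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 10.0.0.10 51001 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_records(text):
    """Yield (srcaddr, dstaddr, bytes) for every ACCEPTed record that carries data.

    NODATA/SKIPDATA records have no addresses or byte counts, and REJECTed flows
    were dropped before the NAT gateway forwarded anything, so both are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK" or fields[12] != "ACCEPT":
            continue
        yield fields[3], fields[4], int(fields[9])


def attribute_nat_bytes(text, nat_private_ip, vpc_cidr):
    """Split the bytes seen on the NAT ENI into two views.

    by_source: bytes exchanged between each VPC host and the NAT gateway
    by_dest:   bytes exchanged between the NAT gateway and each outside address
    Both directions are summed for each key, because the NAT gateway is billed
    per GB processed regardless of direction."""
    nat = ipaddress.ip_address(nat_private_ip)
    vpc = ipaddress.ip_network(vpc_cidr)
    by_source, by_dest = defaultdict(int), defaultdict(int)
    for src, dst, nbytes in parse_flow_records(text):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s == nat:      # NAT -> VPC host (reply) or NAT -> internet (request)
            (by_source if d in vpc else by_dest)[dst] += nbytes
        elif d == nat:    # VPC host -> NAT (request) or internet -> NAT (reply)
            (by_source if s in vpc else by_dest)[src] += nbytes
        # any other record on this ENI did not pass through the NAT function
    return dict(by_source), dict(by_dest)


def top_talkers(counts, n=5):
    """Largest byte counts first, as (address, bytes) tuples."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    by_source, by_dest = attribute_nat_bytes(SAMPLE_RECORDS, "10.0.0.10", "10.0.0.0/16")
    print("VPC hosts sending traffic through the NAT gateway:")
    for addr, b in top_talkers(by_source):
        print(f"  {addr:<16} {b:>12} bytes ({b / 2**30:.4f} GiB)")
    print("External destinations reached through it:")
    for addr, b in top_talkers(by_dest):
        print(f"  {addr:<16} {b:>12} bytes ({b / 2**30:.4f} GiB)")
```

To run this against real data, create the flow log on the NAT gateway's network interface (its id is listed on the NAT gateway in the VPC console) and feed the delivered records in from S3 or CloudWatch Logs instead of `SAMPLE_RECORDS`. Checking the `by_dest` addresses against GitHub's published ranges (https://api.github.com/meta) would confirm or refute the git-checkout suspicion; if the large destinations turn out to be AWS services such as S3 instead, that traffic can usually be moved off the NAT gateway with a VPC endpoint.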
I'm new to the AWS world. My goal is to find, as quickly as possible in case of problems, the top IPs from requests using Elastic Load Balancer logs, and if possible who they are or some inspection on them. I only found paid services. Does anyone know a free application or maybe a website that analyzes AWS ELB logs?
A completely free solution isn't available as far as I know. But there are cheap solutions.
You can monitor your load balancer by "Access logs", "CloudWatch metrics", "Request tracing" and "CloudTrail logs".
I don't understand exactly what you want, but here are some possible solutions.
If you're afraid of being attacked and you need immediate protection (against security scans, DDoS, etc.), you can use AWS's own services. "AWS Shield Standard" is automatically included at no extra cost. By the way, "For added protection against DDoS attacks, AWS offers AWS Shield Advanced". https://docs.aws.amazon.com/shield/
WAF is also good against attacks. You can create rules, rule actions, etc. Sadly it's not completely free; it runs "pay-as-you-use" style. https://aws.amazon.com/waf/pricing/
You can store the access log in S3 and analyse it later, but this can be costly in the end (and it's not real-time).
You can analyse your log records with a Lambda function. In this case, you need to use some NoSQL store or similar to keep state or logic. (Lambda and DynamoDB are "pay-as-you-use" style and cheap, but not free.)
Keep in mind that:
The load balancer and Lambda also increment the corresponding CloudWatch metrics (cheap, but not free).
You will pay for outgoing data transfer, i.e. from AWS to the internet; 1 TB/month/account is always free (through CloudFront): https://aws.amazon.com/free/
You should use AWS's own services if you want a cheap and good solution.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.
But keep in mind that access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.
There are many complex and paid applications that return information regarding access logs, but I'd advise a simple, easy-to-use website that I use when I want to see the top requesters on our load balancer.
Website is https://vegalog.net
You should only upload your log file taken from the S3 bucket, and it returns a report with the top requesters, who they are (using a whois function), response times and other useful information.
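Both answers above (the "store the access log in S3 and analyse it later" option and the upload-to-a-website option) come down to the same operation: read the access log lines, pull out the client IP, status code and latency, and rank the clients. As an added example that is not part of either answer or of vegalog.net, the following does that offline with the standard library only, for both the Application Load Balancer format (leading request type) and the older Classic Load Balancer format. The log lines, the ALB name and the target addresses are constructed; the client IPs are documentation ranges.

```python
import gzip
import shlex
from collections import Counter, defaultdict

# Constructed sample of Application Load Balancer access log lines. The
# trailing ALB fields after ssl_protocol are left off for brevity; the parser
# only reads the leading fields, so full-length lines work the same way.
ALB_SAMPLE = """\
https 2024-05-01T12:00:01.123456Z app/my-alb/50dc6c495c0c9188 203.0.113.10:51234 10.0.1.20:80 0.001 0.012 0.000 200 200 512 1024 "GET https://example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-05-01T12:00:02.223456Z app/my-alb/50dc6c495c0c9188 203.0.113.10:51235 10.0.1.20:80 0.001 0.009 0.000 404 404 480 320 "GET https://example.com:443/wp-login.php HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-05-01T12:00:02.323456Z app/my-alb/50dc6c495c0c9188 203.0.113.10:51236 10.0.1.20:80 0.001 0.008 0.000 404 404 480 320 "GET https://example.com:443/.env HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-05-01T12:00:03.423456Z app/my-alb/50dc6c495c0c9188 198.51.100.7:40001 10.0.1.21:80 0.002 2.517 0.000 200 200 700 8192 "POST https://example.com:443/api/report HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-05-01T12:00:04.523456Z app/my-alb/50dc6c495c0c9188 198.51.100.7:40002 - -1 -1 -1 503 - 700 0 "POST https://example.com:443/api/report HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
http 2024-05-01T12:00:05.623456Z app/my-alb/50dc6c495c0c9188 192.0.2.55:33000 10.0.1.20:80 0.001 0.004 0.000 301 301 300 100 "GET http://example.com:80/ HTTP/1.1" "curl/8.0" - -
"""

# One constructed Classic Load Balancer line (no leading request type).
CLASSIC_SAMPLE = ('2024-05-01T12:00:06.000000Z my-clb 203.0.113.10:51240 10.0.1.20:80 '
                  '0.000073 0.001048 0.000057 200 200 0 29 '
                  '"GET http://example.com:80/ HTTP/1.1" "curl/8.0" - -')

ALB_REQUEST_TYPES = {"http", "https", "h2", "grpcs", "ws", "wss"}


def parse_elb_line(line):
    """Return (client_ip, elb_status_code, target_processing_time) for one record.

    ALB records begin with a request type, which shifts every later field right
    by one compared with the Classic ELB layout. A target time of -1 means the
    load balancer never got a response from a target; it is returned as None."""
    fields = shlex.split(line)          # honours the double-quoted request/UA fields
    off = 1 if fields[0] in ALB_REQUEST_TYPES else 0
    client_ip = fields[2 + off].rsplit(":", 1)[0].strip("[]")   # drop the port
    status_raw = fields[7 + off]
    status = int(status_raw) if status_raw != "-" else None
    time_raw = fields[5 + off]
    target_time = float(time_raw) if time_raw != "-" else -1.0
    return client_ip, status, (target_time if target_time >= 0 else None)


def summarize(lines, top_n=5):
    """Rank client IPs by request count, with their 4xx/5xx count and worst latency."""
    requests, errors, latencies = Counter(), Counter(), defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ip, status, target_time = parse_elb_line(line)
        requests[ip] += 1
        if status is not None and status >= 400:
            errors[ip] += 1
        if target_time is not None:
            latencies[ip].append(target_time)
    return [
        {"ip": ip, "requests": n, "errors": errors[ip],
         "max_target_time": max(latencies[ip]) if latencies[ip] else None}
        for ip, n in requests.most_common(top_n)
    ]


def read_log_file(path):
    """Yield lines from a downloaded access log; ELB delivers them to S3 gzipped."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        yield from fh


if __name__ == "__main__":
    for row in summarize(ALB_SAMPLE.splitlines()):
        print(f"{row['ip']:<16} requests={row['requests']:<3} 4xx/5xx={row['errors']:<3} "
              f"max_target_time={row['max_target_time']}")
```

Two things to keep in mind when reading the output. The client IP in the log is the TCP peer of the load balancer, so if CloudFront or another proxy sits in front of it, every request will appear to come from that proxy and the real client is only available in the X-Forwarded-For header your application sees. And a high 4xx count for one IP (here the probes for /wp-login.php and /.env) is usually a scanner, which is exactly the case the question is trying to spot quickly; the whois lookup the second answer mentions is left out here so the example stays offline.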
I was starting a Neptune database from this base stack:
https://s3.amazonaws.com/aws-neptune-customer-samples/v2/cloudformation-templates/neptune-base-stack.json
However, now I am wondering why a NAT Gateway and also an Internet Gateway are started in this stack. Are they required for updates within Neptune? This seems like a huge security risk.
On top of that, these gateways are not cheap.
I would be happy for an explanation of this.
The answer is no, it's not required; AWS just sneaked some unnecessary, costly resources into the template.
Anyway, if you want to use the updated template without the NAT and IG GWs, use this one that I just created: https://neptune-stack-custom.s3.eu-central-1.amazonaws.com/base.json
I'm creating my application with the premise of being as serverless as possible.
Long story short, 2 services cannot be implemented as Lambda functions, hence I bet on ECS tasks with EC2 autoscaling groups, due to GPU requirements, etc.
After doing my homework on the Lambda + VPC resources lesson, I was shocked that there's no easy and pleasant way to expose VPC services as an extension of AWS services. So the official approach stands for incorporating a Lambda function into a VPC plus establishing a NAT gateway/instance or VPC endpoints in order to reach the internet and AWS services. Moreover, I read that this is not recommended and should be treated as a last-resort solution. It slows down Lambda and increases cold starts.
Generally, I need internet access and to reach other AWS services from the Lambda, which must make requests to ECS tasks. Those tasks are crucial contributors to my flow, and I'd like them to be easily callable from Lambda functions. I'm not sure if VPC Lambdas would make sense if I need to pay for NAT, which is comparatively expensive. Maybe I missed something.
Is it possible to avoid incorporating Lambdas into a VPC and still be able to call ECS services? If not, what is the best way to cut costs related to NAT?
I'd appreciate any form of help.
I'm working on a series of tutorials that rely on AWS EC2 instances. I'd like to give users a chance to play around with a limited AWS environment.
DescribeInstances is the only endpoint I need for that. However, I'd like to make sure that someone spamming that endpoint with thousands/millions of requests won't incur thousand-dollar charges on my account.
I tried asking someone at work about it, and they said they've never been charged for Describe requests. However, I'd like some more confirmation on that, which is why I'm asking this question.
NOTE: I've tried asking AWS support, but they are very slow to respond.
The Amazon EC2 pricing page has no mention of request-based charges. This differs from other services (for example, Amazon S3) that do specifically mention a request charge.
Therefore, it would seem that there is no per-request charge for Amazon EC2.
We have an EC2 instance which, for security reasons, has no Internet access. But at the same time, the code running on that server needs to call some Lambda functions. It seems to me these two requirements are contradictory, since without Internet access the code cannot call Lambda functions.
Does anyone have any suggestion on what are my options without sacrificing the security aspect of the project?
You won't be able to reach the AWS APIs in general without internet access. Two exceptions are S3 and DynamoDB, where you can create VPC endpoints and keep it completely on a private network. Some services can also be exposed through PrivateLink, but Lambda is not yet one of them.
You can learn more about those here: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
Depending on your security requirements, you might be able to use a NAT Gateway (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html) or an Egress-Only Internet Gateway (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/egress-only-internet-gateway.html)
Those would provide access from the instance to the internet, but without the reverse being true. In many cases, this will provide enough security.
Otherwise, you will have to wait for PrivateLink to support Lambda. You can see more on how to work with PrivateLink here: https://aws.amazon.com/blogs/aws/new-aws-privatelink-endpoints-kinesis-ec2-systems-manager-and-elb-apis-in-your-vpc/