In 2002, when Benjamin and Chris first came up with the idea of the Cloud, they probably never imagined it would grow into the enormous business it is today. On the whole, their idea has let organizations scale performance and cut expenses, but for many enterprises the Cloud also means hidden costs, over-provisioned resources and inefficient network topologies. Because nobody can see through a virtual network topology, and because the current influx of Cloud "experts" often has an under-developed understanding of networking, both the cost of the network and the risk to security have gone up.
According to research by the vendor StackRox Inc., 94% of respondents had suffered a security incident involving Kubernetes, and in my experience 96% of organizations pay more for networking than they need to, simply because of misconfiguration and mismanaged resources.
In this article we look at networks and their related costs in detail, and at the best practices to follow when designing a solution for an organization.
Let's start with a real-world, cost-related example about travel, security and the route we should take, and then map it onto AWS.
Now imagine your organization is located in two countries, France and the UK, with redundant teams of 30 in each. Each country has two offices with 15 people in each, so you have four locations and 60 people in four cities. In each country one of the locations is ultra-secure, with a big electronic gate through which only one employee can pass at a time, after authentication and authorization. Every time an employee passes through that gate you pay a significant amount of money, but the requirement is that some employees must sit in a secured room at every location. Now, if you have two employees who need to talk to each other all day, would you place them in different countries or in the same city, so that their work gets done effectively and efficiently?
Let's map this example onto the network topology of AWS. You have two VPCs in two different regions and two subnets in each VPC: one private and one public (more about private and public subnets at the end). Just as you would not seat two people in different countries if they needed to talk all day, you should not place two instances in different regions, or even different availability zones, if they have to exchange traffic for every minor task. Imagine your application is hosted in France and its database is in a city in the UK: every transaction has to cross the country and back to fetch its data, and every gigabyte of that crossing is billed. Why not keep the application and the database in the same place from the start? The one deliberate exception is redundancy: spreading replicas across availability zones costs cross-AZ transfer, but that is a price you choose to pay for resilience, not an accident of topology.
So how do you achieve this? Several products on the market let you visualize your network topology, find where the overhead is, and cut costs accordingly. VNT is one of them, and you can access it from here.
Now, let's take a look at the AWS bill and find out which components are involved in AWS Network costs.
Three line items account for most of your data transfer and network costs:
NAT
DATA TRANSFER
EIPs
You'll find the NAT gateway under the EC2 tab in the billing details. It is billed twice over: an hourly charge for each gateway, plus a per-GB data processing charge for every byte it forwards, and the bytes that go on to the Internet are billed again as data transfer out.
This is one of the biggest pain points for network admins. We need to decide whether something really needs to sit behind NAT, whether to use NAT instances or a NAT gateway, and what the alternatives to NAT are.
When deciding between a NAT gateway and a NAT instance for private-instance access to the Internet, consider how often those instances actually need to go out to the Internet, and whether NAT is really what protects them (it is the security group and the absence of an inbound route that do). Also check whether a backend application behind the NAT is reaching an AWS service by its public endpoint and pushing every byte through the NAT gateway's per-GB processing charge: S3 and DynamoDB can be reached through gateway VPC endpoints, which cost nothing and keep that traffic off the NAT altogether, and most other services through interface endpoints (PrivateLink), whose per-GB rate is lower than the NAT gateway's. I don't think there is a one-size-fits-all answer to where a dynamic NAT device is or is not needed, but before making the decision, seek expert advice and take the nature of the application into account.
The DATA TRANSFER line on the main bill combines two components:
a) Data moving between AWS and the Internet
1) Inbound traffic from the Internet to AWS is free.
2) Outbound traffic from AWS to the Internet is charged at tiered per-GB rates that fall as your monthly volume grows; above 500 TB per month you can negotiate a custom deal with AWS. Rates per region: https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer
b) Data moving between AWS services
1) Within one AWS region
a) Between availability zones: $0.01 per GB in each direction, so a request and its reply that cross the AZ boundary cost $0.02 per GB in total.
b) Within the same availability zone: free when the instances talk over private IPs. Traffic between public or Elastic IPs is charged at the regional rate even inside one AZ.
2) Across AWS regions
a) No inbound charge, but outbound traffic is charged per GB at a rate that depends on the source and destination regions. Details: https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer
The EIP is under the EC2 tab in the billing details:
You will not be charged for an EIP as long as it is attached to a running instance and is the first EIP on that instance; additional EIPs, and any EIP that sits unattached or on a stopped instance, accrue an hourly charge. That was the rule at the time of writing; since February 2024 AWS charges an hourly fee for every public IPv4 address, including that first EIP, so the only free EIP is one you release.
TIPS:
You will not be charged for moving data between instances in the same availability zone over private IPs.
You will not be charged for traffic between EC2 instances and a Classic or Application Load Balancer over private IPs within the same VPC.
You will not be charged for data transferred from EC2 (or any AWS origin, in any region) to CloudFront; you are charged only for what CloudFront sends out to viewers. More details are on the AWS CloudFront pricing page.
Make wise choices when designing your network topology. Advanced Linux users can capture traffic with tcpdump on each host to work out who talks to whom, and VPC Flow Logs give the same picture per network interface without touching the instances, but it's recommended that you go ahead with the VNT solution to save time and resources.
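The classification a topology tool does is simple enough to script against VPC Flow Logs. The block below is an added example, not code from the article or from the VNT product: it parses constructed default-format flow-log lines, places each endpoint in a constructed subnet/AZ map, buckets the bytes as same-AZ, cross-AZ, cross-region, inbound or outbound Internet traffic, prices them with assumed us-east-1 list rates (tiered egress plus the NAT gateway's per-GB processing charge), and lists the subnet pairs that talk across an AZ or region boundary, which are the candidates to co-locate. The ENI ids, subnets and rates are all assumptions.

```python
"""Classify VPC flow-log records by where the traffic went and price them.
Added example, not code from the article or any vendor: subnets, ENI ids and
log lines are constructed; USD/GB rates are assumed us-east-1 list prices."""
import ipaddress
from collections import defaultdict

# Constructed topology: subnet id -> (availability zone, CIDR).
SUBNETS = {
    "subnet-app-a":   ("eu-west-2a", ipaddress.ip_network("10.0.1.0/24")),
    "subnet-db-a":    ("eu-west-2a", ipaddress.ip_network("10.0.2.0/24")),
    "subnet-db-b":    ("eu-west-2b", ipaddress.ip_network("10.0.3.0/24")),
    "subnet-paris-a": ("eu-west-3a", ipaddress.ip_network("10.1.1.0/24")),
}
APP_ENI = "eni-0a1b2c3d4e5f60001"          # constructed: the app instance's ENI
NAT_GATEWAY_ENI = "eni-0a1b2c3d4e5f60002"  # constructed: the NAT gateway's ENI

# Assumed flat rates, USD per GB. Cross-AZ is billed in each direction; a log
# from one ENI sees only its own direction of each flow.
RATES = {"same-az": 0.0, "cross-az": 0.01, "cross-region": 0.02, "nat-processing": 0.045}
# Assumed tiered Internet egress (tier size in GB, USD per GB), consumed in
# order of cumulative monthly volume; the first 100 GB a month are free.
EGRESS_TIERS = [(100, 0.0), (10 * 1024, 0.09), (40 * 1024, 0.085),
                (100 * 1024, 0.07), (float("inf"), 0.05)]
GB = 1e9  # decimal gigabytes, close enough for a comparison

# Constructed version-2 default-format lines: version account eni src dst
# srcport dstport proto packets bytes start end action log-status.
SAMPLE_LOG = f"""\
2 123456789012 {APP_ENI} 10.0.1.10 10.0.3.20 43210 5432 6 200 240000000 1600000000 1600000060 ACCEPT OK
2 123456789012 {APP_ENI} 10.0.1.10 10.0.2.20 43211 5432 6 400 500000000 1600000000 1600000060 ACCEPT OK
2 123456789012 {APP_ENI} 10.0.1.10 10.1.1.5 43212 443 6 90 100000000 1600000000 1600000060 ACCEPT OK
2 123456789012 {NAT_GATEWAY_ENI} 10.0.1.10 198.51.100.25 43213 443 6 170000 250000000000 1600000000 1600000060 ACCEPT OK
2 123456789012 {APP_ENI} 203.0.113.7 10.0.1.10 51000 443 6 1500 2000000000 1600000000 1600000060 ACCEPT OK
2 123456789012 {APP_ENI} 203.0.113.9 10.0.1.10 51001 22 6 1 60 1600000000 1600000060 REJECT OK
"""

def locate(addr):
    """(subnet_id, az, region) for an address in our subnets, else None."""
    ip = ipaddress.ip_address(addr)
    for subnet_id, (az, net) in SUBNETS.items():
        if ip in net:
            return subnet_id, az, az[:-1]  # region = AZ name minus its letter
    return None

def classify(src, dst):
    """Bucket one flow by the billing category of its two endpoints."""
    s, d = locate(src), locate(dst)
    if s is None:
        return "internet-in"   # inbound from outside AWS: free
    if d is None:
        return "internet-out"  # outbound to the Internet: tiered egress
    if s[1] == d[1]:
        return "same-az"
    if s[2] == d[2]:
        return "cross-az"
    return "cross-region"

def parse_flow_log(text):
    """Parse default (version 2) flow-log lines, keeping ACCEPTed flows only."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[12] != "ACCEPT":
            continue
        records.append({"eni": f[2], "src": f[3], "dst": f[4], "bytes": int(f[9])})
    return records

def internet_egress_cost(gb):
    """Price a month's egress volume through the tiers, cheapest tier last."""
    cost, remaining = 0.0, gb
    for size, rate in EGRESS_TIERS:
        take = min(remaining, size)
        cost += take * rate
        remaining -= take
    return cost

def cost_report(records):
    """{category: (GB, USD)}; NAT processing is charged on top of egress."""
    gb = defaultdict(float)
    for r in records:
        gb[classify(r["src"], r["dst"])] += r["bytes"] / GB
        if r["eni"] == NAT_GATEWAY_ENI:
            gb["nat-processing"] += r["bytes"] / GB
    report = {}
    for cat, vol in gb.items():
        usd = internet_egress_cost(vol) if cat == "internet-out" else vol * RATES.get(cat, 0.0)
        report[cat] = (round(vol, 6), round(usd, 6))
    return report

def hot_pairs(records):
    """Subnet pairs talking across an AZ or region boundary: co-location candidates."""
    pairs = defaultdict(float)
    for r in records:
        if classify(r["src"], r["dst"]) in ("cross-az", "cross-region"):
            pairs[(locate(r["src"])[0], locate(r["dst"])[0])] += r["bytes"] / GB
    return dict(pairs)

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for cat, (vol, usd) in sorted(cost_report(recs).items()):
        print(f"{cat:15s} {vol:10.3f} GB  ${usd:9.4f}")
    for (a, b), vol in hot_pairs(recs).items():
        print(f"co-locate? {a} -> {b}: {vol:.3f} GB")
```

On the constructed sample the 250 GB that left through the NAT gateway costs almost as much in NAT processing ($11.25) as in Internet egress ($13.50), which is the point of the NAT discussion above: if that destination is S3 or DynamoDB, a gateway endpoint removes both charges. Real flow logs from both ends of a cross-AZ flow will show each direction once, matching the per-direction billing.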
########## Private and Public subnets ##########
IPv4 addresses are 32 bits long, so there can only ever be 2^32 of them, about 4.3 billion. As more and more devices were connected during the 90s, each needing an address, NAT and the reserved private address ranges of RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) came into play, and with them the concept of public and private subnets.
The logic of public and private subnets rests on NAT and the two kinds of NAT. NAT stands for network address translation, and that is exactly what it does: it lets instances with private IPs talk to the Internet by translating their private addresses to public ones.
NAT is simple. If the NAT device maps IPs one-to-one, public to private, then you have a public subnet: the resources are reachable from the Internet by their public IPs, and the static NAT does its job. If the NAT is dynamic (many private addresses share one public address), the instances inside the subnet can go out to the Internet using the NAT's public IP, but nobody on the Internet can reach an instance behind it.
So a private subnet is just a network of instances behind a dynamic NAT, which allows only outbound connections, and a public subnet is a network of instances behind a static NAT that maps each private IP to a public one, so traffic can flow in both directions. In AWS the Internet Gateway is that static NAT, and the difference between the two subnet types is made entirely by the route table: a public subnet has a 0.0.0.0/0 route to an Internet Gateway (and an instance still needs a public or Elastic IP to use it), while a private subnet has no such route and usually sends 0.0.0.0/0 to a NAT gateway instead. An inbound path existing is not the same as it being open: the security group and network ACL still have to permit the traffic, so "public subnet" never means "exposed by default".
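The route-table rule can be checked mechanically across an account. The block below is an added example, not code from the article: it classifies each subnet from data in the shape that `aws ec2 describe-route-tables` and `describe-instances` return (an explicit subnet association first, otherwise the VPC's main table), then flags the placements that cost money or break connectivity: an instance with no public IP in a public subnet, a public IP in a private subnet, and a private subnet that sends everything through NAT without a gateway endpoint route. The tables, instances and every id are constructed.

```python
"""Classify VPC subnets as public, private or isolated from their route tables
and flag placements that break connectivity or cost money. Added example, not
code from the article; the tables, subnets and instances are constructed in
the shape of `aws ec2 describe-route-tables` / `describe-instances` output."""

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [  # constructed; all ids are made up
    {"RouteTableId": "rtb-0main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-0pub", "Associations": [{"SubnetId": "subnet-0pub"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc",
                        "State": "active"}]},
    {"RouteTableId": "rtb-0priv", "Associations": [{"SubnetId": "subnet-0priv"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc",
                        "State": "active"}]},
    {"RouteTableId": "rtb-0priv2", "Associations": [{"SubnetId": "subnet-0priv2"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc",
                        "State": "active"},
                # gateway endpoint route: S3 traffic bypasses the NAT gateway
                {"DestinationPrefixListId": "pl-0s3", "GatewayId": "vpce-0s3",
                 "State": "active"}]},
]
INSTANCES = [  # constructed; "subnet-0iso" has no table of its own, so it uses main
    {"InstanceId": "i-web", "SubnetId": "subnet-0pub", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-api", "SubnetId": "subnet-0pub"},
    {"InstanceId": "i-db", "SubnetId": "subnet-0priv", "PublicIpAddress": "203.0.113.11"},
    {"InstanceId": "i-worker", "SubnetId": "subnet-0priv2"},
    {"InstanceId": "i-batch", "SubnetId": "subnet-0iso"},
]

def effective_route_table(subnet_id, tables=ROUTE_TABLES):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for t in tables:
        for a in t["Associations"]:
            if a.get("SubnetId") == subnet_id:
                return t
            if a.get("Main"):
                main = t
    return main

def default_route(table):
    """The active 0.0.0.0/0 route of a table, or None."""
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return r
    return None

def classify_subnet(subnet_id, tables=ROUTE_TABLES):
    """public = default route to an IGW; private = to a NAT gateway; isolated = none."""
    r = default_route(effective_route_table(subnet_id, tables))
    if r is None:
        return "isolated"
    if r.get("GatewayId", "").startswith("igw-"):
        return "public"
    if r.get("NatGatewayId"):
        return "private"
    return "other"  # e.g. default route via a transit gateway or an appliance ENI

def has_gateway_endpoint(subnet_id, tables=ROUTE_TABLES):
    """A vpce- route (S3/DynamoDB gateway endpoint) keeps that traffic off the NAT."""
    t = effective_route_table(subnet_id, tables)
    return any(r.get("GatewayId", "").startswith("vpce-") for r in t["Routes"])

def audit(instances=INSTANCES, tables=ROUTE_TABLES):
    """Return (instance id, finding) pairs for placements worth a second look."""
    findings = []
    for i in instances:
        kind = classify_subnet(i["SubnetId"], tables)
        public_ip = i.get("PublicIpAddress")
        if kind == "public" and not public_ip:
            findings.append((i["InstanceId"], "public subnet but no public IP: no Internet path"))
        if kind != "public" and public_ip:
            findings.append((i["InstanceId"], f"{kind} subnet with a public IP: unreachable without an IGW route"))
        if kind == "private" and not has_gateway_endpoint(i["SubnetId"], tables):
            findings.append((i["InstanceId"], "everything leaves via NAT: add S3/DynamoDB gateway endpoints"))
    return findings

if __name__ == "__main__":
    for subnet in ("subnet-0pub", "subnet-0priv", "subnet-0priv2", "subnet-0iso"):
        print(f"{subnet}: {classify_subnet(subnet)}")
    for instance_id, finding in audit():
        print(f"{instance_id}: {finding}")
```

The same functions work unchanged on the real JSON from the two CLI calls once it is loaded with `json.load`; the only thing the audit does not see is the security group, which still decides whether any inbound path the route table creates is actually open.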