undefined | Better HN

0 pointssaurik5y ago0 comments

I miss EC2 Classic :/. It always feels like the entire world of VPCs must have come from the armies of network engineers who felt like if the world didn't support all of the complexity they had designed to fix a problem EC2 no longer had--the tyranny of cables and hubs and devices acting as routers--that maybe they would be out of a job or something, and so rather than design hierarchical security groups Amazon just brought back in every feature of network administration I had been happily prepared to never have to think about every again :(.

0 comments

whatisthiseven5y ago

Agreed, I always thought VPC and all that complexity was a big step backwards. My org is moving from a largely managed network into AWS, and now we have to configure the whole network and external gateways ourselves? What engineer wants to do this?

VPCs are virtual, but I don't need VPCs, I need the entire network layer virtualized and abstracted. As you suggested,just grouping devices in a single network and saying "let them all talk to each other, let this one talk to that one over this port/IP" should be all I describe. Let AWS figure out CIDR, routing, gateways, etc.

gen2205y ago

People use it as a (imo lazy) form of enforcing access control. If two services aren’t in the same VPC, they can’t talk to each other. It theoretically limits the damage of a rogue node.

Of course, it also creates a ton of overhead and complexity, because you still have to wire all your VPCs together to implement things like monitoring and log aggregation, for example.

As other people have suggested, the better solution (imo) is to have all your traffic be encrypted with mTLS, and enforce your ACLs with certs instead of network accessibility.

whatisthiseven5y ago

Sure, but we also do the things you suggested.

However, if you are relying on defense in depth for security, then having them be network separate helps prevent internal DDoS attacks, whether malicious or not.

Enforcing security across the entire network layer has many positives. But I don't want to be messing with the lower levels, and those lower levels all have the same security models and solutions as one another, at least if you view them at a high level.

VPCs have value as a security and availability solution, I just don't want to have to configure it to get what could be an automatic benefit.

BillinghamJ5y ago

Generally inclined to agree, but to be fair you can operate a VPC in exactly the same way as EC2 Classic - give everything public IPs, public subnets and ignore the internal IPs. Pretty sure those are the defaults too

Lammy5y ago

My assumption is it's an IPv4 address exhaustion thing too.

mandis5y ago

Amazon and IPv4 exhaustion?

https://www.techradar.com/in/news/amazon-has-hoarded-billion...

jen205y ago

It's more to do with what entries you would put in a routing table to get EC2 Classic over a DirectConnect, no?

j / k navigate · click thread line to collapse

0 comments

whatisthiseven5y ago

gen2205y ago

People use it as a (imo lazy) form of enforcing access control. If two services aren’t in the same VPC, they can’t talk to each other. It theoretically limits the damage of a rogue node.

Of course, it also creates a ton of overhead and complexity, because you still have to wire all your VPCs together to implement things like monitoring and log aggregation, for example.

As other people have suggested, the better solution (imo) is to have all your traffic be encrypted with mTLS, and enforce your ACLs with certs instead of network accessibility.

whatisthiseven5y ago

Sure, but we also do the things you suggested.

However, if you are relying on defense in depth for security, then having them be network separate helps prevent internal DDoS attacks, whether malicious or not.

VPCs have value as a security and availability solution, I just don't want to have to configure it to get what could be an automatic benefit.

BillinghamJ5y ago

Lammy5y ago

My assumption is it's an IPv4 address exhaustion thing too.

mandis5y ago

Amazon and IPv4 exhaustion?

https://www.techradar.com/in/news/amazon-has-hoarded-billion...

jen205y ago

It's more to do with what entries you would put in a routing table to get EC2 Classic over a DirectConnect, no?

j / k navigate · click thread line to collapse