AWS to begin charging for public IPv4 addresses (opens in new tab)

This is one thing Google Cloud does well - traffic to Google services bypasses NAT gateway, even over IPv4.

I was curious how they do this, so I set up a service on Google Cloud Run that just echo'd the user's public IP address. When curl'd over IPv4, it said I was coming from a unique local (i.e. private) IPv6 address. The private IPv4 address of my server was embedded in the address, along with some other random-looking bits that probably identified my VPC somehow. So they must have been doing some sort of stateless IPv4 to IPv6 translation behind the scenes.

It was a clever solution that takes advantage of the fact that all of Google's API endpoints are dual-stack, even though (at the time) they didn't support IPv6 on customer VMs. The problem AWS currently has is not all of their internal endpoints are dual-stack, so even using IPv6 can't save you from cloud NAT costs when accessing AWS services.

Another dead simple solution would be if AWS would provide us a simple subdomain (such as myapp.xxxx.aws-hosting.com), no need to meddle with IPs at all in that case. Google Cloud already does this with xyz.appspot.com subdomains, same with Github Pages as they provide you xyz.github.io subdomain for your app.

I wonder if someone at AWS noticed that the interface endpoint pricing was offensive for accessing S3 and therefore created the free “VPC Endpoint for Amazon S3.”

I would find it rather surprising if the actual cost to Amazon of connecting a VPC to S3 were substantially lower than the cost of connecting a VPC to any other AWS service.

Yeah, the endpoints bother me. I get charging for IPv4 space but they shouldn’t charge you for calling their APIs, especially since it’s one ENI per endpoint so I have a few VPCs which have half the allocated addresses used by endpoints (the old trade off between multi AZ reliability and the cost of allocating redundancy).

AWS NAT gateway is $0.045 per hour plus $0.045 per GB. The hourly fee seems mostly okay - for largish users, one or two per region is fine.

$0.045 per GB is nuts. That’s $20.25/hour or $14580/mo for 1 Gbps. One can buy a cheap gadget using very little power that can NAT 1 Gbps at line rate for maybe $200 (being generous). One can buy a perfectly nice low power server that can NAT 10Gbps line rate for $1k with some compute to spare. One can operate one of these systems, complete with a rack and far more power than needed, plus the Internet connection, for a lot less money than $14580/mo. (Never mind that your $14580 doesn’t actually cover the egress fee on AWS.)

A company with a couple full time employees could easily operate quite a few of these out of any normal datacenter, charge AWS-like fees, and make a killing, without breaking a sweat. But they wouldn’t get many clients because most datacenter customers already have a NAT-capable router and don’t need this service to begin with.

In other words, the OpEx associated with a service like this, including the sysadmin time, is simply not in the ballpark of what AWS charges.

For example, rather than simply routing IP packets and then forgetting them, you need to statefully inspect every TCP segment and every supposedly connectionless UDP conversation, you need to maintain state for every live conversation, and you need to mitigate DOS with all those resources.

At that point, you might as well be running a Layer 7 Firewall or an Intrusion Protection System.

> ISPs & mobile carriers are pushing IPv6 over CGNAT

LOL. Not Metronet. They are doubling down on CGNAT. They've acquired ISPs with IPv6 and killed it in favor of CGNAT.

This is missing the point mostly, my own sites have supported ipv6 for a going on a decade because it was fun to get it working. But that's a very different thing than supporting only IPv6.

It's not really computationally expensive, it's memory expensive. You need per connection state.

There is where people usually start chiming in about how they can run a VPS at Whatever Hosting and Waffles Inc. for $4/mo.

Plus $0.045 per gigabyte of data that passes through it.

AWS has notoriously high egress fees.

$40/month just to run it, but then $0.045 per GB data rates. The data rates are what is outrageous. NAT Gateways comprise a non-trivial portion of many customer's bills for this reason.

Most users are below 10Mbps average, so yes $480 per year is a huge price for a fraction of a percent share of a router (plus redundancy).

The expensive part of NAT Gateway is the $0.045/GB.

It's worth it if you spend thousands a month. I run assorted personal projects in AWS and pay $80/month. Another $40/month looks like a lot to me.

But I think the point is more that it's outrageous compared to the marginal costs.

Leasing an IPv4 is 0.40 per month. The 39.60 on top is just their margin.

For a lot of traffic $40 is not outrageous.

For a little traffic $40 is outrageous.

I'm shocked this isn't a feature of a VPC out of the box (shared internet bound traffic). You should only need a NAT gateway if you want the traffic to come out of a single set of external IPs that you control.

Almost all of my use cases I could easily ride out to the internet through a shared pipe (apt updates and such) and don't care whatsoever what IP that exits the AWS network from, since I'm not applying firewall rules or anything.

I think that as a business and given the fact they are now charging for a previously free service (public IPs), offering a now paid service as free would nullify the reasons for doing what they are doing. They don't owe anyone anything for free.

The 0.045/GB of NAT transfer cost is in addition to the $0.09/GB egress costs.

The sweet point should be that the total cost of using the managed services should be less than doing so yourself when you account for manpower.

If we have ended up at a place where it’s cheaper to run them yourself on an EC2 box then something has gone awry.

BTW AWS specifically allows you to bring your own IP addresses.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoi...

> makes more economic sense to have fewer, central owners that can maximize usage

What you have described is effectively a China-style ICP license[1]. Unless you are willing to give a big name cloud provider $x per month, you shouldn't be able to put a service on the internet?

1. https://en.wikipedia.org/wiki/ICP_license

I have a /24 of v4 just so I don’t have to run NAT at home. My Apple Watch has a real, globally unique IP address.

Is this valuable use of IPv4 space? I think yes.

"Putting a price on IP address usage again is a mechanism to prevent squatting/hoarding a scarce resource."

That isn't one company's call, it's past time for the DOJ to step in.

> It also seems that your use of "rent seeking" doesn't match established use.

No, OP used it exactly correctly. It's the textbook definition.

> It normally refers to people extracting money for things far beyond their actual value.

No, it doesn't. The use was popularized in Wealth of Nations (yes, the original) and it refers to, as the name implies, renting out land.

I buy land. Once I've done that, I extract wealth from the economy from the economy while putting nothing new in. There's a finite amount of land.

This contrasts with investing in businesses (which allows them to buy capital, thereby generating further wealth), work, and other forms of income which generate wealth for the economy.

In broad strokes, rent-seeking behavior is unproductive, while work, investment, etc. are productive.

> It normally refers to people extracting money for things far beyond their actual value.

That's not what "rent-seeking" means at all.

Rent-seeking is extracting wealth from a system without creating anything. It's a term meant to differentiate profiting via productivity/adding value (eg. manufacturing a better product and outcompeting others) and profiting via extracting value from others without adding anything (eg. buying out all of the manufacturers of a product and leveraging your monopoly position to jack up prices).

Amazon haven't created any value here - they own enough of a stock of a scarce, in-demand resource that they can charge a great deal for it. It's the definition of rent-seeking.

> You can't buy/sell/trade "ASN blocks". The only people handling "ASN blocks" are the 5 RIRs (APNIC, RIPE NCC, ARIN, AfriNIC and LACNIC) and IANA.

You absolutely can sell ASNs or ASN blocks, just like you can sell IPs.

Want to sell an ASN? Ask the buyer for money. When the money is in your account/escrow, transfer the ASN to them. Get money. Sale complete.

But that’s besides the point, this has got nothing to do with ASNs.

It's ISPs who are the main problem, not applications.

Even already, I think you can get away with doing almost everything v6 with a much smaller number of ipv4s for legacy traffic. I say that but still largely use v4 for everything, so maybe I'm not one to talk.

I doubt many people care about private aspect of the VPN. They usually want to access services which are inaccessible from their primary IP.

I'd say that VPN is a way for Internet to work around artificial obstacles.

That's not rent seeking: https://en.wikipedia.org/wiki/Rent-seeking

IP addresses are supposed to be free! The RIRs are in the business of handing out addresses to whoever applies for them if the applicant can show that they have a reasonable use for the addresses. But as the IPv4 addresses eventually run out, AWS will then buy addresses directly from whoever has them. This is allowed, but a bit dubious, since if someone aren’t using their addresses, it would make more sense to return them to the RIR to be reassigned. But if AWS owns all the addresses, and nobody can get any more, it makes sense for AWS to start charging for the addresses. It would also make sense for AWS to halt and delay any IPv6 adoption, so we should watch for that.

Had AWS not gone around offering to beat any offered price for IPs things might be a lot more reasonable right now. You can't complain that you had to pay a ton for a scare resource when you were the ones throwing gasoline on the scarcity problem.

They even did backroom deals to steal large blocks of IP space, most notably from the HAM radio community.

It’s worse than that: new software and hardware is being developed or rolled out right now that is incapable of working on an IPv6 network. Not just unable to use it, but actively incompatible — failing to run if other devices use IPv6!

This was an issue with Azure’s PostgreSQL service, which would fail if you deployed other unrelated IPv6 services in the same virtual network.

We need a guild of software engineering so that the people responsible for this can be summarily ejected from it.

Serious question, is there any enterprise gear made today which does not support IPv6? I have assumed that the natural hardware upgrade cycles made it so 99% of all active equipment could support the technology, even if it was not configured to do so.

Hmm, I use IPv4 mostly because nobody in their right mind can remember a IPv6 address…

IP addresses should never have had letters and double colons in them.

What's Google's IPv4 DNS? 8.8.8.8.

What SHOULD Google's IPv6 DNS be? 8.8.8.8.8.8.

What SHOULD Google's IPv8 DNS be? 8.8.8.8.8.8.8.8.

What IS Google's IPv6 DNS? 2001::some::shit::I::::can't::remember//::h0ff::affblah

This is why I'm still stuck on IPv4. I'm a walking DNS server for all the instances I own, I can hammer out IPs when DNS fails me and that's a very useful feature, especially when idiot Wi-Fi hotspots try to DNS poison you when you're trying to SSH into something and the poisoned IPs stay cached even after you've accepted the stupid TOS.

For iOS maybe. Most of those applications are also using Apple's networking libraries and are effectively required to be on Apple's infinite software update treadmill to continue to be listed, keeping them young and hip in perpetuity. This is the upside to that treadmill, things are up to date or just stop working.

But I don't think that's representative. "Or just stop working" isn't a valid alternative to the rest of the world. Outside of mobile ecosystems and maybe web development most things aren't on these 6 to 12 month update cycles. It would be absolutely unreasonable to tell a hospital that every piece of hardware and software and MRI machine in their building has to be upgraded every 2 years or it's positively geriatric and do you even `pacman -Syyu` bro?

Theres a whole world of things that haven't been, and may never be, transitioned. Useful things like utility control computers and even peoples' 10 year old, still perfectly functional and supported desktops. Heck, my "end user" newly-installed fibre ISP doesn't support IPv6! And their previous DSL installation to the same address did! So much for "solved problem" :(

This seems unlikely, as 6to4 was deprecated in 2015: https://datatracker.ietf.org/doc/html/rfc7526

You make it sounds like that expansion was performed automatically. Is that something HN's reply box supports?

I understand that Movistar, the largest Spanish ISP, is currently deploying IPv6 in beta at the moment. I expect that will trickle down to the various resellers of Movistar's network shortly after. Hopefully that will get that 98% down in the near future. :(

Sigh, so basically it's impossible to switch without shredding an already tiny audience. I'm sure it won't be a nice UX either to have a "can't connect to this IP" error in someone's browser.

IPv6 has been around for so long now, I'm disappointed it doesn't have a little bit higher adoption.

So if a domain only has a AAAA record, and for whatever reason a user can’t use IPv6, what sort of error message would the user see?

I think there’s a difference between “don’t” and “can’t”.

It’s not clear to me on that page how it describes “can’t”, other than ambiguous (to me) graph labels.

Is there more info elsewhere that describes the “can’t”?

Yep I think that's plan B, thanks.

So I used to use DigitalOcean for around the same intro price point, but after a while I realized that I could pay $22/year for a t4g.nano ec2 instance instead of $72 for the cheap DigitalOcean VPS. I guess in the end, the $22/year was too good to be true and the DO/Linode pricing effectively bundles in the price of the IPv4 address.

Linode was too slow and had outages in my experience. Used them for years.

Replaced them with lightsail and don’t have any of those problems, plus I can pick FreeBSD.

OVH gives me a single /128. Spam whitelists are at /64 grsnularity, so I cannot use IPv6 e-mail. this is not parity!

I asked their support about this a year ago. They said they were discussing increasing the prefix size internally.

That kind of makes me want to move to Hertzner or another competitor.

because they don't have to be. when you own 20% of the entire Internet, you can just do whatever you want, very few can compete

They expect us to be ready...

GitHub does not even have an IPv6 address.

aws is many things but 'incompetent' is not one of them.

Cloudflare does the trick tho

In addition, there are also impacts on other protocols such as ARP, DHCP, ICMP, DNS etc.

So it's not as simple as changing only the IP packet format either.

I wish I had the ability to downvote, so I could downvote this comment into oblivion. What a shit attitude to have. Asking stupid questions is how you learn. You stop asking questions, you stop learning.

IP version 5 actually was a real thing[0] (though it's usually called "Internet Stream Protocol"). It still used 32-bit addresses though.

[0]: https://en.wikipedia.org/wiki/Internet_Stream_Protocol

Yes [1], I was looking into Hetzner, which has an api to create machines programatically. I assume for bigger customers you could rent out collocated racks which would satisfy requirements. I don't have any experience in it though.

[1] example list of clouds https://www.vpsbenchmarks.com/plans

Hobby customers aren't using AWS, by and large. And it's only a matter of time before we see more and more costs for IPv4 down in these tiers as well.

Hobby provider most often are already charging for ipv4 addresses.

Some companies have been allocating a bunch of pointless IPv4 addresses and I think that's why AWS is doing this. A friend of mine have reduced the number of IPv4 addresses his employer uses by 80% (100+ IPs) in less than a week. That's a huge saving, but those IPs should never have been allocated to begin with.

At $45 a year per IP address you’d have to spend less than a man hour per address to even conceivably approach break even.

And I normally would be worried if my company was focusing on break even initiatives instead of higher impact ones.

Why :-( ? There's no way MIT was using more than a tiny fraction of that /8; now it's actually being put to real use, and MIT probably got some money out of it. Everybody wins.

The market is working :-)

My back charged me a new fee advertised on new fine print in a web page somewhere I never saw. I changed banks. You can hide things in plain sight. No one has visited every page on Amazon.com.

There has been a decrease in server costs. Prices of computers continue to fall. AWS hosting has become (relatively) more expensive over time.

Addresses were already being charged if they weren't attached to an interface. Increase that charge if you're looking to churn unused IP addresses.

If they're separating out functionality from that service and charging for it, sure. Customers who don't pay extra are getting less service than they used to for the same money they used to pay.

> but it seems more unreasonable to expect anything different from the oligarchy

oh my god when the demand for a scarce resource outstrips supply, prices go up. this is high school microecon, not some conspiracy by tHe oLiGaRcHy

Why would AWS charge less for IPv6 traffic through their stupid gateway than for IPv4 traffic? It's just an artificial money making machine anyway.

ELB is a substantial cost itself, though.

Cloudfront as well.

While you could make a case that it is convenient short-term, it is very cost-ineffective.