undefined | Better HN

0 pointstime0ut5mo ago0 comments

Interesting day. I've been on an incident bridge since 3AM. Our systems have mostly recovered now with a few back office stragglers fighting for compute.

The biggest miss on our side is that, although we designed a multi-region capable application, we could not run the failover process because our security org migrated us to Identity Center and only put it in us-east-1, hard locking the entire company out of the AWS control plane. By the time we'd gotten the root credentials out of the vault, things were coming back up.

Good reminder that you are only as strong as your weakest link.

0 comments

SOLAR_FIELDS5mo ago

This reminds me of the time that Google’s Paris data center flooded and caught on fire a few years ago. We weren’t actually hosting compute there, but we were hosting compute in AWS EU datacenter nearby and it just so happened that the dns resolver for our Google services elsewhere happened to be hosted in Paris (or more accurately it routed to Paris first because it was the closest). The temp fix was pretty fun, that was the day I found out that /etc/hosts of deployments can be globally modified in Kubernetes easily AND it was compelling enough to want to do that. Normally you would never want to have an /etc/hosts entry controlling routing in kube like this but this temporary kludge shim was the perfect level of abstraction for the problem at hand.

citizenpaul5mo ago

> temporary kludge shim was the perfect level of abstraction for the problem at hand.

Thats some nice manager deactivating jargon.

LPisGood5mo ago

Manager deactivating jargon is a great phrase - it’s broadly applicable and also specific.

SOLAR_FIELDS5mo ago

Yeah that sentence betrays my BigCorp experience it’s pulling from the corporate bullshit generator for sure

johndubchak5mo ago

+1...hee hee

jordanb5mo ago

Couldn't you just patch your coredns deployment to specify different forwarders?

SOLAR_FIELDS5mo ago

Probably. This was years ago so the details have faded but I do recall that we did weigh about 6 different valid approaches of varying complexity in the war room before deciding this /etc/hosts hack was the right approach for our situation

nahumba5mo ago

This is the en of the thread of the first comment. Now i can find below the second comment

1970-01-015mo ago

I remember Facebook had a similar story when they botched their BGP update and couldn't even access the vault. If you have circular auth, you don't have anything when somebody breaks DNS.

crote5mo ago

Wasn't there an issue where they required physical access to the data center to fix the network, which meant having to tap in with a keycard to get in, which didn't work because the keycard server was down, due to the network being down?

kylecazar5mo ago

Wishful thinking, but I hope an engineer somewhere got to ram a door down to fix a global outage. For the stories.

4 more replies

lenerdenator5mo ago

Not to speak for the other poster, but yes, they had people experiencing difficulties getting into the data centers to fix the problems.

I remember seeing a meme for a cover of "Meta Data Center Simulator 2021" where hands were holding an angle grinder with rows of server racks in the background.

"Meta Data Center Simulator 2021: As Real As It Gets (TM)"

UltraSane5mo ago

Yes for some insane reason facebook had EVERYTHING on a single network. The door access not working when you lose BGP routes is especially bad because normal door access systems cache access rules on the local door controllers and thus still work when they lose connectivity to the central server.

2 more replies

junon5mo ago

Yep. And their internal comms were on the same server if memory serves. They were also down.

1 more reply

bcrl5mo ago

That's similar to the total outage of all Rogers services in Canada back on July 7th 2022. It was compounded by the fact that the outage took out all Rogers cell phone service, making it impossible for Rogers employees to communicate with each other during the outage. A unified network means a unified failure mode.

Thankfully none of my 10 Gbps wavelengths were impacted. Oh did I appreciate my aversion to >= layer 2 services in my transport network!

YokoZar5mo ago

That's kind of a weird ops story, since SRE 101 for oncall is to not rely on the system you're oncall for to resolve outages in it. This means if you're oncall for communications of some kind, you must have some other independent means of reaching eachother (even if it's a competitor phone network)

1 more reply

ttul5mo ago

There is always that point you reach where someone has to get on a plane with their hardware token and fly to another data centre to reset the thing that maintains the thing that gives keys to the thing that makes the whole world go round.

beefnugs5mo ago

So sick of billion dollar companies not hiring that one more guy

ttul5mo ago

That is perhaps why they are billion dollar companies and why my company is not very successful.

vladvasiliu5mo ago

> Identity Center and only put it in us-east-1

Is it possible to have it in multiple regions? Last I checked, it only accepted one region. You needed to remove it first if you wanted to move it.

raverbashing5mo ago

Security people and ignoring resiliency and failure modes: a tale as old as time

AndrewKemendo5mo ago

Correct. That does make it a centralized failure mode and everyone is in the same boat on that.

I’m unaware of any common and popular distributed IDAM that is reliable

fheisler5mo ago

Not sure if this counts fully as 'distributed' here, but we (Authentik Security) help many companies self-host authentik multi-region or in (private cloud + on-prem) to allow for quick IAM failover and more reliability than IAMaaS.

There's also "identity orchestration" tools like Strata that let you use multiple IdPs in multiple clouds, but then your new weakest link is the orchestration platform.

1 more reply

bravetraveler5mo ago

> I’m unaware of any common and popular distributed IDAM that is reliable

Other clouds, lmao. Same requirements, not the same mistakes. Source: worked for several, one a direct competitor.

barbazoo5mo ago

Wow, you really *have* to exercise the region failover to know if it works, eh? And that confidence gets weaker the longer it’s been since the last failover I imagine too. Thanks for sharing what you learned.

shdjhdfh5mo ago

You should assume it will not work unless you test it regularly. That's a big part of why having active/active multi-region is attractive, even though it's much more complex.

ej_campbell5mo ago

That wouldn't have even caught that, most likely unless they verified they had no incidental tie ins with us-east-1.

jpollock5mo ago

The last place I worked actively switched traffic over to the backup nodes regularly (at least monthly) to ensure we could do it when necessary.

We learned that lesson by having to do emergency failovers and having some problems. :)

shawabawa35mo ago

for what it's worth, we were unable to login with root credentials anyway

i don't think any method of auth was working for accessing the AWS console

kondro5mo ago

Sure it was, you just needed to login to the console via a different regional endpoint. No problems accessing systems from ap-southeast-2 for us during this entire event, just couldn’t access the management planes that are hosted exclusively in us-east-1.

nijave5mo ago

Like the other poster said, you need to use a different region. The default region (of course) sends you to us-east-1

e.x. https://us-east-2.console.aws.amazon.com/console/home

reenorap5mo ago

It's a good reminder actually that if you don't test the failover process, you have no failover process. The CTO or VP of Engineering should be held accountable for not making sure that the failover process is tested multiple times a month and should be seamless.

sroussey5mo ago

If you don’t regularly restore a backup, you don’t have one.

hinkley5mo ago

Too much armor makes you immobile. Will your security org be held to task for this? This should permanently slow down all of their future initiatives because it’s clear they have been running “faster than possible” for some time.

Who watches the watchers.

ej_campbell5mo ago

Totally ridiculous that AWS wouldn't by default make it multi-region and warn you heavily that your multi-region service is tied to a single region for identity.

The usability of AWS is so poor.

skywhopper5mo ago

They don’t charge anything for Identity Center and so it’s not considered an important priority for the revenue counters.

ct5205mo ago

I always find it interesting how many large enterprises have all these DR guidelines but fail to ever test. Glad to hear that everything came back alright

ransom15385mo ago

People will continue to purchase Mutli-AZ and multi-region even though you have proved what a scam it is. If east region goes down, ALL amazon goes down, feel free to change my mind. STOP paying double rates for multi region.

ozim5mo ago

Sounds like a lot of companies need to update their BCP after this incident.

michaelcampbell5mo ago

"If you're able to do your job, InfoSec isn't doing theirs"

j / k navigate · click thread line to collapse

0 comments

SOLAR_FIELDS5mo ago

citizenpaul5mo ago

> temporary kludge shim was the perfect level of abstraction for the problem at hand.

Thats some nice manager deactivating jargon.

LPisGood5mo ago

Manager deactivating jargon is a great phrase - it’s broadly applicable and also specific.

SOLAR_FIELDS5mo ago

Yeah that sentence betrays my BigCorp experience it’s pulling from the corporate bullshit generator for sure

johndubchak5mo ago

+1...hee hee

jordanb5mo ago

Couldn't you just patch your coredns deployment to specify different forwarders?

SOLAR_FIELDS5mo ago

nahumba5mo ago

This is the en of the thread of the first comment. Now i can find below the second comment

1970-01-015mo ago

I remember Facebook had a similar story when they botched their BGP update and couldn't even access the vault. If you have circular auth, you don't have anything when somebody breaks DNS.

crote5mo ago

kylecazar5mo ago

Wishful thinking, but I hope an engineer somewhere got to ram a door down to fix a global outage. For the stories.

4 more replies

lenerdenator5mo ago

Not to speak for the other poster, but yes, they had people experiencing difficulties getting into the data centers to fix the problems.

I remember seeing a meme for a cover of "Meta Data Center Simulator 2021" where hands were holding an angle grinder with rows of server racks in the background.

"Meta Data Center Simulator 2021: As Real As It Gets (TM)"

UltraSane5mo ago

2 more replies

junon5mo ago

Yep. And their internal comms were on the same server if memory serves. They were also down.

1 more reply

bcrl5mo ago

Thankfully none of my 10 Gbps wavelengths were impacted. Oh did I appreciate my aversion to >= layer 2 services in my transport network!

YokoZar5mo ago

1 more reply

ttul5mo ago

beefnugs5mo ago

So sick of billion dollar companies not hiring that one more guy

ttul5mo ago

That is perhaps why they are billion dollar companies and why my company is not very successful.

vladvasiliu5mo ago

> Identity Center and only put it in us-east-1

Is it possible to have it in multiple regions? Last I checked, it only accepted one region. You needed to remove it first if you wanted to move it.

raverbashing5mo ago

Security people and ignoring resiliency and failure modes: a tale as old as time

AndrewKemendo5mo ago

Correct. That does make it a centralized failure mode and everyone is in the same boat on that.

I’m unaware of any common and popular distributed IDAM that is reliable

fheisler5mo ago

There's also "identity orchestration" tools like Strata that let you use multiple IdPs in multiple clouds, but then your new weakest link is the orchestration platform.

1 more reply

bravetraveler5mo ago

> I’m unaware of any common and popular distributed IDAM that is reliable

Other clouds, lmao. Same requirements, not the same mistakes. Source: worked for several, one a direct competitor.

barbazoo5mo ago

shdjhdfh5mo ago

You should assume it will not work unless you test it regularly. That's a big part of why having active/active multi-region is attractive, even though it's much more complex.

ej_campbell5mo ago

That wouldn't have even caught that, most likely unless they verified they had no incidental tie ins with us-east-1.

jpollock5mo ago

The last place I worked actively switched traffic over to the backup nodes regularly (at least monthly) to ensure we could do it when necessary.

We learned that lesson by having to do emergency failovers and having some problems. :)

shawabawa35mo ago

for what it's worth, we were unable to login with root credentials anyway

i don't think any method of auth was working for accessing the AWS console

kondro5mo ago

nijave5mo ago

Like the other poster said, you need to use a different region. The default region (of course) sends you to us-east-1

e.x. https://us-east-2.console.aws.amazon.com/console/home

reenorap5mo ago

sroussey5mo ago

If you don’t regularly restore a backup, you don’t have one.

hinkley5mo ago

Who watches the watchers.

ej_campbell5mo ago

Totally ridiculous that AWS wouldn't by default make it multi-region and warn you heavily that your multi-region service is tied to a single region for identity.

The usability of AWS is so poor.

skywhopper5mo ago

They don’t charge anything for Identity Center and so it’s not considered an important priority for the revenue counters.

ct5205mo ago

I always find it interesting how many large enterprises have all these DR guidelines but fail to ever test. Glad to hear that everything came back alright

ransom15385mo ago

ozim5mo ago

Sounds like a lot of companies need to update their BCP after this incident.

michaelcampbell5mo ago

"If you're able to do your job, InfoSec isn't doing theirs"

j / k navigate · click thread line to collapse