“New” Amazon EC2 Networking

Amazon says in a blog post that they are so excited they can barely contain themselves.

Today we are releasing a set of features that expand the power and value of the Virtual Private Cloud.

Woo hoo, break out the cloud party hats. More power. More value. This EC2 goes all the way to 11…or maybe not.

You can think of this new collection of features as virtual networking for Amazon EC2. While I would hate to be innocently accused of hyperbole, I do think that today’s release legitimately qualifies as massive, one that may very well change the way that you think about EC2 and how it can be put to use in your environment.

Yes, ok, I see trusted security partners still are relied upon to provide advanced features for EC2/VPC. I take that to mean this is a core/basic security announcement; it’s like an “oops, here’s that thing you have been looking for” release.

The first three comments on the blog post emphasize a sort of underwhelming-ness. Not everything you have been looking for is there yet.

  1. Simon, March 14, 2011 at 11:50 PM: “Whats the ETA on IPV6 support?”
  2. Pve, March 15, 2011 at 01:29 AM: “Now, what about your roadmap for IPv6 integration?”
  3. Roland, March 15, 2011 at 01:57 AM: “What about IPv6?”

Let me get out my language pattern analysis toolkit…yes, yes, aha! IPv6 apparently is not yet supported.

A little more digging and it appears the security group you can now attach to the VPC Internet gateway is stateless. Stateful packet filtering is ages old. It is also required for PCI compliance (DSS v2.0 Requirement 1.3.6), and Amazon says they are PCI compliant. So perhaps I am missing something in this “new” networking model, but it looks to me that you would have to manually open inbound high-numbered (ephemeral) ports just so return traffic can get back in. That makes it neither secure nor compliant.
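To make the stateless-versus-stateful point concrete, here is a small added model (my own illustration, not Amazon code, and it does not talk to any AWS API). It evaluates the same three constructed packets against a stateless rule list, the same list with the inbound ephemeral range opened by hand, and a filter that tracks outbound flows. The rule and packet shapes, the addresses, and the port numbers are all invented for the example.

```python
"""Toy model of stateless vs stateful packet filtering (added example).

Packets are simplified 5-tuples; rules are matched first-hit like a
numbered ACL. Nothing here calls AWS; it only shows why a stateless
filter forces you to open the whole ephemeral range for return traffic,
and what that opening lets through.
"""
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # typical client-side source port range (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out" relative to the protected subnet


@dataclass(frozen=True)
class Rule:
    direction: str
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "allow" or "deny"


class StatelessFilter:
    """Evaluates every packet against the rule list in isolation."""

    def __init__(self, rules):
        self.rules = list(rules)

    def accept(self, pkt: Packet) -> bool:
        for r in self.rules:
            if r.direction == pkt.direction and r.ports[0] <= pkt.dport <= r.ports[1]:
                return r.action == "allow"
        return False  # implicit deny at the end of the list


class StatefulFilter:
    """Same rule list plus a flow table: replies to permitted outbound
    flows are accepted without needing any inbound rule."""

    def __init__(self, rules):
        self.inner = StatelessFilter(rules)
        self.flows = set()

    def accept(self, pkt: Packet) -> bool:
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # reply to a flow we saw leave
        ok = self.inner.accept(pkt)
        if ok and pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ok


# Constructed traffic: an instance fetches a web page, the reply comes back,
# and an unrelated host hits the same ephemeral port unsolicited.
OUTBOUND = Packet("10.0.1.5", 49152, "203.0.113.10", 80, "out")
REPLY = Packet("203.0.113.10", 80, "10.0.1.5", 49152, "in")
UNSOLICITED = Packet("198.51.100.7", 4444, "10.0.1.5", 49152, "in")


def run(filter_obj):
    """Returns (outbound accepted, reply accepted, unsolicited accepted)."""
    return tuple(filter_obj.accept(p) for p in (OUTBOUND, REPLY, UNSOLICITED))


def stateless_minimal():
    # Only "allow outbound 80": the reply is dropped, so the fetch fails.
    return run(StatelessFilter([Rule("out", (80, 80), "allow")]))


def stateless_with_ephemeral():
    # The manual workaround: open inbound 1024-65535. Now the reply works,
    # but so does the unsolicited packet to the same port.
    return run(StatelessFilter([Rule("out", (80, 80), "allow"),
                                Rule("in", EPHEMERAL, "allow")]))


def stateful():
    # Connection tracking: reply allowed, unsolicited packet still dropped.
    return run(StatefulFilter([Rule("out", (80, 80), "allow")]))


if __name__ == "__main__":
    print("stateless, outbound rule only:", stateless_minimal())
    print("stateless, ephemeral range opened:", stateless_with_ephemeral())
    print("stateful:", stateful())
```

The middle case is the one the post is pointing at: the only way a stateless list can pass the reply is a standing inbound allow over the ephemeral range, and that same rule admits anything else aimed at those ports, which is exactly what connection tracking exists to avoid.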

What about cost?

I think this is the best part of the Virtual Private Cloud: you can deploy a feature-packed private network at no additional charge! We don’t charge you for creating a VPC, subnet, ACLs, security groups, routing tables, or VPN Gateway, and there is no charge for traffic between S3 and your Amazon EC2 instances in VPC. Running Instances (including NAT instances), Elastic Block Storage, VPN Connections, Internet bandwidth, and unmapped Elastic IPs will incur our usual charges.

The usual charges. A NAT instance for two tiers, bridging a private IP range to the public Internet, will set you back at least $0.09/hr, since a micro instance is not allowed. So a networking instance you set up is going to bring cost, but they are not adding an additional charge for the networking features above. Imagine if they tried to charge to add an ACL. Like I said, this is the “oops, here’s that thing you have been looking for” release. Party like it’s 1999. Or should I say dude, where’s my DMZ?

In related news an Amazon EC2 bicycle now has tires…and here’s the best part: they let you put in air and lubricate your chain at no additional charge!

8 thoughts on ““New” Amazon EC2 Networking”

  1. Hi Hoff. So you think AWS is “sucking less”. Why are you shouting down someone else with the same message? What’s with the moral ground nonsense?

    @Beaker (Christofer Hoff) on Twitter.com:

    > Final RT for today: AWS’ New Networking Capabilities – Sucking Less ;) http://t.co/ljlQNgW

    > @vcloudinsdr @mathewlodge @teavu @daviottenheimer So after ragging on AWS, where is IPv6 for vCloud Director/vShield? #cloudglasshouses

    > Um @daviottenheimer I’m referring to vShield Edge which is not L2 & doesn’t support IPv6 & didn’t out of the gate…

    > @daviottenheimer …and since vShield App is not bundled with vCloud Director & vShield Edge is…well, you get the picture…

    > Well @daviottenheimer point is, roadmaps are roadmaps and while your AWS blog post was fun & snarky, your karma just ran over your dogma…

    > “@daviottenheimer: @Beaker …Point is aws claiming big ‘new’ but it’s not new & incomplete. Reveals gaps.” < Those features are new to AWS

    > @daviottenheimer Also you call out another cloud platform w/out understanding your own & call out missing features yours also has. Lame

    > …and THAT my friends, is what we call ClouDouchery.

    > @daviottenheimer Nice attempt at a side-step though. I expect you won't update the blog as usual ;(

    > @reillyusa It's not a fight. A fight is when 2 ppl start & then one falls over due to the other. He knocked himself out with that bullshit.

    > @daviottenheimer If you're going to attempt a new career in vCloud marketing, own your mistakes or don't make them in the first place.

    > “@daviottenheimer: @Beaker …But since i'm so lame, why waste ur awesomeness on me?” < Why because I'm Captain Cloud, righter of FUD & FAIL

  2. @Christopher

    Thanks for your comment.

    vCloud Director and vShield are not Amazon EC2 products.

    The IPv6 thread is on the Amazon blog, which I linked to above. I cited the first three comments as an example of the feedback you will find on the Amazon announcement. Go there to find out more and register your concern with IPv6 support. (Note that they moderate comments so they will not appear until the author has approved them.)

    I see you also are name-calling with Douchery, bullshit, lame, snarky and…fun.

    I accept the fun and snarky but decline the other names. Not sure what you hope to achieve, but I’ll take it as your way of expressing how much you care.

  3. I always buy my bicycles as a frame only and build using parts I like. Your analogy says to me Amazon has been a lot more IaaS than people realized. They thought they were getting a full kit when they still needed brakes and such to make it go right.

  4. @Brad

    Good point. A long time ago I used to design and have my frames hand built. Maybe that’s where the analogy came from; the expectation of different riders.

    The unfamiliar cyclist buys a bike with the expectation it is ready to ride; it should be easy for them to put their goods on it and go. When/if they find out they also need extra protection for the most common risks they may be disappointed.

    Perhaps I should have said instead that the bike comes without puncture-resistant tires, or without a helmet. The law requires that a bike come with reflectors…so the analogy can keep going.

  5. The question is if VMware supports IPv6. What you do not say is that VMware supports IPv6 on *everything else* so VCD and VSE are not a big hurdle. It runs today in providers with dual-mode to support IPv6 so it’s weird that Hoff jumped on that but you are right about the firewall. Stateless means you have to use a partner product.

    Cheers,
    Nate

  6. We will get to stateful firewall someday but for now I appreciate you not losing sight of it. Sometimes we get caught up in believing things are “massive” because like everyone we want to pat ourselves on the back for the road behind instead of where we are on the road ahead. Good post, keep them coming.

  7. Hoff’s abusive whim is just him trying to be funny. At RSA he was teasing some guy about needing tampons just because the guy did not want to hang out with him. He says you don’t understand “your platform” but what is your platform? I thought you also run products on EC2. I guess some people don’t appreciate your direct style. The exciting news for us is VPC with Internet and VPN access because it can support our on-premise router and VPC with Internet access. Major improvement over the Cisco crap that was always tits up, speaking of bad platforms.
