Like many things AWS all this information can be found in the AWS docs themselves, but scattered everywhere. This article on service policies (or resource policies) vs IAM permissions provides some background for what we'll do here. There are two pieces here: 1. The Elastic Container Repository (ECR) in one AWS account (account ID 1111111111… Continue reading How Access an AWS Container Repository from Another Account
Should applications use one S3 bucket, putting different categories of files under different directories?1 Or should an application use multiple S3 buckets -- one for each different category of files? As the title implies, the answer is many S3 buckets. While some things, like lifecycle rules, can be configured based on directories (key prefixes, really),… Continue reading Use Many S3 Buckets
One of the things I try to do when building applications is keep servers stateless. This makes those servers easy to throw away -- a piece of infrastructure failing (which it always will) is not a big deal with stateless servers. Just spin up a new one. When the requirement came down the pipeline to… Continue reading Building an Upload System Backed by S3 and Client-Side Uploads
The past week I've been doing some training at PMG around our AWS setup and infrastructure. In the past year we've become heavy users of Docker and Amazon's Elastic Container Service as well as moving more towards infrastructure as code with terraform. My team, understandably, feels a bit overwhelmed by the complexity of our AWS… Continue reading AWS’ Minimum Level of Complexity
Putting configuration in the environment is a fairly well acknowledged best practice now. That configuration often includes secrets. But environment variables in container images -- like the docker ENV stanza -- are not really secure. They are built as part of the image, after all, so anyone with access to the image can get at… Continue reading One Way to Manage Secrets in Dockerized Applications
AWS is, at best, complicated. Part of that complexity is that there are often seems to be more than one way to accomplish a goal. Service policies and IAM permissions are a great example of this. Both seem to accomplish the same thing (permissions), but serve different purposes. Service policies is probably not an official… Continue reading AWS Service Policies vs IAM Permissions
This is a recommendation on how to organize subnets inside an AWS VPC. Before continuing, it's important to understand the difference between a public and private subnet. There are three broad classes of subnets to run inside your VPC: Public Private Internal Internal subnets aren't really a thing, but it's a convenient way to talk… Continue reading A Recommended VPC Subnet Configuration
This is a brief intro to quite a few of the AWS VPC components and how they fit together with the goal of describing the difference between a public and private subnet. Amazon has this line in some VPC docs that hints at the difference: The instances in the public subnet can send outbound traffic… Continue reading What’s the Difference Between a Public and Private Subnet in an AWS VPC?
Updating an auto scaling group's (ASG) launch config exposes a little quirk: the old instances are not automatically taken out of service. Sometimes that's not a bad thing. Running a distributed database in an ASG would make taking old instances out of service all at once a bad idea. Other times removing the old servers… Continue reading How to Create New Autoscaling Groups on Lauch Configuration Change
I've been experimenting with running single instances in an autoscaling group. These single instances tend to be backing services that, while important, contain only ephemeral data that's okay being lost. A good example would be something like beanstalkd for a queue. Part of that process is registering the new instance with a Route 53 hosted… Continue reading How to Update a Route53 Record on Instance Boot
