AWS Client VPN

After it leaked (or not really leaked) from some of the re:Invent sessions, it seems that AWS has finally released the Client VPN.

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
So instead of provisioning an EC2 instance yourself and configuring your own OpenVPN server - you can use this service.

But pricing is outrageous...

$0.05 per AWS Client VPN connection hour
$0.10 per AWS Client VPN endpoint association hour

Assuming I need a VPN that handles 5 connections, the service stays provisioned 24/7 for a month, and the users connect for approximately 8 hours a day, 5 days a week.
Leaving this service provisioned for the entire month would cost:

0.10 * 750(hours in a month) = $75
0.05 * 5(people) * 8(hours) * 5 (days) * 4 (weeks) = $40

Total cost for one month - $115

If I were to roll my own on EC2

Using a t3.small instance (2vCPU/2GB ram) should be more than sufficient.

0.02 * 750 (hours in a month) = $15

OK - it is not comparing apples to apples - not by a long shot

Client VPN offers the following features:

Secure — It provides a secure TLS connection from any location using the OpenVPN client.
Managed service — It is an AWS managed service, so it removes the operational burden of deploying and managing a third-party remote access VPN solution.
Highly available and elastic — It automatically scales to the number of users connecting to your AWS resources and on-premises resources.
Authentication — It supports client authentication using Active Directory and certificate-based authentication.
Granular control — It enables you to implement custom security controls by defining network-based access rules. These rules can be configured at the granularity of Active Directory groups. You can also implement access control using security groups.
Ease of use — It enables you to access your AWS resources and on-premises resources using a single VPN tunnel.
Manageability — It enables you to view connection logs, which provide details on client connection attempts. You can also manage active client connections, with the ability to terminate active client connections.
Deep integration — It integrates with existing AWS services, including AWS Directory Service and Amazon VPC.
Are all these extra features worth paying so much more for this managed service?
You are the only one that can answer this.

I am throwing down the gauntlet - for someone to write the code that provisions a VPN endpoint on demand - based on usage - which would make this service more cost effective. The $0.10 meter runs per endpoint association hour, not per endpoint, so the lever is to keep the target network associated only while people actually need to connect.
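As an added example (not code from the post or from AWS), the following Python models the two bills above and sketches the on-demand piece: a reconcile step that keeps the endpoint's target network associated only during assumed working hours, which is when the association meter is running. The boto3 method names and the `describe_client_vpn_target_networks` response shape are real; the prices, the 08:00-18:00 Monday-to-Friday window, the endpoint and subnet IDs and the `FakeEC2` client are assumptions so the example runs offline.

```python
"""Added example (not from the post): a monthly cost model for AWS Client VPN
versus a self-managed EC2 OpenVPN box, plus the reconcile loop the post asks
for, which keeps the endpoint's target network associated only while people
are expected to be connected.  Prices and working hours are assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Prices quoted in the post (USD); HOURS_PER_MONTH is the post's round figure.
ASSOCIATION_HOUR = 0.10   # per endpoint/subnet association hour
CONNECTION_HOUR = 0.05    # per connected client hour
HOURS_PER_MONTH = 750


@dataclass
class Usage:
    """Assumed usage pattern: how many people connect and for how long."""
    users: int
    hours_per_day: int
    days_per_week: int
    weeks_per_month: int = 4

    @property
    def active_hours(self) -> int:
        return self.hours_per_day * self.days_per_week * self.weeks_per_month


def client_vpn_cost(usage: Usage, always_associated: bool = True) -> float:
    """Monthly Client VPN bill.  With always_associated=False the target
    network is only associated during the active hours, so the $0.10/h meter
    runs for active_hours instead of the whole month.  The $0.05/h connection
    meter depends only on how long users stay connected."""
    assoc_hours = HOURS_PER_MONTH if always_associated else usage.active_hours
    return round(ASSOCIATION_HOUR * assoc_hours
                 + CONNECTION_HOUR * usage.users * usage.active_hours, 2)


def ec2_cost(hourly_rate: float = 0.02) -> float:
    """A self-managed OpenVPN instance runs 24/7 (t3.small rate from the post)."""
    return round(hourly_rate * HOURS_PER_MONTH, 2)


def in_business_hours(now: datetime, start: int = 8, end: int = 18) -> bool:
    """Assumed window: Monday to Friday, 08:00-18:00 in the scheduler's timezone."""
    return now.weekday() < 5 and start <= now.hour < end


def reconcile(ec2, endpoint_id: str, subnet_id: str, now: datetime) -> str:
    """Associate the subnet during business hours, disassociate outside them.

    `ec2` is a boto3 EC2 client (or anything with the same three methods); the
    response shape matches describe_client_vpn_target_networks.  Returns the
    action taken so a scheduler can log it.  Caveat: disassociating the only
    target network drops every active connection on that endpoint."""
    resp = ec2.describe_client_vpn_target_networks(ClientVpnEndpointId=endpoint_id)
    live = [n for n in resp["ClientVpnTargetNetworks"]
            if n["TargetNetworkId"] == subnet_id
            and n["Status"]["Code"] in ("associating", "associated")]
    wanted = in_business_hours(now)
    if wanted and not live:
        ec2.associate_client_vpn_target_network(
            ClientVpnEndpointId=endpoint_id, SubnetId=subnet_id)
        return "associate"
    if not wanted and live:
        ec2.disassociate_client_vpn_target_network(
            ClientVpnEndpointId=endpoint_id, AssociationId=live[0]["AssociationId"])
        return "disassociate"
    return "noop"


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline.
    It mimics only the fields reconcile() reads."""
    def __init__(self):
        self.networks = []

    def describe_client_vpn_target_networks(self, ClientVpnEndpointId):
        return {"ClientVpnTargetNetworks": list(self.networks)}

    def associate_client_vpn_target_network(self, ClientVpnEndpointId, SubnetId):
        self.networks.append({"AssociationId": "cvpn-assoc-0123456789abcdef0",
                              "TargetNetworkId": SubnetId,
                              "Status": {"Code": "associated"}})

    def disassociate_client_vpn_target_network(self, ClientVpnEndpointId, AssociationId):
        self.networks = [n for n in self.networks if n["AssociationId"] != AssociationId]


if __name__ == "__main__":
    office = Usage(users=5, hours_per_day=8, days_per_week=5)
    print("Client VPN, always associated:", client_vpn_cost(office))
    print("Client VPN, business hours only:", client_vpn_cost(office, always_associated=False))
    print("Self-managed t3.small:", ec2_cost())
    # Hypothetical IDs; a real run would use the endpoint and subnet you created.
    ec2, ep, sn = FakeEC2(), "cvpn-endpoint-0123456789abcdef0", "subnet-0123456789abcdef0"
    print(reconcile(ec2, ep, sn, datetime(2018, 12, 10, 9, 0)))   # Monday 09:00
    print(reconcile(ec2, ep, sn, datetime(2018, 12, 10, 20, 0)))  # Monday 20:00
```

With the post's 5 users at 8 hours a day, associating only during those hours brings the Client VPN bill from $115 down to $56, still above the $15 EC2 box but a very different gap. In practice `reconcile()` would run from a scheduled Lambda (a CloudWatch Events rule every 15 minutes or so) under a role limited to the three `ec2:*ClientVpnTargetNetwork` actions it calls, and you would only flip the association outside the window once the connection log shows nobody is still on.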


#AWS Outposts - told you so..

I called it - to me it was obvious that this was going to happen. The signs were all there. This was the direction the market has been pushing for, and AWS has a reputation for giving customers what they ask for.

The last announcement that Andy Jassy made in the keynote on Wednesday - was AWS Outposts.

Here was the announcement. Usually Jeff Barr (or, as of late, someone else on the Technical Evangelist team) has a detailed blog post ready on a new product the moment it is announced.

For AWS Outposts - nada… The only thing that is out there - is the announcement - and a “TBD” product page - https://aws.amazon.com/outposts/


Once the announcement was made - VMware went all out with as much information as they could, describing the VMware variant of AWS Outposts: https://cloud.vmware.com/community/2018/11/28/vmware-cloud-aws-outposts-cloud-managed-sddc-data-center/

Blog posts, interviews, sessions - you name it, they went all in - and for a very good reason, if you ask me. This expands their VMware Cloud on AWS in a substantial way.

And who was missing from this announcement ? AWS.

To me this is puzzling. The one-sided coverage of something that is supposed to be a joint venture means that either this was a pure publicity announcement - and the product has not yet been finalized - or AWS dropped the ball on this one - big time!!

So what do we know about this product? It will come in two flavors:

  • VMware Cloud on AWS Outposts allows you to use the same VMware control plane and APIs you use to run your infrastructure

  • A native variant of AWS Outposts allows you to use the same exact APIs and control plane you use to run in the AWS cloud, but on-premises. 

The AWS native variant of AWS Outposts allows you to use the same exact APIs and control plane you use in the AWS cloud, but on-premises. You will be able to run Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) on Outposts. At launch or in the months after, we plan to add services like RDS, ECS, EKS, SageMaker, EMR.

Not a word has been published since the announcement on how this is going to work from the perspective of the “AWS variant” of Outposts.

I even went as far as asking Jeff Barr what the story is here. The funny thing is - I actually met him at Starbucks about 15 minutes after I posted the tweet.

His answer (if my memory serves me correctly) was..

“The team had not yet had the opportunity to go into detail into the new offering, and would be publishing more details about it”

To me Outposts - is the biggest announcement of the whole of re:Invent - if played correctly - it will remove any and all competition that is hoping to provide a Hybrid cloud story - one that enterprises can understand.

You want AWS - you can have it - in the cloud - and also on prem - the same exact experience - this is something that customers have been asking for years for AWS to provide (and also something that AWS have consistently been completely against - because everything and anything should run in AWS - there is no need for on-prem… - until now :) )

And mark my words, once you have an Outpost in almost every single datacenter - the need for Edge locations in each and every country - will be no more...

I guess we will have to wait for the aftermath to die down - and wait to see exactly how this is going to work….

And now some of my personal thoughts about this whole topic.

There are a lot of moving parts that AWS will now have to go into - especially regarding the logistics of providing the end service to the customer.

If you remember, there was once another product that provided you with a similar service - yep, I am talking about the Vblock - a joint venture from VMware, Cisco and EMC, which went the way of the dodo. The partnership fell apart for a number of reasons.

Customers loved the solution!! You had a single number to call - for anything and everything related to the deployment. Disk died? Called the support number. Network not working? Call the support number.  vSphere doing some crazy shit? Call the same support number. One neck to throttle, and customers loved it.

And now you have Amazon selling you hardware - or should I rather say leasing you the hardware. You will not own it - you will pay as you go. I assume that there will be a commitment of some kind - and you will not be able to order by the hour - the logistics on a per-hour basis would be too complicated.

But speaking of logistics - if there is a company that can commit to a 4-hour delivery time on a failed piece of hardware - it is Amazon - with their global presence. They have the logistical capability to ensure delivery of practically anything in their inventory to anywhere in the world - in the shortest amount of time.

But there are still many unknowns... here are a few that come to mind:

  • Will this come with a networking component? I assume it will - what will that network component be? Software? Hardware?
  • By providing you (the customer) with the same experience and AWS hardware - are they risking details of how AWS works internally getting out? I assume that this will be covered in the TOS and NDA that you sign as part of the upcoming service.
  • I assume there will be redundant network connectivity requirements in order for this to work - I will also go out on a limb and say that a Direct Connect link will be a requirement as well. This means that it will only be suitable for a certain segment of AWS's customers. Perhaps redundant VPNs might be suitable as well.
  • What happens if/when the AWS endpoints are not available? How, if at all, can the instances and the workloads on the Outpost be managed?
  • How self-service will the offering be? I assume it will only be a node-by-node expansion - or per 1/4 rack. You will not be able to add more disks on your own, more RAM on your own etc. This makes sense.

In short - since this was announced at re:Invent 10 days ago - and that AWS have already stated this will not be available before H2 2019 - I do not expect that we will see anything before October/November 2019 (but that is just my hunch).

At the moment - there is a lot more to this announcement than meets the eye....


My overall impression of re:Invent 2018 #reInvent #aws

I am now on a plane on my way back home, on a really long flight from SFO to TLV (13.5 hours) so now is a good time to re-cap and reflect on what happened last week at re:Invent.
I think that this will be a set of posts - because there are a number of topics that I would like to address - and some of them deserve their own dedicated insight.

The first and foremost post I would like to go into - is the overall impression of the conference.


AWS made a significant number of changes as compared to last year's event. And overall - I found the event to be amazing!!

If you ask me - last year’s event was not user friendly, for a number of reasons.

  • Each track was located in a single venue. That meant switching between topics meant switching venues, which was not really possible.
  • Transport - the shuttles had a route - along a number of the venues. The shuttles took a great deal of time.
  • Lines for the sessions were bad - they were really bad - people were lining up for hours before, without any real indication of whether they were going to get into a session.
  • The mobile app - was pretty much useless - and was not at all helpful.
  • There were not enough repeat sessions, and overflow sessions were also scarce.

This year AWS fixed all of the above.

  • Tracks were not restricted to a single venue. ML, serverless, storage and networking were each available in multiple venues, which meant you did not need to bounce around between the venues.
  • The shuttles were point to point. No more round trips. This was brilliant for saving time - but on the other hand - there were a number of times where there were only 3-5 people on a shuttle. Not really an efficient way to spend money - it was kind of not elastic in any way - and not well utilized from a cost perspective.
  • The mobile app - was much better, still slow as hell - but there was more functionality. Such as when sessions would be repeated, which sessions had open seats right now, and how much time it would take to get from one venue to the other - in real time.
  • There were many more overflows… The number of repeats was by and large more than we had last year - which meant you had an option to choose..

The lines this year for sessions - were better - much, much better!! No more lines of 500 people wrapping round the whole of the Venetian to get into a session. No more disgruntled attendees - who were not able to get into a session after having waited for an hour in line.

Lines for buses were much shorter - no more “routes” - but point to point - which was very well managed and funneled throughout the event.

You were not allowed to line up for a session more than an hour in advance. Now this solved most of the long line problems, but was not always enforced (take the DeepRacer sessions for example)

For me the overall impression was amazing. I think that I was only turned away from a single session throughout the whole event - and that was a builder session - which I was not registered for. I managed to get into any session I wanted, not only frontal sessions, but workshops as well.

AWS pride themselves on being fanatical about their customers, they listen to what their customers want, they listen to their feedback and they want to make things better, they want to solve our problems. The feedback that I heard from attendees last year was that - in plain words - it was a train wreck - because of all the reasons above.

If you ask me - they addressed all of the feedback points, and fixed almost all of them.

And for that I take my hat off to the event team - and say Bravo, that is a job well done.

Next posts will go into some more details about the announcements and some of the sessions.