[HN Gopher] AWS to begin charging for public IPv4 addresses
___________________________________________________________________
AWS to begin charging for public IPv4 addresses
Author : realshadow
Score : 150 points
Date : 2023-08-03 18:31 UTC (4 hours ago)
(HTM) web link (www.infoq.com)
| cferry wrote:
| The only barrier for me to go IPv6-only is those VPS that are
| provided with a _single_ /128 IPv6, and I do not know of a
| service that would offer IPv6 tunneling other than HE, that
| requires an IPv4 endpoint. The day I get a full /48 or /64 with
| my VPSes, I'm ready to drop IPv4.
| kccqzy wrote:
| Amazon gives you more than a single /128. So your complaint is
| irrelevant if you actually use AWS.
| devit wrote:
| Do they offer shared IPv4 addresses with routing by HTTPS SNI?
| Hikikomori wrote:
| On ELB yes.
| JoshTriplett wrote:
| ELB is a substantial cost itself, though.
| eastbound wrote:
| And not very good, together with the auto scaling groups,
| it performs the record act of not being able to do an
| instance refresh without downtime. We've put countless
| hours into that, seems like a simple problem, forums say
| it's not solved.
| dilyevsky wrote:
| Could you point to relevant thread please?
| Hikikomori wrote:
| With a single instance? Could also do blue green instead.
| zomglings wrote:
| This is not true.
|
| You have to define health checks on your instances that
| reflect the availability of all services they host.
|
| And you have to allow there to be more instances than
| your target number in each autoscaling group.
| anderspitman wrote:
| Hot take. IPv6 adoption is never going to hit 100% because SNI
| routing covers most of the cases people actually need. If UDP
| functionality is necessary QUIC will be used. I wish this wasn't
| the case. It would be nice if the software was good enough that
| more people were enabled to self host.
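Added example (not from the thread, and not AWS or ELB code) of the routing step devit asked about and anderspitman describes: a front-end holding one shared public IPv4 reads the cleartext ClientHello, pulls the server_name extension, and picks a backend by hostname without decrypting anything. `build_client_hello` constructs the sample input; the `routes` table and its backend addresses are hypothetical.

```python
import struct
from typing import Dict, Optional


class _Cursor:
    """Bounds-checked reader over a byte string; raises ValueError on truncation."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated")
        b = self.buf[self.pos:self.pos + n]
        self.pos += n
        return b

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def done(self) -> bool:
        return self.pos >= len(self.buf)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None.

    Only the cleartext handshake framing is parsed; nothing is decrypted,
    which is why one shared public IPv4 can front many hostnames.
    """
    try:
        rec = _Cursor(record)
        if rec.u8() != 0x16:            # content type: handshake
            return None
        rec.take(2)                      # record-layer version, not needed
        hs = _Cursor(rec.take(rec.u16()))
        if hs.u8() != 0x01:              # handshake type: ClientHello
            return None
        body = _Cursor(hs.take(hs.u24()))
        body.take(2 + 32)                # client_version + random
        body.take(body.u8())             # legacy_session_id
        body.take(body.u16())            # cipher_suites
        body.take(body.u8())             # compression_methods
        if body.done():
            return None                  # no extensions block at all
        exts = _Cursor(body.take(body.u16()))
        while not exts.done():
            ext_type = exts.u16()
            ext = _Cursor(exts.take(exts.u16()))
            if ext_type != 0x0000:       # 0 = server_name
                continue
            names = _Cursor(ext.take(ext.u16()))
            while not names.done():
                name_type = names.u8()
                name = names.take(names.u16())
                if name_type == 0:       # host_name
                    return name.decode("ascii").lower().rstrip(".")
            return None
        return None
    except (ValueError, UnicodeDecodeError):
        return None


def choose_backend(record: bytes, routes: Dict[str, str],
                   default: Optional[str] = None) -> Optional[str]:
    """Map the first bytes of a client connection to a backend address.

    `routes` is hostname -> backend (hypothetical). Missing or unknown SNI
    falls through to `default`; None there means "close the socket", the
    safe choice on a shared address where a stray connection must not be
    handed to an arbitrary tenant.
    """
    name = extract_sni(record)
    if name is None:
        return default
    return routes.get(name, default)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record (sample input for testing only)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)            # client_version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A real ClientHello can span several TLS records or TCP segments; the parser returns None on a short buffer so the caller keeps reading instead of routing on a partial name. Matching is exact on the lowercased hostname; wildcards or a default tenant are a policy decision, and closing connections that carry no recognised SNI is the conservative one.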
| NoZebra120vClip wrote:
| Which has been a more significant driver of address-space
| exhaustion: web servers, or consumer/corporate client devices?
| kccqzy wrote:
| Not a hot take at all. We don't need 100% IPv6 adoption because
| we can't control what people do in their private networks. If a
| load balancer supports IPv6 that's good enough, even if the
| load balancer talks to the backend over IPv4.
| supertrope wrote:
| In practice the Internet does not deliver IP packets. Only UDP
| or TCP is universally supported. Some firewalls, security
| appliances, filters, and proxies limit end to end connectivity
| to just TCP 443. Everything over IP has turned into everything
| over HTTP.
| grobbyy wrote:
| This is a hidden price hike. It would be more reasonable if there
| was a corresponding decrease in server costs.
| barryrandall wrote:
| The move may seem unreasonable, but it seems more unreasonable
| to expect anything different from the oligarchy.
| marcus0x62 wrote:
| Their costs for delivering one service are increasing so they
| should lower their prices on another?
| ribosometronome wrote:
| If they're separating out functionality from that service and
| charging for it, sure. Customers who don't pay extra are
| getting less service than they used to for the same money
| they used to pay.
| ketralnis wrote:
| > Customers who don't pay extra are getting less service
| than they used to for the same money they used to pay
|
| Sure, yeah. That's how price increases work. Nobody's
| arguing that it's not a price increase. But if your
| delivered pizza's costs are fuel+ingredients and the price
| of fuel goes up, well, the whole price goes up or you have
| to give on the amount of pizza. The price of the
| ingredients didn't go down, so yeah you're just going to
| have to pay more or get less pizza. Sorry.
|
| You can quibble on the pizzeria's margin I guess: AWS could
| just eat the increased price themselves, and probably have
| been until now. But apparently they don't want to so
| they're raising the price to compensate in frankly the most
| reasonable way possible. AWS has insane pricing for many of
| its services, especially bandwidth, but this isn't one of
| them.
| whalesalad wrote:
| IPv4 is a finite resource. This is a forcing function to ensure
| that people who actually need IPv4 addresses are using them.
| Gotta pay to play.
|
| I guarantee there are a ton of unused IPs just sitting on
| accounts doing absolutely nothing.
| mark242 wrote:
| Addresses were already being charged if they weren't attached
| to an interface. Increase that charge if you're looking to
| churn unused IP addresses.
| jeremyjh wrote:
| That would not catch every public IP address that is
| actually unused, because it can be attached to an interface
| and yet not be needed or actually used by any client. But I
| don't agree with GP that this is an important reason for
| the price increase. They are increasing prices simply
| because costs have increased.
| mark242 wrote:
| Anything that an IP address can be attached to is already
| accumulating a charge, just by existing and running. EC2,
| NAT gateway, ELB, etc. What's "actually unused" then?
| Minimum amount of traffic? I don't think it's in Amazon's
| purview to make those judgement calls.
| jeremyjh wrote:
| What I meant by unused is that there might not be a
| client that ever connects to that IP address, so the
| public IP address itself might not be used even if it's
| attached to a resource.
|
| > I don't think it's in Amazon's purview to make those
| judgement calls.
|
| I already said I don't agree with GP that this is a
| motive for Amazon.
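Added example, not code from the page or from AWS, for the "attached but unused" distinction discussed above: a small inventory that buckets every public IPv4 in an account from the JSON that `aws ec2 describe-addresses` and `aws ec2 describe-network-interfaces` print. Both JSON samples are constructed; the field names are those of the EC2 API as the CLI emits them, and the assumption that auto-assigned addresses appear as an ENI association with IpOwnerId "amazon" and no AllocationId is noted in the comments.

```python
import json
from typing import Dict, List

# Constructed sample of `aws ec2 describe-addresses --output json`: one idle
# Elastic IP and one bound to an ENI. IDs and addresses are made up.
ADDRESSES_JSON = """
{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a1", "Domain": "vpc"},
  {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0a2", "Domain": "vpc",
   "AssociationId": "eipassoc-0b2", "NetworkInterfaceId": "eni-0c2",
   "InstanceId": "i-0d2"}
]}
"""

# Constructed sample of `aws ec2 describe-network-interfaces --output json`.
# eni-0c2 carries the EIP above; eni-0c3 has an auto-assigned public IP
# (assumed shape: IpOwnerId "amazon", no AllocationId); eni-0c4 is private only.
ENIS_JSON = """
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0c2", "Attachment": {"InstanceId": "i-0d2"},
   "Association": {"PublicIp": "203.0.113.11", "IpOwnerId": "123456789012",
                   "AllocationId": "eipalloc-0a2"}},
  {"NetworkInterfaceId": "eni-0c3", "Attachment": {"InstanceId": "i-0d3"},
   "Association": {"PublicIp": "203.0.113.12", "IpOwnerId": "amazon"}},
  {"NetworkInterfaceId": "eni-0c4", "Attachment": {"InstanceId": "i-0d4"}}
]}
"""


def inventory_public_ipv4(addresses: dict, enis: dict) -> Dict[str, List[str]]:
    """Bucket every public IPv4 the account holds by how it is attached.

    idle_eip       allocated but not associated: nothing can receive traffic
                   on it, so it can be released today
    eip_on_eni     associated with an interface; whether any client actually
                   uses it is a flow-log question this inventory cannot answer
    auto_assigned  public IP handed out at launch; it is not an EIP, never
                   shows up in describe-addresses, and is easy to overlook
    """
    out: Dict[str, List[str]] = {"idle_eip": [], "eip_on_eni": [], "auto_assigned": []}
    for a in addresses.get("Addresses", []):
        bucket = "eip_on_eni" if a.get("AssociationId") else "idle_eip"
        out[bucket].append(a["PublicIp"])
    for eni in enis.get("NetworkInterfaces", []):
        assoc = eni.get("Association") or {}
        if assoc.get("PublicIp") and not assoc.get("AllocationId"):
            out["auto_assigned"].append(assoc["PublicIp"])
    return out


def inventory_from_json(addresses_json: str, enis_json: str) -> Dict[str, List[str]]:
    return inventory_public_ipv4(json.loads(addresses_json), json.loads(enis_json))


def total_public_ipv4(inv: Dict[str, List[str]]) -> int:
    """Every address in every bucket is one public IPv4 the new charge counts."""
    return sum(len(v) for v in inv.values())


if __name__ == "__main__":
    inv = inventory_from_json(ADDRESSES_JSON, ENIS_JSON)
    for bucket, ips in inv.items():
        print(f"{bucket:14s} {len(ips):3d}  {', '.join(ips)}")
    print("total public IPv4:", total_public_ipv4(inv))
```

Idle EIPs are the easy wins. Auto-assigned addresses are the ones that hide: an instance launched into a subnet with auto-assign enabled gets one by default, and it is billed the same as an EIP. Whether an associated address ever receives client traffic is a VPC Flow Logs question and out of scope here.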
| ketralnis wrote:
| I don't think either of those is true?
|
| It's not hidden, they put it right up on their blog
| https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address...
| the opening line of which is "We are introducing a new charge
| for public IPv4 addresses" and when it starts and what the cost
| is. I assume like every other AWS charge it's broken out in
| great detail on their billing statements and even have APIs to
| query costs. Usually they send an email with these changes too
| so if they haven't I assume they will. It's a regular old price
| hike but it's not a hidden one.
|
| Secondly since "the cost to acquire a single public IPv4
| address has risen more than 300% over the past 5 years",
| there's no accompanying decrease in server costs that would be
| "reasonable" to account for this. Charging for the IP itself
| makes total sense since that's the cost they're accounting for.
| If it were packed into the instance costs, then instances
| without a public IP would be paying for it too. This
| incentivises you to do exactly what they want you to do: use
| fewer public IPs where you don't need them. This is way more
| reasonable than an across-the-board instance cost bump which
| _would_ be a hidden price hike. This is a bridge toll that
| covers the cost of the bridge by its users instead of raising
| taxes on everyone.
|
| I guess you're wanting to pay the same and just distribute the
| cost between the IP and the instance differently? And hey me
| too, I love not being charged more. But they want to account
| for their costs without eating into their margin and this is
| how they're going about it. You don't have to _like_ it; I sure
| don't. You can wish AWS would just keep eating the cost for
| you; me too! But I don't think "hidden" or "unreasonable" is
| accurate.
| ChrisArchitect wrote:
| [dupe]
| londons_explore wrote:
| As long as IPv6 remains free, and there is some kind of ipv4
| accessible proxy for web stuff for free, I'm happy.
| mnutt wrote:
| I don't see where the latter is the case? For that I believe
| regular NAT gateway bandwidth charges apply?
| blibble wrote:
| the ipv6 support is sporadic and not in all regions
|
| https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-su...
|
| why are these large hosting companies so incompetent?
| psanford wrote:
| aws is many things but 'incompetent' is not one of them.
| blibble wrote:
| explain that page any other way
| est31 wrote:
| AWS has spent billions (with a b) on ipv4 addresses:
| https://news.ycombinator.com/item?id=36991477
|
| This investment wasn't just of a strategic nature: they
| have enough market power to hold back the move towards
| ipv6.
| blibble wrote:
| how does reducing your competitiveness in the ipv4 market
| (what they've done today) hurt ipv6?
|
| it will have the exact opposite effect
| Beached wrote:
| because they don't have to be. when you own 20% of the entire
| Internet, you can just do whatever you want, very few can
| compete
| ArchOversight wrote:
| > ipv4 accessible proxy for web stuff for free
|
| Not within AWS.
| wongarsu wrote:
| This finally puts real pressure on software and services to work
| on IPv6 only. I wouldn't be surprised if within 1-2 release
| cycles lots of distributions suddenly update just fine with just
| IPv6, package managers can download packages over IPv6, lots of
| APIs gain solid and well-tested IPv6 support, etc.
| NoZebra120vClip wrote:
| TIL that my Chromebook connects to the Internet with a 6to4
| address rather than the real /64 that my ISP assigns.
| [deleted]
| p1mrx wrote:
| This seems unlikely, as 6to4 was deprecated in 2015:
| https://datatracker.ietf.org/doc/html/rfc7526
| NoZebra120vClip wrote:
| I couldn't believe it either, but using Chrome on ChromeOS
| 114, updated yesterday, all the public sites report that I
| am connecting from 2002::/16
| p1mrx wrote:
| Interesting. It's only possible to terminate 2002::/16
| using a public IPv4 address, so if you're behind a NAT
| router, then the router itself must be running 6to4.
| NoZebra120vClip wrote:
| Aha! Thanks for the hint: I recently had to reconfigure
| my router from factory settings. The IPv6 configuration,
| sure enough, was kicked into 6to4 mode. I set it to "Auto
| Config" and now I've got end-to-end IPv6 connectivity
| with, look Ma, no NAT!
|
| Thank you, p1mrx!
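Added example (mine, not from the thread) of the check p1mrx's hint implies: decode a 6to4 address into the IPv4 it embeds and flag the case where that IPv4 is private or CGNAT space, which means the router built its 2002::/16 prefix from a WAN address behind another NAT and return traffic from the relay cannot reach it. The addresses in the test are documentation ranges; the list of non-routable ranges is spelled out rather than relying on the standard library's notion of "private".

```python
import ipaddress
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges a 6to4 relay cannot route back to: RFC 1918 space, CGNAT space
# (RFC 6598), loopback and link-local. A router whose WAN address is in one
# of these is itself behind someone else's NAT.
NON_ROUTABLE_V4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if not 2002::/16."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """The /48 a host with public IPv4 `v4` would use under 6to4 (RFC 3056)."""
    packed = b"\x20\x02" + ipaddress.IPv4Address(v4).packed + bytes(10)
    return ipaddress.IPv6Network((packed, 48))


def diagnose(addr: str) -> str:
    """Interpret the address a public 'what is my IP' page reports for you."""
    v4 = embedded_ipv4(addr)
    if v4 is None:
        return "not-6to4"
    if any(v4 in net for net in NON_ROUTABLE_V4):
        # The relay's return packets are addressed to an IPv4 endpoint that
        # is not reachable from the Internet: the tunnel cannot work.
        return f"6to4-unroutable:{v4}"
    return f"6to4:{v4}"
```

Seeing 2002::/16 at all in 2023 is the signal that a router fell back to 6to4; the embedded IPv4 tells you which device did it, and an unroutable one explains connections that half-work.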
| Macha wrote:
| As a business... $40/year/server is nothing.
|
| As an individual/hobbyist, it's a much bigger disincentive.
|
| For students and the like, it might actually be prohibitive.
|
| The problem is it's really the first group that needs to drive
| the remaining IPv6 adoption by replacing their middleware boxes
| etc. and they're the group who are unlikely to care at this
| price.
| kccqzy wrote:
| Apple has been demanding apps support IPv6 only for years now.
| They reject your app if it fails under NAT64. The end user side
| is mostly a solved problem.
| ketralnis wrote:
| For iOS maybe. Most of those applications are also using
| Apple's networking libraries and are effectively required to
| be on Apple's infinite software update treadmill to continue
| to be listed, keeping them young and hip in perpetuity. This
| is the upside to that treadmill, things are up to date or
| just stop working.
|
| But I don't think that's representative. "Or just stop
| working" isn't a valid alternative to the rest of the world.
| Outside of mobile ecosystems and maybe web development most
| things aren't on these 6 to 12 month update cycles. It would
| be absolutely unreasonable to tell a hospital that every
| piece of hardware and software and MRI machine in their
| building has to be upgraded every 2 years or it's positively
| geriatric and do you even `pacman -Syyu` bro?
|
| There's a whole world of things that haven't been, and may
| never be, transitioned. Useful things like utility control
| computers and even people's 10 year old, still perfectly
| functional and supported desktops. Heck, my "end user" newly-
| installed fibre ISP doesn't support IPv6! And their previous
| DSL installation to the same address did! So much for "solved
| problem" :(
| kccqzy wrote:
| A hospital's MRI machine doesn't need an internet
| connection. IPv4 only intranets are fine and we are never
| going to get rid of them.
|
| But anything that connects to the internet needs to be
| updated regularly, if only for security and vulnerability
| reasons. If you have a 10-year-old functional and supported
| desktop, it most likely supports being IPv6 only just fine.
| The typical 10-year-old desktop came from the factory with
| Windows 8 and could be upgraded to Windows 10 (since it's
| supported). It even gets relatively new features such as
| IPv6 RDNSS allowing DHCP-less deployments.
| p_l wrote:
| Windows networking became v6-first in Vista, over a
| decade ago.
| candiddevmike wrote:
| Businesses and organizations are holding IPv6 back, not
| consumers. No one I talk to is prioritizing IPv6 migrations or
| spending money to upgrade gear that will support it. Maybe some
| net new stuff might get it, but for most businesses IPv4 is and
| will be the default, simply because they can't be bothered to
| do something different.
| jiggawatts wrote:
| It's worse than that: new software and hardware is being
| developed or rolled out right now that is incapable of
| working on an IPv6 network. Not just unable to use it, but
| actively incompatible -- failing to run if _other_ devices
| use IPv6!
|
| This was an issue with Azure's PostgreSQL service, which
| would fail if you deployed other unrelated IPv6 services in
| the same virtual network.
|
| We need a guild of software engineering so that the people
| responsible for this can be summarily ejected from it.
| 0cf8612b2e1e wrote:
| Serious question, is there any enterprise gear made today
| which does not support IPv6? I have assumed that the natural
| hardware upgrade cycles made it so 99% of all active
| equipment could support the technology, even if it was not
| configured to do so.
| candiddevmike wrote:
| That door alarm thing that has a Windows XP workstation VM
| the facilities team touches once a month probably doesn't
| support IPv6.
|
| Repeat that scenario across multiple BUs and multiple
| locations and no leader wants to commit to doing that kind
| of due diligence. What's wrong with our current IP?
| jandrese wrote:
| Man in the middle certificate re-signing deep packet
| inspection firewalls are notorious for not supporting IPv6.
| Most everything else has switched, but many network admins
| fear IPv6 and don't want to have to learn something new.
| Aeolun wrote:
| Hmm, I use IPv4 mostly because nobody in their right mind can
| remember an IPv6 address...
| post-it wrote:
| Who's out there remembering IPv4 addresses?
| brickteacup wrote:
| If only there were some sort of a system for translating
| human readable names to network addresses...
| mgaunard wrote:
| Anything in the cloud is 10 times the price it's worth.
|
| It's essentially a tax on the people gullible enough to believe
| in cloud tech or unable to set up real hardware.
| anonymous344 wrote:
| inflation is wild. dollar is predicted to crash any time. So now
| all the big companies are just taking what they can. I've seen
| everywhere 40% increases to prices, without any notification to
| the customer, for example Misshosting and many others
| sacnoradhq wrote:
| Inflation has been aberrant over the past 3 years in some
| areas, i.e., food, from profit-price spirals but there is not
| widespread hyperinflation.
|
| No one reputable is predicting the USD will crash imminently.
|
| US T-bills lost a notch of rating due to long-term declining
| governance tied to the cozy relationship and revolving door
| between Wall St. and federal regulators. This is a form of
| corruption that undermines the economy and strategic power.
| dragonwriter wrote:
| > dollar is predicted to crash any time.
|
| Clever use of passive voice but predicted _by whom_?
| netcraft wrote:
| I personally don't think $45 per year is going to change habits
| that much, especially for larger customers who have a lot of
| public IPs.
| lokar wrote:
| Already a lot of discussion about this at my job. It's a lot of
| $ at scale. We will put a bunch of work in to avoid the fee.
| rblatz wrote:
| At $45 a year per IP address you'd have to spend less than a
| man hour per address to even conceivably approach break even.
|
| And I normally would be worried if my company was focusing on
| break even initiatives instead of higher impact ones.
| wongarsu wrote:
| But if you have 100 backend servers that mostly communicate
| on the internal network/VPC and need their IPv4 mostly for
| updates, it seems easy to justify standing up a proxy and
| reconfiguring your template. At least if your engineers
| aren't in Silicon Valley and thus don't cost you $400/h.
| toast0 wrote:
| Depends how many IPs you're using. If you're using 10, who
| cares; if you're using 100, I dunno. If it's 1,000 or more,
| that's real money you probably shouldn't be pissing away.
| (OTOH, a lot of cloud spend is pissing away money, so
| what's another $45k/year)
| lokar wrote:
| And at 100,000+ it's worth real engineering
| Beached wrote:
| you don't have to break even on implementation. you will
| get billed every single year, so if you can have two dudes
| solve this in 3 months, you can break even in 3 years and
| every year after that you saved money
| mrweasel wrote:
| Some companies have been allocating a bunch of pointless IPv4
| addresses and I think that's why AWS is doing this. A friend
| of mine has reduced the number of IPv4 addresses his
| employer uses by 80% (100+ IPs) in less than a week. That's a
| huge saving, but those IPs should never have been allocated
| to begin with.
| foobarian wrote:
| Huh, speaking of lots of public IPs, most of MIT's old class A
| is now owned by Amazon :-(
|
| NetRange: 18.32.0.0 - 18.255.255.255
| Analemma_ wrote:
| Why :-( ? There's no way MIT was using more than a tiny
| fraction of that /8; now it's actually being put to real use,
| and MIT probably got some money out of it. Everybody wins.
| amluto wrote:
| MIT _was_ using it. Not efficiently, but MIT sold addresses
| that were in use at the time due to what appeared to be IT
| ineptitude.
|
| It was also shortsighted. It was a massive resource, MIT
| presumably sold it for under $200M (I assume far under),
| and now AWS plans to rent the addresses at a rate that will
| be around $600M _per year_ if they manage to rent them all.
| wmf wrote:
| The market is working :-)
| kiririn wrote:
| Hobby customers can buy an entire VPS, complete with IPv4 to
| tunnel through, for 1/4 that
| [deleted]
| Operyl wrote:
| Hobby customers aren't using AWS, by and large. And it's only
| a matter of time before we see more and more costs for IPv4
| down in these tiers as well.
| preommr wrote:
| Counterpoint: My hobby projects all use AWS because that's
| what I am familiar with, and they have the cheapest prices.
| I also reuse a lot of resources like a database to further
| save costs.
| Aeolun wrote:
| AWS have many things, but they most definitely do not
| have the cheapest prices. Unless you are pricing in
| convenience.
| pnpnp wrote:
| Totally disagree! :)
|
| My monthly costs are minuscule with a reserved t4g
| instance, Lambda, S3 and Cloudfront as my primary usage.
|
| Honestly, it beats out the "budget" VPS providers I was
| previously using, and is a heck of a lot more
| powerful/reliable.
| Operyl wrote:
| I knew I'd get the counterpoints here on HN, but I'd
| argue we're probably the exception here. AWS can be
| really cheap, but it is easy for things to go wrong.
| Bandwidth, commonly unmetered at places like OVH or
| Hetzner, can cost a fortune at AWS if you get attacked.
| And while AWS will refund you once or twice, after that
| you're either left scared or on the hook eventually.
| pnpnp wrote:
| Absolutely! It just happens to be a good fit for me :)
|
| I use very little bandwidth and processing with the vast
| majority of my projects. In the event that I do need heavy
| lifting for a couple hours, it still tends to be a pretty
| minimal cost.
|
| Now for sustained heavy loads/bandwidth... I definitely
| would look elsewhere for hobby projects.
|
| Edit: and I agree with your point about attacks. I have
| pretty aggressive monitoring set up around billing.
| voytec wrote:
| > Hobby customers aren't using AWS
|
| AWS has the easy to use Lightsail[1] VPS offer with
| cheapest product at $3.5/mo but they'll likely increase
| these prices as well, since there's an IPv4 address
| included.
|
| [1] https://aws.amazon.com/lightsail/pricing/
| rusl1 wrote:
| I've got a 2GB ram 2 CPU for the same price on IONOS
| znpy wrote:
| Hobby providers most often are already charging for ipv4
| addresses.
| GabeIsko wrote:
| They want people to use EIP right? Is this really a problem for
| anything other than a device that cannot perform DNS lookups?
| decasia wrote:
| So I have a tiny personal website hosted on ec2. Right now the
| DNS points to the server's public IPv4 address. But I don't
| really want to pay $40+/year for an IPv4 for my personal project.
|
| Does anyone have experience switching a small personal site to
| IPv6 only in 2023?
|
| I'm guessing the vast majority of my (North American/European-
| based) friends and visitors can probably connect just fine to an
| IPv6 address. I wish I knew what percentage it is.
|
| I guess I could add an AAAA record and check what percentage of
| traffic actually uses it.
| avereveard wrote:
| How about removing the public IP and receiving connection from
| cloudfront? Or have it hosted in apprunner. Then you cname your
| domain to the services' domain, and skip the cost.
| decasia wrote:
| Yep I think that's plan B, thanks.
| capableweb wrote:
| According to Google
| (https://www.google.com/intl/en/ipv6/statistics.html), 60% of
| world-wide users wouldn't be able to visit your website.
|
| In the US, it would be about ~50% of users, while in Europe
| it's ranging from 30% (France) to 98% (Spain) who wouldn't be
| able to visit the website.
|
| But yeah, I'd do what you say in the bottom of your comment.
| Add AAAA records and then see how many people use ipv6
| compared to ipv4 and then decide.
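Added example (not from the thread) for the measurement decasia and capableweb describe: with an AAAA record published beside the A record, count distinct clients per address family in the access log. The log lines are constructed in the nginx/Apache combined format; 6to4 and Teredo clients are split out because, as the 2002::/16 sub-thread above shows, they are transition mechanisms rather than native IPv6 and can vanish when a router is reconfigured.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample lines in combined log format, as they might look the
# day after an AAAA record went live next to the existing A record.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Aug/2023:18:40:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:1::a - - [03/Aug/2023:18:40:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:1::a - - [03/Aug/2023:18:40:03 +0000] "GET /style.css HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Aug/2023:18:41:10 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.1.2"
2002:c633:640a::1 - - [03/Aug/2023:18:42:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
::ffff:192.0.2.5 - - [03/Aug/2023:18:43:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is corrupt and must be skipped, not counted
"""

LINE_RE = re.compile(r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def classify(addr_text: str) -> Optional[str]:
    """Address family of a client, with transition mechanisms split out."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if addr.version == 4 or addr.ipv4_mapped is not None:
        return "ipv4"            # ::ffff:a.b.c.d is a v4 client on a dual-stack socket
    if addr in ipaddress.IPv6Network("2002::/16"):
        return "ipv6-6to4"       # reaches you, but via a public relay (deprecated)
    if addr in ipaddress.IPv6Network("2001::/32"):
        return "ipv6-teredo"     # NAT-traversal tunnel, also deprecated
    return "ipv6"


def ipv6_share(log_text: str) -> Tuple[Dict[str, int], float]:
    """Per-client (not per-request) breakdown and the fraction that came over v6.

    Counting distinct addresses stops one chatty browser or crawler from
    dominating. Clients still arriving over IPv4 once the AAAA is live are
    roughly the audience an IPv6-only server would turn away.
    """
    clients: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fam = classify(m.group("addr"))
        if fam is not None:
            clients[m.group("addr")] = fam
    counts = Counter(clients.values())
    total = sum(counts.values())
    v6 = sum(n for fam, n in counts.items() if fam.startswith("ipv6"))
    return dict(counts), (v6 / total if total else 0.0)


if __name__ == "__main__":
    counts, share = ipv6_share(SAMPLE_LOG)
    print(counts, f"{share:.0%} of distinct clients over IPv6")
```

Dual-stack browsers prefer the AAAA as soon as it exists (Happy Eyeballs), which is what makes the IPv4 column after the change meaningful. If the site sits behind a CDN or load balancer, the client address is in a forwarded header rather than the first field, and the regex has to read that instead.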
| KAMSPioneer wrote:
| I understand that Movistar, the largest Spanish ISP, is
| currently deploying IPv6 in beta at the moment. I expect that
| will trickle down to the various resellers of Movistar's
| network shortly after. Hopefully that will get that 98% down
| in the near future. :(
| decasia wrote:
| Sigh, so basically it's impossible to switch without
| shredding an already tiny audience. I'm sure it won't be a
| nice UX either to have a "can't connect to this IP" error in
| someone's browser.
|
| IPv6 has been around for so long now, I'm disappointed it
| doesn't have a little bit higher adoption.
| smileybarry wrote:
| And if all else fails, you can put something like
| Cloudflare in front of it to handle IPv4 traffic.
| doublerabbit wrote:
| Which then you're back to paying $40+/year to ensure you
| don't get wiped from their "free" tier when they feel
| like it.
|
| Nothing is free forever.
| amluto wrote:
| > A new blog post shows you how to use Elastic Load Balancers and
| NAT Gateways for ingress and egress traffic, while avoiding the
| use of a public IPv4 address for each instance that you launch.
|
| It would be nice if this came with reasonably priced NAT
| gateways. The current pricing is outrageous.
| brickteacup wrote:
| Not to mention the absurd fact that accessing (IPv4) AWS APIs
| from a private subnet requires paying for either a NAT gateway
| or an interface endpoint (we got bitten by sending a ton of
| Kinesis traffic through a NAT gateway once)
| pnpnp wrote:
| I completely agree. It's odd they would announce charging for
| dedicated IPv4 while not having a free shared egress solution
| (unless I'm misunderstanding).
|
| I would expect them to reduce NAT pricing in the long run, but
| who knows.
| [deleted]
| SteveNuts wrote:
| I'm shocked this isn't a feature of a VPC out of the box
| (shared internet bound traffic). You should only need a NAT
| gateway if you want the traffic to come out of a single set
| of external IPs that you control.
|
| Almost all of my use cases I could easily ride out to the
| internet through a shared pipe (apt updates and such) and
| don't care whatsoever what IP that exits the AWS network
| from, since I'm not applying firewall rules or anything.
| patmcc wrote:
| >>> and don't care whatsoever what IP that exits the AWS
| network from
|
| You'll start to care pretty quickly if it's the same IP as
| a bad actor that's blocked everywhere.
| ishanjain28 wrote:
| So for this, run your apps in public subnets that are
| attached to IGW.
| ransackdev wrote:
| I think that as a business and given the fact they are now
| charging for a previously free service (public IPs), offering
| a now paid service as free would nullify the reasons for
| doing what they are doing. They don't owe anyone anything for
| free.
| inopinatus wrote:
| That doesn't follow, because the reason is that IP
| addresses are scarce.
| hnav wrote:
| You can stand up your own on top of a t3.micro or something if
| you don't care too much about HA (e.g. you just wanna be able
| to hit the internet when SSHed into your instances).
| nodesocket wrote:
| 100% agree, they need to offer steep reserved instance pricing
| for NAT gateways. To deploy 3 NAT gateways (HA one in each
| availability zone) is $99/mo just for the instances.
| whalesalad wrote:
| $40/mo is outrageous? We spend thousands a month on AWS and
| drive most traffic thru a single NAT gateway. It's rock solid
| and it "just works" without any fuss. Totally worth it.
| mgaunard wrote:
| Leasing an IPv4 is $0.40 per month. The $39.60 on top is just
| their margin.
| ishanjain28 wrote:
| Where?
| est31 wrote:
| Exchange prices are still in that region, at least for
| some RIRs: https://www.ipxo.com/market-stats/
| paulddraper wrote:
| For a lot of traffic $40 is not outrageous.
|
| For a little traffic $40 is outrageous.
| Dylan16807 wrote:
| Most users are below 10Mbps average, so yes $480 per year is
| a huge price for a fraction of a percent share of a router
| (plus redundancy).
| ishanjain28 wrote:
| Okay and those users can easily use a much cheaper NAT
| instance instead of managed NAT Gateways.
| cdchn wrote:
| There is where people usually start chiming in about how they
| can run a VPS at Whatever Hosting and Waffles Inc. for $4/mo.
| whalesalad wrote:
| yep, and they should. aws has never really been suited to
| the hobbyist. does it work for that? of course. is it most
| cost effective? absolutely not. is it cost effective for
| people who need the resources? yes.
| Spivak wrote:
| Yes it is which is why Lightsail exists. The whole mantra
| of the cloud is only pay for what you need and scale down
| to zero.
| [deleted]
| otabdeveloper4 wrote:
| > is it cost effective for people who need the resources?
| yes.
|
| There is no possible use case in no possible universe
| where AWS is cost effective.
|
| Renting the same compute resources wholesale will cost
| you 20 times less. (Not a typo.)
| finikytou wrote:
| sure they became a multi billion dollar business by not
| being cost effective
| [deleted]
| dijit wrote:
| They became a multi-billion dollar business by:
|
| A) Promising scale (and delivering to a certain extent)
|
| B) being significantly more convenient than contemporary
| solutions
|
| C) becoming trendy
|
| D) hoodwinking CxOs into the belief that not owning your
| data is better for you, actually. (CapEx vs OpEx)
|
| E) unfathomable amounts of DevRel.
|
| Nobody has _ever_ claimed AWS was cost effective, they
| have said that "it's worth the cost" though.
| dmattia wrote:
| I run a number of personal projects on AWS entirely on
| their serverless offerings and pay $0 outside of domain
| registration as I'm well within their free tiers. That
| seems pretty cost effective.
| AlchemistCamp wrote:
| Yes, and for bandwidth, AWS is closer to 100x overpriced.
| electroly wrote:
| The expensive part of NAT Gateway is the $0.045/GB.
| cj wrote:
| Plus $0.045 per gigabyte of data that passes through it.
|
| AWS has notoriously high egress fees.
| CSSer wrote:
| I ran into a SaaS company recently that had a guide for how
| to setup a white-label domain using route 53 and Cloudfront
| for one of their services. The SaaS company charges for
| service bandwidth usage, and they host their infrastructure
| on AWS, so if you opt to follow their guide they get a fat
| margin bump in the form of avoiding an egress charge and
| you get to be double-charged for bandwidth. You've gotta
| love it.
| dilyevsky wrote:
| It's not just egress in case of NAT - they charge you 4.5c
| per _processed_ GB which means in both directions. This
| trips a lot of people up.
| aednichols wrote:
| NAT is pretty computationally intensive, this is why e.g. ISPs
| & mobile carriers are pushing IPv6 over CGNAT.
| NoZebra120vClip wrote:
| For example, rather than simply routing IP packets and then
| forgetting them, you need to statefully inspect every TCP
| segment and every supposedly connectionless UDP conversation,
| you need to maintain state for every live conversation, and
| you need to mitigate DOS with all those resources.
|
| At that point, you might as well be running a Layer 7
| Firewall or an Intrusion Protection System.
| tptacek wrote:
| UDP is connectionless precisely so you can build novel
| stateful protocols on it. There's no promise in UDP that
| you'll be able to statelessly monitor it.
| debugnik wrote:
| Which is why game networking libraries put a lot of
| emphasis on NAT traversal, forcing NATs to recognise the
| "connection". And why game console manufacturers tell
| users to just forward all incoming traffic unmanaged by
| the NAT to the console.
| colmmacc wrote:
| UDP is actually more expensive to NAT than TCP is. The
| reason is UDP fragmentation, which is my vote for the
| worst, and least forgivable, design error of TCP/IP.
|
| Instead of putting the fragmentation in L4 (like QUIC now
| does) and including a UDP header on every fragmented
| packet in a datagram, UDP only includes the header on the
| first packet. With fragmentation happening, firewalls,
| NATs, and end-hosts have to buffer and coalesce IP
| packets based on IP IDs, before the destination can be
| identified. It's a real nuisance. A lot of CGNAT
| "stateless" implementations can't handle this and you get
| very hard to debug issues when there are fragmentation
| and MTU mismatches.
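Added example (not from the thread) of the fragmentation behaviour colmmacc describes: a sender splits a UDP datagram into IPv4 fragments, only the first of which carries the UDP header, and a middlebox that needs the ports has to buffer fragments keyed by (src, dst, id, proto) until the datagram is whole. Packets are constructed in memory with the IP checksum left zero; nothing is sent anywhere.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte header, no options; checksum left 0 (not for the wire)
MF_FLAG = 0x2000             # "more fragments" bit in the flags/offset field


def _ipv4_header(src: str, dst: str, ident: int, more: bool,
                 offset: int, total_len: int) -> bytes:
    frag_field = (MF_FLAG if more else 0) | (offset // 8)
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, frag_field, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def fragment_udp(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 mtu: int, ident: int) -> List[bytes]:
    """Split one UDP datagram into IPv4 fragments the way a sending host does.

    The 8-byte UDP header lands only in the offset-0 fragment; every later
    fragment is opaque payload with no port numbers in it.
    """
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    chunk = (mtu - 20) // 8 * 8          # offsets are counted in 8-byte units
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frags.append(_ipv4_header(src, dst, ident, more, off, 20 + len(piece)) + piece)
    return frags


def _parse(pkt: bytes):
    ver_ihl, _, total_len, ident, frag_field, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return ident, proto, src, dst, bool(frag_field & MF_FLAG), (frag_field & 0x1FFF) * 8, pkt[ihl:total_len]


def ports_of(pkt: bytes) -> Optional[Tuple[int, int]]:
    """What a stateless per-packet NAT or filter sees: ports only in the first fragment."""
    _, _, _, _, _, offset, l4 = _parse(pkt)
    if offset != 0 or len(l4) < 4:
        return None
    return struct.unpack("!HH", l4[:4])


class Reassembler:
    """Buffers fragments keyed by (src, dst, id, proto) until the datagram is whole.

    This is the state a NAT must keep to learn the destination port of a
    fragmented datagram. Pending entries are never aged out here, which
    keeps the model short but is exactly what a fragment flood exhausts.
    """

    def __init__(self) -> None:
        self.pending: Dict[Tuple[bytes, bytes, int, int], Dict] = {}

    def push(self, pkt: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
        ident, proto, src, dst, more, offset, data = _parse(pkt)
        if not more and offset == 0:
            return self._decode(src, dst, data)   # unfragmented: no state needed
        key = (src, dst, ident, proto)
        entry = self.pending.setdefault(key, {"parts": {}, "end": None})
        entry["parts"][offset] = data
        if not more:
            entry["end"] = offset + len(data)
        if entry["end"] is None:
            return None                           # last fragment not seen yet
        pos, buf = 0, b""
        while pos < entry["end"]:
            piece = entry["parts"].get(pos)
            if piece is None:
                return None                       # hole: keep waiting
            buf += piece
            pos += len(piece)
        del self.pending[key]
        return self._decode(src, dst, buf)

    @staticmethod
    def _decode(src: bytes, dst: bytes, udp: bytes) -> Tuple[str, str, int, int, bytes]:
        sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
        return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                sport, dport, udp[8:ulen])
```

`ports_of` is the stateless view: ports for the first fragment, nothing for the rest, so a per-packet NAT cannot translate the later ones on their own. A production reassembler bounds the number of pending datagrams and how long each waits, and fragments that arrive before their first fragment (out of order, as in the test) are the common case that trips implementations up.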
| Bluecobra wrote:
| > At that point, you might as well be running a Layer 7
| Firewall or an Intrusion Protection System.
|
| If you go down this path consider using Transit Gateway so
| you can route multiple VPC traffic to a central security
| VPC in a region. I've done this with a Palo Alto VM and it seems
| to work well.
| amluto wrote:
| AWS NAT gateway is $0.045 per hour plus $0.045 per GB. The
| hourly fee seems mostly okay - for largish users, one or two
| per region is fine.
|
| $0.045 per GB is _nuts_. That's $20.25/hour or $14580/mo for
| 1 Gbps. One can buy a cheap gadget using very little power
| that can NAT 1 Gbps at line rate for maybe $200 (being
| generous). One can buy a perfectly nice low power server that
| can NAT 10Gbps line rate for $1k with some compute to spare.
| One can operate one of these systems, complete with a rack
| and far more power than needed, _plus_ the Internet
| connection, for a lot less money than $14580/mo. (Never mind
| that your $14580 doesn't actually cover the egress fee on
| AWS.)
|
| A company with a couple full time employees could easily
| operate quite a few of these out of any normal datacenter,
| charge AWS-like fees, and make a killing, without breaking a
| sweat. But they wouldn't get many clients because most
| datacenter customers already have a NAT-capable router and
| don't need this service to begin with.
|
| In other words, the OpEx associated with a service like this,
| including the sysadmin time, is simply not in the ballpark of
| what AWS charges.
| ttt3ts wrote:
| Bit confused. Couldn't you just run a Linux VM to do your
| NAT and only pay normal egress?
| deadmutex wrote:
| > just run a Linux VM
|
| + Run extra for failover, HA etc + manage security +
| Monitor performance + ...
| xxpor wrote:
| It's not really computationally expensive, it's memory
| expensive. You need per connection state.
| blibble wrote:
| it already has stateful firewall
|
| so that's: source ip, dest ip, protocol, source port, dest
| port, connection state (say 16 bytes total)
|
| doing NAT too is what, 3 more bytes per connection (8 bits
| for an offset into an IP table and 16 bits for the
| translated port)
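Added example (not code posted by anyone in the thread): a minimal stateful NAPT in Python built on the per-connection record blibble sketches above, to make the memory argument concrete. The connection-tracking record packs the 5-tuple plus a state byte; the NAT record adds a one-byte index into the external-address table and a two-byte translated port, and `struct.calcsize` reports the resulting per-entry size. The translator allocates a mapping on the first outbound packet, reverse-maps replies, promotes the entry to ESTABLISHED on the first reply, and drops inbound packets with no matching state (the stateful-firewall property). External and internal addresses, ports and the 17-byte packed layout are assumptions for illustration; a real implementation also needs timeouts and port-range management.

```python
"""Illustration of the conntrack-vs-NAPT memory argument: a packed
per-connection record and a tiny translator that uses it."""
import ipaddress
import struct

# Connection-tracking record: src ip, dst ip, proto, src port, dst port, state.
CT_FMT = "!4s4sBHHB"                 # 4+4+1+2+2+1 = 14 bytes
# NAPT adds: index into the external-IP table (1 byte) and translated port (2 bytes).
ENTRY_FMT = CT_FMT + "BH"            # 17 bytes per tracked flow

STATE_NEW, STATE_ESTABLISHED = 1, 2


def entry_size():
    """(bytes for plain conntrack, bytes for conntrack + NAPT)."""
    return struct.calcsize(CT_FMT), struct.calcsize(ENTRY_FMT)


def _pack(ip):
    return ipaddress.IPv4Address(ip).packed


class Napt:
    """Minimal stateful NAPT over a 5-tuple table (hypothetical, no timeouts)."""

    def __init__(self, external_ips, port_base=1024):
        self.ext_ips = [_pack(ip) for ip in external_ips]
        self.next_port = port_base
        self.table = {}    # inside 5-tuple -> packed ENTRY_FMT record
        self.reverse = {}  # (ext_idx, ext_port, remote ip, proto, remote port) -> inside 5-tuple

    def outbound(self, src, dst, proto, sport, dport):
        """Translate a packet leaving the inside network; returns (ext_ip, ext_port)."""
        key = (_pack(src), _pack(dst), proto, sport, dport)
        if key not in self.table:
            ext_idx = len(self.table) % len(self.ext_ips)   # spread flows across external IPs
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = struct.pack(ENTRY_FMT, *key, STATE_NEW, ext_idx, ext_port)
            self.reverse[(ext_idx, ext_port, key[1], proto, dport)] = key
        fields = struct.unpack(ENTRY_FMT, self.table[key])
        return str(ipaddress.IPv4Address(self.ext_ips[fields[6]])), fields[7]

    def inbound(self, remote_ip, remote_port, proto, ext_ip, ext_port):
        """Reverse-map a packet from outside; None means no state, i.e. drop it."""
        packed_ext = _pack(ext_ip)
        if packed_ext not in self.ext_ips:
            return None
        key = self.reverse.get((self.ext_ips.index(packed_ext), ext_port,
                                _pack(remote_ip), proto, remote_port))
        if key is None:
            return None  # unsolicited: the stateful firewall behaviour
        fields = list(struct.unpack(ENTRY_FMT, self.table[key]))
        fields[5] = STATE_ESTABLISHED  # first reply seen: promote the flow
        self.table[key] = struct.pack(ENTRY_FMT, *fields)
        return str(ipaddress.IPv4Address(key[0])), key[3]

    def state(self, src, dst, proto, sport, dport):
        packed = self.table.get((_pack(src), _pack(dst), proto, sport, dport))
        return None if packed is None else struct.unpack(ENTRY_FMT, packed)[5]

    def table_bytes(self):
        """Memory the packed records occupy (dict overhead excluded)."""
        return len(self.table) * struct.calcsize(ENTRY_FMT)


def demo():
    """Constructed flow: one inside host opening TCP/443 to a remote server."""
    nat = Napt(["203.0.113.10", "203.0.113.11"])
    ext = nat.outbound("10.0.0.5", "198.51.100.7", 6, 51515, 443)
    nat.outbound("10.0.0.5", "198.51.100.7", 6, 51515, 443)   # same flow reuses the mapping
    reply = nat.inbound("198.51.100.7", 443, 6, ext[0], ext[1])
    unsolicited = nat.inbound("198.51.100.7", 443, 6, ext[0], ext[1] + 1)
    return (ext, reply, unsolicited,
            nat.state("10.0.0.5", "198.51.100.7", 6, 51515, 443), nat.table_bytes())


if __name__ == "__main__":
    print(entry_size(), demo())
```

Run as a script it prints the two record sizes (14 and 17 bytes) and the demo tuple: the mapping handed out, the reverse-translated reply, None for the unsolicited packet, the ESTABLISHED state, and 17 bytes of packed state for the single flow. Scaling that to millions of flows gives the order of magnitude of RAM, not CPU, that the NAT box needs.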
| p1mrx wrote:
| Generally an ISP does not have a stateful firewall prior
| to deploying CGNAT.
| dijit wrote:
| NAT and Stateful firewalling are commonly bundled
| together (especially on home systems) but I would not go
| so far as to say "NAT has a stateful firewall"-
|
| I hear such takes all the time and it's really
| frustrating; usually in threads regarding IPv6,
| incidentally it is usually programmers who think they
| understand everything about networks because they know
| how tcp operates.
| blibble wrote:
| > but I would not go so far as to say "NAT has a stateful
| firewall"-
|
| > I hear such takes all the time and it's really
| frustrating
|
| maybe you'd be less frustrated if you understood what
| people were saying, because I didn't say that
|
| AWS already do 1:1 NAT and there's additionally a
| stateful firewall, which necessitates connection state
| tracking
|
| adding the extra few bytes to do port translation
| shouldn't vastly increase the memory required
|
| > incidentally it is usually programmers who think they
| understand everything about networks because they know
| how tcp operates.
|
| from someone who has written a commercial packet filter:
| in terms of complexity, TCP blows the preceding layers of
| the stack out of the water
| meragrin_ wrote:
| > ISPs & mobile carriers are pushing IPv6 over CGNAT
|
| LOL. Not Metronet. They are doubling down on CGNAT. They've
| acquired ISPs with IPv6 and killed it in favor of CGNAT.
| Spivak wrote:
| This is missing the point mostly, my own sites have supported
| ipv6 for going on a decade because it was fun to get it
| working. But that's a very different thing than supporting
| _only_ IPv6.
| p1mrx wrote:
| It's best for an ISP to deploy IPv6 and CGNATv4 in
| parallel, so the NAT only needs to handle traffic for
| services that don't support IPv6 (e.g.
| news.ycombinator.com)
| secondcoming wrote:
| Last time we used GCP's NAT gateway it was constantly dropping
| SYN packets. We had to revert to using External IPs on machines
| that talked to the wider internet.
| wmf wrote:
| Previously: https://news.ycombinator.com/item?id=36910855
| https://news.ycombinator.com/item?id=36910994
| https://news.ycombinator.com/item?id=36942424
| metadat wrote:
| Thanks! Macro-expanded:
|
| _AWS: IPv4 addresses cost too much, so you're going to pay_
|
| https://news.ycombinator.com/item?id=36942424 (3 days ago, 186
| comments)
|
| _AWS Begins Charging for Public IPv4 Addresses_
|
| https://news.ycombinator.com/item?id=36910994 (6 days ago, 36
| comments)
|
| _AWS Public IPv4 Address Charge and Public IP Insights_
|
| https://news.ycombinator.com/item?id=36910855 (6 days ago, 9
| comments)
| alberth wrote:
| This was expected, and rent seeking.
|
| AWS over the last decade has spent $ billions buying up ASN
| blocks.
|
| I've never been one to use the word "rent seeking", but owning
| IPs is the ultimate rent seeking cloud business. Domain names can
| change registries but if you own the underlying IP being used
| (and there's a depleting supply of them) - it's a great business
| to charge rents on.
|
| https://www.techradar.com/news/amazon-has-hoarded-billions-o...
| madsbuch wrote:
| Most applications will be able to move to v6 eventually.
| Hopefully moves like this will push that development.
| andrewstuart2 wrote:
| Even already, I think you can get away with doing almost
| everything v6 with a much smaller number of ipv4s for legacy
| traffic. I say that but still largely use v4 for everything,
| so maybe I'm not one to talk.
| pantalaimon wrote:
| Unless you need to pull anything from GitHub...
| kccqzy wrote:
| Then direct your anger at Microsoft, not Amazon.
| doublerabbit wrote:
| Why not both?
|
| Both are dominating the internet-cyberspace and both are
| screwing it over for everyone else.
| efitz wrote:
| Looking at it a different way, IPv4 addresses are scarce so it
| makes more economic sense to have fewer, central owners that
| can maximize usage, rather than millions of individual owners,
| many or most of which would not necessarily be using them at
| any given time.
|
| Putting a price on IP address usage again is a mechanism to
| prevent squatting/hoarding a scarce resource.
|
| But if you don't want to "rent" IP addresses from anyone, you
| can still find blocks for sale. Last time I checked (last year)
| class C blocks were going for $15k-$20k.
| efitz wrote:
| BTW AWS specifically allows you to bring your own IP
| addresses.
|
| https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoi.
| ..
| yieldcrv wrote:
| Most of the internet is rent seeking
|
| VPNs just resell internet under a "more private than the next"
| unverifiable claim, and hope they get enough sycophants
| believing it
|
| Most of YC this year resells access to ChatGPT
|
| It's the game
___________________________________________________________________
(page generated 2023-08-03 23:00 UTC)