#aws (2018-11)

Just saw this… with the new Amazon AMEX, get 5% cashback AWS

@Erik Osterman (Cloud Posse) Whoa, good looking out!

https://aws.amazon.com/blogs/aws/new-lower-cost-amd-powered-ec2-instances/

Hey guys i have a question. Is it possible to create a private dns route 53 address and resolve it as static website in web browser internally behind vpn

with added alb or without alb

I think that should be possible. Openvpn can push a DNS option to the vpn client. So either you push the AWS DNS server as an option and push a route for that IP. Or you host a DNSMASQ daemon on your VPN instance and push that IP as DNS to your clients.

Not AWS but similar: https://superuser.com/questions/1090216/internal-domain-on-openvpn-with-dnsmasq

I can create wild card ssl certs *.internal.domain.com and renew them even year manually so it looks like https://something.internal.domain.com as its private hosted route53 domain attached to vpcs. Its not resolved outside vpcs. Right now i can ping inside vpc on ec2 instances but not in web browser

Thanks @maarten

For a private domain there is no need for anything public or even any normal domain root. In the past I’ve used <env>.<company>.aws for private domains and issue our own SSL certs with any length of life that is desired. Depending on service, have ranged between 1 and 20 years for service certs as well as using a wildcard one.

What you can also do is just use a public visible domain btw, not sure what the security context is but that will work too.

@Tee we do something just like this. Client-> VPN -> AWS

We just have 2 unbound recursive servers running that FW->AWS DNS and only send *.ourdomain or *.internal.whatever and *.awsinternaldomains to them

Does it need to be a VPN? If you want auth in front of a static website you could use CloudFront/Lambda/S3 and have it serverless.

@Tee, similar to @joshmyers point, the Identity-Aware Proxy (IAP) approach is advantageous over the VPN approach. It’s like having a point-to-point VPN whereby exactly one service is exposed and behind auth.

This is the “BeyondCorp” model pioneered at Google. I can share more if it sounds interesting.

Thanks

https://aws.amazon.com/about-aws/whats-new/2018/11/aws-cloudtrail-adds-support-for-aws-organizations/

Fits nicely with geodesic

NIce

That’s awesome!

I note that it isn’t yet supported in Terraform, would be a small PR. The vendored version of aws-sdk supports it too. Maybe interesting in terms of geodesic. What could that mean for the audit account? That would need to be the org master account

Audit account is just the sink. I presume you enable it in the master but ship it to the sink.

https://aws.amazon.com/blogs/aws/new-aws-resource-access-manager-cross-account-resource-sharing/

Fintech startups , rejoice! https://aws.amazon.com/about-aws/whats-new/2018/11/aws-transfer-for-sftp-fully-managed-sftp-for-s3/

https://aws.amazon.com/about-aws/whats-new/2018/11/aws-transfer-for-sftp-fully-managed-sftp-for-s3/

@Andriy Knysh (Cloud Posse) duplicate (see above)

do you have the link to mongodb announcement

ah yes

it’s not announcement yet, just speculations, but prob will happen https://seekingalpha.com/news/3410999-aws-develops-new-services-amid-open-source-pushback

Any recommendations for sites summarizing all announcements from reinvent?

https://www.reddit.com/r/aws/?st=JOZCDTJ4&sh=fd1837db

https://www.reddit.com/r/aws/comments/a0p0pz/inter_region_dns_resolution_between_peered_vpcs/?st=JOZCFWTQ&sh=6ff97907

https://www.cnet.com/news/everything-you-need-to-know-about-aws-reinvent-2018/

https://aws.amazon.com/blogs/aws/new-amazon-cloudwatch-logs-insights-fast-interactive-log-analytics/

@Andriy Knysh (Cloud Posse) that looks super sweet!

https://youtu.be/fnxXNZdf6ew?t=1165

https://aws.amazon.com/about-aws/whats-new/2018/11/alb-can-now-invoke-lambda-functions-to-serve-https-requests/

Also nice: https://aws.amazon.com/about-aws/whats-new/2018/11/announcing-amazon-aurora-global-database/