#office-hours (2022-05)

Consistent delivery tool. Git as a single source of truth. Build, deploy to Kubernetes, stay in sync.

TLDR: How do you achieve static IPs for a Root Domain hosted behind CloudFront without using Route53 Aliases?

Details: I am working with a client that started with a website running on a single EC2 instance. An Elastic IP (EIP) was associated with the instance. The IP was used to create A records in a third-party DNS for routing the root and the “www” endpoints to the instance.

[root.com](http://root.com), [www.root.com](http://www.root.com) → 3rd-party DNS (A) → EIP → EC2

After much refactoring, the site is now running behind CloudFront and an ALB. The CloudFront endpoint is published as a CNAME for the “www” endpoint and works great. The root, however, is still using the old EIP as a A record because you can’t use CNAMEs with the root.

[www.root.com](http://www.root.com) → 3rd-party DNS (CNAME)→ CloudFront → ALB [root.com](http://root.com) → 3rd-party DNS (A)→ EIP → EC2 (Redir to www with NGINX)

Of course, the “easiest” (!) way to get the root domain pointed at CloudFront is to create an ALIAS record in Route53. Ha! I say “easiest” because moving the zone from the third-party DNS hosting into Route53 would take far too much effort for this one little redirect. For example, retraining people to use AWS instead of the DNS tool they have been using for years among many, many other potential snares and time sinks.

So I’ve looked at a couple solutions.

The current one works but I don’t want to have to run/manage an NGINX server for redirects. It’s also not highly available; if the server goes offline then redirects will fail. So use an ALB, right?

Since the IPs for ALBs change, but NLBs can have an EIP assigned to them, I tried assigning an EIP to a Network Load Balancer backed by an ALB that listens on ports 80 and 443. The listeners have a rule that redirects the request to “www”. I should add, content doesn’t need to be served from the root domain; it should all come from “www”.

[root.com](http://root.com) → 3rd-party DNS (A)→ EIP -> NLB -> ALB -> Redirect to WWW

This works for the most part but I feel like an NLB and and ALB for redirecting a request is overkill. I figure there has to be a better, cheaper solution. (this one is about $30/month not including traffic which should be pretty minimal)

So I looked at AWS Global Accelerator. This provides static IPs that can be pointed at a few different AWS resources; ALBs are there but sadly not CloudFront (AFAICT).

[root.com](http://root.com) → 3rd-party DNS (A)→ Global Accelerator -> ALB (live site!)

In my early exploration of this, its only working for HTTP requests… not for HTTPS requests. So if someone enters “https://root.com”, the redirect won’t ever happen. Bummer! This one is about $18/month not including traffic.

So before I settle on the EIP->NLB->ALB approach, I ask the question: How do you achieve static IPs for a Root Domain hosted behind CloudFront without using Route53 Aliases?

Amazon Elastic Kubernetes Service (Amazon EKS) is excited to introduce the Kubernetes resource view. You will now be able to see all Kubernetes API resource types running in your Amazon EKS cluster using the AWS Management Console for Amazon EKS, making it easier to visualize and troubleshoot your Kubernetes applications using Amazon EKS. Amazon EKS […]

Generate Crossplane Providers from any Terraform Provider

Lens IDE for Kubernetes. The only system you’ll ever need to take control of your Kubernetes clusters. It’s open source and free. Download it today!

A reproducible Docker image build system for complex software stacks

Terraform module for public and private subnets provisioning in existing VPC

An overview of how to use the Pulumi YAML config languages for infrastructure as code on any cloud (AWS, Azure, GCP, Kubernetes, etc.).

Converts a Terraform module to a Helm Chart

@Jeremy G (Cloud Posse) what I found with the VPC module, more to the point the VPC endpoint sub-module, was that while the interface endpoint allowed for the optional subnet IDs to be passed through the gateway endpoint did not accept route table IDs so it could associate the gateway service with the VPC route table. It makes sense having it as a sub-module as you need both the VPC and the subnets created before it can be of use. Inside the sub module makes sense to perform the aws_vpc_endpoint_route_table_association resource definition but it requires passing along the route table IDs. Also it could probably just more simply be passed as the optional property to the aws_vpc_endpoint itself. I thought it could be added as an optional variable in the existing mapped variable just like how the subnet IDs are for interface endpoints.

Question for anyone who has worked with the transit-gateway module as it is… I’m currently working to codify our existing setup that has been done mostly by hand thus far. It follows a hub-spoke design with 2 route tables but we’re looking to add a 3rd RT into it. As I have been reading over the module I see it allows passing either a RT you create outside the module or creating one, but it appears like it only deals with a single RT.

what

• Full support for IPv6

why

• Requested feature

notes

• This will become version 2.0 of this module because there will be breaking changes. The intention is that people will be able to adapt existing configurations to v2.0 with minimal effort (mainly changing some string inputs to lists of strings), but some breaking changes are necessary to accomplish other goals like making inputs optional or preserving Elastic IPs when switching from NAT Instance to NAT Gateway.

Join the online charity conference on 17-18 May. We’ll talk about DevOps in crisis with Debois, Hightower, Woodward, Nova, Clay Shafer and others.

OtterTune uses machine learning to automate database tuning that improves PostgreSQL and MySQL performance and reduces costs.

A startup using AI and machine learning to optimize database performance, OtterTune has raised $12 million in a venture funding round led by Intel Capital.

ACK service controller for Amazon API Gateway v2

Recently, AWS launched the ability to delegate administration of AWS Single Sign-On (AWS SSO) in your AWS Organizations organization to a member account (an account other than the management account). This post will show you a practical approach to using this new feature. For the documentation for this feature, see Delegated administration in the AWS […]

This post is written by Dan Fox, Principal Specialist Solutions Architect, Serverless. You can now develop AWS Lambda functions using the Node.js 16 runtime. This version is in active LTS status and considered ready for general use. To use this new version, specify a runtime parameter value of nodejs16.x when creating or updating functions or by using the appropriate […]

Yea way we do it for preview environments that we dump DB from prod to staging, do the tokenization, and then take a EBS Snapshots from this. The we create volumes from it on each preview environment deployment and create its PV and PVCs.

KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge.It is built upon kubernetes and provides fundamental infrastructure support for network, app. deployment and metadata synchronization between cloud and edge. Kubeedge is licensed under Apache 2.0. and free for personal or commercial use absolutely. We welcome contributors!

API traffic viewer for Kubernetes enabling you to view all API communication between microservices. Think TCPDump and Wireshark re-invented for Kubernetes

A simple-yet-powerful API traffic viewer for Kubernetes to help you troubleshoot and debug your microservices. Think TCPDump and Chrome Dev Tools combined.

A tool for securing CI/CD workflows with version pinning.

Debug your GitHub Actions via SSH by using tmate to get access to the runner system itself.

Enhance the developer experience with measurable improvements

A tool for securing CI/CD workflows with version pinning.

GoCD is an open source build and release tool from ThoughtWorks. GoCD supports modern infrastructure and helps enterprise businesses get software delivered faster, safer, and more reliably.

Terramate is a tool for managing multiple Terraform stacks that comes with support for change detection and code generation.