Answers to questions about AWS that we often see at Cornell.
Billing
How come my AWS bill contains charges for EC2 when I haven't used EC2 at all?
In most cases, the EC2 charge you are seeing is a result of the standard configuration we use in your VPC. The private subnets in your Cornell standard VPC reach the Internet (for outgoing traffic only) through a NAT gateway. AWS bills NAT gateway hours and data processing under the EC2 service, so the charge shows up as EC2 even though the gateway is a managed service that won't appear in your EC2 instance list in the AWS Console. You can see the NAT gateway(s) configured for your account here: https://console.aws.amazon.com/vpc/home?region=us-east-1#NatGateways:sort=desc:createTime
The NAT gateway gives EC2 instances in your private subnets outbound access to the Internet for things like Linux package repositories and Windows Update servers. Some AWS account owners do not find the roughly $1/day cost of the NAT gateway (plus a per-GB charge for the data it processes) worthwhile and turn it off. We caution against this, because with it off your instances in private subnets will not be able to do something as basic and critical as running "yum update" or "apt-get update", or getting Windows updates.
Contact the Cloud Team if you'd rather not have the NAT gateway deployed for that VPC.
See NAT Gateway pricing info here: https://aws.amazon.com/vpc/pricing/.
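If you want to trace an unexpected EC2 charge to specific NAT gateways, the following script (an added example, not part of the original page or of Cornell's tooling) lists the gateways that are still accruing hourly charges and estimates what they cost per day. The hourly rate is an assumption taken from the us-east-1 list price at the time of writing and excludes the per-GB data processing charge, so check the pricing page for current figures; the sample API response is constructed in the shape returned by boto3's ec2.describe_nat_gateways() and is not real account data.

```python
"""List NAT gateways that still accrue hourly charges and estimate their daily cost.

Added example; not code from the Cornell page. The rate below and the
treatment of "deleted"/"failed" as non-billable are labelled assumptions.
"""
from typing import Dict, List

# Assumption: us-east-1 list price at time of writing; data processing per GB not included.
NAT_GATEWAY_HOURLY_USD = 0.045

# Assumption: the hourly charge runs from provisioning until the gateway is deleted,
# so only these states are treated as free.
NON_BILLABLE_STATES = {"deleted", "failed"}

# Constructed sample in the shape of ec2.describe_nat_gateways(); not real data.
SAMPLE_RESPONSE = {
    "NatGateways": [
        {"NatGatewayId": "nat-0a1b2c3d4e5f60001", "VpcId": "vpc-0a1b2c3d4e5f60001",
         "SubnetId": "subnet-0a1b2c3d4e5f60001", "State": "available",
         "Tags": [{"Key": "Name", "Value": "standard-vpc-nat-a"}]},
        {"NatGatewayId": "nat-0a1b2c3d4e5f60002", "VpcId": "vpc-0a1b2c3d4e5f60001",
         "SubnetId": "subnet-0a1b2c3d4e5f60002", "State": "available", "Tags": []},
        {"NatGatewayId": "nat-0a1b2c3d4e5f60003", "VpcId": "vpc-0a1b2c3d4e5f60002",
         "SubnetId": "subnet-0a1b2c3d4e5f60003", "State": "deleted", "Tags": []},
    ]
}


def summarize_nat_gateways(response: Dict, hourly_rate: float = NAT_GATEWAY_HOURLY_USD) -> List[Dict]:
    """Return one row per NAT gateway that is still billable, with its estimated daily cost."""
    rows = []
    for gw in response.get("NatGateways", []):
        if gw.get("State") in NON_BILLABLE_STATES:
            continue
        tags = {t["Key"]: t["Value"] for t in gw.get("Tags", [])}
        rows.append({
            "id": gw["NatGatewayId"],
            "vpc": gw["VpcId"],
            "subnet": gw["SubnetId"],
            "state": gw["State"],
            "name": tags.get("Name", "(no Name tag)"),
            "usd_per_day": round(hourly_rate * 24, 2),
        })
    return rows


def total_daily_cost(rows: List[Dict]) -> float:
    """Sum the hourly-based daily cost across billable gateways (data processing excluded)."""
    return round(sum(r["usd_per_day"] for r in rows), 2)


def fetch_live_response(region: str = "us-east-1") -> Dict:
    """Query the real API. Needs boto3 and AWS credentials; not used by the sample run."""
    import boto3  # imported here so the sample run works without boto3 installed
    return boto3.client("ec2", region_name=region).describe_nat_gateways()


if __name__ == "__main__":
    rows = summarize_nat_gateways(SAMPLE_RESPONSE)  # swap in fetch_live_response() for a real account
    for r in rows:
        print(f'{r["id"]}  {r["name"]:<22} vpc={r["vpc"]} subnet={r["subnet"]} '
              f'state={r["state"]} ~${r["usd_per_day"]}/day')
    print(f"estimated hourly-charge total: ~${total_daily_cost(rows)}/day for {len(rows)} gateway(s)")
```

Run it against each Region you use: NAT gateways are regional, and a gateway left behind in a Region you no longer deploy to will keep billing at the same rate as the ones in your standard VPC.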
When will direct billing (through KFS) based on "Cost Center" tags be released?
This is still a work in progress and we expect to release this Cornell KFS feature in Spring 2017. In the meantime, you should strive to add "Cost Center" tags to your AWS resources as soon as possible. See Standard Tagging for details.
Until direct billing is turned on, you can use CloudCheckr or our billing API to sub-total the resource costs in your account (based on tag) and re-allocate those costs with the help of your unit Business Service Center.
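As an added example (not code from the Cornell page, CloudCheckr or the billing API), the script below does the sub-totalling described above over a Cost and Usage Report (CUR) style CSV: it sums unblended cost per "Cost Center" tag value and lists the resources that carry no tag, which are the ones to fix before direct billing arrives. It assumes the CUR column convention (lineItem/ResourceId, lineItem/UnblendedCost and resourceTags/user:<TagKey>, which requires "Cost Center" to be activated as a cost allocation tag); the CSV it runs on is constructed sample data, not a real bill.

```python
"""Sub-total costs by the "Cost Center" tag and list untagged resources.

Added example; not the Cornell page's own tooling. Column names follow the
CUR convention (assumption) and the sample CSV is constructed, not a real bill.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

RESOURCE_COLUMN = "lineItem/ResourceId"
COST_COLUMN = "lineItem/UnblendedCost"
COST_CENTER_COLUMN = "resourceTags/user:Cost Center"  # assumption: CUR column for the activated tag
UNTAGGED = "(untagged)"

# Constructed sample rows; not real billing data.
SAMPLE_CUR_CSV = """\
lineItem/ResourceId,lineItem/ProductCode,lineItem/UnblendedCost,resourceTags/user:Cost Center
i-0a1b2c3d4e5f60001,AmazonEC2,12.50,1234567
i-0a1b2c3d4e5f60002,AmazonEC2,7.25,1234567
vol-0a1b2c3d4e5f60003,AmazonEC2,1.10,7654321
my-sample-bucket,AmazonS3,0.40,
nat-0a1b2c3d4e5f60004,AmazonEC2,32.40,
"""


def subtotal_by_cost_center(csv_text: str) -> Tuple[Dict[str, float], List[str]]:
    """Return (totals per Cost Center value, resource IDs with no Cost Center tag).

    A missing column, an empty cell, or whitespace all count as untagged.
    """
    totals: Dict[str, float] = defaultdict(float)
    untagged: List[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cost_center = (row.get(COST_CENTER_COLUMN) or "").strip() or UNTAGGED
        cost = float(row.get(COST_COLUMN) or 0.0)
        totals[cost_center] += cost
        if cost_center == UNTAGGED and row.get(RESOURCE_COLUMN):
            untagged.append(row[RESOURCE_COLUMN])
    return {k: round(v, 2) for k, v in totals.items()}, untagged


def untagged_share(totals: Dict[str, float]) -> float:
    """Fraction of total spend that cannot be allocated to a Cost Center (0.0 when nothing is billed)."""
    grand_total = sum(totals.values())
    return round(totals.get(UNTAGGED, 0.0) / grand_total, 4) if grand_total else 0.0


if __name__ == "__main__":
    totals, untagged = subtotal_by_cost_center(SAMPLE_CUR_CSV)
    for cost_center, amount in sorted(totals.items()):
        print(f"{cost_center:<12} ${amount:>8.2f}")
    print(f"unallocated share: {untagged_share(totals):.1%}")
    for resource in untagged:
        print(f"  missing Cost Center tag: {resource}")
```

Note that the NAT gateway in the sample is the largest untagged item; shared infrastructure like the standard VPC's NAT gateway needs a Cost Center tag too, or its cost lands in the unallocated bucket every month.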
When I purchase a reserved EC2 instance, how is billing handled for that?
If your AWS account is part of the AWS consolidated billing scheme, the purchase of a reserved instance triggers an invoice from AWS to Cornell. Please send details of the purchase and the Cornell account to be charged to cloud-support@cornell.edu, and we will ensure that the invoice is charged appropriately.
Licensing
Does the Cornell Microsoft Agreement cover Microsoft software in AWS?
In most cases, no. See Microsoft Licensing within AWS.
Users, Policies and Roles
How can I give Cornell users access and privileges to my AWS account?
You can create custom IAM roles that integrate with Cornell Shibboleth so that access to those roles is granted according to membership in an AD group. See Creating Custom Roles to use With Shibboleth.
Can I use a DOC (delegation of control) account to login to AWS?
No. Our Shibboleth implementation does not work with DOC accounts. (More info about DOC accounts: https://it.cornell.edu/cornellad/admin-account-guidelines.)
Networking
I deleted my "default" AWS VPC. How do I get it back?
See I've deleted my default VPC. How do I get it back?
Will AWS designate an existing VPC as the "default" VPC?
Direct from AWS tech support, here's what they have to say about this (as of 2017-02-08):
...existing VPCs cannot be assigned as the default and we can only create a new Default VPC for you.
Please note that when we create a default VPC, we do the following to set it up for you:
- Create a default subnet in each Availability Zone.
- Create an Internet gateway and connect it to your default VPC.
- Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet to the Internet gateway.
- Create a default security group and associate it with your default VPC.
- Create a default network access control list (ACL) and associate it with your default VPC.
- Associate the default DHCP options set for your AWS account with your default VPC.
What is AWS Direct Connect and how does Cornell use it?
See AWS Direct Connect for Cornell.
What is the Cornell Standard VPC?
See The Cornell “Standard” AWS VPC.
Why can't I connect to my EC2 instance?
Connectivity problems are usually a matter of routing, security groups or network ACLs. You might want to start with the diagrams on AWS Direct Connect Routing Diagrams, which show the expected routing between campus and AWS.
Can I coordinate VPC Availability Zones between AWS accounts?
In practice, no. To spread load across their infrastructure, AWS maps Availability Zone names (for example "us-east-1a", "us-east-1d") to physical zones independently for each account. Within the same Region, the zone you see as "zone A" is not guaranteed to be the same back-end environment as "zone A" seen from a different AWS account. AWS has since introduced Availability Zone IDs (for example "use1-az1"), which do identify the same physical zone in every account; the ZoneId field returned by describe-availability-zones shows the ID behind each zone name, so two accounts can compare IDs rather than names. For more information, see the AWS documentation on Regions and Availability Zones.
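The following script, an added example that is not part of the original page, shows how to reconcile zone names between two accounts using Availability Zone IDs: it reads the ZoneId field from each account's describe_availability_zones() response and translates account A's zone names into the names account B uses for the same physical zones. The two responses are constructed samples in the shape boto3 returns, not real accounts, and the mapping they contain is invented for illustration.

```python
"""Translate Availability Zone names between two AWS accounts via AZ IDs.

Added example; not code from the Cornell page. The two responses are constructed
in the shape of boto3's ec2.describe_availability_zones() and are not real accounts.
"""
from typing import Dict, Optional, Set

# Constructed sample: account A's view of us-east-1.
ACCOUNT_A = {"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az4", "State": "available", "RegionName": "us-east-1"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az6", "State": "available", "RegionName": "us-east-1"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az1", "State": "available", "RegionName": "us-east-1"},
    {"ZoneName": "us-east-1d", "ZoneId": "use1-az2", "State": "available", "RegionName": "us-east-1"},
]}

# Constructed sample: account B sees the same physical zones under different names,
# and has no access to use1-az2 at all.
ACCOUNT_B = {"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az1", "State": "available", "RegionName": "us-east-1"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az4", "State": "available", "RegionName": "us-east-1"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az6", "State": "available", "RegionName": "us-east-1"},
]}


def zone_ids_by_name(response: Dict) -> Dict[str, str]:
    """Map an account's zone names to the account-independent zone IDs."""
    return {z["ZoneName"]: z["ZoneId"]
            for z in response.get("AvailabilityZones", [])
            if z.get("State") == "available"}


def map_zone_names(from_response: Dict, to_response: Dict) -> Dict[str, Optional[str]]:
    """For each zone name in the first account, the name the second account uses for the
    same physical zone, or None if the second account cannot see that zone."""
    to_name_by_id = {zone_id: name for name, zone_id in zone_ids_by_name(to_response).items()}
    return {name: to_name_by_id.get(zone_id)
            for name, zone_id in zone_ids_by_name(from_response).items()}


def shared_zone_ids(a_response: Dict, b_response: Dict) -> Set[str]:
    """Zone IDs both accounts can use; the safe set to place cross-account resources in."""
    return set(zone_ids_by_name(a_response).values()) & set(zone_ids_by_name(b_response).values())


def fetch_live_response(region: str = "us-east-1") -> Dict:
    """Query the real API for the current credentials. Needs boto3; not used by the sample run."""
    import boto3  # imported here so the sample run works without boto3 installed
    return boto3.client("ec2", region_name=region).describe_availability_zones()


if __name__ == "__main__":
    for a_name, b_name in map_zone_names(ACCOUNT_A, ACCOUNT_B).items():
        print(f"account A {a_name} -> account B {b_name or '(not available to B)'}")
    print("shared zone IDs:", sorted(shared_zone_ids(ACCOUNT_A, ACCOUNT_B)))
```

When two units need resources in the same physical zone (a shared EFS mount target or a cross-account peering that should stay zone-local, for example), each side runs this against its own credentials and agrees on zone IDs, then maps back to its own zone names.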
How can I request a cucloud.net subdomain for use in Route 53?
The process for creating a cucloud.net Hosted Zone in your AWS account and requesting DNS delegation can be found in Route 53 Subdomain Delegation.