Answers to questions about AWS that we often see at Cornell. |
The cost of Standard AWS Account Configurations can be broken into two parts:
Graph of Typical Costs for auditing configurations
The auditing configuration created as part of our Standard AWS Account Configuration includes setting up auditing in all AWS regions. This is to log activity in an AWS account targeting other AWS regions. These costs should be minimal because most folks aren't using regions across the globe. However, it is important that the auditing configuration is in place globally to ensure that any malfeasance in other regions is logged.
AWS offers a Data Egress Waiver that mostly eliminates Data Transfer charges for Cornell. See the AWS blog post about it for more details.
As of February 2018, most services that advertise the $0.09/GB data egress fee on the pricing page are covered. Feel free to check with the Cloud Team if you aren't sure about a particular service.
One notable exception is CloudFront egress, which is not covered by the waiver. CloudFront egress shows as a separate line-item and is billed at a (slightly) cheaper rate than normal data egress. AWS is looking into adding CloudFront egress to the waiver. Any campus customers who have a current or future plan to generate significant CloudFront egress charges should forward their use-case to the Cloud Team for a consult with our AWS Representatives.
A second notable exception is Direct Connect egress, which is not covered by the waiver. Egress costs for our Direct Connect are $0.02/GB and those charges are billed to your AWS account.
According to AWS, their service offerings that use CloudFront under the covers, API Gateway for example, are covered by the egress waiver and a separate consult is not needed.
In short, no, Cornell is not near the 15% cap of the Data Egress Waiver. As of March 2023, the last three months averaged 6.83% utilization and the last six averaged 6.16%. If more detailed information is needed, please contact cloud-support@cornell.edu.
We use CloudCheckr to send informational invoice for each AWS account on the 15th of each month. Those invoices cover the prior calendar month. You do not need to do anything with those invoices.
On or about the 17th of each month, a KFS transaction is automatically created that charges the designated default KFS account for the charges in your AWS account. That KFS transaction also has a copy of the invoice for backup purposes.
Please contact cloud-support@cornell.edu if you need to change the KFS account used by default for your AWS account charges.
If you'd like to target the charges for specific AWS resources to specific KFS accounts, you can "Cost Center" tags to your AWS resources. See AWS Standard Tagging for details.
In most cases, the EC2 charge you are seeing is a result of the standard configuration we use in your VPC. The private subnets in your Cornell standard VPC are connected to the world (for outgoing traffic) by a NAT gateway. That NAT gateway is really a small EC2 instance, though it won't appear in your EC2 instance list in the AWS Console. You can see the NAT gateway(s) configured for your account here: https://console.aws.amazon.com/vpc/home?region=us-east-1#NatGateways:sort=desc:createTime
The NAT gateway gives EC2 instances in your private subnets access to the world for things like Linux repos or Windows update servers. We do have some AWS account owners that do not find the $1/day cost of the NAT gateway to be worthwhile and turn it off. We advise caution around this because, with it off, your instances will not be able to do something as basic and critical as running "yum update" or "apt-get update" or get Windows updates.
Contact the Cloud Team if you'd rather not have the NAT gateway deployed for that VPC.
See NAT gateway pricing info here: https://aws.amazon.com/vpc/pricing/.
Direct billing from AWS to KFS is now enabled. We have a default KFS account to bill for charges in each AWS account. If you'd like to target the charges for specific AWS resources to specific KFS accounts, you can "Cost Center" tags to your AWS resources. See AWS Standard Tagging for details.
As of June 2022, individual Cornell AWS accounts cannot buy Reserved Instances or Savings Plans. Cornell has a program that purchases those centrally. See
In most cases, no. See Microsoft Licensing within AWS.
You can create custom IAM roles that integrate with the Cornell Shibboleth so that access to those roles is granted according membership in an AD group. See Creating Custom Roles to use With Shibboleth.
No. Our Shibboleth implementation does not work with DOC accounts, Holding IDs, or Guest IDs. (More info about various Cornell account types: https://it.cornell.edu/cornellad/terms-and-conditions-cornellad and Cornell's Shibboleth Implementation.)
Please contact cloud-support@cornell.edu to discuss other options.
You can create a new one. See https://aws.amazon.com/about-aws/whats-new/2017/07/create-a-new-default-vpc-using-aws-console-or-cli/.
Direct from AWS tech support, here's what they have to say about this (as of 2017-02-08):
...existing VPC's can not be assigned as the default and we can only create a new Default VPC for you.
Please note that when we create a default VPC, we do the following to set it up for you:
- Create a default subnet in each Availability Zone.
- Create an Internet gateway and connect it to your default VPC.
- Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet to the Internet gateway.
- Create a default security group and associate it with your default VPC.
- Create a default network access control list (ACL) and associate it with your default VPC.
- Associate the default DHCP options set for your AWS account with your default VPC.
See Cornell AWS Direct Connect.
See The Cornell “Standard” AWS VPC.
You might want to look at the diagrams on Cornell AWS Direct Connect Routing Diagrams
In short, yes. To ensure distribution of load across their infrastructure, AWS creates an independent mapping of Availability Zone designations (ie: "us-east-1a", "us-east-1d") for each account. Within the same Region, if you need to guarantee the Availability Zone that you see as "zone A" lives in the same back-end environment as "zone A" seen from a different AWS account you will need to utilize the Availability Zone ID. For more information about zones and regions, see the AWS documentation on Regions and Availability Zones.
The process for creating a cucloud.net Hosted Zone in your AWS account and requesting DNS delegation can be found in Route 53 Subdomain Delegation.
Suppose I have two AWS VPCs that are both connected to campus networks with Direct Connect. How can I tell if traffic between those two VPCs are using an AWS peering connection or traveling the Direct Connect and making a u-turn on-campus? The answer is to look at the results of traceroute
between two IPs, one in each VPC.
Here is the traffic pattern traceroute
would return when Direct Connect is being used
> traceroute 10.92.131.194 traceroute to 10.92.131.194 (10.92.131.194), 30 hops max, 60 byte packets 1 * * * 2 aws1-mx-vl3302.net.cornell.edu (10.22.223.4) 10.856 ms 10.799 ms 10.741 ms 3 aws-bgp-vl3334.net.cornell.edu (10.22.223.85) 10.722 ms 10.676 ms 10.629 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * |
Here is the traffic pattern traceroute
would return when AWS traffic is traversing peered VPCs:
> traceroute 10.92.168.117 traceroute to 10.92.168.117 (10.92.168.117), 30 hops max, 60 byte packets 1 10.92.168.117 (10.92.168.117) 5.174 ms 5.201 ms 3.095 ms |
If there is any chance that Network ACLs or Security Groups are blocking ICMP traffic, you can use the TCP (-T) and port (-p) switch with {{traceroute}. The example below proves that the instance where the traceroute
is run in in a VPC that is peered directly to the VPC containing the AWS Active Directory server ad10.cornell.edu
. Note that you will need to pick a port that you know to be open for the target system. This example uses port 389 because the Active Directory server has port 389 (LDAP) open.
$ traceroute -T -p 389 ad10.cornell.edu traceroute to ad10.cornell.edu (10.92.36.80), 30 hops max, 60 byte packets 1 ip-10-92-36-80.ec2.internal (10.92.36.80) 7.740 ms 7.711 ms 9.136 ms |
VPCs created by the Cloud Team for Cornell AWS customers generally contain only a single NAT Gateway. This NAT Gateway provides access to the public internet for private subnets in the VPC. All private subnets in the VPC are configured to use the same NAT Gateway, regardless of the Availability Zone of the private subnet. This means that the NAT Gateway is a single point of failure because the resources in your private subnets may not be able to reach the internet if the AZ where the NAT Gateway resides experiences network issues.
If you require high availability and resiliency for the deployments in your private subnets, you may want to consider adding additional NAT Gateways to your VPC. You would want one NAT Gateway in each Availability Zone where your private subnets reside.
The downside of multiple NAT Gateways is that each one costs about $1/day to run, and some Cornell AWS customers do not consider the high availability worth that cost.
Email cloud-support@cornell.edu if you'd like help setting up additional NAT Gateways in your Cornell AWS account.
Direct Connect is mostly useful when a reliable latency is needed to be maintained between systems on campus and in AWS. Another use case could be that you are required to use a private network due to some policy, or you must access a system on campus that will not allow access via the public internet due to firewall rules that cannot be changed or because the system is only in campus 10-Space.
In the majority of other scenarios, the Cloud Team recommends using the public internet to transfer all data and updating firewall configurations to allow access to/from the internet with trusted systems that you run in AWS. The available bandwidth to the internet is much greater than the 1Gbps Direct Connect that is shared among many units at Cornell.
We also recommend using end-to-end encryption whenever transferring data over the internet. If you are using AWS provided CLI or SDKs (or 3rd party tools that utilize these) to transfer data to AWS, your connections will be encrypted by default.
Amazon S3 supports individual objects up to 5TB in size. However, when uploading large files, you run the risk of that transfer being interrupted and having to start over. Each individual connection to S3 also only gets 100Mbps from AWS.
We recommend using the AWS CLI or a 3rd party tool to utilize "multipart uploads" when transferring large files. Most tools also multithread when uploading the parts of your file, so you will be able to utilize the full bandwidth of your machine (usually 1Gbps on campus).
The following tools support multipart uploads:
There are some options here:
As of Mechanical Turk resources (projects, etc.) cannot be tagged.
Therefore it is not possible to use "Cost Center" tagging to direct MTurk charges to KFS accounts other than the default KFS account configured for the AWS account.
RDS is a fully-managed service at Amazon, meaning you do not have access to the underlying operating system. Patching to the database engine or underlying operating system is handled as a scheduled maintenance event:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Maintenance.html
Maintenance to RDS can happen "immediately" or in a regularly-scheduled 30-minute window. An RDS instance can also be configured to automatically apply "minor" updates during the standing maintenance window without prior approval. For instances supported by the CIT DBA team, they can likely give you the details on your current configuration(s); the Cloud Team can also help fill in gaps if needed.
It is certainly likely that this activity will result in a brief outage. Use of a Multi-AZ deployment for RDS helps mitigate that for most activities since AWS will first perform maintenance on the standby instance, promote that to primary, then perform maintenance on the "old primary/new standby". Emphasis is on "most" because some major changes, like modifying the database engine, may require updating both primary and standby at the same time. Multi-AZ also gives you increased availability in the case of an Availability Zone going offline. Keep in mind that Multi-AZ deployments come with additional cost. You will need to find the balance between desired availability and total monthly spend.
While we can help you setup almost any type of web site in AWS, your best bet may be to start with the CIT Custom Web Development team, which brokers a varierty of web site hosting options. See Hosting Comparison Chart for options. In short the options are:
Basic
Static Web Hosting
Content Management Systems
CampusPress (WordPress)
Pantheon (WordPress and Drupal)
Acquia (Drupal)
Highly Customizable
Media3 (ColdFusion, LAMP)
Amazon Web Services (AWS) (CIT Cloud Services)
Managed Server
See Examples of Email Sent to AWS Root Account Addresses and AWS Security Contacts