Amazon EC2

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
Has anyone ever put together an Amazon EC2 instance? The pricing estimator is a little overwhelming.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Has anyone ever put together an Amazon EC2 instance? The pricing estimator is a little overwhelming.

We make an extensive use of EC2 here, but I'm not the one who manage the instances. I have an admin access to the account and I can look into it. One thing to note is that I always bitch about the small fortune it cost us. EC2 can end up being quite expensive if you don't take advantage of the fact that you can shut down the instance when not in use. If you keep them up and running all the time, prepare yourself for a shock when the invoice will come in.

We use small, medium and extra-large instances. All Linux.
 

timwhit

Hairy Aussie
Joined
Jan 23, 2002
Messages
5,278
Location
Chicago, IL
We use them extensively at my company for development purposes. We pass on all bills to our clients, but like Coug says, if you run them 24/7 you'll be shocked by the price.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
One of our clients is looking for a "cloud" solution for our hosted application and EC2 looks downright reasonable compared to some of the managed hosting providers I've looked at. i do actually think they want to be fully buzzword compliant rather than needing any specific from Amazon, but they're looking for hosting and I know I'm very limited in terms of my in-house resources to provide it.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
There's a lot of stupid involved in this.

I think the appeal of EC2 in this case was the idea of only paying for resources being used, but like I said this was coming from the customer so who the hell knows what they actually think they want.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Pencil pushers should never make technical decisions.

A typical mid-range dedicated server cost ~150$-250$ per month, including reasonable networking bandwidth. Instances on EC2 will cost significantly more (2x or 3x). It simply isn't worth it. Like Timwhit wrote, EC2 is good for development or to fill additional demands on casual occasions. It is not an advantageous alternative for a constant service, unless availability is paramount, technical staff is unqualified and pockets are deep.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
Windows is, as usual, a requirement for what I'm deploying.

There's a data center not all that far from where I live. I'm contemplating just renting 2U of space for $50/month. I think I could stick a couple boxes in that and call it a cloud.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,927
Location
USA
Windows is, as usual, a requirement for what I'm deploying.

There's a data center not all that far from where I live. I'm contemplating just renting 2U of space for $50/month. I think I could stick a couple boxes in that and call it a cloud.

That makes things a more-complicated for cloud hosting. Is Rackspace cloud a possibility? I'm guessing their pricing is right up there with Amazon. Their lowest plan is around $58/month
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Verizon Terremark is also in the cloud business and they seem to be pretty big and well done. Their cloud runs on Cisco servers, according to the spokeman I met last Fall.

...Or you could create your own cloud platform with Openstack. I'm just saying.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
I did look at Rackspace. They were stratospherically expensive. Which doesn't actually surprise me.

Openstack is more or less what I'm contemplating. Until recently, there wasn't anything like a local Colo option, but right now I rent 2U of space with unmetered power and unmetered 100Mbit network access for around the price of a tank of gas, which makes the whole idea a lot more appealing to me.
I should probably take a few boxes and see how much of a PITA it is to get it running.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
I'm getting ready to install a 1U server at a datacenter. I just realized that I'm going to be exposing my ESXi server's management interfaces directly to the internet unless I figure out some way to lock that down.

I have two public IPs and ESXi of course doesn't give me any utility to work with for this so I guess what I'd need is some kind of vswitch that points all my inbound traffic to something I can use to firewall and also provides a VPN end point I can use to connect to the ESX interface if I actually need it. Does that sound right? Or else I could just suck it up and hope every hacker on the internet has forgotten what port scanners and rainbow tables are.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,729
Location
Horsens, Denmark
I would not be comfortable putting ESXi directly on the internet. I would probably try to find a way to get a hardware firewall in there somehow. Even if it is a gumstix-type machine running smoothwall stickytaped to the back of the 1U server. Unless your bandwidth requirements are beyond that....
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
I hope you rent more than a 1U space at the datacenter. You need to put a firewall between ESXi and the web. Then, you connect your ESXi server to the firewall and only receive traffic through it. It could be a secured openVPN server too. Anyway, you know more than I do how to configure a firewall with a remote access.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
Of course, If I just stick a $100 Firewall appliance between my server and the internet, I also lose out on all the nifty management stuff the hosting service is supposed to provide me. And I'd have to worry about the damned thing needing reboots, which seems to be what happens with every SOHO router/firewall product that costs less than a small fortune.

If I build a VM to be a firewall and VPN end point I'll be making much more efficient use of my resources, but that seems like it would be a really clunky configuration to troubleshoot.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,729
Location
Horsens, Denmark
Of course, If I just stick a $100 Firewall appliance between my server and the internet, I also lose out on all the nifty management stuff the hosting service is supposed to provide me. And I'd have to worry about the damned thing needing reboots, which seems to be what happens with every SOHO router/firewall product that costs less than a small fortune.

If I build a VM to be a firewall and VPN end point I'll be making much more efficient use of my resources, but that seems like it would be a really clunky configuration to troubleshoot.

If you end up doing that, let me know how it works. I've been thinking of the same for quite a while, but would want to map a physical NIC directly to that VM for the red interface. Of course, you won't need to worry about that if the only machine inside the firewall is the ESXi box.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
I need to get it done before I put that machine in to production. I found instructions for doing it using a Gentoo Linux instance.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,927
Location
USA
Of course, If I just stick a $100 Firewall appliance between my server and the internet, I also lose out on all the nifty management stuff the hosting service is supposed to provide me. And I'd have to worry about the damned thing needing reboots, which seems to be what happens with every SOHO router/firewall product that costs less than a small fortune.

If I build a VM to be a firewall and VPN end point I'll be making much more efficient use of my resources, but that seems like it would be a really clunky configuration to troubleshoot.

If you end up doing that, let me know how it works. I've been thinking of the same for quite a while, but would want to map a physical NIC directly to that VM for the red interface. Of course, you won't need to worry about that if the only machine inside the firewall is the ESXi box.

I've been thinking about this for a bit and I'm thinking it should be theoretically possibly to get the management port behind a firewall that is a VM. Here is my reasoning to think it's possible:

The "Management Network" is nothing more than a pre-defined (and named) virtual port group which sits on a pre-defined vSwitch which are both generated during the install of ESXi. The Management Network is a special type of Port Group known as a vmkernel type. You can actually move the "Management Network" Port group to a different vSwitch and link the two vSwitches together via the virtual firewall/router. You would give the VM-based router two vNICs. One would be set to the public-facing vSwitch port group and the other to the private-facing vSwitch. Basically putting the physical nic attached to vSwith #1 and no physical nic to vSwitch #2 therefore isolating the "Management Network". It would then be up to you to assign the IP on the VM-based router and open the proper ports etc. to the "Management Network".

vSwitch config example:
vm_config2.jpg

VM properties running smoothwall (or whatever you like) as the firewall/router with two vNics added. You have to make sure you make note of which one is assigned to which port group so that you get the proper public/private orientation.
vm_config.jpg
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,927
Location
USA
You will also want to make sure you setup a policy to automatically boot the firewall/router VM on power on of the ESXi server. You can also use the same VM router for all your other VMs that will do the actual work if you so desire a single implementation of a firewall to manage all the traffic. If you go this route you can then team the two physical nics into the the public-facing vSwitch for added redundancy and performance. This may be a little more complicated because you would then set all the vnic port groups to the private switch and manage the IP addressing through your router. It's obviously not required but could give you more flexibility.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
I'm playing with the setup now using a m0n0wall appliance I found online. vSwitches are something I've never messed and I'm more than a little concerned that I'm going to wind up with a system I can't interact with except from the console.

Thanks for the thorough reply, too!
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,927
Location
USA
I'm playing with the setup now using a m0n0wall appliance I found online. vSwitches are something I've never messed and I'm more than a little concerned that I'm going to wind up with a system I can't interact with except from the console.

Thanks for the thorough reply, too!

Is the machine already deployed in the colocation environment or is it still local? If it is already deployed, things may certainly be a bit trickier to get this working. Once you move the management network off of the vSwitch containing the physical adapter, you will obviously lose connection to the box by both vCenter console and any other kind of connection. Once setup your you'll be at the mercy of the firewall VM for connectivity. vSwitch configuration and stability/reliability are top-grade. Once those are setup you shouldn't have any issues with those, it'll be the underlying OS/software of the VM where you'll have concerns. Same would be true in physical form as you've already expressed concern over.

Think of vSwitches as physical layer 2 switches in virtual form. They actually have a count of ports (which you can increase/decrease) and allow you to set MTU, traffic shaping, and etc. The physical NIC adapters can be connected to any of the vSwitches (or none at all). The vNICs on each VM consume a port on the vSwitch. The port groups allow you to manage the traffic for individual VMs if you use VLANs for example. If your existing network allows you to do VLAN taggin you can manage this on the ESXi level rather than messing about with your physical switches external to the ESXi deployment or rather than requiring you to have one NIC per VLAN. You can create VLAN ID port groups that you would then select when creating/deploying a VM to put it on a proper network/subnet. You also use port groups to isolate traffic like for vmotion if you used this feature or for special cases like the management network to connect the ESXi OS to the network for management.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
I think I've almost got it. I'm working with m0n0wall right now and I can connect via OpenVPN. I had planned to do PPTP but I must be formatting something incorrectly because it won't let me connect with that.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,729
Location
Horsens, Denmark
The power control unit requires the Spider. The only connection to the PCU (besides power in/out) is to the Spider itself. The reboot command is sent from the main control interface.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
DD, put up a pic of her smiling/laughing. Poor thing is not happy as shown. How old is she now? Is she big for her age?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
For what it's worth, I do have a functioning firewalled ESXi setup now. So it is possible. Just a total PITA.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
It's not as hard as I thought it would be. For my server with two physical NICs, I created a third interface (vSwitch). I installed m0n0wall and set it up to use one physical NIC and my pretend one. I put an ESX management IP on the pretend switch, made sure that VMs on the vSwitch being served by my m0n0wall router can access my server through the vSphere client and then moved the external management interface to the unused NIC. In theory the only way I'd be able to get to that one is if I walked over and plugged in a cable.


Setting up PPTP on m0n0wall was a little fussy since I wasn't completely clear whether it had created the proper firewall exceptions but once I sorted that out, everything seemed OK. I also have Hamachi running on my VMs, which gives me another route to vSphere. In practice I don't need to mess with the ESX Server very often so that's more for peace of mind than anything else.
 
Top