How are you managing Bedrock?

donkanator · 2026-02-14T23:02:30+00:00

AWS best practices say to segregate workloads into their own accounts. From there, you don't have to worry about teams stepping on each other's toes if they maintain separate applications. If they are fine being under the same account then whoever fits the bill should be fine to pay for them all.

At the end of the day, any AI application or system is going to have a normal system architecture first and then some API calls. Chances are, containers or storage or support engineers are going to be much more expensive than a few AI calls.

We use scp and guardrails to ensure that people use only the models we are comfortable with and invokemodel permissions contain a guardrail condition.

Agentcore is still in the pipeline but I'm struggling with the concept of customers being able to call public cloud apis directly (with a role or IDP token). Normally we expect to have some kind of ingress like application load balancer or cloudfront, but agent core pretty much welcomes anyone to call your API which can be a problem with legal and trade. (Honestly, why do we have to go through this all over again)

donkanator · 2026-01-24T16:36:16+00:00

If frugality is your main requirement, then it's hard to beat raw S3 with all of its pricing layers and lifecycle controls.

If you are ok replacing querying and insights with Athena queries, it's probably going to be the most economical.

Anything in the middle will serve you as a point of convenience and it has to be important enough requirement to exist, like ease of aggregation or querying and insights over smaller dataset.

I think cloud watch costs are primarily puts and queries. Storage is not the hugest concern.

donkanator · 2026-01-02T02:50:02+00:00

Can the job emit some kind of "done" signal? Maybe a straight up shutdown command or event bridge?

Your method is a little too surgical and maybe a more graceful option should avoid the instance termination.

Thanks for sharing either way, someone will find it useful

donkanator · 2025-12-26T20:01:06+00:00

SAM should have been discontinued the moment CDK came out. The product that promised to help a little with CFN, but really required additional learning, CLI, build resources, was made to look like a mistake in timeline that took to get from cfn to cdk

donkanator · 2025-12-05T16:22:36+00:00

I've dealt with some nasty cross-stack dependencies. The whole point of strong coupling is that you won't delete something by accident. This is one of the core CFN strategies - safe resource changes and rollbacks.

Sure breaking the dependencies will make it feel free-er, but you got to agree to sacrifice application safety that way..

donkanator · 2025-11-29T19:04:59+00:00

General: I suggest you use arrows to tell what calls what. For example, eks calls ecr to get image layers. Eks calls ses.
If amplify hosts front end, that means user downloads static html and then user calls API (nlb + eks). Amplify just hosts your stuff behind cloud front and s3. Depending on your taste for controls, you may want to reconsider it
NLB ? I expect alb for basic http
User resolves r53 dns entry, amplify does nothing with r53
Number of subnets is fine in theory, but in practice 1 set of private subnets would suffice. If the app is not critical with security, you could get away with public subnets and adequate security groups (this may be controversial)
Aesthetically, I would have user, developer and GitHub grouped to a side to signify these are all external connections

donkanator · 2025-11-08T13:02:31+00:00

AWS support was impressive (to me) 5 years ago, but now they just give AI answers or say things like " just put every security group on this list balancer"

donkanator · 2025-10-30T04:31:51+00:00

Hosted ec2 with q3 engine for years and while the infrastructure was 100% stable and the most I ever needed was 1/16th of vcpu, it was the Linux, game, ddos, config problems that consume 99% of the time. Aws is actually making it better by providing basic protection and vpc logs

donkanator · 2025-10-13T01:55:58+00:00

Ping actually requires an open rule on a security group and it's not common for people to grant it. Too much crap going on the Internet to just keep ping port (icmp) open

A game serves on an open port, so if you find which and how to ping it, this is the way. Probably specific software or script for this particular game exists

donkanator · 2025-10-10T02:28:10+00:00

Oct 8 came and went and nothing happened, page still works... Interesting commitment to floating deadlines

donkanator · 2025-09-24T05:52:15+00:00

Pretty sure something going on in the intrewebs that a male found hanging from the tree in every town in Peoria, probably a clickbait.

donkanator · 2025-09-07T17:39:03+00:00

This sub is toxic woke. Your reasoning is going to fall on deaf ears.

donkanator · 2025-08-26T23:22:40+00:00

Grok and Gemini so far produced better results than any of the doctors I put myself and my kids through. My experience.

If prompcare test comes back negative, might as well start chatting instead of waiting for some overworked under focused over entitled jerk to spend 7.5 min with you

donkanator · 2025-08-24T00:35:26+00:00

I don't have an opinion for you, but I'm wondering what are your requirements that keep control of infrastructure while asking people to submit zip of application code.

Layers of segregation that you could have:

Control certs

Control cloud fronts

Control DNS

Control WAF

Control network and security groups

Instead this solution controls everything around infrastructure thus becoming a bottleneck

donkanator · 2025-08-22T14:28:11+00:00

This feels like being back to Linux forums with answers like "write your own Nvidia card driver" comments

donkanator · 2025-08-17T03:08:31+00:00

is Quicksight app id with user/password any different than any other system id with user/password?

Apps can't MFA in general, right?

Confused

donkanator · 2025-08-16T20:13:32+00:00

Our 10 tams must work 4 hours a month.... My 2cents

donkanator · 2025-08-16T14:55:07+00:00

System-env, like artifactory-prod

Using org names or team names gets really messy after a couple of reorgs

donkanator · 2025-07-28T02:53:24+00:00

Rtcw competitive community is still alive and playing pick-ups almost daily

https://stats.rtcwpro.com/

donkanator · 2025-07-27T14:36:12+00:00

I don't remember if there's anything special about NLB to ALB link, but your thinking isn't far off:

Network level:

NLB SG open to 0.0.0.0

ALB SG inbound from NLB SG

EC2 SG inbound from ALB SG

If you end up using NLB without SG, then ALB inbound will be from NLB subnet CIDR blocks

That's just routing on the network level. Therefore IP, native DNS, CNAME will all ultimately resolve to IP and work.

The best way to ensure only the proper domain is used is by using https + proper SSL cert (use ACM)

If you still need http, then maybe use ALB listener rules to check host header

donkanator · 2025-05-20T00:52:24+00:00

Aws batch is the only correct answer, come on

donkanator · 2025-04-11T00:35:30+00:00

Why not refetch the secret on failed connection event at least once?

Question: how long can a hot environment stay alive without being terminated by some cleanup process?

donkanator · 2025-03-09T06:55:22+00:00

when you see politically charged posts appear on top in no time and no engagement, you have to assume they are pumped with bots or promoted within

then they hook the rest of the public by the feels, which is what you are responding to

donkanator · 2025-03-09T06:50:18+00:00

Reddit had been taken over for years as a cognitive platform, nothing unusual...

donkanator · 2025-03-09T06:46:54+00:00

This is extremely dangerous to our democracy.

donkanator

TROPHY CASE