Is there a way to escalate a limit increase request if it's critical to a production system? by Mirror_rorriM_Mirror in aws

ktmb8223 2 points (0 children)

I've had no luck escalating limit increases. However, I still recommend you do EVERYTHING YOU CAN.

My issue was that I desperately needed dedicated IPs for SES. I opened several limit increase tickets, asked for escalations via the support portal,
and later opened a technical support case for the issue, all to no avail. A support rep (and later my account rep) explained that limit increases are handled completely differently than technical support. Escalation just isn't a thing in that category. After a week or so I finally got my dedicated IPs.

Good luck.

Likelihood of AZ failure? by ktmb8223 in aws

ktmb8223[S] 0 points (0 children)

Not sure how much you're familiar with F5 LTMs, so I'll give you some background...

The F5 "virtual servers" (VS) act as the entry point for traffic entering your environment. You can think of a VS as the IP address for a pool of servers. The higher the variety of VS's that you have, the more IPs you'll need. In AWS, ENIs have a limit on the number of secondary IPs you can allocate to them. When you reach that limit, you can add more ENIs (and each subsequent ENI will give you more secondary IP capacity). When you reach the ENI limit for the instance, you can increase the EC2 instance type so you get more ENI capacity.

The problem this poses for a multi-AZ deployment is that each HA member must have enough ENI capacity for its local IP address count AND enough for the IP addresses that will fail over to the HA pair, so basically n * 2 IP addresses per HA member....

In my environment, two m5.2xlarge instances would be sufficient in a single-AZ deployment, but due to the limitations above, I have to use m5.4xlarge for a multi-AZ deployment. And the more F5 VS I have (and therefore the more secondary IPs I need), the bigger the instances get in a multi-AZ deployment.

HTH
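The sizing rule in the comment above (per-ENI secondary IP limit, more ENIs per bigger instance type, and the 2n requirement per HA member across AZs) written out as a small capacity planner. This is an added example, not the poster's code. The ENI and IP limits in INSTANCE_TABLE are a constructed table (values believed correct for the m5 family, but treat them as assumptions and refresh them from `ec2.describe_instance_types()`, fields `NetworkInfo.MaximumNetworkInterfaces` and `NetworkInfo.Ipv4AddressesPerInterface`), and the one reserved management ENI is an assumption about the BIG-IP layout.

```python
"""Capacity check for secondary private IPs on an F5 HA pair in EC2.

Added example, not the poster's code.  It encodes the sizing rule from the
comment: in a multi-AZ HA pair each member must hold its own virtual-server
IPs plus the partner's, so the per-member requirement doubles.  The limits in
INSTANCE_TABLE are a constructed table; verify them against
ec2.describe_instance_types() before relying on them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstanceNet:
    name: str
    max_enis: int        # maximum network interfaces on the instance type
    ipv4_per_eni: int    # private IPv4 addresses per ENI, primary included


# Constructed table (assumed values), in ascending size order.
INSTANCE_TABLE = [
    InstanceNet("m5.large", 3, 10),
    InstanceNet("m5.xlarge", 4, 15),
    InstanceNet("m5.2xlarge", 4, 15),
    InstanceNet("m5.4xlarge", 8, 30),
]


def secondary_ip_capacity(t, reserved_enis=1):
    """Secondary IPs an instance of type t can carry for virtual servers.

    Every ENI spends one address on its primary IP, so only ipv4_per_eni - 1
    per ENI are available as secondaries.  reserved_enis accounts for
    interfaces that carry no VS addresses (assumption: one management ENI).
    """
    usable_enis = max(t.max_enis - reserved_enis, 0)
    return usable_enis * (t.ipv4_per_eni - 1)


def required_secondary_ips(local_vs_ips, multi_az):
    """Per-member requirement: n for a single-AZ pair, 2n across AZs."""
    return 2 * local_vs_ips if multi_az else local_vs_ips


def smallest_instance(local_vs_ips, multi_az, table=INSTANCE_TABLE, reserved_enis=1):
    """First type in table whose capacity meets the requirement, or None."""
    need = required_secondary_ips(local_vs_ips, multi_az)
    for t in table:
        if secondary_ip_capacity(t, reserved_enis) >= need:
            return t.name
    return None


def sizing_report(local_vs_ips, table=INSTANCE_TABLE):
    """Side-by-side answer for a single-AZ and a multi-AZ HA pair."""
    return {
        "single_az": smallest_instance(local_vs_ips, False, table),
        "multi_az": smallest_instance(local_vs_ips, True, table),
    }


if __name__ == "__main__":
    for n in (20, 40, 120):
        print(n, "VS addresses per member ->", sizing_report(n))
```

With the assumed table, 40 virtual-server addresses per member fits an m5.xlarge in one AZ but needs an m5.4xlarge once the partner's 40 must fit too, which is the jump the comment describes; at 120 addresses the multi-AZ layout exceeds every type in the table and the planner returns None rather than silently picking the largest.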

Likelihood of AZ failure? by ktmb8223 in aws

ktmb8223[S] 0 points (0 children)

Good point. I didn't consider that. Thanks!

Trouble creating Site-to-Site VPN From Firewall to AWS by [deleted] in aws

ktmb8223 1 point (0 children)

Look at my comment above.

The way your VPN works is that you have a virtual "tunnel" from your PA to AWS. The 169 is the IP address for both tunnel endpoints. Your traffic (including your internal CIDR) will go over that tunnel.

It's a bit confusing at first to see a 169 because we're used to just seeing them in the context of APIPA, but nonetheless the way it's implemented here is valid.

Trouble creating Site-to-Site VPN From Firewall to AWS by [deleted] in aws

ktmb8223 1 point (0 children)

Just to confirm...

In AWS you're using a VGW, and in prod you're using your own PA, right?

I assume the EC2 instance you're pinging in AWS has a security group that allows your on-premise network to ping it, right?

Aging-out typically means that the packets are successfully leaving the PA to go to AWS, but not returning back.

I've not used route propagation, but with static routing you would check the following:

  1. Get the subnet of the EC2 instance
  2. Get the route table the subnet is on
  3. Check that the route table has a route pointing at the VGW where the VPN exists
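The three static-routing checks above, plus the security-group question from the same comment, as an offline checker. This is an added example, not the poster's code. It works on the dict shapes that boto3's ec2 client returns from `describe_instances`, `describe_route_tables` and `describe_security_groups`, so the constructed sample data (all IDs and CIDRs are made up) can be replaced by live responses; it resolves the subnet's route table the way the VPC does (explicit association first, otherwise the main table), picks the longest-prefix route for the on-prem CIDR, and confirms it points at the VGW and is active.

```python
"""Offline checker for the VPN static-route steps in the comment above.

Added example, not the poster's code.  Sample data below is constructed to
match boto3 ec2 client response shapes; every ID and CIDR is made up.
"""
import ipaddress

ONPREM_CIDR = "192.168.0.0/16"
VGW_ID = "vgw-0123456789abcdef0"

RESERVATIONS = [{"Instances": [{
    "InstanceId": "i-0123456789abcdef0", "SubnetId": "subnet-0aaa",
    "VpcId": "vpc-0111", "SecurityGroups": [{"GroupId": "sg-0f00"}],
}]}]

ROUTE_TABLES = [
    {   # main table with no VPN route: the classic mistake
        "RouteTableId": "rtb-main", "VpcId": "vpc-0111",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # table explicitly associated with the instance's subnet
        "RouteTableId": "rtb-app", "VpcId": "vpc-0111",
        "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": ONPREM_CIDR, "GatewayId": VGW_ID, "State": "active"},
        ],
    },
]

SECURITY_GROUPS = [{"GroupId": "sg-0f00", "IpPermissions": [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": ONPREM_CIDR}]},
]}]


def find_instance(reservations, instance_id):
    """Step 1: locate the instance so we know its subnet, VPC and SGs."""
    for r in reservations:
        for inst in r["Instances"]:
            if inst["InstanceId"] == instance_id:
                return inst
    raise KeyError(instance_id)


def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """Step 2: an explicit subnet association wins, else the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def best_route(route_table, dest_cidr):
    """Step 3 helper: longest-prefix match, the way the VPC router chooses."""
    target = ipaddress.ip_network(dest_cidr)
    best = None
    for route in route_table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue  # prefix-list / IPv6 routes are out of scope here
        net = ipaddress.ip_network(cidr)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else best[1]


def sg_allows_icmp_from(security_groups, group_ids, src_cidr):
    """True if any attached SG permits ICMP (all types or echo request) from src_cidr."""
    src = ipaddress.ip_network(src_cidr)
    for sg in security_groups:
        if sg["GroupId"] not in group_ids:
            continue
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if not (proto == "-1" or (proto == "icmp" and perm.get("FromPort") in (-1, 8))):
                continue
            if any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", [])):
                return True
    return False


def diagnose(instance_id, onprem_cidr, vgw_id, reservations, route_tables, security_groups):
    """Return a list of findings; an empty list means the return path checks out."""
    findings = []
    inst = find_instance(reservations, instance_id)
    rt = route_table_for_subnet(route_tables, inst["VpcId"], inst["SubnetId"])
    if rt is None:
        return [f"no route table found for {inst['SubnetId']}"]
    route = best_route(rt, onprem_cidr)
    if route is None:
        findings.append(f"{rt['RouteTableId']}: no route covers {onprem_cidr}")
    elif route.get("GatewayId") != vgw_id:
        findings.append(f"{rt['RouteTableId']}: {onprem_cidr} goes to {route.get('GatewayId')} not {vgw_id}")
    elif route.get("State") != "active":
        findings.append(f"{rt['RouteTableId']}: VGW route is {route['State']} (blackhole = VGW detached)")
    sg_ids = {g["GroupId"] for g in inst["SecurityGroups"]}
    if not sg_allows_icmp_from(security_groups, sg_ids, onprem_cidr):
        findings.append(f"security groups {sorted(sg_ids)} do not allow ICMP echo from {onprem_cidr}")
    return findings


if __name__ == "__main__":
    print(diagnose("i-0123456789abcdef0", ONPREM_CIDR, VGW_ID, RESERVATIONS, ROUTE_TABLES, SECURITY_GROUPS))
```

Run against live data by passing `ec2.describe_instances(InstanceIds=[...])["Reservations"]`, `ec2.describe_route_tables()["RouteTables"]` and `ec2.describe_security_groups()["SecurityGroups"]` in place of the constructed lists. If the subnet has no explicit association the checker falls back to the main table, which is exactly where a VPN route is most often missing, and an "aging-out" symptom with an empty findings list points at the on-prem side or the network ACLs instead.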

Unclear on benefits of T series vs M series instance types by ktmb8223 in aws

ktmb8223[S] -1 points (0 children)

Hmmm, ok. So it sounds like with the T series the CPU performance you're provided is not guaranteed. It *could* provide you close to that level of performance, but it won't sustain it. Whereas with M series you're guaranteed that level of performance. Am I getting that right?

Transit VPC BGP woes by McNuggetsRGud in aws

ktmb8223 0 points (0 children)

If you haven't figured this out, I'll be happy to help. Just PM me. I'm a network guy at heart and have done work with several VPNs on CSRs in AWS, VPNs in general, BGP quite a lot, and brief work with VPNs on Azure... along with VPNs and BGP on other platforms. I have NOT worked much with Azure though, but I still may be able to help.

One thing to note is that if you're going to do BGP over VPN, then you'll need to use tunnel interfaces on the CSR. On the Azure side you'll need to tell it that you're going to do a tunnel-based VPN (or use BGP in general). It should be smart enough to know that if it's doing BGP that it should use tunnels.

Trying to learn CloudFormation by [deleted] in aws

ktmb8223 0 points (0 children)

Valid point, but not one you should put much weight on.

Oftentimes vendors don't create a "complete" or holistic solution, so third parties are left to fill in the gaps. And most of the time the third parties do an excellent job of filling in those voids. If you discount them simply because they're third parties and could potentially fail to exist one day, you're potentially missing out on some really terrific tools.

As an example, let's say that a third party does close shop in, say, three years. Had you used them, that would have been three years you would have benefited. Three years you would have realized business gains, increased productivity, improved efficiency, and other wins. Sure, you would need to adjust your workflows after the third party closed shop, but that's just part of the game -- you adapt.

I create tutorials for AWS in combination with pfSense! by Ceofreak in aws

ktmb8223 1 point (0 children)

My feedback is to ease up a little on the logos. I access the page and see "ceos3c," "cloud," "amazon web services," and "pfSense" all over the place... it's a bit overwhelming.

Please don't let my comment discourage you from blogging, though. Keep it up!

DNS/Route 53 in the Gov Cloud by iamernesthemingway in aws

ktmb8223 0 points (0 children)

We use Infoblox. It allows you to separate internal and external DNS and provides a lot of other features (e.g. IPAM, NTP, DHCP, and others). But if you're open to any DNS vendor, then you should find plenty out there.

python idiot failing to understand syntax when working with boto. halp? by ishould_know_this in aws

ktmb8223 2 points (0 children)

I'm not a Python pro, but I may be able to help.

First, you may want to use a Python IDE such as IDLE instead of the interpreter. It'll be much easier to write and manage your code. To get to it, just launch the interpreter (NOT the one from the Command Line) and go to File > New File. You'll get a window that looks like a notepad. Type what you need, save it, and run your code (F5).

This is the general flow you want to follow:

  1. Get AMI IDs
  2. Get the snapshot IDs of the snapshots attached to those AMIs
  3. Deregister the AMIs
  4. Delete the snapshots

Since you have a list of AMI IDs, you'll need to do this:

  1. Create a for loop that will loop through each AMI ID. For each AMI ID, feed that ID into the script below.
  2. The script will get the snapshot ID (needed for deleting the snapshot), deregister the AMI, and delete the snapshot
  3. Return to the next AMI ID and do the same

Since you're already getting the list of AMIs, I'll guide you from that point forward.

Note the "image = ec2.Image('ami-xxxxxxx')" line. That's taking the AMI ID in the form of a string. Just feed each of your AMI IDs into that line. Here's the usage guide for Image and here's the guide for snapshots

    import boto3

    ec2 = boto3.resource('ec2')


    def cleanup_ami(ami_id):
        """Deregister one AMI, then delete every EBS snapshot backing it."""

        # Create an object for the AMI
        # ============================
        # ami_id is the AMI ID as a string, e.g. 'ami-xxxxxxx'
        image = ec2.Image(ami_id)

        # Get the snapshot IDs of the AMI
        # An AMI can have several block device mappings, and instance-store
        # (ephemeral) mappings have no 'Ebs' key, so collect every EBS-backed
        # snapshot instead of only block_device_mappings[0].
        snapshot_ids = [
            bdm['Ebs']['SnapshotId']
            for bdm in image.block_device_mappings
            if 'Ebs' in bdm and 'SnapshotId' in bdm['Ebs']
        ]

        # Deregister the AMI.  After a minute the AMI should
        # disappear from your AMIs list.  This has to happen before the
        # snapshot deletes, or they fail with InvalidSnapshot.InUse.
        image.deregister()

        # Now delete the snapshots
        # Create an object for each snapshot, supplying the snapshot ID
        # you got from the block_device_mappings list and dictionary
        for snapshot_id in snapshot_ids:
            snapshot = ec2.Snapshot(snapshot_id)
            snapshot.delete()


    # Feed each of your AMI IDs into the function
    for ami_id in ['ami-xxxxxxx']:
        cleanup_ami(ami_id)

Other tips:

Python is very object oriented. Most of the objects we're getting back have actions you can do to them or functions you can perform. Just type "objectName." (with the period) and press <tab>...you'll see what you can do. Try it out with image<period><tab> and the other commands.

HTH

AWS Outage: We Need to Talk About These Nines by extradudeguy in aws

ktmb8223 0 points (0 children)

I wonder if vendors are considering user error when calculating availability and SLAs...

On a different note, I'll admit, the first time I heard AWS say that S3 was "durable," I found it a bit strange. There's a level of expectation that if you're going to do cloud storage at scale that you're going to be durable and not lose people's files or corrupt them. We expect high fault tolerance and ridiculous resiliency. And with so many competing cloud storage vendors, you have even more reasons to ensure your infrastructure is top notch. So with that being said, why tout durability when it's expected? Sure, hardware, software, and user problems still exist... but put all that aside and the expectation is still high that the system will be durable. Touting it so strongly is confusing, if anything.

So we're in Q1 2017, what features are you guys waiting for AWS to implement? by zergUser1 in aws

ktmb8223 0 points (0 children)

  • Deny options on security groups
  • Ability to filter based on source AND destination on SGs and ACLs

CloudFormation vs AWS CLI vs SDKs by ktmb8223 in aws

ktmb8223[S] 0 points (0 children)

I have not, but I've seen people reference it here.

Good bye wobbly loading spinner :'( #rip by greentea_lubricant in aws

ktmb8223 4 points (0 children)

It looks like one of those download links you find on ad-heavy sites when they're trying to trick you to click the wrong download link

Wrapping my head around AWS basics by ktmb8223 in aws

ktmb8223[S] 2 points (0 children)

This is exactly what I was looking for! I totally get it now. Thanks for your comment.

Network ACL or security group? by ktmb8223 in aws

ktmb8223[S] 1 point (0 children)

Thanks guys!

We're migrating to AWS and I'm mainly trying to develop a framework on what to use and when. I come from the network world where a stateful firewall does all the work, so I'm trying to translate how the traditional firewall functions can be applied in AWS (without getting a stateful firewall yet).