From The Expert Feature Article
November 19, 2014

Amazon's 1 Million Lemmings


WARNING: This whole article is my opinion. The point is to ruffle your feathers enough to make you go out and ask the relevant questions - trust no one and find out the facts for yourself. Otherwise, you might just be a human Lemming, doing “business as usual” and following the rest of humanity off the cliff. Oh, and if Amazon (or anyone else) can supply facts, I’m more than happy to publish those and change my opinion. Only until the light is shone, do the shadows fade.

No One Ever Gets Fired For Ordering AT&T AWS (yet)

Amazon Web Services (AWS) just completed its re:Invent annual gathering of customers, vendors, and the overtly curious on November 10-14, 2014 in Las Vegas. There were over 13,500 in attendance, and at least that many watching remotely, as Amazon produced a lot of online content available as iTunes podcasts, presentations on SlideShare.net, and even an app for your Apple (News - Alert) or Android phone.

During the event, Amazon announced it has over 1,000,000 customers in over 63 countries. With these kinds of numbers, it’s somewhat understandable why the mass majority of consumers don’t ask any relevant questions about how this cloud giant delivers its wares. The few who do are met with the all too common Amazon answer: “I’m sorry, but there’s no publicly available information about that.” This is often ameliorated by, “But there’s 11x9s of availability” or some other number that you are supposed to apparently take on faith alone. This begs the question: What exactly is Amazon going to “re:Invent”?  Their datacenter infrastructure, or a new list of marketing answers to keep the human Lemmings at bay?

Are You A Lemming?

Wikipedia defines a lemming as “small rodents, usually found in or near the Arctic, in tundra biomes.”  More on point with this article, the urban dictionary defines a lemming as: “A member of a crowd with no originality or voice of his own. One who speaks or repeats only what he has been told.  So, when Amazon tells you how many 9s they have, do you gulp/swallow or do you ask questions and make them PROVE IT? Most people go the Lemming route and just believe it.

This prompted the now famous Apple 1985 Super Bowl commercial:

http://www.youtube.com/watch?v=V-SJQdREDKM

To the soundtrack of a whistled, discordant and down-tempo version of "Heigh-Ho", a long line of blindfolded businesspersons slowly makes its way through a dusty, windswept landscape to a cliff, where one by one they fall to their doom. A voiceover notes that the "Macintosh Office" will soon be announced. The last businessperson in the line stops just at the brink, uncovers his eyes, and takes in the situation, as the announcer states, "You can look into it". A second line of people is then shown, as the announcer continues, "Or you can go on with business as usual".

And even a video game: http://en.wikipedia.org/wiki/Lemmings_(video_game)!

Does anyone really care about blood diamonds? Non-genetically altered food? A solid datacenter infrastructure to run all that software in the cloud? Or do we turn a blind eye because we either don’t care or are just too naive?

Steve Jobs (News - Alert) once said: “When you're young, you look at television and think, ‘There's a conspiracy.’ The networks have conspired to dumb us down. But when you get a little older, you realize that's not true. The networks are in business to give people exactly what they want. That's a far more depressing thought. Conspiracy is optimistic! You can shoot the bastards! We can have a revolution! But the networks are really in business to give people what they want. It's the truth.”

I think Steve could have just as easily said this about CLOUD!

My opinion: the c-suite at your Fortune 500 has determined that AWS is revolutionary so the 10,000 foot answer is King and you are stuck in a cloud that leaves serious questions as to what it runs on and where. Yet with a few appeasing buzz words like “11 x 9s of availability” or “you can survive two site failures” and “availability zones” we are somehow lulled into believe it’ll all be OK. Think twice!

10 Shocking Basic Questions You Must Ask ANY Cloud Service Provider (CSP (News - Alert))

  1. Do you run your own datacenters? Where are they? Can I get a tour?
    1. Don’t be surprised if the answer ranges from a big fat NO to “I’m sorry, but there’s no public information about that”, followed by a quick tap dance to the next feature and someone blurting out a zillion 9s of availability, guards, security cameras, and regulatory compliance. Really? PROVE IT.
  2. Do you use physical firewalls? Are your firewalls multi-tenant?
    1. It looks to me like AWS is using physical firewalls with an API to their cloud orchestration software which passes the ACL info down from the user-created “security groups” applied to Virtual Machines (VMs). Anyone knows that a physical firewall is great if you’re partying like its 1999, but in modern times, a virtual firewall can scale up to thwart even the most robust DDoS and other types of attacks, whereas a fixed physical firewall hits its limits sooner or later and chokes. So for all this cloud nonsense, if you don’t have a virtual firewall AND it’s dedicated to YOU alone, then where’s the scale? Where’s the security?  You can claim as many 9s as you want, but I’d turn that 9 upside down to a 6 if you can’t get hard evidence that makes you believe it.
  3. How many copies do you keep of S3 objects?
    1. Don’t tell us about 11 x 9s of availability.
    2. Don’t tell us about multi-site failure odds of survival with the beloved Availability Zone (“AZ”).
    3. Tell us how many copies you keep and where; we can do the math and decide if S3 is for us or not.
  4. Do you take system level snapshots or only user level?
    1. Without system level snapshots you can get permanently cut off from ALL the resources you put into the cloud.  How?
      1. If a hacker breaks into your account and deletes all your images and your snapshots (often used as backups), which happened to other AWS customers, then you are potentially OUT OF BUSINESS FOR GOOD.
      2. If you lose your encryption keys with Amazon’s new Key Management System (“KMS”).
      3. If cryptolocker encrypts all your storage for you and holds it ransom.
    2. Find a CSP provider who does system level snapshots; for example, dinCloud does 1xday for 10xdays FREE.
  5. Does your network offer 10gbps min? Low latency?
    1. 10gbps is not the minimum, rather it’s the exception, or even maximum, at most clouds. In fact, most clouds are 1gbps or LESS, or like Azure, cap you at 2gbps for the entire cumulative virtual subnet. Put 50 servers on there and do the math! Ouch! AWS uses “placement groups” because otherwise your VMs may be spread out all over the AZ leading to poor network latency between them.
    2. These two factors and more can mean you cannot scale up, only out and perhaps poorly at that! For example, dinCloud offers 10gbps minimum up to 40gbps networking and guarantees low latency end-to-end in each availability zone. 
  6. Can I scale UP or only OUT?
    1. AWS seems quite proud of the fruit mix of servers they have: CPU, memory, storage, network, GPU, etc. “optimized”. Um, what if you want ALL OF THE ABOVE?  This hodge podge of servers is also why if you specify “placement groups” with AWS they all have to be relatively the same “size” of VM (small, medium, large, whatever).
  7. Do you charge data transfer fees in/out? For virtual desktops? For DDoS?
    1. Amazon typically lures you “in” for FREE but every packet that goes in must come out with, at the very minimum, an “ack” packet. Networking 101, but if you’re a Lemming, you think, “Wow free inbound, yay!”. Who wants a variable bill every month? Flat fee is King. Say NO to data transfer fees.
    2. The problem above is even worse when every click you make on your Amazon Workspaces (virtual desktop) is a pay-to-pay experience. No joke!
    3. If you’re being attacked, does that mean that your bill is going up with the network traffic being maliciously aimed at you? Not only is your environment running slower, but to add insult to injury, are you getting charged extra for this? You better ask!
    4. Isn’t Amazon Workspaces just VMware View with lipstick?  I think so!  Try surfing YouTube videos or Netflix with that. The fact is, the more servers you put into the cloud, more the desktops you’re eventually going to need.
    5. Find a provider that has no data transfer fees of ANY kind, and flat rate pricing only.
  8. What are my connectivity options? VPN? MPLS? DIRECT CONNECT? Routing protocols?
    1. Almost every cloud offers FREE VPN connectivity. But, with data transfer fees, this is a real drag so it’s only FREE if you’re on dinCloud, not AWS, Azure or anyone else charging FEES.
    2. MPLS and DIRECT CONNECT options are great; but not when you’re limited to 100 network prefixes or don’t know what the heck you’re plugging into at the other end or how the architecture is keeping you isolated/separate from other customers. I personally would NOT TRUST any CSP who REFUSES TO GIVE YOU DETAILS!
    3. If you’re going to get connected, what routing protocols are you allowed to run between your on-premises and cloud infrastructure?  If NONE then look somewhere else! Otherwise you will have a poorly routed infrastructure or will always be updating the “interesting networks” at both VPN ends (very administratively prohibitive).
    4. Find a CSP that offers VPN, MPLS, and DIRECT CONNECT transports with NO data transfer fees and a wide range of  routing protocols across them so you DON’T have to constantly update static network entries for a dynamically changing infrastructure.
  9. What security controls are ON (News - Alert) by DEFAULT?
    1. AWS offers encryption, multi-factor authentication, etc., but doesn’t offer them by default. Why? Performance impact? No one cares if your neighbor is insecure in a multi-tenant cloud?
    2. Find a CSP that encrypts all data in flight and at rest plus enforces multi-factor authentication for ALL customers by DEFAULT. At dinCloud, we also offer IP reputation filtering and system level snapshots for FREE by DEFAULT for all availability zones, all customers, all the time (24x7x365 worldwide).
  10.  Do you have certified engineers or just a lot of people calling themselves “architects”?
    1. Too many competitors have teenagers giving energy-drink fueled support or geniuses calling themselves “cloud architects” who don’t have any better clue what gear or underlying infrastructure is running the Land of Oz or who the Wizard is than you do. Find a CSP who has certified Microsoft and Linux engineers and individuals with Cisco (News - Alert) CCIEs, storage experts, etc.

Takeaways

Ask the basic questions and find out if your CSP has an underlying datacenter infrastructure to support their lofty claims. Trust, but verify.  Otherwise, the fog in cloud is lifting and you’ll be the first victim tossed out the door to the unemployment line as the truth continues to leak out and then your peers within the company want to know why you never did your due diligence. 

Ignorance has never been a defense, even in the law and certainly not in the cloud. I’m not saying that Amazon doesn’t have some cool software features but you are better off with a multi-cloud strategy than an all-eggs-in-one-basket, particularly when you haven’t even asked any questions about the basket your eggs are in.

So, unless you want your head in the basket, act now!

Yours truly, Dr. Cloud




Edited by Maurice Nagle




Comments powered by Disqus