It can also serve as a security checklist, since all the HTTP header security settings are listed there.
Unlike GitHub's other engineering posts, though, this one reads more like a PR piece; in short, they paid for Akamai Prolexic's scrubbing service to solve it... Akamai's side of the PR piece is at 「Memcached-fueled 1.3 Tbps attacks - The Akamai Blog」.
The problem was detected at 17:21 UTC and judged to exceed 100Gbps, so at 17:26 they decided to let Akamai Prolexic take over filtering:
At 17:21 UTC our network monitoring system detected an anomaly in the ratio of ingress to egress traffic and notified the on-call engineer and others in our chat system. This graph shows inbound versus outbound throughput over transit links:
Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai. Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge.
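A minimal version of the ingress-to-egress ratio check described above, as an added example (not GitHub's own monitoring code): the baseline window, the 2x deviation factor and the counter readings are constructed, and the 100 Gbps hand-off threshold is taken from the incident narrative.

```python
"""Ingress/egress ratio anomaly detector, modelled on the write-up above.

Added example, not GitHub's monitoring code. The baseline window, the 2x
deviation factor and the counter values are constructed for illustration;
the 100 Gbps hand-off trigger is the figure from the incident narrative.
"""
from dataclasses import dataclass
from statistics import median

GBPS = 1_000_000_000  # bits per second in one Gbps


@dataclass(frozen=True)
class Sample:
    ts: str            # UTC timestamp of the counter reading
    ingress_bps: float
    egress_bps: float


def ratio(s: Sample) -> float:
    """Ingress-to-egress ratio; guard against a zero egress reading."""
    return s.ingress_bps / max(s.egress_bps, 1.0)


def baseline_ratio(history: list[Sample]) -> float:
    """Median ratio over a quiet window; the median resists a few spiky samples."""
    return median(ratio(s) for s in history)


def classify(s: Sample, base: float, deviation: float = 2.0,
             handoff_gbps: float = 100.0) -> str:
    """Return 'ok', 'anomaly' (ratio far above baseline, i.e. inbound-heavy),
    or 'handoff' (anomaly AND inbound transit above the scrubbing trigger)."""
    r = ratio(s)
    if r < base * deviation:
        return "ok"
    if s.ingress_bps >= handoff_gbps * GBPS:
        return "handoff"
    return "anomaly"


# Constructed readings: normal serving traffic is egress-heavy (ratio well
# below 1); a volumetric flood inverts the ratio and then crosses 100 Gbps.
HISTORY = [Sample("17:00", 20 * GBPS, 80 * GBPS), Sample("17:05", 22 * GBPS, 85 * GBPS),
           Sample("17:10", 18 * GBPS, 75 * GBPS)]
LIVE = [Sample("17:15", 21 * GBPS, 80 * GBPS),
        Sample("17:20", 60 * GBPS, 80 * GBPS),
        Sample("17:21", 130 * GBPS, 80 * GBPS)]


def run(history=HISTORY, live=LIVE) -> list:
    """Classify each live sample against the baseline learnt from history."""
    base = baseline_ratio(history)
    return [(s.ts, classify(s, base)) for s in live]


if __name__ == "__main__":
    for ts, verdict in run():
        print(ts, verdict)  # 17:15 ok / 17:20 anomaly / 17:21 handoff
```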
That's all there is to it, pure PR copy XDDD
Seen in 「Italian Anti-Corruption Authority (ANAC) Adopts Onion Services」: the Italian government is required by law to protect whistleblowers, and not only at the stage where they have to provide their identity:
Many national laws (such as Italian Dlgs. 231/2001) require companies to adopt corporate governance structures and risk prevention systems, which can include allowing whistleblowing submissions. However, most whistleblowing laws only protect whistleblowers when their identity is disclosed, which can put the person reporting corruption at risk.
In 2016, the International Standards Organization (ISO) released a new model for organizations setting up and operating anti-bribery management systems, ISO 37001:2016. To meet ISO standards, organizations or companies implementing anti-corruption procedures must allow anonymous reporting, as explicitly indicated in point 8.9 of section C of ISO 37001:2016.
Furthermore, national laws (such as recent Italian 179/2017) require the adoption of IT systems for whistleblowing, leading to the practical integration and use of Tor for its technological anonymity features.
And the Italian government's system chose Tor Onion Services (Hidden Services) to receive reports:
To comply with these standards, the Italian Anti-Corruption Authority (ANAC), an administrative watchdog, just launched their national online whistleblowing platform using onion services, giving whistleblowers who come forward a secure way to report illegal activity while protecting their identities.
This relies on the hidden service property that the server side cannot learn the client's location at all. With a sufficiently protected browser (such as Tor Browser), the server side has no way to learn the reporter's identity, so even if the government's servers were all compromised, nobody could tell who the whistleblower is.
The PostgreSQL-compatible edition of Amazon Aurora is now available in 10 regions. With the addition of the AWS Asia Pacific (Tokyo) region, you have a new option for database placement, availability, and scalability.
The Region Table hasn't been updated yet, though; Tokyo is not ticked in the Asia section. It should be updated in a few days...
Amazon Route 53's Auto Naming API can be used for service discovery (see the earlier post 「用 Amazon Route 53 做 Service Discovery」); at the time it was
now CNAME as well: 「Amazon Route 53 Auto Naming Announces Support for CNAME Record Type and Alias to ELB」.
Beginning today, you can use the Amazon Route 53 Auto Naming APIs to create CNAME records when you register instances of your microservices, and your microservices can discover the CNAMEs by querying DNS for the service name. Additionally, you can use the Amazon Route 53 Auto Naming APIs to create Route 53 alias records that route traffic to Amazon Elastic Load Balancers (ELBs).
When it was announced last year, you had to apply for a chance to use it, essentially a private beta. Now it is open for everyone to play with (Open Beta) and help test: 「Cloudflare Workers is now on Open Beta」.
Cloudflare Workers are modeled on the Service Workers available in modern web browsers, and use the same API whenever possible.
Cloudflare Workers are free for now; it looks like they will use the usage volume and patterns from this period to work out how to design the pricing:
Cloudflare Workers is completely free during the open beta. We do intend on charging for Workers, but we will notify you of our plans at least thirty days before any changes are made.
AWS's Jeff Barr announced that the bandwidth of EC2 instances with ENA has been raised to 25Gbps: 「The Floodgates Are Open – Increased Network Bandwidth for EC2 Instances」.
There are three cases. The first is the bandwidth increase to S3:
EC2 to S3 – Traffic to and from Amazon Simple Storage Service (S3) can now take advantage of up to 25 Gbps of bandwidth. Previously, traffic of this type had access to 5 Gbps of bandwidth. This will be of benefit to applications that access large amounts of data in S3 or that make use of S3 for backup and restore.
The second is EC2 to EC2 (on the internal network):
EC2 to EC2 – Traffic to and from EC2 instances in the same or different Availability Zones within a region can now take advantage of up to 5 Gbps of bandwidth for single-flow traffic, or 25 Gbps of bandwidth for multi-flow traffic (a flow represents a single, point-to-point network connection) by using private IPv4 or IPv6 addresses, as described here.
The third is also EC2 to EC2, but within the same Cluster Placement Group:
EC2 to EC2 (Cluster Placement Group) – Traffic to and from EC2 instances within a cluster placement group can continue to take advantage of up to 10 Gbps of lower-latency bandwidth for single-flow traffic, or 25 Gbps of lower-latency bandwidth for multi-flow traffic.
These are the ENA-enabled ones; I don't see CentOS?
ENA-enabled AMIs are available for Amazon Linux, Ubuntu 14.04 & 16.04, RHEL 7.4, SLES 12, and Windows Server (2008 R2, 2012, 2012 R2, and 2016). The FreeBSD AMI in AWS Marketplace is also ENA-enabled, as is VMware Cloud on AWS.
PCI DSS, which you need whenever you handle credit card numbers, now covers a truckload more services on AWS: 「AWS Adds 16 More Services to Its PCI DSS Compliance Program」.
- Amazon Inspector
- Amazon Macie
- Amazon QuickSight
- Amazon S3 Transfer Acceleration
- Amazon SageMaker
- Amazon Simple Notification Service
- AWS Batch
- AWS CodeBuild
- AWS Lambda@Edge
- AWS Shield
- AWS Snowball
- AWS Snowball Edge
- AWS Snowmobile
- AWS Systems Manager
- AWS X-Ray
The use that immediately comes to mind is a traffic spike: if you did R/W split (read/write separation) from the start, you can simply throw money at it. The official example, however, is reducing downtime when migrating from RDS to Aurora, which is a bit odd...:
You can now create an Amazon Aurora PostgreSQL read replica for an Amazon RDS for PostgreSQL instance, allowing you to continuously replicate to Amazon Aurora PostgreSQL. This helps you minimize downtime when migrating a live workload from Amazon RDS for PostgreSQL to Amazon Aurora PostgreSQL, by keeping the instances in sync until you're ready to move your applications and users to Amazon Aurora PostgreSQL.
So this is part of gradually filling in the features: the general features that Amazon Aurora (MySQL) already has get implemented here first...
AWS Key Management Service announced support for AWS PrivateLink endpoints: 「How to Connect Directly to AWS Key Management Service from Amazon VPC by Using an AWS PrivateLink Endpoint」. Previously, access required internet traffic (through NAT, a proxy or similar); now it can be reached directly from inside the VPC:
Previously, applications running inside a VPC required internet access to connect to AWS KMS. This meant managing internet connectivity through internet gateways, Network Address Translation (NAT) devices, or firewall proxies.
With support for Amazon VPC endpoints, you can now keep all traffic between your VPC and AWS KMS within the AWS network and avoid management of internet connectivity.
KMS needing internet access was one of the more painful points when designing architectures before; now there is finally a way to reduce that pain...