幹壞事是進步最大的原動力
AWS 南韓區開第四個 AZ 了,比想像中的快不少:「Now Open – Fourth Availability Zone in the AWS Asia Pacific (Seoul) Region」。
而且不像東京,新客戶只能看到三個 AZ:「Regions and Availability Zones」。
*New customers can access three Availability Zones in Asia Pacific (Tokyo).
雖然台灣過去的 routing 都還是沒改善...
看到 AWS 公佈了大阪區要轉成正式區域的消息:「In the Works – AWS Osaka Local Region Expansion to Full Region」。
大阪區本來是東京區的 local region,主要是提供給東京區的用戶備份以及備援,現在如果變成 full region 的話可以觀察看看 routing,如果從日本西側進骨幹的話,有機會快個 4ms (直線約 400km)?
另外一個是價位不知道會跟東京差多少,畢竟東京週邊的各種物價與地價都算貴的,當然也有可能就全部照日本區的價錢算...
目前喊出來的目標是 2021 年年初會有 3 AZ,也就是標準 region 的架構:
Today, we are excited to announce that, due to high customer demand for additional services in Osaka, the Osaka Local Region will be expanded into a full AWS Region with three Availability Zones by early 2021.
AWS 宣佈 us-west-2 (Oregon) 開 Local Zone,這應該是 AWS 第一次在美國開 Local Zone,上次看到好像是 ap-northeast-1 (Tokyo) 的 Osaka 區:「AWS Now Available from a Local Zone in Los Angeles」。
控制都還是在 us-west-2 的範圍控制,但代碼會是 us-west-2-lax-1a (目前只有一區),之後會開 us-west-2-lax-1b (第二區):
In the fullness of time (as Andy Jassy often says), there could very well be more than one Local Zone in any given geographic area. In 2020, we will open a second one in Los Angeles (us-west-2-lax-1b), and are giving consideration to other locations. We would love to get your advice on locations, so feel free to leave me a comment or two!
剛剛登入進去 VPC 的 Subnets 想要增加看看,沒看到 us-west-2-lax-1a 的選項可以選,看起來還是需要另外申請?
另外算了一下 Oregon (用 Portland 算) 到 Los Angels 的直線距離,大約要 1300km 左右 (比台北到香港還遠不少),光速單趟大約要 6.5ms?這樣對一些應用程式應該是會有感覺...
This Local Zone is designed to provide very low latency (single-digit milliseconds) to applications that are accessed from Los Angeles and other locations in Southern California.
看起來主要還是支援異地的需求...
Amazon S3 有 RRS,提供給那些掉了可以重新產生的資料使用 (像是縮圖);另外也有 IA,提供給不常存取的資料使用。現在推出的這個等級結合了兩者,使得價錢更低:「Amazon S3 Update: New Storage Class and General Availability of S3 Select」。
New S3 One Zone-IA Storage Class – This new storage class is 20% less expensive than the existing Standard-IA storage class. It is designed to be used to store data that does not need the extra level of protection provided by geographic redundancy.
We recently added a fourth Availability Zone to the AWS Asia Pacific (Tokyo) Region - https://t.co/fa1cBkyoWI pic.twitter.com/Y1XQKrBmZo
— Jeff Barr ☁️ (@jeffbarr) April 3, 2018
居然默默地開了第四個 AZ 了... 不過大阪什麼時候要開放啊,以機房成本以及電力成本應該都會比東京低的前提下,不知道公告價錢會不會比較低...
不知道為什麼出現在 browser tab 上,不知道是哪邊看到的... AWS 放出了一份文件,在講 hybrid cloud 環境下當你同時有一般 IDC 機房,而且使用內部 domain 在管理時,網路與 AWS 打通後要怎麼解決 DNS resolver 的問題:「Hybrid Cloud DNS Solutions for Amazon VPC」。
有些東西在官方的說明文件內都寫過,但是是 AWS 的特殊設計,這邊就會重複說明 XDDD
像是這份文件裡提到 Amazon DNS Server 一定會在 VPC 的 base 位置加二 (舉例來說,10.0.0.0/16 的 VPC,Amazon DNS Server 會在 10.0.0.2):
Amazon DNS Server
The Amazon DNS Server in a VPC provides full public DNS resolution, with additional resolution for internal records for the VPC and customer-defined Route 53 private DNS records.4 The AmazonProvidedDNS maps to a DNS server running on a reserved IP address at the base of the VPC network range, plus two. For example, the DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2. For VPCs with multiple CIDR blocks, the DNS server IP address is located in the primary CIDR block.
在官方文件裡,則是在「DHCP Options Sets」這邊提到一樣的事情:
When you create a VPC, we automatically create a set of DHCP options and associate them with the VPC. This set includes two options: domain-name-servers=AmazonProvidedDNS, and domain-name=domain-name-for-your-region. AmazonProvidedDNS is an Amazon DNS server, and this option enables DNS for instances that need to communicate over the VPC's Internet gateway. The string AmazonProvidedDNS maps to a DNS server running on a reserved IP address at the base of the VPC IPv4 network range, plus two. For example, the DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2. For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.
另外也還是有些東西在官方的說明文件內沒看過,像是講到 Elastic Network Interface (ENI) 對 Amazon DNS Server 是有封包數量限制的;這點我沒在官方文件上找到,明顯在量太大的時候會中獎,然後開 Support Ticket 才會發現的啊 XDDD:
Each network interface in an Amazon VPC has a hard limit of 1024 packets that it can send to the Amazon Provided DNS server every second.
Anyway... 這份文件裡面提供三種解法:
都可以考慮看看...
原文是講滲透測試的前置作業,需要將某個特定 domain 下的主機名稱掃出來:「A penetration tester’s guide to sub-domain enumeration」。
最直接的還是 DNS zone transfer (AXFR),如果管理者沒設好 DNS server 的話,這會是最快的方式。當沒有這個方法時就要用各種其他方式來掃了。
看了一下有幾種方式:
site: 指令過濾;用 VirusTotal 列;翻 Certificate Transparency 記錄;透過 ASN 資訊;透過 Forward DNS。應該有人可以提到所有的東西再寫成程式 XD
AWS 的 us-east-1 上次加第五個 AZ 不知道是什麼時候了,找資料找不太到... 這次宣佈加第六個 AZ 進去了:「Sixth AZ in US East (N. Virginia) Region」。
依照 AWS 之前有提出來的架構,所有 AZ 之間都是有互向連接的... 所以 us-east-1 加 AZ 都會比其他區域辛苦不少...
昨天 Amazon EC2 的 Reserved Instance 有了重大的變化:「EC2 Reserved Instance Update – Convertible RIs and Regional Benefit」。
當初 AWS 規劃 RI 的重點在於「保留」而不是「折扣」,所以在整體的規劃上你可以看到都是以「保留」為想法在規劃 (像是購買時要到 region + zone 的層級)。但其實更多人是看中他的「折扣」,所以 AWS 這次乾脆推出了不分區的「折扣」方案 (購買時只指定 region),當然使用者就要規劃成 a 區開不起來就去開 b 區的機器:
Many customers have told us that the discount is more important than the capacity reservation, and that they would be willing to trade it for increased flexibility. Starting today, you can choose to waive the capacity reservation associated with Standard RI, run your instance in any AZ in the Region, and have your RI discount automatically applied.
另外是 RI 之間的轉換,現在可以透過系統直接轉不同 type 的 RI 了:
Convertible RIs give you even more flexibility and offer a significant discount (typically 45% compared to On-Demand). They allow you to change the instance family and other parameters associated with a Reserved Instance at any time. For example, you can convert C3 RIs to C4 RIs to take advantage of a newer instance type, or convert C4 RIs to M4 RIs if your application turns out to need more memory.
不過相較於隔壁的 Google Cloud Engine 的 discount 是完全自動算 (不需要先買 RI 這類的產品) 還是差了不少...
在「How to Download a List of All Registered Domain Names」這邊介紹了 .com、.net 以及 .name 的 zone file 怎麼申請與下載 (由 Verisign 維護的三個 tld)。
另外也介紹了 Centralized Zone Data Service,包括所有的 tld,以及 ICANN 提供的 API。
這樣應該有很多資料可以分析?