by mrweasel 2071 days ago
I would guess around half. We've bought brand new Cisco gear, which for some unholy reason didn't support IPv6. We've worked with vendors who told us that they've been supporting IPv6 for years, a decade even, but try to enable it, and you'll see that no one actually ever used it, and it doesn't work.

Amazon could perhaps do with fewer IPv4 addresses, if people didn't misuse them. I work with a client who has a public IPv4 address associated with every single EC2 instance they have, despite only 5% of them having public-facing services. They just got in the habit of assigning a public IP, I guess.


I do the same thing. Without IPv4 for an EC2 instance, your options are:

- No outbound internet access

- IPv6-only outbound internet access

- NAT, for an additional monthly and per-GB fee

Given you can assign a public IPv4 address at no additional cost and have everything just work, there's little reason not to have one.

So you have everything in a public subnet? That's asking for trouble.

Sure, if you have a tiny deployment you may not care (and the NAT fees may be a significant portion of that).

At some point, the NAT fees are noise - it amounts to ~ a dollar per day in us-west-2. Data processing charge is $0.045

It becomes way more valuable to assure IT security, regulators and auditors that no, no inbound connections are allowed no matter what anyone does with the security group rules.

Also note that the AWS managed NAT gateways haven't been there forever. The option, before they were available, was to use one or more of your instances to NAT traffic. That's still available and could be an alternative, while reducing your potential footprint.
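An added example (not from this thread) of the audit the comments above argue for: flag instances that carry a public IPv4 address without hosting a public-facing service, and instances whose public IP is combined with a world-open security-group ingress rule. The instance records are constructed inline in a simplified shape; in practice they would be built from EC2 describe-instances and describe-security-groups output.

```python
from ipaddress import ip_network

# Constructed sample data in a simplified shape (not real AWS output):
# each record carries the instance id, its public IP (if any), whether the
# owner intends it to serve public traffic, and its security-group ingress.
INSTANCES = [
    {"id": "i-web01", "public_ip": "203.0.113.10", "public_facing": True,
     "ingress": [("tcp", 443, "0.0.0.0/0")]},
    {"id": "i-batch07", "public_ip": "203.0.113.11", "public_facing": False,
     "ingress": [("tcp", 22, "0.0.0.0/0")]},
    {"id": "i-db03", "public_ip": None, "public_facing": False,
     "ingress": [("tcp", 5432, "10.0.0.0/16")]},
    {"id": "i-batch08", "public_ip": "203.0.113.12", "public_facing": False,
     "ingress": [("tcp", 22, "10.0.0.0/16")]},
]


def is_world_open(cidr):
    """True if the CIDR is the whole IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    return ip_network(cidr).prefixlen == 0


def audit(instances):
    """Return (instance id, finding) pairs.

    'unneeded-public-ip': the instance has a public IP but is not meant to be
    public-facing, so the address is cost and exposure for no benefit.
    'world-reachable:<proto>/<port>': a public IP plus an ingress rule open to
    the whole internet, i.e. the instance is directly reachable from anywhere.
    """
    findings = []
    for inst in instances:
        if inst["public_ip"] is None:
            continue  # no public address: nothing reachable from outside
        if not inst["public_facing"]:
            findings.append((inst["id"], "unneeded-public-ip"))
        for proto, port, cidr in inst["ingress"]:
            if is_world_open(cidr):
                findings.append((inst["id"], f"world-reachable:{proto}/{port}"))
    return findings


if __name__ == "__main__":
    for instance_id, finding in audit(INSTANCES):
        print(f"{instance_id}: {finding}")
```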

Why shouldn't someone assign a public IPv4 address to a server? The whole NAT game is just that, a game.

Also, NAT gateways cost money in AWS, so much that it is a running joke:

https://twitter.com/QuinnyPig/status/1294047698560012289

https://twitter.com/QuinnyPig/status/1293366642567651330

NAT doesn't add any additional security. Security Groups are fantastic at allowing you to define your ingress/egress between instances and protecting them from harm.

All my instances get an IPv4 address and an IPv6 address by default so that there is parity. The fact that the IPv4 address still goes through some sort of NAT on AWS's side (1:1 but still NAT) kind of bothers me.

> The fact that the IPv4 address still goes through some sort of NAT on AWS's side (1:1 but still NAT) kind of bothers me.

Why does that bother you?

Cause all my services bind to a private IP on the inside. I don't see the real IP that it is receiving traffic on.

Also, if I have multiple IPs with EIPs attached so I can host multiple services (with unique IPs), I have to write automation to make sure I bind the service to the right internal private IP for the appropriate external IP address. It'd be much better if the IP address were routed directly to my EC2 instance.

> I have to write automation to make sure I bind the service to the right internal private IP for the appropriate external IP address.

Isn't that done in a more straightforward fashion by AWS load balancers? AWS load balancer IPs and ports on one side, listeners on the other side talking to your instances; if the instances are also in auto-scaling groups, there's zero automation needed after you set this up.