by ramshanker 1800 days ago
If it's not possible to cap the price, starting with a capacity limiter on S3 and a bandwidth limit at the VPC level would do.

The possibility that someone floods the server, even for static resources, causing a bandwidth-spiked bill is scary.


> The possibility that someone floods the server, even for static resources, causing a bandwidth-spiked bill is scary.

Genuinely curious, is this just a side-effect of the cloud craze or did DDoS attacks become so powerful that old-school approaches of appropriately-sized bare-metal infrastructure with finite but unmetered bandwidth are no longer viable?

The way I see it, you can provision enough unmetered bandwidth to cover your typical load + a safety margin at a flat rate per month, and worst case scenario if the attack is big enough you merely get downtime (allowing you to re-evaluate the situation and decide whether to throw more bandwidth at the problem or purchase attack mitigation services) instead of an infinite bill?

My current ISP gives me 1Gbps unmetered. Worst case scenario, the connection is saturated, but at no point will the ISP come to me and ask for extra money.

You could still run many systems just fine on private infrastructure with at most a business-class Internet connection to your office or a colo bill for putting your servers somewhere more central. This didn't magically stop working just because someone got paid a lot of money to do PR for cloud services. By the time you take into account the financial costs and inherent risks of cloud hosting, maybe more things should still run that way than actually do.

The practical problem today is that cloud now has so much mindshare, justified or otherwise, that the ecosystem around private hosting is diminished. Finding good people with the required admin skills, good sources of equipment, even good software to run local versions of automation we take for granted in the cloud, can be harder than it used to be.

I won't be surprised if in a few years some huge tech firm we all thought had faded into obscurity enjoys a new lease of life by offering a set of locally hosted equivalents to popular cloud services that are also easy to administer and scale but come with a lot more predictability because they run on the customer's own infrastructure.

We still use bare-metal at Automattic. All our global-scale admin stuff is open source... it shouldn't be surprising that bash scripts aren't all that interesting. People want it written in Go, with Raft-consensus to think for us humans, running on blockchain.
Are they published somewhere on https://github.com/Automattic?
No, it all predates git/Github: https://code.svn.wordpress.org/servermattic/README

If you go up a few levels you can find more interesting things as well...

Someone wrote a good tutorial on using it here: https://codeseekah.com/2012/03/19/cross-server-deployment-wi...

One big problem with that is the dichotomy between "cloud" and "open source" - people will pay for SaaS but they absolutely balk at paying for licenses.
In this hypothetical scenario the real money might be in consultancy. "Sure, we can get your organisation set up with OpenNotAWSBecauseTrademarks. Our rates are $20K/consultant/week and we expect to bring a team of 5 for a fortnight." It just has to be a comparable cost and financial structure to how a large organisation trying to escape from cloud lock-in would have otherwise expected to engage their cloud architecture consultants or cloud security red team or other cloud specialists and then you're in the game.
Technology is a good business because a small labor input can scale to a very large impact. I'm sure there is a place for consultancy but I don't see it winning against "scale" in the long term.
Licenses are a major PITA when you want to be spinning machines up and down all the time. Some enterprise vendors have pay as you go solutions, but many don’t.

I get the impression that some enterprise vendors don’t offer pay as you go solutions because it would put their sales staff out of work, and because they wouldn’t be able to use a “how much can you afford?” pricing model.

That threat even has its own name now: a denial-of-wallet attack.

The limited protections available against this threat from the big cloud providers have to be seen as a warning sign. It's only a matter of time before any small business using these services for hosting can be subject to sudden shakedowns by criminals. "Nice business-critical infrastructure you have there, be a shame if anything were to happen to it." Some of the providers do offer a DoS mitigation service, but the cost for the higher levels can start to look like a shakedown itself.

Set an SNS alert to send an email/SMS message to your phone if your monthly bill goes over whatever $X you decide. I've had this set on my personal account for years and it isn't too hard to configure; most of it is just point and click via the SNS and CloudWatch GUIs and is pretty foolproof.
From all of the horror stories I've heard, it is not foolproof. For one, don't you get notified after the usage and charge happens? So one mistake that causes a large spike and the notification is too late.
This is true, it isn't really possible to get a near-instantaneous real-time feed of every single charge from all of the different AWS services you may be using, because they are all unrelated and do their logging / billing differently. I.e., EC2 will scrape and upload your iptables data-usage info to S3 and then that will get scraped and generated into a daily billing/money report etc., and there are thousands of things such as this between all of AWS services.

This likely will just alert you somewhat quickly after something has spiked and been running for a number of hours/day, most likely.
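The billing alert described a few comments up, written as a CloudFormation template so it can be reviewed and version-controlled instead of clicked together in the console. This is an added example, not code from any commenter; the email address and the dollar threshold are placeholder parameters, and it assumes the account has "Receive Billing Alerts" enabled in the Billing preferences and is deployed in us-east-1, which is the only region where the AWS/Billing metric is published.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Alarm on the month-to-date EstimatedCharges metric and notify an SNS
  topic. Constructed example; deploy in us-east-1 only.

Parameters:
  AlertEmail:
    Type: String
    Description: Placeholder address that receives the SNS notification
  MonthlyThresholdUsd:
    Type: Number
    Default: 100
    Description: Placeholder dollar amount that triggers the alarm

Resources:
  # Topic with a single email subscriber; SMS or a chat webhook can be added
  # as extra subscriptions without touching the alarm below.
  BillingAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref AlertEmail
          Protocol: email

  # The billing metric is published only a few times per day, so a 6-hour
  # period with a single evaluation period is the tightest useful setting.
  # This is why the alarm fires after the spend has already happened: it
  # limits how long a runaway bill goes unnoticed, it does not prevent it.
  EstimatedChargesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Estimated month-to-date charges exceeded the threshold
      Namespace: AWS/Billing
      MetricName: EstimatedCharges
      Dimensions:
        - Name: Currency
          Value: USD
      Statistic: Maximum
      Period: 21600
      EvaluationPeriods: 1
      Threshold: !Ref MonthlyThresholdUsd
      ComparisonOperator: GreaterThanThreshold
      # No datapoint yet (start of month, metric not enabled) is not a breach.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref BillingAlertTopic
```

The email subscription has to be confirmed from the inbox before SNS will deliver anything, so test the alarm once after deployment rather than assuming it works.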