by danielheath 108 days ago
The biggest one for me is the way AWS security groups & IAM work.

In AWS, it's straightforward to say e.g. "permit traffic on port X from instances holding IAM role Y".

You can easily e.g. get the firewall rules for all your ec2 instances in a structured format.

I really would not look forward to building something even 1/10th as functional as that.
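As an added illustration of the "structured format" point above (this is not code from the poster or from AWS), the snippet below flattens output shaped like `aws ec2 describe-security-groups --output json` into one row per rule and then runs two defender-side checks over it: which groups are reachable from any address on ports other than the expected public ones, and which rules are expressed as references to other security groups (`UserIdGroupPairs`), which is how the API encodes the peer-identity part of a rule. The JSON document embedded here is constructed sample data with made-up group IDs and CIDRs, not real account output.

```python
import json

# Constructed sample shaped like the response of
# `aws ec2 describe-security-groups --output json`. Group IDs, names and
# CIDRs are made up for this example.
SAMPLE_DESCRIBE_SGS = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0aaa111",
      "GroupName": "web",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}
      ]
    },
    {
      "GroupId": "sg-0bbb222",
      "GroupName": "db",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]}
      ],
      "IpPermissionsEgress": []
    }
  ]
}
""")


def flatten_rules(describe_output):
    """Turn the nested describe-security-groups document into flat rows:
    one dict per (group, direction, protocol, port range, peer)."""
    rows = []
    directions = (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))
    for sg in describe_output["SecurityGroups"]:
        for direction, key in directions:
            for perm in sg.get(key, []):
                proto = perm["IpProtocol"]
                # Protocol "-1" means all traffic; FromPort/ToPort are absent then.
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                ports = "all" if proto == "-1" else f"{lo}-{hi}"
                # Peers are either CIDR blocks or other security groups.
                peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                peers += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
                for peer in peers:
                    rows.append({
                        "group": sg["GroupId"], "name": sg["GroupName"],
                        "direction": direction, "protocol": proto,
                        "from_port": lo, "to_port": hi, "ports": ports,
                        "peer": peer,
                    })
    return rows


def flag_world_open_ingress(rows, allowed_ports=frozenset({80, 443})):
    """Return ingress rows open to any address (0.0.0.0/0 or ::/0) that
    expose anything beyond the allowed public service ports."""
    flagged = []
    for r in rows:
        if r["direction"] != "ingress" or r["peer"] not in ("0.0.0.0/0", "::/0"):
            continue
        lo, hi = r["from_port"], r["to_port"]
        if r["protocol"] == "-1" or lo is None or hi is None:
            flagged.append(r)          # all traffic, or unbounded port range
            continue
        if any(p not in allowed_ports for p in range(lo, hi + 1)):
            flagged.append(r)
    return flagged


def group_references(rows):
    """Return (group, referenced_group) pairs for rules whose peer is another
    security group rather than a CIDR, i.e. the identity-based rules."""
    return {(r["group"], r["peer"]) for r in rows if r["peer"].startswith("sg-")}


if __name__ == "__main__":
    rows = flatten_rules(SAMPLE_DESCRIBE_SGS)
    for r in rows:
        print(f'{r["group"]:<12}{r["direction"]:<8}{r["protocol"]:<5}{r["ports"]:<10}{r["peer"]}')
    print("world-open beyond 80/443:", [(r["group"], r["ports"]) for r in flag_world_open_ingress(rows)])
    print("group-to-group references:", group_references(rows))
```

With real data, `SAMPLE_DESCRIBE_SGS` would be replaced by `json.load()` over the saved CLI output; the rest of the script is unchanged, which is the property the post is pointing at: the policy is queryable data rather than a sequence of commands to re-derive intent from.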

2 comments

I would probably just build the infra in crossplane which standardizes a lot of features across the board and gives developers a set of APIs to use / dashboard against. Different deployments and orgs have different needs and desire different features though.
And you think just anyone can set that up? No sys admin/infra guy needed? Seems pretty risky.
I mean not just anyone, but it's far less complicated than dealing with arcane iptables commands. And yet far more powerful, being able to just say "instances like this can talk to instances like this in these particular ways, reject everything else". Don't need subnet rules or whatever, it's all about identity of the actual things.

Meanwhile lots of enterprise firewalls barely even have a concept of "zones". It's practically not even close to comparing for most deployments. Maybe with extremely fancy firewall stacks with $MAX_INT service contracts one can do something similar. But I guess with on-prem stuff things are often less ephemeral, so there's slightly less need.

I could type your arcane iptables commands for a couple hundred an hour. That stuff is easy compared to some software development tasks. I have sometimes struggled, but I've always found a solution after a few hours max.
> I guess with on-prem stuff things are often less ephemeral, so there's slightly less need

Kubernetes is running on bare metal quite a lot of places.