• AWS Amplify geo-block

    I was going to write a post about setting geo restrictions for your CloudFront distribution, but Andreas Wittig from Cloudonaut already did that, so I’m going to just link to his post. However, if you’re using AWS Amplify, as I do for this blog, you cannot directly modify the CloudFront settings, because the distribution is not shown in the console.

• Sharing AWS NAT Gateways

    AWS NAT Gateway is a great service that helps in building reliable networks. Scaling it, however, can become expensive when you have hundreds of VPCs. At least that is what I thought, until I realised I had misunderstood a very critical bit of AWS pricing. That detail allows you to build not just more affordable, but also better, network architectures.

• SSH over AWS SSM

    There is a saying that something is more than the sum of its parts, meaning it is the specific combination of things that makes it useful or valuable. But it can also be that one of those parts is especially useful on its own. Here is the one-liner, taken from its original context, that has saved me a lot of trouble whenever I have needed remote access to EC2 instances.

• Delegating IAM access with permission boundary

    Back in the day, when creating an AWS account involved a lot of overhead, a common pattern was to have multiple teams sharing a single account. While it might have been possible (in theory) to create complex IAM policies to partition resources by application or team, one fundamental problem remained: once you granted the right to create an IAM policy or role, you effectively granted admin-level access to everything in the account.

• Networking meets Agile Deployment

    You know the feeling when you get a new idea and would like to start building right away, and then run into the roadblock of getting IP addresses allocated for a new VPC. But unless you get a CIDR from the network team, it is likely you will have to tear down everything and start from scratch later, when you want to connect with other services or internal networks. Or simply answering the question “how many IPs do you need?” isn’t possible, because you are still evaluating different architecture options. Would it be possible to get the best of both worlds? Start independently, without risking future connectivity.