[freshports-coders] FreshPorts & AWS - trimming excess services

Ihor Antonov ihor at antonovs.family
Fri Jan 22 00:15:10 UTC 2021 

On 1/21/21 3:16 PM, Dan Langille wrote:

> My current request is guidance for removing various services which are no longer required. I want to make sure they are not used before deleting them. From trial and error while getting FreshPorts working, I have multiple instances of these which I wish to remove:
> 
> *subnets
> * VPC
> * Internet Gateways
> * Egress Internet Gateways
> * Network ACLS
> 
> For example, my RDS instance has 6 subnets - not all of them are required.
> 
> While I think I could do that on my own, having another set of eyes / recommendations would help.
> 
> I also need to change the RDS subnet to a non-routable subnet.  Right now, it's on 54.242.45.0/24 address but only accepting incoming connections from my EC2 instance.

Hey Dan

It is hard to give you concrete recommendations without at least 
read-only access to AWS account. It is totally possible to create IAM 
users with read-only access. Is this something you might consider doing?

Meanwhile, some some general recommendations:

1. All these resources

 > * subnets

 > * VPC

 > * Internet Gateways

 > * Egress Internet Gateways

 > * Network ACLS

are free. They do not consume money, they won't show up in your bill. 
Although I understand that removing them might be just a matter of 
housekeeping. if you have an unused VPC - make sure there are no EC2 
instances running, and then simply delete. If you are using AWS console 
- it will delete all child resources of that VPC automatically (routes, 
subnets, internet gateways). Delete operation will fail if there are 
instances running in that VPC.

2. If you have a VPC that you use there is no need to worry about extra 
subnets that are not currently in use. By default AWS creates 1 subnet 
per AZ (AZ == a physically independent data center within that region)
multiplied by subnet type (private/public/nat).

Example: us-east-1 has 6 AZs. Depending on you VPC setup you might have 
6*3 subnets.

Having those subnets around has a benefit too. Sometimes AWS has outages 
or degradation of service quality in different AZs (e.g. instance type 
shortages, networking issues, EBS volume shortages, etc.) These are rare 
situations, but they do happen once in a blue moon. Being able to 
quickly move your workload to another AZ is a good thing.

3. Please clarify about "my RDS instance has 6 subnets". RDS can't 
"have" subnets. Only VPC can have subnets. Do you mean it is a mutli-AZ 
RDS deployment? or is it deployed in a VPC that has 6 subnets?

3. "I also need to change the RDS subnet to a non-routable subnet" - 
there are couple of ways you can go about this - redeploy your RDS to a 
different set of subnets. It requires some RDS downtime. Or you can edit 
the subnet by removing 0.0.0.0/0 route from it. This has a downside that 
this subnet might be also used by something else, and generally this is 
not a preferred way. I'd redeploy RDS to a different set of subnets.

4. "Right now, it's on 54.242.45.0/24" - can you clarify? AWS VPC allows 
only non-routable address ranges [1]. I think there is some mistake 
here. Having read access to AWS account would be great in cases like this.



[1] 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing

More information about the freshports-coders mailing list