Lake Wakatipu, Queenstown


Building a static blog site on AWS - Part 1

Time flies - summer is almost over in New Zealand. Even though it has only been three weeks, my six-week summer break is already beginning to feel like a distant memory.

About nine months ago, I started this blog and decided to host it on Amazon S3 and use Amazon CloudFront for content delivery. My initial capital investment was simply 1 US dollar for the registration of the domain name wkhoo.com.

For nine months, my monthly AWS bills were either $0 or $0.01 (for S3 storage, although my usage is well under the free tier limit; probably due to decimal rounding, but weird), all because I am reaping the benefits of the AWS 12-month Free Tier program and have been staying within its limits so far.



Amazon Managed Grafana SAML integration

Amazon Managed Grafana is a powerful tool for monitoring and visualisation, and integrating it with an identity provider (IdP) such as Microsoft Entra ID using SAML provides secure and streamlined access management. Deploying Amazon Managed Grafana and configuring the SAML integration are pretty straightforward.

Recently, I needed to configure group-based access control using the SAML group attribute and Grafana team sync, but I faced some challenges getting it to work. Neither the AWS nor the Microsoft documentation clearly explains the steps needed to successfully sync the group attribute to a Grafana team.



Decommissioning AWS Control Tower Landing Zone

A landing zone, typically set up using AWS Control Tower, is a well-architected, multi-account AWS environment that is scalable and secure. AWS Control Tower automates the configuration of the landing zone following AWS best practices, which include networking settings, identity and access management (IAM) policies, logging and monitoring settings, and security guardrails. Decommissioning an AWS Control Tower landing zone is a complex task that involves shutting down a multi-account AWS environment while ensuring no critical resources or data are lost.

In this post, I will walk through the steps required to decommission a landing zone, focusing on the key considerations for compliance, security, and cost management.



Cross-account SSM VPC Endpoints Sharing

This is a spin-off from my previous blog post, Centralised SSM VPC Endpoints Cost-Benefit Analysis, where we explored how a centralised SSM VPC endpoints architecture can help organisations minimise costs by creating the endpoints in one VPC and sharing them with the other VPCs, reducing the number of endpoints required and the associated endpoint-hour charges.

In this blog post, I will illustrate how you can scale the centralised SSM VPC endpoints solution across AWS accounts.



Centralised SSM VPC Endpoints Cost-Benefit Analysis

When using AWS services, it is important to access these services securely. One way to do this is by using VPC endpoints. A VPC endpoint is like a private doorway between your VPC and AWS services. This means that you can access AWS services such as S3, DynamoDB or Systems Manager within your VPC without leaving the AWS network. This improves security and ensures your data stays private.

There are two types of VPC endpoints: interface endpoints (powered by AWS PrivateLink) and gateway endpoints. Gateway endpoints can be used to access the S3 and DynamoDB services privately, and there is no additional charge for using them. Interface endpoints incur an hourly running cost along with data processing charges.

For AWS environments with multiple VPCs, deploying separate interface endpoints in each VPC can get expensive. Each endpoint has a small hourly cost per Availability Zone (AZ). If your workloads span multiple AZs, you would need an endpoint per subnet, and the cost could quickly add up.
