> Isn't this sort of what Amazon Lightsail is? (Haven't actually used it, but am under the impression it abstracts away networking config).
Yes. Many services abstract networking. App Runner, for example, even gives you a public URL with HTTPS. Lambda also can do that nowadays. Most managed services just expose endpoints.
> I'll probably get downvoted, but isn't global addressing + firewalling basically available by creating a VPC with only public subnets, and using security groups as your firewall? (Best practice is public/private subnets with NAT gateways, but it's probably not impossible to rely only on security groups)
I will also disagree with what others are saying. You can keep things simple in AWS if your use case is simple and never care about 99% of what's on the AWS VPC dashboard.
If your use case is complex (you need to connect several internal private apps, expose private things behind a single IP / FQDN, do load balancing, use private DNS, connect with other clouds and on-premises, segregate, monitor and authenticate traffic...) then using physical appliances would likely require more hard work and expertise.
A fun exercise for folks complaining about AWS complexity: go to Fortinet's web site and try to find out which appliances you should use to secure a small company (~100 employees, a couple of public internet-facing services, a couple of internal apps), how much it costs and how you can buy it.
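The "only public subnets, security groups as the firewall" layout from the quoted comment, written out in Terraform as an added example (not from the thread or any commenter). The address ranges, names and the office CIDR used for SSH are assumptions; the point is that with no private subnet the security group is the entire perimeter, so its ingress must be explicit and narrow.

```hcl
# Added example: one VPC, one public subnet, security group as the only firewall.
# 10.0.0.0/16 and 203.0.113.0/24 are constructed values, not from the thread.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true # every instance here is internet-reachable
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# Security groups are stateful and deny all ingress unless a rule allows it.
# Nothing else stands between the internet and the instance, so keep the
# allow-list to the service port and scope admin access to a known range.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = aws_vpc.main.id
  ingress { # public service port
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress { # SSH only from the assumed office range, never 0.0.0.0/0
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }
  egress { # Terraform drops the default allow-all egress, so declare it
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

A quick sanity check on such a setup is to confirm that no security group in the VPC has an ingress rule with `0.0.0.0/0` on anything other than the intended service ports.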
A Mellanox switch is like $10k a pop. You install Linux on it (SONiC) and configure firewall/VIP/etc., and you're done. You can pay consultants to do all that once, then save on AWS cost for the next 3 years.
37signals did basically this with the same number of staff; you can read about it on their blog. It's not rocket science.
Well if it’s that simple and 37 signals did it, then obviously everyone should!
It’s not like your description is ridiculously reductive, or like 37 signals/dhh have a history of attention seeking behavior that might drive them to make technical decisions on the basis of PR value. Never!
Not as reductive as your typical Certified Cloud “Architect’s” pitch ;)
This is not a question of why they did it (although they pretty clearly expand on it in those posts, and everyone who didn't flunk middle school math can do the same with their setup) but a question of whether you can do it. And the answer is pretty clearly yes. But ofc you won't, and not because of technical reasons either.