One simple approach to minimize operating cost in AWS

I am using AWS for the last couple of months. The more I am exploring it, the more I am loving it. Thinking about doing a PhD on AWS (Just kidding).
Since I am still using my credit card, sometimes it’s scary while running a large instance as pay per use model. What I have observed is most of my internal servers are only running during the office hour but they are generating cost as those are running instances. Below approach helps me to minimize 50% cost that was generating earlier.

Use AWS CLI

Using AWS CLI you can create a simple script which will run as a scheduler to stop and start any instance.

• Install AWS CLI (http://docs.aws.amazon.com/cli/latest/userguide/installing.html)
• Configure the tool as per the above link
• Create two batch files to start and stop your instances

In start batch file write the below command
aws ec2 start-instances –instance-ids [YOUR INSTANCE ID]
You will find the instance id in EC2 management console. Add multiple instance id in the same line with a space.

In stop batch file write the below command
aws ec2 stop-instances –instance-ids [YOUR INSTANCE ID]
You will find the instance id in EC2 management console. Add multiple instance id in the same line with a space.

• Create two windows scheduler and map those batch files to run as you want

I have seen a tremendous result in my environment after following this technique. I am still very new in AWS world and I am sure there may be several other techniques available to control the cost on AWS. Please do let me know if you are following any better approach.

Concern

• Do not store anything in the temporary drive AWS creates. AWS always refresh temporary drives data after restarting
• Use VPC to have same private IP
• If you have public IP associated with an instance, use elastic IP as AWS will assign new public IP if you stop and restart an instance, in case you are not using any elastic IP

 

Step by step – site-to-site VPN with AWS VPC and CISCO ASA 5505

To configure VPC follow the below steps:

• Login to AWS console
• From services select VPC
• From VPC Dashboard click on Start VPC Wizard
• Click on VPC with Public and Private subnets – (assuming that you network will have internet access as well) and click on Select button
• 
• Enter configuration details as below (assuming your network will be 172.16.4.0/24)
• 
• Click Next
• Enter IP firewall outside IP, enter name for gateway and VPN
• Select routing type as static
• Enter your office network IP prefix
• Assuming that you AWS Private subnet will be: 172.16.4.0/24
• Click on Create VPC
• 
• After you see the successful creation of you VPC, go to route tables
• Select the correct route table from the list (associated with 2 subnet)
• Click on subnet Associations tab
• Click on Edit
• Select your subnet and click save button
• 
• Go to VPN connection link, select your VPN and click on download configuration
• Open you CISCO ASA firewall
• Click on Wizard –> IPSec VPN wizard
• Select site-to-site VPN, VPN tunnel interface as outside and click next
• 
• Enter the IP address that you have in the downloaded file – as tunnel-group
• Enter the pre-shared-key that they have provided
  
• Click next
  
• Select the configuration as below
  
• Select the configuration as below
  
• Enter the remote network configuration as below
  
• Click next and click finish
• Follow the same step to configure second tunnel-group that you have on that VPN text file
• Promote a EC2 instance with your newly create VPC
• Note the private IP address that is automatically assigned to your new instance
• Open CLI of you CISCO ASA device, we need to configure SLA monitoring as AWS bring the VPN connection down if it does not see the network traffic on the tunnel. To keep the VPN connection alive all the time we need to configure SLA monitoring in our CISCO device
• Enter the below command
• ciscoasa# config t
  ciscoasa(config)# sla monitor 1
  ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 172.16.8.4 interface outside
  ciscoasa(config-sla-monitor-echo)# frequency 5
  ciscoasa(config-sla-monitor-echo)# exit
  ciscoasa(config)# sla monitor schedule 1 life forever start-time now
  ciscoasa(config)# icmp permit any outside
• Now you need to configure your VPC to accept ICMP connection from internet or your firewall outside IP. To configure this
• Go to VPC –> Security group
• Select the security group that is associated with the instance you have created earlier
• Click on Inbound rules tab
• Click on Edit
• Select ALL ICMP and enter you firewall outside interface IP as source
• Click Save
• 
• Click on VPN connections link
• Select your VPN and click on tunnel tab
• You should see at least one VPN tunnel status is UP (In AWS you can’t make two tunnel up at the same time)