AWS Wish List : Set Query Filter VPC globally in AWS Management Console

This is yet another wish-list item for the AWS Management Console's usability features, one that IMHO would improve usability and reduce the mis-configuration and needless re-creation of VPC components.

It is unimaginable to work on production workloads without filtering on the SELECTED VPC in the VPC menu of the AWS Management Console. I remember what my life was like on a project that had 4 VPCs, each with 30+ subnets and, by extension, that many route tables and ACLs. Having all the VPC components listed together leaves room for misconfiguring network entities: it is very hard for humans to reliably tell app-dmz-subnet-az1 apart from app-dmz-subnet-az2. The more horrifying reality is that there is no UNDO.

I really should thank the AWS team for continuously improving their services with new features and improvements. I would like to add the request below to their list for the AWS Management Console, specifically for the VPC menu.

Current Setup :

There is a dropdown box listing the VPCs running in the account for the selected Region. Selecting a VPC filters the view to show only the components belonging to that VPC, and this applies to all the entities [Subnets, Route Tables, ACLs, Security Groups, etc.].

On a different note, a newly created (hence unattached) Internet Gateway doesn't show up while the VPC filter is ON. This trolled me hard [it was a very long 5 minutes of searching and pondering in my life then].

Problem :

Yes, the filter is applied across the board in the AWS Management Console, except for the popup / dialog box used to create a new entity. What happens is that the state of the selected VPC filter doesn't carry over into the dialog box, which instead defaults to the last created VPC.

[Screenshot: VPC filter dropdown in the VPC Management Console]

This surprises you yet again: where did my Subnet go? I remember creating it just now.

Feature Request :

Carry the state of the currently applied VPC filter over into the dialog boxes as well.

www.awsiamlogin.com

www.awsiamlogin.com aims to provide easy access to manage and navigate across multiple Amazon Web Services (AWS) accounts, with bookmarking. AWS strongly recommends using IAM access through the AWS IAM login portal URL (account-ID based or with an AWS account alias), but that URL isn't easily remembered, which nudges people towards using the root account. Today DevOps engineers and Cloud Architects need to manage multiple AWS accounts, which adds to the problem of remembering the AWS IAM portal URL.

The features of www.awsiamlogin.com include:

  • Maintain Bookmarks of AWS accounts
  • No data stored at the server [effective use of browser Local Storage]
  • One-Click Navigation to AWS account


Categories AWS

Scope of AWS Entities

AWS has a vast ecosystem of services and entities, with a few intricacies: for example, an EC2 Snapshot's scope is the Region, whereas its cousin the EC2 Volume is scoped to an Availability Zone. Below is a tabulation of such scopes; it is certainly not exhaustive.

| AWS Resource | Scope Hierarchy | Region Hierarchy | Sharing |
| --- | --- | --- | --- |
| VPC | Account | Region | |
| Subnet | Account > VPC | Region > Availability Zone | |
| Route Table | Account > VPC | Region | |
| ACL | Account > VPC | Region | |
| Internet Gateway | Account > VPC | Region | |
| DHCP Option Set | Account | | |
| Elastic IP | Account | Region | |
| Endpoints | Account > VPC | Region | |
| Peering Connection | Account > VPC & VPC | Region | Peer-able to a VPC under the same account or a different account |
| Security Groups | Account > VPC | Region | |
| Customer Gateway | Account | Region | |
| Virtual Private Gateway | Account | Region | |
| EC2 – Instance | Account > VPC > Subnet | Region | |
| EC2 – Images | Account | Region | Sharable to external account(s) or the entire public |
| EC2 – Snapshot | Account | Region | Sharable to external account(s) or the entire public |
| EC2 – Volume | Account | Region > Availability Zone | |
| EC2 – Reserved Purchases | Account | Region > Availability Zone > [specific instance size, type, etc.] | |
| EC2 – Key Pairs | Account | Region | |
| ELB | Account > VPC | Region | |
| ENI | Account > VPC > Subnet | Region | |
| IAM User | Account | Global | |
| IAM Role | Account | Global | |
| IAM Group | Account | Global | |
| IAM Customer Managed Policy | Account | Global | |
| IAM Identity Providers | Account | Global | |
| RDS Instance | Account | Region | |
| RDS Reserved Purchase | Account | Region > [Instance Class, AZ] | |
| RDS Snapshot | Account | Region | Sharable to external account(s) |
| RDS Parameters | Account | Region | |
| RDS Option Group | Account | Region | |
| RDS Subnet Group | Account > VPC | Region | |

AWS Wish List : Usability Features for Security Groups in AWS Management Console

With the single concept of a Security Group, AWS gives us security and isolation with ease. It is impossible to imagine the world without Security Groups. We take them for granted in AWS; it was painful to build architectures with VMs in Azure [not today, but a couple of months back when there were no Azure Resource Groups]. That doesn't mean there was no security in Azure, but the security implementation was tied to the individual instance rather than being a Security Group that can be attached to instance(s) [again, this was before the era of Azure Resource Groups; that older model is now called Azure Virtual Machines – Classic].

Getting back to AWS and Security Groups: I can't thank AWS enough for the "Copy Security Group" feature. There are a couple of operations or functionalities which I would like to request the AWS Management Console team to consider [please].

Copy Security Group to Different Region :

This is a mere extrapolation of Copy Security Group. I feel copying Security Groups to a different region is just as important as copying Snapshots and AMIs to a different region. Understandably, the copied security group wouldn't be directly usable and may require several modifications; nevertheless, it could serve as a placeholder. This functionality would help in scenarios such as Region migration, Region replication, DR and DR test drills.

[Screenshot: Copy Security Group to a different Region]

Edit Description :

Editing the description field is not supported today in the AWS Console (well, I haven't tried that in the CLI yet). This has happened to me more often than you'd think: create a Security Group, launch instance(s) with that Security Group, then finally notice that I missed filling in the description or didn't follow the convention used by the Ops team. Then I copy the security group, this time with the correct name and description, attach the new SG, detach the old SG and delete it.

Editing the description field for AMI images has been made possible; similarly, I am requesting that the feature be extended to the Security Group's description as well.

Copy Security Group with Tags :

Tags play a vital role in almost all AWS resource entities. I love the possibilities: searching by tag in the search bar, and grouping resources to understand the cost breakup in the Cost Center. Personally, I am thankful for tags, because the scenario without them would look like environment_tier_instance_role_let_god_forbid_name_getting_any_bigger_sg. I am not against long names or the effort associated with them, but IMHO they are an intentional step towards making things harder; readability takes a big hit. I love making things simpler and easier, and tags are much more efficient.

[Screenshot: Copy Tags for Security Group]

It would be awesome if there were a "copy tags" check box in the same dialog box where we key in the VPC, Name and Description of the Security Group. It would be really handy to see the rules and the tags come along.

Sorting Security Group Rules :

Getting a holistic view of Security Group rules is a little hard today. It is really difficult to find a rule, or to check whether a rule is present, in a security group. I open the security group rules and use the browser's CTRL+F to search; this helps in most cases, but it is a quick and dirty way.

It would be awesome if we could sort the 3 columns CIDR, PORT and PROTOCOL individually (a nested, secondary sort would be even cooler). In fact a DataTables-like interface would be really applicable in this context. Just imagine all the UDP, TCP and ICMP rules sorted individually.

[Screenshot: Sort Security Group Rules]
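Until the console offers it, the nested sort and the "is this rule present" check described above can be done offline over the JSON that `aws ec2 describe-security-groups` returns. The code below is an added example, not from the original post; it assumes the input has the shape of the API's IpPermissions field, and the sample rules are constructed.

```python
import ipaddress

# Constructed sample shaped like the "IpPermissions" field of the EC2
# DescribeSecurityGroups response (assumption; not data from the post).
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "192.168.1.0/24"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.1.2.0/24"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "172.16.0.0/12"}]},  # all traffic
]


def flatten_rules(permissions):
    """One (protocol, from_port, to_port, cidr) row per CIDR, like the console's rule table."""
    rows = []
    for perm in permissions:
        proto = "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
        from_port, to_port = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for rng in perm.get("IpRanges", []):
            rows.append((proto, from_port, to_port, rng["CidrIp"]))
        for rng in perm.get("Ipv6Ranges", []):
            rows.append((proto, from_port, to_port, rng["CidrIpv6"]))
    return rows


def _cidr_key(cidr):
    # Sort CIDRs numerically (family, network address, prefix length), not as strings.
    net = ipaddress.ip_network(cidr)
    return (net.version, int(net.network_address), net.prefixlen)


def sort_rules(rows, order=("protocol", "port", "cidr")):
    """Nested sort: the first column is the primary key, the rest break ties in order."""
    keys = {"protocol": lambda r: (r[0],), "port": lambda r: (r[1], r[2]),
            "cidr": lambda r: _cidr_key(r[3])}
    return sorted(rows, key=lambda r: tuple(k for col in order for k in keys[col](r)))


def has_rule(rows, proto, port, cidr):
    """True if a row for this exact CIDR allows proto/port (an 'all' row covers everything)."""
    for r_proto, r_from, r_to, r_cidr in rows:
        if r_cidr == cidr and (r_proto == "all" or (r_proto == proto and r_from <= port <= r_to)):
            return True
    return False
```

Feed `flatten_rules` the `IpPermissions` list of one group from the real API output and pick the column order you want as the primary sort.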


AWS Wish List : VPC Name Tag to be shown in EC2 Details

It is a very small piece of information that makes the job a lot easier by avoiding the need to query and search. It is generally easier to remember names than IDs; IMHO the same applies to VPC IDs and Subnet IDs in AWS.

The AWS Management Console shows elaborate information about the EC2 instances in the selected Region and account. In the same details section we can see the VPC and Subnet where the instance is placed. It would be great if the details also showed the Name tag of the VPC and Subnet, not just the VPC ID or Subnet ID.


Apparently the convention of showing the Name tag alongside the ID is already used in the VPC menu where we apply the filter for the VPC.

[Screenshot: VPC filter dropdown showing "VPC ID - Name Tag"]

It would help a lot if the same convention were also extended to the EC2 Details page.


AWS Wish List : AWS Tagging Support for EIP

An Elastic IP in AWS gives us ownership of an IP address for as long as we want, and complete liberty to attach it to and detach it from instances.

It is completely understandable that an EIP is charged for while we don't use it. That is exactly when the need to account for it under cost-center accounting arises. It would be awesome if we had the ability to tag EIPs as well.