hosts face the internet directly, consider plugging a separate ENI into the host, and run cluster control traffic through different subnets.
➤ Augment Security Groups + Route Tables with on-host iptables rules
➤ If hosts are fronted by a load balancer then this is less of a concern.
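As an added example (not from the slides), this is one way to write the on-host iptables layer mentioned above: Erlang distribution needs epmd on TCP 4369 plus the node listen ports, which can be pinned with the kernel parameters inet_dist_listen_min/max, so both are accepted only from the cluster control subnet and dropped from everywhere else. The subnet 10.0.1.0/24 and the port range 9100-9105 are assumed placeholder values.

```shell
#!/bin/sh
# Constructed example: emit iptables rules that restrict Erlang distribution
# (epmd on TCP 4369 and a pinned inet_dist_listen_min..max range) to the
# cluster subnet. Rules are printed, not applied, unless APPLY=1 is set.

erl_dist_rules() {
  subnet="$1"; pmin="$2"; pmax="$3"
  # Refuse an inverted range or ports outside 1..65535
  [ "$pmin" -ge 1 ] && [ "$pmax" -le 65535 ] && [ "$pmin" -le "$pmax" ] || return 1
  # Accept from the cluster subnet first, then drop the same ports from anyone else;
  # the INPUT jump is inserted at the top so it runs before broader allow rules.
  cat <<EOF
iptables -N ERL_DIST
iptables -A ERL_DIST -s $subnet -p tcp --dport 4369 -j ACCEPT
iptables -A ERL_DIST -s $subnet -p tcp --dport $pmin:$pmax -j ACCEPT
iptables -A ERL_DIST -p tcp --dport 4369 -j DROP
iptables -A ERL_DIST -p tcp --dport $pmin:$pmax -j DROP
iptables -I INPUT -p tcp -j ERL_DIST
EOF
}

# Matching erl flags so the VM really listens inside the range the firewall allows
erl_dist_flags() {
  printf '%s' "-kernel inet_dist_listen_min $1 inet_dist_listen_max $2"
}

# Placeholder subnet/ports (assumed values); override via environment
if [ "${APPLY:-0}" = "1" ]; then
  erl_dist_rules "${CLUSTER_SUBNET:-10.0.1.0/24}" "${DIST_MIN:-9100}" "${DIST_MAX:-9105}" | sh
else
  erl_dist_rules "${CLUSTER_SUBNET:-10.0.1.0/24}" "${DIST_MIN:-9100}" "${DIST_MAX:-9105}"
  echo "erl $(erl_dist_flags "${DIST_MIN:-9100}" "${DIST_MAX:-9105}") ..."
fi
```

Security Groups still apply at the ENI, so this only adds a second layer on the host itself; check the range with `erl_dist_flags` against what the nodes actually start with.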
if deploying solely on EC2
➤ But using Erlang Distribution over WAN can be questionable
➤ See WhatsApp’s wandist
➤ Alternatively, run a host-to-host VPN between each host
➤ This establishes a virtual switch for your applications
of containers per host), you may be able to use the VPC networking mode, which gives each container its own ENI and therefore its own privately routable IP
➤ As fast as host networking, more isolation
➤ There is a limit on how many ENIs can be attached to each container host, so this is not for you (currently) if you run many containers per host
of this as ECS without the need to manage instances
➤ vCPU: $0.0506/h; Memory: $0.0127/h
➤ This is however much more expensive than instances
➤ m4.large @ 2vCPU + 8GB = approx. $0.025/h (spot) or $0.1/h (on-demand)
➤ No EBS support yet https://news.ycombinator.com/item?id=15808416
is allowed by default without much hassle. But communication across hosts (which crosses pods) is an entirely different matter
➤ n.b. AWS EKS is now available and in Preview https://aws.amazon.com/eks
➤ Kubernetes: Cluster Networking https://kubernetes.io/docs/concepts/cluster-administration/networking/
/ pod (Kube)
➤ Weave Net/Scope does it for you and there is a blog post about it https://aws.amazon.com/blogs/apn/architecting-microservices-using-weave-net-and-amazon-ec2-container-service/
➤ Each container is started with two network interfaces, instead of one
➤ TCP for control traffic and UDP for data traffic
➤ Queries EC2 ASG for peer information at boot time
for outstanding nodes / containers / pods
➤ However, AWS IAM permissions for describeInstances are not granular
➤ Multicast gossip (now you have a private network, UDP works again)
➤ SELECT * FROM nodes;
➤ if you have a database, you can keep information in there so it is easy to expose that information elsewhere…
a node A connects to node B, and node B has a connection to node C, then node A will also try to connect to node C. This feature can be turned off by using the command line flag -connect_all false, see erl(1).”