Teri Radichel

I Asked Amazon Q How To Make My Private Network Cost Less

Everyone keeps asking me what I think of AI so here you go

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code

🔒 Related Stories: Encryption | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After the AWS re:Invent keynote today, I decided to see if Amazon Q can help me make my private network cost less on AWS. When I implemented VPC Endpoints and an AWS Transit Gateway my costs shot up over 2600%. Of course I am not the typical large corporation but still. For my budget it was a big increase.

Let me explain what I’ve already done

One of the things I realized almost immediately was that cross-region traffic is a serious source of cost increase but also a drag on performance. You can prevent that by restricting traffic to a single region as much as possible.

I also eliminated Transit Gateway until I really have time to focus on this and got rid of any VPC Endpoints I didn’t need. That was a large chunk of the cost.

In addition, I realized that trying to send cross-AZ traffic through an endpoint resulted in a 3-second Lambda function taking 10 minutes to execute. That was not good. So I restricted my endpoint to the subnet and AZ where my compute resource exists, more for performance than anything.

As of now I should have no cross-region or cross-AZ traffic, and my traffic should be properly directed to the endpoint private IP address.
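The three conditions above (endpoint in the same AZ as the compute, the service name resolving to the endpoint's private address, and a gateway endpoint actually present in the compute subnet's route table) can be checked mechanically. The following is an added example, not code from the post or from AWS. It works on dictionaries shaped like the output of `aws ec2 describe-vpc-endpoints`, `aws ec2 describe-subnets` and `aws ec2 describe-route-tables`; every ID, CIDR and address in it is a constructed sample value, and the subnet-to-route-table mapping is assumed to have been derived from the route tables' `Associations`.

```python
"""Added example: VPC endpoint placement and routing checks on constructed data."""
import ipaddress

# Constructed sample data (assumed values, not a real account).
SUBNETS = {
    "subnet-0a": {"AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24"},
    "subnet-0b": {"AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.2.0/24"},
}
# Subnet -> route table, as derived from RouteTables[].Associations[] (assumed).
SUBNET_ROUTE_TABLE = {"subnet-0a": "rtb-priv-a", "subnet-0b": "rtb-priv-b"}
ROUTE_TABLES = {
    "rtb-priv-a": [
        {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-s3gw"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
    ],
    "rtb-priv-b": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
    ],
}
ENDPOINTS = [
    {"VpcEndpointId": "vpce-ssm", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ssm",
     "SubnetIds": ["subnet-0a", "subnet-0b"], "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-s3gw", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "RouteTableIds": ["rtb-priv-a"]},
]


def extra_azs(endpoint, compute_subnet, subnets=SUBNETS):
    """AZs an interface endpoint spans beyond the AZ of the compute subnet.
    Each extra AZ is a separate ENI, a separate hourly billing unit, and a
    possible cross-AZ hop for a client that resolves the regional name."""
    if endpoint["VpcEndpointType"] != "Interface":
        return []
    compute_az = subnets[compute_subnet]["AvailabilityZone"]
    azs = {subnets[s]["AvailabilityZone"] for s in endpoint["SubnetIds"]}
    return sorted(azs - {compute_az})


def resolves_into_endpoint(endpoint, resolved_ips, subnets=SUBNETS):
    """True only if the service name resolved to at least one address and every
    address lies inside one of the endpoint's subnets, i.e. the client will hit
    an endpoint ENI and not a public service address."""
    if not resolved_ips:
        return False
    nets = [ipaddress.ip_network(subnets[s]["CidrBlock"]) for s in endpoint["SubnetIds"]]
    return all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in resolved_ips)


def gateway_route_present(endpoint, compute_subnet, route_tables=ROUTE_TABLES,
                          subnet_rtb=SUBNET_ROUTE_TABLE):
    """True if the compute subnet's route table has a route targeting this
    gateway endpoint (the prefix-list route the endpoint adds when associated)."""
    rtb = subnet_rtb[compute_subnet]
    return any(r.get("GatewayId") == endpoint["VpcEndpointId"] for r in route_tables[rtb])


def findings(compute_subnet, resolved, endpoints=ENDPOINTS):
    """Human-readable findings for one compute subnet.
    `resolved` maps endpoint ID -> addresses its service name resolved to
    (from inside the VPC, e.g. via `dig`)."""
    out = []
    for ep in endpoints:
        eid = ep["VpcEndpointId"]
        if ep["VpcEndpointType"] == "Interface":
            extra = extra_azs(ep, compute_subnet)
            if extra:
                out.append(f"{eid}: also in AZ(s) {', '.join(extra)}; billed per AZ, possible cross-AZ path")
            if not resolves_into_endpoint(ep, resolved.get(eid, [])):
                out.append(f"{eid}: service name does not resolve inside the endpoint subnets")
        elif not gateway_route_present(ep, compute_subnet):
            out.append(f"{eid}: no route to this gateway endpoint in the route table of {compute_subnet}")
    return out


if __name__ == "__main__":
    # Compute in subnet-0a; SSM name resolved to an ENI address (constructed).
    for line in findings("subnet-0a", {"vpce-ssm": ["10.0.1.57"]}):
        print(line)
    # Same checks from subnet-0b: no S3 gateway route there, SSM resolved publicly.
    for line in findings("subnet-0b", {"vpce-ssm": ["52.46.10.1"]}):
        print(line)
```

Two caveats when feeding this real data: the private DNS name of an interface endpoint only resolves to the ENI addresses when queried from inside the VPC with private DNS enabled, and the regional name returns the ENIs in every AZ the endpoint is attached to, so the simplest way to keep a client on its own AZ is to attach the endpoint to only that AZ's subnet (as the post does) or to use the zonal DNS name.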

So what can I do to save money? I wondered if Amazon Q could give me any insights.

Amazon Q — in Preview

Now before I analyze the answers I get back, I want to point out how amazing this functionality is. And it is in preview — so it will get better. It is amazing how far we’ve come, but we still have so much farther to go.

I was in college before the Internet was used by almost anyone except for the people like those in the book I reviewed — Cult of the Dead Cow.

Although I had programmed as a kid I wasn’t allowed to use the modem because it was too expensive. I didn’t have anyone around me to tell me about phreaking. (Not that I would have participated anyway due to growing up in a pretty authoritarian household.)

The Internet was never once mentioned in any class I took in the business school at the University of Washington back in the early 90’s (Go Huskies Football! #4) — including computer classes. No one around me was using web browsers as far as I know. I’m sure some people were, but not in my circles.

I remember some people were using pine. Random dude in computer lab got my name off a printout and started sending me messages. I convinced another guy to keep writing to him and snuck around the computer lab looking over people’s shoulders until I figured out who it was. That was about it for me in college beyond a basic spreadsheet and relational database design class and my initial Pascal class to avoid another quarter of chemistry.

I was first introduced to the concept of a web browser by my first boss in my first real tech job. “That’s neat,” I thought…but I didn’t even use it much initially. Only by the time Google came out were search engines really useful.

Later, I’m designing HTML pages with text that blinks. Ooh ahhh. And then along comes e-commerce and that really changed my world. I switched jobs to work on web applications. And by that point I’m using web browsers on a daily basis.

But when I was trying to solve a particular problem — how to create a grid on a web page with forward and back buttons to display the next group of products — the web could not answer my question. Why? Because no one had published an answer. I had to figure it out from scratch using math and logic.

After starting my second company, I ended up reverse-engineering how search engine algorithms work to get customers higher web rankings (search engine optimization or SEO) for their web pages. Type in wedding invitations and get a company that sells you wedding invitations at the top of the list. Type in blue wedding invitations or teddy bear birth announcements and get an even more relevant product (with the help of my automated ranking technology.)

Questions and answers are not new. But here we are today and you can ask a question in plain English and get an answer. Like an actual direct answer in plain English (or whatever language you use maybe). I know the answers are not perfect but it’s still pretty cool.

And I wonder how anyone did their jobs before and I remember — ah yes, books. I practically lived at the bookstore. I bought so many technical books that I would buy the same book twice because I forgot I already had it. I read so many books and I leveraged the information in them and the sample code to learn to program and write better programs.

And the magazines…I remember going to live in Australia for three months and I couldn’t find my favorite tech magazines in the book store in Sydney. Now none of them exist. I just read that Popular Science, not a magazine I read a lot but one I remember having interesting articles here and there, is shutting down after 151 years. Times change.

But for all those people who think artificial intelligence is something someone just thought up and it’s suddenly going to change the world, realize that it has been around for like 50 years.

Amazon has been using AI for years. It is not new. How do you think you get product recommendations that align with what you search for on Amazon.com? I remember listening to talks and reading about Amazon search technology years ago when I was working on e-commerce sites.

I also remember one of my professors telling me when I was getting my master of software engineering degree back in 1999 or 2000 about how he had worked on AI in the 70’s. It was “the recurring dream.”

And actually, the first time I experienced a question and answer program like Q was when I was about 8 or 9 years old, circa 1976?? My dad enlisted in the Air Force during the Vietnam War and served for about two to four years. Along the way he met “Larry.” Don’t ask me how I even remember his name. He was my Dad’s boss at McChord Air Force base where my dad worked as an airplane mechanic after he came back from teaching English in Saigon.

We went to Larry’s house one night for dinner with his family. After dinner he was typing into this long rectangular beige box with a probably 4 inch by 4 inch black screen. You could ask a question and the computer would try to answer you. This was a form of artificial intelligence. I’m not sure how it worked exactly back then and at that age I didn’t really grasp the implications. But my dad did. He thought computers were the future and that’s partly how I ended up doing what I’m doing today in a very roundabout way.

I suppose when I wrote about where it begins I should have credited Larry, too. That’s when I saw my first computer. I was programming BASIC a few years later.

So AI is not new, but the way people are accessing it is a bit new. And the type of AI that is all the rage these days is called generative AI.

Generative AI is another form of AI with different methods of processing inputs to produce outputs. The algorithms are how the inputs are processed to produce the outputs. Different “formulas” can be used and over time those formulas might improve. But the underlying concept is the same — a question and some data that gets processed to produce an answer.

Is generative AI really new? I don’t really know or care. Does it answer my questions accurately? Let’s try it out.

Testing Amazon Q with a real question I have been asking lately

I open up the Amazon console and I ask it “How can I make my private network cost less?” Just as with a web browser, you have to make your questions pretty specific. Q doesn’t quite get the nuance that I’m asking specifically about networking costs. The answers are not wrong but obviously not what I’m seeking.

So I refine the question. I specify “network resources” but that doesn’t help too much. Though the scheduler idea is kind of nifty, I work at all random times and just turn on and off my instance when not in use and that’s not what I’m asking about — which is specifically networking.

The private network constructs I started using that shot my costs up were VPC Endpoints. So I specifically ask how I can make my VPC Endpoints cost less. Now we’re getting somewhere.

Hmm. Here are the answers. Let’s take a closer look.

1. Are gateway endpoints less expensive than interface endpoints? I may have missed that. Why? Because it’s not easy to find the VPC Endpoint pricing. When I search for it in Google, it doesn’t easily come up by searching on “VPC Endpoint Pricing”, which is not typical for AWS product and feature pricing. I finally found the answer on this page once I knew to look for it and refined my search a few times:

I decided to try out the VPC pricing page. When you go to the VPC pricing page where I would expect to see VPC endpoint pricing, it’s not here and it sends you over to the AWS Calculator:

If I try to use the calculator there’s no option for VPC Gateway Type Endpoints. Or any endpoints for that matter. Perhaps because they are free but that’s not really clear here.

The only problem is that there are only two services at this time that work with gateway endpoints: AWS S3 and DynamoDB (unless something gets announced at re:Invent in the next couple of days. :)

But still, that was a helpful answer as I do plan to use AWS S3 and maybe DynamoDB as well.
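Because an interface (PrivateLink) endpoint is charged per endpoint per AZ per hour plus a per-GB data processing fee, while the S3 and DynamoDB gateway endpoints carry no hourly or data charge, the two actionable questions from answer 1 are: which of my interface endpoints point at a service that also offers a gateway endpoint, and how many AZs is each interface endpoint billing me for? The script below is an added example, not code from the post or from AWS. It reads endpoint records shaped like `aws ec2 describe-vpc-endpoints` output; the IDs and subnets are constructed sample values, and the hourly and per-GB rates are passed in from the pricing page rather than assumed here.

```python
"""Added example: gateway-endpoint candidates and per-AZ billing units."""

# The only services with gateway endpoints at the time of writing.
GATEWAY_SERVICES = {"s3", "dynamodb"}

# Constructed sample data (assumed values, not a real account).
SUBNET_AZ = {"subnet-0a": "us-east-1a", "subnet-0b": "us-east-1b", "subnet-0c": "us-east-1c"}
ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3if", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "SubnetIds": ["subnet-0a", "subnet-0b"]},
    {"VpcEndpointId": "vpce-ddb", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "RouteTableIds": ["rtb-priv-a"]},
    {"VpcEndpointId": "vpce-logs", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.logs",
     "SubnetIds": ["subnet-0a", "subnet-0b", "subnet-0c"]},
]


def service_short_name(service_name):
    """'com.amazonaws.us-east-1.s3' -> 's3' (last label of the service name)."""
    return service_name.rsplit(".", 1)[-1]


def gateway_candidates(endpoints):
    """IDs of interface endpoints whose service also offers a gateway endpoint."""
    return [ep["VpcEndpointId"] for ep in endpoints
            if ep["VpcEndpointType"] == "Interface"
            and service_short_name(ep["ServiceName"]) in GATEWAY_SERVICES]


def billed_azs(endpoint, subnet_az=SUBNET_AZ):
    """Number of AZs an interface endpoint has an ENI in; this is the hourly
    billing multiplier. Gateway endpoints have no hourly charge, so 0."""
    if endpoint["VpcEndpointType"] != "Interface":
        return 0
    return len({subnet_az[s] for s in endpoint.get("SubnetIds", [])})


def monthly_hourly_charge(endpoints, rate_per_az_hour, hours=730):
    """Hourly component of interface-endpoint cost for a month of `hours` hours."""
    return sum(billed_azs(ep) * hours * rate_per_az_hour for ep in endpoints)


def monthly_saving_from_gateway(endpoints, rate_per_az_hour, rate_per_gb,
                                gb_by_endpoint, hours=730):
    """Cost removed by replacing each gateway-candidate interface endpoint with
    a gateway endpoint: its AZ-hours plus its per-GB data processing.
    `gb_by_endpoint` maps endpoint ID -> GB processed per month."""
    candidates = set(gateway_candidates(endpoints))
    saving = 0.0
    for ep in endpoints:
        if ep["VpcEndpointId"] in candidates:
            saving += billed_azs(ep) * hours * rate_per_az_hour
            saving += gb_by_endpoint.get(ep["VpcEndpointId"], 0) * rate_per_gb
    return saving


if __name__ == "__main__":
    # Placeholder rates for the demonstration only; take real ones from the pricing page.
    print("gateway candidates:", gateway_candidates(ENDPOINTS))
    for ep in ENDPOINTS:
        print(ep["VpcEndpointId"], "billed AZs:", billed_azs(ep))
    print("saving/month:", monthly_saving_from_gateway(ENDPOINTS, 0.01, 0.01, {"vpce-s3if": 100}))
```

One caveat before converting: a gateway endpoint only serves traffic originating inside that VPC, so an S3 interface endpoint is still required if on-premises hosts (over VPN or Direct Connect) or peered VPCs need to reach S3 privately. For a single VPC with compute in one AZ, as in this post, the gateway endpoint is the cheaper and simpler option.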

2. VPC Endpoint instead of a NAT — this doesn’t really help when you have resources in a private network that need to reach the Internet. So this one doesn’t do me much good. Also my VPC Endpoints are costing much more than my NAT at the moment.

3. Hmm. Why would you use a VPC Endpoint and then route traffic to the Internet or a NAT gateway? Doesn’t that defeat the purpose of using a VPC Endpoint (for security?) I’ve written a lot in prior blogs about how to make sure your traffic is actually routing to the VPC Endpoint if you have one configured. If you don’t have the configuration right your traffic may be taking an alternate path. But isn’t routing the traffic to the VPC Endpoint going to increase the associated VPC endpoint costs versus if it’s going to some other destination? Not sure about this answer but something to explore more later.

4. This one seems redundant.

5. I already mentioned that cross-region traffic didn’t even work in my case and I’m not doing that. It’s a good answer, but doesn’t help in my scenario.

6. Really? RTFM? Anywhere that answer exists, it should be deleted, in my opinion. If you are going to provide that answer, provide a link to said documentation. None of the links below the answers link specifically to VPC Endpoint pricing. As I pointed out above, it’s not easy to find, either.

What if I type in VPC Endpoint pricing?

I’m not sure this answer is technically correct.

Here’s interface pricing for VPC PrivateLink Interface Endpoints. Also note the footnote.

I know AWS S3 supports both Gateway and Interface type endpoints. But I can’t find information about that on the S3 pricing page either.

Well, I found a few things I can double check. As with most of the analysis of AI chatbots to date, the answers are the most helpful for beginners, rather than advanced users. AI is not going to magically solve all the problems (yet) but it is a good resource.

The other key point here is that the AI-driven chatbots have to get their answers from some source, and if the source is non-existent or obscure, the chatbots aren’t going to be able to magically solve that problem. I think this answer might be better if the underlying documentation for VPC endpoint pricing was clearer. In which case, we might not need the chatbot. But it could help us find the documentation faster.

How does Amazon Q do with CloudFormation error messages?

Well that was fun. Let’s try an even more obscure question. I keep getting this error message I really despise because it’s non-specific and can cover a seemingly endless number of typos. I have written blog posts about it, and when I find something that was wrong that was caused by this error and others like it I add them to my list and explain how to fix it. Here’s a post on the specific error message I am going to ask about:

So I paste that error message into the Q & A and here’s what I get back:

Honestly, none of that is helpful. Why is it not helpful? Because the error message is not helpful in the first place. It is not specific enough. A good error message when writing code tells you which line caused the error, and what character on the line caused the error. It also tells you the specific syntax problem that you need to fix.

The fact that Amazon Q cannot provide a better answer is not the fault of the AI technology. It has to do with the sources and inputs. The error message is too vague.

Policy errors in AWS CloudFormation, along with a lot of other CloudFormation error messages, need to more specifically tell you what is wrong, how to pinpoint it in your code, and how to fix it.

I have listed a number of possible causes of that error message, based on my experiences, in the above blog post.

I also have about 100 other error messages for CloudFormation listed in this blog post and their potential causes.

You need good inputs for any search and analysis technology to be helpful.

How AI relates to SEO

Thinking back to performing search engine optimization (SEO) for customers, the goal was to get the search engines to rank at the top when people searched for a particular term. How did I do it? I looked at other highly ranked web pages, how they were structured, and what their code looked like to reverse engineer how and why they were at the top of the list.

I also got a few tips from a company that was manually creating SEO Pages on my customer’s website to get her higher rankings. She was paying them a gazillion dollars to do this and it ticked me off because I could have done much better for less money.

So I took a couple of tips but for the most part reverse engineered other sites and changed her website (the input to the search engine algorithms) to structure every single page programmatically in a way that increased the rankings for every product and term on the site. I also inserted key search terms into product pages (which sometimes my client didn’t like 🤣.)

Almost immediately my customer’s site was at the top of the rankings across all the terms associated with her 1500+ products and she was getting more orders than she could handle. No one else was doing this at the time — the manual typing team was “the best in the industry” and people were paying them $100K to do what they were doing. I scoffed. But I never really got my ideas off the ground before other people started doing it.

Also, I was a bit devastated by what that customer did to me later when she sold the company, so I packed up and left for Australia. The next site I built got good rankings as well. It was a hostel booking site with which I had a revenue-sharing deal, but then that site got hacked, and I was the only one affected. I was losing my revenue share. I fixed the problem and became obsessed with security at that point and the rest is history.

But my background in SEO helps me understand that the outputs of any search technology is only as good as the inputs. In addition, the answers in the outputs can be manipulated by the inputs.

This holds true for security. The primary source of security vulnerabilities is malicious or unexpected input, which causes applications, processes, and people to produce unintended outputs that have negative consequences.

All paths testing

There’s an approach to testing a software program where you attempt to cover every path to make sure it works correctly. This is easy to do if the application only has a couple of paths and a couple of possible inputs.

Think about a game of chess, one of my Dad’s favorites. He studied the Bobby Fischer book and beat almost everyone he played because he memorized all the possible moves and likely outcomes.

A game of chess has a limited number of paths. There are a lot of paths — but it’s still a finite number. There are a certain number of squares, pieces, two players, and the pieces can only move a certain way. You have to stay within the bounds of the rules to win the game.

It was a monumental deal when IBM’s Deep Blue beat the best human chess player in the world. This also was a form of AI. The computer was “thinking.” But really it was searching as many moves ahead as it could from the current position and scoring the resulting positions to pick the option its evaluation rated best.

And just a note — if I can determine the method by which the computer is choosing the “best” probabilistic option I can likely subvert it and win because I can use a path the computer isn’t expecting to achieve my objective.

Consider how many paths it had to evaluate compared to Amazon Q when I ask it how to limit the cost of my VPC Endpoints. First of all, I had to refine the question to get even close to the right answer. Then the program has to evaluate all the AWS documentation for key words and phrases that might relate to the problem and come up with the correct answer. If the answer does not exist in the documentation, or paths are missed, then the answers may be unhelpful, only tangentially related, wrong, or non-existent.

As the paths and the inputs increase, the complexity of testing all the paths increases exponentially. It becomes infeasible to test and verify every possible outcome for every single question.

Think about the human body for a minute. I am always amazed at what doctors have to do. There are so many variations and mutations and inputs or malfunctions to the myriad cells that make up a human body. How can a doctor ever provide a concrete answer to every problem? They can’t. There are too many paths and inputs to accurately define every single possible problem and solution. At least with the technology and knowledge we have to date. And how does anyone predict the way cells mutate?

AI is trying to take all the inputs and come up with the correct outputs and there is an infinity of possible paths and answers in some cases. Getting to the correct answer is not straightforward and likely never will be.

AI still needs humans

You still need humans who can parse through the results to determine what is and is not relevant, what is correct and incorrect when it comes to AI.

All that said, these are two pretty complicated questions for an engine like this to parse. I’m sure Amazon Q will save a lot of people time for simpler questions and it’s still a promising technology. I think Stephen Schmidt’s take on AI in general in his presentation on Monday is spot on. I recommend his talk in this post and if you missed it you might want to go back and check it out ~ AI still needs humans.

And that’s my take on AI. It’s not new. It’s a tool. It’s always improving. But perhaps we are trying to solve an intractable problem.

Or perhaps the most efficient solution to the problem has more to do with the inputs than the processing in some cases.

The last presentation I recommended in the above top three talks is Werner Vogels’ talk coming up on Thursday. Looking forward to it and checking out all the new technology coming out of AWS re:Invent further.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab