viraptor 13 hours ago

The service gateways are such a weird thing in AWS. There seems to be no reason not to use them and it's like they only exist as a trap for the unaware.

wiether 12 hours ago | parent | next [-]

Reading all the posts about people who got bitten by some policies on AWS, I think they should create two modes:

- raw

- click-ops

Because, when you build your infra from scratch on AWS, you absolutely don't want the service gateways to exist by default. You want to have full control over everything, and that's how it works now. You don't want AWS to insert routes in your route tables on your behalf. Or worse, having hidden routes that are used by default.

But I fully understand that some people don't want to be bothered by those technicalities and want something that works and is optimized following the Well-Architected Framework pillars.

IIRC they already provide some CloudFormation Stacks that can do some of this for you, but it's still too technical and obscure.

Currently they probably rely on their partner network to help onboard new customers, but for small customers it doesn't make sense.

viraptor 12 hours ago | parent [-]

> you absolutely don't want the service gateways to exist by default.

Why? My work life is in terraform and cloudformation and I can't think of a reason you wouldn't want to have those by default. I mean I can come up with some crazy excuses, but not any realistic scenario. Have you got any? (I'm assuming here that they'd make the performance impact ~0 for the vpc setup since everyone would depend on it)

wiether 11 hours ago | parent [-]

Because I want my TF to reflect exactly my infra.

If I declare two aws_route resources for my route table, I don't want a third route existing and being invisible.

I agree that there is no logical reason to not want a service gateway, but it doesn't mean that it should be here by default.

The same way you need to provision an Internet Gateway, you should create your service gateways by yourself. TF modules are here to make it easier.

Everything that comes by default won't appear in your TF, so it becomes invisible and the only way to know that it exists is to remember that it's here by default.

viraptor 4 hours ago | parent [-]

There's lots of stuff that exists in AWS without being in TF. Where do you create a router, a DHCP server, each ENI, etc.? Why are the instances in a changing state in ASG rather than all in TF? Some things are not exactly as they exist in TF, because it makes more sense that way. We never had 1:1 correspondence in the first place.

benmmurphy 10 hours ago | parent | prev [-]

The gateway endpoints are free (s3 + dynamodb?), but the service endpoints are charged so that could be a reason why people don't use the service endpoints. But there doesn't seem to be a good reason for not using the service gateways. It also seems crazy that AWS charges you to connect to their own services without a public ip. Also, I guess this would be less of an issue (in terms of requiring a public ip) if all of AWS services were available over ipv6, because then you would not need NAT gateways to connect to AWS services when you don't have a public ipv4 ip and I assume you are not getting these special traffic charges when connecting to the AWS services with a public ipv6 address.
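The explicit declaration wiether argues for (a gateway endpoint created by hand, like an Internet Gateway, so the resulting route is traceable to a resource in state) and the gateway-vs-interface cost distinction benmmurphy raises, as an added Terraform example that is not part of this thread or of any AWS-provided module. The VPC, subnet, route table, security group, region variable and bucket name are all assumptions made up for illustration.

```hcl
# Added example, not from the thread. All resource names, the region and the
# bucket name are placeholders chosen for illustration.

variable "region" {
  default = "eu-west-1"
}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true # needed for private DNS on Interface endpoints
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Gateway endpoint for S3: no hourly or per-GB endpoint charge. Attaching it to
# the route table makes AWS add a route for the S3 prefix list that targets this
# endpoint. That route is owned by this resource (via route_table_ids), not by
# an aws_route, so this resource is where to look for it in state.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]

  # Endpoint policy: only the named bucket is reachable through this endpoint,
  # so a compromised instance cannot push data to an arbitrary bucket over the
  # private path. The bucket name is a placeholder.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-app-bucket",
        "arn:aws:s3:::example-app-bucket/*",
      ]
    }]
  })
}

# Security group for Interface endpoints: HTTPS from inside the VPC only.
resource "aws_security_group" "endpoints" {
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Interface endpoint (PrivateLink) for a service with no Gateway endpoint, here
# STS. Unlike the Gateway endpoint above it is billed per hour per AZ and per
# GB processed, which is the cost benmmurphy refers to. It creates an ENI in the
# subnet and, with private_dns_enabled, the service's public hostname resolves
# to that ENI inside the VPC, so no NAT gateway or public IP is involved.
resource "aws_vpc_endpoint" "sts" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.sts"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

After `terraform apply`, `aws ec2 describe-route-tables --route-table-ids <id>` shows the route table with an extra entry whose `DestinationPrefixListId` is the S3 prefix list (`pl-...`) and whose `GatewayId` is the `vpce-...` of the Gateway endpoint. That is the "third route" wiether describes: it never appears as an `aws_route`, but with the endpoint declared explicitly it is attributable to `aws_vpc_endpoint.s3` rather than being something one has to remember exists. One caveat on the endpoint policy: some AWS-managed services (Amazon Linux package repositories and SSM agent downloads, for example) fetch from S3 buckets that AWS owns, so a policy restricted to your own bucket will break those fetches unless their buckets are added to the allow list.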