Questions tagged with Amazon EC2


Global Accelerator Network Interface Appears in Network Insight Analysis From Different IP Address

I have a Network Insight Analysis that runs daily. The analysis is fairly basic. It runs a check between any two network interfaces on our network. I have noticed that there is a finding that keeps appearing that we do not expect. (Note: I have replaced ids with unique letters.)

The source of the finding is a network interface associated with a global accelerator we have. However, the network interface is in a subnet with CIDR `10.48.161.64/28` but the source header indicates it is sending from a different CIDR range which allows it through security groups that should explicitly not allow traffic from that subnet. Hypothetically, these resources have security groups separating blocking ingress from one into the other. However, since the apparent source is different, it does not seem to be the case.

I have not been able to replicate this network traffic outside of the network analysis tools. My suspicion is something to do with global accelerator being able to preserve client IP or change headers?

Below is the first entry into the analysis.

```
{
  "SequenceNumber": 1,
  "Component": {
    "Id": "eni-BBB",
    "Arn": "arn:aws:ec2:us-west-1:yyy:network-interface/eni-BBB",
  },
  "OutboundHeader": {
    "DestinationAddresses": ["10.48.129.197/32"],
    "DestinationPortRanges": [{"From": 8334, "To": 8334}],
    "Protocol": "6",
    "SourceAddresses": ["10.32.129.192/27"],
    "SourcePortRanges": [{"From": 0, "To": 65535}],
  },
  "Subnet": {
    "Id": "subnet-AAA",
    "Arn": "arn:aws:ec2:us-west-1:xxx:subnet/subnet-AAA",
  },
  "Vpc": {
    "Id": "vpc-yyy",
    "Arn": "arn:aws:ec2:us-west-1:xxx:vpc/vpc-",
  },
},
```

I am aware that there are better ways to do what I am doing potentially. Right now I am just trying to understand why this behavior occurs or maybe some places to look for answers. Alternatively, if this is a false positive for whatever reason, understand how I can update my configurations to handle it.

Also interesting to note, we have an identical setup in another region and that does not trip these same rules. If there is any more information I can provide, please let me know!

Network Analysis JSON below.

```
{
  "matchPaths": [
    {
      "source": {
        "packetHeaderStatement": {
          "sourceAddresses": ["0.0.0.0/0"],
          "destinationAddresses": ["10.48.0.0/12", "172.16.0.0/13"]
        },
        "resourceStatement": {
          "resourceTypes": ["AWS::EC2::NetworkInterface"]
        }
      },
      "destination": {
        "packetHeaderStatement": {
          "sourceAddresses": ["0.0.0.0/0"],
          "destinationAddresses": ["10.48.0.0/12", "172.16.0.0/13"]
        },
        "resourceStatement": {
          "resourceTypes": ["AWS::EC2::NetworkInterface"]
        }
      }
    }
  ]
}
```

1 answer, 1 vote, 56 views, asked 23 days ago

AWS Batch requesting more VCPUs than tasks require

Hi,

We have an AWS Batch compute environment set up to use EC2 spot instances, with no limits on instance type, and with the `SPOT_CAPACITY_OPTIMIZED` allocation strategy. We submitted a task requiring 32 VCPUs and 58000MB memory (which is 2GB below the minimum amount of memory for the smallest 32 VCPU instance size, c3.8xlarge, just to leave a bit of headroom), which is reflected in the job status page.

We expected to receive an instance with 32 VCPUs and >64GB memory, but received an `r4.16xlarge` with 64 VCPUs and 488GB memory. An `r4.16xlarge` is rather oversized for the single task in the queue, and our task can't take advantage of the extra cores, as we pin the processes to the specified number of cores so multiple tasks scheduled on the same host don't contend over CPU.

We have no other tasks in the queue and no currently-running compute instances, nor any desired/minimum set on the compute environment before this task was submitted. In the autoscaling history, it shows:

`a user request update of AutoScalingGroup constraints to min: 0, max: 36, desired: 36 changing the desired capacity from 0 to provide the desired capacity of 36`

Where did this 36 come from? Surely this should be 32 to match our task? I'm aware that the docs say:

`However, AWS Batch might need to exceed maxvCpus to meet your capacity requirements. In this event, AWS Batch never exceeds maxvCpus by more than a single instance.`

But we're concerned that once we start scaling up, each task will be erroneously requested with 4 extra VCPUs. I'm guessing that what happened in this case is due to the `SPOT_CAPACITY_OPTIMIZED` allocation strategy.

* Batch probably queried for the best available host to meet our 32 VCPU requirement and got the answer c4.8xlarge, which has 36 cores.
* Batch then told the autoscaling group to scale to 36 cores, expecting to get a c4.8xlarge from the spot instance request.
* The spot instance allocation strategy is currently set to `SPOT_CAPACITY_OPTIMIZED`, which prefers instances that are less likely to be killed (rather than preferring the cheapest/best fitting).
* The spot instance request looked at the availability of c4.8xlarge and decided that they were too likely to be killed under the `SPOT_CAPACITY_OPTIMIZED` allocation strategy, and decided to sub it in with the most-available host that matched the 36 core requirement set by batch, which turned out to be an oversized 64 VCPU r5 instead of the better-fitting-for-the-task 32 or 48 VCPU R5.

But the above implies that Batch itself doesn't follow the same logic as the `SPOT_CAPACITY_OPTIMIZED`, and instead requests the specs of the "best fit" host even if that host will not be provided by the spot request, resulting in potentially significantly oversized hosts.

Alternatively, the 64 VCPU r5 happened to have better availability than the 48/32 VCPU r5, but I don't see how that would be possible, since the 64 VCPU r5 is just 2*the 32 VCPU one, and these are virtualised hosts, so you would expect the availability of the 64 VCPU to be half that of the 32 VCPU one.

Can it be confirmed if either of my guesses here are correct, or if I'm thinking about it the wrong way, or if we missed a configuration setting?

Thanks!

0 answers, 0 votes, 21 views, asked 23 days ago