16 AWS Gotchas

Angela Branaes, published in Proximistyle
5 min read · Feb 27, 2018

In January I launched the MVP for my own startup, Proximistyle, which helps you find what you’re looking for nearby. On advice from friends and industry contacts I chose AWS as my cloud provider. Having never had to set up my own cloud infrastructure before, the learning curve to get from no experience to a stable VPC system I was happy with was significantly steeper than expected, and had its fair share of surprises.

#1 Take advantage of the free resources offered

AWS offers a free tier for new accounts. If you have recently bought a domain and set up a company you qualify for the free tier for a year. Additionally, if you are a bootstrapped startup you can apply for the Startup Builders package and get $1000 in AWS credits.

After doing the above, you’re now ready to get started with setting up the AWS infrastructure for your startup.

#2 Set up billing budgets and alerting

The very first thing you should do after setting up billing, is enabling a budget and billing threshold notifications. This is incredibly useful in case you have happened to enable a service that is NOT covered by the free tier. It is always good practice to stay on top of your finances.

#3 Never use your billing user for development

Now that you have set up billing, create a new IAM admin user and set up two factor auth. Do all further work through this admin user. This separates your billing from your dev, and is an extremely important security consideration.

#4 Save time with wizards and automated workflows

If you are new to AWS I would recommend using one of the quick setup wizards to get started. I did not do this, and I wish I had. It is one of the first things you see when you log into the console as your new IAM user.

I did, however, use one of their wizards when setting up my VPC with a public and a private subnet. It was easy to follow and is the VPC architecture recommended by Amazon.

There are however a few gotchas here:

#5 The NAT gateway is NOT covered by the free tier!

You need a NAT gateway if you want your private VPC components to talk to the internet. This is where the billing thresholds you just set up in #2 will come in handy. I discovered this after getting a billing alert email the morning after setting it up. As a rough estimate, leaving your NAT gateway up will cost you around $30/month, because you are charged both for the hours it runs and for the data it transfers. There were a lot of unhappy people on the internet complaining about it not being covered under the free tier when I googled this. My recommendation for keeping costs low here is to only create the NAT gateway when something in your private VPC needs access to the internet, and to delete it immediately afterwards.

#6 Unused Elastic IPs are charged by the hour

When you delete your NAT gateway, remember to also delete the elastic IP it used.
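A quick check for the leftover addresses #6 warns about, written as an added example (this is not code from the original post). It walks records in the shape of `ec2.describe_addresses()["Addresses"]` and reports Elastic IPs that are allocated but attached to nothing; the sample records, allocation IDs and region are constructed placeholders, and the live `fetch_and_report` helper assumes boto3 and credentials are available.

```python
# Added example, not from the original post: spot Elastic IPs that are
# allocated but not attached to anything (the idle addresses #6 warns about).
# The records below are constructed sample data in the shape of
# ec2.describe_addresses()["Addresses"]; IPs come from the 203.0.113.0/24
# documentation range and the IDs are placeholders.

def find_idle_elastic_ips(addresses):
    """Return the allocation IDs of Elastic IPs with no association, i.e. the
    ones left behind after a NAT gateway or instance was deleted. These keep
    being billed by the hour until they are released."""
    return [
        a["AllocationId"]
        for a in addresses
        if not a.get("AssociationId") and not a.get("NetworkInterfaceId")
    ]


def fetch_and_report(region="eu-west-2"):
    """Live version (assumed: boto3 installed and credentials configured).
    Not called by the offline demo below; boto3 is imported lazily so the
    rest of the module runs without it."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return find_idle_elastic_ips(ec2.describe_addresses()["Addresses"])


# Constructed sample: one address still used by a NAT gateway, one orphaned.
SAMPLE_ADDRESSES = [
    {
        "PublicIp": "203.0.113.10",
        "AllocationId": "eipalloc-0000000000000001",
        "AssociationId": "eipassoc-0000000000000001",
        "NetworkInterfaceId": "eni-0000000000000001",
    },
    {
        "PublicIp": "203.0.113.11",
        "AllocationId": "eipalloc-0000000000000002",
    },
]

if __name__ == "__main__":
    for alloc_id in find_idle_elastic_ips(SAMPLE_ADDRESSES):
        print(f"idle Elastic IP, release it: {alloc_id}")
```

Run it after deleting a NAT gateway; anything it prints is an address you are still paying for and can release with `ec2.release_address(AllocationId=...)`.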

#7 The NAT gateway goes in the public subnet

When you create your NAT gateway, remember that it goes in the public and not the private subnet. This will save you some confusing debugging time.

#8 Lambdas go in the private subnet

Any lambdas talking to your private subnet also need to be in the private subnet. This means that you need to set up a NAT gateway with an elastic IP if you want your lambdas to talk to the internet.

#9 Configure your security groups so components can talk to each other

If your Lambda wants to talk to your private-subnet database, the database's security group needs an inbound rule that allows the Lambda's security group. Otherwise this fails silently: packets are simply dropped and you get no error message.
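To make the rule in #9 concrete, here is an added example (not code from the original post) that checks whether a database security group already admits a Lambda's security group on the database port, and builds the security-group-to-security-group ingress rule to add if it does not. The group IDs, port and the `describe_security_groups`-shaped dict are constructed sample data; the `apply_rule` helper assumes boto3 and credentials and is not called offline.

```python
# Added example, not from the original post. Sample IDs below are constructed.

DB_PORT = 5432  # assumed: a PostgreSQL listener in the private subnet


def sg_allows_source_sg(sg, source_sg_id, port, protocol="tcp"):
    """True if security group `sg` (shaped like one entry of
    describe_security_groups()['SecurityGroups']) has an inbound rule that
    admits `port` from members of `source_sg_id`. Rules with IpProtocol '-1'
    (all traffic) match regardless of port."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in (protocol, "-1"):
            continue
        if proto != "-1":
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None or not (lo <= port <= hi):
                continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == source_sg_id:
                return True
    return False


def ingress_rule_for_sg(source_sg_id, port, protocol="tcp", description=""):
    """The IpPermission that opens `port` to members of `source_sg_id` only,
    referencing the group rather than a CIDR so nothing else in the VPC
    (and certainly not 0.0.0.0/0) is let in. Shape matches what
    authorize_security_group_ingress() accepts."""
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id, "Description": description}],
    }


def apply_rule(db_sg_id, rule, region="eu-west-2"):
    """Live version (assumed: boto3 installed, credentials configured).
    Not called by the offline demo below."""
    import boto3  # lazy import so the rest of the module runs without it
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.authorize_security_group_ingress(GroupId=db_sg_id, IpPermissions=[rule])


# Constructed sample: before the fix only the bastion's group may reach 5432.
LAMBDA_SG = "sg-0a1b2c3d4e5f60001"
DB_SG_BEFORE = {
    "GroupId": "sg-0a1b2c3d4e5f60002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60003"}]},
    ],
}


def db_sg_after_fix():
    """The same group with the Lambda-to-database rule appended."""
    fixed = {"GroupId": DB_SG_BEFORE["GroupId"],
             "IpPermissions": list(DB_SG_BEFORE["IpPermissions"])}
    fixed["IpPermissions"].append(
        ingress_rule_for_sg(LAMBDA_SG, DB_PORT, description="lambda -> db"))
    return fixed


if __name__ == "__main__":
    print("before:", sg_allows_source_sg(DB_SG_BEFORE, LAMBDA_SG, DB_PORT))
    print("after: ", sg_allows_source_sg(db_sg_after_fix(), LAMBDA_SG, DB_PORT))
```

The check is what you run when a Lambda "just hangs" talking to the database: if it returns False, the packets are being dropped by the group, and the rule it builds is the narrowest fix.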

#10 Use API Gateway to call your lambdas

For security and convenience reasons you probably want to use API Gateway to communicate with your Lambdas from your S3 hosted website / mobile app.

#11 Timeouts do not propagate

API Gateway calls time out after 29 seconds, but the timeout for the Lambda it calls is whatever is set on the Lambda. This means that the API call can fail on timeout while the Lambda still happily runs to completion.

#12 You have to enable CORS headers if you call your API with JavaScript

If you are creating a website that uses JavaScript to call an API Gateway API, you have to ensure that you enable CORS headers. If you don't, you get 403 errors because of the cross-domain call. If you are not using a proxy API, all you need to do is enable CORS for your chosen API. If your API Gateway is using proxy integration to call a Lambda function, the Lambda function itself has to return the CORS headers: you have to add them manually to the response your Lambda returns, because proxy API Gateway calls can't transform the response to add a header.
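A Lambda proxy-integration handler covering both #11 and #12, written as an added example (not code from the original post). Every response it returns, including the browser's OPTIONS preflight and error responses, carries the CORS headers itself, since API Gateway passes a proxy response through untouched; and it bounds its own work to API Gateway's 29-second limit so it stops before the client has already received a gateway timeout. The allowed origin, the query-string "items" work list and the `FakeContext` used for the offline run are assumptions; in a real deployment `context` is the object Lambda passes in.

```python
import json
import time

# Added example, not from the original post. Assumed: this handler sits
# behind an API Gateway Lambda proxy integration.
ALLOWED_ORIGIN = "https://www.example.com"  # assumed: the S3/CloudFront site origin
GATEWAY_TIMEOUT_MS = 29_000                 # API Gateway's limit from #11
SAFETY_MARGIN_MS = 1_000                    # stop this long before the limit


def cors_headers(origin=ALLOWED_ORIGIN):
    """Headers a proxy-integrated Lambda must emit itself (#12). A single
    explicit origin is returned rather than '*' so only the site can call."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type,Authorization",
        "Content-Type": "application/json",
    }


def deadline_ms(context_remaining_ms):
    """Work budget: the smaller of the Lambda's own remaining time and the
    gateway limit, minus a margin (#11). Never negative."""
    return max(0, min(context_remaining_ms, GATEWAY_TIMEOUT_MS) - SAFETY_MARGIN_MS)


def respond(status, body):
    """Proxy-integration response shape; headers are included on every path."""
    return {"statusCode": status, "headers": cors_headers(), "body": json.dumps(body)}


def handler(event, context):
    method = event.get("httpMethod", "GET")
    if method == "OPTIONS":
        # Browser preflight: headers only, empty body.
        return {"statusCode": 204, "headers": cors_headers(), "body": ""}

    budget = deadline_ms(context.get_remaining_time_in_millis())
    params = event.get("queryStringParameters") or {}
    items = params["items"].split(",") if params.get("items") else []
    started = time.monotonic()
    processed = []
    for item in items:
        if (time.monotonic() - started) * 1000 >= budget:
            # Give up deliberately, with CORS headers, instead of letting the
            # gateway time out while the function keeps running.
            return respond(504, {"error": "deadline", "processed": processed})
        processed.append(item.strip().upper())  # placeholder for real work
    return respond(200, {"processed": processed})


class FakeContext:
    """Constructed stand-in for the Lambda context, for running offline."""
    def __init__(self, remaining_ms):
        self.remaining_ms = remaining_ms

    def get_remaining_time_in_millis(self):
        return self.remaining_ms


if __name__ == "__main__":
    event = {"httpMethod": "GET", "queryStringParameters": {"items": "a,b"}}
    print(handler(event, FakeContext(30_000)))
    print(handler({"httpMethod": "OPTIONS"}, FakeContext(30_000)))
    print(handler(event, FakeContext(500)))  # budget 0 -> 504 with headers
```

The same headers on the 504 matter: a CORS-less error response is what the browser reports as a bare 403/network error, which hides the real cause.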

#13 Serve your S3 bucket from CloudFront and SSL

Now that you're all set up, you probably want to cache your S3 bucket website behind CloudFront with SSL. CloudFront caches your website in edge locations around the world. You should absolutely use SSL (https) for security! This is very easy to set up and there is extensive AWS documentation on it.

#14 When you move your DNS name servers to AWS, you also have to move your MX records

I bought my domain through Google domains and set up G-Suite emailing through that. When I moved my name servers to AWS the email stopped working. I could still send emails, I just couldn’t receive any. When I later looked on my Google domains page there was a clear warning saying why it no longer worked, but you had to go to the webpage to see this. Thankfully, moving your mail records (MX) to AWS takes all of 5 minutes, and then mail slowly starts ticking in again.

#15 Default CloudFront cache time is 24h

This means that it might be 24h before updates with the same file name are propagated to edge locations! There are ways to work around this. You can either invalidate your cache, or better yet, use object name versioning.
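The "object name versioning" option in #15, as an added example (not code from the original post): each asset gets a key that includes a short hash of its content, so a changed file is a new object that edge caches have never seen, while an unchanged file keeps its key and stays cached. References in the HTML are rewritten to the new keys. The asset contents and HTML below are constructed; `invalidation_paths` only builds the path list a CloudFront invalidation would take for files that must keep a fixed name, it does not call AWS.

```python
import hashlib
import re
from pathlib import PurePosixPath

# Added example, not from the original post. Assets below are constructed.


def versioned_name(path, content):
    """'css/site.css' + bytes -> 'css/site.<8 hex chars>.css'.
    Same content always yields the same key; any change yields a new one."""
    digest = hashlib.sha256(content).hexdigest()[:8]
    p = PurePosixPath(path)
    return str(p.with_name(f"{p.stem}.{digest}{p.suffix}"))


def rewrite_references(html, mapping):
    """Replace each original asset path found in src/href attributes with its
    versioned key. Paths not in `mapping` are left untouched."""
    def sub(m):
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        return f"{attr}={quote}{mapping.get(url, url)}{quote}"
    return re.sub(r'\b(src|href)=(["\'])([^"\']+)\2', sub, html)


def invalidation_paths(changed_keys):
    """Fallback for objects that must keep a fixed name (index.html): the
    '/key' paths you would pass to a CloudFront invalidation."""
    return ["/" + k.lstrip("/") for k in changed_keys]


# Constructed sample site: two assets and the page that references them.
ASSETS = {
    "css/site.css": b"body{color:#222}",
    "js/app.js": b"console.log('v1');",
}
INDEX_HTML = (
    '<link rel="stylesheet" href="css/site.css">'
    '<script src="js/app.js"></script>'
    '<a href="about.html">About</a>'
)


def build_site(assets=ASSETS, html=INDEX_HTML):
    """Return (mapping of original key -> versioned key, rewritten HTML)."""
    mapping = {path: versioned_name(path, body) for path, body in assets.items()}
    return mapping, rewrite_references(html, mapping)


if __name__ == "__main__":
    mapping, page = build_site()
    print(mapping)
    print(page)
    print(invalidation_paths(["index.html"]))
```

Upload the versioned objects first and `index.html` last; only the fixed-name page then needs an invalidation, and even that can be avoided by giving it a short max-age.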

#16 SSL and http links are not friends

If your website is served over SSL (https) from CloudFront, any http links for images will most likely not show up. I often have issues with having to refresh twice for any such images. Images on https links do not have this issue. On mobile they don't load at all.
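The #16 problem is what browsers call mixed content: a page delivered over https that pulls images, scripts or stylesheets over plain http. The scanner below is an added example (not code from the original post) that lists such subresources in a page before you deploy it and rewrites them to https; plain `<a href="http://...">` navigation links are left alone because browsers do not block those. The HTML fed to it is constructed sample input.

```python
from html.parser import HTMLParser

# Added example, not from the original post. Sample HTML below is constructed.

# (tag, attribute) pairs that load a subresource into the page.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"),
}
# <link> only loads something for these rel values (stylesheets, icons, preloads).
LOADING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url, line) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & LOADING_LINK_RELS:
                self._check(tag, "href", attrs.get("href"))
            return
        for t, name in SUBRESOURCE_ATTRS:
            if t == tag:
                self._check(tag, name, attrs.get(name))

    def _check(self, tag, name, value):
        if value and value.strip().lower().startswith("http://"):
            self.findings.append((tag, name, value.strip(), self.getpos()[0]))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_to_https(html):
    """Rewrite the flagged subresource URLs to https. An identical URL that
    also appears in a navigation link is upgraded too, which is harmless."""
    for url in {f[2] for f in find_mixed_content(html)}:
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
</head><body>
<img src="http://images.example.com/hero.jpg">
<img src="https://images.example.com/logo.png">
<a href="http://partner.example.com/">partner</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, line in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> loads {url} over http")
    print(upgrade_to_https(SAMPLE_HTML))
```

Rewriting links is the durable fix; as a belt-and-braces measure a `Content-Security-Policy: upgrade-insecure-requests` response header tells browsers to fetch any remaining http subresources over https.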

Hope you found these tips useful and that they saved you some time. Feel free to add your own gotchas as a reply below.

Angela, Founder and CEO of Proximistyle.

For any outfit, Proximistyle lets you see which shops have it in stock, in your size, nearby. Try it out if you’re in London!

Entrepreneurial Product Leader and Founder with 10+ years of experience, focusing on AI and consumer retail. Imperial Computing Alumni.