AB1 Questions and Answers

Private IPs and public access

A private subnet is configured within your VPC as a subnet without a route to the Internet Gateway and where instances do not have public IP addresses. If you have data on-premise that cannot leave, AWS supports VPN endpoints and Direct Connect to allow your VPC to securely access your datacenter, allowing you to keep certain data on-prem but allow for processing and other workloads to run in AWS.

How often do you patch Amazon Linux and Windows AMIs? What about other OSs?

Amazon Linux is a rolling-release distribution where the latest package versions are available on first boot. The major releases are packaged every 6 months. Amazon also releases updated Windows AMIs monthly. For each AMI release, there's a changelog of included fixes, but once instances are launched from the AMIs, patching is the responsibility of the customer.

With the current economic situation and inflation, will AWS be raising their prices? How can you assure me your prices will not change in 6 months' time?

Mention the history of AWS reducing prices; the control of what you pay for via variable cost, not upfront commitment.

Does S3, Glacier or Storage Gateway de-dup data?

No, objects are mapped 1-1, there is no deduplication performed.

We have to use multicast, do you support it?

Not presently, but what are you using multicast for?

Is this similar to Salesforce cloud or iCloud?

Those services are cloud-hosted. AWS provides all the I.T. resources necessary to host an application, such as these, in the cloud. Those applications are higher-level offerings built on top of I.T. resources provided by cloud providers, like AWS.

What is a hypervisor?

Try to steer to discussing instance types and how the type specified determines the processor (Intel Xeon, AWS Graviton, GPUs...). One thread pulled was someone mentioned they need hardware accelerated encryption modules. Deferred this as a followup.

What type of hardware is this going to run on? We are very particular on what we want.

Try to steer to discussing instance types and how the type specified determines the processor (Intel Xeon, AWS Graviton, GPUs...). One thread pulled was someone mentioned they need hardware accelerated encryption modules. Deferred this as a followup.

What is the difference between Redshift and EMR?

Use Redshift when...
- Traditional data warehouse
- When you need the data relatively hot for analytics such as BI
- When there is no data engineering team
- When you require joins
- When you need a cluster 24x7

Use EMR (SparkSQL, Presto, Hive) when...
- When you don't need a cluster 24x7
- When elasticity is important (auto scaling on tasks)
- When cost is important: spots
- Until a few hundred TBs; in some cases PBs will work
- When you want to separate compute and storage (external table + task node + auto scaling)

What kind of connectivity to AWS can we expect from our datacenters?

[Ask questions about connectivity requirements] Aside from general Internet access, we have several connectivity options. With VPN Gateways, you can establish a secure connection between your datacenter and your cloud environment. We also have Direct Connect, which would be a crossover from your datacenter directly to AWS's network.

Can you provide an SLA for latency over Direct Connect? Can you provide an SLA on your leg, your segment?

[I'm sure the answer is no, SLAs exist for availability, and latency has many factors outside AWS control to even offer, but I'm not sure of the best reply]

You said AWS decreased costs, but I heard that AWS has increased prices for IPv4 addresses.

Use AWS Public IP Insights to get a detailed view of users' public IPv4 address usage and their associated costs. AWS has to pay for this pool of IPv4 addresses and there is a limited number of addresses to share. To make sure that the addresses are used efficiently, AWS will start charging a nominal fee. Have you considered IPv6?

We heavily use NoSQL databases such as MongoDB for customer data & product inventory. Does AWS have similar or alternative databases that we can use?

v

What are S3 and EBS SLAs?

The SLA for S3 Standard is 99.9% and EBS is covered under the EC2 SLA with availability at 99.99%

How do I move objects from S3 to Glacier? What if I need the S3 object back from Glacier?

With S3's Lifecycle Policies you can define when and to what storage tier objects move. When objects are moved to Glacier, they remain as S3 objects that you can manage, but to retrieve the contents you have to request a temporary copy to be restored and it will become available in S3 for only the time period specified in the restore request.

We are happy with Akamai, why would we choose your CDN over them?

1. You get the benefit of several native integrations with other AWS services for easier management of your infrastructure.
2. Significant cost advantage because Data Transfer costs (egress) from an AWS Origin (S3, ELB, EC2, etc.) to CloudFront is completely free.
3. Advanced security features through integration with ACM, Amazon GuardDuty, Shield Advanced for DDoS protection, and Layer 7 protection with AWS WAF.
4. With CloudFront triggers for Lambda@Edge, you can implement advanced custom logic at the edge, closer to your viewers to get increased cacheability, more customized, and personalized content delivery to your viewers.

You have a lot of services like DynamoDB or Kinesis which look designed to lock us into you as a vendor if we adopt them. Why would we want to choose being locked into AWS? Why should I use higher level services? Why can't I do things the old way with core services like EC2?

90% of the features and services AWS releases are based directly on customer feedback. Some services are based on what has worked well internally or created to address a gap in the market. We will never push you to use any particular service. They are available if you think they'll bring value. AWS was designed to be highly flexible. You can choose to run many of your existing workloads on our compute service, EC2. For example, while DocumentDB is a MongoDB API compliant service we offer, you can set up a MongoDB cluster on EC2 instances. The same is true for Kinesis, if you'd prefer to use Kafka or another product. Your Solutions Architects are here to help guide and support your decision.

Redshift: How is it different from the Greenplum data warehouse that we use?

AWS Redshift is a large-scale data warehouse service for use with business intelligence tools, while Pivotal Greenplum is an analytic database platform built on PostgreSQL. Can you kindly elaborate on the particular use case so we can deep dive at a later point in time?

Does AWS provide DDoS protection?

AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards applications running on AWS. It provides dynamic detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.

Why should we switch away from MongoDB?

AWS allows the flexibility to run almost any workload, including MongoDB. You can continue to use and manage MongoDB like you currently do by running it on EC2. AWS offers DocumentDB with MongoDB compatibility if you'd like to shift the infrastructure management to AWS, but there's no requirement to do so.

How does AWS operate under Amazon.com? Since you're part of Amazon, are we just getting excess capacity they're not using? Are we going to be treated like second class citizens? As a retailer, we're competitors with Amazon, so why should we work with AWS?

AWS and Amazon.com are separate entities and Amazon.com is a customer of AWS with their own account manager and team, just like anyone else. Amazon.com doesn't get priority or special access and their utilization and growth plans are taken into account during AWS's capacity planning, just like with any other customer.

Could you talk about how you would provide us with HIPAA compliance? How much would it be? We need to be SOC1 compliant, will you certify our workload? We do business with gov and have to be FISMA compliant and end-point must have FIPS encryption. Do you provide this? If we don't have access to these [infrastructure components] how will we make sure that we are compliant?

AWS doesn't certify your workloads. We will provide you with the accreditation documentation covering the infrastructure and hosting operations that you can send to your auditors with your own workload information. We are [accreditation] certified.

What type of hypervisor?

AWS historically leveraged the Xen hypervisor. Starting in 2018 AWS launched its own hypervisor named Nitro, which uses fewer resources than traditional hypervisors, making performance nearly indistinguishable from bare-metal systems. Hypervisor runs in Ring0. VMs run in Ring3/Ring4, and discuss from there. Isolation between EC2 and EBS - Understanding the communication.

Can you create a new region where I need it?

AWS is also looking for where demand exists for establishing or expanding our points of presence. What are the requirements for why you'd need AWS to build you a datacenter?

Can you talk about your plans to open new locations, like India?

AWS is constantly looking to upgrade its region/AZ/datacenter footprint globally based on customer needs. We also publish our global map of presence along with upcoming/planned AZs/regions. What is the specific use case?

Could we bring our own appliance? Where do I ship our servers for migration?

AWS provides and manages all equipment in the datacenter. What are you looking to move?

We can't have our internal data on the Internet. Can we provision an S3 bucket in our VPC?

AWS supports VPC endpoints for services like S3, so you can certainly configure your account to ensure this traffic remains inside the AWS network.

If we go over a defined budget, are you going to terminate and delete our instance and data?

AWS won't terminate or delete your data. We provide tools allowing you to define the actions to take based on alerts, but those are for you to define and manage.

Do you own all of the regions and AZs?

Amazon owns and operates many of its data centers, while others are housed in colocation spaces that are offered by various reputable companies under contract to Amazon. Is there any specific concern that I can help you address?

=== Full response, which could be shared in writing IF the customer has an NDA signed with us

Third-Party Management: Colocation Oversight

Amazon owns and operates many of its data centers, while others are housed in colocation spaces that are offered by various reputable companies under contract to Amazon. In these facilities, the colocation provider provides the first line of physical security that meets AWS' established requirements. Contracts with the third party colocation providers provide protection for AWS assets. In addition, AWS monitors adherence with security and operational standards by performing periodic reviews of colocation service providers. AWS spaces within colocation facilities are installed with AWS-operated CCTV, intrusion detection systems, and access control devices that alert AWS personnel of access and incidents. Physical access to AWS spaces within colocation facilities is controlled by AWS and follows standard AWS access management processes. Refer to the following AWS Artifacts for additional details: MTCS, ISO 27001, ISO 27017, IRAP, NIST 800-53 (FEDRAMP & DOD), SOC 2 COMMON CRITERIA, K-ISMS

Hardware fails and if we're running thousands of instances. What do you do to guarantee we're not losing VMs when your servers crash or fail?

As we get into architectural discussions with your teams, we have a Well Architected Framework and whitepapers we can leverage for resiliency designs. At a high level, using multiple Availability Zones, Autoscaling Groups, and Elastic Load Balancers are some best practices around ensuring high availability. Is there a particular workload you have in mind?

How do you guarantee we don't get impacted by "noisy neighbors"? How do you guarantee the CPU and memory we've requested is actually allocated to us and not stolen by another VM?

As we get into architectural discussions with your teams, we have a Well Architected Framework and whitepapers we can leverage for resiliency designs. With CloudWatch monitoring, actions can be automated for recovering from impacted components. AWS also offers Dedicated Hosts, which dedicates the underlying host solely for your account's use, but I would like to look at the requirements in more detail before making a recommendation.

Can I mount S3 on multiple instances?

Ask about use case as this likely means not understanding what S3 is. For shared-access storage, mention EFS or FSx, but dive into the use case further to see if that is the best fit.

If we spin down an environment on Friday, but need it on Monday, will AWS guarantee that the capacity will be available? If we're anticipating a huge spike and need 1000 instances, will AWS guarantee the capacity?

Ask how many such events are you expecting? Or how often does it happen? If you're anticipating a need for a sudden increase in resources, like 1000 new instances, your Solution Architects and Account Manager would work with you to understand the use case and guide you in meeting that demand. AWS also has a process for special events. By working with your account team, we can open an Infrastructure Events Management ticket that helps you plan for large-scale events such as product or application launches, infrastructure migrations, and marketing events. This includes capacity planning support.

Another way to answer: There are a number of ways to architect this. You have the ability to spin up resources On demand or we have an option for reserved instances. If you have bursty applications or you have large scale events, talk to your account manager and enterprise support teams (if you choose to go that route) to make sure we can have the necessary capacity. The team can help you with the architectures to design for such large scale events. We are truly a partner and will support you to achieve your business outcomes.

What's the latency b/w two AZs?

Availability Zones are connected by high speed, low latency links, typically in the single digit millisecond range. If you want to measure the latency of a particular set of AZs, you can use the same tools you normally would to test connectivity between instances.

Elastic Beanstalk and OpsWorks sound really similar. How are they different?

Both Beanstalk and OpsWorks are means of managing your infrastructure, but they target different use cases. For Beanstalk, you can simply upload your code to Elastic Beanstalk and define its requirements, and the service handles the infrastructure, deployment, load-balancing, scaling, and monitoring. OpsWorks is a configuration management service that provides managed instances of Chef and Puppet that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed.

I've heard some rumors that the cloud is more expensive, so I'd like to learn how this will affect our bottom line.

By aggregating the usage of thousands of customers, AWS is able to achieve massive economies of scale. This translates to lower pay-as-you-go prices. We pass these savings on to our customers automatically without the need to request it. For instance, when AWS reduced the price of our Block Storage snapshots in August 2016 by 47%, this change was automatically applied to our customers. Also, we've reduced prices 134 times (as of September 20 2023) since AWS launched in 2006. I need to better understand the workloads in discussion, perhaps we can have a session around a particular workload and business needs to perform a Total Cost of Ownership analysis. There may be areas to further cost-optimize workloads for cloud hosting.

How do I cutover across regions if one is unavailable?

Can you please help me to understand the use case? We can do a deep dive using AWS Well Architected Framework and work on this concern/requirements of availability/fault tolerance.

Can SNMP traps provide information to feed into CloudWatch?

CloudWatch allows you to send custom metrics to fit your workload's monitoring requirements. SNMP isn't natively supported, but between third party solutions from AWS partners or custom scripts, the data can be sent into CloudWatch. If you have an example in mind, I can look into a more specific way to accomplish this or perhaps provide a script that would show how.

How is S3 replicated and backed up? What is the S3 durability?

DRAFT: Region protection: Cross-region Replication. Same region: Versioning. 11-9s of durability for most storage options.

EBS volumes are stored in S3, right? How is S3 different than EBS?

EBS snapshots are stored in S3, but they're not objects you can access via the S3 console. EBS volumes are not stored on S3, it is a separate storage service. EBS and S3 are different technologies. EBS is a block storage service to provide hard drives mounted to instances. S3 is an object store for API-based access to data. Think of EBS as just hard drives, mounted filesystems you access via normal file operations. S3 isn't mounted and is designed for API-based access.

Are there granular resource level permissions for SQS?

In what way, what are you looking to do? Access policies can be defined at the queue level or at the user level (using IAM policies) that can grant rights to perform queue-based actions like get/put/list.

We've invested heavily in X and it's licensed per processor ID, so we can't use cloud virtualization, can we?

If you have licensing requirements tied to hardware IDs, AWS offers Bare Metal instances where you have access to the hardware for use cases like this.

We have requirements for data center distances. How far apart are the data centers in an availability zone? Where are your data centers? How far apart are two AZs? How many availability zones are in a region?

For the security of all customers, we don't publish the locations or details of the specific datacenters. We can provide you with the third-party audit reports and dive deeper into our certifications if you'd like. For high availability, best practices are to ensure a workload spans multiple Availability Zones, which are designed to be fault-isolated from each other. Every region has at least two Availability Zones, but for a particular region, we publish the AZ counts by region online. I'd be happy to get the latest info for you. What is the business driver for specified distances?

Can I use the GovCloud Region?

GovCloud has a set of requirements for who can access it, but you are able to apply for access if you have an existing AWS account. What are you looking to use GovCloud for?

We just bought lots of new hardware and software licenses, do I need to throw them away to move to AWS?

Hybrid Strategy, Bring Your Own License (BYOL):
- Keep using existing hardware until end-of-life
- Gradually migrate workloads to AWS
- Use AWS Direct Connect to integrate on-premises with cloud

Can we still use AWS if we don't have internet?

I am not sure about our competitors' capabilities. To deliver content to end users with lower latency, Amazon services like CloudFront use a global network of 600+ Points of Presence (and 13 Regional edge caches) in 84 cities across 42 countries and growing. We can do a deep dive.

You only have X POPs? Akamai has YY so why would we use CloudFront?

I am not sure about our competitors' capabilities. To deliver content to end users with lower latency, Amazon services like CloudFront use a global network of 600+ Points of Presence (and 13 Regional edge caches) in 84 cities across 42 countries and growing. We can do a deep dive.

Can I get private pricing through the Marketplace?

I can reach out to our partnership team to look into that further. Is there a particular product you're interested in?

We can't have competitors on the same hosts as our workloads. Can AWS guarantee we won't be sharing hardware?

I'm curious what your concerns are? AWS fully isolates instances from each other, but we do offer Dedicated Hosts which dedicates the underlying host solely for your account's use.

Azure has x # of Regions but you have only Y?

I'm not sure how other providers configure their offerings, but AWS has XX Availability Zones within XX geographic regions around the world, with announced plans for XX more Availability Zones and XX more AWS Regions. (XX- confirm the latest numbers on global infrastructure site) AWS also has 600+ Points of Presence (XX Edge Locations and X Regional Edge Caches) in XX cities across XX countries. What global capabilities are you looking for?

Can we use an existing directory?

IAM can federate with your existing directory where you can map IAM groups to directory group membership.

Microsoft offers instances with 64TB of memory. What's your largest? What's the largest machine we can get in terms of memory? If you can't offer 64TB, why would we choose you over Azure?

If it's a knowledge-check question, mention what you're aware of but caveat the need to check. (U7i instances are up to 32TB) If it's a challenge of AWS vs Azure, don't fall for the trap, ask about the use cases and try to pivot to a followup discussion.

What's our RTO if there is a failure? Do you support point in time restores?

If you are using Multi-AZ RDS, a failure of one node generally recovers within a minute by switching to the standby instance with the only availability impact being the time it takes for the DNS pointer to update. For a single-AZ RDS instance, the RTO of an outage where the data isn't impacted, just the EC2 instance, the availability impact would be the length of time it takes for the underlying EC2 instance to recover, which could take several minutes plus the time to replay any transaction logs. If the impact is due to losing the storage volume, a point-in-time restore can be performed from a snapshot.

What's a region? What's an availability zone?

Regions are separate geographic areas completely independent from each other. Each region has multiple isolated fault domains called Availability Zones connected to each other by low latency links. Availability Zones contain one or more discrete datacenters.

If we enter an enterprise relationship with AWS, what discount structures can we expect?

Reserved Instance (RI) and Savings Plans:
- Up to 72% savings vs On-Demand pricing
- 1 or 3 year commitment options
- Compute and EC2 Instance Savings Plans available

What's the difference between S3 and Glacier?

S3 is designed for fast access to frequently used data whereas Glacier is an archival system. Glacier has lower per-gig storage costs, but higher retrieval times. Glacier is also designed for meeting compliance requirements around long term data retention. Think of Glacier as like a tape library.

We have petabytes of data. Can we just dump it into S3 or do we need to notify you first to ensure capacity?

S3 is designed to be effectively limitless. You're not required to notify AWS, but if you want to give your account team a heads up, we can help with the best methods for transferring that data. In addition to just copying to S3, we also offer services like Snowball where we ship you an appliance to copy data to which we can load for you. These may be faster or more efficient.

Can I use S3 for all my storage needs, or are there cases where it's not appropriate?

S3 is great for high speed object storage. Great use cases are to store static assets like images and javascript files to offload serving that content from the web tier. Any use case that requires file I/O isn't a fit for S3, such as a database or any operations that require file locks or file appends. In S3, reads are GET operations and writes are PUT, which uploads the entire object again.

Can I host dynamic content on S3?

S3 is widely used for hosting static content. It doesn't process files read, so it cannot host dynamic content. S3 can be used to augment other options for dynamic hosting, like Elastic Beanstalk or EC2 instances running Apache or Nginx, by offloading the static content to S3. [If asked how to offload static:] Elastic Load Balancers and CloudFront can do path-based routing, so your /images/ URI can be configured to serve from S3.

We have an existing auditor that comes in and inventories our systems and performs detailed tests. How do we get our audit team in to validate the environment and application if they're in your datacenter?

Security in the cloud is a shared responsibility model. For infrastructure compliance, AWS has certifications based on third-party audits and we can provide you that documentation to aid in your audit requirements. Additionally, you have full visibility into the logical infrastructure via API calls, so your auditors can get information on items like security group (firewall) rules or RDS configuration via API calls, or account access information through our API auditing service, CloudTrail. I can also get you more information on auditing in the cloud, perhaps even sit down with your internal audit team and AWS's specialists in the field to better understand how to meet your needs.

Can you view my data? If we're running on your hardware in your data centers, I can't imagine you guys don't have root controls to log into the machine. If we have to store an encryption key with you, you can theoretically still get access, right?

Security is our top concern and we have a robust separation of duties. The datacenter operations personnel do not have access to or knowledge of the logical layer, meaning that even when troubleshooting a system, they don't know which customer or workload is running on that instance. Conversely, those with logical access don't know the physical systems involved. For physical system access, those events are tracked and audited. We have many certifications and regularly have third-parties audit us and those documents can be made available to you. Access to your account is under your control. Even the Solutions Architects assigned to you can't access your account or systems unless you create an IAM account for them. There are also many options for encrypting data at rest and in transit, including using client-side encryption if you want to retain full control over the keys.

You recommend we deploy in at least two Availability Zones (AZ)/Regions. Does that mean our costs will double?

Some of the resources like EC2 will increase. But for Multi-AZ RDS and ElastiCache, the feature is already included. Customers can implement autoscaling groups across AZs to optimize instance count.

If I buy through the AWS marketplace, who do I call for support? You, or them?

Support for Marketplace software is based on your agreement with the vendor of that product, but the resources provisioned run within your AWS account and you can leverage your AWS support contract for assistance with the infrastructure, if needed.

You mentioned encryption at rest and in transit, but that's a heavy hit to compute power. How much overhead is there when enabling encryption?

That depends on where we're discussing encryption. For example, with encrypted EBS volumes you can expect the same IOPS with minimal impact on latency. For SSL between EC2 instances, you can expect similar performance overhead to hosting on-premises. Where are you most concerned about performance impact? I can dig deeper into this and get back to you with more details.

You said regions contain multiple availability zones, but I see one circle on your side that only has a "1" in it.

That's the Osaka-local region, a special use case created to comply with changes in Japanese data availability and privacy laws after Fukushima. It is not generally available and can only be accessed by accounts with workloads in the Tokyo region. While it is a separate region by definition, it is a special use case for customers of the Tokyo region.

Will AWS use my data to train the model? Does AWS provide free training? With all the benefits of the cloud, do we still need to pay you?

There are free trainings available, such as the free trainings offered by AWS Skill Builder. Ask whether the concern is budget or cost, and answer from there.

We have a lot of business units with different policies so we don't want everyone in the same account. Should we have an account for each? How can we maintain cost controls, access policies, and security with a bunch of accounts?

There's a lot of flexibility in setting up an organization structure in AWS and creating centrally managed guardrails around security, access, compliance, etc. It might be a good idea to go over your needs in more detail. We can help design a structure using AWS Landing Zones, which are our best practices around account management.

You said we can instantly scale, but realistically how long does it take?

This depends on your workload and services and how you choose to configure the instances. For services like DynamoDB, when you adjust the throughput capacity, the capacity is available as soon as the configuration change is applied. For an EC2 instance, you'll want to do some test runs to determine the average OS bootup time and any post-boot configuration management runs to understand how long it takes from initiating a launch to application availability. The turnaround time is within minutes. The majority of replacements happen within less than 5 minutes, and on average it is significantly less than 5 minutes. It depends on a variety of factors, including how long it takes to boot up the AMI of your instance.

How does IDS/IPS work on AWS? If we need a network tap, can we do so? If AWS is blocking attacks, that means you're reading our traffic, right?

To reiterate the shared security responsibility, security of the cloud is AWS's while security in the cloud is the customer's responsibility. Intrusion Detection and Prevention can be achieved in a number of ways. There are tools/services like GuardDuty, 3rd party solutions (AWS Marketplace), as well as architecture best practices which we can go through using our Well Architected Framework. Let's set up a follow up with our specialists on this topic. Amazon VPC traffic mirroring is a "virtual fiber tap" that gives you direct access to the network packets flowing through your VPC. I respectfully disagree with the 3rd statement. Let's have a follow up on what the specific concerns are.

Do you support TDE? (Transparent Data Encryption)

Transparent Data Encryption (TDE) serves as a security mechanism that encrypts data at the storage layer, protecting sensitive data contained in database files on disk. TDE encrypts and decrypts data on the fly as it is written to or read from the storage without requiring any modifications to the application's code. Amazon RDS supports using Transparent Data Encryption (TDE) to encrypt stored data on your DB instances running Microsoft SQL Server.

What happens if the court requests for our data to be released that is stored in AWS?

We operate within the jurisdictions and have to comply with local laws.

We have a hybrid/multi-cloud strategy, how can we manage & monitor our workloads with a small set of tools or solutions? We don't want to use tools from different cloud providers to manage our servers, applications or data. How would AWS address this challenge?

We've seen that customers get the best experience, performance, and cost when they choose a primary cloud provider. However, for a variety of reasons, some customers end up in a situation where they're running their IT operations in a multicloud environment. For example, a customer might have acquired a company that was already running on a different cloud provider. Whatever the reason, operating multiple-cloud environments at scale adds significant complexity and increased management difficulties. Customers often must use solutions from multiple providers to provision, manage, and govern IT resources; monitor the health of their applications; and collect and analyze data stored in multiple locations. To help customers overcome these challenges, AWS has extended its services over the past several years to help them create, manage, and govern infrastructure and applications hosted in hybrid and multicloud environments.

Do you use Juniper or Cisco Switches?

What kind of access are you referring to? What are you looking to do? AWS doesn't provide access to the infrastructure layer. The route tables within your VPC are fully managed by you, and you also control the network ACLs for your VPC subnets, through the AWS console or CLI/API calls.

What kind of access do we have to routers and switches?

What kind of access are you referring to? What are you looking to do? AWS doesn't provide access to the infrastructure layer. The route tables within your VPC are fully managed by you, and you also control the network ACLs for your VPC subnets, through the AWS console or CLI/API calls.

You said we'll move to a variable expense model, but we are used to/like the CapEx model we have. Can we remain CapEx in AWS? Can we amortize our spend? How do we expense our AWS costs?

While AWS is a pay-as-you-go model for the consumption of resources, we do offer the ability to pay upfront for usage commitments with our Reserved Instances. Options there include full or partial upfront payment for 1 to 3 years of specified utilization for compute shapes. Whether or not you can amortize or consider this as CapEx is more of a finance discussion. I can set up a meeting with your Account Manager and your finance team to dive a bit deeper into this, if you'd like.

So, EC2 is basically the same as VMware?

While similar to VMware in terms of being virtualized operating systems, EC2 is compute on demand and there are a lot of options to enable your developers and engineers to create resilient applications with AWS managing the underlying infrastructure. VMware is also a partner and it is possible to run VMware on top of EC2 and to integrate with your on-premises VMware infrastructure.

I see that some regions only have 2 AZs listed. That means S3 Standard isn't supported there, correct?

While we design regions with at least two publicly available Availability Zones, we ensure the capacity exists to meet service commitments. S3 Standard is supported and the replication occurs to a private area within that Region, but that area isn't made publicly available for workload placement.

Do you support Windows Server 2003?

Windows 2003 R2 is available as an AMI, but we can also discuss steps to migrate your workloads to a newer Windows version since Microsoft ended support in 2015.

How do we prevent costs going out of control? It's great that this can enable our developers to be more agile, but what's to stop them from spinning up a lot of expensive services?

With AWS Budgets, set custom budgets to track your costs and usage, and respond quickly to alerts received from email or SNS notifications if you exceed your threshold. Service Control Policies offer central control over the maximum available permissions for all accounts in your organization.

You said the AWS Marketplace helps with licensing, but how? Is it cheaper? What if I already have a license?

With AWS Marketplace, licensing is included as a per-hour charge, so you pay normal AWS costs for the infrastructure plus the vendor's licensing fee. You can use a product without paying a large up-front agreement. Depending on your licensing agreement and the vendor's Marketplace offering, you may be able to use your existing licenses, but that's a discussion to have with the vendor. Is there a particular workload you're looking for from the Marketplace?

We own our datacenter, so internal traffic isn't encrypted, but we're not comfortable having unencrypted traffic on a public cloud. Does AWS encrypt the traffic between our instances? Do you encrypt traffic between AZs?

Within the AWS network, you'll be hosting in a Virtual Private Cloud (VPC) and all traffic between your instances stays within your VPC. Other customers cannot see your traffic. Configuring inter-instance traffic encryption would be the same as on-premises.

Can we bring our own class C IP / public IP addresses? For email sending, for example. We have our own range that's very clean and we don't want to get rejected.

Yes, AWS supports bringing IP ranges you own to your account. For email sending, I'd like to understand that use case further. AWS provides the Simple Email Service with aggressive management of remaining a trusted sender to avoid rejections. One thing to mention is port 25 is throttled by default for all EC2 instances, but this can be removed for a specific instance if needed.

Can we use Route 53 without CloudFront?

Yes, Route 53 is a separate service that integrates with, but doesn't require, CloudFront.

Can we use CloudFront with our datacenter instance?

Yes, you can define a custom HTTP origin in CloudFront for your on-prem hosts.

We have to do regular intrusion / penetration testing and vulnerability scans. Are we allowed?

Yes, you can perform intrusion and penetration testing against your own workloads on AWS. Depending on the type of test, you may need to submit a request beforehand. You're not allowed to perform such tests against AWS services or APIs, however. I can get the AWS policy details around this if you'd like.

