Posts

EKS clusters rarely start inefficient. They drift there. What begins as a reasonable number of small nodes slowly becomes a fixed cost floor. HPAs are set optimistically. Storage is over-provisioned “just in case.” Instance types are chosen for safety, not fit. Recently, I revisited an EKS environment that had evolved into: 14 × t4g.medium nodes Predominantly gp2 volumes HPA minimum replicas set to 3 or 4 across multiple services Nothing was on fire. Services were stable. But the cost profile didn’t match the actual workload behaviour. ...

AWS NAT Gateways are frequently treated as a default component of VPC design. They are simple to deploy, highly available, and largely invisible once in place. In multiple Availability Zone environments, the recommended pattern is to deploy one NAT Gateway per AZ and route private subnets to their local gateway. While operationally convenient, this approach comes with a fixed and often under-examined cost. This post documents an alternative approach: replacing three managed AWS NAT Gateways with three self-managed NAT instances running FreeBSD on t4g.nano EC2 instances. The focus is on the mechanics of the design, the operational behaviour of FreeBSD as a routing platform, and the financial implications of the change. ...

🚀 How I Used a No-Code Backend to Power a Fake Startup Certification Platform Recently I launched S Corp™ — a parody certification for startups that want to look ethical without the burden of actually doing anything. You type in your company name, click a button, and get a downloadable certificate that looks suspiciously legit. It’s satire. It’s fast. It’s 100% nonsense. Behind the scenes, the app is powered by React, Tailwind, and a healthy disrespect for real sustainability certifications. ...

The AI MCP Protocol: An Ambitious Idea - But this feels like VHS vs Betamax The AI Model Context Protocol (MCP) burst onto the scene in late 2024 as an Open Standard, introduced by Anthropic, suggesting a simple way for AI-powered apps—especially chatbots and assistants—to dynamically plug into external tools and data at runtime. Sounds great, right? But after some digging, it turns out MCP might not be as practical as it initially seems. ...

Did this earlier today for a client. You can’t directly upgrade from 1.29 to 1.32, so instead have to repeat these steps for each version. Upgrading Amazon Elastic Kubernetes Service (EKS) is a crucial maintenance task that ensures security, stability, and access to the latest Kubernetes features. Given AWS’s recommendation to upgrade one minor version at a time, this guide walks through upgrading EKS from version 1.29 to 1.32 in stages. ...

Connecting GitHub Actions to AWS Using OIDC and an Assumed Role When deploying applications or managing AWS infrastructure through GitHub Actions, using OpenID Connect (OIDC) provides a secure way to authenticate without requiring static AWS credentials. This guide will walk you through setting up an AWS IAM role, configuring an OIDC identity provider, and updating your GitHub Actions workflow to assume the role. Step 1: Create an IAM Role for GitHub Actions Navigate to the AWS IAM Console. Click on Roles > Create role. Select Web identity as the trusted entity type. Choose OpenID Connect (OIDC) as the identity provider. Enter the OIDC provider URL: https://token.actions.githubusercontent.com Set the audience to sts.amazonaws.com. Click Next and proceed to configure permissions. IAM Trust Policy After creating the role, update the trust policy to allow GitHub Actions to assume it: ...

AWS + Azure - Single Sign-On: Configuring Azure Entra ID to Login to AWS via Terraform Single Sign-On (SSO) is a powerful feature that allows users to access multiple applications with a single set of credentials. Integrating Azure Entra ID (formerly Azure Active Directory) with Amazon Web Services (AWS) enables seamless access management across both platforms. In this blog post, we’ll explore how to configure Azure Entra ID to enable SSO to AWS using Terraform. ...

Leveraging Amazon Inspector for Enhanced Security: A Deep Dive In the realm of cloud computing, securing applications and infrastructure is paramount. Following our exploration of DevSecOps on AWS, this follow-up post delves into Amazon Inspector, an automated security assessment service that aids in improving the security and compliance of applications deployed on AWS. Amazon Inspector is a potent tool in the DevSecOps arsenal, designed to automatically discover and assist you in remediating security vulnerabilities and deviations from best practices. Here, we’ll explore how Amazon Inspector functions, its key features, and how to effectively integrate it into your AWS security strategy. ...

The Evolution of DevSecOps on AWS: A Comprehensive Guide The integration of security into the DevOps process, known as DevSecOps, is revolutionising how organisations deploy software, ensuring that security is not an afterthought but a fundamental aspect of the development lifecycle. Amazon Web Services (AWS), a leader in cloud computing, offers a robust platform for implementing DevSecOps practices. This blog post explores the significance of DevSecOps on AWS, its benefits, key practices, and tools to seamlessly integrate security into your development processes. ...

Until recently, this blog was hosted on GatsbyCloud – Which was recently discontinued :sadpanda: In theory, it should’ve been reasonably easy to just host Gatsby myself, and carry on, but really I thought I should upgrade to the latest version.. But that got me into NPM Dependency Hell, and frankly my dears, I don’t have time for that kind of nonsense. So I’m reworking it all to be generated by Hugo, then it’s just static, and I can stick it somewhere like S3 and call it a day. ...