AWS re:Invent 2022 re:cap – Part 2 Networking and Compute Services

Every year AWS hosts a learning conference for the global cloud community called re:Invent. It brings the AWS community together in Las Vegas for five days of keynotes, announcements, in-depth training, certifications and interactions with partners and customers. Post pandemic, 2022 was the first opportunity to host the event back at full capacity in person. In this series of blogs I will be presenting a summary of the event. In part 1 I presented a summary of the keynotes from the different days. Here I will give a summary of some of the key networking and compute announcements. You can also see all my blog posts related to re:Invent on my re:Invent page.

re:Invent is always jam packed with announcements from AWS and this year was no exception. As in the previous re:Invent post, I will give a high-level summary of each announcement, explain why it is useful, and link to the related AWS documentation. In future posts I will also try to present demos of some of the more interesting services we encountered. In this blog I will cover the following:

  • Networking, Security, Identity, and Compliance
  • Compute

Networking, Security, Identity, and Compliance

Networking and security are fundamental to any successful cloud architecture, which is why there is always a huge focus on that space at re:Invent. This year the major announcements were:

  • AWS Verified Access
  • VPC Lattice
  • AWS KMS External Key Store (XKS)
  • Amazon Inspector Lambda Vulnerability Scanning
  • Automated Data Discovery for Macie
  • Amazon Verified Permissions

Let's briefly look at each one.

AWS Verified Access

Traditionally, remote access to applications when on the road or working from home is granted by a VPN. Once the remote workforce is authenticated on the VPN, they have access to a broad range of applications, depending on multiple policies defined in siloed systems such as the VPN gateway, the firewalls, the identity provider and the enterprise device management solution. These policies are typically managed by different teams, potentially creating overlaps and making it difficult to diagnose application access issues.

AWS Verified Access is a new secure connectivity service that lets enterprises give local or remote users secure access to corporate applications without a VPN. Verified Access improves your organisation's security posture by combining multiple security inputs before granting access to an application: it grants access only when the user and their device meet the security requirements you specify. Examples of inputs are the user's identity and group membership, taken from an OIDC or IAM Identity Center trust provider, and the device's security posture, taken from a device trust provider. Verified Access sits in front of HTTP(S) applications and evaluates the policy on every request, regardless of which user or network the request comes from, rather than once at connection time as a VPN does. One practical caveat: because it is an application-layer proxy, it covers web applications and not arbitrary TCP traffic, so it complements rather than replaces a VPN for non-HTTP workloads. You can find out more here.
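As an added example, not from the original post and not AWS-supplied code, here is a Verified Access group policy written in Cedar, the language Verified Access policies use, expressing the combination of inputs described above. The trust-provider reference names (`idc` for an IAM Identity Center user trust provider, `jamf` for a Jamf device trust provider), the group IDs, the `risk` values and the `http_request` attribute names are assumptions for illustration; check the context attributes your own trust providers actually expose before copying it.

```cedar
// Added example (not from the original post). Assumed trust-provider
// reference names: "idc" (IAM Identity Center user trust provider) and
// "jamf" (Jamf device trust provider). Group IDs are placeholders.

// Allow access only to verified corporate users in the finance group
// whose device Jamf currently rates as low risk.
permit(principal, action, resource)
when {
    context.idc.user.email.verified == true &&
    context.idc.user.email.address like "*@example.com" &&
    context.idc.groups.contains("11111111-2222-3333-4444-555555555555") &&
    context.jamf.risk == "LOW"
};

// Even for permitted users, state-changing requests (anything but GET)
// require membership of the finance-admins group. In Cedar a matching
// forbid always overrides a matching permit, so this narrows the rule above.
forbid(principal, action, resource)
when {
    context.http_request.http_method != "GET" &&
    !(context.idc.groups.contains("66666666-7777-8888-9999-000000000000"))
};
```

The useful property here is that identity, device posture and request attributes are evaluated together in one place, per request, which is exactly the siloed-policy problem the VPN model struggles with. Test the policy with a non-production endpoint first: a typo in a trust-provider reference name makes the `when` clause evaluate to an error rather than false, and the request is denied.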

VPC Lattice

Modern architectures rely on communication between components and services. To make these services talk to each other you need a way to let them discover where the others are, authorise access, and route traffic. VPC Lattice, announced in preview, is a new capability of Amazon Virtual Private Cloud (Amazon VPC) that gives you a consistent way to connect, secure, and monitor communication between your services. With VPC Lattice you define policies for traffic management, network access, and monitoring, so you can connect applications in a simple and consistent way across AWS compute services (instances, containers, and serverless functions). Access control is expressed as IAM auth policies attached to a service or to a service network, so who may call a service is decided by identity rather than by source IP, and each request can be logged. VPC Lattice automatically handles network connectivity between VPCs and accounts, and network address translation between IPv4, IPv6, and overlapping IP address ranges. You can find out more here.

AWS KMS External Key Store (XKS)

Customers who have a regulatory need to store and use their encryption keys on premises or outside of the AWS Cloud can now do so. This new capability allows you to store AWS KMS customer managed keys on a hardware security module (HSM) that you operate on premises or at any location of your choice.

At a high level, AWS KMS forwards the cryptographic operations for such a key to an XKS proxy that you deploy in front of your HSM, reachable either over the public internet or through a VPC endpoint service. Your key material never leaves your HSM; KMS only ever sees wrapped data keys. This lets you encrypt data with external keys for the vast majority of AWS services that support KMS customer managed keys, such as Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more, with no change to your existing service configuration or code. The trade-off a practitioner should plan for is that the availability and latency of your proxy and HSM now sit directly in the data path: if they are unreachable, every service that depends on that key loses access to the data it protects, so this is a capability to reserve for workloads with a genuine requirement for key material outside AWS. You can find out more here.

Amazon Inspector Lambda Vulnerability Scanning

Amazon Inspector is a vulnerability management service that continually scans workloads across EC2 instances, container images in ECR, and now AWS Lambda functions and Lambda layers. Previously, customers who wanted to analyse mixed workloads (EC2 instances, container images and Lambda functions) for known vulnerabilities had to combine AWS and third-party tools. Findings for Lambda functions appear alongside the rest of your Inspector findings and can be forwarded to AWS Security Hub like any other. You can find out more here.

Automated Data Discovery for Macie

Security is always a priority. Amazon Macie is a data security service that discovers sensitive data in Amazon S3 using machine learning and pattern matching, giving you visibility and automated protection against data security risks. Automated data discovery continually samples objects across your entire set of S3 buckets, aggregated at AWS Organizations level, to surface sensitive data and potential data security risks without you having to define and run discovery jobs for each bucket. You can find out more here.

Amazon Verified Permissions

Amazon Verified Permissions, announced in preview, is a scalable, fine-grained permissions management and authorisation service for custom applications. Policies are written in the Cedar policy language, and the application asks the service for a decision at request time via the IsAuthorized API rather than embedding authorisation logic in its own code. With Amazon Verified Permissions, application developers can let their end users manage permissions and share access to data. For example, developers can use it to define and manage fine-grained permissions that determine which Amazon Cognito users have access to which application resources. You can find out more here.
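As an added example, not from the original post and not AWS-supplied code, here is a small Cedar policy set of the kind you would load into a Verified Permissions policy store for the Cognito use case above. The `DocApp` namespace, the entity types, action names and attribute names are assumptions for a hypothetical document-sharing application; the entity data (owner, visibility, archived flag) would be passed to the service with each authorisation request.

```cedar
// Added example (not from the original post). Hypothetical "DocApp"
// application whose principals are users from a Cognito user pool;
// all type, action and attribute names are assumptions.

// Anyone with a valid identity may read documents marked public.
permit(
    principal,
    action == DocApp::Action::"ViewDocument",
    resource
)
when { resource.visibility == "public" };

// Members of the Cognito "Editors" group may view and edit the documents
// they own. Ownership is checked by comparing the resource attribute to
// the principal entity, so the rule needs no per-user policies.
permit(
    principal in DocApp::UserGroup::"Editors",
    action in [DocApp::Action::"ViewDocument", DocApp::Action::"EditDocument"],
    resource
)
when { resource.owner == principal };

// Archived documents are read-only for everyone. A matching forbid
// overrides every permit, so this holds even for the owner.
forbid(
    principal,
    action == DocApp::Action::"EditDocument",
    resource
)
when { resource.archived == true };
```

The point to notice is that the application never decides "is this user allowed"; it supplies principal, action, resource and attributes and gets back Allow or Deny, so the policy can be audited and changed without a code deployment. Verified Permissions can also validate policies against a schema, which catches misspelt attribute names before they silently turn into denials.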

Compute

Let's take a look at the compute announcements next.

  • AWS Lambda SnapStart
  • ENA Express
  • EC2 Instances with Higher Packet Performance
  • AWS SimSpace Weaver
  • New EC2 Instance Types
  • Amazon ECS Service Connect
  • Amazon EC2 Inf2 Instances
  • Microsoft Office AMIs with Amazon provided license
  • Amazon EC2 Hpc6id Instances Optimised for High Performance Computing

Let's look at each one.

AWS Lambda SnapStart

AWS Lambda functions run inside a secure and isolated execution environment. The lifecycle of each environment consists of three main phases: Init, Invoke, and Shutdown. Among other things, the Init phase bootstraps the runtime for the function and runs the function's static code. In many cases these operations complete within milliseconds and do not lengthen the phase in any appreciable way. In the remaining cases they can take a considerable amount of time, for several reasons. First, initialising the runtime for some languages can be expensive. Second, the static code might download machine learning models, pre-compute reference data, or establish network connections to other AWS services.

With Lambda SnapStart enabled for a function, publishing a new version triggers an optimisation process. Lambda launches your function and runs it through the entire Init phase, then takes an immutable, encrypted snapshot of the memory and disk state and caches it for reuse. When Lambda later needs a fresh execution environment for that version, the state is retrieved from the cache in chunks on an as-needed basis and used to populate the environment, so creating an environment no longer requires a full Init phase. This makes cold-start time faster and more predictable. At launch, SnapStart supported the Java 11 (Corretto) runtime. Two caveats matter for security-sensitive code: anything generated during Init, such as random seeds, unique IDs or cached credentials, is captured in the snapshot and will be identical in every environment restored from it, and network connections opened during Init will not survive the restore. Generate unique values and open connections after the restore (the runtime provides hooks that run before the snapshot is taken and after it is restored) rather than in static initialisers. You can find out more here.

ENA Express

Over the years AWS has done a lot to improve the bandwidth available to services and instances. It has grown from 250 Mbps on the original m1 instances to 200 Gbps on the newest sixth-generation instances, a huge leap. Along with this AWS has released new adapter types, such as EFA and ENAs with enhanced networking options. A common networking problem is tail latency: the slowest few flows (the high percentiles) end up dominating the completion time of a distributed job. AWS created the Scalable Reliable Datagram (SRD) protocol to improve how the underlying communication works, and with ENA Express you get the benefit of that improved network performance on instances using ENA adapters with Express enabled. Note that both the sending and receiving network interfaces must have ENA Express enabled and be in the same subnet; traffic that does not meet those conditions simply uses the standard ENA path.

ENA Express reduces P99 latency of traffic flows by up to 50% and P99.9 latency by up to 85% (in comparison to TCP), while also increasing the maximum single-flow bandwidth from 5 Gbps to 25 Gbps. Bottom line, you get a lot more per-flow bandwidth and a lot less variability. You can find out more here.

EC2 Instances with Higher Packet Performance

A number of new instance types have been launched that deliver twice the packets per second (pps) performance of their predecessors. They are all built on 3rd generation Intel Xeon Scalable processors (Ice Lake) with an all-core turbo frequency of 3.5 GHz. Here are the instance families:

  • m6in
  • m6idn
  • c6in
  • r6in
  • r6idn

You can find out more here.

AWS SimSpace Weaver

AWS SimSpace Weaver is a new compute service to run real-time spatial simulations in the cloud and at scale. With SimSpace Weaver, simulation developers are no longer limited by the compute and memory of a single machine. Many complex, dangerous or expensive real-world scenarios benefit from simulation, but in the past these simulations did not scale well across a distributed environment, so you needed ever bigger and more powerful computers. With SimSpace Weaver you can now scale a simulation across multiple EC2 instances and run even more complex scenarios. You can find out more here.

New EC2 Instance Types

Three new instance types were also announced at re:Invent:

  • C7gn Instances: Powered by AWS Graviton3E processors and designed for your most demanding network-intensive workloads: network virtual appliances (firewalls, virtual routers, load balancers, and so forth), data analytics, and tightly-coupled cluster computing jobs.
  • Hpc7g Instances: Also powered by AWS Graviton3E processors, with up to 35% higher vector instruction processing performance than the Graviton3. They are designed to give you the best price/performance for tightly coupled, compute-intensive HPC and distributed computing workloads, and deliver 200 Gbps of dedicated network bandwidth optimised for traffic between instances in the same VPC.
  • R7iz Instances: Powered by the latest 4th generation Intel Xeon Scalable processors (code named Sapphire Rapids) and running at a sustained all-core turbo frequency of 3.9 GHz.

You can find out more here.

Amazon ECS Service Connect

Microservice architectures are increasingly popular. One challenge is that breaking a monolithic application into microservices, and understanding how those services will communicate, often requires specialist networking knowledge.

Amazon ECS Service Connect is a new capability that simplifies building and operating resilient distributed applications. ECS Service Connect provides easy network setup and seamless service-to-service communication for services deployed across multiple ECS clusters and virtual private clouds (VPCs), using an ECS-managed proxy alongside each task. You can add a layer of resilience to your ECS service communication and get traffic insights with no changes to your application code. You can find out more here.

Amazon EC2 Inf2 Instances

Inf2 instances are designed to deliver high performance at the lowest cost in Amazon EC2 for the most demanding deep learning (DL) inference applications. Inf2 instances are powered by up to 12 AWS Inferentia2 chips, the third AWS-designed DL accelerator. Inf2 instances offer 3x higher compute performance, up to 4x higher throughput, and up to 10x lower latency compared to Inf1 instances. You can find out more here.

Microsoft Office AMIs with Amazon provided license

AWS now offers fully-compliant, Amazon-provided licenses for Microsoft Office LTSC Professional Plus 2021 Amazon Machine Images (AMIs) on Amazon EC2.

Amazon EC2 Hpc6id Instances Optimised for HPC

Amazon EC2 Hpc6id instances are a new instance type purpose-built for tightly coupled HPC workloads. They are powered by 3rd generation Intel Xeon Scalable processors (Ice Lake) running at frequencies up to 3.5 GHz, with 1024 GiB of memory, 15.2 TB of local SSD storage, and 200 Gbps of Elastic Fabric Adapter (EFA) network bandwidth, which is 4x higher than R6i instances.

In the next part 3 I will cover Global Infrastructure, Container and Databases.
