Actually, the post was written by someone located outside the U.S. (a place not using any US-specific time-zone), and posted to the status page by someone else located outside the U.S.
"We are experiencing elevated API error rates and network connectivity errors in a single Availability Zone."
Key fact "A SINGLE AZ". Availability Zone's are isolated from each other with redundant power supplies and internet connectivity and most often physically different datacenter locations. Well architected applications are designed to allow for a single AZ to become unavailable. This is precisely why the cloud is useful: you can bring up new capacity in the other Availability Zones behind the same load balancer with zero effort - the autoscaling does that for you automatically.
Except it's not currently handling this nicely, we've got an ASG behind an ELB, spread across multiple AZs including the affected one, and the ASG doesn't see the new instances as it scales up as ever coming into service - they just stick in "Not yet in service"
What do you mean, "non issue"? We had timeouts all over the place. It doesn't matter how well you app is designed, if the network is congested, you're gonna have calls from your clients...
Its a non-issue because you are not immune to the laws of probability. Things will fail, and you should expect them to. The beautiful thing here is that the failovers work to spec, and in case a single AZ goes out, mean time to recovery for you app can be in the order of single digit minutes (if built right).
Are you talking about stateless applications here? The story is a bit different for databases on AWS in my experience. Yes, you can do multi-AZ synchronous replication, but failover times are between 1-2 minutes.
Also, I don't know how AWS implements failovers internally, but I can see several potential issues that could arise from connectivity loss between availability zones, especially if both EC2 and RDS are involved – few of which are trivial to handle if your application cannot tolerate loss of consistency.
Then you probably don't have the strict consistency and durability requirements that I mentioned. That is probably true for many use cases, but certainly not for all.
Yes, after skimming your referenced article, this is exactly the type of issue that prevents a "simple" failover when databases are involved.
Depending on your application, even returning stale data on one AZ in a split brain scenario might not be acceptable (this is a stronger requirement than not allowing non-reconcilable conflicting writes).
DynamoDB allows strongly consistent reads and your data is replicated across AZs. Id argue that its even better than an RDS setup in that respect.
RDS lets you choose a DB Engine (MySQL, Postgres, etc). the replication depends on the engine you choose, e.g. Postgres native streaming. Heres a good writup on how it works and best practices (https://aws.amazon.com/blogs/database/best-practices-for-ama...)
It doesn't affect a single AZ though. We see numerous problems with AWS services including but not limited to being unable to create new EC2 instances in any AZ.
This is creating a huge number of issues as you lose capacity with the AZ going down and can't recover by creating new instances.
If you were launching directly with EC2, were you doing targeted launches (e.g. specifying Placement.AvailabilityZone for classic or SubnetId for VPC)?
In the case of an AZ failure, launches which don't specify an AvailabilityZone or SubnetId may be impacted for a few minutes, whereas launches which do specify them should still succeed.
I have a couple of arguments, even if you are spread evenly:
* If you lose an AZ,, you are in a state of reduced redundency.
* If you have intermittent drops, you can have lots of issues as it will be coming up/dropping out and cause issues. This will also have an impact on replication of services and cause additional load on instances in working AZs (RDS saw this).
We were affected with one of our marketing pages that we migrated to ECS in a non-HA configuration, our main applications are setup in Multi-AZ HA Configs and weren't affected by this.
Not a big deal to remediate as all the other AZs are working.
This is a single AZ. Your application should tolerate single AZ outages. That is the first rule of building reliable, highly available services on AWS.
12:08 AM PST We are investigating increased network connectivity errors to instances in a single Availability Zone in the EU-CENTRAL-1 Region.
True, but autoscaling at the moment is unable to scale in/out because of this issue.
If your autoscaling group includes the affected AZ, you are out of luck because those instances are being terminated since their health checks fail. But because of the failures, autoscaling is unable to complete this, and unable to launch new instances in the other AZ's as it is stuck on the terminating part.
That is an interesting detail. Would you consider having 3 separate autoscaling groups (one per AZ) or this is not feasible for some reason? One of the interesting aspects of running services on AWS was to remove the AZ from "rotation" while the outage lasts. Meaning, having a DNS change and exclude the public endpoint from taking any traffic. If you have 3 separate groups doing 1/3 of the load and having independent DNS entries, autoscaling groups, etc. then moving traffic from one AZ to another is probably easier. Not sure about the details of your setup though, you might have reasons not to do this.
A setup with an ASG per AZ makes it a lot harder to do real autoscaling based on load/mem/connections.
If it was purely for running a fixed amount of instances equally spread acros AZ's this would probably work, but not in our setup where we have unpredictable traffic and load patterns.
[edit] I know it can be done with combined metrics etc, but it would make it a lot more complicated ;-)
It is most certainly more complicated. We were ok to be put up with that additional complication because service reliability (especially tolerating single AZ outages with ease) was higher on the requirements than avoiding complication. :)
We have the ability to do everything and anything in Javascript EXCEPT for fucking UTC or localized time zones.
Is PST the new UTC? Is there an RFC for this? Did I miss the memo?
Un-fucking-real.