AWS switches hypervisor for their new C5 instances and introduces PrivateLinks while GCP adds DNSSEC to their DNS.

AWS’s new Hypervisor

Almost a year after their initial Coming Soon announcement, AWS has finally released the new C5 Instances. These instances are using custom versions of the latest Intel Xeon processors to be faster, more efficient, and all that sort of thing¹. This is good news if you can make use of these instances, which at the moment are only available in a couple of supply constrained regions.

But new instance types are launched all the time, so that’s not what makes this one interesting. No, the really interesting part is the new hypervisor, which they plan to roll out to all future instance types². For existing types AWS uses the Xen hypervisor, but the new one is based on KVM. The switch to a new custom-built hypervisor sounds like it would have been a lot of work and presumably brings with it improved performance and utilization. AWS promised multiple sessions at RE:Invent about the technical details of this new proprietary hypervisor, and I’m looking forward to watching those videos to see what this all means.

AWS PrivateLink

As there is a mix between in-VPC and non-VPC services in AWS, that often means you need to access the non-VPC services over the public Internet. This was solved a couple of years ago for S3 with VPC Endpoints, and earlier this year for DynamoDB. That still left a lot of other services, and it sounds like AWS is now starting to tackle those with PrivateLink.

The difference between PrivateLinks and “old-style” Endpoints is how they are implemented. Both are documented as Endpoints, but PrivateLinks are called Interfaces while the existing method is seen as Gateways. The main difference is therefore how they behave. An Endpoint Gateway is similar to other VPC Gateways. It’s a virtual bridge between 2 things and you can update your routing to use it as such. Endpoint Interfaces on the other hand will create an ENI in your VPC, similar in a way to how that works for Elasticsearch. These ENIs then have an IP address and several CNAMEs you can use to access the underlying service. As these are ENIs, that means access control works through security groups.

At the moment the services are still limited, and mostly seem to be focused on ensuring private API calls for managing your VPC. While that is a good step forward, I would love to see this being used for private API Gateways.

GCP DNSSEC

Google seems to be the first major cloud provider to support DNSSEC for the domains it manages. Domain Name System Security Extensions are a set of specifications for ensuring the validity of your domain.

Basically this means that DNS servers will be able to verify that the DNS information they receive is valid, by verifying each layer, thereby lowering the chances of man-in-the-middle and other attacks. It is a very useful security feature but, as so often, the good people at CloudFlare have a far better explanation of how it works so I’ll let you read that instead.