Support filtering by network encryption
Nuru opened this issue · 3 comments
A subset of Nitro instance types support automatic encryption of network traffic. For some applications, this is a requirement, so I would like to have an option to filter instances by this capability.
Hmmm, I don't see any value we can use to filter those in the DescribeInstanceTypes API. I might be missing the attribute; do you see anything? It may very well not be exposed by this API yet, but I'd be hesitant to hard-code instance types or anything like that.
```
➜ ~ aws ec2 describe-instance-types --instance-types c5a.large --region us-east-1
{
    "InstanceTypes": [
        {
            "InstanceType": "c5a.large",
            "CurrentGeneration": true,
            "FreeTierEligible": false,
            "SupportedUsageClasses": [
                "on-demand",
                "spot"
            ],
            "SupportedRootDeviceTypes": [
                "ebs"
            ],
            "SupportedVirtualizationTypes": [
                "hvm"
            ],
            "BareMetal": false,
            "Hypervisor": "nitro",
            "ProcessorInfo": {
                "SupportedArchitectures": [
                    "x86_64"
                ],
                "SustainedClockSpeedInGhz": 3.3
            },
            "VCpuInfo": {
                "DefaultVCpus": 2,
                "DefaultCores": 1,
                "DefaultThreadsPerCore": 2,
                "ValidCores": [
                    1
                ],
                "ValidThreadsPerCore": [
                    1,
                    2
                ]
            },
            "MemoryInfo": {
                "SizeInMiB": 4096
            },
            "InstanceStorageSupported": false,
            "EbsInfo": {
                "EbsOptimizedSupport": "default",
                "EncryptionSupport": "supported",
                "EbsOptimizedInfo": {
                    "BaselineBandwidthInMbps": 200,
                    "BaselineThroughputInMBps": 25.0,
                    "BaselineIops": 800,
                    "MaximumBandwidthInMbps": 3170,
                    "MaximumThroughputInMBps": 396.25,
                    "MaximumIops": 13300
                },
                "NvmeSupport": "required"
            },
            "NetworkInfo": {
                "NetworkPerformance": "Up to 10 Gigabit",
                "MaximumNetworkInterfaces": 3,
                "MaximumNetworkCards": 1,
                "DefaultNetworkCardIndex": 0,
                "NetworkCards": [
                    {
                        "NetworkCardIndex": 0,
                        "NetworkPerformance": "Up to 10 Gigabit",
                        "MaximumNetworkInterfaces": 3
                    }
                ],
                "Ipv4AddressesPerInterface": 10,
                "Ipv6AddressesPerInterface": 10,
                "Ipv6Supported": true,
                "EnaSupport": "required",
                "EfaSupported": false
            },
            "PlacementGroupInfo": {
                "SupportedStrategies": [
                    "cluster",
                    "partition",
                    "spread"
                ]
            },
            "HibernationSupported": false,
            "BurstablePerformanceSupported": false,
            "DedicatedHostsSupported": false,
            "AutoRecoverySupported": true
        }
    ]
}
```
I have not done the full comparison with the documented list, but I think the filter is
`Hypervisor == "nitro" && NetworkInfo.EnaSupport == "required" && EbsInfo.NvmeSupport == "required"`
You might consider using that filter with a documented caveat if it omits a small number of instance types that should be included, so long as it does not include any instance types that should be excluded.
Is that something you can try out?
Update: Well, z1d passes the filter but is not on the list. Bummer.
I can understand why you do not want to include (or maintain) a hard-coded list, but if you don't, I have to, in order to provide the network encryption guarantee. So please think about a way you can support it with caveats.
Hopefully there is some other API call that will distinguish the z1d from the other instance types. Is there something more specific to networking?
I can look into this deeper and try to find something that works. Based on your suggestion of a filter, it would be neat to allow users to specify their own filters based on the describe-instance-types response so that you could do something like this without including it in the actual distribution.
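The two ideas in this thread, the heuristic filter over `describe-instance-types` fields and a user-supplied filter spec, can be combined with an explicit exclusion list for the known false positive (z1d). The following is an added example written for this thread, not code from the project or from either participant. It assumes the record shape shown in the CLI output above; the sample records are constructed and carry only the fields the filter reads, and the exclusion list contains only the family the thread itself names.

```python
"""Filter DescribeInstanceTypes records with a user-defined dotted-path spec,
then drop families known to pass the heuristic without being on the documented
list. Added example; not the project's own code."""
import json
from typing import Any, Callable, Dict, FrozenSet, List

# Constructed sample in the shape of `aws ec2 describe-instance-types` output.
# Only the fields the filter reads are present; values are illustrative.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "InstanceTypes": [
        {"InstanceType": "c5a.large", "Hypervisor": "nitro",
         "NetworkInfo": {"EnaSupport": "required"},
         "EbsInfo": {"NvmeSupport": "required"}},
        {"InstanceType": "z1d.large", "Hypervisor": "nitro",
         "NetworkInfo": {"EnaSupport": "required"},
         "EbsInfo": {"NvmeSupport": "required"}},
        {"InstanceType": "t2.micro", "Hypervisor": "xen",
         "NetworkInfo": {"EnaSupport": "unsupported"},
         "EbsInfo": {"NvmeSupport": "unsupported"}},
        {"InstanceType": "m4.large", "Hypervisor": "xen",
         "NetworkInfo": {"EnaSupport": "supported"},
         "EbsInfo": {"NvmeSupport": "unsupported"}},
    ]
})

# The heuristic proposed in the thread, expressed as a dotted-path spec so a
# user could supply their own spec instead of a built-in one.
NITRO_ENCRYPTION_HEURISTIC: Dict[str, Any] = {
    "Hypervisor": "nitro",
    "NetworkInfo.EnaSupport": "required",
    "EbsInfo.NvmeSupport": "required",
}

# Families that pass the heuristic but are not on the documented list. The
# thread names z1d; this set is the hand-maintained, documented caveat.
KNOWN_FALSE_POSITIVE_FAMILIES: FrozenSet[str] = frozenset({"z1d"})


def lookup(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'NetworkInfo.EnaSupport'.
    A missing key or a non-object along the way yields None so that an
    absent attribute never accidentally matches an expected value."""
    node: Any = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def predicate_from_spec(spec: Dict[str, Any]) -> Callable[[Dict[str, Any]], bool]:
    """Build a predicate that holds only when every path equals its expected value."""
    def predicate(record: Dict[str, Any]) -> bool:
        return all(lookup(record, path) == expected for path, expected in spec.items())
    return predicate


def family_of(instance_type: str) -> str:
    """'z1d.large' -> 'z1d' (the part before the first dot)."""
    return instance_type.split(".", 1)[0]


def select_instance_types(describe_json: str,
                          spec: Dict[str, Any],
                          exclude_families: FrozenSet[str] = frozenset()) -> List[str]:
    """Parse CLI JSON, keep records matching the spec, drop excluded families.
    The result is sorted so repeated runs produce a stable list."""
    records = json.loads(describe_json)["InstanceTypes"]
    keep = predicate_from_spec(spec)
    return sorted(
        r["InstanceType"] for r in records
        if keep(r) and family_of(r["InstanceType"]) not in exclude_families
    )


if __name__ == "__main__":
    # Heuristic alone lets z1d through; with the exclusion list it does not.
    print(select_instance_types(SAMPLE_DESCRIBE_OUTPUT, NITRO_ENCRYPTION_HEURISTIC))
    print(select_instance_types(SAMPLE_DESCRIBE_OUTPUT, NITRO_ENCRYPTION_HEURISTIC,
                                KNOWN_FALSE_POSITIVE_FAMILIES))
```

Because `lookup` returns `None` for a missing field, a record that lacks `NetworkInfo` or `EbsInfo` fails the spec rather than passing it; for a filter meant to enforce a security requirement, the safe default is to exclude what the API does not positively describe. The exclusion list is the caveat the thread asks for: it only ever removes types, so a stale list cannot let an unlisted family through once it has been recorded.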