Analyst 451 Research has released a new report on ParkMyCloud, highlighting that “ParkMyCloud continues to build out its multi-cloud scheduling software, maintaining the clean interface but adding functionality with a reporting dashboard, single sign-on and notifications, including a Slackbot for automated parking.”
It’s true! We’ve been steadily adding features to ParkMyCloud as our customers ask for them. Recent examples include:
- Mobile app – easy access to your ParkMyCloud account for cost management on the go
- RDS parking – park AWS RDS instances, just like EC2
- Slack integration – get notifications and manage your continuous cost control via Slack
Here’s the full “451 take” on ParkMyCloud:
“ParkMyCloud is one of a handful of products that automate cloud resource scheduling via a lightweight SaaS application. With support for Azure and Google Cloud Platform as well as AWS, it offers a bird’s-eye view of provisioned public cloud resources and a slick interface for ‘parking’ idle capacity, either according to a schedule or ad hoc. With a clear ROI story and plans to improve the user experience with a mobile app and a more robust policy engine, the company benefits from a focus on doing one thing and doing it well.”
That “clear ROI story” that 451 Research noted is clear to our customers, too. In fact, most customers have an ROI of less than two months of using the product. The savings rapidly pays for the cost of premium features.
They also noted that the number of instances managed in the platform has tripled, just from Q2 to Q3 this year. More and more AWS, Azure, and GCP users are relying on ParkMyCloud for continuous cost control.
So if you are evaluating cloud cost control (ParkMyCloud), we encourage you to check out the full 451 Research analysis. Download and read the report here: ParkMyCloud automates scheduling of AWS, Azure, and GCP resources.
Ready to join the ParkMyCloud following and start controlling your cloud spend? Start a free trial of ParkMyCloud today.
It has been a little over a month since Amazon and Google switched some of their cloud services to per-second billing and so the first invoices with the revised billing are hitting your inboxes right about now. If you are not seeing the cost savings you hoped for, it may be a good time to look again at what services were slated for the pricing change, and how you are using them.
Google Cloud Platform
Starting with the easiest one, Google Cloud Platform (GCP), you may not be seeing a significant change, as most of their services were already billing at the per-minute level, and some were already at the per-second level. The services moved to per-second billing (with a one-minute minimum) included Compute Engine, Container Engine, Cloud Dataproc, and App Engine VMs. Moving from per-minute billing to per-second billing is not likely to change a GCP service bill by more than a fraction of a percent.
Let’s consider the example of an organization that has ten GCP n1-standard-8 Compute Engine machines in Oregon at a base cost of $0.3800 per hour as of the date of this blog. Under per-minute billing, the worst-case scenario would be to shut a system down one second into the next minute, for a cost difference of about $0.0063. Even if each of the ten systems were assigned to the QA or development organization, and they were shut down at the end of every work day, say 22 days out of the month, your worst-case scenario would be an extra charge of 22 days x 10 systems x $0.0063 = $1.3860. Under per-second billing, the worst case is to shut down at the beginning of a second, with a highest possible cost for these same machines (sparing you the math) being about $0.02. So, the best this example organization can hope to save over a month with these machine with per-second billing is $1.39.
Amazon Web Services
On the Amazon Web Services (AWS) side of the fence, the change is both bigger and smaller. It is bigger in that they took the leap from per-hour to per-second billing for On-Demand, Reserved, and Spot EC2 instances and provisioned EBS, but smaller in that it is only for Linux-based instances; Windows instances are still at per-hour.
Still, if you are running a lot of Linux instances, this change can be significant enough to notice. Looking at the same example as before, let’s run the same calculation with the roughly equivalent t2.2xlarge instance type, charged at $0.3712 per hour. Under per-hour billing, the worst-case scenario is to shut a system down even a second into the next higher hour. In this example, the cost would be an extra charge of 22 days x 10 systems x $0.3712 = $81.664. Under per-second billing, the worst case is the same $0.02 as with GCP (with fractions of cents difference lost in the noise). So, under AWS, one can hope to see significantly different numbers in the bill.
The scenario above is equally relevant to other situations where instances get turned on and off on a frequent basis, driving those fractions of an hour or a minute of “lost” time. Another common example would be auto-scaling groups that dynamically resize based on load, and see enough change over time to bring instances in and out of the group. (Auto-scale groups are frequently used as a high-availability mechanism, so their elastic growth capabilities are not always used, and so savings will not always be seen.) Finally, Spot instances are built on the premise of bringing them up and down frequently, and they will also enjoy the shift to per-second billing.
However, as you look at your cloud service bill, do keep in mind some of the nuances that still apply:
- Windows: GCP applies per-second billing to Windows; AWS is still on one-hour billing for Windows.
- Marketplace Linux: Some Linux instances in the AWS Marketplace that have a separate hourly charge are also still on hourly billing (perhaps due to contracts or licensing arrangements with the vendors?), so you may want to reconsider which flavor of Linux you want to use.
- Reserved instances: AWS does strive to “use up” all of the pre-purchased time for reserved instances, spreading it across multiple machines with fractions of usage time, and per-second billing can really stretch the value of these instances.
- Minimum of one-minute charge: Both GCP and AWS will charge for at least a minute from instance start before per-second billing comes into play.
Overall, per-second billing is a great improvement for consumers of cloud resources…and will probably drive us all more than ever to make each second count.
Cloud Cost Optimization Just Got Easier With the New ParkMyCloud Mobile App
November 8, 2017 (Dulles, VA) – ParkMyCloud, the leading enterprise platform for continuous cost control in public cloud, announced today the release of a new iOS app that allows users to park idle instances directly from their mobile devices. The app makes it easy for ParkMyCloud customers to reduce cloud waste and cut monthly cloud spend by 65% or more, now with even more capability and ease of use.
Before release of the app, current users were invited to participate in a beta test and offer feedback. Keith Nichols, CTO of FurstPerson, said, “Overall love it. I was out to dinner last Friday and got an emergency call to restart an instance that was parked – and I had my phone with me and was able to use the app without needing to drive home to login to my laptop.”
ParkMyCloud CTO Bill Supernor adds that “In addition to reducing cloud costs, ParkMyCloud stands for simplicity and ease of use. Our customers are thrilled to have control over cloud resources with a mobile app, making reducing cloud spend that much easier, even when they are on the go.”
ParkMyCloud is a recognized leader in cloud cost optimization. The new mobile app is another example of how the platform provider is making the experience of managing cloud costs easier and more accessible for enterprise customers. An Android version of the app is currently in development. ParkMyCloud also plans to release utilization-based parking later this year, to further automate instance off times and maximize savings.
ParkMyCloud is a SaaS platform that helps enterprises optimize their public cloud spend by automatically reducing resource waste — think “Nest for the cloud”. ParkMyCloud has helped customers such as McDonald’s, Capital One, Unilever, Foster Moore, and Sage Software dramatically cut their cloud bills by up to 65%, delivering millions of dollars in savings for customers using Amazon Web Services, Microsoft Azure, and Google Cloud Platform. For more information, visit http://www.parkmycloud.com.
What are AWS IAM Roles?
Within AWS Identity and Access Management system (IAM) there are a number of different identity mechanisms that can be configured to secure your AWS environment, such as Users, Groups, and AWS IAM Roles. Users are clearly the humans in the picture, and Groups are collections of Users, but Roles can be a bit more obscure. Roles are defined as a set of permissions that grant access to actions and resources in AWS. Unlike Users, which are tied to a specific Identity and a specific AWS account, an IAM Role can be used by or assumed by IAM User accounts or by services within AWS, and can give access to Users from another account altogether.
To better understand Roles, I like the metaphor of a hat. When we say a Role is assumed by a user – it is like saying someone can assume certain rights or privileges because of what hat they are wearing. In any company (especially startups), we sometimes say someone “wears a lot of hats” – meaning that person temporarily takes on a number of different Roles, depending on what is needed. Mail delivery person, phone operator, IT support, code developer, appliance repairman…all in the space of a couple hours.
IAM Roles are similar to wearing different hats this in that they temporarily let an IAM User or a service get permissions to do things they would not normally get to do. These permissions are attached to the Role itself, and are conveyed to anyone or anything that assumes the role. Like Users, Roles have credentials that can be used to authenticate the Role identity.
Here are a couple ways in which you can use IAM Roles to improve your security:
All too often, we see software products that rely on credentials (username/password) for services or accounts that are either hard-coded into an application or written into some file on disk. Frequently the developer had no choice, as the system had to be able to automatically restart and reconnect if the machine rebooted, without anyone to manually type in credentials during the rebootwhen the system rebooted. If the code is examined, or file system is compromised, then the credentials are exposed, potentially compromisingand can potentially used to compromise other systems and services. In addition, such credentials make it really difficult to periodically change the password. Even in AWS we sometimes see developers hard-code API Key IDs and Keys into apps in order to get access to some AWS service. This is a security accident waiting to happen, and can be avoided through the use of IAM Roles.
With AWS, we can assign a single IAM Role to an EC2 instance. This assignment is usually made when the instance is launched, but can also be done at runtime if needed. Applications running on the server retrieve the Role’s security credentials by pulling them out of the instance metadata through a simple web command. These credentials have an additional advantage over potentially long-lived, hard-coded credentials, in that they are changed or rotated frequently, so even if somehow compromised, they can only be used for a brief period.
Another key security advantage of Roles is that they can be limited to just the access/rights privileges needed to get a specific job done. Amazon’s documentation for roles gives the example of an application that only needs to be able to read files out of S3. In this case, one can assign a Role that contains read-only permissions for a specific S3 bucket, and the Role’s configuration can say that the role can only be used by EC2 instances. This is an example of the security principle of “least privilege,”, where the minimum privileges necessary are assigned, limiting the risk of damage if the credential is compromised. In the same sense that you would not give all of your users “Administrator” privileges, you should not create a single “Allow Everything” Role that you assign everywhere. Instead create a different Role specific to the needs of each system or group of systems.
Sometimes one company needs to give access to their resources to another company. Before IAM Roles, (and before AWS) the common ways to do that were to share account logins (with the same issues identified earlier with hardcoded credentials) or to use complicated PKI/certificate based systems. If both companies using AWS, sharing access is much easier with Role-based Delegation. There are several ways to configure IAM Roles for delegation, but for now we will just focus on delegation between accounts from two different organizations.
At ParkMyCloud, our customers use Delegation to let us read the state of their EC2, RDS, and scaling group instances, and then start and stop them per the schedules they configure in our management console.
To configure Role Delegation, a customer first creates an account with the service provider, and is given the provider’s AWS Account ID and an External ID. The External ID is a unique number for each customer generated by the service provider.
The administrator of the customer environment creates an IAM Policy with a constrained set of access (principle of “least privilege” again), and then assigns that policy to a new Role (like “ParkMyCloudAccess”), specifically assigned to the provider’s Account ID and External ID. When done, the resulting IAM Role is given a specific Amazon Resource Name (ARN), which is a unique string that identifies the role. The customer then enters that role in the service provider’s management console, which is then able to assume the role. Like the EC2 example, when the ParkMyCloud service needs to start a customer EC2 instance, it calls the AssumeRole API, which verifies our service is properly authenticated, and returns temporary security credentials needed to manage the customer environment.
AWS IAM Roles make some tasks a lot simpler by flexibly assigning roles to instances and other accounts. IAM Roles can help make your environment more secure by:
- Using the principle of Least Privilege in IAM policies to isolate the systems and services to only those needed to do a specific job.
- Prevent hard coding of credentials in code or files, minimizing danger from exposure, and removing the risk of long-unchanged passwords.
- Minimizing common accounts and passwords by allowing controlled cross-account access.
Among the variety of AWS services and functionality, AWS Lambda seems to be taking off with hackers and tinkerers. The idea of “serverless” architecture is quite a shift in the way we think about applications, tools, and services, but it’s a shift that is opening up some new ideas and approaches to problem solving.
If you haven’t had a chance to check out Lambda, it’s a “function-as-a-service” platform that allows you to run scripts or code on demand, without having to set up servers with the proper packages and environments installed. Your lambda function can trigger from a variety of sources and events, such as HTTP requests, API calls, S3 bucket changes, and more. The function can scale up automatically, so more compute resources will be used if necessary without any human intervention. The code can be written in Node.js, Python, Java, and C#.
Some pretty cool ideas already exist for lambda functions to automate processes. One example from AWS is to respond to a Github event to trigger an action, such as the next step in a build process. There’s also a guide on how to use React and Lambda to make an interactive website that has no server.
For those of you who are already using ParkMyCloud to schedule resources, you may be looking to plug in to your CI/CD pipeline to achieve Continuous Cost Control. I’ve come up with a few ideas of how to use Lambda along with ParkMyCloud to supercharge your AWS cloud savings. Let’s take a look at a few options:
Make ParkMyCloud API calls from Lambda
With ParkMyCloud’s API available to control your schedules programmatically, you could make calls to ParkMyCloud from Lambda based on events that occur. The API allows you to do things like list resources and schedules, assign schedules to resources, snooze schedules to temporarily override them, or cancel a snooze or schedule.
For instance, if a user logs in remotely to the VPN, it could trigger a Lambda call to snooze the schedules for that user’s instances. Alternatively, a Lambda function could change the schedules of your Auto Scaling Group based on average requests to your website. If you store data in S3 for batch processing, a trigger from an S3 bucket can tell Lambda to notify ParkMyCloud that the batch is ready and the processing servers need to come online.
Send notifications from ParkMyCloud to Lambda
With ParkMyCloud’s notification system, you can send events that occur in the ParkMyCloud system to a webhook or email. The events can be actions taken by schedules that are applied to resources, user actions that are done in the UI, team and schedule assignments from policies, or errors that occur during parking.
By sending schedule events, you could use a Lambda function to tell your monitoring tool when servers are being shut down from schedules. This could also be a method for letting your build server know that the build environment has fully started before the rest of your CI/CD tools take over. You could also send user events to Lambda to feed into a log tool like Splunk or Logstash. Policy events can be sent to Lambda to trigger an update to your CMDB with information on the team and schedule that’s applied to a new server.
Think outside the box!
Are you already using AWS Lambda to kick off functions and run scripts in your environment? Try combining Lambda with ParkMyCloud and let us know what cool tricks you come up with for supercharging your automation and saving on your cloud bill! Stop by Booth 1402 at AWS re:Invent this year and tell us.
Cloud Cost Optimization Platform Vendor Gears Up for Rapid Expansion with New Hire
October 16, 2017 (Dulles, VA) – ParkMyCloud, the leading enterprise platform for continuous cost control in public cloud, announced today that Bill Supernor has joined the team as Chief Technology Officer (CTO). His more than 20 years of leadership experience in engineering and management have included scaling teams and managing enterprise-grade software products, including KoolSpan’s TrustCall secure call and messaging system.
At ParkMyCloud, Supernor will be responsible for product development and software engineering as ParkMyCloud expands its platform, which currently helps enterprises like McDonald’s, Unilever, and Fox control costs on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, to more clouds and continues to add more services and integrations.
“Bill’s experience in the software industry will be a boon to us as we scale and grow the business,” said ParkMyCloud CEO Jay Chapel. “His years in the software and IT space will be a huge advantage as we grow our engineering team and continue to innovate upon the cost control platform that cloud users need.”
“This is a fast-moving company in a really hot space,” said Supernor. “I’m excited to be working with great people who have passion about what they do.”
Prior to joining ParkMyCloud, Supernor was the CTO of KoolSpan, where he led the development of a globally deployed secure voice communication system for smartphones. He has also served in engineering leadership positions at Trust Digital, Cognio, Symantec, and McAfee/Network Associates, and as an officer in the United States Navy.
ParkMyCloud is a SaaS platform that helps enterprises optimize their public cloud spend by automatically reducing resource waste — think “Nest for the cloud”. ParkMyCloud has helped customers such as McDonald’s, Capital One, Unilever, Fox, and Sage Software dramatically cut their cloud bills by up to 65%, delivering millions of dollars in savings on Amazon Web Services, Microsoft Azure, and Google Cloud Platform. For more information, visit http://www.parkmycloud.com.