By Rohit Gohri

Or, how we saved $1200 every month with Let’s Encrypt

This past month we had a really high AWS bill, and it was supposed to be high but not THIS high. The culprit — “Data Transfer Out”. I’m sure I’m not the only one who has had to deal with this.

Some Context

We had a NodeJS service running on EC2 in an Auto Scaling Group (ASG) behind an Application Load Balancer (ALB) that was supposed to handle a huge volume of requests. We were expecting a consistent increase in traffic this month, so we had made estimates on how it would affect our costs. We had expected some high data transfer out of our Application Load Balancer (ALB) but this was a consistent 4–5x of our estimates. Time to investigate.

Analyzing the Data

After filtering Cost Explorer data with tags, it was clear that the ALB was the source of these costs. I immediately went to CloudWatch and checked the “Processed Bytes” metric of the ALB.

Cloud Watch

Processed Bytes is supposed to be “the total number of bytes processed by the load balancer over IPv4 and IPv6 … includes traffic to and from clients”, so ideally Processed Bytes should be greater than the “Data Transfer Out”. But it was not..?

Our stats showed Processed Bytes to be around what our estimates had predicted for this amount of traffic. But Cost Explorer was showing a number that was 4–5 times that. Time to contact support.

AWS Support

We raised a support request to AWS, but we didn’t have high hopes because we were not on the premium support plan. But it was worth a shot.

ELB Access Logs

Next up, we enabled ALB Access Logs to an S3 bucket and let it generate some logs for some time. Upon checking the logs, we were certain that this wasn’t a problem at the application level. The access logs showed response size consistent with what we had estimated, no inflation due to extra headers or something like that.

VPC Flow Logs

We wondered if there was some other service running that might be communicating over an Elastic IP or public IP instead of a private IP. To check that, we enabled VPC Flow logs to another S3 bucket and let it generate some logs for some time.

We didn’t find any services that might be communicating over Elastic IP but we did find some services that could be moved to the same Availability Zone (AZ) and reduced some Regional Data Transfer costs.

Frantic Googling

After eliminating all possible sources of Data Transfer we still had no clue what was the source of the Cost other than that it was from the ALB. This led to frantic googling and sending/explaining the problem statement to various people.

Then over the weekend, trying to think of keywords that would not lead me down to more documentation, I finally found this StackOverflow answer:

Q. AWS ELB: How can I see how many bytes of outbound network traffic an SSL-enabled ELB generates

A. The handshake of a TLS connection is pretty much constant and does not depend on your application. So your function is really: number of connections * (size of http responses + constant)

And it finally clicked, the missing piece of the puzzle. Since HTTPS was handled directly by the ALB, it wouldn’t show in the Access Logs as the instance didn’t have to deal with it.

Here is an article that estimates the payload to average ~6.5k (depending on your certificate size). Our response sizes were really small, and this could be a major part of the response size if the user was visiting the site for the first time. Since a lot of the traffic was new, it would be a significant chunk.
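
The gap between the access logs and the bill can be sized from the logs themselves. The following is an added example, not code from the original post: it sums `sent_bytes` from ALB access-log lines and adds one handshake per TLS connection. Assumptions: the ~6.5 KB figure quoted above applies to every connection, each distinct `client:port` is one full handshake, and the log lines and the function name `estimate_egress` are constructed for illustration.

```python
import shlex

# ~6.5 KB per full TLS handshake: the estimate quoted in the post (assumption;
# the real figure depends on the certificate chain and on session resumption).
HANDSHAKE_BYTES = 6500
TLS_TYPES = {"https", "h2", "wss"}  # ALB log "type" values terminated with TLS

# Constructed sample lines in ALB access-log field order (not real traffic).
SAMPLE_LOG = """\
https 2020-01-01T00:00:01.000000Z app/demo-alb/0123456789abcdef 203.0.113.10:40001 10.0.1.5:3000 0.001 0.004 0.000 200 200 310 420 "GET https://example.com:443/ping HTTP/1.1" "curl/7.64.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2020-01-01T00:00:02.000000Z app/demo-alb/0123456789abcdef 203.0.113.10:40001 10.0.1.5:3000 0.001 0.004 0.000 200 200 310 420 "GET https://example.com:443/ping HTTP/1.1" "curl/7.64.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2020-01-01T00:00:03.000000Z app/demo-alb/0123456789abcdef 203.0.113.11:51512 10.0.1.6:3000 0.001 0.003 0.000 200 200 310 420 "GET https://example.com:443/ping HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2020-01-01T00:00:04.000000Z app/demo-alb/0123456789abcdef 198.51.100.7:33010 10.0.1.5:3000 0.001 0.005 0.000 200 200 310 420 "GET https://example.com:443/ping HTTP/1.1" "curl/7.64.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
http 2020-01-01T00:00:05.000000Z app/demo-alb/0123456789abcdef 198.51.100.8:33011 10.0.1.6:3000 0.001 0.004 0.000 200 200 300 420 "GET http://example.com:80/ping HTTP/1.1" "curl/7.64.1" - -
"""


def estimate_egress(log_text, handshake_bytes=HANDSHAKE_BYTES):
    """Compare logged response bytes with an estimate that adds TLS handshakes."""
    logged = 0
    connections = set()
    for line in log_text.splitlines():
        fields = shlex.split(line)  # keeps the quoted request and user agent whole
        if len(fields) < 12 or not fields[11].isdigit():
            continue  # skip blank or malformed lines
        logged += int(fields[11])  # sent_bytes: the HTTP response only
        if fields[0] in TLS_TYPES:
            # client:port identifies one TCP connection in a short log window
            # (assumption: ports are not reused within the window analysed).
            connections.add(fields[3])
    handshake = len(connections) * handshake_bytes
    total = logged + handshake
    return {
        "logged_bytes": logged,
        "tls_connections": len(connections),
        "handshake_bytes": handshake,
        "estimated_total": total,
        "inflation": round(total / logged, 2) if logged else None,
    }


if __name__ == "__main__":
    print(estimate_egress(SAMPLE_LOG))
```

With small responses the handshake term dominates; a smaller certificate chain or longer-lived connections reduce that term, while the response term stays the same.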

That led to even more Googling on how HTTPS might affect AWS ELB costs and we came upon this very good article that also suggested increasing the default timeout for idle connections to 10 minutes for the ALB along with changing the certificate.

Testing Different HTTPS Certs

We were currently using the default certificate generated by Amazon Certificate Manager (ACM) with the Load Balancer. We tested the size of the TLS handshake with Wormly Test SSL Tool and then replaced it with one generated with Let’s Encrypt. To be thorough we also tested TLS handshake sizes of different websites with different Certificate Authorities.

DigiCert was the best with respect to size, but Let’s Encrypt was close enough (& free!). ECC certificates are not compatible with some older browsers, so we generated both the smaller ECC and RSA certificates through acme.sh and uploaded them through AWS CLI. The ALB will automatically select the best one depending on the client (read more here).

After adding them to the ALB listener and letting Cost Explorer catch up for a day, we saw a significant decrease in our Data Transfer Out Costs for the same number of requests.

It was still not equal to the estimates we had, but it will never be because we never considered the TLS handshake size in our estimates. AWS Costs really are a mystery until you actually get the bill.

source: nclouds blog

Translated from: https://medium.com/collegedunia-engineering/the-hidden-cost-of-aws-elbs-c046f16a043f
