I have a system where Raspberry Pis connect to a VPN hosted on an EC2 instance. The Raspberry Pis essentially act as IoT devices and send images to an S3 bucket. I'm using WireGuard as the VPN as it's pretty low level and doesn't consume much CPU power on the Raspberry Pi or the host VPN.

My current network activity from 4 Pis peaks at about 500 kbps. So I can assume on average that each Pi chews up about 125 kbps.

If I want to scale up to a very large number, I would likely hit the 0.25 Gbps limit on the EC2 threshold, causing a networking bottleneck in the system.

The obvious solution would be to make the Pis connect to a different location, but that would require having a different VPN URL for sets of Pis, which would be difficult logistically.

Is there a way to distribute the networking load automatically?

A_toaster

1 Answer

You've got a number of possibilities:

  • If your Pi only sends images to S3 you don't need a VPN; simply connect directly to the S3 HTTPS endpoint and be done with it. With a VPN you are double-encrypting (HTTPS-inside-VPN) and also paying extra for a VPN instance that you don't need.

  • You can have multiple VPN servers with the same configuration and all their IPs under a single record in DNS. The clients (RPis) will then resolve to a random one from the pool. See DNS Round Robin.

Hope that helps :)

MLu
  • Great points! The reason we maintain a VPN is because of security: we want to hide the endpoints of requests made by the Pi from the customer's location, and it gives us the ability to ssh into each and every Pi from a central location. I had no idea about the DNS round robin, that seems like a really simple way to handle it! – A_toaster Mar 17 '19 at 23:53
  • Just had a thought: if we wanted to ssh into a specific Pi, we would have to first know which of the VPNs they are connected to though, right? In this scenario the only way to know would be to open up each VPN host and check for the Pi you're looking for. – A_toaster Mar 18 '19 at 02:43
  • @A_toaster that's one way, or you can have some register that the VPN server will automatically update whenever a Pi establishes a new VPN connection. Most VPN solutions have a way to run *connection up / down* scripts. – MLu Mar 18 '19 at 02:46
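
One way to build the register mentioned in the last comment, as an added example that is not part of the original thread: collect `wg show <interface> dump` output from each VPN host and record which host holds each Pi's most recent handshake. The host names, keys, addresses and the 180-second freshness window are constructed assumptions; note that the first dump line carries the interface private key, so the parser discards it before anything is stored.

```python
import time

STALE_AFTER = 180  # seconds; assumed freshness window, tune to your keepalive


def parse_dump(dump_text):
    """Parse `wg show <iface> dump` output into {peer_public_key: info}.

    Line 1 describes the interface and contains its PRIVATE key, so it is
    skipped and never stored. Peer preshared keys are dropped as well.
    """
    peers = {}
    for line in dump_text.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # malformed peer line: ignore rather than guess
        pubkey, _psk, endpoint, allowed_ips, handshake = fields[:5]
        peers[pubkey] = {
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed_ips,
            "handshake": int(handshake),  # epoch seconds, 0 = never
        }
    return peers


def build_registry(dumps_by_host, now=None):
    """Map each peer to the VPN host holding its most recent live handshake."""
    now = time.time() if now is None else now
    registry = {}
    for host, dump_text in dumps_by_host.items():
        for pubkey, info in parse_dump(dump_text).items():
            if now - info["handshake"] > STALE_AFTER:
                continue  # never connected to this host, or session is stale
            best = registry.get(pubkey)
            if best is None or info["handshake"] > best["handshake"]:
                registry[pubkey] = {"vpn_host": host, **info}
    return registry


def _row(*fields):
    return "\t".join(str(f) for f in fields)


# Constructed sample dumps from two hypothetical VPN hosts.
NOW = 1552870000
DUMP_A = "\n".join([
    _row("PRIVKEY_A_PLACEHOLDER", "PUBKEY_SERVER_A", 51820, "off"),
    _row("PUBKEY_PI_1", "(none)", "203.0.113.10:40001", "10.8.0.11/32", NOW - 30, 1000, 2000, 25),
    _row("PUBKEY_PI_2", "(none)", "(none)", "10.8.0.12/32", 0, 0, 0, 25)])
DUMP_B = "\n".join([
    _row("PRIVKEY_B_PLACEHOLDER", "PUBKEY_SERVER_B", 51820, "off"),
    _row("PUBKEY_PI_1", "(none)", "203.0.113.10:40001", "10.8.0.11/32", NOW - 900, 10, 20, 25),
    _row("PUBKEY_PI_2", "(none)", "198.51.100.7:40002", "10.8.0.12/32", NOW - 60, 500, 900, 25),
    _row("PUBKEY_PI_3", "(none)", "198.51.100.9:40003", "10.8.0.13/32", NOW - 4000, 5, 9, 25)])
```

Looking up a Pi's public key in the result of `build_registry({"vpn-a": DUMP_A, "vpn-b": DUMP_B}, now=NOW)` gives the host to SSH through; a Pi missing from the registry has no fresh handshake on any host.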