Sabitlenmiş Tweet
Alon Shrestha
1K posts

Alon Shrestha
@alonshrestha
cloud architect | distributed systems & scaling | building on aws
Kathmandu, Nepal Katılım Nisan 2018
87 Takip Edilen77 Takipçiler

@webdevcody so? you mean code volume equal success. i'm more worried if you used ai to build this content.
English

just hopped off a great call with an aws ssm specialist about patch management.
our journey with ssm has been a big win. we are 100% compliant and rely nearly full on it to manage of our resources. while linux patching works beautifully and completely blew me away, windows has been a totally different story with painful limits.
we dug deep into those hurdles today. moving forward, we are teaming up with aws for sometime to rewrite our windows patching process, crush zero-day vulnerabilities, 3rd party application patching, tackle workspace patching, and build better automation.

English

wallets (esewa/khalti), banking apps, or ntc treat a major bug as a feature.
they must hear this a lot since i personally complained twice. people make mistakes doing topups instead of transfers, and it is non-reversible. accidentally recharging 5k leaves users stuck with money that is difficult to spend. topups must have a 1000rs threshold or below. the logic to fix this is simple from either side, but the system clearly looks like profit first.
English

this can be a lesson for many. never start the first day of the week with a fixed plan of what you will work on. instead come in with an open mind. you are not the only one bringing new ideas or priorities. your seniors and your team will too.
you might get into the flow of one project and then get assigned something else. switching context can be frustrating. this could be solved with better project management, but somehow we in the infra team have never really believed in project managers.
English

@gxjo_dev the guy in the first one has ruined my youtube experience.
English

@GergelyOrosz and i never understood why threads exists, even though i don't have a threads account.
English

@rohanpaul_ai it''s funny, but some robotics videos are hard to believe because of ai.
English

i've had to deal with challenges like this a few times, and over the years, "i've become pretty good at handling them."
that's what one of my clients told me.
funny how the work you never planned to do sometimes becomes the work you're known for.
i never really considered myself a web or local seo person. one of my clients initially came to me looking for someone to handle their seo. after a few conversations, they asked me to take it on instead.
the beginning wasn't easy. progress was slow, and there was a lot to learn. but over time, the results started showing up, and i genuinely began to enjoy the work.
then recently came this biggest challenge yet.
their google business profile got suspended.
it was a panic moment for us because all the hard work we did to build this vanished, and also, this is a healthcare business that relies heavily on calls from google.
the suspension meant missed opportunities and lost inquiries.
today, the profile is back, and we're expecting calls to return to normal soon.
if you're running a business similar to this and need help with local seo, feel free to reach out.


English

no matter how professional you are, you can still make a simple mistake and break everything.
just one week before the first client release, a terraform apply with the wrong workspace configuration wiped the entire infrastructure.
all because the destroy plan wasn't checked carefully enough.
testing got delayed.
everyone knew the infrastructure was gone. but where? how? and why?
the expected questions:
"how did this happen?"
"why wasn't destroy protection enabled from the beginning?"
yes, this definitely helped uncover the loopholes, but at a huge cost.
reapplying is simple, but engineers still refuse to accept that deleting infrastructure is fast, while provisioning it is not.
that's the part many engineers don't fully appreciate until they experience it.
English

this architecture blog was a good read on what it really takes to scale big.
the team scaled to 1m+ aws lambda functions. and the best part?
it was not about lambda scaling, because lambda already does that.
the real thing was how small serverless costs become huge at scale.
they used one aws account per customer, with automated account creation and infrastructure deployment on signup. for isolation, quotas, and blast radius.
but scale creates hidden problems:
- thousands of scheduled jobs running at the same time created a self-ddos.
- sqs, usually a best practice, became expensive because of idle polling.
- observability costs almost doubled their cloud bill.
so the lesson was simple:
- question every “best practice” at your scale.
my favorite takeaway:
- never do the same thing at the same time everywhere.
#aws
aws.amazon.com/blogs/architec…


English

setting up a tool is the easy part, but nobody talks about the operation nightmare.
every tech blog loves telling you how to deploy the latest managed service, like using ssm for patching or inspector for vulnerabilities, like it magically solves everything overnight.
but honestly, the real daily pain starts when the automated agent randomly dies, systems silently skip updates, and you get hit with a wall of thousands of alerts you are not ready for or have no idea how to actually remediate.
these tools only solve about eighty percent of the problem.
if you don’t have a plan for the twenty percent that breaks or gets missed, you haven’t actually solved anything.
English

@alonshrestha Good point, but 2 things:
1. Don’t forget the route table associations.
2. It’s public service endpoint routing through AWS-managed prefix lists, not private network.
English

quick aws tip: every time you create a new vpc, add gateway endpoints for s3 and dynamodb.
free, no hourly charge, no data processing charge. traffic goes through AWS private routing instead of the internet.
better cost + security + cleaner networking.
#aws
English

if security is the priority, i don't agree with this aws post.
this architecture makes transfer family authentication look secure with waf, but the transfer family endpoint is still public.
anyone can connect to it over ssh or sftp.
the flow is:
client → transfer family → api gateway (protected by waf) → lambda
connection floods still hit transfer family first, and repeated auth attempts can drive api gateway and lambda invocations, increasing cost.
for security focused workloads, i think this is a weak design.
i'd rather use network layer controls like aws network firewall with ip allowlists. but the tradeoff is higher cost.
#aws
aws.amazon.com/blogs/storage/…

English

i have no idea if this is actually true since it's not from an official aws incident report.
but this article claims it happened because of ai in one of the world's biggest tech company(aws), which is kind of crazy if true.
-december 2025 aws cost explorer outage → 13 hours
-march 2, 2026 amazon retail disruption → 1.6m website errors
-march 5, 2026 amazon retail outage → 6.3m lost orders
the causes don't even sound that complicated, yet they led to massive outages.
if this is true, i really don't know what was going on with the way things were structured internally.
the first and simple rule before letting ai touch production would be putting strong guardrails in place. and that's that simple.
#aws #ai #kiro
ruh.ai/blogs/amazon-k…




English








