What is the best time to start optimizing your cloud spend?
Three months ago... but the second-best time is today. Quickly implementing Turbot Guardrails prebuilt automated controls today will allow you to achieve far more savings in 2023 than a built-from-scratch or cross-team manual effort that won't start realizing value until mid-year (or later).
Your cloud costs are increasing daily, but controlling costs can be difficult and the time to execute on these initiatives competes with other priorities for the operations team. This post describes Turbot Guardrails automations that you can deploy immediately to reduce your cloud spend. The examples will focus on AWS, but the logic and tools apply to all major cloud providers.
Tagging strategies for charge-back and show-back
The adage "you can't control what you don't see" very much applies to cloud cost management. We have seen customers achieve massive cost savings of 30% or more simply by making sure each of their business units receives an accounting of its current spend each month. This has even more impact if the business unit is charged for its usage and the cost comes out of its own budget.
Tagging resources correctly is critical to segmenting your cloud spend by business unit. Turbot Guardrails automated tagging solutions allow you to retroactively tag resources with additional metadata (like cost center) and ensure all newly created resources are tagged correctly. Some example tagging strategies that can be automated using Turbot Guardrails:
- Tag all resources with who created the resource and the resource creation time.
- Propagate tagging metadata from AWS Organizations to all resources in an account.
- Tag all resources with a cost center based on the account deployed to or the individual that created it.
- Propagate metadata from ServiceNow or custom databases to all resources.
- Auto-remediate common misspellings and abbreviations in existing tag keys and values.
- Remediate competing tag strategies to one enterprise standard:
  - Env:Dev -> environment:development
  - env:Development -> environment:development
- Propagate tags from key resources to dependent resources:
  - Tag volumes attached to a compute instance with the instance's tags.
  - Tag snapshots created from a volume with the volume's tags.
  - Tag all resources that are associated with a VPC with the VPC's metadata.
- Remediate when new resources are created without correct tags:
  - Add missing tags to the resource.
  - Create alarms and alert on the resource tagging issue.
  - Terminate newly created resources without correct tags.
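The normalization and propagation rules listed above, as an added illustration (this is example code written for this post, not Turbot Guardrails' own implementation). The tag standard, the alias sets and the required-key list are constructed assumptions; swap in your own enterprise standard.

```python
# Constructed enterprise tag standard (assumption, not a Turbot policy):
# canonical key -> accepted key aliases and, optionally, a canonical value map.
TAG_STANDARD = {
    "environment": {
        "aliases": {"env", "environment", "stage"},
        "values": {"dev": "development", "development": "development",
                   "prod": "production", "production": "production",
                   "qa": "qa", "test": "test"},
    },
    "costcenter": {
        "aliases": {"costcenter", "cost_center", "cost-center", "cc"},
        "values": None,  # free-form; normalized to upper case
    },
}
REQUIRED = {"environment", "costcenter", "owner"}  # constructed required set


def normalize_tags(tags):
    """Rewrite competing key/value spellings (Env:Dev, env:Development, ...)
    to the enterprise standard. Keys that match no alias are left untouched
    so conventional tags such as 'Name' keep their casing. If two input keys
    collapse onto the same canonical key, the later one wins."""
    out = {}
    for key, value in tags.items():
        k, v = key.strip(), value.strip()
        for canon, spec in TAG_STANDARD.items():
            if k.lower() in spec["aliases"]:
                k = canon
                v = spec["values"].get(v.lower(), v.lower()) if spec["values"] else v.upper()
                break
        out[k] = v
    return out


def missing_required(tags):
    """Required keys absent after normalization, compared case-insensitively."""
    present = {k.lower() for k in normalize_tags(tags)}
    return sorted(REQUIRED - present)


def propagate(parent_tags, child_tags):
    """A dependent resource (volume, snapshot) inherits the tags of its parent
    (instance, volume) that it does not already carry; its own tags win."""
    merged = dict(normalize_tags(parent_tags))
    merged.update(normalize_tags(child_tags))
    return merged
```
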
Related Post: Tagging with Context
Stopping resources when not in use
One of the best things about cloud services is that you only pay for what you use. For workloads that don't need to be running 24/7 (think development, testing and QA environments), scheduling resources to stop during off hours can save over 70% of your cloud usage. Turbot Guardrails has some great built-in controls to help you automate this across hundreds of cloud service accounts.
There has never been a dev team in the history of IT that is not guilty of spinning up a few VMs for testing in a sandbox account, getting side-tracked with another urgent priority and forgetting about it until they show up in your cloud bill weeks later. Turbot Guardrails automation allows your cloud operations team to solve this problem permanently.
Related Post: Cost Savings
In Turbot Guardrails, scheduling guardrails are readily available to control your cloud resource usage. You can choose to shut down instances every night, every weekend, or on a custom schedule with just a few clicks. Turbot Guardrails currently supports automatic start/stop scheduling for the following cloud services:
- AWS EC2 Instances
- AWS RDS Clusters/Instances
- AWS Redshift Clusters
- AWS WorkSpaces
- Azure Virtual Machines
- GCP Compute Instances
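The start/stop decision described above, as an added example (not Turbot Guardrails' own policy syntax or code). The schedule format, the fixed UTC-5 office time zone, and the `schedule: always-on` exception tag are constructed assumptions.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed schedule format (assumption): Python weekday numbers (Mon=0),
# an optional local start/stop window, and a fixed-offset time zone so the
# example runs without tzdata. start=None means "run all day on those days".
OFFICE_TZ = timezone(timedelta(hours=-5))
BUSINESS_HOURS = {"days": {0, 1, 2, 3, 4}, "start": time(7, 0),
                  "stop": time(19, 0), "tz": OFFICE_TZ}      # stop nightly
STOP_WEEKENDS = {"days": {0, 1, 2, 3, 4}, "start": None,
                 "stop": None, "tz": OFFICE_TZ}              # stop weekends only


def utc(iso):
    """Helper: parse a naive ISO timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def should_run(schedule, now_utc):
    """True when the schedule says the resource should be up right now."""
    local = now_utc.astimezone(schedule["tz"])
    if local.weekday() not in schedule["days"]:
        return False
    if schedule["start"] is None:
        return True
    return schedule["start"] <= local.time() < schedule["stop"]


def desired_action(instance, schedule, now_utc):
    """Return 'start', 'stop' or None for one instance. A constructed
    exception tag lets a team opt a workload out of the schedule."""
    if instance.get("tags", {}).get("schedule") == "always-on":
        return None
    want_running = should_run(schedule, now_utc)
    if want_running and instance["state"] == "stopped":
        return "start"
    if not want_running and instance["state"] == "running":
        return "stop"
    return None


def plan(instances, schedule, now_utc):
    """Batch evaluation across an inventory: (instance id, action) pairs."""
    actions = []
    for inst in instances:
        action = desired_action(inst, schedule, now_utc)
        if action:
            actions.append((inst["id"], action))
    return actions
```
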
Finding and removing unused resources
Lack of visibility into cost factors, combined with rapid development in the cloud, means that over time teams lose track of infrastructure that is no longer needed. Turbot Guardrails can help your operations team hunt down and destroy these unwanted pests.
- Delete unattached storage volumes
- Delete old snapshots
- Delete load balancers without targets
- Delete unattached elastic IP addresses
- Delete unattached NAT gateways
- Delete unused internet gateways
- Delete unused Secrets Manager secrets
Delete default VPCs in unused regions
Did you know that AWS creates 17 VPCs in every new AWS account? Yes, a VPC is created automatically in every AWS region, with multiple subnets and public accessibility via an internet gateway. Deleting these VPCs can create significant cost savings and cost avoidance.
- If you use AWS Config or similar products that catalog cloud resources, removing these VPCs can reduce your usage of those services by lowering the number of resources you are tracking.
- These VPCs are often the ones resources get deployed into by mistake when using the AWS console, generating waste until discovered. Removing them early eliminates the technical debt and the cost of cleaning them up later because of overlapping IP ranges.
- These VPCs are also frequently used by malicious insiders to hide crypto mining or other personal projects, and we have seen them used by external bad actors when an account is compromised. With Turbot Guardrails it is easy to delete them automatically.
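Triage logic for the default VPC problem described above, as an added example (not Turbot Guardrails' own control). It works over a constructed inventory in which the network interface count (`enis`) is used as the "something is deployed here" signal; the region list and approved-region set are assumptions.

```python
# Constructed inventory of VPCs across regions (assumption, not real account data).
# "enis" = number of network interfaces in the VPC, a proxy for deployed resources.
INVENTORY = [
    {"region": "us-east-1",  "vpc_id": "vpc-0a1", "is_default": True,  "enis": 0},
    {"region": "us-east-1",  "vpc_id": "vpc-0b2", "is_default": False, "enis": 12},
    {"region": "eu-west-1",  "vpc_id": "vpc-0c3", "is_default": True,  "enis": 3},
    {"region": "ap-south-1", "vpc_id": "vpc-0d4", "is_default": True,  "enis": 0},
    {"region": "sa-east-1",  "vpc_id": "vpc-0e5", "is_default": True,  "enis": 2},
]
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}   # constructed assumption
ALL_REGIONS = ["us-east-1", "eu-west-1", "ap-south-1", "sa-east-1", "us-west-2"]


def classify_default_vpcs(inventory, approved_regions):
    """Bucket every default VPC:
      delete      - empty, safe to remove automatically
      in_use      - carries resources in a region the organisation uses
                    (someone deployed into the default VPC by mistake)
      investigate - carries resources in a region nobody should be using,
                    the pattern behind hidden crypto mining or account misuse"""
    result = {"delete": [], "in_use": [], "investigate": []}
    for vpc in inventory:
        if not vpc["is_default"]:
            continue
        if vpc["enis"] == 0:
            result["delete"].append(vpc["vpc_id"])
        elif vpc["region"] in approved_regions:
            result["in_use"].append(vpc["vpc_id"])
        else:
            result["investigate"].append(vpc["vpc_id"])
    return result


def unused_regions(inventory, approved_regions, all_regions):
    """Regions that are neither approved nor carrying any deployed interface;
    candidates for removing the default VPC and everything AWS seeded in it."""
    active = {v["region"] for v in inventory if v["enis"] > 0}
    return sorted(set(all_regions) - set(approved_regions) - active)
```
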
Related Post: Automatic deletion of default VPCs
Remove multiple enabled CloudTrails per account
Did you know that your first AWS CloudTrail is free in each account, but you pay if you create multiple trails? Turbot Guardrails can ensure that you have one global CloudTrail configured in each account and automatically disable additional trails. This control continuously monitors for, and removes, extra trails created by third-party tools or by developers who misunderstood the setup.
Increase DNS record TTLs
If you configure a higher TTL for your DNS records, intermediate resolvers cache the records for longer. As a result, the name servers receive fewer queries. Turbot Guardrails can help you identify records with low TTL values; we suggest increasing the value to one day (86,400s) for production environments with static DNS, and one hour (3,600s) for environments with more frequent changes.
Instance and volume type savings
There are two key strategies at play when considering automating optimization of instance and volume sizes.
- Identifying existing non-optimized instance types.
- Preventing future use of non-optimized instance types.
Turbot Guardrails can help with both: our automation can immediately stop (or terminate) usage of instance/volume types that are not approved for use in your cloud, and reporting against our CMDB can help you identify where existing infrastructure could be optimized.
Key strategies here that Turbot Guardrails can implement:
Enforce use of gp3 instead of gp2/io1 volume types. AWS's newer gp3 volumes are lower cost and higher performance than the older gp2 volume type at every price point, but the AWS console still defaults to gp2. Use Turbot Guardrails to ensure your developers are not leaving money on the table here and creating more technical debt. See: AWS EBS cost savings
If your workloads support running on ARM processors, you can save up to 40% by switching instance types away from power-hungry legacy x86 types. Turbot Guardrails can help you identify candidates for switching and automatically stop (or terminate) new instances created using older instance types.
Has your organization purchased reserved instances of a certain class? Use Turbot Guardrails to ensure dev teams are using the correct class and size of instance to maximize usage of your reserved instances.
Prevent usage of non-standard high-cost instance types by mistake. All three cloud providers have introduced a bevy of massive-scale instance types for high performance computing needs (at eye-watering price points). Make sure your dev teams don't accidentally spin up that $100/hr instance by using Turbot Guardrails to limit provisioning to approved instance types only. This prevents accidental use, and it is super simple to create an exception when a team has the budget and need for the extra horsepower.
Budget-based remediation
Turbot Guardrails can monitor the month-to-date spend for AWS accounts and take action when accounts are trending to overspend. This can take the form of creating an over-budget alert, preventing new resources from being created, or even deleting existing resources from sandbox or playground accounts once a threshold has been exceeded.
Why real-time cost remediation?
No matter your organization's maturity level with cloud, reducing costs will always be a priority. Using automation to enforce cost controls allows your operations team to focus on the next opportunity while your current automations continuously save you money. When cost savings initiatives are manual, you only get a one-time improvement, and the amount of savings will always be limited by the number of people you can have executing those processes.