[00:00:00] Speaker A: Welcome to The Cloud Pod, where the
[00:00:08] Speaker B: forecast is always cloudy. We talk weekly about all things AWS, GCP and Azure.
[00:00:14] Speaker A: We are your hosts, Justin, Jonathan, Ryan and Matthew.
[00:00:18] Speaker B: Episode 341, recorded for the week of February 3, 2026.
AWS layoffs. Scale down instead of scale out. You've done something wrong.
How are you, Ryan?
[00:00:31] Speaker A: I'm doing well.
[00:00:33] Speaker B: It's really hard to read that show title. I'm just saying, I've never done it before, and it requires a little bit of stress to do it.
[00:00:41] Speaker A: Yeah, I know. Justin will veto show titles even if they are funny, just because they're hard to read. So we probably should have, like, practiced that because that's why. That's why we redo the readout before usually. And I forgot that there's a purpose behind it.
[00:00:58] Speaker B: We were just like, nah, this title is not appropriate. But we like it, so we're going for it.
[00:01:03] Speaker A: That's it.
They're gonna leave us in charge. They have to deal with all the, you know, side effects.
[00:01:09] Speaker B: That's what happens when you have the kids running the asylum.
[00:01:11] Speaker A: Exactly. And just the two of us too. Not even John is in here to supervise us, so.
[00:01:17] Speaker B: Cool. I know. We went from, what, almost a month of almost all four of us? I feel like, well, last week was like, I came late, Jonathan left early, you know, so I'll still count that as a victory. All of us showed up.
[00:01:27] Speaker A: Oh, I think it counts for sure.
[00:01:29] Speaker B: So, like, we're down to two. Like it was a real big quick dip.
Yeah.
[00:01:35] Speaker A: Yeah. Well, hopefully next week we'll pick it back up with all of us.
[00:01:39] Speaker B: Yeah.
[00:01:40] Speaker A: All right, let me kick it off. With SpaceX acquiring xAI, they plan to launch a massive satellite constellation to power it.
So SpaceX has a plan to deploy up to 1 million satellites as orbital data centers, representing a significant bet that space-based compute infrastructure can be cost competitive with traditional ground-based data centers for AI workloads. The merger combines SpaceX's launch capabilities and satellite manufacturing expertise with xAI's Grok chatbot and the X social platform, formerly known as Twitter. The strategy assumes AI demand will continue growing and that compute capacity, rather than other factors, is the primary bottleneck for AI adoption. The orbital data center concept raises questions about latency and power requirements, thermal power management and maintenance compared to terrestrial facilities. Traditional cloud providers have invested heavily in ground-based infrastructure optimized for these factors.
This consolidation of Musk's companies creates a potential conflict between SpaceX's established government and commercial contracts and xAI's more controversial products.
Integration of a proven aerospace company with a newer AI venture introduces execution risk to SpaceX's core business.
This plan depends on several unproven assumptions, including sustained AI market growth, viable economics for space-based computing and the ability to manufacture and launch satellites at an unprecedented scale.
Cloud providers and enterprises will need to evaluate whether orbital compute offers advantages over the existing multiple regional terrestrial deployments.
[00:03:19] Speaker B: Wow, I love, love that the word terrestrial is in there.
[00:03:23] Speaker A: Yeah.
Must be nice if you can just sort of, like, move your companies around. Like, I feel like this is like a shell game con, you know? Like, ah, taxes are over here. No, they're over here. No, not under this cup.
[00:03:39] Speaker B: There's definitely something I don't understand about how it was called. He said he would buy it for X price, buy Twitter for X price. He bought it, and he was called out on it after he kind of tried to back out of it. Then he moves it to X, then he opens up a new company. I think I never really understood what xAI was and how it related to X. And then he sells it to another company.
I feel like he's printing money somewhere along the way. He's like, taking out a million here for me during this merger is my fee, and this couple million here is part of my fee. I just don't understand it. I'm not smart enough to understand the shell game that's going on here.
[00:04:24] Speaker A: I don't know if it's like you're not smart enough. I mean, this is fishy, right? Because I think xAI actually came out of X, formerly known as Twitter. Like, I think they sort of spun off Grok into that new company.
[00:04:38] Speaker B: So is Grok its own business inside of.
[00:04:41] Speaker A: Yeah. Then later xAI basically bought Twitter, which I thought was weird at that time because it just feels like you're moving losses around or doing something funky at that point. And now everything's getting sold to SpaceX, which, like, is rumored to go public this year.
So it does really feel like something fishy is going on.
[00:05:06] Speaker B: Right?
[00:05:06] Speaker A: Like, and they're all private companies, so I don't know the legalities of these things. Like, I guess, you know, as long as, I guess, it's cleared by the people that are owning the stock of these companies, I guess it's okay. But I don't know, the fact that SpaceX owns Twitter makes me like, what? You know, like, this doesn't make sense.
[00:05:28] Speaker B: So xAI owned Grok, X (formerly known as Twitter), Aurora, which is the image-to... sorry, text-to-image model,
Grokipedia, which I've never heard of until the first time I'm saying that, which is the AI-generated online encyclopedia, Grok Code Fast 1 and PromptIDE. The idea of AI generating a Wikipedia terrifies me a little bit. Just saying, like, way to rewrite history. AI is gonna, like, hallucinate its own history about itself and how it's formed.
[00:06:07] Speaker A: I mean, we have anyone who wants to edit Wikipedia. So I don't know, you always have to trust those things with, you know, whatever trust level you're comfortable with.
[00:06:18] Speaker B: What, are you like my high school teacher, or like my college professors, that, like, you can't use Wikipedia as a source? So everyone just went down to the bottom, found the source that they used, and used that one?
[00:06:28] Speaker A: Yeah, yeah, exactly. Hey, that's. I don't think that's cheating at all. That's exactly what I would have done. I would have done that anyway. Because quoting Wikipedia sounds like silly, but having someone nowadays all the sources into one spot for. It's easy for me to easily gather.
[00:06:45] Speaker B: Oh yeah, that's 100% what I did.
So, in other fishy news, Notepad++ was hijacked by a state-sponsored hacker. A Chinese state-sponsored hacker compromised Notepad++ update infrastructure from June to December of 2025 by exploiting vulnerabilities at the shared hosting provider level, not Notepad++ itself. And I've read the articles; they definitely, like, make sure to call that out.
The attacker maintained access to internal services and credentials after losing access to the servers in September, allowing them to selectively redirect update traffic to malicious servers until December.
The attack exploited insufficient update verification controls in older versions of Notepad++, with attackers significantly targeting update manifest endpoints to serve compromised installers to selected users.
Version 8.8.9 added certificate and signature verification for the downloaded installers, while the upcoming version 8.9.2 will enforce XML DSig signature verification on the update server process. The hosting provider has confirmed the compromise was limited to one shared hosting server, which obviously they were using.
No evidence was found of targeting other customers through the investigation of over 400 gigabytes of logs.
Rapid7 and Kaspersky later published detailed technical analyses of the actual IOCs.
This incident really does demonstrate supply chain attacks in open source software that's used by millions of people.
I mean, I've been using Notepad++ for years. Their response was to roll back and then redeploy, and essentially any system that actually has Notepad++, in my opinion, burn to the ground and start over. I mean, this is a massive attack. You know, this to me is almost worse than, like, the SolarWinds attack.
You know, Notepad++ people use on millions of Windows servers because standard Notepad can't handle log files and everything else like that.
So, like, I know I've seen tens if not hundreds of companies that keep Notepad++ on their jump or other servers. Even the portable binary, you know, that you can just quickly go run around the log. So getting in at this level and that maintenance of control for seven months, June through December, is crazy.
You know. So I mean, it's a pretty big attack.
[00:09:26] Speaker A: Oh, for... Yeah, no, I mean, the length of time doesn't really confuse me because I think this type of attack is pretty tricky to detect because, you know, I think they were redirecting upload traffic. Right. So requests coming in.
[00:09:43] Speaker B: Yeah. Only for a select number too.
And they were targeting, like, those IPs is what I read.
[00:09:49] Speaker A: Yeah. So, I mean, it is pretty difficult.
But you know, you're right. This Notepad++ is on every Windows server running, you know, in the environment that I can remember, just because, like you said, like, you use it for all kinds of tools, verifying, you know, configurations, looking at log files and applications, all those things. So it is pretty crazy to me.
I, you know, like, I wish that they had more publishing of the compromise indicators because I don't know how anyone... they release in their, or do they...
[00:10:31] Speaker B: So I'm actually reading one of the later articles about the IOCs right now.
The initial post, where I read it when it first came out on the Notepad++ website, like, last night-ish, didn't link to it, but now in the main article they link to a couple of the others, from Rapid7 and the other one, that really show how they did it at the technical level. So you would see, like, redirects to IP addresses versus the primary one, is where I'm quickly skimming.
[00:10:59] Speaker A: I was just wondering if there's enough information to see if, you know, people can detect this in their own environment. You know, any kind of indication of compromise. But definitely, no matter what, I would definitely go upgrade. And I think this, you know, highlights it's yet another supply chain attack, which is, you know, I think a known weakness in a lot of people's software delivery. I know that, you know, I've worked with two companies now where we've had to do a ton of hardening just because people, you know, don't think about it as an attack vector. They think about, you know, the code running in production on servers in that environment being what you have to protect.
The idea of protecting the code itself as it moves from one spot to another, people hadn't thought of. And so it can defeat any protection you had at your infrastructure level because it's already there. So it's kind of crazy, and I think a lot of companies are having to scramble a little bit. There's some, you know, crude hammers right now for, like, code signing and verification there, but I don't think it's quite good enough, and it's definitely not everywhere yet. So you can't even rely on it.
[00:12:08] Speaker B: Well, they haven't released the fix yet. They haven't released the core fix with the...
[00:12:14] Speaker A: They just published a new version. Right. That's probably the old...
[00:12:17] Speaker B: No, they actually... So it's not with the actual...
Maybe I'm wrong, but the way I read it is it's not actually with the version of Notepad++ or in the code itself. It's with the plugins that you have and how those plugins get updated.
So Notepad++ is fine, but it's downloading all those extra plugins that's a problem. So if you go to an older version, then redownload the plugins, you're good.
And 8.9.2 will add the enforced XML DSig signature verification.
I feel like the SIG stands for signature, but, you know, I'm not going to make assumptions here, like ATM machine.
[00:13:00] Speaker A: I assume you're right. But yeah, because I think that's, yeah, just code signing, and so it's enforcing the code signing, I guess, at those plugin levels, which makes sense.
[00:13:10] Speaker B: Yeah.
So I mean, but again, this is all supply chain, and supply chain is one of the most terrifying parts, especially with how fast, you know, all the different systems get, you know, how many plugins you have, and if you're using any standard, you know, software out there, or sorry, like libraries, package systems, whether it's old school rupee or, you know, going into NPM or anything else, like, all those packages. And all I can think of is the XKCD of, you know, that relies on that left space, you know what, where, you know, it takes down the whole Internet when somebody takes down their package. But, you know, one package pulls in 50, and keeping all those up to date and maintained and not breaking stuff, it's a lot of work. And keeping, you know, the tools out there, whether it's, you know, Snyk or Dependabot or anything else that wants to sponsor us, that are actually good dependency management tools. You know, see, I slid that one in there. I was pulling my inner Justin there a little bit. You know, getting those tools in place and getting those automatic updates and everything else like that in place is important in your infrastructure. Otherwise it's hard.
[00:14:20] Speaker A: Yeah.
And, you know, companies' willingness to introduce friction at that development layer is virtually non-existent. Right. Because it's so painful if you can't, you know, develop your features or get it through the environment. So having very long review times and stuff that doesn't promote, you know, very quick CI/CD is definitely something that's a little tricky these days. So not an easy job, but very important.
[00:14:51] Speaker B: Yep.
[00:14:52] Speaker A: All right. Moving on to even more miserable news.
"Internal messages reveal teams, jobs and are affected in Amazon layoffs." Business Insider probably got to redo that title. That seems wrong.
Amazon is cutting 16,000 corporate roles in its second major layoff round within four months, according to multiple AWS service teams.
The teams include Bedrock AI, Redshift data warehouse and ProServe consulting divisions. Cuts represent a significant restructuring of Amazon's corporate workforce of approximately 350,000 employees.
AWS engineering teams appear heavily impacted based on internal Slack messages, with software engineers from cloud services posting job searches. This raises questions about AWS product development velocity and customer support capacity during periods of intense AI competition with Microsoft Azure and Google Cloud. Affected US employees receive 90 days for internal job searches, with severance and benefits for those unable to find new positions. Timing follows Amazon's return-to-office mandate and broader tech industry cost-cutting trends. The layoffs touch customer-facing teams like Prime subscription services and last-mile delivery alongside cloud infrastructure groups. This dual impact on retail and AWS operations suggests company-wide efficiency initiatives rather than targeted underperformance at specific business units.
Yikes. So huge layoff. Lame.
[00:16:21] Speaker B: Yeah, I know a ton of... I saw a ton of things on LinkedIn. I think it was like last Wednesday, or Tuesday, Wednesday, Thursday, something like that. Because I was traveling last week, so the days kind of blur together when you're at a sales kickoff event.
But I saw a ton of people posting, you know, hey, this person just got affected, this person got affected, and it sucks. And it's everything from, I know people on the CS delivery side, to account reps, to Bedrock engineers. I saw it really did affect the broad spectrum of the org, and I think some of this also is uncertainty in the economy, over-hiring over the last years. And I think people hoped the return to work was going to scare more people away.
I say that, but that's kind of what I feel like.
[00:17:12] Speaker A: I mean, it might be. You know, it's hard to see some of these return-to-work initiatives as anything but that sort of layoff in sheep's clothing, just because it seems so nonsensical, but you're losing the...
[00:17:24] Speaker B: Wrong people is the problem.
[00:17:26] Speaker A: Oh, 100%. Like it's such a bad strategy if it's true. Yeah, I don't think it's a good idea in the slightest.
[00:17:33] Speaker B: I want to join the super secret, like HR association of America is where they talk about some of these things and be like, what are you thinking? Why do you think that this is a good idea for HR people?
[00:17:44] Speaker A: I wonder. I wonder if it's. I think you're giving them too much credit. I think they just like see that as, you know. Yeah, I don't know. I don't know how people see it.
[00:17:54] Speaker B: It's probably what our five listeners think of us. You know, they think we're so polished and put together. You know, not knowing that we really...
[00:18:02] Speaker A: Made it, and us barely, like, oh, this...
[00:18:05] Speaker B: Like, joining this week. Yeah, like, what's this word?
Like, you know, I'll see the behind-the-scenes stuff. You know, thank God that we have an editor that makes us sound good and like we know what we're doing.
I don't. I never listen to us. I can't stand listening to my own voice.
Wait, that's not what I sound like.
[00:18:24] Speaker A: Yeah, no. I prefer the noise that reverberates around my skull. For sure.
[00:18:28] Speaker B: Yeah.
AI is how ML makes money. Project Genie AI world model now available for Ultra users in the US. Google DeepMind's Project Genie is an experimental web app now available to Google AI Ultra subscribers in the US, 18+, powered by the Genie 3 model that generates interactive 3D worlds in real time based on text prompts and images. Unlike static 3D snapshots, Genie 3 simulates physics and interaction dynamically as users navigate and explore the world on the fly.
So I feel like, if I'm understanding this correctly, they've now made a world that we can live in that's dynamically generated as we walk through it, which is crazy in my head.
The platform offers three core capabilities: world sketching, using obviously Nano Banana Pro, which I still love, whoever named that; world exploration, the real-time path generation based on user interactions with adjustable camera controls; and world remixing. I feel like we need a remixing DJ sound right there.
[00:19:40] Speaker A: Yeah.
[00:19:40] Speaker B: Users can define characters, perspectives, third and first world... person, sorry, and movement types.
Current limitations include 60-second generation caps, occasional physics inconsistency (it's like the world's crashing down upon you), character control issues with latency (don't mind that lagging) and world generations that might not always match the prompt. The release represents Google's approach to building general AI systems that can navigate diverse real-world scenarios, moving beyond domain-specific agents like AlphaGo.
I mean, this is crazy. Like, it could be a whole new world in, like, the gaming world in my head.
[00:20:25] Speaker A: Yeah.
[00:20:26] Speaker B: And obviously it's in their beta, you know.
You know, it's in their DeepMind. Like, to me this is all, like, the very edge of everything that they're playing with. But, like, it's pretty damn cool what they're able to do. Like, that is impressive. I've watched, like, a piece of it as I was prepping. You'll see, sometimes we prep, and it's freaking crazy. It's scary at the same time.
[00:20:50] Speaker A: Yeah, I mean, it is going to really change... I think video games is definitely the primary thing that will change. Right. You remove all limits in these open-world scenarios, and, you know, it won't be repeating, it'll just be generated indefinitely, which is kind of nuts. But there's also, like, you know, when I think about manufacturing and different industries there, I can see a lot of impact there for kind of overlaying instructions and doing all that, and dynamically generating those types of things based off of real-world data at that time. Which I think is kind of amazing. And it feels like something we see in movies when you have people do those wireframe overlays of their existing environment and then make changes.
You know, in my head that's what it looks like. And so it does really feel like we're starting to live in the future, which is kind of neat.
[00:21:44] Speaker B: I wonder what the Matrix would be like if they remade the Matrix today with what we have today versus, what was it, like, 1999. Yeah. Dating myself, and I'm worried about the actual release date to make me feel old.
[00:21:56] Speaker A: So 1999 was not that long ago and I stand by that.
[00:21:59] Speaker B: You know, time keeps moving forward, just...
[00:22:01] Speaker A: Nope.
[00:22:01] Speaker B: Like, you know.
[00:22:03] Speaker A: Yeah, you stopped believing that long time ago.
[00:22:05] Speaker B: It's kind of like your kids are still four in my head. Yeah. Your twins. Like, that's where my head is. Like.
[00:22:10] Speaker A: Well, they still act four, so that's different problems.
[00:22:14] Speaker B: I'm just saying.
No, but even, like, simulations, like it talks about in the article and things like that. Like, think about you're modeling, like, an airplane or something like that. You're like, here's the general world.
You tell AI to think of the craziest scenarios to run, your simulated AI, you know, playing through, and see what it possibly could have done.
[00:22:37] Speaker A: Like, take this 2D sketch and let me walk through this plane that I drew.
Right. Like, it's crazy to me. Yeah.
[00:22:45] Speaker B: And now test the physics on it. Yeah. You know, and keep going. Like, it could do, like... it's crazy where we are and what we're capable of. I'm also worried about, you know, how many whales I kill every time I run my Claude Code. But we'll talk a different time.
[00:23:03] Speaker A: Yeah, I've not... Yeah. Well, that'll diverge. I'm gonna self-edit myself, I guess.
[00:23:13] Speaker B: Yeah.
[00:23:15] Speaker A: All right. OpenAI is retiring GPT-4o, 4.1, 4.1 mini and OpenAI o4-mini in ChatGPT on February 13, 2026.
OpenAI is retiring those models, although the API access will remain unchanged. They say that only 0.1% of users are still selecting GPT-4o or GPT-4.1 daily, with most usage shifted to GPT-5.2.
GPT-4o was previously deprecated and then later restored after user feedback about creative ideation needs and a preference for its conversational warmth, which was found lacking in GPT-5.
The feedback directly referenced 5.1 and 5.2.
And so now in those models, there's customizable personality controls for warmth, enthusiasm, and conversational styles like friendly.
OpenAI is addressing user complaints about unnecessary refusals and overly cautious responses in newer models.
The company has developed an adult-focused version of ChatGPT for users over 18 with expanded freedom with appropriate safeguards, supported by age prediction rollouts in most markets.
The model retirement strategy allows OpenAI to concentrate resources on improving models with active user bases rather than maintaining the legacy versions.
This follows a pattern of deprecating older models as newer versions incorporate user requested features and achieve broader adoption.
[00:24:46] Speaker B: You know, deprecation of things is one of the hardest things. And, you know, we joked a lot last year when, you know, AWS finally deprecated things, and, you know, a few came back from the dead. But deprecating things is hard. You know, people have it built in, hard-coded, you know, et cetera, et cetera, into their apps, into their workflows, and they're used to, you know, specific types of responses back. You know, you go between the models, you get slightly different responses. You know, I understand that every time you ask the question you'll get a different response, but, you know, consistently you'll get different types of responses back from different models. So it's interesting that they are... it's good to me that they're trying to kill off and kind of keep the world clean. They don't need to keep compute set aside and everything else for these old models. But I understand why it's so hard.
[00:25:38] Speaker A: Yeah, I think it's a real interesting change to our software. Right. Because not only are you looking at things like version compatibility and, you know, do the API contracts remain unchanged, but if you've built AI responses into your own application, all of a sudden it can turn cold and unfriendly, and it's nothing to do with anything you've done. It's just the model that's changing underneath it. Right. So it can really change the user behavior, and, you know, maybe you'd want to instruct the model to, you know, compensate for that or have a very specific tone where you didn't have to do that previously, or vice versa. Right. Like, who made my scientific app sound like a bubbly, like, you know, teenager?
You know, so it is sort of an interesting trend, and I think we'll see more of that. And I wonder, you know, if these tools will standardize across, you know, products, you know, above OpenAI, just because there's kind of a lot riding on that. Right. Like the accuracy. You're kind of staking your business a little bit on these models, and the results are going to feed back. So it is kind of nerve-wracking if you're one of those companies.
[00:26:46] Speaker B: I mean, it's so different than what we just talked about, about software dependencies. It's going to be your AI model dependency and keeping it up to date with the latest. It's just another kind of, you know, software composition analysis, keeping yourself up to date to kind of have it.
Same concept, different form.
[00:27:05] Speaker A: Yep.
[00:27:06] Speaker B: On to new forms of the way to deal with things. Codex introduces a Mac app. OpenAI launches Codex, a desktop app for macOS, a command line... sorry, a command center interface for managing multiple AI coding agents simultaneously across long-range development tasks.
The app includes native support for parallel agent workflows using git worktrees, allowing multiple agents to work in isolated copies of the same repo without conflicts while maintaining separate thread context per project. Codex now expands beyond code generation through a skills system that bundles instructions, resources and scripts for tasks like Figma design, Linear project management and cloud deployments to Cloudflare and other tools.
The app introduces automations, scheduled background tasks like daily issue triage, CI failure analysis and release briefs, with results landing in review queues for developer oversight. All agent runs are in a configurable system-level sandbox by default, restricting file edits to the working directory and requiring elevated permissions for things like network access for a limited time.
OpenAI is introducing Codex access with ChatGPT Free and Go tiers and doubling rate limits across all paid plans. Usage has since doubled for 5.2-Codex since the launch in mid-December, with over 1 million developers now using its servers. Windows support is planned for the future.
[00:28:42] Speaker A: They got a lot of catching up to do. You know, Claude Code is all I hear about, you know. I don't know specific numbers on their market penetration, but, you know, it's just everywhere.
I know I do hear about Gemini Code and the sort of code-to-command.
[00:29:01] Speaker B: Yeah, I've been hearing more about mostly.
[00:29:03] Speaker A: Because I live in a Google ecosystem.
[00:29:05] Speaker B: So yeah, I was going to say, so I've heard a lot in the last week about Codex. Last, like, two, three weeks it's been on my list of things to play
[00:29:15] Speaker A: with. But Codex, the model, and its use of tools through other tools I've
[00:29:18] Speaker B: definitely heard of. But yeah, and then it was going around my day job today about the Codex app and leveraging it and everything else.
[00:29:26] Speaker A: Yeah, you know, I haven't had a chance to play with it yet, compare it with the other tools, and it's, you know, kind of tricky because, you know, I think now with these agentic flows and code development, you know, there's so much investment in your workflows and your personal environments. And so, like, having specific tools set up a certain way, having skills and agents configured the way you like them, it makes moving between these things a little complex, and, you know, then you gotta sort of adapt to a different tool's settings. And I know as I've moved from, like, Cursor to VS Code to Claude Code, like, each time I sort of make those transitions, I'm, I don't know, less excited about trying the new one.
You know, I think it is something that OpenAI had to do to keep up with the other providers.
[00:30:15] Speaker B: Yeah. I mean especially this specific, you know, app and everything.
I mean, I definitely started playing more with the Claude app locally, you know, just for, like, revise my email. You know, things along those lines, you know, make me sound not like a monkey on acid. You know, things along those lines, and even Cowork stuff I've kind of played around with a little bit more, and it does make my life a little bit easier. I haven't done it, but, like, I still live in VS Code, and it's gonna take a long time for me to get out of that. It's kind of like when Atom died. I don't remember that Mac editor back in the day.
[00:30:49] Speaker A: Oh yeah.
[00:30:50] Speaker B: Like, that was my go-to notes for everything. Like, I'd be in a meeting and be like, let me pull up Atom. Type my notes in there real fast. And, you know, I just type my notes in Markdown because I'm a crazy person, you know. And then kind of moved over to VS Code. So I feel like it's almost like VS Code from my cold dead hands. Like, it has to have a plugin to VS Code, otherwise it's, like, hard for me to start to use.
[00:31:16] Speaker A: Yeah. Which I do believe Codex, like, has as a VS Code module, just not this app.
[00:31:23] Speaker B: Yeah.
[00:31:24] Speaker A: So it's sort of, sort of using it through VS code. You know, I think a lot of the, A lot of the similarities between the app and what you can do in VS code are probably similar. And so I know that that's something I've sort of found with cloud code. Like I was sort of underwhelmed like when it first came out. Cause I'm like, oh cool, terminal. I can do terminal things. And I'm like. And it wasn't as exciting to me as, as doing using VS code, but now I see like I haven't really adopted these workflows, but I see a lot of others adopting more sort of unsupervised sort of code execution. I'm still too much of a nanny. I want, I want to see what it's doing and make sure I can be there for correction. So I don't like it running and doing things without me sitting there watching it.
You know, Like I see what people are doing now, which is they're, they're not directly interacting and supervising it. Which is why something like you Know this code of desktop app or cloud code or those like it's. You're more executing, you know, different functions behind the scenes and then having it come back when it's finished.
[00:32:27] Speaker B: I definitely have it. Do more. I still use actually the command line though, within VS code. I don't know why.
[00:32:34] Speaker A: Oh, so do I.
[00:32:35] Speaker B: No. A ton. I can't handle the UI and like a couple times it's turned on. It's like, hey, do you want to like there's an option to go do it. I'm like, yes, please stop. Like, no, no, stop talking to me at this like weird UI thing. Like maybe it's just. I won't. I need like a CLI. So I feel like I'm in control of what's happening and the Linux sysadmin comes out. But like, no, no, this is garbage. Please try again later.
[00:33:00] Speaker A: Yeah, it'd be kind of interesting now. Now that you. I got thinking while you were talking, like I could do a Claude Code terminal session within VS Code in the bottom part.
[00:33:11] Speaker B: Yeah.
[00:33:11] Speaker A: And then could just be turtles all the way down.
[00:33:15] Speaker B: So I normally have one or two going. You know, when I'm actually like, I have one going, which is like my ongoing project. Like I have a side project to work on. Working on. And then when I actually have time, I've started giving myself some engineering work to kind of like help expedite projects on my team for my day job. And I'll actually open up another shell, like go knock out a JIRA task in like 30 minutes. And then I, you know, and that's kind of the way I keep them separated again. I'm a crazy person. I get it. Yeah.
[00:33:44] Speaker A: Yeah, definitely. Yeah.
All right, moving on to AWS.
AWS announces deployment Agent SOPs in AWS MCP server.
So this will enable developers to deploy web applications to production using natural language prompts through MCP compatible tools like Claude, Cursor, Kiro and the Codex app.
The system automatically generates CDK infrastructure, deploys CloudFormation stacks and sets up CI/CD pipelines with AWS security best practices included. What could go wrong?
This feature addresses the gap between AI assisted prototyping and production developments by allowing developers to move from vibe coded application direct to production. Let's not review that at all. Sometimes even in a single prompt. Oh, good.
Agent SOPs follow multi step procedures to analyze project structure, create preview environments on S3 and CloudFront and configure CodePipeline for automated deployments from source repositories.
Support includes popular web frameworks like React, Vue.js, Angular and Next.js with automatic documentation generation that enables AI agents to handle future deployments and troubleshooting across sessions.
The deployment process creates persistent documentation in the repository for continuity.
Currently this preview is only available in US east and is at no additional cost.
Customers do pay for the standard rates for AWS resources that are created and the applicable data transfer costs.
This represents AWS's integration of AI agents into the deployment workflow, competing with other infrastructure deployment automation tools.
[00:35:17] Speaker B: Hooray.
[00:35:19] Speaker A: I like and hate this all at the same time. I feel like, you know, a quick way to traverse through the software development life cycle is a good thing. Having AI agents develop, you know, stuff that's, you know, boilerplate YAML configurations for Kubernetes, like fantastic.
[00:35:39] Speaker B: Automatically promote code to production.
[00:35:41] Speaker A: Yeah, like I mean I think that, you know, there's other business processes that would sort of prevent that. So it would be kind of cool. That's, you know, being able to, to create end to end infrastructure and code through. Through like all the way to an integration environment maybe and then having, you know, sort of more, more eyes review that process.
But not everyone really has that capability too in terms of like having multiple teams evaluate production code, having security teams analyze it for potential risks. And so they're just building a lot of these things into agents. So I think that that's better than nothing.
[00:36:19] Speaker B: Yeah, no, it's definitely.
I get what they're going for. It's the infrastructure.
AWS, DevOps engineering me is like, you're going to have something, just develop code. Good luck with that, sir.
[00:36:37] Speaker A: And push it directly to production.
[00:36:38] Speaker B: And push it directly.
But don't worry, that SRE agent that you developed will figure out how to fix that and like it might with enough iterations, you know. And this is where I'm still like I sound old school at this point, I feel like. But you still need human in the loop somewhere along the way to kind of review and make sure that, you know, I told it to set me up a CloudFront with backed up. I said hey, I need a blob storage account with CloudFront. And it set me up CloudFront with the server that, you know, connected to EFS. And I was like whoa, time out. Trying to do static content. Let's make this simpler. And I was like, oh yeah, you're right. And I'm like, I love when AI tells me I'm right. Makes me feel good about myself.
[00:37:20] Speaker A: Oh, I hate that.
Makes me feel like when I am right it diminishes its value.
[00:37:26] Speaker B: I love at one point when I said unfortunately you are correct, I was like f you Claude, go away. I was so mad.
[00:37:36] Speaker A: Yeah, no, I mean this, you know, I think it's you, you got to review these things and make sure that you've got some sort of check and balances. I can see this developing infrastructure that's really expensive and you know, maybe not as performant. I think that people underestimate the amount of context a human can sort of use at a single time when, when developing something and so they don't. There's a lot of intangibles that aren't defined in that prompt that just a native human would do.
And of course that changes as, you know, people gain more experience. Someone that's fresh out of college may not know that this one technology is really expensive and that's why you generally have more senior people on the team review those that code and those processes. I think this should be no different because I don't think AI is quite good enough to where I would trust it like deploy create my cloudformation stack and just go yeah, no no, no.
Like I said, I don't even trust it to do like off background coding at this point just because I feel like I'm very much herding it like a cat more than in order to make it get good, develop good code, than I would trust to have it just do that with just my prompts in the background, and I spend a lot of time in configuring those workflows, but it's not quite good enough there.
[00:38:59] Speaker B: AWS STS now supports validation of select identity provider specific claims from Google, GitHub, CircleCI, OIDC.
Obviously we need Oracle somewhere in here.
AWS STS now validates provider specific claims from the prior people when federating into AWS via OIDC. This allows customers to reference custom claims as condition keys in IAM roles, trust policies and resource control policies, enabling more granular access for federated identities beyond the standard OIDC claims. This feature addresses a common security gap where organizations previously could have only validated standard OIDC claims like Subject and Audience but could not enforce conditions based on provider specific claims like GitHub repository names or Google Workspace domains. This enhancement helps establish data perimeters by allowing customers to restrict access based on specific context from the identity provider. It's now available everywhere in STS.
[00:40:09] Speaker A: This is a fantastic feature that I was convinced was brand new when announced until Matt schooled me and said I've been doing this for months because I did not know that you could do this with STS, you know, use a different technology to sort of create an authentication token to directly access AWS resources.
But apparently that's been around for a.
[00:40:31] Speaker B: While so you can always do OIDC claims and I've done it a bunch between GitHub specifically for GitHub app actions and AWS because otherwise prior to that you had to like use hard coded credentials and access keys, secret key and bad news bears and turtles all the way down.
So when they released this I think it was around 2022 from our pre show random rant that we realized we really should record the pre show and you know, have actually just stubbed into the actual show. But it's the. What do we decide it was? It's the custom, the custom claims. Yeah, the custom claims for things like GitHub repository names and things like that.
[00:41:15] Speaker A: Because I, I think before like always OIDC like standard claims are really, really tailored toward human attributes. Right. And so you've got the subject and the issue identifier and the audience and expiration time that those are useful like when you think about GitHub Actions or other automation workflows. But then everything else is like name, family name, email address, you know, blood type or you know, other things that aren't really useful for, for doing sort of automated workflows. And so this, this allows you to sort of, this is where you'd be able to put a, a claim that's specific to your repo or specific to your branch or you know, maybe even depending on your action workflow name, you know, you could have different, a specific sort of authorization for just that role.
[00:42:04] Speaker B: Which I think is cool.
[00:42:06] Speaker A: So I use this a lot for. Because if we use hosted runners, right, but those are running on cloud provider so they already have a certain amount of cloud authorization, right. It just through the sort of just running, you get your, your built in EC2 roles or, you know, IAM, you have instance profiles, forgetting the name.
[00:42:26] Speaker B: Sure.
[00:42:26] Speaker A: Azure has a similar thing and so I don't necessarily want to give those runners which are a shared resource in the company access to every sensitive workload in my company. And so I can I use these claims to validate sort of this token exchange validating custom claims. So runners that are running executing out of this repo can use these privileges rather than using the shared infrastructure to allow to do privilege escalation and a validation of infrastructure. And it's pretty cool. I'm really happy with this workflow. It's been a big concern of mine that you know a Lot of these deployment tools and stuff that we use on our pipelines are shared across the entire company and so it's big separation problem.
This fixes that.
[00:43:12] Speaker B: I actually realized why I thought that this was already there prior to the show too was because I recently did GitHub to SSL and it was OIDC into Azure DevOps or something like that. It was GitHub into somewhere, some connection we had. And you can specify the repo that's running as. And that's what it is here is you can have an OIDC connector for a repo and say this repo is only able to be the one that identifies. Yeah. Oh it was into our Azure.
Yeah.
[00:43:48] Speaker A: Audience claim.
[00:43:49] Speaker B: Yeah.
[00:43:50] Speaker A: So yeah, because it's the, it's the provider on that end who's doing the authentication that they have to be able to. When that token exchange happens, they have to be able to sort of understand those claims and evaluate whether that's an authorized request or not.
[00:44:03] Speaker B: Yeah.
[00:44:03] Speaker A: So it sounds like, you know, Amazon in the security token service now can do that across all these tools, which is super cool.
Amazon CloudFront announces mutual TLS support for origins. Mutual TLS authentication allows customers to verify that requests to their backend servers come only from authorized CloudFront distributions using certificate based authentication. This eliminates the operational overhead of managing custom solutions like shared secret headers or IP allow lists that previously required constant rotation and maintenance.
This feature works with AWS Private Certificate Authority or third party private CAs imported through AWS Certificate Manager, providing cryptographic verification of CloudFront identity to any origin that supports mTLS, including Application Load Balancers, API Gateway and on premise servers.
There's no additional charge for using origin mTLS beyond the standard CloudFront pricing.
This is a common security gap you typically see in organizations where you want to restrict access to your website, if you will, and make sure that it goes through your, your caching layer, your. Your WAF protection layer.
And I have definitely put this in place where restricting this down to IP addresses, which is awful, or headers, which is just non secure, you know, but you put it in there just in the hopes that, you know, someone can't just figure out the custom headers that you're using. So this is I think a great thing. I hope it's easy to enable because mutual TLS and the certificate management can be. Can bite you and can be difficult to resolve when, when certificates expire and you don't know what needs to be updated. But I do like to see this change.
[00:45:51] Speaker B: Yeah, I mean while I hate supporting mTLS it is a really good layer of security and stuff. Yeah. And having that extra layer now, you know, they did ALBs, you know, last year, a couple months ago, whenever it was, lose track of time, you know.
And to get to the point now where they're at of supporting this, it's, it's amazing, you know, how security is not just, you know, a single point, it's really in the entire stack and you have to really be careful with it. That.
[00:46:22] Speaker A: Yeah, definitely.
And it's, I do think that this, this type of thing of being able to verify not only the outbound request but the, the incoming request is from who you think it is, is, is a good thing.
You know, we're seeing, you know, this, this is something you can set up, you know, in, in your code pipelines and that to protect against supply chain attacks and that kind of thing.
And so I, I do like to see this more and more and more. And then I think putting it in at the CloudFront layer and, you know, tying it to Application Load Balancers is kind of just an easy button which I do like on a great.
[00:46:58] Speaker B: Quality of life improvement that I very much appreciate. The AWS console now displays account names in the navigation bar, replacing the prior reliance on account numbers for identification. Because who doesn't like memorizing all their account numbers?
This addresses a common pain point for organizations managing multiple accounts, like AWS promotes with their Control Tower product where you manage multiple dev, prod or even business users. Crazy concept. This feature is crazy, does not cost anything to display what is something useful. Once enabled, all authorized users in an account can see the account name displayed in the console for your navigation bar. The update provides immediate value for the teams working across multiple accounts who previously had to memorize 12 digits. I was going to say double digits, 10, when I was going to say it earlier, but good thing I didn't.
The visual distinction helps reduce errors when switching between environments and other business units. I don't understand why this was so hard to do. I am sure there was a technical reason, but for the love of God I think I put this request in like 10 years ago.
[00:48:08] Speaker A: Oh yeah, I remember the first Rube Goldberg setup. I set up with a browser extension so that I could individually color tabs and separate the sessions for like the session cookies per account. Because I was so sick of trying to remember which account I was in over across the 200 accounts we had and whether or not it was dev or prod or then having to go and look up, you know, in an outside source. What. What account number is what name? Like.
[00:48:38] Speaker B: Oh yeah, no, like I said, not the sexiest feature. But for the love of God, the most useful feature of this podcast is.
[00:48:47] Speaker A: Definitely my favorite announcement in this entire list for today. Like is my favorite one.
[00:48:52] Speaker B: I almost want to save this as my favorite announcement of the year is where I'm at right now. Like it's the stupidest thing, but it's so nice.
[00:49:02] Speaker A: No, I, I agree. Like, and they've been making some real AWS has been making some real, real improvements with and I think they, I think you're right. I think there was technical limitations because they didn't really build a multi account strategy. Right. They these accounts.
[00:49:16] Speaker B: I assume it was like a separate database and querying it would have DDoS it, you know.
[00:49:21] Speaker A: Well, I think session state was a big deal. I don't think they really had the ability to sort of.
You had to log all the way out of an account and all the way back in if you wanted to switch accounts up and up until fairly recently.
[00:49:32] Speaker B: Yeah, just say six months ago, the multi account session. So I feel like this is building on it and I hate to say this, but I also feel like this is probably where if they are leveraging Kiro internally, like a lot of these low priority requests that just aren't going to make the money. I feel like they're getting to recently and maybe that's like me reading way too far into the tea leaves but like there's been a lot of just small quality of life improvements like this that maybe someone's just sitting there on the backlog.
Maybe we'll stop seeing them now. They laid off 16,000 people.
[00:50:06] Speaker A: Yeah, I don't know. Yeah, I don't know. I think this is, I think enough people complaining about this maybe, you know and I, I agree. I think it's that multi account thing that allows this.
But yeah, I, I hesitate to think that they're just getting to these features. I think it's much more demanded and required by businesses these days to be able to use your product.
[00:50:28] Speaker B: Yeah.
[00:50:30] Speaker A: All right, moving on. Announcing increased 1 megabyte payload size for Amazon EventBridge.
This is up from the previous 256 KB limit, eliminating the need for developers to split large events, compress data or store payloads externally in S3.
Simplifies architectures for applications handling LLM prompts, telemetry data and complex JSON structures from machine learning models.
The increased payload size reduces architectural complexity and operational overhead by allowing comprehensive contextual data to be included. In a single event rather than require chunking, logic or coordination with external systems.
This is particularly relevant for AI and ML workloads where the model outputs and prompts can exceed the previous size constraints. Feature is now available in most AWS commercial regions where EventBridge operates, with notable exceptions being the Asia Pacific regions like New Zealand, Thailand, Malaysia and Taipei.
And there's no additional cost mentioned for the larger payload support other than the standard EventBridge pricing. This change addresses a common pain point where developers had to implement workarounds. I think I've said that like six times. I'm not reading the rest of this.
[00:51:38] Speaker B: This is what happens when we, when we do the podcast. It's like, yeah, it's fine.
[00:51:42] Speaker A: Yeah, it's the last bullet point. I clearly only read the first three, didn't edit the last one. Yeah, I think that this is a, a good thing. I've. I, I was laughing at this because I remember event event size and Kinesis being a big, you know, to do in an early like a, a project forever ago and trying to, trying to think through all the, the limits and what we were going to have to do with that. And I was a big advocate for storing pointers and external systems and, but then now, you know, I was thinking through the AI workloads and how much of a pain in the ass and slow it would be to have your, your prompts referencing an external source every time for just the return value. So I'm glad to see this.
[00:52:26] Speaker B: Yeah, I mean, again, nice quality of life. I've done so many, like you've said pointers, you know, whether it's an S3 event, you know, or hey, write it to here and then, you know, wait for it and then put it in there, you know. So hopefully it just helps kind of drive out that toil, you know, I hope they don't keep increasing this because I feel like it's going to break more stuff down the line and let people do bad architectural things.
But you know, they keep doing that.
[00:52:55] Speaker A: Yeah, I mean it really depends on what you put in that payload. Right. Cause it's, you can, you can definitely introduce poison pills really easily with, with larger payloads and you can, you know, like if you don't manage that well, you can put yourself in danger of major data loss. Right. Depending on like if your entire pipeline goes down, all those requests and all the content within there could be a problem. So it's, you know, you want to make sure that you have a, a disaster recovery strategy for case of failure for sure. Because it's These. I don't think people really consider these event pipelines as these massive data conduits that they are. And so they don't have the same sort of backups in place like you would with a database or, or something else. Right. Like, so it's definitely true. But again, like I do see the for. For AI stuff like you can't really introduce any latency. It's already slow.
I don't want to wait for that prompt to come back. I'm lazy. Screw that along.
[00:53:47] Speaker B: Ways to block your AI traffic. AWS Network Firewall Manager now supports GenAI traffic visibility and enforcement with web category based filtering. The Network Firewall Manager has URL category based filtering that lets you control access to GenAI applications, social media, streaming services and other web categories using predefined categories instead of maintaining manual domain lists.
This reduces operational overhead, obviously, of your security team, who has nothing better to do, who maintain and enforce consistent policies across AWS environments while gaining visibility into emerging technologies that they have no idea of.
Sorry Ryan.
The GenAI component addresses a growing compliance need as organizations struggle to track and govern access to all the AI possibilities out there, such as GPT, Claude, Gemini, et cetera. The security team can now restrict GenAI to only approved, controlled tools and block access entirely if they have no risk tolerance for anything or if it's a government requirement. In combination with TLS inspection, it enables full URL path based inspection beyond just granular domain.
[00:55:01] Speaker A: I swear this is the second time we're talking about this article too. I feel like there's, there's a glitch in our system that we've moved to more automations. Definitely introduced more, more ability for this. Like I can't.
Yeah, we're gonna, we're gonna have to like, you know, do yet more. Another AI agent to keep us on track for. Yeah, for topics.
[00:55:20] Speaker B: I was reading it, I was like, did we talk about this last week?
[00:55:23] Speaker A: I think we did.
I still like it. Like I do think that this is. These category based filtering rules are, you know, a life, life sentence because like if you have to white list or deny list every single URL, like it's untenable. Like it's just crazy.
And even in like a production ecosystem where the outbound, you know, calls should be fairly limited other than responding back to, you know, application requests, it's still really difficult to catch all the different, you know, URLs. You need just to download a software update package from Microsoft. Right there's the list that you have to do for just that is crazy. It's like 10 to 20 URLs and you're wildcarding within that. So having the categorization really helps because you can sort of define that for your teams and then you don't have to do every single URL.
You'll still run into things where it categorize it in the wrong bucket and then it blocks some traffic that it shouldn't be blocking. But damn the breaks.
[00:56:25] Speaker B: Always blame your security team.
[00:56:26] Speaker A: That's right, we suck, no doubt.
All right, moving on to GCP. Conversational analytics in BigQuery is now in preview.
This lets users query data using natural language instead of SQL. The AI agent uses Gemini models to generate queries, execute them, and create visualizations while maintaining security controls and audit logging within BigQuery's existing frameworks.
System goes beyond basic chatbots by grounding responses in actual BigQuery schemas, metadata and custom business logic, and includes verifying queries and user defined functions. This ensures generated SQL aligns with production metrics and enterprise standards rather than making generic assumptions about data structure.
Users can perform predictive analytics through natural language by querying AI functions like forecasts and detect anomalies without writing code, and the agent supports querying unstructured data such as images stored in BigQuery.
Agents can be deployed across multiple services, including Looker, Studio Pro and BigQuery UI custom applications via UI or API.
The existing agentic ecosystem through ADK tools allows integration as well. Documentation and codelabs are available for implementation guidance, and specific pricing details... losing the ability to talk? ...were not discussed in the announcement.
I do like this.
[00:57:49] Speaker B: Anything that makes BigQuery easier to use. I don't have to write SQL. I don't have to do any of that.
I'm happy for sure.
So in this week's new way to run the cloud poorly or more expensively, introducing Single Tenant Cloud HSM for more data control. Google Cloud has launched a Single Tenant Cloud HSM, a dedicated hardware security module that gives organizations exclusive control over cryptographic keys with FIPS 140-2 Level 3 validation. Unlike multi tenant solutions, customers get a sole physical HSM partition with hardware enforced isolation, meaning their keys are cryptographically separated from all other customers and Google operators. Don't want to know how much this costs? I'm going to tell you anyways. This costs $3,500 a month to just launch this bad boy. It wouldn't surprise me actually if there's like a one month minimum and like, you know, six months, you know. But from there obviously this is targeting highly regulated industries like financial services, defense, healthcare, government that need strict compliance and want to avoid managing their own physical hardware.
Key security features include full ownership of root, quorum based administration requiring multiple authorized users for sensitive operations, and the ability to revoke Google's access at any time, which immediately makes all keys and hardware encrypted data inaccessible. Is it in- or unaccessible? I don't know the difference.
[00:59:21] Speaker A: I think in.
[00:59:22] Speaker B: I know, but what's unaccessible? Am I making it up? Because it's. I think that's not approaching 11 o'clock. Yeah, it's approaching 11 o'clock and we're just making stuff up.
Sorry.
The single tenant HSM integrates with existing APIs and works with CMEK across all Google managed services. Setup takes approximately 15 minutes.
So Ryan and I were talking to the pre show and I'm gonna fill you guys in on our pre show banter that we were talking about. I was like wow, I feel like AWS had this like 15 years ago and the quick research. I was like yeah, they totally did. And it took them two weeks to pre set it up. So I feel like we're on full circle where like AWS had this thing where it was single tenant. It required like a support ticket to open it up. Then they're like no, no, we're not doing that. That's anti cloud. We're building a multi tenant environment. We're gonna make everything API based so they move to, you know, KMS the way we know it today or CloudHSM the way we know it today.
And now Google's like now we're going back to old school guys. Like here's your dedicated like I get the use cases ish of it.
[01:00:26] Speaker A: You know someone's demanding this. I think the reason why this is so late is government.
Yeah, I know it's. And especially the way Google manages their infrastructure. They don't do a separate isolated cloud.
They do Assured Workloads within their existing clouds. So I can see that being part of this too. And so I feel like they hesitated to do this just because it is a terrible support model. I think it's priced to indicate that and I think please don't do it. Yeah, the people who are going to demand the single tenancy hardware level isolation should have to pay through the nose because there's a dumb compliance rule and I'm not sure which regulatory framework would enforce this. I'm not familiar with all of them.
[01:01:09] Speaker B: I'm getting better, I assume it's a DoD somewhere one.
Yeah, maybe it's probably for a secret or top secret environment really is what they're doing it for would be my assumption.
[01:01:20] Speaker A: That would be my guess. Which would be somewhere in the FedRAMP/DISA IL5 sort of framework somewhere I believe. But yeah, yeah, no, this is, you know, like the isolation at the hardware layer just seems so, so unnecessary these days.
And I don't think really providing any different security levels. Right. Because it's still hosted in Google's data center. In a rack next to all the other ones.
And so you're really just protecting yourself from Google on premise technicians and.
Sure, I guess, you know, and in that case, you know, they, you can.
[01:01:57] Speaker B: But that's the same thing as any EBS level or drive level encryption in the cloud. It's like, okay, what am I really protecting against Someone going to the data center pulling out the hard drive that contains my hard drive, which let's be honest, I assume it's already spanned across multiple hard drives and pulling the data like okay, I guess you're then like at the physical and maybe a level up some Azure technician or AWS technician that logs in and has some level of access, but doesn't have access.
Is that what we're protecting against? I'm just not sure anymore.
It's a checkbox. I check it. But what's the thing that we're actually.
[01:02:37] Speaker A: Solving for, and that's why Google has announced this is someone had this checkbox, someone with enough, you know, deep enough pockets had this checkbox and they wanted to check it and they're like, we will pay you any amount of money and that any amount of money is $3,500 a month, which, you know.
[01:02:53] Speaker B: So my next question is, do I need two of these for HA? Yeah, right.
Like I know Google doesn't quite have the same premises, you know, primitives as the other clouds. But like do I need two? Do I need multiple reasons? So now do I need four?
Like I just don't know so well.
[01:03:11] Speaker A: I mean it's. Yeah, there's, it's definitely. That would, all of that would be in question. Setting up your infrastructure, depending on, you know, how you set it up and, you know, can you store like a basic key in the HSM and then sort of orchestrate everything through Cloud KMS? That way you get your disaster recovery.
[01:03:31] Speaker B: I don't know the answer. Only us-central1 and us-east4, Iowa and North Virginia, support single tenant HSM.
[01:03:39] Speaker A: Ah, okay, so it is a federal required compliance yeah, because there's the two assured workload locations in the U.S.
yeah.
[01:03:47] Speaker B: And I don't know if this is a lot. Like, I just, I don't have the concept. It supports only 15,000 keys.
But like, if you're issuing, in this case, where you're running your own hsm, would you be issuing a key for every EBS drive that you do or do you. Would you still do like one, like one key for all EBS drives and then like 15,000 either is like really small or like more than you would ever need. Yeah, and I'm not sure.
[01:04:19] Speaker A: I mean, I've seen it. I mean, it's, it's.
I don't think 15,000 keys is required. Right. Like, you know, you don't typically have or want to manage that level of granularity, because, like, it's. And I've seen transparent-level encryptions where each individual sort of endpoint node had its own sort of encryption key. And so you had these guard point nodes that had to sort of understand all the other nodes. And so it was trying to manage 15,000 keys. And let me tell you, it does not work. And so, like, I think that, you know, it's. You want, just like anything else, you want to structure the key management of these things and isolation boundaries that make sense for your business and keep you safe while also limiting your blast radius.
So, you know, you have to just figure it out. There's no right number, but 15,000 sounds like a lot to manage.
[01:05:12] Speaker B: It both sounds like a lot and not a lot. That's why I'm like, it's like PKI, where there's a single one that, kind of, you know, you have your root cert, then you have your multiple secondary, I don't remember what they're called at 11 o'clock at night, you know, these certs, which daisy-chain up. So.
[01:05:27] Speaker A: And you could set this up like that where just your roots are on here.
[01:05:30] Speaker B: Right.
[01:05:30] Speaker A: Like, it's, that's, that's one of the things you could do.
[01:05:33] Speaker B: Yeah, it's what I assume. That's where I'm like, maybe 15,000 is way overkill, but it's just the limit of what they can support.
[01:05:40] Speaker A: Yeah, I'm sure it's a hardware limit.
[01:05:43] Speaker B: Yeah.
[01:05:44] Speaker A: Where that number comes from. Yeah.
All right, moving on to Azure, the sole single and only Azure workload that we're only keeping in here because we know Justin will like it.
[01:05:56] Speaker B: It's sad, but true.
And I get to make fun of Azure.
[01:05:59] Speaker A: Let's be honest.
[01:06:00] Speaker B: That's true.
[01:06:00] Speaker A: All right, there's two reasons it's always good to make fun of Azure.
Azure launches Dlsv7, Dsv7, and Esv7 virtual machines in public preview. Powered by Intel Xeon 6 processors, codenamed Granite Rapids, these 7th-generation Intel-based VMs represent the latest iteration of Azure's general-purpose and memory-optimized VM families, bringing the newer processor architecture to cloud workloads. The new VM series targets customers running compute-intensive and memory-intensive workloads that could benefit from the latest Intel processor improvements.
General-purpose Dlsv7 and Dsv7 VMs suit balanced workloads like web servers and application hosting, while Esv7 VMs are optimized for memory-heavy applications such as databases and in-memory analytics.
Intel Xeon 6 processors introduce architectural improvements over previous generations, though specific performance metrics and pricing details were not provided in this announcement.
[01:06:59] Speaker B: It's preview. That makes sense.
[01:07:01] Speaker A: Yeah.
The preview status means these VMs are only available for testing and not really suitable for production workloads.
And depending on your service level agreements and regional availability, organizations should check the Azure documentation for details.
[01:07:17] Speaker B: The other reason I want to keep it in was, I'm still struggling to get the v6 in some regions, and granted, these are less common regions, you know, but, you know, I have different SKUs based on region availability because I just can't get it. And in some places it's like, we can do it in two zones, and I'm like, cool, thank you. Way to make yourself more money. Because if I want to have a one-zone outage, I feel like this is like that old AWS exam.
You want to be able to maintain six nodes at any time and you are expanded across three nodes, you know, your three zones. How many instances do you need? Well, that means I need, but I don't remember the numbers I just said. 6, 2, 2, 4, 6, 8, 9. Oh, I chose a hard number. Three in each zone. This is a really good podcast material. Math on the fly.
I need three in each zone. But now when I have this, like, you think it just doesn't work, you know, like, and like, thank you, Azure, for making yourself more money, because now I have to pay you more to keep my same availability.
[01:08:20] Speaker A: Yeah, I mean, this just goes to show how spoiled you and I were on AWS. Because I never had to deal with this on AWS, like, never once. And I have to deal with it in Google all the time now. And so it's like, it really is like the way they manage capacity and they do their advertisements, and I wonder if it's changed as the hardware requirements.
[01:08:39] Speaker B: I think it has.
[01:08:40] Speaker A: Yeah. So even on AWS, maybe they run into this because there's so many SKUs available these days.
[01:08:44] Speaker B: There's definitely some in the less prevalent regions where I've helped people where they're just not available.
[01:08:51] Speaker A: Yeah.
[01:08:52] Speaker B: You know, so like this, the straight up SKU or instance type isn't around.
[01:08:56] Speaker A: Yeah.
[01:08:56] Speaker B: Wow. My default linguistic is now sometimes going to Azure and sometimes AWS, depending on the verbiage. It's really funny. I talk to my day job on whatever the next day is, normally Wednesday morning after we do the podcast, and I can't keep any terminology straight. I just flip between the clouds. Everyone's like, you did the podcast last night? I'm like, yeah, sorry. That's funny.
[01:09:21] Speaker A: I think it was earlier this week in a meeting, I stated publicly, it's like, don't worry, I understand AWS. Because someone was just speaking in EC2 and S3, talking about generally cloud computing. They were, and then they caught themselves, and I was like, don't worry.
[01:09:37] Speaker B: Gotcha.
[01:09:38] Speaker A: It's pretty funny. It is difficult.
[01:09:40] Speaker B: Whenever I interview, or like, I work with our auditors or anything else, you know, one of the first things I say to people, I'm like, what cloud do you want me to speak? I'm really good at AWS, and I'm pretty good at Azure compared to, I'm supposed to be, because I'm your expert that you're talking to right now.
But if you want me, you know, I can wing it enough on GCP. You know, normally between AWS and Azure, you know, I've definitely talked to like an auditor or like, you know, even like customers. They're like, how are you doing this? And I'm like, what is your cloud terminology of choice? Because that's what I can talk to you about.
[01:10:15] Speaker A: Yeah, I found that specifically being on GCP for the day job, like, most external companies I'm talking to only understand AWS, and so I have to translate in that direction. I haven't had anyone that only understood Azure or only understood GCP.
So, yeah, which, thank God, if they were saying, oh, we only know Azure, and I'd translate to that. I was like, well, we're gonna have to get someone else.
[01:10:39] Speaker B: You're like, Matt, Matt, can I pay you a couple hundred dollars?
Just, just show up, I'll give you some.
[01:10:46] Speaker A: Let me FaceTime a friend. Yeah, exactly.
[01:10:49] Speaker B: Phone a friend. I also know spacetime a friend.
It would just be the three-way translation. You would tell me in AWS. I would have to translate.
[01:11:00] Speaker A: Yeah.
[01:11:00] Speaker B: And go from there.
[01:11:02] Speaker A: And that's what it would take to get the job done. That's hilarious. No wonder AI is like taking over the world.
[01:11:11] Speaker B: Well, even the. We talked about it a few weeks ago, like the AI specific translation models that came out, like, I think I'm really going to be revolutionary in like business, you know.
And getting into that point, we've completely digressed off Azure instance types. But, you know, that's a different problem.
[01:11:29] Speaker A: Well, that was our last story. So this episode has been at our long point. Well, it's not too long.
[01:11:38] Speaker B: Well, should we do the cloud journey?
[01:11:39] Speaker A: I was thinking we should save it for next week.
[01:11:42] Speaker B: Yeah, I'm okay with that because there people are done hearing the two of us talk.
[01:11:46] Speaker A: Yeah. So we'll, we'll save those for next week. So stay tuned. If we.
Yeah, we didn't really tease that enough to.
[01:11:52] Speaker B: I was going to say. Well, we'll talk. We'll talk next week about how AI assistants are taking over our. Our lives.
[01:11:58] Speaker A: Our lives. Yeah, some more. Talk about AI some more. Yeah, yeah.
[01:12:01] Speaker B: I don't talk about AI.
[01:12:02] Speaker A: This used to be a cloud hosting infrastructure cloud pod. Now it's just AI, like everything else in the industry.
[01:12:09] Speaker B: I was talking to somebody, and they're like, oh, you do a podcast about the cloud? I'm like, yeah, it's like 60% AI and like 20% cloud at this point.
[01:12:19] Speaker A: Yeah, well, I mean, we do still heavily lean towards those articles and those announcements, but there are not very many of them anymore. You don't really hear, you know, other than our, you know, we get our pittance of AWS console improvements, but then it's this bot, that bot, this thing.
[01:12:38] Speaker B: Yeah.
Anyway, we should sign off.
We're getting, we're getting wrapped.
Bye, everyone.
We'll see you next week.
[01:12:48] Speaker A: Yeah. And that is this week in the Cloud. Bye, everybody.
[01:12:52] Speaker B: Bye, everyone.
[01:12:56] Speaker A: And that's all for this week in Cloud. Head over to our
[email protected] where you can subscribe to our newsletter, join our Slack community, send us your feedback and.
[01:13:05] Speaker B: Ask any questions you might have. Thanks for listening and we'll catch you.
[01:13:08] Speaker A: On the next episode.