HN Distilled

Essential insights from Hacker News discussions

Serverless Horrors

Original Article

Hacker News Discussion

This discussion revolves around the risks and realities of unexpected cloud computing bills, particularly with serverless architectures, and the customer service experience when such issues arise.

Social Media as a Customer Service Channel

A recurring theme is the reliance on social media, specifically Twitter, to resolve billing issues when traditional customer support channels fail. Users express frustration that public shaming or viral posts seem to be the most effective way to get a response and resolution from cloud providers.

  • "This is what scares me, is social media the only way to get things sorted out nowadays? What if I don't have a large following nor an account in the first place, do I have to stomach the bill?" - Alifatisk
  • "I had to create a Twitter account, twit about my case et voila! 30 mins after I got a response and they send me a PM with a case number... Not even going to mention the airline, but it is infuriating..." - pelagicAustral
  • "Relying on the mercy of a support agent that may be having a bad day is a poor strategy" - Havoc

Lack of Budget Control and Hard Limits

A significant point of contention is the absence of robust, built-in mechanisms for setting hard spending limits on cloud services. Users feel that budget notifications are insufficient and that providers should offer automatic service shutdowns or resource deletion when spending thresholds are breached, similar to how traditional utilities or credit cards operate.

  • "They have budget alerts that do not shut services down. [...] This is a reason why I am not only clueless of anything related to cloud infrastructure unless it's stuff I am doing on the job, nor I am willing to build anything on these stacks." - Foobar8568
  • "I have a handful of toy projects on AWS and Google cloud. On both I have budgets set up at $1 and $10, with notifications at 10% 50% and 90%. Itā€™s great, but itā€™s not a limit. I can still get screwed if somehow, my projects become targets..." - appreciatorBus
  • "The only conclusion I can come to is that these services are simply not made for small experimental projects, yet I also donā€™t know any other way to learn the services except by setting up toy projects, and thus exposing yourself to ruinous liability." - appreciatorBus
  • "It just feels infuriating that the services are sold as easy to get started and risk free with generous free tiers, inviting people and companies to try out small projects, yet each small experiment contains an element of unlimited risk with no mitigation tools." - appreciatorBus
  • "You don't stop CHARGING. You stop providing the service that is accumulating charges in excess of what limit I set. And you give some short period of time to settle the bill, modify the service, etc. You can keep charging me, but provide a way to stop the unlimited accrual of charges beyond limits I want to set." - mgkimsal

Unintended Usage and Security Vulnerabilities Leading to Costs

The discussion highlights how simple configuration mistakes, security oversights, or even malicious attacks can lead to unexpected and exorbitant bills, particularly due to pay-per-use models intrinsic to serverless.

  • "I thought this would be about the horrors of hosting/developing/debugging on 'Serverless' but itā€™s about pricing over-runs. [...] About how you make unauthā€™d API calls to an s3 bucket you donā€™t own to run up the costs. That was a new one for me." - joshstrange
  • "I had cloudflare in front of my stuff. Hacker found an uncached object and hit it 100M+ times. I stopped that and then they found my origin bucket and hit that directly." - dakiol (quoted from another source)
  • "This story is giving 'I leave OWASP top 10 vulns in my code because hacker mindset'. It's not that hard to configure access controls, they're probably cutting corners on other areas as well." - gdbsjjdn
  • "With AWS, you wake up to a 6 figures bill." - mschuster91

The "Serverless" Paradox: Convenience vs. Control and Opacity

There's a sentiment that while "serverless" offers convenience, it comes at the cost of transparency and control. The underlying complexity, when issues arise, becomes a significant burden. Users express a preference for more traditional, predictable infrastructure like VPS for critical applications due to this opacity.

  • "The opacity of the underlying platform (which is the value proposition of serverless!) has made it very painful when the going gets tough and you find bugs in your system down close to that layer..." - thousand_bats
  • "I've had similar experiences with Azures services. Black boxes impossible to troubleshoot. Very unexpected behavior people aren't necessarily aware of when they initially spin these things up. For anything important I just accept the pain of deploying to kubernetes." - fishmicrowaver
  • "I pay about EUR 5 monthly, and never have to worry about unexpected bills." - rwmj (referring to Hetzner VPS)
  • "Serverless is the most common deployment on MACH projects. Because when everything is a bunch of SaaS Lego bricks, serverless is all one needs for integration logic, and some backend like logic." - pjmlp

The Nature of Cloud Billing and Refund Practices

Users debate whether the lack of immediate billing feedback and the reliance on post-incident refunds are intentional business strategies to maximize revenue, or simply a consequence of the complexity of distributed systems. The practice of requiring credit cards for "free tiers" and the subsequent large bills are particularly scrutinized.

  • "Those budget alerts are not real time. You can rack up a significant bill before they are triggered." - rustc
  • "The vendor has provided substandard tooling with the explicit intent of forcing you to spend more money." - McGlockenshire
  • "When I was learning to program through a bootcamp I spun up an elastic beanstalk instance that was free but required a credit card to prove your identity. [...] Amazon then charged me one hundred thousand dollars as the server was hit by bot spam. I had them refund the bill..." - phoenixhaber
  • "Is it just me or is this just a cheap excuse to grab a payment method from unsuspecting free-tier users?" - motoreast
  • "These 'refund after overcharge' things are not without benefit to the corporations. They get a nice tax write-off." - ChrisMarshallNY
  • "This is a reason why I am not only clueless of anything related to cloud infrastructure unless it's stuff I am doing on the job, nor I am willing to build anything on these stacks. [...] Oh lastly, for Azure, in different European regions you can't instance resources, you need to go through your account representative..." - Foobar8568

The "Orwellian" Nature of "Serverless" and Marketing

Some users find the term "serverless" to be misleading, as it still relies on servers. This, combined with aggressive marketing of "free tiers" that can lead to substantial bills, contributes to a general distrust of how these services are presented to the public.

  • "'Serverless' is a an Orwellian name for a server-based system!" - the__alchemist
  • "There becomes a point where being mad that the specific flavor of PaaS termed serverless achtually has severs is just finding a thing to be mad at." - Spivak
  • "The problem with the AWS certificate is that the entity issuing the certificate and the entity honoring the certificate have opposing priorities. When a company wants to use AWS, preferably they'd want to avoid needlessly expensive solutions and vendor lock-in, while Amazon wants to teach people how to choose needlessly expensive solutions with vendor lock-in. It is a fake degree." - anal_reactor

Developer Practices and Education

There's an undercurrent of developer responsibility, with some suggesting that developers should be more diligent in understanding the services they use and implementing appropriate safeguards, rather than solely blaming the providers. The role of educational programs in teaching these practices is also questioned.

  • "Don't stop putting stuff on the internet you don't understand." - tekno45
  • "You have to wonder how many people quietly got burned by that in the 18 years between S3 launching and that viral post finally prompting a response." - jsheard
  • "If it's a free tier there should never have been a charge in the first place..." - dismalaf (contesting the idea of charging for a free tier)
  • "Didn't the bootcamp told you to, at least, setup a budget alert? [...] if a teaching program tells you to use AWS but doesn't teach you how to use it correctly, you should question both AWS and the program's methods." - wiether

Analogy to Traditional Utilities and Safety

Some users draw parallels between cloud computing costs and traditional utilities, suggesting that unexpected bills due to usage have always been a possibility, and that modern cloud providers are simply the digital equivalent. Analogies to physical tools with safety features are also used to illustrate the debate around built-in spending limits.

  • "If you sign up for electrical service for your house, and your shithead neighbor taps your line to power his array of grow lamps and crypto mining rigs, the power company will happily charge you thousands of dollars..." - tetromino_
  • "When you use a tool you are responsible for what it does." - mlhpdx
  • "What seems like a basic feature to you is a hindrance to me. I donā€™t want to have to disable ā€œsafeguardsā€ all over the place just because of loud and rare complaints." - mlhpdx (in response to the safety analogy)