Amazon Web Services (AWS)

AWS is supported for organizations that require enterprise-grade infrastructure, compliance certifications, or integration with existing AWS services.

When to Use AWS

Requirement             | Why AWS
------------------------|-----------------------------------------------
Compliance              | SOC 2, HIPAA, PCI DSS, FedRAMP certifications
Global presence         | 30+ regions worldwide
AWS integration         | RDS, S3, Lambda, IAM, and other AWS services
Managed Kubernetes      | EKS with AWS-native integrations
Enterprise requirements | Existing AWS commitments or contracts

Configuration

IAM Credentials

Create an IAM user or role with appropriate permissions:

  1. Go to the AWS IAM Console
  2. Create a new user or role for Teabar
  3. Attach the required policies (see below)
  4. Generate access keys

Required IAM Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "eks:*",
        "iam:CreateServiceLinkedRole",
        "iam:PassRole",
        "route53:*",
        "acm:*"
      ],
      "Resource": "*"
    }
  ]
}
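The policy above grants several service-wide wildcards on `Resource: "*"`, which is convenient for provisioning but worth reviewing before it is attached. The following script is an added example, not Teabar's own tooling: it parses the policy JSON from this section (embedded as constructed input) and reports every statement that pairs a `service:*` action with an unrestricted resource, plus the two `iam:` actions, which deserve explicit scoping. The `SENSITIVE_ACTIONS` table and its advice strings are this example's own assumptions.

```python
"""Lint an IAM policy document for over-broad grants before attaching it.

Added example, not Teabar's own tooling. SENSITIVE_ACTIONS and the advice
strings are assumptions, not anything Teabar documents.
"""
import json

# Constructed copy of the policy shown above, so the script runs offline.
TEABAR_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*", "elasticloadbalancing:*", "autoscaling:*", "eks:*",
        "iam:CreateServiceLinkedRole", "iam:PassRole", "route53:*", "acm:*"
      ],
      "Resource": "*"
    }
  ]
}
"""

# Actions that hand out identity and should never be left unscoped (assumed list).
SENSITIVE_ACTIONS = {
    "iam:PassRole": "scope Resource to the role ARNs Teabar actually passes",
    "iam:CreateServiceLinkedRole": "restrict with the iam:AWSServiceName condition key",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list:
    """Return human-readable findings for an IAM policy document (empty = clean)."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        unrestricted = "*" in resources
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' is a full admin grant")
            elif action.endswith(":*") and unrestricted:
                service = action.split(":", 1)[0]
                findings.append(
                    f"statement {idx}: {service}:* on Resource '*' "
                    f"(narrow with condition keys, e.g. resource tags)")
            elif action in SENSITIVE_ACTIONS and unrestricted:
                findings.append(
                    f"statement {idx}: {action} on Resource '*' ({SENSITIVE_ACTIONS[action]})")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(TEABAR_POLICY):
        print(finding)
```

Run against the policy above it produces eight findings (six `service:*` grants and the two `iam:` actions); a policy whose actions are scoped to specific ARNs produces none. The `iam:PassRole` finding is the one to act on first, since an unscoped PassRole lets the credential attach any role in the account to the instances it creates.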

Configure in Teabar

teactl org provider set aws \
  --access-key <AWS_ACCESS_KEY_ID> \
  --secret-key <AWS_SECRET_ACCESS_KEY> \
  --region us-east-1

Or via environment variables:

export AWS_ACCESS_KEY_ID=<your-access-key>
export AWS_SECRET_ACCESS_KEY=<your-secret-key>
export AWS_DEFAULT_REGION=us-east-1

Regions

AWS offers 30+ regions. Common choices for training environments:

Region                   | Code           | Location      | Use Case
-------------------------|----------------|---------------|------------------------
US East (N. Virginia)    | us-east-1      | Virginia, USA | Default, most services
US West (Oregon)         | us-west-2      | Oregon, USA   | US West Coast
EU (Ireland)             | eu-west-1      | Ireland       | European users
EU (Frankfurt)           | eu-central-1   | Germany       | EU data residency
Asia Pacific (Tokyo)     | ap-northeast-1 | Japan         | APAC users
Asia Pacific (Singapore) | ap-southeast-1 | Singapore     | Southeast Asia

Specifying Region

In blueprints:

spec:
  infrastructure:
    provider: aws
    region: us-east-1

Instance Types

General Purpose (T3/T3a)

Burstable instances with CPU credits. Best for variable workloads.

Type       | vCPU | RAM   | Baseline | Price/hr* | Use Case
-----------|------|-------|----------|-----------|-------------------
t3.micro   | 2    | 1 GB  | 10%      | ~$0.01    | Minimal workloads
t3.small   | 2    | 2 GB  | 20%      | ~$0.02    | Participant VMs
t3.medium  | 2    | 4 GB  | 20%      | ~$0.04    | Development
t3.large   | 2    | 8 GB  | 30%      | ~$0.08    | K8s workers
t3.xlarge  | 4    | 16 GB | 40%      | ~$0.17    | K8s control plane

*Prices are approximate and vary by region.

Compute Optimized (C6i)

For compute-intensive workloads:

Type        | vCPU | RAM   | Price/hr*
------------|------|-------|----------
c6i.large   | 2    | 4 GB  | ~$0.085
c6i.xlarge  | 4    | 8 GB  | ~$0.17
c6i.2xlarge | 8    | 16 GB | ~$0.34

Memory Optimized (R6i)

For memory-intensive applications:

Type        | vCPU | RAM   | Price/hr*
------------|------|-------|----------
r6i.large   | 2    | 16 GB | ~$0.126
r6i.xlarge  | 4    | 32 GB | ~$0.252
r6i.2xlarge | 8    | 64 GB | ~$0.504

ARM64 (Graviton)

ARM-based instances with excellent price-performance:

Type       | vCPU | RAM  | Price/hr* | Use Case
-----------|------|------|-----------|----------------------
t4g.micro  | 2    | 1 GB | ~$0.008   | Minimal ARM workloads
t4g.small  | 2    | 2 GB | ~$0.017   | ARM development
t4g.medium | 2    | 4 GB | ~$0.034   | ARM workloads

Blueprint Examples

Single VM per Participant

apiVersion: teabar.dev/v1
kind: Blueprint
metadata:
  name: aws-linux-workshop
spec:
  infrastructure:
    provider: aws
    region: us-east-1

  resources:
    - name: participant-vm
      type: vm
      spec:
        size: t3.small
        image: ami-0c55b159cbfafe1f0  # Ubuntu 22.04
        perParticipant: true
        userData: |
          #!/bin/bash
          apt-get update
          apt-get install -y docker.io git vim
          usermod -aG docker ubuntu

EKS Cluster

apiVersion: teabar.dev/v1
kind: Blueprint
metadata:
  name: eks-workshop
spec:
  infrastructure:
    provider: aws
    region: us-east-1

  resources:
    - name: k8s-cluster
      type: cluster
      spec:
        distribution: eks
        version: "1.29"
        nodeGroups:
          - name: workers
            instanceType: t3.large
            minSize: 2
            maxSize: 5
            desiredSize: 3
        addons:
          - vpc-cni
          - coredns
          - kube-proxy
          - aws-ebs-csi-driver

Self-Managed Kubernetes (Talos)

apiVersion: teabar.dev/v1
kind: Blueprint
metadata:
  name: talos-on-aws
spec:
  infrastructure:
    provider: aws
    region: us-east-1

  resources:
    - name: k8s-cluster
      type: cluster
      spec:
        distribution: talos
        version: "1.29"
        controlPlane:
          count: 3
          size: t3.xlarge
        workers:
          count: 3
          size: t3.large
        cni: cilium

Networking

VPC Configuration

Each environment gets an isolated VPC:

spec:
  infrastructure:
    provider: aws
    region: us-east-1
    network:
      vpcCidr: 10.0.0.0/16
      subnets:
        public:
          - cidr: 10.0.1.0/24
            az: us-east-1a
          - cidr: 10.0.2.0/24
            az: us-east-1b
        private:
          - cidr: 10.0.10.0/24
            az: us-east-1a
          - cidr: 10.0.11.0/24
            az: us-east-1b

Generated Terraform

resource "aws_vpc" "environment" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name        = "env-abc123-vpc"
    Environment = "env-abc123"
    ManagedBy   = "teabar"
  }
}

resource "aws_subnet" "public" {
  count             = 2
  vpc_id            = aws_vpc.environment.id
  cidr_block        = cidrsubnet(aws_vpc.environment.cidr_block, 8, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name = "env-abc123-public-${count.index}"
  }
}
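The blueprint's network block and the generated Terraform allocate subnets in two different ways: the blueprint lists explicit CIDRs per availability zone, while the Terraform derives them with `cidrsubnet(cidr_block, 8, count.index)`. The script below is an added example, not part of Teabar: it validates a network block (a constructed copy of the one above) for subnets that fall outside the VPC or overlap each other, and it ports Terraform's `cidrsubnet()` to Python so you can see exactly which blocks the generated resource would allocate and compare them with what you wrote in the blueprint.

```python
"""Validate a blueprint VPC/subnet plan and reproduce Terraform's cidrsubnet().

Added example, not part of Teabar. NETWORK is a constructed copy of the
blueprint's network block; cidrsubnet() is a Python port of the Terraform
function with the same (prefix, newbits, netnum) arguments.
"""
import ipaddress

NETWORK = {
    "vpcCidr": "10.0.0.0/16",
    "subnets": {
        "public": [
            {"cidr": "10.0.1.0/24", "az": "us-east-1a"},
            {"cidr": "10.0.2.0/24", "az": "us-east-1b"},
        ],
        "private": [
            {"cidr": "10.0.10.0/24", "az": "us-east-1a"},
            {"cidr": "10.0.11.0/24", "az": "us-east-1b"},
        ],
    },
}


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Port of Terraform's cidrsubnet(): the netnum-th /(len+newbits) block inside prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    new_prefixlen = net.prefixlen + newbits
    if new_prefixlen > net.max_prefixlen:
        raise ValueError("newbits exceeds the address size")
    if not 0 <= netnum < 2 ** newbits:
        raise ValueError("netnum does not fit in newbits")
    block_size = 2 ** (net.max_prefixlen - new_prefixlen)
    base = int(net.network_address) + netnum * block_size
    return str(ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{new_prefixlen}"))


def validate_network(network: dict) -> list:
    """Return problems: subnets outside the VPC CIDR or overlapping each other (empty = ok)."""
    vpc = ipaddress.ip_network(network["vpcCidr"], strict=True)
    problems = []
    seen = []  # (tier, network) pairs already checked, for the overlap test
    for tier, subnets in network["subnets"].items():
        for entry in subnets:
            net = ipaddress.ip_network(entry["cidr"], strict=True)
            if not net.subnet_of(vpc):
                problems.append(f"{tier} {net} ({entry['az']}) lies outside VPC {vpc}")
            for other_tier, other in seen:
                if net.overlaps(other):
                    problems.append(f"{tier} {net} overlaps {other_tier} {other}")
            seen.append((tier, net))
    return problems


if __name__ == "__main__":
    print("plan problems:", validate_network(NETWORK) or "none")
    # What the generated aws_subnet.public resource allocates for count.index 0 and 1
    for i in range(2):
        print(f"cidrsubnet({NETWORK['vpcCidr']}, 8, {i}) = {cidrsubnet(NETWORK['vpcCidr'], 8, i)}")
```

`strict=True` rejects CIDRs with host bits set (such as `10.0.1.5/24`), which is the usual typo in hand-written subnet lists; the overlap check catches the other common mistake, a private subnet that collides with a public one after someone edits a single octet.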

Security Groups

Default security group rules:

spec:
  infrastructure:
    firewall:
      ingress:
        - port: 22
          protocol: tcp
          cidr: 0.0.0.0/0
          description: SSH
        - port: 443
          protocol: tcp
          cidr: 0.0.0.0/0
          description: HTTPS
        - port: 6443
          protocol: tcp
          cidr: 10.0.0.0/16
          description: K8s API (internal)
      egress:
        - protocol: -1
          cidr: 0.0.0.0/0
          description: All outbound

Load Balancers

AWS offers multiple load balancer types:

resources:
  - name: app-lb
    type: loadbalancer
    spec:
      type: alb  # or nlb for Layer 4
      scheme: internet-facing
      targets:
        - resource: webserver
      listeners:
        - port: 443
          protocol: HTTPS
          certificate: arn:aws:acm:...
          targetPort: 8080
          targetProtocol: HTTP

Storage

EBS Volumes

Attach persistent block storage:

resources:
  - name: data-volume
    type: volume
    spec:
      size: 100  # GB
      type: gp3  # gp2, gp3, io1, io2
      iops: 3000  # for gp3/io1/io2
      throughput: 125  # MB/s for gp3

  - name: database
    type: vm
    spec:
      size: t3.large
      volumes:
        - data-volume

EBS Volume Types

Type | Use Case                      | IOPS           | Throughput
-----|-------------------------------|----------------|------------------
gp3  | General purpose (recommended) | Up to 16,000   | Up to 1,000 MB/s
gp2  | Legacy general purpose        | Burst to 3,000 | 128-250 MB/s
io2  | High-performance databases    | Up to 64,000   | Up to 1,000 MB/s

EKS Integration

EKS with AWS Integrations

EKS clusters can leverage AWS-native services:

resources:
  - name: eks-cluster
    type: cluster
    spec:
      distribution: eks
      version: "1.29"
      nodeGroups:
        - name: workers
          instanceType: t3.large
          desiredSize: 3
      
      # AWS integrations
      integrations:
        # IAM Roles for Service Accounts
        irsa:
          enabled: true
        
        # AWS Load Balancer Controller
        albController:
          enabled: true
        
        # EBS CSI Driver
        ebsCsi:
          enabled: true
        
        # Cluster Autoscaler
        autoscaler:
          enabled: true
          minNodes: 2
          maxNodes: 10

IRSA (IAM Roles for Service Accounts)

Allow pods to assume IAM roles:

resources:
  - name: s3-access-role
    type: aws-iam-role
    spec:
      serviceAccount: my-app
      namespace: default
      policy: |
        {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-bucket/*"]
          }]
        }

DNS with Route 53

resources:
  - name: app-dns
    type: dns
    spec:
      provider: route53
      zone: workshop.example.com
      records:
        - name: "app"
          type: A
          alias:
            target: "{{ .Resources.app-lb.dns_name }}"
            hostedZoneId: "{{ .Resources.app-lb.zone_id }}"

Cost Management

Pricing Considerations

Cost Factor        | Notes
-------------------|----------------------------------------
On-Demand          | Default, pay-per-hour
Spot Instances     | Up to 90% discount, can be interrupted
Reserved Instances | 30-60% discount for 1-3 year commitment
Data Transfer      | Outbound data charges apply

Using Spot Instances

For cost-sensitive, interruptible workloads:

resources:
  - name: worker-nodes
    type: vm
    spec:
      size: t3.large
      spotInstance:
        enabled: true
        maxPrice: 0.05  # Maximum hourly price

Cost Estimation

teactl env estimate --blueprint aws-workshop --participants 20

Limitations

Feature      | AWS Notes
-------------|---------------------------------------
Cost         | 3-5x more expensive than Hetzner
Provisioning | Slower than Hetzner (~3-5 min for VMs)
Complexity   | More configuration options to manage
EKS costs    | $0.10/hr cluster fee + node costs

Troubleshooting

Common Issues

“UnauthorizedOperation”

Your IAM user lacks required permissions. Check the IAM policy.

“InstanceLimitExceeded”

Request a quota increase via AWS Service Quotas console.

“InsufficientInstanceCapacity”

The instance type isn’t available in the selected AZ. Try a different AZ or instance type.

View Provisioning Logs

teactl env logs my-workshop --component provisioner
