Just something to keep in mind: this also has about half of additional bandwidth costs (above 100GB) of the reddit post, so in your case you'd be billed for ~$57k or so with similar DDOS. At least they seem to provide monitoring/alerts based on their Security page.
Not for me. It's always configuration voodoo. i've done it dozens of times and i used to think it's normal developer workflow. now i realize I was putting thumbtacks in my eyes for no good reason.
Creating an s3 bucket is easy enough. but you need to add the policy Json config to allow public access, and it has various versions across time and space. the one that works for me is like 15 years old iono. object resource "//*" something or other.
ok so now you have an s3-east-mybucket.com/index.html, ok custom domain that's route 53 yet more configuration vooodoo to point an s3 website enabled bucket blah blah.
wait! need SSL? oops actually that's cloudfront. need a cloudfront config voodo to point to an s3 config voodoo to your hopefully correctly configured route 53.
are you kidding me, 10 mins? You're a wizard. Now i do git push origin main and my sites up on render.com
yes, you need to spend the time to learn about the environment you are hosting your app in and then suddenly it won't seem like "voodoo" as much. you absolutely can set this up in 10 minutes (probably much quicker if you are adept with various infra tooling). theres even wizard dialogs for most of the things you've described right in the AWS UI nowadays.
That depends on what level of knowledge you are based on. The UX of AWS offers even leading experienced admins and developers some surprising stumbling blocks.
"In order to keep your service online, you are required to keep a positive account credit balance. Our system will automatically send multiple warning emails if your account balance drops beyond a certain point. If you fail to recharge your account, the system will automatically suspend your account"
Just checked, you can also set a limit on monthly bandwidth.
"Monthly Bandwidth Limit (GB) - Limits the allowed bandwidth used in a month. If the limit is reached the zone will be disabled. Set to 0 for unlimited."
Love Bunny too, wonderful service and great team. I wish there'd be an easy way to set up auto-deploy to Bunny Edge Storage on GitHub commit (to avoid doing so manually), but I guess it's not to hard to do through GitHub Actions.
I switched from Bunny to BlazingCDN, with same performance...
1000TB - $0.0025 per Gb
And the support helps a lot, they even made the config for Asia for free
If it’s really pure static, github is great because it’s impossible for you to be billed. If you want some functions, Cloudflare free plan is nice because you can configure it to stop operating when the usage limit is reached, or pay $5 a month for more than you’ll likely ever need for a hobby project. Also bandwidth is free.
Cloudflare. You will get a call if on a free or pro ($25/month) plan [1] if your bandwidth usage is so high it would warrant increasing your plan. Worst case, they turn you off. Preferred over denial of money attack based on your use case. Set and forget after pointing at your origin (time is money).
You'll get a call on any of their plans if your bandwidth usage exceeds certain thresholds, I am assuming your median usage is relatively tame.
Disclosure: Cloudflare enterprise customer, no other affiliation. I don't get anything for saying nice things.
You typically can't replace Netlify with Cloudflare. You need something like Github actions with some storage, S3 or something and then one can put Cloudflare in front of it all for caching, DDOS protection and so on.
Sounds like you're thinking of Cloudflare still as just the DNS/DDoS protection it started out with. I'm not that familiar with Netlify, but just going on your description:
For less than 1% of OP's monthly bill, you can build or obtain a more-than-enough server, drop your static files on it, and serve through nginx. And you get to keep it forever; there's no monthly subscription fee!
Seriously, maybe I'm just old, but I look at the pricing of these hip and modern SaaS products for dead simple software and I cannot believe my eyes. The "old fashioned way" works just fine (and has always worked just fine) and is orders of magnitude cheaper.
Hetzner or DigitalOcean with Coolify [0] works great, it's like an open source Heroku that runs on any host, you get git push to deploy, and a bunch of other features built in. It only works on one machine at a time though so it's not like a CDN but for small sites, it's great.
I use DigitalOcean to host some things (with my own setup for deployments with git push, because `curl | bash` is not a great way to install/maintain software).
How am I protected against extra charges for traffic?
Same here, using DigitalOcean instead of Vercel to host my Next.js app. I have a billing alert to notify of unexpected bills, but I don't know what DO does if somehow TBs of traffic are sent to my apps or Cloudflare, because DO App Platform actually uses Cloudflare behind the scenes.
I pay less than $5/mth for a VPS with static IP and 1GB/mth transfer. If I get close to any of my CPU/Memory/Disk/Transfer capacity I get a friendly email letting me know that I might want to add more capacity.
I mean, the C10k problem was coined in 1999[0]. A 10W raspberry pi is going to be faster than any server of that day, so it depends on what exactly you are hosting if you need the noisy box.
Dynamic type IP doesn't usually change for no reason, work around whatever instability you have, set BIOS so PC auto-restarts and OS launches apps when failed power returns, get a mini fanless PC which can be easily concealed, and you don't even need to tell anyone who doesn't have a need to know.
Whether that includes your wife or not is up to you ;)
EC2 is so much more expensive than a standard VPS from almost any other provider though. If you're not embedded heavily in other AWS products I don't think it's worth bothering with EC2 - LightSail is way more cost effective and gets you most of the features.
For personal servers you can use the dynamic DNS feature on your modem in combination with Cloudflare if you like doing it at home, if it's for your business you can see if you can afford the €2 per month for Hetzner managed hosting or your local equivalent.
You just posted it on Reddit and I already see few comments of people say they will never use it. Stuff like this can cause PR damage worth millions to a company. I'm pretty sure that it will go viral and they won't charge you.
Eh, I wouldn’t say that’s necessarily the case. AWS support, for example, tends to be really good about waiving charges for things that are clearly your mistake, like an unused instance that you forgot to turn off for a couple months. That’s not because hosting instances doesn’t actually cost Amazon anything! It’s because they want to keep you as a customer even if it loses them a bit of money right now.
In the Netlify case, though, insisting that this person still pay 5% is downright insulting. I’m sure they’re taking a hit already - just waive the whole thing.
I wonder if you’ve hit some kind of internal limit. I don’t know if such things exist but I’ve noticed a pattern around how discounts and credits are allocated.
I do feel your pain though. Managing AWS costs can be a full time job itself.
Is it, though? We've been getting a lot of pushback for months, even for things that weren't really completely our fault (and were made worse by the horrible lag of cost explorer), or even for things that were aws bugs. Maybe now it's official policy, but definitely it's been hard to get refunds for a while now. They were throwing tens of thousands of dollars of credits at us to just play with new services a year and a half ago.
Nowadays for customers spending millions of dollars you'd expect (at least, Amazon would expect) that the customer has a FinOps department who are already working on getting the most 'bang for their buck' out of what they're paying for and minimising their spend, and they would jump to another platform in a heartbeat if they thought they could save money. It's not unreasonable to think that you don't need to do these customers any favours to keep their business, because those customers are big enough to look after themselves.
For smaller customers, the friendliness of customer support and the flexibility to help them if they make mistakes is much more likely to be a retention consideration. And who knows when a company spending 3 digits a month becomes a customer spending 6 digits a month? You want to be the provider of choice in case the company grows.
AWS will save us so much money! We don't have to pay for people to look after hardware! ... just pay for people to set up AWS, and maintain AWS, and make sure we're not paying thousands extra for AWS...
Yeah, exactly. I’m talking “I got billed $15 for an instance I haven’t used for the last few months. Can you refund me?”, not “You guys mind writing off a million or two?”
That’s not because hosting instances doesn’t actually cost Amazon anything
Except it doesn't cost them anything. The marginal cost of keeping your single instance running is $0 (unless they were 100% out of capacity and they could have sold that instance to someone else either at full price or spot price)
What does "idle" mean? Both a Linux or Windows OS not running any active software will still do computation and even network traffic (disk cache wrangling, indexing, checking for updates, NTP clock syncing etc), and requires electricity to do so.
It's very low cost, especially if its on a VM from a host that otherwise runs other VMs, but it's not 0. And if it happens to be the last VM preventing a hardware server from completely powering off, then it's actually quite far from 0.
But that's not what's happening: they aren't keeping a full host for you.
Your argument is like saying that a bus traveler costs the gas needed to power the bus, but it's never the case: the bus would be cruising no matter what. And symmetrically the VM host would be up no matter what you did with your instance.
You assume that the hardware would be unneeded, but that's a very strong assumption.
It would be very bad for any cloud provider to leave hosts with only one VM running on it, and you can be pretty sure only very small minority of their park that end up in that situation where shutting down a single VM would lead to a shut-down of the entire host, because it means that the host was vastly under-used in the first place.
As far as I know, most cloud hosts don't actually support automatically moving live VMs, so I think it's fairly common for a host to be left running a single VM.
At least in AWS, they never supported this, and in fact may require you to reboot an instance occasionally in order for it to be moved to a new hardware host (typically when they are upgrading their hardware).
But why are you talking about moving VMs?! Looks like you're adding tons of far-fetched speculations at every step of your reasoning.
The way you easily deal with this issue is very simple and does not require moving VMs: you just allocate newly spawned VMs to existing hosts with available room! When you do so (and they obviously all do!) you end up with little unused hardware…
Say you have 3 hosts, each with a capacity of 10 VMs. At some point you have 28 running VMs - 10 on host1, 10 on host2, 8 on host3. Someone then closes down 2 of the VMs on host1, and 7 of the VMs on host3.
Now you have 19 VMs running, but need to keep all 3 hosts powered. If you don't have live VM moving, you are now forced to keep Host3 running only because 1 VM is running on it, even if that VM is idle. So, this one idle VM is responsible for all the energy consumption of host3, and will continue to be so until at least 3 more VMs get started (since you have room for 2 more VMs on host1).
If you did have live VM migration, or if the idle VM were powered down instead of running idle, you could close host3 completely, moving the VM to host 1, and only re-open host3 if needed for new VMs.
This is equivalent to the problem of memory fragmentation. Even though overall usage is low, if host usage is highly fragmented and you aren't allowed to move used memory around (compacting), you can end up consuming far more than actually needed.
Except you don't have 3 hosts but 3 thousands, and during the time you're stopping the 9 VMs somebody else is starting 5 or 15 new ones!
Yes it is similar to memory fragmentation in some way, but your argument is like saying an integer stored on the heap costs a full memory page! You realize that it's nonsense. Sure in extreme edge cases it can, but that's not a good metric to know the memory footprint of an integer!
Being able to move VMs is nice as it allows more host use, but it's doesn't mean hosts end up with single idle VMs often!
Then you need to account for their low share in idle VMs when measuring how much electricity it is responsible for. If it's only the case for 1% of the idle VMs, then you need to count only 1% of the electric power of a host per idle VM (+ the small fraction of a host CPU power that an idle VM consumes). In any case, it's going to be very small (~$20/year)[1] and the “it costs them nothing” is a good approximation of that, or at least a much better one that assuming that the cost they charge you reflects an expense on their side (which is the point that was argued by rafram at the very start of this discussion.
[1]: let say 10W, which at $.2 per kWh[2], ends up costing $17.5 for an entire year!
AWS support, for example, tends to be really good about waiving charges for things that are clearly your mistake, like an unused instance that you forgot to turn off for a couple months.
This is an admission that their UX sucks and makes it hard to know what state your account is in and what you're paying for. They waive the fees because a few high profile cases of people paying thousands due to the AWS console being awful would drive a lot of customers away.
Especially since they admit it was a DDoS attack. What I find outrageous is first that they charge for incomming traffic (which is often free with other providers), but also 55$ per 100GB. For comparisson, Hetzner charges you 1€ per 1TB of outgoing traffic while incoming is free.
>it shows how disconnected this is from their real bandwidth cost
It's a value added service, they don't trade bandwidth as a commodity. Therefore unfair characterisation.
Plus, if you dive deeper: Bandwidth doesn't cost anything because bandwidth is just about pulsing some light in some glass fiber and applying some minuscule voltage on some metal fiber.Okay, maybe it costs some amount of electricity but all this is just a business model for paying on capital expenditure through time share arrangements. People can have all kind of models for this, for example you can come together with others or pay it all by yourself to install the equipment and have free bandwidth for the lifetime of the equipment.
It's all just arrangements to cover the capital investment and earn something on top of it. That's not a scam. A scam would be if they didn't account correctly for the timeshare usage or induce usage to boost payments.
I really don't get your point. If you're a hosting provider, the very thing you're selling is bandwidth (and disk space). Everything else is a value added service.
I disagree, they are not a colocation service that happens to rent servers. They are opinionated platform for deploying web applications in a specific way. The bandwidth happens to be a necessity to do that and also a useful metric for billing by usage.
So even a reduction to 0.2% would habe been possible. Honestly don't understand why anyone feels comfortable overpaying so much. Especially when there is no configurable spending limit.
At that scale, probably. Especially since AWS would offer you discounts over their public prices too. Netlify et al probably stop making sense when they cost more than a few engineering hours and the cost of AWS, Azure or GCP
If you use Netlify in the free tier you cannot automatically go to pro tier either. Yet they will charge you for bandwidth > 100GB, and THERE IS NO WAY FOR YOU TO SWITCH THAT OFF, even in the free tier.
"Should be fine" is exactly what is not the case here. Better check your Vercel terms again.
From every Vercel document that I can read though is that when you exceed the limits of free tier they are just locked for 30 days unless you upgrade to Pro.
So unless I am mistaken this cannot happen on Vercel.
Would be for a new business. Not a fan of introducing this sort of tail risk & whatever other risks I don't even know about for their managed service, when there are simpler ways to host I've done for years.
That sounds like a company that is happy to ignore customer pain. Agree, default-on telemetry that cannot fully be disabled is a red flag that on their side, the people with development experience have no say.
This seems like a lot of brouhaha about nothing. They just recorded the fact that a user opted out of telemetry, they didn't stealthily send telemetry against user wishes.
I don't see why people are surprised by this or why people are calling it a scam. Netlify and others are extremely transparent about the fact that there are no limits. I completely understand not liking it and can see why the lack of limits would make it a bad option for plenty of people, but I don't see how it can possibly be called a scam.
>Netlify and others are extremely transparent about the fact that there are no limits
Are they also transparent about the fact that they
1. Won't do anything about a DDoS, and
2. In case there's a DDoS (or some other unusual traffic spike), you'll only get notified waaaaay after the fact when you get the $100K bill, instead of getting a timely alert that would allow you to shut your site down to prevent getting extreme charges?
The primary purpose of these services is to be able to scale up and continue working under heavy load, shutting the site down when this occurs would defeat the entire purpose of the service. I would say that they are transparent about both of the things you have listed by virtue of being one of those scaling serverless hosting services.
How about letting the user decide whether they want to scale beyond a certain point or incur huge charges?
Not too mention: if the primary purpose of these services is to allow a DDoS and then charge the user for it — then, yup, you're guessing it right: it's a scam.
When their business model makes DDoS attacks profitable for them... They're not in the hosting business, they're in DDoS/extortion business.
My previous understanding was that service would be stopped once you hit past the free tier.
Upon review, it does not look like this is the case. I have several very low traffic projects on which would have never been anywhere close to the free limit. However, if I get involved in a random spam attack, it seems I could be on the hook for several thousand dollars.
This is incredibly dangerous. Netlify is often used as a beginner friendly free tier for static hosting. Not as something that is cheap, but as something that is free. This is just an overall dangerous position to put people in.
It does say it's pay-as-you-go on their pricing page. However they probably should have a giant warning page for new users who don't know that this is how this kind of service works if they want to target the beginner web-dev market. As far as I know, no other similar service has this though.
It smells like a scam, because they can suddenly bill any user they want for a scary number like $100,000, then when the user complains they "generously" reduce that to only 5%, or $5,000, hoping the user will just pay the massively reduced cost. This kind of thing - showing a huge number upfront then reducing it to a "small" number - is a classic scam.
Who controls the DDOS bots? Are they truly a separate entity? There is no direct evidence to link them together, but you would think that an honest company would be more proactive in preventing problems like this for their customers.
According to the linked reddit story, this is a known issue with Netlify and their response to past incidents is basically to pound sand. It all adds up to them purposefully trying to find ways to generate a high bill for their customers and hoping a small amount will pay for it.
Not to mention the strong conflict of interest for netlify, who stands to gain from their customers being attacked. Netlify is getting paid for something criminal in nature having occurred.
It's like who is responsible for credit card fraud? If customers are responsible for credit card fraud, and it's their responsibility not to get scammed, then who implements fraud prevention measures and what effect would that have on the volume of fraud?
Companies like these give out ridiculously huge free tiers in the hopes that very few users end up using the high free bandwidth limits. In most cases, they do. However, they do need to make their money back somehow.
I don't really get why people put their tiny static sites on hosts designed to never fall over no matter the traffic generated, no matter the situation. You're running a blog, not a government service. You don't need AWS or Netlify.
The ability to withstand almost any DDoS attack for a high price is a valuable service. It's not a scam. The people who get these huge bills just picked a hosting service that doesn't fit their requirements. I can promise you that the $3 shared hosting providers won't charge you $5k, five minutes after the DDoS starts your site just goes down.
Any suggestions for hosts that will just make your site offline once it reaches its tier limit? Cloudflare and Netlify get suggested a lot and I was considering one of them before this.
From what I can tell, OVH allows for unlimited traffic, unless you host in Sydney or Singapore.
Budget hosters will either cut you off completely (shut down your VPS) or throttle your network. For instance, Contabo doesn't charge extra, but it does reduce your network speed to 100mbps if you're exceeding an average connection speed of 100mbps over a timespan of 10 days. Leaseweb offers you the choice to power down a VPS when exceeding the bandwidth cap (though this is disabled by default).
If you need more bandwidth, Hetzner is popular, and charges around €1 per TB of bandwidth if you exceed their free bandwidth (+VAT, the $104k bill would be €40 under Hetzner, as 20TB is included for free) and provides configurable automated traffic email notifications before you hit that. Personally, I would add a warning after the very first terabyte, because I don't know what personal project even uses that much bandwidth.
Their dedicated servers don't seem to have a bandwidth limit, though there seems to be a fair use policy (there's this thread: https://lowendtalk.com/discussion/180504/hetzner-traffic-use... where a user complains about Hetzner threatening to end the contract after exceeding 250TB of traffic).
Many VPS providers and shared hosters won't send you these huge bills, but you should always read up on their policies when renting servers of any kind. These hosters don't come with free tiers (which I assume is the reason people consider services like Netlify in the first place) but they will usually tell you how they deal with bandwidth issues in their FAQs.
Regardless, at the end of the day, budgets still need to be followed whether you're an individual or a business. It's simply insane in the first place that someone on the free tier would want absolutely no downtime regardless of how high the traffic is. For that, it would make sense for such an individual to be already on an Enterprise plan if they do expect it to likely happen and for which many do not.
I think it depends on what you're using the free plan for. If you're kickstarting a business and manage to attract a wide audience by getting featured on HN/Reddit/the news, you may want to sacrifice a few thousand dollars for the user growth that all of this traffic provided. Paying enterprise pricing doesn't necessarily make sense if you're normally getting less than a few thousand visits per day. Same goes for all the hip and cool server solutions such as "serverless" cloud functions.
The core product is already enterprise-grade. Netlify's pricing page basically turns into a "contact sales" button when you select "enterprise", probably for businesses that did their math and are trying to get a discount. Everything about their website seems to target medium to large businesses or hopeful startups.
You're assuming Netlify is paying for bandwidth in $/GB, when in reality they're probably paying $/gbps and thus have no costs to cover when a customer temporarily bursts their bandwidth.
It doesn't really matter how Netlify ends up paying for their traffic, at the end of the day, there's a bill to be paid.
In your example, a DDoS sucking down bandwidth would cost more than a DDoS would had it been about total transfer volume. Their servers can only produce a set amount of network traffic at a time and on one single day, this one customer sucked up 5½gbps continuously, based on the 60TB figure provided in the reddit post.
This kind of extremely bursty traffic takes capacity that would otherwise be usable for tens or hundreds of customers, but to meet their guarantees, they must scale out massively to catch these bursts. I think it makes sense that making them dip into their bandwidth reserves should cost more than the average cost of a network transfer.
I don't know the actual costs Netlify has, and I'm sure the support rep saying they can drop this down to 20% or even 5% shows that there's a buffer here, but the 5 grand OP was asked to pay seems to come awful close to what you would pay on other high-reliability providers, such as Amazon. The max fee is probably to push their expensive customers into special deals (or to their competitors), but I find their 5% offer quite reasonable.
> Not to mention the strong conflict of interest for netlify, who stands to gain from their customers being attacked. Netlify is getting paid for something criminal in nature having occurred.
I think you could argue that Netlify is guilty of racketeering in OP's case.
1. They admit illegal activity happened (a DDoS attack).
2. They demand money to be reimbursed for the illegal activity. However, the reimbursement they ask is several hundred times higher than the actual damages incurred.
I looked up the definition of scam and the goal is to make money out of the naivety of the victim. It involves a crisis, the illusion of shared exposure to a risk.
The price of cdn bandwidth is about 0.01/gb on low volume (cloudflare, aws, azure…) so op should be billed around $500 with 40TB. Netlify probably buys this for way less. He was presented a bill at $104k, « generously » reduced to $5k, still a x10 margin. Vercel and Netlify are outrageously expensive for what they do.
I understand the lack of limits but I haven't accounted for DDoS attacks on Netlify infrastructure to impact me. I was assuming this only included real, "organic" traffic.
What I think Netlify needs on their Plans page is to include "DDoS attacks is included in your traffic" as well as their 20%/5% charge system.
> and can see why the lack of limits would make it a bad option for plenty of people
Just out of curiosity, can you see any scenario where it WOULD be a decent option to use a free tier where you may be hit by a $20,000 or $5,000 bill out of the blue and outside of your control? You say "plenty" so I assume you consider this a reasonable system to some?
The most bizarre thing is that this is a known issue that folks have asked them for ways to mitigate, to no avail. The reddit thread even links to an extremely weird dialogue where Netlify's response boils down to, "if you're hosting a small site that gets DDoS'd, don't."
true. I have a 9€/mo vps at Contabo for my blog and once boasted on HN that my small VPS is able to handle reddit/hn hugs which one user seemed to take personally and they started a DDOS against my VPS.
I only realized this after Contabo contacted me and said the traffic is so high that other clients service is also degraded and they will have to take my VPS down if its much longer (which was understandable). Gladly the ddos stopped soon.
But never was there any talk about any cost, they were very supportive
https://www.netlify.com/security/ sez “Active DDoS mitigation — Netlify monitors for traffic pattern anomalies and spikes, and effectively controls for them as needed” and now I'm curious about what that actually means.
It means they protect themselves from layer 3 and 4 DDoS. For layer 7 you're mostly on your own. That's what most companies mean when they talk about DDoS anyway.
“The cool thing is that we also provide a load balancer, and if our system has detected that our main load balancer is currently being hit by a large DDoS attack and is slow or unresponsive, we’ll simply route around that on the DNS level. Since we cache content at our edge nodes around the world, end users also experience extremely fast page load times because of this.”
Right and as a CDN they HAVE to handle layer 3 & 4 DDoS themselves so it's not like they're doing you any favours. The traffic is typically routed to the customer based on SNI.
OT: It seems like your comments are being automatically flagged/killed by HN, you might want to reach out to HN staff. You're the second person in this situation I've come across in the past hour, odd.
I had the intuition that Netlify are extremely incompetent compared to Cloudflare, and this thread adds another data point. So no, if you value uptime you are not going to rely on them.
Or, rather than creating more regulations, people could read the contracts they agree to when they get service, and use a competitor if they don't like it
The problem is that it isn't entirely clear which ones have predictable cost to the non-lawyers eye. I.e. they should have to have sane defaults, like reasonable spending limits and opt-out, by regulation, since the market is failing here.
There is such a thing as an unfair contract. Moreover, there are business practices that can become a local maxima in an industry and squeeze out competition which would actually be a net benefit to most consumers.
Mobile roaming was the same before the EU intervened, and were now going back to the shitshow tjat preceded it in the uk.
Why do we need regulation? "Keep the service up no matter what happens, no matter the cost" is a useful business model for companies that make the mistake of promising too many nines to their customers.
The issue at hand is that people put small websites on hosting providers designed for megacorporation wealth, like Netlify. I highly doubt the average blog needs more than a $10 VPS located in one single country without automatic fallback to another data centre. You can probably even go with a $5 VPS if you don't care about the first wave of HN front page bots not being able to reach your site.
> "Keep the service up no matter what happens, no matter the cost" is a useful business model
I mean, yeah - but that shouldn't be the default and it shouldn't be something that you can't opt out of if it is, which is what sounds like happened with Netlify.
Why would Netlify offer the option to opt out when extreme availability is their core business? I'd argue that people are using the wrong service provider if they need to opt out in the first place.
Same goes for most of the other pay-as-you-go providers that turn HN into billing support every now and then; very rarely do I see "we suddenly got a $20k bill" posts about services that these extreme availability products make sense for.
I'd be in favour of a regulation to allow them to set a spend limit, opt-out.
I'm fine with their pricing structure right now, since you have PLENTY of providers to choose from - people can easily vote with their wallets and there's no problem that needs solving.
However, the unexpected spikes are a problem, and providers seemingly don't provide any way to solve them because they make more money by not solving them. A regulation to require all providers of post-billed services to provide spending limits would make a lot of sense.
Of course, customers should also have the option to opt out of the limit or set a very high limit.
This should apply to any service that's billed by usage calculated afterwards, not just web hosting, and not just technology.
Playing ”devil’s” advocate: tracking spend in real-time is not trivial. It adds complexity to stack. Bugs in the feature can cause sites to go down (for long time) without a reason. Larger online businesses likely rather sort out the problems later than risk shutting down in the middle of unexpected success.
OP is right though, realtime alerting is non-trivial to build. It looks us a lot of work at Vercel to get right. We also offer budgeting options where you can set spend limits now, too.
Oh wow sorry didn't mean to be personally flippant to the VP! Hacker news is wild.
I just had a look at the billing screen and I can see notifications but not budgeting options (on the Pro plan). Ideally I'd like to monitor/configure spend per deployment as some of our sites have big sales which can = big fees. Is this possible?
Not really. AWS has budget alerts right? And I can read those budget alerts through their API.
So it would be trivial for me to poll their budget API for an alert, and immediatly trigger a shutdown of my Cloudfront service. Why can't they do that for me?
It's something. I started looking into the budget alert docs and it does use SNS so it should be easy to have something polling that queue and respond in any way necessary.
I'm imagining an alert to the on-call team, and a soft shutdown until the on-call team can figure out the next step.
If it can save a few thousand dollars, it's worth it. Each business must make their own estimate of course.
To some extent, that answer is fair enough, assuming they make this clear up front. If their service is "we'll keep your site up no matter what, for a price" that's a fine service to offer. It's not what the vast majority of people want, of course.
If their advertising is targeted to small businesses and individuals who could never afford this type of service, they could be guilty of false advertising, at least morally guilty. I haven't seen their marketing so I wouldn't want to say.
I don't fully understand Netlify, but it seems though it tries to be a one-stop solution for everything it doesn't have to be - you could put free Cloudflare in front of it and probably mitigate this kind of thing?
There's no way in hell anyone should ever under any circumstance use a free service that might, for reasons entirely outside your control, suddenly bill you 5k, or 104k... or any non trivial amount really.
Yeah Like wtf is wrong with that? Are people just to lazy to check what the conditions are when exceeding traffic? I'd never ever sign up for anything that just keeps charging...!?
too lazy is a bit uncharitable. These terms tend to be buried 8pt font disclaimer text and esoteric metering matrixes.
meanwhile in size 72 font on the marketing page it says FREE STATIC SITE HOSTING!
that's why this thread is more or less condemning scammy business practices.
[edit] check out this forum explanation from render.com billing:
> Free Tier Services are suspended, no overage charges. Paid Tier Services are unaffected (Free Tier Services can be upgraded to a Paid Tier, this isn’t an overage because you are manually intervening.)
Exceeding allotted Bandwidth does result in automatic overage charges. $30 for additional 100 GB blocks.
Exceeding Pipeline Minutes results in deployments failing and no overage charges by default, you can configure whether you want to allow overage charges for additional blocks of Pipeline Minutes.
I still don't understand, free tiers are suspended so no overage charges, but then how can they exceed bandwidth of which we're liable? x_X
But then where would you run a small hobby project that you'd like to run in the cloud? I have some small stuff I'm running on Google Cloud Platform, and honestly I'm scared of the same thing happening to me because there's no easy way to set a limit. But AWS and Azure have the same policy.
(In my case, I'm looking for somewhere I can easily deploy a set of ~5 Docker containers, they don't need to scale up, and it's a hobby project so I'd like to keep costs as low as possible.)
self-Host with a provider that has clear TOS and not twenty pages of fine print. Something like the good old "if you exceed X TB in a month, you will be limited to 10mbit/s for the rest of that month". As long as you're running a hobby project or even some side project that starts making money but is still beta, this should be good enough. Once business gets serious, you will inevitably have to spend more money, and you might have to look at cloudflare et al if you're actually in a business where ddos happen.
Seriously, if you just want to run docker, maintaining a debian VPS for that is basically enabling unattended-upgrades and doing a dist-upgrade every two years. If you can't be arsed to do that then maybe you deserve the 100k bill...
The big, professional, business cloud providers aren't designed for small hobby projects with expenditure limits.
You should look into going old school and just renting a VPS with any VPS provider that's not AWS/GCP/Azure. I know the big three are super popular, as are all of these "serverless" cloud companies, but very few of them offer the most important service for a small project: shutting down before you owe them a fortune.
Depending on the guarantees you want, Oracle has a free tier with no time limit. It provides 4 ARM cores with something crazy like up to 6GB of RAM for free. You may have a few days if downtime during maintenance, but once you've allocated the resources, you'll eventually get your services back from what I can tell. Best part is, if you only use their free tier, you need to manually upgrade your account to even be able to buy anything extra. Just make sure you have backups in case Oracle pulls an Oracle.
Or you could get a VPS from a budget hoster like Contabo, which isn't free but will fit most hobby projects I know just fine. They may shut you down if they're suffering from a DDoS because of you, but you won't get a $100k bill.
People don't check for every possible thing that can go wrong, otherwise we wouldn't have time to do anything. I remember when I got charged a "cancelling fee" for cancelling my Adobe subscription that accidentally went past its free trial. The situation was so ludicrous that I had never imagined that they would charge something like 6 months worth of subs me to cancel a monthly subscription. In the end I got out of it and paid nothing but I have absolutely hated Adobe ever since.
These things are scams because they prey on the fact that they're the only one shitty enough to do something so shitty and are counting on you not realising just how shitty they are.
Sorry, maybe this is a generational thing? I always look for a catch when something is "free". Your example as old as time, offer a free trial period but if you don't cancel X days before it ends, you automatically subscribe for another week/month/year. This has extended to getting a big discount for your first year after signup and then you pretty much have to cancel and go to a competitor, or wait until a couple days before the contract ends and some sales rep will call you and offer you another discount. It's scummy, it sucks, but it's been s reality for decades and is only getting worse.
With hosting - be it cloud or virtual or real hardware - the problem has always been that bandwidth use is completely outside your control. It was the first thing to check in the early 2000s and still is today, to an even greater extend.
So yes, sorry, as the other reply says, I might come across uncharitable or even condescending, but as tech people developing tech stuff how can one not be at least a little careful when there's a big "free candy" sign slapped onto something?
I definitely think this is a generational thing. Like you, I come from the land of "everything costs something" and treat free with suspicion, but also, we have been conditioning people to expect things to be free, and to bury and distract people from the real cost of those things for quite some time.
Two of the largest video content distribution platforms on the Internet, YouTube and Twitch. Free!* (just watch these ads). Store your data on the cloud with Dropbox, Google Drive, or OneDrive! Free!* (just let us harvest data about what you put in there) Hell, 25 years ago, you want to get on the internet? Use NetZero! Free!* (just look at these popups) And this pattern continues to be pervasive. And the real killer here is that we keep getting things for free*, so people that weren't around during the introduction of these tactics have grown accustom to it as if it's how things should be.
So, I agree, we really have a problem here in messaging and in using misleading psychology to bury dark patterns like the true cost of Free in services we use. We probably should be teaching more folks to beware of the true cost of things, that if it's free, you're the product, not the user, so on and so forth.
You do not understand. Of course I know that if I fail to cancel, then I must keep paying. I had a month's subscription. At worst I expected to pay for one extra month of subscription before I remembered to cancel. I was OK with that perceived risk and understood it.
What I did not expect: to cancel one month of subscription you must pay 6 months of subscription as a cancellation fee. Maybe you expect that, but I have seen that anywhere else and did not expect it.
>So yes, sorry, as the other reply says, I might come across uncharitable or even condescending, but as tech people developing tech stuff how can one not be at least a little careful when there's a big "free candy" sign slapped onto something?
first of all these cloud services are designed especially for that, for autoscaling. Second of all, if these are hobby projects we cannot look every hour the costs etc unlike people who's that their job. So stop calling people lazy and pretend like you are better than others because you are not.
I understand that some businesses might want to take the hit from a cost surge because they get an even higher revenue surge. But a large fraction of sites aren't like that and would prefer a loss of service to a cost overrun. Service providers should always offer a "maximum out-of-pocket cost" service option. Those that don't aren't suitable vendors for most customers and customers should be warned about them.
As I recall, you have to actively sign up for the paid plan (Blaze) to get pay-as-you-go billing. Otherwise, you get free quota, and if it's up, it's up.
I think it also integrates into all of Google Cloud's billing management stuff, but I've never had to bother with that.
Yeah. Elsewhere in these comments there's a link to a support thread[0] where Netlify support essentially says you shouldn't ever need an option to suspend your site at a certain point because:
#1. If you think there's any chance of getting DDoSd, you should already be on a business plan instead of a starter tier.
#2. If you think there's any chance of your site going viral, you're going to want to pay the cost anyway to let all those people visit.
I agree that's ridiculous and that the lack of any option of capping costs would mean I'd never sign up for the service. But that's the official response, for what its worth.
I'd think Hacker News actually comes under #2. If 100,000 people come from Hacker News to look at your hobby site about the Aamber Pegasus, you're supposed to think of how you've improved their lives by letting them read about it.
Use a virtual card with just a small amount of money on it to limit your liability. Won't work if you've entered a contract, but for a lot of these providers, including AWS it works.
This "one crazy trick" does nothing to limit your true liability.
If you go to a restaurant someone at your table orders 5,000 plates of mozzarella sticks, the fact that your credit card only covers $5 doesn't mean you are magically absolved from the rest of the bill.
For $100k, a debt collection firm would be more than happy to get a judgement against you. Credit card or no.
What the hell. Netlify has implemented all these customer-hostile billing changes. Literally the worst. I migrated my company's site off of Netlify when they tried charging for per user on one of my repos (a documentation site). Glad I left them and never looked back.
The test for federal class action lawsuit includes 4 prongs, all of which must be satisfied: numerosity, commonality, typicality, and adequacy. [1]
I would think (as a former lawyer with only passing familiarity with class actions) that 'typicality' would be the key question.
> to determine typicality the courts consider to what extent plaintiffs’ claims are markedly different or are generally the same (for instance arising from the same event or pattern) as those of other class members with respect to the relevant legal theory and factual circumstances of the case. [1]
The defendant would probably claim that each plaintiff's issues are quite unique. However, this prong is apparently not based on the typicality of the specific facts giving rise to the lawsuit, but rather the typicality of the nature of the claim or defense. And it's apparently hard to 'win' (defeat a class action) via this prong. [2]
That makes sense, but is the Netlify subdomain visible from your custom domain? How would they be able to figure it out, other than humans leaking it somehow?
Really uncomfortable with how many services like this are “we scale to your needs” and end up here. I guess capacity planning from oversubscribing bandwidth is its own can of worms but surely that is a bit… less surprise generating.
This and that similar story recently about Vercel makes me feel iffy about these services at this point. I guess I’ll either use Cloudflare pages or simple dedicated machines from Hetzner going forward.
Since the author has gone viral I expect some netlify exec is going to take over and write this bill off to $0. In the words of Kramer “these big companies, they just write it off!”
A moment of silence for the people who got DDoS-ed, didn’t go viral and still had to pay $5k.
The very fact that you expect that making front page of hn will make them cancel that bill means that it will soon be over.
These kind of stories (alongside cancelled accounts) repeat over and over again and will soon become so not newsworthy that they will either not end up in front page, nor people will check on the eventual outcome which means these companies will get away with not moving a finger.
Nah. I think the dev community has long memory. Events like this is damaging for years. Whenever Netlify is mentioned, someone will inevitably point to this thread for a few years.
When I received a message from the bank saying my account was in the red I discovered that AWS had been billing me 1100 / month for 5 months before I even noticed. It was for something I'd set up one night while bored and then forgot about it. They drained my account :( Even had the nerve to say I had to pay for premium support only to get a "lol, pay" response.
If you bend over and pay in such circumstances, you are part of the problem. Twilio tried to pull this crap on me and I simply created another account with an email forwarder and left them holding the bag on the previous account
More reasons why I avoid clouds with outrageous bandwidth fees, and prefer Hetzner's low cost fixed pricing with Cloudflare R2's 0 egress fees.
Even if the DDoS wasn't caught by Cloudflare, the total cost for 192TB bandwidth on Hetzner would be €172. Although even after 10 years on Hetzner I've never paid for any bandwidth, always well within their generous 20TB free bandwidth.
First of all Hetzner would't let your server to be DDOSed for 192TB if it's not your normal usage. They'll likely just null route your IP if serious attack hit.
They also likely drop any charges if you escalate via support in case it was actually DDOS. E.g if you normally have 100GB / month and now you magically have 50TB / day.
I really hate Clouflare and at the same time love them. Love them for their free, generous 500k req./day pages and workers, hate them for not having spending limits (or at least I can't find them). I get that they probably don't care about individuals and small businesses paying them peanuts, and corps can afford to pay extra if something blows up, but for me it just means I will only use a free account, and they get none of my money.
I also take advantage of their free services and only pay for R2 on Cloudflare since it's the best value managed provider I could find.
I prefer to keep my App's stateless and running in Docker containers which means storing all uploaded files and generated assets in R2 managed storage - which is also used for Litestream backups of our SQLite databases.
Blowouts are minimized when using low cost services, e.g. we had a rogue process that ended up causing 1.5M writes to R2, which only ended up costing us $4.50 in that month.
This is the reason I've never used all of these user-facing serverless services. The price depends on the usage, but if anything goes wrong they are the ones to decide what you pay. It's not comfortable thinking that you could screw up, or get DDoS'd, and the remedy is hoping they wave the bill.
A lot of today's managed service solutions turn scaling problems into billing problems. While that's a useful tradeoff for many business use-cases, there should still be a way to set limits so you don't wind up with insane cost overruns.
835 comments
[ 2.4 ms ] story [ 490 ms ] threadused to use s3 for the longest time, but aside from costing a nominal fee, it's so unnecessarily complicated in this day and age.
edit: refreshing that they highlight baked in ddos protection right up front on their marketing site: https://docs.render.com/ddos-protection
https://community.render.com/t/confused-about-the-free-tier/...
> Exceeding allotted Bandwidth does result in automatic overage charges. $30 for additional 100 GB blocks.
So the same shady pracrice as on Netlify.
its like 10 minutes of setup tops to host on s3
Creating an s3 bucket is easy enough. but you need to add the policy Json config to allow public access, and it has various versions across time and space. the one that works for me is like 15 years old iono. object resource "//*" something or other.
ok so now you have an s3-east-mybucket.com/index.html, ok custom domain that's route 53 yet more configuration vooodoo to point an s3 website enabled bucket blah blah.
wait! need SSL? oops actually that's cloudfront. need a cloudfront config voodo to point to an s3 config voodoo to your hopefully correctly configured route 53.
are you kidding me, 10 mins? You're a wizard. Now i do git push origin main and my sites up on render.com
I run my sites [0] on Hugo and copy the generated sites (Makefile) to BunnyCDN with their command line tool.
It's a plain CDN, but does include DNS hosting for easy SSL certificates and has scriptable DNS [1] where you can run Javascript for dynamic DNS.
I went with them b/c they are in the EU, but I've stayed because I love them.
[0] e.g. https://www.amazingcto.com/
[1] https://bunny.net/dns/
Does their ddos protection work differently than Netlify and could Bunny ever pull the same stunt with billing?
I think the main difference to me is
You preload your account:"In order to keep your service online, you are required to keep a positive account credit balance. Our system will automatically send multiple warning emails if your account balance drops beyond a certain point. If you fail to recharge your account, the system will automatically suspend your account"
[0] https://getdeploying.com/reference/data-egress
[1] https://bunny.net/pricing/
"Monthly Bandwidth Limit (GB) - Limits the allowed bandwidth used in a month. If the limit is reached the zone will be disabled. Set to 0 for unlimited."
https://blazingcdn.com/pricing/
I was thinking they never charge for anything unless you explicitly allowed it.
You'll get a call on any of their plans if your bandwidth usage exceeds certain thresholds, I am assuming your median usage is relatively tame.
Disclosure: Cloudflare enterprise customer, no other affiliation. I don't get anything for saying nice things.
[1] https://www.cloudflare.com/plans/
[1] https://workers.cloudflare.com/
- Cloudflare Pages: https://pages.cloudflare.com/
- Cloudflare R2: https://developers.cloudflare.com/r2/
Seriously, maybe I'm just old, but I look at the pricing of these hip and modern SaaS products for dead simple software and I cannot believe my eyes. The "old fashioned way" works just fine (and has always worked just fine) and is orders of magnitude cheaper.
[0] https://coolify.io
How am I protected against extra charges for traffic?
[0] https://en.wikipedia.org/wiki/C10k_problem
Whether that includes your wife or not is up to you ;)
The best of both worlds is to host on AWS EC2 or a similar product from your web service provider of choice.
If it’s been a while since you did any server work: https://www.dannyvankooten.com/blog/2024/static-site-hosting...
If they just reduce to 5% like that, it shows how disconnected this is from their real bandwidth cost. Really does feel like a scam.
In the Netlify case, though, insisting that this person still pay 5% is downright insulting. I’m sure they’re taking a hit already - just waive the whole thing.
I do feel your pain though. Managing AWS costs can be a full time job itself.
For smaller customers, the friendliness of customer support and the flexibility to help them if they make mistakes is much more likely to be a retention consideration. And who knows when a company spending 3 digits a month becomes a customer spending 6 digits a month? You want to be the provider of choice in case the company grows.
Except it doesn't cost them anything. The marginal cost of keeping your single instance running is $0 (unless they were 100% out of capacity and they could have sold that instance to someone else either at full price or spot price)
It's very low cost, especially if its on a VM from a host that otherwise runs other VMs, but it's not 0. And if it happens to be the last VM preventing a hardware server from completely powering off, then it's actually quite far from 0.
Your argument is like saying that a bus traveler costs the gas needed to power the bus, but it's never the case: the bus would be cruising no matter what. And symmetrically the VM host would be up no matter what you did with your instance.
It would be very bad for any cloud provider to leave hosts with only one VM running on it, and you can be pretty sure only very small minority of their park that end up in that situation where shutting down a single VM would lead to a shut-down of the entire host, because it means that the host was vastly under-used in the first place.
At least in AWS, they never supported this, and in fact may require you to reboot an instance occasionally in order for it to be moved to a new hardware host (typically when they are upgrading their hardware).
The way you easily deal with this issue is very simple and does not require moving VMs: you just allocate newly spawned VMs to existing hosts with available room! When you do so (and they obviously all do!) you end up with little unused hardware…
Now you have 19 VMs running, but need to keep all 3 hosts powered. If you don't have live VM moving, you are now forced to keep Host3 running only because 1 VM is running on it, even if that VM is idle. So, this one idle VM is responsible for all the energy consumption of host3, and will continue to be so until at least 3 more VMs get started (since you have room for 2 more VMs on host1).
If you did have live VM migration, or if the idle VM were powered down instead of running idle, you could close host3 completely, moving the VM to host 1, and only re-open host3 if needed for new VMs.
This is equivalent to the problem of memory fragmentation. Even though overall usage is low, if host usage is highly fragmented and you aren't allowed to move used memory around (compacting), you can end up consuming far more than actually needed.
Yes it is similar to memory fragmentation in some way, but your argument is like saying an integer stored on the heap costs a full memory page! You realize that it's nonsense. Sure in extreme edge cases it can, but that's not a good metric to know the memory footprint of an integer!
Being able to move VMs is nice as it allows more host use, but it's doesn't mean hosts end up with single idle VMs often!
[1]: let say 10W, which at $.2 per kWh[2], ends up costing $17.5 for an entire year!
[2]: electricity prices from [here](https://www.eia.gov/electricity/monthly/epm_table_grapher.ph...) $.2 per kWh is slightly above the rates in California and Rhode Island, which is the highest in the US for industrial use.
This is an admission that their UX sucks and makes it hard to know what state your account is in and what you're paying for. They waive the fees because a few high profile cases of people paying thousands due to the AWS console being awful would drive a lot of customers away.
It's a value added service, they don't trade bandwidth as a commodity. Therefore unfair characterisation.
Plus, if you dive deeper: Bandwidth doesn't cost anything because bandwidth is just about pulsing some light in some glass fiber and applying some minuscule voltage on some metal fiber.Okay, maybe it costs some amount of electricity but all this is just a business model for paying on capital expenditure through time share arrangements. People can have all kind of models for this, for example you can come together with others or pay it all by yourself to install the equipment and have free bandwidth for the lifetime of the equipment.
It's all just arrangements to cover the capital investment and earn something on top of it. That's not a scam. A scam would be if they didn't account correctly for the timeshare usage or induce usage to boost payments.
I really don't get your point. If you're a hosting provider, the very thing you're selling is bandwidth (and disk space). Everything else is a value added service.
So even a reduction to 0.2% would habe been possible. Honestly don't understand why anyone feels comfortable overpaying so much. Especially when there is no configurable spending limit.
They should definitely be able to accomodate and account for what should be a very common issue (does).
I know during heavy DDoS attacks they might be too late, but also cache?
You need to manually upgrade.
Unless you need more than the Free-Tier Vercel should be fine.
"Should be fine" is exactly what is not the case here. Better check your Vercel terms again.
From every Vercel document that I can read though is that when you exceed the limits of free tier they are just locked for 30 days unless you upgrade to Pro.
So unless I am mistaken this cannot happen on Vercel.
https://github.com/netlify/cli/issues/739
They removed this call in the meantime [0].
[0] https://github.com/netlify/cli/pull/740/files
Are they also transparent about the fact that they
1. Won't do anything about a DDoS, and
2. In case there's a DDoS (or some other unusual traffic spike), you'll only get notified waaaaay after the fact when you get the $100K bill, instead of getting a timely alert that would allow you to shut your site down to prevent getting extreme charges?
No and no.
It's a scam.
they could ask the user for their budget when they are setting up their account as a basic guardrail, or they could give you a call
Not too mention: if the primary purpose of these services is to allow a DDoS and then charge the user for it — then, yup, you're guessing it right: it's a scam.
When their business model makes DDoS attacks profitable for them... They're not in the hosting business, they're in DDoS/extortion business.
Upon review, it does not look like this is the case. I have several very low traffic projects on which would have never been anywhere close to the free limit. However, if I get involved in a random spam attack, it seems I could be on the hook for several thousand dollars.
This is incredibly dangerous. Netlify is often used as a beginner friendly free tier for static hosting. Not as something that is cheap, but as something that is free. This is just an overall dangerous position to put people in.
Who controls the DDOS bots? Are they truly a separate entity? There is no direct evidence to link them together, but you would think that an honest company would be more proactive in preventing problems like this for their customers.
According to the linked reddit story, this is a known issue with Netlify and their response to past incidents is basically to pound sand. It all adds up to them purposefully trying to find ways to generate a high bill for their customers and hoping a small amount will pay for it.
Not to mention the strong conflict of interest for netlify, who stands to gain from their customers being attacked. Netlify is getting paid for something criminal in nature having occurred.
It's like who is responsible for credit card fraud? If customers are responsible for credit card fraud, and it's their responsibility not to get scammed, then who implements fraud prevention measures and what effect would that have on the volume of fraud?
I don't really get why people put their tiny static sites on hosts designed to never fall over no matter the traffic generated, no matter the situation. You're running a blog, not a government service. You don't need AWS or Netlify.
The ability to withstand almost any DDoS attack for a high price is a valuable service. It's not a scam. The people who get these huge bills just picked a hosting service that doesn't fit their requirements. I can promise you that the $3 shared hosting providers won't charge you $5k, five minutes after the DDoS starts your site just goes down.
Budget hosters will either cut you off completely (shut down your VPS) or throttle your network. For instance, Contabo doesn't charge extra, but it does reduce your network speed to 100mbps if you're exceeding an average connection speed of 100mbps over a timespan of 10 days. Leaseweb offers you the choice to power down a VPS when exceeding the bandwidth cap (though this is disabled by default).
If you need more bandwidth, Hetzner is popular, and charges around €1 per TB of bandwidth if you exceed their free bandwidth (+VAT, the $104k bill would be €40 under Hetzner, as 20TB is included for free) and provides configurable automated traffic email notifications before you hit that. Personally, I would add a warning after the very first terabyte, because I don't know what personal project even uses that much bandwidth.
Their dedicated servers don't seem to have a bandwidth limit, though there seems to be a fair use policy (there's this thread: https://lowendtalk.com/discussion/180504/hetzner-traffic-use... where a user complains about Hetzner threatening to end the contract after exceeding 250TB of traffic).
Many VPS providers and shared hosters won't send you these huge bills, but you should always read up on their policies when renting servers of any kind. These hosters don't come with free tiers (which I assume is the reason people consider services like Netlify in the first place) but they will usually tell you how they deal with bandwidth issues in their FAQs.
The core product is already enterprise-grade. Netlify's pricing page basically turns into a "contact sales" button when you select "enterprise", probably for businesses that did their math and are trying to get a discount. Everything about their website seems to target medium to large businesses or hopeful startups.
You're assuming Netlify is paying for bandwidth in $/GB, when in reality they're probably paying $/gbps and thus have no costs to cover when a customer temporarily bursts their bandwidth.
In your example, a DDoS sucking down bandwidth would cost more than a DDoS would had it been about total transfer volume. Their servers can only produce a set amount of network traffic at a time and on one single day, this one customer sucked up 5½gbps continuously, based on the 60TB figure provided in the reddit post.
This kind of extremely bursty traffic takes capacity that would otherwise be usable for tens or hundreds of customers, but to meet their guarantees, they must scale out massively to catch these bursts. I think it makes sense that making them dip into their bandwidth reserves should cost more than the average cost of a network transfer.
I don't know the actual costs Netlify has, and I'm sure the support rep saying they can drop this down to 20% or even 5% shows that there's a buffer here, but the 5 grand OP was asked to pay seems to come awful close to what you would pay on other high-reliability providers, such as Amazon. The max fee is probably to push their expensive customers into special deals (or to their competitors), but I find their 5% offer quite reasonable.
There's also the question of whether Netlify is even accurately tracking this bandwidth...
I think you could argue that Netlify is guilty of racketeering in OP's case.
1. They admit illegal activity happened (a DDoS attack).
2. They demand money to be reimbursed for the illegal activity. However, the reimbursement they ask is several hundred times higher than the actual damages incurred.
The price of cdn bandwidth is about 0.01/gb on low volume (cloudflare, aws, azure…) so op should be billed around $500 with 40TB. Netlify probably buys this for way less. He was presented a bill at $104k, « generously » reduced to $5k, still a x10 margin. Vercel and Netlify are outrageously expensive for what they do.
> they probably should have a giant warning page for new users who don't know that this is how this kind of service works
Pick one
What I think Netlify needs on their Plans page is to include "DDoS attacks is included in your traffic" as well as their 20%/5% charge system.
> and can see why the lack of limits would make it a bad option for plenty of people
Just out of curiosity, can you see any scenario where it WOULD be a decent option to use a free tier where you may be hit by a $20,000 or $5,000 bill out of the blue and outside of your control? You say "plenty" so I assume you consider this a reasonable system to some?
https://answers.netlify.com/t/limit-bandwidth-to-avoid-high-...
I only realized this after Contabo contacted me and said the traffic is so high that other clients service is also degraded and they will have to take my VPS down if its much longer (which was understandable). Gladly the ddos stopped soon.
But never was there any talk about any cost, they were very supportive
But hey - just think about how much you saved on Netlify! Composable!
“The cool thing is that we also provide a load balancer, and if our system has detected that our main load balancer is currently being hit by a large DDoS attack and is slow or unresponsive, we’ll simply route around that on the DNS level. Since we cache content at our edge nodes around the world, end users also experience extremely fast page load times because of this.”
1. Comfortable paying >$100,000 to prevent their site going down for a single day, and
2. Doesn't pay a dime for their hosting service on a day-to-day basis
I don't understand why they won't just raise a 503 if the traffic exceeds the spend limit, or at the very least provide that as an option.
Autoscaling is a feature!
The issue at hand is that people put small websites on hosting providers designed for megacorporation wealth, like Netlify. I highly doubt the average blog needs more than a $10 VPS located in one single country without automatic fallback to another data centre. You can probably even go with a $5 VPS if you don't care about the first wave of HN front page bots not being able to reach your site.
I mean, yeah - but that shouldn't be the default and it shouldn't be something that you can't opt out of if it is, which is what sounds like happened with Netlify.
Same goes for most of the other pay-as-you-go providers that turn HN into billing support every now and then; very rarely do I see "we suddenly got a $20k bill" posts about services that these extreme availability products make sense for.
You wouldn't believe the amount of times I've said this and the response was "but it costs me nothing right now"...
Adding more regulation makes the system slower.
I'm fine with their pricing structure right now, since you have PLENTY of providers to choose from - people can easily vote with their wallets and there's no problem that needs solving.
However, the unexpected spikes are a problem, and providers seemingly don't provide any way to solve them because they make more money by not solving them. A regulation to require all providers of post-billed services to provide spending limits would make a lot of sense.
Of course, customers should also have the option to opt out of the limit or set a very high limit.
This should apply to any service that's billed by usage calculated afterwards, not just web hosting, and not just technology.
(But I also would like to see this feature)
I just had a look at the billing screen and I can see notifications but not budgeting options (on the Pro plan). Ideally I'd like to monitor/configure spend per deployment as some of our sites have big sales which can = big fees. Is this possible?
So it would be trivial for me to poll their budget API for an alert, and immediatly trigger a shutdown of my Cloudfront service. Why can't they do that for me?
Something based on this could be definitely better than nothing, but might also give false impression of safety.
[1] https://docs.aws.amazon.com/cost-management/latest/userguide...
I'm imagining an alert to the on-call team, and a soft shutdown until the on-call team can figure out the next step.
If it can save a few thousand dollars, it's worth it. Each business must make their own estimate of course.
Nope. Not in real time, they don't.
You can significantly overspend before the warning comes in.
I've dealt with Netlify's support [1], and one of their CS heads was incredibly rude to me and blamed me for the problem they created.
[1] https://news.ycombinator.com/item?id=35610956
If their advertising is targeted to small businesses and individuals who could never afford this type of service, they could be guilty of false advertising, at least morally guilty. I haven't seen their marketing so I wouldn't want to say.
https://docs.netlify.com/domains-https/custom-domains/config...
Just suspend service on excessive overages...
meanwhile in size 72 font on the marketing page it says FREE STATIC SITE HOSTING!
that's why this thread is more or less condemning scammy business practices.
[edit] check out this forum explanation from render.com billing:
> Free Tier Services are suspended, no overage charges. Paid Tier Services are unaffected (Free Tier Services can be upgraded to a Paid Tier, this isn’t an overage because you are manually intervening.) Exceeding allotted Bandwidth does result in automatic overage charges. $30 for additional 100 GB blocks. Exceeding Pipeline Minutes results in deployments failing and no overage charges by default, you can configure whether you want to allow overage charges for additional blocks of Pipeline Minutes.
I still don't understand, free tiers are suspended so no overage charges, but then how can they exceed bandwidth of which we're liable? x_X
(In my case, I'm looking for somewhere I can easily deploy a set of ~5 Docker containers, they don't need to scale up, and it's a hobby project so I'd like to keep costs as low as possible.)
Seriously, if you just want to run docker, maintaining a debian VPS for that is basically enabling unattended-upgrades and doing a dist-upgrade every two years. If you can't be arsed to do that then maybe you deserve the 100k bill...
You should look into going old school and just renting a VPS with any VPS provider that's not AWS/GCP/Azure. I know the big three are super popular, as are all of these "serverless" cloud companies, but very few of them offer the most important service for a small project: shutting down before you owe them a fortune.
Depending on the guarantees you want, Oracle has a free tier with no time limit. It provides 4 ARM cores with something crazy like up to 6GB of RAM for free. You may have a few days if downtime during maintenance, but once you've allocated the resources, you'll eventually get your services back from what I can tell. Best part is, if you only use their free tier, you need to manually upgrade your account to even be able to buy anything extra. Just make sure you have backups in case Oracle pulls an Oracle.
Or you could get a VPS from a budget hoster like Contabo, which isn't free but will fit most hobby projects I know just fine. They may shut you down if they're suffering from a DDoS because of you, but you won't get a $100k bill.
These things are scams because they prey on the fact that they're the only one shitty enough to do something so shitty and are counting on you not realising just how shitty they are.
With hosting - be it cloud or virtual or real hardware - the problem has always been that bandwidth use is completely outside your control. It was the first thing to check in the early 2000s and still is today, to an even greater extend.
So yes, sorry, as the other reply says, I might come across uncharitable or even condescending, but as tech people developing tech stuff how can one not be at least a little careful when there's a big "free candy" sign slapped onto something?
Two of the largest video content distribution platforms on the Internet, YouTube and Twitch. Free!* (just watch these ads). Store your data on the cloud with Dropbox, Google Drive, or OneDrive! Free!* (just let us harvest data about what you put in there) Hell, 25 years ago, you want to get on the internet? Use NetZero! Free!* (just look at these popups) And this pattern continues to be pervasive. And the real killer here is that we keep getting things for free*, so people that weren't around during the introduction of these tactics have grown accustom to it as if it's how things should be.
So, I agree, we really have a problem here in messaging and in using misleading psychology to bury dark patterns like the true cost of Free in services we use. We probably should be teaching more folks to beware of the true cost of things, that if it's free, you're the product, not the user, so on and so forth.
What I did not expect: to cancel one month of subscription you must pay 6 months of subscription as a cancellation fee. Maybe you expect that, but I have seen that anywhere else and did not expect it.
>So yes, sorry, as the other reply says, I might come across uncharitable or even condescending, but as tech people developing tech stuff how can one not be at least a little careful when there's a big "free candy" sign slapped onto something?
It wasn't free candy in my case, I was paying.
As I recall, you have to actively sign up for the paid plan (Blaze) to get pay-as-you-go billing. Otherwise, you get free quota, and if it's up, it's up.
I think it also integrates into all of Google Cloud's billing management stuff, but I've never had to bother with that.
#1. If you think there's any chance of getting DDoSd, you should already be on a business plan instead of a starter tier.
#2. If you think there's any chance of your site going viral, you're going to want to pay the cost anyway to let all those people visit.
I agree that's ridiculous and that the lack of any option of capping costs would mean I'd never sign up for the service. But that's the official response, for what its worth.
[0] https://answers.netlify.com/t/limit-bandwidth-to-avoid-high-...
If you go to a restaurant someone at your table orders 5,000 plates of mozzarella sticks, the fact that your credit card only covers $5 doesn't mean you are magically absolved from the rest of the bill.
For $100k, a debt collection firm would be more than happy to get a judgement against you. Credit card or no.
Like all of the big clouds with free tiers and nuke it from orbit level footguns lying about everywhere?
At first I thought it might've been https://hanhngiox.net/ , but that one appears to have simply expired.
I would think (as a former lawyer with only passing familiarity with class actions) that 'typicality' would be the key question.
> to determine typicality the courts consider to what extent plaintiffs’ claims are markedly different or are generally the same (for instance arising from the same event or pattern) as those of other class members with respect to the relevant legal theory and factual circumstances of the case. [1]
The defendant would probably claim that each plaintiff's issues are quite unique. However, this prong is apparently not based on the typicality of the specific facts giving rise to the lawsuit, but rather the typicality of the nature of the claim or defense. And it's apparently hard to 'win' (defeat a class action) via this prong. [2]
1: https://www.bonalaw.com/insights/legal-resources/what-are-th...
2: https://california-business-lawyer-corporate-lawyer.com/clas...
If anyone figures out what your Netlify subdomain is, it's my understanding that they can DDoS you and there's nothing you can do about it.
It's a design limitation of Netlify that might cost you $100,000 some day.
A moment of silence for the people who got DDoS-ed, didn’t go viral and still had to pay $5k.
These kind of stories (alongside cancelled accounts) repeat over and over again and will soon become so not newsworthy that they will either not end up in front page, nor people will check on the eventual outcome which means these companies will get away with not moving a finger.
When I received a message from the bank saying my account was in the red I discovered that AWS had been billing me 1100 / month for 5 months before I even noticed. It was for something I'd set up one night while bored and then forgot about it. They drained my account :( Even had the nerve to say I had to pay for premium support only to get a "lol, pay" response.
Even if the DDoS wasn't caught by Cloudflare, the total cost for 192TB bandwidth on Hetzner would be €172. Although even after 10 years on Hetzner I've never paid for any bandwidth, always well within their generous 20TB free bandwidth.
They also likely drop any charges if you escalate via support in case it was actually DDOS. E.g if you normally have 100GB / month and now you magically have 50TB / day.
What Netlify does is a scam.
I prefer to keep my App's stateless and running in Docker containers which means storing all uploaded files and generated assets in R2 managed storage - which is also used for Litestream backups of our SQLite databases.
Blowouts are minimized when using low cost services, e.g. we had a rogue process that ended up causing 1.5M writes to R2, which only ended up costing us $4.50 in that month.
Additionally, they own ( or co-own) their DC, while Netlify and Vercel doesn't. So they can fix any billing issues at their end.