We've [1] been using Hetzner's dedicated servers to provide Kubernetes clusters to our clients for a few years now. The performance is certainly excellent, we typically see request times half. And because the hardware is cheaper we can provide dedicated DevOps engineering time to each client. There are some caveats though:<p>1) A staging cluster for testing updates is really a must. YOLO-ing prod updates on a Sunday is no one's idea of fun.<p>2) Application level replication is king, followed by block-level replication (we use OpenEBS/Mayastor). After going through all the Postgres operators we found StackGres to (currently) be the best.<p>3) The Ansible playbooks are your assets. Once you have them down and well-commented for a given service then re-deploying that service in other cases (or again in the future) becomes straightforward.<p>4) If you can I'd recommend a dedicated 10G network to connect your servers. 1G just isn't quite enough when it comes to the combined load of prod traffic, plus image pulls, plus inter-service traffic. This also gives a 10x latency improvement over AWS intra-az.<p>5) If you want network redundancy you can create a 1G vSwitch (VLAN) on the 1G ports for internal use. Give each server a loopback IP, then use BGP to distribute routes (bird).<p>6) MinIO clusters (via the operator) are not that tricky to operate as long as you follow the well trodden path. This provides you with local high-bandwidth, low-latency object storage.<p>7) The initial investment to do this does take time. I'd put it at 2-4 months of undistracted skilled engineering time.<p>8) You can still push ancillary/annoying tasks off onto cloud providers (personally I'm a fan of CloudFlare for HTTP load balancing).<p>[1]: <a href="https://lithus.eu" rel="nofollow">https://lithus.eu</a>
> dedicated 10G network to connect your servers<p>Do you have to ask Hetzner nicely for this? They have a publicly documented 10G uplink option, but that is for external networking and IMHO heavily limited (20TB limit). For internal cluster IO 20TB could easily become a problem
It is under their costing for 'additional hardware'[1]. You need to factor in the switch, uplink for each server, and the NIC for each server.<p>[1]: <a href="https://docs.hetzner.com/robot/general/pricing/price-list-for-additional-products/" rel="nofollow">https://docs.hetzner.com/robot/general/pricing/price-list-fo...</a>
Hetzner does not charge for internal bandwidth.
> 5) If you want network redundancy you can create a 1G vSwitch (VLAN) on the 1G ports for internal use. Give each server a loopback IP, then use BGP to distribute routes (bird).<p>Are you willing to share example config for that part?
> I'd put it at 2-4 months of undistracted skilled engineering time.<p>How much is that worth to your company/customer vs a higher monthly bill for the next 5 years?<p>As a consultancy company, you want to sell that. As a customer, I don't see how that's worth it at all, unless I expect a 10k/month AWS bill.<p>xkcd comes to mind: <a href="https://xkcd.com/1319/" rel="nofollow">https://xkcd.com/1319/</a>
> As a consultancy company, you want to sell that. As a customer, I don't see how that's worth it at all.<p>Well I do rather agree, but as a consultancy I'm biased.<p>But let's do some math. Say it's 4 months (because who has uninterrupted time), a senior rate of $1000/day. 20 days a month, so 80 days, is an $80k outlay. That's assuming you can get the skills (because AWS et al like to hire these kinds of engineers).<p>Say one wants a 3 year payback, that is $2,200/month savings you need. Which seems highly achievable given some of the cloud spends I've seen, and that I think an 80-90% reduction in cloud spend is a good ballpark.<p>The appeal of a consultancy is that we'll remove the up-front investment, provide the skills, de-risk the whole endeavour, even put engineers within your team, but you'll _only_ save 50%.<p>The latter option is much more appealing in terms of hiring, risk, and cash-flow. But if your company has the skills, the cash, and the risk tolerance then maybe the former approach is best.<p>EDIT: I actually think the(/our) consultancy option is a really good idea for startups. Their infrastructure ends up being slightly over-built to start with, but very quickly they end up saving a lot of money, and they also get DevOps staffing without having to hire for it. Moreover, the DevOps resource available to them scales with their compute needs. (also we offer 2x the amount of DevOps days for startups for the first year to help them get up and running).
this assumes there are no devops/consulting cost to setup something with AWS. My experience is that "the aws way of doing XYZ" is almost as complicated as doing it the non-AWS-way.
On top of that: the non-AWS-way is much more portable across hosting providers, so you decrease your business risks considerably.
I wholeheartedly agree, I'm trying to be generous as I know I have a bias here.<p>I think the AWS way made clear sense in the days before the current generation of tooling existed, when we were SSH-ing into our snowflake servers (for example). But now we have tools like Kubernetes/Nomad/OpenShift/etc/etc, the logic just doesn't seem to add up any more.<p>The main argument against it is generally of the form, "Yes, but we don't want to hire for non-cloud/bare-metal". Which is why I think a consultancy provides a good middle ground here – trading off cost savings against business factors.
Can you recommend any resources on how to approach the topic for a startup? Most startups have very similar needs, but every single "batteries included" solution that I've encountered so far explicitly excluded infrastructure and DevOps – either because it's out of scope for the creators, or because that's what they monetize (e.g. supabase).
I have experience running Kubernetes clusters on Hetzner dedicated servers, as well as working with a range of fully or highly managed services like Aurora, S3, and ECS Fargate.<p>From my experience, the cloud bill on Hetzner can sometimes be as low as 20% of an equivalent AWS bill. However, this cost advantage comes with significant trade-offs.<p>On Kubernetes with Hetzner, we managed a Ceph cluster using NVMe storage, MariaDB operators, Cilium for networking, and ArgoCD for deploying Helm charts. We had to handle Kubernetes cluster updates ourselves, which included facing a complete cluster failure at one point. We also encountered various bugs in both Kubernetes and Ceph, many of which were documented in GitHub issues and Ceph trackers. The list of tasks to manage and monitor was endless. Depending on the number of workloads and the overall complexity of the environment, maintaining such a setup can quickly become a full-time job for a DevOps team.<p>In contrast, using AWS or other major cloud providers allows for a more hands-off setup. With managed services, maintenance often requires significantly less effort, reducing the operational burden on your team.<p>In essence, with AWS, your DevOps workload is reduced by a significant factor, while on Hetzner, your cloud bill is significantly lower.<p>Determining which option is more cost-effective requires a thorough TCO (Total Cost of Ownership) analysis. While Hetzner may seem cheaper upfront, the additional hours required for DevOps work can offset those savings.
This is definitely some ChatGPT output being posted here and your post history also has a lot of this "While X, Y also does Z. Y already overlaps with X" output.<p>I'd like to see your breakdowns as well, given that the cost difference between a 2 vCPU, 4GB configuration (as an example) and a similar configuration on AWS is priced much higher.<p>There's also <a href="https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner">https://github.com/kube-hetzner/terraform-hcloud-kube-hetzne...</a> to reduce the operational burden that you speak of.
It is my ouput, but I use ChatGPT to fix my spelling and grammar. Maybe my prompt for that should be refined in order to not alter the wording too much.
While using ChatGPT for enhancing your writings is not wrong by any means, reviewing the generated output and re-editing when necessary is essential to avoid <i>robotic</i> writing style that may smell unhuman. For instance, these successive paragraphs: "In contrast, using AWS.." and "In essence, with AWS.." leaves a bad taste in your brain when read consecutively.
> I use ChatGPT to fix my spelling and grammar<p>I have a better suggestion, which will save time, energy, money, and human work.<p>Don't.<p>Write it yourself. If you can't, don't post.
While I agree that your characterisation is true for a lot of chatgpt output, it can also be true for a human explaining their nuanced point of view.
I've never operated a kubernetes cluster except for a toy dev cluster for reproducing support issues.<p>One day it broke because of something to do with certificates (not that it was easy to determine the underlying problem). There was plenty of information online about which incantations were necessary to get it working again, but instead I nuked it from orbit and rebuilt the cluster. From then on I did this every few weeks.<p>A real kubernetes operator would have tooling in place to automatically upgrade certs and who knows what else. I imagine a company would have to pay such an operator.
This.<p>I run BareMetalSavings.com[0], a toy for ballpark-estimating bare-metal/cloud savings, and the companies that have it hardest to move away from the cloud are those who are highly dependent on Kubernetes.<p>It's great for the devs but I wouldn't want to operate a cluster.<p>[0]: <a href="https://www.BareMetalSavings.com" rel="nofollow">https://www.BareMetalSavings.com</a>
That's just not how it works on any scale other than "toy"
Ceph is a bastard to run. Its expensive, slow and just not really ready. Yes I know people use it, but compared to a fully grown up system (ie lustre[don't its raid 0 in prod] or GPFS [great but expensive]) its just a massive time sync.<p>You are much better off having a bunch of smaller file systems exported over NFS make sure that you have block level replication. Single address space filesystems are ok and convenient, but most of the time are not worth the cost of admin to get <i>reliable</i> at scale. like a DB shard your filesystems, especially as you can easily add mapping logic to kubernetes to make sure you get the right storage to the right image.
I agree that it is hideously complicated (to anyone saying “just use Rook,” I’ll counter that if you haven’t read through Ceph’s docs in full, you’re deluding yourself that you know how to run it), but given that CERN uses it at massive scale, I think it’s definitely prod-ready.
I mostly agree, but it surprises me that people don't often consider a solution right in the center, such as openshift. Have a much, much less burden for devops and have all the power and flexibility of running on bare metal. It's a great hybrid between a fully managed and expensive service versus a complete build your own. It's expensive enough. Todd, for startups it is not likely a good option, but if you have a cluster with at least 72 GB of RAM or 36 CPUs going (about 9 mid size nodes), you should definitely consider something like openshift.
Manually updating k8s clusters is a huge tradeoff. I can’t imagine doing that to save a couple bucks unless I was desperate
I dunno, I've had to spend like two or three hours each month on updating mine for its entire lifetime (of over 5 years now), and that includes losing entire nodes to hardware failure and spinning up new ones.<p>Originally it was ansible, and so spinning up a new node or updating all nodes was editing one file (k8s version and ssh node list), and then running one ansible command.<p>Now I'm using nixos, so updating is just bumping the version number, a hash, and typing "colmena apply".<p>Even migrating the k8s cluster from ansible to nixos was quite easy, I just swapped one node at a time and it all worked.<p>People are so afraid of just like learning basic linux sysadmin operations, and yet it also makes it way easier to understand and debug the system too, so it pays off.<p>I had to help someone else with their EKS cluster, and in the end debugging the weird EKS AMI was a nightmare and required spending more time than all the time I've had to spend on my own cluster over the last year combined.<p>From my perspective, using EKS both costs more money, gives you a worse K8s (you can't use beta features, their ami sucks), and also pushes you to have a worse understanding of the system so that you can't understand bugs as easily and when it breaks it's worse.
if the "couple of bucks" ends up being the cost of an entire team, then hire a small team to do it.<p>Then get mad at them because they don't "produce value", and fold it into a developers job with an even higher level of abstraction again. This is what we always do.
> Determining which option is more cost-effective requires a thorough TCO (Total Cost of Ownership) analysis. While Hetzner may seem cheaper upfront, the additional hours required for DevOps work can offset those savings.<p>Sure, but the TLDR is going to be that if you employ n or more sysadmins, the cost savings will dominate. With 2 < n < 7. So for a given company size, Hetzner will start being cheaper at some point, and it will become more extreme the bigger you go.<p>Second if you have a "big" cost, whatever it is, bandwidth, disk space (essentially anything but compute), cost savings will dominate faster.
Not always. Employing Sysadmins doesn't mean Hetzner is cheaper because those "Sysadmin/Ops type people" are being hired to managed the Kubernetes cluster. And Ops type people who truly know Kubernetes are not cheap.<p>Sure, you can get away with legoing some K3S stuff together for a while but one major outage later, and that cost saving might have entirely disappeared.
Even a short outage can completely wipe out any savings.
Yep. That's why we are building a managed service that runs on Hetzner, for lower costs, but still offers all the comforts of a managed service. <a href="https://cloud.gigahatch.ch/" rel="nofollow">https://cloud.gigahatch.ch/</a>
Obviously it's still in beta and not finished yet, so I wouldn't run my whole production on it, but it's very convenient for things like build agents.
Is it just me or do the last 3 paragraphs feel like ChatGPT output?
I used GPT4o to fix all my spelling and grammar mistakes, maybe it went a little too far, but this is 100% my comment
Isn't the point of ChatGPT to mimic sentences written by humans?
Kind of. But which humans? It's a bit like how the average person doesn't exist, except in the LLM world, now it does.
GPT-4 is, but ChatGPT is fine-tuned to emit sentences that get rated well (by humans, and by raters trained to mimic human evaluation) in a conversational agent context.
Yeah, I was wondering the same thing.
Been a happy Hetzner customer for over a decade, previously using their dedicated servers in their German DC's before migrating to their Cloud US VMs for better latency with the US. Slightly disappointed with their recent cuts of their generous 20TB free traffic down to 3TB (€1.19 per additional TB), but they still look to be a lot better value than all other US cloud providers we've evaluated.<p>Whilst I wouldn't run Kubernetes by choice, we've had success moving our custom SSH / Docker compose deployments over to use GitHub Actions with kamal-deploy.org, easy to setup and nice UX tools for monitoring remote deployed apps [1]<p>[1] <a href="https://servicestack.net/posts/kamal-deployments" rel="nofollow">https://servicestack.net/posts/kamal-deployments</a>
Seems to be a US thing, maybe their peering partners are forcing them to raise prices, the German DC still stells the 20TB bandwidth <a href="https://www.hetzner.com/cloud/" rel="nofollow">https://www.hetzner.com/cloud/</a>, but US is an order of magnitude less for the same price :/
This is an interesting writeup, but I feel like it's missing a description of the cluster and the workload that's running on it.<p>How many nodes are there, how much traffic does it receive, what are the uptime and latency requirements?<p>And what's the absolute cost savings? Saving 75% of $100K/mo is very different from saving 75% of $100/mo.
In my experience noone bothers unless they are using GPUs or they are already at 100k/mo.<p>I do think 100k/mo is the tipping point actually, that is $1.2M/yr.<p>It costs around $400k/yr in engineering salaries to reasonably support a sophisticated bare metal deployment (though such people can generally do that AND provide a lot of value elsewhere in the business, so really it's actual cost is lower than this) and about $100k/yr in DC commitments, HW amortisation, and BW roughly. So you save around $700k a year which is great but the benefit becomes much greater when your equiv cloud spend is even bigger than that.
When I worked in web hosting (more than 10 years ago), we would constantly be blackholeing Hetzner IPs due to bad behavior. Same with every other budget/cheap vm provider. For us, it had nothing to do with geo databases, just behavior.<p>You get what you pay for, and all that.
It's always evolving, but these days the most common platforms attacking sites that I host are the big cloud providers, especially Azure. But AWS, Google, Digital Ocean, Linode, Contabo, etc all host a lot of attacks trying to brute-force logins and search for common exploits.
Yep I had the same problem years ago when I tried to use Mailgun's free tier. Not picking on them, I loved the features of their product but the free tier IPs had a horrble reputation and mail just would not get accepted especially by hotmail or yahoo.<p>Any free hosting service will be overwhelmed by spammers and fraudsters. Cheap services the same but less so, and the more expensive they are the less they will be used for scams and spams.
I had to try multiple floating IPs on hcloud before I got one that wasn't blacklisted on the k8s repos.
AWS tries hard to keep its public IPs from getting on banlists.
depending on the prices, maybe a valid strategy would be to have servers at hetzner and then tunnel ingress/egress somewhere more prominent. Maybe adding the network traffic to the calculation still makes financial sense?
They could put the backend on Hetzner, if it makes sense (for example queues or batch processors).
> Hetzner volumes are, in my experience, too slow for a production database. While you may in the past have had a good experience running customer-facing databases on AWS EBS, with Hetzner's volumes we were seeing >50ms of IOWAIT with very low IOPS. See <a href="https://github.com/rook/rook/issues/14999">https://github.com/rook/rook/issues/14999</a> for benchmarks.<p>I set up rook ceph on a talos k8s cluster (with vm volumes) and experienced similar low performance; however, I always thought that was because of the 1Gi vSwitch (i.e. networking problem)?! The SSD volumes were quite fast.
SSD volumes are physically on the same node, and afaik not redundant. The cloud vms are ceph clusters behind the scenes, and writes need to commit for 3+ machines. It's both network latency and inherent process latency<p>Additionally, hetzner has an IOPS limit of 5000 and write limit of some amount that does not scale with the size of database.<p>50G has the same limits as 5TB.<p>For this reason, people are sometimes using different table spaces in postgres for example.<p>Ceph puts another burden on top of already-ceph-based cloud volumes, btw, so don't do that.
In my limited experience with rook-ceph it is strictly bare metal technology to deploy. On virtualization it will basically replicate your data to VM disks which usually are already replicated, so quite a bit of replication amplification will happen and tank your performance.
I work for a consultancy company that helps companies building and securing infrastructure. We have a lot of customers running Kubernetes at low-cost providers (like Hetzner), more local middle-tier and top-three (AWS, GCP, Azure). We also have some governmental, financial and medical companies that can not or will not run in public clouds, so they usually host on-prem.<p>If Hetzner has an issue or glitch once a month, the middle-tier providers have one every 2-3 months, and a place like AWS maybe every 5-6 months. However, prices also follow that observation, so you have to carefully consider on a case-by-case basis whether adding some extra machines and backup and failure scenarios is a better deal.<p>The major benefit by using basic hosting services is that their pricing is a lot more predictable; you pay for machines and scale as you go. Once you get hooked into all the extra services a provider like AWS provides, you might get some unexpectedly high bills and moving away might be a lot harder. For smaller companies, don't make short-sighted decisions that threaten your ability to survive long-term by choosing the easy solution or "free credits" scheme early on.<p>There is no right answer here, just trade-offs.
Hi Bill, Wow! Thanks for the amazing write-up and for sharing it on your blog and here! I am so happy that we've helped you save so much money and that you're happy with our support team! It's a great way to start off the week! --Katie
As far as I see, no one is mentioning sustainability AKA environmental impact or 'green hosting' here. Don't you care about that?<p>I believe that Hetzner data centers in Europe (Germany, Finland) are powered by green energy, but not the locations in US.
Data centers used 460 TWh, or about 2% of total worldwide electricity use, according to IEA in 2022.<p>In comparison, 30% of total energy (energy! Not electricity) goes to transport!<p>As another point of comparison, transport in Sweden in 2022 used 137 TWh [1]. So the same order of magnitude as total datacenter energy use.<p>And datacenters are powered by electricity which increases the chance that it comes from renewable energy. Conversely,
the chance that diesel comes from a renewable source is zero.<p>So can we please stop talking about data center energy use? It’s a narrative that the media is currently pushing but as so many things it makes no sense. It’s not the thing we should be focusing on if we want to decrease fossil fuel use.<p>[1]: <a href="https://www.energimyndigheten.se/en/energysystem/energy-consumption/" rel="nofollow">https://www.energimyndigheten.se/en/energysystem/energy-cons...</a>
2% of total worldwide electricity use in 2022 is a shit load of electricity and emissions. Your argument is the same as those who argue "our country shouldn't care about emissions when China is the biggest emitter".<p>If you dive into a detailed breakdown of emissions you'll find that it's a complex hierarchy of categories. You can't just fix "all of transport" or treat it like a "low hanging fruit", just look at how much time it's taken for EV penetration to be in any way significant; look at how much of transport emissions are from aviation or shipping or other components.<p>Any energy use that's measurable in whole percentage points of global emissions needs addressing. That includes data centers.
> Your argument is the same as those who argue "our country shouldn't care about emissions when China is the biggest emitter".<p>China and the US are in the same order of magnitude in emissions. So NO that's absolutely not the argument I am making.<p>> Any energy use that's measurable in whole percentage points of global emissions needs addressing<p>But it isn't! That's my point. Electricity use is about 20% of total energy use. So if we talk about global emissions, data center is only about 20% * 2% = 0.4% of total energy use.<p>And then if we talk about total emittance, it's even lower because 40% of electricity is generated from nuclear and renewables.<p>> just look at how much time it's taken for EV penetration to be in any way significant<p>Yes so let's focus on that instead of data centers. Data centers are not the problem!<p>EDIT: Also CPUs and GPUs are still becoming more energy efficient. So I'm a bit skeptical of extrapolations which say that data centers will consume a large percentage of US energy. If the number of CPUs and GPUs doubles each 2 years, but energy efficiency doubles too, then overall energy usage doesn't grow so fast. Especially if old CPUs and GPUs are taken out of the system over time because they become too expensive to operate.
> our country shouldn't care about emissions when China is the biggest emitter<p>To be fair, until China does something about their emissions, the rest of us are just pissing in the ocean.
Eh, per capita China has lower emissions than the US whilst manufacturing and exporting significantly more.<p>Everything is intertwined and tightly coupled, such simple statements are rarely accurate.
China is actively working on reducing their emissions (they're building tons of nuclear and renewables, and have long term plans for both), and a lot of theirs are to manufacture stuff the whole world uses.
Don't shit in your own back yard, no matter what other people like to do.
Thanks for sharing. I care about it. I run a small hosting company. Sure, there are many low hanging fruits for fighting CO2 emissions that should be tackled first. I am also hopeful that energy from directly available renewables will be the most economic choice for building data centers anyhow, so that this is not a matter of believes any more.<p>But on the other side, to bring down CO2 levels, fast change everywhere is required. As far as I see data center energy consumption continues to grow, specifically with AI.<p>If I am not mistaken, data centers produce more CO2 than aviation.<p>And sure, most 'green hosting' is probably 'green washing', yet I would still support and link initiatives such as:
<a href="https://www.thegreenwebfoundation.org/" rel="nofollow">https://www.thegreenwebfoundation.org/</a>
They probably just use the local power grid. You can use ElectricityMaps to look up the average carbon intensity per kWh of those grids<p><a href="https://app.electricitymaps.com/" rel="nofollow">https://app.electricitymaps.com/</a>
You can choose which electricity company provides the amount of power to the grid that you're using. While you don't get "your" electricity, overall you can still affect the carbon balance of the electricity that's produced in your name.<p>Hetzner is using 100% green hydro and wind power for that, which is as sustainable as any grid-connected company can be.
> They probably just use the local power grid<p>A lot of EU datacenter providers specifically pick green electricity providers/sources, and pride themselves on it, and use it in advertising their sustainability.<p>Scaleway in particular are 100% no-CO2 (they have it easy, most of their DCs are in France where it's easy to be fully nuclear+renewable). Hetzner are the same.
> I believe that Hetzner data centers in Europe (Germany, Finland) are powered by green energy, but not the locations in US.<p>Green lignite.
While fans of nuclear energy like to meme about the German power grid, Hetzner is — in so far as anyone with a grid connection can be — powered by 100% green wind and hydro energy.<p>You can see the paperwork here:<p>- <a href="https://cdn.hetzner.com/assets/Uploads/oekostrom-zertifikat-2025.pdf" rel="nofollow">https://cdn.hetzner.com/assets/Uploads/oekostrom-zertifikat-...</a><p>- <a href="https://cdn.hetzner.com/assets/Oomi-sertifikaatti-tuuli+vesi-Hetzner-2024-eng.pdf" rel="nofollow">https://cdn.hetzner.com/assets/Oomi-sertifikaatti-tuuli+vesi...</a>
I haven't used it personally, but <a href="https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner">https://github.com/kube-hetzner/terraform-hcloud-kube-hetzne...</a> looks amazing as a way to setup and manage kubernetes on Hetzner. At the moment I'm on Oracle free tier, but I keep thinking about switching to it to get off... Well Oracle.
I'm running two clusters on it, on for production and one for dev. Works pretty good. With a schedule to reboot machines every sunday for automatic security updates (SuSE Micro OS). Also expanded machines for increased workloads. You have to make sure to inspect every change terraform wants to do, but then you're pretty save.
The only downside is that every node needs a public IP, even though they are behind a firewall. But that is being worked on.
I've used this to set up a cluster to host a dogfooded journalling site.<p>In one evening I had a cluster working.<p>It works pretty well. I had one small problem when the auto-update wouldn't run on arm nodes which stopped the single node I had running at that point (with the control plane taint blocking the update pod running on them).
i recently read an article about running k8s on the oracle free tier and was looking to try it. i'm curious, are there any specific pain points that are making you think of switching?
Nope, just Oracle being a corp with a nasty reputation. Honesty it was easy to set up and has been super stable, and if you go ARM the amount of resources you get for free is crazy. I actually do recommend it for personal projects on the like. I'd just be hesitant about building a business based on any Oracle offering.
I've got a couple of free arm machines setup as a cluster for learning k8 + a few LB in front of it. I use k3s, with pg rather than etcd. Been a great learning experience.
Ive also been using Cluster-API + Cluster-API-Provider-Hetzner<p><a href="https://github.com/syself/cluster-api-provider-hetzner">https://github.com/syself/cluster-api-provider-hetzner</a><p>works rock solid
The key take home point here is not how amazingly cheap Hetzner is, which it is. But how much of an extortion game Google, Amazon, MS, etc. are playing with their cloud services. These are trillion dollar companies because they are raking in cash with extreme margins.<p>Yes, there is some added value in the level of convenience provided. But maybe with a bit more competition, pricing could be more competitive. A lot more competitive.
I loved the article. Insightful, and packed with real world applications. What a gem.<p>I have a side-question pertaining to cost-cutting with Kubernetes. I've been musing over the idea of setting up Kubernetes clusters similar to these ones but mixing on-premises nodes with nodes from the cloud provider. The setup would be something like:<p>- vCPUs for bursty workloads,<p>- bare metal nodes for the performance-oriented workloads required as base-loads,<p>- on-premises nodes for spiky performance-oriented workloads, and dirt-cheap on-demand scaling.<p>What I believe will be the primary unknown is egress costs.<p>Has anyone ever toyed around with the idea?
For dedicated they say this:<p>>All root servers have a dedicated 1 GBit uplink by default and with it unlimited traffic.<p>>Inclusive monthly traffic for servers with 10G uplink is 20TB. There is no bandwidth limitation. We will charge € 1/TB for overusage.<p>So it sounds like it depends. I have used them for (I'm guessing) 20 years and have never had a network problem with them or a surprise charge. Of course I mostly worked in the low double digit terabytes. But have had servers with them that handled millions of requests per day with zero problems.
1 / 8 * 3600 * 24 * 30 = 324000 so that 1GBit/s server could conceivably get 324TB of traffic per month "for free". It obviously won't, but even a tenth of data is more than the data included with the 10G link.
They do have a fair use policy on the 1GBit uplink. I know of one report[1] of someone using over 250TB per month getting an email telling them to reduce their traffic usage.<p>The 10GBit uplink is something you need to explicitly request, and presumably it is more limited because if you go through the trouble of requesting it, you likely intend to saturate it fairly consistently, and that server's traffic usage is much more likely to be an outlier.<p>[1]: <a href="https://lowendtalk.com/discussion/180504/hetzner-traffic-use-notice-unlimited-unlimited" rel="nofollow">https://lowendtalk.com/discussion/180504/hetzner-traffic-use...</a>
20TB egress on AWS runs you almost $2,000 btw. one of the biggest benefits of Hetzner
> We will charge € 1/TB for overusage.<p>It sounds like a good tradeoff. The monthly cost of a small vCPU is equivalent to a few TB of bandwidth.
We've toyed around with this idea for clients that do some data-heavy data-science work. Certainly I could see that running an on-premise Minio cluster could be very useful for providing fast access to data within the office.<p>Of course you could always move the data-science compute workloads to the cluster, but my gut says that bringing the data closer to the people that need it would be the ideal.
> Has anyone ever toyed around with the idea?<p>Sidero Omni have done this: <a href="https://omni.siderolabs.com" rel="nofollow">https://omni.siderolabs.com</a><p>They run a Wireguard network between the nodes so you can have a mix of on-premise and cloud within one cluster. Works really well but unfortunately is a commercial product with a pricing model that is a little inflexible.<p>But at least it shows it's technically possible so maybe open source options exist.
You could make a mesh with something like Netmaker to achieve similar using FOSS. Note I haven’t used Netmaker in years but I was able to achieve this in some of their earlier releases. I found it to be a bit buggy and unstable at the time due to it being such young software but it may have matured enough now that it could work in an enterprise grade setup.<p>The sibling comments recommendation, Nebula, does something similar with a slightly different approach.
> They run a Wireguard network between the nodes so you can have a mix of on-premise and cloud within one cluster.<p>Interesting.<p>A quick search shows that some people already toyed with the idea of rolling out something similar.<p><a href="https://github.com/ivanmorenoj/k8s-wireguard">https://github.com/ivanmorenoj/k8s-wireguard</a>
I believe the Cilium CNI has this functionality built in. Other CNIs may do also.
Slack’s Nebula does something similar, and it is open source.
[flagged]
I'm a bit sad the aggressive comment by the new account was deleted :-(<p>The comment was making fun of the wishful thinking and the realities of networking.<p>It was a funny comment :-(
// Taking another slant at the discussion: Why kubernetes?<p>Thank you for sharing your experience.
I also have my 3 personal servers with Hetzner, plus a couple VM instances in Scaleways (French outfit).<p>Disclaimer: I’m a Googler, was SRE for ~10 years for GMail, identity, social, apps (gsuites nowadays) and more, managed hundreds of jobs in Borg, one of the 3 founders of the current dev+devops internal platform (and I focused on the releases,prod,capacity side of the platform), dabbled in K8s on my personal time. My opinions, not Google’s.<p>So, my question is: given the significant complexity that K8s brings (I don’t think anyone disputes this) why are people using it outside medium-large environments?
There are simpler and yet flexible & effective job schedulers that are way easier to manage. Nomad is an example.<p>Unless you have a LOT of machines to manage, with many jobs (I’d say +250) to manage, K8s complexity, brittleness and overhead are not justifiable, IMO.<p>The emergence of tools like Terraform and the <i>many</i> other management layers in top of K8s that try to make it easier but just introduce more complexity and their own abstractions are in itself a sign of that inherent complexity.<p>I would say that only a few companies in the world need that level of complexity. And then they <i>will</i> need it, for sure.
But, for most is like buying a Formula 1 to commute in a city.<p>One other aspect that I also noticed is that technical teams tend to carry on the mess they had in their previous “legacy” environment and just replicate in K8s, instead of trying to do an architectural design of the whole system needs. And K8s model enables that kind of mess: a “bucket of things”.<p>Those two things combined, mean that nowadays every company has soaring cloud costs, are running things they know nothing about but are afraid to touch in case of breaking something. And an outage is more career harming than a high bill that Finance will deal with it later, so why risk it, right?
A whole new IT area has been coined now to deal with this: FinOps :facepalm:<p>I’m just puzzled by the whole situation, tbh.
I too used to run a large clustered environment (VFX) and now work at a FAANG which has a "borg-like" scheduler.<p>K8s has a whole kit of parts which sound really grand when you are starting out on a new platform, but quickly become a pain when you actually start to implement it. I think thats the biggest problem, is by the time you've realised that actualy you don't need k8s, you've invested so much time into learning the sodding thing, its difficult to back out.<p>The other seductive thing is helm provides "AWS-like" features (ie fancy load balancing rules) that are hard to figure out unless you've dabbled with the underlying tech before (varnish/nginx/etc are daunting, so is storage and networking)<p>this tends to lead to utterly fucking stupid networking systems because unless you know better, that looks normal.
Be careful with Hetzner, they null routed my game server on launch day due to false positives from their abuse system, and then took 3 days for their support team to re-enable traffic.<p>By that point I had already moved to a different provider of course.
Digital Ocean did this to my previous company. They said we’d been the target of a DOS attack (no evidence we could see). They re-enabled the traffic, then did it again the next day, and then again. When we asked them to stop doing that they said we should use Cloudflare to prevent DOS attacks… all the box did was store backups that we transferred over SSH. Nothing that could go behind Cloudflare, no web server running, literally only one port open.
where did you move, asking to keep a list of options for my game servers, i’m using ovh game servers atm
Reading comments from the past few days makes it seem like dealing with Hetzner is a pain (and as far as I can tell, they aren't really that cheaper than the competitors).
> (and as far as I can tell, they aren't really that cheaper than the competitors)<p>Can you say more? Their Cloud instances, for example, are less than half the cost of OVH's, and less than a fifth of the cost of a comparable AWS EC2 instance.
I don't think so. We see the outliers. Those happens at Linode, Digital Ocean, etc also. And yes even at Google Cloud and AWS you sometimes get either unlucky or unfairly treated.
What competitors are similar to Hetzner in pricing? Last I checked, they seemed quite a bit cheaper than most.
Forum for cheap hosts:<p><a href="https://lowendtalk.com/" rel="nofollow">https://lowendtalk.com/</a><p>Wouldn't reccomend any of these outside of personal use though.
OVH is larger provider, servers usually not significantly more expensive than hetzner.
> they aren't really that cheaper than the competitors<p>This is demonstrably false.
Honestly hetzner supoort has bren outstanding from my experience.
They are always there and very responsive using email
If you prefer no bullshit communications they are great. They are to the point, terse and very German. I find this both refreshing and exactly what I want/need out of support. The few times I have needed to contact them it's been HW related. One was a SSD that was clearly having issues even though SMART reported nothing wrong, I sent them blktrace output and they said yup that checks out, scheduled disk replacement right away. The other time was a network related problem with their transit, I had some ASNs that I was trying to talk to suddenly getting some pretty damn cursed paths and a big increase in latency as a result, they sorted out the path weights super fast and everything has been great since.<p>The only other time I have received better support was from Aussie ISPs. Back in the day when you called Internode the guy who answered the phone was a bona-fide network engineer and would go as far as getting a shell on the DSLAM to check out what is going on. To me that is peak support, live debugging of the problem!<p>Similarly I called into Aussie Broadband to do my first NBN setup, explained I did "BYO" modem because I was going to initiate the PPPoE session with my Linux router and they said no problem. She even offered to send me a cookie cutter pppd config along with the info to set it up myself. Easily the some of the most knowledgeable and "can do" attitude for first layer support I have encountered.<p>Needless to say when I encounter damn good support I stay even when it costs more.
When I first started hosting servers/services for customers I was using EC2 and Rackspace, then I discovered Linode and was happy it was so much cheaper with apparently no downside. After the first couple of interactions with support I started to relax. Then I discovered OVH, same story. I haven't needed the support yet though.
For those considering Hetzner, there is also Contabo which is another German hosting company that is also good, at least in my experience
That's a really good article. Actually, recently we were migrating as well and we were using dedicated nodes in our setup.<p>In order to integrate a load-balancer provided by hetzner with our k8s on dedicated servers we had to implement a super thin operator that does it: <a href="https://github.com/Intreecom/robotlb">https://github.com/Intreecom/robotlb</a><p>If anyone will be inspired by this article and would want to do the same, feel free to use this project.
> While DigitalOcean, like other providers, offers a free managed control plane, there is typically a 100% markup on the nodes that belong to these managed clusters.<p>I don't think this is true. With Digital Ocean, the worker nodes are the same cost as regular droplets, there's no additional costs involved. This makes Digital Ocean's offering very attractive - free control plane you don't have to worry about, free upgrades, and some extra integrations to things like the load balancer, storage, etc. I can't think of a reason to not go with that over self-managed.
I feel lots of the work described in the article can be automated by kops, probably in a much better way, especially when it comes to day 2 operations.<p>I wonder what is the motivation behind manually spinning up a cluster instead of going with more established tooling?
We're very happy to use Hetzner for our bare-metal staging environments to validate functionality, but I still feel reluctant to put our production there. Disks don't quite work as intended at all times and our vSwitch setup has gotten reset more than once.<p>All of this makes sense considering the extremely low price.
Can anybody speak to the pros and cons of Hetzner vs OVH?<p>There ain't many large European cloud companies, and I would like to understand how they differentiate.<p>Ionos is another European one. Currently, it looks like their cloud business is stagnating, though.
My main complaint with OVH is that their checkout process is broken in various ways (missing translations so you get French bits, broken translations so placeholders like ACCEPT_BUTTON leak through, legally binding terms with typos and weird formatting because someone copied them from a PDF into a textarea, UIs from the 90s plastered in between modern ones, missing option to renew a domain for longer than a year, confusing automatic renewal setup, and so on). The control panel in general is quite confusing. They also don't allow hosting an email server (port 25 blocked), iirc the docs tell you to go away and use a competitor<p>I didn't have any of these web UI issues with Hetzner, but iirc OVH is cheaper for domain names, as well as having very reliable and fast DNS servers (measured various query types across some 6 months), and that's why I initially chose them — until my home ISP gave me a burned IP address and I needed an externally hosted server for originating email data (despite it coming from an old and trusted domain that permitlists the IP address) so now I'm with both OVH and Hetzner... Anyway, another thing I like in OVH is that you can edit the raw zone file data and that they support some of the more exotic record types. I don't know how Hetzner compares on domain hosting though
I use Scaleway for my EU cloud needs.<p>This is a very low usage toy server, can't speak for performance/cost.
I'd say stay clear of Ionos.<p>Bonkers first experience in the last two weeks.<p>Graphical "Data center designer", no ability to open multiple tabs, instead always rerouting to the main landing page.<p>Attached 3 IGWs to a box, all public IPs, GUI shows "no active firewall rules".<p>IGW 1: 100% packet loss over 1 minute.<p>IGW 2: 85% packet loss over 1 minute.<p>IGW3: 95% packet loss over 1 minute.<p>Turns out "no active Firewall rules" just wasn't the case and explicit whitelisting is absolutely required.<p>But wait, there's more!<p>Created a hosted PostgreSQL instance, assigned a private subnet for creation.<p>SSH into my server, ping the URL of the created Postgres instance: The DB's IP is outside the CIDR range of the assigned subnet and unreachable.<p>What?<p>Deleted the instance, created another one, exact same settings. Worked this time around.<p>Support quality also varies extremely.<p>Out of 3 encounters, I had a competent person once.<p>Other two straight out said they have no idea what's going on.
This is probably out of left field, but what is the benefit of having a naming scheme for nodes without any delimiters? Reading at a glance and not knowing the region name convention of a given provider (i.e. Hetzner), I'm at a loss to quickly decipher the "<region><zone><environment><role><number>" to "euc1pmgr1". I feel like I'm missing something because having delimiters would make all sorts of automated parsing much easier.
Quicker to type and scan! Though I admit this is preference, delimiters would work fine too.<p>Parsing works the same but is based on a simple regex rather than splitting on a hyphen.<p>euc=eu central; 1=zone/dc; p=production; wkr=worker; 1=node id
Thanks for getting back to me! Now that you've written it out, it's plainly obvious, but for me the readability and flexibility of delimiters beats the speed of typing and scanning. Many a times I've been grateful that I added delimiters because then I was no longer be hamstrung by any potential changes to the length of any particular segment within the name.
Yea, not putting in delimiter and then us having to change our format has bitten me so many times. Delimiter or bust.
You can treat the numeric parts as self-delimiting ... that leaves only the assumption that "environment" is a single letter.
I went hetzner baremetal, set up a proxmox cluster over it and then have kubernetes on top. Gives me a lot of flexibility I find.
I’m planning on doing something similar but want to use Talos with bare metal machines. I suspect to see similar price reductions from our current EKS bill.
Depending on your cluster size I highly recommend Omni: <a href="https://omni.siderolabs.com" rel="nofollow">https://omni.siderolabs.com</a><p>It took minutes to setup a cluster and I love having a UI to see what is happening.<p>I wish there were more products like this as I suspect there will be a trend towards more self-managed Kubernetes clusters given how expensive the cloud is becoming.
I set up a Talos bare metal cluster about a year ago, and documented the whole process on my website. Feel free to reach out if you have any questions!
Very nicely written article. I’m also running a k8s cluster but on bare metal and qemu-kvms for the base load. Wonder why you would chose VMs instead of bare metal if you looking for cost optimisation (additional overhead maybe?), could you share more about this or did I miss it?
Thank you! The cloud servers are sufficiently cheap for us that we could afford the extra flexibility we get from them. Hetzner can move around VMs without us noticing but in contrast they are rebooting a number of metal machines for maintenance now and for the last little while, which would have been disruptive especially during the migration. I might have another look next year at metal but I’m happy with the cloud VMs currently.
Note, they usually do not reboot or touch your servers. But yes, the current maintenance of their metal routers (rare, like once every 2 years) requires you to juggle a bit with different machines in different datacenters.
> Hetzner volumes are, in my experience, too slow for a production database. While you may in the past have had a good experience running customer-facing databases on AWS EBS, with Hetzner's volumes we were seeing >50ms of IOWAIT with very low IOPS.<p>There is a surprisingly easy way to address this issue: use (ridiculously cheap) Hetzner metal machines as nodes. The ones with nvme storage offer excellent performance for dbs and often have generous amounts of RAM. I'd go as far as to say you'd be better off to invest in two or more beefy bare metal machines for a master-replica(s) setup rather than run the db on k8s.<p>If you don't want to be bothered with the setup, you can use one of many modern packages such as Pigsty: <a href="https://pigsty.cc/" rel="nofollow">https://pigsty.cc/</a> (not affiliated but a huge fan).
There are plenty of options for running a database on Kubernetes whilst using local NVMe storage.<p>There are just pinning the database pods to specific nodes and using a LocalPathProvisioner or distributed solutions like JuiceFS, OpenEBS etc.
Thanks, hadn’t heard of pigsty. As you say, I had to use nvme ssds for the dbs, the performance is pretty good so I didn’t look to get metal nodes.
Thanks for the Pigsty link. I have been a big fan of running Postgres on metal machines.
Funnily enough, we made the exact same transition from heroku to DigitalOceans managed Kubernetes service, and saved about 75%. Presumably this means that had we moved from heroku to hetzner, it would have been 93% savings!<p>The costs of cloud hosting are totally out of control, would love to see more efforts that lets developers move down the stack.<p>I’ve been humbly working on <a href="https://canine.sh" rel="nofollow">https://canine.sh</a> which basically provides a Heroku like interface to any K8 cluster
Anybody running k3s/k8s on Hetzner using cax servers? How's that working?
Did you try Cloud66 for deploy?
What about cluster autoscaling?
I didn’t touch on that in the article, but essentially it’s a one line change to add a worker node (or nodes) to the cluster, then it’s automatically enrolled.<p>We don’t have such bursty requirements fortunately so I have not needed to automate this.
Works rather well. I use CAPI + Cluster-Autoscaler + Talos and new nodes are provisioned and ready within 2-3 minutes.
Do you know that they are cutting their free tier bandwidth? Did not read too much into it, but heard a few friends were worried about.<p>End of they day, they are a business!
Great write up Bill!
Lovely website.
<a href="https://github.com/puppetlabs/puppetlabs-kubernetes">https://github.com/puppetlabs/puppetlabs-kubernetes</a><p>What do the fine people of HN think about the size/scope/amount of technology of this repo?<p>It is referenced in the article here: <a href="https://github.com/puppetlabs/puppetlabs-kubernetes/compare/main...bilbof:puppetlabs-kubernetes:main#diff-50ae7fb3724b662b58dbc1c71663cb16a484ab36aecd5a11317fb14465f847fa">https://github.com/puppetlabs/puppetlabs-kubernetes/compare/...</a>
Puppet's original design was that it was meant to be agent based on the things it was meant to configure. It was never very good at bringing up stuff before the agent could be connected.<p>The general flow was Imager->pre-configured puppet agent->connect to controller->apply changes to make it perform as <i>x</i><p>originally it never really had the capacity to kick off the imaging/instantiation. THis meant that it scaled better (shared state is better handled than ansible)<p>However ansible shined because although it was a bastard to get running on more than a couple of hundred hosts in any speed, you could tell it to spin up 100x EC2(or equivalent) machines and then transform them into which every role that was needed. In puppet that was impossible to do in one go.<p>I assume thats changed, but I don't miss puppet.
Honestly I was surprised to hear about puppet at all. Thought that was dead and buried, like chef.
this is good<p>well, running on bare metal would be even better