Solana. Outbound traffic throttling feature

Author: vlasonfa

lib/solana/README.md

@@ -26,6 +26,16 @@ Solana nodes on AWS can be deployed in 2 different configurations: base RPC and
 3.	The Solana nodes use all required secrets locally, but optionally can store a copy in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) as secure backup.
 4.	The Solana nodes send various monitoring metrics for both EC2 and Solana nodes to Amazon CloudWatch.
 
+### Optimizing Data Transfer Costs
+
+Solana Agave clients generate significant outbound traffic, ranging from 80 to 200+ TiB monthly in recent years. To manage associated costs, the blueprint includes an outbound traffic optimization feature that automatically monitors and adjusts bandwidth usage.
+
+The system works by tracking the node's "Slots Behind" metric after the initial sync is done. When this metric reaches zero, indicating the node is fully synced, the system applies a user-defined bandwidth limit specified in the `SOLANA_LIMIT_OUT_TRAFFIC_MBPS` variable of your `.env` file. If the slots behind metric exceeds 100, the limit is temporarily removed until the node catches up. While the default outbound bandwidth limit is set to 20 Mbit/s (~6.5 TiB/month), testing has shown that nodes can maintain synchronization even at speeds as low as 15 Mbit/s. Inbound bandwidth remains unrestricted.
+
+To maintain operational efficiency, the system excludes internal network traffic from these restrictions. Traffic within standard internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) remains unrestricted, ensuring that AWS applications using internal IPs function normally. This optimization can reduce data transfer costs by over 90%.
+
+It's important to note that while this feature is highly effective for RPC nodes, it should not be implemented on consensus nodes. Restricting outbound traffic on consensus nodes can compromise performance and is not recommended for optimal network participation.
+
 ## Additional materials
 
 <details>
@@ -84,8 +94,8 @@ This is the Well-Architected checklist for Solana nodes implementation of the AW
 
 | Usage pattern  | Ideal configuration  | Primary option on AWS  | Data Transfer Estimates | Config reference |
 |---|---|---|---|---|
-| 1/ Base RPC node (no secondary indexes) | 48 vCPU, 384 GiB RAM, Accounts volume: EBS gp3, 500GiB, 7K IOPS, 700 MB/s throughput, Data volume: EBS gp3, 2TB, 9K IOPS, 700 MB/s throughput   | r7a.12xlarge, Accounts volume: EBS gp3, 500GiB, 7K IOPS, 700 MB/s throughput, Data volume: EBS gp3, 2TB, 9K IOPS, 700 MB/s throughput | 13-15TB/month (no staking) | [.env-sample-baserpc-x86](./sample-configs/.env-sample-baserpc-x86) |
-| 2/ Extended RPC node (with all secondary indexes) | 96 vCPU, 768 GiB RAM, Accounts volume: 500GiB, 7K IOPS, 700 MB/s throughput, Data volume: 2TB, 9K IOPS, 700 MB/s throughput  | I8g.18xlarge, Accounts volume: Instance Store, Data volume: Instance Store | 20-38TB/month (no staking) | [.env-sample-extendedrpc-arm](./sample-configs/.env-sample-extendedrpc-arm) |
+| 1/ Base RPC node (no secondary indexes) | 48 vCPU, 384 GiB RAM, Accounts volume: EBS gp3, 500GiB, 7K IOPS, 700 MB/s throughput, Data volume: EBS gp3, 2TB, 9K IOPS, 700 MB/s throughput   | r7a.12xlarge, Accounts volume: EBS gp3, 500GiB, 7K IOPS, 700 MB/s throughput, Data volume: EBS gp3, 2TB, 9K IOPS, 700 MB/s throughput | 100-200TB/month (no staking) | [.env-sample-baserpc-x86](./sample-configs/.env-sample-baserpc-x86) |
+| 2/ Extended RPC node (with all secondary indexes) | 96 vCPU, 768 GiB RAM, Accounts volume: 500GiB, 7K IOPS, 700 MB/s throughput, Data volume: 2TB, 9K IOPS, 700 MB/s throughput  | r7a.24xlarge, Accounts volume: EBS io2, 500GiB, 10K IOPS, Data volume: EBS io2, 2000GiB, 30K IOPS | 100-200TB/month (no staking) | [.env-sample-extendedrpc-arm](./sample-configs/.env-sample-extendedrpc-arm) |
 </details>
 
 ## Setup Instructions
@@ -305,6 +315,37 @@ free -g
 sudo sysctl vm.swappiness=10
 ```
 
+6. How can I check network throttling configuration currently applied to the instance?
+
+```bash
+# Check iptables manage table
+iptables -t mangle -L -n -v
+
+# Set network interface ID
+INTERFACE=$(ip -br addr show | grep -v '^lo' | awk '{print $1}' | head -n1)
+
+# Check  traffic control (tc) tool configuration
+tc qdisc show
+
+# Watch current traffic
+tc -s qdisc ls dev $INTERFACE
+
+# Monitor bandwidth in real-time
+iftop -i $INTERFACE
+```
+
+7. How to manually remove all iptables and tc rules?
+
+```bash
+# Remove tc rules
+tc qdisc del dev $INTERFACE root
+
+# Remove iptables rules
+iptables -t mangle -D OUTPUT -j MARKING
+iptables -t mangle -F MARKING
+iptables -t mangle -X MARKING
+```
+
 ## Upgrades
 
 When nodes need to be upgraded or downgraded, [use blue/green pattern to do it](https://aws.amazon.com/blogs/devops/performing-bluegreen-deployments-with-aws-codedeploy-and-auto-scaling-groups/). This is not yet automated and contributions are welcome!

lib/solana/app.ts

@@ -21,34 +21,15 @@ new SolanaSingleNodeStack(app, "solana-single-node", {
     stackName: `solana-single-node-${config.baseNodeConfig.nodeConfiguration}`,
     env: { account: config.baseConfig.accountId, region: config.baseConfig.region },
 
-    instanceType: config.baseNodeConfig.instanceType,
-    instanceCpuType: config.baseNodeConfig.instanceCpuType,
-    solanaCluster: config.baseNodeConfig.solanaCluster,
-    solanaVersion: config.baseNodeConfig.solanaVersion,
-    nodeConfiguration: config.baseNodeConfig.nodeConfiguration,
-    dataVolume: config.baseNodeConfig.dataVolume,
-    accountsVolume: config.baseNodeConfig.accountsVolume,
-    solanaNodeIdentitySecretARN: config.baseNodeConfig.solanaNodeIdentitySecretARN,
-    voteAccountSecretARN: config.baseNodeConfig.voteAccountSecretARN,
-    authorizedWithdrawerAccountSecretARN: config.baseNodeConfig.authorizedWithdrawerAccountSecretARN,
-    registrationTransactionFundingAccountSecretARN: config.baseNodeConfig.registrationTransactionFundingAccountSecretARN,
+    ...config.baseNodeConfig
 });
 
 new SolanaHANodesStack(app, "solana-ha-nodes", {
     stackName: `solana-ha-nodes-${config.baseNodeConfig.nodeConfiguration}`,
     env: { account: config.baseConfig.accountId, region: config.baseConfig.region },
 
-    instanceType: config.baseNodeConfig.instanceType,
-    instanceCpuType: config.baseNodeConfig.instanceCpuType,
-    solanaCluster: config.baseNodeConfig.solanaCluster,
-    solanaVersion: config.baseNodeConfig.solanaVersion,
-    nodeConfiguration: config.baseNodeConfig.nodeConfiguration,
-    dataVolume: config.baseNodeConfig.dataVolume,
-    accountsVolume: config.baseNodeConfig.accountsVolume,
-
-    albHealthCheckGracePeriodMin: config.haNodeConfig.albHealthCheckGracePeriodMin,
-    heartBeatDelayMin: config.haNodeConfig.heartBeatDelayMin,
-    numberOfNodes: config.haNodeConfig.numberOfNodes,
+    ...config.baseNodeConfig,
+    ...config.haNodeConfig,
 });
 
 

lib/solana/lib/assets/instance/network/net-rules-start.sh

@@ -6,8 +6,7 @@ if [ -n "$1" ]; then
 else
   echo "Warning: Specify max value for outbound data traffic in Mbps."
   echo "Usage: net-rules.sh <max_bandwidth_mbps>"
-  echo "Default is 26"
-  LIMIT_OUT_TRAFFIC_MBPS=26
+  exit 1;
 fi
 
 # Step 1: Create an iptables rule to mark packets going to public IPs

lib/solana/lib/assets/instance/network/net-rules-stop.sh

@@ -1,7 +1,9 @@
 #!/bin/bash
 
+INTERFACE=$(ip -br addr show | grep -v '^lo' | awk '{print $1}' | head -n1)
+
 # Remove tc rules
-/usr/sbin/tc qdisc del dev eth0 root
+/usr/sbin/tc qdisc del dev $INTERFACE root
 
 # Remove iptables rules
 /usr/sbin/iptables -t mangle -D OUTPUT -j MARKING

lib/solana/lib/assets/instance/network/net-rules.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=ipables and Traffic Control Rules
+Description="ipables and Traffic Control Rules"
 After=network.target
 
 [Service]
@@ -9,5 +9,4 @@ ExecStart=/opt/instance/network/net-rules-start.sh _LIMIT_OUT_TRAFFIC_MBPS_
 ExecStop=/opt/instance/network/net-rules-stop.sh
 
 [Install]
-WantedBy=multi-user.target
-EOF
+WantedBy=multi-user.target

lib/solana/lib/assets/instance/network/net-sync-checker.timer

@@ -1,8 +1,8 @@
 [Unit]
-Description="Run Network Sync checker service every 5 min"
+Description="Run Network Sync checker service every 1 min"
 
 [Timer]
-OnCalendar=*:*:0/5
+OnCalendar=*:*:0/1
 Unit=net-sync-checker.service
 
 [Install]

lib/solana/lib/assets/instance/network/net-syncchecker.sh

@@ -5,6 +5,7 @@ INIT_COMPLETED_FILE=/data/data/init-completed
 TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
 EC2_INTERNAL_IP=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/local-ipv4)
 
+# Start checking the sync node status only after the node has finished the initial sync
 if [ -f "$INIT_COMPLETED_FILE" ]; then
     SOLANA_SLOTS_BEHIND_DATA=$(curl -s -X POST -H "Content-Type: application/json" -d ' {"jsonrpc":"2.0","id":1, "method":"getHealth"}' http://$EC2_INTERNAL_IP:8899 | jq .error.data)
     SOLANA_SLOTS_BEHIND=$(echo $SOLANA_SLOTS_BEHIND_DATA | jq .numSlotsBehind -r)

lib/solana/lib/assets/instance/network/setup.sh

@@ -6,7 +6,7 @@ if [ -n "$1" ]; then
 else
   echo "Warning: Specify max value for outbound data traffic in Mbps."
   echo "Usage: instance/network/setup.sh <max_bandwidth_mbps>"
-  LIMIT_OUT_TRAFFIC_MBPS=26
+  exit 1;
 fi
 
 INTERFACE=$(ip -br addr show | grep -v '^lo' | awk '{print $1}' | head -n1)

lib/solana/lib/assets/user-data-ubuntu.sh

@@ -128,7 +128,7 @@ systemctl restart amazon-cloudwatch-agent
 
 systemctl daemon-reload
 
-if [[ "$LIMIT_OUT_TRAFFIC_MBPS" == "true" ]]; then
+if [[ "$LIMIT_OUT_TRAFFIC_MBPS" -gt 0 ]]; then
   echo "Limiting out traffic"
   /opt/instance/network/setup.sh
 fi

lib/solana/lib/config/node-config.ts

@@ -52,7 +52,7 @@ export const baseNodeConfig: configTypes.SolanaBaseNodeConfig = {
     voteAccountSecretARN: process.env.SOLANA_VOTE_ACCOUNT_SECRET_ARN || "none",
     authorizedWithdrawerAccountSecretARN: process.env.SOLANA_AUTHORIZED_WITHDRAWER_ACCOUNT_SECRET_ARN || "none",
     registrationTransactionFundingAccountSecretARN: process.env.SOLANA_REGISTRATION_TRANSACTION_FUNDING_ACCOUNT_SECRET_ARN || "none",
-    limitOutTrafficMbps: process.env.SOLANA_LIMIT_OUT_TRAFFIC_MBPS ? parseInt(process.env.SOLANA_LIMIT_OUT_TRAFFIC_MBPS) : 25,
+    limitOutTrafficMbps: process.env.SOLANA_LIMIT_OUT_TRAFFIC_MBPS ? parseInt(process.env.SOLANA_LIMIT_OUT_TRAFFIC_MBPS) : 20,
 };
 
 export const haNodeConfig: configTypes.SolanaHAConfig = {