CPN401 Packet plumbing in Amazon VPC - AWS re: Invent 2012

  1. Why can't I connect to the server?
  2. Connectivity cases covered:
     - Instances within a subnet (10.0.0.197 and 10.0.0.211)
     - Instance in two subnets (10.0.0.211 and 10.0.2.176)
     - Instance and the Internet (10.0.0.211)
     - Instance to host via VPN or AWS Direct Connect (10.0.0.211)
  3. Troubleshooting: 100% loss. Instance A to Instance B: src 10.0.0.48, dst 10.0.0.197; TCP src port 63071, dst port 22.
  4. Capture on the receiving side (A to B: src 10.0.0.48, dst 10.0.0.197; TCP src 63071, dst 22):

     $ sudo tcpdump -s 1500 -q -n port 22 -c 10
     listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
     20:16:50.650863 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
     20:16:50.650958 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
     20:16:50.651117 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
     20:16:50.727337 IP 10.0.0.48.63071 > 10.0.0.197.ssh: tcp 0
     20:16:50.727360 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 232
     20:16:50.727451 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
     20:16:50.727529 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
     20:16:50.727532 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
     20:16:50.727556 IP 10.0.0.48.63071 > 10.0.0.197.ssh: tcp 0
     20:16:50.727626 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
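As an added example (not part of the re:Invent deck), the shell helper below summarises a `tcpdump -q -n` capture per direction so that a flow with no return packets stands out at a glance, which is the question slide 4 is really asking. It assumes tcpdump's default `-q` line format (`time IP src.port > dst.port: tcp N`); the sample capture is constructed from the lines shown on slides 4 and 8.

```shell
#!/bin/sh
# Added example: group a tcpdump -q -n capture by (src, dst) endpoint pair and
# report pairs that were only ever seen in one direction.
# Assumes the default "HH:MM:SS.us IP a.b.c.d.port > e.f.g.h.port: tcp N" lines.

# Constructed sample: a healthy exchange (both directions, from slide 4) plus the
# eth1 capture from slide 8 where the SYNs leave and nothing ever comes back.
SAMPLE_CAPTURE='20:16:50.650863 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
20:16:50.727337 IP 10.0.0.48.63071 > 10.0.0.197.ssh: tcp 0
20:16:50.727360 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 232
20:16:50.727556 IP 10.0.0.48.63071 > 10.0.0.197.ssh: tcp 0
20:53:57.453687 IP 10.0.0.211.46505 > 10.0.1.73.ssh: tcp 0
20:53:58.450816 IP 10.0.0.211.46505 > 10.0.1.73.ssh: tcp 0'

# flow_summary: read capture lines on stdin, print "src dst count" per direction.
# Non-packet lines ("listening on eth0, ...") are skipped by the field check.
flow_summary() {
    awk '$2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)      # strip the trailing colon
            count[$3 " " dst]++
         }
         END { for (k in count) print k, count[k] }' | sort
}

# one_way_flows: read capture lines on stdin, print the "src dst count" pairs
# whose reverse direction never appeared. For TCP that means the SYN got no
# answer, or the answer took a path this interface cannot see.
one_way_flows() {
    flow_summary | awk '{
            seen[$1 " " $2] = $3
            fwd[NR] = $1 " " $2; rev[NR] = $2 " " $1
        }
        END {
            for (i = 1; i <= NR; i++)
                if (!(rev[i] in seen)) print fwd[i], seen[fwd[i]]
        }'
}

# Usage on a live box:  sudo tcpdump -q -n -i eth1 -c 200 | one_way_flows
# Usage on the sample:  printf '%s\n' "$SAMPLE_CAPTURE" | one_way_flows
```

Run against the sample, the A/B SSH session disappears from the one-way report because both directions were seen, while the `10.0.0.211.46505 > 10.0.1.73.ssh` pair remains, pointing at the asymmetric-routing problem that slides 8 and 9 go on to fix.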
  5. Topology diagram: Subnet 1 10.0.0.0/24, Subnet 2 10.0.1.0/24, Subnet 3 10.0.2.0/24, joined by the VPC Router. Instance A 10.0.0.197 (Subnet 1); Instance B 10.0.0.211 (Subnet 1) with a second elastic network interface 10.0.1.99 (Subnet 2); Instance C 10.0.2.176 (Subnet 3).
  6. Same topology diagram as slide 5.
  7. Instance B (eth0 10.0.0.211, eth1 10.0.1.99) and an instance at 10.0.1.50 in Subnet 2; the connection between them is marked as failing (x).
  8. Two interfaces, one routing table:

     $ ip -f inet addr
     2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
         inet 10.0.0.211/24 brd 10.0.0.255 scope global eth0
     3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
         inet 10.0.1.99/24 brd 10.0.1.255 scope global eth1
     $ ip route list table main
     default via 10.0.0.1 dev eth0
     10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.211
     10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.99
     $ ssh 10.0.1.73 -b 10.0.0.211
     [ No response ]
     $ sudo tcpdump -s 1500 -n -q -i eth1
     20:53:57.453687 IP 10.0.0.211.46505 > 10.0.1.73.ssh: tcp 0
     20:53:58.450816 IP 10.0.0.211.46505 > 10.0.1.73.ssh: tcp 0
  9. Fix: a source-based policy routing table for eth1.

     # echo 10001 eth1-rt >> /etc/iproute2/rt_tables
     # ip rule add from 10.0.1.99 table eth1-rt
     # ip rule list
     0:      from all lookup local
     32765:  from 10.0.1.99 lookup eth1-rt
     32766:  from all lookup main
     32767:  from all lookup default
     # ip route add default via 10.0.1.1 dev eth1 table eth1-rt
     # ip route list table eth1-rt
     default via 10.0.1.1 dev eth1
     # ip route flush cache
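The commands on slides 8 and 9 are one procedure: find the secondary ENI, then give traffic sourced from its address its own table and default route. The script below is an added example, not code from the deck, that wraps those steps in an idempotent helper with a dry-run switch. It assumes what the slides show, namely that the VPC subnet router is the first address of the subnet (10.0.1.1 for 10.0.1.0/24), and that the interface, address, table name and table id are supplied by the caller; the `DRY_RUN` and `RT_TABLES` variables are this example's own.

```shell
#!/bin/sh
# Added example: policy routing for a secondary ENI (slides 8 and 9), written so
# it can be re-run safely and previewed without root.
# Set DRY_RUN=1 to print the commands instead of executing them.
# RT_TABLES can be pointed at a scratch file when testing.

RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# run: execute a command, or echo it prefixed with "+ " under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# vpc_router_for ADDR/PREFIX: print the first address of the containing subnet,
# which is where the VPC router lives (assumption taken from slide 9's 10.0.1.1).
vpc_router_for() {
    cidr=$1
    addr=${cidr%/*}; prefix=${cidr#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    gw=$(( (ip & mask) + 1 ))
    printf '%d.%d.%d.%d\n' $(( gw >> 24 & 255 )) $(( gw >> 16 & 255 )) \
        $(( gw >> 8 & 255 )) $(( gw & 255 ))
}

# eni_policy_routing IFACE ADDR/PREFIX TABLE TABLE_ID: make packets sourced from
# the ENI's address leave through that subnet's router instead of following the
# main table's default route on eth0 (the silent failure on slide 8).
eni_policy_routing() {
    iface=$1; cidr=$2; table=$3; table_id=$4
    addr=${cidr%/*}
    gw=$(vpc_router_for "$cidr")
    # Register the table name only once so re-runs do not append duplicates.
    if ! grep -q "[[:space:]]$table\$" "$RT_TABLES" 2>/dev/null; then
        run sh -c "echo '$table_id $table' >> '$RT_TABLES'"
    fi
    # Source-address rule plus a dedicated default route, exactly as on slide 9.
    run ip rule add from "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip route flush cache
}

# rule_present ADDR TABLE: read `ip rule list` output on stdin and succeed when
# the source rule is installed (slide 9: "32765: from 10.0.1.99 lookup eth1-rt").
rule_present() {
    grep -q "from $1 lookup $2\$"
}

# Preview for the deck's instance B (no changes made):
#   DRY_RUN=1 eni_policy_routing eth1 10.0.1.99/24 eth1-rt 10001
# Verify after a real run:
#   ip rule list | rule_present 10.0.1.99 eth1-rt && echo installed
```

The rule is keyed on the source address rather than the interface because that is what the kernel knows when it picks a route for a locally generated packet; without it, a reply sourced from 10.0.1.99 would be sent via eth0's default gateway, and the VPC drops packets that leave an interface with a source address that interface does not own.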
  10. VPC filtering layers compared:

                       Security Group               Network ACL
      Direction        Filter inbound or outbound   Filter inbound or outbound
      Management       APIs, console                APIs, console
      Protocols        TCP, UDP, IP                 TCP, UDP, IP
      State            Stateful                     Stateless
      Scope            Packets in/out of instance   Packets in/out of subnet
      Association      1+ groups per instance       1 ACL per subnet
      Rule types       "Allow" rules only           "Allow" or "Deny" rules
      Evaluation       Unordered                    Ordered
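The four properties in the table that bite during troubleshooting are the last four rows: a network ACL is evaluated in rule-number order with the first match winning, can deny, and keeps no connection state, so the reply leg of a session must be allowed separately; a security group is an unordered set of allow rules whose match implies the reply. The evaluator below is an added example (not from the deck) that models both behaviours over constructed rule sets; the rule formats, the documentation-range addresses (198.51.100.0/24, 203.0.113.5) and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a model of the slide-10 filtering semantics.
# Network ACL: ordered by rule number, allow or deny, first match wins, an
# implicit final rule denies, and stateless (reply packets are evaluated too).
# Security group: allow rules only, any match allows, stateful (reply implied).
# All rules, addresses and ports here are constructed for illustration.

# awk helpers shared by both evaluators: dotted quad to integer, CIDR match.
AWK_LIB='
function ip2int(s,  p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
function in_cidr(ip, cidr,  c, hostbits) {
    split(cidr, c, "/"); hostbits = 32 - c[2]
    return int(ip2int(ip) / 2^hostbits) == int(ip2int(c[1]) / 2^hostbits)
}
'

# Network ACL rules: "number action proto port_from port_to cidr".
# Listed out of order on purpose: evaluation order is by number, not by line.
NACL_IN='110 allow tcp 22   22    0.0.0.0/0
100 deny  tcp 22   22    198.51.100.0/24
120 allow tcp 1024 65535 0.0.0.0/0'
NACL_OUT='100 allow tcp 1024 65535 0.0.0.0/0'

# Security group rules: "proto port_from port_to cidr" (no number: unordered).
SG_IN='tcp 22 22 10.0.0.0/16
tcp 80 80 0.0.0.0/0'

# nacl_decision PROTO DSTPORT PEER_IP < rules : prints "NUMBER ACTION" for the
# first matching rule in numeric order, or "* deny" for the implicit final rule.
nacl_decision() {
    sort -n | awk -v proto="$1" -v port="$2" -v peer="$3" "$AWK_LIB"'
    $3 == proto && port >= $4 && port <= $5 && in_cidr(peer, $6) { print $1 " " $2; hit = 1; exit }
    END { if (!hit) print "* deny" }'
}

# sg_decision PROTO DSTPORT PEER_IP < rules : prints "allow" if any rule matches.
sg_decision() {
    awk -v proto="$1" -v port="$2" -v peer="$3" "$AWK_LIB"'
    $1 == proto && port >= $2 && port <= $3 && in_cidr(peer, $4) { print "allow"; hit = 1; exit }
    END { if (!hit) print "deny" }'
}

# nacl_session PROTO SVCPORT CLIENT_IP CLIENT_PORT : "allow" only when the
# request (inbound, dst SVCPORT) and the reply (outbound, dst CLIENT_PORT) both
# pass, because the ACL keeps no state about the request.
nacl_session() {
    req=$(printf '%s\n' "$NACL_IN"  | nacl_decision "$1" "$2" "$3")
    rep=$(printf '%s\n' "$NACL_OUT" | nacl_decision "$1" "$4" "$3")
    case "$req $rep" in
        *allow*allow*) echo allow ;;
        *)             echo deny ;;
    esac
}

# sg_session PROTO SVCPORT CLIENT_IP : the reply is implied by the inbound match.
sg_session() {
    printf '%s\n' "$SG_IN" | sg_decision "$1" "$2" "$3"
}

# Examples:
#   nacl_session tcp 22 203.0.113.5 50000   -> allow (rules 110 in, 100 out)
#   nacl_session tcp 22 203.0.113.5 1000    -> deny  (reply port not in 1024-65535)
#   nacl_session tcp 22 198.51.100.7 50000  -> deny  (rule 100 beats rule 110)
#   sg_session   tcp 22 10.0.0.48           -> allow
```

The second example is the one that surprises people: the request is allowed, yet the session fails because the outbound ACL has no rule for the client's port, which is the "stateless" row of the table showing up as a timeout rather than a refusal.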
  11. Diagram: Instances A, B and C in VPC 10.0.0.0/16 reach the Internet through the Internet Gateway.
  12. Diagram: Internet (no further text captured).
  13. Diagram: Internet (no further text captured).
  14. Diagram: Instances A, B and C in VPC 10.0.0.0/16 sit behind the Router and a Virtual Private Gateway; a VPN Connection to a Customer Gateway and an AWS Direct Connect link reach Host D in the HQ and Datacenter networks (192.168.33.0/24 and 192.168.44.0/24).
  15. http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide

     router# show bgp all neighbors 169.254.255.1 advertised-routes
     For address family: IPv4 Unicast
     BGP table version is 3, local router ID is 172.12.3.3
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                   r RIB-failure, S Stale
     Origin codes: i - IGP, e - EGP, ? - incomplete
     Originating default network 0.0.0.0

        Network          Next Hop            Metric LocPrf Weight Path
     *> 192.168.33.0/24  169.254.255.1                 100      0 7224 i

     Total number of prefixes 1
  16. Summary (the same cases as slide 2):
     - Instances within a subnet (10.0.0.197 and 10.0.0.211)
     - Instance in two subnets (10.0.0.211 and 10.0.2.176)
     - Instance and the Internet (10.0.0.211)
     - Instance to host via VPN or AWS Direct Connect (10.0.0.211)
  17. Thank you. Please complete an evaluation for this session.
