
When even "allow all traffic from 0.0.0.0/0" doesn't help - Solving connectivity problems in AWS


  1. When even "allow all traffic from 0.0.0.0/0" doesn't help - Solving connectivity problems in AWS. Steffen Gebert (@StGebert), Wolfgang Schäfer (@wo_wue). AWS Community Day DACH in Dresden, 19.10.2022
  3. This is Our Architecture (diagram): VPC left 10.1.0.0/16 and VPC right 10.2.0.0/16, each connected to an AWS Transit Gateway through its own Transit Gateway Attachment; an EC2 instance "client" in VPC left, an Amazon API Gateway VPC Endpoint in VPC right
  4. Problem
  9. VPC Reachability Analyzer
  17. Fixing Connectivity
  18. VPC Reachability Analyzer
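The talk drives Reachability Analyzer from the console; the same check can be scripted, which is what you want when a connectivity test should run after every Terraform apply. The following is an added example, not code from the talk or from EMnify. It assumes boto3 with credentials allowed to call ec2:CreateNetworkInsightsPath, ec2:StartNetworkInsightsAnalysis and ec2:DescribeNetworkInsightsAnalyses; the ENI IDs and the ExplanationCode value in the constructed sample result are placeholders, the real code strings are listed in the AWS documentation.

```python
"""Drive VPC Reachability Analyzer for the client -> API Gateway VPC endpoint path.

Added example, not code from the talk. Assumes boto3 with credentials allowed to call
ec2:CreateNetworkInsightsPath, ec2:StartNetworkInsightsAnalysis and
ec2:DescribeNetworkInsightsAnalyses. The ENI IDs below are placeholders.
"""
import time

CLIENT_ENI = "eni-0123456789abcdef0"    # placeholder: ENI of the EC2 "client" in VPC left
ENDPOINT_ENI = "eni-0fedcba9876543210"  # placeholder: ENI of the API Gateway VPC endpoint in VPC right


def run_analysis(source=CLIENT_ENI, destination=ENDPOINT_ENI, port=443, timeout=300):
    """Create a path, start one analysis and poll until it finishes; returns the analysis dict."""
    import boto3  # imported here so summarize() stays usable offline without boto3 installed
    ec2 = boto3.client("ec2")
    path_id = ec2.create_network_insights_path(
        Source=source, Destination=destination, Protocol="tcp", DestinationPort=port,
    )["NetworkInsightsPath"]["NetworkInsightsPathId"]
    analysis_id = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=path_id,
    )["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id],
        )["NetworkInsightsAnalyses"][0]
        if analysis["Status"] != "running":  # "succeeded" or "failed"
            return analysis
        time.sleep(5)
    raise TimeoutError(f"analysis {analysis_id} still running after {timeout}s")


def summarize(analysis):
    """Reduce an analysis result to (reachable, [one line per explanation]).

    Each explanation carries an ExplanationCode plus the component it refers to
    (route table, security group, NACL, TGW route table, ...) as a nested dict with
    an "Id"; the IDs are collected generically so the summary works for any code.
    """
    if analysis.get("Status") == "failed":
        return False, [f"analysis failed: {analysis.get('StatusMessage', 'no message')}"]
    reachable = bool(analysis.get("NetworkPathFound"))
    lines = []
    for exp in analysis.get("Explanations", []):
        ids = sorted(v["Id"] for v in exp.values() if isinstance(v, dict) and "Id" in v)
        lines.append(" ".join(filter(None, [exp.get("ExplanationCode"), exp.get("Direction"), *ids])))
    return reachable, lines


# Constructed result in the shape describe-network-insights-analyses returns; the
# ExplanationCode value is illustrative, the real strings are listed in the AWS docs.
SAMPLE_ANALYSIS = {
    "Status": "succeeded",
    "NetworkPathFound": False,
    "Explanations": [
        {"ExplanationCode": "ROUTE_NOT_FOUND", "Direction": "egress",
         "TransitGatewayRouteTable": {"Id": "tgw-rtb-0123456789abcdef0"}},
    ],
}

if __name__ == "__main__":
    reachable, lines = summarize(SAMPLE_ANALYSIS)  # replace with summarize(run_analysis()) against a real account
    print("reachable:", reachable)
    for line in lines:
        print(" ", line)
```

Each analysis is billed per run, so in a pipeline create the path once and only start a new analysis after a change; the path ID can be kept in Terraform state next to the resources it tests.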
  20. Connectivity Test
  21. Metrics
  22. This is Our Architecture (same diagram as slide 3: VPC left 10.1.0.0/16, VPC right 10.2.0.0/16, AWS Transit Gateway with one Transit Gateway Attachment per VPC, EC2 instance "client", Amazon API Gateway VPC Endpoint)
  23. Metrics
  25. Metrics Transit GW
  26. Metrics Transit GW § Per TGW and per TGW Attachment § In and out bytes and packets § Blackhole and NoRoute metrics
  28. Metrics Transit GW § Custom Dashboard
  29. Metrics Transit GW § Automatic Dashboard "VPC Transit Gateway"
  30. Flow Logs
  31. Flow Logs § VPC Flow Logs § TGW Flow Logs (new)
  32. CloudWatch Logs Insights
  34. From Reachability Analyzer to Flow Logs
  37. Flow Logs – Additional Destinations § S3 and Kinesis Firehose § Use cases • Continuous monitoring • Retrospective analysis
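The Logs Insights queries in the talk boil down to two questions about the client's flows: which ones get REJECTed on some ENI, and which ones leave the client but never produce a return record. The second pattern is the one a permissive security group cannot fix, because the return path is decided by TGW and VPC route tables and by stateless NACLs. The following is an added example, not code from the talk or from EMnify; it reads the default (v2) flow log record format and runs the same two checks offline over a constructed sample log, using made-up ENI IDs and timestamps.

```python
"""Pair up VPC Flow Log records to spot rejected and one-way flows.

Added example, not the talk's code. Reads the default (v2) flow log record format as
delivered to CloudWatch Logs or S3 and reproduces the two Logs Insights questions from
the talk offline: which client flows get REJECTed, and which ones leave the client but
never see a return packet (a missing return route or a stateless NACL, which no
"allow all from 0.0.0.0/0" security group rule can fix).
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_flow_log(text):
    """Return dicts for every usable default-format record; NODATA/SKIPDATA rows are dropped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # header line or a custom record format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def diagnose(records, client_net="10.1.0.0/16"):
    """Return {flow: verdict} for flows initiated from client_net.

    verdicts: "ok" (traffic logged in both directions), "rejected" (some ENI logged
    REJECT for the forward 5-tuple), "no-return" (only the forward direction was ever logged).
    """
    net = ipaddress.ip_network(client_net)
    actions = defaultdict(set)  # 5-tuple -> actions logged on any ENI
    for r in records:
        key = (r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"], r["protocol"])
        actions[key].add(r["action"])
    verdicts = {}
    for (src, sport, dst, dport, proto), seen in actions.items():
        if ipaddress.ip_address(src) not in net:
            continue  # return direction is judged through its forward flow
        flow = f"{src}:{sport} -> {dst}:{dport}/{PROTO_NAMES.get(proto, proto)}"
        if "REJECT" in seen:
            verdicts[flow] = "rejected"
        elif (dst, dport, src, sport, proto) not in actions:
            verdicts[flow] = "no-return"
        else:
            verdicts[flow] = "ok"
    return verdicts


# Constructed sample: the "client" ENI in VPC left and two endpoint ENIs in VPC right.
# Flow 1 works, flow 2 is rejected at the endpoint ENI, flow 3 never gets an answer.
SAMPLE_LOG = """\
2 123456789012 eni-0client000000001 10.1.0.10 10.2.0.20 49152 443 6 5 320 1666170000 1666170060 ACCEPT OK
2 123456789012 eni-0endpt0000000001 10.1.0.10 10.2.0.20 49152 443 6 5 320 1666170000 1666170060 ACCEPT OK
2 123456789012 eni-0endpt0000000001 10.2.0.20 10.1.0.10 443 49152 6 4 1200 1666170000 1666170060 ACCEPT OK
2 123456789012 eni-0client000000001 10.2.0.20 10.1.0.10 443 49152 6 4 1200 1666170000 1666170060 ACCEPT OK
2 123456789012 eni-0client000000001 10.1.0.10 10.2.0.21 49153 443 6 3 180 1666170000 1666170060 ACCEPT OK
2 123456789012 eni-0endpt0000000002 10.1.0.10 10.2.0.21 49153 443 6 3 180 1666170000 1666170060 REJECT OK
2 123456789012 eni-0client000000001 10.1.0.10 10.2.0.22 49154 443 6 3 180 1666170000 1666170060 ACCEPT OK
2 123456789012 eni-0client000000001 - - - - - - - 1666170000 1666170060 - NODATA
"""

if __name__ == "__main__":
    for flow, verdict in diagnose(parse_flow_log(SAMPLE_LOG)).items():
        print(f"{verdict:10} {flow}")
```

Flow logs are aggregated per capture window, so a "no-return" verdict is only meaningful once the window that would contain the reply has been delivered; for a retrospective check over S3 exports, feed all files of the time range into one parse_flow_log() call before diagnosing.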
  38. Packet Capture
  39. Wireshark § tcpdump running on client instance § Streamed through SSH or SSM connection § Comfortably displayed on local computer § Filter out own traffic!
  43. VPC Traffic Mirroring (diagram): the architecture from slide 3 extended by a third Transit Gateway Attachment to VPC capture 10.99.0.0/16 with an EC2 instance "capture-receiver"; a mirror session consists of source, target and filter
  44. VPC Traffic Mirroring § Packets duplicated by Nitro § Counts against the packets-per-second limits of the EC2 instance § Requires connectivity from source to target § Only for EC2 instances
  52. VPC Traffic Mirroring § Capturing now on target instance § Packets received in VXLAN encapsulation
  53. That's fun! NOBODY EVER DOING THIS
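On the capture-receiver the mirrored packets arrive as UDP datagrams to port 4789, each carrying a VXLAN header and the original Ethernet frame; tcpdump with the filter `udp port 4789` and tshark both decode this automatically. To show what is actually inside, here is an added example, not code from the talk or from EMnify: a small VXLAN decoder that takes one UDP payload and returns VNI, inner addresses and ports, run against a constructed frame (VNI 100, a TCP SYN from the client to the endpoint, with zeroed checksums). The VNI is the one configured on the mirror session, so it can be used to tell several sessions apart on one target.

```python
"""Decode one VXLAN-encapsulated frame as delivered by VPC Traffic Mirroring.

Added example, not the talk's code. Input is the UDP payload received on port 4789:
8-byte VXLAN header, inner Ethernet frame, inner IPv4 packet. Checksums are not verified.
"""
import struct
from ipaddress import ip_address

VXLAN_PORT = 4789  # UDP port the mirror target receives on
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def decode_vxlan(payload):
    """Return a dict with vni, ethertype and, for IPv4, src/dst/proto plus ports and TCP flags."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for VXLAN header + Ethernet frame")
    flags, _reserved1, vni_bytes, _reserved2 = struct.unpack("!B3s3sB", payload[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    info = {"vni": int.from_bytes(vni_bytes, "big")}
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", payload[8:22])
    info["ethertype"] = ethertype
    if ethertype != 0x0800:
        return info  # only IPv4 is decoded here
    ip = payload[22:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes, options included
    proto = ip[9]
    info.update(
        src=str(ip_address(ip[12:16])),
        dst=str(ip_address(ip[16:20])),
        proto=PROTO_NAMES.get(proto, str(proto)),
    )
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        info["tcp_flags"] = l4[13]  # 0x02 = SYN, 0x12 = SYN/ACK, 0x04 = RST
    return info


def build_sample():
    """Constructed frame: VNI 100 carrying an IPv4/TCP SYN 10.1.0.10:49152 -> 10.2.0.20:443."""
    vxlan = struct.pack("!B3s3sB", 0x08, b"\0\0\0", (100).to_bytes(3, "big"), 0)
    eth = struct.pack("!6s6sH", bytes.fromhex("0a0000000002"), bytes.fromhex("0a0000000001"), 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
        ip_address("10.1.0.10").packed, ip_address("10.2.0.20").packed,
    )
    return vxlan + eth + ip + tcp


if __name__ == "__main__":
    print(decode_vxlan(build_sample()))
```

Seeing a SYN on the target but never a SYN/ACK for the same VNI is the packet-level version of the "no-return" flow log finding: the request reaches the mirrored ENI, the answer does not come back.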
  54. Can it be easier? § Aidan Steele's projects § flowdogshark (GWLB) § vpcshark * § More concept studies than production-ready. https://github.com/aidansteele/flowdog https://github.com/aidansteele/vpcshark (* not yet publicly released)
  66. When nothing helps… Ask your AWS Account Team. THANKS Karl!
  67. EMnify IoT Communication Cloud (diagram: User Interface, API, Data Event Stream, Cellular Network, Customer IoT Applications, Customer Operations Team, EMnify SIM, Customer IoT Device)
  68. Your Trouble Shooters § Dr. Steffen Gebert, Director Technology, Infrastructure, @StGebert § Wolfgang Schäfer, Senior Core Network Engineer, @wo_wue
  69. Learn from our mistakes! § IaC definition of the setup used in this talk • Terraform • incl. Reachability Analyzer and Traffic Mirroring § github.com/EMnify/
  70. One More Try… Oh.. Layer 8 issues :-)
  71. Agenda 1. Problem Scenario 2. VPC Reachability Analyzer 3. Metrics 4. Flow Logs 5. Packet capture 6. About us 7. Your questions, please!
