
Networking in the cloud


Brief intro on how to connect AWS VPC to on-premises data centers.

Published in: Software


  1. NETWORKING IN THE CLOUD (clifflu <clifflu@gmail.com>)
  2. ABOUT ME
     • 呂昭寬 `clifflu`, Trend Micro DCS
     • Using AWS since '09 as a full-stack web dev(ops)
     • http://blog.clifflu.net
     • Badminton / baseball
  3. WHY NETWORKING
     • Everyone knows something about networking: infrastructure, architects, developers, operators
     • Lots of traps
     • When you feel you should learn it, it's too late
  4. 4. FIREWALL
  5. VPC
     • The network in AWS; uses the EC2 API endpoint and EC2 resources
     • Handles … in the management console
     • Subnet, security group, network ACL, DHCP, VPN, peering, route table, IGW / CGW / VGW
  6. VPC: SECURITY GROUP
     • L4 firewall, stateful: return traffic for an allowed connection (TCP, UDP and ICMP flows are all tracked) is admitted without a rule, so no ephemeral-port rules are needed
     • Default deny; allow rules only (a security group has no deny rule)
     • AWS creates a default outbound rule that allows all egress; tighten it for instances that do not need to reach the internet
  7. VPC: SECURITY GROUP
     • Security groups are valid sources / targets in SG rules as long as they belong to the same VPC (referencing a group in a peered VPC in the same region was added later)
     • Referencing a security group matches the private IP addresses of the interfaces associated with that group, not the rules of that group
  8. VPC: NETWORK ACL
     • L3/L4 firewall at the subnet boundary, stateless: inbound and outbound are evaluated independently, so return traffic needs its own rule
     • The default NACL allows everything; a custom NACL denies everything until you add rules
     • Allow or deny rules, evaluated in ascending rule-number order; first match wins, and the final `*` rule denies whatever nothing else matched
     • Ephemeral ports: the client side of a connection uses a high source port, so the example below allows 49152-65535 in both directions (the next slide lists the ranges each OS actually uses)

     Inbound
     Rule #  Src IP            Proto  Port         Action
     100     0.0.0.0/0         TCP    80           allow
     110     0.0.0.0/0         TCP    443          allow
     120     (blank on slide)  TCP    22           allow
     130     (blank on slide)  TCP    3389         allow
     140     0.0.0.0/0         TCP    49152-65535  allow
     *       0.0.0.0/0         all    all          deny

     Outbound
     Rule #  Dest IP           Proto  Port         Action
     100     0.0.0.0/0         TCP    80           allow
     110     0.0.0.0/0         TCP    443          allow
     120     10.0.1.0/24       TCP    1433         allow
     130     10.0.1.0/24       TCP    3306         allow
     140     0.0.0.0/0         TCP    49152-65535  allow
     *       0.0.0.0/0         all    all          deny
  9. EPHEMERAL PORTS
     Platform  OS / Distribution        Port Range
     BSD       BSD                      1025 - 5000
     BSD       FreeBSD < 4.6            1025 - 5000
     BSD       FreeBSD >= 4.6           49152 - 65535
     Linux     *                        32768 - 61000
     Windows   Server 2003              1025 - 5000
     Windows   Server 2003 + MS08-037   49152 - 65535
     Windows   Server 2008              49152 - 65535

     The trap: with the NACL on the previous slide, a Linux client whose source port falls in 32768-49151 gets its SYN through on rule 100/110, but the reply is matched outbound against the client's port, misses rule 140 and is dropped by `*`.
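To make the first-match, stateless evaluation concrete, here is a small simulator that walks the slide's NACL the way AWS does. It is an added example for this page, not code from the deck or from AWS: the rule set copies the inbound and outbound tables above (inbound rules 120 and 130 are left out because the slide does not show their source CIDR), `CATCH_ALL` stands in for the `*` rule, and the client addresses and ports are constructed.

```python
"""Stateless NACL evaluation, modeled on the deck's example rules.

Added example for this page, not code from the deck or from AWS. The rule
set copies the slide's inbound and outbound tables (inbound rules 120/130
are omitted because the slide does not show their source CIDR); the client
addresses and ports used below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

CATCH_ALL = 2**31  # stands in for the '*' rule; sorts after every numbered rule


@dataclass(frozen=True)
class Rule:
    number: int                       # evaluation order, lowest first
    cidr: str                         # source (inbound) or destination (outbound)
    proto: str                        # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]  # inclusive range, None = all ports
    action: str                       # "allow" or "deny"


INBOUND = [
    Rule(100, "0.0.0.0/0", "tcp", (80, 80), "allow"),
    Rule(110, "0.0.0.0/0", "tcp", (443, 443), "allow"),
    Rule(140, "0.0.0.0/0", "tcp", (49152, 65535), "allow"),
    Rule(CATCH_ALL, "0.0.0.0/0", "all", None, "deny"),
]

OUTBOUND = [
    Rule(100, "0.0.0.0/0", "tcp", (80, 80), "allow"),
    Rule(110, "0.0.0.0/0", "tcp", (443, 443), "allow"),
    Rule(120, "10.0.1.0/24", "tcp", (1433, 1433), "allow"),
    Rule(130, "10.0.1.0/24", "tcp", (3306, 3306), "allow"),
    Rule(140, "0.0.0.0/0", "tcp", (49152, 65535), "allow"),
    Rule(CATCH_ALL, "0.0.0.0/0", "all", None, "deny"),
]


def evaluate(rules, addr, proto, port):
    """First-match evaluation in ascending rule-number order.

    Returns (action, rule_number) of the rule that decided the packet.
    AWS always appends the '*' deny, so a miss cannot happen in practice;
    an explicit deny is returned anyway for safety.
    """
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.proto != "all" and rule.proto != proto:
            continue
        if rule.ports is not None and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        return rule.action, rule.number
    return "deny", CATCH_ALL


def tcp_session_allowed(client_ip, client_port, server_port):
    """Check both halves of a TCP session from an outside client to a host
    in this subnet. Inbound leg: client -> server_port, matched on source IP.
    Outbound leg: server -> client_port, matched on destination IP.
    The NACL is stateless, so both legs must be allowed explicitly."""
    in_action, in_rule = evaluate(INBOUND, client_ip, "tcp", server_port)
    out_action, out_rule = evaluate(OUTBOUND, client_ip, "tcp", client_port)
    return {
        "inbound": (in_action, in_rule),
        "outbound": (out_action, out_rule),
        "session_ok": in_action == "allow" and out_action == "allow",
    }


if __name__ == "__main__":
    # Constructed clients: one using a source port in 49152-65535 (Windows
    # Server 2008 style) and one using 40000 (inside the Linux 32768-61000
    # range), both fetching https from a host in the subnet.
    print(tcp_session_allowed("203.0.113.10", 50000, 443))  # session_ok True
    print(tcp_session_allowed("203.0.113.10", 40000, 443))  # session_ok False: reply hits '*'
```

The second call is the ephemeral-port trap from the slide: the SYN is allowed inbound on rule 110, but the reply to port 40000 matches nothing outbound before `*`. The fix is to widen outbound rule 140 to the full range the clients you expect actually use (AWS's own guidance is 1024-65535 when in doubt), or to rely on the stateful security group instead of the NACL for that traffic.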
  10. CONNECTIVITY
  11. DIRECT CONNECT (DX)
     • Dedicated connection: dedicated bandwidth and consistent latency
     • You pay the ISP for the line, and AWS for the port (per hour) and for outbound traffic: AWS → data center, and data center → DX → internet (traffic from the data center that exits to the internet through AWS)
  12. DX: NOTES
     • Changing a VLAN requires a manual operation by the APN partner and usually takes days to weeks
     • Security? DX is a private circuit, not an encrypted one: it does not assure defense against eavesdropping or other malicious behaviour on the path
     • Data should be encrypted at rest and in transit to achieve maximal data security; in practice that means running an IPsec tunnel over the DX connection, or TLS end to end
  13. VPC: VPN
     • IPsec with a pre-shared key
     • Built-in HA on the AWS side (two tunnel endpoints per VPN connection), with BGP handling failover between them
     • Standard data transfer rates apply
     • Your VPN server (the customer gateway) takes a dedicated public IP; it can be a hardware VPN box or a software VPN
  14. VPC PEERING
     • Same region (inter-region peering was added later)
     • Non-transitive: peering A-B and B-C does not connect A and C
     • No CIDR overlap between the two VPCs
     • Built-in HA; nothing to fail over
     • Charged for data transfer over the connection; there is no per-hour charge for the peering itself
     • Action required on the route tables: each side must add a route to the other VPC's CIDR via the pcx-* target, and security groups / NACLs still apply to the traffic
  15. ROUTING
  16. VPC: ROUTE TABLE
     • Default route: local (the VPC CIDR); it is implicit and can't be overridden or deleted
     • Longest prefix match
     • Changes propagate in ~realtime
  17. VPC: ROUTE TARGET
     • NAT instance (i-* / eni-*): turn off the source/destination check; security groups / NACLs still apply to it; the same setup works for an EC2-based VPN connection
     • Internet gateway (igw-*): the instance needs a public / Elastic IP
     • Virtual gateway (vgw-*): works for both DX and VPC VPN
     • Peering (pcx-*)
  18. VPC: ROUTE PROPAGATION
     • Remote routes to the VPC: prefixes advertised by the data center over BGP are added to the route table automatically once propagation is enabled for the VGW
     • Local routes to the data center: the VGW advertises the VPC CIDR to the customer gateway
     • May ruin route tables in case of IP conflict: a prefix advertised by the data center that overlaps space you already route elsewhere. Propagated routes never beat the local route, and for an identical prefix a static route wins over a propagated one; otherwise longest prefix decides, so a more specific advertised prefix silently takes traffic away from a broader static route
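The following simulator shows how those precedence rules play out on a route table that mixes local, static and propagated entries, and flags the propagated prefixes that the slide's "IP conflict" warning is about. It is an added example for this page, not code from the deck or from AWS; the route table is constructed and the target IDs (`igw-example`, `vgw-example`, `pcx-example`, `eni-nat-example`) are placeholders. The modeled rules are: the implicit local route covers the VPC CIDR and is never overridden, longest prefix wins, and for an identical prefix a static route beats a propagated (VGW/BGP) route.

```python
"""VPC route selection, modeled on the deck's route-table and propagation slides.

Added example for this page, not code from the deck or from AWS. The route
table below is constructed and the target IDs are placeholders. Rules
modeled: the implicit local route covers the VPC CIDR and is never
overridden; longest prefix wins; for an identical prefix a static route
beats a propagated (VGW/BGP) route.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
ORIGIN_RANK = {"local": 0, "static": 1, "propagated": 2}  # lower wins on a tie

# (destination, target, origin); "propagated" = learned from the data center via the VGW
ROUTES = [
    ("10.0.0.0/16", "local", "local"),
    ("0.0.0.0/0", "igw-example", "static"),
    ("192.168.0.0/16", "vgw-example", "propagated"),
    ("192.168.10.0/24", "pcx-example", "static"),    # peered VPC, more specific than the VGW route
    ("172.16.0.0/12", "vgw-example", "propagated"),
    ("172.16.0.0/12", "eni-nat-example", "static"),  # identical prefix: static wins
    ("10.0.5.0/24", "vgw-example", "propagated"),    # inside the VPC CIDR: local always wins
]


def lookup(dst, routes=ROUTES, vpc_cidr=VPC_CIDR):
    """Return (target, destination) of the route that would carry traffic to dst."""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(vpc_cidr):
        return "local", vpc_cidr          # the implicit local route cannot be overridden
    best_key, best = None, (None, None)
    for dest, target, origin in routes:
        net = ipaddress.ip_network(dest)
        if ip not in net:
            continue
        # longer prefix first; on a tie local > static > propagated
        key = (net.prefixlen, -ORIGIN_RANK[origin])
        if best_key is None or key > best_key:
            best_key, best = key, (target, dest)
    return best


def conflicting_propagated(routes=ROUTES, vpc_cidr=VPC_CIDR):
    """Propagated prefixes that overlap the VPC CIDR or duplicate a static prefix.

    This is the 'IP conflict' the slide warns about: the data center advertises
    space the VPC already uses or routes statically. Such routes are shadowed
    without any error, so they are worth flagging when you audit the table."""
    vpc = ipaddress.ip_network(vpc_cidr)
    static = {dest for dest, _, origin in routes if origin == "static"}
    return [dest for dest, _, origin in routes
            if origin == "propagated"
            and (ipaddress.ip_network(dest).overlaps(vpc) or dest in static)]


if __name__ == "__main__":
    for dst in ("10.0.5.7", "192.168.10.4", "192.168.20.4", "172.16.3.3", "8.8.8.8"):
        print(dst, "->", lookup(dst))
    print("shadowed propagated routes:", conflicting_propagated())
```

Note the 10.0.5.0/24 case: if the data center starts advertising a /24 out of the VPC's own range, nothing in the VPC breaks, but the reverse direction does, because the customer gateway now believes that subnet lives on premises. That is why overlap between the VPC CIDR and anything the data center might advertise has to be ruled out before propagation is enabled.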
  19. EC2: ROUTING
     • lo: loopback
     • eth0: the local subnet route and the default route (gateway)
  20. EC2: NETWORK TRICKS
     • Multiple ENIs, as long as they belong to the same AZ as the instance
     • Security groups apply to the ENI, not to the EC2 instance
     • Secondary private IP: configure it over the management console / API, then enable it inside the instance:
       ifconfig eth0:0 [SECONDARY_IP] netmask [NETMASK]
  21. OTHER TRICKS
     • NAT: SNAT, DNAT (port forwarding)
     • Tunneling
  22. NETWORK EXAMPLE (diagram: VPN with BGP back propagation; Beta, Prod and Shared VPCs, a DB, H/W VPN, S/W VPN, VPC peering, logs to AWS S3)
  23. THANK YOU
