re:Growth 2018 Tokyo: New services from the Amazon Global Network (Shuji Kikuchi)
AWS Global Accelerator and AWS Transit Gateway are the two new connectivity services covered. Global Accelerator optimizes routing between clients and applications over the AWS global network, while Transit Gateway acts as a hub that attaches VPCs, VPN connections and Direct Connect links to on-premises networks. Both simplify connectivity and can reduce cost compared with building the equivalent out of per-VPC peering, VPN and NAT. The section below covers the constraints of Inter-Region VPC Peering that the talk contrasts these services against.
21. Inter-Region VPC Peering constraints
• Inter-Region VPC Peering lacks some features that VPC Peering within a region supports:
• Security Group references
• Private IP resolution across VPCs
22. Inter-Region VPC Peering constraints
• Security Group references
• Within a region, a Security Group can be given as the Source of an inbound rule
• Across regions, the Source has to be an IP address or CIDR range instead, which admits every host in that range rather than only the members of the group
[Diagram: Security Group "Web" and Security Group "DB"; the inbound rule on the DB group]
Protocol  Port  Source
TCP       3306  SG:Web
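The rule on this slide, as an added example that is not part of the original deck: it builds the IpPermissions entry that boto3's ec2.authorize_security_group_ingress() takes, choosing the Source form the way the slide describes (a security group reference inside a region, an IP range across an inter-region peering), and flags a CIDR fallback that is wider than the Web tier's subnet. Region names, security group IDs and the 10.1.10.0/24 Web subnet are assumed placeholder values.

```python
"""Inbound rule for a DB security group that admits a Web tier.

Added example, not from the original slides. Region names, security group
IDs and the Web subnet CIDR used here are assumed placeholder values.
"""
from __future__ import annotations

import ipaddress
from typing import Any

DB_PORT = 3306  # MySQL/Aurora, as on the slide


def db_ingress_rule(db_region: str, web_region: str, web_sg_id: str,
                    web_cidr: str, port: int = DB_PORT) -> dict[str, Any]:
    """Return one IpPermissions entry for the DB security group.

    Same region: reference the Web security group. Membership follows the
    instances, and nothing outside that group is admitted.
    Different region: a security group from another region cannot be the
    Source, so fall back to an IP range. Pass the Web tier's subnet CIDR,
    not the whole peer VPC CIDR, so the fallback stays as narrow as possible.
    """
    rule: dict[str, Any] = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if db_region == web_region:
        rule["UserIdGroupPairs"] = [
            {"GroupId": web_sg_id, "Description": "Web tier (security group reference)"}
        ]
        return rule
    # strict=True rejects host addresses such as 10.1.10.5/24
    net = ipaddress.ip_network(web_cidr, strict=True)
    rule["IpRanges"] = [
        {"CidrIp": str(net),
         "Description": f"Web tier in {web_region} via inter-region peering"}
    ]
    return rule


def broader_than(rule: dict[str, Any], max_prefixlen: int = 24) -> bool:
    """True if any IP-range Source is wider than /max_prefixlen.

    A CIDR Source admits every host in the range, not just the Web instances,
    so flag rules that were written against an entire VPC CIDR.
    """
    return any(ipaddress.ip_network(r["CidrIp"]).prefixlen < max_prefixlen
               for r in rule.get("IpRanges", []))


def apply_rule(ec2_client, db_sg_id: str, rule: dict[str, Any]):
    """Apply the rule with a boto3 EC2 client for the DB region (needs credentials)."""
    return ec2_client.authorize_security_group_ingress(
        GroupId=db_sg_id, IpPermissions=[rule])


if __name__ == "__main__":
    # Assumed values: replace with real IDs and CIDRs.
    same = db_ingress_rule("ap-northeast-1", "ap-northeast-1",
                           "sg-0123456789abcdef0", "10.1.10.0/24")
    cross = db_ingress_rule("ap-northeast-1", "us-east-1",
                            "sg-0123456789abcdef0", "10.1.10.0/24")
    print(same)
    print(cross, "broader than /24:", broader_than(cross))
```

The CIDR form is the weaker rule: any instance launched into that subnet, Web tier or not, can reach port 3306, so keep the range to the Web subnet and review existing cross-region rules with broader_than() before trusting them.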
24. Inter-Region VPC Peering constraints
• Private IP resolution
Outside the VPC: the public IP is returned
Inside the VPC (AmazonProvidedDNS, the resolver at the VPC CIDR base plus two, here 172.31.0.2): the private IP is returned
$ dig ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com @8.8.8.8
:
;; QUESTION SECTION:
;ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. IN A

;; ANSWER SECTION:
ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. 21599 IN A 13.231.218.52

$ dig ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com @172.31.0.2
:
;; QUESTION SECTION:
;ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. IN A

;; ANSWER SECTION:
ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. 21599 IN A 172.31.5.216
25. Inter-Region VPC Peering constraints
• For a peering connection within a region, enabling "DNS resolution" (private IP resolution) on the connection lets hostnames resolve to private IPs across both VPCs
• Inter-Region VPC Peering has no such setting (at the time of this talk), so hostnames of instances in any VPC other than your own resolve to the public IP
[Diagram: ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com queried through each VPC's DNS; the private IP comes back only inside the instance's own VPC]
26. Inter-Region VPC Peering constraints
• This matters for RDS / Redshift instances that have public access enabled
• From the peer VPC their endpoint hostname resolves to the public IP, so the connection goes over the Internet instead of through VPC Peering
• Besides the extra hop, the client then needs an Internet route (IGW or NAT) and the database's security group ends up admitting the client's public address rather than its private one
[Diagram: xxx.ap-northeast-1.rds.amazonaws.com resolved from the peer VPC returns the public IP; resolved inside the RDS instance's own VPC it returns the private IP]
28. Inter-Region VPC Peering constraints
• The workaround is to place a DNS cache (forwarder)
• AmazonProvidedDNS can only be queried from inside its own VPC
• To get private IPs for access over the peering connection, send queries to a DNS cache server in the target VPC, which forwards them to that VPC's AmazonProvidedDNS and returns the private answer
• The cache server's security group has to admit TCP/UDP 53 from the peer VPC, and across regions that source has to be a CIDR range (see slide 22)
https://dev.classmethod.jp/cloud/aws-hybrid-cloud-dns-designs/
[Diagram: a client in the peer VPC queries a DNS cache server in the RDS VPC over the peering connection; the cache forwards to AmazonProvidedDNS and returns the private IP for xxx.ap-northeast-1.rds.amazonaws.com]
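The check behind slides 24 to 28, as an added example that is not part of the original deck: it parses dig output, classifies each A record as private (RFC 1918, routable over the peering) or public (the client would leave over the Internet), and reports which path a client in the peer VPC would take. The two dig transcripts are constructed to mirror the values on slide 24; 8.8.8.8 and 172.31.0.2 are the resolvers shown there. live_dig() needs network and the dig binary and is the function to point at the DNS cache server once it is in place.

```python
"""Which path does a peer VPC take to an AWS hostname: peering or Internet?

Added example, not from the original slides. The dig transcripts below are
constructed to mirror the slide's values; nothing here talks to the network
unless live_dig() is called.
"""
from __future__ import annotations

import ipaddress
import re
import shutil
import subprocess
from dataclasses import dataclass

# A record in dig's ANSWER SECTION (or `+noall +answer` output):
# "<name>. <ttl> IN A <address>"; question lines start with ';' and carry no TTL.
_A_RECORD = re.compile(
    r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)

# Constructed transcripts (headers elided), same values as on slide 24.
DIG_VIA_PUBLIC_RESOLVER = """\
;; QUESTION SECTION:
;ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. IN A

;; ANSWER SECTION:
ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. 21599 IN A 13.231.218.52
"""

DIG_VIA_AMAZON_PROVIDED_DNS = """\
;; QUESTION SECTION:
;ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. IN A

;; ANSWER SECTION:
ec2-13-231-218-52.ap-northeast-1.compute.amazonaws.com. 21599 IN A 172.31.5.216
"""


@dataclass(frozen=True)
class Answer:
    name: str
    ttl: int
    address: str

    @property
    def private(self) -> bool:
        """RFC 1918 and other non-global space: what VPC peering can route."""
        return ipaddress.ip_address(self.address).is_private


def parse_dig(output: str) -> list[Answer]:
    """Extract the A records from a dig transcript."""
    return [Answer(n, int(t), a) for n, t, a in _A_RECORD.findall(output)]


def path_from_peer_vpc(answers: list[Answer]) -> str:
    """Path a client in the *peer* VPC will take, given these answers.

    Only private addresses fall inside the peered CIDR and are routed over
    the peering; a public answer goes out the client's Internet route (or
    fails if it has none), bypassing the peering entirely.
    """
    if not answers:
        return "unresolved"
    if all(a.private for a in answers):
        return "vpc-peering"
    if not any(a.private for a in answers):
        return "internet"
    return "mixed"


def live_dig(host: str, resolver: str, timeout: float = 5.0) -> list[Answer]:
    """Query a specific resolver with the real dig binary (needs network).

    Point `resolver` at the target VPC's +2 address or at the DNS cache
    server from slide 28 to confirm the private address comes back.
    """
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    proc = subprocess.run(
        ["dig", f"@{resolver}", host, "A", "+noall", "+answer"],
        capture_output=True, text=True, timeout=timeout, check=True)
    return parse_dig(proc.stdout)


if __name__ == "__main__":
    for label, transcript in (("8.8.8.8", DIG_VIA_PUBLIC_RESOLVER),
                              ("172.31.0.2", DIG_VIA_AMAZON_PROVIDED_DNS)):
        answers = parse_dig(transcript)
        print(label, [a.address for a in answers], "->", path_from_peer_vpc(answers))
```

Run live_dig() from an instance in the peer VPC twice, once against the peer VPC's own resolver and once against the cache server in the RDS VPC: the first should report "internet" for a publicly accessible RDS endpoint, the second "vpc-peering". A "mixed" result means the hostname has several A records and at least one would leave over the Internet.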