NETWORKING IN THE CLOUD 
clifflu <clifflu@gmail.com>
ABOUT ME
• 呂昭寬 `CLIFFLU`, TREND MICRO DCS
• USING AWS SINCE ’09 AS FULL-STACK WEB DEV(OPS)
• HTTP://BLOG.CLIFFLU.NET
• BADMINTON / BASEBALL
WHY NETWORKING
• EVERYONE KNOWS SOMETHING ABOUT NETWORKING
• INFRASTRUCTURE
• ARCHITECT
• DEVELOPER
• OPERATOR
• LOTS OF TRAPS
• WHEN YOU FEEL YOU SHOULD LEARN IT, IT’S TOO LATE
FIREWALL
VPC 
• NETWORK IN AWS 
• USES EC2 API ENDPOINT / RESOURCES 
• HANDLES … IN MANAGEMENT CONSOLE 
• SUBNET 
• SECURITY GROUP 
• NETWORK ACL 
• DHCP 
• VPN 
• PEERING 
• ROUTE TABLE 
• IGW, CGW, VGW
VPC: SECURITY GROUP 
• L4 FIREWALL, (TCP) STATEFUL 
• DEFAULT DENY 
• ALLOW RULES ONLY 
• AWS CREATES DEFAULT OUTBOUND RULE 
• ALLOW ALL EGRESS
VPC: SECURITY GROUP
• SECURITY GROUPS ARE VALID SOURCE / TARGET IN SG RULES, AS LONG AS THEY BELONG TO THE SAME VPC
VPC: NETWORK ACL
• L3 FIREWALL, STATELESS
• DEFAULT DENY
• CREATE ALLOW OR DENY RULES
• FIRST MATCH
• EPHEMERAL PORTS

Inbound
Rule #  Src IP        Proto  Port
100     0.0.0.0/0     TCP    80
110     0.0.0.0/0     TCP    443
120                   TCP    22
130                   TCP    3389
140     0.0.0.0/0     TCP    49152-65535
*       0.0.0.0/0     all    all

Outbound
Rule #  Dest IP       Proto  Port
100     0.0.0.0/0     TCP    80
110     0.0.0.0/0     TCP    443
120     10.0.1.0/24   TCP    1433
130     10.0.1.0/24   TCP    3306
140     0.0.0.0/0     TCP    49152-65535
*       0.0.0.0/0     all    all
EPHEMERAL PORTS
Platform  OS / Distribution       Port Range
BSD       BSD                     1025 - 5000
          FreeBSD < 4.6           1025 - 5000
          FreeBSD >= 4.6          49152 - 65535
Linux     *                       32768 - 61000
Windows   Server 2003             1025 - 5000
          Server 2003 + MS08-037  49152 - 65535
          Server 2008             49152 - 65535
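Added example (not from the deck): a Python model of stateless, first-match NACL evaluation over the inbound rules on the previous slide, combined with the ephemeral-port table above, to show which client OSes have the replies to their own outbound connections dropped by rule 140's 49152-65535 range. The source CIDR for rules 120/130 (which the slide leaves blank) and the remote server IP are assumed values from the RFC 5737 documentation ranges.

```python
import functools
import ipaddress
from dataclasses import dataclass

_net = functools.lru_cache(maxsize=None)(ipaddress.ip_network)  # parse each CIDR once


@dataclass(frozen=True)
class Rule:
    number: int    # NACL evaluates rules in ascending order; the first match wins
    cidr: str      # source CIDR (inbound) or destination CIDR (outbound)
    proto: str     # "tcp", "udp", "icmp" or "all"
    ports: tuple   # inclusive (low, high) destination-port range; None = all ports
    action: str    # "allow" or "deny"


# Inbound rules copied from the slide (constructed). The slide omits the source for
# rules 120/130, so an assumed admin CIDR from the RFC 5737 documentation range is used.
INBOUND = [
    Rule(100, "0.0.0.0/0", "tcp", (80, 80), "allow"),
    Rule(110, "0.0.0.0/0", "tcp", (443, 443), "allow"),
    Rule(120, "203.0.113.0/24", "tcp", (22, 22), "allow"),      # assumed source
    Rule(130, "203.0.113.0/24", "tcp", (3389, 3389), "allow"),  # assumed source
    Rule(140, "0.0.0.0/0", "tcp", (49152, 65535), "allow"),
]

# Ephemeral port ranges taken from the slide's table
EPHEMERAL = {
    "freebsd>=4.6": (49152, 65535),
    "linux": (32768, 61000),
    "windows2003": (1025, 5000),
    "windows2008": (49152, 65535),
}


def evaluate(rules, ip, proto, port):
    """Stateless first-match evaluation; anything unmatched hits the implicit '*' deny."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr not in _net(r.cidr):
            continue
        if r.proto not in ("all", proto):
            continue
        if r.ports and not r.ports[0] <= port <= r.ports[1]:
            continue
        return r.action, r.number
    return "deny", "*"


def reply_ports_blocked(client_os, remote_ip="198.51.100.10"):
    """Count ephemeral ports of client_os whose replies to an outbound connection the
    inbound NACL drops (a reply's destination port is the client's ephemeral port).
    remote_ip is an assumed server address from the RFC 5737 documentation range."""
    low, high = EPHEMERAL[client_os]
    return sum(evaluate(INBOUND, remote_ip, "tcp", p)[0] == "deny"
               for p in range(low, high + 1))
```

Because the NACL is stateless, the inbound side must explicitly allow the client's ephemeral range; a Linux client with the default 32768-61000 range loses every reply below 49152 under these rules.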
CONNECTIVITY
DIRECT CONNECT (DX)
• DEDICATED CONNECTION
• GUARANTEED BANDWIDTH & LATENCY
• PAY
• ISP FOR THE LINE
• AWS FOR
• PORT
• OUTBOUND TRAFFIC (AWS → DATACENTER)
• OUTBOUND TO INTERNET (DATACENTER – DX → INTERNET)
DX: NOTES
• CHANGING VLAN REQUIRES MANUAL OPERATION FROM APN, USUALLY TAKES DAYS ~ WEEKS
• SECURITY ?
• DATA SHOULD BE ENCRYPTED AT REST AND IN TRANSIT TO ACHIEVE MAXIMAL DATA SECURITY.
• DX DOES NOT ASSURE DEFENSE AGAINST EAVESDROPPING OR OTHER MALICIOUS BEHAVIOR
VPC: VPN 
• IPSEC W/ PRE-SHARED KEY 
• BUILT-IN HA (VPC CLIENT) W/ BGP 
• STANDARD DATA RATES APPLY 
• VPN SERVER 
• TAKES A DEDICATED PUBLIC IP 
• VPN BOX / SOFTWARE VPN
VPC PEERING
• SAME REGION
• NON-TRANSITIVE
• NO CIDR OVERLAP
• BUILT-IN HA
• CHARGED OVER
• CONNECTION-HOURS
• DATA TRANSFER
• ACTION REQUIRED ON ROUTE TABLE
ROUTING
VPC: ROUTE TABLE 
• DEFAULT ROUTE: LOCAL 
• CAN’T OVERRIDE IT 
• LONGEST PREFIX 
• PROPAGATED ~ REALTIME
VPC: ROUTE TARGET 
• NAT INSTANCE (I-* / ENI-*) 
• TURN OFF SRC./DEST. CHECK 
• SECURITY GROUP / NACL APPLIES 
• ALSO WORK FOR EC2-BASED VPN CONNECTION 
• INTERNET GATEWAY (IGW-*): 
• PUBLIC / ELASTIC IP REQUIRED 
• VIRTUAL GATEWAY (VGW-*) 
• WORKS FOR DX AND VPC:VPN 
• PEERING (PCX-*)
VPC: ROUTE PROPAGATION 
• REMOTE ROUTES TO VPC 
• CREATES ROUTE TABLE ENTRIES AUTOMATICALLY 
• LOCAL ROUTES TO DATA CENTER 
• MAY RUIN ROUTE TABLES IN CASE OF IP CONFLICT
EC2: ROUTING 
• lo 
• LOOPBACK 
• eth0 
• LOCAL 
• DEFAULT (GATEWAY)
EC2: NETWORK TRICKS 
• MULTIPLE ENI 
• AS LONG AS THEY BELONG TO THE SAME AZ 
• SG APPLIES TO ENI, NOT EC2 
• SECONDARY PRIVATE IP 
• CONFIGURE OVER MANAGEMENT CONSOLE / API 
• ENABLE IN EC2 
• ifconfig eth0:0 [SECONDARY_IP] netmask [NETMASK]
OTHER TRICKS 
• NAT 
• SNAT 
• DNAT (PORT FORWARDING) 
• TUNNELING
NETWORK EXAMPLE
[Diagram: Beta, Prod and Shared VPCs plus a DB, with logs to AWS S3; the data center reaches them over a H/W VPN with BGP back propagation, S/W VPNs, and VPC peering]
THANK YOU


Editor's Notes

  • #10 49152-65535: suggested by IANA