2. ABOUT ME
• 呂昭寬`CLIFFLU`
TREND MICRO DCS
• USING AWS SINCE ’09 AS FULL-STACK WEB DEV(OPS)
• HTTP://BLOG.CLIFFLU.NET
• BADMINTON / BASEBALL
3. WHY NETWORKING
• EVERYONE KNOWS SOMETHING ABOUT NETWORKING
• INFRASTRUCTURE
• ARCHITECT
• DEVELOPER
• OPERATOR
• LOTS OF TRAPS
• WHEN YOU FEEL YOU SHOULD LEARN IT, IT’S TOO LATE
11. DIRECT CONNECT (DX)
• DEDICATED CONNECTION
• GUARANTEED BANDWIDTH & LATENCY
• PAY
• ISP FOR THE LINE
• AWS FOR
• PORT
• OUTBOUND TRAFFIC (AWS DATACENTER)
• OUTBOUND TO INTERNET (DATACENTER – DX INTERNET)
12. DX: NOTES
• CHANGING VLAN REQUIRES MANUAL OPERATION FROM APN, USUALLY TAKES DAYS ~ WEEKS
• SECURITY ?
• DATA SHOULD BE ENCRYPTED AT REST AND IN TRANSIT TO ACHIEVE MAXIMAL DATA SECURITY.
• DX DOES NOT ASSURE DEFENSE AGAINST EAVESDROPPING OR OTHER MALICIOUS BEHAVIOR
13. VPC: VPN
• IPSEC W/ PRE-SHARED KEY
• BUILT-IN HA (VPC CLIENT) W/ BGP
• STANDARD DATA RATES APPLY
• VPN SERVER
• TAKES A DEDICATED PUBLIC IP
• VPN BOX / SOFTWARE VPN
14. VPC PEERING
• SAME REGION
• NON-TRANSITIVE
• NO CIDR OVERLAP
• BUILT-IN HA
• CHARGED OVER
• CONNECTION-HOURS
• DATA TRANSFER
• ACTION REQUIRED ON ROUTE TABLE
16. VPC: ROUTE TABLE
• DEFAULT ROUTE: LOCAL
• CAN’T OVERRIDE IT
• LONGEST PREFIX
• PROPAGATED ~ REALTIME
17. VPC: ROUTE TARGET
• NAT INSTANCE (I-* / ENI-*)
• TURN OFF SRC./DEST. CHECK
• SECURITY GROUP / NACL APPLIES
• ALSO WORKS FOR EC2-BASED VPN CONNECTIONS
• INTERNET GATEWAY (IGW-*):
• PUBLIC / ELASTIC IP REQUIRED
• VIRTUAL GATEWAY (VGW-*)
• WORKS FOR DX AND VPC:VPN
• PEERING (PCX-*)
18. VPC: ROUTE PROPAGATION
• REMOTE ROUTES TO VPC
• CREATES ROUTE TABLE ENTRIES AUTOMATICALLY
• LOCAL ROUTES TO DATA CENTER
• MAY RUIN ROUTE TABLES IN CASE OF IP CONFLICT
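Slides 16 to 18 in one piece of code: a longest-prefix lookup over a VPC-style route table in which the local route cannot be overridden, plus a check that flags VGW-propagated routes overlapping the VPC CIDR (the IP-conflict case). This is an added example, not from the talk; the VPC CIDR, route ids and propagated routes are constructed sample data, and the target-id prefixes (local, igw-, eni-, vgw-, pcx-) are the ones the slides list.

```python
"""Longest-prefix route lookup for a VPC-style route table (added example).

All ids and CIDRs below are constructed sample values, not real resources.
"""
import ipaddress
from dataclasses import dataclass

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VPC CIDR


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str               # local, igw-*, i-*/eni-*, vgw-*, pcx-*
    propagated: bool = False  # learned via a VGW (DX / VPN) rather than static


# Constructed route table: the implicit local route, static entries,
# and two routes propagated from the VGW.
ROUTE_TABLE = [
    Route(VPC_CIDR, "local"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "igw-0abc1234"),
    Route(ipaddress.ip_network("10.1.0.0/16"), "pcx-0def5678"),
    Route(ipaddress.ip_network("192.168.0.0/16"), "vgw-0a1b2c3d", propagated=True),
    # Propagated on-prem prefix that collides with part of the VPC itself.
    Route(ipaddress.ip_network("10.0.5.0/24"), "vgw-0a1b2c3d", propagated=True),
    Route(ipaddress.ip_network("172.16.0.0/12"), "eni-0123abcd"),
]


def lookup(dst: str, table=ROUTE_TABLE) -> str:
    """Return the target of the most specific matching route.

    Addresses inside the VPC CIDR always resolve to the local route, which
    the slides note cannot be overridden, so a conflicting propagated route
    never captures intra-VPC traffic here.
    """
    ip = ipaddress.ip_address(dst)
    if ip in VPC_CIDR:
        return "local"
    best = max((r for r in table if ip in r.destination),
               key=lambda r: r.destination.prefixlen, default=None)
    return best.target if best else "unreachable"


def conflicting_propagated_routes(table=ROUTE_TABLE):
    """List VGW-propagated routes that overlap the VPC CIDR; these are the
    IP conflicts that route propagation can silently introduce."""
    return [r for r in table if r.propagated and r.destination.overlaps(VPC_CIDR)]
```

Running `conflicting_propagated_routes()` against a route table exported from the console is a cheap way to catch an on-prem prefix that collides with the VPC before it causes unexplained reachability problems.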
19. EC2: ROUTING
• lo
• LOOPBACK
• eth0
• LOCAL
• DEFAULT (GATEWAY)
20. EC2: NETWORK TRICKS
• MULTIPLE ENI
• AS LONG AS THEY BELONG TO THE SAME AZ
• SG APPLIES TO ENI, NOT EC2
• SECONDARY PRIVATE IP
• CONFIGURE OVER MANAGEMENT CONSOLE / API
• ENABLE IN EC2
• ifconfig eth0:0 [SECONDARY_IP] netmask [NETMASK]