Networking in the cloud
•Télécharger en tant que PPTX, PDF•
1 j'aime•512 vues
Brief intro on how to connect AWS VPC to on-premises data centers.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (9)
Similaire à Networking in the cloud
Similaire à Networking in the cloud (20)
Plus de Cliff Chao-kuan Lu
Plus de Cliff Chao-kuan Lu (14)
Dernier
Dernier (20)
Networking in the cloud
- 1. NETWORKING IN THE CLOUD clifflu <clifflu@gmail.com>
- 2. ABOUT ME • 呂昭寬`CLIFFLU` TREND MICRO DCS • USING AWS SINCE ’09 AS FULL-STACK WEB DEV(OPS) • HTTP://BLOG.CLIFFLU.NET • BADMINTON / BASEBALL
- 3. WHY NETWORKING • EVERYONE KNOWS SOMETHING ABOUT NETWORKING • INFRASTRUCTURE • ARCHITECT • DEVELOPER • OPERATOR • LOTS OF TRAPS • WHEN YOU FEEL YOU SHOULD LEARN IT, IT’S TOO LATE
- 4. FIREWALL
- 5. VPC • NETWORK IN AWS • USES EC2 API ENDPOINT / RESOURCES • HANDLES … IN MANAGEMENT CONSOLE • SUBNET • SECURITY GROUP • NETWORK ACL • DHCP • VPN • PEERING • ROUTE TABLE • IGW, CGW, VGW
- 6. VPC: SECURITY GROUP • L4 FIREWALL, (TCP) STATEFUL • DEFAULT DENY • ALLOW RULES ONLY • AWS CREATES DEFAULT OUTBOUND RULE • ALLOW ALL EGRESS
- 7. VPC: SECURITY GROUP • SECURITY GROUPS ARE VALID SOURCE / TARGET IN SG RULES, AS LONG AS THEY BELONG TO THE SAME VPC
- 8. VPC: NETWORK ACL • L3 FIREWALL, STATELESS • DEFAULT DENY • CREATE ALLOW OR DENY RULES • FIRST MATCH • EPHEMERAL PORTS Rule # Src IP Proto Port 100 0.0.0.0/0 TCP 80 110 0.0.0.0/0 TCP 443 120 TCP 22 130 TCP 3389 140 0.0.0.0/0 TCP 49152-65535 * 0.0.0.0/0 all all Rule # Dest IP Proto Port 100 0.0.0.0/0 TCP 80 110 0.0.0.0/0 TCP 443 120 10.0.1.0/24 TCP 1433 130 10.0.1.0/24 TCP 3306 140 0.0.0.0/0 TCP 49152-65535 * 0.0.0.0/0 all all Outbound Inbound
- 9. EPHEMERAL PORTS Platform OS / Distribution Port Range BSD BSD 1025 - 5000 FreeBSD < 4.6 1025 - 5000 FreeBSD >= 4.6 49152 - 65535 Linux * 32768 - 61000 Windows Server 2003 1025 - 5000 Server 2003 + MS08-037 49152 - 65535 Server 2008 49152 - 65535
- 10. CONNECTIVITY
- 11. DIRECT CONNECT (DX) • DEDICATED CONNECTION • GUARANTEED BANDWIDTH & LATENCY • PAY • ISP FOR THE LINE • AWS FOR • PORT • OUTBOUND TRAFFIC (AWS DATACENTER) • OUTBOUND TO INTERNET (DATACENTER – DX INTERNET)
- 12. DX: NOTES • CHANGING VLAN REQUIRES MANUAL OPERATION FROM APN, USUALLY TAKES DAYS ~ WEEKS • SECURITY ? • DATA SHOULD BE ENCRYPTION AT REST AND IN TRANSIT TO ACHIEVE MAXIMAL DATA SECURITY. • DX DOES NOT ASSURE DEFENSE AGAINST EAVESDROPPING OR OTHER MALICIOUS BEHAVIOR
- 13. VPC: VPN • IPSEC W/ PRE-SHARED KEY • BUILT-IN HA (VPC CLIENT) W/ BGP • STANDARD DATA RATES APPLY • VPN SERVER • TAKES A DEDICATED PUBLIC IP • VPN BOX / SOFTWARE VPN
- 14. VPC PEERING • SAME REGION • NON-TRANSITIVE • NO CIDR OVERLAP • BUILT-IN HA • CHARGED OVER • CONNECTION-HOURS • DATA TRANSFER • ACTION REQUIRED ON ROUTE TABLE
- 15. ROUTING
- 16. VPC: ROUTE TABLE • DEFAULT ROUTE: LOCAL • CAN’T OVERRIDE IT • LONGEST PREFIX • PROPAGATED ~ REALTIME
- 17. VPC: ROUTE TARGET • NAT INSTANCE (I-* / ENI-*) • TURN OFF SRC./DEST. CHECK • SECURITY GROUP / NACL APPLIES • ALSO WORK FOR EC2-BASED VPN CONNECTION • INTERNET GATEWAY (IGW-*): • PUBLIC / ELASTIC IP REQUIRED • VIRTUAL GATEWAY (VGW-*) • WORKS FOR DX AND VPC:VPN • PEERING (PCX-*)
- 18. VPC: ROUTE PROPAGATION • REMOTE ROUTES TO VPC • CREATES ROUTE TABLE ENTRIES AUTOMATICALLY • LOCAL ROUTES TO DATA CENTER • MAY RUIN ROUTE TABLES IN CASE OF IP CONFLICT
- 19. EC2: ROUTING • lo • LOOPBACK • eth0 • LOCAL • DEFAULT (GATEWAY)
- 20. EC2: NETWORK TRICKS • MULTIPLE ENI • AS LONG AS THEY BELONG TO THE SAME AZ • SG APPLIES TO ENI, NOT EC2 • SECONDARY PRIVATE IP • CONFIGURE OVER MANAGEMENT CONSOLE / API • ENABLE IN EC2 • ifconfig eth0:0 [SECONDARY_IP] netmask [NETMASK]
- 21. OTHER TRICKS • NAT • SNAT • DNAT (PORT FORWARDING) • TUNNELING
- 22. NETWORK EXAMPLE VPN with BGP back propagation Beta DB Prod Shared VPC H/W VPN Beta Prod AWS S3 Logs S/W VPN S/W S/W Peering
- 23. THANK YOU
Notes de l'éditeur
- 49152-65535: suggested by IANA