Topics

What is VPC?

AWS Service scope with respect to Region, AZ and VPC

AWS Services inside and outside of VPC

VPC Addressing (CIDR)

VPC Subnets and Route Tables (Public/Private)

IP Addresses (IPv4, IPv6, Private/Public/Elastic)

Security Groups and Network ACL

NAT gateway and NAT instance

 

Transit Gateway: a network router launched in 2018

 

VPC subnet: an individual LAN network, a smaller address range carved out of the VPC

If a subnet is given a custom route table and no longer follows the Main Route Table, subnets in two different AZs cannot reach each other through the Local Router

If every subnet in the VPC should get the same kind of network connectivity, modify the main route table

There is no Amazon-provided DNS over IPv6

Security groups are stateful

 

Network Access Control List (NACL):

1) works at the subnet level

2) stateless (inbound and outbound are evaluated separately)

3) contains both Allow and Deny rules

4) rules are evaluated in rule-number order

5) the default NACL allows all inbound and outbound traffic

6) NACLs are a great way of blocking a specific IP at the subnet level
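An added example, not part of the original notes, that models the NACL behaviour listed above in Python: rules are evaluated in ascending rule number, the first match decides, the implicit final rule denies, and because the ACL is stateless the return path needs its own outbound rule. The rule set and client addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed NACL rule sets: (rule_number, action, protocol, (port_lo, port_hi), cidr).
# AWS evaluates them in ascending rule number; the first match decides and the
# implicit "*" rule at the end denies anything left over.
INBOUND = [
    (90,  "deny",  "tcp", (22, 22), "203.0.113.7/32"),    # block one IP before the allow
    (100, "allow", "tcp", (22, 22), "0.0.0.0/0"),
    (110, "allow", "tcp", (80, 80), "0.0.0.0/0"),
    (200, "deny",  "tcp", (80, 80), "198.51.100.0/24"),   # never reached: 110 already matched
]
OUTBOUND = [
    # Stateless: the SYN/ACK back to the client's ephemeral port needs its own rule.
    (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),
]

def evaluate(rules, protocol, port, remote_ip):
    """Return (action, rule_number) of the first matching rule, or ('deny', '*')."""
    for number, action, proto, (lo, hi), cidr in sorted(rules, key=lambda r: r[0]):
        if proto in (protocol, "all") and lo <= port <= hi \
                and ip_address(remote_ip) in ip_network(cidr):
            return action, number
    return "deny", "*"

def ssh_session_allowed(client_ip, client_port, inbound=INBOUND, outbound=OUTBOUND):
    """An SSH session works only if both directions pass the subnet's NACL."""
    syn, _ = evaluate(inbound, "tcp", 22, client_ip)                # client -> :22
    syn_ack, _ = evaluate(outbound, "tcp", client_port, client_ip)  # :22 -> client
    return syn == "allow" and syn_ack == "allow"
```

Rule 200 shows why a Deny placed after a matching Allow has no effect; the blocked IP must get the lower rule number, as rule 90 does.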

 

Hands-on#01

1) create VPC public

2) create Internet Gateways > Attach to VPC

3) create subnet > modify auto-assign IP settings

4) create Route Table > routes 0.0.0.0/0 IGW

- An isolated route table within the VPC

5) create VPC private

 

VPC secondary CIDR blocks

ENI (Elastic Network Interface): a logical component of the VPC that provides IP addresses and makes network communication possible; a virtual network card

IP addresses are assigned through the ENI that AWS creates when an EC2 instance is launched

 

Bring Your Own IP

 

Hands-on#02

Two EC2 instances: app / DB server

Domain-name = corp.internal

 

Steps

1) Create a VPC with Public & Private subnet

2) (Optional) Create DHCP Option set with domain as corp.internal and associate with your VPC

- Domain name: corp.internal / Domain name servers: AmazonProvidedDNS

- Edit VPC settings: option set - corp.internal

3) Launch one EC2 instance in Public subnet (say app) and one instance in Private subnet (say db).

- Allow SSH (source type: My IP) and ICMP IPv4 (source type: 10.0.0.0/16) in the security group

4) Create Route 53 Private hosted zone and associate with the VPC

- NS, SOA + app (10.10.0.206), db (10.10.1.173)

5) Create A records for ec2 instances pointing to their Private IPs

6) SSH into the Public EC2 instance and ping the other instance using its DNS name

- cat /etc/resolv.conf : nameserver

- ping db.corp.internal or ping db

VPC DNS with custom DNS server

Step - Setup a VPC and launch instances

- Create a VPC with public and private subnets

- Launch DNS server ec2 instance: Security group to allow UDP 53 from VPC CIDR, SSH (22)

- Launch an app server & db server ec2 instances: Security group to allow SSH (22), ICMP IPv4 All (ping)

 

----------------------------------------------
Step 4a – Configure on-premise DNS server
----------------------------------------------
1. Login to on-premise DNS server (via SSH into VPN server first)
2. Install DNS server packages

sudo su
yum update -y
# Install the BIND DNS server and its utilities
yum install bind bind-utils -y

 

3. Create file /var/named/corp.internal.zone

$TTL 86400
@ IN  SOA     ns1.corp.internal. root.corp.internal. (
  2013042201  ;Serial
  3600        ;Refresh
  1800        ;Retry
  604800      ;Expire
  86400       ;Minimum TTL
)
; Specify our two nameservers (explicit @ owner: a record line that starts in
; column 0 with "IN" would otherwise be read as a host named "IN")
@ IN  NS    dnsA.corp.internal.
@ IN  NS    dnsB.corp.internal.
; Glue records for the nameservers; replace these placeholder addresses with your DNS server IPs
dnsA IN  A   1.1.1.1
dnsB IN  A   8.8.8.8
; Define hostname -> IP pairs which you wish to resolve
@ IN  A   10.0.11.191
app IN A   10.0.11.191
db IN A   10.0.0.221

# APP 10.0.11.191
# DB 10.0.0.221
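An added example, not part of the original notes: a small Python parser for BIND master-file zones like corp.internal.zone above, applying the owner rules that matter here (`@` means the zone origin, relative names get the origin appended, a line starting with whitespace inherits the previous owner, and a column-0 token is always the owner). The zone text inside it is constructed to mirror the file above.

```python
# Constructed zone text mirroring the page's corp.internal.zone (NS lines carry an
# explicit "@" owner).
ZONE_TEXT = """\
$TTL 86400
@ IN  SOA     ns1.corp.internal. root.corp.internal. (
  2013042201  ;Serial
  3600        ;Refresh
  1800        ;Retry
  604800      ;Expire
  86400       ;Minimum TTL
)
@ IN  NS    dnsA.corp.internal.
@ IN  NS    dnsB.corp.internal.
dnsA IN  A   1.1.1.1
dnsB IN  A   8.8.8.8
@ IN  A   10.0.11.191
app IN A   10.0.11.191
db IN A   10.0.0.221
"""

def parse_zone(text, origin):
    """Return {(fqdn, rtype): [rdata, ...]} following BIND master-file owner rules."""
    origin = origin.rstrip(".") + "."
    records, owner, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                 # strip ';' comments
        buf += (" " + line) if buf else line
        if buf.count("(") > buf.count(")"):
            continue                                # parenthesised record continues
        line, buf = buf, ""
        if not line.strip() or line.startswith("$"):
            continue                                # blank line or $TTL/$ORIGIN directive
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():
            owner = tokens.pop(0)                   # column-0 token is the owner name
        elif owner is None:
            raise ValueError("record before any owner: %r" % raw)
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                           # optional TTL and class precede the type
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        # "@" is the origin, absolute names end in ".", relative names get the origin appended
        name = origin if owner == "@" else owner if owner.endswith(".") else owner + "." + origin
        records.setdefault((name, rtype), []).append(rdata)
    return records
```

Feeding it a column-0 `IN NS ...` line, as in the original file, yields a record owned by `IN.corp.internal.` rather than the zone apex, which is why the NS lines above were given an explicit owner.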

 

4. Create file /etc/named.conf [Replace X.X with your DNS server IP]

options {
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  // Answers queries from any client; the security group (UDP 53 from the VPC CIDR only)
  // is what keeps this from being an open recursive resolver
  allow-query { any; };
  allow-transfer { localhost; 10.0.11.191; };
  recursion yes;
  // Names outside corp.internal are forwarded to the VPC resolver (AmazonProvidedDNS)
  forward first;
  forwarders {
    10.0.0.2;
  };
  dnssec-enable yes;
  dnssec-validation yes;
  // DLV lookaside has been retired; recent BIND versions warn about or reject these lines
  dnssec-lookaside auto;
  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
};
zone "corp.internal" IN {
    type master;
    file "corp.internal.zone";
    allow-update { none; };
};

# DNS 10.0.11.191
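An added Python check, not part of the original notes or the course material, that audits a named.conf shaped like the Step 4a file above from inside the VPC: it verifies that the forwarder is the VPC resolver (AmazonProvidedDNS sits at the VPC IPv4 network address plus two, 10.0.0.2 for 10.0.0.0/16) and flags recursion offered to any client. The config text and the `allow-recursion` remediation in `HARDENED_CONF` are constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed options block in the shape of the Step 4a named.conf above.
NAMED_CONF = """\
options {
  directory "/var/named";
  allow-query { any; };
  recursion yes;
  forward first;
  forwarders { 10.0.0.2; };
};
zone "corp.internal" IN { type master; file "corp.internal.zone"; };
"""

def amazon_dns(vpc_cidr):
    """AmazonProvidedDNS answers at the VPC's IPv4 network address plus two."""
    return str(ip_network(vpc_cidr).network_address + 2)

def acl(conf, name):
    """Entries of a BIND address list such as 'forwarders { a; b; }', or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % name, conf)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def audit_named_conf(conf, vpc_cidr):
    """Findings for a BIND server inside the VPC: forwarder target and recursion scope."""
    findings = []
    expected = amazon_dns(vpc_cidr)
    if expected not in (acl(conf, "forwarders") or []):
        findings.append("forwarders should include the VPC resolver %s" % expected)
    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if recursion and recursion.group(1) == "yes":
        # Without allow-recursion, BIND falls back to allow-query (here 'any'), so
        # only the security group rule for UDP 53 stands between this and an open resolver.
        scope = acl(conf, "allow-recursion") or acl(conf, "allow-query") or ["any"]
        if "any" in scope:
            findings.append("recursion open to any client; set allow-recursion { %s; }" % vpc_cidr)
    return findings

# Assumed remediation: limit recursion to the VPC CIDR in addition to the security group.
HARDENED_CONF = NAMED_CONF.replace(
    "recursion yes;", "recursion yes;\n  allow-recursion { 10.0.0.0/16; };")
```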

 

5. Restart named service

service named restart
chkconfig named on

 

+ create DHCP Option sets

+ edit VPC DHCP option set

+ reboot App, DNS, DB server


----------------------------------------------
Step 5b – Configure on-premise DNS server
----------------------------------------------
1. Add following to /etc/named.conf. Replace ENDPOINT IPs with Route53 inbound resolver IPs.

zone "cloud.com" { 
  type forward; 
  forward only;
  forwarders { INBOUND_ENDPOINT_IP1; INBOUND_ENDPOINT_IP2; }; 
};

2. Restart named service
sudo service named restart

 

VPC DNS & DHCP exam essentials

- VPC has a default DNS server AmazonProvidedDNS

 

References

Udemy, AWS Certified Advanced Networking Specialty, Section 3

 
