[AWS] ANS-C01#02: VPC fundamentals
Topics
What is VPC?
AWS Service scope with respect to Region, AZ and VPC
AWS Services inside and outside of VPC
VPC Addressing (CIDR)
VPC Subnets and Route Tables (Public/Private)
IP Addresses (IPv4, IPv6, Private/Public/Elastic)
Security Groups and Network ACL
NAT gateway and NAT instance
Transit Gateway: a network router service launched in 2018 (a hub that connects VPCs and on-premises networks)
VPC subnets: each subnet is an individual LAN, a smaller address range carved out of the VPC CIDR
Every route table, the main one and any custom one, carries a "local" route for the VPC CIDR that cannot be removed, so subnets in different AZs always reach each other through the VPC router even when a subnet is associated with a custom route table; a custom table only changes where non-local traffic (0.0.0.0/0 etc.) goes
If all subnets in the VPC should get the same kind of connectivity, edit the main route table instead of creating per-subnet tables
No Amazon-provided DNS hostname for IPv6 addresses (auto-generated hostnames cover IPv4 only)
Security groups are stateful: instance (ENI) level, allow rules only, and return traffic for an allowed connection is permitted automatically
Network Access Control List (NACL):
1) works at the subnet level (applies to every instance in the subnet)
2) stateless (inbound and outbound are evaluated separately, so return traffic needs its own rule, typically an allow for the ephemeral port range 1024-65535)
3) contains both Allow and Deny rules
4) rules are evaluated in ascending rule-number order; the first match wins and the trailing '*' rule denies anything unmatched
5) the default NACL allows all inbound and outbound traffic (a newly created custom NACL denies everything until rules are added)
6) NACLs are a great way of blocking a specific IP at the subnet level (a security group cannot, since it has no deny rules); the deny rule needs a lower number than the allow it overrides
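Added example (not from the course or these notes): a small Python model of NACL evaluation that shows the two points above that trip people up in practice, rule ordering and statelessness. The rule sets, the blocked host 203.0.113.7 and the client 198.51.100.9 are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NACL entry. Inbound rules match the source CIDR, outbound rules the destination."""
    number: int                 # evaluation order: lowest number first
    action: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp", "icmp" or "all"
    cidr: str
    port_from: int = 0          # ignored for icmp / all
    port_to: int = 65535


def evaluate(rules, protocol, ip, port=0):
    """First-match evaluation in ascending rule-number order.
    Returns (action, rule_number); ("deny", "*") is the implicit catch-all rule."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action, rule.number
    return "deny", "*"


# Constructed inbound rule sets for a public subnet; 203.0.113.7 is the host to block.
WRONG_ORDER = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
    Rule(200, "deny", "all", "203.0.113.7/32"),   # never reached: rule 100 already matched
]
RIGHT_ORDER = [
    Rule(50, "deny", "all", "203.0.113.7/32"),    # deny sorts before the broad allow
    Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
]

# Constructed outbound rule sets. SSH replies go back to the client's ephemeral source port,
# so a stateless NACL needs an explicit outbound allow covering that range.
OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
OUTBOUND_WITH_EPHEMERAL = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535),
]


def ssh_session_allowed(inbound, outbound, client_ip, client_port=51515):
    """An SSH session crosses the NACL twice: SYN in to port 22, SYN-ACK out to the
    client's ephemeral port. Both directions must hit an allow rule."""
    request_ok = evaluate(inbound, "tcp", client_ip, 22)[0] == "allow"
    reply_ok = evaluate(outbound, "tcp", client_ip, client_port)[0] == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    print(evaluate(WRONG_ORDER, "tcp", "203.0.113.7", 22))   # ('allow', 100): the deny never fires
    print(evaluate(RIGHT_ORDER, "tcp", "203.0.113.7", 22))   # ('deny', 50)
    print(ssh_session_allowed(RIGHT_ORDER, OUTBOUND_NO_EPHEMERAL, "198.51.100.9"))   # False
    print(ssh_session_allowed(RIGHT_ORDER, OUTBOUND_WITH_EPHEMERAL, "198.51.100.9"))  # True
```

The same rule sets applied to a security group would behave differently: security groups have no deny rules at all, and the reply direction would be allowed by connection tracking without rule 110.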
Hands-on#01
1) create VPC public
2) create Internet Gateways > Attach to VPC
3) create subnet > modify auto-assign IP settings
4) create Route Table > routes 0.0.0.0/0 IGW
(a separate route table inside the VPC; associate it with the public subnet explicitly, since subnets without an explicit association follow the main route table)
5) create the private subnet (its route table has no 0.0.0.0/0 route to the IGW)
VPC secondary CIDR blocks: extra IPv4 ranges (/16 to /28) added to a VPC after creation; they must not overlap the primary block or each other, and subnets can then be carved from any of the blocks
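Added example (not from the course or these notes) for the CIDR and secondary-CIDR rules: a Python planner using only the standard library that checks the /16 to /28 limit, rejects overlapping secondary blocks, and lists the five addresses AWS reserves in every subnet. It checks prefix length and overlap only; AWS imposes further restrictions on which ranges may be mixed as secondaries that are not modelled here. All CIDRs are constructed inputs.

```python
import ipaddress

# AWS reserves five addresses in every subnet: network, VPC router (+1), DNS (+2),
# future use (+3) and the broadcast address (last).
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """A VPC primary or secondary IPv4 CIDR must be between /16 and /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def amazon_dns_resolver(vpc_cidr):
    """AmazonProvidedDNS answers at the primary VPC CIDR base + 2 (and at 169.254.169.253)."""
    return str(validate_vpc_cidr(vpc_cidr).network_address + 2)


def add_secondary_cidr(primary, secondaries, new_cidr):
    """Return the secondary list with new_cidr appended, or raise if it overlaps
    the primary or any existing secondary (AWS rejects overlapping blocks)."""
    new = validate_vpc_cidr(new_cidr)
    for existing in [primary, *secondaries]:
        if new.overlaps(ipaddress.ip_network(existing)):
            raise ValueError(f"{new_cidr} overlaps existing block {existing}")
    return [*secondaries, new_cidr]


def subnet_plan(vpc_cidrs, subnet_cidr):
    """Reserved addresses and usable host count for a subnet, which must sit inside one of
    the VPC's CIDR blocks (primary or secondary) and itself be between /16 and /28."""
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    if not any(sub.subnet_of(validate_vpc_cidr(c)) for c in vpc_cidrs):
        raise ValueError(f"{subnet_cidr} is not inside any VPC CIDR {vpc_cidrs}")
    if not 16 <= sub.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: subnet must be between /16 and /28")
    base = sub.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "reserved_dns": str(base + 2),
        "future_use": str(base + 3),
        "broadcast": str(sub.broadcast_address),
        "usable_hosts": sub.num_addresses - RESERVED_PER_SUBNET,
    }


if __name__ == "__main__":
    print(amazon_dns_resolver("10.0.0.0/16"))                      # 10.0.0.2
    blocks = add_secondary_cidr("10.0.0.0/16", [], "10.1.0.0/16")
    print(subnet_plan(["10.0.0.0/16", *blocks], "10.1.5.0/24"))     # usable_hosts: 251
```

A /28 subnet therefore yields only 11 usable hosts, which is why the smallest subnets are usually a poor choice for anything beyond endpoints or NAT gateways.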
ENI (Elastic Network Interface): a logical VPC component that carries IP addresses and makes network communication possible, i.e. a virtual network card
IP addresses are assigned through the primary ENI that AWS creates when an EC2 instance is launched
Bring Your Own IP
Hands-on#02
Two EC2 instances: an app server and a DB server
Domain name = corp.internal
Steps
1) Create a VPC with Public & Private subnet
2) (Optional) Create DHCP Option set with domain as corp.internal and associate with your VPC
- Domain name: corp.internal / Domain name servers: AmazonProvidedDNS
- Edit VPC settings: option set - corp.internal
3) Launch one EC2 instance in Public subnet (say app) and one instance in Private subnet (say db).
- Allow SSH (source type: My IP) and ICMP IPv4 (source type: 10.0.0.0/16) in the security group
4) Create Route 53 Private hosted zone and associate with the VPC
- NS and SOA records are created with the zone; add A records for app (10.10.0.206) and db (10.10.1.173)
5) Create A records for the EC2 instances pointing to their private IPs
6) SSH into the public EC2 instance and ping the other instance using its DNS name
- cat /etc/resolv.conf shows the nameserver (the Amazon-provided resolver at VPC CIDR base + 2) and the search domain corp.internal supplied by the DHCP option set
- ping db.corp.internal, or just ping db (the search domain completes the short name)
VPC DNS with custom DNS server
Step - Set up a VPC and launch instances
- Create a VPC with public and private subnets
- Launch the DNS server EC2 instance: security group allowing UDP 53 and TCP 53 from the VPC CIDR (TCP carries zone transfers and large responses), plus SSH (22)
- Launch the app server and DB server EC2 instances: security group allowing SSH (22) and ICMP IPv4 All (ping)
----------------------------------------------
Step 4a – Configure on-premise DNS server
----------------------------------------------
1. Log in to the on-premise DNS server (SSH into the VPN server first, then hop to the DNS server)
2. Install DNS server packages
sudo su
yum update -y
# install the BIND DNS server (bind) and its utilities such as dig and nslookup (bind-utils)
yum install bind bind-utils -y
3. Create file /var/named/corp.internal.zone
$TTL 86400
@ IN SOA ns1.corp.internal. root.corp.internal. (
2013042201 ;Serial (YYYYMMDDnn; bump it on every change so secondaries pick the zone up)
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
; Our two nameservers (the blank owner field means "same owner as the previous record", i.e. @)
; The SOA primary (ns1) should be one of these NS hosts and have an A record; as written it has none
IN NS dnsA.corp.internal.
IN NS dnsB.corp.internal.
; Resolve the nameserver hostnames to IPs. 1.1.1.1 and 8.8.8.8 are placeholders copied from a
; generic tutorial (they are public resolvers); replace them with your DNS servers' private IPs
dnsA IN A 1.1.1.1
dnsB IN A 8.8.8.8
; Define the hostname -> IP pairs you wish to resolve
@ IN A 10.0.11.191
app IN A 10.0.11.191
db IN A 10.0.0.221
; APP 10.0.11.191
; DB 10.0.0.221
4. Create file /etc/named.conf (the X.X placeholder is already replaced with this lab's DNS server IP, 10.0.11.191; 10.0.0.2 is the Amazon-provided resolver of the 10.0.0.0/16 VPC, i.e. VPC CIDR base + 2)
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// "any" together with recursion makes this an open resolver if port 53 is ever reachable
// from the internet; the security group is the only thing preventing that. Restricting to
// the networks that should use it is safer: allow-query { localhost; 10.0.0.0/16; };
allow-query { any; };
// only hosts that may pull a full copy of the zone (secondary servers) belong here
allow-transfer { localhost; 10.0.11.191; };
recursion yes;
forward first;
forwarders {
10.0.0.2; // Amazon-provided DNS: resolves AWS-internal names and recurses for everything else
};
dnssec-validation yes;
// dnssec-enable, dnssec-lookaside and the ISC DLV key are left over from an old tutorial:
// ISC shut the DLV registry down in 2017 and current BIND releases no longer accept these
// options, so they are commented out (validation stays on via dnssec-validation above)
// dnssec-enable yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
zone "corp.internal" IN {
type master;
file "corp.internal.zone";
allow-update { none; };
};
# DNS server 10.0.11.191 (as used in this lab)
5. Restart the named service and enable it at boot
service named restart
chkconfig named on
# on systemd-based images (Amazon Linux 2 and later) the equivalents are:
# systemctl restart named && systemctl enable named
+ Create a DHCP option set (domain name corp.internal, domain name servers = the DNS server's private IP)
+ Edit the VPC settings to use that DHCP option set
+ Reboot the app, DNS and DB servers (or renew their DHCP leases) so /etc/resolv.conf picks up the new resolver
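Added example (not from the course or these notes) for step 3 above: a standard-library Python parser for the BIND master-file format used by corp.internal.zone, plus the checks worth running before loading the zone. It handles ';' comments, $TTL, the parenthesised multi-line SOA and the blank-owner rule the NS lines rely on, then flags names referenced by SOA/NS records that have no A record in the zone and addresses outside the VPC the zone is meant to serve. ZONE_TEXT is a constructed copy of the zone file from the notes; on that input the lint reports the ns1 primary with no A record and the 1.1.1.1/8.8.8.8 placeholders. Quoted strings (TXT data containing ';') and directives other than $TTL are not supported.

```python
import ipaddress

# Constructed input: the corp.internal zone from the notes above, verbatim apart from layout.
ZONE_TEXT = """\
$TTL 86400
@ IN SOA ns1.corp.internal. root.corp.internal. (
        2013042201 ;Serial
        3600       ;Refresh
        1800       ;Retry
        604800     ;Expire
        86400 )    ;Minimum TTL
; our two nameservers
    IN NS dnsA.corp.internal.
    IN NS dnsB.corp.internal.
dnsA IN A 1.1.1.1
dnsB IN A 8.8.8.8
@    IN A 10.0.11.191
app  IN A 10.0.11.191
db   IN A 10.0.0.221
"""

RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR"}


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse a BIND master file into (owner, ttl, type, rdata-tokens) tuples.
    Handles ';' comments (not inside quotes), $TTL, '( ... )' continuation lines and
    the blank-owner rule (a record starting with whitespace reuses the previous owner)."""
    origin = origin.rstrip(".") + "."
    stripped = [line.split(";", 1)[0].rstrip() for line in text.splitlines()]
    logical, buf, depth = [], [], 0
    for line in stripped:
        if depth == 0 and not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone file")
    records, last_owner, default_ttl = [], None, None
    for group in logical:
        tokens = " ".join(group).replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0].startswith("$"):
            raise ValueError(f"unsupported directive {tokens[0]}")
        owner = last_owner if group[0][0].isspace() else tokens.pop(0)
        if owner is None:
            raise ValueError("record with blank owner before any owner was defined")
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0)
        if rtype not in RR_TYPES:
            raise ValueError(f"unsupported record type {rtype}")
        records.append((_fqdn(owner, origin), ttl, rtype, tokens))
        last_owner = owner
    return records


def lint_zone(records, origin, expected_cidr):
    """Checks worth running before loading the zone: the SOA primary and every in-zone NS
    name needs an A record (glue), and addresses should fall inside the VPC the zone serves."""
    origin = origin.rstrip(".") + "."
    net = ipaddress.ip_network(expected_cidr)
    a_names = {name for name, _, rtype, _ in records if rtype == "A"}
    problems = []
    if not any(rtype == "SOA" for _, _, rtype, _ in records):
        problems.append("zone has no SOA record")
    for name, _, rtype, rdata in records:
        if rtype in ("SOA", "NS"):
            target = rdata[0]
            if target.endswith(origin) and target not in a_names:
                problems.append(f"{rtype} points at {target}, which has no A record in the zone")
        elif rtype == "A" and ipaddress.ip_address(rdata[0]) not in net:
            problems.append(f"{name} A {rdata[0]} is outside {expected_cidr}")
    return problems


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT, "corp.internal")
    for problem in lint_zone(recs, "corp.internal", "10.0.0.0/16"):
        print("WARN:", problem)
```

named-checkzone from bind-utils performs the syntax half of this on the real server (named-checkzone corp.internal /var/named/corp.internal.zone); the address-range check is the part it will not do for you.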
----------------------------------------------
Step 5b – Configure the on-premise DNS server to forward the cloud zone to the Route 53 Resolver inbound endpoint
----------------------------------------------
1. Add the following to /etc/named.conf. Replace the ENDPOINT IPs with the IP addresses of your Route 53 Resolver inbound endpoint (the ENIs Route 53 Resolver places in your VPC subnets); queries for cloud.com then go to the VPC resolver, which answers from the private hosted zone.
zone "cloud.com" {
type forward;
forward only;
forwarders { INBOUND_ENDPOINT_IP1; INBOUND_ENDPOINT_IP2; };
};
2. Restart named service
sudo service named restart
VPC DNS & DHCP exam essentials
- Every VPC gets the Amazon-provided DNS resolver (AmazonProvidedDNS), reachable at the VPC CIDR base + 2 (e.g. 10.0.0.2 for 10.0.0.0/16) and at 169.254.169.253; the DHCP option set decides whether instances use it or a custom DNS server
References
Udemy, AWS Certified Advanced Networking Specialty, Section 3