NETWORKING IN THE CLOUD clifflu <[email protected]>



Page 1: Networking in the cloud

NETWORKING IN THE CLOUD

clifflu <[email protected]>

Page 2: Networking in the cloud

ABOUT ME

• 呂昭寬 `CLIFFLU`, TREND MICRO DCS

• USING AWS SINCE ’09 AS FULL-STACK WEB DEV(OPS)

• HTTP://BLOG.CLIFFLU.NET

• BADMINTON / BASEBALL

Page 3: Networking in the cloud

WHY NETWORKING

• EVERYONE KNOWS SOMETHING ABOUT NETWORKING

  • INFRASTRUCTURE

  • ARCHITECT

  • DEVELOPER

  • OPERATOR

• LOTS OF TRAPS

• WHEN YOU FEEL YOU SHOULD LEARN IT, IT’S TOO LATE

Page 4: Networking in the cloud

FIREWALL

Page 5: Networking in the cloud

VPC

• NETWORK IN AWS

• USES EC2 API ENDPOINT / RESOURCES

• HANDLES … IN MANAGEMENT CONSOLE

  • SUBNET

  • SECURITY GROUP

  • NETWORK ACL

  • DHCP

  • VPN

  • PEERING

  • ROUTE TABLE

  • IGW, CGW, VGW

Page 6: Networking in the cloud

VPC: SECURITY GROUP

• L4 FIREWALL, (TCP) STATEFUL

• DEFAULT DENY

• ALLOW RULES ONLY

• AWS CREATES DEFAULT OUTBOUND RULE

  • ALLOW ALL EGRESS

Page 7: Networking in the cloud

VPC: SECURITY GROUP

• SECURITY GROUPS ARE VALID SOURCE / TARGET IN SG RULES, AS LONG AS THEY BELONG TO THE SAME VPC

Page 8: Networking in the cloud

VPC: NETWORK ACL

• L3 FIREWALL, STATELESS

• DEFAULT DENY

• CREATE ALLOW OR DENY RULES

• FIRST MATCH

• EPHEMERAL PORTS

Inbound

Rule #  Src IP       Proto  Port
100     0.0.0.0/0    TCP    80
110     0.0.0.0/0    TCP    443
120                  TCP    22
130                  TCP    3389
140     0.0.0.0/0    TCP    49152-65535
*       0.0.0.0/0    all    all

Outbound

Rule #  Dest IP      Proto  Port
100     0.0.0.0/0    TCP    80
110     0.0.0.0/0    TCP    443
120     10.0.1.0/24  TCP    1433
130     10.0.1.0/24  TCP    3306
140     0.0.0.0/0    TCP    49152-65535
*       0.0.0.0/0    all    all

Page 9: Networking in the cloud

EPHEMERAL PORTS

Platform  OS / Distribution            Port Range
BSD       BSD                          1025 - 5000
          FreeBSD < 4.6                1025 - 5000
          FreeBSD >= 4.6               49152 - 65535
Linux     *                            32768 - 61000
Windows   Server 2003                  1025 - 5000
          Server 2003 + MS08-037       49152 - 65535
          Server 2008                  49152 - 65535
          Server 2008 + Exchange 2007  1025 - 60000
ELB       -                            1024 - 65535
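The two firewall slides and the ephemeral-port table above make one point between them: a security group is stateful and allow-only, while a network ACL is stateless and evaluated first-match per packet, so the reply to an inbound HTTPS request has to be explicitly allowed on the outbound NACL, and the allowed range has to match the ephemeral range of the client's OS. The following worked example is added here and is not code from the talk; the NACL tables and ephemeral ranges are copied from the slides, while the class and function names, the placeholder admin CIDR (the slide's source for rules 120/130 is cut off) and the sample addresses are this example's own assumptions.

```python
"""Stateful security group vs. stateless network ACL, evaluated over
constructed packets. Added illustration, not code from the talk: the two
NACL tables and the ephemeral-port ranges are copied from the slides; the
names, the placeholder admin CIDR and the sample addresses are assumptions
of this example."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto", defaults=["TCP"])
# number: evaluated ascending; net: src (inbound) or dst (outbound) network
AclRule = namedtuple("AclRule", "number net proto ports action")

def rule(number, cidr, proto, ports, action="allow"):
    return AclRule(number, ip_network(cidr), proto, ports, action)

def acl_evaluate(rules, ip, proto, port):
    """Stateless: every packet, replies included, is matched on its own.
    First matching rule wins; no match falls through to '*' and is denied."""
    addr = ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr in r.net and r.proto in ("all", proto) and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "deny"

# Tables from the slide. The inbound source CIDR of rules 120/130 was cut
# off in the deck, so a documentation-range placeholder stands in for it.
ADMIN_CIDR = "203.0.113.0/24"  # placeholder, not from the slide
INBOUND = [
    rule(100, "0.0.0.0/0", "TCP", (80, 80)),
    rule(110, "0.0.0.0/0", "TCP", (443, 443)),
    rule(120, ADMIN_CIDR, "TCP", (22, 22)),
    rule(130, ADMIN_CIDR, "TCP", (3389, 3389)),
    rule(140, "0.0.0.0/0", "TCP", (49152, 65535)),
]
OUTBOUND = [
    rule(100, "0.0.0.0/0", "TCP", (80, 80)),
    rule(110, "0.0.0.0/0", "TCP", (443, 443)),
    rule(120, "10.0.1.0/24", "TCP", (1433, 1433)),
    rule(130, "10.0.1.0/24", "TCP", (3306, 3306)),
    rule(140, "0.0.0.0/0", "TCP", (49152, 65535)),
]
EPHEMERAL = {  # from the ephemeral-port slide
    "freebsd>=4.6": (49152, 65535), "linux": (32768, 61000),
    "windows2003": (1025, 5000), "windows2008": (49152, 65535),
    "elb": (1024, 65535),
}

def dropped_reply_ports(client_os):
    """Count the client's ephemeral ports for which the outbound NACL drops
    a web server's reply: rule 140 only opens 49152-65535."""
    low, high = EPHEMERAL[client_os]
    return sum(1 for p in range(low, high + 1)
               if acl_evaluate(OUTBOUND, "198.51.100.7", "TCP", p) == "deny")

class SecurityGroup:
    """Allow rules only, default deny, stateful: once a flow is accepted in
    one direction its reply passes in the other without a matching rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # [(net, proto, lo, hi)]
        self.flows = set()  # tracked 5-tuples, both directions
    @staticmethod
    def _match(rules, ip, proto, port):
        addr = ip_address(ip)
        return any(addr in net and pr in ("all", proto) and lo <= port <= hi
                   for net, pr, lo, hi in rules)
    def _pass(self, p, rules, ip, port):
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        if key in self.flows or self._match(rules, ip, p.proto, port):
            self.flows.add(key)
            self.flows.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto))
            return True
        return False
    def ingress(self, p):  # rule is keyed on the remote source and our port
        return self._pass(p, self.inbound, p.src_ip, p.dst_port)
    def egress(self, p):  # rule is keyed on the remote destination and port
        return self._pass(p, self.outbound, p.dst_ip, p.dst_port)

def demo():
    """A Linux client on ephemeral port 40000 talks to a web server in the
    subnet; compare how the SG and the NACL treat the reply."""
    sg = SecurityGroup(inbound=[(ip_network("0.0.0.0/0"), "TCP", 443, 443)],
                       outbound=[])  # egress left empty on purpose to show state
    request = Packet("198.51.100.7", 40000, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, "198.51.100.7", 40000)
    unsolicited = Packet("10.0.1.10", 51000, "192.0.2.9", 25)
    return {
        "sg_request": sg.ingress(request),         # True: inbound 443 rule
        "sg_reply": sg.egress(reply),              # True: tracked flow
        "sg_unsolicited": sg.egress(unsolicited),  # False: no allow rule
        "nacl_request": acl_evaluate(INBOUND, request.src_ip, "TCP", request.dst_port),
        "nacl_reply": acl_evaluate(OUTBOUND, reply.dst_ip, "TCP", reply.dst_port),
    }
```

`demo()` shows the SG letting the reply out on connection state alone while the NACL, which has no state, drops it because port 40000 sits below the 49152 floor of rule 140. `dropped_reply_ports("linux")` quantifies that gap for the Linux range from the table (16384 of the 28233 ports), whereas the FreeBSD >= 4.6 range is fully covered; the practical check is to widen rule 140 to the union of the ephemeral ranges your clients actually use.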

Page 10: Networking in the cloud

CONNECTIVITY

Page 11: Networking in the cloud

DIRECT CONNECT (DX)

• DEDICATED CONNECTION

• GUARANTEED BANDWIDTH & LATENCY

• PAY

  • ISP FOR THE LINE

  • AWS FOR

    • PORT

    • OUTBOUND TRAFFIC (AWS DATACENTER)

    • OUTBOUND TO INTERNET (DATACENTER – DX INTERNET)

Page 12: Networking in the cloud

DX: NOTES

• CHANGING VLAN REQUIRES MANUAL OPERATION FROM APN, USUALLY TAKES DAYS ~ WEEKS

• SECURITY?

  • DATA SHOULD BE ENCRYPTED AT REST AND IN TRANSIT TO ACHIEVE MAXIMAL DATA SECURITY.

• DX DOES NOT ASSURE DEFENSE AGAINST EAVESDROPPING OR OTHER MALICIOUS BEHAVIOR

Page 13: Networking in the cloud

VPC: VPN

• IPSEC W/ PRE-SHARED KEY

• BUILT-IN HA (VPC CLIENT) W/ BGP

• STANDARD DATA RATES APPLY

• VPN SERVER

  • TAKES A DEDICATED PUBLIC IP

  • VPN BOX / SOFTWARE VPN

Page 14: Networking in the cloud

VPC PEERING

• SAME REGION

• NON-TRANSITIVE

• NO CIDR OVERLAP

• BUILT-IN HA

• CHARGED OVER

  • CONNECTION-HOURS

  • DATA TRANSFER

• ACTION REQUIRED ON ROUTE TABLE

Page 15: Networking in the cloud

ROUTING

Page 16: Networking in the cloud

VPC: ROUTE TABLE

• DEFAULT ROUTE: LOCAL

  • CAN’T OVERRIDE IT

• LONGEST PREFIX

• PROPAGATED ~ REALTIME

Page 17: Networking in the cloud

VPC: ROUTE TARGET

• NAT INSTANCE (I-* / ENI-*)

  • TURN OFF SRC./DEST. CHECK

  • SECURITY GROUP / NACL APPLIES

  • ALSO WORKS FOR EC2-BASED VPN CONNECTION

• INTERNET GATEWAY (IGW-*)

  • PUBLIC / ELASTIC IP REQUIRED

• VIRTUAL GATEWAY (VGW-*)

  • WORKS FOR DX AND VPC:VPN

• PEERING (PCX-*)

Page 18: Networking in the cloud

VPC: ROUTE PROPAGATION

• REMOTE ROUTES TO VPC

  • CREATES ROUTE TABLE ENTRIES AUTOMATICALLY

• LOCAL ROUTES TO DATA CENTER

  • MAY RUIN ROUTE TABLES IN CASE OF IP CONFLICT
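The three route-table slides above describe the lookup rules (a fixed local route, longest prefix match, targets such as IGW, VGW and peering) and the risk that a route propagated from the data centre conflicts with VPC address space. The following worked example models those rules and is added here; it is not code from the talk or from AWS. The class, the overlap check that rejects a conflicting propagated prefix, the rule that a static entry wins over a propagated one of equal length, and the sample CIDRs and placeholder target ids are assumptions of this example.

```python
"""VPC route lookup: the 'local' route for the VPC CIDR cannot be
overridden, the longest matching prefix wins otherwise, and propagated
routes from a VGW are checked against the VPC range before they land.
Added illustration, not the deck's code; the class, the overlap check and
the sample CIDRs and target ids are this example's assumptions."""
from ipaddress import ip_address, ip_network


class RouteTable:
    def __init__(self, vpc_cidr):
        self.vpc = ip_network(vpc_cidr)
        self.static = {self.vpc: "local"}   # default route, fixed at creation
        self.propagated = {}

    def add(self, cidr, target):
        """Static route. Anything inside the VPC CIDR is refused so the
        local route cannot be replaced or shadowed (model assumption)."""
        net = ip_network(cidr)
        if net.subnet_of(self.vpc):
            raise ValueError(f"{cidr} would override the local route")
        self.static[net] = target

    def propagate(self, cidr, vgw):
        """Route learned over BGP from the data centre. A prefix that
        overlaps the VPC is the IP-conflict case from the slide: report it
        and leave the table untouched."""
        net = ip_network(cidr)
        if net.overlaps(self.vpc):
            return False
        self.propagated[net] = vgw
        return True

    def lookup(self, ip):
        """Longest prefix match over static and propagated routes; for an
        equal prefix the static entry wins. Returns (target, prefix)."""
        addr = ip_address(ip)
        table = {**self.propagated, **self.static}  # static overrides same prefix
        hits = [(net, tgt) for net, tgt in table.items() if addr in net]
        if not hits:
            return None
        net, tgt = max(hits, key=lambda h: h[0].prefixlen)
        return tgt, str(net)


def demo():
    """Constructed table: VPC 10.0.0.0/16 with an internet gateway, a
    peering link and a VGW towards a 192.168.0.0/16 data centre."""
    rt = RouteTable("10.0.0.0/16")
    rt.add("0.0.0.0/0", "igw-EXAMPLE")          # placeholder target ids
    rt.add("172.16.0.0/16", "pcx-EXAMPLE")
    rt.add("192.168.0.0/16", "vgw-EXAMPLE")
    dc_route = rt.propagate("192.168.10.0/24", "vgw-EXAMPLE-bgp")
    conflict = rt.propagate("10.0.5.0/24", "vgw-EXAMPLE-bgp")
    try:
        rt.add("10.0.1.0/24", "i-EXAMPLE")      # more specific than local: refused
        overrode_local = True
    except ValueError:
        overrode_local = False
    return {
        "intra_vpc": rt.lookup("10.0.1.10"),
        "internet": rt.lookup("198.51.100.1"),
        "peer": rt.lookup("172.16.4.2"),
        "dc_specific": rt.lookup("192.168.10.5"),   # /24 beats /16
        "dc_rest": rt.lookup("192.168.200.1"),
        "dc_route_installed": dc_route,
        "conflict_rejected": not conflict,
        "overrode_local": overrode_local,
    }
```

The conflict case is the one the last slide warns about: had `propagate("10.0.5.0/24", ...)` been installed, a /24 inside the VPC would beat the /16 local route on prefix length and send intra-VPC traffic down the VPN. Checking propagated prefixes against the VPC CIDR before enabling propagation on a route table is the cheap defence.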

Page 19: Networking in the cloud

EC2: ROUTING

• lo

  • LOOPBACK

• eth0

  • LOCAL

  • DEFAULT (GATEWAY)

Page 20: Networking in the cloud

EC2: NETWORK TRICKS

• MULTIPLE ENI

  • AS LONG AS THEY BELONG TO THE SAME AZ

  • SG APPLIES TO ENI, NOT EC2

• SECONDARY PRIVATE IP

  • CONFIGURE OVER MANAGEMENT CONSOLE / API

  • ENABLE IN EC2: ifconfig eth0:0 [SECONDARY_IP] netmask [NETMASK]

Page 21: Networking in the cloud

OTHER TRICKS

• NAT

  • SNAT

  • DNAT (PORT FORWARDING)

• TUNNELING

Page 22: Networking in the cloud

NETWORK EXAMPLE

(Diagram; only its labels survive extraction.) Nodes: Beta DB, Prod, Shared VPC, Beta, Prod, AWS S3 Logs. Links: H/W VPN, S/W VPN, Peering; VPN with BGP back propagation.

Page 23: Networking in the cloud

THANK YOU