1.VPC Peering :- vpc to vpc connection local.
2.VPC Endpoint :- private access s3 bucket and ec2 API internal without NAT Gateway.
3.site to site VPN :- aws to data-Centre private connection, aws to (openswan) client connection privately,
4.OpenVPN :- Site to Client , create instance using image openvpn.
6.AWS Direct Connect :- Establish a dedicated network connection from your on Premises to AWS.
7.AWS Direct Connect Gateway :- multiple VPC then use.
8.Transit Gateway TGW :- multiple VPC and ON-Premises connection then used.
Public :- VPC -- Subnet -- internet Gateway -- Route Table
Private :- VPC -- Subnet -- NAT Gateway -- Route Table
VPC
·
VPC stands for Virtual Private Cloud.
- Amazon Virtual
Private Cloud (Amazon VPC) provides a logically isolated area of the AWS
cloud where you can launch AWS resources in a virtual network that you
define.
- You have
complete control over your virtual networking environment, including a
selection of your IP address range, the creation of subnets, and
configuration of route tables and network gateways.
|
VPC Per Region |
5 |
|
Subnet in 1 VPC |
200 |
|
Route Table |
200 |
|
Elastic IP |
5 |
|
Internet Gateway |
5 |
|
NAT Gateway |
5 |
|
VPC peering |
50 |
|
Network ACL |
200 |
1.Create a VPC.
VPC :- 10.0.0.0/16
Subnet Public :- 10.0.0.0/24
PublicRoute
Subnet Associations – add public subnet
Routes – add 0.0.0.0/0 – Internet gateway
NAT for Network Address Translation enable instances in a private subnet to connect to the internet or other AWS services.
1. VPC
:- 10.0.0.0/16
2. Create Internet gateway attached with VPC
3. Create NAT Gateway.
4. Subnet Public :- 10.0.0.0/24
5. Subnet Private :- 10.0.1.0/24
6. Create Route table
PublicRoute
Subnet Associations – add public subnet
Routes – add 0.0.0.0/0 – Internet gateway
PrivateRoute
Subnet Associations – add private subnet
Routes – add 0.0.0.0/0 – NAT
VPC Peering
· VPC Peering is a networking connection that allows you to connect one VPC with another VPC through a direct network route using private IP addresses.
· The maximum quota is 125 peering connections per VPC.
Peering Two VPC in same regions.
vpc1 - 172.31.0.0/16
vpc2 – 10.0.0.0/16
2. Create Internet gateway attached with VPC
3. Create NAT Gateway.
4. Subnet Public :- 10.0.0.0/24
5. Subnet Private :- 10.0.1.0/24
6. Create Route table
PublicRoute
Subnet Associations – add public subnet
Routes – add 0.0.0.0/0 – Internet gateway
PrivateRoute
Subnet Associations – add private subnet
Routes – add 0.0.0.0/0 – NAT
· VPC Peering is a networking connection that allows you to connect one VPC with another VPC through a direct network route using private IP addresses.
· The maximum quota is 125 peering connections per VPC.
Peering Two VPC in same regions.
vpc1 - 172.31.0.0/16
vpc2 – 10.0.0.0/16
1. Create
Peering connection.
vpc request – 172.31.0.0/16
vpc accepter – 10.0.0.0/16
2. Select
(demovpcpeering) – Accept request.
Route-vpc2 – route – 172.31.0.0/16 – vpcpeering
vpc request – 172.31.0.0/16
vpc accepter – 10.0.0.0/16
Route-vpc2 – route – 172.31.0.0/16 – vpcpeering
NACL
· NACL stands for Network Access Control Lists.
· It is a security layer for your VPC that controls the traffic in and out of one or more subnets.
· You can set up a Network ACL similar to the security group that adds an additional layer of security to your VPC.
· Security group only allow inbound on ec2 instance.
· NACL allow/deny inbound and outbound on subnet.
· You have apply rule 100 allow and 200 deny. First rule apply 100 after that rule allow 200.
· Last rule is an asterisk (*) and denies a request in case of no rule match.
· Security group is Stateful – if allow inbound rds port then automatically allow outbound rule rds.
· NACL is a Stateless – manually allow inbound and outbound for any service.
Direct Connect
· Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office.
· Two type of connection in aws direct connect.
Dedicated connections.
Hosted Connections.
· Direct Connect is a direct connection which is available on a dedicated line.
· It provides you a stable and reliable secure connection.
· All AWS services, include EC2 , VPC, S3, and DynamoDB can be used with aws Direct Connect.
· 1 Gbps and 10Gbps ports are available.
· Reduce costs when using large volume of traffic.
· Not dependent on internet connection as it is a direct connection.
VPC Endpoint (PrivateLink)
· Interface Endpoints
· Gateway Endpoints
· Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office.
· Two type of connection in aws direct connect.
Dedicated connections.
Hosted Connections.
· Direct Connect is a direct connection which is available on a dedicated line.
· It provides you a stable and reliable secure connection.
· All AWS services, include EC2 , VPC, S3, and DynamoDB can be used with aws Direct Connect.
· 1 Gbps and 10Gbps ports are available.
· Reduce costs when using large volume of traffic.
· Not dependent on internet connection as it is a direct connection.
- A VPC endpoint allows you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN Connection, or AWS Direct Connect connection.
- Instances in your VPC do not require public addresses to communicate with the resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
- VPC endpoints are virtual devices.
- VPC Endpoints are horizontally scaled, redundant and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
· Interface Endpoints
· Gateway Endpoints
Interface Endpoints
· Interface Endpoint is an Elastic Network Interface with a private IP address which will act as an entry point for the traffic destined to a particular service.
· Interface Endpoint is an Elastic Network Interface with a private IP address which will act as an entry point for the traffic destined to a particular service.
· Gateway Endpoint is a gateway which is targetted for a specific route in your route table.
1.Create Role for s3 bucket
IAM -> Roles -> ec2 -> next -> amazonS3FullAccess -> tags -> next -> S3FullAccess.
IAM -> Roles -> ec2 -> next -> amazonS3FullAccess -> tags -> next -> S3FullAccess.
2.add Role on EC2 instance.
# right click -> instance settings -> attach/replace IAM Role -> S3FullAccess.
# right click -> instance settings -> attach/replace IAM Role -> S3FullAccess.
3.Create an Endpoint.
Create Endpoint -> com.amazonaws.eu-west-1.s3 -> select VPC and Route tables -> policy Full access.
Create Endpoint -> com.amazonaws.eu-west-1.s3 -> select VPC and Route tables -> policy Full access.
4.check Route Table (Private route table).
Route table -> routes (check only)
0.0.0.0/0 NAT (options remove route table. Disable internet)
If any changes go to (Endpoints options)
5.Check s3 bucket.
# aws s3 ls --region eu-west-1
access ec2 instance details :-
1.Create an Endpoint.
Create Endpoint => com.amazonaws.ap-south-1.ec2 => select my-VPC => Select private-subnet => Select security group => policy Full access.
Create Endpoint => com.amazonaws.ap-south-1.ec2 => select my-VPC => Select private-subnet => Select security group => policy Full access.
2. test private ec2 instance.
# aws ec2 describe-instances --region ap-south-1
#######################################################
How to create private connection NLB to other VPC connection without internet.
Step A (VPC01)
1.create a Network Load Balancer in private subnet. (scheme:
- internal)
2.create two instances in private subnet.
Step B
1.Create a Endpoint Services.
# Select NLB
# Select Acceptance
required
# create service.
2.Create a endpoints.
(jise connection krna hai)
# Find service by name :- (service name copy from
endpoint services) paste com.amazonaws.vpce.ap-south-1.vpce-svc-0525a810bc4e33c05 (verify)
# VPC :- VPC-client (VPC02)
# select private subnet.
# select security group.
# create endpoint.
3. go to Endpoint
services.
# Actions => Accept endpoint
connection request
4.Endpoints => subnets
VPN Site to Site setup :-
Mumbai Region :- myvpc
Virginia Region :- myCustomer
1.Customer gateway
2.Virtual Private Gateway
3.Site-to-Site Connections
Mumbai Region :- myvpc
1.Create a VPC myvpc 10.0.0.0/16
2.Create a subnet public-sub 10.0.1.0/24
3.Create a internet gateway attached myvpc.
4.Create a Route Table 0.0.0.0/0 - igw.
Virginia Region :- myCustomer
1.Create a VPC mycustomer 10.2.0.0/16
2.Create a subnet public-sub 10.2.1.0/24
3.Create a internet gateway attached myvpc.
4.Create a Route Table 0.0.0.0/0 - igw.
5.launch one instance with vpc mycustomer (public-sub).
Public ip :- 52.204.32.66 (use elastic IP)
1.Create a VPC mycustomer 10.2.0.0/16
2.Create a subnet public-sub 10.2.1.0/24
3.Create a internet gateway attached myvpc.
4.Create a Route Table 0.0.0.0/0 - igw.
5.launch one instance with vpc mycustomer (public-sub).
Public ip :- 52.204.32.66 (use elastic IP)
Mumbai Region :-
1. Customer gateway à Create customer gateway à customer instance IP
1. Customer gateway à Create customer gateway à customer instance IP
2.Virtual Private gateways à Create virtual private gateway
à name: aws-side-vpg à Amazon default ASN.
3.attach VPC à
myVPC. à Yes,
Attach.
3.Site-to-Site VPN Connections à Name: vpn-mumbia-virginia
#Target Gateway Type :- Virtual Private Gateway à aws-side-vpg
#Customer Gateway :- Existing
#Customer Gateway ID :- AWS-CG
#Route Options :- Static
# Static IP PreFixes :- 10.2.0.0/16 (Virginia)
# create VPN Connection.
#Target Gateway Type :- Virtual Private Gateway à aws-side-vpg
#Customer Gateway :- Existing
#Customer Gateway ID :- AWS-CG
#Route Options :- Static
# Static IP PreFixes :- 10.2.0.0/16 (Virginia)
# create VPN Connection.
Note:- State showing available then download configuration.
Go to Virginia region:-
1.Setup openswan (IPsec) on ec2 instance.
i) Install openswan:
# yum install openswan -y
ii) In /etc/ipsec.conf uncomment following line if not already.
uncommented:
include /etc/ipsec.d/*.conf
iii) Update /etc/sysctl.conf to have following.
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
vi) Restart network service:
# service network restart
2. Command for /etc/ipsec.d/aws-vpn.conf
conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid= 52.204.32.66 (Customer end Gateway VPN public IP)
right= 52.66.114.53 (AWS Virtual private gateway ID- public IP)
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
keyingtries=%forever
keyexchange=ike
leftsubnet= 10.2.0.0/16 (Customer end VPN CIDR)
rightsubnet= 10.0.0.0/16 (AWS end VPN CIDR)
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer
i) Install openswan:
# yum install openswan -y
ii) In /etc/ipsec.conf uncomment following line if not already.
uncommented:
include /etc/ipsec.d/*.conf
iii) Update /etc/sysctl.conf to have following.
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
vi) Restart network service:
# service network restart
conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid= 52.204.32.66 (Customer end Gateway VPN public IP)
right= 52.66.114.53 (AWS Virtual private gateway ID- public IP)
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
keyingtries=%forever
keyexchange=ike
leftsubnet= 10.2.0.0/16 (Customer end VPN CIDR)
rightsubnet= 10.0.0.0/16 (AWS end VPN CIDR)
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer
3. Contents for
/etc/ipsec.d/aws-vpn.secrets
(customer_public_ip) (aws_vgw_public_ip): PSK "(shared secret)"
52.204.32.66 52.66.114.53: PSK "XGu3_ROu5zPCPB1nyfZ.zNw0a6KvscN6"
(customer_public_ip) (aws_vgw_public_ip): PSK "(shared secret)"
52.204.32.66 52.66.114.53: PSK "XGu3_ROu5zPCPB1nyfZ.zNw0a6KvscN6"
4. Commands to enable/start ipsec service
# chkconfig ipsec on
# service ipsec start
# service ipsec status
# chkconfig ipsec on
# service ipsec start
# service ipsec status
Test site-site VPN
Check tunnel, one tunnel is UP.
Both side ping Private IP
No comments:
Post a Comment