Shashikant shah

Tuesday, 5 January 2021

AWS Network VPC Details.

1. VPC Peering :- private, non-transitive connection between two VPCs over their private IP addresses.

2. VPC Endpoint :- private access from a VPC to S3, the EC2 API and other supported services without an internet gateway or NAT gateway.

3. Site-to-Site VPN :- IPsec tunnels between AWS (virtual private gateway) and an on-premises customer gateway; in the lab below an EC2 instance running openswan plays the customer gateway.

4. OpenVPN :- client-to-site VPN for individual users; launch an instance from the OpenVPN Access Server image.

5. AWS Direct Connect :- a dedicated network connection from your on-premises site to AWS.

6. AWS Direct Connect Gateway :- used when one Direct Connect connection must reach multiple VPCs.

7. Transit Gateway (TGW) :- hub used when multiple VPCs and on-premises connections must be interconnected.

Public subnet :-  VPC -- Subnet -- Route Table with 0.0.0.0/0 -> Internet Gateway

Private subnet :- VPC -- Subnet -- Route Table with 0.0.0.0/0 -> NAT Gateway (the NAT Gateway itself sits in a public subnet)

VPC

·       VPC stands for Virtual Private Cloud.

  • Amazon Virtual Private Cloud (Amazon VPC) provides a logically isolated area of the AWS cloud where you can launch AWS resources in a virtual network that you define.
  • You have complete control over your virtual networking environment, including a selection of your IP address range, the creation of subnets, and configuration of route tables and network gateways.

Default quotas (AWS defaults; most can be raised through Service Quotas):

Resource                              Default quota
VPCs per region                       5
Subnets per VPC                       200
Route tables per VPC                  200
Elastic IPs per region                5
Internet gateways per region          5
NAT gateways per Availability Zone    5
VPC peering connections per VPC       50 (can be raised to 125)
Network ACLs per VPC                  200

 
How to Create a VPC ?
1. Create a VPC.
VPC :- 10.0.0.0/16
 
2. Create an Internet Gateway and attach it to the VPC.
 
3. Create a subnet.
Subnet Public :- 10.0.0.0/24
 
4. Create a Route Table.
PublicRoute
Subnet Associations – add public subnet
Routes – add 0.0.0.0/0 – Internet Gateway
 
NAT Gateway :-
NAT (Network Address Translation) gateways let instances in a private subnet initiate connections to the internet or to other AWS services while remaining unreachable from the internet. The NAT Gateway must be placed in a public subnet and needs an Elastic IP.
1.       VPC :- 10.0.0.0/16
2.       Create an Internet Gateway and attach it to the VPC.
3.       Subnet Public :- 10.0.0.0/24
4.       Subnet Private :- 10.0.1.0/24
5.       Create a NAT Gateway in the public subnet (allocate an Elastic IP for it).
6.       Create Route Tables
PublicRoute
Subnet Associations – add public subnet
Routes – add 0.0.0.0/0 – Internet Gateway
PrivateRoute
Subnet Associations – add private subnet
Routes – add 0.0.0.0/0 – NAT Gateway
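The layout above is easy to get subtly wrong (a subnet outside the VPC CIDR, two overlapping subnets, or a NAT Gateway dropped into the private subnet it is supposed to serve). The following is an added example, not from the original post and not AWS code: an offline Python model of this two-subnet VPC that carves the /24s out of the /16 and validates the design before anything is created. The subnet names, route-table names and the symbolic targets "igw", "nat" and "local" are assumptions made for the example.

```python
import ipaddress

# Constructed lab layout mirroring the page: a /16 VPC carved into a public and a private /24.
# This models the design offline; nothing here talks to the AWS API.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"public": "10.0.0.0/24", "private": "10.0.1.0/24"}

# Route tables as {"subnets": [associated subnets], "routes": {destination: target}}.
# Targets are symbolic: "igw" (internet gateway), "nat" (NAT gateway), "local" (the VPC itself).
ROUTE_TABLES = {
    "PublicRoute":  {"subnets": ["public"],  "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}},
    "PrivateRoute": {"subnets": ["private"], "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat"}},
}
NAT_SUBNET = "public"   # the subnet chosen in the "Create NAT Gateway" step


def plan_subnets(vpc_cidr, count, new_prefix=24):
    """Carve `count` consecutive subnets of the given size out of the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in list(vpc.subnets(new_prefix=new_prefix))[:count]]


def subnet_kind(route_tables, subnet):
    """'public' when the subnet's route table sends 0.0.0.0/0 to an internet gateway."""
    for rt in route_tables.values():
        if subnet in rt["subnets"]:
            return "public" if rt["routes"].get("0.0.0.0/0") == "igw" else "private"
    return "private"   # no association: falls back to the main route table, local-only in this lab


def validate_layout(vpc_cidr, subnets, route_tables, nat_subnet):
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # 1. every subnet must lie inside the VPC CIDR
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name} ({net}) is outside the VPC CIDR {vpc}")

    # 2. subnets must not overlap one another
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap")

    # 3. a subnet can be associated with only one route table
    for name in nets:
        owners = [rt for rt, spec in route_tables.items() if name in spec["subnets"]]
        if len(owners) > 1:
            findings.append(f"{name} is associated with several route tables: {owners}")

    # 4. the NAT gateway needs its own path to the internet, so it must sit in a public subnet;
    #    a NAT gateway in a private subnet leaves that subnet with no working egress at all
    if subnet_kind(route_tables, nat_subnet) != "public":
        findings.append(f"NAT gateway is in {nat_subnet}, which is not a public subnet")

    return findings


if __name__ == "__main__":
    print(plan_subnets(VPC_CIDR, 2))
    print(validate_layout(VPC_CIDR, SUBNETS, ROUTE_TABLES, NAT_SUBNET) or "layout OK")
```

Running the validator with `NAT_SUBNET = "private"` reproduces the most common mistake in this procedure: the private route table points at a NAT Gateway that itself has no route to the internet gateway.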
 
 VPC Peering
·       VPC Peering is a networking connection between two VPCs that routes traffic between them over private IP addresses, as if they were in the same network.
·       Peering works between VPCs in the same account and across AWS accounts.
·       You can peer across regions (inter-region peering): a VPC in one region can be peered with a VPC in another region.
·       The two VPCs must not have overlapping CIDR blocks, and peering is not transitive: if A is peered with B and B with C, A cannot reach C through B.
·       The default quota is 50 active peering connections per VPC, adjustable up to a maximum of 125.
Peering two VPCs in the same region.
vpc1 - 172.31.0.0/16
vpc2 – 10.0.0.0/16
1.    Create Peering connection.
Name – demovpcpeering
VPC requester – vpc1 (172.31.0.0/16)
VPC accepter – vpc2 (10.0.0.0/16)
 
2.    Select (demovpcpeering) – Accept request.
3.    Add a route in both route tables (traffic only flows when both sides have a route):
Route-vpc1 – route – 10.0.0.0/16 – target: the peering connection demovpcpeering
Route-vpc2 – route – 172.31.0.0/16 – target: the peering connection demovpcpeering
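As an added example (not part of the original post, and not AWS code), the following offline Python model captures the three rules the steps above rely on: the CIDRs must not overlap, each side needs a route for the other's CIDR pointing at the peering connection, and the result is not transitive. The VPC names, the third VPC and the `pcx-12` / `pcx-23` identifiers are constructed for the example.

```python
import ipaddress

# Constructed lab, as on the page: two VPCs in one region joined by a single peering connection.
# A third VPC is added only to show that peering is not transitive. Offline model only.
VPCS = {"vpc1": "172.31.0.0/16", "vpc2": "10.0.0.0/16", "vpc3": "192.168.0.0/16"}
PEERINGS = {"pcx-12": ("vpc1", "vpc2"), "pcx-23": ("vpc2", "vpc3")}   # hypothetical ids


def peerable(cidr_a, cidr_b):
    """AWS rejects a peering request when the two VPC CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peering_routes(vpcs, peerings):
    """Routes each VPC must carry: the peer's CIDR pointing at the peering connection.
    Both directions are needed; a route on one side only gives one-way, and therefore no, traffic."""
    routes = {name: {cidr: "local"} for name, cidr in vpcs.items()}
    for pcx, (a, b) in peerings.items():
        if not peerable(vpcs[a], vpcs[b]):
            raise ValueError(f"{a} ({vpcs[a]}) and {b} ({vpcs[b]}) overlap; cannot peer")
        routes[a][vpcs[b]] = pcx
        routes[b][vpcs[a]] = pcx
    return routes


def can_reach(src, dst_ip, vpcs, routes, peerings):
    """True only if src has a peering route covering dst_ip AND the peer routes src's CIDR back
    over the same connection. Routes only ever name a directly peered VPC, so there is no
    transitive path through an intermediate VPC."""
    ip = ipaddress.ip_address(dst_ip)
    for cidr, target in routes.get(src, {}).items():
        if not target.startswith("pcx-") or ip not in ipaddress.ip_network(cidr):
            continue
        peer = next(v for v in peerings[target] if v != src)
        return routes.get(peer, {}).get(vpcs[src]) == target
    return False


if __name__ == "__main__":
    table = peering_routes(VPCS, PEERINGS)
    for vpc, entries in table.items():
        print(vpc, entries)
    print("vpc1 -> vpc2:", can_reach("vpc1", "10.0.5.9", VPCS, table, PEERINGS))
    print("vpc1 -> vpc3:", can_reach("vpc1", "192.168.1.1", VPCS, table, PEERINGS))
```

Deleting the vpc2 side route from the returned table makes `can_reach` false in both directions, which is the symptom seen in practice when only the requester's route table was updated.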

NACL
·       NACL stands for Network Access Control List.
·       It is a security layer for your VPC that controls traffic in and out of one or more subnets.
·       A network ACL is configured much like a security group and adds a second layer of filtering in front of the instances.
·       Security groups are attached to instances (ENIs) and only contain allow rules; there is no explicit deny.
·       NACLs allow or deny inbound and outbound traffic at the subnet boundary.
·       Rules are evaluated in ascending rule-number order and the first match wins: with rule 100 allow and rule 200 deny for the same traffic, rule 100 applies and rule 200 is never reached; swap the numbers and the traffic is denied.
·       The last rule is an asterisk (*) and denies any traffic that matched no numbered rule.
·       Security groups are stateful: if an inbound rule allows the RDS port, the reply traffic is allowed out automatically without an outbound rule.
·       NACLs are stateless: inbound and outbound must both be allowed explicitly, including the ephemeral port range (1024-65535) for return traffic.
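The ordering and statefulness rules above are the ones that bite in practice, so here is an added example (not from the original post, and not AWS code): a small Python model of NACL evaluation next to the security-group behaviour. The rule sets, client addresses and ports are constructed for the example; the evaluation order, the implicit deny and the need for an ephemeral-port outbound rule are how real NACLs behave.

```python
import ipaddress
from dataclasses import dataclass


# Offline model of how a network ACL evaluates traffic, versus a security group.
# Rule sets below are constructed for the example; protocol "-1" means all protocols and ports.
@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; evaluation is in ascending order
    protocol: str    # "tcp", "udp", "icmp" or "-1"
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"


def nacl_decision(rules, proto, port, ip):
    """First matching rule (lowest number) wins; no match falls through to the implicit '*' deny."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "-1" and r.protocol != proto:
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"


def nacl_allows_connection(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request must pass the inbound rules AND the reply must pass the outbound
    rules. The reply is addressed to the client's ephemeral source port, not to server_port."""
    request = nacl_decision(inbound, "tcp", server_port, client_ip)
    reply = nacl_decision(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


def sg_allows_connection(inbound, client_ip, server_port):
    """Stateful: a security group only has allow rules, and an allowed request implies its reply,
    so no outbound rule is consulted for the return traffic."""
    return nacl_decision(inbound, "tcp", server_port, client_ip) == "allow"


# Inbound: allow HTTP from anywhere at 100, then a deny for one /24 at 200 (never reached).
INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(200, "tcp", 80, 80, "203.0.113.0/24", "deny"),
]
# The same two rules with the numbers swapped: now the deny is evaluated first.
INBOUND_SWAPPED = [
    Rule(100, "tcp", 80, 80, "203.0.113.0/24", "deny"),
    Rule(200, "tcp", 80, 80, "0.0.0.0/0", "allow"),
]
# Outbound: the ephemeral range must be opened or replies never leave the subnet.
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
OUTBOUND_EMPTY = []
# A security group rule has no number and no deny; 0 stands in for "unordered".
SG_INBOUND = [Rule(0, "tcp", 80, 80, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print("100 allow / 200 deny, blocked client:",
          nacl_allows_connection(INBOUND, OUTBOUND_WITH_EPHEMERAL, "203.0.113.5", 51000, 80))
    print("swapped numbers, same client:",
          nacl_allows_connection(INBOUND_SWAPPED, OUTBOUND_WITH_EPHEMERAL, "203.0.113.5", 51000, 80))
    print("no ephemeral outbound rule:",
          nacl_allows_connection(INBOUND, OUTBOUND_EMPTY, "198.51.100.7", 51000, 80))
    print("security group, no outbound needed:",
          sg_allows_connection(SG_INBOUND, "198.51.100.7", 80))
```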
Direct Connect
·       With AWS Direct Connect you establish private connectivity between AWS and your data centre or office over a dedicated line instead of the public internet.
·       Two types of connection in AWS Direct Connect:
Dedicated connections (1 Gbps or 10 Gbps ports provisioned for you by AWS).
Hosted connections (50 Mbps up to 10 Gbps, provisioned through a Direct Connect partner).
·       It provides a stable, predictable connection whose performance does not depend on an internet link.
·       All AWS services, including EC2, VPC, S3 and DynamoDB, can be reached over Direct Connect (public services via a public virtual interface, VPCs via a private virtual interface).
·       Reduces data transfer costs for large traffic volumes.
·       Caveat: the link is private but not encrypted by default; run an IPsec Site-to-Site VPN over it, or use MACsec where the location supports it, when encryption in transit is required.
 
VPC Endpoint (PrivateLink)
  • A VPC endpoint allows you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN Connection, or AWS Direct Connect connection.
  • Instances in your VPC do not require public addresses to communicate with the resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
  • VPC endpoints are virtual devices.
  • VPC Endpoints are horizontally scaled, redundant and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
Types of VPC Endpoints
·       Interface Endpoints
·       Gateway Endpoints
Interface Endpoints
·       An interface endpoint is an Elastic Network Interface with a private IP address in your subnet that acts as the entry point for traffic destined to a particular service (AWS PrivateLink).
·       Interface endpoints support services such as Amazon CloudWatch, Amazon SNS and the EC2 API; a security group is attached to the endpoint ENI, so open only the service port (443) from the callers that need it.

Gateway Endpoints
·       A gateway endpoint is a route-table target: it adds a route for the service's managed prefix list to the route tables you select.
·       Traffic to the service is steered to the endpoint by that prefix-list route even when a 0.0.0.0/0 route to a NAT gateway exists, because the prefix-list route is more specific.
·       Amazon S3 and DynamoDB are the only services supported by gateway endpoints; gateway endpoints are free, whereas interface endpoints are billed per hour and per GB.
S3 bucket access without internet from a private network

1. Create an IAM role for S3 access.
IAM -> Roles -> EC2 -> next -> AmazonS3FullAccess -> tags -> next -> name: S3FullAccess.
(The lab uses the AmazonS3FullAccess managed policy; in production scope the role to the specific buckets and actions the instance needs.)

2. Attach the role to the EC2 instance.
# right click -> Instance Settings -> Attach/Replace IAM Role -> S3FullAccess.

3. Create an endpoint.
Create Endpoint -> com.amazonaws.eu-west-1.s3 -> select the VPC and its route tables -> policy: Full Access.
(Full Access lets the endpoint reach any bucket in any account; an endpoint policy that lists only your own buckets stops data being copied out to a bucket an attacker controls.)

4. Check the route table (private route table).
Route table -> Routes: a new route for the S3 prefix list with the endpoint (vpce) as target appears next to 0.0.0.0/0 -> NAT.
To prove the endpoint is doing the work, remove the 0.0.0.0/0 -> NAT route (no internet) and repeat step 5; S3 must still answer.
Route-table associations can be changed later from the endpoint's Actions menu.

5. Check the S3 bucket listing from the instance.
# aws s3 ls --region eu-west-1
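Step 4 relies on longest-prefix matching in the VPC route table: the gateway endpoint's prefix-list route wins over 0.0.0.0/0, which is why S3 keeps working after the NAT route is removed. The following is an added example, not from the original post and not AWS code: a Python model of that route selection. The prefix-list contents are constructed from documentation address ranges and stand in for the real S3 prefix list, which you would read with `aws ec2 describe-prefix-lists`; the route targets are symbolic names.

```python
import ipaddress

# Offline model of VPC route selection. The prefix list below is CONSTRUCTED from documentation
# ranges and stands in for the real S3 prefix list (pl-...) that the gateway endpoint installs.
PREFIX_LISTS = {"pl-s3-lab": ["198.51.100.0/24", "203.0.113.0/24"]}

# The private route table after step 3 of the lab: local, default via NAT, S3 via the endpoint.
PRIVATE_ROUTES = {
    "10.0.0.0/16": "local",
    "0.0.0.0/0": "nat-gateway",
    "pl-s3-lab": "vpce-s3",
}


def expand_routes(routes, prefix_lists):
    """Yield (network, target) pairs, flattening prefix-list destinations into their CIDRs."""
    for dest, target in routes.items():
        cidrs = prefix_lists[dest] if dest in prefix_lists else [dest]
        for cidr in cidrs:
            yield ipaddress.ip_network(cidr), target


def select_route(routes, dst_ip, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match, as the VPC router does. None means no route: the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(routes, prefix_lists):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def without_default_route(routes):
    """Step 4 of the lab: delete 0.0.0.0/0 -> NAT to prove S3 still works through the endpoint."""
    return {dest: target for dest, target in routes.items() if dest != "0.0.0.0/0"}


if __name__ == "__main__":
    for ip in ("198.51.100.10", "8.8.8.8", "10.0.1.25"):
        print(ip, "->", select_route(PRIVATE_ROUTES, ip))
    no_nat = without_default_route(PRIVATE_ROUTES)
    print("after removing the NAT route: S3 ->", select_route(no_nat, "198.51.100.10"),
          "| internet ->", select_route(no_nat, "8.8.8.8"))
```

The same selection logic explains why an interface endpoint needs no route at all: it is reached by DNS resolving the service name to the endpoint ENI's private IP, which the local route already covers.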

######## Interface endpoint #####

Access the EC2 API from a private instance :-

1. Create an endpoint.
Create Endpoint => com.amazonaws.ap-south-1.ec2 => select my-VPC => select private-subnet => select a security group that allows TCP 443 from the instance => policy: Full Access.
(Leave private DNS enabled so the regional EC2 API hostname resolves to the endpoint's private IP.)

2. Test from the private EC2 instance.
aws ec2 describe-instances --region ap-south-1

#######################################################


How to create a private connection from an NLB to another VPC without internet (AWS PrivateLink endpoint service).
Step A (VPC01, the service provider)

1. Create a Network Load Balancer in the private subnet (scheme: internal).

2. Create two instances in the private subnet and register them as NLB targets.

Step B

1. Create an Endpoint Service.

# Select the NLB

# Select "Acceptance required" (so the provider must approve each consumer)

# Create service.

2. Create an endpoint (in the consumer VPC that needs to connect).

# Find service by name :- paste the service name copied from the endpoint service, e.g. com.amazonaws.vpce.ap-south-1.vpce-svc-0525a810bc4e33c05 -> Verify

# VPC :- VPC-client (VPC02)

# select private subnet.

# select security group.

# create endpoint.

3. Go to Endpoint Services.

# Actions => Accept endpoint connection request

4. Endpoints => Subnets tab: note the endpoint ENI's private IP in each subnet.
# client side curl hit (the address is the endpoint ENI's private IP from step 4; 10.1.1.213 in this lab)

# curl http://10.1.1.213
VPN Site-to-Site setup :-
Mumbai Region :- myvpc (AWS side)
Virginia Region :- myCustomer (plays the on-premises site)

1. Customer gateway
2. Virtual Private Gateway
3. Site-to-Site VPN connection
 
Mumbai Region :- myvpc
1. Create a VPC myvpc 10.0.0.0/16
2. Create a subnet public-sub 10.0.1.0/24
3. Create an internet gateway and attach it to myvpc.
4. Create a Route Table with 0.0.0.0/0 - igw.

Virginia Region :- myCustomer
1. Create a VPC mycustomer 10.2.0.0/16
2. Create a subnet public-sub 10.2.1.0/24
3. Create an internet gateway and attach it to mycustomer.
4. Create a Route Table with 0.0.0.0/0 - igw.
5. Launch one instance in VPC mycustomer (public-sub); it will run openswan. Disable source/destination checking on the instance so it can forward traffic for 10.2.0.0/16.
Public IP :- 52.204.32.66 (use an Elastic IP so it does not change)

Mumbai Region :-
1. Customer Gateways -> Create customer gateway -> IP address: the customer instance's public IP (52.204.32.66), routing: static.
2. Virtual Private Gateways -> Create virtual private gateway -> name: aws-side-vpg -> Amazon default ASN.
3. Attach to VPC -> myvpc -> Yes, Attach.
4. Site-to-Site VPN Connections -> Name: vpn-mumbai-virginia
# Target Gateway Type :- Virtual Private Gateway -> aws-side-vpg
# Customer Gateway :- Existing
# Customer Gateway ID :- AWS-CG
# Route Options :- Static
# Static IP Prefixes :- 10.2.0.0/16 (Virginia)
# Create VPN Connection.

Note:- When the state shows "available", use Download Configuration (vendor: Openswan) to get the tunnel outside IPs and pre-shared keys used below. Also add a route in myvpc's route table for 10.2.0.0/16 -> aws-side-vpg (or enable route propagation), otherwise the AWS side has no return path.

 Go to Virginia region:-

1. Set up openswan (IPsec) on the EC2 instance.
i) Install openswan:
# yum install openswan -y
ii) In /etc/ipsec.conf make sure the following line is uncommented:
   include /etc/ipsec.d/*.conf
iii) Update /etc/sysctl.conf to contain:
 net.ipv4.ip_forward = 1
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
iv) Apply the kernel settings:
  # sysctl -p
 
2. Contents of /etc/ipsec.d/aws-vpn.conf (the IPs are this lab's; take yours from the downloaded configuration)
conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=52.204.32.66        # customer gateway (openswan instance) public IP
        right=52.66.114.53         # AWS tunnel outside IP from the downloaded configuration
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1;modp1024
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=10.2.0.0/16      # customer-side CIDR
        rightsubnet=10.0.0.0/16     # AWS-side VPC CIDR
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer

Note:- aes128-sha1;modp1024 is what this lab negotiates, but SHA-1 and DH group 2 (modp1024) are weak choices today; the VPN connection's tunnel options also accept AES-256, SHA2-256 and DH group 14 (modp2048), which is what a production tunnel should use on both sides.

3. Contents of /etc/ipsec.d/aws-vpn.secrets (format: customer_public_ip aws_tunnel_ip: PSK "shared secret"; the PSK comes from the downloaded configuration, never reuse the one shown here, and keep the file root-only with chmod 600)
52.204.32.66  52.66.114.53: PSK "XGu3_ROu5zPCPB1nyfZ.zNw0a6KvscN6"

4. Commands to enable and start the ipsec service
  # chkconfig ipsec on
  # service ipsec start
  # service ipsec status
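Because the tunnel configuration is hand-edited and copied between labs, it is worth checking mechanically for the weak algorithm choices noted above. The following is an added example (not from the original post, and not part of openswan or AWS): a small Python checker that parses a `conn` section in ipsec.conf syntax and flags weak DH groups, integrity algorithms and ciphers in the `ike` and `phase2alg` proposals. The embedded sample is a copy of the lab's Tunnel1 section, and the sets of "weak" algorithm names are the example's own policy, spelled as openswan/libreswan spell them.

```python
import re

# Constructed copy of the lab's Tunnel1 section, used as input for the checker.
SAMPLE_CONF = """\
conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=52.204.32.66        # customer gateway public IP
        right=52.66.114.53
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1;modp1024
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=10.2.0.0/16
        rightsubnet=10.0.0.0/16
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
"""

# Policy for this example: DH groups below 2048 bits, SHA-1/MD5 integrity and (3)DES are flagged.
WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_HASH = {"md5", "sha1"}
WEAK_CIPHER = {"3des", "des"}


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text, ignoring '#' comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_proposal(setting, proposal):
    """Split a 'cipher-hash;dh' proposal (comma-separated alternatives) and report weak parts."""
    findings = []
    for alternative in proposal.split(","):
        algs, _, dh = alternative.partition(";")
        cipher, *hashes = algs.split("-")
        if cipher in WEAK_CIPHER:
            findings.append(f"{setting}: weak cipher {cipher}")
        for h in hashes:
            if h in WEAK_HASH:
                findings.append(f"{setting}: weak integrity algorithm {h}")
        if dh in WEAK_DH:
            findings.append(f"{setting}: weak DH group {dh}")
    return findings


def check_conn(params):
    """Findings for one conn section; an empty list means both proposals pass the policy."""
    findings = []
    for setting in ("ike", "phase2alg"):
        if setting in params:
            findings += check_proposal(setting, params[setting])
    return findings


if __name__ == "__main__":
    for name, params in parse_conns(SAMPLE_CONF).items():
        print(name)
        for finding in check_conn(params) or ["no weak algorithms"]:
            print("  ", finding)
```

Run against the lab's section it reports SHA-1 and modp1024 in both `ike` and `phase2alg`; replacing both with `aes256-sha2_256;modp2048` clears every finding.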

Test the Site-to-Site VPN

Check the tunnel status in the console: one tunnel shows UP (the lab configures only Tunnel1; add a second conn for the other AWS tunnel endpoint from the downloaded configuration for redundancy).
Ping the private IPs from both sides (the security groups on each side must allow ICMP from the remote CIDR).