AWS - Sysops Theory

VPC Overview
    Logically isolated network in the AWS Cloud.
    Control of network architecture (divide it into smaller subnets).
    Enhanced security (security groups applied to the resources).
    Internetwork with other organizations (VPC peering connects VPCs together).
    Elastic IP addresses.
    Enable hybrid cloud (site-to-site VPN).
    Single-tenant dedicated hardware.
    VPC cost = $0 / VPN cost is $0.05/hr
   
    In order for AWS to isolate you as a tenant, they created the concept of a VPC.
    A VPC gives you the ability to deploy resources in an isolated manner.
   
   
VPC Elements
    Subnets : Private subnets, public subnets, VPN subnets; you can design them any way you want.
    Route Tables
    Internet Gateways
    Elastic IPs
    Endpoints
    NAT Gateways
    Peering Connections
    Network ACLs
    Security Groups
    VPN

   
VPC Characteristics
    AWS reserves 5 IP addresses per subnet (the first 4 and the last 1), reserved for management purposes.
    We can create three kinds of subnets: Private, Public and VPN subnets.
    Subnets do not span AZs. You need a separate subnet per Availability Zone.
    Single Region, Multi-AZ (multiple Availability Zones, at least two).
    CIDR block size from /16 to /28.
    Select the IP prefix.
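The two subnet rules above (five reserved addresses per subnet, block size /16 to /28, one subnet per AZ) are easy to get wrong when sizing a VPC by hand. The following is an added example, not code from the original notes: it uses only the standard library, names the reserved addresses by the roles AWS documents for them (network address, VPC router, DNS resolver, future use, broadcast), counts usable hosts, and carves one subnet per AZ from a VPC block. The AZ names and CIDR blocks are constructed sample values.

```python
"""Added example (not from the original notes): which addresses AWS reserves
in a subnet, how many hosts remain, and one-subnet-per-AZ planning."""
import ipaddress

# Subnet/VPC sizes AWS accepts, as stated in the notes: /16 through /28.
MIN_PREFIX = 16
MAX_PREFIX = 28
RESERVED_PER_SUBNET = 5  # the first four addresses and the last one


def _checked_network(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR block and enforce the AWS-allowed prefix length."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not (MIN_PREFIX <= net.prefixlen <= MAX_PREFIX):
        raise ValueError(f"{cidr}: AWS blocks must be /{MIN_PREFIX} to /{MAX_PREFIX}")
    return net


def reserved_addresses(cidr: str) -> dict:
    """Return the five reserved addresses of a subnet, keyed by the role
    AWS documents for each (first four plus the broadcast address)."""
    net = _checked_network(cidr)
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign to resources in the subnet."""
    return _checked_network(cidr).num_addresses - RESERVED_PER_SUBNET


def per_az_subnets(vpc_cidr: str, azs: list, new_prefix: int) -> dict:
    """Carve one subnet per AZ out of the VPC block (a subnet cannot span AZs)."""
    vpc = _checked_network(vpc_cidr)
    if not (vpc.prefixlen < new_prefix <= MAX_PREFIX):
        raise ValueError(f"subnet prefix /{new_prefix} does not fit inside {vpc_cidr}")
    candidates = vpc.subnets(new_prefix=new_prefix)
    plan = {}
    for az in azs:
        try:
            plan[az] = str(next(candidates))
        except StopIteration:
            raise ValueError(f"{vpc_cidr} has too few /{new_prefix} blocks for {len(azs)} AZs")
    return plan


if __name__ == "__main__":
    # Constructed sample values for the demo.
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_hosts("10.0.0.0/28"), "usable hosts in a /28")
    print(per_az_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"], 24))
```

A /28 is the smallest subnet AWS allows and leaves only 11 usable addresses after the reservation, which is why the check rejects anything smaller before a plan is produced.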
   
VPC Security
    Security groups : Resource-level traffic firewall (instances, ELB, etc.).
                      Ingress and egress.
                      Stateful: return traffic is allowed automatically.
                   
    ACLs            : Source and protocol filtering.
                      Subnet-level traffic firewall (separate inbound and outbound rule sets).
                      Stateless: traffic is strictly filtered in each direction.


VPC NAT Bottlenecks
Private Network <-> NAT <-> Public Network

A single NAT can lead to bottlenecks.
We use a NAT gateway instead (it is an AWS offering).
In some cases all the features that you need may not be available with the NAT gateway.
That is why we may revert to a NAT instance.
To avoid bottlenecks we use enhanced networking: you get instances that provide higher network throughput.

HA for NAT is possible (each subnet can route to a single NAT at a time).
Subnet failover to another NAT is supported.


NAT Instances vs NAT Gateway

NAT Instances : Use a script to manage failover between instances.
                Bandwidth depends on the instance type.
                Managed by us (responsible for software updates, troubleshooting).
                A generic Amazon Linux AMI that's configured to perform NAT.
                Manual port forwarding.
                Can be used as a bastion server.
                View CloudWatch alarms.

NAT Gateway : As it is a platform service, it is highly available. NAT gateways in each Availability Zone are
              implemented with redundancy.
              Supports bursts up to 10 Gbps.
              Managed by AWS.
              Software is optimized for handling NAT.
              Port forwarding is not supported.
              Bastion servers are not supported.
              Traffic metrics are not supported.



EC2 (Elastic Compute Cloud)

        On-demand instance
       
        Reserved Instance : Two types  1) Standard Instance
                                       2) Scheduled Instance
       
        Spot Instances
       
        Dedicated instance : Types ; Dedicated Host
                                     Dedicated Instance.
                                   
       
    on-demand instance :
           
            Low Cost and flexibility with no up front cost
            Ideal for auto scaling groups and unpredictable workloads
            Dev/test environments
           
    Reserved instances :
   
            Steady state and predictable usage.
            Applications that need reserved capacity.
            Upfront payments reduce hourly rate.
            Scheduled RIs match your capacity reservation to a predictable recurring schedule.
           
           
    Spot Instances :
            Flexible start and end times
            Grid Computing and High performance computing.
            Very low hourly compute cost.
           
    Dedicated Instances :
            Predictable performance.
            Complete Isolation.
            Most expensive.



Load Balancers :
    ELB - Elastic Load Balancers
   
    ELB - two types - Classic Load Balancer and Application Load Balancer.
                      The original Elastic Load Balancer is now also called the Classic Load Balancer.
                   
   
    Classic ELB Characteristics :
                Region wide Load balancer.
                Can be used internally or externally.
                Layer 4 and Layer 7
                SSL Termination and Processing.
                Cookie based Sticky session.
                Integrates with Auto-scaling.
                ELB EC2 health checks / cloudwatch.
                Integrates with Route 53.
               
        Supported Ports :
                25 - SMTP
                80/443 - HTTP / HTTPS
                Any port in the range 1024-65535
               
                Does not Support Elastic IP.
                Supports Domain zone Apex.
                Supports IPv4 and IPv6.
               
                It integrates with CloudTrail for security log analysis.
                Multiple SSL certificates require multiple ELBs.
                Wildcard certificates are supported.
               
    ALB (Application Load Balancer) :
            Listeners : We need to define the port and protocol
                        Each ALB needs at least one listener.
                        Each ALB can have up to 10 listeners.
                        Routing rules are defined on listeners.
                       
            Target groups : Logical grouping of targets behind the load balancer.
                            Made up of EC2 instances or containers.
                            Can exist independently from the ALB.
                            Target groups are region-based but can be associated with an Auto Scaling group.
                            Target groups can contain up to 1000 targets.
                            A target group can be associated either with EC2 instances or with containers; you can't have both in the same target group.
                           
            So a target group holds either EC2 instances or containers, never a mix.



Configuring Amazon S3 and CloudFront :



Storage and Archive :
                Amazon S3 :
                Amazon Glacier :
                Amazon EBS :
                Amazon EFS :
                AWS Import / Export :
                AWS Snowball :
                AWS Storage gateway :
               
               
                Amazon S3 Storage Classes :
                    S3 Standard : Fastest, most popular object-based storage; highest level of SLAs.
                    S3 Standard Infrequent Access : Reduced price, an alternative to Glacier; SLA is lower.
                    S3 RRS : Reduced Redundancy Storage; durability, SLA and price are lower than the other classes.
                   
                   
                   
               
                Amazon S3 features :
                            Versioning : Protects you against
                            Cross Region Replication
                            Data Life cycle management
                            MFA delete
                            Permissions
                            Time limited access to objects










 #######################################################################
Connecting On-Prem Resources to Your AWS Infrastructure :
    Implementation of an OpenVPN connection from the AWS infrastructure to on-premises :

    Launch an EC2 instance from the free-tier OpenVPN Access Server image.
    In the security group allow the ports listed below; it is recommended to allow only your network IP range in the CIDR block.
   
    22 - SSH
    943 - Access to the Admin GUI
    443 - TLS-encrypted HTTP traffic
    1194 - OpenVPN incoming client connections
   
    When the new machine finishes loading, it is a good idea to assign an Elastic IP to it.
    From the instance page, right-click the OpenVPN instance, choose Networking, and disable the Source/Dest. Check.
   
    Now connect to the OpenVPN EC2 instance through SSH.
    To configure OpenVPN we need to run the command "sudo ovpn-init --ec2".
    Follow the on-screen instructions to complete the configuration.
    Also verify that the NTP service is running.
    Now assign a password to the openvpn user id so it can be used from the GUI interface.
    Type the EC2 instance IP address with port 443 in the browser, <Ip address>:443, to open the GUI interface of the OpenVPN server.
    Go through the settings.
    Now type the EC2 instance IP without the port number to access the admin console.
    Download the configuration file for yourself.
    Copy all the contents of the config file and paste them into a file on your on-prem server, e.g. client.ovpn
    Now install OpenVPN on the on-prem server.
    Run "sudo openvpn --config client.ovpn" and authenticate with the same openvpn user id.
    Now try to connect to the OpenVPN server through SSH:
    ssh -i *.pem openvpn@<openvpn server>
    It should let you in without prompting for a password.
    Now create the private instance with a private IP.
    Try to access this private instance from your on-prem server.
    It should let you in without prompting for a password.
    That's it, we have established the OpenVPN tunnel from the AWS infrastructure to on-premises.
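The most security-relevant step of the procedure is the second one: the four ports are an SSH daemon, an admin GUI and the VPN endpoint, so the ingress rules should name the on-prem address range and nothing wider. The following is an added example, not part of the original post: it builds those four rules in the `IpPermissions` shape that boto3's `authorize_security_group_ingress` accepts, refuses a 0.0.0.0/0 range, and includes a small audit helper that reports which ports an existing rule set leaves open to any address. The on-prem range 198.51.100.0/24 and the security group id `sg-EXAMPLE` are constructed placeholders; the actual API call is shown commented out because it needs credentials and network access.

```python
"""Added example (not from the original post): security-group ingress rules
for the OpenVPN Access Server, restricted to the on-prem address range."""
import ipaddress

# Ports from the procedure above. 1194 is listed as UDP, OpenVPN's default transport.
OPENVPN_PORTS = [
    ("tcp", 22, "SSH"),
    ("tcp", 943, "OpenVPN Admin GUI"),
    ("tcp", 443, "TLS-encrypted HTTP"),
    ("udp", 1194, "OpenVPN client connections"),
]


def openvpn_ingress_rules(onprem_cidr: str) -> list:
    """Return one IpPermissions entry per port, each allowing only onprem_cidr.

    Raises ValueError for 0.0.0.0/0 (or ::/0): exposing SSH and the admin
    GUI to every address is exactly what the recommendation above warns against.
    """
    net = ipaddress.ip_network(onprem_cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("refusing to open the VPN/admin ports to the whole internet")
    return [
        {
            "IpProtocol": proto,
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": str(net), "Description": desc}],
        }
        for proto, port, desc in OPENVPN_PORTS
    ]


def open_to_world(ip_permissions: list) -> list:
    """Audit helper: ports in an existing IpPermissions list reachable from any IPv4 address."""
    exposed = set()
    for perm in ip_permissions:
        for ip_range in perm.get("IpRanges", []):
            if ipaddress.ip_network(ip_range["CidrIp"]).prefixlen == 0:
                exposed.add(perm["FromPort"])
    return sorted(exposed)


# Constructed on-prem range for the demo (an RFC 5737 documentation prefix).
ONPREM_CIDR = "198.51.100.0/24"

if __name__ == "__main__":
    for rule in openvpn_ingress_rules(ONPREM_CIDR):
        print(rule)
    # To apply for real (needs credentials and network; not run here):
    # import boto3
    # boto3.client("ec2").authorize_security_group_ingress(
    #     GroupId="sg-EXAMPLE",  # placeholder, use your group id
    #     IpPermissions=openvpn_ingress_rules(ONPREM_CIDR))
```

The same `open_to_world` check can be pointed at the output of `describe_security_groups` to confirm, after the VPN is up, that none of the four ports was left open to 0.0.0.0/0 during testing.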
#################################################################################
