AWS Network Basic Knowledge
AWS Network Basic Knowledge:
Note to learn aws network.
AWS Basic Network
Note to learn aws network.
AWS
- Region (Barginia, Oregon, Tokyo...)
- Availability Zone (Phisically separated, )
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
IP Address
-
IP Address
- 8 bit * 4 = 32 bit 0.0.0.0 ~ 255.255.255.255
- 00000000.00000000.00000000.0000000 ~ 11111111.11111111.11111111.11111111
-
Network part
- 192.168.1.0 ~ 192.168.1.255 -> Network part: 192.168.1 (24bit), Host part 0, 255(8bit)
- 192.168.0.0 ~ 192.168.255.255 -> Network part: 192.168(16bit), Host part 0.0, 255.255(16bit)
-
PrivateIP Addresses which is not used in internet
- 10.0.0.0 ~ 10.255.255.255
- 172.16.0.0 ~ 172.31.255.255
- 192.168.0.0 ~ 192.168.255.255
-
CIDR notation (show network part by bit which is called prefix)
- 192.168.0.0 ~ 192.168.255.255 -> 192.168.0.0/16 [prefix:16bit]
- 192.168.10.0 ~ 192.168.10.255 -> 192.168.10.0/32 [prefix:32bit]
-
Subnet mask notation (show network part by 1)
- 192.168.0.0 ~ 192.168.255.255 -> (11111111.11111111.00000000.00000000) -> 192.168.0.0/255.255.0.0
- 192.168.10.0 ~ 192.168.10.255 -> 192.168.10.0/255.255.255.0
-
Conclusion
- These three expressions mean the same IP address range.
- 192.168.0.0 ~ 192.168.255.255
- 192.168.0.0/16
- 192.168.0.0/255.255.0.0
- These three expressions mean the same IP address range.
-
AWS Specification
- When create VPC, more than 16 must be configured as prefix.
- ex) 10.0.0.0/16 -> 10.0.0.0 ~ 10.0.255.255
- When create VPC, more than 16 must be configured as prefix.
Practice
-
Create VPC
- IPv4 CIDR block
- CIDR block: 10.0.1.0/24
- https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/getting-started-ipv4.html
-
Divide VPC into Subnet
- pre-test-public : 10.0.1.0/24
- The reason to divide: want to attach another subnet corresponding to the physical area, want to configure other security policy
-
Connect pre-test-public to internet
- Create an internet gateway
- Attach VPC to the gateway
- https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/VPC_Internet_Gateway.html
-
Configure Route table
- Route table: Configure the route to where depending on IP address.
- Target: Who
- Desitnation: to where
- Enable to configure route table in each subnet
- Default Desitination: 10.0.0.0/16, Target: local -> Send local network to CIDR 10.0.0.0/16 -> Cannot go out internet
- In order to connect internet, need to send packet except for destination 10.0.0.0/16 to internet gateway
- Create New Route Table
- Add configuration in route table Destination: 0.0.0.0/0, Target: Internet Gateway
- Connect route table to public subnet
- https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/VPC_Route_Tables.html
-
Create EC2 instance in public subnet
- Network : Choose VPC
- Subnet : Choose Subnet to put
- Auto-assign Public IP: Enable
- Network Interfaces, Primary IP: 10.0.1.10 (Public Subnet CIDR 10.0.1.0/24)
- Cannot use top and bottom of CIDR block for instance private IP, since 10.0.1.0 means the whole subnet network, 10.0.1.255 means broadcast address( but aws does not support)
- Skip Storage and tags and security group.
-
Security Group
- Security: Packet filtering = Firewall
- Inboud: Who can come in
- Outbound: Who can go out
- https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/VPC_SecurityGroups.html
-
DNS
- No pulic DNS on the instance
- Edit DNS Hostnames on VPC
- public DNS is attached into instances which have public ip
- https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/vpc-dns.html
-
Private Subnet
- Never connect from internet like Database
- Enable to make subnet in other availability zone, but low latency
- Create Subnet : Smae AZ with public subnet, CIDR block is 10.0.2.0/24
- Unnecessary to configure route table (default is OK, since no need to connect internet)
- Create EC2 instance as Database in private subnet
- Network : Choose VPC
- Subnet : Choose private Subnet to put
- Auto-assign Public IP: Disable
- Network Interfaces, Primary IP: 10.0.2.10 (Private Subnet CIDR 10.0.2.0/24)
- SecurityGroup: Create a new secrutiy group.
- Add MYSQL with 0.0.0.0/0
- Add ALL ICMP with 0.0.0.0/0 for ping connection
- If private IP of public subnet CIDR(10.0.1.0/24), secrutiy becomes more stronger
- This instance does not have public IP and public DNS
-
NAT
- Network Address Tanslation
- Databse server cannot connect internet now. How can we install databse server? -> NAT
- With NAT, enable to connect to internet from private subnet, but disable to connect to private subnet from internet
- 2 way to create NAT in AWS, one is NAT instance (Community AMIs), the other is NAT Gateway
- Create NAT
- VPC menu -> Create a NAT gateway
- Choose public subnet
- Allocate Elastic IP
- Update Route Table
- Open Route table for private subnet and add rule Destination: 0.0.0.0/0, Target: NAT Gateway
- https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/vpc-nat.html
Trouble Shoot
- ping
- ICMP(Internet Control Message Protocal)
- If server does not open ICMP, ping cannot reach
- traceroute
- ICMP
- Check routing table function
- telnet
- Check the port can be reached
- telnet [target] [port]
- nslookup, dig
- Request to solve domain
tools
- CloudWatch
- AWS Managed Service
コメント
コメントを投稿