Hi, Habr community!

Today I finally plucked up the courage, and found the time, to tell you about a wonderful service that Amazon Web Services provides: Virtual Private Cloud (VPC).
VPC is a service that lets you create private, isolated networks inside the Amazon public cloud. What does VPC give you?
- subnets with private (RFC 1918) addresses
- full control over addressing
- dynamic and convenient management of network devices and routing
- support for EC2, RDS, SQS, ElastiCache and other services
- much more
VPC has many internal concepts and terms; I will describe them in the order in which they are configured. Today, together with you, I will set up a VPC network spanning two Availability Zones, for greater fault tolerance.
VPC
So, in the console, go to VPC and create a new private cloud:

For example, I chose the /16 block 10.50.0.0/16, which contains 256 * 256 = 65536 addresses. We can also choose the Tenancy parameter: Default is the usual behaviour, your instances run on shared hardware wherever there is room. Dedicated runs your instances on hardware dedicated to your account, for an extra fee.
Subnets
The cloud is created; now we need to create subnets. The cloud is tied to a region and can contain many subnets (we have 65k addresses to spread around, after all), and each subnet is tied to a single Availability Zone within that region.
Subnets come in two kinds:
- private: no direct route to the Internet; they reach it only through a NAT host sitting in a public subnet
- public: have a route to an Internet Gateway, and their instances reach the Internet through an Elastic IP
So let's create two subnets in one zone, a private and a public one, and only a private one in the other zone, so that it looks like this:

Whether a subnet is private or public is decided later, by its route table, so for now we create three plain subnets:

And later we get what we wanted:

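To make the addressing concrete, here is an added example (my own code, not from the original article) that checks a subnet plan against the VPC block the way the console does: every subnet must lie inside 10.50.0.0/16 and no two may overlap. It also counts usable addresses, because AWS reserves five addresses in every subnet (the network address, .1 for the VPC router, .2 for DNS, .3 reserved, and the broadcast address), so a /24 gives 251 hosts, not 254. The zone names and the three /24 blocks are placeholders I chose for the example; only the /16 comes from the article.

```python
"""Plan subnets inside a VPC block the way the article does it by hand.

Added example, not code from the original article. Only the 10.50.0.0/16 VPC
block comes from the article; the Availability Zone names and the three /24
subnet CIDRs below are placeholders chosen for illustration.
"""
import ipaddress

# AWS reserves five addresses in every subnet: the network address, .1 (VPC
# router), .2 (DNS), .3 (reserved for future use) and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def vpc_address_count(vpc_cidr):
    """Total addresses in the VPC block (65536 for a /16)."""
    return ipaddress.ip_network(vpc_cidr).num_addresses


def validate_plan(vpc_cidr, subnets):
    """Check that each (az, role, cidr) lies inside the VPC and that no two
    subnets overlap, as the VPC console requires. Returns per-subnet facts."""
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = []
    plan = []
    for az, role, cidr in subnets:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            raise ValueError(f"{cidr} is outside the VPC block {vpc}")
        for other in seen:
            if net.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other}")
        seen.append(net)
        plan.append({
            "az": az,
            "role": role,
            "cidr": str(net),
            # the VPC router answers at the first usable address of the subnet
            "router": str(net.network_address + 1),
            "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        })
    return plan


def addresses_per_az(plan):
    """Usable addresses summed per zone: what survives if the other zone fails."""
    totals = {}
    for entry in plan:
        totals[entry["az"]] = totals.get(entry["az"], 0) + entry["usable"]
    return totals


# Placeholder layout: public + private in zone a, private only in zone b.
EXAMPLE_LAYOUT = [
    ("us-east-1a", "public", "10.50.1.0/24"),
    ("us-east-1a", "private", "10.50.2.0/24"),
    ("us-east-1b", "private", "10.50.3.0/24"),
]

if __name__ == "__main__":
    plan = validate_plan("10.50.0.0/16", EXAMPLE_LAYOUT)
    for entry in plan:
        print(entry)
    print(addresses_per_az(plan))
```

The overlap check is the one people trip over when they add a subnet by hand later: the console refuses a block such as 10.50.1.128/25 once 10.50.1.0/24 exists, and the script raises the same way.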
Internet gateway
As I mentioned earlier, a public subnet can have direct access to the Internet through a gateway.
An Internet Gateway is a virtual device that lets hosts that have an Elastic IP (EIP) reach the Internet, and be reached from it. Let's create a gateway and attach it to our cloud, so that it looks like this:

First, create the gateway:

Then attach the gateway to the cloud:

Route tables
How do we now point our public subnet at the newly created gateway? That is what route tables are for.
A route table is associated with one or more subnets and tells the VPC router where to send traffic for each destination prefix. The hosts see none of this: each has a single default route to the first address of its subnet (for example 10.50.1.1), which is the VPC router, and the VPC itself decides from the route table where the traffic goes next.
When the VPC is created, a main route table is created with it, and every new subnet uses that table by default; we leave it for the private subnets and create a new one:

Selecting the new table, at the bottom of the page we can see its contents. Let's create a default route to the Internet, 0.0.0.0/0, that goes through our Internet Gateway (note the /0: a prefix such as 0.0.0.0/24 would match only the addresses 0.0.0.0 to 0.0.0.255, and the rest of the Internet would stay unreachable):

Then associate our public subnet with this table:

Now let's launch an EC2 instance in our public subnet, give it an EIP, and assign it the private address 10.50.3.254 (we control the addresses!), so that it looks like this:

Start by creating an instance in EC2. The only difference from the usual flow is that you must choose VPC as the launch target and select the desired subnet:

While the instance is starting, let's allocate an EIP for VPC. It is done where EIPs are usually allocated; just choose VPC as the scope rather than EC2:

Network interfaces
When you create an instance in the VPC, a network interface is created for it automatically.
A network interface is a virtual network device that you can attach to an instance and manage separately from it: its private addresses, its EIP and its security groups. Network interfaces are managed from the EC2 console.
So, let's see what we got there:

Now let's assign the interface a second private address:
Now the interface has two private addresses. Next, let's associate the EIP with the interface:

That's all; our instance is reachable from outside:
$ telnet 107.23.210.139 22
Trying 107.23.210.139...
Connected to 107.23.210.139.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
NAT Instance
As mentioned earlier, private subnets should reach the Internet only through NAT, so let's turn our new instance into a NAT host. I also usually put OpenVPN on this instance in order to have access to the VPC.
Before touching the OS, disable the Source/Destination Check on the NAT instance in the EC2 console (it is an attribute of the instance and of its network interface). By default the VPC drops any packet an instance sends or receives whose addresses are not its own, which is exactly what a NAT host does, so without this step forwarded traffic never leaves the instance. The instance's security group also has to allow inbound traffic from 10.50.0.0/16.
1. Enable forwarding in /etc/sysctl.conf :
net.ipv4.ip_forward = 1
and apply it without a reboot:
sysctl -p
2. Allow forwarding in iptables and masquerade the VPC behind the instance's own address:
# accept packets from the VPC going out, and packets coming back in
iptables -t filter -A FORWARD -s 10.50.0.0/16 -j ACCEPT
iptables -t filter -A FORWARD -d 10.50.0.0/16 -j ACCEPT
# rewrite the source of outbound packets to eth0's address (the EIP is mapped to it 1:1)
iptables -t nat -A POSTROUTING -s 10.50.0.0/16 -o eth0 -j MASQUERADE
Note that the second FORWARD rule accepts any packet addressed into the VPC; a stricter setup would accept only RELATED,ESTABLISHED connections there.
Next, install and configure the OpenVPN server. Let's assume that we did all that and can now connect to the network.
Private subnets
How do the private subnets learn the way to the Internet? Easy: the same routes. Take the remaining (main) table and edit it: add a route for 0.0.0.0/0 whose target is our NAT instance:

Then associate this table with the two remaining subnets:

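Here is an added example (my own code, not from the original article) that models both route tables from the sections above: the public table with its default route to the Internet Gateway, and the main table with its default route to the NAT instance. The lookup is a longest-prefix match, as the VPC router does it, so it also shows why the implicit local route always wins for 10.50.0.0/16 and what happens if the default route is mistyped as 0.0.0.0/24. The gateway and instance IDs and the three subnet CIDRs are placeholders; only the 10.50.0.0/16 block comes from the article.

```python
"""Model the article's two route tables and resolve where a packet goes.

Added example, not code from the original article. The gateway and instance
IDs (igw-placeholder, i-nat-placeholder) and the three subnet CIDRs are
placeholders; only the 10.50.0.0/16 VPC block comes from the article.
"""
import ipaddress


class RouteTable:
    def __init__(self, name, vpc_cidr):
        self.name = name
        # Every VPC route table carries an implicit 'local' route for the VPC
        # block that cannot be removed.
        self.routes = [(ipaddress.ip_network(vpc_cidr), "local")]

    def add(self, cidr, target):
        self.routes.append((ipaddress.ip_network(cidr), target))
        return self

    def lookup(self, dst):
        """Longest-prefix match, as the VPC router does. None means there is
        no matching route and the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def forward_path(associations, instance_subnets, src_subnet, dst, max_hops=4):
    """Follow a packet from src_subnet towards dst across route tables.
    When a route points at an instance (the NAT host), the packet is routed
    again from that instance's own subnet. Returns the list of targets hit."""
    path = []
    subnet = src_subnet
    for _ in range(max_hops):
        target = associations[subnet].lookup(dst)
        path.append(target)
        if target in instance_subnets:
            subnet = instance_subnets[target]
        else:
            return path
    return path


VPC = "10.50.0.0/16"
IGW = "igw-placeholder"
NAT = "i-nat-placeholder"

# Route table for the public subnet: default route via the Internet Gateway.
PUBLIC = RouteTable("public", VPC).add("0.0.0.0/0", IGW)
# Main route table, kept for the private subnets: default route via the NAT instance.
PRIVATE = RouteTable("main", VPC).add("0.0.0.0/0", NAT)
# The mistake to avoid: 0.0.0.0/24 covers only 0.0.0.0 to 0.0.0.255.
BROKEN = RouteTable("broken", VPC).add("0.0.0.0/24", IGW)

ASSOCIATIONS = {
    "10.50.1.0/24": PUBLIC,    # public subnet, zone a
    "10.50.2.0/24": PRIVATE,   # private subnet, zone a
    "10.50.3.0/24": PRIVATE,   # private subnet, zone b
}
INSTANCE_SUBNETS = {NAT: "10.50.1.0/24"}   # the NAT host lives in the public subnet

if __name__ == "__main__":
    print(forward_path(ASSOCIATIONS, INSTANCE_SUBNETS, "10.50.3.0/24", "8.8.8.8"))
    print(forward_path(ASSOCIATIONS, INSTANCE_SUBNETS, "10.50.3.0/24", "10.50.1.5"))
    print(BROKEN.lookup("8.8.8.8"))
```

The two-hop path for a private host (NAT instance, then Internet Gateway) is exactly why the NAT instance has to sit in the public subnet and carry an EIP: its own subnet's table is what finally sends the masqueraded packet to the gateway.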
Conclusion
That's all. Now we can create instances in our private subnets that will be reachable only through OpenVPN. Direct access to them can be opened through an Elastic Load Balancer exposed to the outside. The network can later grow into something as simple and yet interesting as this:

VPC has many more nuances, for example the VPN to your own data center that AWS offers, and a heap of fine details, but the overall conclusion is clear: with VPC you can build a resilient private cloud on AWS.
Questions?