Transcript of "AWS meetup: managed_nat" (uploaded by adam-book, category: Technology)
AWS Managed NAT & VPC Network Troubleshooting
Managing Windows instances in the Cloud
Sponsors
Presented by Adam Book from
Find me on LinkedIn
News Recap 2014
NAT Gateway vs NAT Instance: Comparison

Availability
  NAT Gateway: Highly available. NAT Gateways in each Availability Zone are implemented with redundancy. *
  NAT Instance: Use a script to manage failover between instances.

Bandwidth
  NAT Gateway: Supports bursts of up to 10 Gbps.
  NAT Instance: Instance type and size dependent.

Maintenance
  NAT Gateway: Managed by AWS.
  NAT Instance: Managed by you: installing software updates, system patches etc.

Performance
  NAT Gateway: Software is optimized for handling NAT traffic.
  NAT Instance: A generic Amazon Linux AMI that's configured to perform NAT.

Cost
  NAT Gateway: Charged depending on the number of NAT Gateways you use, duration of use and amount of data sent.
  NAT Instance: Charged depending on the number of NAT instances used, duration of use and size.

Public IP addresses
  NAT Gateway: Choose the Elastic IP address to associate with the Gateway during creation.
  NAT Instance: Use an Elastic IP or public IP address with a NAT instance. You can change the IP by associating a new Elastic IP address.

Security Groups
  NAT Gateway: Cannot be associated with a NAT Gateway; associate them with your resources behind the Gateway.
  NAT Instance: Can be associated with the NAT instance and the instances behind the NAT.

Flow Logs
  NAT Gateway: Use Flow Logs to capture the traffic.
  NAT Instance: Use Flow Logs to capture the traffic.

Bastion Servers
  NAT Gateway: Not supported.
  NAT Instance: A generic Amazon Linux AMI that's configured to perform NAT.

Traffic metrics
  NAT Gateway: Not supported.
  NAT Instance: View CloudWatch metrics.
What about pricing? (NAT Gateway)

Region Name                 Price per Hour ($)   Price per GB data processed ($)
US East (N. Virginia)       0.045                0.045
US West (Oregon)            0.045                0.045
US West (N. California)     0.048                0.048
EU (Ireland)                0.048                0.048
EU (Frankfurt)              0.052                0.059
Asia Pacific (Singapore)    0.059                0.059
Asia Pacific (Tokyo)        0.062                0.062
Asia Pacific (Sydney)       0.059                0.059
* Prices as of 3/21/2016
What about pricing? NAT Gateway vs NAT Instance (t2.small)

Region Name                 NAT Gateway Price per Hour ($)   t2.small Price per Hour ($)
US East (N. Virginia)       0.045                            0.026
US West (Oregon)            0.045                            0.026
US West (N. California)     0.048                            0.034
EU (Ireland)                0.048                            0.028
EU (Frankfurt)              0.052                            0.03
Asia Pacific (Singapore)    0.059                            0.04
Asia Pacific (Tokyo)        0.062                            0.04
Asia Pacific (Sydney)       0.059                            0.04
* Prices as of 3/21/2016
Old NAT HA Architecture
Previously, in the old HA NAT architecture, one way of doing it would be to have a NAT instance in each AZ and then have a script on each that checked the heartbeat of the other, i.e. monitored the other instance's status and took over its routes on failure.
Creating the NAT Gateway
For more info http://docs.aws.amazon.com/cli/latest/reference/ec2/create-nat-gateway.html
If you would like to create your NAT Gateway via the CLI then use the following syntax:

$ aws ec2 create-nat-gateway --subnet-id subnet-1a2bc34d --region eu-west-1

Below is an example of how to create a NAT Gateway with an EIP (Elastic IP). First allocate the address and note the AllocationId in the response:

$ aws ec2 allocate-address --domain vpc --region us-west-2 --profile myprofile
{
  "PublicIp": "52.54.70.124",
  "Domain": "vpc",
  "AllocationId": "eipalloc-d1e648b5"
}

Then pass that allocation ID when creating the gateway. The gateway is returned in the "pending" state and must become "available" before it forwards traffic:

$ aws ec2 create-nat-gateway --subnet-id subnet-1a2bc34d --allocation-id eipalloc-d1e648b5 --region us-west-2 --profile myprofile
{
  "NatGateway": {
    "NatGatewayAddresses": [
      { "AllocationId": "eipalloc-37fc1a52" }
    ],
    "VpcId": "vpc-1122aabb",
    "State": "pending",
    "NatGatewayId": "nat-08d48af2a8e83edfd",
    "SubnetId": "subnet-1a2b3c4d",
    "CreateTime": "2015-12-17T12:45:26.732Z"
  }
}
Creating with CloudFormation

"NAT" : {
  "DependsOn" : "VPCGatewayAttach",
  "Type" : "AWS::EC2::NatGateway",
  "Properties" : {
    "AllocationId" : { "Fn::GetAtt" : ["EIP", "AllocationId"] },
    "SubnetId" : { "Ref" : "Subnet" }
  }
},
"EIP" : {
  "Type" : "AWS::EC2::EIP",
  "Properties" : { "Domain" : "vpc" }
},
"Route" : {
  "Type" : "AWS::EC2::Route",
  "Properties" : {
    "RouteTableId" : { "Ref" : "RouteTable" },
    "DestinationCidrBlock" : "0.0.0.0/0",
    "NatGatewayId" : { "Ref" : "NAT" }
  }
}
Migrating to a NAT Gateway: Demo Time
Photo courtesy of Stephen Radford via http://snap.io

Have you ever dealt with: "My private instance can't reach the internet"?
Image by http://www.gratisography.com/

First Steps
Check to make sure your route tables are intact for your private routes: the private subnet's route table needs a 0.0.0.0/0 route pointing at the NAT (gateway or instance), and the NAT itself must sit in a subnet whose 0.0.0.0/0 route points at the internet gateway.
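The route-table check above, as an added example that is not part of the talk: it walks the JSON shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` (constructed inline here instead of calling the CLI, so it runs offline; all IDs are made-up placeholders) and reports the usual reasons a private instance has no path out of the VPC.

```python
"""Offline sanity check of the routing behind a private subnet (added example)."""

# Constructed sample in the describe-route-tables / describe-nat-gateways shape.
ROUTE_TABLES = {
    "RouteTables": [
        {   # main table, used by the public subnet: default route to the internet gateway
            "RouteTableId": "rtb-public01", "VpcId": "vpc-example",
            "Associations": [{"Main": True}, {"SubnetId": "subnet-public01"}],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                       {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}],
        },
        {   # healthy private table: default route to the NAT gateway
            "RouteTableId": "rtb-private01", "VpcId": "vpc-example",
            "Associations": [{"SubnetId": "subnet-private01"}],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                       {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example01", "State": "active"}],
        },
        {   # broken private table: no default route at all
            "RouteTableId": "rtb-private02", "VpcId": "vpc-example",
            "Associations": [{"SubnetId": "subnet-private02"}],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
        },
    ]
}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-example01", "SubnetId": "subnet-public01", "VpcId": "vpc-example", "State": "available"},
]}


def route_table_for_subnet(route_tables, subnet_id):
    """Table explicitly associated with the subnet, else the VPC's main table."""
    main = None
    for rtb in route_tables["RouteTables"]:
        for assoc in rtb["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route(rtb):
    """The 0.0.0.0/0 route of a table, or None when there is none."""
    return next((r for r in rtb["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def check_private_egress(route_tables, nat_gateways, private_subnet_id):
    """Return a list of findings; an empty list means the routing looks intact."""
    findings = []
    rtb = route_table_for_subnet(route_tables, private_subnet_id)
    if rtb is None:
        return [f"{private_subnet_id}: no route table found"]
    route = default_route(rtb)
    if route is None:
        return [f"{rtb['RouteTableId']}: no 0.0.0.0/0 route, instances cannot leave the VPC"]
    if route.get("State") != "active":
        findings.append(f"{rtb['RouteTableId']}: default route state is {route.get('State')} (blackhole?)")
    nat_id = route.get("NatGatewayId")
    if nat_id is None:
        if route.get("GatewayId", "").startswith("igw-"):
            findings.append(f"{rtb['RouteTableId']}: default route goes to an internet gateway, "
                            "so this is a public subnet, not a private one")
        else:
            findings.append(f"{rtb['RouteTableId']}: default route target is not a NAT gateway: {route}")
        return findings
    nat = next((n for n in nat_gateways["NatGateways"] if n["NatGatewayId"] == nat_id), None)
    if nat is None:
        return findings + [f"{nat_id}: referenced by the route but does not exist"]
    if nat["State"] != "available":
        findings.append(f"{nat_id}: state is {nat['State']}, not available")
    # The NAT gateway's own subnet must default-route to an internet gateway.
    nat_rtb = route_table_for_subnet(route_tables, nat["SubnetId"])
    nat_route = default_route(nat_rtb) if nat_rtb else None
    if nat_route is None or not nat_route.get("GatewayId", "").startswith("igw-"):
        findings.append(f"{nat_id}: its subnet {nat['SubnetId']} has no 0.0.0.0/0 route to an internet gateway")
    return findings


if __name__ == "__main__":
    for subnet in ("subnet-private01", "subnet-private02", "subnet-public01"):
        print(subnet, check_private_egress(ROUTE_TABLES, NAT_GATEWAYS, subnet) or "OK")
```

Feeding it real output is a matter of `json.load`-ing the two CLI responses in place of the constructed dictionaries; the function deliberately resolves the main route table for subnets with no explicit association, since that implicit fallback is where misrouted private subnets usually hide.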
Tips if you are using a NAT Instance
By default the Amazon Linux instance does not have telnet installed.
It does however have NetCat, which can provide instant troubleshooting abilities:

nc 10.0.0.22 22 &> /dev/null; echo $?

Will output 0 if port 22 is open, and 1 if it's closed.
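The same reachability probe, as an added example (not from the talk) written in Python with `socket.create_connection` instead of netcat. It adds the distinction that the bare exit code hides: a "refused" result means the host answered and nothing is listening, while a "timeout" means the packets were silently dropped, which in a VPC usually points at a security group, network ACL or route rather than at the service. The host/port values are constructed for the demonstration.

```python
"""TCP reachability probe with a timeout (added example)."""
import errno
import socket


def tcp_probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable'.

    refused     -> host sent RST: reachable, nothing listening (nc would exit 1)
    timeout     -> no answer at all: typically security group, NACL or routing
    unreachable -> this host has no route to the destination at all
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise


def local_listener():
    """Open a listener on an ephemeral localhost port (constructed test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = local_listener()
    port = srv.getsockname()[1]
    print("while listening:", tcp_probe("127.0.0.1", port))   # open
    srv.close()
    print("after closing:  ", tcp_probe("127.0.0.1", port))   # refused
```

When troubleshooting a NAT instance, run the probe from the private instance against the NAT's private address and then against an internet address; "refused" from the NAT but "timeout" to the internet narrows the problem to the NAT's own forwarding (source/dest check, iptables, or its public route).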
Other ways of using NetCat
Try using netcat to listen on a port and then connect from your other instance using telnet (listening on port 80 requires root):

nc -l 80
See if you can reach the outside world
Try using nslookup to see if you can get out and get a response for a known DNS name:

nslookup google.com
Server:    10.0.0.2
Address:   10.0.0.2#53

Non-authoritative answer:
Name:      google.com
Address:   216.58.193.78

Make sure that the source/dest check is set to FALSE on the NAT instance; with it enabled, EC2 drops any packet whose source or destination is not the instance itself, which is exactly the traffic a NAT forwards.
VPC Flow Logs include
1) Information about allowed and denied traffic (based on security group and ACL rules)
2) Source and destination addresses
3) Ports and protocol number
4) Packet and byte counts

VPC Flow Logs don't include
1) Traffic to Amazon DNS servers
2) Windows license activation traffic for licenses provided by Amazon
3) Requests for instance metadata
4) DHCP requests or responses
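As an added example (not from the talk), here is a small parser for the fields listed above, run over constructed flow log records in the default field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). It summarises REJECTed flows and separates the ones the private instance itself initiated, which is the "can't reach the internet" symptom. Note that, consistent with the list above, no record for the DNS lookups to 10.0.0.2 will ever appear in this data, so a missing DNS flow is not evidence of a block. The account, interface and address values are made up.

```python
"""Summarise VPC Flow Log records to spot rejected traffic (added example)."""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records for the ENI of a private instance, 10.0.1.20.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.20 93.184.216.34 47120 443 6 12 3480 1458500000 1458500060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 93.184.216.34 10.0.1.20 443 47120 6 10 9200 1458500000 1458500060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.22 10.0.1.20 51522 22 6 1 60 1458500000 1458500060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.0.22 10.0.1.20 51523 22 6 1 60 1458500000 1458500060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.7 39000 80 6 3 180 1458500000 1458500060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1458500060 1458500120 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per record, skipping windows with no captured traffic."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA carry no traffic fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def reject_summary(records):
    """Count REJECTed flows by (srcaddr, dstaddr, dstport, protocol)."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["protocol"])] += 1
    return counts


def egress_rejects(records, local_addr):
    """Rejected flows that the instance itself started: outbound access is being blocked."""
    return [rec for rec in records if rec["action"] == "REJECT" and rec["srcaddr"] == local_addr]


if __name__ == "__main__":
    records = list(parse_flow_log(SAMPLE_LOG))
    for (src, dst, port, proto), n in reject_summary(records).most_common():
        print(f"{n:3d} x REJECT {src} -> {dst}:{port} proto {proto}")
    for rec in egress_rejects(records, "10.0.1.20"):
        print("outbound rejected:", rec["dstaddr"], rec["dstport"])
```

A REJECT for a flow the instance initiated is recorded by the security group or network ACL on that ENI, so an outbound reject here means the block is local to the instance's subnet, not at the NAT; if the flow shows ACCEPT but the connection still fails, look at the NAT's own ENI and route table next.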
Turning on VPC Flow Logs
For more info http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

First Step: Create a Role that can publish to CloudWatch Logs, with this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Second Step: From the AWS Console, go to CloudWatch, choose Logs, then Actions, then Create Log Group.

Third Step: From the AWS Console, go to VPC, choose your VPC, then Actions, then Create Flow Log.
VPC Flow Log Limitations
• You cannot enable flow logs for network interfaces that are in the EC2-Classic platform.
• You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
• You cannot tag a flow log.
• After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log.
• If your network interface has multiple IP addresses and traffic is sent to a secondary private IP address, the flow log displays the primary IP address in the destination IP address field.
Questions?
Image by http://www.gratisography.com/