@Millward2000
Created September 21, 2022 16:42
Networking Notes
================
VPC Basics
- dual-stack: IPv4 and IPv6 side by side on the same VPC and subnets
- IPv6 layout follows the IPv4 one: the Amazon-provided VPC CIDR is a /56 and each IPv4 subnet gets one /64
- dedicated or default tenancy
- 5 addresses reserved per subnet: .0 (network), .1 (VPC router), .2 (DNS), .3 (future use) and the last address (broadcast, unused in a VPC but still reserved)
- number of tiers and AZs affect subnet design
- implicit router uses the .1 address
- DNS uses .2 (the Route 53 Resolver actually sits at the VPC CIDR base +2, but the .2 address is reserved in every subnet)
- future proofing/testing - .3
- main route table vs custom route tables
- local, static and dynamic (propagated) routes
- route priority is implicit
- longest prefix match wins first
- route priority and propagated routes
- static beats propagated only when the destination CIDR is identical; a propagated route with a longer prefix still wins on longest prefix match
- priority and prefix lists
- propagated routes that reference a prefix-list take priority (unless there is a longest match)
- multiple prefix lists with overlapping CIDR blocks pointing at different targets: AWS picks one route at random and keeps using it (sticky), so do not design around it
- route-types
- AWS Outposts local gateway - lgw-xxx
- Peering connection - pcx-xxx
- VGW
- IGW
- NAT Device
- NAT Gateway - nat-xxx
- longest prefix match to direct specific traffic away from NAT Gateway
- VPCE
- route is automatically inserted based on a prefix-list (pl-xxx)
- Egress-Only gateway (IPv6) - eigw-id
- Transit-Gateway (tgw-id)
- tgw-attach-xxxx is used for VPC attachments in TGW Route Tables
- tgw-id is used in VPC to route to TGW
- Prefix-List
- good for referencing common sets of CIDR blocks
- destination would be a pl-xxxx with an appropriate target
- VPN Routing
- BGP routes propagated from Direct Connect
- manually added static routes for a S2S VPN
- BGP propagated routes for a S2S VPN
- for matching prefixes AWS prefers DX-propagated routes, then VPN static routes, then VPN BGP routes
- between BGP routes the shorter AS path wins
- same AS path length and same first AS: lower MED wins
- MiddleBox Routing
- specific prefix routed to ENI of appliance - eni-....
- with the middlebox routing wizard, tags will be created for you with an Origin Key and value of "Middlebox wizard"
- Use a GWLB
- specific route pointing to vpc-endpoint-id will be used to forward traffic to the GWLB
- GWLB configured as a service with a VPC Endpoint service configuration
- you then create a GWLB endpoint in your VPC to connect your VPC to the service
- Multiple middleboxes addressed with multiple nat-gateway appliances
- ENI
- primary IPv4 address, primary IPv6 address, plus optional secondary addresses
- cannot detach the primary ENI (eth0) from an instance
- multiple ENIs for dual-homed entities (one ENI per subnet)
- additional ENIs can be attached/detached hot (running), warm (stopped) or cold (at launch)
- SGs are associated with ENIs, not with instances
- ENI must be in the same AZ as the instance
- NIC teaming/bonding for bandwidth is not supported (ECS ENI trunking in awsvpc mode increases task ENI density, it is not teaming)
- ENA
- up to 100 Gbps on supported instance types
- EFA
- OS-bypass hardware for HPC/MPI workloads; all EFA members must be in a single subnet
- NCCL uses EFA for GPU-to-GPU collectives within a node or across nodes
- EIPs
- default quota of 5 per Region (can be increased)
- charged while allocated but not associated with a running instance
- you own the EIP until you explicitly release it
- SGs
- up to 5 per ENI (default quota, can be increased up to 16)
- 60 inbound and 60 outbound rules per SG (default, can be increased)
- SGs per ENI multiplied by rules per SG must not exceed 1000
- allow rules only; anything not allowed is implicitly denied
- stateful: return traffic is allowed automatically
- NACLs
- stateless, allow and deny rules, evaluated in rule-number order
- every subnet is associated with exactly one NACL (the default NACL allows all, a new custom NACL denies all)
- NAT Instances
- HA - use an ASG for steady state (min/max/desired = 1)
- disable the source/destination check on the instance or it will drop forwarded packets
- NAT Gateway
- fully managed and tied to one AZ
- create a separate NAT Gateway in each AZ (in a public subnet) so an AZ failure does not take out egress for the others
- can now be private (uses a private IP and cannot route to an IGW)
- Supports NAT64
- 64:ff9b::/96 prefix
- allows your IPv6-only services to reach IPv4-only services in other subnets, connected VPCs, on-premises networks or over the Internet
- Supports DNS64
- enabled per subnet
- allows your IPv6-only workloads to resolve names through the Route 53 Resolver
- if the record has an IPv6 (AAAA) address, that is returned
- if there is no IPv6 address, one is synthesized from the A record under the 64:ff9b::/96 prefix
- the client then sends packets to the synthesized address and the NAT Gateway translates them to IPv4
- VPC Endpoints
- gateway
- works by inserting a route whose destination is the service prefix list (pl-xxx) into the route tables you select; S3 and DynamoDB only
- S3
- restrict the bucket policy with aws:SourceVpc / aws:SourceVpce conditions so only your VPC or endpoint can use it
- cheaper than an interface endpoint (for S3)
- interface
- works by private DNS: inside the VPC the service hostname resolves to the endpoint ENI's private IPs; otherwise use the endpoint-specific DNS name
- VPC Peering
- VPC Flow Logs
- some delay, not real time
- captures metadata only, not packet payloads
- traffic to a secondary IP is logged with the primary IP in dstaddr (the pkt-srcaddr/pkt-dstaddr fields of a custom format show the real addresses)
- only private IP addresses appear in srcaddr/dstaddr
- HPC
- enhanced networking
- cluster placement group
- enhanced networking and jumbo frames
- 9001 MTU inside the VPC (traffic through an Internet Gateway or to another Region is limited to 1500 and larger packets get fragmented)
- MTU can also be set to 9001 on private VIFs when connecting to on-premises over DX
X-Ray
- reads the X-Forwarded-For header automatically to record the client IP
CloudHSM
- provides SSL/TLS offload
- CloudHSM controls and has sole access to the private key; it never leaves the HSM
- the public key (in the server certificate) is sent from the server to the client; the handshake's private-key operation (decrypting the encrypted pre-master secret for RSA key exchange, or signing for ECDHE) is performed inside the HSM
VPC Peering Scenario
- two spoke VPCs with overlapping CIDRs peered to one hub VPC
- two different EC2 instances in the hub VPC each need access to a different spoke
- works if each instance sits in its own subnet with a route table that points the overlapping prefix at the right peering connection (pcx-xxx)
VPN CloudHub
- Supports VPN communication between branches, with or without a VPC requirement
BGP
- cannot use eBGP multihop on a VGW (the peer must be directly reachable)
- AS path prepending and local preference communities for primary/secondary
- 7224:7300 is high preference
- 7224:7200 is medium preference
- 7224:7100 is low preference
- 100 prefix limit; use summaries to stay within it
- exceeding the limit resets the session (it goes idle) by default
CloudFront with Lambda@Edge gives edge computing features and low-latency benefits
WAF
- supports geo match conditions to block traffic from denylisted countries
S2S VPN Configuration Options
- PSK / DPD / DH group (per tunnel)
- no support for PMTUD, so clamp TCP MSS on the customer gateway
DHCP Options Set
- an existing option set cannot be edited: create a new one and associate it with the VPC
- force a lease renewal on the instances to pick up the new options without waiting for the lease to expire
DX
- Public VIF
- can connect to non-VPC (public) services
- can access public AWS resources in any Region
- receives Amazon's global IP routes
- Private VIF
- connect to VPC services
- connect to a DX Gateway, then associate the DX Gateway with one or more VGWs in any Region
- connect to multiple Amazon VPCs in any AWS Region
- MTU of 1500 or 9001 (jumbo)
- Transit VIF
- MTU of 1500 or 8500
- changing the MTU is disruptive
- connect multiple VPCs in the same or different AWS accounts over DX
- associate up to three Transit Gateways in any AWS Region with a DX Gateway
- attach VPCs in the same Region to the Transit Gateway to reach multiple VPCs across accounts in that Region
- Hosted VIF
- has a different virtual interface owner (account ID) from the connection owner
- APN partners provision these for their customers
- like a private VIF, associated with a VLAN and a BGP ASN
DX-Gateway use-case
- Access public AWS services and multiple regional VPCs
- public VIF for AWS services
- DX Gateway and multiple private VIFs for VPC related access
Transit Gateway and third party SD-WAN
- uses a GRE tunnel as the high-performance attachment point
- uses BGP for dynamic routing
- two BGP peers for redundancy
- create a Connect attachment
- create one or more GRE tunnels (Transit Gateway Connect peers)
- establish BGP over both tunnels for redundancy
- inside CIDR block: a /29 from 169.254.0.0/16 (the reserved blocks 169.254.0.0/29 through 169.254.5.0/29 and 169.254.169.248/29 cannot be used) or a /125 from fd00::/8
- first address of the block is used on the appliance side; the Transit Gateway uses the next two for its BGP peers
- inside CIDR blocks must be unique per Connect attachment
- eBGP
- eBGP multihop with a TTL of 2
- iBGP
- will only install routes originated outside the common ASN
- MP-BGP
- IPv4/IPv6
- peering is only over IPv4, but IPv6 prefixes can be exchanged
- keep-alive 30 seconds, hold timer 90 seconds
- can use an existing VPC or DX attachment as the underlying transport
- GRE traffic is matched on the required source and destination addresses (the tunnel endpoints)
- any other traffic is treated as belonging to the transport attachment
VPC Endpoint with KMS
- KMS supports interface endpoints
- with private DNS hostnames and AmazonProvidedDNS the standard KMS hostname resolves to the endpoint, so no endpoint URL is needed
- key policies support the aws:SourceVpce / aws:SourceVpc condition keys to require use of the endpoint
DNS and Conditional Forwarders
- on-prem AD needs to resolve AWS private resources
- create a trust relationship between on-prem AD and AWS Managed Microsoft AD
- set the domain-name-servers field in a new DHCP options set to the AWS-based domain controllers
OR
- statically assign the AD DNS servers on Windows instances
- create a conditional forwarder so that requests for the Route 53 private hosted zone are sent to the VPC-provided DNS
- that is the VPC CIDR base +2 (for example CIDR 10.10.0.0/16 uses 10.10.0.2)
- you can also add a forwarder on the AWS AD to point to the on-prem DNS server
DNS on-premises BIND
- configure a conditional forwarder to send requests to the VPC DNS (from on-prem this means an inbound Route 53 Resolver endpoint, the .2 address is not reachable outside the VPC)
- set up a private hosted zone in Route 53
- ensure enableDnsHostnames and enableDnsSupport are on in the VPC settings
EKS Load-Balancer Controller
- Supports ALB or NLB
- ALB with Ingress
- NLB with service-type Load-Balancer
MTU Notes
- AWS Site-to-Site (managed) VPN uses an MTU of 1500
- if both DX and the managed VPN advertise the same route, 1500 will be used
- jumbo frames only apply to routes propagated from DX; static routes pointing to a VGW use a 1500 MTU
- two VIFs advertising the same route with different MTUs result in a 1500 MTU
DX LAG
- logical interface created with LACP to aggregate multiple connections at a single DX endpoint
- create a LAG from existing or new connections
- associate the individual links with the LAG
- can enforce the minimum number of active links required for the LAG to be operational (0 by default)
- Rules
- same bandwidth on every connection
- max of four connections
- all connections must terminate at the same DX endpoint
DX MACsec
- uses a pre-shared key pair to establish connectivity between the on-premises router and the DX connection port
- CKN/CAK - Connectivity Association Key Name and Connectivity Association Key, from which the MACsec session keys are derived
- can define policies on the customer side
- should_encrypt (optional)
- must_encrypt
- no_encrypt
Storage Gateway and DX Connectivity
- Uses public endpoints
- use a public VIF
- can be in different regions
NLB subtleties
- instance targets - the client source IP address is preserved
- IP targets
- with TCP and TLS listeners the source is the load balancer node's private IP unless client IP preservation is enabled on the target group
- use proxy protocol v2 to carry the original client IP (and the PrivateLink endpoint ID) to the target
- UDP and TCP_UDP listeners always preserve the original client IP
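Proxy protocol v2 as mentioned above is a binary prefix on the TCP stream, so the target has to parse it before reading the application payload. The following is an added example, not AWS or HAProxy code: it encodes and decodes a v2 header of the kind an NLB prepends, including the AWS TLV (type 0xEA, subtype 0x01) that carries the PrivateLink endpoint ID. All addresses, ports and IDs are constructed.

```python
import struct
import ipaddress
from typing import Optional

# Added example, not AWS or HAProxy code: encode and decode a PROXY protocol v2
# header of the kind an NLB prepends when proxy protocol v2 is enabled, including
# the TLV (type 0xEA, subtype 0x01) that carries the PrivateLink endpoint ID.
# All addresses, ports and IDs used below are constructed.

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION = 0x20
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x00, 0x01
PP2_FAM_INET, PP2_FAM_INET6 = 0x10, 0x20
PP2_PROTO_STREAM = 0x01
PP2_TYPE_AWS = 0xEA              # AWS vendor TLV
PP2_SUBTYPE_AWS_VPCE_ID = 0x01   # value = subtype byte + endpoint ID


def build_proxy_v2(src: str, dst: str, sport: int, dport: int,
                   vpce_id: Optional[str] = None) -> bytes:
    """Build the header the load balancer would send (used here to make sample input)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    fam = PP2_FAM_INET if s.version == 4 else PP2_FAM_INET6
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    if vpce_id is not None:
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    head = struct.pack("!BBH", PP2_VERSION | PP2_CMD_PROXY, fam | PP2_PROTO_STREAM, len(body))
    return PP2_SIGNATURE + head + body


def parse_proxy_v2(data: bytes) -> dict:
    """Parse the header at the start of data; 'header_len' is where the payload begins."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    body = data[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    info = {"command": "LOCAL" if ver_cmd & 0x0F == PP2_CMD_LOCAL else "PROXY",
            "header_len": 16 + length}
    if info["command"] == "LOCAL":   # the proxy's own health check: no address block to trust
        return info
    fam = fam_proto & 0xF0
    if fam == PP2_FAM_INET:
        alen, cls = 4, ipaddress.IPv4Address
    elif fam == PP2_FAM_INET6:
        alen, cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError("unsupported address family")
    if length < 2 * alen + 4:
        raise ValueError("address block too short")
    info["src_addr"] = str(cls(body[:alen]))
    info["dst_addr"] = str(cls(body[alen:2 * alen]))
    info["src_port"], info["dst_port"] = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    tlvs = body[2 * alen + 4:]
    while tlvs:                      # optional TLVs follow the address block
        if len(tlvs) < 3:
            raise ValueError("truncated TLV")
        tlv_type, tlv_len = struct.unpack("!BH", tlvs[:3])
        value, tlvs = tlvs[3:3 + tlv_len], tlvs[3 + tlv_len:]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV value")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            info["vpce_id"] = value[1:].decode("ascii")
    return info


if __name__ == "__main__":
    sample = build_proxy_v2("203.0.113.10", "10.0.0.5", 45000, 443, "vpce-0123456789abcdef0")
    print(parse_proxy_v2(sample + b"GET / HTTP/1.1\r\n"))
```

Only honour the header on listeners that can be reached exclusively through the NLB (security group allowing the NLB subnets only): anything that can open a TCP connection to the target directly can forge a PROXY header and therefore a client IP. The vpce_id TLV is what tells a PrivateLink provider which consumer endpoint a connection came through, since every consumer otherwise arrives from the same NLB-side addresses.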
X-Forwarded-For
- is a header containing the sequence of IP addresses a request has passed through
- the leftmost entry is supposed to be the original client, but the client can send the header itself, so only the entries appended by proxies you control can be trusted
- good for identifying a user's geolocation (once you know which entry to trust)
- nginx and other web servers expose the direct peer as $remote_addr and append it to the header with $proxy_add_x_forwarded_for; the realip module can replace $remote_addr from the header for listed trusted proxies
- each proxy appends to the existing X-Forwarded-For value
- also note the standardized replacement that carries multiple values per hop: Forwarded (RFC 7239)
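The safe way to read these headers follows from the note above: walk the chain from the right and skip only the hops you operate, because everything further left may have been written by the client. This is an added example, not nginx, ALB or RFC reference code; TRUSTED_PROXIES is an assumed value standing in for the load balancer ranges in front of the service, and the header values are constructed.

```python
import ipaddress
import re
from typing import Optional

# Added example, not nginx, ALB or RFC reference code: recover the client address
# from X-Forwarded-For or Forwarded (RFC 7239) by walking the chain from the right
# and skipping only the proxies you operate. TRUSTED_PROXIES is an assumed value
# for the load balancer / proxy ranges in front of this service.

TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

_FORWARDED_FOR = re.compile(r'for=(?:"([^"]*)"|([^;,\s]+))', re.IGNORECASE)


def parse_xff(header: str) -> list[str]:
    """X-Forwarded-For: client, proxy1, proxy2, ... (each hop appends the peer it saw)."""
    return [h.strip() for h in header.split(",") if h.strip()]


def parse_forwarded(header: str) -> list[str]:
    """RFC 7239 Forwarded: the for= node identifiers in order, ports and brackets removed."""
    return [_strip_port(quoted or bare) for quoted, bare in _FORWARDED_FOR.findall(header)]


def _strip_port(node: str) -> str:
    if node.startswith("[") and "]" in node:   # "[2001:db8::1]:4711" or "[2001:db8::1]"
        return node[1:node.index("]")]
    if node.count(":") == 1:                   # "198.51.100.7:1234"
        return node.split(":")[0]
    return node                                # plain IPv4, bare IPv6, or an obfuscated token


def client_ip(chain: list[str], trusted=None) -> Optional[str]:
    """Rightmost address in the chain that is not one of our own proxies.

    Everything left of it was supplied by the client or by hops we do not
    control and may be forged, so it is ignored. If every hop is ours, the
    leftmost entry is what our first proxy saw. A non-address token in the
    position we would trust returns None rather than a guess.
    """
    trusted = TRUSTED_PROXIES if trusted is None else trusted
    for node in reversed(chain):
        try:
            ip = ipaddress.ip_address(node)
        except ValueError:
            return None
        if not any(ip in net for net in trusted):
            return str(ip)
    return chain[0] if chain else None


if __name__ == "__main__":
    # constructed: the client forged a first hop, our LB (10.0.0.5) appended the real peer
    print(client_ip(parse_xff("198.51.100.7, 203.0.113.9, 10.0.0.5")))  # 203.0.113.9
```

If a CDN or a partner's proxy sits in front of your load balancer, add its ranges to the trusted list; otherwise its appended entry is (correctly) treated as the client.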
Lambda in a VPC
- creates ENIs in your VPC
- requires subnet IDs and SG IDs
- can attach to multiple subnets
- Hyperplane ENIs
- multiple execution environments share one Hyperplane ENI
- the execution environment's IP is NATed to the Hyperplane ENI's private IP (from your VPC CIDR block)
- each unique subnet and SG combination uses a different ENI
- functions stay in a pending state (and invocations fail) until the interface is ready
- Hyperplane ENIs that have not been used for a few weeks are reclaimed
- removing the VPC configuration can take up to 20 minutes
- the Lambda ENI Finder utility lists functions (or function versions) using a particular ENI
- grant outbound-only Internet access with a NAT Gateway
- deploy in a private subnet
- VPC endpoints are an alternative to a NAT Gateway for reaching other AWS services
- IAM condition keys (lambda:VpcIds, lambda:SubnetIds, lambda:SecurityGroupIds) can require a VPC and restrict which subnets/SGs a function may use
CloudFront
- Origin Protocol Policy options
- Match Viewer
- HTTP
- HTTPS
Route 53 and DNSSEC
- the zone's public key (as a DS record) is given to the domain registrar, which forwards it to the TLD
- records are signed with the private key; resolvers validate the signatures with the public key published in the zone, chained from the DS record at the parent
- up to 13 DS records for .com and .net and 4 for other TLDs
- keys can be rotated
- wait up to 3 days after adding new keys before deleting the old ones so cached signatures expire
RDS Encryption for MS SQL Server
- supports Transparent Data Encryption (TDE)
- encrypts data before writing to storage, decrypts when read
- Defined as part of an option group setting
Network Access Analyzer
- identifies unintended network access to your resources
- three-step process:
- create a network access scope
- can include and exclude paths (VPC, IGW, VPCE, TGW, ...)
- you get a "nis-xxxxx" resource handle
- analyze the scope
- takes a few minutes
- get the findings of the analysis
ECS Bridge and awsvpc modes
- bridge uses the built-in docker network
- awsvpc will ensure that each task gets its own ENI and private IP address
Public VIF with BGP over DX
- requires the following inputs:
- list of IP prefix CIDRs that will be advertised to AWS
- VLAN ID
- BGP ASN
- customer router peer IP
- Amazon router peer IP
- all routes AWS advertises to customers are tagged with NO_EXPORT
- outbound routing policies (set by the customer)
- scope communities control where your prefixes are sent
- 7224:9100 = local AWS Region, 7224:9200 = all Regions on the same continent, 7224:9300 = global
- set these as the customer when advertising routes to AWS
- global by default if no scope community is set
- AWS tags its own advertised routes with 7224:8100 (same Region) and 7224:8200 (same continent); routes with no tag are global
- customers can filter the received routes to only the tags they need
On-Prem to DX Location requirements
- must use single-mode fiber
- port speed and duplex configured manually (no auto-negotiation)
- 802.1Q VLAN tagging
- BGP with MD5 authentication
- optional BFD
Route Propagation
- checkbox associated with a VGW in a route table
- with overlapping or matching routes the following rules apply:
- the local route is most preferred over routes from an on-prem S2S VPN or DX connection, even if the propagated prefixes are longer
- static routes with the same destination CIDR block as a propagated route are prioritized if their target is:
- IGW, VGW, ENI, instance ID, pcx, NAT GW, TGW, gateway VPCE
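The route-selection rules scattered through these notes (longest prefix match, local over on-prem, static over propagated for an identical CIDR, DX over VPN, then AS path and MED) are easier to check against a concrete table. The following is an added example and not AWS code: a small model of those rules run against a constructed route table. The Route fields and target IDs are this example's own, not EC2 API attributes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not AWS code: a small model of the VPC route-selection rules in
# these notes (longest prefix, local over on-prem, static over propagated, DX over
# VPN, then AS path and MED), run against a constructed route table. Field and
# target names are this example's own, not EC2 API attributes.


@dataclass(frozen=True)
class Route:
    destination: str        # CIDR; a prefix-list route is modelled as one Route per entry
    target: str             # "local", igw-..., vgw-..., pcx-..., tgw-..., nat-...
    origin: str = "static"  # "local", "static" or "propagated"
    via: str = ""           # propagated routes only: "dx" or "vpn"
    as_path_len: int = 0    # BGP attributes of propagated routes
    med: int = 0

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.destination)


ORIGIN_RANK = {"local": 0, "static": 1, "propagated": 2}   # lower wins
VIA_RANK = {"": 0, "dx": 0, "vpn": 1}


def select_route(routes: list[Route], dst: str) -> Optional[Route]:
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None                      # nothing matches: the packet is dropped
    # 1. A propagated (on-prem) route never overrides the local route, even when its
    #    prefix is longer, so drop propagated routes that fall inside a local CIDR.
    local_nets = [r.network for r in routes if r.origin == "local"]
    candidates = [r for r in candidates
                  if not (r.origin == "propagated"
                          and any(r.network.subnet_of(ln) for ln in local_nets))]
    # 2. Longest prefix match.
    best = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == best]
    # 3. Identical destination: local > static > propagated; among propagated routes
    #    DX beats VPN, then the shorter AS path, then the lower MED.
    candidates.sort(key=lambda r: (ORIGIN_RANK[r.origin], VIA_RANK[r.via], r.as_path_len, r.med))
    return candidates[0]


# constructed route table for a VPC 10.0.0.0/16 with an IGW, a VGW (DX + VPN), a
# peering connection and a transit gateway
ROUTE_TABLE = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "igw-0a1b2c3d", "static"),
    Route("10.0.5.0/24", "vgw-1111", "propagated", via="vpn"),       # inside the VPC CIDR: ignored
    Route("10.1.0.0/16", "vgw-1111", "propagated", via="dx", as_path_len=2),
    Route("10.1.0.0/16", "vgw-1111", "propagated", via="vpn", as_path_len=1),
    Route("10.1.5.0/24", "pcx-2222", "static"),                      # more specific than the VGW route
    Route("10.2.0.0/16", "tgw-3333", "static"),                      # same CIDR as a propagated route
    Route("10.2.0.0/16", "vgw-1111", "propagated", via="dx"),
    Route("10.3.0.0/16", "vgw-1111", "propagated", via="vpn", as_path_len=3, med=10),
    Route("10.3.0.0/16", "vgw-1111", "propagated", via="vpn", as_path_len=3, med=5),
]

if __name__ == "__main__":
    for dst in ("10.0.5.7", "10.1.0.9", "10.1.5.9", "10.2.3.4", "10.3.1.1", "8.8.8.8"):
        print(dst, "->", select_route(ROUTE_TABLE, dst))
```

The model keeps the VGW's path choice (DX vs VPN, AS path, MED) as separate Route entries for readability; in a real route table you only see one vgw-xxx entry per destination and the VGW makes that choice internally.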
Active/Passive setup with DX
- public ASN
- prepend and local preference
- private ASN
- no prepending!
- use a longer (more specific) prefix for the active path
VPC Flow Logs
- custom-format - can specify the fields and order in which you want records to be generated
- aggregation level (1 or 10 minutes)
- cloudwatch or s3 as destination
Private Link
- you can create your own endpoint service
- it can be accessed by third parties (consumers you allow)
- private DNS names can be customised
- add a TXT record to your DNS zone to prove you own the domain
- you can front the service with either an NLB or a GWLB
- use a GWLB if you want to provision multiple security appliances and offload traffic inspection to them
- traffic is intercepted in the consumer VPC by a GWLB endpoint, sent to the provider's GWLB and appliances, and then forwarded back to the consumer
DX LOA Process
- request a DX connection
- or configure it to go through a DX Partner
- wait for AWS to send the LOA-CFA, then pass it to the telco/colocation provider for the cross-connect
Amazon Inspector
- supports network assessments (network reachability)
- also has host rule packages to identify vulnerabilities
CloudFront Geo-Restrictions
- you can identify specific countries to allowlist or denylist
- Origin Shield provides centralized caching in a selected Region
- can be combined with Lambda@Edge to enable advanced serverless logic
BYOIP
- uses a Route Origin Authorization (ROA)
- created through your RIR (e.g. AFRINIC)
- identifies which ASNs may advertise the address range
- also requires you to publish a self-signed X.509 certificate in the RDAP record for the range
CFN
- Fn::Cidr
- ipBlock, count (number of CIDRs), cidrBits (number of host bits, i.e. 32 minus the subnet mask length)
- 192.168.0.0/24 into 6 CIDRs with a /27 mask, i.e. 5 host bits
!Cidr [ "192.168.0.0/24", 6, 5 ]
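The Fn::Cidr split above and the five reserved addresses from the VPC Basics notes are both just address arithmetic, and it pays to compute them before cutting a CloudFormation template. The following is an added example, not CloudFormation's own code: it re-implements the Fn::Cidr semantics, lists the reserved addresses of a subnet, and lays out one subnet per tier and AZ. The tier and AZ names are constructed.

```python
import itertools
import ipaddress

# Added example, not CloudFormation code: re-implements the Fn::Cidr split and
# the per-subnet reserved addresses described in these notes. IPv4 only; AWS
# subnets must be between /16 and /28.
VPC_RESERVED_PER_SUBNET = 5
MIN_SUBNET_PREFIX, MAX_SUBNET_PREFIX = 16, 28


def fn_cidr(ip_block: str, count: int, cidr_bits: int) -> list[str]:
    """Fn::Cidr semantics: `count` subnets of `ip_block`, each keeping `cidr_bits`
    host bits, i.e. a prefix length of (32 - cidr_bits) for IPv4."""
    net = ipaddress.ip_network(ip_block, strict=True)
    new_prefix = net.max_prefixlen - cidr_bits
    if new_prefix < net.prefixlen:
        raise ValueError(f"/{new_prefix} subnets do not fit inside {net}")
    subnets = list(itertools.islice(net.subnets(new_prefix=new_prefix), count))
    if len(subnets) < count:
        raise ValueError(f"{net} only holds {len(subnets)} /{new_prefix} subnets, {count} requested")
    return [str(s) for s in subnets]


def reserved_addresses(subnet: str) -> dict[str, str]:
    """The five IPv4 addresses AWS reserves in every subnet."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    if not MIN_SUBNET_PREFIX <= net.prefixlen <= MAX_SUBNET_PREFIX:
        raise ValueError(f"{net}: AWS subnets must be /16 to /28")
    base = int(net.network_address)

    def addr(offset: int) -> str:
        return str(ipaddress.IPv4Address(base + offset))

    return {
        "network": addr(0),       # network address
        "vpc_router": addr(1),    # implicit router
        "dns": addr(2),           # reserved in every subnet; the resolver is the VPC base +2
        "future_use": addr(3),
        "broadcast": str(net.broadcast_address),   # reserved; there is no broadcast in a VPC
    }


def usable_hosts(subnet: str) -> int:
    net = ipaddress.IPv4Network(subnet, strict=True)
    return net.num_addresses - VPC_RESERVED_PER_SUBNET


def vpc_dns_resolver(vpc_cidr: str) -> str:
    """The VPC-wide Route 53 Resolver address is the VPC CIDR base +2."""
    net = ipaddress.IPv4Network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def plan_tiers(vpc_cidr: str, tiers: list[str], azs: list[str], cidr_bits: int) -> dict[str, str]:
    """One subnet per (tier, AZ): the tier and AZ counts drive the number of CIDRs."""
    names = [f"{tier}-{az}" for tier in tiers for az in azs]
    return dict(zip(names, fn_cidr(vpc_cidr, len(names), cidr_bits)))


if __name__ == "__main__":
    print(fn_cidr("192.168.0.0/24", 6, 5))
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
    print(vpc_dns_resolver("10.10.0.0/16"))
    print(plan_tiers("10.0.0.0/16", ["public", "app", "db"], ["a", "b"], 8))
```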
EKS CNI Plugin Variables
- MINIMUM_IP_TARGET - minimum number of IP addresses assigned to a node; set it to the number of pods you expect per node
- WARM_ENI_TARGET - how many spare network interfaces ipamd keeps attached (each brings its own pool of IPs, e.g. 15 per interface on larger instance types; good for expected rapid scaling)
- WARM_IP_TARGET - number of spare IP addresses in ipamd's warm pool (good for conserving IP addresses)
- WARM_PREFIX_TARGET - number of spare /28 prefixes added to the instance's network interface (can be used to limit the number of allocated prefixes in smaller subnets)
- MAX_ENI - max number of ENIs
Wildcards with AWS Listener Rules
- * matches zero or more characters
- ? matches exactly one character
- otherwise A-Z, a-z, 0-9, - and . for host conditions; path conditions also allow _ $ / ~ " ' @ : + and &amp;
S3 Bucket Policy
- can reference aws:SourceVpc to limit access to a bucket
- the key is only set for requests that arrive through a gateway VPC endpoint, so a policy that denies when it is missing also locks out Internet and console access
- alternatively for a specific endpoint
- aws:SourceVpce
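The bucket-policy pattern referred to above (and in the S3 gateway endpoint and KMS endpoint notes earlier) is easiest to reason about by evaluating it against sample requests. The following is an added example and not AWS code: it builds the "only through my VPC endpoint" policy and runs it through a deliberately minimal IAM-style evaluator, enough to show why the explicit Deny with StringNotEquals is the part that actually blocks Internet access. Bucket, VPC and endpoint IDs are made up.

```python
import json
import re

# Added example, not AWS code: builds the "only through my VPC endpoint" bucket
# policy these notes describe and checks it against constructed requests with a
# deliberately minimal IAM-style evaluator (explicit Deny beats Allow, otherwise
# implicit deny). Bucket, VPC and endpoint IDs are made up.


def restrict_to_endpoint(bucket: str, condition_key: str, value: str) -> dict:
    """condition_key is aws:SourceVpce (one endpoint) or aws:SourceVpc (whole VPC)."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # The real control: fires for every request that did not arrive through
                # the endpoint, including IAM principals allowed s3:* by identity policy.
                "Sid": "DenyUnlessViaEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"StringNotEquals": {condition_key: value}},
            },
            {   # Read-only grant, again scoped to the endpoint.
                "Sid": "AllowReadViaEndpoint",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": arns,
                "Condition": {"StringEquals": {condition_key: value}},
            },
        ],
    }


def _glob(pattern: str, value: str) -> bool:
    """IAM wildcard match: * is any run of characters, ? exactly one (case-sensitive)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond: dict, ctx: dict) -> bool:
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected:        # a missing key never matches
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:            # a missing key counts as "not equal"
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """'allow' or 'deny'. ctx holds the request's condition keys; it is empty for a
    request that reached S3 over the Internet, since aws:SourceVpc(e) are only set
    for requests that came through a VPC endpoint. Principals are ignored here."""
    decision = "deny"                             # implicit deny
    for st in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"                         # explicit deny always wins
        decision = "allow"
    return decision


if __name__ == "__main__":
    policy = restrict_to_endpoint("corp-data", "aws:SourceVpce", "vpce-0a1b2c3d4e5f67890")
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::corp-data/reports/q3.csv"
    print(evaluate(policy, "s3:GetObject", obj, {"aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"}))  # allow
    print(evaluate(policy, "s3:GetObject", obj, {}))  # deny: the request came over the Internet
```

Because the Deny fires whenever the key is absent, it also blocks the console and any automation that does not go through the endpoint; in practice you carve out a break-glass role with an aws:PrincipalArn exception in the same Deny statement before applying it.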
SES endpoint for TLS
- email-smtp.region.amazonaws.com:587 (STARTTLS)
- email-smtp.region.amazonaws.com:465 (TLS Wrapper)
169.254.169.123 - Time Sync Service (NTP on port 123)
Route 53 split-view DNS
- use the same domain name for internal and external usage
- create public and private hosted zones with the same name
- associate one or more VPCs with the private hosted zone (the AWS provided DNS resolver will use the private-hosted zone for lookups)
- create records in each hosted zone
NAT Gateway limitations
- no port forwarding
- cannot be used as a bastion server
- cannot be associated with SGs
- 45 Gbps
- on idle timeout (350 seconds) it only sends an RST (no FIN)
- supports IP fragmentation for UDP
- no fragmentation of TCP and ICMP (fragmented TCP/ICMP packets are dropped)
- supports up to 55,000 simultaneous connections to each unique destination
CFN VPC Peering
- create the AWS::EC2::VPCPeeringConnection resource in the requester account
- cross-account peering needs a role in the accepter account (PeerOwnerId plus PeerRoleArn to reference it)
- PeerRegion names the accepter VPC's Region (omit it if both VPCs are in the same Region)
Route 53 Private Hosted Zone Failover
- Route 53 health checkers need a public IP to reach the endpoint
- alternatively use a CloudWatch metric/alarm combination and create a health check based on the alarm's state
EKS VPC Flow Logs
- pod to pod traffic
- use srcaddr and dstaddr for node IP filtering
- use pkt-srcaddr and pkt-dstaddr for pod to pod (client to server); pod IPs are secondary IPs on the node ENIs, so they only show up in the pkt-* fields
- on the sending node's ENI you see the client node IP as srcaddr and the client pod IP as pkt-srcaddr
- on the server side both srcaddr and pkt-srcaddr show the client pod IP
- likewise, the client sees both dstaddr and pkt-dstaddr as the server pod IP
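Putting the flow-log notes together (custom format with pkt-* fields, the primary-IP masking of secondary addresses, and the EKS node/pod asymmetry described just above): the following is an added example, not AWS code, that parses records in a custom format and reports by pod rather than by node. The log lines, ENI IDs and account ID are constructed to reproduce the layout the note describes.

```python
import ipaddress
from collections import Counter

# Added example, not AWS code: parses VPC Flow Log records written with a custom
# format that includes pkt-srcaddr / pkt-dstaddr and separates node-level from
# pod-level addresses as the note above describes. The log lines, ENI IDs and
# account ID below are constructed to illustrate that layout.

# field order as passed to --log-format when the flow log is created
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log-status pkt-srcaddr pkt-dstaddr").split()

# eni-...0001: ENI of the node (primary 10.0.1.10) hosting client pod 10.0.1.77 (a secondary IP)
# eni-...0002: ENI of the node hosting server pod 10.0.2.55
SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.55 51234 8080 6 5 1200 1663776000 1663776060 ACCEPT OK 10.0.1.77 10.0.2.55
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.77 10.0.2.55 51234 8080 6 5 1200 1663776000 1663776060 ACCEPT OK 10.0.1.77 10.0.2.55
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.55 10.0.1.77 8080 51234 6 4 900 1663776000 1663776060 ACCEPT OK 10.0.2.55 10.0.1.77
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 198.51.100.1 43210 443 6 1 60 1663776000 1663776060 REJECT OK 10.0.1.77 198.51.100.1
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1663776000 1663776060 - SKIPDATA - -
"""

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_logs(text: str, fields=FIELDS) -> list[dict]:
    """One dict per usable record; NODATA/SKIPDATA records carry no addresses and are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: {len(parts)} fields, but the format has {len(fields)}")
        rec = dict(zip(fields, parts))
        if rec["log-status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def node_to_pods(records: list[dict]) -> dict[str, set[str]]:
    """Node IP -> pod IPs, from records where the ENI's primary IP masks the pod IP."""
    mapping: dict[str, set[str]] = {}
    for r in records:
        if r["srcaddr"] != r["pkt-srcaddr"]:
            mapping.setdefault(r["srcaddr"], set()).add(r["pkt-srcaddr"])
    return mapping


def packet_flows(records: list[dict]) -> Counter:
    """Flows keyed on the real (pkt-*) endpoints; a flow is seen once per ENI it crosses."""
    return Counter((r["pkt-srcaddr"], r["pkt-dstaddr"], r["dstport"], r["action"]) for r in records)


def rejected_egress(records: list[dict], vpc_cidr: str) -> list[tuple]:
    """(pod, destination, port) for rejected traffic leaving the VPC, attributed to the pod, not the node."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [(r["pkt-srcaddr"], r["pkt-dstaddr"], r["dstport"]) for r in records
            if r["action"] == "REJECT" and ipaddress.ip_address(r["pkt-dstaddr"]) not in vpc]


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LINES)
    print(node_to_pods(recs))
    print(packet_flows(recs))
    print(rejected_egress(recs, "10.0.0.0/16"))
```

Keep the field order in FIELDS identical to the --log-format string you created the flow log with; the parser refuses lines with a different field count rather than silently mis-labelling columns.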
VPC CIDR Blocks
- if the primary CIDR block is non-RFC 1918 you cannot add RFC 1918 ranges as secondary blocks; an RFC 1918 primary only accepts secondary blocks from the same RFC 1918 range (e.g. a 10.0.0.0/8 primary cannot add 172.16.0.0/12 or 192.168.0.0/16)
DX Billing
- Port Hours
- Outbound Data Transfer
Track Public IP address changes with SNS
- subscribe to the topic arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
Cloud-Map
- provides an API-based service discovery mechanism with faster change propagation and the ability to use attributes to narrow down the set of discovered resources
- updates existing Route 53 auto naming resources
- can integrate with EKS through ExternalDNS
VPN over DX
- requires a public VIF
- allows multiple VGWs to be created to terminate managed VPNs
- alternatively you could use a transit virtual interface on the DX location to connect it to a TGW with VPNs
Route 53 Private hosted zone
- can associate with a VPC in a different account
- use the API call CreateVPCAssociationAuthorization action