Thursday, 31 October 2019

Site To Site VPN (AWS managed VPN)


AWS Details: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

  • Install Openswan (details: https://www.openswan.org/):
$ sudo su
$ yum install openswan

  • Update /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0

  • Restart network service
$ service network restart


  • VPC A: Create VGW, Customer Gateway and a VPN Connection. Download the `generic` configuration.

  • Configure Openswan (IPsec tunnels) based on the information provided in the downloaded configuration:
  • $ vi /etc/ipsec.d/aws-vpn.conf:

conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=<Customer Gateway IP>
    right=<AWS Virtual Private Gateway IP>
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<Customer CIDR>
    rightsubnet=<AWS VPC CIDR>
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer

Note that the proposal in the generic configuration is AES-128 with SHA-1 and DH group 2 (modp1024). AWS tunnel options also accept AES-256, SHA-2 and DH group 14 (modp2048); prefer those where the installed Openswan build supports them. The downloaded configuration describes two tunnels, so repeat the block as Tunnel2 with the second VGW IP if the connection should survive a single tunnel failure.

  • $ vi /etc/ipsec.d/aws-vpn.secrets
<Customer Gateway IP> <AWS VGW IP>: PSK "<Pre-Shared Key>"

Keep this file readable only by root (chmod 600); it holds the tunnel's pre-shared key.

  • $ chkconfig ipsec on
  • $ service ipsec start 
  • $ service ipsec status
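The two tunnels from the generic configuration rendered into the aws-vpn.conf and aws-vpn.secrets layouts above, as an added example that is not code from the page, AWS or Openswan; the Tunnel dataclass, the sample addresses and the stronger proposal string are assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical tunnel parameters; in practice they come from the "generic"
# configuration downloaded from the AWS VPN Connection (it lists both tunnels).
@dataclass
class Tunnel:
    name: str      # conn name, e.g. Tunnel1 / Tunnel2
    vgw_ip: str    # AWS Virtual Private Gateway outside IP for this tunnel
    psk: str       # pre-shared key for this tunnel

GENERIC_ALG = "aes128-sha1;modp1024"       # what the generic config ships with
STRONG_ALG = "aes256-sha2_256;modp2048"    # AES-256 / SHA-256 / DH group 14

def render_conn(t, cgw_ip, customer_cidr, vpc_cidr, strong=False):
    """Return one Openswan 'conn' block laid out like the page's aws-vpn.conf.

    Refuses overlapping selectors (the tunnel could never route them apart)
    and empty keys. strong=True assumes the installed Openswan build accepts
    the sha2_256/modp2048 proposal strings."""
    if ipaddress.ip_network(customer_cidr).overlaps(ipaddress.ip_network(vpc_cidr)):
        raise ValueError("customer CIDR and VPC CIDR overlap")
    if not t.psk:
        raise ValueError(f"{t.name}: empty pre-shared key")
    alg = STRONG_ALG if strong else GENERIC_ALG
    opts = [
        "authby=secret", "auto=start", "left=%defaultroute", f"leftid={cgw_ip}",
        f"right={t.vgw_ip}", "type=tunnel", "ikelifetime=8h", "keylife=1h",
        f"phase2alg={alg}", f"ike={alg}", "keyingtries=%forever", "keyexchange=ike",
        f"leftsubnet={customer_cidr}", f"rightsubnet={vpc_cidr}",
        "dpddelay=10", "dpdtimeout=30", "dpdaction=restart_by_peer",
    ]
    return f"conn {t.name}\n" + "".join(f"    {o}\n" for o in opts)

def render_secrets(tunnels, cgw_ip):
    """One '<CGW IP> <VGW IP>: PSK "..."' line per tunnel for aws-vpn.secrets."""
    return "".join(f'{cgw_ip} {t.vgw_ip}: PSK "{t.psk}"\n' for t in tunnels)

def render_all(tunnels, cgw_ip, customer_cidr, vpc_cidr, strong=False):
    """Both files as strings; write the secrets file with mode 0600."""
    conf = "".join(render_conn(t, cgw_ip, customer_cidr, vpc_cidr, strong) + "\n"
                   for t in tunnels)
    return conf, render_secrets(tunnels, cgw_ip)
```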

Thursday, 24 October 2019

AWS VPC - Key concepts

Amazon VPC is the networking layer for Amazon EC2.


  • A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It spans all Availability Zones in a Region. You must assign an IPv4 or IPv6 CIDR block to the VPC.
  • A subnet is a contiguous range of IP addresses (IPv4 or IPv6) in your VPC, allocated from the VPC CIDR block. It resides within a single Availability Zone (AZ) and cannot span multiple AZs. The smallest subnet you can create is a /28 (16 IPv4 addresses).
  • A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
  • An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.
  • A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

AWS VPC - CIDR ranges

AWS VPCs can exist in private (RFC 1918) IPv4 space. (You can also create them with public IP CIDR blocks, but this is less common as you must own your own IPv4 block.) Private IPv4 addresses are not directly routable from the Internet, and traffic to/from the Internet must generally go through Network Address Translation (NAT). Therefore, you can have multiple occurrences of the same CIDR block in these private spaces because they cannot route to each other directly. You cannot have multiple subnets with the same (or overlapping) CIDR blocks in the same VPC, though, because AWS treats it as one continuous network.
Reserved RFC 1918 CIDR blocks (AWS will let you use any of these for your VPC):
  • 10.0.0.0/8 (The most commonly used, because it's the largest)
  • 192.168.0.0/16 (Also commonly used, generally on home routers or small office networks)
  • 172.16.0.0/12 (Less commonly used, because most people cannot remember how many addresses are in a /12 without a calculator)
You probably do not want to create VPCs with overlapping CIDR blocks if you're creating multiple VPCs, though, because then you cannot link them together later via VPC Peering, because the addresses would no longer be unique in the joined network space. 

Plan ahead for your current and possible future VPC usage, because you cannot change a VPC's CIDR block after it has been created. You'd have to move everything out and start fresh. The same goes for subnets in a VPC.

  • After you've created your VPC, you can associate secondary CIDR blocks with the VPC.
  • You can create a VPC with a publicly routable CIDR block that falls outside of the private IPv4 address ranges specified in RFC 1918.
  • The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset of the CIDR block for the VPC (for multiple subnets). The allowed block size is between a /28 netmask and a /16 netmask. If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.

The first four IP addresses and the last IP address in each subnet CIDR block (5 addresses) are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
  • 10.0.0.0: Network address.
  • 10.0.0.1: Reserved by AWS for the VPC router.
  • 10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two; however, AWS also reserves the base of each subnet range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. For more information, see Amazon DNS Server.
  • 10.0.0.3: Reserved by AWS for future use.
  • 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

Adding IPv4 CIDR Blocks to a VPC

You can associate secondary IPv4 CIDR blocks with your VPC. When you associate a CIDR block with your VPC, a route is automatically added to your VPC route tables to enable routing within the VPC (the destination is the CIDR block and the target is local).

To add a CIDR block to your VPC, the following rules apply:
  • The allowed block size is between a /28 netmask and a /16 netmask.
  • The CIDR block must not overlap with any existing CIDR block that's associated with the VPC.
  • You have a limit on the number of CIDR blocks you can associate with a VPC and the number of routes you can add to a route table. You cannot associate a CIDR block if this results in you exceeding your limits.
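The subnet rules and reserved addresses from the previous section and the rules for adding a CIDR block above, applied by an added example (not code from the page or AWS); the constant, all function names and the VPC layout used in the comments are constructed for illustration:

```python
import ipaddress

# Constructed VPC layout for illustration; not taken from the page.
IPV4_CIDR_BLOCKS_PER_VPC = 5   # default limit from the page's table (primary counts)

def check_block_size(cidr):
    """Subnets and VPC CIDR blocks must sit between a /16 and a /28."""
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: prefix must be between /16 and /28")
    return net

def reserved_addresses(subnet_cidr):
    """The five addresses AWS withholds in each subnet: first four plus broadcast."""
    net = check_block_size(subnet_cidr)
    base = int(net.network_address)
    labels = ["network address", "VPC router", "reserved (DNS is VPC base+2)", "future use"]
    out = {str(ipaddress.ip_address(base + i)): labels[i] for i in range(4)}
    out[str(net.broadcast_address)] = "broadcast (unsupported in a VPC)"
    return out

def vpc_dns_server(vpc_cidrs):
    """The VPC DNS server is primary CIDR base + 2, even with secondary blocks."""
    return str(ipaddress.ip_network(vpc_cidrs[0]).network_address + 2)

def add_cidr_block(vpc_cidrs, new_cidr):
    """Apply the page's rules for associating a secondary IPv4 CIDR block."""
    net = check_block_size(new_cidr)
    if len(vpc_cidrs) >= IPV4_CIDR_BLOCKS_PER_VPC:
        raise ValueError("IPv4 CIDR block limit reached for this VPC")
    for existing in vpc_cidrs:
        if net.overlaps(ipaddress.ip_network(existing)):
            raise ValueError(f"{new_cidr} overlaps {existing}")
    return vpc_cidrs + [new_cidr]

def plan_subnets(vpc_cidrs, subnet_cidrs):
    """Reject subnets outside every VPC block or overlapping each other;
    return (cidr, usable host count) pairs for the ones that fit."""
    vpc_nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    placed = []
    for s in subnet_cidrs:
        net = check_block_size(s)
        if not any(net.subnet_of(v) for v in vpc_nets):
            raise ValueError(f"{s} is not inside any CIDR block of the VPC")
        for p in placed:
            if net.overlaps(p):
                raise ValueError(f"{s} overlaps {p}")
        placed.append(net)
    return [(str(n), n.num_addresses - 5) for n in placed]
```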

VPC and Subnets Limits

Resource                  | Default limit | Comments
VPCs per Region           | 5             | The limit for internet gateways per Region is directly correlated to this one. Increasing this limit increases the limit on internet gateways per Region by the same amount. You can have 100s of VPCs per Region for your needs even though the default limit is 5 VPCs per Region. You can request an increase for these limits using the Amazon VPC limits form.
Subnets per VPC           | 200           | -
IPv4 CIDR blocks per VPC  | 5             | The primary CIDR block and all secondary CIDR blocks count toward this limit. This limit can be increased up to a maximum of 50.
IPv6 CIDR blocks per VPC  | 1             | This limit cannot be increased.

DNS






