dokucama

User Tools

Site Tools

Trace: azure gcp
virtualization:cloud:aws

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
virtualization:cloud:aws [2023/10/19 10:03] jotasandokuvirtualization:cloud:aws [2025/03/25 14:58] (current) jotasandoku
Line 22: Line 22:
 Refreshing workaround for error "...The security token included in the request is expired": **disruptive** Refreshing workaround for error "...The security token included in the request is expired": **disruptive**
   mv .aws/credentials credentials.bak2   mv .aws/credentials credentials.bak2
-  aws configure --profile jaimecli+  aws configure
   ./refresh_aws_mfa.py jaimecli   ./refresh_aws_mfa.py jaimecli
  
 SIMPLER SETUP. remove credentials when done and set them up again when start working: SIMPLER SETUP. remove credentials when done and set them up again when start working:
 +  # or just keep credentials but gran/revoke 'AdministratorAccess' policy during works : 
 +  # https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/groups/details/gr2?section=permissions
   rm /home/pi/.aws/credentials*   rm /home/pi/.aws/credentials*
   aws configure    aws configure 
-  # aws --profile jaimecli sts get-caller-identity 
   aws sts get-caller-identity   aws sts get-caller-identity
   ! when logging off   ! when logging off
Line 114: Line 115:
     * An example, rtb for a vpc endpoint: destination: pl-7ba54012(com.amazonaws.us-est-2.s3) (this represents the subnet of the service) + target: vpce-aa852c     * An example, rtb for a vpc endpoint: destination: pl-7ba54012(com.amazonaws.us-est-2.s3) (this represents the subnet of the service) + target: vpce-aa852c
       * vrf ~= multiple rts/subnets. Which is not 💯 true because different subnets/rts can talk to each other by default       * vrf ~= multiple rts/subnets. Which is not 💯 true because different subnets/rts can talk to each other by default
 +    * VIRTUAL PRIVATE GATEWAY [vpw]: AWS network service component that serves as the AWS-side endpoint for connecting external networks to a VPC. (can be used with dx or s2s vpn).
 +    * AWS GLOBAL ACCELERATOR: For those applications that cannot use DNS for optimally routing; Traffic hits an Anycast address and then goes through AWS internal network. AWS internal network uses public IP space. Your endpoint needs to have public IP, eg ALB or NLB; Another use case is the ''accelerated VPN'' where we use the nearest global accelerator edge-location so it traverses the internal AWS network (instead of Internet) on its route to the remote VPC.
  
  
Line 141: Line 144:
     * EC2     * EC2
  
-  * TRANSIT GATEWAY [tgw] : Similar to transit vpc but more 'router-like'. For hub and spokes type deployments.  +  * **TRANSIT GATEWAY [tgw]** : Similar to transit vpc but more 'router-like'. For hub and spokes type deployments.  
-    * VPCs, on-premise stuff and so on, all can connect to the tgw+    * VPCs, on-premise stuff and so on, all can connect to the tgw : In the transit gatewaym, we create VPC attachments, then in the VPC we can leave the deafult table (automatically created) or add custom routes with target [tgw]
     * If we want traffic between __different regions__ we can do it but peering together transit gateways.     * If we want traffic between __different regions__ we can do it but peering together transit gateways.
     * Manages/abstracts all the vpn tunnels. [[https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway-vs-transit-vpc.html|External Link]]     * Manages/abstracts all the vpn tunnels. [[https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway-vs-transit-vpc.html|External Link]]
Line 159: Line 162:
 ---- ----
  
-**DIRECTCONNECT [dgw] **+**DIRECTCONNECT [dgw] ** [[https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html|External Link]]
  
   * VIF   * VIF
-  * **DirectConnect Gateway**: We can think of it as a ROUTE REFLECTOR. Not in the forwarding plane. [[https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html|External Link]] +  * **DirectConnect Gateway**: We can think of it as a ROUTE REFLECTOR. Not in the forwarding plane. [[https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html|External Link]]. It then connects to one the these two: 
-  In aws direct connect gateway also require virtual private gateway [vpg] between itself and the vpcs. Do not identify [vpg] with ipsec.+    * virtual private gateway [vpg] between itself and the vpcs ([vpg] are not just for ipsec) 
 +    * [tgw] 
 +  * Directconnect can be used with multiple regions single [dgw] connects to multiple [vpg] in different regions. 
 +  *  Directconnect can be used with multiple accounts: [dgw] belongs to account Z, then accounts A and B send 'association requests' from their [vpg]] 
 +  * Depending on what we want to access we can create the following interfaces (VIFs) in DirectConnect: 
 +    * Private virtual interface 
 +    * Public virtual interface 
 +    * Transit virtual interface 
 +  * BGP MP is not supported. MD5 is enabled by default. 
 +    * Peering can/should be done from rfc1918.  
 +    * Shorter-prefix, Local-pref, AS-prepending, MED aand [[https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html|Communities]] can be used to influence traffic.
  
  
Line 285: Line 298:
     *  Is rspan with VXLAN udp-4789 as transport. Target doesn't need to filter vxlan but we need to consider the 60B added by vxlan so we don't get over the mtu.     *  Is rspan with VXLAN udp-4789 as transport. Target doesn't need to filter vxlan but we need to consider the 60B added by vxlan so we don't get over the mtu.
     * In reality the nitro nic (hypervisor's smart nic) does acl does sg does rspan and cloudwatch metrics(review this))     * In reality the nitro nic (hypervisor's smart nic) does acl does sg does rspan and cloudwatch metrics(review this))
- 
----- 
-Aws global accelerator: 
-for those applications that cannot spell dns. \\ 
-Traffic hits an Anycast address and then goes through Aws internal network.\\  
-Aws internal network uses public space.\\ 
-Your endpoint needs to have public IP, eg alb or nlb 
  
 ---- ----
Line 353: Line 359:
 AWS autoescaling features only deal with EKS (workers) or EC2 instances. If we want to dynamically allocate other resources like, subnets, directconnects, vpc peerings ans so on, we can use: AWS autoescaling features only deal with EKS (workers) or EC2 instances. If we want to dynamically allocate other resources like, subnets, directconnects, vpc peerings ans so on, we can use:
   * [[https://networktocode.com/nautobot/nautobot-cloud/]]   * [[https://networktocode.com/nautobot/nautobot-cloud/]]
 +
 +
 +----
 +Amazon VPC Flow Logs - TODO
virtualization/cloud/aws.1697709817.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki