virtualization:cloud:aws

Differences

virtualization:cloud:aws [2023/10/19 12:12] jotasandokuvirtualization:cloud:aws [2025/03/25 14:58] (current) jotasandoku
Line 22: Line 22:
 Refreshing workaround for error "...The security token included in the request is expired": **disruptive** Refreshing workaround for error "...The security token included in the request is expired": **disruptive**
   mv .aws/credentials credentials.bak2   mv .aws/credentials credentials.bak2
-  aws configure --profile jaimecli+  aws configure
   ./refresh_aws_mfa.py jaimecli   ./refresh_aws_mfa.py jaimecli
  
 SIMPLER SETUP. remove credentials when done and set them up again when start working: SIMPLER SETUP. remove credentials when done and set them up again when start working:
 +  # or just keep credentials but gran/revoke 'AdministratorAccess' policy during works : 
 +  # https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/groups/details/gr2?section=permissions
   rm /home/pi/.aws/credentials*   rm /home/pi/.aws/credentials*
   aws configure    aws configure 
-  # aws --profile jaimecli sts get-caller-identity 
   aws sts get-caller-identity   aws sts get-caller-identity
   ! when logging off   ! when logging off
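Review bot: dropping '--profile jaimecli' from 'aws configure' makes that command write the '[default]' profile, while the unchanged next line './refresh_aws_mfa.py jaimecli' still names the 'jaimecli' profile, so check that the script really reads its long-term keys from wherever 'aws configure' now puts them; otherwise keep '--profile jaimecli' or change the script argument. In the added comment, 'gran/revoke' should read 'grant/revoke', and the alternative it describes (keep the keys in .aws/credentials and toggle 'AdministratorAccess' on the group via the hard-coded console URL for group 'gr2' in us-east-1) leaves the long-lived access keys valid on disk between sessions, so the 'rm /home/pi/.aws/credentials*' path that follows is the stronger of the two options; say so in the comment rather than presenting them as equivalent.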
Line 114: Line 115:
     * An example, rtb for a vpc endpoint: destination: pl-7ba54012(com.amazonaws.us-est-2.s3) (this represents the subnet of the service) + target: vpce-aa852c     * An example, rtb for a vpc endpoint: destination: pl-7ba54012(com.amazonaws.us-est-2.s3) (this represents the subnet of the service) + target: vpce-aa852c
       * vrf ~= multiple rts/subnets. Which is not 💯 true because different subnets/rts can talk to each other by default       * vrf ~= multiple rts/subnets. Which is not 💯 true because different subnets/rts can talk to each other by default
 +    * VIRTUAL PRIVATE GATEWAY [vpw]: AWS network service component that serves as the AWS-side endpoint for connecting external networks to a VPC. (can be used with dx or s2s vpn).
 +    * AWS GLOBAL ACCELERATOR: For those applications that cannot use DNS for optimally routing; Traffic hits an Anycast address and then goes through AWS internal network. AWS internal network uses public IP space. Your endpoint needs to have public IP, eg ALB or NLB; Another use case is the ''accelerated VPN'' where we use the nearest global accelerator edge-location so it traverses the internal AWS network (instead of Internet) on its route to the remote VPC.
  
  
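Review bot: the new VIRTUAL PRIVATE GATEWAY bullet introduces the abbreviation '[vpw]', while the Direct Connect section further down uses '[vpg]' for the same object ('single [dgw] connects to multiple [vpg]'); use '[vpg]' here too. In the GLOBAL ACCELERATOR bullet, 'AWS internal network uses public IP space' should be tied to the next sentence: because the endpoint (ALB or NLB) must have a public IP, it remains reachable directly on that address independently of the accelerator, so its security group still has to restrict sources rather than relying on traffic arriving via the anycast address. Also 'cannot use DNS for optimally routing' should read 'cannot rely on DNS for optimal routing', and 'us-est-2' in the unchanged example above is presumably 'us-east-2'.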
Line 141: Line 144:
     * EC2     * EC2
  
-  * TRANSIT GATEWAY [tgw] : Similar to transit vpc but more 'router-like'. For hub and spokes type deployments.  +  * **TRANSIT GATEWAY [tgw]** : Similar to transit vpc but more 'router-like'. For hub and spokes type deployments.  
-    * VPCs, on-premise stuff and so on, all can connect to the tgw+    * VPCs, on-premise stuff and so on, all can connect to the tgw : In the transit gatewaym, we create VPC attachments, then in the VPC we can leave the deafult table (automatically created) or add custom routes with target [tgw]
     * If we want traffic between __different regions__ we can do it but peering together transit gateways.     * If we want traffic between __different regions__ we can do it but peering together transit gateways.
     * Manages/abstracts all the vpn tunnels. [[https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway-vs-transit-vpc.html|External Link]]     * Manages/abstracts all the vpn tunnels. [[https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway-vs-transit-vpc.html|External Link]]
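Review bot: the added sentence 'then in the VPC we can leave the deafult table (automatically created) or add custom routes with target [tgw]' mixes up two route tables: the table that is automatically created belongs to the transit gateway itself (attachments are associated with it), whereas a VPC's own route table sends nothing to the tgw until a route with target [tgw] is added, so 'leave the default table' is only true on the tgw side. Suggested wording: 'In the tgw we create VPC attachments, which land in the tgw default route table (auto-created); in each VPC route table we then add routes with target [tgw]'. Fix 'gatewaym' to 'gateway' and 'deafult' to 'default' while here; in the context line below, 'we can do it but peering' should read 'by peering'.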
Line 167: Line 170:
   * Directconnect can be used with multiple regions single [dgw] connects to multiple [vpg] in different regions.   * Directconnect can be used with multiple regions single [dgw] connects to multiple [vpg] in different regions.
   *  Directconnect can be used with multiple accounts: [dgw] belongs to account Z, then accounts A and B send 'association requests' from their [vpg]]   *  Directconnect can be used with multiple accounts: [dgw] belongs to account Z, then accounts A and B send 'association requests' from their [vpg]]
-  * Depending on what we want to access we can create the following interfaces in DirecConnect:+  * Depending on what we want to access we can create the following interfaces (VIFs) in DirectConnect:
     * Private virtual interface     * Private virtual interface
     * Public virtual interface     * Public virtual interface
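Review bot: '[vpg]]' in the context line two above has a stray ']' that DokuWiki renders literally, and 'can be used with multiple regions single [dgw] connects' needs a colon and an article ('multiple regions: a single [dgw] connects to multiple [vpg] in different regions'); since this hunk already touches the typo 'DirecConnect', it is the place to clean up those two lines as well.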
Line 173: Line 176:
   * BGP MP is not supported. MD5 is enabled by default.   * BGP MP is not supported. MD5 is enabled by default.
     * Peering can/should be done from rfc1918.      * Peering can/should be done from rfc1918. 
-    * Local-pref, AS-prepending, MED aand [[https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html|Communities]] can be used to influence traffic.+    * Shorter-prefix, Local-pref, AS-prepending, MED aand [[https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html|Communities]] can be used to influence traffic.
  
  
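Review bot: 'Shorter-prefix' in the added list points the wrong way: route selection prefers the longest (most specific) prefix before any of local-pref, AS-path length, MED or communities are compared, which is also what the linked routing-and-bgp page describes, so advertising a more specific (longer) prefix is what pulls traffic. Suggest 'More specific (longer) prefix, Local-pref, AS-prepending, MED and Communities can be used to influence traffic'; the typo 'aand' also survives this edit and should read 'and'.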
Line 295: Line 298:
     *  Is rspan with VXLAN udp-4789 as transport. Target doesn't need to filter vxlan but we need to consider the 60B added by vxlan so we don't get over the mtu.     *  Is rspan with VXLAN udp-4789 as transport. Target doesn't need to filter vxlan but we need to consider the 60B added by vxlan so we don't get over the mtu.
     * In reality the nitro nic (hypervisor's smart nic) does acl does sg does rspan and cloudwatch metrics(review this))     * In reality the nitro nic (hypervisor's smart nic) does acl does sg does rspan and cloudwatch metrics(review this))
- 
----- 
-Aws global accelerator: 
-for those applications that cannot spell dns. \\ 
-Traffic hits an Anycast address and then goes through Aws internal network.\\  
-Aws internal network uses public space.\\ 
-Your endpoint needs to have public IP, eg alb or nlb 
  
 ---- ----
Line 363: Line 359:
 AWS autoescaling features only deal with EKS (workers) or EC2 instances. If we want to dynamically allocate other resources like, subnets, directconnects, vpc peerings ans so on, we can use: AWS autoescaling features only deal with EKS (workers) or EC2 instances. If we want to dynamically allocate other resources like, subnets, directconnects, vpc peerings ans so on, we can use:
   * [[https://networktocode.com/nautobot/nautobot-cloud/]]   * [[https://networktocode.com/nautobot/nautobot-cloud/]]
 +
 +
 +----
 +Amazon VPC Flow Logs - TODO
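Review bot: 'Amazon VPC Flow Logs - TODO' adds a '----' separator and a title with no body, which reads as a finished section to anyone skimming the page; either write the note now or leave the stub out until there is content. In the unchanged paragraph above, 'autoescaling' should read 'autoscaling' and 'ans so on' should read 'and so on'.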
virtualization/cloud/aws.1697717535.txt.gz · Last modified: (external edit)