aws VPC-Peering实践探索
本博客所有文章采用的授权方式为 自由转载-非商用-非衍生-保持署名 ,转载请务必注明出处,谢谢。
VPC相关概念和实践1/2(VPC-Peering)
VPC可以理解为一个虚拟的数据中心,数据中心会部署不同类型的应用,不同应用对网络的访问要求不一样(比如有些应用需要和internet双向访问,有些应用需要单向访问internet,有些应用需要禁止访问internet,数据中心内部之前的网络访问也可以设置),这些网络控制的需求都可以在VPC中实现
VPC网络整体示意图
-
相关术语
IGW: vpc中访问internet的虚拟设备
NGW:vpc中,ec2没有public ip但是有希望访问internet,会用到该虚拟设备
一个vpc中会划分不同的subnet,subnet可以选择不同AZ(availability zone)
可以根据需要创建internet-gateway (IGW)
和NAT-gateway(NGW)
route table (有vpc全局的main route table,也有每个subnet自己的route table)
vpc-peeing: 将2个vpc(可以是同一个账号下的2个vpc,也可以是不同账号下的vpc)网络打通(前提是2个vpc的CIDR网段没有重叠(overlap))
带路由表的示意图
vpc property
vpc-routetable
有vpc全局层面的route-table(main route table)
每个subnet也可以创建自己的route-table
default vpc
“VPC comes preconfigured with the following set of configurations:
- The default VPC is always created with a CIDR block of /16, which means it supports 65,536 IP addresses in it.
- A default subnet is created in each AZ of your selected region. Instances launched in these default subnets have both a public and a private IP address by default as well.
- An Internet Gateway is provided to the default VPC for instances to have Internet connectivity.
- A few necessary route tables, security groups, and ACLs are also created by default that enable the instance traffic to pass through to the Internet. Refer to the following figure:”
VPC peering
Inter-Region VPC peering provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html
limit
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html
操作
vpc 属性检查
-
network ACL
-
route-table
-
route-internet-gateway
igw(internet-gateway)可以从vpc中detach
vpc CIDR(subnet)分配后不可更改?
可以查看vpc相关资源在所有region的分布
admin用户查看
prefix list
默认会看到这些 prefix
aws cli
-
创建vpc
➜ aws-cli aws ec2 create-vpc --cidr-block 172.16.0.0/16 ➜ aws-cli
-
check vpc
➜ aws-cli aws ec2 describe-vpcs --vpc-ids vpc-0b696b859f722d87b { "Vpcs": [ { "CidrBlock": "172.16.0.0/16", "DhcpOptionsId": "dopt-02e2df729b14fb866", "State": "available", "VpcId": "vpc-0b696b859f722d87b", "OwnerId": "359990655175", "InstanceTenancy": "default", "CidrBlockAssociationSet": [ { "AssociationId": "vpc-cidr-assoc-09fd3439beb8f53d8", "CidrBlock": "172.16.0.0/16", "CidrBlockState": { "State": "associated" } } ], "IsDefault": false } ] } //与default vpc 对比 ➜ aws-cli aws ec2 describe-vpcs --vpc-ids vpc-0d33f1d31b002d5c7 { "Vpcs": [ { "CidrBlock": "172.31.0.0/16", "DhcpOptionsId": "dopt-02e2df729b14fb866", "State": "available", "VpcId": "vpc-0d33f1d31b002d5c7", "OwnerId": "359990655175", "InstanceTenancy": "default", "CidrBlockAssociationSet": [ { "AssociationId": "vpc-cidr-assoc-02519e6b9bd118b4d", "CidrBlock": "172.31.0.0/16", "CidrBlockState": { "State": "associated" } } ], "IsDefault": true } ] } (END)
# 场景操作
## 同一个账号下,同一个region(virginia)的2个vpc创建 vpc peering
-
当前环境检查
Name VPC ID State IPv4 CIDR default-vpc https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#VpcDetails:VpcId=vpc-0d33f1d31b002d5c7 Available 172.31.0.0/16 my-vpc https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#VpcDetails:VpcId=vpc-0b696b859f722d87b Available 172.16.0.0/16 my-vpc中的vm ip: 172.16.10.160 (因为没有公网ip,无法通过公网登陆)
default-vpc中的vm ip: 172.31.80.132
[ec2-user@ip-172-31-80-132 ~]$ ip add 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 link/ether 12:83:fe:31:b3:71 brd ff:ff:ff:ff:ff:ff inet 172.31.80.132/20 brd 172.31.95.255 scope global dynamic eth0 valid_lft 2261sec preferred_lft 2261sec inet6 fe80::1083:feff:fe31:b371/64 scope link valid_lft forever preferred_lft forever // [ec2-user@ip-172-31-80-132 ~]$ traceroute 172.16.10.160 traceroute to 172.16.10.160 (172.16.10.160), 30 hops max, 60 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * 6 * * *
目标:vm(172.31.80.132) can connect to 172.16.10.160
-
发起vpc-peering request
-
接受 request
-
检查创建好的vpc-peering
-
增加路由表
对端vpc路由表
-
验证vpc之间联通性(reachability Analyzer)
可以看到网络包的双向的路由path
-
hping3 检查vm之间网络延迟
平均0.8ms,
[ec2-user@ip-172-31-80-132 ~]$ sudo hping3 -c 10 -S -p 22 172.16.10.160 HPING 172.16.10.160 (eth0 172.16.10.160): S set, 40 headers + 0 data bytes len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=0 win=62727 rtt=0.5 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=1 win=62727 rtt=0.5 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=2 win=62727 rtt=0.6 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=3 win=62727 rtt=0.5 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=4 win=62727 rtt=0.5 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=5 win=62727 rtt=0.5 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=6 win=62727 rtt=0.6 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=7 win=62727 rtt=3.2 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=8 win=62727 rtt=0.5 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=9 win=62727 rtt=0.5 ms --- 172.16.10.160 hping statistic --- 10 packets transmitted, 10 packets received, 0% packet loss round-trip min/avg/max = 0.5/0.8/3.2 ms [ec2-user@ip-172-31-80-132 ~]$
-
上面测试的2个vm位与同一个 AZ上, 如果位于不同的AZ上,结果类似
所以看起来,同一个 region内部,AZ之间网络和内网类似
[ec2-user@ip-172-31-80-132 ~]$ sudo hping3 -c 10 -S -p 22 172.16.2.105 HPING 172.16.2.105 (eth0 172.16.2.105): S set, 40 headers + 0 data bytes len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=0 win=62727 rtt=1.2 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=1 win=62727 rtt=0.7 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=2 win=62727 rtt=0.6 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=3 win=62727 rtt=0.6 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=4 win=62727 rtt=0.8 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=5 win=62727 rtt=0.8 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=6 win=62727 rtt=1.3 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=7 win=62727 rtt=0.8 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=8 win=62727 rtt=0.8 ms len=44 ip=172.16.2.105 ttl=255 DF id=0 sport=22 flags=SA seq=9 win=62727 rtt=0.8 ms --- 172.16.2.105 hping statistic --- 10 packets transmitted, 10 packets received, 0% packet loss round-trip min/avg/max = 0.6/0.8/1.3 ms [ec2-user@ip-172-31-80-132 ~]$
-
## 不同账号,不同region vpc peering创建
-
环境准备
资源 account1 account2(mama) vpc myvpc(virgina) wsg-vpc(tokyo) vm 172.16.10.160 10.0.13.59(public subnet) 10.0.129.120(private subnet) -
account1 创建vpc peering
其中需要填入 account2 的 account-ID 和 VPC ID
创建成功后,可以看到vpc peering request已经成功发送到对端account
-
account2 中接受 vpc-peering reques
accept后,就可以看到vpc-peering的状态(可以看到2端 vpc的CIDR(网段))
- 2个account的对应vpc中分别增加到对端的路由
-
account1 vpc 增加路由
-
account2 的 vpc的 public subnet 增加路由
-
-
check
[ec2-user@ip-172-16-10-160 ~]$ telnet 10.0.13.59 22 Trying 10.0.13.59... Connected to 10.0.13.59. Escape character is '^]'. SSH-2.0-OpenSSH_7.4 ^C^C^C^C^C^C [ec2-user@ip-10-0-129-120 ~]$ sudo hping3 -c 10 -S -p 22 172.16.10.160 HPING 172.16.10.160 (eth0 172.16.10.160): S set, 40 headers + 0 data bytes len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=0 win=62727 rtt=167.9 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=1 win=62727 rtt=167.9 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=2 win=62727 rtt=166.9 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=3 win=62727 rtt=169.2 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=4 win=62727 rtt=166.0 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=5 win=62727 rtt=167.6 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=6 win=62727 rtt=168.1 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=7 win=62727 rtt=167.2 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=8 win=62727 rtt=176.3 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=9 win=62727 rtt=167.5 ms --- 172.16.10.160 hping statistic --- 10 packets transmitted, 10 packets received, 0% packet loss round-trip min/avg/max = 166.0/168.5/176.3 ms [ec2-user@ip-10-0-129-120 ~]$ //from ec2 10.0.13.59 [ec2-user@ip-10-0-13-59 ~]$ sudo hping3 -c 10 -S -p 22 172.16.10.160 HPING 172.16.10.160 (eth0 172.16.10.160): S set, 40 headers + 0 data bytes len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=0 win=62727 rtt=167.5 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=1 win=62727 rtt=167.4 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=2 win=62727 rtt=167.8 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=3 win=62727 rtt=166.1 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=4 win=62727 rtt=167.6 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=5 win=62727 rtt=166.6 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=6 win=62727 rtt=167.4 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=7 win=62727 rtt=166.9 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=8 win=62727 rtt=168.3 ms len=44 ip=172.16.10.160 ttl=255 DF id=0 sport=22 flags=SA seq=9 win=62727 rtt=167.2 ms --- 172.16.10.160 hping statistic --- 10 packets transmitted, 10 packets received, 0% packet loss round-trip min/avg/max = 166.1/167.3/168.3 ms [ec2-user@ip-10-0-13-59 ~]$
-
与account2 中 vpc的private subnet 没有创建路由,所以不通
[ec2-user@ip-172-16-10-160 ~]$ telnet 10.0.129.120 22 Trying 10.0.129.120...
在 private subnet中再补上 路由,
再次验证
[ec2-user@ip-172-16-10-160 ~]$ telnet 10.0.129.120 22 Trying 10.0.129.120... Connected to 10.0.129.120. Escape character is '^]'. SSH-2.0-OpenSSH_7.4
-
# FAQ
## 为啥我的vm无法ssh登陆
新建了一个vpc,划分为多个 subnet
-
现象
我的ec2 已经分配了54.168.57.130
➜ ~ ssh -i ~/.ssh/mama.pem ec2-user@54.168.57.130 ssh: connect to host 54.168.57.130 port 22: Operation timed out ➜ ~
-
check subnet
this is a subnet route table
-
subnet route table add route
➜ ~ ssh -i ~/.ssh/mama.pem ec2-user@54.168.57.130 Last login: Sat Oct 29 09:49:01 2022 from 103.183.218.24 __| __|_ ) _| ( / Amazon Linux 2 AMI ___|\___|___| https://aws.amazon.com/amazon-linux-2/ -bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory [ec2-user@ip-10-0-13-59 ~]$ ip add 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 link/ether 06:6c:a1:e4:ba:1f brd ff:ff:ff:ff:ff:ff inet 10.0.13.59/20 brd 10.0.15.255 scope global dynamic eth0 valid_lft 3395sec preferred_lft 3395sec inet6 fe80::46c:a1ff:fee4:ba1f/64 scope link valid_lft forever preferred_lft forever [ec2-user@ip-10-0-13-59 ~]$
## vpc peering 中创建的路由,会把 igw的路由自动删除?
如果需要internet访问,需要把igw的路由再加上
()
## VPC中的main route table
和route table的区别,main route table看起来都是一样的??
每个subnet都可以有自己路由表
https://medium.com/@mda590/aws-routing-101-67879d23014d
## 如何确认一个subnet是否允许公网访问?
创建vpc过程中,自动创建的subnet有public和private 2种,如果 vm放在private的subnet中,即使vm自动分配了公网ip,还是无法ssh登陆。
## 如何确认一个region有哪些AZ()
在创建subnet时,这边可以列出所有的az,
## 延迟
https://blog.cnlabs.net/wp-tools/aws_network_test/
https://www.cloudping.co/grid/latency/timeframe/1D
-
同一个vpc中,同一个AZ中的 vm之间延迟
[ec2-user@ip-172-31-80-132 ~]$ sudo hping3 -c 10 -S -p 22 172.31.81.200 HPING 172.31.81.200 (eth0 172.31.81.200): S set, 40 headers + 0 data bytes len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=0 win=62727 rtt=0.9 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=1 win=62727 rtt=0.7 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=2 win=62727 rtt=0.6 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=3 win=62727 rtt=0.6 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=4 win=62727 rtt=0.6 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=5 win=62727 rtt=0.7 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=6 win=62727 rtt=0.7 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=7 win=62727 rtt=0.6 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=8 win=62727 rtt=0.7 ms len=44 ip=172.31.81.200 ttl=255 DF id=0 sport=22 flags=SA seq=9 win=62727 rtt=0.6 ms --- 172.31.81.200 hping statistic --- 10 packets transmitted, 10 packets received, 0% packet loss round-trip min/avg/max = 0.6/0.7/0.9 ms [ec2-user@ip-172-31-80-132 ~]$
## vpc中的ip不够用了怎么办?
vpc可以增加 secondary CIDR block(需要满足一定要求,https://www.youtube.com/watch?v=ZdydaX1ds8I)
The RFC1918 address space includes the following networks:
- 10.0.0.0 – 10.255.255.255 (10/8 prefix)
- 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
## public subnet中 ec2无法访问 internet
** ec2 需要public ip ,igw 最终才能正常访问 internet **(是双向访问)
或者 ec2 没有public ip,通过ngw,igw 最终访问internet(只能是单向访问)
通过有public ip的vm 跳转到上面的 vm里面 [ec2-user@ip-172-16-10-160 ~]$ ping www.google.com PING www.google.com (172.253.122.104) 56(84) bytes of data. ^C --- www.google.com ping statistics --- 8 packets transmitted, 0 received, 100% packet loss, time 7169ms [ec2-user@ip-172-16-10-160 ~]$ ^C
-
给该ec2 增加一个 public ip(创建一个 E IP,然后attach到该 ec2的 ENI上)
then check connet to internet,ok
[ec2-user@ip-172-16-10-160 ~]$ ping www.google.com PING www.google.com (172.253.122.104) 56(84) bytes of data. 64 bytes from bh-in-f104.1e100.net (172.253.122.104): icmp_seq=1 ttl=50 time=1.37 ms 64 bytes from bh-in-f104.1e100.net (172.253.122.104): icmp_seq=2 ttl=50 time=1.35 ms 64 bytes from bh-in-f104.1e100.net (172.253.122.104): icmp_seq=3 ttl=50 time=1.27 ms ^C --- www.google.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 1.277/1.333/1.371/0.050 ms [ec2-user@ip-172-16-10-160 ~]$ ^C [ec2-user@ip-172-16-10-160 ~]$
-