![Page 1: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/1.jpg)
![Page 2: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/2.jpg)
![Page 3: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/3.jpg)
![Page 4: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/4.jpg)
![Page 5: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/5.jpg)
https://s3.amazonaws.com/reinvent-arc401/index.html
![Page 6: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/6.jpg)
• Basic automation– Automating network build
• Intermediate automation– Going beyond initial network build
• Advanced automation– Dynamic component configuration
![Page 7: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/7.jpg)
aws ec2 create-vpc --cidr-block 10.0.0.0/16
aws ec2 replace-route --route-table-id $ROUTE_TABLE_ID
--destination-cidr-block 0.0.0.0/0
--instance-id $INSTANCE_ID
aws ec2 attach-network-interface --network-interface-id $ENI
--instance-id $INSTANCE_ID
--device-index 1
aws ec2 assign-private-ip-addresses --network-interface-id $ENI
--private-ip-addresses 10.0.0.100
• AWS CLI
![Page 8: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/8.jpg)
#!/bin/sh
export AWS_DEFAULT_REGION="us-east-1"
VPC_ID=`aws ec2 create-vpc --cidr-block 10.0.0.0/16 --output text | awk '{print $6;}'`
SUBNET_ID=`aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.1.0/24 --output
text | awk '{print $6;}'`
echo "Created $VPC_ID & $SUBNET_ID"
#Clean up
aws ec2 delete-subnet --subnet-id $SUBNET_ID
aws ec2 delete-vpc --vpc-id $VPC_ID
• Custom scripts
![Page 9: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/9.jpg)
#Powershell script
Initialize-AWSDefaults -Region 'us-east-1'
#Create new VPC
$vpc = New-EC2Vpc -CidrBlock '10.0.0.0/16'
$subnet = New-EC2Subnet -VpcId $vpc.VpcId -CidrBlock '10.0.1.0/24' -AvailabilityZone 'us-east-1d'
Write-Host “Created VPC: " $vpc.VpcId " subnet: " $subnet.SubnetId
#Clean up VPC
Remove-EC2Subnet $subnet.subnetId -Force
Remove-EC2Vpc $vpc.VpcId -Force
• Amazon SDK
![Page 10: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/10.jpg)
"Resources" : {
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : “10.0.0.0/16”,
"Tags" : [ { "Key" : “Name", "Value" : “VPCName“ } ]
}
},
"PublicSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"CidrBlock" : “10.0.1.0/24”,
"Tags" : [ { "Key" : "Network", "Value" : "Public" } ]
}
}
• AWS CloudFormation
![Page 11: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/11.jpg)
• Allows network build to be:– Automated
– Tracked
– Version controlled
• A great start!– Aspirational for many of my customers
![Page 12: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/12.jpg)
• Control changes to the network
• Managing additional network components– Peering or VPN connections
– NAT or VPN instances
• Automate application-specific network components– EIPs, secondary IP assignments, routed VIPs
![Page 13: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/13.jpg)
• Controlling network changes with CloudFormation– Templates can be version controlled
– UpdateStack
• Add/Remove resources
• Modify security group rules
– Events are tracked by CloudFormation
![Page 14: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/14.jpg)
• In-region network expansion with VPC peering– Peering handshake can be scripted
– CloudFormation “AWS::EC2::VPCPeeringConnection” type
• Cross-region network expansion– VPC, routes, VPN instances can be scripted
– Check out vpc2vpc as an example
https://github.com/vinayselvaraj/vpc2vpc
vpc2vpc create 10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
![Page 15: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/15.jpg)
#!/bin/sh
NAT_ID=“i-12345”
NAT_RT_ID=“rtb-22574640”
REGION=“us-east-1”
…
# So we can monitor the other NAT instance
NAT_IP=`aws ec2 describe-instances --instance-id $NAT_ID --region $REGION |
grep PrivateIpAddress -m 1 | awk '{print $2;}' | sed -re 's/[",]//g'`
…
aws ec2 replace-route --route-table-id $NAT_RT_ID --instance-id $Instance_ID
--destination-cidr-block 0.0.0.0/0 --region $REGION
• Manage networking components (for example, HA)
https://aws.amazon.com/articles/2781451301784570
![Page 16: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/16.jpg)
• Allows networks and components to be:– Automated
– Tracked
– Version controlled
• Not very dynamicInstance_ID=“ ”
Route_Table_ID=“ ”
Virtual_IP=“ ”
EIP_Alloc_ID=“ ”
![Page 17: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/17.jpg)
• Dynamic network automation scripts
• Automation that responds appropriately when network or application conditions change – Without changing the scripts
• Examples– VIP reassignment in response to Auto Scaling
– New subnets get appropriate dynamic routing rules
– Create VPN tunnels when new regions are brought online
![Page 18: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/18.jpg)
• Dynamic network automation approaches– Instance bootstrapping
– Store dynamic information in an external store
– Change polling, detection, and response
• Standard external stores– Amazon S3, Amazon DynamoDB, Configuration Management Tool
![Page 19: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/19.jpg)
• What about using resource tags?– AWS resources can be tagged
• Tags are great for identifying resources– In the console
– By project or environment
– For billing
![Page 20: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/20.jpg)
• Network tagging scheme– Route table tags
• NAT = true
• NATAZ = [any, us-east-1a]
![Page 21: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/21.jpg)
Public Subnet 1
AWS Region
Availability Zone 1 Availability Zone 2
NAT
Public Subnet 2
Private Subnet 1 Private Subnet 2
TAG
NATAZ
any
Auto Scaling Group
TAG
NATAZ
anyThis subnet
needs NAT
This subnet
needs NAT
![Page 22: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/22.jpg)
Public Subnet 1
AWS Region
Availability Zone 1 Availability Zone 2
NAT
Public Subnet 2
NAT
Private Subnet 1 Private Subnet 2
This subnet
needs AZ-
specific NAT
This subnet
needs AZ-
specific NAT
TAG
NATAZ
AZ1
TAG
NATAZ
AZ2
![Page 23: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/23.jpg)
--filters "Name=tag-key,Values=NAT"
--filters "Name=tag:NATAZ,Values=any,us-east-1a"
• Filtering AWS resources by tag--filters are awesome!
![Page 24: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/24.jpg)
#!/bin/bash
INSTANCE_ID=`curl --silent http://169.254.169.254/latest/meta-data/instance-id`
AZ=`curl --silent http://169.254.169.254/latest/meta-data/placement/availability-zone`REGION="${AZ%?}"
MAC=`curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/`
VPC_ID=`curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/vpc-id`
![Page 25: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/25.jpg)
#!/bin/bash
INSTANCE_ID=`/usr/bin/curl --silent http://169.254.169.254/latest/meta-data/instance-id`
AZ=`/usr/bin/curl --silent http://169.254.169.254/latest/meta-data/placement/availability-zone`
REGION="${AZ%?}"
MAC=`curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/`
VPC_ID=`curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/vpc-id`
ROUTE_TABLES=`aws ec2 describe-route-tables --region $REGION --output text
--filters "Name=tag:NATAZ,Values=any,$AZ" | grep ROUTETABLES | awk '{print $2}'`
![Page 26: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/26.jpg)
#!/bin/bash
INSTANCE_ID=`/usr/bin/curl --silent http://169.254.169.254/latest/meta-data/instance-id`
AZ=`/usr/bin/curl --silent http://169.254.169.254/latest/meta-data/placement/availability-zone`
REGION="${AZ%?}"
MAC=`curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/`
VPC_ID=`curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MAC/vpc-id`
ROUTE_TABLES=`aws ec2 describe-route-tables --region $REGION --output text
--filters "Name=tag:NATAZ,Values=any,$AZ" | grep ROUTETABLES | awk '{print $2}'`
# Parse through RouteTables that need to be modified
for MY_RT_ID in $ROUTE_TABLES; do
aws ec2 replace-route --route-table-id $MY_RT_ID --destination-cidr-block 0.0.0.0/0 --instance-id $INSTANCE_ID` --region $REGION
done
![Page 27: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/27.jpg)
Public Subnet 1
US-West-2
Availability Zone 1 Availability Zone 1
Public Subnet 2
Private Subnet 1 Private Subnet 2
US-East-1
TAG
VPN
EIP
TAG
VPN
true
TAG
VPN
true
TAG
VPN
EIP
![Page 28: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/28.jpg)
• Network automation doesn’t require hard-core
development
• Simple scripts can be very powerful– Create dynamic, resilient networks and network components
– Respond to application or business requirements
![Page 29: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/29.jpg)
• Network automation
• Manipulating IPs
• Network monitoring
![Page 30: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/30.jpg)
• Virtual IP addresses– Support less cloud-friendly use cases
• Multicast– Support legacy multicast use cases
• Floating networks– Support overlapping network use cases
![Page 31: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/31.jpg)
• Elastic IP
10.0.0.55
72.44.63.250
10.0.1.79
AWS Region
aws ec2 associate-address --private-ip-address 10.0.1.79
--allocation-id [EIP Allocation ID] --allow-reassociation
Availability Zone Availability Zone
![Page 32: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/32.jpg)
• Secondary private IP
10.0.0.55
72.44.63.250
10.0.0.79
AWS Region
aws ec2 assign-private-ip-addresses --private-ip-addresses 10.0.0.10
--network-interface-id eni-123abcde --allow-reassociation
10.0.0.10
Availability Zone
![Page 33: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/33.jpg)
• Routed virtual IP
10.0.0.55
192.168.0.10
10.0.1.79
AWS Region
#ifconfig eth0:1 192.168.0.10/32 up
aws ec2 replace-route --route-table-id [Route Table ID]
--destination-cidr-block 192.168.0.10/32
--instance-id [Instance ID]
Availability Zone Availability Zone
![Page 34: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/34.jpg)
• Configure your instance OS with another IP
• Disable SRC/DST checking
• Use a replace-route API call to direct traffic
# ifconfig eth0:1 192.168.0.10/32 up
aws ec2 replace-route --route-table-id [Route Table ID]
--destination-cidr-block 192.168.0.10/32
--instance-id [Instance ID]
aws ec2 modify-instance-attribute --instance-id [Instance ID]
–no-source-dest-check
![Page 35: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/35.jpg)
Approach Pros Cons
EIP Multi-AZ Public IP only
(split-brained DNS within
VPC for private IP)
Secondary IP Public and/or
private IP
Single AZ
Routed VIP Multi-AZ Private IP only
Only accessible from
instances within the VPC
![Page 36: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/36.jpg)
• Each VIP option supports application-specific
requirements
• Embrace automation– Build this into application deployment
• Build your network as an integral part of the
application it supports
![Page 37: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/37.jpg)
• By and large, a disappointment
• Some legacy apps/app servers require multicast– Node discovery
– Session management
– Automated failover
![Page 38: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/38.jpg)
• Not directly supported
• Can be implemented with an overlay network• GRE or L2TP tunnels, Ntop’s N2N
10.0.0.54
10.0.0.79
10.0.1.132
Subnet 10.0.0.0/24 Subnet 10.0.1.0/24
10.0.1.18310.0.0.41
![Page 39: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/39.jpg)
• This technically isn’t multicast– Multicast packets are wrapped in unicast packets
• Not a solution for unicast scaling
– Additional packet overhead
• GRE approach adds 38 bytes (MTU of 1500 will effectively be 1462)
• Unicast traffic can also traverse the overlay network– Not subject to security group filtering
• Decent option for small, legacy clusters– App server node discover
– Low traffic volumes
![Page 40: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/40.jpg)
• GRE configuration can be automated– Multicast configuration stored in tags
• Periodically check for new members (60 seconds)
172.31.16.124
172.31.28.164
172.31.47.71
Subnet 172.31.16.0/20 Subnet 172.31.32.0/20
TAG: multicast
App1,192.168.0.12/24
TAG: multicast
App1,192.168.0.11/24
TAG: multicast
App1,192.168.0.10/24
192.168.0.0/24 Overlay
Community: App1
![Page 41: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/41.jpg)
![Page 42: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/42.jpg)
• Trend: We have less control over the network
ranges our networks must interact with– SaaS
– Mergers
– DevOps
![Page 43: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/43.jpg)
Customer ‘n’
192.168.0.0/16
Customer 3
10.0.0.0/16
10.0.0.0/16
Customer 2
10.0.0.0/16
Customer 1
172.16.0.0/16
172.16.0.268
Service 1
Service 2
Service EIPs
Amazon
Route 53
Service ‘n’
...
Service load
balancers
![Page 44: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/44.jpg)
• Most straightforward approach
• Great when your services do
not need to initiate connections
![Page 45: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/45.jpg)
10.0.0.0/22
Customer 2
10.0.0.0/16
10.0.0.58
10.0.0.105
192.168.0.0/22
192.168.0.124
Customer 1
172.16.0.0/16
172.16.0.268
![Page 46: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/46.jpg)
• Fairly straightforward
• Viable option with AWS
automation
• Typically best for single tenants– Shared systems can be challenging
![Page 47: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/47.jpg)
10.0.0.0/16
10.0.0.0/16
192.1
68.0
.0/1
6
10.0.0.58
10.0.0.105
SRC: 10.0.0.58
DST: 192.168.0.105
SRC: 192.168.0.58
DST: 10.0.0.105
![Page 48: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/48.jpg)
192.168.0.0/16
10.0.0.0/16
10.0.0.0/1610.0.0.58
10.0.0.105
SNAT: 192.168.0.0/16
DNAT: 10.0.0.0/16
# iptables -t nat -A PREROUTING -d 192.168.0.0/16 -j NETMAP --to 10.0.0.0/16
# iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j NETMAP --to 192.168.0.0/16
![Page 49: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/49.jpg)
Customer #
Customer #
10.0.0.0/16
Customer #
Customer #
![Page 50: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/50.jpg)
• Slightly more complicated
• Consider a shared service, HA VPN tier
• Viable option with VPN appliance automation
• May be better for multitenant solutions
![Page 51: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/51.jpg)
• Network automation
• Manipulating IPs
• Network monitoring
![Page 52: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/52.jpg)
• Monitoring has traditionally been siloed– Application
– Server
– Network
• Limited access to networking devices– NAT/VPN instances
– No access to cloud switches/routers
• Need to think about monitoring differently
![Page 53: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/53.jpg)
• Lorien Wood School– OpenDNS, SNMP (cacti)
• New network monitoring requirements– More visibility into student activity
![Page 54: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/54.jpg)
• Urlsnarf
• Logrotated
• Cron
• SCP
• Python script
• PHP/MySQL app
t2.micro
![Page 55: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/55.jpg)
• Focus on requirements– “Network monitoring” can mean just about anything
– Plan for scale
• Find the right tool to meet the requirements– Gateway-based vs. host-based
– Simple scripts
– OS tools (job schedulers, SSH/WMI, logging capabilities, and log file rotators)
– AWS partner solutions
• Leverage reusable architectural patterns
![Page 56: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/56.jpg)
AWS_Regions
CloudWatch_Region
cw ec2.cloudwatch.connect_to_region
region AWS_Regions
vpcconn vpc.connect_to_region
vpns vpcconn.get_all_vpn_connections
vpn vpns
vpn.state available
active_tunnels
vpn.tunnels[0].status UP
active_tunnels
vpn.tunnels[1].status UP
active_tunnels
cw.put_metric_data VPNStatus vpn.id
VGW vpn.vpn_gateway_id CGW vpn.customer_gateway_id
![Page 57: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/57.jpg)
• Log network events locally and ship them to: – CloudWatch logs
– Syslog / Windows logs
– AlertLogic, Cloudlytics, Logentries, Loggly, Splunk, SumoLogic …
• Leverage existing log monitoring infrastructure– Should already be built for scale
• Add network requirements and admins to log monitoring infrastructure development
![Page 58: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/58.jpg)
Orchestrator Configure
MonitoringDistributed
Monitoring
Store ResultsAnalyze and
Report
![Page 59: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/59.jpg)
Monitoring
Orchestrator
SCP
SSHtcpdump -G 60 pcap
collectorpcap
analyzer
curl
![Page 60: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/60.jpg)
• Network monitoring gateways– Barracuda Networks, Checkpoint, Palo Alto Networks,
Sophos
• Host-based network intrusion detection– AlertLogic, TrendMicro, ThreatStack
• Network traffic analysis– Boundary, CloudShark
• Application network performance– Compuware
![Page 61: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/61.jpg)
• Focus on requirements
• There are actually a lot of tools out there to help– Some you might not have thought of before
• Leverage automation to create application-specific
network monitoring solutions
• Plan for scale from the start
• Don’t fear doing things a little differently
![Page 62: (ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014](https://reader030.vdocument.in/reader030/viewer/2022020110/55a22eaa1a28ab87428b463a/html5/thumbnails/62.jpg)
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals
https://s3.amazonaws.com/reinvent-arc401/index.html