3. [Diagram: the four VPC connectivity scenarios covered by the deck]
   Instances within a subnet: Instance 10.0.0.197 <-> Instance 10.0.0.211
   Instance in two subnets: Instance 10.0.0.211 <-> Instance 10.0.2.176
   Instance and the Internet: Instance 10.0.0.211 <-> Internet
   Instance to host via VPN or AWS Direct Connect: Instance 10.0.0.211 <-> host
5. $ sudo tcpdump -s 1500 -q -n port 22 -c 10
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
20:16:50.650863 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
20:16:50.650958 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
20:16:50.651117 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
20:16:50.727337 IP 10.0.0.48.63071 > 10.0.0.197.ssh: tcp 0
20:16:50.727360 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 232
20:16:50.727451 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
20:16:50.727529 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
20:16:50.727532 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
20:16:50.727556 IP 10.0.0.48.63071 > 10.0.0.197.ssh: tcp 0
20:16:50.727626 IP 10.0.0.197.ssh > 10.0.0.48.63071: tcp 116
A to B: IP src 10.0.0.48, dst 10.0.0.197
        TCP src port 63071, dst port 22
6. [Diagram: one VPC with three subnets joined by the VPC router]
   Subnet 1 10.0.0.0/24: Instance A 10.0.0.197, Instance B 10.0.0.211 (eth0)
   Subnet 2 10.0.1.0/24: Instance B's second elastic network interface 10.0.1.99
   Subnet 3 10.0.2.0/24: Instance C 10.0.2.176
22. [Diagram: the same three-subnet VPC as slide 6 (Subnet 1 10.0.0.0/24 with Instances A 10.0.0.197 and B 10.0.0.211; Subnet 2 10.0.1.0/24 with B's elastic network interface 10.0.1.99; Subnet 3 10.0.2.0/24 with Instance C 10.0.2.176; VPC router)]
24. [Diagram: Instance B with eth0 10.0.0.211 and eth1 10.0.1.99; its traffic to an instance at 10.0.1.50 is marked with an x (no reply)]
25. $ ip -f inet addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet 10.0.0.211/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet 10.0.1.99/24 brd 10.0.1.255 scope global eth1
$ ip route list table main
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.211
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.99
$ ssh 10.0.1.73 -b 10.0.0.211
[ No response ]
$ sudo tcpdump -s 1500 -n -q -i eth1
20:53:57.453687 IP 10.0.0.211.46505 > 10.0.1.73.ssh: tcp 0
20:53:58.450816 IP 10.0.0.211.46505 > 10.0.1.73.ssh: tcp 0
26. # echo 10001 eth1-rt >> /etc/iproute2/rt_tables
# ip rule add from 10.0.1.99 table eth1-rt
# ip rule list
0: from all lookup local
32765: from 10.0.1.99 lookup eth1-rt
32766: from all lookup main
32767: from all lookup default
# ip route add default via 10.0.1.1 dev eth1 table eth1-rt
# ip route list table eth1-rt
default via 10.0.1.1 dev eth1
# ip route flush cache
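Added illustration, not part of the original slides: a small Python model of the rule and table lookup that slides 25 and 26 configure. The routing tables are transcribed from the `ip` output above; the destination 10.0.2.176 is Instance C from slide 6. It shows that, before the extra rule, a packet sourced from eth1's address 10.0.1.99 leaves via eth0's default gateway on an interface whose subnet does not own that address, and that rule 32765 plus table eth1-rt steer it out of eth1 instead.

```python
import ipaddress

# Constructed from the `ip route list table main` output on slide 25 (Instance B).
# Each entry: (prefix, next hop or None for a connected route, outgoing device).
MAIN_TABLE = [
    ("0.0.0.0/0",   "10.0.0.1", "eth0"),
    ("10.0.0.0/24", None,       "eth0"),
    ("10.0.1.0/24", None,       "eth1"),
]
# Subnet attached to each interface, from `ip -f inet addr` on slide 25.
IFACE_SUBNET = {"eth0": "10.0.0.0/24", "eth1": "10.0.1.0/24"}

def lookup(table, dst):
    """Longest-prefix match in one routing table; returns (next_hop, dev) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def route(rules, tables, src, dst):
    """Walk rules by priority as `ip rule list` shows them; the first table holding a route wins."""
    for _prio, selector, name in sorted(rules):
        if selector != "all" and selector != src:
            continue
        hit = lookup(tables[name], dst)
        if hit is not None:
            return hit
    return None

def source_matches_egress(src, dev):
    """True when the packet leaves on the interface whose subnet owns its source address."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(IFACE_SUBNET[dev])

# Before slide 26: only the stock rules (the local table is omitted; nothing here is local).
RULES_BEFORE = [(32766, "all", "main"), (32767, "all", "default")]
TABLES_BEFORE = {"main": MAIN_TABLE, "default": []}
# After slide 26: rule 32765 sends packets sourced from eth1's address to table eth1-rt.
RULES_AFTER = [(32765, "10.0.1.99", "eth1-rt")] + RULES_BEFORE
TABLES_AFTER = {**TABLES_BEFORE, "eth1-rt": [("0.0.0.0/0", "10.0.1.1", "eth1")]}

if __name__ == "__main__":
    for label, rules, tables in (("before", RULES_BEFORE, TABLES_BEFORE),
                                 ("after", RULES_AFTER, TABLES_AFTER)):
        gw, dev = route(rules, tables, "10.0.1.99", "10.0.2.176")
        ok = source_matches_egress("10.0.1.99", dev)
        print(f"{label}: 10.0.1.99 -> 10.0.2.176 leaves {dev} via {gw}; source fits egress subnet: {ok}")
```

Note that table eth1-rt on slide 26 carries only a default route, so in this model every packet from 10.0.1.99 goes to 10.0.1.1, including ones for hosts inside 10.0.1.0/24.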
35. VPC Security Group vs. Network ACL

                   VPC Security Group             Network ACL
    Direction      Filter inbound or outbound     Filter inbound or outbound
    Management     Manage via APIs, console       Manage via APIs, console
    Protocols      Filter TCP, UDP, IP            Filter TCP, UDP, IP
    State          Stateful                       Stateless
    Scope          Packets in/out of instance     Packets in/out of subnet
    Association    1+ groups per instance         1 ACL per subnet
    Rule types     "Allow" rules only             "Allow" or "Deny" rules
    Evaluation     Unordered                      Ordered
39. [Diagram: VPC 10.0.0.0/16 with Instances A, B and C; an Internet Gateway connects the VPC to the Internet]
44. [Diagram: VPC 10.0.0.0/16 with Instances A, B and C behind a Virtual Private Gateway; two paths to the HQ Datacenter: a VPN Connection terminating on a Customer Gateway, and AWS Direct Connect terminating on a Router; Host D sits in the datacenter, whose networks are 192.168.33.0/24 and 192.168.44.0/24]
49. http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
router# show bgp all neighbors 169.254.255.1 advertised-routes
For address family: IPv4 Unicast
BGP table version is 3, local router ID is 172.12.3.3
Status codes: s suppressed, d damped, h history, * valid, > best,
i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Originating default network 0.0.0.0
Network Next Hop Metric LocPrf Weight Path
*> 192.168.33.0/24 169.254.255.1 100 0 7224 i
Total number of prefixes 1
51. [Diagram: recap of the four scenarios from slide 3]
    Instances within a subnet: Instance 10.0.0.197 <-> Instance 10.0.0.211
    Instance in two subnets: Instance 10.0.0.211 <-> Instance 10.0.2.176
    Instance and the Internet: Instance 10.0.0.211 <-> Internet
    Instance to host via VPN or AWS Direct Connect: Instance 10.0.0.211 <-> host