networking - kurt2439/wiki GitHub Wiki
VPC Peering

Allows you to route traffic between two VPCs. VPCs can be peered within your own account or with other AWS accounts in the same region (different AZs are fine).
- Neither a gateway nor a VPN connection -- no separate piece of hardware. No single point of failure.
- No transitive peering: in A<->B<->C, A can route to B but not to C (you would have to peer A<->C directly)
- Peered VPCs cannot have the same (or overlapping) IP ranges
- VPCs can have many peers (50 soft limit, up to 125?)
- "Placement groups" can span peered VPCs but you will not get full bandwidth between instances in peered VPCs

Limits
- Cannot reference a security group from the peer VPC as a source or destination; must use a CIDR block
- Private DNS values cannot be resolved between VPCs

Steps
- One party sends request
- 2nd party accepts
- 1st party adds route to 2nd party
- 2nd party adds routes back
- Security groups in both VPCs have to allow traffic between each other (also Network ACLs)
- Steps to setup VPC peer
- Troubleshooting VPC peering
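The rules above (no overlapping CIDRs, a route on each side pointing at the peering connection, CIDR-only security group sources, and no transitive routing) are easy to get wrong when auditing a peering setup. The following added example is not code from this wiki or from AWS; it models those rules offline on constructed data (three VPCs A, B and C peered A<->B and B<->C, with assumed connection ids `pcx-ab` and `pcx-bc`) so you can see why A never reaches C and why a missing return route on C breaks B<->C traffic.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    name: str
    cidr: str
    # route table: destination CIDR -> target ("local" or a peering connection id)
    routes: dict = field(default_factory=dict)


@dataclass
class Peering:
    pcx_id: str
    requester: str
    accepter: str

    def other_side(self, vpc_name):
        return self.accepter if vpc_name == self.requester else self.requester


# Constructed sample data (not a real account): A<->B and B<->C are peered, A<->C is not.
# C deliberately lacks the route back to B so the audit has something to report.
VPCS = {
    "A": Vpc("A", "10.0.0.0/16", {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx-ab"}),
    "B": Vpc("B", "10.1.0.0/16", {"10.1.0.0/16": "local", "10.0.0.0/16": "pcx-ab",
                                   "10.2.0.0/16": "pcx-bc"}),
    "C": Vpc("C", "10.2.0.0/16", {"10.2.0.0/16": "local"}),
}
PEERINGS = [Peering("pcx-ab", "A", "B"), Peering("pcx-bc", "B", "C")]


def overlapping_peerings(vpcs, peerings):
    """Peering ids whose two VPCs have overlapping CIDRs (AWS refuses to activate these)."""
    bad = []
    for p in peerings:
        a = ipaddress.ip_network(vpcs[p.requester].cidr)
        b = ipaddress.ip_network(vpcs[p.accepter].cidr)
        if a.overlaps(b):
            bad.append(p.pcx_id)
    return bad


def missing_routes(vpcs, peerings):
    """(vpc, peer) pairs where the route table lacks a route to the peer CIDR via the pcx."""
    missing = []
    for p in peerings:
        for src, dst in ((p.requester, p.accepter), (p.accepter, p.requester)):
            if vpcs[src].routes.get(vpcs[dst].cidr) != p.pcx_id:
                missing.append((src, dst))
    return missing


def can_reach(vpcs, peerings, src_name, dst_ip):
    """Single-hop reachability: a peering delivers traffic only into the peer VPC itself."""
    ip = ipaddress.ip_address(dst_ip)
    src = vpcs[src_name]
    matches = [(ipaddress.ip_network(c), t) for c, t in src.routes.items()
               if ip in ipaddress.ip_network(c)]
    if not matches:
        return False
    _net, target = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    if target == "local":
        return True
    pcx = next((p for p in peerings if p.pcx_id == target), None)
    if pcx is None:
        return False
    peer = vpcs[pcx.other_side(src_name)]
    # No transitive peering: the peer VPC never forwards to its own peers.
    return ip in ipaddress.ip_network(peer.cidr)


def transitive_attempt():
    """A adds a route for C's CIDR via pcx-ab; B still does not forward, so A cannot reach C."""
    vpcs = dict(VPCS)
    a = VPCS["A"]
    vpcs["A"] = Vpc("A", a.cidr, {**a.routes, "10.2.0.0/16": "pcx-ab"})
    return can_reach(vpcs, PEERINGS, "A", "10.2.5.5")


def peer_sg_source_ok(vpcs, peer_name, source):
    """A security group rule for peer traffic must name a CIDR inside the peer VPC, not an sg- id."""
    if source.startswith("sg-"):
        return False
    try:
        net = ipaddress.ip_network(source)
    except ValueError:
        return False
    return net.subnet_of(ipaddress.ip_network(vpcs[peer_name].cidr))


if __name__ == "__main__":
    print("overlapping:", overlapping_peerings(VPCS, PEERINGS))
    print("missing routes:", missing_routes(VPCS, PEERINGS))
    print("A -> 10.2.5.5:", can_reach(VPCS, PEERINGS, "A", "10.2.5.5"))
    print("A -> C with extra route:", transitive_attempt())
```

Running it reports the missing C->B route and shows that adding a route on A for C's range changes nothing: the peering connection delivers only to addresses inside B, so A->C stays unreachable until A<->C is peered directly. Feed the same functions with CIDRs and route tables pulled from `describe-vpcs`, `describe-route-tables` and `describe-vpc-peering-connections` to audit a real account.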

Direct Connect
- Establish a dedicated network connection from your premises to AWS.
- Increase bandwidth, more reliability, lower cost when dealing with large volumes of traffic
- 802.1q VLANs
- Allows Multiple Virtual Interfaces (VIFs)
- Access public resources such as S3 and private resources like EC2 private IP space while maintaining network separation between environments
- 10Gbps, 1Gbps, or sub-1Gbps through AWS partners (?)
- NOT redundant -- use BGP to fail over automatically from Direct Connect to a Site-to-Site VPN, or to a second Direct Connect
- Reminder: Site to Site VPN uses Customer Gateway (customer side) to Virtual Private Gateway (AWS side) when setting up VPN connection
- If accessing public services using HTTPS endpoints (dynamodb, s3) use public vifs
- If private IPs then use private vifs
- In the US you only need one Direct Connect to access all four US regions -- data between regions goes over AWS lines, not the public internet
- Layer 2 connections not supported

HPC involves
- batch processing with large and compute intensive workloads
- Demands high performance CPU, network, and storage
- Jumbo frames (9000 bytes of payload) are usually required: shared file systems use them frequently, and HPC apps need lots of disk I/O on shared file systems, so jumbo frames are critical in many cases.

Jumbo Frames are only supported on "enhanced networking" instances.
- Enhanced Networking is provided by using "single root I/O virtualization" (SR-IOV) on supported instance types
- C3, C4, D2, I2, M4, R3
- Only on HVM (hardware virtualized) instances, not PV (paravirtual)
- See Enhanced Networking Documentation on AWS Docs

Placement Groups are a logical grouping of instances within a single AZ.
- Low latency, 10Gbps network
- Instance type must support Enhanced Networking
- Placement Groups do NOT span AZ, but can span subnets in the same AZ (can span VPC but lots of performance degradation)
- Use homogeneous instance types so that your launch succeeds (??). There may not be enough capacity to launch all your instances later on, so size for peak load (??)
- Enhanced Networking available using SR-IOV with HVM
- Can span subnets but not AZ
- Cannot move existing instances into a placement groups
- Use homogeneous instance types
- Provision your placement group for peak, may not be able to add instances later

Elastic Load Balancing (ELB)

Automatically distributes incoming traffic across multiple instances

Know which ports ELBs support
- SMTP
- HTTP/S
- 1024-65535

Cannot assign an Elastic IP address to an ELB (still true?)

IPv4 and IPv6 are supported (VPCs do not support IPv6 currently [still true?])

You can load balance to the "Zone Apex" of your domain name (using an alias record)

You can get a history of the ELB API calls made on the account for security analysis and operational troubleshooting with CloudTrail

If you have multiple SSL certs you should use multiple ELBs (unless you have a wildcard, obviously)

NAT Instances

Enable instances in a private subnet to access the internet outbound

Bottleneck when a single NAT instance has too much traffic
- Scale up: a bigger instance type, or one with enhanced networking
- Scale out: add an additional NAT instance and subnet, and migrate half your workload to the new subnet
- HA for NAT instances (check the amazon blog)

More from Amazon