Posts in Category: aws

AWS – VPC Peering

All resources inside a VPC can automatically communicate with each other via their private IP addresses, irrespective of which public/private subnets they belong to. However, it is also possible for resources in one VPC to communicate with resources in another VPC. This is done by setting up a “VPC peering” connection.

A VPC peering connection is a network connection between two VPCs which lets instances in one VPC communicate with instances in the other VPC as if they were within the same network.

There are a few conditions that need to be met for setting up VPC peering:

  • Both VPCs need to reside in the same region, i.e. you can’t set up VPC peering between VPCs in different regions.
  • The VPCs’ CIDR block ranges are not allowed to overlap. Otherwise it would potentially

AWS – NAT Instances

If you have an EC2 instance that is attached to a private subnet only, then it won’t have internet access. That’s because, by definition, the route table associated with the private subnet doesn’t have an entry for routing traffic to/from an internet gateway.

For security reasons, this is a good thing if the resource does not provide a service that requires direct access. However, this is also a problem, because you can’t use commands like yum, which require internet access.

You can overcome this problem by creating a NAT instance. A NAT instance allows instances on the private subnet to initiate outbound traffic to the internet, thereby establishing a connection session which will then allow inbound traffic for the duration of the session. It’s a


AWS – VPCs & Subnets, routing tables, and Internet Gateways

In order for an instance to have internet access, you will need the following:

  • An internet gateway attached to your VPC
  • The internet gateway is referenced by an entry in your route table. Note that your VPC can have multiple route tables.
  • This route table must be associated with your subnet, which consequently makes your subnet a public subnet.
  • The subnet’s attached network ACL must have the appropriate inbound/outbound firewall rules in place to allow the desired traffic through
  • Your instance must have a public or Elastic IP address
  • Ensure your security groups and network ACLs allow the relevant traffic through
  • Settings inside the instance are correct, e.g.:
    • firewalld is configured
    • network service is running
    • services are running and listening on their ports.

First off, a VPC is a way to group your resources. These resources can be in different AZs.


AWS – Setting up ELB to send public traffic to Private EC2 instances

Here are the steps:

  1. Create a VPC (which also creates a new route table behind the scenes)
  2. Create 2 subnets inside this VPC. These subnets also need to be in the same availability zone as the web-server instance; by default both subnets end up inheriting the VPC’s route table. We’ll call them public-subnet and private-subnet.
  3. Create an “Internet Gateway” and attach it to the VPC’s route table. This ends up making both public-subnet and private-subnet public. Later on we will turn the subnet private-subnet into a private subnet.
  4. Attach the Internet Gateway to the route table, and configure it to accept traffic from an IP address
  5. Create an EC2 instance inside the VPC (via the dropdown list), and attach the subnet private-subnet (via the dropdown list). Also assign a public IP address
  6. Log into this EC2 instance using

AWS – Placement Groups

Key points

  • the name of a placement group has to be unique within your AWS account.
  • only certain instance types can be placed in placement groups: the c, g, m and i families
  • you can’t move existing instances into a placement group.

A placement group is a cluster of instances that are all in the same AZ. These instances have 10 Gbps networking and need to have the “Enhanced Networking” feature. You need to put instances into a placement group if they need very low latency between them.

You need to use appropriate EC2 instance types to get the best use out of placement groups.

You should try to create all your EC2 (placement group) instances in a single request; this is possible because when creating an instance there is a “number of” field to


AWS – Security Groups and Network ACLs (firewalls)

You can control the data traffic flowing to/from your resources via security groups, or at the higher subnet level via Network ACLs.

Security Groups

When you create a new instance, by default all data traffic attempting to reach the EC2 instance (across all ports) is denied. I think the only exception is the SSH port, port 22.

You can apply an individual firewall rule, or a collection of firewall rules, to an instance in the form of a “security group”.

Security groups are a grouping of firewall rules that you can assign to an EC2 instance.

Security groups exist at the VPC level. Therefore, once you create a security group, you can assign it to any EC2 instance that exists in that VPC.

Security group firewall rules are stateful, meaning that if you allow incoming


AWS – Cloudwatch

Status checks

CloudWatch is a monitoring service. It can monitor 2 types of checks:

  • System Status Checks
  • Instance Status Checks

System Status Checks

These checks give information about whether the underlying AWS hardware/software has developed a fault. If any of these checks fails, it is something AWS is required to repair. Here are some example checks of this type:

  • Loss of network connectivity
  • Loss of system power
  • Software issues on the physical host
  • Hardware issues on the physical host

When one of these system checks fails, it can be fixed in one of 2 ways:

  • Wait for AWS to fix the issue
  • Stop and start the instance, or terminate and replace it. Behind the scenes, this has the effect of automatically moving your instance to working hardware.

Instance Status Checks

These checks give information about the software and


AWS – Private IP Addresses, Public IP addresses, and Elastic IP Addresses

A public IP address is not a static IP address, i.e. it will change if you reboot your EC2 instance.

Elastic IP addresses, on the other hand, are persistent. You can assign one to an instance, or at a later date reassign it to a different instance.

Inside a VPC we can have two types of subnets:

  • Private subnets – This is a subnet that does not have an internet gateway attached to it. This means an instance can’t access the internet via this type of subnet. This address is persistent and will survive a reboot.
  • Public subnets – This is a subnet that does have an internet gateway attached to it.

In order for an instance to have internet access, it first needs to be in a VPC that contains a public subnet. The next


AWS – Overview of Elastic Block Storage (EBS)

EBS is the way to add additional block-device storage to your EC2 instance. Once attached, it is still up to you to do all the tasks needed to mount it, e.g. use fdisk, mkfs.ext4, add an entry to /etc/fstab, etc.

Note, you can only attach EBS volumes to an EC2 instance that is in the same AZ. But you can overcome this using snapshots, covered further down.

There are different types of EBS storage, each offering different levels of maximum capacity and performance. In terms of performance, the key performance indicator is “IOPS”.

IOPS: Input/Output Operations Per Second, where the data processed in each operation is 256 KB in size.

IOPS is just an alternative measurement for network bandwidth. Therefore, if an EC2 instance can interact with an EBS volume at 20000 IOPS, then in


AWS – Bootstrapping EC2 instance using cloud-init

When you create a new EC2 instance, you may want to run a series of shell scripts to further prepare the instance before it is ready for use. This is possible using a tool called cloud-init.

You have to pass “user-data” into cloud-init.

As a side note, after your instance is built you can view this data by going to the following URL from inside your instance:

http://169.254.169.254/latest/meta-data

You can use the same method to view your instance’s general metadata:

http://169.254.169.254/latest/user-data

Note: you have to be inside the instance before querying the above URLs.

$ curl http://169.254.169.254/latest/       # notice the last trailing slash, which makes curl act a bit like the ls command.
dynamic
meta-data
user-data

These 2 URLs are useful if you want to run a ruby/python/bash