AWS VPC
2022-07-03 04:25:00 【Blue summer】
1 VPC
A VPC (Virtual Private Cloud) is a logically isolated data center. Public cloud providers build it on overlay networks (such as VXLAN and GRE) that split the physical network into independent pieces and hand them to different tenants. A tenant can deploy its own applications and resources in this isolated network without interference from other users, and encryption and tunneling protocols protect the tenant's data and traffic. This is the virtual network that cloud service providers offer.
2 Amazon VPC
AWS has two kinds of VPC, the default VPC and nondefault VPCs:
- Default VPC: 172.31.0.0/16, created automatically, so there is no need to create it yourself. EC2 instances launched in it receive a public IP.
- Nondefault VPC: a VPC the user creates and configures, with the IP range and other properties set as needed. EC2 instances launched in it use private IPs by default.
3 Amazon VPC CIDR blocks
- The CIDR block size can only be between /16 and /28, that is, 16 to 65,536 IP addresses.
- Once set, a CIDR block cannot be modified, neither expanded nor shrunk; you can delete and recreate it, or add another CIDR block.
- A VPC can have multiple CIDR blocks, but with restrictions: a new block cannot overlap an existing one and cannot cross between the class A, B and C private ranges. For example, if the primary block is in the 10.x private range, the new block cannot be in 172.16.x or 192.168.x.
4 Amazon VPC DNS
- The VPC's default DNS address is the CIDR base address + 2. For example, with CIDR 10.0.0.0/16 the VPC's DNS address is 10.0.0.2; with multiple CIDR blocks, the primary block is used.
- DNS queries are rate limited: each network interface can send at most 1024 queries per second, the limit cannot be raised, and queries beyond it are rejected.
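As an added illustration of the CIDR and DNS rules above (example code written here, not from the original post or from AWS), a small Python checker that applies the /16 to /28 size limit, the no-overlap rule and the same-private-range rule to a proposed additional CIDR block, and derives the VPC resolver address (base + 2) from the primary block. Treating a non-RFC 1918 candidate as a violation is a simplification assumed here.

```python
import ipaddress

# RFC 1918 private ranges (class A, B and C): an added block must stay in the primary's range
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def private_range_of(cidr):
    """Return the RFC 1918 range containing `cidr`, or None if it is not a private address."""
    net = ipaddress.ip_network(cidr, strict=True)
    for block in PRIVATE_RANGES:
        if net.subnet_of(block):
            return block
    return None

def check_secondary_cidr(primary, existing, candidate):
    """Apply the VPC CIDR rules to a proposed additional block; returns a list of violations."""
    cand = ipaddress.ip_network(candidate, strict=True)
    problems = []
    # size must be between /16 and /28 (65,536 down to 16 addresses)
    if not 16 <= cand.prefixlen <= 28:
        problems.append(f"{candidate}: prefix length must be between /16 and /28")
    # must not overlap any block already associated with the VPC
    for cidr in [primary, *existing]:
        if cand.overlaps(ipaddress.ip_network(cidr, strict=True)):
            problems.append(f"{candidate} overlaps existing block {cidr}")
    # must not cross from the primary's private range into another (e.g. 10.x to 172.16.x);
    # simplification assumed here: a non-private candidate is reported as a violation too
    if private_range_of(candidate) != private_range_of(primary):
        problems.append(f"{candidate} is not in the same private range as primary {primary}")
    return problems

def vpc_dns_address(primary):
    """The VPC resolver sits at the primary CIDR's base address + 2 (10.0.0.2 for 10.0.0.0/16)."""
    return str(ipaddress.ip_network(primary, strict=True).network_address + 2)

if __name__ == "__main__":
    print(vpc_dns_address("10.0.0.0/16"))                              # 10.0.0.2
    print(check_secondary_cidr("10.0.0.0/16", [], "10.1.0.0/16"))      # [] -> acceptable
    print(check_secondary_cidr("10.0.0.0/16", [], "172.16.0.0/16"))    # crosses private ranges
    print(check_secondary_cidr("10.0.0.0/16", [], "10.0.128.0/17"))    # overlaps the primary
```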
5 Amazon VPC access control
There are two main mechanisms, security groups and network ACLs. The main differences are:

| Security group | Network ACL |
|---|---|
| Applies at the instance level | Applies at the subnet level |
| Supports allow rules only | Supports allow and deny rules |
| Stateful: return traffic is released automatically | Stateless: traffic in both directions must be released explicitly |
| All rules are evaluated before deciding whether to allow the traffic | Rules are matched in number order and the first match is executed, similar to iptables rules |
| Takes effect only when explicitly associated with an instance | Applies automatically to every instance in the associated subnet |
However, neither mechanism restricts access to the following AWS-provided services (self-hosted equivalents are still filtered):
- AWS DNS service
- AWS DHCP service
- AWS EC2 instance metadata
- AWS Windows license activation
- AWS time synchronization service
- The reserved IP address of the default VPC router
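The stateful versus stateless difference and the first-match evaluation order from the table above are the points most often misconfigured, so here is an added Python simulation (example code, not from the original post or from AWS) of a constructed HTTPS flow evaluated by a security group and by a network ACL. Addresses, ports and rule numbers are made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    number: int   # NACL rules are evaluated in ascending number order (security groups ignore it)
    action: str   # "allow" or "deny"; a security group only ever holds "allow" rules
    proto: str
    port_lo: int
    port_hi: int

    def matches(self, proto, port):
        return self.proto == proto and self.port_lo <= port <= self.port_hi

def nacl_allows(rules, proto, port):
    """Network ACL: stateless; the first matching rule by number decides (like iptables); no match = deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port):
            return rule.action == "allow"
    return False

class SecurityGroup:
    """Security group: allow rules only, all considered; replies to an admitted flow pass automatically."""
    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()   # (peer, proto, peer_port) of admitted flows, i.e. connection state

    def allows_inbound(self, peer, proto, dst_port, src_port):
        if any(r.matches(proto, dst_port) for r in self.inbound):
            self.tracked.add((peer, proto, src_port))
            return True
        return False

    def allows_reply(self, peer, proto, dst_port):
        return (peer, proto, dst_port) in self.tracked   # no outbound rule needed for the reply

def https_round_trip(nacl_out):
    """Constructed flow client 203.0.113.5:51000 -> server:443 and its reply; returns ((sg_req, sg_reply), (nacl_req, nacl_reply))."""
    sg = SecurityGroup(inbound=[Rule(100, "allow", "tcp", 443, 443)])
    nacl_in = [Rule(100, "allow", "tcp", 443, 443)]
    sg_req = sg.allows_inbound("203.0.113.5", "tcp", 443, 51000)
    sg_reply = sg.allows_reply("203.0.113.5", "tcp", 51000)
    nacl_req = nacl_allows(nacl_in, "tcp", 443)
    nacl_reply = nacl_allows(nacl_out, "tcp", 51000)   # the reply targets the client's ephemeral port
    return (sg_req, sg_reply), (nacl_req, nacl_reply)

# Outbound NACL that only opens 443: the server's reply to port 51000 is dropped
INCOMPLETE_OUT = [Rule(100, "allow", "tcp", 443, 443)]
# Outbound NACL that also releases the ephemeral port range, as a stateless filter requires
COMPLETE_OUT = INCOMPLETE_OUT + [Rule(110, "allow", "tcp", 1024, 65535)]
```

With INCOMPLETE_OUT the security group still passes both directions while the NACL drops the reply; a lower-numbered deny rule covering the ephemeral range would shadow the later allow because only the first match counts.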
6 Amazon VPC connectivity
6.1 Connecting to the public network
- If an instance in the VPC has a public IP, it can be associated directly with an Internet gateway and reach the public network.
- An instance with only a private IP can be associated with an Elastic IP to obtain a public IP and reach the public network, but the association is manual and only one instance can use a given Elastic IP. For efficiency, a NAT gateway can be used instead.
6.2 Connecting to other VPCs
- VPC peering: through peering, private IPs can be used to communicate with another VPC, including VPCs in different accounts and even in other regions, but the two VPCs' IP ranges must not overlap.
VPC peering is neither a gateway nor a VPN connection and does not depend on separate hardware, so it has no single point of failure or bandwidth bottleneck. But each VPC must hold routes to the peer VPC, so with many VPCs maintenance becomes troublesome; consider a transit gateway instead.
- Transit Gateway: it can be regarded as a layer-3 routing device that acts as a central router among multiple VPCs and can also be used to isolate them.
6.3 Connecting to on-premises networks
- Transit Gateway: an on-premises SD-WAN network can be attached to AWS through a transit gateway to extend the network. It also supports routed VPN connections and AWS Direct Connect gateways, and it can connect multiple VPCs.
- AWS VPN: includes AWS Site-to-Site VPN, AWS Client VPN, AWS VPN CloudHub and third-party VPN software; it can only connect to a single VPC.
6.4 Using AWS PrivateLink to connect to AWS services
In addition to the above, AWS PrivateLink lets instances in a VPC connect to other AWS services. PrivateLink exposes an application or service in one VPC as an endpoint so that the peer VPC can connect to it.
The service provider (which can also be an on-premises service) creates an endpoint service in its own region and also creates a load balancer to receive and route requests.
The service consumer creates a VPC endpoint in its own region and can then connect to the service, that is, to the endpoint service. By default an endpoint service cannot be accessed by external users; the corresponding permission must be granted.
There are three types of VPC endpoint:
- Interface: an interface endpoint distributes traffic through an NLB, the destination address is resolved via DNS, only TCP traffic is supported, and AWS Direct Connect private connections are supported, so on-premises services can also reach services inside an AWS VPC. This endpoint type is charged for.
- Gateway Load Balancer: service consumers route traffic to it, and the Gateway Load Balancer distributes the traffic to virtual network appliances that use private IPs; it scales on demand.
- Gateway: a special type that does not use AWS PrivateLink and can only be used to connect to S3 and DynamoDB; this endpoint type is free.
S3 supports both gateway endpoints and interface endpoints, with the following differences:
- The gateway type uses S3's public IPs while the interface type uses private addresses, but in both cases the traffic stays inside AWS.
- The gateway type does not allow traffic from on-premises networks.
- The gateway type cannot connect across regions; the interface type can be reached through VPC peering or AWS Transit Gateway.
- The gateway type is free; the interface type is charged to the account that creates it.
Most AWS services can be accessed through AWS PrivateLink; the full list is at https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
Reference documents:
- https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html
- https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html#add-cidr-block-restrictions
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
- https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
- https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html
- https://aws.amazon.com/privatelink/features/
- https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
- https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html