AWS-VPC深入探讨

AWSVPC深入探讨主要议题•VPC设计原理––L2L3•VPC新/高级特性–––VPCS3EndpointVPCFlowLogsVPCPeering和其他连接方式•VPC实践问题––EnhancedNetworkingLinuxSystemTuningVPC设计原理AWS云服务EBSRDSElastiCacheAmazonRedshiftEC2ElasticLoadBalancing客户自有数据中心白板工程化EBSRDSElastiCacheAmazonRedshiftEC2ElasticLoadBalancingEC2曾经是这样10.44.12.510.44.92.1710.44.12.410.44.12.2710.108.6.4为什么不工作192.168.0.0/16路由表•192.168.0.0/16:•10.44.12.4/32:•10.44.92.17/32:•10.108.6.4/32:本地AWSAWSAWS10.44.0.0/1610.44.12.410.44.12.510.44.92.1710.44.12.2710.108.6.4需求•••客户指定的IP地址（段）外部连接的路由聚合与现有网络设计的一致性虚拟私有云192.168.0.0/16路由表•192.168.0.0/16:•172.31.0.0/18:本地AWS172.31.1.0/24172.31.0.0/18172.31.2.0/24172.31.1.7172.31.1.8172.31.1.9172.31.2.12172.31.2.51这就是virtualnetworking!•••子网~=VLANVPC~=VRF(虚拟路由转发)但是…扩展的挑战•VLANID数量上的限制–12位=4096个VLANs•VRF支持上的限制–大型路由器=1K-2K个VRF表•VLAN:VRF间的固定比率路由器和容量纬度BigRouterControlPlaneDataPlaneBigRouterControlPlaneDataPlane一个例子••••••路由配置平均每行:每个VPC的配置数:每个VPC的子网数:每个子网的配置数:总VPC数:配置大小:50个字符10行4个5行2,0003MB但是…•无法扩展––12位VLANID=4096VLANs(远远不够)大型路由器最多支持到4000VRFs($200k+)•••大量的VLAN导致网络工程师崩溃受到供应商Bug修复速度约束(6个月+)需要日用品型的,可替换型的网络设备––少数几家公司生产大型虚拟路由器高级特性等卖点并不包含好的互操作性容量库ACGCEG01324/40132/4CAGACGAAG109037BDFBDFDDFDDFDFF18/4015/4040029FBBBBFBBBBFBBBBBBBBBBBBBB实现需求••缩放至百万个Amazon.com规模的环境一个region中任何位置的任何服务器都能够创建位于任意VPC的任意子网的实例……概念Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.410.0.0.5Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.0.3VPC:：ID:：实例映射VPC客户创建的服务.马逊EC2实例位于式查找亚分布所创建符，的标识类似于VPC+实Cloud映射Private例IP映射服务物理服务器:VPC亚马逊数据中心的物理主机Virtualvpc-1a2B3c4d到物理服务器L2-Ethernet10.0.0.210.0.0.310.0.0.3?EthernetSwitch收到ARP响应交换Src:MAC(10.0.0.2)对所有端口广播ARP请具体地址为求L2Dst:ff:ff:ff:ff:ff:ffMAC(10.0.0.3)的端口L3Src:L3WhohasisatL2机会MAC(10.0.0.3)并了解MAC(10.0.0.2)MAC(10.0.0.3)10.0.0.2.ARPDst:10.0.0.310.0.0.3MAC(10.0.0.3)ICMP/TCP/UDP/……L2-VPC10.0.0.5Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.0.3映射服务L2Src:192.168.0.3MappingServiceMAC(10.0.0.2)L2Dst:MappingService192.168.0.3ff:ff:ff:ff:ff:ffARPWhohasReply:Host:192.168.1.4Blue10.0.0.3?Src:MAC(10.0.0.3)Dst:MAC(10.0.0.2)Query:10.0.0.3isatMAC(10.0.0.3)MAC:MAC(10.0.0.3)Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.4……Src:192.168.1.4Dst:MappingService192.168.0.3Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.0.3Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.410.0.0.5Src:MappingServiceDst:192.168.1.4L3Dst:Mappingvalid:映射服务Src:192.168.0.3Dst:192.168.1.4VPC:BlueL2MAC(10.0.0.2)L2MAC(10.0.0.3)L3Src:10.0.0.2Validate:10.0.0.3Blue10.0.0.2isatICMP/TCP/UDP/…L2-VPC…VPC隔离10.0.0.5Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.0.3映射服务Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.4GreyL2Src:192.168.0.4L2Dst:MappingServiceARPSrc:MAC(10.0.0.4)Dst:ff:ff:ff:ff:ff:ffQuery:Whohas10.0.0.3?10.0.0.3…VPC隔离10.0.0.5Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.0.3映射服务Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.4ARPL2Src:Src:isnotDst:Dst:anyL2MappinginstancesServiceMappingBlueDenied192.168.0.4MAC(10.0.0.4)hostingff:ff:ff:ff:ff:ffinVPCBlue.Query:Whohas10.0.0.3?10.0.0.3AlarmRaised……theinstance.VPC隔离Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.0.3Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.410.0.0.5L3Src:Mappinginvalid!Src:MappingdoesnotL2Src:thepackettoDst:MappingService192.168.1.4映射服务Src:192.168.0.4Dst:192.168.1.4VPC:Blue192.168.1.4ServicedeliverMAC(10.0.0.4)L2Dst:MAC(10.0.0.3)Validate:10.0.0.4Alarm10.0.0.4isat192.168.0.4ICMP/TCP/UDP/…L3Dst:Raised.Blue10.0.0.3L3–IP路由10.0.0.210.0.1.310.0.0.1?EthernetSwitchff:ff:ff:ff:ff:ffMAC(10.0.0.2)L3hasisWho10.0.1.3L2Src:MAC(10.0.0.2)L2Dst:MAC(10.0.0.1)L3Src:10.0.0.2ARPDst:10.0.0.1atMAC(10.0.0.1)ICMP/TCP/UDP/…RouterEthernetSwitchL2Src:MAC(10.0.1.1)L2Dst:MAC(10.0.1.3)L3Src:10.0.0.2L3Dst:10.0.1.3ICMP/TCP/UDP/……L3-VPC10.0.0.5Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.1.3映射服务L2Src:192.168.0.3MappingServiceL2Dst:MappingServiceff:ff:ff:ff:ff:ff192.168.0.3Reply:ARPWhohas10.0.0.1?Host:GatewayBlueSrc:MAC(10.0.0.2)Dst:MAC(10.0.0.2)Query:10.0.0.1isatMAC(10.0.0.1)MAC:MAC(10.0.0.1)Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.4…L3-VPCServer192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.1.3Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.410.0.0.5映射服务Src:192.168.0.3Dst:192.168.1.4VPC:BlueSrc:MAC(10.0.0.2)Dst:MAC(10.0.0.1)L3Src:10.0.0.2Validate:10.0.1.3Host:192.168.1.4ICMP/TCP/UDP/…10.0.0.2Blue10.0.1.3isat192.168.0.3MAC:MAC(10.0.1.3)Src:192.168.0.3192.168.1.4L2L2Src:MappingServiceMappingServiceL2MAC(10.0.1.3)L2Dst:MappingService192.168.1.4192.168.0.3L3Dst:valid:Query:L3Dst:MappingReply:……缓存Server192.168.0.310.0.0.210.0.0.2Server192.168.0.410.0.0.410.0.0.5Server192.168.1.310.0.0.310.0.0.4Server192.168.1.410.0.0.3映射服务L2Src:MAC(10.0.1.1)L2Dst:MAC(10.0.1.3)L3Src:10.0.0.2L3Dst:10.0.1.3ICMP/TCP/UDP/…10.0.0.0/1810.0.0.710.0.0.810.0.0.910.0.0.0/2410.0.1.1210.0.1.5110.0.1.0/24与AWS之外互联172.16.0.0/16Src:192.168.0.3Dst:???VPC:BlueL3Src:10.0.0.7L3Dst:172.16.14.17ICMP/TCP/UDP/……Edge192.168.4.3Edge192.168.4.4边界（Edges）Server192.168.0.310.0.0.210.0.0.2Server192.16