AWS User Guide Notes

Brief notes made while learning basic AWS operations, for reference only.

EC2

Amazon EC2: Amazon Elastic Compute Cloud
AWS : Amazon Web Services

By using Amazon EC2, you can start any number of virtual servers, configure security and network, and manage storage according to your own needs.
Amazon EC2 provides:

  • Virtual computing environments, also known as instances
  • The pre-configured template of the instance — Amazon Machine Image (AMI), which contains the packages required by the server (including the operating system and other software)
  • Multiple configurations of instance CPU, memory, storage, and network capacity, also known as instance types
  • Secure login information for instances using key pairs (AWS stores the public key; you store the private key yourself)
  • Storage volume for temporary data (the data will be deleted when the instance is stopped or terminated), also known as instance storage volume
  • A persistent storage volume for data using Amazon Elastic Block Store (Amazon EBS), also known as an Amazon EBS volume.
  • Multiple physical locations for storing resources, such as instances and Amazon EBS volumes, also known as regions and availability zones
  • Firewall
  • A static IPv4 address used for dynamic cloud computing, called an elastic IP address
  • Metadata, also known as tags, can be created and assigned to your Amazon EC2 resources
  • Virtual networks that you can create, which are logically isolated from the rest of the AWS cloud and which you can optionally connect to your own network, known as Virtual Private Clouds (VPCs); a VPC can be thought of simply as a private cluster

1. EC2 setup

  • Register with AWS.
  • Create a key pair: you must save the private key when you create it.
  • Create a security group: you need the public IPv4 address of your local computer; you can also use CIDR notation to specify the computer's public IPv4 address or network.

2. Getting started

Launch the instance: when launching an instance, the default VPC is used. If you need to change this, modify the VPC in the "Configure instance details" step.

Connect to the Linux instance :

  1. A private key file is required; PuTTY or an SSH client can be used (if it is a .pem file, it must be converted into a .ppk file with PuTTYgen).
  2. Create an Elastic IP and associate it with the instance.
  3. Connect through PuTTY; the connection string is username@public-DNS-name or username@public-IPv4-address.
    Note: For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.
    For the CentOS AMI, the user name is centos. I use Red Hat, and the user name is ec2-user.
    To connect to an instance through PuTTY, its security group must have an inbound rule that allows SSH access (applicable to Linux instances). If you only want to reach the machine through a jump host (bastion), set the source of the SSH inbound rule to the security group ID of the jump host instance.
    Security group rule reference

For the source: you can use a specific IP address or IP address range from your local network (in CIDR block notation), or the security group ID of an instance.
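
The point above (SSH restricted to a CIDR or to the bastion's security group rather than the whole Internet) is something worth checking regularly. The following is an added example, not from the original notes: it audits inbound rules in the shape of `describe-security-groups` output and reports each group's broadest SSH source class. All group IDs and CIDRs are constructed sample values.

```python
# Added example (not from the original notes): audit security-group inbound
# rules for SSH exposure, using the shape of `describe-security-groups` output.
# The groups, IDs and CIDRs below are constructed sample data.
import ipaddress

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [  # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # SSH only from the bastion's group
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # all TCP from an office CIDR
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [  # HTTPS only: SSH is closed
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

def rule_covers_port(perm, port):
    """True if the permission applies to TCP `port` ("-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def source_kind(perm):
    """Classify the rule's source: world (/0), cidr, security-group or none."""
    if any(ipaddress.ip_network(r["CidrIp"]).prefixlen == 0
           for r in perm.get("IpRanges", [])):
        return "world"
    if perm.get("IpRanges"):
        return "cidr"
    if perm.get("UserIdGroupPairs"):
        return "security-group"
    return "none"

RANK = ["world", "cidr", "security-group"]  # broadest source class first

def audit_ssh(groups, port=22):
    """Map each group ID to its broadest SSH source class, or 'closed'."""
    report = {}
    for g in groups:
        kinds = {source_kind(p) for p in g["IpPermissions"] if rule_covers_port(p, port)}
        report[g["GroupId"]] = next((k for k in RANK if k in kinds), "closed")
    return report
```

Any group reported as "world" is the case the notes warn against; "security-group" is the jump-host pattern described above.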

Network interface: a virtual network interface containing IP addresses, etc., which can be associated with or separated from the instance

VPC

What is Amazon VPC?

Amazon Virtual Private Cloud (Amazon VPC) lets you launch AWS resources within a virtual network that you define. It is equivalent to a relatively isolated cluster environment that you define yourself.

  • Virtual Private Cloud (VPC) — A virtual network dedicated to your AWS account.
  • Subnet — A range of IP addresses within the VPC.
  • Routing table — A set of rules called "routes" that are used to determine where to send network traffic.
  • Internet Gateway — The gateway connected to the VPC, used to enable communication between the resources in the VPC and the Internet.
  • VPC Endpoint — Ability to connect VPC privately to supported AWS services and VPC Endpoint services (powered by PrivateLink) without the use of Internet gateways, NAT devices, VPN connections, or AWS Direct Connect connections. Instances in the VPC can communicate with resources in the service without a public IP address. Communication between the VPC and other services will not leave the Amazon network.

VPC and subnet

A Virtual Private Cloud (VPC) is logically isolated from other virtual networks in the AWS cloud. AWS resources, such as Amazon EC2 instances, can be launched in the VPC. A subnet is a range of IP addresses in the VPC. You can launch AWS resources within a specified subnet. Use public subnets for resources that must be connected to the Internet, and private subnets for resources that will not be connected to the Internet.

To protect AWS resources in each subnet, multiple security layers can be used, including security groups and access control lists (ACLs).

When creating a VPC, you must specify the IPv4 address range for the VPC in the form of a CIDR block; for example, 10.0.0.0/16. A VPC has multiple Availability Zones. After the VPC is created, one or more subnets can be added to each Availability Zone. When creating a subnet, you need to specify the CIDR block of the subnet, which is a subset of the VPC CIDR block. The first four IP addresses and the last IP address in the CIDR block of each subnet cannot be used and cannot be assigned to an instance (reserved address).

The difference between a public subnet and a private subnet: whether the subnet's traffic has a route to an Internet gateway.

Rules for adding a CIDR block to a VPC:

  • The allowed block size is between a /28 netmask and a /16 netmask.
  • The CIDR block must not overlap with any existing CIDR block associated with the VPC.
  • The range of IPv4 addresses that can be used is limited.
  • You cannot increase or decrease the size of an existing CIDR block.
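
The size, containment and overlap rules above, together with the five reserved addresses per subnet mentioned earlier, are easy to check before creating a subnet. The following is an added example, not from the original notes, using Python's standard `ipaddress` module; the VPC and subnet ranges are constructed sample values.

```python
# Added example (not from the original notes): validate a proposed subnet CIDR
# against the VPC rules (/16../28 size, inside the VPC block, no overlap) and
# list the five addresses AWS reserves in every subnet. Sample values are constructed.
import ipaddress

SAMPLE_VPC = "10.0.0.0/16"                        # constructed VPC block
SAMPLE_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]   # constructed, already in the VPC

def check_subnet(vpc_cidr, existing_subnets, proposed):
    """Return (ok, reason) for adding `proposed` as a subnet of `vpc_cidr`."""
    vpc = ipaddress.ip_network(vpc_cidr)
    new = ipaddress.ip_network(proposed, strict=True)  # rejects host bits set
    if not 16 <= new.prefixlen <= 28:
        return False, f"prefix /{new.prefixlen} is outside the allowed /16../28"
    if not new.subnet_of(vpc):
        return False, f"{new} is not inside VPC block {vpc}"
    for existing in map(ipaddress.ip_network, existing_subnets):
        if new.overlaps(existing):
            return False, f"{new} overlaps existing subnet {existing}"
    return True, "ok"

def reserved_addresses(subnet_cidr):
    """The first four addresses and the last address of a subnet cannot be assigned."""
    net = ipaddress.ip_network(subnet_cidr)
    first_four = [str(net.network_address + i) for i in range(4)]
    return first_four + [str(net.broadcast_address)]

def usable_hosts(subnet_cidr):
    """Addresses left for instances after the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5

if __name__ == "__main__":
    for candidate in ["10.0.2.0/24", "10.0.1.128/25", "10.1.0.0/24", "10.0.3.0/29"]:
        print(candidate, check_subnet(SAMPLE_VPC, SAMPLE_SUBNETS, candidate))
    print(reserved_addresses("10.0.2.0/24"), usable_hosts("10.0.2.0/24"))
```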

Subnet routing

Each subnet must be associated with a routing table, which can specify available routes that allow outbound traffic to leave the subnet. Each subnet created is automatically associated with the main route table of the VPC.

Subnet security

AWS provides two functions that can be used to improve security in a VPC: security groups and network ACLs (network access control lists) . The security group can control the inbound and outbound data flow of the instance, and the network ACL can control the inbound and outbound data flow of the subnet. In most cases, security groups are sufficient; however, if you need to add an extra layer of security protection to the VPC, you can also use network ACLs.
Each subnet created is automatically associated with the default network ACL of the VPC.

Routing table

The routing table contains a set of rules called "routes" that are used to determine where to send network traffic from the VPC. You can explicitly associate a subnet with a specific routing table. Otherwise, the subnet will be implicitly associated with the main routing table.

Basic concepts

  • Main routing table — The routing table automatically created with the VPC. It controls the routing of all subnets that are not explicitly associated with any other routing table.
  • Custom routing table — A routing table that we create for the VPC.
  • Edge association — A routing table used to route inbound VPC traffic to an appliance. You associate the routing table with the Internet gateway or virtual private gateway, and specify the appliance's network interface as the target for the VPC traffic.
  • Routing table association — The association between a routing table and a subnet, Internet gateway, or virtual private gateway.
  • Gateway routing table — A routing table associated with an Internet gateway or virtual private gateway.
  • Local gateway routing table — A routing table associated with an Outposts local gateway.
  • Destination — The IP address range (destination CIDR) to which you want the traffic to go.
  • Propagation — Route propagation allows a virtual private gateway to automatically propagate routes to the routing table. This means there is no need to enter VPN routes into the routing table manually.
  • Target — The gateway, network interface, or connection through which to send the destination traffic, such as an Internet gateway.
  • Local route — The default route for communication within the VPC.

You can use routing tables to control the flow of network traffic. Each subnet in the VPC must be associated with a routing table, which controls the routing of that subnet (the subnet routing table).
A subnet can only be associated with one routing table at a time, but multiple subnets can be associated with the same routing table.

Routes

Each route specifies a destination and a target. In the example route (figure not reproduced), the destination is 0.0.0.0/0, which means all IPv4 addresses, and the target is the VPC's Internet gateway.

Explanation of the second example (figure not reproduced): traffic destined for the subnet with the 172.31.0.0/20 CIDR block is routed to a specific network interface; traffic to all other subnets in the VPC uses the local route.
A gateway routing table only supports routes whose target is local (the default local route) or a network interface.

If you don’t know how to set the gateway, you can refer to this example routing option

NAT gateway

Use a NAT device to allow instances in a private subnet to connect to the Internet (for example, for software updates) or to other AWS services, while preventing the Internet from initiating connections to those instances. The NAT device acts as a relay, bridging the instances and the Internet.

General process:

Create VPC -> Create subnet -> Create gateway -> Create custom routing table -> Associate the routing table with the subnet (this controls how the subnet's traffic is routed).
If an instance should not be directly reachable from the external network but still needs to download updates, add a route to a NAT gateway (note that when creating a NAT gateway you must select a public subnet, that is, a subnet that can communicate with the Internet).
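
The procedure above hinges on two facts from these notes: a subnet is public only if its routing table has a route to an Internet gateway, and a subnet with no explicit association falls back to the main routing table. The following is an added example, not from the original notes, that applies both to route-table data in the shape of `describe-route-tables` output and also confirms that a NAT gateway sits in a public subnet. All IDs and CIDRs are constructed sample values.

```python
# Added example (not from the original notes): classify subnets as public,
# NAT-backed or isolated from route-table data shaped like `describe-route-tables`
# output. Subnets without an explicit association use the main table.
# All IDs and CIDRs are constructed sample values.

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0sample",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0sample",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0sample"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0sample",
     "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0sample"}]},
]
SAMPLE_SUBNET_IDS = ["subnet-pub", "subnet-app", "subnet-db"]  # subnet-db has no explicit table
SAMPLE_NAT_GATEWAY_SUBNET = "subnet-pub"  # constructed: the subnet nat-0sample was created in

def route_table_for(subnet_id, tables):
    """Explicitly associated routing table, else the VPC's main routing table."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))

def classify_subnet(subnet_id, tables):
    """'public' if the default route targets an Internet gateway, 'nat' if it
    targets a NAT gateway, otherwise 'isolated' (local routes only)."""
    for route in route_table_for(subnet_id, tables)["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "nat"
    return "isolated"

def classify_all(subnet_ids, tables):
    return {s: classify_subnet(s, tables) for s in subnet_ids}

def nat_placement_ok(nat_subnet_id, tables):
    """A NAT gateway only works when placed in a public subnet (route to an IGW)."""
    return classify_subnet(nat_subnet_id, tables) == "public"
```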

Best practices for VPC with NAT

(Figure: VPC with NAT gateway best-practice diagram; not reproduced here.)

Load balancer

AWS has its own load balancer offering and supports three types: Application Load Balancer, Network Load Balancer and Classic Load Balancer.
The application diagram of the load balancer (figure not reproduced) shows how it works: the load balancer routes requests to its registered targets (a target can be an EC2 instance) according to the rules defined on the listener.

Reference:
VPC Guide
EC2 Guide

Source: blog.csdn.net/qq_35448165/article/details/108404589