亚马逊AWS VPC深入探讨_Shun Wang

weidil123
1 ℃
2020-03-13

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

AWSVPC深入探讨AWSVPC深入探讨ShunWang,CSE–AWSSupportDec2015ShunWang,CSE–AWSSupportDec2015主要议题•VPC设计原理–L2–L3•VPC新/高级特性–VPCS3Endpoint–VPCFlowLogs–VPCPeering和其他连接方式•VPC实践问题–EnhancedNetworking–LinuxSystemTuningVPC设计原理VPC设计原理AWS云服务EBSRDSElastiCacheAmazonRedshiftEC2ElasticLoadBalancing客户自有数据中心白板工程化EBSRDSElastiCacheAmazonRedshiftEC2ElasticLoadBalancingEC2曾经是这样10.44.12.410.44.12.510.44.92.1710.44.12.2710.108.6.4为什么不工作192.168.0.0/16路由表•192.168.0.0/16:本地•10.44.12.4/32:AWS•10.44.92.17/32:AWS•10.108.6.4/32:AWS10.44.0.0/1610.44.12.410.44.12.510.44.92.1710.44.12.2710.108.6.4需求•客户指定的IP地址（段）•外部连接的路由聚合•与现有网络设计的一致性虚拟私有云172.31.0.0/18192.168.0.0/16路由表•192.168.0.0/16:本地•172.31.0.0/18:AWS172.31.1.0/24172.31.2.0/24172.31.1.7172.31.1.8172.31.1.9172.31.2.12172.31.2.51这就是virtualnetworking!•子网~=VLAN•VPC~=VRF(虚拟路由转发)•但是…扩展的挑战•VLANID数量上的限制–12位=4096个VLANs•VRF支持上的限制–大型路由器=1K-2K个VRF表•VLAN:VRF间的固定比率路由器和容量纬度BigRouterDataPlaneControlPlaneBigRouterDataPlaneControlPlane一个例子•路由配置平均每行:50个字符•每个VPC的配置数:10行•每个VPC的子网数:4个•每个子网的配置数:5行•总VPC数:2,000•配置大小:3MB但是…•无法扩展–12位VLANID=4096VLANs(远远不够)–大型路由器最多支持到4000VRFs($200k+)•大量的VLAN导致网络工程师崩溃•受到供应商bug修复速度约束(6个月+)•需要日用品型的,可替换型的网络设备–少数几家公司生产大型虚拟路由器–高级特性等卖点并不包含好的互操作性容量库ACBFEDGAAAABCBBBBCDFFFDDBGG/4/4/40/4000001324132CGG327DDD9910FFFFF181540BBBBBBBBBBBBBBBBB实现需求•缩放至百万个Amazon.com规模的环境•一个region中任何位置的任何服务器都能够创建位于任意VPC的任意子网的实例概念Server192.168.0.3Server192.168.0.4…Server192.168.1.3Server192.168.1.4…10.0.0.210.0.0.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务物理服务器:位于亚马逊数据中心的物理主机实例：客户所创建的亚马逊EC2实例VPC:客户创建的VirtualPrivateCloudVPCID:VPC的标识符，类似于vpc-1a2b3c4d映射服务：分布式查找服务.映射VPC+实例IP到物理服务器L2-Ethernet10.0.0.210.0.0.3L2Src:MAC(10.0.0.2)L2Dst:ff:ff:ff:ff:ff:ffARPWhohas10.0.0.3?交换机会对所有端口广播ARP请求EthernetSwitchL2Src:MAC(10.0.0.3)L2Dst:MAC(10.0.0.2)ARP10.0.0.3isatMAC(10.0.0.3)交换机收到ARP响应并了解具体地址为MAC(10.0.0.3)的端口.L2Src:MAC(10.0.0.2)L2Dst:MAC(10.0.0.3)L3Src:10.0.0.2L3Dst:10.0.0.3ICMP/TCP/UDP/…L2-VPCServer192.168.0.3Server192.168.0.4…Server192.168.1.3Server192.168.1.410.0.0.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务L2Src:MAC(10.0.0.2)L2Dst:ff:ff:ff:ff:ff:ffARPWhohas10.0.0.3?L2Src:MAC(10.0.0.3)L2Dst:MAC(10.0.0.2)ARP10.0.0.3isatMAC(10.0.0.3)Src:192.168.0.3Dst:MappingServiceQuery:Blue10.0.0.3Src:MappingServiceDst:192.168.0.3Reply:Host:192.168.1.4MAC:MAC(10.0.0.3)10.0.0.2Server192.168.0.3Server192.168.0.4Server192.168.1.3Server192.168.1.410.0.0.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务10.0.0.2…L2Src:MAC(10.0.0.2)L2Dst:MAC(10.0.0.3)L3Src:10.0.0.2L3Dst:10.0.0.3ICMP/TCP/UDP/…VPC:BlueSrc:192.168.0.3Dst:192.168.1.4Src:192.168.1.4Dst:MappingServiceValidate:Blue10.0.0.2isat192.168.0.3Src:MappingServiceDst:192.168.1.4Mappingvalid:Blue10.0.0.2isat192.168.0.3L2-VPC…VPC隔离Server192.168.0.3Server192.168.0.4…Server192.168.1.3Server192.168.1.410.0.0.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务10.0.0.2Src:192.168.0.4Dst:MappingServiceQuery:Grey10.0.0.3L2Src:MAC(10.0.0.4)L2Dst:ff:ff:ff:ff:ff:ffARPWhohas10.0.0.3?VPC隔离Server192.168.0.3Server192.168.0.4…Server192.168.1.3Server192.168.1.410.0.0.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务10.0.0.2Src:192.168.0.4Dst:MappingServiceQuery:Blue10.0.0.3L2Src:MAC(10.0.0.4)L2Dst:ff:ff:ff:ff:ff:ffARPWhohas10.0.0.3?192.168.0.4isnothostinganyinstancesinVPCBlue.MappingDeniedAlarmRaisedVPC隔离Server192.168.0.3Server192.168.0.4…Server192.168.1.3Server192.168.1.410.0.0.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务10.0.0.2…L2Src:MAC(10.0.0.4)L2Dst:MAC(10.0.0.3)L3Src:10.0.0.4L3Dst:10.0.0.3ICMP/TCP/UDP/…VPC:BlueSrc:192.168.0.4Dst:192.168.1.4Src:192.168.1.4Dst:MappingServiceValidate:Blue10.0.0.4isat192.168.0.4Src:MappingServiceDst:192.168.1.4Mappinginvalid!192.168.1.4doesnotdeliverthepackettotheinstance.AlarmRaised.L3–IP路由10.0.0.210.0.1.3L2Src:MAC(10.0.0.2)L2Dst:ff:ff:ff:ff:ff:ffARPWhohas10.0.0.1?EthernetSwitchL2Src:MAC(10.0.0.1)L2Dst:MAC(10.0.0.2)ARP10.0.0.1isatMAC(10.0.0.1)L2Src:MAC(10.0.0.2)L2Dst:MAC(10.0.0.1)L3Src:10.0.0.2L3Dst:10.0.1.3ICMP/TCP/UDP/…RouterEthernetSwitchL2Src:MAC(10.0.1.1)L2Dst:MAC(10.0.1.3)L3Src:10.0.0.2L3Dst:10.0.1.3ICMP/TCP/UDP/…L3-VPCServer192.168.0.3Server192.168.0.4…Server192.168.1.3Server192.168.1.410.0.1.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务L2Src:MAC(10.0.0.2)L2Dst:ff:ff:ff:ff:ff:ffARPWhohas10.0.0.1?L2Src:MAC(10.0.0.1)L2Dst:MAC(10.0.0.2)ARP10.0.0.1isatMAC(10.0.0.1)Src:192.168.0.3Dst:MappingServiceQuery:Blue10.0.0.1Src:MappingServiceDst:192.168.0.3Reply:Host:GatewayMAC:MAC(10.0.0.1)10.0.0.2L3-VPCServer192.168.0.3Server192.168.0.4…Server192.168.1.3Server192.168.1.410.0.1.310.0.0.410.0.0.410.0.0.210.0.0.510.0.0.3映射服务Src:192.168.0.3Dst:MappingServiceQuery:Blue10.0.1.3Src:MappingServiceDst:192.168.0.3Reply:Host:192.168.1.4MAC:MAC(10.0.1.3)10.0.0.2L2Src:MAC(10.0.0.2)L2Dst:MAC(10.0.0.1)L3Src:10.0.0.2L3Dst:10.0.1.3ICMP/TCP/UDP/…VPC:BlueSrc:192.168.0.3Dst:192.168.1.4Src:192.168.1.4Dst:MappingServiceValidate:Blue10.0.0.2isat192.168.0.3Src:MappingServiceDst:192.168.1.4Mappingvalid:Blue10.0.0.2isat192.168.0.3L2Src:MAC(10.0.1.1)L2Dst:MAC(10.0.1.3)L3Src:10.0.0.2L3Dst:10.0.1.3ICMP/TCP/UDP/…缓存Server192.168.0.3Server192.