DMS - Database Migration Services
Class note - 3/27/2021
Today's topic: vpc peering, endpoint, migration
Region: NV
VPC - VPC gives you isolation
Subnet
By default, instances within a VPC can connect with each other.
By default, traffic between instances in two different VPCs is denied.
Connections can be between VPCs in:
- the same region or different regions
- different accounts
Let's say we have two accounts:
- in one account, John creates a front-end server
- in another account, Bill creates a backend
How do we connect them?
- we make the IPs of both systems public
- they go over the internet and make a connection
- the entire traffic goes through the internet, which is neither secure nor reliable.
For a secure connection:
- we give the database server only a private IP.
How do we secure the connection?
- AWS has a product called global infrastructure
- it is their own private network.
- we use their private global network to connect the two different VPCs.
- this service is private, secure and fast.
Connecting two VPCs this way is called VPC peering.
- know how to set up VPC peering
VPC endpoint
LAB
Plan:
- Create two VPCs, A and B
- Plan the network:
  VPC-A: 10.0.0.0/16
  VPC-B: 11.0.0.0/16
- Create an elastic IP and assign it.
- Create two subnets on VPC-A:
  - Public subnet: 10.0.0.0/16
  - Private subnet: 10.0.1.0/24
- Create two instances
Create VPC in Mumbai
Go to VPC:
- launch VPC wizard
- VPC with public and private subnet
- VPC name: vpc-mum
- VPC: 10.0.0.0/24
- Private subnet: 10.0.0.0/24
- Subnet: 10.0.0.0/24
- Attach elastic IP
Create VPC2 - in NV
- go to VPC
- launch wizard
- VPC with public and private subnet
- since our plan is to peer the VPCs, overlapping IP ranges would conflict, so plan the CIDRs accordingly:
  IPv4 CIDR: 11.0.0.0/16
  Public subnet: 11.0.0.0/24
- Note which AZ you are creating your subnet in: some AZs do not support free tier or some instance types.
- attach elastic IP
Now, go to EC2:
- launch one instance
- Amazon Linux, defaults
Now we have two subnets, public and private, on each VPC.
Now, go to the Mumbai VPC:
- launch an instance
- Amazon Linux
- select the private subnet that you created
- everything else default; tag: mumbai-VPC-private
The same way, create an instance on the public subnet.
- make sure to tag it
Create two instances the same way in N. Virginia as well.
Now we have to perform VPC peering.
First, log in to these systems.
Go to the Mumbai private instance and log in:
# ifconfig
We have two private instances:
Mumbai instance: 10.0.2.194
NV instance: 11.0.1.58
Right now there is no connectivity between these instances
- since these systems do not have a public IP.
Now, in mumbai-VPC
we have an instance with a public IP (bastion host):
- upload your key there
- make sure to transfer the .pem key in a format PuTTY supports
Now, from this public instance,
let's log in to the private system.
# ifconfig
# ping 10.0.2.194 (can ping, same VPC)
# ping 11.0.1.58 (fails)
Now, log in to NoVA-VPC:
- go to Peering Connections
- click on Create peering connection
- Name: NOVA-Peer
- VPC (requester): NOVA
- select another VPC to peer with
  account:
  - my account - select
  - another account
  account ID:
  region:
  - this region
  - another region - select -> Mumbai
  VPC ID (Accepter): <specify VPC ID> -> go to the Mumbai VPC and copy the VPC ID
The request has been sent and is now in pending state.
Now, go to the Mumbai VPC
-> Peering Connections
You will see status "pending acceptance".
You can review requester and accepter.
Since we sent the request ourselves, both are the same account.
To accept:
- click on Actions ->
  Accept request.
You will see an alert: you can send and receive connections,
but you have to add a route.
Now, VPC peering is done.
Go back to your NOVA instance.
Can you ping the Mumbai instance?
- NO
You have to update the routing table on both sides.
$
log in to private instance. use
Go to NOVA VPC
- go to the VPC's route table
- click on Routes
- Add/Edit routes
- add route: destination 11.0.0.0/24, target: the peering connection
- and save
So, to reach the private network on the other side, we added a new route.
Now, go back to Mumbai
- go to VPC
- click on Routes
- it has the 11 network - local
- add route 10.0.0.0/24 with target: the peering connection
Now the two different VPCs and their resources are able to communicate.
Log in to 11.0.1.58
now go ahead and ping:
$ ping 10.0.2.194 (can ping)
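The two planning points from the lab above (non-overlapping CIDRs, and a route on both sides pointing at the peering connection) can be checked offline before touching the console. The following script is an added example, not part of the class note; it uses the plan's CIDRs (10.0.0.0/16 and 11.0.0.0/16) and the two private instance addresses from the note, and the peering connection id is a placeholder. Its route lookup also shows what a too-narrow route does: a 10.0.0.0/24 entry on the NoVA side does not contain 10.0.2.194, so the ping would still fail until the route covers the peer VPC's CIDR.

```python
import ipaddress
from typing import Dict, List

# Constructed from the note's plan. The peering connection id is a placeholder;
# a real one looks like pcx-0123456789abcdef0 and comes from the console.
VPC_MUMBAI = "10.0.0.0/16"
VPC_NOVA = "11.0.0.0/16"
PEERING_ID = "pcx-PLACEHOLDER"


def check_no_overlap(cidr_a: str, cidr_b: str) -> bool:
    """AWS refuses to peer VPCs whose CIDRs overlap, and overlapping ranges
    would make the routes ambiguous anyway, so check before requesting."""
    a = ipaddress.ip_network(cidr_a)
    b = ipaddress.ip_network(cidr_b)
    return not a.overlaps(b)


def check_subnets(vpc_cidr: str, subnets: List[str]) -> List[str]:
    """Return a list of problems: a subnet outside the VPC CIDR, or two
    subnets that overlap each other (an empty list means the plan is fine)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s) for s in subnets]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside VPC {vpc}")
    for i, n in enumerate(nets):
        for m in nets[i + 1:]:
            if n.overlaps(m):
                problems.append(f"{n} overlaps {m}")
    return problems


def peering_routes(local_vpc: str, remote_vpc: str, pcx_id: str) -> Dict[str, str]:
    """The route table entry each side needs after the peering is accepted:
    the local VPC CIDR stays 'local' and the peer's CIDR points at the
    peering connection. Accepting the request does not add this for you."""
    return {local_vpc: "local", remote_vpc: pcx_id}


def route_for(dest_ip: str, table: Dict[str, str]) -> str:
    """Pick the target the VPC router would use: longest prefix match, and
    an implicit drop when nothing matches (what the failed ping looks like)."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "no route (dropped)"


if __name__ == "__main__":
    print("overlap-free:", check_no_overlap(VPC_MUMBAI, VPC_NOVA))
    print("subnet problems:", check_subnets(VPC_MUMBAI, ["10.0.0.0/24", "10.0.1.0/24"]))
    nova_table = peering_routes(VPC_NOVA, VPC_MUMBAI, PEERING_ID)
    print("NoVA -> 10.0.2.194 via", route_for("10.0.2.194", nova_table))
    # A /24 that does not contain the peer instance leaves the ping failing.
    narrow = {VPC_NOVA: "local", "10.0.0.0/24": PEERING_ID}
    print("NoVA -> 10.0.2.194 via", route_for("10.0.2.194", narrow))
```

Run it before creating the peering request; if check_subnets reports a problem for the Mumbai wizard values (three subnets all on 10.0.0.0/24 would overlap), fix the CIDRs first, because the console will not let you peer overlapping ranges later.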
Let's try to communicate with S3:
$ aws s3 ls
fails
Within an AWS instance, you can use keys or a role.
Go to your instance:
- Actions -> modify IAM role
- create a role that allows S3 and attach it
Now, without supplying user/password, your role allows you to connect.
$ aws s3 ls
It was possible because of the NAT Gateway:
on the private instance, we have a NAT gateway and traffic goes out to the internet, which is not secure.
Go to VPC from Mumbai
- click on VPC
- route tables
- remove the NAT entry and save
Now, technically, we removed the NAT and our private instance can't connect to the internet or S3.
Let's try again:
$ aws s3 ls
It fails now.
Even though we have a NAT Gateway, we want to use a private gateway.
We have to create a VPC endpoint.
We want the above command, aws s3 ls, to run.
How to do that? Using a VPC endpoint.
VPC Endpoint
Let's say you have one VPC, one private subnet and one instance running.
- you add one NAT gateway within the VPC
- this NAT gateway allows you to go to the internet from your private instance, but traffic can't be initiated in the reverse direction.
- this instance can use S3, RDS and other services. Traffic can go out, but connections cannot come in to the instance.
Instance -> NAT Gateway -> VPC -> internet -> S3/RDS
To make this happen without the NAT, we have to establish a VPC endpoint.
Go to VPC
-> Endpoints
- click on Create endpoint
- service category: AWS services
- all the services are listed
- choose which service your internal instances need to use
- search for s3 and select type Gateway, not Interface
- now specify the VPC (Mumbai)
- now, you have multiple subnets; specify the subnet
- at Route tables, check the box for one of the route tables (the private one, since our instance is running on the private subnet). This adds a route to the S3 gateway, which is why the type is Gateway.
- policy - allow/deny -> control access with a policy. Write yaml or customize it there.
  for this lab: we give full access.
Click on Create and your endpoint is created and available.
Now, go back again and try to run the command:
$ aws s3 ls
Now you can run the command.
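The endpoint policy is where the "full access" choice above can be tightened. The script below is an added example, not part of the class note: it builds the wide-open policy the lab used next to a least-privilege one that only lets list/get/put on a single bucket cross the endpoint, and runs a simplified IAM evaluation (explicit Deny wins, then Allow, else implicit deny, with * wildcards) so you can see which aws s3 calls each policy would let through. The bucket name lab-bucket and the evaluation helper are assumptions for the example; real endpoint policies also support conditions and specific principals, which are left out here.

```python
import fnmatch
import json
from typing import List, Union

# The policy the lab ended up with ("full access"): anything through the
# endpoint is allowed. Constructed here in the form the console shows.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def s3_gateway_endpoint_policy(bucket: str) -> dict:
    """Least-privilege alternative: only list/get/put on one named bucket can
    cross the endpoint. The bucket name is an assumption for the example."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyThisBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _match(value: str, patterns: Union[str, List[str]]) -> bool:
    # IAM treats '*' and '?' as wildcards and matches action names
    # case-insensitively; resources are folded to lower case here too, which
    # is a simplification (S3 object keys are case-sensitive).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified IAM logic for an endpoint policy: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the request is implicitly
    denied. Conditions and non-'*' principals are out of scope here."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_match(action, stmt.get("Action", []))
                and _match(resource, stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def render(policy: dict) -> str:
    """JSON text as you would paste into the endpoint's policy box."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    tight = s3_gateway_endpoint_policy("lab-bucket")
    print(render(tight))
    for action, arn in [("s3:ListBucket", "arn:aws:s3:::lab-bucket"),
                        ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
                        ("s3:DeleteBucket", "arn:aws:s3:::lab-bucket")]:
        print(action, arn, "full:", evaluate(FULL_ACCESS, action, arn),
              "tight:", evaluate(tight, action, arn))
```

With the tight policy, aws s3 ls on lab-bucket still works through the endpoint while a bucket delete or a read from any other bucket is implicitly denied; the endpoint policy sits alongside the instance role and the bucket policy, and all three have to allow a request for it to succeed.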
==========================================
RDS
Using KMS, we can encrypt the database.
Go to RDS
- MySQL
- user: admin
- password
- additional information
You didn't see encryption?
Go to the template and review whether there is a way to encrypt the database.
There is an option to enable encryption.
Let's say RDS is already running and we forgot to enable encryption.
How do you encrypt your database?
- first create a snapshot
- now, encrypt the snapshot
- from the snapshot, you can launch a new database (import)
- the new database comes up encrypted.
Go to the database
- take snapshot
Go to snapshots
- encrypt
- from snapshot - restore
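The same snapshot / encrypt / restore sequence, written as RDS API calls so it can be scripted and verified rather than clicked through. This is an added example, not part of the class note: the method names and keyword arguments (create_db_snapshot, copy_db_snapshot with KmsKeyId, describe_db_snapshots, restore_db_instance_from_db_snapshot) are the real boto3 RDS client ones, but the client object is passed in and a constructed FakeRDS stands in for it so the flow runs offline. The "encrypt the snapshot" step is a copy with a KMS key, because RDS cannot encrypt a snapshot in place; the instance and key identifiers are placeholders.

```python
from typing import Optional


def encrypt_existing_rds(rds, db_id: str, kms_key_id: Optional[str], new_db_id: str) -> dict:
    """The note's three steps as RDS API calls (boto3 method names; the
    client is injected so the flow runs against the fake below):
      1. snapshot the unencrypted instance
      2. 'encrypt the snapshot': copy it with KmsKeyId (Copy Snapshot in the console)
      3. restore a new, encrypted instance from the copy
    """
    snap_id = f"{db_id}-unencrypted"
    enc_snap_id = f"{db_id}-encrypted"

    rds.create_db_snapshot(DBInstanceIdentifier=db_id, DBSnapshotIdentifier=snap_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap_id)

    copy_args = dict(SourceDBSnapshotIdentifier=snap_id, TargetDBSnapshotIdentifier=enc_snap_id)
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id   # without this the copy stays unencrypted
    rds.copy_db_snapshot(**copy_args)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap_id)

    # Verify before restoring: an unencrypted copy would only give you a second
    # unencrypted database with a misleading name.
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=enc_snap_id)["DBSnapshots"][0]
    if not snap["Encrypted"]:
        raise RuntimeError(f"{enc_snap_id} is not encrypted; refusing to restore")

    resp = rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=new_db_id, DBSnapshotIdentifier=enc_snap_id
    )
    return resp["DBInstance"]


class FakeRDS:
    """Constructed stand-in for boto3.client('rds'): records the calls and
    mirrors only the response fields this flow depends on."""

    def __init__(self):
        self.snapshots = {}
        self.instances = {}
        self.calls = []

    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        self.calls.append("create_db_snapshot")
        self.snapshots[DBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": DBSnapshotIdentifier, "Encrypted": False, "KmsKeyId": None}
        return {"DBSnapshot": self.snapshots[DBSnapshotIdentifier]}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, KmsKeyId=None):
        self.calls.append("copy_db_snapshot")
        src = self.snapshots[SourceDBSnapshotIdentifier]
        self.snapshots[TargetDBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": TargetDBSnapshotIdentifier,
            "Encrypted": src["Encrypted"] or KmsKeyId is not None,
            "KmsKeyId": KmsKeyId or src["KmsKeyId"]}
        return {"DBSnapshot": self.snapshots[TargetDBSnapshotIdentifier]}

    def describe_db_snapshots(self, DBSnapshotIdentifier):
        return {"DBSnapshots": [self.snapshots[DBSnapshotIdentifier]]}

    def restore_db_instance_from_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        self.calls.append("restore_db_instance_from_db_snapshot")
        snap = self.snapshots[DBSnapshotIdentifier]
        self.instances[DBInstanceIdentifier] = {
            "DBInstanceIdentifier": DBInstanceIdentifier,
            "StorageEncrypted": snap["Encrypted"], "KmsKeyId": snap["KmsKeyId"]}
        return {"DBInstance": self.instances[DBInstanceIdentifier]}

    def get_waiter(self, name):
        class _Waiter:                  # real waiters poll; the fake returns at once
            def wait(self, **kwargs):
                pass
        return _Waiter()


if __name__ == "__main__":
    # Placeholder key: use your own KMS key ARN or alias in the target region.
    inst = encrypt_existing_rds(FakeRDS(), "lab-mysql", "alias/PLACEHOLDER-rds-key", "lab-mysql-encrypted")
    print(inst)
```

Against a real account, replace FakeRDS() with boto3.client("rds") run under a role that can snapshot, copy and restore, and keep the Encrypted check: it is the difference between an encrypted database and one that merely has "encrypted" in its name. The restored instance gets a new endpoint, so applications are repointed after the restore and the old unencrypted instance and its snapshot are removed once that is verified.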
DMS next week ....