From 251ae2f1a0a9cb8bb23beb9455779182f50cd3c2 Mon Sep 17 00:00:00 2001 From: medusa Date: Sun, 20 Jul 2025 21:39:28 -0500 Subject: [PATCH] Update tech_docs/cloud/aws_notes.md --- tech_docs/cloud/aws_notes.md | 198 +++++++++++++++++++++++++++++++++++ 1 file changed, 198 insertions(+) diff --git a/tech_docs/cloud/aws_notes.md b/tech_docs/cloud/aws_notes.md index eea2850..cf6c6f3 100644 --- a/tech_docs/cloud/aws_notes.md +++ b/tech_docs/cloud/aws_notes.md @@ -1,3 +1,201 @@ +Here’s a **30-day hands-on exercise plan** to build muscle memory for hybrid/multi-cloud networking, using free or low-cost tools. Start with foundational drills and progress to real-world scenarios: + +--- + +### **Week 1: Core Hybrid Connectivity** +#### **Exercise 1: Site-to-Site VPN (AWS ↔ On-Prem)** +**Goal**: Simulate a branch office connection. +**Steps**: +1. **AWS Side**: + ```bash + # Create a Virtual Private Gateway (VGW) + aws ec2 create-vpn-gateway --type ipsec.1 --tag-specifications 'ResourceType=vgw,Tags=[{Key=Name,Value=Lab-VGW}]' + ``` +2. **On-Prem Side**: + - Use a **free VPN appliance** (Sophos XG Home Edition or pfSense). + - Configure IPsec tunnel to AWS VGW using [AWS-generated config](https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html). +**Validation**: + ```bash + # Check tunnel status + aws ec2 describe-vpn-connections --query 'VpnConnections[].VgwTelemetry[].Status' + ``` + +#### **Exercise 2: Direct Connect BGP Tuning** +**Goal**: Optimize BGP for failover. +**Steps**: +1. Simulate Direct Connect with **AWS VPN + BGP**: + ```bash + aws ec2 create-vpn-connection \ + --type ipsec.1 \ + --customer-gateway-id \ + --vpn-gateway-id \ + --options "{\"TunnelOptions\": [{\"TunnelInsideCidr\": \"169.254.100.0/30\", \"BGPConfig\": {\"Asn\": 65001}}]}" + ``` +2. Adjust BGP timers: + ```bash + # On Linux (FRRouting) + vtysh -c "configure terminal" -c "router bgp 65001" -c "timers bgp 10 30" + ``` +**Pro Tip**: Use `tcpdump` to verify BGP keepalives: +```bash +sudo tcpdump -i eth0 'tcp port 179 and (tcp-syn|tcp-ack)!=0' -vv +``` + +--- + +### **Week 2: Multi-Cloud Networking** +#### **Exercise 3: AWS TGW ↔ Azure vWAN** +**Goal**: Connect AWS and Azure without public internet. +**Steps**: +1. **AWS Side**: + ```bash + # Create Transit Gateway attachment + aws ec2 create-transit-gateway-vpc-attachment \ + --transit-gateway-id tgw-123 \ + --vpc-id vpc-abc \ + --subnet-ids subnet-456 + ``` +2. **Azure Side**: + ```powershell + # Create Virtual WAN connection + New-AzVirtualHubVnetConnection -ResourceGroupName "rg1" -VirtualHubName "hub1" -Name "aws-conn" -RemoteVirtualNetworkId "/subscriptions/.../vnet-xyz" + ``` +**Validation**: + - Ping an Azure VM from an AWS EC2 instance over private IPs. + +#### **Exercise 4: Google Cloud Interconnect** +**Goal**: Set up VLAN attachment between GCP and AWS. +**Steps**: +1. In **GCP Console**: + - Create a **Cloud Interconnect VLAN Attachment**. +2. **AWS Side**: + - Configure a **Direct Connect Gateway**. +**Pro Tip**: Use `gcloud` to verify: +```bash +gcloud compute interconnects attachments describe aws-attachment --region us-central1 +``` + +--- + +### **Week 3: Zero Trust & Security** +#### **Exercise 5: Replace VPN with Tailscale** +**Goal**: Implement identity-based access. +**Steps**: +1. **On-Prem Server**: + ```bash + curl -fsSL https://tailscale.com/install.sh | sh + tailscale up --advertise-routes=10.0.1.0/24 --accept-routes + ``` +2. **AWS EC2 Instance**: + ```bash + tailscale up --exit-node= + ``` +**Validation**: + ```bash + # Access on-prem resources from AWS without VPN + ping 10.0.1.100 + ``` + +#### **Exercise 6: Microsegmentation with Calico** +**Goal**: Enforce L3-L4 policies across clouds. +**Steps**: +1. **Deploy Calico on EKS**: + ```bash + kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml + ``` +2. **Block cross-namespace traffic**: + ```yaml + apiVersion: projectcalico.org/v3 + kind: NetworkPolicy + metadata: + name: deny-cross-ns + spec: + selector: all() + types: [Ingress, Egress] + ingress: + - action: Deny + source: + namespaceSelector: "!projectcalico.org/name == 'default'" + ``` +**Validation**: + ```bash + kubectl exec -it pod1 -- curl pod2.default.svc.cluster.local + # Should fail + ``` + +--- + +### **Week 4: Observability & Troubleshooting** +#### **Exercise 7: Unified Flow Logs** +**Goal**: Correlate AWS VPC Flow Logs + on-prem NetFlow. +**Steps**: +1. **AWS Side**: + ```bash + aws ec2 create-flow-logs --resource-type VPC --resource-id vpc-123 --traffic-type ALL --log-destination-type s3 --log-destination "arn:aws:s3:::my-flow-logs" + ``` +2. **On-Prem Side**: + - Configure **ntopng** or **Elasticsearch** to ingest NetFlow. +**Query**: + ```sql + -- Find top talkers across environments + SELECT src_addr, SUM(bytes) FROM flow_logs GROUP BY src_addr ORDER BY SUM(bytes) DESC; + ``` + +#### **Exercise 8: Break & Fix (Chaos Engineering)** +**Goal**: Simulate hybrid network failures. +**Steps**: +1. **Induce BGP Flapping**: + ```bash + # On Linux (FRRouting) + vtysh -c "configure terminal" -c "router bgp 65001" -c "timers bgp 30 90" + ``` +2. **Monitor Impact**: + - Use **CloudWatch Metrics** (AWS) + **Azure Monitor**. +**Fix**: + ```bash + vtysh -c "configure terminal" -c "router bgp 65001" -c "timers bgp 10 30" + ``` + +--- + +### **Daily Drills (5-10 mins)** +1. **`tcpdump` Warmup**: + ```bash + sudo tcpdump -i eth0 'icmp' -c 5 -nnvv + ``` +2. **BGP Quick Check**: + ```bash + vtysh -c "show ip bgp summary" + ``` +3. **Cost Hygiene**: + ```bash + aws ce get-cost-and-usage --time-period Start=$(date +%Y-%m-01),End=$(date +%Y-%m-%d) --granularity DAILY --metrics "UnblendedCost" + ``` + +--- + +### **Tools to Keep Sharp** +| Skill | Free Tools to Practice With | +|-----------------------|---------------------------------------------| +| **BGP** | FRRouting, Bird | +| **VPN/IPsec** | StrongSwan, pfSense | +| **Zero Trust** | Tailscale (free plan), OpenZiti | +| **K8s Networking** | Minikube + Calico | +| **Observability** | ntopng, Elasticsearch (free tier) | + +--- + +### **Pro Tips for Muscle Memory** +- **Repetition**: Do each exercise 3x until commands flow without thinking. +- **Break Things**: Intentionally misconfigure BGP/VPNs, then troubleshoot. +- **Keep Notes**: Log commands and fixes in a personal GitHub repo. + +**Next-Level Challenge**: Set up a **multi-cloud failover** where traffic shifts from AWS → Azure if latency exceeds 50ms (using **Cloudflare Load Balancer**). + +Want the **step-by-step break/fix guide** for any exercise? I can draft a detailed playbook! + +--- + To complete your **networking trifecta**, you need a specialization that bridges the gap between traditional infrastructure and cloud-native environments while addressing modern architectural challenges. The **third pillar** should be: ### **Hybrid & Multi-Cloud Networking**