diff --git a/tech_docs/cloud/aws_lab.md b/tech_docs/cloud/aws_lab.md index 1af3408..a006c05 100644 --- a/tech_docs/cloud/aws_lab.md +++ b/tech_docs/cloud/aws_lab.md 
@@ -1,3 +1,212 @@ +### **The Ultimate Linux Networking & CLI Fluency Guide for AWS Professionals** +*(A tactical, no-fluff manual for mastering the fundamentals that power AWS under the hood)* + +--- + +## **Part 1: Linux Networking Fundamentals** +### **1. TCP/IP Stack: The Bare Metal** +#### **Key Concepts** +- **IP Addressing**: IPv4 (e.g., `10.0.0.1/24`), IPv6 (e.g., `fd00::1/64`) +- **Ports**: `0-65535` (Well-known: `0-1023`, Ephemeral: `32768-60999`) +- **Protocols**: TCP (reliable), UDP (unreliable), ICMP (ping/traceroute). + +#### **Commands to Master** +```bash +# View IP addresses and interfaces +ip addr show # Modern replacement for `ifconfig` +ip -4 addr # Show only IPv4 addresses + +# Check listening ports +ss -tulnp # Replacement for `netstat -tulnp` +lsof -i :80 # Find processes using port 80 + +# Test connectivity +ping -c 4 8.8.8.8 # Basic ICMP test +traceroute -n 8.8.8.8 # Path discovery (no DNS resolution) +nc -zv 10.0.1.5 443 # Test TCP port (like telnet) +``` + +#### **AWS Relevance** +- Security Groups → `iptables` rules +- VPC CIDR blocks → `ip route` table + +--- + +### **2. Routing: How Packets Move** +#### **Key Concepts** +- **Default Gateway**: Route for "everything else" (`0.0.0.0/0`). +- **Routing Tables**: Linux supports multiple tables (e.g., `main`, `local`). +- **BGP/OSPF**: Used in AWS Direct Connect and Transit Gateway. + +#### **Commands to Master** +```bash +# View routing table +ip route show # Show main routing table +ip route show table all # All tables (e.g., AWS uses multiple) + +# Add/delete routes +sudo ip route add 10.0.2.0/24 via 10.0.1.1 dev eth0 +sudo ip route del 10.0.2.0/24 + +# Simulate AWS Route Tables +ip rule add from 10.0.1.5 lookup 100 # Like AWS route table associations +``` + +#### **AWS Relevance** +- VPC Route Tables → `ip route` +- NAT Gateway → `iptables -t nat` + +--- + +### **3. 
iptables/nftables: The Firewall** +#### **Key Concepts** +- **Tables**: `filter` (default), `nat` (NAT rules), `mangle` (packet modification). +- **Chains**: `INPUT` (inbound), `OUTPUT` (outbound), `FORWARD` (routed). + +#### **Commands to Master** +```bash +# List all rules +sudo iptables -L -n -v # Security Groups map here +sudo iptables -t nat -L # NAT rules (for NAT Gateway simulation) + +# Block/allow traffic (like Security Groups) +sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow SSH +sudo iptables -A INPUT -p tcp --dport 80 -j DROP # Block HTTP + +# NAT example (AWS NAT Gateway behavior) +sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +``` + +#### **AWS Relevance** +- Security Groups → `iptables` filter table +- NACLs → Stateless (no `conntrack`) + +--- + +## **Part 2: Non-Negotiable CLI Fluency** +### **1. awk: Text Processing Superpower** +#### **Key Use Cases** +- Extract fields from AWS CLI output. +- Transform logs (e.g., VPC Flow Logs). + +#### **Examples** +```bash +# Extract private IPs from `aws ec2 describe-instances` +aws ec2 describe-instances | jq -r '.Reservations[].Instances[].PrivateIpAddress' | awk '{print "IP:", $1}' + +# Parse /etc/passwd +awk -F: '{print $1, $6}' /etc/passwd # Username and home dir +``` + +--- + +### **2. jq: JSON Wizardry** +#### **Key Use Cases** +- Filter AWS CLI JSON output. +- Transform API responses. + +#### **Examples** +```bash +# Get all VPC IDs in a region +aws ec2 describe-vpcs | jq -r '.Vpcs[].VpcId' + +# Find Security Groups allowing 0.0.0.0/0 +aws ec2 describe-security-groups | jq -r '.SecurityGroups[] | select(.IpPermissions[].IpRanges[].CidrIp == "0.0.0.0/0") | .GroupId' +``` + +--- + +### **3. tmux: Terminal Multiplexing** +#### **Key Use Cases** +- Run parallel commands (e.g., `tcpdump` + `aws cli`). +- Persist sessions across SSH disconnects. 
+ +#### **Cheat Sheet** +```bash +tmux new -s aws_lab # Start new session +Ctrl+b % # Split pane vertically +Ctrl+b " # Split pane horizontally +Ctrl+b [arrow key] # Switch panes +tmux attach -t aws_lab # Reattach session +``` + +--- + +## **Part 3: AWS + Linux Integration Drills** +### **Drill 1: Simulate a Security Group** +```bash +# Allow SSH only from 192.168.1.100 +sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT +sudo iptables -A INPUT -p tcp --dport 22 -j DROP + +# Verify +sudo iptables -L INPUT -n -v +``` + +### **Drill 2: Debug EC2 Networking** +```bash +# Check ENI attachment +ip link show eth0 # Is it UP? + +# Verify routes (VPC route table) +ip route show | grep default + +# Test metadata service (IMDS) +curl http://169.254.169.254/latest/meta-data/local-ipv4 +``` + +### **Drill 3: Parse AWS CLI with jq/awk** +```bash +# Find all EC2 instances with public IPs +aws ec2 describe-instances | jq -r '.Reservations[].Instances[] | select(.PublicIpAddress != null) | .InstanceId' + +# Count running instances +aws ec2 describe-instances | jq -r '.Reservations[].Instances[] | .State.Name' | awk '{count[$1]++} END {for (s in count) print s, count[s]}' +``` + +--- + +## **Cheat Sheets** +### **Linux Networking Quick Reference** +| Command | Purpose | AWS Equivalent | +|--------------------------|------------------------------------------|-------------------------------| +| `ip addr show` | List interfaces | `aws ec2 describe-network-interfaces` | +| `ip route show` | View routing table | `aws ec2 describe-route-tables` | +| `sudo iptables -L` | List firewall rules | Security Groups/NACLs | +| `ss -tulnp` | Check listening ports | `aws ec2 describe-security-groups` | + +### **CLI Fluency Quick Reference** +| Tool | Command Example | Use Case | +|--------|------------------------------------------|---------------------------------------| +| `awk` | `awk '{print $1}' file.txt` | Extract first column | +| `jq` | `jq -r '.VpcId' vpc.json` | Parse AWS 
JSON output | +| `tmux` | `tmux attach -t session` | Reattach to a saved session | + +--- + +## **Final Challenge** +**Simulate a NAT Gateway**: +1. On a Linux VM, enable IP forwarding: + ```bash + echo 1 > /proc/sys/net/ipv4/ip_forward + ``` +2. Add NAT rules: + ```bash + sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + ``` +3. Test from a private instance: + ```bash + curl ifconfig.me # Should return NAT VM's public IP + ``` + +--- + +**This is the toolkit AWS network engineers use daily.** Master these, and you’ll debug issues faster than 90% of cloud teams. + +Want **real-world break/fix scenarios** to practice? Let me know—I’ll draft a chaos engineering lab! + +--- + Here’s the **ultimate workhorse lab setup** for mastering cloud networking, hybrid environments, and CLI muscle memory—designed by a fellow nerd who values efficiency, realism, and cost-effectiveness. ---
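Review bot: Drill 2's `curl http://169.254.169.254/latest/meta-data/local-ipv4` returns HTTP 401 on any instance configured to require IMDSv2, so the drill should obtain a session token first, e.g. `TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")` and then send `-H "X-aws-ec2-metadata-token: $TOKEN"` with the meta-data request; as written the drill teaches the unauthenticated IMDSv1 pattern that hardened instances deliberately reject. Two smaller issues in the same hunk: in the Final Challenge, step 1's `echo 1 > /proc/sys/net/ipv4/ip_forward` fails with "Permission denied" from a non-root shell because the redirection is performed by the caller's shell, not by `sudo` (use `sudo sysctl -w net.ipv4.ip_forward=1` to match the `sudo` on the other steps), and the `MASQUERADE` rule in both section 3 and step 2 translates every forwarded packet leaving `eth0`, so adding `-s <private subnet CIDR>` keeps it closer to the NAT Gateway behaviour it claims to simulate. The cheat-sheet row mapping `ss -tulnp` to `aws ec2 describe-security-groups` is also misleading, since listening sockets are a host-side property and Security Groups describe permitted ingress, not what is listening. Finally, the closing lines ("Want **real-world break/fix scenarios** to practice? Let me know..." and the unfinished "Here's the **ultimate workhorse lab setup**...") read as chat-transcript residue rather than documentation and should be removed or completed before merge.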