Update tech_docs/cloud/aws_lab.md
@@ -1,3 +1,212 @@
|
||||
### **The Ultimate Linux Networking & CLI Fluency Guide for AWS Professionals**
|
||||
*(A tactical, no-fluff manual for mastering the fundamentals that power AWS under the hood)*
|
||||
|
||||
---
|
||||
|
||||
## **Part 1: Linux Networking Fundamentals**
|
||||
### **1. TCP/IP Stack: The Bare Metal**
|
||||
#### **Key Concepts**
|
||||
- **IP Addressing**: IPv4 (e.g., `10.0.0.1/24`), IPv6 (e.g., `fd00::1/64`)
|
||||
- **Ports**: `0-65535` (Well-known: `0-1023`, Ephemeral: `32768-60999`)
|
||||
- **Protocols**: TCP (reliable), UDP (unreliable), ICMP (ping/traceroute).
|
||||
|
||||
#### **Commands to Master**
|
||||
```bash
|
||||
# View IP addresses and interfaces
|
||||
ip addr show # Modern replacement for `ifconfig`
|
||||
ip -4 addr # Show only IPv4 addresses
|
||||
|
||||
# Check listening ports
|
||||
ss -tulnp # Replacement for `netstat -tulnp`
|
||||
lsof -i :80 # Find processes using port 80
|
||||
|
||||
# Test connectivity
|
||||
ping -c 4 8.8.8.8 # Basic ICMP test
|
||||
traceroute -n 8.8.8.8 # Path discovery (no DNS resolution)
|
||||
nc -zv 10.0.1.5 443 # Test TCP port (like telnet)
|
||||
```
|
||||
|
||||
#### **AWS Relevance**
|
||||
- Security Groups → `iptables` rules
|
||||
- VPC CIDR blocks → `ip route` table
|
||||
|
||||
---
|
||||
|
||||
### **2. Routing: How Packets Move**
|
||||
#### **Key Concepts**
|
||||
- **Default Gateway**: Route for "everything else" (`0.0.0.0/0`).
|
||||
- **Routing Tables**: Linux supports multiple tables (e.g., `main`, `local`).
|
||||
- **BGP/OSPF**: Used in AWS Direct Connect and Transit Gateway.
|
||||
|
||||
#### **Commands to Master**
|
||||
```bash
|
||||
# View routing table
|
||||
ip route show # Show main routing table
|
||||
ip route show table all # All tables (e.g., AWS uses multiple)
|
||||
|
||||
# Add/delete routes
|
||||
sudo ip route add 10.0.2.0/24 via 10.0.1.1 dev eth0
|
||||
sudo ip route del 10.0.2.0/24
|
||||
|
||||
# Simulate AWS Route Tables
|
||||
ip rule add from 10.0.1.5 lookup 100 # Like AWS route table associations
|
||||
```
|
||||
|
||||
#### **AWS Relevance**
|
||||
- VPC Route Tables → `ip route`
|
||||
- NAT Gateway → `iptables -t nat`
|
||||
|
||||
---
|
||||
|
||||
### **3. iptables/nftables: The Firewall**
|
||||
#### **Key Concepts**
|
||||
- **Tables**: `filter` (default), `nat` (NAT rules), `mangle` (packet modification).
|
||||
- **Chains**: `INPUT` (inbound), `OUTPUT` (outbound), `FORWARD` (routed).
|
||||
|
||||
#### **Commands to Master**
|
||||
```bash
|
||||
# List all rules
|
||||
sudo iptables -L -n -v # Security Groups map here
|
||||
sudo iptables -t nat -L # NAT rules (for NAT Gateway simulation)
|
||||
|
||||
# Block/allow traffic (like Security Groups)
|
||||
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow SSH
|
||||
sudo iptables -A INPUT -p tcp --dport 80 -j DROP # Block HTTP
|
||||
|
||||
# NAT example (AWS NAT Gateway behavior)
|
||||
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
```
|
||||
|
||||
#### **AWS Relevance**
|
||||
- Security Groups → `iptables` filter table
|
||||
- NACLs → Stateless (no `conntrack`)
|
||||
|
||||
---
|
||||
|
||||
## **Part 2: Non-Negotiable CLI Fluency**
|
||||
### **1. awk: Text Processing Superpower**
|
||||
#### **Key Use Cases**
|
||||
- Extract fields from AWS CLI output.
|
||||
- Transform logs (e.g., VPC Flow Logs).
|
||||
|
||||
#### **Examples**
|
||||
```bash
|
||||
# Extract private IPs from `aws ec2 describe-instances`
|
||||
aws ec2 describe-instances | jq -r '.Reservations[].Instances[].PrivateIpAddress' | awk '{print "IP:", $1}'
|
||||
|
||||
# Parse /etc/passwd
|
||||
awk -F: '{print $1, $6}' /etc/passwd # Username and home dir
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### **2. jq: JSON Wizardry**
|
||||
#### **Key Use Cases**
|
||||
- Filter AWS CLI JSON output.
|
||||
- Transform API responses.
|
||||
|
||||
#### **Examples**
|
||||
```bash
|
||||
# Get all VPC IDs in a region
|
||||
aws ec2 describe-vpcs | jq -r '.Vpcs[].VpcId'
|
||||
|
||||
# Find Security Groups allowing 0.0.0.0/0
|
||||
aws ec2 describe-security-groups | jq -r '.SecurityGroups[] | select(.IpPermissions[].IpRanges[].CidrIp == "0.0.0.0/0") | .GroupId'
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### **3. tmux: Terminal Multiplexing**
|
||||
#### **Key Use Cases**
|
||||
- Run parallel commands (e.g., `tcpdump` + `aws cli`).
|
||||
- Persist sessions across SSH disconnects.
|
||||
|
||||
#### **Cheat Sheet**
|
||||
```bash
|
||||
tmux new -s aws_lab # Start new session
|
||||
Ctrl+b % # Split pane vertically
|
||||
Ctrl+b " # Split pane horizontally
|
||||
Ctrl+b [arrow key] # Switch panes
|
||||
tmux attach -t aws_lab # Reattach session
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## **Part 3: AWS + Linux Integration Drills**
|
||||
### **Drill 1: Simulate a Security Group**
|
||||
```bash
|
||||
# Allow SSH only from 192.168.1.100
|
||||
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
|
||||
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
|
||||
|
||||
# Verify
|
||||
sudo iptables -L INPUT -n -v
|
||||
```
|
||||
|
||||
### **Drill 2: Debug EC2 Networking**
|
||||
```bash
|
||||
# Check ENI attachment
|
||||
ip link show eth0 # Is it UP?
|
||||
|
||||
# Verify routes (VPC route table)
|
||||
ip route show | grep default
|
||||
|
||||
# Test metadata service (IMDS)
|
||||
curl http://169.254.169.254/latest/meta-data/local-ipv4
|
||||
```
|
||||
|
||||
### **Drill 3: Parse AWS CLI with jq/awk**
|
||||
```bash
|
||||
# Find all EC2 instances with public IPs
|
||||
aws ec2 describe-instances | jq -r '.Reservations[].Instances[] | select(.PublicIpAddress != null) | .InstanceId'
|
||||
|
||||
# Count running instances
|
||||
aws ec2 describe-instances | jq -r '.Reservations[].Instances[] | .State.Name' | awk '{count[$1]++} END {for (s in count) print s, count[s]}'
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## **Cheat Sheets**
|
||||
### **Linux Networking Quick Reference**
|
||||
| Command | Purpose | AWS Equivalent |
|
||||
|--------------------------|------------------------------------------|-------------------------------|
|
||||
| `ip addr show` | List interfaces | `aws ec2 describe-network-interfaces` |
|
||||
| `ip route show` | View routing table | `aws ec2 describe-route-tables` |
|
||||
| `sudo iptables -L` | List firewall rules | Security Groups/NACLs |
|
||||
| `ss -tulnp` | Check listening ports | `aws ec2 describe-security-groups` |
|
||||
|
||||
### **CLI Fluency Quick Reference**
|
||||
| Tool | Command Example | Use Case |
|
||||
|--------|------------------------------------------|---------------------------------------|
|
||||
| `awk` | `awk '{print $1}' file.txt` | Extract first column |
|
||||
| `jq` | `jq -r '.VpcId' vpc.json` | Parse AWS JSON output |
|
||||
| `tmux` | `tmux attach -t session` | Reattach to a saved session |
|
||||
|
||||
---
|
||||
|
||||
## **Final Challenge**
|
||||
**Simulate a NAT Gateway**:
|
||||
1. On a Linux VM, enable IP forwarding:
|
||||
```bash
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
```
|
||||
2. Add NAT rules:
|
||||
```bash
|
||||
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
```
|
||||
3. Test from a private instance:
|
||||
```bash
|
||||
curl ifconfig.me # Should return NAT VM's public IP
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**This is the toolkit AWS network engineers use daily.** Master these, and you’ll debug issues faster than 90% of cloud teams.
|
||||
|
||||
Want **real-world break/fix scenarios** to practice? Let me know—I’ll draft a chaos engineering lab!
|
||||
|
||||
---
|
||||
|
||||
Here’s the **ultimate workhorse lab setup** for mastering cloud networking, hybrid environments, and CLI muscle memory—designed by a fellow nerd who values efficiency, realism, and cost-effectiveness.
|
||||
|
||||
---
|
||||
|
||||
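Review bot: the IMDS check in Drill 2, `curl http://169.254.169.254/latest/meta-data/local-ipv4`, is an IMDSv1-style request and returns 401 on any instance launched with `HttpTokens=required`, which is the recommended hardening; fetch a session token first with `curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`, pass it via `-H "X-aws-ec2-metadata-token: $TOKEN"`, and say why it matters (the token hop is what closed the SSRF-to-credential-theft path IMDSv1 allowed). In Part 2, `select(.IpPermissions[].IpRanges[].CidrIp == "0.0.0.0/0")` emits the same GroupId once per matching range and ignores `Ipv6Ranges` (`::/0`); `select(any(.IpPermissions[]; any(.IpRanges[]?; .CidrIp == "0.0.0.0/0") or any(.Ipv6Ranges[]?; .CidrIpv6 == "::/0")))` yields one line per group and covers both families. In the Final Challenge, `echo 1 > /proc/sys/net/ipv4/ip_forward` runs the redirect in the unprivileged shell and fails with permission denied; use `sudo sysctl -w net.ipv4.ip_forward=1`, add the FORWARD rules the MASQUERADE rule depends on (on a host whose FORWARD policy is DROP, e.g. one running Docker, the NAT rule alone forwards nothing), and note that neither the sysctl nor the iptables rules persist across a reboot. Drill 1 should warn that appending the two port-22 rules from an SSH session not originating at 192.168.1.100 drops the administrator's own connection, and `-A` appends after any existing rules, so verify ordering with the `-L INPUT -n -v --line-numbers` output before relying on it. Finally, the closing lines from "Want **real-world break/fix scenarios** to practice?" through "designed by a fellow nerd who values efficiency..." are conversational filler and a lead-in with no content following it; drop them or complete the lab setup section.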