diff --git a/tech_docs/cloud/aws_lab.md b/tech_docs/cloud/aws_lab.md index a006c05..f5e7d43 100644 --- a/tech_docs/cloud/aws_lab.md +++ b/tech_docs/cloud/aws_lab.md @@ -1,3 +1,146 @@ +Absolutely! You can build a **highly functional, mostly local lab** that integrates AWS *only* for specific services (like IAM, Route 53, or GuardDuty) while keeping compute/storage/networking on-prem. Here’s how to architect it: + +--- + +### **🔧 Lab Design: "AWS-Hybrid Minimalist"** +**Goal**: 99% of workloads run locally, but leverage AWS for: +- **Identity** (AWS IAM for authentication) +- **DNS** (Route 53 private zones) +- **Security** (GuardDuty for threat detection) +- **Cost Zero** (Free-tier services only). + +#### **Architecture** +```mermaid +graph TB + subgraph Local[On-Prem Lab] + Proxmox-->VM1[VyOS Router] + Proxmox-->VM2[K8s Cluster] + Proxmox-->VM3[CI/CD Server] + end + subgraph AWS[Cloud Services] + IAM-->|STS|Local + Route53-->|Private DNS|Local + GuardDuty-->|Threat Intel|Local + end +``` + +--- + +### **🚀 Step 1: Local Core Infrastructure** +#### **1. Hypervisor (Proxmox/KVM)** +- **Role**: Host VMs for networking, K8s, and workloads. +- **Networking**: + ```bash + # Create a bridge for VMs (vmbr0) + sudo ip link add name vmbr0 type bridge + sudo ip link set vmbr0 up + ``` + +#### **2. Networking (VyOS/FRRouting)** +- **Role**: Simulate AWS TGW/VPC routing. +- **Config**: + ```bash + # BGP with AWS (over VPN) + set protocols bgp 65001 neighbor 169.254.100.1 remote-as 64512 + set protocols bgp 65001 network 192.168.1.0/24 + ``` + +#### **3. Kubernetes (k3s/EKS Anywhere)** +- **Role**: Run containerized apps locally. +- **Integration**: + ```bash + # Use AWS ECR for images (but run locally) + aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com + ``` + +--- + +### **🔗 Step 2: Strategic AWS Integrations** +#### **1. IAM for Authentication** +- **Local Services Auth via AWS IAM**: + ```bash + # Use AWS CLI to generate temp credentials for local apps + aws sts assume-role --role-arn arn:aws:iam::123456789012:role/LabAdmin --role-session-name lab-cli + ``` + +#### **2. Route 53 Private DNS** +- **Hybrid DNS Resolution**: + ```bash + # On VyOS/Ubuntu DNS server + cat < /etc/resolv.conf + search us-east-1.compute.internal + nameserver 10.0.0.2 # AWS DNS + nameserver 192.168.1.1 # Local DNS + EOF + ``` + +#### **3. GuardDuty for Threat Detection** +- **Forward Local Logs to AWS**: + ```bash + # Install AWS agent to send syslogs to GuardDuty + sudo amazon-cloudwatch-agent-ctl -a fetch-config -m onPremise -s -c ssm:AmazonCloudWatch-linux.json + ``` + +--- + +### **💡 Step 3: Cost-Free AWS Services** +| Service | Free Tier Usage | Local Integration Command | +|------------------|------------------------------------------|------------------------------------------| +| **IAM** | 1000+ free API calls/month | `aws iam list-users` | +| **Route 53** | 1 private hosted zone | `aws route53 list-hosted-zones-private` | +| **GuardDuty** | 30-day free trial | `aws guardduty list-detectors` | +| **CloudTrail** | 1 free trail | `aws cloudtrail lookup-events` | + +--- + +### **🔬 Sample Lab Exercises** +#### **1. Authenticate Local K8s to AWS ECR** +```bash +# On local K8s node +aws eks get-token --cluster-name my-local-cluster | kubectl config set-credentials aws-user --token +``` + +#### **2. Hybrid DNS Debugging** +```bash +# Query AWS Route 53 from local VM +dig +short myapp.internal.aws # Should resolve to local IP +``` + +#### **3. GuardDuty Alert Simulation** +```bash +# Trigger a fake threat locally +sudo nmap -sS 192.168.1.1 # GuardDuty detects port scans +``` + +--- + +### **⚡ Why This Works** +- **Zero Compute Costs**: All heavy lifting is local. +- **Real AWS Integration**: IAM, DNS, and logging work like production. +- **Portable**: Replace Proxmox with Raspberry Pis for edge testing. + +**Pro Tip**: Use Terraform to define AWS resources, then `terraform destroy` daily to avoid costs. + +Want the **exact Terraform configs** to auto-setup this lab? Here’s a snippet: +```hcl +# AWS Route 53 private zone +resource "aws_route53_zone" "local_lab" { + name = "internal.aws" + vpc { + vpc_id = "vpc-123" # Dummy VPC (not used locally) + } +} +``` + +--- + +### **Final Thought** +This setup gives you **production-grade AWS patterns** (IAM roles, centralized DNS) without paying for EC2/VPCs. You’re only charged for API calls (which stay free-tier compliant). + +**Need a full terraform config or Proxmox setup script?** I can package it all into a GitHub repo! + +--- + ### **The Ultimate Linux Networking & CLI Fluency Guide for AWS Professionals** *(A tactical, no-fluff manual for mastering the fundamentals that power AWS under the hood)*