Update tech_docs/cloud/aws_lab.md

2025-07-20 23:05:03 -05:00
parent 82162a078f
commit c95b683f15


@@ -1,3 +1,146 @@
Absolutely! You can build a **highly functional, mostly local lab** that integrates AWS *only* for specific services (like IAM, Route 53, or GuardDuty) while keeping compute/storage/networking on-prem. Heres how to architect it:
---
### **🔧 Lab Design: "AWS-Hybrid Minimalist"**
**Goal**: 99% of workloads run locally, but leverage AWS for:
- **Identity** (AWS IAM for authentication)
- **DNS** (Route 53 private zones)
- **Security** (GuardDuty for threat detection)
- **Cost Zero** (Free-tier services only).
#### **Architecture**
```mermaid
graph TB
subgraph Local[On-Prem Lab]
Proxmox-->VM1[VyOS Router]
Proxmox-->VM2[K8s Cluster]
Proxmox-->VM3[CI/CD Server]
end
subgraph AWS[Cloud Services]
IAM-->|STS|Local
Route53-->|Private DNS|Local
GuardDuty-->|Threat Intel|Local
end
```
---
### **🚀 Step 1: Local Core Infrastructure**
#### **1. Hypervisor (Proxmox/KVM)**
- **Role**: Host VMs for networking, K8s, and workloads.
- **Networking**:
```bash
# Create a bridge for VMs (vmbr0)
sudo ip link add name vmbr0 type bridge
sudo ip link set vmbr0 up
```
#### **2. Networking (VyOS/FRRouting)**
- **Role**: Simulate AWS TGW/VPC routing.
- **Config**:
```bash
# BGP with AWS (over VPN)
set protocols bgp 65001 neighbor 169.254.100.1 remote-as 64512
set protocols bgp 65001 network 192.168.1.0/24
```
#### **3. Kubernetes (k3s/EKS Anywhere)**
- **Role**: Run containerized apps locally.
- **Integration**:
```bash
# Use AWS ECR for images (but run locally)
aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
```
---
### **🔗 Step 2: Strategic AWS Integrations**
#### **1. IAM for Authentication**
- **Local Services Auth via AWS IAM**:
```bash
# Use AWS CLI to generate temp credentials for local apps
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/LabAdmin --role-session-name lab-cli
```
#### **2. Route 53 Private DNS**
- **Hybrid DNS Resolution**:
```bash
# On VyOS/Ubuntu DNS server
cat <<EOF > /etc/resolv.conf
search us-east-1.compute.internal
nameserver 10.0.0.2 # AWS DNS
nameserver 192.168.1.1 # Local DNS
EOF
```
#### **3. GuardDuty for Threat Detection**
- **Forward Local Logs to AWS**:
```bash
# Install AWS agent to send syslogs to GuardDuty
sudo amazon-cloudwatch-agent-ctl -a fetch-config -m onPremise -s -c ssm:AmazonCloudWatch-linux.json
```
---
### **💡 Step 3: Cost-Free AWS Services**
| Service | Free Tier Usage | Local Integration Command |
|------------------|------------------------------------------|------------------------------------------|
| **IAM** | 1000+ free API calls/month | `aws iam list-users` |
| **Route 53** | 1 private hosted zone | `aws route53 list-hosted-zones-private` |
| **GuardDuty** | 30-day free trial | `aws guardduty list-detectors` |
| **CloudTrail** | 1 free trail | `aws cloudtrail lookup-events` |
---
### **🔬 Sample Lab Exercises**
#### **1. Authenticate Local K8s to AWS ECR**
```bash
# On local K8s node
aws eks get-token --cluster-name my-local-cluster | kubectl config set-credentials aws-user --token
```
#### **2. Hybrid DNS Debugging**
```bash
# Query AWS Route 53 from local VM
dig +short myapp.internal.aws # Should resolve to local IP
```
#### **3. GuardDuty Alert Simulation**
```bash
# Trigger a fake threat locally
sudo nmap -sS 192.168.1.1 # GuardDuty detects port scans
```
---
### **⚡ Why This Works**
- **Zero Compute Costs**: All heavy lifting is local.
- **Real AWS Integration**: IAM, DNS, and logging work like production.
- **Portable**: Replace Proxmox with Raspberry Pis for edge testing.
**Pro Tip**: Use Terraform to define AWS resources, then `terraform destroy` daily to avoid costs.
Want the **exact Terraform configs** to auto-setup this lab? Heres a snippet:
```hcl
# AWS Route 53 private zone
resource "aws_route53_zone" "local_lab" {
name = "internal.aws"
vpc {
vpc_id = "vpc-123" # Dummy VPC (not used locally)
}
}
```
---
### **Final Thought**
This setup gives you **production-grade AWS patterns** (IAM roles, centralized DNS) without paying for EC2/VPCs. Youre only charged for API calls (which stay free-tier compliant).
**Need a full terraform config or Proxmox setup script?** I can package it all into a GitHub repo!
---
### **The Ultimate Linux Networking & CLI Fluency Guide for AWS Professionals** ### **The Ultimate Linux Networking & CLI Fluency Guide for AWS Professionals**
*(A tactical, no-fluff manual for mastering the fundamentals that power AWS under the hood)* *(A tactical, no-fluff manual for mastering the fundamentals that power AWS under the hood)*
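Review bot: several commands in this hunk do not work as written and need correcting before this lands as documentation. In the Step 3 table, `aws route53 list-hosted-zones-private` is not an AWS CLI subcommand; `aws route53 list-hosted-zones` or `list-hosted-zones-by-vpc` is. In "Authenticate Local K8s to AWS ECR", `aws eks get-token` returns an EKS authentication token rather than ECR credentials, and `kubectl config set-credentials aws-user --token` takes a value instead of reading stdin, so the pipe has no effect; the ECR login already shown in Step 1.3 (`aws ecr get-login-password | docker login ...`) is the correct pattern and the exercise should reuse it. The GuardDuty sections overstate the service: `amazon-cloudwatch-agent-ctl` ships syslog to CloudWatch Logs, not GuardDuty, and GuardDuty only analyses AWS-side sources (CloudTrail, VPC Flow Logs, Route 53 DNS logs), so the "Alert Simulation" scan of 192.168.1.1 from an on-prem host will never produce a finding; `aws guardduty create-sample-findings` is the supported way to exercise alert routing. The resolv.conf block points on-prem hosts at 10.0.0.2, the VPC-internal resolver, which is only reachable over the VPN through a Route 53 Resolver inbound endpoint, and on VyOS `/etc/resolv.conf` is managed by the configuration system, so it should be `set system name-server` rather than a heredoc. Lastly, the body is pasted chat output ("Absolutely!", "Want the exact Terraform configs?") and the final two lines repeat a heading for an unrelated guide; trim those before merging.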