Don't think about the difficulty: let's try to connect easily to an IPv6 network with AWS


December 26, 22

Slide overview

presentation material for JAWS Pankration 2021


Technical education engineer; network and cloud infrastructure engineer. I set up environments that interconnect place to place, thing to thing, and person to person.


Text of each page
1.

AWS AS A WEEKEND HOBBY Don't think about the difficulty: let's try to connect easily to an IPv6 network with AWS

2.

◆ Kazuo Namba @JAWS-UG Okayama, RHIZOME CO.,LTD, Twitter: @kazu_0
⚫ Occupation
  ⚫ System Administrator
  ⚫ In charge of cloud and on-premises infrastructure
◼ Certification
  ◼ Chief Telecommunications Engineer (Transmission and Switching; Line)
  ◼ On-The-Ground I-Category Special Radio Operator
  ◼ Technical Engineer (Network)
My favorite AWS services: Transit Gateway / VPC / DX, Global Accelerator

3.

IPV4/IPV6 DUAL STACK
• About a decade has passed since it was released; have you ever used the VPC's IPv4/IPv6 dual-stack function?
• Let's consider use cases for an IPv6 solution in the AWS environment.

4.

IPV4/IPV6 DUAL STACK
• About a decade has passed since it was released; have you ever used the VPC's IPv4/IPv6 dual-stack function?
Elastic Load Balancing – IPv6, Zone Apex Support, Additional Security | AWS News Blog (amazon.com)

5.

IPV4/IPV6 DUAL STACK
• World IPv6 Day: as an attempt to give momentum to the full-scale deployment of IPv6, the Internet Society (ISOC) held World IPv6 Day on June 8, 2011, calling on service providers to enable IPv6 simultaneously for one day.
https://www.worldipv6launch.org/ https://blog.nic.ad.jp/2021/6406/

6.

IPV4/IPV6 DUAL STACK
• Let's consider two use cases for an IPv6 solution in the AWS environment:
  • Internet-facing Application Load Balancer
  • Site-to-Site VPN connectivity with AWS Transit Gateway


9.

INTERNET-FACING APPLICATION LOAD BALANCER
[Diagram] festa-ghost.us-west-2.elasticbeanstalk.com → festa2017.std-adhocracy.net (5. Route 53, Certificate Manager)
  1. VPC 172.22.218.0/24 and 2600:1f14:260:1d00::/56
  2. Subnet 172.22.218.64/26 and 2600:1f14:260:1d10::/64: EC2 compute container (Elastic Beanstalk deployment)
  2. Subnet 172.22.218.128/26 and 2600:1f14:260:1d11::/64: EC2 compute container (Elastic Beanstalk deployment)
  3. Route table
  4. Application Load Balancer
1. Configure VPC for dual stack
2. Configure subnet for dual stack
3. Configure internet connectivity by adding the default routes for IPv4 and IPv6 in the public subnet
4. Configure Application Load Balancer (ALB) for dual stack
5. Configure DNS resolution for application endpoints with Route 53
Reference: AWS ElasticBeanstalk ELB Health Check Type (slideshare.net)


14.

1. CONFIGURE VPC FOR DUAL STACK
• The VPC IPv6 setting is very simple
• Actions - Edit CIDRs
• Add new IPv6 CIDR
• You get a /56 IPv6 prefix


16.

1. CONFIGURE VPC FOR DUAL STACK
• What is a /56 prefix like?
• It can be split into 256 /64 subnets, each with 2^64 = 18,446,744,073,709,551,616 addresses

17.

2. CONFIGURE SUBNET FOR DUAL STACK
• The subnet IPv6 setting is very simple, the same as for the VPC
• Actions - Edit IPv6 CIDRs
• Add IPv6 CIDR

18.

2. CONFIGURE SUBNET FOR DUAL STACK
• The subnet IPv6 setting is very simple, the same as for the VPC
• You set up a /64 IPv6 prefix for the subnet inside the VPC's /56 IPv6 prefix

19.

3. CONFIGURE ROUTE TABLE
• Route table setting for the internet-facing VPC
• Set the IPv6 default route (::/0) to the internet gateway

20.

3. CONFIGURE ROUTE TABLE
• VPC route table setting: when you want to permit only outbound traffic, the recommendation is to use an egress-only internet gateway
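The /56 and /64 arithmetic from slides 16 to 18 and the route-table choice from slides 19 and 20, worked through in Python with only the standard library. This is an added example, not code from the slides: the CIDRs are the ones shown on the slides, and the igw-/eigw-/nat- route targets are placeholders in the shape of AWS resource IDs. The point the route-table classifier makes is that a VPC IPv6 block is global unicast, so there is no NAT hiding instances; the choice between an internet gateway and an egress-only internet gateway for ::/0 is what decides whether the subnet is reachable inbound.

```python
import ipaddress

# CIDRs shown on the slides (strings, so callers need not import ipaddress)
VPC_IPV6 = "2600:1f14:260:1d00::/56"
PUBLIC_SUBNETS = ["2600:1f14:260:1d10::/64", "2600:1f14:260:1d11::/64"]

# Route tables as on slides 19 and 20; gateway IDs are placeholders in AWS's format
PUBLIC_RT = [(VPC_IPV6, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER"), ("::/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [(VPC_IPV6, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER"), ("::/0", "eigw-PLACEHOLDER")]


def count_subnets(vpc: str, new_prefix: int = 64) -> int:
    """Number of /64 subnets that fit in the VPC block (256 for a /56)."""
    return sum(1 for _ in ipaddress.IPv6Network(vpc).subnets(new_prefix=new_prefix))


def addresses_per_subnet(prefixlen: int = 64) -> int:
    """Addresses in one subnet: 2^(128 - prefixlen)."""
    return ipaddress.IPv6Network(f"::/{prefixlen}").num_addresses


def check_subnets(vpc: str, subnets) -> list:
    """Problems with a subnet plan: AWS requires /64 subnets, each inside the
    VPC block, and no two may overlap. Returns an empty list when all is well."""
    vpc_net = ipaddress.IPv6Network(vpc)
    nets = [ipaddress.IPv6Network(s) for s in subnets]
    problems = []
    for s in nets:
        if s.prefixlen != 64:
            problems.append(f"{s}: AWS IPv6 subnets must be /64")
        if not s.subnet_of(vpc_net):
            problems.append(f"{s}: outside VPC block {vpc_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def is_internet_routable(net: str) -> bool:
    """AWS-assigned VPC IPv6 blocks are global unicast: unlike RFC 1918 IPv4
    behind NAT, every instance address is reachable from the Internet as soon
    as the route table and security group allow it. Unique-local space
    (fc00::/7), as used for the VPN tunnel inner addresses later in the deck,
    is not."""
    return ipaddress.IPv6Network(net).network_address.is_global


def ipv6_exposure(routes) -> str:
    """Classify a subnet's IPv6 posture from its route table rows (destination, target):
      'public'      ::/0 -> igw-...:  reachable inbound and outbound
      'egress-only' ::/0 -> eigw-...: instances can reach out, nothing can reach in
      'isolated'    no ::/0 route at all"""
    for dest, target in routes:
        if dest == "::/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("eigw-"):
                return "egress-only"
    return "isolated"


if __name__ == "__main__":
    print(count_subnets(VPC_IPV6), "subnets of", addresses_per_subnet(), "addresses each")
    print("plan problems:", check_subnets(VPC_IPV6, PUBLIC_SUBNETS))
    print("public subnet:", ipv6_exposure(PUBLIC_RT), "/ private subnet:", ipv6_exposure(PRIVATE_RT))
```

Run it and the plan on the slides comes back clean; feed it a /64 outside the /56, or a /65, and check_subnets names the offending subnet.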

21.

4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK
• When creating a new ELB
• Edit IP address type
• Choose dualstack

22.

4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK
• Changing the setting of an existing ELB
• Actions - Edit IP address type
• Choose dualstack


24.

4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK
> Resolve-DnsName -name Oreg-VPC218-alb-511053037.us-west-2.elb.amazonaws.com

Name                                                   Type  TTL  Section  IPAddress
----                                                   ----  ---  -------  ---------
Oreg-VPC218-alb-511053037.us-west-2.elb.amazonaws.com  AAAA  60   Answer   2600:1f14:260:1d10:90c0:cae5:77ff:6cb3
Oreg-VPC218-alb-511053037.us-west-2.elb.amazonaws.com  A     60   Answer   44.240.137.147

25.

4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK
• ELB security group setting
• Set up the port range you want to permit, e.g. HTTP (80) from ::/0 and HTTPS (443) from ::/0
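A defender-side check for the security group rule above, added here as an example and not taken from the slides. Security group rules are per address family, so an inbound rule from 0.0.0.0/0 does nothing for IPv6 clients and the ::/0 rule has to be added separately; the audit flags ports open to the whole Internet beyond 80 and 443, and the dual-stack mismatch where a port is open on one family but not the other, which either silently breaks IPv6 service or hides exposure that only exists over IPv6. The rule sets are constructed inline in the shape of an EC2 DescribeSecurityGroups IpPermissions entry; the group IDs are placeholders, not real resources.

```python
# What slide 25 permits from the whole Internet for an internet-facing ALB
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample in the DescribeSecurityGroups IpPermissions shape (placeholder IDs)
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER-1",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # IPv6 rule forgotten
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},               # hole that only IPv6 sees
    ],
}

# The corrected group: 80 and 443 open on both families, nothing else from the Internet
HARDENED_SG = {
    "GroupId": "sg-PLACEHOLDER-2",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def open_ports(sg):
    """Return (v4_ports, v6_ports): the ports reachable from 0.0.0.0/0 and from ::/0.
    IpProtocol "-1" means all traffic, which AWS reports without port fields."""
    v4, v6 = set(), set()
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] == "-1" or "FromPort" not in perm:
            ports = set(range(0, 65536))
        else:
            ports = set(range(perm["FromPort"], perm["ToPort"] + 1))
        if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            v4 |= ports
        if any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", [])):
            v6 |= ports
    return v4, v6


def audit_security_group(sg, allowed=ALLOWED_PUBLIC_PORTS):
    """Findings as plain strings; an empty list means the group matches the slide's intent."""
    v4, v6 = open_ports(sg)
    findings = []
    # 1. anything reachable from the whole Internet beyond the allowed ports
    for port in sorted((v4 | v6) - allowed):
        if port in v4 and port in v6:
            family = "IPv4 and IPv6"
        elif port in v6:
            family = "IPv6"
        else:
            family = "IPv4"
        findings.append(f"port {port} open to the whole {family} Internet")
    # 2. allowed ports that are open on one address family only
    for port in sorted(allowed):
        if port in v4 and port not in v6:
            findings.append(f"port {port} open to 0.0.0.0/0 but not ::/0: IPv6 clients are blocked")
        elif port in v6 and port not in v4:
            findings.append(f"port {port} open to ::/0 but not 0.0.0.0/0: IPv4 clients are blocked")
    return findings


if __name__ == "__main__":
    for sg in (SAMPLE_SG, HARDENED_SG):
        print(sg["GroupId"], audit_security_group(sg) or "OK")
```

With a real account the same function can be run over each group returned by boto3's describe_security_groups, since the dictionaries have the same keys.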

26.

5. DNS RESOLUTION FOR APPLICATION ENDPOINTS WITH ROUTE53
• Record type: AAAA
• You can set up an alias record whose target routes traffic to the ELB

27.

INTERNET-FACING APPLICATION LOAD BALANCER (recap on the same diagram as slide 9)
[Diagram] festa-ghost.us-west-2.elasticbeanstalk.com → festa2017.std-adhocracy.net (5. Route 53, Certificate Manager); 1. VPC 172.22.218.0/24 and 2600:1f14:260:1d00::/56; 2. Subnet 172.22.218.64/26 and 2600:1f14:260:1d10::/64; 3. Subnet 172.22.218.128/26 and 2600:1f14:260:1d11::/64; each subnet with an EC2 compute container deployed by Elastic Beanstalk; 3. route table; 4. Application Load Balancer
1. Configure VPC for dual stack
2. Configure subnet for dual stack
3. Configure internet connectivity by adding the default routes for IPv4 and IPv6 in the public subnet
4. Configure Application Load Balancer (ALB) for dual stack
5. Configure DNS resolution for application endpoints with Route 53
Reference: AWS ElasticBeanstalk ELB Health Check Type (slideshare.net)


29.

VPN CONNECTIVITY WITH AWS TRANSIT GATEWAY
[Diagram] Corporate data center (2. Customer gateway, 2001:db8:1::1/64) connected by Site-to-Site VPN connections (VPN connection for IPv6 with tunnel inner addresses fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7c/126, and VPN connection for IPv4) to the AWS Cloud: 1. Transit Gateway with 3. TGW route table, attached to VPC A and VPC B (2600:1f14:aff:e000::/56), each with a 3. VPC route table
1. Configure the Transit Gateway attachment for a dual-stack Site-to-Site VPN
  • The outer IP addresses of the Site-to-Site VPN connections are public IPv4 addresses
  • One of the VPN tunnels is configured with inner IPv6 addresses and routes IPv6 traffic
  • The other VPN tunnel is configured with inner IPv4 addresses and routes IPv4 traffic
2. Set up the customer gateway
3. Set up the route tables for the Transit Gateway and each VPC attachment

30.

TRANSIT GATEWAY ATTACHMENT AND ROUTE TABLE
• Route table
  • Transit Gateway route table and VPC route table
  • A Transit Gateway can have several route tables, like VRFs (not covered in this session)
• Attachments
  • Connection point to the Transit Gateway from a VPC, VPN or DX gateway
  • Associations
  • Propagations


33.

VPN CONNECTIVITY WITH AWS TRANSIT GATEWAY Corporate data center AWS Cloud VPC A fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7c/126 3.VPC Route table VPN connection for ipv6 Site to Site VPN connections VPC B 2.Customer gateway 2001:db8:1::1/64 2600:1f14:aff:e000::/56 VPN connection for ipv4 1.Transit Gateway 3.TGW Route table 3.VPC Route table 1. Configure Transit gateway attachment for dual stack Site to Site VPN The outer IP addresses of the Site to Site VPN connections are public IPv4 addresses One of the VPN tunnels is configured with inner IPv6 addresses, and routes IPv6 traffic The other VPN tunnel is configured with inner IPv4 addresses, routes IPv4 traffic 2. Set up Customer gateway 3. Set up route table for transit gateway and each VPC attachments


39.

1. CONFIGURE TRANSIT GATEWAY ATTACHMENT FOR DUAL STACK SITE TO SITE VPN
• Site-to-Site VPN IPv6 support cannot be set up from the Transit Gateway attachment menu


41.

1. CONFIGURE TRANSIT GATEWAY ATTACHMENT FOR DUAL STACK SITE TO SITE VPN
• For that reason, set it up from the Site-to-Site VPN Connections menu


43.

2. CUSTOMER GATEWAY CONFIG
• RTX static route sample (IKEv2 / NAT-T)
    ip route default gateway 10.1.0.254
    ipv6 routing on
    ipv6 route default gateway tunnel 1
    ipv6 prefix 1 2001:db8:1::/64
    ip lan1 address 10.1.100.61/16
    ipv6 lan1 address 2001:db8:1::1/64
• The outer address of the IPsec tunnel is IPv4, so the default route is set to the IPv4 internet gateway.
• The IPv6 default route is configured to the virtual tunnel interface.

44.

2. CUSTOMER GATEWAY CONFIG
• RTX static route sample (IKEv2 / NAT-T)
    tunnel select 1
     ipsec tunnel 201
      ipsec sa policy 201 1 esp aes256-cbc sha256-hmac
      ipsec ike version 1 2
      ipsec ike duration ipsec-sa 1 3600
      ipsec ike duration isakmp-sa 1 28800
      ipsec ike encryption 1 aes256-cbc
      ipsec ike group 1 modp1536
      ipsec ike hash 1 sha256
      ipsec ike keepalive log 1 on
      ipsec ike keepalive use 1 on rfc4306 10 3
      ipsec ike local name 1 10.1.100.61 ipv4-addr
      ipsec ike nat-traversal 1 on type=2
      ipsec ike pfs 1 on
      ipsec ike message-id-control 1 on
      ipsec ike pre-shared-key 1 text tunnel1-Pre-Shared Key
      ipsec ike remote address 1 52.33.151.55
      ipsec ike remote name 1 52.33.151.55 ipv4-addr
      ipsec ike negotiation receive 1 off
      ipsec auto refresh 1 on
     ipsec tunnel outer df-bit clear
     tunnel backup tunnel 2 switch-interface=on
     ip tunnel tcp mss limit auto
     ipv6 tunnel address fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7e/126
     tunnel enable 1
• Tunnel inner subnet fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7c/126: AWS side fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7d/126, CGW side fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7e/126

45.

2. CUSTOMER GATEWAY CONFIG
• Site-to-Site VPN connection (static route): when the customer gateway configuration is complete, the connection status shows Up, as in the figure.

46.

3. SET UP ROUTE TABLE FOR TRANSIT GATEWAY AND EACH VPC ATTACHMENT
• Transit Gateway route table: configure the IPv6 route to the on-premises network via the Transit Gateway VPN attachment.

47.

3. SET UP ROUTE TABLE FOR TRANSIT GATEWAY AND EACH VPC ATTACHMENT
• VPC route table: a static route to the on-premises network must be added to the VPC route table, because it is not registered automatically.

48.

TRANSIT GATEWAY ATTACHMENT AND ROUTE TABLE
[Diagram] Transit Gateway with attachments A (VPC-A), B (VPC-B) and VPN (on-prem)

TGW route table        Associations          Propagations
Up_till_Down-tgw-rt    VPC-A, VPC-B, VPN     VPC-A, VPC-B, VPN

VPC-A route table
Destination                Target
2600:1f13:964:c100::/56    TGW
2001:db8:1:0:0:0:0:0/64    TGW
2600:1f14:aff:e000::/56    local

VPC-B route table
Destination                Target
2600:1f14:aff:e000::/56    TGW
2001:db8:1:0:0:0:0:0/64    TGW
2600:1f13:964:c100::/56    local

On-prem route table
Destination                Target
::/0                       TGW
2001:db8:1:0:0:0:0:0/64    local
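The route tables on this slide, walked through with a longest-prefix-match lookup so that the path from VPC-A to the on-premises network, and what happens when the static route of step 3 is left out of the VPC route table, can be seen concretely. This is an added example in Python, not part of the slides: the attachment names (attach-VPC-A, attach-VPC-B, attach-VPN) and site labels are assumptions, and the Transit Gateway route table is modelled as the rows the three propagating attachments contribute.

```python
import ipaddress

# Prefixes from the slide
VPC_A = "2600:1f14:aff:e000::/56"
VPC_B = "2600:1f13:964:c100::/56"
ONPREM = "2001:db8:1::/64"

# Route tables as (destination, target); "local" means the prefix is the table's own network.
VPC_A_RT = [(VPC_A, "local"), (VPC_B, "TGW"), (ONPREM, "TGW")]   # ONPREM row is the static route of step 3
VPC_B_RT = [(VPC_B, "local"), (VPC_A, "TGW"), (ONPREM, "TGW")]
ONPREM_RT = [(ONPREM, "local"), ("::/0", "TGW")]                 # customer gateway: default via the tunnel

# TGW route table "Up_till_Down-tgw-rt": the three attachments are associated and propagate
# their prefixes, so these rows appear without manual work. Attachment names are assumptions.
TGW_RT = [(VPC_A, "attach-VPC-A"), (VPC_B, "attach-VPC-B"), (ONPREM, "attach-VPN")]
ATTACHMENT_SITE = {"attach-VPC-A": "VPC-A", "attach-VPC-B": "VPC-B", "attach-VPN": "on-prem"}
SITE_TABLES = {"VPC-A": VPC_A_RT, "VPC-B": VPC_B_RT, "on-prem": ONPREM_RT}


def lookup(table, dst):
    """Longest-prefix match: return the (destination, target) row or None."""
    addr = ipaddress.IPv6Address(dst)
    best, best_len = None, -1
    for prefix, target in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, target), net.prefixlen
    return best


def trace(src_site, dst, site_tables=SITE_TABLES, tgw_table=TGW_RT):
    """Follow a packet from src_site to dst: source table, TGW table, destination table.
    Returns the hops taken, ending in 'delivered' or a reason for the drop."""
    hops = []
    hit = lookup(site_tables[src_site], dst)
    if hit is None:
        return hops + [f"{src_site} route table: no route, dropped"]
    hops.append(f"{src_site} route table: {hit[0]} -> {hit[1]}")
    if hit[1] == "local":
        return hops + ["delivered"]
    hit = lookup(tgw_table, dst)
    if hit is None:
        return hops + ["TGW route table: no route, dropped"]
    hops.append(f"TGW route table: {hit[0]} -> {hit[1]}")
    dst_site = ATTACHMENT_SITE[hit[1]]
    hit = lookup(site_tables[dst_site], dst)
    if hit is None or hit[1] != "local":
        return hops + [f"{dst_site} route table: {dst} is not local, dropped"]
    hops.append(f"{dst_site} route table: {hit[0]} -> local")
    return hops + ["delivered"]


def without_static_route(tables=SITE_TABLES):
    """Slide 47's failure mode: the VPC-A route table with no entry for the on-prem prefix."""
    return {**tables, "VPC-A": [row for row in tables["VPC-A"] if row[0] != ONPREM]}


if __name__ == "__main__":
    for hop in trace("VPC-A", "2001:db8:1::1"):
        print(hop)
    print(trace("VPC-A", "2001:db8:1::1", site_tables=without_static_route()))
```

Note that the TGW learns the on-prem prefix by propagation, so a missing VPC row fails at the very first hop: the VPC never hands the packet to the Transit Gateway at all, which is why step 3 has to be done by hand in each VPC route table.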

49.

AWS AS A WEEKEND HOBBY
• Summary
  • Internet-facing Application Load Balancer
  • Site-to-Site VPN connectivity with AWS Transit Gateway
• Reference
  • IPv6 Reference Architectures for AWS and Hybrid Networks (awsstatic.com)

50.

AWS as a weekend hobby: don't think about the difficulty, let's try to connect easily to an IPv6 network with AWS