aws meetup managed_nat

AWS Managed NAT & VPC Network Troubleshooting: Managing Windows instances in the Cloud

Upload: adam-book

Post on 15-Apr-2017


Page 1: Aws meetup managed_nat

AWS Managed NAT & VPC Network Troubleshooting

Managing Windows instances in the Cloud

Page 2: Aws meetup managed_nat

Sponsors

Page 3: Aws meetup managed_nat

Presented by Adam Book from

Find me on LinkedIn

News Recap 2014

Page 4: Aws meetup managed_nat

NAT vs NAT Gateways Comparison

Availability
  NAT Gateway:  Highly available. NAT Gateways in each Availability Zone are implemented with redundancy. *
  NAT Instance: Use a script to manage failover between instances.

Bandwidth
  NAT Gateway:  Supports bursts of up to 10 Gbps.
  NAT Instance: Instance type and size dependent.

Maintenance
  NAT Gateway:  Managed by AWS.
  NAT Instance: Managed by you: installing software updates, system patches etc.

Performance
  NAT Gateway:  Software is optimized for handling NAT traffic.
  NAT Instance: A generic Amazon Linux AMI that's configured to perform NAT.

Cost
  NAT Gateway:  Charged depending on the number of NAT Gateways you use, duration of use and amount of data sent.
  NAT Instance: Charged depending on the number of NAT instances used, duration of use and size.

Page 5: Aws meetup managed_nat

NAT vs NAT Gateways Comparison

Public IP addresses
  NAT Gateway:  Choose the Elastic IP address to associate with the Gateway during creation.
  NAT Instance: Use an Elastic IP or public IP address with a NAT instance. You can change the IP by associating a new Elastic IP address.

Security Groups
  NAT Gateway:  Cannot be associated with a NAT Gateway; associate them with your resources behind the Gateway.
  NAT Instance: Can be associated with the NAT instance and the instances behind the NAT.

Flow Logs
  NAT Gateway:  Use Flow Logs to capture the traffic.
  NAT Instance: Use Flow Logs to capture the traffic.

Bastion Servers
  NAT Gateway:  Not supported.
  NAT Instance: A generic Amazon Linux AMI that's configured to perform NAT.

Traffic metrics
  NAT Gateway:  Not supported.
  NAT Instance: View CloudWatch Metrics.

Page 6: Aws meetup managed_nat

What about pricing?

Region Name                 Price per Hour ($)   Price per GB data processed ($)
US East (N. Virginia)       0.045                0.045
US West (Oregon)            0.045                0.045
US West (N. California)     0.048                0.048
EU (Ireland)                0.048                0.048
EU (Frankfurt)              0.052                0.059
Asia Pacific (Singapore)    0.059                0.059
Asia Pacific (Tokyo)        0.062                0.062
Asia Pacific (Sydney)       0.059                0.059

* Prices as of 3/21/2016

Page 7: Aws meetup managed_nat

What about pricing?

NAT Gateway vs NAT Instance (t2.small)

Region Name                 NAT Gateway Price per Hour ($)   t2.small Price per Hour ($)
US East (N. Virginia)       0.045                            0.026
US West (Oregon)            0.045                            0.026
US West (N. California)     0.048                            0.034
EU (Ireland)                0.048                            0.028
EU (Frankfurt)              0.052                            0.03
Asia Pacific (Singapore)    0.059                            0.04
Asia Pacific (Tokyo)        0.062                            0.04
Asia Pacific (Sydney)       0.059                            0.04

* Prices as of 3/21/2016

Page 8: Aws meetup managed_nat

Old NAT HA Architecture

Previously, in an old HA NAT architecture, one way of doing it would be to have a NAT instance in each AZ, plus a script on each that checked the heartbeat of the other to monitor its status.

Page 10: Aws meetup managed_nat

Creating the NAT Gateway

If you would like to create your NAT Gateway via the CLI then use the following syntax. First allocate an Elastic IP for the gateway:

$ aws ec2 allocate-address --domain vpc --region us-west-2 --profile myprofile

{
    "PublicIp": "52.54.70.124",
    "Domain": "vpc",
    "AllocationId": "eipalloc-d1e648b5"
}

Then create the gateway in a public subnet, passing the allocation ID:

$ aws ec2 create-nat-gateway --subnet-id subnet-1a2bc34d --allocation-id eipalloc-dl3648b5 --region us-west-2 --profile myprofile

Page 11: Aws meetup managed_nat

Creating the NAT Gateway

$ aws ec2 create-nat-gateway --subnet-id subnet-1a2bc34d --allocation-id eipalloc-dl3648b5 --region us-west-2 --profile myprofile

{
    "NatGateway": {
        "NatGatewayAddresses": [
            {
                "AllocationId": "eipalloc-37fc1a52"
            }
        ],
        "VpcId": "vpc-1122aabb",
        "State": "pending",
        "NatGatewayId": "nat-08d48af2a8e83edfd",
        "SubnetId": "subnet-1a2b3c4d",
        "CreateTime": "2015-12-17T12:45:26.732Z"
    }
}

Note the "State": "pending" in the response; the gateway is not usable until it reaches "available".

Page 12: Aws meetup managed_nat

Creating with CloudFormation

Below is an example of how to create a NAT Gateway with an EIP (elastic IP) and point a route table's default route at it:

"NAT" : {
  "DependsOn" : "VPCGatewayAttach",
  "Type" : "AWS::EC2::NatGateway",
  "Properties" : {
    "AllocationId" : { "Fn::GetAtt" : ["EIP", "AllocationId"] },
    "SubnetId" : { "Ref" : "Subnet" }
  }
},

"EIP" : {
  "Type" : "AWS::EC2::EIP",
  "Properties" : { "Domain" : "vpc" }
},

"Route" : {
  "Type" : "AWS::EC2::Route",
  "Properties" : {
    "RouteTableId" : { "Ref" : "RouteTable" },
    "DestinationCidrBlock" : "0.0.0.0/0",
    "NatGatewayId" : { "Ref" : "NAT" }
  }
}
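As an added example (not code from the talk), the following Python plans the cut-over the next slide demos: it finds route tables whose 0.0.0.0/0 route still points at a NAT instance and replaces that route with the NAT Gateway, but only once the gateway has left the pending state seen in the CLI output. It works on the plain dicts boto3's describe_route_tables / describe_nat_gateways return; the sample data, resource IDs and the boto3 EC2 client passed to apply_plan are assumptions.

```python
"""Plan moving private default routes from a NAT instance to a NAT Gateway.
Added example, not from the talk; it works on the plain dicts that boto3's
describe_route_tables / describe_nat_gateways return (sample data constructed)."""

DEFAULT_ROUTE = "0.0.0.0/0"


def nat_gateway_ready(nat_gateways, nat_gateway_id):
    """True only if the gateway exists and is 'available'; a freshly created
    gateway is 'pending' and must not receive traffic yet."""
    for gw in nat_gateways:
        if gw["NatGatewayId"] == nat_gateway_id:
            return gw["State"] == "available"
    return False


def plan_route_migration(route_tables, nat_gateway_id):
    """Return (route_table_id, current_target) for each 0.0.0.0/0 route that
    still points at an instance or ENI (a NAT instance); others are left alone."""
    plan = []
    for rt in route_tables:
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
                continue
            if route.get("NatGatewayId") == nat_gateway_id:
                continue  # already migrated
            target = route.get("InstanceId") or route.get("NetworkInterfaceId")
            if target:
                plan.append((rt["RouteTableId"], target))
    return plan


def apply_plan(ec2, plan, nat_gateway_id):
    """Replace each planned default route in place via a boto3 EC2 client.
    Kept separate so the planner is testable without AWS credentials."""
    for route_table_id, _old_target in plan:
        ec2.replace_route(RouteTableId=route_table_id,
                          DestinationCidrBlock=DEFAULT_ROUTE,
                          NatGatewayId=nat_gateway_id)


# Constructed sample: one private table still on the NAT instance, one public
# table using an internet gateway, one already moved to the NAT gateway.
SAMPLE_NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "State": "available"}]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-natexample"}]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
```

Call apply_plan only after nat_gateway_ready returns True; switching a default route to a gateway that is still pending blackholes the private subnet until it becomes available.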

Page 13: Aws meetup managed_nat

Migrating to A NAT Gateway Demo Time

Photo courtesy of Stephen Radford via http://snap.io

Page 14: Aws meetup managed_nat

Have you ever dealt with: "My private instance can't reach the internet"?

Image by http://www.gratisography.com/

Page 15: Aws meetup managed_nat

First Steps

Check to make sure your routing tables are intact for your private routes.

Page 16: Aws meetup managed_nat

Tips if you're using a NAT Instance

By default the Amazon Linux instance does not have telnet installed. It does however have NetCat, which can provide instant troubleshooting abilities:

$ nc 10.0.0.22 22 &> /dev/null; echo $?

Will output 0 if port 22 is open, and 1 if it's closed.

Page 17: Aws meetup managed_nat

Tips if you're using a NAT Instance

Other ways of using NetCat

Try using netcat to open a listener on a port, and then connect to it from your other instance using telnet:

$ nc -l 80

Page 18: Aws meetup managed_nat

Tips if you're using a NAT Instance

See if you can reach the outside world

Try using nslookup to see if you can get out and get a response for a known DNS name:

$ nslookup google.com
Server:     10.0.0.2
Address:    10.0.0.2#53

Non-authoritative answer:
Name:       google.com
Address:    216.58.193.78

Page 19: Aws meetup managed_nat

Tips if you're using a NAT Instance

Make sure that the source/dest check is set to FALSE on the NAT instance (the check drops packets whose source or destination is not the instance itself, which is exactly the traffic a NAT forwards).

Page 20: Aws meetup managed_nat

VPC Flow Logs include:

1) Information about allowed and denied traffic (based on security group and ACL rules)

2) Source and destination addresses

3) Ports, protocol number

4) Packet and byte counts
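As an added example (not from the talk), here is a small Python parser for the default flow log record format, which carries exactly the fields listed above; it counts REJECTed flows per source address and, optionally, per destination port, and skips NODATA/SKIPDATA records whose traffic fields are "-". The log lines, account ID and ENI ID below are constructed.

```python
"""Parse VPC Flow Log records (version 2 default format) and summarise denied
traffic per source. Added example, not from the talk; the sample records,
account ID and ENI ID below are constructed placeholders."""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}


def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA records,
    whose traffic fields are '-' and carry nothing to analyse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def rejected_by_source(lines, dstport=None):
    """Count REJECTed flows per source address, optionally for one destination
    port (e.g. 22, to spot SSH probing that a security group or NACL blocked)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        if dstport is not None and rec["dstport"] != dstport:
            continue
        counts[rec["srcaddr"]] += 1
    return counts


# Constructed sample records: one accepted SSH flow from inside the VPC, three
# rejected probes from one external source, one rejected HTTP flow, one NODATA.
SAMPLE_LOG = """\
2 111122223333 eni-0example 10.0.1.15 10.0.2.22 49152 22 6 12 2048 1458600000 1458600060 ACCEPT OK
2 111122223333 eni-0example 203.0.113.9 10.0.2.22 51000 22 6 1 60 1458600000 1458600060 REJECT OK
2 111122223333 eni-0example 203.0.113.9 10.0.2.22 51001 22 6 1 60 1458600000 1458600060 REJECT OK
2 111122223333 eni-0example 203.0.113.9 10.0.2.22 51002 3389 6 1 60 1458600000 1458600060 REJECT OK
2 111122223333 eni-0example 198.51.100.7 10.0.2.22 40000 80 6 3 180 1458600000 1458600060 REJECT OK
2 111122223333 eni-0example - - - - - - - 1458600000 1458600060 - NODATA
""".splitlines()
```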

Page 22: Aws meetup managed_nat

Turning on VPC Flow Logs

For more info http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

First Step: Create a Role that can publish to CloudWatch Logs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Page 23: Aws meetup managed_nat

Turning on VPC Flow Logs

From the AWS Console:

1) Go to CloudWatch

2) Choose Logs

3) Go to Actions

4) Create Log Group

Page 25: Aws meetup managed_nat

Turning on VPC Flow Logs

Page 26: Aws meetup managed_nat

VPC FlowLog Limitations

• You cannot enable flow logs for network interfaces that are in the EC2-Classic platform.

• You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.

• You cannot tag a flow log.

• After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log.

• If your network interface has multiple IP addresses and traffic is sent to a secondary private IP address, the flow log displays the primary IP address in the destination IP address field.

Page 27: Aws meetup managed_nat

Questions?

Image by http://www.gratisography.com/