Lab - Networking on AWS and Azure
Lab 1: Basic Networking on AWS and Azure
AWS CLI Steps:
Create a VPC:
```bash
aws ec2 create-vpc --cidr-block 10.0.0.0/16
```
Create a subnet (repeat for each subnet/Availability Zone you need):
```bash
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24
```
Create an internet gateway:
```bash
aws ec2 create-internet-gateway
```
Attach the internet gateway to the VPC:
```bash
aws ec2 attach-internet-gateway --vpc-id <vpc-id> --internet-gateway-id <internet-gateway-id>
```
Create a route table and add a default route to the internet gateway:
```bash
aws ec2 create-route-table --vpc-id <vpc-id>
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0 --gateway-id <internet-gateway-id>
```
The new route table has no effect until it is associated with a subnet (`aws ec2 associate-route-table` with the route table and subnet IDs); until then the subnet keeps using the VPC's main route table. Any subnet associated with a table that routes 0.0.0.0/0 to the internet gateway is a public subnet. Put instances that do not need to be reached from the Internet in a subnet whose route table has no such route, and give them outbound access through a NAT gateway instead.
Azure CLI Steps:
Create a VNet:
```bash
az network vnet create --name <vnet-name> --resource-group <resource-group-name> --address-prefixes 10.0.0.0/16
```
Create subnets:
```bash
az network vnet subnet create --name <subnet-name> --vnet-name <vnet-name> --resource-group <resource-group-name> --address-prefixes 10.0.1.0/24
```
Create a network security group (NSG):
```bash
az network nsg create --name <nsg-name> --resource-group <resource-group-name>
```
Associate the NSG with the subnet:
```bash
az network vnet subnet update --name <subnet-name> --vnet-name <vnet-name> --resource-group <resource-group-name> --network-security-group <nsg-name>
```
A new NSG contains only the default rules: traffic from inside the VNet and from the Azure load balancer is allowed, all other inbound traffic is denied, and all outbound traffic is allowed. Nothing from the Internet reaches the subnet until you add an explicit Allow rule (see Lab 6), so add rules only for the ports the workload actually serves.
Create a virtual network gateway (for VPN or ExpressRoute connectivity) if needed. The VNet must already contain a subnet named `GatewaySubnet` (a /27 or larger is recommended) and the public IP address must exist beforehand (`az network public-ip create`):
```bash
az network vnet-gateway create --name <gateway-name> --resource-group <resource-group-name> --vnet <vnet-name> --public-ip-address <public-ip-name> --gateway-type <gateway-type> --sku <sku-type>
```
Lab 2: High Availability and Load Balancing
Topology Example:
```text
+-------------------+
|     Internet      |
+-------------------+
          |
+-------------------+
|   Load Balancer   |
+-------------------+
          |
+-------------------+
|    Web Servers    |
+-------------------+
```
AWS CLI Steps:
Create an application load balancer. An ALB needs at least two subnets in different Availability Zones, and the security group attached to it should admit only the listener ports (80/443):
```bash
aws elbv2 create-load-balancer --name <load-balancer-name> --subnets <subnet-id-1> <subnet-id-2> --security-groups <security-group-ids>
```
Create a target group and register the web servers (targets are given as `Id=<instance-id>` pairs):
```bash
aws elbv2 create-target-group --name <target-group-name> --protocol HTTP --port 80 --vpc-id <vpc-id>
aws elbv2 register-targets --target-group-arn <target-group-arn> --targets Id=<instance-id-1> Id=<instance-id-2>
```
The load balancer forwards nothing until a listener is attached to it (`aws elbv2 create-listener`) whose default action forwards to the target group; terminate TLS there with a certificate from ACM rather than exposing plain HTTP. Restrict the web servers' own security group so that port 80 is allowed only from the load balancer's security group, not from 0.0.0.0/0, so traffic cannot bypass the load balancer and its health checks.
Azure CLI Steps:
Create a load balancer (use the Standard SKU; add `--public-ip-address` for a public frontend, or `--vnet-name`/`--subnet` for an internal one):
```bash
az network lb create --name <lb-name> --resource-group <resource-group-name> --frontend-ip-name <frontend-ip-name> --backend-pool-name <backend-pool-name> --sku <lb-sku>
```
Create the health probe first, then the load balancing rule that references it; a rule without a probe keeps sending traffic to unhealthy backends:
```bash
az network lb probe create --name <probe-name> --resource-group <resource-group-name> --lb-name <lb-name> --protocol TCP --port <port> --interval <interval> --threshold <threshold>
az network lb rule create --name <rule-name> --resource-group <resource-group-name> --lb-name <lb-name> --protocol TCP --frontend-port <frontend-port> --backend-port <backend-port> --frontend-ip-name <frontend-ip-name> --backend-pool-name <backend-pool-name> --probe-name <probe-name>
```
Add the VMs' NICs to the backend pool (`az network nic ip-config address-pool add`). A Standard load balancer is closed by default: traffic only reaches the backend VMs if an NSG on their subnet or NIC allows the backend port (Labs 1 and 6 show the NSG commands). Allow that port alone; do not open management ports to the Internet through the same NSG.
Lab 3: Hybrid Cloud Networking
Topology Example:
```text
+--------------------------+
|   On-Premises Network    |
+--------------------------+
             |
+--------------------------+
| VPN/ExpressRoute Gateway |
+--------------------------+
             |
+--------------------------+
|     VPN/ExpressRoute     |
|        Connection        |
+--------------------------+
             |
+--------------------------+
|         VPC/VNet         |
+--------------------------+
```
AWS CLI Steps:
Create a customer gateway that represents the on-premises VPN device (its public IP address and BGP ASN). For AWS Direct Connect a Direct Connect gateway is created instead (`aws directconnect create-direct-connect-gateway`), which is not covered here:
```bash
aws ec2 create-customer-gateway --bgp-asn <bgp-asn> --public-ip <ip-address> --type ipsec.1
```
Create a virtual private gateway and attach it to the VPC (the VPC is chosen at attach time; `create-vpn-gateway` takes no VPC ID):
```bash
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpc-id <vpc-id> --vpn-gateway-id <vpn-gateway-id>
```
Create the Site-to-Site VPN connection between the customer gateway and the virtual private gateway. Static routing is selected through `--options` (there is no separate `--static-routes-only` flag):
```bash
aws ec2 create-vpn-connection --customer-gateway-id <customer-gateway-id> --vpn-gateway-id <vpn-gateway-id> --type ipsec.1 --options StaticRoutesOnly=true
```
With static routing, add the on-premises prefixes to the connection (`aws ec2 create-vpn-connection-route`) and route them to the virtual private gateway in the VPC route tables (or enable route propagation on those tables). `aws ec2 describe-vpn-connections` returns the customer gateway configuration, including the outside IP addresses and pre-shared keys of the two AWS tunnel endpoints; treat that output as a secret and configure both tunnels on the device for redundancy.
Azure CLI Steps:
Create a virtual network gateway of type Vpn (use `--gateway-type ExpressRoute` for ExpressRoute instead). The VNet must contain a `GatewaySubnet` and the public IP must already exist:
```bash
az network vnet-gateway create --name <gateway-name> --resource-group <resource-group-name> --vnet <vnet-name> --public-ip-address <public-ip-name> --gateway-type Vpn --sku <sku-type>
```
Describe the on-premises device with a local network gateway (`az network local-gateway create` with the device's public IP as `--gateway-ip-address` and the on-premises prefixes as `--local-address-prefixes`), then create the connection between the two gateways with the shared key:
```bash
az network vpn-connection create --name <connection-name> --resource-group <resource-group-name> --vnet-gateway1 <gateway-name> --local-gateway2 <local-gateway-name> --shared-key <shared-key>
```
The shared key is the IPsec pre-shared key: generate a long random value, configure the same value on the device, and pass it in from a secret store or environment variable rather than typing it into a shell whose history is kept. `--remote-vnet` is a VNet peering option and is not accepted by `vpn-connection create`.
Lab 4: Multi-Region Networking
Topology Example:
```text
+-------------------+      +-------------------+
|     Region 1      |      |     Region 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Subnet 1      |      |     Subnet 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Instances     |      |     Instances     |
+-------------------+      +-------------------+
```
AWS CLI Steps:
Create a VPC in each region. VPC peering requires non-overlapping address spaces, so the second VPC must use a different CIDR (10.1.0.0/16 here):
```bash
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --region <region-1>
aws ec2 create-vpc --cidr-block 10.1.0.0/16 --region <region-2>
```
Create subnets in each region (the second region's subnets come from 10.1.0.0/16):
```bash
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24 --availability-zone <availability-zone> --region <region-name>
```
Request VPC peering between the two VPCs; for a cross-region peering the requester names the peer's region:
```bash
aws ec2 create-vpc-peering-connection --vpc-id <vpc-id> --peer-vpc-id <peer-vpc-id> --peer-region <region-2> --region <region-1>
```
The peering stays pending until it is accepted from the peer side (`aws ec2 accept-vpc-peering-connection` in the second region). Traffic then flows only after both VPCs' route tables have a route for the other VPC's CIDR pointing at the peering connection, and the security groups allow it; peering is not transitive, so a third VPC peered to one of them does not reach the other.
Azure CLI Steps:
Create a VNet in each region, each with its own address space (10.0.0.0/16 in the first region, 10.1.0.0/16 in the second); peering between overlapping address spaces is refused:
```bash
az network vnet create --name <vnet-name> --resource-group <resource-group-name> --address-prefixes 10.0.0.0/16 --location <region-name>
```
Create subnets in each VNet:
```bash
az network vnet subnet create --name <subnet-name> --vnet-name <vnet-name> --resource-group <resource-group-name> --address-prefixes 10.0.1.0/24
```
Establish peering between the two VNets. A peering is created once from each side (run the command twice with `--vnet-name` and `--remote-vnet` swapped); across regions this is global VNet peering, and `--remote-vnet` takes the remote VNet's resource ID:
```bash
az network vnet peering create --name <peering-name> --resource-group <resource-group-name> --vnet-name <vnet-name> --remote-vnet <remote-vnet-id> --allow-vnet-access
```
Peering is not transitive, and the NSGs of both VNets still apply to peered traffic: add explicit allow rules for the peer's prefixes rather than for all of 10.0.0.0/8.
Lab 5: Inter-Cloud Networking
Topology Example:
```text
+-------------------+      +-------------------+
|      AWS VPC      |      |    Azure VNet     |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Subnet 1      |      |     Subnet 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Instances     |      |     Instances     |
+-------------------+      +-------------------+
```
AWS CLI Steps:
Create a VPC in AWS:
```bash
aws ec2 create-vpc --cidr-block 10.0.0.0/16
```
Create subnets in the VPC:
```bash
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24
```
Create a virtual private gateway and attach it to the VPC:
```bash
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpc-id <vpc-id> --vpn-gateway-id <vpn-gateway-id>
```
Create a customer gateway that represents the Azure VPN gateway: its public IP address and its BGP ASN (Azure VPN gateways default to 65515; an ASN is required even when the connection uses static routing):
```bash
aws ec2 create-customer-gateway --bgp-asn <bgp-asn> --public-ip <azure-gateway-public-ip> --type ipsec.1
```
Create the VPN connection between the customer gateway and the virtual private gateway:
```bash
aws ec2 create-vpn-connection --customer-gateway-id <customer-gateway-id> --vpn-gateway-id <vpn-gateway-id> --type ipsec.1 --options StaticRoutesOnly=true
```
The two address spaces must not overlap, so the Azure VNet needs a range other than 10.0.0.0/16. Add the VNet prefix as a static route on the connection (`aws ec2 create-vpn-connection-route`) and route it to the virtual private gateway in the VPC route tables. `aws ec2 describe-vpn-connections` returns the outside IP addresses and pre-shared keys of the two AWS tunnel endpoints; the Azure side is configured from these values, so handle the output as a secret.
Azure CLI Steps:
Create a VNet in Azure with an address space that does not overlap the AWS VPC (10.1.0.0/16 here, since the VPC uses 10.0.0.0/16):
```bash
az network vnet create --name <vnet-name> --resource-group <resource-group-name> --address-prefixes 10.1.0.0/16
```
Create subnets in the VNet (a subnet named `GatewaySubnet` is also required for the gateway):
```bash
az network vnet subnet create --name <subnet-name> --vnet-name <vnet-name> --resource-group <resource-group-name> --address-prefixes 10.1.1.0/24
```
Create a route-based VPN virtual network gateway; AWS Site-to-Site VPN tunnels are route-based, and a policy-based Azure gateway will not interoperate with them:
```bash
az network vnet-gateway create --name <gateway-name> --resource-group <resource-group-name> --vnet <vnet-name> --public-ip-address <public-ip-name> --gateway-type Vpn --vpn-type RouteBased --sku <sku-type>
```
Create a local network gateway for the AWS side (`az network local-gateway create` with the outside IP of one AWS tunnel endpoint as `--gateway-ip-address` and the VPC CIDR as `--local-address-prefixes`), then create the connection, using that tunnel's pre-shared key as the shared key:
```bash
az network vpn-connection create --name <connection-name> --resource-group <resource-group-name> --vnet-gateway1 <gateway-name> --local-gateway2 <local-gateway-name> --shared-key <shared-key>
```
AWS provides two tunnel endpoints per VPN connection; create a second local network gateway and connection for the other tunnel if you want redundancy. `--remote-vnet` is a VNet peering option and is not accepted here.
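Labs 3 to 5 all join address spaces that must not overlap (peering is refused and VPN routing is ambiguous otherwise), and as written Labs 4 and 5 give both sides 10.0.0.0/16. The following is an added example, not part of the original lab, that checks an address plan offline before any CLI call is made. The site names and ranges are constructed to mirror the labs; the corrected plan gives each site its own /16.

```python
"""Check the address plan for a set of connected networks (peered VPCs/VNets,
VPN-joined sites, transit attachments): ranges must not overlap, and subnets
must sit inside their parent range without overlapping each other."""
import ipaddress
from itertools import combinations

# Constructed plan that mirrors Labs 4 and 5 as written: every cloud side uses 10.0.0.0/16.
LAB_PLAN = {
    "aws-vpc-region1": ["10.0.0.0/16"],
    "aws-vpc-region2": ["10.0.0.0/16"],
    "azure-vnet": ["10.0.0.0/16"],
    "on-premises": ["192.168.0.0/16"],
}

# Corrected plan: every site owns a distinct /16, so peering and VPN routes are unambiguous.
FIXED_PLAN = {
    "aws-vpc-region1": ["10.0.0.0/16"],
    "aws-vpc-region2": ["10.1.0.0/16"],
    "azure-vnet": ["10.2.0.0/16"],
    "on-premises": ["192.168.0.0/16"],
}


def find_overlaps(plan):
    """Return sorted (site_a, cidr_a, site_b, cidr_b) tuples for every pair of
    ranges belonging to different sites that overlap. ip_network() is strict,
    so a range with host bits set (e.g. 10.0.1.5/24) raises ValueError."""
    ranges = [(site, ipaddress.ip_network(c)) for site, cidrs in plan.items() for c in cidrs]
    overlaps = []
    for (site_a, net_a), (site_b, net_b) in combinations(ranges, 2):
        if site_a != site_b and net_a.version == net_b.version and net_a.overlaps(net_b):
            overlaps.append((site_a, str(net_a), site_b, str(net_b)))
    return sorted(overlaps)


def subnet_errors(parent_cidr, subnet_cidrs):
    """Return human-readable errors for subnets that lie outside the parent range
    or overlap each other (the cloud APIs reject both, but only at create time)."""
    parent = ipaddress.ip_network(parent_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    errors = [f"{s} is not inside {parent}" for s in subnets if not s.subnet_of(parent)]
    errors += [f"{a} overlaps {b}" for a, b in combinations(subnets, 2) if a.overlaps(b)]
    return errors


if __name__ == "__main__":
    for name, plan in (("lab plan", LAB_PLAN), ("fixed plan", FIXED_PLAN)):
        print(name, "->", find_overlaps(plan) or "no overlaps")
    print(subnet_errors("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]) or "subnets ok")
```

Run it against the plan you intend to build before creating any VPC, VNet or gateway; fixing a CIDR afterwards means recreating the network, since neither cloud lets you shrink or renumber a range that subnets already use.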
Lab 6: Security and Compliance
Topology Example:
```text
+-------------------+      +-------------------+
|      AWS VPC      |      |    Azure VNet     |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Subnet 1      |      |     Subnet 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Instances     |      |     Instances     |
+-------------------+      +-------------------+
```
AWS CLI Steps:
Create security groups and add inbound rules (the source is given with `--cidr`; there is no `--source` option):
```bash
aws ec2 create-security-group --group-name <group-name> --description <description> --vpc-id <vpc-id>
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol <protocol> --port <port> --cidr <source-cidr>
```
Security groups are stateful allow-lists: there are no deny rules, and anything not explicitly allowed is dropped. Use `--source-group <other-group-id>` in place of `--cidr` to admit traffic only from members of another security group (for example web servers to the database tier) instead of from an address range. Keep administrative ports (22, 3389) off 0.0.0.0/0 and reach instances through a bastion or Systems Manager Session Manager. Outbound traffic is fully allowed by default; tighten it with `revoke-security-group-egress` and `authorize-security-group-egress` where the workload's destinations are known.
Azure CLI Steps:
Create network security groups (NSGs) and add rules. `--priority` is required, and `--access` selects Allow or Deny:
```bash
az network nsg create --name <nsg-name> --resource-group <resource-group-name>
az network nsg rule create --name <rule-name> --resource-group <resource-group-name> --nsg-name <nsg-name> --priority <100-4096> --direction <Inbound|Outbound> --access <Allow|Deny> --protocol <protocol> --source-address-prefixes <source-ip> --destination-port-ranges <port-range>
```
Unlike AWS security groups, NSG rules are ordered: they are evaluated from the lowest priority number upwards and the first match decides, so an explicit Deny at a lower number protects a port even if a later Allow is broad. The default rules allow traffic within the VNet and from the Azure load balancer and deny everything else inbound, so the Allow rules you add define the exposed surface. An NSG takes effect only once it is associated with a subnet (Lab 1) or a NIC.
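As an added example (not from the lab), the audit below normalizes the JSON that `aws ec2 describe-security-groups` and `az network nsg rule list` return and reports administrative ports reachable from any source. The sample JSON is constructed and the group and NSG names are made up; the Azure evaluation honours rule priority, so a lower-numbered Deny protects a port even when a later Allow is wide open, which is the behaviour described above.

```python
"""Audit AWS security groups and Azure NSG rules for administrative ports
reachable from any source. Input is the JSON the CLIs return
(`aws ec2 describe-security-groups` / `az network nsg rule list`)."""
import json

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
# Source specifications that mean "anyone on the Internet".
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet"}

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE_AWS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0a1b2c3d4e5f67890", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    "Ipv6Ranges": [], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0f9e8d7c6b5a43210", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f67890"}]},
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
    "UserIdGroupPairs": []}]}]}""")

# Constructed sample in the shape of `az network nsg rule list -o json` (default rules omitted).
SAMPLE_NSG_RULES = json.loads("""[
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [], "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "deny-rdp-internet", "priority": 110, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
  "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [], "destinationPortRange": "3389", "destinationPortRanges": []},
 {"name": "allow-rdp-any", "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "3389", "destinationPortRanges": []},
 {"name": "allow-ssh-any", "priority": 130, "direction": "Inbound", "access": "Allow", "protocol": "*",
  "sourceAddressPrefix": "", "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"], "destinationPortRange": "", "destinationPortRanges": ["22", "2222-2299"]}]""")


def _port_ranges(spec):
    """Expand Azure port strings ('*', '22', '1000-2000') into (low, high) tuples."""
    out = []
    for s in spec:
        if s == "*":
            out.append((0, 65535))
        elif "-" in s:
            lo, hi = s.split("-")
            out.append((int(lo), int(hi)))
        else:
            out.append((int(s), int(s)))
    return out


def aws_world_open_ports(describe_output):
    """Security groups are unordered allow-lists, so any permission that admits an
    ANY_SOURCE range on an admin port is a finding. Protocol -1 means all ports."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not sources & ANY_SOURCE:
                continue  # only group-to-group or private-range sources
            if perm["IpProtocol"] == "-1":
                lo, hi = 0, 65535
            elif perm["IpProtocol"] == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue  # UDP/ICMP are outside the TCP admin ports checked here
            findings += [(sg["GroupId"], p, name) for p, name in ADMIN_PORTS.items() if lo <= p <= hi]
    return sorted(findings)


def azure_world_open_ports(nsg_name, rules):
    """NSG rules are evaluated by ascending priority and the first match decides, so a
    Deny at a lower number protects a port even if a later Allow is wide open. Rules
    whose source does not cover the Internet cannot decide for an Internet client and
    are skipped; no match at all falls through to the default DenyAllInBound rule."""
    findings = []
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    for port, name in ADMIN_PORTS.items():
        for rule in inbound:
            sources = set(rule["sourceAddressPrefixes"]) | {rule["sourceAddressPrefix"]}
            ports = _port_ranges(rule["destinationPortRanges"] or [rule["destinationPortRange"]])
            proto_ok = rule["protocol"].lower() in ("tcp", "*")
            if proto_ok and sources & ANY_SOURCE and any(lo <= port <= hi for lo, hi in ports):
                if rule["access"] == "Allow":
                    findings.append((nsg_name, port, name))
                break  # first matching rule decides, whether Allow or Deny
    return sorted(findings)


if __name__ == "__main__":
    print("AWS:", aws_world_open_ports(SAMPLE_AWS))
    print("Azure:", azure_world_open_ports("nsg-web", SAMPLE_NSG_RULES))
```

In the sample, the AWS `web` group exposes SSH to the world, while the `db` group is clean because its MySQL rule admits only members of the web group. On the Azure side RDP is reported safe despite the `allow-rdp-any` rule, because `deny-rdp-internet` at priority 110 matches first; SSH is reported because rule 130 lists 0.0.0.0/0 among its sources.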
Replace the placeholders (e.g., `<vpc-id>`, `<subnet-name>`, `<region-name>`) with the values from your own environment. These steps and commands are a general guideline; consult the official AWS and Azure documentation for the full option set and for variations specific to your requirements and configuration.
Lab 7: Transit Gateway on AWS
Topology Example:
```text
+-------------------+      +-------------------+
|       VPC 1       |      |       VPC 2       |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Subnet 1      |      |     Subnet 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Instances     |      |     Instances     |
+-------------------+      +-------------------+
          \                          /
           \                        /
            \                      /
             +--------------------+
             |  Transit Gateway   |
             +--------------------+
                       |
             +--------------------+
             |       VPC 3        |
             +--------------------+
                       |
             +--------------------+
             |      Subnet 3      |
             +--------------------+
                       |
             +--------------------+
             |     Instances      |
             +--------------------+
```
AWS CLI Steps:
Create three VPCs (VPC 1, VPC 2, VPC 3) with non-overlapping CIDRs and a subnet in each VPC (an attachment uses one subnet per Availability Zone).
Create a transit gateway. Disabling the default route table association and propagation means a new attachment can reach nothing until you associate it with a route table deliberately, which is the basis for segmenting traffic between VPCs:
```bash
aws ec2 create-transit-gateway --description <description> --options DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable
```
Attach the VPCs to the transit gateway:
```bash
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <transit-gateway-id> --vpc-id <vpc-id> --subnet-ids <subnet-ids> --options <options>
```
Create route tables in the transit gateway and populate them. Each attachment is associated with exactly one table (`aws ec2 associate-transit-gateway-route-table`), which is the table its traffic is looked up in. Routes enter a table either by propagation from an attachment (`aws ec2 enable-transit-gateway-route-table-propagation`) or as static routes like the one below; pass `--blackhole` instead of an attachment ID to drop a prefix:
```bash
aws ec2 create-transit-gateway-route-table --transit-gateway-id <transit-gateway-id> --tag-specifications <tag-specifications>
aws ec2 create-transit-gateway-route --transit-gateway-route-table-id <transit-gateway-route-table-id> --destination-cidr-block <destination-cidr-block> --transit-gateway-attachment-id <transit-gateway-attachment-id>
```
Update the VPC route tables to send traffic for the other VPCs to the transit gateway:
```bash
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <destination-cidr-block> --transit-gateway-id <transit-gateway-id>
```
Transit gateway route tables control reachability between attachments; the security groups and network ACLs inside each VPC still decide which flows are allowed.
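Added example, not part of the original lab: a small model of transit gateway route tables that shows why disabling the default association and propagation matters. The attachment IDs and CIDRs are constructed; the lookup rules (one associated table per attachment, longest prefix match, blackhole routes) are those the transit gateway applies. The flat layout is what the defaults produce; the segmented layout lets VPC 1 and VPC 2 reach only the shared VPC 3 and not each other.

```python
"""Model transit gateway routing to check segmentation before building it.
An attachment's traffic is looked up in the route table it is associated with;
the table's routes (static or propagated from other attachments) choose the
destination attachment, or a blackhole, by longest prefix match."""
import ipaddress

# Constructed example for Lab 7: three VPC attachments and their CIDRs.
ATTACHMENTS = {
    "tgw-attach-vpc1-prod": "10.1.0.0/16",
    "tgw-attach-vpc2-dev": "10.2.0.0/16",
    "tgw-attach-vpc3-shared": "10.3.0.0/16",
}


def propagate(table, attachments):
    """What enabling propagation does: add each attachment's CIDR as a route to it."""
    for att in attachments:
        table[ATTACHMENTS[att]] = att
    return table


# Default behaviour (DefaultRouteTableAssociation/Propagation=enable): one table,
# every attachment associated with it and propagated into it, so all VPCs reach all.
FLAT_TABLES = {"default": propagate({}, ATTACHMENTS)}
FLAT_ASSOC = {att: "default" for att in ATTACHMENTS}

# Segmented design: prod and dev share a table that only knows the shared VPC;
# shared has a table that knows both spokes (return traffic needs a route too).
# A more specific blackhole route drops spoke traffic to one sensitive shared subnet.
SEG_TABLES = {
    "spokes": propagate({"10.3.250.0/24": "blackhole"}, ["tgw-attach-vpc3-shared"]),
    "shared": propagate({}, ["tgw-attach-vpc1-prod", "tgw-attach-vpc2-dev"]),
}
SEG_ASSOC = {
    "tgw-attach-vpc1-prod": "spokes",
    "tgw-attach-vpc2-dev": "spokes",
    "tgw-attach-vpc3-shared": "shared",
}


def next_hop(src_attachment, dst_ip, tables, associations):
    """Longest-prefix lookup of dst_ip in the table associated with src_attachment.
    Returns the target attachment ID, 'blackhole', or None (no route: dropped)."""
    table = tables[associations[src_attachment]]
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def reachability(tables, associations):
    """For every ordered pair of attachments: can a host in src reach a host in dst?"""
    result = {}
    for src in ATTACHMENTS:
        for dst, cidr in ATTACHMENTS.items():
            if src != dst:
                probe = str(ipaddress.ip_network(cidr)[10])  # an arbitrary host in dst
                result[(src, dst)] = next_hop(src, probe, tables, associations) == dst
    return result


if __name__ == "__main__":
    for label, tables, assoc in (("flat", FLAT_TABLES, FLAT_ASSOC), ("segmented", SEG_TABLES, SEG_ASSOC)):
        for (src, dst), ok in sorted(reachability(tables, assoc).items()):
            print(f"{label:9} {src} -> {dst}: {'reachable' if ok else 'blocked'}")
    print("prod -> 10.3.250.5:", next_hop("tgw-attach-vpc1-prod", "10.3.250.5", SEG_TABLES, SEG_ASSOC))
```

The model only answers "is there a route"; it says nothing about security groups or NACLs, which still filter inside each VPC. It is also a reminder that segmentation is symmetric work: the `shared` table needs routes back to both spokes, or replies are dropped with a NoRoute count on the gateway.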
Lab 8: Virtual WAN on Azure
Topology Example:
```text
+-------------------+      +-------------------+
|      VNet 1       |      |      VNet 2       |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Subnet 1      |      |     Subnet 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Instances     |      |     Instances     |
+-------------------+      +-------------------+
          \                          /
           \                        /
            \                      /
             +--------------------+
             |    Virtual WAN     |
             +--------------------+
                       |
             +--------------------+
             |       VNet 3       |
             +--------------------+
                       |
             +--------------------+
             |      Subnet 3      |
             +--------------------+
                       |
             +--------------------+
             |     Instances      |
             +--------------------+
```
Azure CLI Steps:
Create three VNets (VNet 1, VNet 2, VNet 3) with non-overlapping address spaces and a subnet in each VNet.
Create a Virtual WAN, then a hub inside it. The hub needs its own address space that does not overlap any connected VNet, and the WAN must exist first (`az network vwan create --name <vwan-name> --resource-group <resource-group-name> --location <location>`):
```bash
az network vhub create --name <vhub-name> --resource-group <resource-group-name> --location <location> --vwan <vwan-name> --address-prefix <hub-cidr>
```
VPN sites describe on-premises branch devices, not VNets, so none are needed for the VNet-to-VNet topology above. If a branch is to join the hub as well, register it (and connect it through a VPN gateway deployed in the hub):
```bash
az network vpn-site create --name <site-name> --resource-group <resource-group-name> --location <location> --virtual-wan <vwan-name> --ip-address <device-public-ip> --address-prefixes <branch-cidr>
```
Connect each VNet to the hub (repeat for VNet 3):
```bash
az network vhub connection create --name <connection1-name> --resource-group <resource-group-name> --vhub-name <vhub-name> --remote-vnet <vnet1-name>
az network vhub connection create --name <connection2-name> --resource-group <resource-group-name> --vhub-name <vhub-name> --remote-vnet <vnet2-name>
```
Routing between connected VNets is handled by the hub: each connection propagates its VNet's prefixes into the hub's default route table, and the hub programs the resulting routes into the connected VNets, so no user-defined routes are required (Azure route tables have no `VirtualHub` next-hop type). To keep some VNets from reaching others, create custom hub route tables (`az network vhub route-table`) and associate and propagate connections to them selectively. As with a transit gateway, hub routing decides what is reachable; the NSGs on the subnets still decide what is allowed.
Lab 9: Network Monitoring on AWS
Topology Example:
```text
+-------------------+
|        VPC        |
+-------------------+
          |
+-------------------+
|      Subnet       |
+-------------------+
          |
+-------------------+
|   EC2 Instances   |
+-------------------+
```
AWS Services:
- Enable VPC Flow Logs to capture network traffic (`aws ec2 create-flow-logs`, scoped to the VPC, a subnet or a single network interface):
  - Choose the traffic type to record (ACCEPT, REJECT or ALL). REJECT records are the cheapest signal for scans and for security group or NACL misconfiguration; ALL is needed to see what was actually allowed.
  - Deliver the records to an Amazon S3 bucket or to Amazon CloudWatch Logs; the CloudWatch Logs destination needs an IAM role the flow logs service can assume to write to the log group.
- Set up CloudWatch Metrics and Alarms for network monitoring:
  - EC2 already publishes NetworkIn, NetworkOut, NetworkPacketsIn and NetworkPacketsOut per instance; add custom metrics (for example a metric filter on the flow log group that counts REJECT records) for what the built-in metrics do not cover.
  - Configure CloudWatch Alarms on those metrics to notify (for example via SNS) or trigger automated actions when predefined thresholds are crossed.
Lab 10: Network Monitoring on Azure
Topology Example:
```text
+-------------------+
|       VNet        |
+-------------------+
          |
+-------------------+
|      Subnet       |
+-------------------+
          |
+-------------------+
|   VM Instances    |
+-------------------+
```
Azure Services:
- Enable Network Watcher, which is turned on per region and subscription rather than per VNet, for the region that hosts the VNet:
  - Use IP Flow Verify to test whether a given flow to or from a VM is allowed or denied; it names the NSG rule responsible, which is the quickest way to confirm a rule change did what you intended.
  - Use Connection Monitor to track reachability and latency between VMs, and to external endpoints, over time.
- Configure Traffic Analytics to gain insights into network traffic patterns:
  - Enable NSG flow logs for the NSGs attached to the subnet (they are written to a storage account) and turn on Traffic Analytics, which aggregates them into a Log Analytics workspace.
  - Analyze traffic flow, identify top talkers and ports hit from the Internet, and detect anomalies using the Traffic Analytics dashboards and Log Analytics queries.
- Utilize Azure Monitor for network monitoring:
  - Configure diagnostic settings on VMs, load balancers, gateways and other network resources to send their logs and metrics to Log Analytics.
  - Set up alerts on predefined conditions so that performance or availability problems are noticed before users report them.
Lab 11: Network Monitoring for Transit Gateway on AWS
Topology Example:
```text
+-------------------+      +-------------------+
|       VPC 1       |      |       VPC 2       |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Subnet 1      |      |     Subnet 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|   EC2 Instances   |      |   EC2 Instances   |
+-------------------+      +-------------------+
          \                          /
           \                        /
            \                      /
             +--------------------+
             |  Transit Gateway   |
             +--------------------+
                       |
             +--------------------+
             |       VPC 3        |
             +--------------------+
                       |
             +--------------------+
             |      Subnet 3      |
             +--------------------+
                       |
             +--------------------+
             |   EC2 Instances    |
             +--------------------+
```
AWS Services:
- Enable flow logs for the traffic crossing the transit gateway:
  - Enable VPC Flow Logs on the attached VPCs or their subnets, and Transit Gateway Flow Logs on the transit gateway itself (the same `create-flow-logs` call with the transit gateway or an attachment as the resource), which record traffic as it moves between attachments.
  - Configure the flow log destination to an Amazon S3 bucket or Amazon CloudWatch Logs.
- Set up CloudWatch Metrics and Alarms for transit gateway monitoring:
  - Transit Gateway publishes BytesIn/BytesOut and PacketsIn/PacketsOut per gateway and per attachment, plus PacketDropCountBlackhole and PacketDropCountNoRoute; the drop counters show traffic hitting blackhole routes or having no route, which is what a segment trying to reach one it should not looks like.
  - Configure CloudWatch Alarms on these metrics to trigger notifications or automated actions based on predefined thresholds.
- Use Amazon CloudWatch Logs Insights to analyze the flow logs:
  - Query and aggregate the records in CloudWatch Logs Insights by source, destination, port and action.
  - Identify patterns, anomalies and potential routing or security group problems in the traffic crossing the transit gateway.
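The following added example (not from the labs) parses VPC Flow Log records in the default version 2 format and implements two of the detections Labs 9 and 11 describe only in prose: accepted connections from outside the VPC to administrative ports, and a single source whose rejected attempts fan out across many destination ports. The records are constructed, with documentation-range addresses standing in for Internet hosts, and the account, interface and timestamp values are made up.

```python
"""Parse VPC Flow Log records in the default (version 2) format and flag two
patterns: accepted connections from outside the VPC to administrative ports, and
sources whose rejected attempts fan out across many destination ports, which is
what a port scan looks like in flow logs."""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
TCP = 6
# Ranges treated as internal; everything else counts as external. An explicit list
# (rather than ipaddress.is_global) keeps documentation ranges such as 203.0.113.0/24,
# which the sample uses as stand-ins for Internet hosts, on the external side.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed sample records (not captured traffic); account, ENI and epoch values are arbitrary.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.12 51522 22 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.9 10.0.1.12 40212 22 6 20 3100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.12 44001 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.12 44002 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.12 44003 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.12 44004 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.12 44005 5900 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.12 203.0.113.50 50344 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(text):
    """Turn default-format records into dicts. NODATA/SKIPDATA records carry no
    traffic fields and are dropped, as are lines with an unexpected field count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_external(addr):
    """True when the address is outside every range in INTERNAL."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL)


def admin_accepts_from_outside(records):
    """Accepted TCP flows to an admin port whose source is outside the internal ranges."""
    hits = {(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == TCP
            and r["dstport"] in ADMIN_PORTS and is_external(r["srcaddr"])}
    return sorted(hits)


def rejected_port_fanout(records, min_ports=5):
    """Sources with REJECT records to at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports_by_src[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(f"{len(recs)} records")
    print("admin ports accepted from outside:", admin_accepts_from_outside(recs))
    print("rejected port fan-out:", rejected_port_fanout(recs))
```

The same fan-out check as a CloudWatch Logs Insights query over a flow log group is `filter action = "REJECT" | stats count_distinct(dstPort) as ports by srcAddr | filter ports >= 5`; the script is the offline equivalent for records pulled from S3 or for testing a rule before it is turned into an alarm. Note that the accepted SSH connection from 203.0.113.7 is itself a finding about the security group, not only about the traffic.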
Lab 12: Network Monitoring for Transit Network on Azure
Topology Example (the transit element on Azure is the Virtual WAN hub from Lab 8, or a hub VNet with peered spokes; Azure has no "transit gateway" resource):
```text
+-------------------+      +-------------------+
|      VNet 1       |      |      VNet 2       |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|     Subnet 1      |      |     Subnet 2      |
+-------------------+      +-------------------+
          |                          |
+-------------------+      +-------------------+
|   VM Instances    |      |   VM Instances    |
+-------------------+      +-------------------+
          \                          /
           \                        /
            \                      /
             +--------------------+
             |  Virtual WAN Hub   |
             +--------------------+
                       |
             +--------------------+
             |       VNet 3       |
             +--------------------+
                       |
             +--------------------+
             |      Subnet 3      |
             +--------------------+
                       |
             +--------------------+
             |    VM Instances    |
             +--------------------+
```
Azure Services:
- Enable Traffic Analytics for the transit traffic:
  - Enable NSG flow logs on the NSGs of the spoke subnets and turn on Traffic Analytics for them; the hub itself carries no NSGs, so the spokes are where cross-VNet traffic is recorded.
  - Analyze traffic flow, identify top talkers, and detect anomalies using Traffic Analytics logs and dashboards.
- Utilize Azure Monitor for hub monitoring:
  - Configure diagnostic settings on the hub's VPN or ExpressRoute gateways and the Virtual WAN resources to collect their logs and metrics into Log Analytics.
  - Set up alerts on tunnel bandwidth, packet drops and BGP peer status to proactively monitor performance and availability.
- Use Azure Network Watcher for troubleshooting and diagnostics:
  - Use IP Flow Verify to test whether NSG rules allow a flow between resources within and across VNets via the hub.
  - Use Connection Monitor to monitor and troubleshoot connections between VMs across VNets, and check a spoke NIC's effective routes (`az network nic show-effective-route-table`) to confirm which prefixes the hub actually propagated.