AWS CLIカンファレンス2016 講演2 見せます!aws directconnect ~カンペ


説明

以下スライドの2で行う、directconnect接続の実演に使用するカンニングペーパーです。
http://www.slideshare.net/TomoakiHira/let-us-make-clear-the-aws-directconnect

実演

環境確認 (DirectConnect利用者側アカウント)

VPCの確認

コマンド
# VPC in the Direct Connect user account. Its VpcId is the one referenced by
# the subnets, the virtual gateway attachment and the route table below.
aws ec2 describe-vpcs
レスポンス
{
    "Vpcs": [
        {
            "VpcId": "vpc-9968****",
            "InstanceTenancy": "default",
            "State": "available",
            "DhcpOptionsId": "dopt-622a****",
            "CidrBlock": "172.31.0.0/16",
            "IsDefault": true
        }
    ]
}

サブネットの確認

コマンド
# Subnets of that VPC (in this demo: two default subnets in different AZs).
aws ec2 describe-subnets
レスポンス
{
    "Subnets": [
        {
            "VpcId": "vpc-9968****",
            "CidrBlock": "172.31.0.0/20",
            "MapPublicIpOnLaunch": true,
            "DefaultForAz": true,
            "State": "available",
            "AvailabilityZone": "ap-northeast-1c",
            "SubnetId": "subnet-b509****",
            "AvailableIpAddressCount": 4091
        },
        {
            "VpcId": "vpc-9968****",
            "CidrBlock": "172.31.16.0/20",
            "MapPublicIpOnLaunch": true,
            "DefaultForAz": true,
            "State": "available",
            "AvailabilityZone": "ap-northeast-1a",
            "SubnetId": "subnet-4aeb****",
            "AvailableIpAddressCount": 4090
        }
    ]
}

VPNゲートウェイ(仮想ゲートウェイ)の確認

コマンド
# Virtual (VPN) gateway; VpcAttachments shows it is attached to the VPC above.
# Its VpnGatewayId is what the VIF confirm step later passes as --virtual-gateway-id.
aws ec2 describe-vpn-gateways
レスポンス
{
    "VpnGateways": [
        {
            "State": "available",
            "Tags": [
                {
                    "Value": "test",
                    "Key": "Name"
                }
            ],
            "Type": "ipsec.1",
            "VpnGatewayId": "vgw-abbd****",
            "VpcAttachments": [
                {
                    "State": "attached",
                    "VpcId": "vpc-9968****"
                }
            ]
        }
    ]
}

ルートテーブルの確認

コマンド
# Route table before the demo: PropagatingVgws is still empty, so no routes
# learned via the virtual gateway are present yet.
aws ec2 describe-route-tables
レスポンス
{
    "RouteTables": [
        {
            "Associations": [
                {
                    "RouteTableAssociationId": "rtbassoc-02bf****",
                    "Main": true,
                    "RouteTableId": "rtb-4998****"
                }
            ],
            "RouteTableId": "rtb-4998****",
            "VpcId": "vpc-9968****",
            "PropagatingVgws": [],
            "Tags": [],
            "Routes": [
                {
                    "GatewayId": "local",
                    "DestinationCidrBlock": "172.31.0.0/16",
                    "State": "active",
                    "Origin": "CreateRouteTable"
                },
                {
                    "GatewayId": "igw-aa9b****",
                    "DestinationCidrBlock": "0.0.0.0/0",
                    "State": "active",
                    "Origin": "CreateRoute"
                }
            ]
        }
    ]
}

コネクションの確認 (DirectConnect管理者側アカウント)

コマンド
# Admin-account view of the physical Direct Connect connections. The
# connectionId is what the allocate step below passes as --connection-id.
aws directconnect describe-connections
レスポンス
{
    "connections": [
        {
            "ownerAccount": "1790********",
            "connectionId": "dxcon-********",
            "connectionState": "available",
            "bandwidth": "10Gbps",
            "location": "EqTY2",
            "connectionName": "********",
            "region": "ap-northeast-1"
        },
        {
            "ownerAccount": "1790********",
            "connectionId": "dxcon-********",
            "connectionState": "available",
            "bandwidth": "10Gbps",
            "location": "EqTY2",
            "connectionName": "********",
            "region": "ap-northeast-1"
        }
    ]
}

ユーザアカウントにVirtualInterfaceを割当(DirectConnect管理者側アカウント)

コマンド
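# Parameters of the private VIF allocated from the admin account to the user
# account. Each default is the demo value; exporting the variable beforehand
# overrides it, so the BGP key in particular does not have to live in this file.
CONNECTION=${CONNECTION:-'dxcon-********'}    # admin-owned Direct Connect connection
VIFNAME=${VIFNAME:-'NWG-HIRA-BK'}
ACCOUNTID=${ACCOUNTID:-'5651********'}        # user account that will own the VIF
VLANID=${VLANID:-'511'}
ROUTERIP=${ROUTERIP:-'169.254.15.213/30'}     # customer (router) address of the /30
AMAZONIP=${AMAZONIP:-'169.254.15.214/30'}     # Amazon address of the /30
BGPASN=${BGPASN:-'65000'}                     # customer-side BGP ASN
BGPMD5=${BGPMD5:-'fr3gUCLDLS6MQsVLVBw9zgdt'}   # BGP MD5 auth key (shared secret)

# Show the parameters for the audience. The auth key is deliberately not
# printed on screen; only its length is shown so an empty value is still visible.
cat <<ETX

    CONNECTION: $CONNECTION
    VIFNAME   : $VIFNAME
    ACCOUNTID : $ACCOUNTID
    VLANID    : $VLANID
    ROUTERIP  : $ROUTERIP
    AMAZONIP  : $AMAZONIP
    BGPASN    : $BGPASN
    BGPMD5    : (not shown, ${#BGPMD5} chars)

ETX

# All expansions are quoted so a value containing spaces or shell
# metacharacters cannot split the allocation spec. Note that the API response
# echoes authKey in clear text, both as a field and inside
# customerRouterConfig, so avoid pasting the response into logs or slides.
aws directconnect allocate-private-virtual-interface \
  --connection-id "$CONNECTION" \
  --owner-account "$ACCOUNTID" \
  --new-private-virtual-interface-allocation \
  "virtualInterfaceName=$VIFNAME,vlan=$VLANID,asn=$BGPASN,authKey=$BGPMD5,amazonAddress=$AMAZONIP,customerAddress=$ROUTERIP"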
レスポンス
{
    "virtualInterfaceState": "confirming",
    "asn": 65000,
    "vlan": 511,
    "customerAddress": "169.254.15.213/30",
    "ownerAccount": "5651********",
    "connectionId": "dxcon-********",
    "virtualInterfaceId": "dxvif-********",
    "authKey": "fr3gUCLDLS6MQsVLVBw9zgdt",
    "routeFilterPrefixes": [],
    "location": "EqTY2",
    "customerRouterConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<logical_connection id=\"dxvif-********\">\n  <vlan>511</vlan>\n  <customer_address>169.254.15.213/30</customer_address>\n  <amazon_address>169.254.15.214/30</amazon_address>\n  <bgp_asn>65000</bgp_asn>\n  <bgp_auth_key>fr3gUCLDLS6MQsVLVBw9zgdt</bgp_auth_key>\n  <amazon_bgp_asn>10124</amazon_bgp_asn>\n  <connection_type>private</connection_type>\n</logical_connection>\n",
    "amazonAddress": "169.254.15.214/30",
    "virtualInterfaceType": "private",
    "virtualInterfaceName": "NWG-HIRA-BK"
}

VirtualInterfaceのConfirm (DirectConnectユーザ側アカウント)

コマンド
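# Virtual gateway of the user account (the first one listed; adjust the index
# if the account has several) and the VIF that is waiting for confirmation,
# i.e. the one in state "confirming" returned by the allocate step.
# jq -r emits the bare string and `// empty` turns a missing value into "",
# so no tr is needed and the :? guards below can catch a failed lookup.
VGWID=$(aws ec2 describe-vpn-gateways \
  | jq -r '.VpnGateways[0].VpnGatewayId // empty')
VIFID=$(aws directconnect describe-virtual-interfaces \
  | jq -r '[.virtualInterfaces[] | select(.virtualInterfaceState == "confirming")][0].virtualInterfaceId // empty')

# Stop here rather than calling confirm with an empty argument.
: "${VGWID:?no virtual gateway found in this account}"
: "${VIFID:?no virtual interface in state confirming}"

cat <<ETX

    VGWID: $VGWID
    VIFID: $VIFID

ETX

# Accepts the VIF into this account and binds it to the virtual gateway;
# the response state is "pending" until the interface comes up.
aws directconnect confirm-private-virtual-interface \
  --virtual-interface-id "$VIFID" \
  --virtual-gateway-id "$VGWID"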
レスポンス
{
    "virtualInterfaceState": "pending"
}
追加確認コマンド
# Poll every 10 s until virtualInterfaceState moves from "pending" to "available".
watch -n 10 "aws directconnect describe-virtual-interfaces"
レスポンス
{
    "virtualInterfaces": [
        {
            "virtualInterfaceState": "available",
            "asn": 65000,
            "vlan": 511,
            "customerAddress": "169.254.15.213/30",
            "ownerAccount": "5651********",
            "connectionId": "dxcon-********",
            "virtualGatewayId": "vgw-abbd****",
            "virtualInterfaceId": "dxvif-********",
            "routeFilterPrefixes": [],
            "location": "EqTY2",
            "amazonAddress": "169.254.15.214/30",
            "virtualInterfaceType": "private",
            "virtualInterfaceName": "NWG-HIRA-BK"
        }
    ]
}

その他の設定/確認 (DirectConnectユーザ側アカウント)

セキュリティグループにてDataCenterNetworkからの着信接続が許可されているか確認

コマンド
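# Data-center prefix that must be allowed inbound (the same prefix the virtual
# gateway later propagates into the route table). Override via the environment.
DCNET=${DCNET:-'172.30.100.0/24'}

# Print every inbound rule whose IpRanges include DCNET, with the owning
# GroupId, instead of relying on the positional index
# .SecurityGroups[2].IpPermissions[1], which only holds for one account.
# IpProtocol "-1" in the output means every protocol and port is open to that
# prefix; narrow it to the required ports where the workload allows.
aws ec2 describe-security-groups \
  | jq --arg net "$DCNET" '.SecurityGroups[]
      | {GroupId, rule: (.IpPermissions[] | select(any(.IpRanges[]?; .CidrIp == $net)))}'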
レスポンス
{
  "IpProtocol": "-1",
  "IpRanges": [
    {
      "CidrIp": "172.30.100.0/24"
    }
  ],
  "UserIdGroupPairs": [],
  "PrefixListIds": []
}

ルートテーブルにてRoutePropagateを有効化

コマンド
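# Route table that should receive the propagated routes: the VPC's main table
# (Main == true in Associations) rather than whichever table is listed first.
# jq -r emits the bare string and `// empty` turns a missing value into "".
RTID=$(aws ec2 describe-route-tables \
  | jq -r '[.RouteTables[] | select(any(.Associations[]?; .Main == true))][0].RouteTableId // empty')
VGWID=$(aws ec2 describe-vpn-gateways \
  | jq -r '.VpnGateways[0].VpnGatewayId // empty')

# Stop here rather than calling the API with an empty argument.
: "${RTID:?no main route table found}"
: "${VGWID:?no virtual gateway found in this account}"

cat <<ETX

    RTID : $RTID
    VGWID: $VGWID

ETX

# Lets the virtual gateway inject the prefixes it learns (e.g. the data-center
# network) into the route table. The command prints nothing on success; the
# follow-up describe-route-tables shows the new route with
# Origin "EnableVgwRoutePropagation".
aws ec2 enable-vgw-route-propagation --route-table-id "$RTID" --gateway-id "$VGWID"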
レスポンス
なし
追加確認コマンド
# After enabling propagation, PropagatingVgws lists the virtual gateway and a
# route for the data-center prefix appears with Origin "EnableVgwRoutePropagation".
aws ec2 describe-route-tables
レスポンス
{
    "RouteTables": [
        {
            "Associations": [
                {
                    "RouteTableAssociationId": "rtbassoc-02bf****",
                    "Main": true,
                    "RouteTableId": "rtb-4998****"
                }
            ],
            "RouteTableId": "rtb-4998****",
            "VpcId": "vpc-9968****",
            "PropagatingVgws": [
                {
                    "GatewayId": "vgw-abbd****"
                }
            ],
            "Tags": [],
            "Routes": [
                {
                    "GatewayId": "local",
                    "DestinationCidrBlock": "172.31.0.0/16",
                    "State": "active",
                    "Origin": "CreateRouteTable"
                },
                {
                    "GatewayId": "igw-aa9b****",
                    "DestinationCidrBlock": "0.0.0.0/0",
                    "State": "active",
                    "Origin": "CreateRoute"
                },
                {
                    "GatewayId": "vgw-abbd****",
                    "DestinationCidrBlock": "172.30.100.0/24",
                    "State": "active",
                    "Origin": "EnableVgwRoutePropagation"
                }
            ]
        }
    ]
}

VirtualInterfaceの削除 (DirectConnectユーザ側アカウント)

コマンド
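# Name given to the VIF at allocation time; override via the environment.
VIFNAME=${VIFNAME:-'NWG-HIRA-BK'}

# Resolve the VIF by name rather than by position: delete is irreversible,
# describe-virtual-interfaces may list more than one interface, and an
# already-deleted VIF is still listed with state "deleted", so it is skipped.
VIFID=$(aws directconnect describe-virtual-interfaces \
  | jq -r --arg name "$VIFNAME" \
      '[.virtualInterfaces[]
        | select(.virtualInterfaceName == $name and .virtualInterfaceState != "deleted")][0].virtualInterfaceId // empty')

# Stop here rather than calling delete with an empty argument.
: "${VIFID:?no active virtual interface named $VIFNAME}"

cat <<ETX

    VIFID: $VIFID

ETX

# Response state is "deleting"; the interface is then listed as "deleted".
aws directconnect delete-virtual-interface --virtual-interface-id "$VIFID"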
レスポンス
{
    "virtualInterfaceState": "deleting"
}
追加確認コマンド
# The deleted VIF is still listed, now with virtualInterfaceState "deleted".
aws directconnect describe-virtual-interfaces
レスポンス
{
    "virtualInterfaces": [
        {
            "virtualInterfaceState": "deleted",
            "asn": 65000,
            "vlan": 511,
            "customerAddress": "169.254.15.213/30",
            "ownerAccount": "5651********",
            "connectionId": "dxcon-********",
            "virtualGatewayId": "vgw-abbd****",
            "virtualInterfaceId": "dxvif-********",
            "routeFilterPrefixes": [],
            "location": "EqTY2",
            "amazonAddress": "169.254.15.214/30",
            "virtualInterfaceType": "private",
            "virtualInterfaceName": "NWG-HIRA-BK"
        }
    ]
}