
AWS CLIカンファレンス2016 講演2 見せます!aws directconnect ~カンペ



説明

以下スライドの2で行う、directconnect接続の実演に使用するカンニングペーパーです。

http://www.slideshare.net/TomoakiHira/let-us-make-clear-the-aws-directconnect


実演


環境確認 (DirectConnect利用者側アカウント)


VPCの確認


コマンド

# List the VPCs visible to the DirectConnect user account (read-only call).
aws ec2 describe-vpcs



レスポンス

{

"Vpcs": [
{
"VpcId": "vpc-9968****",
"InstanceTenancy": "default",
"State": "available",
"DhcpOptionsId": "dopt-622a****",
"CidrBlock": "172.31.0.0/16",
"IsDefault": true
}
]
}


サブネットの確認


コマンド

# List the subnets of those VPCs (read-only call).
aws ec2 describe-subnets



レスポンス

{

"Subnets": [
{
"VpcId": "vpc-9968****",
"CidrBlock": "172.31.0.0/20",
"MapPublicIpOnLaunch": true,
"DefaultForAz": true,
"State": "available",
"AvailabilityZone": "ap-northeast-1c",
"SubnetId": "subnet-b509****",
"AvailableIpAddressCount": 4091
},
{
"VpcId": "vpc-9968****",
"CidrBlock": "172.31.16.0/20",
"MapPublicIpOnLaunch": true,
"DefaultForAz": true,
"State": "available",
"AvailabilityZone": "ap-northeast-1a",
"SubnetId": "subnet-4aeb****",
"AvailableIpAddressCount": 4090
}
]
}


VPNゲートウェイ(仮想ゲートウェイ)の確認


コマンド

# List the VPN (virtual private) gateways; the VpnGatewayId shown here is the
# one the virtual interface is later confirmed against (read-only call).
aws ec2 describe-vpn-gateways



レスポンス

{

"VpnGateways": [
{
"State": "available",
"Tags": [
{
"Value": "test",
"Key": "Name"
}
],
"Type": "ipsec.1",
"VpnGatewayId": "vgw-abbd****",
"VpcAttachments": [
{
"State": "attached",
"VpcId": "vpc-9968****"
}
]
}
]
}


ルートテーブルの確認


コマンド

# Show the route tables before route propagation is enabled; note the empty
# PropagatingVgws list in the response (read-only call).
aws ec2 describe-route-tables



レスポンス

{

"RouteTables": [
{
"Associations": [
{
"RouteTableAssociationId": "rtbassoc-02bf****",
"Main": true,
"RouteTableId": "rtb-4998****"
}
],
"RouteTableId": "rtb-4998****",
"VpcId": "vpc-9968****",
"PropagatingVgws": [],
"Tags": [],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "172.31.0.0/16",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "igw-aa9b****",
"DestinationCidrBlock": "0.0.0.0/0",
"State": "active",
"Origin": "CreateRoute"
}
]
}
]
}


コネクションの確認 (DirectConnect管理者側アカウント)


コマンド

# Run from the DirectConnect owner (admin) account: list the physical
# connections from which a virtual interface will be allocated (read-only call).
aws directconnect describe-connections



レスポンス

{

"connections": [
{
"ownerAccount": "1790********",
"connectionId": "dxcon-********",
"connectionState": "available",
"bandwidth": "10Gbps",
"location": "EqTY2",
"connectionName": "********",
"region": "ap-northeast-1"
},
{
"ownerAccount": "1790********",
"connectionId": "dxcon-********",
"connectionState": "available",
"bandwidth": "10Gbps",
"location": "EqTY2",
"connectionName": "********",
"region": "ap-northeast-1"
}
]
}


ユーザアカウントにVirtualInterfaceを割当(DirectConnect管理者側アカウント)


コマンド

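# Parameters for the private virtual interface that the DirectConnect owner
# (admin) account allocates to the consuming account ACCOUNTID.
CONNECTION='dxcon-********'

VIFNAME='NWG-HIRA-BK'
ACCOUNTID='5651********'
VLANID='511'
# Link-local /30 used for the BGP peering: customer router side / Amazon side.
ROUTERIP='169.254.15.213/30'
AMAZONIP='169.254.15.214/30'
BGPASN='65000'
# BGP MD5 authentication key. This is a shared secret: allow it to be supplied
# from the environment so the real value need not live in this file, and keep
# it out of screen output below (the API response echoes it back as authKey
# and inside customerRouterConfig regardless).
BGPMD5=${BGPMD5:-'fr3gUCLDLS6MQsVLVBw9zgdt'}

cat <<ETX

CONNECTION: $CONNECTION
VIFNAME : $VIFNAME
ACCOUNTID : $ACCOUNTID
VLANID : $VLANID
ROUTERIP : $ROUTERIP
AMAZONIP : $AMAZONIP
BGPASN : $BGPASN
BGPMD5 : (set, ${#BGPMD5} chars, not displayed)

ETX

# Every expansion is quoted; the shorthand structure is passed as one word so
# the comma-separated key=value list reaches the CLI intact.
# NOTE(review): authKey travels on the command line (visible in shell history
# and process listings); --cli-input-json from a file would avoid that.
aws directconnect allocate-private-virtual-interface \
  --connection-id "$CONNECTION" \
  --owner-account "$ACCOUNTID" \
  --new-private-virtual-interface-allocation \
    "virtualInterfaceName=$VIFNAME,vlan=$VLANID,asn=$BGPASN,authKey=$BGPMD5,amazonAddress=$AMAZONIP,customerAddress=$ROUTERIP"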



レスポンス

{

"virtualInterfaceState": "confirming",
"asn": 65000,
"vlan": 511,
"customerAddress": "169.254.15.213/30",
"ownerAccount": "5651********",
"connectionId": "dxcon-********",
"virtualInterfaceId": "dxvif-********",
"authKey": "fr3gUCLDLS6MQsVLVBw9zgdt",
"routeFilterPrefixes": [],
"location": "EqTY2",
"customerRouterConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<logical_connection id=\"dxvif-********\">\n <vlan>511</vlan>\n <customer_address>169.254.15.213/30</customer_address>\n <amazon_address>169.254.15.214/30</amazon_address>\n <bgp_asn>65000</bgp_asn>\n <bgp_auth_key>fr3gUCLDLS6MQsVLVBw9zgdt</bgp_auth_key>\n <amazon_bgp_asn>10124</amazon_bgp_asn>\n <connection_type>private</connection_type>\n</logical_connection>\n",
"amazonAddress": "169.254.15.214/30",
"virtualInterfaceType": "private",
"virtualInterfaceName": "NWG-HIRA-BK"
}


VirtualInterfaceのConfirm (DirectConnectユーザ側アカウント)


コマンド

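# Run from the DirectConnect user account: look up the VPN gateway to attach
# to and the virtual interface awaiting confirmation.
# NOTE(review): both lookups take element [0]; with more than one gateway or
# virtual interface that pick is arbitrary — select by id/name outside a demo.
# jq -r prints the raw string (no quotes to strip); '// empty' turns a missing
# field into an empty string so the guard below can catch it.
VGWID=$(aws ec2 describe-vpn-gateways \
  | jq -r '.VpnGateways[0].VpnGatewayId // empty')

VIFID=$(aws directconnect describe-virtual-interfaces \
  | jq -r '.virtualInterfaces[0].virtualInterfaceId // empty')

# Abort before the API call if either lookup returned nothing.
: "${VGWID:?no VPN gateway found}" "${VIFID:?no virtual interface found}"

cat <<ETX

VGWID: $VGWID
VIFID: $VIFID

ETX

aws directconnect confirm-private-virtual-interface \
  --virtual-interface-id "$VIFID" \
  --virtual-gateway-id "$VGWID"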



レスポンス

{

"virtualInterfaceState": "pending"
}


追加確認コマンド

# Poll every 10 s until virtualInterfaceState moves from "pending" to "available".
watch -n 10 "aws directconnect describe-virtual-interfaces"



レスポンス

{

"virtualInterfaces": [
{
"virtualInterfaceState": "available",
"asn": 65000,
"vlan": 511,
"customerAddress": "169.254.15.213/30",
"ownerAccount": "5651********",
"connectionId": "dxcon-********",
"virtualGatewayId": "vgw-abbd****",
"virtualInterfaceId": "dxvif-********",
"routeFilterPrefixes": [],
"location": "EqTY2",
"amazonAddress": "169.254.15.214/30",
"virtualInterfaceType": "private",
"virtualInterfaceName": "NWG-HIRA-BK"
}
]
}


その他の設定/確認 (DirectConnectユーザ側アカウント)


セキュリティグループにてDataCenterNetworkからの着信接続が許可されているか確認


コマンド

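# Inspect the inbound rule expected to admit the data-center network.
# The indexes [2] and [1] are positions in this account's listing, not stable
# identifiers; re-check them (or filter with jq select) before relying on them.
# The filter is single-quoted so the brackets are not treated as shell globs.
# The rule shown in the response uses IpProtocol "-1" (all protocols and
# ports) for 172.30.100.0/24 — consider narrowing it to the ports actually
# needed across the DirectConnect link.
aws ec2 describe-security-groups | jq '.SecurityGroups[2].IpPermissions[1]'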



レスポンス

{

"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "172.30.100.0/24"
}
],
"UserIdGroupPairs": [],
"PrefixListIds": []
}


ルートテーブルにてRoutePropagateを有効化


コマンド

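# Enable propagation of routes learned over the VPN gateway into the route
# table, so the data-center prefix appears without a static route.
# NOTE(review): element [0] is an arbitrary pick when several route tables or
# gateways exist — select by id/tag outside a demo.
RTID=$(aws ec2 describe-route-tables \
  | jq -r '.RouteTables[0].RouteTableId // empty')

VGWID=$(aws ec2 describe-vpn-gateways \
  | jq -r '.VpnGateways[0].VpnGatewayId // empty')

# Abort before the API call if either lookup returned nothing.
: "${RTID:?no route table found}" "${VGWID:?no VPN gateway found}"

cat <<ETX

RTID : $RTID
VGWID: $VGWID

ETX

aws ec2 enable-vgw-route-propagation \
  --route-table-id "$RTID" \
  --gateway-id "$VGWID"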



レスポンス

なし



追加確認コマンド

# Re-read the route tables: PropagatingVgws should now list the gateway and a
# route with Origin "EnableVgwRoutePropagation" should have appeared.
aws ec2 describe-route-tables



レスポンス

{

"RouteTables": [
{
"Associations": [
{
"RouteTableAssociationId": "rtbassoc-02bf****",
"Main": true,
"RouteTableId": "rtb-4998****"
}
],
"RouteTableId": "rtb-4998****",
"VpcId": "vpc-9968****",
"PropagatingVgws": [
{
"GatewayId": "vgw-abbd****"
}
],
"Tags": [],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "172.31.0.0/16",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "igw-aa9b****",
"DestinationCidrBlock": "0.0.0.0/0",
"State": "active",
"Origin": "CreateRoute"
},
{
"GatewayId": "vgw-abbd****",
"DestinationCidrBlock": "172.30.100.0/24",
"State": "active",
"Origin": "EnableVgwRoutePropagation"
}
]
}
]
}


VirtualInterfaceの削除 (DirectConnectユーザ側アカウント)


コマンド

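# Tear down the virtual interface. Deletion is irreversible, so the id is
# checked before the call is made.
# NOTE(review): element [0] is an arbitrary pick when several virtual
# interfaces exist — select by virtualInterfaceName or id outside a demo.
VIFID=$(aws directconnect describe-virtual-interfaces \
  | jq -r '.virtualInterfaces[0].virtualInterfaceId // empty')

# Refuse to run the delete with an empty id.
: "${VIFID:?no virtual interface found}"

cat <<ETX

VIFID: $VIFID

ETX

aws directconnect delete-virtual-interface --virtual-interface-id "$VIFID"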



レスポンス

{

"virtualInterfaceState": "deleting"
}


追加確認コマンド

# Confirm the teardown: virtualInterfaceState should read "deleted".
aws directconnect describe-virtual-interfaces



レスポンス

{

"virtualInterfaces": [
{
"virtualInterfaceState": "deleted",
"asn": 65000,
"vlan": 511,
"customerAddress": "169.254.15.213/30",
"ownerAccount": "5651********",
"connectionId": "dxcon-********",
"virtualGatewayId": "vgw-abbd****",
"virtualInterfaceId": "dxvif-********",
"routeFilterPrefixes": [],
"location": "EqTY2",
"amazonAddress": "169.254.15.214/30",
"virtualInterfaceType": "private",
"virtualInterfaceName": "NWG-HIRA-BK"
}
]
}