説明
以下スライドの2で行う、directconnect接続の実演に使用するカンニングペーパーです。
http://www.slideshare.net/TomoakiHira/let-us-make-clear-the-aws-directconnect
実演
環境確認 (DirectConnect利用者側アカウント)
VPCの確認
コマンド
aws ec2 describe-vpcs
レスポンス
{
"Vpcs": [
{
"VpcId": "vpc-9968****",
"InstanceTenancy": "default",
"State": "available",
"DhcpOptionsId": "dopt-622a****",
"CidrBlock": "172.31.0.0/16",
"IsDefault": true
}
]
}
サブネットの確認
コマンド
aws ec2 describe-subnets
レスポンス
{
"Subnets": [
{
"VpcId": "vpc-9968****",
"CidrBlock": "172.31.0.0/20",
"MapPublicIpOnLaunch": true,
"DefaultForAz": true,
"State": "available",
"AvailabilityZone": "ap-northeast-1c",
"SubnetId": "subnet-b509****",
"AvailableIpAddressCount": 4091
},
{
"VpcId": "vpc-9968****",
"CidrBlock": "172.31.16.0/20",
"MapPublicIpOnLaunch": true,
"DefaultForAz": true,
"State": "available",
"AvailabilityZone": "ap-northeast-1a",
"SubnetId": "subnet-4aeb****",
"AvailableIpAddressCount": 4090
}
]
}
VPNゲートウェイ(仮想ゲートウェイ)の確認
コマンド
aws ec2 describe-vpn-gateways
レスポンス
{
"VpnGateways": [
{
"State": "available",
"Tags": [
{
"Value": "test",
"Key": "Name"
}
],
"Type": "ipsec.1",
"VpnGatewayId": "vgw-abbd****",
"VpcAttachments": [
{
"State": "attached",
"VpcId": "vpc-9968****"
}
]
}
]
}
ルートテーブルの確認
コマンド
aws ec2 describe-route-tables
レスポンス
{
"RouteTables": [
{
"Associations": [
{
"RouteTableAssociationId": "rtbassoc-02bf****",
"Main": true,
"RouteTableId": "rtb-4998****"
}
],
"RouteTableId": "rtb-4998****",
"VpcId": "vpc-9968****",
"PropagatingVgws": [],
"Tags": [],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "172.31.0.0/16",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "igw-aa9b****",
"DestinationCidrBlock": "0.0.0.0/0",
"State": "active",
"Origin": "CreateRoute"
}
]
}
]
}
コネクションの確認 (DirectConnect管理者側アカウント)
コマンド
aws directconnect describe-connections
レスポンス
{
"connections": [
{
"ownerAccount": "1790********",
"connectionId": "dxcon-********",
"connectionState": "available",
"bandwidth": "10Gbps",
"location": "EqTY2",
"connectionName": "********",
"region": "ap-northeast-1"
},
{
"ownerAccount": "1790********",
"connectionId": "dxcon-********",
"connectionState": "available",
"bandwidth": "10Gbps",
"location": "EqTY2",
"connectionName": "********",
"region": "ap-northeast-1"
}
]
}
ユーザアカウントにVirtualInterfaceを割当(DirectConnect管理者側アカウント)
コマンド
CONNECTION='dxcon-********'
VIFNAME='NWG-HIRA-BK'
ACCOUNTID='5651********'
VLANID='511'
ROUTERIP='169.254.15.213/30'
AMAZONIP='169.254.15.214/30'
BGPASN='65000'
BGPMD5='fr3gUCLDLS6MQsVLVBw9zgdt'
cat <<ETX
CONNECTION: $CONNECTION
VIFNAME : $VIFNAME
ACCOUNTID : $ACCOUNTID
VLANID : $VLANID
ROUTERIP : $ROUTERIP
AMAZONIP : $AMAZONIP
BGPASN : $BGPASN
BGPMD5 : $BGPMD5
ETX
aws directconnect allocate-private-virtual-interface --connection-id $CONNECTION --owner-account $ACCOUNTID --new-private-virtual-interface-allocation virtualInterfaceName=$VIFNAME,vlan=$VLANID,asn=$BGPASN,authKey=$BGPMD5,amazonAddress=$AMAZONIP,customerAddress=$ROUTERIP
レスポンス
{
"virtualInterfaceState": "confirming",
"asn": 65000,
"vlan": 511,
"customerAddress": "169.254.15.213/30",
"ownerAccount": "5651********",
"connectionId": "dxcon-********",
"virtualInterfaceId": "dxvif-********",
"authKey": "fr3gUCLDLS6MQsVLVBw9zgdt",
"routeFilterPrefixes": [],
"location": "EqTY2",
"customerRouterConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<logical_connection id=\"dxvif-********\">\n <vlan>511</vlan>\n <customer_address>169.254.15.213/30</customer_address>\n <amazon_address>169.254.15.214/30</amazon_address>\n <bgp_asn>65000</bgp_asn>\n <bgp_auth_key>fr3gUCLDLS6MQsVLVBw9zgdt</bgp_auth_key>\n <amazon_bgp_asn>10124</amazon_bgp_asn>\n <connection_type>private</connection_type>\n</logical_connection>\n",
"amazonAddress": "169.254.15.214/30",
"virtualInterfaceType": "private",
"virtualInterfaceName": "NWG-HIRA-BK"
}
VirtualInterfaceのConfirm (DirectConnectユーザ側アカウント)
コマンド
VGWID=`aws ec2 describe-vpn-gateways | jq .VpnGateways[0].VpnGatewayId | tr -d '\"'`
VIFID=`aws directconnect describe-virtual-interfaces | jq .virtualInterfaces[0].virtualInterfaceId | tr -d '\"'`
cat <<ETX
VGWID: $VGWID
VIFID: $VIFID
ETX
aws directconnect confirm-private-virtual-interface --virtual-interface-id $VIFID --virtual-gateway-id $VGWID
レスポンス
{
"virtualInterfaceState": "pending"
}
追加確認コマンド
watch -n 10 "aws directconnect describe-virtual-interfaces"
レスポンス
{
"virtualInterfaces": [
{
"virtualInterfaceState": "available",
"asn": 65000,
"vlan": 511,
"customerAddress": "169.254.15.213/30",
"ownerAccount": "5651********",
"connectionId": "dxcon-********",
"virtualGatewayId": "vgw-abbd****",
"virtualInterfaceId": "dxvif-********",
"routeFilterPrefixes": [],
"location": "EqTY2",
"amazonAddress": "169.254.15.214/30",
"virtualInterfaceType": "private",
"virtualInterfaceName": "NWG-HIRA-BK"
}
]
}
その他の設定/確認 (DirectConnectユーザ側アカウント)
セキュリティグループにてDataCenterNetworkからの着信接続が許可されているか確認
コマンド
aws ec2 describe-security-groups | jq .SecurityGroups[2].IpPermissions[1]
レスポンス
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "172.30.100.0/24"
}
],
"UserIdGroupPairs": [],
"PrefixListIds": []
}
ルートテーブルにてRoutePropagateを有効化
コマンド
RTID=`aws ec2 describe-route-tables | jq .RouteTables[0].RouteTableId | tr -d '\"'`
VGWID=`aws ec2 describe-vpn-gateways | jq .VpnGateways[0].VpnGatewayId | tr -d '\"'`
cat <<ETX
RTID : $RTID
VGWID: $VGWID
ETX
aws ec2 enable-vgw-route-propagation --route-table-id $RTID --gateway-id $VGWID
レスポンス
なし
追加確認コマンド
aws ec2 describe-route-tables
レスポンス
{
"RouteTables": [
{
"Associations": [
{
"RouteTableAssociationId": "rtbassoc-02bf****",
"Main": true,
"RouteTableId": "rtb-4998****"
}
],
"RouteTableId": "rtb-4998****",
"VpcId": "vpc-9968****",
"PropagatingVgws": [
{
"GatewayId": "vgw-abbd****"
}
],
"Tags": [],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "172.31.0.0/16",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "igw-aa9b****",
"DestinationCidrBlock": "0.0.0.0/0",
"State": "active",
"Origin": "CreateRoute"
},
{
"GatewayId": "vgw-abbd****",
"DestinationCidrBlock": "172.30.100.0/24",
"State": "active",
"Origin": "EnableVgwRoutePropagation"
}
]
}
]
}
VirtualInterfaceの削除 (DirectConnectユーザ側アカウント)
コマンド
VIFID=`aws directconnect describe-virtual-interfaces | jq .virtualInterfaces[0].virtualInterfaceId | tr -d '\"'`
cat <<ETX
VIFID: $VIFID
ETX
aws directconnect delete-virtual-interface --virtual-interface-id $VIFID
レスポンス
{
"virtualInterfaceState": "deleting"
}
追加確認コマンド
aws directconnect describe-virtual-interfaces
レスポンス
{
"virtualInterfaces": [
{
"virtualInterfaceState": "deleted",
"asn": 65000,
"vlan": 511,
"customerAddress": "169.254.15.213/30",
"ownerAccount": "5651********",
"connectionId": "dxcon-********",
"virtualGatewayId": "vgw-abbd****",
"virtualInterfaceId": "dxvif-********",
"routeFilterPrefixes": [],
"location": "EqTY2",
"amazonAddress": "169.254.15.214/30",
"virtualInterfaceType": "private",
"virtualInterfaceName": "NWG-HIRA-BK"
}
]
}