上記、「AWS Transit Gateway ハンズオン」 をAWS CLIでやってみる
ハンズオンから引用
Lab1: トランジットゲートウェイによるVPC間接続
1. CloudFormation Template の展開
1-1. 変数設定
コマンド
# Lab1 variables: the stack name plus the Name tags that later steps use to
# look up the VPCs, subnets and the transit gateway. Each value is echoed
# right after assignment so the transcript shows what was set.

# Stack name
STACK_NAME_LAB1="wstgw-lab1"
printf '%s\n' "${STACK_NAME_LAB1}"

# VPC names
ACCOUNT1_VPC_NAME="wstgwBoundaryVpc"
printf '%s\n' "${ACCOUNT1_VPC_NAME}"
ACCOUNT1_VPC1_NAME="wstgwPrivateVpc1"
printf '%s\n' "${ACCOUNT1_VPC1_NAME}"

# Subnet names
## wstgwBoundaryVpc
ACCOUNT1_VPC_SUBNET1_NAME="wstgwBoundaryVpcNatSubnet"
printf '%s\n' "${ACCOUNT1_VPC_SUBNET1_NAME}"
ACCOUNT1_VPC_SUBNET2_NAME="wstgwBoundaryVpcPrivateSubnet"
printf '%s\n' "${ACCOUNT1_VPC_SUBNET2_NAME}"
ACCOUNT1_VPC_SUBNET3_NAME="wstgwBoundaryVpcTgwSubnet"
printf '%s\n' "${ACCOUNT1_VPC_SUBNET3_NAME}"
## wstgwPrivateVpc1
ACCOUNT1_VPC1_SUBNET1_NAME="wstgwPrivateVpc1PrivateSubnet"
printf '%s\n' "${ACCOUNT1_VPC1_SUBNET1_NAME}"
ACCOUNT1_VPC1_SUBNET2_NAME="wstgwPrivateVpc1TgwSubnet"
printf '%s\n' "${ACCOUNT1_VPC1_SUBNET2_NAME}"

## Transit gateway name
ACCOUNT1_TGW1_NAME="wstgwTgw"
printf '%s\n' "${ACCOUNT1_TGW1_NAME}"
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # スタック名
[cloudshell-user@ip-10-130-53-115 ~]$ STACK_NAME_LAB1="wstgw-lab1"
[cloudshell-user@ip-10-130-53-115 ~]$ echo ${STACK_NAME_LAB1}
wstgw-lab1
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # VPC名
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_NAME="wstgwBoundaryVpc" \
> && echo ${ACCOUNT1_VPC_NAME}
wstgwBoundaryVpc
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC1_NAME="wstgwPrivateVpc1" \
> && echo ${ACCOUNT1_VPC1_NAME}
wstgwPrivateVpc1
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # サブネット名
[cloudshell-user@ip-10-130-53-115 ~]$ ## wstgwBoundaryVpc
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_SUBNET1_NAME="wstgwBoundaryVpcNatSubnet" \
> && echo ${ACCOUNT1_VPC_SUBNET1_NAME}
wstgwBoundaryVpcNatSubnet
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_SUBNET2_NAME="wstgwBoundaryVpcPrivateSubnet" \
> && echo ${ACCOUNT1_VPC_SUBNET2_NAME}
wstgwBoundaryVpcPrivateSubnet
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_SUBNET3_NAME="wstgwBoundaryVpcTgwSubnet" \
> && echo ${ACCOUNT1_VPC_SUBNET3_NAME}
wstgwBoundaryVpcTgwSubnet
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ## wstgwPrivateVpc1
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC1_SUBNET1_NAME="wstgwPrivateVpc1PrivateSubnet" \
> && echo ${ACCOUNT1_VPC1_SUBNET1_NAME}
wstgwPrivateVpc1PrivateSubnet
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC1_SUBNET2_NAME="wstgwPrivateVpc1TgwSubnet" \
> && echo ${ACCOUNT1_VPC1_SUBNET2_NAME}
wstgwPrivateVpc1TgwSubnet
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW1_NAME=wstgwTgw \
> && echo ${ACCOUNT1_TGW1_NAME}
wstgwTgw
1-2. CloudFormation Templateの展開
コマンド
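# Deploy the Lab1 stack from the local file <stack-name>.template.
# Expansions are quoted so the stack name cannot be word-split.
# CAPABILITY_NAMED_IAM is the acknowledgement the CLI requires when a
# template creates IAM resources with custom names; review the template's
# IAM resources before granting it, since the stack runs with that power.
aws cloudformation create-stack \
  --stack-name "${STACK_NAME_LAB1}" \
  --template-body "file://${STACK_NAME_LAB1}.template" \
  --capabilities CAPABILITY_NAMED_IAM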
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws cloudformation create-stack \
> --stack-name ${STACK_NAME_LAB1} \
> --template-body file://${STACK_NAME_LAB1}.template \
> --capabilities CAPABILITY_NAMED_IAM
{
"StackId": "arn:aws:cloudformation:ap-northeast-1:999999999999:stack/wstgw-lab1/19952db0-3ac5-11ef-94a6-06d40bdb5af9"
}
1-3. ID取得
コマンド
# VPC
## wstgwBoundaryVpc
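# Resolve resource IDs from the Name tags set in step 1-1.
# Every expansion is quoted so an empty or multi-valued lookup cannot be
# word-split into extra arguments, and each result is checked with :? so a
# lookup that returned nothing stops the chain instead of feeding an empty
# Values= filter to the next command. In an interactive shell :? only prints
# the message and returns non-zero; in a script it exits.
# NOTE: with --output text, a Name tag shared by several resources yields a
# tab-separated list in one variable — keep the tag values unique.

# VPC
## wstgwBoundaryVpc
ACCOUNT1_VPC_ID=$(
  aws ec2 describe-vpcs \
    --filters "Name=tag:Name,Values=${ACCOUNT1_VPC_NAME}" \
    --query "Vpcs[*].VpcId" \
    --output text
) \
&& : "${ACCOUNT1_VPC_ID:?no VPC found with Name tag ${ACCOUNT1_VPC_NAME}}" \
&& echo "${ACCOUNT1_VPC_ID}"

## wstgwPrivateVpc1
ACCOUNT1_VPC1_ID=$(
  aws ec2 describe-vpcs \
    --filters "Name=tag:Name,Values=${ACCOUNT1_VPC1_NAME}" \
    --query "Vpcs[*].VpcId" \
    --output text
) \
&& : "${ACCOUNT1_VPC1_ID:?no VPC found with Name tag ${ACCOUNT1_VPC1_NAME}}" \
&& echo "${ACCOUNT1_VPC1_ID}"

# Subnets (scoped to their VPC so a Name tag reused in another VPC is ignored)
## wstgwBoundaryVpc
ACCOUNT1_VPC_SUBNET1_ID=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${ACCOUNT1_VPC_ID}" \
              "Name=tag:Name,Values=${ACCOUNT1_VPC_SUBNET1_NAME}" \
    --query "Subnets[].SubnetId" \
    --output text
) \
&& : "${ACCOUNT1_VPC_SUBNET1_ID:?no subnet ${ACCOUNT1_VPC_SUBNET1_NAME} in ${ACCOUNT1_VPC_ID}}" \
&& echo "${ACCOUNT1_VPC_SUBNET1_ID}"

ACCOUNT1_VPC_SUBNET2_ID=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${ACCOUNT1_VPC_ID}" \
              "Name=tag:Name,Values=${ACCOUNT1_VPC_SUBNET2_NAME}" \
    --query "Subnets[].SubnetId" \
    --output text
) \
&& : "${ACCOUNT1_VPC_SUBNET2_ID:?no subnet ${ACCOUNT1_VPC_SUBNET2_NAME} in ${ACCOUNT1_VPC_ID}}" \
&& echo "${ACCOUNT1_VPC_SUBNET2_ID}"

ACCOUNT1_VPC_SUBNET3_ID=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${ACCOUNT1_VPC_ID}" \
              "Name=tag:Name,Values=${ACCOUNT1_VPC_SUBNET3_NAME}" \
    --query "Subnets[].SubnetId" \
    --output text
) \
&& : "${ACCOUNT1_VPC_SUBNET3_ID:?no subnet ${ACCOUNT1_VPC_SUBNET3_NAME} in ${ACCOUNT1_VPC_ID}}" \
&& echo "${ACCOUNT1_VPC_SUBNET3_ID}"

## wstgwPrivateVpc1
ACCOUNT1_VPC1_SUBNET1_ID=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${ACCOUNT1_VPC1_ID}" \
              "Name=tag:Name,Values=${ACCOUNT1_VPC1_SUBNET1_NAME}" \
    --query "Subnets[].SubnetId" \
    --output text
) \
&& : "${ACCOUNT1_VPC1_SUBNET1_ID:?no subnet ${ACCOUNT1_VPC1_SUBNET1_NAME} in ${ACCOUNT1_VPC1_ID}}" \
&& echo "${ACCOUNT1_VPC1_SUBNET1_ID}"

ACCOUNT1_VPC1_SUBNET2_ID=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${ACCOUNT1_VPC1_ID}" \
              "Name=tag:Name,Values=${ACCOUNT1_VPC1_SUBNET2_NAME}" \
    --query "Subnets[].SubnetId" \
    --output text
) \
&& : "${ACCOUNT1_VPC1_SUBNET2_ID:?no subnet ${ACCOUNT1_VPC1_SUBNET2_NAME} in ${ACCOUNT1_VPC1_ID}}" \
&& echo "${ACCOUNT1_VPC1_SUBNET2_ID}"

## Transit Gateway ID
ACCOUNT1_TGW1_ID=$(
  aws ec2 describe-transit-gateways \
    --filters "Name=tag:Name,Values=${ACCOUNT1_TGW1_NAME}" \
    --query "TransitGateways[*].TransitGatewayId" \
    --output text
) \
&& : "${ACCOUNT1_TGW1_ID:?no transit gateway found with Name tag ${ACCOUNT1_TGW1_NAME}}" \
&& echo "${ACCOUNT1_TGW1_ID}"

## Transit Gateway route table ID (the TGW's default association table —
## the one new attachments are associated with unless configured otherwise)
ACCOUNT1_TGW1_ROUTETABLE_ID=$(
  aws ec2 describe-transit-gateway-route-tables \
    --filters "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
              "Name=default-association-route-table,Values=true" \
    --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
    --output text
) \
&& : "${ACCOUNT1_TGW1_ROUTETABLE_ID:?no default association route table on ${ACCOUNT1_TGW1_ID}}" \
&& echo "${ACCOUNT1_TGW1_ROUTETABLE_ID}"

# Transit Gateway attachment of the boundary VPC.
# The lookup is scoped to this TGW and to attachments in state "available" so
# that [0] cannot pick up a stale (deleting/deleted) attachment that would
# still match the resource-id filter. With [0], an empty result is rendered
# as the text "None" rather than an empty string, hence the explicit check.
TGW_ATTACHMENT_ID=$(
  aws ec2 describe-transit-gateway-attachments \
    --filters "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
              "Name=resource-id,Values=${ACCOUNT1_VPC_ID}" \
              "Name=state,Values=available" \
    --query "TransitGatewayAttachments[0].TransitGatewayAttachmentId" \
    --output text
) \
&& [[ -n "${TGW_ATTACHMENT_ID}" && "${TGW_ATTACHMENT_ID}" != "None" ]] \
&& echo "${TGW_ATTACHMENT_ID}"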
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # VPC
[cloudshell-user@ip-10-130-53-115 ~]$ ## wstgwBoundaryVpc
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_ID=$( \
> aws ec2 describe-vpcs \
> --filters "Name=tag:Name,Values=${ACCOUNT1_VPC_NAME}" \
> --query "Vpcs[*].VpcId" \
> --output text\
> )\
> && echo ${ACCOUNT1_VPC_ID}
vpc-09eae5bdd8ff4b663
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ## wstgwPrivateVpc1
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC1_ID=$( \
> aws ec2 describe-vpcs \
> --filters "Name=tag:Name,Values=${ACCOUNT1_VPC1_NAME}" \
> --query "Vpcs[*].VpcId" \
> --output text\
> )\
> && echo ${ACCOUNT1_VPC1_ID}
vpc-00cef602390e56814
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # サブネット
[cloudshell-user@ip-10-130-53-115 ~]$ ## wstgwBoundaryVpc
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_SUBNET1_ID=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${ACCOUNT1_VPC_ID} \
> Name=tag:Name,Values="${ACCOUNT1_VPC_SUBNET1_NAME}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${ACCOUNT1_VPC_SUBNET1_ID}
subnet-0c6cac3f3e93d58e5
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_SUBNET2_ID=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${ACCOUNT1_VPC_ID} \
> Name=tag:Name,Values="${ACCOUNT1_VPC_SUBNET2_NAME}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${ACCOUNT1_VPC_SUBNET2_ID}
subnet-00a357d3cb44a4235
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC_SUBNET3_ID=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${ACCOUNT1_VPC_ID} \
> Name=tag:Name,Values="${ACCOUNT1_VPC_SUBNET3_NAME}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${ACCOUNT1_VPC_SUBNET3_ID}
subnet-0ec551f1d2e256792
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ## wstgwPrivateVpc1
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC1_SUBNET1_ID=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${ACCOUNT1_VPC1_ID} \
> Name=tag:Name,Values="${ACCOUNT1_VPC1_SUBNET1_NAME}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${ACCOUNT1_VPC1_SUBNET1_ID}
subnet-0f2a08b3697c83458
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_VPC1_SUBNET2_ID=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${ACCOUNT1_VPC1_ID} \
> Name=tag:Name,Values="${ACCOUNT1_VPC1_SUBNET2_NAME}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${ACCOUNT1_VPC1_SUBNET2_ID}
subnet-0840f812f20a9f977
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ## Transit Gateway ID
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW1_ID=$(
> aws ec2 describe-transit-gateways \
> --filters Name=tag:Name,Values="${ACCOUNT1_TGW1_NAME}" \
> --query "TransitGateways[*].TransitGatewayId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW1_ID}
tgw-07df15247c1b17801
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ## Transit Gateway ルートテーブルID
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW1_ROUTETABLE_ID=$(
> aws ec2 describe-transit-gateway-route-tables \
> --filters "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
> "Name=default-association-route-table,Values=true" \
> --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW1_ROUTETABLE_ID}
tgw-rtb-039d20e8aa3326006
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # VPC IDに関連付けられたTransit Gateway Attachment IDを取得
[cloudshell-user@ip-10-130-53-115 ~]$ TGW_ATTACHMENT_ID=$(
> aws ec2 describe-transit-gateway-attachments \
> --filters "Name=resource-id,Values=${ACCOUNT1_VPC_ID}" \
> --query "TransitGatewayAttachments[0].TransitGatewayAttachmentId" \
> --output text
> ) \
> && echo ${TGW_ATTACHMENT_ID}
tgw-attach-0731ed17e025f0c4d
2. 疎通確認
BoundaryVPC(192-168-1-100)
コマンド
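# Reachability test from the boundary VPC instance (192.168.1.100), run
# inside the SSM session: first the private VPC host across the transit
# gateway, then an internet name through the NAT path.
# NOTE(review): "bash -I" is kept exactly as transcribed; bash documents "-i"
# for an interactive shell — confirm which was intended.
bash -I
# -c 4 matches the captured output and keeps ping from running until
# interrupted.
ping -c 4 10.0.1.100
ping -c 4 aws.amazon.com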
出力
sh-4.2$ bash -I
[ssm-user@ip-192-168-1-100 bin]$
[ssm-user@ip-192-168-1-100 bin]$ ping 10.0.1.100 -c 4
PING 10.0.1.100 (10.0.1.100) 56(84) bytes of data.
64 bytes from 10.0.1.100: icmp_seq=1 ttl=254 time=1.38 ms
64 bytes from 10.0.1.100: icmp_seq=2 ttl=254 time=0.662 ms
64 bytes from 10.0.1.100: icmp_seq=3 ttl=254 time=0.662 ms
64 bytes from 10.0.1.100: icmp_seq=4 ttl=254 time=0.692 ms
--- 10.0.1.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3026ms
rtt min/avg/max/mdev = 0.662/0.849/1.380/0.306 ms
[ssm-user@ip-192-168-1-100 bin]$
[ssm-user@ip-192-168-1-100 bin]$ ping aws.amazon.com -c 4
PING dr49lng3n1n2s.cloudfront.net (18.65.168.18) 56(84) bytes of data.
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=1 ttl=246 time=1.89 ms
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=2 ttl=246 time=1.23 ms
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=3 ttl=246 time=1.42 ms
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=4 ttl=246 time=1.29 ms
--- dr49lng3n1n2s.cloudfront.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.231/1.462/1.899/0.263 ms
PrivateVPC1(10-0-1-100)
コマンド
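# Reachability test from the private VPC instance (10.0.1.100), run inside
# the SSM session: the boundary VPC host across the transit gateway, then an
# internet name. In the captured output the internet ping fails (100% loss)
# because the transit gateway has no default route yet — step 4 adds it.
# NOTE(review): "bash -I" is kept exactly as transcribed; bash documents "-i"
# for an interactive shell — confirm which was intended.
bash -I
# -c 4 matches the captured output and keeps ping from running until
# interrupted.
ping -c 4 192.168.1.100
ping -c 4 aws.amazon.com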
出力
sh-4.2$ bash -I
[ssm-user@ip-10-0-1-100 bin]$
[ssm-user@ip-10-0-1-100 bin]$ ping 192.168.1.100 -c 4
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=254 time=0.847 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=254 time=1.67 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=254 time=8.05 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=254 time=0.771 ms
--- 192.168.1.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3016ms
rtt min/avg/max/mdev = 0.771/2.838/8.058/3.034 ms
[ssm-user@ip-10-0-1-100 bin]$
[ssm-user@ip-10-0-1-100 bin]$ ping aws.amazon.com -c 4
PING dr49lng3n1n2s.cloudfront.net (18.65.168.56) 56(84) bytes of data.
--- dr49lng3n1n2s.cloudfront.net ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3078ms
3. ルートの確認
wstgwBoundaryVpc
コマンド
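# Route tables of wstgwBoundaryVpc, one query per subnet association plus the
# VPC's main table (which applies to any subnet without an explicit
# association). Expansions are quoted so a multi-valued or empty ID cannot be
# word-split into extra filter arguments.

# wstgwBoundaryVpcNatSubnet
aws ec2 describe-route-tables \
  --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC_SUBNET1_ID}" \
  --output table

# wstgwBoundaryVpcPrivateSubnet
aws ec2 describe-route-tables \
  --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC_SUBNET2_ID}" \
  --output table

# wstgwBoundaryVpcTgwSubnet
aws ec2 describe-route-tables \
  --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC_SUBNET3_ID}" \
  --output table

# Main
aws ec2 describe-route-tables \
  --filters "Name=vpc-id,Values=${ACCOUNT1_VPC_ID}" \
            "Name=association.main,Values=true" \
  --output table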
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # wstgwBoundaryVpcNatSubnet
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 describe-route-tables \
> --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC_SUBNET1_ID}" \
> --output table
---------------------------------------------------------------------------------------------------------------------------------------------------
| DescribeRouteTables |
+-------------------------------------------------------------------------------------------------------------------------------------------------+
|| RouteTables ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| 999999999999 | rtb-01f53646f1f16ca49 | vpc-09eae5bdd8ff4b663 ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
||| Associations |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| Main | RouteTableAssociationId | RouteTableId | SubnetId |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| False | rtbassoc-08ba6f48894962fe0 | rtb-01f53646f1f16ca49 | subnet-0c6cac3f3e93d58e5 |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
|||| AssociationState ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
|||| State | associated ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
||| Routes |||
||+-------------------------------+---------------------------------+---------------------------+-------------+---------------------------------+||
||| DestinationCidrBlock | GatewayId | Origin | State | TransitGatewayId |||
||+-------------------------------+---------------------------------+---------------------------+-------------+---------------------------------+||
||| 192.168.0.0/16 | local | CreateRouteTable | active | |||
||| 10.0.0.0/8 | | CreateRoute | active | tgw-07df15247c1b17801 |||
||| 0.0.0.0/0 | igw-045c6a8d780a878e7 | CreateRoute | active | |||
||+-------------------------------+---------------------------------+---------------------------+-------------+---------------------------------+||
||| Tags |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| Key | Value |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| aws:cloudformation:stack-id | arn:aws:cloudformation:ap-northeast-1:999999999999:stack/wstgw-lab1/19952db0-3ac5-11ef-94a6-06d40bdb5af9 |||
||| Name | wstgwRtbBoundaryVpcNatSubnet |||
||| aws:cloudformation:logical-id| wstgwRtbBoundaryVpcNatSubnet |||
||| aws:cloudformation:stack-name| wstgw-lab1 |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # wstgwBoundaryVpcPrivateSubnet
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 describe-route-tables \
> --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC_SUBNET2_ID}" \
> --output table
---------------------------------------------------------------------------------------------------------------------------------------------------
| DescribeRouteTables |
+-------------------------------------------------------------------------------------------------------------------------------------------------+
|| RouteTables ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| 999999999999 | rtb-0ef4abda53e390254 | vpc-09eae5bdd8ff4b663 ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
||| Associations |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| Main | RouteTableAssociationId | RouteTableId | SubnetId |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| False | rtbassoc-0cd64a488884c260b | rtb-0ef4abda53e390254 | subnet-00a357d3cb44a4235 |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
|||| AssociationState ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
|||| State | associated ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
||| Routes |||
||+---------------------------+---------------+------------------------------+-----------------------+-----------+------------------------------+||
||| DestinationCidrBlock | GatewayId | NatGatewayId | Origin | State | TransitGatewayId |||
||+---------------------------+---------------+------------------------------+-----------------------+-----------+------------------------------+||
||| 192.168.0.0/16 | local | | CreateRouteTable | active | |||
||| 10.0.0.0/8 | | | CreateRoute | active | tgw-07df15247c1b17801 |||
||| 0.0.0.0/0 | | nat-027e94079028c0ee2 | CreateRoute | active | |||
||+---------------------------+---------------+------------------------------+-----------------------+-----------+------------------------------+||
||| Tags |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| Key | Value |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| aws:cloudformation:logical-id| wstgwRtbBoundaryVpcPrivateSubnet |||
||| aws:cloudformation:stack-name| wstgw-lab1 |||
||| Name | wstgwRtbBoundaryVpcPrivateSubnet |||
||| aws:cloudformation:stack-id | arn:aws:cloudformation:ap-northeast-1:999999999999:stack/wstgw-lab1/19952db0-3ac5-11ef-94a6-06d40bdb5af9 |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # wstgwBoundaryVpcTgwSubnet
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 describe-route-tables \
> --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC_SUBNET3_ID}" \
> --output table
---------------------------------------------------------------------------------------------------------------------------------------------------
| DescribeRouteTables |
+-------------------------------------------------------------------------------------------------------------------------------------------------+
|| RouteTables ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| 999999999999 | rtb-038a8b50e6999f1ea | vpc-09eae5bdd8ff4b663 ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
||| Associations |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| Main | RouteTableAssociationId | RouteTableId | SubnetId |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| False | rtbassoc-0780f5bd18887ac14 | rtb-038a8b50e6999f1ea | subnet-0ec551f1d2e256792 |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
|||| AssociationState ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
|||| State | associated ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
||| Routes |||
||+-----------------------------------+-------------------+--------------------------------------+------------------------------+---------------+||
||| DestinationCidrBlock | GatewayId | NatGatewayId | Origin | State |||
||+-----------------------------------+-------------------+--------------------------------------+------------------------------+---------------+||
||| 192.168.0.0/16 | local | | CreateRouteTable | active |||
||| 0.0.0.0/0 | | nat-027e94079028c0ee2 | CreateRoute | active |||
||+-----------------------------------+-------------------+--------------------------------------+------------------------------+---------------+||
||| Tags |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| Key | Value |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| aws:cloudformation:logical-id| wstgwRtbBoundaryVpcTgwSubnet |||
||| Name | wstgwRtbBoundaryVpcTgwSubnet |||
||| aws:cloudformation:stack-id | arn:aws:cloudformation:ap-northeast-1:999999999999:stack/wstgw-lab1/19952db0-3ac5-11ef-94a6-06d40bdb5af9 |||
||| aws:cloudformation:stack-name| wstgw-lab1 |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # Main
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 describe-route-tables \
> --filters Name=vpc-id,Values=${ACCOUNT1_VPC_ID} \
> Name=association.main,Values=true \
> --output table
-------------------------------------------------------------------------
| DescribeRouteTables |
+-----------------------------------------------------------------------+
|| RouteTables ||
|+---------------+--------------------------+--------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------+--------------------------+--------------------------+|
|| 999999999999 | rtb-0d87c7e77f8363cde | vpc-09eae5bdd8ff4b663 ||
|+---------------+--------------------------+--------------------------+|
||| Associations |||
||+-------+--------------------------------+--------------------------+||
||| Main | RouteTableAssociationId | RouteTableId |||
||+-------+--------------------------------+--------------------------+||
||| True | rtbassoc-09f33d14447554b39 | rtb-0d87c7e77f8363cde |||
||+-------+--------------------------------+--------------------------+||
|||| AssociationState ||||
|||+------------------------+----------------------------------------+|||
|||| State | associated ||||
|||+------------------------+----------------------------------------+|||
||| Routes |||
||+-----------------------+------------+--------------------+---------+||
||| DestinationCidrBlock | GatewayId | Origin | State |||
||+-----------------------+------------+--------------------+---------+||
||| 192.168.0.0/16 | local | CreateRouteTable | active |||
||+-----------------------+------------+--------------------+---------+||
wstgwPrivateVpc1
コマンド
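# Route tables of wstgwPrivateVpc1. The comments name the PrivateVpc1 subnets
# the filters actually use (ACCOUNT1_VPC1_SUBNET1_ID / ACCOUNT1_VPC1_SUBNET2_ID).
# An empty DescribeRouteTables result for a subnet means it has no explicit
# route table association; the Main query below is the table that applies then.

# wstgwPrivateVpc1PrivateSubnet
aws ec2 describe-route-tables \
  --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC1_SUBNET1_ID}" \
  --output table

# wstgwPrivateVpc1TgwSubnet
aws ec2 describe-route-tables \
  --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC1_SUBNET2_ID}" \
  --output table

# Main
aws ec2 describe-route-tables \
  --filters "Name=vpc-id,Values=${ACCOUNT1_VPC1_ID}" \
            "Name=association.main,Values=true" \
  --output table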
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # wstgwBoundaryVpcNatSubnet
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 describe-route-tables \
> --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC1_SUBNET1_ID}" \
> --output table
---------------------------------------------------------------------------------------------------------------------------------------------------
| DescribeRouteTables |
+-------------------------------------------------------------------------------------------------------------------------------------------------+
|| RouteTables ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| 999999999999 | rtb-0743fb4a9196e94ab | vpc-00cef602390e56814 ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
||| Associations |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| Main | RouteTableAssociationId | RouteTableId | SubnetId |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| False | rtbassoc-0d0ddd671eb524a2c | rtb-0743fb4a9196e94ab | subnet-0f2a08b3697c83458 |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
|||| AssociationState ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
|||| State | associated ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
||| Routes |||
||+-----------------------------------+-------------------+------------------------------+---------------+--------------------------------------+||
||| DestinationCidrBlock | GatewayId | Origin | State | TransitGatewayId |||
||+-----------------------------------+-------------------+------------------------------+---------------+--------------------------------------+||
||| 10.0.0.0/16 | local | CreateRouteTable | active | |||
||| 0.0.0.0/0 | | CreateRoute | active | tgw-07df15247c1b17801 |||
||+-----------------------------------+-------------------+------------------------------+---------------+--------------------------------------+||
||| Tags |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| Key | Value |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| Name | wstgwRtbPrivateVpc1PrivateSubnet |||
||| aws:cloudformation:stack-id | arn:aws:cloudformation:ap-northeast-1:999999999999:stack/wstgw-lab1/19952db0-3ac5-11ef-94a6-06d40bdb5af9 |||
||| aws:cloudformation:logical-id| wstgwRtbPrivateVpc1PrivateSubnet |||
||| aws:cloudformation:stack-name| wstgw-lab1 |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # wstgwBoundaryVpcPrivateSubnet
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 describe-route-tables \
> --filters "Name=association.subnet-id,Values=${ACCOUNT1_VPC1_SUBNET2_ID}" \
> --output table
---------------------
|DescribeRouteTables|
+-------------------+
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # Main
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 describe-route-tables \
> --filters Name=vpc-id,Values=${ACCOUNT1_VPC1_ID} \
> Name=association.main,Values=true \
> --output table
-------------------------------------------------------------------------
| DescribeRouteTables |
+-----------------------------------------------------------------------+
|| RouteTables ||
|+---------------+--------------------------+--------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------+--------------------------+--------------------------+|
|| 999999999999 | rtb-01df7996b9bb82878 | vpc-00cef602390e56814 ||
|+---------------+--------------------------+--------------------------+|
||| Associations |||
||+-------+--------------------------------+--------------------------+||
||| Main | RouteTableAssociationId | RouteTableId |||
||+-------+--------------------------------+--------------------------+||
||| True | rtbassoc-0ff9bd8b1629d363f | rtb-01df7996b9bb82878 |||
||+-------+--------------------------------+--------------------------+||
|||| AssociationState ||||
|||+------------------------+----------------------------------------+|||
|||| State | associated ||||
|||+------------------------+----------------------------------------+|||
||| Routes |||
||+-----------------------+------------+--------------------+---------+||
||| DestinationCidrBlock | GatewayId | Origin | State |||
||+-----------------------+------------+--------------------+---------+||
||| 10.0.0.0/16 | local | CreateRouteTable | active |||
||+-----------------------+------------+--------------------+---------+||
Transit Gateway
コマンド
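# List the active routes in the TGW's default association route table; before
# step 4 only the two propagated VPC CIDRs are expected.
# NOTE(review): the captured output for this command appears to come from a
# different session than the lookups above (different CloudShell host and
# different VPC / attachment IDs), so its IDs will not match the earlier ones.
aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW1_ROUTETABLE_ID}" \
  --filters "Name=state,Values=active" \
  --output table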
出力
[cloudshell-user@ip-10-130-41-251 ~]$ aws ec2 search-transit-gateway-routes \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --filters Name=state,Values=active \
> --output table
----------------------------------------------------------------------------------------------
| SearchTransitGatewayRoutes |
+----------------------------------------------------------------------+---------------------+
| AdditionalRoutesAvailable | False |
+----------------------------------------------------------------------+---------------------+
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 10.0.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-0d7230840c45ff03d | vpc | tgw-attach-0941045dab1885a45 |||
||+-----------------------------+-------------------+--------------------------------------+||
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 192.168.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-05b9bb2b5432e9a72 | vpc | tgw-attach-08eb19553439c6e6a |||
||+-----------------------------+-------------------+--------------------------------------+||
4. ルートを追加
4-1. ルートを追加
コマンド
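# Static default route on the TGW route table: anything not matched by a propagated VPC
# route is handed to the attachment in ${TGW_ATTACHMENT_ID} — per the lab layout the
# boundary VPC (192.168.0.0/16), which holds the NAT subnet — so every VPC that uses this
# route table gets internet egress through that NAT.
# Security note: the 0.0.0.0/0 entry applies to EVERY attachment associated with this
# route table, including VPCs attached later. Keep the NAT path governed by the boundary
# VPC's security groups / network ACLs, and give VPCs that must stay internet-isolated a
# separate TGW route table without this route.
aws ec2 create-transit-gateway-route \
  --destination-cidr-block 0.0.0.0/0 \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW1_ROUTETABLE_ID}" \
  --transit-gateway-attachment-id "${TGW_ATTACHMENT_ID}"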
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route \
> --destination-cidr-block 0.0.0.0/0 \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --transit-gateway-attachment-id ${TGW_ATTACHMENT_ID}
{
"Route": {
"DestinationCidrBlock": "0.0.0.0/0",
"TransitGatewayAttachments": [
{
"ResourceId": "vpc-09eae5bdd8ff4b663",
"TransitGatewayAttachmentId": "tgw-attach-0731ed17e025f0c4d",
"ResourceType": "vpc"
}
],
"Type": "static",
"State": "active"
}
}
4-2. ルート確認
コマンド
# Re-check the route table after adding the default route: 0.0.0.0/0 should now be listed
# with Type=static next to the propagated 10.0.0.0/16 and 192.168.0.0/16 entries.
aws ec2 search-transit-gateway-routes \
  --output table \
  --filters "Name=state,Values=active" \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW1_ROUTETABLE_ID}"
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 search-transit-gateway-routes \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --filters Name=state,Values=active \
> --output table
----------------------------------------------------------------------------------------------
| SearchTransitGatewayRoutes |
+----------------------------------------------------------------------+---------------------+
| AdditionalRoutesAvailable | False |
+----------------------------------------------------------------------+---------------------+
|| Routes ||
|+-----------------------+----------+--------------------------------------------+----------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+----------+--------------------------------------------+----------+|
|| 0.0.0.0/0 | active | | static ||
|+-----------------------+----------+--------------------------------------------+----------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-09eae5bdd8ff4b663 | vpc | tgw-attach-0731ed17e025f0c4d |||
||+-----------------------------+-------------------+--------------------------------------+||
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 10.0.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-00cef602390e56814 | vpc | tgw-attach-07bed2f5bd17f690a |||
||+-----------------------------+-------------------+--------------------------------------+||
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 192.168.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-09eae5bdd8ff4b663 | vpc | tgw-attach-0731ed17e025f0c4d |||
||+-----------------------------+-------------------+--------------------------------------+||
5. 疎通確認その2
コマンド
ping aws.amazon.com
出力
[ssm-user@ip-10-0-1-100 bin]$ ping aws.amazon.com -c 4
PING dr49lng3n1n2s.cloudfront.net (18.65.168.56) 56(84) bytes of data.
64 bytes from server-18-65-168-56.nrt57.r.cloudfront.net (18.65.168.56): icmp_seq=1 ttl=242 time=2.68 ms
64 bytes from server-18-65-168-56.nrt57.r.cloudfront.net (18.65.168.56): icmp_seq=2 ttl=242 time=1.35 ms
64 bytes from server-18-65-168-56.nrt57.r.cloudfront.net (18.65.168.56): icmp_seq=3 ttl=242 time=1.42 ms
64 bytes from server-18-65-168-56.nrt57.r.cloudfront.net (18.65.168.56): icmp_seq=4 ttl=242 time=1.33 ms
--- dr49lng3n1n2s.cloudfront.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.334/1.701/2.689/0.571 ms
fping のセットアップ
BoundaryVPC(192-168-1-100)
コマンド
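# NOTE(review): bash has no "-I" invocation option (the interactive flag is lowercase -i);
# the logged session shows no error, so confirm what was intended. Kept as written.
bash -I
# fping is installed from EPEL here, so enable the EPEL extra first. The generated repo
# config has gpgcheck enabled, so the fping package signature is verified against
# RPM-GPG-KEY-EPEL-7 at install time (the key import is visible in the logged output).
sudo amazon-linux-extras install epel -y
sudo yum-config-manager --enable epel
sudo yum install fping -y
# Target list for fping: this host, the peer in the other lab VPC, two addresses that are
# not reachable at this point of the lab, and one public name (exercises the TGW default
# route to the NAT). printf writes exactly one host per line without relying on echo's
# -e/-n handling. A fixed path under /tmp is acceptable on a single-user lab instance;
# prefer mktemp on shared hosts.
printf '%s\n' \
  192.168.1.100 \
  10.0.1.100 \
  10.1.1.100 \
  10.2.1.100 \
  aws.amazon.com > /tmp/hosts.txt
cat /tmp/hosts.txt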
出力
[ssm-user@ip-192-168-1-100 bin]$ bash -I
[ssm-user@ip-192-168-1-100 bin]$ sudo amazon-linux-extras install epel -y
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
12 metadata files removed
4 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.6 kB 00:00:00
amzn2extra-docker | 2.9 kB 00:00:00
amzn2extra-epel | 3.0 kB 00:00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.7 kB 00:00:00
(2/7): amzn2-core/2/x86_64/updateinfo | 940 kB 00:00:00
(3/7): amzn2extra-epel/2/x86_64/primary_db | 1.8 kB 00:00:00
(4/7): amzn2extra-docker/2/x86_64/updateinfo | 16 kB 00:00:00
(5/7): amzn2extra-epel/2/x86_64/updateinfo | 76 B 00:00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db | 102 kB 00:00:00
(7/7): amzn2-core/2/x86_64/primary_db | 69 MB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
epel-release noarch 7-11 amzn2extra-epel 15 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
2 httpd_modules available [ =1.0 =stable ]
3 memcached1.5 available \
[ =1.5.1 =1.5.16 =1.5.17 ]
9 R3.4 available [ =3.4.3 =stable ]
10 rust1 available \
[ =1.22.1 =1.26.0 =1.26.1 =1.27.2 =1.31.0 =1.38.0
=stable ]
18 libreoffice available \
[ =5.0.6.2_15 =5.3.6.1 =stable ]
19 gimp available [ =2.8.22 ]
20 †docker=latest enabled \
[ =17.12.1 =18.03.1 =18.06.1 =18.09.9 =stable ]
21 mate-desktop1.x available \
[ =1.19.0 =1.20.0 =stable ]
22 GraphicsMagick1.3 available \
[ =1.3.29 =1.3.32 =1.3.34 =stable ]
24 epel=latest enabled [ =7.11 =stable ]
25 testing available [ =1.0 =stable ]
26 ecs available [ =stable ]
27 †corretto8 available \
[ =1.8.0_192 =1.8.0_202 =1.8.0_212 =1.8.0_222 =1.8.0_232
=1.8.0_242 =stable ]
32 lustre2.10 available \
[ =2.10.5 =2.10.8 =stable ]
33 †java-openjdk11 available [ =11 =stable ]
34 lynis available [ =stable ]
36 BCC available [ =0.x =stable ]
37 mono available [ =5.x =stable ]
38 nginx1 available [ =stable ]
40 mock available [ =stable ]
43 livepatch available [ =stable ]
44 †python3.8 available [ =stable ]
45 haproxy2 available [ =stable ]
46 collectd available [ =stable ]
47 aws-nitro-enclaves-cli available [ =stable ]
48 R4 available [ =stable ]
49 kernel-5.4 available [ =stable ]
50 selinux-ng available [ =stable ]
52 tomcat9 available [ =stable ]
53 unbound1.13 available [ =stable ]
54 †mariadb10.5 available [ =stable ]
55 kernel-5.10 available [ =stable ]
56 redis6 available [ =stable ]
58 †postgresql12 available [ =stable ]
59 †postgresql13 available [ =stable ]
60 mock2 available [ =stable ]
61 dnsmasq2.85 available [ =stable ]
62 kernel-5.15 available [ =stable ]
63 †postgresql14 available [ =stable ]
64 firefox available [ =stable ]
65 lustre available [ =stable ]
66 †php8.1 available [ =stable ]
67 awscli1 available [ =stable ]
68 †php8.2 available [ =stable ]
69 dnsmasq available [ =stable ]
70 unbound1.17 available [ =stable ]
72 collectd-python3 available [ =stable ]
† Note on end-of-support. Use 'info' subcommand.
[ssm-user@ip-192-168-1-100 bin]$ sudo yum-config-manager --enable epel
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
=========================================================== repo: epel ===========================================================
[epel]
async = True
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/2
baseurl =
cache = 0
cachedir = /var/cache/yum/x86_64/2/epel
check_config_file_age = True
compare_providers_priority = 80
cost = 1000
deltarpm_metadata_percentage = 100
deltarpm_percentage =
enabled = True
enablegroups = True
exclude =
failovermethod = priority
ftp_disable_epsv = False
gpgcadir = /var/lib/yum/repos/x86_64/2/epel/gpgcadir
gpgcakey =
gpgcheck = True
gpgdir = /var/lib/yum/repos/x86_64/2/epel/gpgdir
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
hdrdir = /var/cache/yum/x86_64/2/epel/headers
http_caching = all
includepkgs =
ip_resolve =
keepalive = True
keepcache = False
mddownloadpolicy = sqlite
mdpolicy = group:small
mediaid =
metadata_expire = 21600
metadata_expire_filter = read-only:present
metalink = https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
minrate = 0
mirrorlist =
mirrorlist_expire = 86400
name = Extra Packages for Enterprise Linux 7 - x86_64
old_base_cache_dir =
password =
persistdir = /var/lib/yum/repos/x86_64/2/epel
pkgdir = /var/cache/yum/x86_64/2/epel/packages
priority = 99
proxy = False
proxy_dict =
proxy_password =
proxy_username =
repo_gpgcheck = False
report_instanceid = False
retries = 7
skip_if_unavailable = False
ssl_check_cert_permissions = True
sslcacert =
sslclientcert =
sslclientkey =
sslverify = True
throttle = 0
timeout = 5.0
ui_id = epel/x86_64
ui_repoid_vars = releasever,
basearch
username =
[ssm-user@ip-192-168-1-100 bin]$ sudo yum install fping -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Existing lock /var/run/yum.pid: another copy is running as pid 3356.
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 122 M RSS (415 MB VSZ)
Started: Wed Jul 3 13:10:49 2024 - 00:05 ago
State : Running, pid: 3356
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 304 M RSS (598 MB VSZ)
Started: Wed Jul 3 13:10:49 2024 - 00:07 ago
State : Running, pid: 3356
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 364 M RSS (659 MB VSZ)
Started: Wed Jul 3 13:10:49 2024 - 00:09 ago
State : Running, pid: 3356
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 367 M RSS (661 MB VSZ)
Started: Wed Jul 3 13:10:49 2024 - 00:11 ago
State : Running, pid: 3356
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 367 M RSS (661 MB VSZ)
Started: Wed Jul 3 13:10:49 2024 - 00:13 ago
State : Running, pid: 3356
230 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package fping.x86_64 0:3.10-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
fping x86_64 3.10-4.el7 epel 46 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 46 k
Installed size: 104 k
Downloading packages:
warning: /var/cache/yum/x86_64/2/epel/packages/fping-3.10-4.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fping-3.10-4.el7.x86_64.rpm is not installed
fping-3.10-4.el7.x86_64.rpm | 46 kB 00:00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@amzn2extra-epel)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : fping-3.10-4.el7.x86_64 1/1
Verifying : fping-3.10-4.el7.x86_64 1/1
Installed:
fping.x86_64 0:3.10-4.el7
Complete!
[ssm-user@ip-192-168-1-100 bin]$ echo -n -e \
> "192.168.1.100\n"\
> "10.0.1.100\n"\
> "10.1.1.100\n"\
> "10.2.1.100\n"\
> "aws.amazon.com\n" > /tmp/hosts.txt
[ssm-user@ip-192-168-1-100 bin]$ cat /tmp/hosts.txt
192.168.1.100
10.0.1.100
10.1.1.100
10.2.1.100
aws.amazon.com
コマンド
fping -l -f /tmp/hosts.txt -D
出力
[ssm-user@ip-192-168-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720012446.534582] 192.168.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720012446.560580] 10.0.1.100 : [0], 84 bytes, 0.92 ms (0.92 avg, 0% loss)
[1720012446.637600] aws.amazon.com : [0], 84 bytes, 2.53 ms (2.53 avg, 0% loss)
[1720012447.535565] 192.168.1.100 : [1], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720012447.561319] 10.0.1.100 : [1], 84 bytes, 0.66 ms (0.79 avg, 0% loss)
[1720012447.638083] aws.amazon.com : [1], 84 bytes, 2.03 ms (2.28 avg, 0% loss)
[1720012448.536522] 192.168.1.100 : [2], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720012448.562835] 10.0.1.100 : [2], 84 bytes, 1.23 ms (0.93 avg, 0% loss)
[1720012448.639077] aws.amazon.com : [2], 84 bytes, 2.09 ms (2.21 avg, 0% loss)
[1720012449.537502] 192.168.1.100 : [3], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720012449.563211] 10.0.1.100 : [3], 84 bytes, 0.64 ms (0.86 avg, 0% loss)
[1720012449.639956] aws.amazon.com : [3], 84 bytes, 2.00 ms (2.16 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.03/0.04
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.64/0.86/1.23
10.1.1.100 : xmt/rcv/%loss = 4/0/100%
10.2.1.100 : xmt/rcv/%loss = 4/0/100%
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 2.00/2.16/2.53
wstgwEc2Instance10-0-1-100
コマンド
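# NOTE(review): bash has no "-I" invocation option (the interactive flag is lowercase -i);
# the logged session shows no error, so confirm what was intended. Kept as written.
bash -I
# fping is installed from EPEL here, so enable the EPEL extra first. The generated repo
# config has gpgcheck enabled, so the fping package signature is verified against
# RPM-GPG-KEY-EPEL-7 at install time (the key import is visible in the logged output).
sudo amazon-linux-extras install epel -y
sudo yum-config-manager --enable epel
sudo yum install fping -y
# Same target list as on the boundary-VPC instance so the two result sets can be compared
# side by side: both lab hosts, two addresses not reachable at this point, and one public
# name. printf writes one host per line without relying on echo's -e/-n handling; a fixed
# /tmp path is acceptable on a single-user lab instance (prefer mktemp on shared hosts).
printf '%s\n' \
  192.168.1.100 \
  10.0.1.100 \
  10.1.1.100 \
  10.2.1.100 \
  aws.amazon.com > /tmp/hosts.txt
cat /tmp/hosts.txt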
出力
[ssm-user@ip-10-0-1-100 bin]$ bash -I
[ssm-user@ip-10-0-1-100 bin]$ sudo amazon-linux-extras install epel -y
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
0 metadata files removed
0 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.6 kB 00:00:00
amzn2extra-docker | 2.9 kB 00:00:00
amzn2extra-epel | 3.0 kB 00:00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.7 kB 00:00:00
(2/7): amzn2-core/2/x86_64/updateinfo | 940 kB 00:00:00
(3/7): amzn2extra-epel/2/x86_64/primary_db | 1.8 kB 00:00:00
(4/7): amzn2extra-epel/2/x86_64/updateinfo | 76 B 00:00:00
(5/7): amzn2extra-docker/2/x86_64/updateinfo | 16 kB 00:00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db | 102 kB 00:00:00
(7/7): amzn2-core/2/x86_64/primary_db | 69 MB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
epel-release noarch 7-11 amzn2extra-epel 15 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
2 httpd_modules available [ =1.0 =stable ]
3 memcached1.5 available \
[ =1.5.1 =1.5.16 =1.5.17 ]
9 R3.4 available [ =3.4.3 =stable ]
10 rust1 available \
[ =1.22.1 =1.26.0 =1.26.1 =1.27.2 =1.31.0 =1.38.0
=stable ]
18 libreoffice available \
[ =5.0.6.2_15 =5.3.6.1 =stable ]
19 gimp available [ =2.8.22 ]
20 †docker=latest enabled \
[ =17.12.1 =18.03.1 =18.06.1 =18.09.9 =stable ]
21 mate-desktop1.x available \
[ =1.19.0 =1.20.0 =stable ]
22 GraphicsMagick1.3 available \
[ =1.3.29 =1.3.32 =1.3.34 =stable ]
24 epel=latest enabled [ =7.11 =stable ]
25 testing available [ =1.0 =stable ]
26 ecs available [ =stable ]
27 †corretto8 available \
[ =1.8.0_192 =1.8.0_202 =1.8.0_212 =1.8.0_222 =1.8.0_232
=1.8.0_242 =stable ]
32 lustre2.10 available \
[ =2.10.5 =2.10.8 =stable ]
33 †java-openjdk11 available [ =11 =stable ]
34 lynis available [ =stable ]
36 BCC available [ =0.x =stable ]
37 mono available [ =5.x =stable ]
38 nginx1 available [ =stable ]
40 mock available [ =stable ]
43 livepatch available [ =stable ]
44 †python3.8 available [ =stable ]
45 haproxy2 available [ =stable ]
46 collectd available [ =stable ]
47 aws-nitro-enclaves-cli available [ =stable ]
48 R4 available [ =stable ]
49 kernel-5.4 available [ =stable ]
50 selinux-ng available [ =stable ]
52 tomcat9 available [ =stable ]
53 unbound1.13 available [ =stable ]
54 †mariadb10.5 available [ =stable ]
55 kernel-5.10 available [ =stable ]
56 redis6 available [ =stable ]
58 †postgresql12 available [ =stable ]
59 †postgresql13 available [ =stable ]
60 mock2 available [ =stable ]
61 dnsmasq2.85 available [ =stable ]
62 kernel-5.15 available [ =stable ]
63 †postgresql14 available [ =stable ]
64 firefox available [ =stable ]
65 lustre available [ =stable ]
66 †php8.1 available [ =stable ]
67 awscli1 available [ =stable ]
68 †php8.2 available [ =stable ]
69 dnsmasq available [ =stable ]
70 unbound1.17 available [ =stable ]
72 collectd-python3 available [ =stable ]
† Note on end-of-support. Use 'info' subcommand.
[ssm-user@ip-10-0-1-100 bin]$ sudo yum-config-manager --enable epel
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
=========================================================== repo: epel ===========================================================
[epel]
async = True
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/2
baseurl =
cache = 0
cachedir = /var/cache/yum/x86_64/2/epel
check_config_file_age = True
compare_providers_priority = 80
cost = 1000
deltarpm_metadata_percentage = 100
deltarpm_percentage =
enabled = True
enablegroups = True
exclude =
failovermethod = priority
ftp_disable_epsv = False
gpgcadir = /var/lib/yum/repos/x86_64/2/epel/gpgcadir
gpgcakey =
gpgcheck = True
gpgdir = /var/lib/yum/repos/x86_64/2/epel/gpgdir
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
hdrdir = /var/cache/yum/x86_64/2/epel/headers
http_caching = all
includepkgs =
ip_resolve =
keepalive = True
keepcache = False
mddownloadpolicy = sqlite
mdpolicy = group:small
mediaid =
metadata_expire = 21600
metadata_expire_filter = read-only:present
metalink = https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
minrate = 0
mirrorlist =
mirrorlist_expire = 86400
name = Extra Packages for Enterprise Linux 7 - x86_64
old_base_cache_dir =
password =
persistdir = /var/lib/yum/repos/x86_64/2/epel
pkgdir = /var/cache/yum/x86_64/2/epel/packages
priority = 99
proxy = False
proxy_dict =
proxy_password =
proxy_username =
repo_gpgcheck = False
report_instanceid = False
retries = 7
skip_if_unavailable = False
ssl_check_cert_permissions = True
sslcacert =
sslclientcert =
sslclientkey =
sslverify = True
throttle = 0
timeout = 5.0
ui_id = epel/x86_64
ui_repoid_vars = releasever,
basearch
username =
[ssm-user@ip-10-0-1-100 bin]$ sudo yum install fping -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Existing lock /var/run/yum.pid: another copy is running as pid 3403.
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 123 M RSS (417 MB VSZ)
Started: Wed Jul 3 13:15:39 2024 - 00:03 ago
State : Running, pid: 3403
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 305 M RSS (599 MB VSZ)
Started: Wed Jul 3 13:15:39 2024 - 00:05 ago
State : Running, pid: 3403
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 352 M RSS (645 MB VSZ)
Started: Wed Jul 3 13:15:39 2024 - 00:07 ago
State : Running, pid: 3403
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 368 M RSS (662 MB VSZ)
Started: Wed Jul 3 13:15:39 2024 - 00:09 ago
State : Running, pid: 3403
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 368 M RSS (662 MB VSZ)
Started: Wed Jul 3 13:15:39 2024 - 00:11 ago
State : Running, pid: 3403
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 368 M RSS (662 MB VSZ)
Started: Wed Jul 3 13:15:39 2024 - 00:13 ago
State : Running, pid: 3403
230 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package fping.x86_64 0:3.10-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
fping x86_64 3.10-4.el7 epel 46 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 46 k
Installed size: 104 k
Downloading packages:
warning: /var/cache/yum/x86_64/2/epel/packages/fping-3.10-4.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fping-3.10-4.el7.x86_64.rpm is not installed
fping-3.10-4.el7.x86_64.rpm | 46 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@amzn2extra-epel)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : fping-3.10-4.el7.x86_64 1/1
Verifying : fping-3.10-4.el7.x86_64 1/1
Installed:
fping.x86_64 0:3.10-4.el7
Complete!
[ssm-user@ip-10-0-1-100 bin]$ echo -n -e \
> "192.168.1.100\n"\
> "10.0.1.100\n"\
> "10.1.1.100\n"\
> "10.2.1.100\n"\
> "aws.amazon.com\n" > /tmp/hosts.txt
[ssm-user@ip-10-0-1-100 bin]$ cat /tmp/hosts.txt
192.168.1.100
10.0.1.100
10.1.1.100
10.2.1.100
aws.amazon.com
コマンド
fping -l -f /tmp/hosts.txt -D
出力
[ssm-user@ip-10-0-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720012646.320331] 192.168.1.100 : [0], 84 bytes, 0.82 ms (0.82 avg, 0% loss)
[1720012646.344619] 10.0.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720012646.422423] aws.amazon.com : [0], 84 bytes, 2.49 ms (2.49 avg, 0% loss)
[1720012647.321242] 192.168.1.100 : [1], 84 bytes, 0.76 ms (0.79 avg, 0% loss)
[1720012647.345598] 10.0.1.100 : [1], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720012647.422434] aws.amazon.com : [1], 84 bytes, 1.45 ms (1.97 avg, 0% loss)
[1720012648.322128] 192.168.1.100 : [2], 84 bytes, 0.68 ms (0.75 avg, 0% loss)
[1720012648.346598] 10.0.1.100 : [2], 84 bytes, 0.03 ms (0.02 avg, 0% loss)
[1720012648.423374] aws.amazon.com : [2], 84 bytes, 1.42 ms (1.78 avg, 0% loss)
[1720012649.323125] 192.168.1.100 : [3], 84 bytes, 0.69 ms (0.73 avg, 0% loss)
[1720012649.347574] 10.0.1.100 : [3], 84 bytes, 0.03 ms (0.02 avg, 0% loss)
[1720012649.424372] aws.amazon.com : [3], 84 bytes, 1.43 ms (1.69 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.68/0.73/0.82
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.02/0.03
10.1.1.100 : xmt/rcv/%loss = 4/0/100%
10.2.1.100 : xmt/rcv/%loss = 4/0/100%
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.42/1.69/2.49
Lab2: 別のアカウントからVPCを追加する
1. CloudFormation Template の展開
1-1. 変数設定
コマンド
# --- Lab 2 naming (run in account 2) ---
# CloudFormation stack name for lab 2; also used to derive the template file name.
STACK_NAME_LAB2="wstgw-lab2"
echo "${STACK_NAME_LAB2}"

# Name tag of the VPC created by the lab-2 template.
ACCOUNT2_VPC2_NAME="wstgwPrivateVpc2"
echo "${ACCOUNT2_VPC2_NAME}"

# Name tags of the two subnets inside wstgwPrivateVpc2 (TGW attachment subnet, private subnet).
ACCOUNT2_VPC2_SUBNET1_NAME="wstgwPrivateVpc2TgwSubnet"
echo "${ACCOUNT2_VPC2_SUBNET1_NAME}"
ACCOUNT2_VPC2_SUBNET2_NAME="wstgwPrivateVpc2PrivateSubnet"
echo "${ACCOUNT2_VPC2_SUBNET2_NAME}"
出力
[cloudshell-user@ip-10-130-58-249 ~]$ # スタック名
[cloudshell-user@ip-10-130-58-249 ~]$ STACK_NAME_LAB2="wstgw-lab2"
[cloudshell-user@ip-10-130-58-249 ~]$ echo ${STACK_NAME_LAB2}
wstgw-lab2
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ # VPC名
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_VPC2_NAME="wstgwPrivateVpc2" \
> && echo ${ACCOUNT2_VPC2_NAME}
wstgwPrivateVpc2
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ # サブネット名
[cloudshell-user@ip-10-130-58-249 ~]$ ## wstgwPrivateVpc2
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_VPC2_SUBNET1_NAME="wstgwPrivateVpc2TgwSubnet" \
> && echo ${ACCOUNT2_VPC2_SUBNET1_NAME}
wstgwPrivateVpc2TgwSubnet
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_VPC2_SUBNET2_NAME="wstgwPrivateVpc2PrivateSubnet" \
> && echo ${ACCOUNT2_VPC2_SUBNET2_NAME}
wstgwPrivateVpc2PrivateSubnet
1-2. CloudFormation Templateの展開
コマンド
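# Deploy the lab-2 template (file name derived from the stack name, read from the current
# directory). CAPABILITY_NAMED_IAM acknowledges that the template may create IAM resources
# with explicit names; it is a blanket approval, so review the template's IAM resources
# before running this rather than relying on the flag.
aws cloudformation create-stack \
  --stack-name "${STACK_NAME_LAB2}" \
  --template-body "file://${STACK_NAME_LAB2}.template" \
  --capabilities CAPABILITY_NAMED_IAM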
出力
[cloudshell-user@ip-10-130-58-249 ~]$ aws cloudformation create-stack \
> --stack-name ${STACK_NAME_LAB2} \
> --template-body file://${STACK_NAME_LAB2}.template \
> --capabilities CAPABILITY_NAMED_IAM
{
"StackId": "arn:aws:cloudformation:ap-northeast-1:888888888888:stack/wstgw-lab2/758bc430-3acf-11ef-84e3-0e04ff244d63"
}
1-3. ID取得
コマンド
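# --- Lab 2 resource IDs (run in account 2) ---
# All lookups go by Name tag. "--output text" joins multiple matches with tabs, so each
# result is checked to be a single token: a duplicate Name tag would otherwise silently
# turn the later "Name=vpc-id,Values=..." filter into a broken multi-value string.
# Prints a warning to stderr when $1 is empty or contains whitespace; never exits, because
# this snippet is pasted into an interactive shell.
one_id_or_warn() {
  case "$1" in
    ""|*[[:space:]]*) echo "WARNING: expected exactly one ID, got: '$1'" >&2 ;;
  esac
}

# VPC ID
ACCOUNT2_VPC2_ID=$(
  aws ec2 describe-vpcs \
    --filters "Name=tag:Name,Values=${ACCOUNT2_VPC2_NAME}" \
    --query "Vpcs[*].VpcId" \
    --output text
) \
&& echo "${ACCOUNT2_VPC2_ID}"
one_id_or_warn "${ACCOUNT2_VPC2_ID}"

# Subnet 1 ID (TGW attachment subnet), scoped to the VPC found above
ACCOUNT2_VPC2_SUBNET1_ID=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${ACCOUNT2_VPC2_ID}" \
              "Name=tag:Name,Values=${ACCOUNT2_VPC2_SUBNET1_NAME}" \
    --query "Subnets[].SubnetId" \
    --output text
) \
&& echo "${ACCOUNT2_VPC2_SUBNET1_ID}"
one_id_or_warn "${ACCOUNT2_VPC2_SUBNET1_ID}"

# Subnet 2 ID (private subnet), scoped to the VPC found above
ACCOUNT2_VPC2_SUBNET2_ID=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${ACCOUNT2_VPC2_ID}" \
              "Name=tag:Name,Values=${ACCOUNT2_VPC2_SUBNET2_NAME}" \
    --query "Subnets[].SubnetId" \
    --output text
) \
&& echo "${ACCOUNT2_VPC2_SUBNET2_ID}"
one_id_or_warn "${ACCOUNT2_VPC2_SUBNET2_ID}"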
出力
[cloudshell-user@ip-10-130-58-249 ~]$ # VPC ID
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_VPC2_ID=$( \
> aws ec2 describe-vpcs \
> --filters "Name=tag:Name,Values=${ACCOUNT2_VPC2_NAME}" \
> --query "Vpcs[*].VpcId" \
> --output text\
> )\
> && echo ${ACCOUNT2_VPC2_ID}
vpc-086f0422edc91e1b0
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ # サブネット1 ID
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_VPC2_SUBNET1_ID=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${ACCOUNT2_VPC2_ID} \
> Name=tag:Name,Values="${ACCOUNT2_VPC2_SUBNET1_NAME}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${ACCOUNT2_VPC2_SUBNET1_ID}
subnet-0faa994fbfe1391f7
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ # サブネット2 ID
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_VPC2_SUBNET2_ID=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${ACCOUNT2_VPC2_ID} \
> Name=tag:Name,Values="${ACCOUNT2_VPC2_SUBNET2_NAME}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${ACCOUNT2_VPC2_SUBNET2_ID}
subnet-0aa6840d6c98e2e92
2. トランジットゲートウェイのリソース共有
コマンド (アカウント1で実施)
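# --- Share the transit gateway with account 2 via AWS RAM (run in account 1) ---
# Name of the RAM resource share.
TGW_RESORCE_SHARE="wstgw-RAM" \
&& echo "${TGW_RESORCE_SHARE}"

# Transit gateway ARN.
# The original unfiltered describe-transit-gateways call returned TWO ARNs in this account
# (see the logged output), and the unquoted ${ACCOUNT1_TGW1_ARN} then word-split into two
# --resource-arns values, so BOTH gateways were shared with the other account. Restrict the
# lookup to the lab gateway by Name tag and to gateways in state "available", and refuse to
# share below unless exactly one ARN comes back.
# (Assumes the template tags the TGW with Name=${ACCOUNT1_TGW1_NAME}, set in Lab1 1-1 — confirm.)
[ -n "${ACCOUNT1_TGW1_NAME:-}" ] \
  || echo "WARNING: ACCOUNT1_TGW1_NAME is unset (set in Lab1 step 1-1); the lookup will match nothing" >&2
ACCOUNT1_TGW1_ARN=$(
  aws ec2 describe-transit-gateways \
    --filters "Name=tag:Name,Values=${ACCOUNT1_TGW1_NAME}" \
              "Name=state,Values=available" \
    --query "TransitGateways[*].TransitGatewayArn" \
    --output text
) \
&& echo "${ACCOUNT1_TGW1_ARN}"

# Account that receives the share.
ACCOUNT2_ID="888888888888" \
&& echo "${ACCOUNT2_ID}"

# Create the share only when exactly one ARN was found.
# Note: RAM defaults to allowExternalPrincipals=true (visible in the response). If both
# accounts are in the same AWS Organization, add --no-allow-external-principals so the
# share can never be extended to an account outside the organization.
case "${ACCOUNT1_TGW1_ARN}" in
  ""|*[[:space:]]*)
    echo "ERROR: expected exactly one transit gateway ARN, got: '${ACCOUNT1_TGW1_ARN}' — not sharing" >&2 ;;
  *)
    aws ram create-resource-share \
      --name "${TGW_RESORCE_SHARE}" \
      --resource-arns "${ACCOUNT1_TGW1_ARN}" \
      --principals "${ACCOUNT2_ID}" ;;
esac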
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # 共有リソース名
[cloudshell-user@ip-10-130-53-115 ~]$ TGW_RESORCE_SHARE="wstgw-RAM" \
> && echo ${TGW_RESORCE_SHARE}
wstgw-RAM
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ## Transit Gateway ARN
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW1_ARN=$(
> aws ec2 describe-transit-gateways \
> --query "TransitGateways[*].TransitGatewayArn" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW1_ARN}
arn:aws:ec2:ap-northeast-1:999999999999:transit-gateway/tgw-07df15247c1b17801 arn:aws:ec2:ap-northeast-1:999999999999:transit-gateway/tgw-0d46809c9423fbb62
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # アカウント2 ID
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT2_ID="888888888888" \
> && echo ${ACCOUNT2_ID}
888888888888
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # リソース共有
[cloudshell-user@ip-10-130-53-115 ~]$ aws ram create-resource-share \
> --name ${TGW_RESORCE_SHARE} \
> --resource-arns ${ACCOUNT1_TGW1_ARN} \
> --principals ${ACCOUNT2_ID}
{
"resourceShare": {
"resourceShareArn": "arn:aws:ram:ap-northeast-1:999999999999:resource-share/4b15f1e8-4597-4d97-b527-1e8ee08c2e39",
"name": "wstgw-RAM",
"owningAccountId": "999999999999",
"allowExternalPrincipals": true,
"status": "ACTIVE",
"tags": [],
"creationTime": "2024-07-05T13:12:33.784000+00:00",
"lastUpdatedTime": "2024-07-05T13:12:33.784000+00:00"
}
}
3. トランジットゲートウェイのリソース共有の承諾
コマンド (アカウント2で実施)
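# Account that is expected to send the share (the transit gateway owner).
ACCOUNT1_ID="999999999999" \
&& echo "${ACCOUNT1_ID}"
# ARN of the pending invitation sent by account 1. Without the filter the query
# lists every invitation this account has ever received (accepted ones too) and
# the accept call below would act on whatever came back; restricting to
# status PENDING and the expected senderAccountId makes sure only a share from
# the intended account is accepted.
RESOURCE_INVITATION_ARN=$(
  aws ram get-resource-share-invitations \
    --query "resourceShareInvitations[?status=='PENDING' && senderAccountId=='${ACCOUNT1_ID}'].resourceShareInvitationArn" \
    --output text
) \
&& echo "${RESOURCE_INVITATION_ARN}"
# Accept the share; afterwards the shared transit gateway is visible in account 2.
aws ram accept-resource-share-invitation \
  --resource-share-invitation-arn "${RESOURCE_INVITATION_ARN}"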
出力
[cloudshell-user@ip-10-130-58-249 ~]$ # 承認待ちのリソースシェア招待のARNを取
[cloudshell-user@ip-10-130-58-249 ~]$ RESOURCE_INVITATION_ARN=$(
> aws ram get-resource-share-invitations \
> --query "resourceShareInvitations[*].resourceShareInvitationArn" \
> --output text
> ) \
> && echo ${RESOURCE_INVITATION_ARN}
arn:aws:ram:ap-northeast-1:999999999999:resource-share-invitation/c6849baf-35dd-488d-90e2-88b2dd8ed67e
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ # リソースシェアを承認
[cloudshell-user@ip-10-130-58-249 ~]$ aws ram accept-resource-share-invitation \
> --resource-share-invitation-arn ${RESOURCE_INVITATION_ARN}
{
"resourceShareInvitation": {
"resourceShareInvitationArn": "arn:aws:ram:ap-northeast-1:999999999999:resource-share-invitation/c6849baf-35dd-488d-90e2-88b2dd8ed67e",
"resourceShareName": "wstgw-RAM",
"resourceShareArn": "arn:aws:ram:ap-northeast-1:999999999999:resource-share/4b15f1e8-4597-4d97-b527-1e8ee08c2e39",
"senderAccountId": "999999999999",
"receiverAccountId": "888888888888",
"invitationTimestamp": "2024-07-05T13:26:05.515000+00:00",
"status": "ACCEPTED"
}
}
4. トランジットゲートウェイのアタッチメント
コマンド (アカウント2で実施)
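# Transit Gateway ID as visible from account 2: the gateway shared by account 1
# through RAM. The lookup is unfiltered, so it returns every gateway account 2
# can see; the check below reports loudly if that is not exactly one ID, rather
# than passing a space-separated list to create-transit-gateway-vpc-attachment
# (the same unfiltered lookup returned two gateways on the account 1 side).
ACCOUNT2_TGW_ID=$(
  aws ec2 describe-transit-gateways \
    --query "TransitGateways[*].TransitGatewayId" \
    --output text
) \
&& echo "${ACCOUNT2_TGW_ID}"
[[ "${ACCOUNT2_TGW_ID}" =~ ^tgw-[0-9a-f]+$ ]] \
  || printf 'expected exactly one transit gateway ID, got: %s\n' "${ACCOUNT2_TGW_ID}" >&2
# Attach PrivateVpc2 to the shared gateway; --subnet-ids is the subnet the
# gateway's network interface is created in (SUBNET1 on this page). The
# attachment is returned in state "pending" and carries traffic only once it
# is available.
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id "${ACCOUNT2_TGW_ID}" \
  --vpc-id "${ACCOUNT2_VPC2_ID}" \
  --subnet-ids "${ACCOUNT2_VPC2_SUBNET1_ID}"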
出力
[cloudshell-user@ip-10-130-58-249 ~]$ # Transit Gateway ID
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_TGW_ID=$(
> aws ec2 describe-transit-gateways \
> --query "TransitGateways[*].TransitGatewayId" \
> --output text
> ) \
> && echo ${ACCOUNT2_TGW_ID}
tgw-07df15247c1b17801
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ aws ec2 create-transit-gateway-vpc-attachment \
> --transit-gateway-id ${ACCOUNT2_TGW_ID} \
> --vpc-id ${ACCOUNT2_VPC2_ID} \
> --subnet-ids ${ACCOUNT2_VPC2_SUBNET1_ID}
{
"TransitGatewayVpcAttachment": {
"TransitGatewayAttachmentId": "tgw-attach-0641e395643f0c84c",
"TransitGatewayId": "tgw-07df15247c1b17801",
"VpcId": "vpc-086f0422edc91e1b0",
"VpcOwnerId": "888888888888",
"State": "pending",
"SubnetIds": [
"subnet-0faa994fbfe1391f7"
],
"CreationTime": "2024-07-05T13:27:09+00:00",
"Options": {
"DnsSupport": "enable",
"Ipv6Support": "disable",
"ApplianceModeSupport": "disable"
}
}
}
5. VPCサブネットのルートテーブルを編集
5-1. ルートの確認
コマンドと出力(アカウント2で実施)
[cloudshell-user@ip-10-130-58-249 ~]$ # wstgwPrivateVpc2PrivateSubnet
[cloudshell-user@ip-10-130-58-249 ~]$ aws ec2 describe-route-tables \
> --filters "Name=association.subnet-id,Values=${ACCOUNT2_VPC2_SUBNET2_ID}" \
> --output table
---------------------------------------------------------------------------------------------------------------------------------------------------
| DescribeRouteTables |
+-------------------------------------------------------------------------------------------------------------------------------------------------+
|| RouteTables ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| 888888888888 | rtb-03f81fa0c832d10ec | vpc-086f0422edc91e1b0 ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
||| Associations |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| Main | RouteTableAssociationId | RouteTableId | SubnetId |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| False | rtbassoc-0a7026f4feebb8863 | rtb-03f81fa0c832d10ec | subnet-0aa6840d6c98e2e92 |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
|||| AssociationState ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
|||| State | associated ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
||| Routes |||
||+-------------------------------------------------+---------------------------+------------------------------------------+--------------------+||
||| DestinationCidrBlock | GatewayId | Origin | State |||
||+-------------------------------------------------+---------------------------+------------------------------------------+--------------------+||
||| 10.1.0.0/16 | local | CreateRouteTable | active |||
||+-------------------------------------------------+---------------------------+------------------------------------------+--------------------+||
||| Tags |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| Key | Value |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| aws:cloudformation:stack-id | arn:aws:cloudformation:ap-northeast-1:888888888888:stack/wstgw-lab2/758bc430-3acf-11ef-84e3-0e04ff244d63 |||
||| aws:cloudformation:logical-id| wstgwRtbPrivateVpc2PrivateSubnet |||
||| aws:cloudformation:stack-name| wstgw-lab2 |||
||| Name | wstgwRtbPrivateVpc2PrivateSubnet |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
5-2. ルートを追加
コマンド(アカウント2で実施)
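# Route table of wstgwPrivateVpc2PrivateSubnet, looked up by VPC and Name tag.
ACCOUNT2_ROUTE_TABLE_NAME='wstgwRtbPrivateVpc2PrivateSubnet' \
&& echo "${ACCOUNT2_ROUTE_TABLE_NAME}"
ACCOUNT2_ROUTE_TABLE_ID=$(
  aws ec2 describe-route-tables \
    --filters "Name=vpc-id,Values=${ACCOUNT2_VPC2_ID}" \
              "Name=tag:Name,Values=${ACCOUNT2_ROUTE_TABLE_NAME}" \
    --query "RouteTables[].RouteTableId" \
    --output text
) \
&& echo "${ACCOUNT2_ROUTE_TABLE_ID}"
# Send everything that is not VPC-local to the transit gateway. The gateway is
# passed with --transit-gateway-id, the parameter documented for this target
# (the page's --gateway-id call also succeeded, but that option is documented
# for internet and virtual private gateways). From here on, where the subnet's
# non-local traffic ends up is decided entirely by the TGW route tables, which
# is what Lab 3 relies on to isolate traffic.
aws ec2 create-route \
  --route-table-id "${ACCOUNT2_ROUTE_TABLE_ID}" \
  --destination-cidr-block 0.0.0.0/0 \
  --transit-gateway-id "${ACCOUNT2_TGW_ID}"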
出力
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_ROUTE_TABLE_NAME='wstgwRtbPrivateVpc2PrivateSubnet' \
> && echo ${ACCOUNT2_ROUTE_TABLE_NAME}
wstgwRtbPrivateVpc2PrivateSubnet
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ ACCOUNT2_ROUTE_TABLE_ID=$( \
> aws ec2 describe-route-tables \
> --filters Name=vpc-id,Values=${ACCOUNT2_VPC2_ID} \
> Name=tag:Name,Values="${ACCOUNT2_ROUTE_TABLE_NAME}" \
> --query "RouteTables[].RouteTableId" \
> --output text \
> ) \
> && echo ${ACCOUNT2_ROUTE_TABLE_ID}
rtb-03f81fa0c832d10ec
[cloudshell-user@ip-10-130-58-249 ~]$
[cloudshell-user@ip-10-130-58-249 ~]$ aws ec2 create-route \
> --route-table-id ${ACCOUNT2_ROUTE_TABLE_ID} \
> --destination-cidr-block 0.0.0.0/0 \
> --gateway-id ${ACCOUNT2_TGW_ID}
{
"Return": true
}
5-3. ルートの確認
コマンド(アカウント2で実施)
# Re-read the route table associated with wstgwPrivateVpc2PrivateSubnet to
# confirm that the 0.0.0.0/0 entry now points at the transit gateway.
aws ec2 describe-route-tables --output table \
  --filters Name=association.subnet-id,Values="${ACCOUNT2_VPC2_SUBNET2_ID}"
出力
[cloudshell-user@ip-10-130-58-249 ~]$ # wstgwPrivateVpc2PrivateSubnet
[cloudshell-user@ip-10-130-58-249 ~]$ aws ec2 describe-route-tables \
> --filters "Name=association.subnet-id,Values=${ACCOUNT2_VPC2_SUBNET2_ID}" \
> --output table
---------------------------------------------------------------------------------------------------------------------------------------------------
| DescribeRouteTables |
+-------------------------------------------------------------------------------------------------------------------------------------------------+
|| RouteTables ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| OwnerId | RouteTableId | VpcId ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
|| 888888888888 | rtb-03f81fa0c832d10ec | vpc-086f0422edc91e1b0 ||
|+---------------------------------+------------------------------------------------------+------------------------------------------------------+|
||| Associations |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| Main | RouteTableAssociationId | RouteTableId | SubnetId |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
||| False | rtbassoc-0a7026f4feebb8863 | rtb-03f81fa0c832d10ec | subnet-0aa6840d6c98e2e92 |||
||+-----------+----------------------------------------------+--------------------------------------+-------------------------------------------+||
|||| AssociationState ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
|||| State | associated ||||
|||+-----------------------------------------------------+-------------------------------------------------------------------------------------+|||
||| Routes |||
||+-----------------------------------+-------------------+------------------------------+---------------+--------------------------------------+||
||| DestinationCidrBlock | GatewayId | Origin | State | TransitGatewayId |||
||+-----------------------------------+-------------------+------------------------------+---------------+--------------------------------------+||
||| 10.1.0.0/16 | local | CreateRouteTable | active | |||
||| 0.0.0.0/0 | | CreateRoute | active | tgw-07df15247c1b17801 |||
||+-----------------------------------+-------------------+------------------------------+---------------+--------------------------------------+||
||| Tags |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| Key | Value |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
||| aws:cloudformation:stack-id | arn:aws:cloudformation:ap-northeast-1:888888888888:stack/wstgw-lab2/758bc430-3acf-11ef-84e3-0e04ff244d63 |||
||| aws:cloudformation:logical-id| wstgwRtbPrivateVpc2PrivateSubnet |||
||| aws:cloudformation:stack-name| wstgw-lab2 |||
||| Name | wstgwRtbPrivateVpc2PrivateSubnet |||
||+-------------------------------+-------------------------------------------------------------------------------------------------------------+||
6. 疎通確認(wstgwEc2Instance10-1-1-100)
コマンド
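# From the Session Manager sh prompt on the 10.1.1.100 instance, start bash and
# check that the instance reaches the internet through the TGW default route
# added in step 5. Bounded to 4 probes, as in the transcript below, so the
# command returns on its own instead of running until interrupted.
bash -I
ping -c 4 aws.amazon.com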
出力
sh-4.2$ bash -I
[ssm-user@ip-10-1-1-100 bin]$
[ssm-user@ip-10-1-1-100 bin]$ ping aws.amazon.com -c 4
PING dr49lng3n1n2s.cloudfront.net (18.65.168.18) 56(84) bytes of data.
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=1 ttl=244 time=2.71 ms
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=2 ttl=244 time=2.25 ms
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=3 ttl=244 time=2.22 ms
64 bytes from server-18-65-168-18.nrt57.r.cloudfront.net (18.65.168.18): icmp_seq=4 ttl=244 time=2.24 ms
--- dr49lng3n1n2s.cloudfront.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 2.226/2.360/2.714/0.207 ms
fping のセットアップ
コマンド
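bash -I
# fping comes from EPEL on Amazon Linux 2. The repo configuration printed on this
# page has gpgcheck=True, so the package signature is verified at install time.
sudo amazon-linux-extras install epel -y
sudo yum-config-manager --enable epel
sudo yum install fping -y
# Target list for fping: one host per line with no leading whitespace. printf
# with a per-argument format avoids the leading space that
# 'echo -n -e "a\n" "b\n"' inserts in front of every line but the first when it
# joins its arguments. The path stays /tmp/hosts.txt because the later fping
# steps on this page read it; /tmp is shared with other local users, so keep it
# to this throw-away list.
printf '%s\n' \
  192.168.1.100 \
  10.0.1.100 \
  10.1.1.100 \
  10.2.1.100 \
  aws.amazon.com > /tmp/hosts.txt
cat /tmp/hosts.txt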
出力
[ssm-user@ip-10-1-1-100 bin]$ bash -I
[ssm-user@ip-10-1-1-100 bin]$ sudo amazon-linux-extras install epel -y
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
0 metadata files removed
0 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.6 kB 00:00:00
amzn2extra-docker | 2.9 kB 00:00:00
amzn2extra-epel | 3.0 kB 00:00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.7 kB 00:00:00
(2/7): amzn2-core/2/x86_64/updateinfo | 940 kB 00:00:00
(3/7): amzn2extra-epel/2/x86_64/primary_db | 1.8 kB 00:00:00
(4/7): amzn2extra-docker/2/x86_64/updateinfo | 16 kB 00:00:00
(5/7): amzn2extra-epel/2/x86_64/updateinfo | 76 B 00:00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db | 102 kB 00:00:00
(7/7): amzn2-core/2/x86_64/primary_db | 69 MB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
epel-release noarch 7-11 amzn2extra-epel 15 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
2 httpd_modules available [ =1.0 =stable ]
3 memcached1.5 available \
[ =1.5.1 =1.5.16 =1.5.17 ]
9 R3.4 available [ =3.4.3 =stable ]
10 rust1 available \
[ =1.22.1 =1.26.0 =1.26.1 =1.27.2 =1.31.0 =1.38.0
=stable ]
18 libreoffice available \
[ =5.0.6.2_15 =5.3.6.1 =stable ]
19 gimp available [ =2.8.22 ]
20 †docker=latest enabled \
[ =17.12.1 =18.03.1 =18.06.1 =18.09.9 =stable ]
21 mate-desktop1.x available \
[ =1.19.0 =1.20.0 =stable ]
22 GraphicsMagick1.3 available \
[ =1.3.29 =1.3.32 =1.3.34 =stable ]
24 epel=latest enabled [ =7.11 =stable ]
25 testing available [ =1.0 =stable ]
26 ecs available [ =stable ]
27 †corretto8 available \
[ =1.8.0_192 =1.8.0_202 =1.8.0_212 =1.8.0_222 =1.8.0_232
=1.8.0_242 =stable ]
32 lustre2.10 available \
[ =2.10.5 =2.10.8 =stable ]
33 †java-openjdk11 available [ =11 =stable ]
34 lynis available [ =stable ]
36 BCC available [ =0.x =stable ]
37 mono available [ =5.x =stable ]
38 nginx1 available [ =stable ]
40 mock available [ =stable ]
43 livepatch available [ =stable ]
44 †python3.8 available [ =stable ]
45 haproxy2 available [ =stable ]
46 collectd available [ =stable ]
47 aws-nitro-enclaves-cli available [ =stable ]
48 R4 available [ =stable ]
49 kernel-5.4 available [ =stable ]
50 selinux-ng available [ =stable ]
52 tomcat9 available [ =stable ]
53 unbound1.13 available [ =stable ]
54 †mariadb10.5 available [ =stable ]
55 kernel-5.10 available [ =stable ]
56 redis6 available [ =stable ]
58 †postgresql12 available [ =stable ]
59 †postgresql13 available [ =stable ]
60 mock2 available [ =stable ]
61 dnsmasq2.85 available [ =stable ]
62 kernel-5.15 available [ =stable ]
63 †postgresql14 available [ =stable ]
64 firefox available [ =stable ]
65 lustre available [ =stable ]
66 †php8.1 available [ =stable ]
67 awscli1 available [ =stable ]
68 †php8.2 available [ =stable ]
69 dnsmasq available [ =stable ]
70 unbound1.17 available [ =stable ]
72 collectd-python3 available [ =stable ]
† Note on end-of-support. Use 'info' subcommand.
[ssm-user@ip-10-1-1-100 bin]$ sudo yum-config-manager --enable epel
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
=========================================================== repo: epel ===========================================================
[epel]
async = True
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/2
baseurl =
cache = 0
cachedir = /var/cache/yum/x86_64/2/epel
check_config_file_age = True
compare_providers_priority = 80
cost = 1000
deltarpm_metadata_percentage = 100
deltarpm_percentage =
enabled = True
enablegroups = True
exclude =
failovermethod = priority
ftp_disable_epsv = False
gpgcadir = /var/lib/yum/repos/x86_64/2/epel/gpgcadir
gpgcakey =
gpgcheck = True
gpgdir = /var/lib/yum/repos/x86_64/2/epel/gpgdir
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
hdrdir = /var/cache/yum/x86_64/2/epel/headers
http_caching = all
includepkgs =
ip_resolve =
keepalive = True
keepcache = False
mddownloadpolicy = sqlite
mdpolicy = group:small
mediaid =
metadata_expire = 21600
metadata_expire_filter = read-only:present
metalink = https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
minrate = 0
mirrorlist =
mirrorlist_expire = 86400
name = Extra Packages for Enterprise Linux 7 - x86_64
old_base_cache_dir =
password =
persistdir = /var/lib/yum/repos/x86_64/2/epel
pkgdir = /var/cache/yum/x86_64/2/epel/packages
priority = 99
proxy = False
proxy_dict =
proxy_password =
proxy_username =
repo_gpgcheck = False
report_instanceid = False
retries = 7
skip_if_unavailable = False
ssl_check_cert_permissions = True
sslcacert =
sslclientcert =
sslclientkey =
sslverify = True
throttle = 0
timeout = 5.0
ui_id = epel/x86_64
ui_repoid_vars = releasever,
basearch
username =
[ssm-user@ip-10-1-1-100 bin]$ sudo yum install fping -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Existing lock /var/run/yum.pid: another copy is running as pid 3323.
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 112 M RSS (406 MB VSZ)
Started: Wed Jul 3 13:46:10 2024 - 00:03 ago
State : Sleeping, pid: 3323
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 120 M RSS (414 MB VSZ)
Started: Wed Jul 3 13:46:10 2024 - 00:05 ago
State : Running, pid: 3323
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 303 M RSS (597 MB VSZ)
Started: Wed Jul 3 13:46:10 2024 - 00:07 ago
State : Running, pid: 3323
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 363 M RSS (657 MB VSZ)
Started: Wed Jul 3 13:46:10 2024 - 00:09 ago
State : Running, pid: 3323
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 366 M RSS (660 MB VSZ)
Started: Wed Jul 3 13:46:10 2024 - 00:11 ago
State : Running, pid: 3323
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 366 M RSS (660 MB VSZ)
Started: Wed Jul 3 13:46:10 2024 - 00:13 ago
State : Running, pid: 3323
230 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package fping.x86_64 0:3.10-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
fping x86_64 3.10-4.el7 epel 46 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 46 k
Installed size: 104 k
Downloading packages:
warning: /var/cache/yum/x86_64/2/epel/packages/fping-3.10-4.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fping-3.10-4.el7.x86_64.rpm is not installed
fping-3.10-4.el7.x86_64.rpm | 46 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@amzn2extra-epel)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : fping-3.10-4.el7.x86_64 1/1
Verifying : fping-3.10-4.el7.x86_64 1/1
Installed:
fping.x86_64 0:3.10-4.el7
Complete!
[ssm-user@ip-10-1-1-100 bin]$ echo -n -e \
> "192.168.1.100\n"\
> "10.0.1.100\n"\
> "10.1.1.100\n"\
> "10.2.1.100\n"\
> "aws.amazon.com\n" > /tmp/hosts.txt
[ssm-user@ip-10-1-1-100 bin]$ cat /tmp/hosts.txt
192.168.1.100
10.0.1.100
10.1.1.100
10.2.1.100
aws.amazon.com
fping の実行
コマンド
# -l loops over the target list until Ctrl-C; the per-host xmt/rcv/%loss summary
# is printed on interrupt. -f reads the hosts written above, -D prefixes every
# reply with a timestamp. A host that never answers (10.2.1.100 in the transcript)
# only shows up in the final summary as 100% loss.
fping -l -f /tmp/hosts.txt -D
出力
[ssm-user@ip-10-1-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720014435.843335] 192.168.1.100 : [0], 84 bytes, 0.82 ms (0.82 avg, 0% loss)
[1720014435.868412] 10.0.1.100 : [0], 84 bytes, 0.79 ms (0.79 avg, 0% loss)
[1720014435.892737] 10.1.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720014435.945857] aws.amazon.com : [0], 84 bytes, 2.94 ms (2.94 avg, 0% loss)
[1720014436.844097] 192.168.1.100 : [1], 84 bytes, 0.61 ms (0.71 avg, 0% loss)
[1720014436.869352] 10.0.1.100 : [1], 84 bytes, 0.77 ms (0.78 avg, 0% loss)
[1720014436.893715] 10.1.1.100 : [1], 84 bytes, 0.03 ms (0.02 avg, 0% loss)
[1720014436.946226] aws.amazon.com : [1], 84 bytes, 2.31 ms (2.62 avg, 0% loss)
[1720014437.845028] 192.168.1.100 : [2], 84 bytes, 0.62 ms (0.68 avg, 0% loss)
[1720014437.870095] 10.0.1.100 : [2], 84 bytes, 0.60 ms (0.72 avg, 0% loss)
[1720014437.894621] 10.1.1.100 : [2], 84 bytes, 0.03 ms (0.02 avg, 0% loss)
[1720014437.947080] aws.amazon.com : [2], 84 bytes, 2.22 ms (2.49 avg, 0% loss)
[1720014438.845596] 192.168.1.100 : [3], 84 bytes, 0.69 ms (0.68 avg, 0% loss)
[1720014438.870636] 10.0.1.100 : [3], 84 bytes, 0.62 ms (0.69 avg, 0% loss)
[1720014438.895143] 10.1.1.100 : [3], 84 bytes, 0.03 ms (0.02 avg, 0% loss)
[1720014438.947496] aws.amazon.com : [3], 84 bytes, 2.20 ms (2.41 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.61/0.68/0.82
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.60/0.69/0.79
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.02/0.03
10.2.1.100 : xmt/rcv/%loss = 4/0/100%
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 2.20/2.41/2.94
Lab3: ルートテーブルを使用してトラフィックを分離する
1. Transit Gateway ルートテーブルの作成
1-1. ルートテーブルの作成
コマンド
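# Name tag for the new TGW route table that Lab 3 uses to isolate traffic.
ACCOUNT1_TGW_ROUTE_NAME="wstgwTgw" \
&& echo "${ACCOUNT1_TGW_ROUTE_NAME}"
# Create the route table on the workshop transit gateway. A newly created table
# is neither the default association nor the default propagation table (both
# fields are false in the response), so no attachment uses it until it is
# associated explicitly in step 3.
aws ec2 create-transit-gateway-route-table \
  --transit-gateway-id "${ACCOUNT1_TGW1_ID}" \
  --tag-specifications "ResourceType=transit-gateway-route-table,Tags=[{Key=Name,Value=${ACCOUNT1_TGW_ROUTE_NAME}}]"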
出力
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW_ROUTE_NAME="wstgwTgw" \
> && echo ${ACCOUNT1_TGW_ROUTE_NAME}
wstgwTgw
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route-table \
> --transit-gateway-id ${ACCOUNT1_TGW1_ID} \
> --tag-specifications "ResourceType=transit-gateway-route-table,Tags=[{Key=Name,Value=${ACCOUNT1_TGW_ROUTE_NAME}}]"
{
"TransitGatewayRouteTable": {
"TransitGatewayRouteTableId": "tgw-rtb-00308e50348bd4196",
"TransitGatewayId": "tgw-07df15247c1b17801",
"State": "pending",
"DefaultAssociationRouteTable": false,
"DefaultPropagationRouteTable": false,
"CreationTime": "2024-07-05T13:40:13+00:00",
"Tags": [
{
"Key": "Name",
"Value": "wstgwTgw"
}
]
}
}
1-2. ID取得
コマンド
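# Resolve the ID of the route table created in 1-1 from its Name tag. The
# lookup is also pinned to the workshop gateway: account 1 owns more than one
# transit gateway (two ARNs in the Lab 2 transcript), and a Name tag is not
# unique across gateways.
ACCOUNT1_TGW_ROUTE_ID=$(
  aws ec2 describe-transit-gateway-route-tables \
    --filters "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
              "Name=tag:Name,Values=${ACCOUNT1_TGW_ROUTE_NAME}" \
    --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
    --output text
) \
&& echo "${ACCOUNT1_TGW_ROUTE_ID}"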
出力
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW_ROUTE_ID=$(
> aws ec2 describe-transit-gateway-route-tables \
> --filters "Name=tag:Name,Values=${ACCOUNT1_TGW_ROUTE_NAME}" \
> --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW_ROUTE_ID}
tgw-rtb-00308e50348bd4196
2. デフォルトルートテーブルからPrivateVPCアタッチメントの関連付けを削除する
2-1. ID取得
コマンド
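# Attachment IDs of the three VPC attachments on the workshop gateway. Every
# lookup is pinned to the gateway and to state=available so that attachments on
# account 1's other gateway, or ones that are deleting/deleted (which the API
# can still list for a while), do not end up in the variables.
# BoundaryVpc attachment (account 1).
ACCOUNT1_TGW_VPC_ATTACHMENT_ID=$(
  aws ec2 describe-transit-gateway-attachments \
    --filters "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
              "Name=resource-id,Values=${ACCOUNT1_VPC_ID}" \
              "Name=state,Values=available" \
    --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
    --output text
) \
&& echo "${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}"
# PrivateVpc1 attachment (account 1).
ACCOUNT1_TGW_VPC1_ATTACHMENT_ID=$(
  aws ec2 describe-transit-gateway-attachments \
    --filters "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
              "Name=resource-id,Values=${ACCOUNT1_VPC1_ID}" \
              "Name=state,Values=available" \
    --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
    --output text
) \
&& echo "${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}"
# PrivateVpc2 attachment, owned by account 2. Account 2's VPC ID is not known in
# this shell, so the attachment is selected by owner and resource type; this
# returns every available VPC attachment account 2 has on this gateway, which in
# the workshop is exactly one.
ACCOUNT2_TGW_VPC2_ATTACHMENT_ID=$(
  aws ec2 describe-transit-gateway-attachments \
    --filters "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
              "Name=resource-owner-id,Values=${ACCOUNT2_ID}" \
              "Name=resource-type,Values=vpc" \
              "Name=state,Values=available" \
    --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
    --output text
) \
&& echo "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}"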
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # VPCアタッチメントの関連付けIDを取得
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW_VPC_ATTACHMENT_ID=$(
> aws ec2 describe-transit-gateway-attachments \
> --filters "Name=resource-id,Values=${ACCOUNT1_VPC_ID}" \
> --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}
tgw-attach-0731ed17e025f0c4d
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW_VPC1_ATTACHMENT_ID=$(
> aws ec2 describe-transit-gateway-attachments \
> --filters "Name=resource-id,Values=${ACCOUNT1_VPC1_ID}" \
> --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}
tgw-attach-07bed2f5bd17f690a
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT2_TGW_VPC2_ATTACHMENT_ID=$(
> aws ec2 describe-transit-gateway-attachments \
> --filters "Name=resource-owner-id,Values=${ACCOUNT2_ID}" \
> --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
> --output text
> ) \
> && echo ${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}
tgw-attach-0641e395643f0c84c
2-2. 関連付けを削除
コマンド
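# Detach both private-VPC attachments from the gateway's default association
# route table. Until step 3 associates them with the new table, these
# attachments are not associated with any TGW route table. Each call returns the
# association in state "disassociating".
for attachment_id in "${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}" "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}"; do
  aws ec2 disassociate-transit-gateway-route-table \
    --transit-gateway-route-table-id "${ACCOUNT1_TGW1_ROUTETABLE_ID}" \
    --transit-gateway-attachment-id "${attachment_id}"
done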
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 disassociate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-039d20e8aa3326006",
"TransitGatewayAttachmentId": "tgw-attach-07bed2f5bd17f690a",
"ResourceId": "vpc-00cef602390e56814",
"ResourceType": "vpc",
"State": "disassociating"
}
}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 disassociate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-039d20e8aa3326006",
"TransitGatewayAttachmentId": "tgw-attach-0641e395643f0c84c",
"ResourceId": "vpc-086f0422edc91e1b0",
"ResourceType": "vpc",
"State": "disassociating"
}
}
3. PrivateVPC アタッチメント を作成したルートテーブルに関連付ける
コマンド
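# Associate both private-VPC attachments with the route table created in 1-1.
# An attachment can be associated with only one TGW route table, so this must
# follow the disassociation in 2-2. Each call returns the association in state
# "associating".
for attachment_id in "${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}" "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}"; do
  aws ec2 associate-transit-gateway-route-table \
    --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_ID}" \
    --transit-gateway-attachment-id "${attachment_id}"
done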
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 associate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-00308e50348bd4196",
"TransitGatewayAttachmentId": "tgw-attach-07bed2f5bd17f690a",
"ResourceId": "vpc-00cef602390e56814",
"ResourceType": "vpc",
"State": "associating"
}
}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 associate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-00308e50348bd4196",
"TransitGatewayAttachmentId": "tgw-attach-0641e395643f0c84c",
"ResourceId": "vpc-086f0422edc91e1b0",
"ResourceType": "vpc",
"State": "associating"
}
}
4. ルートを追加
コマンド
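# Default route of the new table: anything not matched by a more specific route
# leaves through the BoundaryVpc attachment, so the private VPCs associated
# with this table reach the outside only via the boundary VPC (presumably the
# egress/NAT path of this workshop). The route is static and returned active.
aws ec2 create-transit-gateway-route \
  --destination-cidr-block 0.0.0.0/0 \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_ID}" \
  --transit-gateway-attachment-id "${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}"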
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route \
> --destination-cidr-block 0.0.0.0/0 \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}
{
"Route": {
"DestinationCidrBlock": "0.0.0.0/0",
"TransitGatewayAttachments": [
{
"ResourceId": "vpc-09eae5bdd8ff4b663",
"TransitGatewayAttachmentId": "tgw-attach-0731ed17e025f0c4d",
"ResourceType": "vpc"
}
],
"Type": "static",
"State": "active"
}
}
5. Blackhole ルートを追加
コマンド
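# CIDR block to blackhole. 10.0.0.0/15 spans 10.0.0.0-10.1.255.255, which
# covers both private-VPC hosts in the fping list (10.0.1.100 and 10.1.1.100).
DESTINATION_CIDR_BLOCK="10.0.0.0/15" \
&& echo "${DESTINATION_CIDR_BLOCK}"
# Blackhole route: traffic for that range arriving on this table is dropped at
# the gateway. It is more specific than the 0.0.0.0/0 route from step 4 and so
# wins by longest-prefix match; the intended effect is that the private VPCs
# keep their default route through the boundary VPC but lose the path to each
# other. The response shows the route in state "blackhole".
aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_ID}" \
  --destination-cidr-block "${DESTINATION_CIDR_BLOCK}" \
  --blackhole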
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # CIDRブロック
[cloudshell-user@ip-10-130-53-115 ~]$ DESTINATION_CIDR_BLOCK="10.0.0.0/15" \
> && echo ${DESTINATION_CIDR_BLOCK}
10.0.0.0/15
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # Blackhole ルートを追加
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_ID} \
> --destination-cidr-block ${DESTINATION_CIDR_BLOCK} \
> --blackhole
{
"Route": {
"DestinationCidrBlock": "10.0.0.0/15",
"Type": "static",
"State": "blackhole"
}
}
6. 疎通確認
BoundaryVPC(192.168.1.100)
コマンド
# Loop (-l) over every target listed in /tmp/hosts.txt (-f) until Ctrl-C,
# prefixing each reply with a timestamp (-D). The per-target summary printed
# on Ctrl-C is what shows which destinations are reachable through the TGW.
fping -lD -f /tmp/hosts.txt
出力
[ssm-user@ip-192-168-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720015460.263768] 192.168.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720015460.289853] 10.0.1.100 : [0], 84 bytes, 1.02 ms (1.02 avg, 0% loss)
[1720015460.314787] 10.1.1.100 : [0], 84 bytes, 0.84 ms (0.84 avg, 0% loss)
[1720015460.366515] aws.amazon.com : [0], 84 bytes, 2.33 ms (2.33 avg, 0% loss)
[1720015461.264719] 192.168.1.100 : [1], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720015461.290412] 10.0.1.100 : [1], 84 bytes, 0.64 ms (0.83 avg, 0% loss)
[1720015461.315518] 10.1.1.100 : [1], 84 bytes, 0.63 ms (0.73 avg, 0% loss)
[1720015461.367277] aws.amazon.com : [1], 84 bytes, 2.13 ms (2.23 avg, 0% loss)
[1720015462.265647] 192.168.1.100 : [2], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720015462.291319] 10.0.1.100 : [2], 84 bytes, 0.63 ms (0.76 avg, 0% loss)
[1720015462.316386] 10.1.1.100 : [2], 84 bytes, 0.61 ms (0.69 avg, 0% loss)
[1720015462.368052] aws.amazon.com : [2], 84 bytes, 2.06 ms (2.17 avg, 0% loss)
[1720015463.266035] 192.168.1.100 : [3], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720015463.291894] 10.0.1.100 : [3], 84 bytes, 0.76 ms (0.76 avg, 0% loss)
[1720015463.316775] 10.1.1.100 : [3], 84 bytes, 0.52 ms (0.65 avg, 0% loss)
[1720015463.368499] aws.amazon.com : [3], 84 bytes, 2.04 ms (2.14 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.03/0.04
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.63/0.76/1.02
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.52/0.65/0.84
10.2.1.100 : xmt/rcv/%loss = 4/0/100%
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 2.04/2.14/2.33
PrivateVPC1(10.0.1.100)
コマンド
# Loop (-l) over every target listed in /tmp/hosts.txt (-f) until Ctrl-C,
# prefixing each reply with a timestamp (-D). The per-target summary printed
# on Ctrl-C is what shows which destinations are reachable through the TGW.
fping -lD -f /tmp/hosts.txt
出力
[ssm-user@ip-10-0-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720015503.409899] 192.168.1.100 : [0], 84 bytes, 0.94 ms (0.94 avg, 0% loss)
[1720015503.434136] 10.0.1.100 : [0], 84 bytes, 0.04 ms (0.04 avg, 0% loss)
[1720015503.511685] aws.amazon.com : [0], 84 bytes, 2.06 ms (2.06 avg, 0% loss)
[1720015504.410674] 192.168.1.100 : [1], 84 bytes, 0.75 ms (0.84 avg, 0% loss)
[1720015504.435093] 10.0.1.100 : [1], 84 bytes, 0.04 ms (0.04 avg, 0% loss)
[1720015504.512153] aws.amazon.com : [1], 84 bytes, 1.64 ms (1.85 avg, 0% loss)
[1720015505.410751] 192.168.1.100 : [2], 84 bytes, 0.76 ms (0.81 avg, 0% loss)
[1720015505.435169] 10.0.1.100 : [2], 84 bytes, 0.04 ms (0.04 avg, 0% loss)
[1720015505.512072] aws.amazon.com : [2], 84 bytes, 1.45 ms (1.71 avg, 0% loss)
[1720015506.411913] 192.168.1.100 : [3], 84 bytes, 0.94 ms (0.84 avg, 0% loss)
[1720015506.436153] 10.0.1.100 : [3], 84 bytes, 0.04 ms (0.04 avg, 0% loss)
[1720015506.513105] aws.amazon.com : [3], 84 bytes, 1.46 ms (1.65 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.75/0.84/0.94
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.04/0.04/0.04
10.1.1.100 : xmt/rcv/%loss = 4/0/100%
10.2.1.100 : xmt/rcv/%loss = 4/0/100%
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.45/1.65/2.06
wstgwEc2Instance10-1-1-100
コマンド
# Loop (-l) over every target listed in /tmp/hosts.txt (-f) until Ctrl-C,
# prefixing each reply with a timestamp (-D). The per-target summary printed
# on Ctrl-C is what shows which destinations are reachable through the TGW.
fping -lD -f /tmp/hosts.txt
出力
[ssm-user@ip-10-1-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720015585.774182] 192.168.1.100 : [0], 84 bytes, 0.71 ms (0.71 avg, 0% loss)
[1720015585.823710] 10.1.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720015585.877514] aws.amazon.com : [0], 84 bytes, 3.59 ms (3.59 avg, 0% loss)
[1720015586.774988] 192.168.1.100 : [1], 84 bytes, 0.58 ms (0.64 avg, 0% loss)
[1720015586.824641] 10.1.1.100 : [1], 84 bytes, 0.03 ms (0.02 avg, 0% loss)
[1720015586.877896] aws.amazon.com : [1], 84 bytes, 3.00 ms (3.29 avg, 0% loss)
[1720015587.775965] 192.168.1.100 : [2], 84 bytes, 0.60 ms (0.63 avg, 0% loss)
[1720015587.825609] 10.1.1.100 : [2], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720015587.877308] aws.amazon.com : [2], 84 bytes, 1.47 ms (2.68 avg, 0% loss)
[1720015588.776898] 192.168.1.100 : [3], 84 bytes, 0.60 ms (0.62 avg, 0% loss)
[1720015588.826529] 10.1.1.100 : [3], 84 bytes, 0.03 ms (0.02 avg, 0% loss)
[1720015588.878113] aws.amazon.com : [3], 84 bytes, 1.41 ms (2.36 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.58/0.62/0.71
10.0.1.100 : xmt/rcv/%loss = 4/0/100%
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.02/0.03
10.2.1.100 : xmt/rcv/%loss = 4/0/100%
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.41/2.36/3.59
Lab4: トランジットゲートウェイピアリングでTGW同士を接続する
1. CloudFormation Template の展開
1-1. 変数設定
コマンド
# Stack name for Lab 4, printed back so the value is visible in the transcript.
STACK_NAME_LAB4="wstgw-lab4"
printf '%s\n' "${STACK_NAME_LAB4}"
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # スタック名
[cloudshell-user@ip-10-130-53-115 ~]$ STACK_NAME_LAB4="wstgw-lab4"
[cloudshell-user@ip-10-130-53-115 ~]$ echo ${STACK_NAME_LAB4}
wstgw-lab4
1-2. CloudFormation Templateの展開
コマンド
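# Deploy the Lab 4 template into us-east-1 (the peer region for this lab).
# CAPABILITY_NAMED_IAM acknowledges that the template may create IAM
# resources with explicit names; review the template before granting it.
# The template path is derived from the stack name, so both are quoted.
aws cloudformation create-stack \
  --stack-name "${STACK_NAME_LAB4}" \
  --template-body "file://${STACK_NAME_LAB4}.template" \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1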
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws cloudformation create-stack \
> --stack-name ${STACK_NAME_LAB4} \
> --template-body file://${STACK_NAME_LAB4}.template \
> --capabilities CAPABILITY_NAMED_IAM \
> --region us-east-1
{
"StackId": "arn:aws:cloudformation:us-east-1:999999999999:stack/wstgw-lab4/50e60940-3ad6-11ef-834b-0affc12befb3"
}
1-3. ID取得
コマンド
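## Transit Gateway ID (us-east-1)
# describe-transit-gateways is not filtered here, so with --output text the
# result is a tab-separated list of every TGW in the region. The case below
# warns when the result is not exactly one ID; a multi-ID value would
# otherwise be passed verbatim to the peering command and rejected there.
ACCOUNT1_TGW2_ID=$(
  aws ec2 describe-transit-gateways \
    --query "TransitGateways[*].TransitGatewayId" \
    --output text \
    --region us-east-1
) \
  && echo "${ACCOUNT1_TGW2_ID}"
case "${ACCOUNT1_TGW2_ID}" in
  tgw-*[[:space:]]*)
    printf 'warning: more than one transit gateway in us-east-1; set ACCOUNT1_TGW2_ID to the Lab 4 one by hand\n' >&2 ;;
  tgw-*) ;;
  *)
    printf 'warning: no transit gateway ID returned for us-east-1\n' >&2 ;;
esac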
出力
[cloudshell-user@ip-10-130-53-115 ~]$ ## Transit Gateway ID
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW2_ID=$(
> aws ec2 describe-transit-gateways \
> --query "TransitGateways[*].TransitGatewayId" \
> --output text \
> --region us-east-1
> ) \
> && echo ${ACCOUNT1_TGW2_ID}
tgw-081ce3bfec0746aaa
2. Transit Gateway ピアリングアタッチメントの作成
コマンド
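# Account 1 ID: the peer TGW lives in the same account, so read the ID from
# the caller's own credentials instead of hard-coding it.
ACCOUNT1_ID=$(aws sts get-caller-identity --query Account --output text) \
  && echo "${ACCOUNT1_ID}"
# Name tag for the peering attachment; the next step looks it up by this tag.
ACCOUNT1_TGW2_NAME="wstgwTgwVpcAttachment-peer" \
  && echo "${ACCOUNT1_TGW2_NAME}"
# Request the peering. The requester is the Tokyo TGW (default CLI region),
# the accepter is the us-east-1 TGW; the request has to be accepted on the
# accepter side before routes over it can carry traffic.
aws ec2 create-transit-gateway-peering-attachment \
  --transit-gateway-id "${ACCOUNT1_TGW1_ID}" \
  --peer-transit-gateway-id "${ACCOUNT1_TGW2_ID}" \
  --peer-account-id "${ACCOUNT1_ID}" \
  --peer-region us-east-1 \
  --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=${ACCOUNT1_TGW2_NAME}}]"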
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # アカウント1 ID
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_ID="999999999999" \
> && echo ${ACCOUNT1_ID}
999999999999
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW2_NAME="wstgwTgwVpcAttachment-peer" \
> && echo ${ACCOUNT1_TGW2_NAME}
wstgwTgwVpcAttachment-peer
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-peering-attachment \
> --transit-gateway-id ${ACCOUNT1_TGW1_ID} \
> --peer-transit-gateway-id ${ACCOUNT1_TGW2_ID} \
> --peer-account-id ${ACCOUNT1_ID} \
> --peer-region us-east-1 \
> --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=${ACCOUNT1_TGW2_NAME}}]"
{
"TransitGatewayPeeringAttachment": {
"TransitGatewayAttachmentId": "tgw-attach-01883600c0a871396",
"RequesterTgwInfo": {
"TransitGatewayId": "tgw-07df15247c1b17801",
"OwnerId": "999999999999",
"Region": "ap-northeast-1"
},
"AccepterTgwInfo": {
"TransitGatewayId": "tgw-081ce3bfec0746aaa",
"OwnerId": "999999999999",
"Region": "us-east-1"
},
"State": "initiatingRequest",
"CreationTime": "2024-07-05T14:01:11+00:00",
"Tags": [
{
"Key": "Name",
"Value": "wstgwTgwVpcAttachment-peer"
}
]
}
}
3. ピアリングリクエストアタッチメントの承認
コマンド
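# Attachment ID: look the peering attachment up by its Name tag. This runs in
# the default (requester) region; the attachment ID is the same when seen
# from the accepter region.
ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID=$(
  aws ec2 describe-transit-gateway-peering-attachments \
    --filters Name=tag:Name,Values="${ACCOUNT1_TGW2_NAME}" \
    --query "TransitGatewayPeeringAttachments[].TransitGatewayAttachmentId" \
    --output text
) \
  && echo "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}"
# Accept on the accepter side (us-east-1). Acceptance is the control point
# for connecting two TGWs, so check that the ID echoed above matches the one
# returned by the create call before running this.
aws ec2 accept-transit-gateway-peering-attachment \
  --transit-gateway-attachment-id "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}" \
  --region us-east-1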
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # アタッチメントID
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID=$(
> aws ec2 describe-transit-gateway-peering-attachments \
> --filters Name=tag:Name,Values="${ACCOUNT1_TGW2_NAME}" \
> --query "TransitGatewayPeeringAttachments[].TransitGatewayAttachmentId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}
tgw-attach-01883600c0a871396
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 accept-transit-gateway-peering-attachment \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID} \
> --region us-east-1
{
"TransitGatewayPeeringAttachment": {
"TransitGatewayAttachmentId": "tgw-attach-01883600c0a871396",
"RequesterTgwInfo": {
"TransitGatewayId": "tgw-07df15247c1b17801",
"OwnerId": "999999999999",
"Region": "ap-northeast-1"
},
"AccepterTgwInfo": {
"TransitGatewayId": "tgw-081ce3bfec0746aaa",
"OwnerId": "999999999999",
"Region": "us-east-1"
},
"Options": {
"DynamicRouting": "disable"
},
"State": "pending",
"CreationTime": "2024-07-05T14:01:16+00:00"
}
}
4. Transit Gateway ルートテーブルの関連付けの確認
(バージニア北部リージョン)
コマンド
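# Transit Gateway route table ID (us-east-1): the default association table
# of the Lab 4 TGW. Filtering on transit-gateway-id as well keeps the lookup
# to a single table even when other TGWs exist in the region. The variable
# name ACCOUN1_... is kept as-is because later commands reference it.
ACCOUN1_TGW2_ROUTETABLE_ID=$(
  aws ec2 describe-transit-gateway-route-tables \
    --filters "Name=default-association-route-table,Values=true" \
              "Name=transit-gateway-id,Values=${ACCOUNT1_TGW2_ID}" \
    --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
    --output text \
    --region us-east-1
) \
  && echo "${ACCOUN1_TGW2_ROUTETABLE_ID}"
# List the active routes; at this point only the propagated route for the
# us-east-1 VPC is expected, nothing yet points over the peering.
aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id "${ACCOUN1_TGW2_ROUTETABLE_ID}" \
  --filters Name=state,Values=active \
  --output table \
  --region us-east-1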
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # Transit Gateway ルートテーブルID
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUN1_TGW2_ROUTETABLE_ID=$(
> aws ec2 describe-transit-gateway-route-tables \
> --filters "Name=default-association-route-table,Values=true" \
> --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
> --output text \
> --region us-east-1
> ) \
> && echo ${ACCOUN1_TGW2_ROUTETABLE_ID}
tgw-rtb-0ba0cd7b2198dff3b
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 search-transit-gateway-routes \
> --transit-gateway-route-table-id ${ACCOUN1_TGW2_ROUTETABLE_ID} \
> --filters Name=state,Values=active \
> --output table \
> --region us-east-1
----------------------------------------------------------------------------------------------
| SearchTransitGatewayRoutes |
+----------------------------------------------------------------------+---------------------+
| AdditionalRoutesAvailable | False |
+----------------------------------------------------------------------+---------------------+
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 10.2.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-0534e983961b05d5d | vpc | tgw-attach-0892d512866fd8d6c |||
||+-----------------------------+-------------------+--------------------------------------+||
(東京リージョン)
コマンド
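# Active routes in the Tokyo TGW default route table (default CLI region).
# The ID is quoted so it is always passed as one argument.
aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW1_ROUTETABLE_ID}" \
  --filters Name=state,Values=active \
  --output table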
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 search-transit-gateway-routes \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --filters Name=state,Values=active \
> --output table
----------------------------------------------------------------------------------------------
| SearchTransitGatewayRoutes |
+----------------------------------------------------------------------+---------------------+
| AdditionalRoutesAvailable | False |
+----------------------------------------------------------------------+---------------------+
|| Routes ||
|+-----------------------+----------+--------------------------------------------+----------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+----------+--------------------------------------------+----------+|
|| 0.0.0.0/0 | active | | static ||
|+-----------------------+----------+--------------------------------------------+----------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-09eae5bdd8ff4b663 | vpc | tgw-attach-0731ed17e025f0c4d |||
||+-----------------------------+-------------------+--------------------------------------+||
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 10.0.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-00cef602390e56814 | vpc | tgw-attach-07bed2f5bd17f690a |||
||+-----------------------------+-------------------+--------------------------------------+||
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 10.1.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-086f0422edc91e1b0 | vpc | tgw-attach-0641e395643f0c84c |||
||+-----------------------------+-------------------+--------------------------------------+||
|| Routes ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| DestinationCidrBlock | State | TransitGatewayRouteTableAnnouncementId | Type ||
|+-----------------------+---------+------------------------------------------+-------------+|
|| 192.168.0.0/16 | active | | propagated ||
|+-----------------------+---------+------------------------------------------+-------------+|
||| TransitGatewayAttachments |||
||+-----------------------------+-------------------+--------------------------------------+||
||| ResourceId | ResourceType | TransitGatewayAttachmentId |||
||+-----------------------------+-------------------+--------------------------------------+||
||| vpc-09eae5bdd8ff4b663 | vpc | tgw-attach-0731ed17e025f0c4d |||
||+-----------------------------+-------------------+--------------------------------------+||
5. ルートの追加
(東京リージョン)
コマンド
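# Static route to the us-east-1 VPC range over the peering attachment, in the
# Tokyo default route table. With DynamicRouting disabled on the peering,
# nothing is propagated across it, so each side needs its own static route.
aws ec2 create-transit-gateway-route \
  --destination-cidr-block 10.2.0.0/16 \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW1_ROUTETABLE_ID}" \
  --transit-gateway-attachment-id "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}"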
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route \
> --destination-cidr-block 10.2.0.0/16 \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}
{
"Route": {
"DestinationCidrBlock": "10.2.0.0/16",
"TransitGatewayAttachments": [
{
"ResourceId": "tgw-081ce3bfec0746aaa",
"TransitGatewayAttachmentId": "tgw-attach-01883600c0a871396",
"ResourceType": "peering"
}
],
"Type": "static",
"State": "active"
}
}
コマンド
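# Same static route to 10.2.0.0/16 over the peering, this time in the custom
# route table that the private VPC attachments are associated with.
# Note the space before the trailing backslash on the route-table line: a
# backslash-newline is removed entirely, so without the space the ID would be
# glued to the following --transit-gateway-attachment-id option.
aws ec2 create-transit-gateway-route \
  --destination-cidr-block 10.2.0.0/16 \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_ID}" \
  --transit-gateway-attachment-id "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}"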
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route \
> --destination-cidr-block 10.2.0.0/16 \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_ID}\
> --transit-gateway-attachment-id ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}
{
"Route": {
"DestinationCidrBlock": "10.2.0.0/16",
"TransitGatewayAttachments": [
{
"ResourceId": "tgw-081ce3bfec0746aaa",
"TransitGatewayAttachmentId": "tgw-attach-01883600c0a871396",
"ResourceType": "peering"
}
],
"Type": "static",
"State": "active"
}
}
(バージニア北部リージョン)
コマンド
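# Default route for the us-east-1 table over the peering to Tokyo. Anything
# the us-east-1 VPC sends to a non-local destination crosses the peering;
# on the Tokyo side the 0.0.0.0/0 static route hands it to the boundary VPC
# attachment, so Internet-bound traffic is expected to transit Tokyo.
aws ec2 create-transit-gateway-route \
  --destination-cidr-block 0.0.0.0/0 \
  --transit-gateway-route-table-id "${ACCOUN1_TGW2_ROUTETABLE_ID}" \
  --transit-gateway-attachment-id "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}" \
  --region us-east-1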
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route \
> --destination-cidr-block 0.0.0.0/0 \
> --transit-gateway-route-table-id ${ACCOUN1_TGW2_ROUTETABLE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID} \
> --region us-east-1
{
"Route": {
"DestinationCidrBlock": "0.0.0.0/0",
"TransitGatewayAttachments": [
{
"ResourceId": "tgw-07df15247c1b17801",
"TransitGatewayAttachmentId": "tgw-attach-01883600c0a871396",
"ResourceType": "peering"
}
],
"Type": "static",
"State": "active"
}
}
6. 疎通確認
BoundaryVPC(192.168.1.100)
コマンド
# Loop (-l) over every target listed in /tmp/hosts.txt (-f) until Ctrl-C,
# prefixing each reply with a timestamp (-D). The per-target summary printed
# on Ctrl-C is what shows which destinations are reachable through the TGW.
fping -lD -f /tmp/hosts.txt
出力
[ssm-user@ip-192-168-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720020650.282550] 192.168.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720020650.308555] 10.0.1.100 : [0], 84 bytes, 0.91 ms (0.91 avg, 0% loss)
[1720020650.333799] 10.1.1.100 : [0], 84 bytes, 1.05 ms (1.05 avg, 0% loss)
[1720020650.385001] aws.amazon.com : [0], 84 bytes, 1.93 ms (1.93 avg, 0% loss)
[1720020650.505781] 10.2.1.100 : [0], 84 bytes, 147 ms (147 avg, 0% loss)
[1720020651.283409] 192.168.1.100 : [1], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720020651.309150] 10.0.1.100 : [1], 84 bytes, 0.66 ms (0.78 avg, 0% loss)
[1720020651.334209] 10.1.1.100 : [1], 84 bytes, 0.62 ms (0.83 avg, 0% loss)
[1720020651.385098] aws.amazon.com : [1], 84 bytes, 1.25 ms (1.59 avg, 0% loss)
[1720020651.504502] 10.2.1.100 : [1], 84 bytes, 145 ms (146 avg, 0% loss)
[1720020652.284251] 192.168.1.100 : [2], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720020652.310115] 10.0.1.100 : [2], 84 bytes, 0.76 ms (0.77 avg, 0% loss)
[1720020652.335180] 10.1.1.100 : [2], 84 bytes, 0.71 ms (0.79 avg, 0% loss)
[1720020652.385941] aws.amazon.com : [2], 84 bytes, 1.24 ms (1.47 avg, 0% loss)
[1720020652.505469] 10.2.1.100 : [2], 84 bytes, 145 ms (146 avg, 0% loss)
[1720020653.285105] 192.168.1.100 : [3], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720020653.310868] 10.0.1.100 : [3], 84 bytes, 0.70 ms (0.75 avg, 0% loss)
[1720020653.335929] 10.1.1.100 : [3], 84 bytes, 0.66 ms (0.76 avg, 0% loss)
[1720020653.386732] aws.amazon.com : [3], 84 bytes, 1.20 ms (1.40 avg, 0% loss)
[1720020653.506105] 10.2.1.100 : [3], 84 bytes, 145 ms (146 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.03/0.04
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.66/0.75/0.91
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.62/0.76/1.05
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 145/146/147
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.20/1.40/1.93
PrivateVPC1(10.0.1.100)
コマンド
# Loop (-l) over every target listed in /tmp/hosts.txt (-f) until Ctrl-C,
# prefixing each reply with a timestamp (-D). The per-target summary printed
# on Ctrl-C is what shows which destinations are reachable through the TGW.
fping -lD -f /tmp/hosts.txt
出力
[ssm-user@ip-10-0-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720020843.415922] 192.168.1.100 : [0], 84 bytes, 0.93 ms (0.93 avg, 0% loss)
[1720020843.440153] 10.0.1.100 : [0], 84 bytes, 0.04 ms (0.04 avg, 0% loss)
[1720020843.517720] aws.amazon.com : [0], 84 bytes, 2.16 ms (2.16 avg, 0% loss)
[1720020843.636272] 10.2.1.100 : [0], 84 bytes, 145 ms (145 avg, 0% loss)
[1720020844.416528] 192.168.1.100 : [1], 84 bytes, 0.67 ms (0.80 avg, 0% loss)
[1720020844.441015] 10.0.1.100 : [1], 84 bytes, 0.05 ms (0.04 avg, 0% loss)
[1720020844.517893] aws.amazon.com : [1], 84 bytes, 1.52 ms (1.84 avg, 0% loss)
[1720020844.634144] 10.2.1.100 : [1], 84 bytes, 142 ms (144 avg, 0% loss)
[1720020845.417361] 192.168.1.100 : [2], 84 bytes, 0.66 ms (0.75 avg, 0% loss)
[1720020845.441840] 10.0.1.100 : [2], 84 bytes, 0.03 ms (0.04 avg, 0% loss)
[1720020845.518768] aws.amazon.com : [2], 84 bytes, 1.49 ms (1.72 avg, 0% loss)
[1720020845.635136] 10.2.1.100 : [2], 84 bytes, 143 ms (143 avg, 0% loss)
[1720020846.418251] 192.168.1.100 : [3], 84 bytes, 0.69 ms (0.73 avg, 0% loss)
[1720020846.442710] 10.0.1.100 : [3], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720020846.520711] aws.amazon.com : [3], 84 bytes, 2.60 ms (1.94 avg, 0% loss)
[1720020846.636013] 10.2.1.100 : [3], 84 bytes, 143 ms (143 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.66/0.73/0.93
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.03/0.03/0.05
10.1.1.100 : xmt/rcv/%loss = 4/0/100%
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 142/143/145
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.49/1.94/2.60
PrivateVPC2(10.1.1.100)
コマンド
# Loop (-l) over every target listed in /tmp/hosts.txt (-f) until Ctrl-C,
# prefixing each reply with a timestamp (-D). The per-target summary printed
# on Ctrl-C is what shows which destinations are reachable through the TGW.
fping -lD -f /tmp/hosts.txt
出力
[ssm-user@ip-10-1-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720020935.730251] 192.168.1.100 : [0], 84 bytes, 0.97 ms (0.97 avg, 0% loss)
[1720020935.779573] 10.1.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720020935.832720] aws.amazon.com : [0], 84 bytes, 2.95 ms (2.95 avg, 0% loss)
[1720020935.951408] 10.2.1.100 : [0], 84 bytes, 146 ms (146 avg, 0% loss)
[1720020936.730878] 192.168.1.100 : [1], 84 bytes, 0.73 ms (0.85 avg, 0% loss)
[1720020936.780388] 10.1.1.100 : [1], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720020936.832851] aws.amazon.com : [1], 84 bytes, 2.24 ms (2.59 avg, 0% loss)
[1720020936.949404] 10.2.1.100 : [1], 84 bytes, 143 ms (145 avg, 0% loss)
[1720020937.731767] 192.168.1.100 : [2], 84 bytes, 0.79 ms (0.83 avg, 0% loss)
[1720020937.781214] 10.1.1.100 : [2], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720020937.833686] aws.amazon.com : [2], 84 bytes, 2.21 ms (2.46 avg, 0% loss)
[1720020937.950342] 10.2.1.100 : [2], 84 bytes, 144 ms (144 avg, 0% loss)
[1720020938.732706] 192.168.1.100 : [3], 84 bytes, 0.84 ms (0.83 avg, 0% loss)
[1720020938.782179] 10.1.1.100 : [3], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720020938.834597] aws.amazon.com : [3], 84 bytes, 2.19 ms (2.39 avg, 0% loss)
[1720020938.951224] 10.2.1.100 : [3], 84 bytes, 143 ms (144 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.73/0.83/0.97
10.0.1.100 : xmt/rcv/%loss = 4/0/100%
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.02/0.02
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 143/144/146
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 2.19/2.39/2.95
PrivateVPC3(10.2.1.100)
コマンド
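# Start bash from the Session Manager sh prompt.
# NOTE(review): bash documents -i for interactive mode, not -I; confirm which
# flag was intended.
bash -I
# Install fping from EPEL: amazon-linux-extras enables the epel topic and
# installs epel-release, yum-config-manager then makes sure the repo is
# enabled (its config keeps gpgcheck = True, so packages stay
# signature-checked), and yum installs the package.
sudo amazon-linux-extras install epel -y
sudo yum-config-manager --enable epel
sudo yum install fping -y
# Target list for fping, one host per line. printf writes the same five
# lines the earlier echo -n -e form produced, without depending on echo's
# non-portable option and escape handling.
printf '%s\n' \
  192.168.1.100 \
  10.0.1.100 \
  10.1.1.100 \
  10.2.1.100 \
  aws.amazon.com > /tmp/hosts.txt
cat /tmp/hosts.txt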
出力
sh-4.2$ bash -I
[ssm-user@ip-10-2-1-100 bin]$ sudo amazon-linux-extras install epel -y
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
0 metadata files removed
0 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.6 kB 00:00:00
amzn2extra-docker | 2.9 kB 00:00:00
amzn2extra-epel | 3.0 kB 00:00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.7 kB 00:00:01
(2/7): amzn2extra-epel/2/x86_64/updateinfo | 76 B 00:00:01
(3/7): amzn2-core/2/x86_64/updateinfo | 940 kB 00:00:02
(4/7): amzn2extra-docker/2/x86_64/updateinfo | 16 kB 00:00:01
(5/7): amzn2extra-epel/2/x86_64/primary_db | 1.8 kB 00:00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db | 102 kB 00:00:02
(7/7): amzn2-core/2/x86_64/primary_db | 69 MB 00:00:15
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
epel-release noarch 7-11 amzn2extra-epel 15 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
2 httpd_modules available [ =1.0 =stable ]
3 memcached1.5 available \
[ =1.5.1 =1.5.16 =1.5.17 ]
9 R3.4 available [ =3.4.3 =stable ]
10 rust1 available \
[ =1.22.1 =1.26.0 =1.26.1 =1.27.2 =1.31.0 =1.38.0
=stable ]
18 libreoffice available \
[ =5.0.6.2_15 =5.3.6.1 =stable ]
19 gimp available [ =2.8.22 ]
20 †docker=latest enabled \
[ =17.12.1 =18.03.1 =18.06.1 =18.09.9 =stable ]
21 mate-desktop1.x available \
[ =1.19.0 =1.20.0 =stable ]
22 GraphicsMagick1.3 available \
[ =1.3.29 =1.3.32 =1.3.34 =stable ]
24 epel=latest enabled [ =7.11 =stable ]
25 testing available [ =1.0 =stable ]
26 ecs available [ =stable ]
27 †corretto8 available \
[ =1.8.0_192 =1.8.0_202 =1.8.0_212 =1.8.0_222 =1.8.0_232
=1.8.0_242 =stable ]
32 lustre2.10 available \
[ =2.10.5 =2.10.8 =stable ]
33 †java-openjdk11 available [ =11 =stable ]
34 lynis available [ =stable ]
36 BCC available [ =0.x =stable ]
37 mono available [ =5.x =stable ]
38 nginx1 available [ =stable ]
40 mock available [ =stable ]
43 livepatch available [ =stable ]
44 †python3.8 available [ =stable ]
45 haproxy2 available [ =stable ]
46 collectd available [ =stable ]
47 aws-nitro-enclaves-cli available [ =stable ]
48 R4 available [ =stable ]
49 kernel-5.4 available [ =stable ]
50 selinux-ng available [ =stable ]
52 tomcat9 available [ =stable ]
53 unbound1.13 available [ =stable ]
54 †mariadb10.5 available [ =stable ]
55 kernel-5.10 available [ =stable ]
56 redis6 available [ =stable ]
58 †postgresql12 available [ =stable ]
59 †postgresql13 available [ =stable ]
60 mock2 available [ =stable ]
61 dnsmasq2.85 available [ =stable ]
62 kernel-5.15 available [ =stable ]
63 †postgresql14 available [ =stable ]
64 firefox available [ =stable ]
65 lustre available [ =stable ]
66 †php8.1 available [ =stable ]
67 awscli1 available [ =stable ]
68 †php8.2 available [ =stable ]
69 dnsmasq available [ =stable ]
70 unbound1.17 available [ =stable ]
72 collectd-python3 available [ =stable ]
† Note on end-of-support. Use 'info' subcommand.
[ssm-user@ip-10-2-1-100 bin]$ sudo yum-config-manager --enable epel
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
=========================================================== repo: epel ===========================================================
[epel]
async = True
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/2
baseurl =
cache = 0
cachedir = /var/cache/yum/x86_64/2/epel
check_config_file_age = True
compare_providers_priority = 80
cost = 1000
deltarpm_metadata_percentage = 100
deltarpm_percentage =
enabled = True
enablegroups = True
exclude =
failovermethod = priority
ftp_disable_epsv = False
gpgcadir = /var/lib/yum/repos/x86_64/2/epel/gpgcadir
gpgcakey =
gpgcheck = True
gpgdir = /var/lib/yum/repos/x86_64/2/epel/gpgdir
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
hdrdir = /var/cache/yum/x86_64/2/epel/headers
http_caching = all
includepkgs =
ip_resolve =
keepalive = True
keepcache = False
mddownloadpolicy = sqlite
mdpolicy = group:small
mediaid =
metadata_expire = 21600
metadata_expire_filter = read-only:present
metalink = https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
minrate = 0
mirrorlist =
mirrorlist_expire = 86400
name = Extra Packages for Enterprise Linux 7 - x86_64
old_base_cache_dir =
password =
persistdir = /var/lib/yum/repos/x86_64/2/epel
pkgdir = /var/cache/yum/x86_64/2/epel/packages
priority = 99
proxy = False
proxy_dict =
proxy_password =
proxy_username =
repo_gpgcheck = False
report_instanceid = False
retries = 7
skip_if_unavailable = False
ssl_check_cert_permissions = True
sslcacert =
sslclientcert =
sslclientkey =
sslverify = True
throttle = 0
timeout = 5.0
ui_id = epel/x86_64
ui_repoid_vars = releasever,
basearch
username =
[ssm-user@ip-10-2-1-100 bin]$ sudo yum install fping -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
epel/x86_64/metalink | 16 kB 00:00:00
epel | 4.3 kB 00:00:00
(1/3): epel/x86_64/group | 399 kB 00:00:02
(2/3): epel/x86_64/primary_db | 8.7 MB 00:00:02
(3/3): epel/x86_64/updateinfo | 1.0 MB 00:00:02
230 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package fping.x86_64 0:3.10-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
fping x86_64 3.10-4.el7 epel 46 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 46 k
Installed size: 104 k
Downloading packages:
warning: /var/cache/yum/x86_64/2/epel/packages/fping-3.10-4.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fping-3.10-4.el7.x86_64.rpm is not installed
fping-3.10-4.el7.x86_64.rpm | 46 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@amzn2extra-epel)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : fping-3.10-4.el7.x86_64 1/1
Verifying : fping-3.10-4.el7.x86_64 1/1
Installed:
fping.x86_64 0:3.10-4.el7
Complete!
[ssm-user@ip-10-2-1-100 bin]$ echo -n -e \
> "192.168.1.100\n"\
> "10.0.1.100\n"\
> "10.1.1.100\n"\
> "10.2.1.100\n"\
> "aws.amazon.com\n" > /tmp/hosts.txt
[ssm-user@ip-10-2-1-100 bin]$ cat /tmp/hosts.txt
192.168.1.100
10.0.1.100
10.1.1.100
10.2.1.100
aws.amazon.com
コマンド
# Keep pinging every host listed in /tmp/hosts.txt until Ctrl-C.
#   -D  prefix each reply with a Unix timestamp
#   -l  loop forever instead of one probe per host
#   -f  read the target list from the given file
# This only proves ICMP echo is allowed end-to-end (security groups, NACLs
# and anything inspecting the path). A host reported at 100% loss may still
# be reachable on TCP, so pair this with an application-level check.
fping -D -l -f /tmp/hosts.txt
出力
[ssm-user@ip-10-2-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720189325.334919] 10.2.1.100 : [0], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720189325.405530] 192.168.1.100 : [0], 84 bytes, 146 ms (146 avg, 0% loss)
[1720189325.432756] 10.0.1.100 : [0], 84 bytes, 148 ms (148 avg, 0% loss)
[1720189325.457535] 10.1.1.100 : [0], 84 bytes, 147 ms (147 avg, 0% loss)
[1720189325.649391] aws.amazon.com : [0], 84 bytes, 289 ms (289 avg, 0% loss)
[1720189326.335614] 10.2.1.100 : [1], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720189326.404255] 192.168.1.100 : [1], 84 bytes, 144 ms (145 avg, 0% loss)
[1720189326.432053] 10.0.1.100 : [1], 84 bytes, 146 ms (147 avg, 0% loss)
[1720189326.456254] 10.1.1.100 : [1], 84 bytes, 145 ms (146 avg, 0% loss)
[1720189326.648580] aws.amazon.com : [1], 84 bytes, 287 ms (288 avg, 0% loss)
[1720189327.336348] 10.2.1.100 : [2], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720189327.405031] 192.168.1.100 : [2], 84 bytes, 144 ms (144 avg, 0% loss)
[1720189327.432990] 10.0.1.100 : [2], 84 bytes, 146 ms (147 avg, 0% loss)
[1720189327.456903] 10.1.1.100 : [2], 84 bytes, 145 ms (146 avg, 0% loss)
[1720189327.649265] aws.amazon.com : [2], 84 bytes, 287 ms (288 avg, 0% loss)
[1720189328.337065] 10.2.1.100 : [3], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720189328.405728] 192.168.1.100 : [3], 84 bytes, 144 ms (144 avg, 0% loss)
[1720189328.433463] 10.0.1.100 : [3], 84 bytes, 146 ms (147 avg, 0% loss)
[1720189328.457614] 10.1.1.100 : [3], 84 bytes, 145 ms (146 avg, 0% loss)
[1720189328.649975] aws.amazon.com : [3], 84 bytes, 287 ms (288 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 144/144/146
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 146/147/148
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 145/146/147
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.03/0.03/0.04
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 287/288/289
lab5(option): セキュリティ VPC で全ての VPC 間トラフィックを監査する
1. CloudFormation Template の展開
1-1. 変数設定
コマンド
# Stack name for the Lab5 (security VPC) CloudFormation stack. The template
# is read from ./${STACK_NAME_LAB5}.template in the next step, so the name
# doubles as the template file name.
STACK_NAME_LAB5="wstgw-lab5" \
&& echo "${STACK_NAME_LAB5}"
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # スタック名
[cloudshell-user@ip-10-130-53-115 ~]$ STACK_NAME_LAB5="wstgw-lab5"
[cloudshell-user@ip-10-130-53-115 ~]$ echo ${STACK_NAME_LAB5}
wstgw-lab5
1-2. CloudFormation Templateの展開
コマンド
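# Deploy the Lab5 template. Judging from the later steps it creates the
# security VPC and a VPC attachment tagged wstgwTgwVpcAttachmentSecurityVpc
# on the TGW that the Lab1-Lab4 traffic already flows through, so review the
# template before deploying it into anything other than a lab account.
aws cloudformation create-stack \
  --stack-name "${STACK_NAME_LAB5}" \
  --template-body "file://${STACK_NAME_LAB5}.template"

# create-stack only returns the StackId; the resources are built
# asynchronously. Step 2-3 looks the attachment up by its Name tag, which
# yields nothing until the stack has finished, so block here. The wait
# exits non-zero if the stack rolls back, which the bare create-stack call
# would never show.
aws cloudformation wait stack-create-complete \
  --stack-name "${STACK_NAME_LAB5}"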
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws cloudformation create-stack \
> --stack-name ${STACK_NAME_LAB5} \
> --template-body file://${STACK_NAME_LAB5}.template
{
"StackId": "arn:aws:cloudformation:ap-northeast-1:999999999999:stack/wstgw-lab5/39c89430-3adb-11ef-bfee-0ec94480ed61"
}
2. Transit Gateway ルートテーブルの作成
2-1. Transit Gateway ルートテーブルを作成
コマンド
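# Name tag for the new TGW route table. The original assignment carried a
# trailing space ("wstgwRtbSecurityAccess "). The CLI shorthand parser
# trimmed it on create (the recorded tag shows no space) and the unquoted
# echo hid it, but the tag:Name lookup in 2-2 is built from the same
# variable and only matched by accident - keep the name exact.
ACCOUNT1_TGW_ROUTE_LAB5_NAME="wstgwRtbSecurityAccess" \
&& echo "${ACCOUNT1_TGW_ROUTE_LAB5_NAME}"

# Create a dedicated route table on the existing TGW (${ACCOUNT1_TGW1_ID},
# set in an earlier lab). It starts with no associations and no
# propagations (both Default*RouteTable flags are false in the response),
# so nothing is routed through it until steps 2-4 and 5.
aws ec2 create-transit-gateway-route-table \
  --transit-gateway-id "${ACCOUNT1_TGW1_ID}" \
  --tag-specifications "ResourceType=transit-gateway-route-table,Tags=[{Key=Name,Value=${ACCOUNT1_TGW_ROUTE_LAB5_NAME}}]"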
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route-table \
> --transit-gateway-id ${ACCOUNT1_TGW1_ID} \
> --tag-specifications "ResourceType=transit-gateway-route-table,Tags=[{Key=Name,Value=${ACCOUNT1_TGW_ROUTE_LAB5_NAME}}]"
{
"TransitGatewayRouteTable": {
"TransitGatewayRouteTableId": "tgw-rtb-0d18046dd316c61ea",
"TransitGatewayId": "tgw-07df15247c1b17801",
"State": "pending",
"DefaultAssociationRouteTable": false,
"DefaultPropagationRouteTable": false,
"CreationTime": "2024-07-05T14:47:48+00:00",
"Tags": [
{
"Key": "Name",
"Value": "wstgwRtbSecurityAccess"
}
]
}
}
2-2. ルートテーブルID取得
コマンド
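# Resolve the route table ID from its Name tag. Tags are not unique and a
# recently deleted table can still match a tag filter while it sits in the
# "deleted" state, so scope the lookup to this TGW and to live states (the
# table is "pending" right after creation, "available" later).
ACCOUNT1_TGW_ROUTE_LAB5_ID=$(
  aws ec2 describe-transit-gateway-route-tables \
    --filters \
      "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
      "Name=tag:Name,Values=${ACCOUNT1_TGW_ROUTE_LAB5_NAME}" \
      "Name=state,Values=pending,available" \
    --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
    --output text
) \
&& echo "${ACCOUNT1_TGW_ROUTE_LAB5_ID}"

# With --output text several matches come back tab-separated and no match
# comes back as an empty string; either would silently break the route and
# association commands that consume this variable. Report and clear it
# instead. No "exit" here: these lines are pasted into an interactive
# CloudShell session and exit would close it.
if [[ -z "${ACCOUNT1_TGW_ROUTE_LAB5_ID}" || "${ACCOUNT1_TGW_ROUTE_LAB5_ID}" == *[[:space:]]* ]]; then
  echo "ERROR: expected exactly one route table named '${ACCOUNT1_TGW_ROUTE_LAB5_NAME}', got: '${ACCOUNT1_TGW_ROUTE_LAB5_ID}'" >&2
  unset ACCOUNT1_TGW_ROUTE_LAB5_ID
fi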
出力
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW_ROUTE_LAB5_ID=$(
> aws ec2 describe-transit-gateway-route-tables \
> --filters Name=tag:Name,Values="${ACCOUNT1_TGW_ROUTE_LAB5_NAME}" \
> --query "TransitGatewayRouteTables[*].TransitGatewayRouteTableId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW_ROUTE_LAB5_ID}
tgw-rtb-0d18046dd316c61ea
2-3. アタッチメントID取得
コマンド
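# Name tag of the security VPC's TGW attachment (created by the Lab5 stack,
# not by hand, so this lookup only succeeds once that stack is complete).
ACCOUNT1_TGW_ATTACHMENT_LAB5_NAME="wstgwTgwVpcAttachmentSecurityVpc" \
&& echo "${ACCOUNT1_TGW_ATTACHMENT_LAB5_NAME}"

# Resolve the attachment ID by Name tag (the original comment said "by VPC
# ID", but the filter is the tag). Scope it to this TGW, to VPC attachments
# and to live states so a stale "deleted" attachment or a same-named
# attachment on another TGW cannot be picked up. Every spoke's traffic is
# about to be steered to whatever ID lands here, so it must be the right
# one.
ACCOUNT1_TGW_ATTACHMENT_LAB5_ID=$(
  aws ec2 describe-transit-gateway-attachments \
    --filters \
      "Name=transit-gateway-id,Values=${ACCOUNT1_TGW1_ID}" \
      "Name=resource-type,Values=vpc" \
      "Name=tag:Name,Values=${ACCOUNT1_TGW_ATTACHMENT_LAB5_NAME}" \
      "Name=state,Values=pending,available" \
    --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
    --output text
) \
&& echo "${ACCOUNT1_TGW_ATTACHMENT_LAB5_ID}"

# Zero matches (empty) or several (tab-separated) must not reach
# create-transit-gateway-route. Report and clear; no "exit" because this
# runs in an interactive CloudShell session.
if [[ -z "${ACCOUNT1_TGW_ATTACHMENT_LAB5_ID}" || "${ACCOUNT1_TGW_ATTACHMENT_LAB5_ID}" == *[[:space:]]* ]]; then
  echo "ERROR: expected exactly one attachment named '${ACCOUNT1_TGW_ATTACHMENT_LAB5_NAME}', got: '${ACCOUNT1_TGW_ATTACHMENT_LAB5_ID}'" >&2
  unset ACCOUNT1_TGW_ATTACHMENT_LAB5_ID
fi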
出力
[cloudshell-user@ip-10-130-53-115 ~]$ # アタッチメント名
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW_ATTACHMENT_LAB5_NAME="wstgwTgwVpcAttachmentSecurityVpc" \
> && echo ${ACCOUNT1_TGW_ATTACHMENT_LAB5_NAME}
wstgwTgwVpcAttachmentSecurityVpc
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ # VPC IDに関連付けられたTransit Gateway Attachment IDを取得
[cloudshell-user@ip-10-130-53-115 ~]$ ACCOUNT1_TGW_ATTACHMENT_LAB5_ID=$(
> aws ec2 describe-transit-gateway-attachments \
> --filters Name=tag:Name,Values="${ACCOUNT1_TGW_ATTACHMENT_LAB5_NAME}" \
> --query "TransitGatewayAttachments[*].TransitGatewayAttachmentId" \
> --output text
> ) \
> && echo ${ACCOUNT1_TGW_ATTACHMENT_LAB5_ID}
tgw-attach-0ea61314234a7cf51
2-4. 静的ルートを作成
コマンド
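# Static default route: anything not matched by a more specific route in
# this table goes to the security VPC attachment. The table has no
# propagations, so this is its only route and every spoke attachment
# associated with it in step 5 must send all traffic (inter-VPC, to the
# peered TGW and internet-bound) through the security VPC.
# The security VPC's own attachment must NOT be associated with this table:
# a 0.0.0.0/0 route pointing at itself would swallow its return traffic.
aws ec2 create-transit-gateway-route \
  --destination-cidr-block 0.0.0.0/0 \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_LAB5_ID}" \
  --transit-gateway-attachment-id "${ACCOUNT1_TGW_ATTACHMENT_LAB5_ID}"

# Verify nothing bypasses the inspection path: expect exactly one static
# 0.0.0.0/0 entry and no propagated routes. Any more specific route that
# ever shows up here (e.g. after someone enables propagation into this
# table) wins over 0.0.0.0/0 and skips the security VPC, so re-run this
# check after changes to the TGW.
aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_LAB5_ID}" \
  --filters "Name=state,Values=active,blackhole" \
  --query "Routes[].{cidr:DestinationCidrBlock,type:Type,state:State,to:TransitGatewayAttachments[0].TransitGatewayAttachmentId}" \
  --output table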
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 create-transit-gateway-route \
> --destination-cidr-block 0.0.0.0/0 \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_LAB5_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_ATTACHMENT_LAB5_ID}
{
"Route": {
"DestinationCidrBlock": "0.0.0.0/0",
"TransitGatewayAttachments": [
{
"ResourceId": "vpc-0dce67c4463a2a490",
"TransitGatewayAttachmentId": "tgw-attach-0ea61314234a7cf51",
"ResourceType": "vpc"
}
],
"Type": "static",
"State": "active"
}
}
3. デフォルトルートテーブルから BoundaryVPC 、Transit Gateway ピアリングアタッチメントの関連付けを削除する（VPC Peering ではなく TGW 間ピアリング。出力の ResourceType は peering）
コマンド
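# Remove the BoundaryVPC attachment and the TGW peering attachment from the
# default route table (${ACCOUNT1_TGW1_ROUTETABLE_ID}, set in an earlier
# lab). An attachment can be associated with only one TGW route table at a
# time and the API returns State "disassociating", so the re-association in
# step 5 fails if issued before these complete. Until step 5 runs these
# attachments are associated with nothing and their traffic is dropped -
# outside a lab, treat steps 3-5 as a single planned change window.
for attachment_id in \
  "${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}" \
  "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}"; do
  aws ec2 disassociate-transit-gateway-route-table \
    --transit-gateway-route-table-id "${ACCOUNT1_TGW1_ROUTETABLE_ID}" \
    --transit-gateway-attachment-id "${attachment_id}"
done

# Wait for the disassociation to finish. Once it is complete the
# Association element is absent from describe output, which --output text
# prints as "None". Bounded (~2 min) so a wrong ID cannot hang the shell;
# no "exit" because this is pasted into an interactive CloudShell session.
for attachment_id in \
  "${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}" \
  "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}"; do
  for _ in {1..24}; do
    assoc_state=$(aws ec2 describe-transit-gateway-attachments \
      --transit-gateway-attachment-ids "${attachment_id}" \
      --query "TransitGatewayAttachments[0].Association.State" \
      --output text)
    [[ "${assoc_state}" == "None" ]] && break
    sleep 5
  done
  echo "${attachment_id}: association state = ${assoc_state}"
done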
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 disassociate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-039d20e8aa3326006",
"TransitGatewayAttachmentId": "tgw-attach-0731ed17e025f0c4d",
"ResourceId": "vpc-09eae5bdd8ff4b663",
"ResourceType": "vpc",
"State": "disassociating"
}
}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 disassociate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW1_ROUTETABLE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-039d20e8aa3326006",
"TransitGatewayAttachmentId": "tgw-attach-01883600c0a871396",
"ResourceId": "tgw-081ce3bfec0746aaa",
"ResourceType": "peering",
"State": "disassociating"
}
}
4. wstgwRtbPrivateVPC ルートテーブルから PrivateVPC1 、PrivateVPC2 アタッチメントの関連付けを削除する
コマンド
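# Remove PrivateVPC2 (Account2's VPC, VpcOwnerId 888888888888 in the cleanup
# output) and PrivateVPC1 from wstgwRtbPrivateVPC (${ACCOUNT1_TGW_ROUTE_ID},
# set in an earlier lab). Note this is done from the TGW owner's account:
# route-table association of a shared TGW is controlled here, not by the
# account that owns the spoke VPC, which is what keeps the spoke from
# routing itself around the security VPC later on.
# Disassociation is asynchronous ("disassociating") and an attachment can
# hold only one association, so step 5 fails if run before it completes.
# Between now and step 5 these spokes have no route table: their traffic is
# dropped.
for attachment_id in \
  "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}" \
  "${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}"; do
  aws ec2 disassociate-transit-gateway-route-table \
    --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_ID}" \
    --transit-gateway-attachment-id "${attachment_id}"
done

# Poll until the Association element is gone from describe output (printed
# as "None" with --output text). Bounded to ~2 min; no "exit" because this
# runs in an interactive CloudShell session.
for attachment_id in \
  "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}" \
  "${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}"; do
  for _ in {1..24}; do
    assoc_state=$(aws ec2 describe-transit-gateway-attachments \
      --transit-gateway-attachment-ids "${attachment_id}" \
      --query "TransitGatewayAttachments[0].Association.State" \
      --output text)
    [[ "${assoc_state}" == "None" ]] && break
    sleep 5
  done
  echo "${attachment_id}: association state = ${assoc_state}"
done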
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 disassociate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-00308e50348bd4196",
"TransitGatewayAttachmentId": "tgw-attach-0641e395643f0c84c",
"ResourceId": "vpc-086f0422edc91e1b0",
"ResourceType": "vpc",
"State": "disassociating"
}
}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 disassociate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-00308e50348bd4196",
"TransitGatewayAttachmentId": "tgw-attach-07bed2f5bd17f690a",
"ResourceId": "vpc-00cef602390e56814",
"ResourceType": "vpc",
"State": "disassociating"
}
}
5. wstgwRtbSecurityAccess ルートテーブルに BoundaryVPC 、PrivateVPC1 、PrivateVPC2 、wstgwTgwVpcAttachment-peer アタッチメントを関連付ける
コマンド
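# Associate the four spoke-side attachments (BoundaryVPC, PrivateVPC1,
# PrivateVPC2, TGW peering) with wstgwRtbSecurityAccess, whose only route is
# 0.0.0.0/0 -> security VPC. From here on every packet entering the TGW
# from these attachments is steered into the security VPC. The security
# VPC's own attachment is deliberately NOT in this list: it needs a table
# with routes back to the spokes, and a default route pointing at itself
# would loop its return traffic.
# Each attachment must already be free of any other association (steps 3
# and 4 complete), otherwise associate-transit-gateway-route-table fails.
spoke_attachments=(
  "${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}"
  "${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}"
  "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}"
  "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}"
)
for attachment_id in "${spoke_attachments[@]}"; do
  aws ec2 associate-transit-gateway-route-table \
    --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_LAB5_ID}" \
    --transit-gateway-attachment-id "${attachment_id}"
done

# Association is asynchronous (the API answers "associating"). Confirm all
# four entries show "associated" before the reachability tests in step 6;
# loss measured while one is still "associating" is not caused by the
# security VPC and would be misread as a policy result.
aws ec2 get-transit-gateway-route-table-associations \
  --transit-gateway-route-table-id "${ACCOUNT1_TGW_ROUTE_LAB5_ID}" \
  --query "Associations[].[TransitGatewayAttachmentId,ResourceType,State]" \
  --output table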
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 associate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_LAB5_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_VPC_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-0d18046dd316c61ea",
"TransitGatewayAttachmentId": "tgw-attach-0731ed17e025f0c4d",
"ResourceId": "vpc-09eae5bdd8ff4b663",
"ResourceType": "vpc",
"State": "associating"
}
}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 associate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_LAB5_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW_VPC1_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-0d18046dd316c61ea",
"TransitGatewayAttachmentId": "tgw-attach-07bed2f5bd17f690a",
"ResourceId": "vpc-00cef602390e56814",
"ResourceType": "vpc",
"State": "associating"
}
}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 associate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_LAB5_ID} \
> --transit-gateway-attachment-id ${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-0d18046dd316c61ea",
"TransitGatewayAttachmentId": "tgw-attach-0641e395643f0c84c",
"ResourceId": "vpc-086f0422edc91e1b0",
"ResourceType": "vpc",
"State": "associating"
}
}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws ec2 associate-transit-gateway-route-table \
> --transit-gateway-route-table-id ${ACCOUNT1_TGW_ROUTE_LAB5_ID} \
> --transit-gateway-attachment-id ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}
{
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-0d18046dd316c61ea",
"TransitGatewayAttachmentId": "tgw-attach-01883600c0a871396",
"ResourceId": "tgw-07df15247c1b17801",
"ResourceType": "peering",
"State": "associating"
}
}
6. 疎通確認
wstgwEc2Instance192-168-1-100
コマンド
# Loop-ping every host in /tmp/hosts.txt with timestamps until Ctrl-C
# (-D timestamp, -l loop, -f target file); run on the BoundaryVPC instance
# per the heading. After step 5 all of this host's traffic leaves the TGW
# via the security VPC, so a 100% loss row is either inspection policy or
# an incomplete association (check step 5's verification first).
fping -D -l -f /tmp/hosts.txt
出力
[ssm-user@ip-192-168-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720195073.924992] 192.168.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720195073.954219] 10.0.1.100 : [0], 84 bytes, 4.12 ms (4.12 avg, 0% loss)
[1720195073.978730] 10.1.1.100 : [0], 84 bytes, 3.51 ms (3.51 avg, 0% loss)
[1720195074.027274] aws.amazon.com : [0], 84 bytes, 1.85 ms (1.85 avg, 0% loss)
[1720195074.151373] 10.2.1.100 : [0], 84 bytes, 151 ms (151 avg, 0% loss)
[1720195074.925890] 192.168.1.100 : [1], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720195074.952168] 10.0.1.100 : [1], 84 bytes, 1.20 ms (2.66 avg, 0% loss)
[1720195074.977346] 10.1.1.100 : [1], 84 bytes, 1.27 ms (2.39 avg, 0% loss)
[1720195075.027552] aws.amazon.com : [1], 84 bytes, 1.23 ms (1.54 avg, 0% loss)
[1720195075.147451] 10.2.1.100 : [1], 84 bytes, 146 ms (148 avg, 0% loss)
[1720195075.926736] 192.168.1.100 : [2], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720195075.952989] 10.0.1.100 : [2], 84 bytes, 1.18 ms (2.16 avg, 0% loss)
[1720195075.978227] 10.1.1.100 : [2], 84 bytes, 1.31 ms (2.03 avg, 0% loss)
[1720195076.028486] aws.amazon.com : [2], 84 bytes, 1.30 ms (1.46 avg, 0% loss)
[1720195076.148356] 10.2.1.100 : [2], 84 bytes, 146 ms (147 avg, 0% loss)
[1720195076.927597] 192.168.1.100 : [3], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720195076.953901] 10.0.1.100 : [3], 84 bytes, 1.18 ms (1.92 avg, 0% loss)
[1720195076.979238] 10.1.1.100 : [3], 84 bytes, 1.41 ms (1.87 avg, 0% loss)
[1720195077.029370] aws.amazon.com : [3], 84 bytes, 1.24 ms (1.40 avg, 0% loss)
[1720195077.149427] 10.2.1.100 : [3], 84 bytes, 146 ms (147 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.03/0.04
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.18/1.92/4.12
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.27/1.87/3.51
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 146/147/151
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.23/1.40/1.85
wstgwEc2Instance10-0-1-100
コマンド
# Loop-ping every host in /tmp/hosts.txt with timestamps until Ctrl-C
# (-D timestamp, -l loop, -f target file); run on the PrivateVPC1 instance
# per the heading. ICMP only: a host at 100% loss here may still answer on
# HTTPS (see the curl checks below), so do not read loss as "unreachable".
fping -D -l -f /tmp/hosts.txt
出力
[ssm-user@ip-10-0-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720195143.386760] 192.168.1.100 : [0], 84 bytes, 2.50 ms (2.50 avg, 0% loss)
[1720195143.409423] 10.0.1.100 : [0], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720195143.621696] 10.2.1.100 : [0], 84 bytes, 162 ms (162 avg, 0% loss)
[1720195144.386369] 192.168.1.100 : [1], 84 bytes, 1.28 ms (1.89 avg, 0% loss)
[1720195144.410236] 10.0.1.100 : [1], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720195144.618808] 10.2.1.100 : [1], 84 bytes, 158 ms (160 avg, 0% loss)
[1720195145.387297] 192.168.1.100 : [2], 84 bytes, 1.36 ms (1.71 avg, 0% loss)
[1720195145.411059] 10.0.1.100 : [2], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720195145.619870] 10.2.1.100 : [2], 84 bytes, 158 ms (159 avg, 0% loss)
[1720195146.388016] 192.168.1.100 : [3], 84 bytes, 1.23 ms (1.59 avg, 0% loss)
[1720195146.411922] 10.0.1.100 : [3], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720195146.620613] 10.2.1.100 : [3], 84 bytes, 158 ms (159 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.23/1.59/2.50
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.02/0.03
10.1.1.100 : xmt/rcv/%loss = 4/0/100%
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 158/159/162
aws.amazon.com : xmt/rcv/%loss = 4/0/100%
wstgwEc2Instance10-1-1-100
コマンド
# Loop-ping every host in /tmp/hosts.txt with timestamps until Ctrl-C
# (-D timestamp, -l loop, -f target file); run on the PrivateVPC2 instance
# per the heading. ICMP only - compare with the HTTPS checks further down
# before concluding a destination is blocked.
fping -D -l -f /tmp/hosts.txt
出力
[ssm-user@ip-10-1-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720195215.892807] 192.168.1.100 : [0], 84 bytes, 3.60 ms (3.60 avg, 0% loss)
[1720195215.939394] 10.1.1.100 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
[1720195216.113169] 10.2.1.100 : [0], 84 bytes, 148 ms (148 avg, 0% loss)
[1720195216.891439] 192.168.1.100 : [1], 84 bytes, 1.39 ms (2.49 avg, 0% loss)
[1720195216.940304] 10.1.1.100 : [1], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720195217.112010] 10.2.1.100 : [1], 84 bytes, 146 ms (147 avg, 0% loss)
[1720195217.892363] 192.168.1.100 : [2], 84 bytes, 1.47 ms (2.15 avg, 0% loss)
[1720195217.941189] 10.1.1.100 : [2], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720195218.112555] 10.2.1.100 : [2], 84 bytes, 146 ms (147 avg, 0% loss)
[1720195218.893136] 192.168.1.100 : [3], 84 bytes, 1.40 ms (1.96 avg, 0% loss)
[1720195218.941986] 10.1.1.100 : [3], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720195219.113635] 10.2.1.100 : [3], 84 bytes, 146 ms (147 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 1.39/1.96/3.60
10.0.1.100 : xmt/rcv/%loss = 4/0/100%
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.02/0.03/0.04
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 146/147/148
aws.amazon.com : xmt/rcv/%loss = 4/0/100%
wstgwEc2Instance10-2-1-100
コマンド
# Loop-ping every host in /tmp/hosts.txt with timestamps until Ctrl-C
# (-D timestamp, -l loop, -f target file); run on the 10.2.1.100 instance
# behind the peered TGW per the heading. The ~145 ms RTTs to the other
# hosts are the cross-region peering hop, not inspection latency.
fping -D -l -f /tmp/hosts.txt
出力
[ssm-user@ip-10-2-1-100 bin]$ fping -l -f /tmp/hosts.txt -D
[1720195334.476409] 10.2.1.100 : [0], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720195334.547507] 192.168.1.100 : [0], 84 bytes, 146 ms (146 avg, 0% loss)
[1720195334.575211] 10.0.1.100 : [0], 84 bytes, 149 ms (149 avg, 0% loss)
[1720195334.601254] 10.1.1.100 : [0], 84 bytes, 150 ms (150 avg, 0% loss)
[1720195334.791282] aws.amazon.com : [0], 84 bytes, 289 ms (289 avg, 0% loss)
[1720195335.477126] 10.2.1.100 : [1], 84 bytes, 0.04 ms (0.03 avg, 0% loss)
[1720195335.546219] 192.168.1.100 : [1], 84 bytes, 144 ms (145 avg, 0% loss)
[1720195335.572558] 10.0.1.100 : [1], 84 bytes, 145 ms (147 avg, 0% loss)
[1720195335.599673] 10.1.1.100 : [1], 84 bytes, 147 ms (148 avg, 0% loss)
[1720195335.788671] aws.amazon.com : [1], 84 bytes, 286 ms (288 avg, 0% loss)
[1720195336.477771] 10.2.1.100 : [2], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720195336.546763] 192.168.1.100 : [2], 84 bytes, 144 ms (145 avg, 0% loss)
[1720195336.573156] 10.0.1.100 : [2], 84 bytes, 145 ms (146 avg, 0% loss)
[1720195336.600294] 10.1.1.100 : [2], 84 bytes, 147 ms (148 avg, 0% loss)
[1720195336.789511] aws.amazon.com : [2], 84 bytes, 286 ms (287 avg, 0% loss)
[1720195337.478502] 10.2.1.100 : [3], 84 bytes, 0.03 ms (0.03 avg, 0% loss)
[1720195337.547454] 192.168.1.100 : [3], 84 bytes, 144 ms (144 avg, 0% loss)
[1720195337.573798] 10.0.1.100 : [3], 84 bytes, 145 ms (146 avg, 0% loss)
[1720195337.600907] 10.1.1.100 : [3], 84 bytes, 147 ms (148 avg, 0% loss)
[1720195337.790207] aws.amazon.com : [3], 84 bytes, 286 ms (287 avg, 0% loss)
^C
192.168.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 144/144/146
10.0.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 145/146/149
10.1.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 147/148/150
10.2.1.100 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 0.03/0.03/0.04
aws.amazon.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 286/287/289
wstgwEc2Instance10-0-1-100 (https)
コマンド
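# HTTPS reachability from this instance through the security VPC; prints
# only the HTTP status code.
# Changes from the original one-liners:
#  - "-I" (HEAD) together with "-X GET" is a documented curl misuse: curl
#    sends a GET but stops reading after the headers. A plain GET with the
#    body discarded to /dev/null yields the same status code cleanly.
#  - "-s" alone hides WHY a probe printed "000" (curl's code when no HTTP
#    status was received). "-sS" keeps the progress bar off but still
#    prints the error, so a 3 s timeout (flow dropped by policy), a TLS
#    failure and a DNS failure can be told apart instead of all reading
#    as 000.
# -m 3 is what turns a silently dropped flow into a fast "000".
curl -sS -o /dev/null -m 3 -w '%{http_code}\n' https://aws.amazon.com/
curl -sS -o /dev/null -m 3 -w '%{http_code}\n' https://docs.aws.amazon.com/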
出力
[ssm-user@ip-10-0-1-100 bin]$ curl https://aws.amazon.com/ -X GET -I -w '%{http_code}\n' -o /dev/null -m 3 -s
200
[ssm-user@ip-10-0-1-100 bin]$
[ssm-user@ip-10-0-1-100 bin]$ curl https://docs.aws.amazon.com/ -X GET -I -w '%{http_code}\n' -o /dev/null -m 3 -s
000
wstgwEc2Instance10-1-1-100 (https)
コマンド
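# HTTPS reachability from this instance through the security VPC; prints
# only the HTTP status code.
# Changes from the original one-liners:
#  - "-I" (HEAD) together with "-X GET" is a documented curl misuse: curl
#    sends a GET but stops reading after the headers. A plain GET with the
#    body discarded to /dev/null yields the same status code cleanly.
#  - "-s" alone hides WHY a probe printed "000" (curl's code when no HTTP
#    status was received). "-sS" keeps the progress bar off but still
#    prints the error, so a 3 s timeout (flow dropped by policy), a TLS
#    failure and a DNS failure can be told apart instead of all reading
#    as 000.
# -m 3 is what turns a silently dropped flow into a fast "000".
curl -sS -o /dev/null -m 3 -w '%{http_code}\n' https://aws.amazon.com/
curl -sS -o /dev/null -m 3 -w '%{http_code}\n' https://docs.aws.amazon.com/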
出力
[ssm-user@ip-10-1-1-100 bin]$ curl https://aws.amazon.com/ -X GET -I -w '%{http_code}\n' -o /dev/null -m 3 -s
000
[ssm-user@ip-10-1-1-100 bin]$ curl https://docs.aws.amazon.com/ -X GET -I -w '%{http_code}\n' -o /dev/null -m 3 -s
200
ハンズオン環境のクリーニング
1. Account2 環境のクリーニング
1.1 Transit Gateway アタッチメントの削除
コマンド
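# Delete Account2's VPC attachment to the shared TGW. A TGW VPC attachment
# places a network interface in each of its subnets, and the stack deletion
# in 1.2 cannot remove those subnets while the interfaces exist; the API
# only reports "deleting" here, so poll for "deleted" before moving on.
aws ec2 delete-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}"

# Bounded poll (~2 min). An empty / "None" result means the attachment is
# no longer returned at all, which is also "gone". No "exit": this runs in
# an interactive CloudShell session.
for _ in {1..24}; do
  attachment_state=$(aws ec2 describe-transit-gateway-vpc-attachments \
    --transit-gateway-attachment-ids "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}" \
    --query "TransitGatewayVpcAttachments[0].State" \
    --output text 2>/dev/null)
  [[ -z "${attachment_state}" || "${attachment_state}" == "None" || "${attachment_state}" == "deleted" ]] && break
  sleep 5
done
echo "${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}: ${attachment_state:-gone}"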
出力
[cloudshell-user@ip-10-132-70-211 ~]$ aws ec2 delete-transit-gateway-vpc-attachment \
> --transit-gateway-attachment-id ${ACCOUNT2_TGW_VPC2_ATTACHMENT_ID}
{
"TransitGatewayVpcAttachment": {
"TransitGatewayAttachmentId": "tgw-attach-0641e395643f0c84c",
"TransitGatewayId": "tgw-07df15247c1b17801",
"VpcId": "vpc-086f0422edc91e1b0",
"VpcOwnerId": "888888888888",
"State": "deleting",
"CreationTime": "2024-07-05T13:27:09+00:00"
}
}
1.2 VPCの削除
コマンド
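# Tear down Account2's VPC stack. delete-stack prints nothing, so without
# the wait a DELETE_FAILED (e.g. a subnet still holding the attachment's
# network interface because 1.1 had not finished) goes unnoticed and leaves
# resources behind. The wait exits non-zero on failure.
aws cloudformation delete-stack \
  --stack-name "${STACK_NAME_LAB2}"
aws cloudformation wait stack-delete-complete \
  --stack-name "${STACK_NAME_LAB2}"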
出力
[cloudshell-user@ip-10-132-70-211 ~]$ aws cloudformation delete-stack \
> --stack-name ${STACK_NAME_LAB2}
2. Account1 環境のクリーニング
2.1 Transit Gateway アタッチメントの削除 (バージニア北部リージョン)
コマンド
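# ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID} is a *peering* attachment (the
# step-3 output shows ResourceType "peering" for it), so it has to be
# removed with the peering API. delete-transit-gateway-vpc-attachment only
# looks among VPC attachments and answers
# InvalidTransitGatewayAttachmentID.NotFound - the error the original
# command hit, which then had to be worked around in the console.
aws ec2 delete-transit-gateway-peering-attachment \
  --transit-gateway-attachment-id "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}" \
  --region us-east-1

# A TGW cannot be deleted while it still has attachments, and the stacks
# removed in 2.2/2.3 each contain a TGW, so wait for "deleted" here.
# Bounded (~2 min); empty / "None" means the attachment is no longer
# listed, which is also "gone". No "exit": interactive CloudShell session.
for _ in {1..24}; do
  peering_state=$(aws ec2 describe-transit-gateway-peering-attachments \
    --transit-gateway-attachment-ids "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}" \
    --query "TransitGatewayPeeringAttachments[0].State" \
    --output text --region us-east-1 2>/dev/null)
  [[ -z "${peering_state}" || "${peering_state}" == "None" || "${peering_state}" == "deleted" ]] && break
  sleep 5
done
echo "${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}: ${peering_state:-gone}"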
出力
An error occurred (InvalidTransitGatewayAttachmentID.NotFound) when calling the DeleteTransitGatewayVpcAttachment operation: Transit Gateway VPC Attachment tgw-attach-01883600c0a871396 was deleted or does not exist.
エラーになったので管理コンソールから削除を実施。原因: `${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID}` (tgw-attach-01883600c0a871396) は手順 3 の出力で `"ResourceType": "peering"` と返っている Transit Gateway ピアリングアタッチメントであり、VPC アタッチメント専用の `delete-transit-gateway-vpc-attachment` では対象にならず NotFound になる。`aws ec2 delete-transit-gateway-peering-attachment --transit-gateway-attachment-id ${ACCOUNT1_TGW2_PEERING_ATTACHMENTS_ID} --region us-east-1` を使う（いずれか一方のリージョンから削除すればよい）。
2.2 VPC、トランジットゲートウェイの削除 (バージニア北部リージョン)
コマンド
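# Delete the us-east-1 stack (VPC and the second TGW). The TGW can only go
# once its peering attachment (2.1) is fully deleted, so a DELETE_FAILED
# here usually means 2.1 had not completed. delete-stack itself prints
# nothing; the wait makes that failure visible instead of leaving the TGW
# behind.
aws cloudformation delete-stack \
  --stack-name "${STACK_NAME_LAB4}" \
  --region us-east-1
aws cloudformation wait stack-delete-complete \
  --stack-name "${STACK_NAME_LAB4}" \
  --region us-east-1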
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws cloudformation delete-stack \
> --stack-name ${STACK_NAME_LAB4} \
> --region us-east-1
2.3 VPC、トランジットゲートウェイの削除 (東京リージョン)
コマンド
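# Tokyo-side teardown. Order matters: the Lab5 stack holds the security VPC
# and its attachment to the Lab1 TGW, and a TGW with live attachments cannot
# be deleted, so Lab5 must finish before Lab1 starts - hence the wait in
# between rather than firing both deletes back to back. The waits also
# surface DELETE_FAILED instead of silently leaving the TGW behind.
aws cloudformation delete-stack \
  --stack-name "${STACK_NAME_LAB5}"
aws cloudformation wait stack-delete-complete \
  --stack-name "${STACK_NAME_LAB5}"

aws cloudformation delete-stack \
  --stack-name "${STACK_NAME_LAB1}"
aws cloudformation wait stack-delete-complete \
  --stack-name "${STACK_NAME_LAB1}"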
出力
[cloudshell-user@ip-10-130-53-115 ~]$ aws cloudformation delete-stack \
> --stack-name ${STACK_NAME_LAB5}
[cloudshell-user@ip-10-130-53-115 ~]$
[cloudshell-user@ip-10-130-53-115 ~]$ aws cloudformation delete-stack \
> --stack-name ${STACK_NAME_LAB1}
2.4 リソースの共有の削除 (東京リージョン)
コマンド
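# Look up the RAM share that published the TGW to Account2. Use the --name
# parameter rather than interpolating the shell variable into a JMESPath
# string, and keep only ACTIVE shares: a deleted share stays listed with
# status DELETED for a while and would otherwise match by name.
# (Variable names keep the existing RESORCE spelling because
# ${TGW_RESORCE_SHARE} is set in an earlier lab.)
TGW_RESORCE_SHARE_ARN=$(
  aws ram get-resource-shares \
    --resource-owner SELF \
    --name "${TGW_RESORCE_SHARE}" \
    --query "resourceShares[?status=='ACTIVE'].resourceShareArn" \
    --output text
) \
&& echo "${TGW_RESORCE_SHARE_ARN}"

# Share names are not unique. Zero matches (empty) or several
# (tab-separated with --output text) must not reach the delete; report and
# clear the variable so the delete below fails loudly. No "exit": this
# runs in an interactive CloudShell session.
if [[ -z "${TGW_RESORCE_SHARE_ARN}" || "${TGW_RESORCE_SHARE_ARN}" == *[[:space:]]* ]]; then
  echo "ERROR: expected exactly one ACTIVE resource share named '${TGW_RESORCE_SHARE}', got: '${TGW_RESORCE_SHARE_ARN}'" >&2
  unset TGW_RESORCE_SHARE_ARN
fi

# Deleting the share revokes Account2's access to the TGW. It is done last
# on purpose: Account2's attachment (1.1) and the stacks (1.2, 2.2, 2.3)
# are already gone, so nothing in the other account still depends on it.
aws ram delete-resource-share --resource-share-arn "${TGW_RESORCE_SHARE_ARN}"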
出力
[cloudshell-user@ip-10-130-58-213 ~]$ TGW_RESORCE_SHARE_ARN=$(
> aws ram get-resource-shares \
> --resource-owner SELF \
> --query "resourceShares[?name=='${TGW_RESORCE_SHARE}'].resourceShareArn" \
> --output text
> ) \
> && echo ${TGW_RESORCE_SHARE_ARN}
arn:aws:ram:ap-northeast-1:999999999999:resource-share/4b15f1e8-4597-4d97-b527-1e8ee08c2e39
[cloudshell-user@ip-10-130-58-213 ~]$
[cloudshell-user@ip-10-130-58-213 ~]$ # 削除
[cloudshell-user@ip-10-130-58-213 ~]$ aws ram delete-resource-share --resource-share-arn ${TGW_RESORCE_SHARE_ARN}
{
"returnValue": true
}