VPC is undoubtedly the most important of AWS's core services. The user defines a CIDR range for the virtual network, divides it into subnets, and configures the firewalls and routing between them. So how do different networks reach each other?
Currently, AWS offers the following options:
1. By default, subnets in the same VPC can reach each other; you only need to apply access control with network ACLs and security groups.
2. To connect your company's data center network with AWS, configure a Virtual Private Gateway and a VPN connection in the VPC, configure a customer gateway in the company's data center, and connect the two over IPsec. The customer gateway can be a Cisco or Juniper hardware firewall, or a Microsoft Server (software firewall), as long as it meets the relevant technical requirements.
3. Two VPCs that are both on AWS but in different regions, such as one site in Sydney and one in Hong Kong: as long as their address ranges do not conflict, you can configure a VPN instance in a public subnet of each VPC to establish an IPsec connection.
http://aws.amazon.com/articles/5472675506466066
I will cover this scenario in the next blog post.
4. In the last case, different VPCs in the same region need to reach each other. This is done with VPC peering, which is the experiment below.
VPC peering should be considered a fairly new feature: at the time of writing it has been available for less than four months. Previously, even connecting VPCs in the same region required the third option, which is difficult to configure and incurs additional cost, since two extra EC2 instances are needed. Now it is easy: a few mouse clicks and it is done in 5 minutes.
First, create two different VPC networks, namely Syd and Mel.
After the creation, as shown below:
Select VPC peering on the VPC dashboard and click Create.
As shown in the following figure, you can peer VPCs under the same account or under different accounts, but note that they must be in the same region.
Confirm and send the request.
You must accept the request before the connection is established.
After the connection, the status changes to active.
Next, you need to change the route tables. Switch to the route table settings; I have two default route tables.
In each route table, enter the address range of the peer VPC as the destination and select the ID of the VPC peering connection just created as the target.
Create an EC2 instance under each VPC.
To test with ping, ICMP must be allowed in the corresponding security group.
Please note!!! Because the instances are in different VPCs, you cannot reference a security group from the other VPC by its ID; the selector only shows the security groups in the current VPC.
So I can only filter by CIDR range.
Finally, I can ping 10.1.1.47 from the instance 172.31.11.121.
Lab successful!
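As an added example (not the original post's code), the following Python checks the prerequisites of the setup above and builds the two route entries and the CIDR-based ICMP rule it needs. The peering ID and CIDRs are constructed placeholders; Syd is assumed to use the default-VPC range 172.31.0.0/16 and Mel is assumed to be 10.1.0.0/16.

```python
"""Plan and sanity-check the VPC peering setup described in the post.
Added example, not the original post's code; IDs and CIDRs are constructed
placeholders. Standard library only, so it runs offline without touching AWS."""
import ipaddress
import re

PCX_ID_RE = re.compile(r"^pcx-[0-9a-f]{8,17}$")


def cidrs_conflict(cidr_a: str, cidr_b: str) -> bool:
    """True if the two VPC ranges overlap; peering is impossible in that case."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peering_routes(pcx_id: str, cidr_a: str, cidr_b: str) -> dict:
    """The one route each side's route table needs: destination is the
    *peer's* CIDR, target is the peering connection ID (the 'gateway' in the
    console). Refuses overlapping ranges or a malformed pcx- ID."""
    if not PCX_ID_RE.match(pcx_id):
        raise ValueError(f"not a VPC peering connection ID: {pcx_id}")
    if cidrs_conflict(cidr_a, cidr_b):
        raise ValueError(f"CIDR ranges overlap: {cidr_a} / {cidr_b}")
    return {
        "side_a": {"DestinationCidrBlock": cidr_b, "VpcPeeringConnectionId": pcx_id},
        "side_b": {"DestinationCidrBlock": cidr_a, "VpcPeeringConnectionId": pcx_id},
    }


def icmp_echo_ingress(source: str) -> dict:
    """Security-group ingress rule for ping from the peer VPC. A rule across a
    peering cannot reference the other VPC's security group ID, so the source
    must be that VPC's CIDR; 0.0.0.0/0 is refused because it would open ICMP
    to the internet rather than just the peer. FromPort/ToPort carry the ICMP
    type/code (8 = echo request, -1 = any code), as the EC2 API expects."""
    if source.startswith("sg-"):
        raise ValueError("cannot reference a security group in another VPC; use its CIDR")
    net = ipaddress.ip_network(source)
    if net.prefixlen == 0:
        raise ValueError("refusing to allow ICMP from 0.0.0.0/0")
    return {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
            "IpRanges": [{"CidrIp": str(net)}]}


if __name__ == "__main__":
    # Constructed values: Syd uses the default-VPC range, Mel an assumed 10.1.0.0/16.
    syd, mel, pcx = "172.31.0.0/16", "10.1.0.0/16", "pcx-0123456789abcdef0"
    print(peering_routes(pcx, syd, mel))
    print(icmp_echo_ingress(mel))   # rule for Syd's SG, allowing ping from Mel
```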
Next, let's look at a more complicated setup: how do we configure a VPN instance on a VPC to connect across regions?
This article is from the "Mapo tofu" blog; please keep this source when reposting: http://beanxyz.blog.51cto.com/5570417/1533510