CODE FARM

Get Started with AWS

VPC (Virtual Private Cloud)

  1. What Is Amazon VPC?
  2. Getting Started with IPv4 for Amazon VPC
  3. Scenario 2: VPC with Public and Private Subnets (NAT)
  4. Recommended Network ACL Rules for Your VPC
  5. Security Groups for Your VPC
  6. Network ACLs
  • VPCs
    • Subnets
      • public subnet
      • private subnet
    • Accessing the Internet
      • private IP & public IP & EIP & route table
      • IGW (Internet Gateway)
      • NAT (network address translation)
    • Security
      • Security Groups & EC2 Instances
        • **If you specify a single IPv4 address, specify the address using the /32 prefix length. If you specify a single IPv6 address, specify it using the /128 prefix length.**
        • Some systems for setting up firewalls let you filter on source ports. Security groups let you filter only on destination ports.
      • Network ACLs & Subnets

ELB (Elastic Load Balancing)

  1. How Elastic Load Balancing Works
    • With Application Load Balancers, cross-zone load balancing is always enabled.
    • **With Network Load Balancers, cross-zone load balancing is disabled by default. After you create a Network Load Balancer, you can enable or disable cross-zone load balancing at any time.**
  • ELBs
    • NLB (Network Load Balancer)
      • https://www.awsfeed.com/2019/08/09/using-a-network-load-balancer-with-the-nginx-ingress-controller-on-eks/

EC2 (Elastic Compute Cloud)

  • Install Docker

    $ sudo amazon-linux-extras install docker -y
    
    $ cat /etc/docker/daemon.json 
    {
      "data-root": "/data/docker",
      "exec-opts": ["native.cgroupdriver=systemd"],
      "log-driver": "json-file",
      "log-opts": {
        "max-size": "100m"
      },
      "storage-driver": "overlay2"
    }
    
    $ sudo systemctl enable docker.service
    
    $ sudo systemctl start docker.service
    
    $ sudo docker info
    
    $ sudo yum install amazon-ecr-credential-helper -y
    
    $ sudo cat /root/.docker/config.json
    {
      "credHelpers": {
        "[aws_account_id].dkr.ecr.[region].amazonaws.com.cn": "ecr-login"
      }
    }
    

Install Kubernetes

  • Set bash completion

    $ sudo sh -c "kubeadm completion bash > /etc/profile.d/kubeadm.sh"
    $ source /etc/profile.d/kubeadm.sh
    
    $ sudo sh -c "kubectl completion bash > /etc/profile.d/kubectl.sh"
    $ source /etc/profile.d/kubectl.sh
    
  • Set kubelet root-dir

    The file that can contain user-specified flag overrides with KUBELET_EXTRA_ARGS is sourced from /etc/default/kubelet (for DEBs), or /etc/sysconfig/kubelet (for RPMs). KUBELET_EXTRA_ARGS is last in the flag chain and has the highest priority in the event of conflicting settings.

    #KUBELET_EXTRA_ARGS=--root-dir=/opt/lib/kubelet
    
  • Enable kubelet service

    $ sudo systemctl enable kubelet.service
    
  • kube init

    $ sudo kubeadm init --pod-network-cidr=[10.244.0.0/16] --image-repository=[aws_account_id].dkr.ecr.[region].amazonaws.com.cn/k8s --kubernetes-version=[v1.15.0] [--ignore-preflight-errors=NumCPU]
    
  • Check required ports

    https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#check-required-ports

  • Nginx Ingress Controller & ALB & NLB

    [23/Sep/2019:09:03:56 +0000] remote_addr=10.244.0.4 https= host=alb-449876832.cn-north-1.elb.amazonaws.com.cn request="GET /remote_addr?lb=alb HTTP/1.1" content_length=- request_id=11995321529ae2f4ba05f626d1b2bdce request_time=0.000 referer=- user_agent="curl/7.64.0" x_forwarded_for="10.0.2.71" status=404 bytes_sent=190 body_bytes_sent=21 upstream_addr=- upstream_status=- upstream_response_time=- upstream_connect_time=- upstream_header_time=-
    [23/Sep/2019:09:05:06 +0000] remote_addr=10.244.0.4 https= host=nlb-49353abebcd88735.elb.cn-north-1.amazonaws.com.cn request="GET /remote_addr?lb=nlb HTTP/1.1" content_length=- request_id=6c3ea368830abef17296502d98e797f8 request_time=0.000 referer=- user_agent="curl/7.64.0" x_forwarded_for="140.206.187.194" status=404 bytes_sent=190 body_bytes_sent=21 upstream_addr=- upstream_status=- upstream_response_time=- upstream_connect_time=- upstream_header_time=-
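The two log lines above differ in x_forwarded_for: behind the ALB nginx logged a VPC-private address (10.0.2.71), behind the NLB it logged the client's public address (140.206.187.194). The following added example, not code from the page, parses this key=value access-log format and flags requests where the forwarded client address is not globally routable, which is the check needed before keying allow-lists, rate limits or audit trails on that field; the two sample lines are copied from above and the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the two nginx ingress access-log lines from the notes
# above, one request that arrived through the ALB and one through the NLB.
LOG_LINES = """\
[23/Sep/2019:09:03:56 +0000] remote_addr=10.244.0.4 https= host=alb-449876832.cn-north-1.elb.amazonaws.com.cn request="GET /remote_addr?lb=alb HTTP/1.1" content_length=- request_id=11995321529ae2f4ba05f626d1b2bdce request_time=0.000 referer=- user_agent="curl/7.64.0" x_forwarded_for="10.0.2.71" status=404 bytes_sent=190 body_bytes_sent=21 upstream_addr=- upstream_status=- upstream_response_time=- upstream_connect_time=- upstream_header_time=-
[23/Sep/2019:09:05:06 +0000] remote_addr=10.244.0.4 https= host=nlb-49353abebcd88735.elb.cn-north-1.amazonaws.com.cn request="GET /remote_addr?lb=nlb HTTP/1.1" content_length=- request_id=6c3ea368830abef17296502d98e797f8 request_time=0.000 referer=- user_agent="curl/7.64.0" x_forwarded_for="140.206.187.194" status=404 bytes_sent=190 body_bytes_sent=21 upstream_addr=- upstream_status=- upstream_response_time=- upstream_connect_time=- upstream_header_time=-
"""

# key=value pairs: values are double-quoted (may contain spaces) or bare (may be empty, e.g. https=)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
_TS = re.compile(r'^\[([^\]]+)\]')


def parse_ingress_line(line):
    """Parse one key=value style nginx ingress access-log line into a dict."""
    fields = {}
    ts = _TS.match(line)
    if ts:
        fields["time"] = ts.group(1)
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def original_client_ip(fields):
    """Return (ip, preserved) for the left-most X-Forwarded-For entry.
    preserved is False when that entry is a private/reserved address, i.e. nginx logged
    the load balancer's own address, so allow-lists, rate limits and audit trails keyed
    on it would act on the wrong IP."""
    first = fields.get("x_forwarded_for", "").split(",")[0].strip()
    try:
        return first, ipaddress.ip_address(first).is_global
    except ValueError:  # "-" or garbage: nothing usable was forwarded
        return first, False


def audit_client_ips(log_text):
    """Per load-balancer hostname, which client IP nginx actually logged."""
    report = {}
    for line in filter(str.strip, log_text.splitlines()):
        f = parse_ingress_line(line)
        ip, preserved = original_client_ip(f)
        report[f["host"]] = {"client_ip": ip, "client_ip_preserved": preserved,
                             "status": int(f["status"])}
    return report
```

Run `audit_client_ips(LOG_LINES)` to get one entry per load balancer hostname; the ALB entry comes back with `client_ip_preserved` False, the NLB entry with True.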