Lab environment setup

First create a Key pair in EC2 and name it keypair-seoul:

Deploy the CloudFormation Stacks

We will use CloudFormation to deploy the following four VPCs:

[architecture diagram]

The four VPCs are Seoul-VPC-HQ, Seoul-VPC-PRD, Seoul-VPC-STG and Seoul-VPC-DEV, each defined by a .yml template of the same name.

Deploy them with CloudFormation:

git clone https://github.com/whchoi98/tgw.git
cd tgw

# Name of the EC2 key pair created above; it is passed to every template as the KeyPair parameter
KeyName="keypair-seoul"

# Each deploy is backgrounded with a trailing "&" so the four stacks build in parallel
aws cloudformation deploy \
  --stack-name "Seoul-VPC-HQ" \
  --template-file "Seoul-VPC-HQ.yml" \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides "KeyPair=${KeyName}" --region ap-northeast-2 &

aws cloudformation deploy \
  --stack-name "Seoul-VPC-PRD" \
  --template-file "Seoul-VPC-PRD.yml" \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides "KeyPair=${KeyName}" --region ap-northeast-2 &

aws cloudformation deploy \
  --stack-name "Seoul-VPC-STG" \
  --template-file "Seoul-VPC-STG.yml" \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides "KeyPair=${KeyName}" --region ap-northeast-2 &

aws cloudformation deploy \
  --stack-name "Seoul-VPC-DEV" \
  --template-file "Seoul-VPC-DEV.yml" \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides "KeyPair=${KeyName}" --region ap-northeast-2 &

In the CloudFormation console you can see the four Stacks being created:

Once creation completes, the corresponding VPCs appear on the VPC page:

After the VPC stacks have finished creating, run the following command to create the TGW:

aws cloudformation deploy \
  --stack-name "Seoul-TGW" \
  --template-file "Seoul-TGW.yml" \
  --capabilities CAPABILITY_NAMED_IAM --region ap-northeast-2 &

Wait for this Stack to finish creating, then check the resources it created.

On the EC2 page there are 8 EC2 instances:

On the Transit Gateway page, one tgw has been created:

The Transit gateway attachments:

Check the TGW route tables. In this lab there are two route tables in total, one for east-west traffic and one for north-south traffic:

First check the North-South route table. Seoul-VPC-HQ is associated with the North-South route table, and the Seoul-VPC-HQ CIDR (10.0.0.0/16) has been propagated into it:

Check the East-To-West route table and confirm that the three VPCs (Seoul-VPC-PRD, Seoul-VPC-STG and Seoul-VPC-DEV) are associated with it:

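The two route-table checks above can also be verified from CLI output instead of the console, which is how you would catch a VPC that was attached to the wrong table after someone changed it. The Python below is an added example, not code from the original post or the tgw repository: it parses constructed JSON shaped like the output of `aws ec2 get-transit-gateway-route-table-associations` and reports any VPC that is not on exactly the route table this lab intends (attachment and route-table IDs are placeholders).

```python
import json

# Constructed sample documents shaped like the output of
# `aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id <id>`,
# one per TGW route table. Attachment and resource IDs are placeholders, not values from the lab.
NORTH_SOUTH_JSON = """{"Associations": [
  {"TransitGatewayAttachmentId": "tgw-attach-HQ", "ResourceId": "vpc-HQ",
   "ResourceType": "vpc", "State": "associated"}]}"""
EAST_WEST_JSON = """{"Associations": [
  {"TransitGatewayAttachmentId": "tgw-attach-PRD", "ResourceId": "vpc-PRD",
   "ResourceType": "vpc", "State": "associated"},
  {"TransitGatewayAttachmentId": "tgw-attach-STG", "ResourceId": "vpc-STG",
   "ResourceType": "vpc", "State": "associated"},
  {"TransitGatewayAttachmentId": "tgw-attach-DEV", "ResourceId": "vpc-DEV",
   "ResourceType": "vpc", "State": "associated"}]}"""

# Placeholder attachment-ID to VPC-name mapping (in a real account, build it from
# `aws ec2 describe-transit-gateway-vpc-attachments` and the Name tags).
ATTACHMENT_TO_VPC = {"tgw-attach-HQ": "Seoul-VPC-HQ", "tgw-attach-PRD": "Seoul-VPC-PRD",
                     "tgw-attach-STG": "Seoul-VPC-STG", "tgw-attach-DEV": "Seoul-VPC-DEV"}

# The segmentation the lab intends: HQ alone on North-South, the three workload VPCs on East-To-West.
EXPECTED = {"North-South": {"Seoul-VPC-HQ"},
            "East-To-West": {"Seoul-VPC-PRD", "Seoul-VPC-STG", "Seoul-VPC-DEV"}}


def associated_vpcs(cli_json, attachment_to_vpc):
    """Return the VPC names whose attachment is in state 'associated' in one route table's
    association listing. Non-VPC attachments and pending states are ignored."""
    doc = json.loads(cli_json)
    return {attachment_to_vpc.get(a["TransitGatewayAttachmentId"], a["TransitGatewayAttachmentId"])
            for a in doc["Associations"]
            if a["ResourceType"] == "vpc" and a["State"] == "associated"}


def check_segmentation(actual, expected):
    """Compare per-table association sets with the intended layout. Returns a list of
    findings; an empty list means every VPC sits on exactly the route table it should."""
    findings = []
    for table, want in expected.items():
        got = actual.get(table, set())
        findings += [f"{v} unexpectedly associated with {table}" for v in sorted(got - want)]
        findings += [f"{v} missing from {table}" for v in sorted(want - got)]
    return findings


def audit(north_south_json=NORTH_SOUTH_JSON, east_west_json=EAST_WEST_JSON):
    actual = {"North-South": associated_vpcs(north_south_json, ATTACHMENT_TO_VPC),
              "East-To-West": associated_vpcs(east_west_json, ATTACHMENT_TO_VPC)}
    return check_segmentation(actual, EXPECTED)
```

Calling `audit()` with the real CLI output of each route table returns an empty list when the layout matches; anything else is a finding to investigate.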

Check the EC2 instances

Some of the EC2 instances in this lab are deployed in private subnets, so logging in to them requires the SSM Agent (Session Manager) rather than a direct SSH connection.

First install the Session Manager plugin:

curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm"
sudo yum install -y session-manager-plugin.rpm

List the EC2 instances in the current region:

aws ec2 describe-instances --query 'Reservations[].Instances[].[Tags[?Key==`Name`] | [0].Value, Placement.AvailabilityZone,InstanceId, InstanceType, ImageId,State.Name, PrivateIpAddress, PublicIpAddress ]' --output table --region ap-northeast-2

Save the instance IDs of the private-subnet EC2 instances in the four VPCs to environment variables:

#!/bin/bash
# command ./tgw_basic_ssm.sh
# For each VPC: look up the running instance by its Name tag, print the ID for a visual check,
# store it in a variable, and append the export to ~/.bash_profile so it survives new shells.
export AWS_DEFAULT_REGION=ap-northeast-2
aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-HQ-Private-10.0.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2| jq -r '.Reservations[].Instances[].InstanceId'
export Seoul_VPC_HQ_Private_10_0_21_101=$(aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-HQ-Private-10.0.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2| jq -r '.Reservations[].Instances[].InstanceId')
echo "export Seoul_VPC_HQ_Private_10_0_21_101=${Seoul_VPC_HQ_Private_10_0_21_101}"| tee -a ~/.bash_profile

aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-PRD-Private-10.1.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2 | jq -r '.Reservations[].Instances[].InstanceId'
export Seoul_VPC_PRD_Private_10_1_21_101=$(aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-PRD-Private-10.1.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2| jq -r '.Reservations[].Instances[].InstanceId')
echo "export Seoul_VPC_PRD_Private_10_1_21_101=${Seoul_VPC_PRD_Private_10_1_21_101}"| tee -a ~/.bash_profile

aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-STG-Private-10.2.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2| jq -r '.Reservations[].Instances[].InstanceId'
export Seoul_VPC_STG_Private_10_2_21_101=$(aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-STG-Private-10.2.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2| jq -r '.Reservations[].Instances[].InstanceId')
echo "export Seoul_VPC_STG_Private_10_2_21_101=${Seoul_VPC_STG_Private_10_2_21_101}"| tee -a ~/.bash_profile

aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-DEV-Private-10.3.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2| jq -r '.Reservations[].Instances[].InstanceId'
export Seoul_VPC_DEV_Private_10_3_21_101=$(aws ec2 describe-instances --filters 'Name=tag:Name,Values=Seoul-VPC-DEV-Private-10.3.21.101' 'Name=instance-state-name,Values=running' --region ap-northeast-2| jq -r '.Reservations[].Instances[].InstanceId')
echo "export Seoul_VPC_DEV_Private_10_3_21_101=${Seoul_VPC_DEV_Private_10_3_21_101}"| tee -a ~/.bash_profile

After the script runs, look at the ~/.bash_profile file: it now ends with four variables, one for the EC2 instance in the private subnet of each of the four VPCs:

Open four terminals and log in to the four EC2 instances, one per terminal:

aws ssm start-session --target $Seoul_VPC_HQ_Private_10_0_21_101 --region ap-northeast-2

aws ssm start-session --target $Seoul_VPC_PRD_Private_10_1_21_101 --region ap-northeast-2

aws ssm start-session --target $Seoul_VPC_STG_Private_10_2_21_101 --region ap-northeast-2

aws ssm start-session --target $Seoul_VPC_DEV_Private_10_3_21_101 --region ap-northeast-2

On each of these four machines, register the hosts to be tested in the hosts file:

sudo -s
echo 10.0.21.101 SEOUL-VPC-HQ-Private >> /etc/hosts
echo 10.1.21.101 SEOUL-VPC-PRD-Private >> /etc/hosts
echo 10.2.21.101 SEOUL-VPC-STG-Private >> /etc/hosts
echo 10.3.21.101 SEOUL-VPC-DEV-Private >> /etc/hosts