For the last post I was working in a local environment on my home network. After a busy Sunday of research and architecting I've moved into a VPC on Amazon Web Services. Still much to do, but the fundamentals are in place.
To get the full experience of AWS networking I decided to build a full-blown VPC. The architecture I decided on is similar to this one from the VPC documentation: public and private subnets plus a site-to-site IPSec VPN to the "data center" (in my living room). It's very similar to the scenario my team built for vocativ.com; however, I was observing the process more than getting involved in building it hands-on, so it's nice to be able to put all the pieces together myself.
The first thing I tried to get working after walking through the VPC wizard was the IPSec VPN. My initial plan was to connect my home network to the VPC via a strongSwan instance running on a machine behind my router. Unfortunately this failed quickly. The IP address of the customer gateway "must be static and can't be behind a device performing network address translation (NAT)," as per Amazon's documentation. I heard rumors that it might be possible to hack around this restriction, but I'm hardly an IPSec expert, so I didn't venture into exploring this option further.
My current router is consumer grade, a Netgear WNDR4500, so it doesn't have any sort of IPSec connectivity out of the box. Flashing the router with DD-WRT was the first solution I considered. After some research, however, I discovered that DD-WRT on this device can knock WAN performance down by 66%, so it didn't seem promising enough to actually take the time to do it.
So on to plan B, which was a new router. The Cisco RV220W seemed like a good option, but some reviews said it couldn't operate the Wi-Fi in 2 GHz and 5 GHz modes simultaneously, which means I'd have to run it in 2 GHz mode at home to accommodate some older devices. Also, the price wasn't very high, but it was high enough that making the jump to a device with full IOS didn't seem like such a big leap. I'm certain I'm the only one in my IT department who doesn't have any idea how to work with IOS, so grabbing one of these was a good opportunity to learn. I ended up with a Cisco 892FSP, which was the most basic model with gigabit Ethernet and 8 ports. I'll come back to the VPN after it arrives.
Highly available NAT
With the out-of-the-box setup, instances in the private subnet have no Internet access: the private route table has no default route to the Internet gateway. To give them outbound access you set up a NAT instance in the public subnet, point the private subnet's default route (0.0.0.0/0) at it, and it forwards traffic to and from the private instances. The NAT instance in turn is given an Elastic IP, and then you can do nice things like install software on the instances in the private subnet without exposing them to inbound traffic from the Internet.
Building the NAT from scratch is easy enough (it's literally a half dozen kernel and iptables settings, plus turning off the EC2 source/destination check so the instance is allowed to forward packets that aren't addressed to it), but there's a community AMI provided that has it ready out of the box, so I used that (the community NAT AMIs are named amzn-ami-vpc-nat). Here I also took the first baby step toward creating a robust cloud architecture for the applications: relying on a single NAT instance to provide Internet to the private subnet creates a single point of failure. Amazon has a nice blog article with a pretty robust solution (not without caveats) which is very easy to implement, so I followed that procedure and have an automatic-failover NAT in a separate availability zone. I tested it by shutting down each instance in turn and watched the automatic failover kick in and the instance restart automatically.
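For the "half dozen settings" above, here is an added example of what a hand-built NAT instance and the route-table flip behind the failover procedure look like. It is not code from the original post or from Amazon's NAT AMI or blog script; the VPC CIDR (10.0.0.0/16), the interface name (eth0), the instance and route-table IDs, and the dry-run wrapper are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Three pieces of a hand-built
# NAT instance in the public subnet, plus the route swap a failover watchdog
# performs. Assumptions: VPC CIDR 10.0.0.0/16, primary interface eth0, and
# placeholder instance/route-table IDs. DRY_RUN=1 prints commands instead of
# running them so the logic can be read (and tested) without root or AWS.

VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Kernel side: forward packets, and masquerade anything from the VPC behind
#    the instance's own address (which EC2 maps 1:1 to its Elastic IP).
#    FORWARD is locked down so the box is a NAT for the VPC, not an open relay.
nat_enable() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPC_CIDR" -j MASQUERADE
  run iptables -A FORWARD -s "$VPC_CIDR" -j ACCEPT
  run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  run iptables -P FORWARD DROP
}

# 2. EC2 side: a NAT forwards packets whose source/destination is not its own
#    address, which EC2 silently drops unless the source/dest check is off.
#    $1 = the NAT instance's own ID (placeholder in the example).
nat_disable_srcdst_check() {
  run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# 3. Routing: point a private subnet's default route at a NAT instance.
#    On first setup this targets the primary NAT; on failover the surviving
#    NAT calls it with the peer's route table and its own instance ID.
#    $1 = route table ID, $2 = NAT instance ID
route_default_via() {
  run aws ec2 replace-route --route-table-id "$1" \
      --destination-cidr-block 0.0.0.0/0 --instance-id "$2"
}

# Failover decision, kept separate from the pinging so it can be checked
# offline: take over only after $2 consecutive missed pings ($1), so that a
# single dropped packet doesn't cause a needless route flap.
# Returns 0 (true) when the peer should be declared down.
peer_is_down() {
  [ "$1" -ge "$2" ]
}

# Full bring-up for one NAT instance (dry-run by default).
# $1 = this NAT's instance ID, $2 = route table of the private subnet it serves
nat_bootstrap() {
  nat_enable
  nat_disable_srcdst_check "$1"
  route_default_via "$2" "$1"
}
```

Run it with `DRY_RUN=1 sh nat.sh` and call `nat_bootstrap i-0123 rtb-4567` to see the exact command sequence; with `DRY_RUN=0` it must run as root on the instance with the AWS CLI configured and an IAM role that permits `ec2:ModifyInstanceAttribute` and `ec2:ReplaceRoute`. The `iptables -P FORWARD DROP` line is the one most worth keeping: a NAT instance with an open FORWARD chain and source/dest check disabled will happily relay for anything that can route through it.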
In the end I ended up with:
- 2 NAT instances in the public subnet
- MySQL server in the private subnet
- 2 web servers in the public subnet, each with an Elastic IP (one for the blog, one for comments)
- 1 load balancer with one of the web server instances attached
- 1 Salt master in the private subnet
- 1 Windows 2012 R2 box which will be the VPC domain controller once the IPSec site-to-site VPN is working
Nothing to write home about yet but a first step.
- script out building the web server, database server, NAT servers and comment server with Salt
- CloudFormation for the whole architecture