Inter-Region VPC Peering


News from AWS News: Inter-Region VPC Peering has gained nine more Regions, and Asia is finally among them! No more hand-building Site-to-Site VPNs!

This post collects the basic information, the measured numbers, and the planning considerations.

Basic Information

The Regions newly supporting Inter-Region VPC Peering in this round:

  • EU: London, Ireland, Paris
  • Asia Pacific: Mumbai, Sydney, Singapore, Tokyo
  • Canada: Central
  • South America: São Paulo

Regions enabled in the previous round:

  • US East: Northern Virginia, Ohio
  • US West: Northern California, Oregon

It looks like all the major regions worldwide are now covered; that is a serious commitment!

With this, AWS can finally go head-to-head with GCP's VPC Network. For more, see Compare GCP VPC Network with AWS and Study Notes - VPC Network in GCP.

According to the official documentation, Inter-Region VPC Peering runs over AWS's own backbone, with scalability, fault tolerance and high availability all included. The official description reads:

Built on the same horizontally scaled, redundant, and highly available technology that powers VPC today, Inter-Region VPC Peering encrypts inter-region traffic with no single point of failure or bandwidth bottleneck.

With this feature there is much more flexibility (and more to think about) when planning multiple VPCs across multiple Regions. It should also remove the need for anything as complex as a Transit VPC, right?!

Creating VPC Peering Connections

If you create the peering with awscli, upgrade it first; the version I tested with was 1.14.4.

Upgrade awscli: sudo pip install --upgrade awscli

The environment variables below: REQUESTER is the region that sends the peering request, ACCEPTER is the region that accepts it.
This example uses us-east-1 and ap-northeast-1.

# Requester: N. Virginia (us-east-1)
REQUESTER_VPC_ID="vpc-1234567"
REQUESTER_REGION="us-east-1"

# Accepter: Tokyo (ap-northeast-1)
ACCEPTER_VPC_ID="vpc-7654321"
ACCEPTER_REGION="ap-northeast-1"

Create the Peering Connection (Requester)

Create the peering connection request; remember to pass --region so that the request is sent from the correct region.

aws ec2 create-vpc-peering-connection \
--vpc-id ${REQUESTER_VPC_ID} \
--peer-vpc-id ${ACCEPTER_VPC_ID} \
--peer-region ${ACCEPTER_REGION} \
--region ${REQUESTER_REGION}

If the peering crosses AWS accounts, you additionally need --peer-owner-id to specify the Requester Account ID:

Once the request is created, the most important field in the returned result is the VpcPeeringConnectionId:

{
  "VpcPeeringConnection": {
    "Status": {
      "Message": "Initiating Request to 1234567890A",
      "Code": "initiating-request"
    },
    "Tags": [],
    "RequesterVpcInfo": {
      "VpcId": "vpc-1234567",
      "OwnerId": "1234567890A",
      "Region": "us-east-1",
      "CidrBlockSet": [
        {
          "CidrBlock": "172.30.0.0/16"
        }
      ],
      "CidrBlock": "172.30.0.0/16"
    },
    "VpcPeeringConnectionId": "pcx-12345678912345678",
    "ExpirationTime": "2018-03-01T13:36:21.000Z",
    "AccepterVpcInfo": {
      "OwnerId": "1234567890A",
      "Region": "ap-northeast-1",
      "VpcId": "vpc-7654321"
    }
  }
}

If you do this through the AWS Console, the result looks like the screenshot below:

Accept the Peering Connection Request

aws ec2 accept-vpc-peering-connection \
--vpc-peering-connection-id pcx-12345678912345678 \
--region ${ACCEPTER_REGION}

{
  "VpcPeeringConnection": {
    "Status": {
      "Message": "Provisioning",
      "Code": "provisioning"
    },
    "Tags": [],
    "AccepterVpcInfo": {
      "VpcId": "vpc-7654321",
      "OwnerId": "1234567890A",
      "Region": "ap-northeast-1",
      "CidrBlockSet": [
        {
          "CidrBlock": "172.40.0.0/16"
        }
      ],
      "CidrBlock": "172.40.0.0/16"
    },
    "VpcPeeringConnectionId": "pcx-12345678912345678",
    "RequesterVpcInfo": {
      "VpcId": "vpc-1234567",
      "OwnerId": "1234567890A",
      "Region": "us-east-1",
      "CidrBlockSet": [
        {
          "CidrBlock": "172.30.0.0/16"
        }
      ],
      "CidrBlock": "172.30.0.0/16"
    }
  }
}

If you do this through the AWS Console, the result looks like the screenshot below:

The final confirmation result:

AWS CLI Reference

Related AWS CLI commands:

Adjusting the Route Tables

Both sides' Route Tables need a route for the other side's CIDR range, with the Target set to the Peering ID: pcx-12345678912345678

The example here:

  • ap-northeast-1: add the us-east-1 VPC CIDR 172.30.0.0/16
  • us-east-1: add the ap-northeast-1 VPC CIDR 172.40.0.0/16

Adjusting Security Groups

My VPCs follow the layout described in Plan and Design Multiple VPCs in Different Regions, so whenever a VPC is added, the Private-Default-EC2 security group has to have the other VPC's CIDR added so the two can reach each other.

The example here:

  • Private-Default-EC2 in ap-northeast-1: add the us-east-1 VPC CIDR 172.30.0.0/16
  • Private-Default-EC2 in us-east-1: add the ap-northeast-1 VPC CIDR 172.40.0.0/16

Every company has its own security policy for these adjustments; the above is simply my approach.

Adjusting Network ACLs

If your VPC design also controls Network ACLs, they likewise need entries for each peer VPC as a source.
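The whole procedure above (request, accept, wait for active, then the route and security-group entries on both sides) as one reviewable script. This is an added example, not the post's own script: it reuses the post's variable names and VPC/CIDR values, but the route table ids, the security-group lookup by name, the single TCP port it opens and the check on the requester before accepting are my assumptions. Every aws call is printed first and only executed when APPLY=1 is set, so the change set can be reviewed before anything is touched; Network ACL entries are left to your own policy.

```shell
# Added example, not the post's own script: inter-region peering end to end
# with awscli. Route table ids, SG lookup by name and SG_PORT are assumptions.
# Every aws call is printed; it is executed only when APPLY=1 is set.
set -eu

REQUESTER_VPC_ID="${REQUESTER_VPC_ID:-vpc-1234567}"      # N. Virginia
REQUESTER_REGION="${REQUESTER_REGION:-us-east-1}"
REQUESTER_CIDR="${REQUESTER_CIDR:-172.30.0.0/16}"
ACCEPTER_VPC_ID="${ACCEPTER_VPC_ID:-vpc-7654321}"        # Tokyo
ACCEPTER_REGION="${ACCEPTER_REGION:-ap-northeast-1}"
ACCEPTER_CIDR="${ACCEPTER_CIDR:-172.40.0.0/16}"
SG_NAME="${SG_NAME:-Private-Default-EC2}"                # group name from the post
SG_PORT="${SG_PORT:-22}"                                 # assumption: one port, not all traffic

# Print each aws call; execute it only when APPLY=1.
run() {
  printf '+ %s\n' "$*" >&2
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Send the request from the requester region; prints the pcx id when applied.
# For a peer VPC in another account add --peer-owner-id with the id of the
# account that owns that peer VPC.
create_peering() {
  run aws ec2 create-vpc-peering-connection \
    --vpc-id "$REQUESTER_VPC_ID" --peer-vpc-id "$ACCEPTER_VPC_ID" \
    --peer-region "$ACCEPTER_REGION" --region "$REQUESTER_REGION" \
    --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text
}

# Accept from the accepter region, but only after confirming the pending
# request really comes from the VPC we expect: a request can be sent to any
# VPC whose owner and id are known, and acceptance is what links the networks.
accept_peering() {
  local pcx="$1" requester
  requester=$(run aws ec2 describe-vpc-peering-connections \
    --vpc-peering-connection-ids "$pcx" --region "$ACCEPTER_REGION" \
    --query 'VpcPeeringConnections[0].RequesterVpcInfo.VpcId' --output text)
  if [ "${APPLY:-0}" = "1" ] && [ "$requester" != "$REQUESTER_VPC_ID" ]; then
    echo "refusing to accept $pcx: requester VPC is $requester" >&2
    return 1
  fi
  run aws ec2 accept-vpc-peering-connection \
    --vpc-peering-connection-id "$pcx" --region "$ACCEPTER_REGION"
}

# Poll the status code until it is "active" (about two minutes at most).
wait_active() {
  local pcx="$1" i=0 code
  while [ "$i" -lt 24 ]; do
    i=$((i + 1))
    code=$(run aws ec2 describe-vpc-peering-connections \
      --vpc-peering-connection-ids "$pcx" --region "$REQUESTER_REGION" \
      --query 'VpcPeeringConnections[0].Status.Code' --output text)
    if [ "${APPLY:-0}" != "1" ] || [ "$code" = "active" ]; then return 0; fi
    sleep 5
  done
  echo "peering $pcx did not become active" >&2
  return 1
}

# Route the other VPC's CIDR to the peering: region route-table-id cidr pcx
add_route() {
  run aws ec2 create-route --region "$1" --route-table-id "$2" \
    --destination-cidr-block "$3" --vpc-peering-connection-id "$4"
}

# Allow SG_PORT from the remote CIDR in the named group: region vpc-id remote-cidr
allow_from_peer() {
  local sg
  sg=$(run aws ec2 describe-security-groups --region "$1" \
    --filters "Name=vpc-id,Values=$2" "Name=group-name,Values=$SG_NAME" \
    --query 'SecurityGroups[0].GroupId' --output text)
  run aws ec2 authorize-security-group-ingress --region "$1" \
    --group-id "${sg:-sg-DRYRUN}" --protocol tcp --port "$SG_PORT" --cidr "$3"
}

main() {
  local pcx
  pcx=$(create_peering)
  pcx="${pcx:-pcx-DRYRUN}"          # placeholder id while only printing
  accept_peering "$pcx"
  wait_active "$pcx"
  add_route "$REQUESTER_REGION" "${REQUESTER_RTB_ID:-rtb-REQUESTER-PLACEHOLDER}" "$ACCEPTER_CIDR" "$pcx"
  add_route "$ACCEPTER_REGION" "${ACCEPTER_RTB_ID:-rtb-ACCEPTER-PLACEHOLDER}" "$REQUESTER_CIDR" "$pcx"
  allow_from_peer "$REQUESTER_REGION" "$REQUESTER_VPC_ID" "$ACCEPTER_CIDR"
  allow_from_peer "$ACCEPTER_REGION" "$ACCEPTER_VPC_ID" "$REQUESTER_CIDR"
}
main
```

Run it once without APPLY to read the exact commands it would issue (they go to stderr), then with `APPLY=1 REQUESTER_RTB_ID=... ACCEPTER_RTB_ID=...` to apply them. The requester check before accepting is the part worth keeping even if you script the rest differently: the pcx id alone does not tell you who asked for the peering.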

Testing Transfer Speed

Two methods were used:

  1. iperf3 directly between the two instances
  2. File transfer: 10MB, 100MB, 1000MB

First prepare the following on the EC2 instances on both sides:

## Install iperf3
sudo yum install iperf3
sudo apt-get install iperf3

## generate the dummy files
truncate -s 10M 10M.dummy
truncate -s 100M 100M.dummy
truncate -s 1000M 1000M.dummy

## Confirm size
~$ ls -l *.dummy
-rw-r--r-- 1 root root 1048576000 Feb 22 14:28 1000M.dummy
-rw-r--r-- 1 root root 104857600 Feb 22 14:28 100M.dummy
-rw-r--r-- 1 root root 10485760 Feb 22 14:23 10M.dummy

Since I already had a t2.micro running, I set up another pair and tested the following two combinations:

  1. Tokyo (c4.xlarge) <---> US East t2.micro
  2. Tokyo (c4.xlarge) <---> US East c5.large

Since c5 is not yet available in Tokyo, the expected ceiling is the c4.xlarge.

t2.micro (us-east-1) to c4.xlarge (ap-northeast-1)

Tokyo: c4.xlarge, Network High
US East: t2.micro, Network Low

Measured:

root@ip-172-30-3-94:~# iperf3 -c 172.40.0.73
Connecting to host 172.40.0.73, port 5201
[ 4] local 172.30.3.94 port 39869 connected to 172.40.0.73 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 1.88 MBytes 15.8 Mbits/sec 0 433 KBytes
[ 4] 1.00-2.00 sec 6.13 MBytes 51.4 Mbits/sec 763 1.70 MBytes
[ 4] 2.00-3.00 sec 8.68 MBytes 72.8 Mbits/sec 418 998 KBytes
[ 4] 3.00-4.00 sec 5.94 MBytes 49.8 Mbits/sec 0 1.04 MBytes
[ 4] 4.00-5.00 sec 5.96 MBytes 50.0 Mbits/sec 0 1.09 MBytes
[ 4] 5.00-6.00 sec 7.19 MBytes 60.3 Mbits/sec 0 1.12 MBytes
[ 4] 6.00-7.00 sec 5.88 MBytes 49.3 Mbits/sec 57 857 KBytes
[ 4] 7.00-8.00 sec 4.53 MBytes 38.0 Mbits/sec 0 909 KBytes
[ 4] 8.00-9.00 sec 5.78 MBytes 48.5 Mbits/sec 0 945 KBytes
[ 4] 9.00-10.00 sec 5.96 MBytes 50.0 Mbits/sec 0 967 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 57.9 MBytes 48.6 Mbits/sec 1238 sender
[ 4] 0.00-10.00 sec 55.8 MBytes 46.8 Mbits/sec receiver

File transfer: us-east-1 to ap-northeast-1

scp -i gtcafe-dev.japan.lab.pem 10M.dummy ec2-user@172.40.0.73:/tmp
10M.dummy 100% 10MB 5.0MB/s 00:02

scp -i gtcafe-dev.japan.lab.pem 100M.dummy ec2-user@172.40.0.73:/tmp
100M.dummy 100% 100MB 6.3MB/s 00:16

scp -i gtcafe-dev.japan.lab.pem 1000M.dummy ec2-user@172.40.0.73:/tmp
1000M.dummy 100% 1000MB 6.5MB/s 02:35

Summary: overall throughput tops out at about 6.5MB/s

c5.large (us-east-1) to c4.xlarge (ap-northeast-1)

Tokyo: c4.xlarge, Network High
US East: c5.large, Network Up to 10 Gigabit

[ec2-user@ip-172-30-3-42 ~]$ iperf3 -c 172.40.0.73
Connecting to host 172.40.0.73, port 5201
[ 4] local 172.30.3.42 port 38622 connected to 172.40.0.73 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 1.85 MBytes 15.5 Mbits/sec 0 602 KBytes
[ 4] 1.00-2.00 sec 12.5 MBytes 105 Mbits/sec 861 1.05 MBytes
[ 4] 2.00-3.00 sec 13.8 MBytes 115 Mbits/sec 334 1.91 MBytes
[ 4] 3.00-4.00 sec 12.5 MBytes 105 Mbits/sec 0 2.02 MBytes
[ 4] 4.00-5.00 sec 15.0 MBytes 126 Mbits/sec 0 2.10 MBytes
[ 4] 5.00-6.00 sec 15.0 MBytes 126 Mbits/sec 0 2.16 MBytes
[ 4] 6.00-7.00 sec 15.0 MBytes 126 Mbits/sec 0 2.20 MBytes
[ 4] 7.00-8.00 sec 16.2 MBytes 136 Mbits/sec 0 2.23 MBytes
[ 4] 8.00-9.00 sec 15.0 MBytes 126 Mbits/sec 0 2.24 MBytes
[ 4] 9.00-10.00 sec 16.2 MBytes 136 Mbits/sec 0 2.25 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 133 MBytes 112 Mbits/sec 1195 sender
[ 4] 0.00-10.00 sec 132 MBytes 111 Mbits/sec receiver

File transfer: us-east-1 to ap-northeast-1

scp -i gtcafe-dev.japan.lab.pem 10M.dummy ec2-user@172.40.0.73:/tmp
10M.dummy 100% 10MB 5.3MB/s 00:01

scp -i gtcafe-dev.japan.lab.pem 100M.dummy ec2-user@172.40.0.73:/tmp
100M.dummy 100% 100MB 11.6MB/s 00:08

scp -i gtcafe-dev.japan.lab.pem 1000M.dummy ec2-user@172.40.0.73:/tmp
1000M.dummy 100% 1000MB 11.4MB/s 01:28

Summary: overall throughput tops out at about 11.5MB/s

Conclusion

Overall throughput is probably bound up with the limits of Inter-Region VPC Peering itself, so the measured numbers are unlikely to exceed the Network Performance rating of the EC2 instance.

Planning Considerations

  • Adjust the Route Table, Security Group and Network ACL configuration
    • The control policies will need to be reviewed again in future
  • Review the VPC topology
  • Measure throughput to check whether it meets the needs of specific applications, such as database replication
  • Confirm that data is encrypted
  • Cost:
    • Connection cost: none
    • Data transfer cost: billed at the standard cross-region data transfer rate – not clearly documented, to be checked
  • CIDR Planning: the CIDR spaces must not overlap
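A pre-flight check for the last point, added here as an example and not part of the original post: a peering between VPCs with overlapping CIDRs cannot be established, and a route for an overlapping prefix would be ambiguous anyway, so the overlap is cheapest to catch before any VPC exists. The functions are plain POSIX sh arithmetic, IPv4 only; the sample plan at the bottom is constructed from the post's two CIDRs plus a third VPC that collides with Tokyo.

```shell
# Added example, not from the post: check that the VPC CIDRs in a peering
# plan are valid VPC-sized prefixes and do not overlap. POSIX sh, IPv4 only.

# ip_to_int 172.30.0.0 -> 2887647232
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_range 172.30.0.0/16 -> "<first address> <last address>" as integers
cidr_range() {
  local base bits mask first last
  base=$(ip_to_int "${1%/*}")
  bits="${1#*/}"
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  first=$(( base & mask ))
  last=$(( first | (4294967295 ^ mask) ))
  echo "$first $last"
}

# valid_vpc_cidr CIDR -> 0 if the prefix is /16../28 (the sizes a VPC accepts)
# and the address given is the network address, i.e. no host bits are set.
valid_vpc_cidr() {
  local bits="${1#*/}"
  [ "$bits" -ge 16 ] && [ "$bits" -le 28 ] || return 1
  set -- $(cidr_range "$1") "$(ip_to_int "${1%/*}")"
  [ "$1" -eq "$3" ]
}

# cidrs_overlap A B -> 0 if the two ranges share any address, 1 otherwise
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  # $1-$2 is A, $3-$4 is B: disjoint only if one ends before the other starts
  if [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]; then return 1; fi
  return 0
}

# check_plan CIDR... -> prints every invalid CIDR and overlapping pair;
# returns 1 if anything was found, 0 if the plan is clean
check_plan() {
  local rc=0 i=0 j a b
  for a in "$@"; do
    i=$((i + 1)); j=0
    valid_vpc_cidr "$a" || { echo "INVALID VPC CIDR: $a"; rc=1; }
    for b in "$@"; do
      j=$((j + 1))
      [ "$j" -gt "$i" ] || continue            # each unordered pair once
      if cidrs_overlap "$a" "$b"; then echo "OVERLAP: $a and $b"; rc=1; fi
    done
  done
  return $rc
}

# Constructed sample plan: the post's two VPCs plus a third that collides with Tokyo.
check_plan 172.30.0.0/16 172.40.0.0/16 172.40.128.0/17 || echo "fix the plan before peering"
```

Run `check_plan` over every VPC CIDR you intend to connect, including VPCs that may be peered later; once two VPCs with colliding space each have their own peerings, one of them has to be re-addressed, which is far more work than picking distinct ranges up front.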

Further Reading (on this site)

Related Resources

