AWS and VXLAN

LateNaite (CEO and Founder) asked:

Hi Support Team,

I would like to know if it is possible to create a new EC2 instance dynamically, say, if a certain flagged type of traffic triggers it.

thanks-
latenaite
Maidine Fouad (Engineer) commented:
Via CloudWatch you can set up autoscaling by any metric you want: CPU utilization, latency, network in/out, disk IO ...

You create an alarm in the AWS Management Console; on the alarm interface, select EC2 aggregated by Auto Scaling group, type your Auto Scaling group, choose your metrics ...
btan (Exec Consultant) commented:
You can leverage existing capabilities like
- AWS CloudWatch, which serves to create alarms and triggers.
- AWS OpsWorks, whose users leverage Chef recipes to automate operations like software configurations, package installations, database setups, server scaling, and code deployment.

E.g. OpsWorks sends metrics from all your resources to CloudWatch. The alarm created there to act upon a threshold will, for example, send an AWS Simple Notification Service (SNS) message when the alarm changes state.

Possible use cases include
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/AlarmThatSendsEmail.html

- Set Up Amazon Simple Notification Service
- Create an Alarm
- Send Email Based on CPU Usage Alarm
- Send Email Based on Load Balancer Alarm
- Send Email Based on Storage Throughput Alarm
- Create Alarms That Stop, Terminate, Reboot, or Recover an Instance
- Monitor Your Estimated Charges Using Amazon CloudWatch
LateNaite (CEO and Founder, Author) commented:
So it appears the request is more related to this:

“IP Spoofing: Creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system”

Is there a workaround to IP spoofing for AWS?

btan (Exec Consultant) commented:
I read it as you are asking whether AWS can detect IP spoofing.

First off, establish baseline defence controls to maintain a secure posture. For example,
a) configure VPC to control access to your applications and minimize public entry points by configuring security groups and network access control lists (ACLs).
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
b) configure security groups in the VPC so that you can control inbound and outbound traffic to your instances by specifically allowing communication only on the ports and protocols required for your applications. Any other access to any other port or protocol is automatically denied.
c) Ensure you drop packets which arrive at your external interface (e.g. in AWS, the interface the EIP is allocated to) with an internal IP address. However, this has a caveat: AWS routers with internal addresses which pass on the external packets from the EIP will be blocked, causing disruption due to false positives.

Note that by default, AWS has IP spoofing outbound from EC2 instances blocked. ARP and DNS spoofing inbound is also blocked. That leaves inbound IP spoofing (from external sources) to be blocked, and this will require the above baseline at the network layer of each instance to trigger the detection of spoofing attempts.

On the CloudWatch side, it is probably a matter of monitoring the log and triggering an action upon the dropping of traffic due to spoofing attempts.
CloudWatch Logs can track the number of errors that occur in your application logs and send you a notification whenever the rate of errors exceeds a threshold you specify. CloudWatch Logs uses your log data for monitoring.
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatchLogs.html

And probably ask support about such event types or pattern types:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/EventTypes.html
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/CloudWatchEventsandEventPatterns.html
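An added example (not from the thread or from AWS) of the detection step c) describes: it parses constructed VPC Flow Log records in the default format, flags inbound flows on the internet-facing interface that claim an internal source address, allow-lists the router addresses that the caveat says would otherwise be false positives, and mirrors a CloudWatch threshold alarm on the count. The VPC CIDR, interface ID and router address are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed values (not from the thread): VPC Flow Logs in the default format
# delivered to CloudWatch Logs, the VPC CIDR, and the internet-facing ENI.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
EXTERNAL_ENI = "eni-0aaa1111"  # hypothetical internet-facing interface
# Caveat from the answer: AWS routers with internal addresses legitimately forward
# packets in from the EIP; allow-list them so they are not counted as spoofing.
ROUTER_ALLOWLIST = {ipaddress.ip_address("10.0.0.1")}
# Internal ranges an external peer should never claim as its source.
INTERNAL_RANGES = [VPC_CIDR] + [ipaddress.ip_network(n) for n in
                                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_record(line):
    """Split one default-format VPC Flow Log line into a dict; None if malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_spoofed_inbound(rec):
    """True when a flow on the external interface claims an internal source address."""
    if rec is None or rec["interface_id"] != EXTERNAL_ENI or rec["srcaddr"] == "-":
        return False
    src = ipaddress.ip_address(rec["srcaddr"])
    if src in ROUTER_ALLOWLIST:
        return False  # known router/gateway hop, not a spoofing attempt
    return any(src in net for net in INTERNAL_RANGES)

def spoof_counts(lines):
    """Count suspected spoofed inbound flows per claimed source address."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if is_spoofed_inbound(rec):
            counts[rec["srcaddr"]] += 1
    return counts

def alarm_should_fire(lines, threshold=3):
    """Mirror a CloudWatch alarm: fire when suspected spoof drops reach the threshold."""
    return sum(spoof_counts(lines).values()) >= threshold

# Constructed sample records (not real traffic): a legitimate external client,
# the allow-listed router, three spoofed sources, and a flow on an internal ENI.
SAMPLE_LOGS = [
    "2 123456789012 eni-0aaa1111 203.0.113.5 10.0.1.10 44321 443 6 5 400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa1111 10.0.0.1 10.0.1.10 0 0 1 1 84 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa1111 10.0.1.99 10.0.1.10 53 53 17 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0aaa1111 192.168.1.7 10.0.1.10 1234 22 6 3 180 1700000001 1700000061 REJECT OK",
    "2 123456789012 eni-0aaa1111 127.0.0.1 10.0.1.10 1234 22 6 3 180 1700000002 1700000062 REJECT OK",
    "2 123456789012 eni-0bbb2222 10.0.2.4 10.0.1.10 5555 80 6 2 120 1700000003 1700000063 ACCEPT OK",
]
```

In AWS the same counting would be done by a CloudWatch Logs metric filter over the flow log group, with the alarm action pointing at the SNS topic or Auto Scaling policy described earlier in the thread.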
LateNaite (CEO and Founder, Author) commented:
Thanks for the suggestions so far. Sorry for not keeping to the topic, but I was misinformed.

The goal is to use OVS with VXLAN to create a tunnel from the on-premise site to AWS's OVS so that the hosts are seen with AWS as neighboring hosts (as if they are on the same subnet).

Is this possible?
btan (Exec Consultant) commented:
So far, I understand AWS has Direct Connect to establish a dedicated network connection from your premises to AWS. But this is different from establishing a VPN to AWS that uses the internet. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.
http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

I have not seen AWS stating VXLAN support, though most of the time you need some sort of broker to be the middleman, like the case shown in https://www.ravellosystems.com/blog/vxlan-nvf-testing-aws-google/ which showed VMs in different sites (or clouds in this case) connected to each other via a configured bridge node (vxlan1 for AWS and vxlan2 for Google Cloud).

It may be good to ask more on the AWS side; otherwise you have to have some broker, and I believe F5 Networks may have some inkling on this "bridging".
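An added example (not from the thread, Ravello or F5) of what the bridge nodes above carry across the tunnel: the 8-byte VXLAN header from RFC 7348 in front of the inner Ethernet frame, with a decoder that rejects malformed headers and a receiver-side check that accepts only expected VNIs. The VNI values and the inner frame are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: VNI field is valid

def encode_vxlan(vni, inner_frame):
    """Prepend the VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the high 24 bits of the second 32-bit word.
    header = struct.pack("!BBBBI", VXLAN_FLAG_VNI_VALID, 0, 0, 0, vni << 8)
    return header + inner_frame

def decode_vxlan(payload):
    """Return (vni, inner_frame); raise ValueError on a malformed header."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _r1, _r2, _r3, word2 = struct.unpack("!BBBBI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag (I) not set")
    if word2 & 0xFF:
        raise ValueError("reserved byte after VNI must be zero")
    return word2 >> 8, payload[8:]

def tunnel_policy_allows(payload, allowed_vnis):
    """Receiver-side sanity check: only frames on an expected VNI with at
    least an Ethernet header inside are passed to the bridge."""
    try:
        vni, inner = decode_vxlan(payload)
    except ValueError:
        return False
    return vni in allowed_vnis and len(inner) >= 14

# Constructed inner frame: dst MAC, src MAC, EtherType 0x0800, 4 payload bytes.
INNER_FRAME = bytes.fromhex("0a0000000001" "0a0000000002" "0800") + b"\xde\xad\xbe\xef"
```

VXLAN itself carries no authentication, so this VNI allow-list is only a sanity check; on the on-premise-to-AWS path the tunnel still needs a VPN or Direct Connect underneath it.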

LateNaite (CEO and Founder, Author) commented:
Hi Btan,

Do you know who has tested this solution: https://www.ravellosystems.com/blog/vxlan-nvf-testing-aws-google/

Also, have you tried the F5 solution as well?

thanks,
btan (Exec Consultant) commented:
I am not aware, but the company behind this blog and its author may help. As for F5, hear it from them if you want more details. Here is one of their articles on its native support of VXLAN:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/10.html