Versions Compared

Old Version 1

changes.mady.by.user John Hill

Saved on

compared with

New Version Current

changes.mady.by.user Xavier Schildwachter

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Prior to switching to a VPC, each EC2 and Database in the Synapse stack was issued a public IP address and was visible to the public internet.  This means the While each machine was still protected by a firewall (one or more Security Groups), SSH keys and passwords, were the only protections from hackersit was theoretically possible for hackers to probe the public visible machines for weaknesses.  By deploying machines into switching to a VPC, it becomes is possible to completely hide the EC2s and Databases instances from the public internet.

...

At a high level, a VPC is a named container for virtual network.  For example, the Synapse production VPC was assigned a CIDR of 10.2220.0.0/16.  This means Synapse networks contains 65,536 IP address between 10.2220.0.0 and 10.2220.255.255.  The VPC is then further divided into subnets which can be declared as either Private or Public.  Instances contained in Public subnets can be assigned public IP addresses and therefore can be seen on the public internet.  Conversely, instances deployed in private subnets do not have public IP address and cannot be seen by the public internet.  In fact, instance Instance in private subnets are only visible to machines deployed within the containing VPC.  We will cover how internal developers can access to machines in private subnets in the next a later section.Image Added

Image Removed

Figure 1. Synapse VPC

The Synapse VPC is divided into two six public and six twenty-four private subnets that span two six Availability Zone (AZ): us-east-1a and , us-east-b, us-east-c, us-east-d, us-east-e, us-east-f (see Figure 1).   The deployment of all instances (EC2s and Databases) across two six zones ensure redundancy should an outage occur in a single zone (such as the event in April 2011), and broadens the availablity of instance types. For details on each subnet see Table 1.


Subnet NameTypeCIDRFirstLastTotal
PublicUsEast1aPublic10.
22
20.0.0/
20
2110.
22
20.0.010.
22
20.
15
7.255
4096
2048
PublicUsEast1bPublic10.
22
20.
16
8.0/
20
2110.
22
20.
16
8.010.
22
20.
31
15.255
4096
2048
RedPrivateUsEast1a
PublicUsEast1cPrivate10.
22
20.
32
16.0/2110.
22
20.
32
16.010.
22
20.
39
23.2552048
RedPrivateUsEast1b
PublicUsEast1dPrivate10.
22
20.
40
24.0/2110.
22
20.
40
24.010.
22
20.
47
31.2552048
BluePrivateUsEast1a
PublicUsEast1ePrivate10.
22
20.
48
32.0/2110.
22
20.48.010.
22
20.
55
39.2552048
BluePrivateUsEast1b
PublicUsEast1fPrivate10.
22
20.
56
40.0/2110.
22
20.
56
40.010.
22
20.
63
47.2552048
GreenPrivateUsEast1a
RedPrivateUsEast1aPrivate10.
22
20.
64
48.0/
21
2410.
22
20.
64
48.010.
22
20.
71
48.255
2048
256
GreenPrivateUsEast1b
RedPrivateUsEast1bPrivate10.
22
20.
72
49.0/
21
2410.
22
20.
72
49.010.
22
20.
79
49.255256
2048

...

RedPrivateUsEast1cPrivate10.

...

20.

...

50.0/

...

Given that subnet address cannot overlap and must be allocated from a fix range of IP addresses (defined by the VPC), it would be awkward to dynamical allocate new subnets for each new stack.  Instead, we decided to create fixed/permanent subnets to deploy new stacks into each week, thus returning to the blue green naming scheme.  Since we occasionally, need to have three concurrently production-capable stacks we included red subnets.  While we will continue to give each new stack a numeric designation, we will now also assign a color to each new stack.  For example, stack 226 will be deployed to Red, 227 to Blue, 228 to Green, 229 to Red etc..

Public subnets

Any machine that must be publicly visible must be deployed to a public subnet.  Since it is not possible to isolate public subnets from each other, there was little value in creating a public subnet for each color.  One public subnet per availability zone is the minimums number possible.  Each public subnet will contain the Elastic Beanstalk loadbalancers for each environment (portal, repo, works) of each stack.  There is also a NAT Gateway deployed to each public subnet (need one NAT per AZ).  We will cover the details of the NAT Gateways in the next section.

Each subnet has a Route Table that answers the question of how network traffic flows out of the subnet.  Table 2 shows the route table used by both public subnets.  Note: The most selective route will always be used.

...

Table 2. Public subnet route table entries

Each loadbalancer deployed in the public subnets is protected by the Security Groups that blocks access to all ports except 80 (HTTP) and 443 (HTTPS).  See Table 3 for the details of the loadbalancer security groups.

...

Table 3. Security Groups for Elastic Beanstalk Loadbalancers deployed to public subnets

Private Subnets

As stated above, any machine deployed to a private subnet is not visible from outside the VPC.  All Synapse EC2 and MySQL database instances are deployed within private subnets.  More specifically, when a stack will be deployed to the permanent private subnets matching its configured color.  For example, if stack 226 is configured to be Red,  the EC2s and databases for that stack will be deployed to both of the Red private subnets.  The private subnets for each color are assigned CIDRs such that all of the address within both private subnets fall within a CIDR for each color (see Table 4). This means the CIDR of each color can be used to isolate each stack.  For example, instances in red subnets cannot see instances in blue subnets, or vise versa.  Table 5 shows an example of the Security group applied to the EC2 instances within the red subnet using the color group CIDR.  Table 6 shows an example of the Security Group applied to the MySQL databases deployed in the red private subnets.

...

Table 4. CIDR for each Color Group

...

Table 5.  Security Group applied to EC2 instances in Red Private Subnets

...

Table 6. Security Group applied to MySQL RDS instances in Red Private Subnets

Just like with public subnets, each private subnet has a Route Table that describes how network traffic flows out of the subnet.  Table 7 shows an example of the Route Table on the RedPrivateUsEast1a subnet.

...

Table 7.  The Route Table on RedPrivateUsEast1a subnet

Internet Access from Within a Private Subnet

All of the EC2 instances deployed as part of Synapse need to make calls to AWS, Google, Jira, etc..  However, each instances is deployed in a private subnet without a public IP address so how does the response to and outside request make it back to the private machine?  The answer is the Network Address Translator (NAT) Gateway.  Figure 1 shows that each public subnet has a NAT Gateway, and Table 7 shows each private subnets has a route to  0.0.0.0/0 that points to the NAT Gateway within the same AZ.  Each NAT has a public IP address and acts a proxy for outgoing requests from instances in the private subnets.  When NAT receives an outgoing request from a private instance, it will replace the response address of the request with its own public address before forwarding the request.  That way, the response goes back to the NAT, which then forwards the response to the original caller within the private subnet.  Note: The NAT will not respond to requests that originate from the outside world so it cannot be used by gain access to the private machines.

While setting up the Synapse VPC it was our plan to utilizes Network Access Control Lists (Network ACLs) to further isolate each private subnet.   In fact, we originally setup Network ACL similar to the security groups in Tables 3, 5, and 6.  With the Network ACLs in place the EC2 instances were unable to communicate with the outside world (ping amazon.com failed).  The following document outlines the important differences between Security Groups and Network ACLs: Comparison of Security Groups and Network ACLs.  The explanation of the observed communication failures is summarized in Table 8..  In short, if a private subnet needs outgoing access on to 0.0.0.0/0, then you must also allow incoming access to 0.0.0.0/0 in the Network ACL.

...

Table 8. Important difference between Security Groups and Network ACLs

VPN Access to Private Subnets

Earlier we stated that instances deployed to private subnets are only visible to machines within the same VPC.  This is a true statement.  So how does a developer connect to an instances deployed in a private subnet?  The short answer: the developer must tunnel into the target VPC.  Assume a developer needs to connect to the MySQL database at 10.22.47.107 as shown in Figure 2.

Image Removed

Figure 2. VPN tunnel to private subnet of a VPC

When a developer makes a VPN connection to vpn.sagebase.org, the VPN client will add a route for 10.22.0.0/16 on the developer's machine.  This route will direct all network traffic with a destination within 10.22.0.0/16 to Sage-Admin-Central firewall.  Once connected to the VPN, an attempt to connect to 10.22.47.107 will proceed as follows:

...

2410.20.50.010.20.50.255256
RedPrivateUsEast1dPrivate10.20.51.0/2410.20.51.010.20.51.255256
RedPrivateUsEast1ePrivate10.20.52.0/2410.20.52.010.20.52.255256
RedPrivateUsEast1fPrivate10.20.53.0/2410.20.53.010.20.53.255256
BluePrivateUsEast1aPrivate10.20.56.0/2410.20.56.010.20.56.255256
BluePrivateUsEast1bPrivate10.20.57.0/2410.20.57.010.20.57.255256
BluePrivateUsEast1cPrivate10.20.58.0/2410.20.58.010.20.58.255256
BluePrivateUsEast1dPrivate10.20.59.0/2410.20.59.010.20.59.255256
BluePrivateUsEast1ePrivate10.20.60.0/2410.20.60.010.20.60.255256
BluePrivateUsEast1fPrivate10.20.61.0/2410.20.61.010.20.61.255256
GreenPrivateUsEast1aPrivate10.20.64.0/2410.20.64.010.20.64.255256
GreenPrivateUsEast1bPrivate10.20.65.0/2410.20.65.010.20.65.255256
GreenPrivateUsEast1cPrivate10.20.66.0/2410.20.66.010.20.66.255256
GreenPrivateUsEast1dPrivate10.20.67.0/2410.20.67.010.20.67.255256
GreenPrivateUsEast1ePrivate10.20.68.0/2410.20.68.010.20.68.255256
GreenPrivateUsEast1fPrivate10.20.69.0/2410.20.69.010.20.69.255256
OrangePrivateUsEast1aPrivate10.20.72.0/2410.20.72.010.20.72.255256
OrangePrivateUsEast1bPrivate10.20.73.0/2410.20.73.010.20.73.255256
OrangePrivateUsEast1cPrivate10.20.74.0/2410.20.74.010.20.74.255256
OrangePrivateUsEast1dPrivate10.20.75.0/2410.20.75.010.20.75.255256
OrangePrivateUsEast1ePrivate10.20.76.0/2410.20.76.010.20.76.255256
OrangePrivateUsEast1fPrivate10.20.77.0/2410.20.77.010.20.77.255256

Table 1.  Synapse VPC 10.22.0.0/16 subnets


Given that subnet address cannot overlap and must be allocated from a fix range of IP addresses (defined by the VPC), it would be awkward to dynamical allocate new subnets for each new stack.  Instead, we decided to create fixed/permanent subnets to deploy new stacks into each week, thus returning to the blue green naming scheme.  Since we occasionally need to have three production-capable stacks running at a time, we included a red subnets.  We will continue to give each new stack a numeric designation, but we will also assign a color to each new stack.  Each color will be assigned in a round-robin manner.  For example, stack 226 will be deployed to Red, 227 to Blue, 228 to Green, 229 to Red etc.. The Orange subnets are reserved for shared resources such as the ID generator database.


Public subnets

Any machine that must be publicly visible must be deployed to a public subnet.  Since it is not possible to isolate public subnets from each other, there was little value in creating a public subnet for each color.  Instead, one public subnet per availability zone was created.  Each public subnet will contain the Elastic Beanstalk loadbalancers for each environment (portal, repo, works) of each stack.  There is also a NAT Gateway deployed to each public subnet (need one NAT per AZ).  We will cover the details of the NAT Gateways in a later section.

Each subnet has a Route Table that answers the question of how network traffic flows out of the subnet.  Table 2 shows the route table used by both public subnets.  Note: The most selective route will always be used.


DestinationTargetDescription
10.20.0.0/16localThe default entry that identifies all address within this VPC (10.20.0.0/16) can be found within this VPC (local)
10.1.0.0/16VPN Peering ConnectionIf the destination IP address in the VPN VPC (10.1.0.0/16), then use the VPC peering connection that connects the two VPCs
0.0.0.0/0Internet GatewayIf the destination is any other IP address (0.0.0.0/0), then use the VPC's Internet Gateway.

Table 2. Public subnet route table entries


Each loadbalancer deployed in the public subnets is protected by firewall called a Security Groups that blocks access to all ports except 80 (HTTP) and 443 (HTTPS).  See Table 3 for the details of the loadbalancer security groups.


TypeCIDRPort RangeDescription
HTTP0.0.0.0/080Allow all traffic in on port 80 (HTTP)
HTTPS0.0.0.0/0443Allow all traffic in on port 443 (HTTPS)

Table 3. Security Groups for Elastic Beanstalk Loadbalancers deployed to public subnets


Private Subnets

As stated above, any machine deployed to a private subnet is not visible from outside the VPC.  Each EC2 and database instances of a stack will be deployed to the two private subnets of a single color.  For example, if stack 226 is configured to be Red,  the EC2s and databases for that stack will be deployed to both RedPrivateUsEast1a and RedPrivateUsEast1b.  The private subnets for each color are assigned CIDRs such that all of the address within both private subnets fall within a single CIDR (see Table 4). This means the CIDR of each color can be used to isolate each stack.  For example, instances in red subnets cannot see instances in blue subnets, or vise versa.  Table 5 shows an example of the Security group applied to the EC2 instances within the red subnet using the color group CIDR.  Table 6 shows an example of the Security Group applied to the MySQL databases deployed in the red private subnets.


Color GroupCIDRFirstLastTotal
Red10.20.48.0/2110.20.48.010.20.53.2552048
Blue10.20.56.0/2110.20.56.010.22.63.2552048
Green10.20.64.0/2110.20.64.010.22.69.2552048

Table 4. CIDR for each Color Group


TypeCIDR/SGPort RangDescription
HTTP10.20.48.0/2180Allow machines within either Red private subnet to connect with HTTP
SSH10.1.0.0/1622Allows traffic from the Sage VPN (10.1.0.0/16) to connect with SSH
HTTPLoadbalancer Security Group80Allow the loadbalancers from this stack to connect with HTTP

Table 5.  Security Group applied to EC2 instances in Red Private Subnets


TypeCIDRPort RangeDescription
MySQL10.20.48.0/213306Allows machines within either Red private subnet to connect on port 3306
MySQL10.1.0.0/163306Allows traffic from the Sage VPN (10.1.0.0/16) to connect on port 3306

Table 6. Security Group applied to MySQL RDS instances in Red Private Subnets


Just like with public subnets, each private subnet has a Route Table that describes how network traffic flows out of the subnet.  Table 7 shows an example of the Route Table on the RedPrivateUsEast1a subnet.


DestinationTargetDescription
10.20.0.0/16localThe default entry that identifies all address within this VPC (10.20.0.0/16) can be found within this VPC (local)
10.1.0.0/16VPN Peering ConnectionIf the destination IP address in the VPN VPC (10.1.0.0/16), then use the VPC peering connection that connects the two VPCs
0.0.0.0/0NAT Gateway us-east-1aIf the destination is any other IP address (0.0.0.0/0), then use the NAT Gateway that is within the same availability zone.

Table 7.  The Route Table on RedPrivateUsEast1a subnet


Internet Access from Within a Private Subnet

All of the EC2 instances of Synpase need to make calls to AWS, Google, Jira, etc..  However, each instances is deployed in a private subnet without a public IP address so how does the response to and outside request make it back to the private machine?  The answer is the Network Address Translator (NAT) Gateway.  Figure 1 shows that each public subnet has a NAT Gateway, and Table 7 shows each private subnets has a route to  0.0.0.0/0 that points to the NAT Gateway within the same AZ.  Each NAT has a public IP address and acts a proxy for outgoing requests from instances in the private subnets.  When NAT receives an outgoing request from a private instance, it will replace the response address of the request with its own public address before forwarding the request.  As a result, the response goes back to the NAT, which then forwards the response to the original caller within the private subnet.  Note: The NAT will not respond to requests that originate from the outside world so it cannot be used by gain access to the private machines.


While setting up the Synapse VPC it was our plan to utilizes Network Access Control Lists (Network ACLs) to further isolate each private subnet.   In fact, we originally setup Network ACL similar to the security groups in Tables 3, 5, and 6.  With the Network ACLs in place the EC2 instances were unable to communicate with the outside world (for example, 'ping amazon.com' would hang).  The following document outlines important differences between Security Groups and Network ACLs: Comparison of Security Groups and Network ACLs.  The explanation of the observed communication failures is summarized in Table 8..  In short, if a private subnet needs outgoing access on to 0.0.0.0/0, then you must also allow incoming access to 0.0.0.0/0 in the Network ACL.


Security GroupNetwork ACL
is stateful: Return traffic is automatically allowed, regardless of any rulesIs stateless: Return traffic must be explicitly allowed by rules

Table 8. Important difference between Security Groups and Network ACLs


VPN Access to Private Subnets

Earlier we stated that instances deployed to private subnets are only visible to machines within the same VPC.  This is a true statement.  So how does a developer connect to an instances deployed in a private subnet?  The short answer: the developer must tunnel into the target VPC.  Figure 2. shows an example of an of how a developer connects to the MySQL database at 10.20.47.107 contained within a private subnet.

Image Added

Figure 2. VPN tunnel to private subnet of a VPC


When a developer makes a VPN connection to vpn.sagebase.org, the VPN client will add a route for 10.20.0.0/16 on the developer's machine.  This route will direct all network traffic with a destination within 10.20.0.0/16 to Sage-Admin-Central firewall.  Once connected to the VPN, an attempt to connect to 10.20.47.107 will proceed as follows:

  1. The call to 10.20.47.107 will be directed to the Sage Firewall
  2. If the VPN users belongs to the 'Synapse Developers' group the request will be forwarded to the SNAT
  3. The SNAT (a type of NAT) will replace the caller's real address with its own address: 10.1.33.107 and forward the request
  4. A route table entry directs all traffic with a destination of 10.20.0.0/16 to the Synapse VPC Peering connection.
  5. The peering connection has been granted access to allow all traffic between the two VPC (10.1.0.0/16 and 10.20.0.0/16) so the request can tunnel to the Synapse VPC
  6. Once in the Synapse VPC, requestor's address will be 10.1.33.107.  Since the database security group allows 10.1.0.0/16 to connect on port 3306, the connection is allowed if the correct database username/password is provided.

Cloudformation

The entire Synapse stack is built using the Java code from the Synapse-Stack-Builder project.  In the past, the stack builder would create AWS resources by directly calling AWS services via the AWS Java client.  One of the stated goals for switching Synapse to use a VPC included switching the stack building process to Cloudeformation templates.  While cloudformation templates can be awkward to create, using them to build/manage a stack has several advantages:

  • A template can be read to discover exactly how a stack was created.
  • The creation or update of a template acts as a quasi-transaction, so either all of the changes are either applied successfully or rolled-back completely.
  • Cleaning up a stack is now as simple as deleting the stack.  Deleting the resources of a stack was previously a manual process.

The resources of the Synapse stack are manged as five separate cloud formation stacks templates shown in Table 9..  All template JSON files are created by merging actual templates with input parameters using Apache's Velocity.

Stack NameFrequencyDescriptionExample
synapse-prod-vpcone timeA one-time stack to create the Synapse VPC and associated subnets, route tables, network ACLs, security groups, and VPC peering
View file
namesynapse-prod-vpc.json
height250
prod-<instance>-shared-resourcesonce per weekCreated once each week (i.e. prod-226-shared-resources) to build all of the of the shared resources of a given stack including MySQL databases and the Elastic Beanstalk Application.
View file
nameprod-226-shared-resources.json
height250
repo-prod-<instance>-<number>one per version per weekCreated for each version of the repository-services deployed per week.  For example, if we needed two separate instances of repository services for prod-226, then the first would be repo-prod-226-0 and the second would be repo-prod-226-1.  Creates the Elastic Beanstalk Environment and CNAME for the repository-services.
View file
nameworkers-prod-226-0.json
height250
workers-prod-<instance>-<number>one per version per weekCreated for each version of the workers deployed per week.  Similar to repo-prod.  Creates the Elastic Beanstalk Environment and CNAME for the workers.
View file
nameworkers-prod-226-0.json
height250
portal-prod-<instance>-<number>one per version per weekCreated for each version of the portal deployed per week.  Similar to repo-prod.  Creates the Elastic Beanstalk Environment and CNAME for the portal.
View file
nameportal-prod-226-0.json
height250

Table 9.  The cloudformation templates of Synapse