Question

I have been trying to port a web application set-up to EC2 using VPC. The application requires an externally accessible web server which is to talk to a number of back end servers managing a database and other data resources within a subnet of the VPC. In addition to this I require a compute head node which should connect to a grid of EC2 worker nodes hosted in another subnet of the VPC accessible only through the head node which should act as a router between the two subnets of the VPC using NAT.

The basic configuration should be something similar to the below schematic:

  External Connection ----------+
                                |
                            Web Server (Externally Facing + VPC Subnet 1)
                                |
          +---------------------+-----------------+
          |                     |                 |
 Data Services Server    Database Server   Compute Headnode
    (VPC Subnet 1)       (VPC Subnet 1)   (VPC Subnet 1 & 2)
                                                  |
                                   +--------------+--------------+
                                   |              |              |
                            Worker Node 01  Worker Node 02  Worker Node 03
                            (VPC Subnet 2)  (VPC Subnet 2)  (VPC Subnet 2)

At the moment I have been able to configure the two subnets and set-up the required EC2 nodes.

I have set up the Network ACL within the two subnets to prevent the EC2 instances in subnet 1 from directly communicating with any IPs within subnet 2 by setting rules within the two subnets as follows:

Subnet 1:

  • 99 ALL Traffic ALL ALL 10.81.82.0/24 DENY
  • 100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
  • * ALL Traffic ALL ALL 0.0.0.0/0 DENY

Subnet 2:

  • 80 ALL Traffic ALL ALL 10.81.82.0/24 ALLOW
  • 100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
  • * ALL Traffic ALL ALL 0.0.0.0/0 DENY

The issue I seem to be having with this set-up is that I don't see any obvious way of allowing the compute node, which is attached to both subnet 1 and subnet 2, to avoid giving precedence to the 10.81.82.0/24 DENY rule of subnet 1 over the 10.81.82.0/24 ALLOW rule of subnet 2.

I have read most of the pages from Amazon's VPC networking documentation however I am still struggling to work out how to achieve this kind of hierarchical setup. Any help or pointers in the right direction would be much appreciated.


Solution 2

Issue resolved.

It turned out the problem of precedence was not directly due to the Network ACL configuration but instead the configuration of the network (in terms of subnet arrangement), as well as the need to set up the Web Server and Compute Headnode to perform NAT between the different subnets.

With regards to the subnet arrangement it would seem, from closer inspection of the AWS documentation, that one has to set up such a network as follows:

  • Subnet 1: For the external connection to the Web Server (in my case 10.0.1.0/24). This subnet was configured to route 0.0.0.0/0 to an internet gateway.
  • Subnet 2: For the machines not directly connected to an external connection, excluding worker nodes (in my case 10.0.2.0/24). This subnet was configured to route 0.0.0.0/0 to a secondary network interface on the Web Server (within the subnet). The Web Server was then configured to perform NAT between its 10.0.2.0/24 and 10.0.1.0/24 interfaces.
  • Subnet 3: For the worker nodes only (in my case 10.0.3.0/24). This subnet was configured to route 0.0.0.0/0 to a secondary network interface on the Compute Headnode. The Compute Headnode was then configured to perform NAT between its 10.0.3.0/24 and 10.0.2.0/24 interfaces.

I was then able to restrict traffic between these subnets to enforce the NAT hierarchy as follows using the Network ACLs for both incoming and outgoing data:

  • Subnet 1: 90 ALL Traffic ALL ALL 10.0.2.0/24 DENY, 91 ALL Traffic ALL ALL 10.0.3.0/24 DENY and 100 ALL Traffic ALL ALL 0.0.0.0/0
  • Subnet 2: 90 ALL Traffic ALL ALL 10.0.1.0/24 DENY, 91 ALL Traffic ALL ALL 10.0.3.0/24 DENY and 100 ALL Traffic ALL ALL 0.0.0.0/0
  • Subnet 3: 90 ALL Traffic ALL ALL 10.0.1.0/24 DENY, 91 ALL Traffic ALL ALL 10.0.2.0/24 DENY and 100 ALL Traffic ALL ALL 0.0.0.0/0

As I wanted to use FreeBSD rather than Linux for my EC2s I had quite a few headaches getting the required NAT instances setup.

I eventually found a very helpful guide to doing this in the November 2012 issue of FreeBSD Magazine. Whilst some of the configuration steps in this were no longer required for the latest FreeBSD AMIs detailed on Daemonology.net, the basic configuration steps haven't changed since publication.

I imagine anyone looking to do something similar using Linux AMIs for NAT would find the process a little easier but as I've not tried I can't say for sure.

Anyway, I hope this helps with anyone having similar issues.
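The subnet layout and Network ACL rules from Solution 2, traced through a small model as an added example (this is not the poster's configuration and not AWS tooling). It encodes AWS's documented NACL evaluation order (ascending rule number, first match wins, catch-all deny), which also accounts for the precedence seen in the question: rule 99 is checked before rule 100. Assumed, because the post does not state them: the rule 100 entries are ALLOW, the VPC CIDR is 10.0.0.0/16, only the outbound direction is checked, and the ENI names and sample addresses are constructed.

```python
"""Model of the three-subnet layout from Solution 2 (added example; not the
poster's configuration or any AWS tooling).

Network ACL semantics follow AWS's documented behaviour: rules are evaluated
in ascending rule-number order, the first matching rule decides, and the
catch-all '*' rule denies anything left.  Assumptions made here: the rule 100
entries are ALLOW (as in the question's NACLs), the VPC CIDR is 10.0.0.0/16,
only the outbound direction is modelled, and the ENI names and sample
addresses are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    cidr: str
    action: str  # "ALLOW" or "DENY"


def evaluate_nacl(rules, dst_ip):
    """Lowest-numbered matching rule wins; no match falls through to the
    implicit '*' DENY.  Traffic that stays inside one subnet never traverses
    the NACL, so the result only matters for cross-subnet flows."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "DENY"


def route_lookup(route_table, dst_ip):
    """Longest-prefix match over a {cidr: target} route table."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# The question's original subnet 1 NACL: rule 99 is checked before rule 100,
# so the DENY for 10.81.82.0/24 takes precedence over the broader ALLOW.
QUESTION_SUBNET1_NACL = [
    Rule(99, "10.81.82.0/24", "DENY"),
    Rule(100, "0.0.0.0/0", "ALLOW"),
]

# Solution 2's layout.  Each private subnet sends its default route to the
# NAT instance's secondary interface, which lives inside that same subnet.
SUBNETS = {
    "subnet1": {  # web server, externally facing
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"},
        "nacl": [Rule(90, "10.0.2.0/24", "DENY"), Rule(91, "10.0.3.0/24", "DENY"),
                 Rule(100, "0.0.0.0/0", "ALLOW")],
    },
    "subnet2": {  # data services, database, compute headnode
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "eni-webserver-subnet2"},
        "nacl": [Rule(90, "10.0.1.0/24", "DENY"), Rule(91, "10.0.3.0/24", "DENY"),
                 Rule(100, "0.0.0.0/0", "ALLOW")],
    },
    "subnet3": {  # worker nodes
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "eni-headnode-subnet3"},
        "nacl": [Rule(90, "10.0.1.0/24", "DENY"), Rule(91, "10.0.2.0/24", "DENY"),
                 Rule(100, "0.0.0.0/0", "ALLOW")],
    },
}

# A packet handed to a NAT instance's interface is re-emitted, with a
# translated source address, from the subnet of that instance's other interface.
NAT_HOPS = {"eni-webserver-subnet2": "subnet1", "eni-headnode-subnet3": "subnet2"}


def trace(src_subnet, dst_ip, max_hops=5):
    """Follow a packet subnet by subnet.  Returns a list of
    (subnet, nacl_action, next_hop) tuples and stops at a DENY, at the
    internet gateway, or at a 'local' delivery."""
    hops = []
    current = src_subnet
    for _ in range(max_hops):
        subnet = SUBNETS[current]
        action = evaluate_nacl(subnet["nacl"], dst_ip)
        next_hop = route_lookup(subnet["routes"], dst_ip)
        hops.append((current, action, next_hop))
        if action == "DENY" or next_hop not in NAT_HOPS:
            break
        current = NAT_HOPS[next_hop]
    return hops


if __name__ == "__main__":
    print(evaluate_nacl(QUESTION_SUBNET1_NACL, "10.81.82.5"))  # DENY: rule 99 beats 100
    for src, dst in [("subnet3", "198.51.100.7"), ("subnet3", "10.0.1.10"),
                     ("subnet2", "10.0.3.10"), ("subnet1", "10.0.2.10")]:
        print(src, "->", dst, trace(src, dst))
```

Running it shows why the hierarchy holds: a worker's traffic to the internet is allowed at every hop, because each NAT instance re-emits it with a source address in the next subnet and a destination outside any denied range, while a direct attempt from subnet 3 to subnet 1 is stopped by rule 90 before the route table is even consulted.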

OTHER TIPS

You can use security groups here. Associate the instances with the security groups and control the traffic at the instance level itself, and for the compute node you can play with the traffic using NACL.

Regards Dev

Licensed under: CC-BY-SA with attribution