
Exercise: AWS Network Configuration and Hybrid Connectivity

Architecture

On-Premises <---> AWS Direct Connect <---> VPC
                     |
                     +--> VPN Backup
Internet        <---> NAT Gateway    <---> Private Subnet

Part 1: VPC Configuration

1. Create the VPC

  1. Go to the VPC Dashboard:

    • Type "VPC" in the top search bar
    • Or use the Services menu > Networking & Content Delivery > VPC
  2. Click "Create VPC":

    Resources to create: VPC and more
    Name tag: hybrid-network
    IPv4 CIDR block: 10.0.0.0/16
    (The VPC range must not overlap the on-premises range, 172.16.0.0/12 in this exercise; overlapping prefixes cannot be routed through the virtual private gateway.)
    
    Subnets:
    Public subnet 1: 10.0.1.0/24 (AZ1)
    Public subnet 2: 10.0.2.0/24 (AZ2)
    Private subnet 1: 10.0.3.0/24 (AZ1)
    Private subnet 2: 10.0.4.0/24 (AZ2)
    
    NAT Gateway: 1 per AZ
    VPN Gateway: Yes (the virtual private gateway that both Direct Connect and the backup VPN terminate on)
  3. Click "Create VPC"

2. Configure Route Tables

  1. Go to Route Tables:

    For the public subnets:

    Name: public-rt
    Routes:
    - 0.0.0.0/0 -> Internet Gateway
    - 10.0.0.0/16 -> local

    For the private subnets:

    Name: private-rt
    Routes:
    - 0.0.0.0/0 -> NAT Gateway (the NAT Gateway in the same AZ as the subnet; with one NAT Gateway per AZ this means one private route table per AZ)
    - 10.0.0.0/16 -> local
    - 172.16.0.0/12 -> Virtual Private Gateway (on-premises)

    Longest prefix match decides the target: 10.0.x.x stays local, 172.16.0.0/12 goes to the VGW, and everything else leaves through the NAT Gateway.

Part 2: Configure Direct Connect

1. Request the Direct Connect Connection

  1. Go to the Direct Connect Console
  2. Create Connection:
    Name: primary-dx
    Location: [your nearest location]
    Port speed: 1Gbps

2. Configure the Virtual Interface

  1. Create Private Virtual Interface:
    Name: main-vif
    Connection: primary-dx
    Gateway: the Virtual Private Gateway of hybrid-network (created in Part 1)
    VLAN: 100
    BGP ASN: 65000 (the ASN of your on-premises router; 64512-65534 is the private range)
    BGP authentication key: [generate a key; this is the BGP MD5 password and must be configured identically on the on-premises router]

Part 3: Configure the VPN as Backup

1. Create the Customer Gateway

  1. In VPC Dashboard > Customer Gateways:
    Name: on-prem-gateway
    Routing: Static
    IP Address: [public IP of your on-premises router]

2. Configure the Site-to-Site VPN

  1. Create VPN Connection:
    Name: backup-vpn
    Target Gateway: Virtual Private Gateway (the same VGW the Direct Connect virtual interface is attached to)
    Customer Gateway: on-prem-gateway
    Routing Options: Static
    Static IP Prefixes: 172.16.0.0/12
    Download the configuration afterwards: it contains the pre-shared keys for both tunnels, so handle it as a secret.

3. Configure Failover

  1. Go to Route Tables
  2. Edit the private route table:
    Check that the route 172.16.0.0/12 -> Virtual Private Gateway from Part 1 is present (add it if it is missing).
    Enable Route Propagation for the Virtual Private Gateway so that prefixes learned over BGP from Direct Connect also appear in the table.
    (When the VGW knows the same prefix through both Direct Connect and the VPN it prefers Direct Connect; the VPN carries the traffic only while the DX BGP session is down.)
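The routing decisions in Parts 1 and 3 can be checked offline before anything is built. The following Python is an added example, not code from the exercise or from AWS: it reuses the exercise's CIDRs, validates the address plan, and reproduces AWS's documented selection rules (longest prefix match first; for an identical prefix a manually added route beats a propagated one; and a prefix the virtual private gateway knows via Direct Connect is preferred over the same prefix via the VPN). Targets such as "igw", "nat-az1" and "vgw" are placeholder names, not real AWS IDs, and the on-premises host 172.16.5.10 is an assumed address.

```python
"""Offline model of the routing decisions in this exercise.

Added example, not code from the original exercise or from AWS. It reuses the
exercise's CIDRs (10.0.0.0/16 VPC, 172.16.0.0/12 on-premises) and implements
AWS's documented selection rules: longest prefix match first; for an
identical prefix a manually added (static) route beats a propagated one; and
a prefix the virtual private gateway (VGW) knows via Direct Connect is
preferred over the same prefix via the Site-to-Site VPN. Targets such as
"igw", "nat-az1" and "vgw" are placeholder names, not real AWS IDs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "172.16.0.0/12"
SUBNETS = {"public-1": "10.0.1.0/24", "public-2": "10.0.2.0/24",
           "private-1": "10.0.3.0/24", "private-2": "10.0.4.0/24"}


def address_plan_problems(vpc, subnets, onprem):
    """Return a list of planning errors (empty list = plan is usable).

    The on-premises range must not overlap the VPC (the local route would
    shadow the VGW route), every subnet must lie inside the VPC, and subnets
    must not overlap each other.
    """
    v, o = ip_network(vpc), ip_network(onprem)
    problems = []
    if v.overlaps(o):
        problems.append(f"on-premises {onprem} overlaps VPC {vpc}")
    nets = [ip_network(c) for c in subnets.values()]
    for n in nets:
        if not n.subnet_of(v):
            problems.append(f"subnet {n} is outside VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


@dataclass(frozen=True)
class Route:
    cidr: str
    target: str
    propagated: bool = False  # True = learned from the VGW, False = typed in by hand


def lookup(route_table, dst):
    """Route a subnet route table picks for dst (None = no route, packet dropped)."""
    addr = ip_address(dst)
    matches = [r for r in route_table if addr in ip_network(r.cidr)]
    if not matches:
        return None
    # longest prefix first; on a tie the static route (propagated=False) wins
    return min(matches, key=lambda r: (-ip_network(r.cidr).prefixlen, r.propagated))


PUBLIC_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw")]
PRIVATE_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "nat-az1"),
              Route(ONPREM_CIDR, "vgw")]


def vgw_path(dst, dx_prefixes, vpn_prefixes):
    """Path the VGW forwards dst on: "dx", "vpn" or None.

    Longest prefix match applies first; for the same prefix length Direct
    Connect wins because it is evaluated first and ties keep the first hit.
    """
    addr = ip_address(dst)
    best = None
    for path, prefixes in (("dx", dx_prefixes), ("vpn", vpn_prefixes)):
        for p in prefixes:
            n = ip_network(p)
            if addr in n and (best is None or n.prefixlen > best[1]):
                best = (path, n.prefixlen)
    return best[0] if best else None


def route_to_onprem(dx_up, dst="172.16.5.10"):
    """(route-table target, VGW path) for a private-subnet packet to on-prem.

    The static VPN always offers 172.16.0.0/12 to the VGW (the "Static IP
    Prefixes" entry); Direct Connect offers it over BGP only while the
    session is up. The host 172.16.5.10 is an assumed on-premises address.
    """
    dx = [ONPREM_CIDR] if dx_up else []
    vpn = [ONPREM_CIDR]
    hop = lookup(PRIVATE_RT, dst)
    return hop.target, vgw_path(dst, dx, vpn)


if __name__ == "__main__":
    print("plan problems:", address_plan_problems(VPC_CIDR, SUBNETS, ONPREM_CIDR))
    print("private subnet to internet:", lookup(PRIVATE_RT, "8.8.8.8").target)
    print("DX up  :", route_to_onprem(True))
    print("DX down:", route_to_onprem(False))
```

Note that the public route table has no on-premises route, so a packet from a public subnet to 172.16.x.x follows 0.0.0.0/0 to the Internet Gateway; that is intended here (only the private tier talks to on-premises), but it is the kind of leak this check makes visible if the public route table is later edited.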

Part 4: Security Groups and NACLs

1. Create the Security Group for EC2

  1. In VPC > Security Groups:
    Name: web-server-sg
    Inbound Rules:
    - HTTP (TCP 80) from 0.0.0.0/0
    - HTTPS (TCP 443) from 0.0.0.0/0
    - SSH (TCP 22) from [your IP]/32
    (Security groups are stateful: replies to these connections are allowed automatically.)

2. Configure the NACL

  1. In VPC > Network ACLs:
    Name: web-tier-nacl
    Inbound Rules:
    100: Allow HTTP (TCP 80) from 0.0.0.0/0
    110: Allow HTTPS (TCP 443) from 0.0.0.0/0
    200: Allow SSH (TCP 22) from [your IP]/32
    300: Allow ephemeral ports (TCP 1024-65535) from 0.0.0.0/0 (return traffic for connections the instances start, e.g. updates through the NAT Gateway)
    * Deny all
    
    Outbound Rules:
    100: Allow ephemeral ports (TCP 1024-65535) to 0.0.0.0/0 (replies to clients)
    110: Allow HTTP (TCP 80) to 0.0.0.0/0
    120: Allow HTTPS (TCP 443) to 0.0.0.0/0
    * Deny all

    NACLs are stateless and each rule holds a single port range, so 80 and 443 need separate rules and both directions of every connection must be allowed explicitly; rules are evaluated in ascending number order and the first match wins. Associate the NACL with the subnets that host the web servers. The security group remains the per-instance filter: rule 300 opens every port above 1023 at the subnet boundary, so it is web-server-sg that keeps them closed.
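Because a NACL keeps no connection state, the easiest way to see what the web-tier rules really let through is to evaluate both halves of each TCP session. The following Python is an added example, not code from the exercise or from AWS: it evaluates rules in ascending number order with first match wins, as a VPC network ACL does, and compares the rule set as the exercise lists it against a completed one. The packets are constructed for the example; 203.0.113.10 stands in for "[your IP]" and 198.51.100.0/24 for arbitrary internet hosts (both are documentation ranges).

```python
"""Stateless evaluation of the web-tier NACL from this exercise.

Added example, not code from the original exercise or from AWS. Rules are
evaluated in ascending rule-number order and the first match wins, the way
a VPC network ACL does; the implicit "*" rule denies everything else. The
packets below are constructed for the example. 203.0.113.10 stands in for
"[your IP]" and 198.51.100.0/24 for arbitrary internet hosts (both are
documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "all"
    cidr: str
    ports: tuple     # (low, high) inclusive; ignored when proto == "all"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (entering the subnet) or "out" (leaving it)
    proto: str
    remote: str      # source IP for "in", destination IP for "out"
    dport: int       # destination port of this packet


def evaluate(rules, pkt):
    """Verdict of one rule set for one packet: "allow" or "deny"."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("all", pkt.proto):
            continue
        if ip_address(pkt.remote) not in ip_network(r.cidr):
            continue
        if r.proto != "all" and not (r.ports[0] <= pkt.dport <= r.ports[1]):
            continue
        return r.action
    return "deny"  # the "*" rule


def tcp_session(inbound, outbound, initiated_by, remote, service_port, client_port=50000):
    """True only if both halves of a TCP session pass; NACLs keep no state.

    initiated_by="remote": an internet client connects to our server.
    initiated_by="server": our instance connects out (for example to a
    package mirror through the NAT Gateway).
    """
    if initiated_by == "remote":
        request = Packet("in", "tcp", remote, service_port)
        reply = Packet("out", "tcp", remote, client_port)
    else:
        request = Packet("out", "tcp", remote, service_port)
        reply = Packet("in", "tcp", remote, client_port)

    def verdict(p):
        return evaluate(inbound if p.direction == "in" else outbound, p)

    return verdict(request) == "allow" and verdict(reply) == "allow"


ADMIN_IP = "203.0.113.10/32"
ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)

# The NACL as the exercise lists it; 80 and 443 are separate rules because
# a rule holds exactly one port range.
INBOUND_AS_WRITTEN = [Rule(100, "allow", "tcp", ANY, (80, 80)),
                      Rule(110, "allow", "tcp", ANY, (443, 443)),
                      Rule(200, "allow", "tcp", ADMIN_IP, (22, 22))]
OUTBOUND_AS_WRITTEN = [Rule(100, "allow", "tcp", ANY, EPHEMERAL)]

# Completed form: return traffic for server-initiated connections comes back
# to an ephemeral port, and the request itself leaves towards 80/443.
INBOUND_FIXED = INBOUND_AS_WRITTEN + [Rule(300, "allow", "tcp", ANY, EPHEMERAL)]
OUTBOUND_FIXED = OUTBOUND_AS_WRITTEN + [Rule(110, "allow", "tcp", ANY, (80, 80)),
                                        Rule(120, "allow", "tcp", ANY, (443, 443))]


def summary(inbound, outbound):
    """Which of four representative flows a given NACL pair lets through."""
    return {
        "client_https": tcp_session(inbound, outbound, "remote", "198.51.100.7", 443),
        "admin_ssh": tcp_session(inbound, outbound, "remote", "203.0.113.10", 22),
        "stranger_ssh": tcp_session(inbound, outbound, "remote", "198.51.100.7", 22),
        "server_updates": tcp_session(inbound, outbound, "server", "198.51.100.20", 443),
    }


if __name__ == "__main__":
    print("as written:", summary(INBOUND_AS_WRITTEN, OUTBOUND_AS_WRITTEN))
    print("fixed     :", summary(INBOUND_FIXED, OUTBOUND_FIXED))
```

With the rules as written, clients can reach the site and the admin can SSH in, but the instance cannot open a connection to anything outside (the outbound rule only allows ephemeral destination ports, and there is no inbound ephemeral rule for the replies). The completed set fixes that at the cost of allowing any inbound packet to ports 1024-65535 at the subnet boundary, which is why the security group must stay tight.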

Validation and Monitoring

1. Monitor Direct Connect Status

  1. In the Direct Connect Dashboard:
    • Check the connection state (it must be "available")
    • Check the BGP status of main-vif (the peer must be "up")
    • Review the CloudWatch metrics for the connection and the virtual interface

2. Monitor the VPN

  1. In VPN Connections:
    • Check the tunnel status (both tunnels should be UP, not just one)
    • Review the tunnel logs
    • Configure CloudWatch alarms (for example on the TunnelState metric)

3. Test Failover

  1. Simulate a DX failure (bring the BGP session down on the on-premises router, or run the Direct Connect BGP failover test on main-vif, which takes the BGP session down for a chosen number of minutes):
    • Monitor the logs
    • Measure the failover time
    • Confirm connectivity via the VPN while DX is down, and that traffic returns to DX once the BGP session is re-established