AWS Transit Gateway

AWS Transit Gateway is a highly available and scalable service that provides interconnectivity between VPCs and your on-premises network. Within a Region, AWS Transit Gateway provides a method for consolidating and centrally managing routing between VPCs with a hub-and-spoke network architecture.

Between Regions, AWS Transit Gateway supports inter-regional peering with other transit gateways. It does this to facilitate routing network traffic between VPCs of different Regions over the AWS global backbone. This removes the need to route traffic over the internet. AWS Transit Gateway also integrates with hybrid network configurations when a Direct Connect or AWS Site-to-Site VPN connection is connected to the transit gateway.

AWS Transit Gateway concepts

Attachments

AWS Transit Gateway supports the following connections: 

  • One or more VPCs
  • A compatible Software-Defined Wide Area Network (SD-WAN) appliance
  • A Direct Connect gateway
  • A peering connection with another transit gateway
  • A VPN connection to a transit gateway

AWS Transit Gateway MTU

AWS Transit Gateway supports an MTU of 8,500 bytes for:

  • VPC connections
  • Direct Connect connections
  • Connections to other transit gateways
  • Peering connections

AWS Transit Gateway supports an MTU of 1,500 bytes for VPN connections.

AWS Transit Gateway route table

A transit gateway has a default route table and can optionally have additional route tables. A route table includes dynamic and static routes that decide the next hop based on the destination IP address of the packet. The target of these routes can be any transit gateway attachment. 

Associations

Each attachment is associated with exactly one route table. Each route table can be associated with zero to many attachments.

Route propagation

A VPC, VPN connection, or Direct Connect gateway can dynamically propagate routes to a transit gateway route table. With a Direct Connect attachment, the routes are propagated to a transit gateway route table by default.

With a VPC, you must create static routes to send traffic to the transit gateway.


With a VPN connection or a Direct Connect gateway, routes are propagated from the transit gateway to your on-premises router using BGP.

With a peering attachment, you must create a static route in the transit gateway route table to point to the peering attachment.

AWS Transit Gateway inter-regional peering

AWS offers two types of peering connections for routing traffic between VPCs in different Regions: VPC peering and transit gateway peering. Both peering types are one-to-one, but transit gateway peering connections have a simpler network design and more consolidated management. 

Suppose a customer has multiple VPCs in three different Regions. As the following diagram illustrates, to permit network traffic to route between each VPC requires creating 72 VPC peering connections. Each VPC needs 8 different routing configurations and security policies. 

With AWS Transit Gateway, the same environment only needs three peering connections. The transit gateway in each Region facilitates routing network traffic to all the VPCs in its Region. Because all routing can be managed by the transit gateway, the customer only needs to maintain three routing configurations, simplifying management.

Cheers

Osama

AWS Site-to-Site VPN and AWS Client VPN

AWS VPN is comprised of two services: 

  • AWS Site-to-Site VPN enables you to securely connect your on-premises network to Amazon VPC, for example your branch office site. 
  • AWS Client VPN enables you to securely connect users to AWS or on-premises networks, for example remote employees. 

AWS Site-to-Site VPN

ased on IPsec technology, AWS Site-to-Site VPN uses a VPN tunnel to pass data from the customer network to or from AWS.

One AWS Site-to-Site VPN connection consists of two tunnels. Each tunnel terminates in a different Availability Zone on the AWS side, but it must terminate on the same customer gateway on the customer side. 

AWS Site-to-Site VPN components

Customer gateway

A resource you create and configure in AWS that represents your on-premise gateway device. The resource contains information about the type of routing used by the Site-to-Site VPN, BGP, ASN and other optional configuration information.

Customer gateway device

A customer gateway device is a physical device or software application on your side of the AWS Site-to-Site VPN connection. 

Virtual private gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the AWS Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the AWS Site-to-Site VPN connection.

Transit gateway

A transit gateway is a transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the AWS Site-to-Site VPN connection.

AWS Site-to-Site VPN limitations

  • IPv6 traffic is partially supported. AWS Site-to-Site VPN supports IPv4/IPv6-Dualstack through separate tunnels for inner traffic. IPv6 for outer tunnel connection not supported.
  • AWS Site-to-Site VPN does not support Path MTU Discovery. The greatest Maximum Transmission Unit (MTU) available on the inside tunnel interface is 1,399 bytes.
  • Throughput of AWS Site-to-Site VPN connections is limited. When terminating on a virtual private gateway, only one tunnel out of the pair can be active and carry a maximum of 1.25 Gbps. However, real-life throughput will be about 1 Gbps. When terminating on AWS Transit Gateway, both tunnels in the pair can be active and carry an aggregate maximum of 2.5 Gbps. However, real-life throughput will be 2 Gbps. Each flow (for example, TCP stream) will still be limited to a maximum of 1.25 Gbps, with a real-life value of about 1 Gbps.
  • Maximum packets per second (PPS) per VPN tunnel is 140,000.
  • AWS Site-to-Site VPN terminating on AWS Transit Gateway supports equal-cost multi-path routing (ECMP) and multi-exit discriminator (MED) across tunnels in the same and different connection. ECMP is only supported for Site-to-Site VPN connections activated on an AWS Transit Gateway. MED is used to identify the primary tunnel for Site-to-Site VPN conncetions that use BGP. Note, BFD is not yet supported on AWS Site-to-Site VPN, though it is supported on Direct Connect. 
  • AWS Site-to-Site VPN endpoints use public IPv4 addresses and therefore require a public virtual interface to transport traffic over Direct Connect. Support for AWS Site-to-Site VPN over private Direct Connect is not yet available. 
  • For globally distributed applications, the accelerated Site-to-Site VPN option provides a connection to the global AWS backbone through AWS Global Accelerator. Because the Global Accelerator IP space is not announced over a Direct Connect public virtual interface, you cannot use accelerated Site-to-Site VPN with a Direct Connect public virtual interface.

In addition, when you connect your VPCs to a common on-premises network, it’s recommend that you use nonoverlapping CIDR blocks for your networks. 

Client VPN

Based on OpenVPN technology, Client VPN is a managed client-based VPN service that lets you securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client. 

Client VPN components

Client VPN endpoint

Your Client VPN administrator creates and configures a Client VPN endpoint in AWS. Your administrator controls which networks and resources you can access when you establish a VPN connection. 

VPN client application

This is the software application that you use to connect to the Client VPN endpoint and establish a secure VPN connection.

Client VPN endpoint configuration file

This is a configuration file that is provided to you by your Client VPN administrator. The file includes information about the Client VPN endpoint and the certificates required to establish a VPN connection. You load this file into your chosen VPN client application. 

Client VPN limitations

  • Client VPN supports IPv4 traffic only. IPv6 is not supported.
  • Security Assertion Markup Language (SAML) 2.0-based federated authentication only works with an AWS provided client v1.2.0 or later. 
  • SAML integration with AWS Single Sign-On requires a workaround. Better integration is being worked on. 
  • Client CIDR ranges must have a block size of at least /22 and must not be greater than /12. 
  • A Client VPN endpoint does not support subnet associations in a dedicated tenancy VPC. 
  • Client VPN is not compliant with Federal Information Processing Standards (FIPS).
  • Client CIDR ranges cannot overlap with the local CIDR of the VPC in which the associated subnet is located. It also cannot overlap any routes manually added to the Client VPN endpoint’s route table.
  • A portion of the addresses in the client CIDR range is used to support the availability model of the Client VPN endpoint and cannot be assigned to clients. Therefore, we recommend that you assign a CIDR block that contains twice the number of required IP addresses. This will ensure the maximum number of concurrent connections that you plan to support on the Client VPN endpoint. 
  • The client CIDR range cannot be changed after you create the Client VPN endpoint. 
  • The subnets associated with a Client VPN endpoint must be in the same VPC.
  • You cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint. 
  • AWS Certificate Manager (ACM) certificates are not supported with mutual authentication because you cannot extract the private key. You can use an ACM server as the server-side certificate. But, to add a client certificate to your customer configuration, you cannot use a general ACM certificate because you can’t extract the required private key details. So you must access the keys in one of two ways. Either generate your own certificate where you have the key or use AWS Certificate Manager Private Certificate Authority (ACM PCA), which gives the private keys. If the customer is authenticating based on Active Directory or SAML, they can use a general ACM-generated certificate because only the server certificate is required.

Cheers
Osama

CRS-5013 RAC 12c

When starting Oracle RAC 12c the following error appears :-

[root@—— bin]# ./crsctl check cluster
CRS-4535: Cannot communicate with Cluster Ready Services
CRS-4530: Communications failure contacting Cluster Synchronization Services daemon
CRS-4534: Cannot communicate with Event Manager

CRS-5013: Agent “ORAROOTAGENT” failed to start process “/grid/app/12.1.0.2/bin/osysmond” for action “start”: details at “(:CLSN00008:)” in “/grid/app/oracle/diag/crs/……/crs/trace/ohasd_orarootagent_root.trc”

The cause :- DB Node was reboot.

To solve this issue :-

CRS-2672: Attempting to start ‘ora.crf’ on CRS-2674: Start of ‘ora.crf’ on failed CRS-2679: Attempting to clean ‘ora.crf’ on (Doc ID 1902447.1)

Thanks
Osama

EBS R12.2. not able to clone due adlonk.sh

The EBS R12.2 failed due to the below error :-

Ouicli.pl INSTE8_APPLY 255
AutoConfig is exiting with status 1
RC-50013: Fatal: Instantiate driver did not complete successfully.

The Solution :-

The error happened to perl version while trying to execute this, if you check the following :-

which perl
/usr/bin/perl 

to solve this issue :-

export PATH=$ORACLE_HOME/perl/bin:$PATH

Now, run adcfgclone.pl again

Thanks
Osama mustafa

Import hangs On index level.

Today some customer contact me complaining that they are trying to sync the development with UAT, when i check the issue everything was normal for the first time, but the alert logs indicate that database could complete the checkpoint.

so this what i did to make the import faster ( which i completed it as well ) :-

  • Change database to no archive mode.
  • increase sga_target temporary.
  • use parallel command depend on cpu core.
  • Use commit=N with import parameters.
  • you can exclude indexes by exclude=indexes but i don’t prefer this at all.
  • increase db_cache_size.
This simple steps that could help someone to make import little faster or solve hang issue.
let me know if you need anything 🙂
Cheers
Merry Christmas guys 
Osama

System is in manitance mode. Please try again later OBIEE

When trying to update any reports in OBIEE the below errors appears :-

to solve this issue just follow the screen :-

1- Access to OBIEE Link http://ip-hostname:9704/analytics
2- Choose Administration from the upper right corner.

3- Turn Maintenance mode to off by press the link.

Good Luck.

Cheers
Osama