4. Others
Home / Archive by Category "4. Others" (Page 5)

东莞市领导赴镇街督导安全生产大排查(25-29/6/2018)

by Posted in 4. Others Leave a comment

因今年东莞市发生多起安全事故:

  1. 2018年4月12日11时许,高埗三联村一钢筋结构构筑物发生坍塌,造成1死1伤,4人被困。
  2. 2018年5月26日上午9时30分许,大岭山大沙村的东莞市华业鞋材有限公司发生一起有限空间气体中毒事故,造成4人死亡。
  3. 2018年5月26日晚上8时许,塘厦镇发生一起溺水事故,造成2人死亡。
  4. 2018年5月27日凌晨6时许,樟木头镇发生一起交通事故,造成2人死亡。

因此夏季安全形式严峻,东莞市领导会赴镇街督导安全生产大排查。

Setup of Ant Miner A3 Machine Mining with sia.tech pool

by Posted in 4. Others Tagged 2 Comments

Step 1. Download sia program from https://sia.tech/get-started

sia-tech-pict1

Step 2. Start the Sia-UI program, and wait for “synchronizing” done, which we may wait for one or two days, so you have better run it in a stable computer.

sia-pict1

Step 3. Create a wallet, mark down the seek and passphrase, and unlock it.

Click on the Wallet tab on the left. You’ll see two options – “Create a new wallet” or “Load a wallet from a seed”. If this is your first time creating a wallet, you’ll select Create a new wallet. It is also recommended to check the box to Use custom passphrase first, and create a password for your wallet. If you don’t, your wallet password will be the same as your wallet seed, which is not ideal, especially if you plan on hosting.

sia-tech-pict3

The wallet will say it’s scanning the blockchain, which may take several minutes. Wait for it to complete, or go grab a snack.

sia-tech-pict4

sia-tech-pict5

Step 4. Create a wallet address

A receiving address will be automatically generated for you in the top box, and you can give it a name in the bottom box if you want. Click Save to add it to the list of “Prior Addresses”. You can create as many addresses as you want, and they’ll all point to your wallet. Sia makes a new wallet address by default every time you click “Receive Siacoin” in order to help protect your privacy, but you can use any of your previous addresses at any time and they’ll still work.

sia-tech-pict6

Step 5. Backup your sia wallet

There is no option to backup the wallet in the sia-ui software! But you can backup the files by yourself!The files location is configured in the config.json file. The config.json is located in “Sia-UI-v1.2.0-win32-x64resourcesapp” folder. Open the file with text editor,you can see the “datadir” item.This item describe the backup files location! in the default the files location is in the C:userusernameAppDataRoamingSia-UI! Please do not go at manually backing up files from the Sia-UI folder as these are not guarenteed to work if placed back in a newer version of Sia-UI, above method is documented and always will work.

All you need to recover your wallet is to write down on a physical paper your seed, which is the same as your wallet password.
Step 6. Register account from antpool.com, and then select siacoin in the top right hand corner.

And then create account, sub-account, and worker as below:

sia-tech-pict7a

sia-tech-pict8

Step 7. Setup in mining machine as below:

Change from original default setting below:

sia-tech-pict9

To:

sia-tech-pict10

Step 8: Once you’ve started mining, you can check your stats from miner status as below example:

sia-tech-pict11

Step 9. My earning monitor screen from antpool as below:

sia-tech-pict12

How to Fix The procedure entry point ucrtbase.terminate is missing or could not be located

by Posted in 4. Others Leave a comment

Error The procedure entry point ucrtbase.terminate could not be located in the dynamic link library api-ms-win-crt-runtime-l1-1-0.dll or The program can’t start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer.  Try reinstalling the program to fix this problem. is usually caused by corrupt or outdated Visual C++ Redist where another program has overwritten the libraries, or the program you are trying to run requires a newer version of the Visual C++. The latest one is 2017. The second most common for this issue to occur is when Windows Updates are outdated or the KB2999226 (Universal CRT) has failed. You cannot install Microsoft Visual C++ 2015 redist (runtime) unless you have Windows Update KB2999226 installed (at least on Windows 7 64-bit SP1).

Method 1: Repair Corrupt System Files

Download and run Reimage Plus to scan and restore corrupt and missing files from here, and then see if the issue is fixed if not then try the other methods listed below.

Method 2: Check for and Install Windows Updates

On Windows 10

  1. Click Start
  2. Choose Settings
  3. Choose Update and Security
  4. Choose Windows Updates
  5. Click Check for Updates
  6. If there are updates, you’ll see a message telling you that important or optional updates are available, or telling you to review important or optional updates, click the message to view the updates to install.
  7. In the list, enable the checkboxes for the updates Important or Optional, and then click Install.

On Windows 7

  1. Click Start
  2. Type Updates
  3. Choose Windows Updates
  4. Choose Check for Updates
  5. Install the Updates, and Reboot the PC.

The one we are looking for through Windows Update is the Universal CRT Update KB2999226 which can also be downloaded and installed as a stand alone package from (here).

For Windows 7 Only:

If the issue is still not resolved on Windows 7 after running the updates and install the KB2999226 manually, then follow these steps:

PRO TIP: If the issue is with your computer or a laptop/notebook you should try using the Reimage Plus Software which can scan the repositories and replace corrupt and missing files. This works in most cases, where the issue is originated due to a system corruption. You can download Reimage Plus by Clicking Here
  1. Hold the Windows Key and Press R. In the Run Dialog, type cmd and Click OK.
  2. In the command prompt window, type net stop wuauserv
  3. Then type ren c:windowsSoftwareDistributionWuRedir WuRedir1

Then run the Windows Update again, reboot multiple times and check to make sure that all the updates are installed.

 

The procedure entry point ucrtbase.terminate could not be located in the dynamic link library api-ms-win-crt-runtime-l1-1-0.dll

Modified on: Fri, 23 Jun, 2017 at 11:18 AM

When opening EasyWorship the following error appears “the procedure entry point ucrtbase.terminate could not be located in the dynamic link library api-ms-win-crt-runtime-l1-1-0.dll”.

This is a problem with a Windows library that is missing or corrupted. In many cases this can be fixed by installing the “Update for Universal C Runtime in Windows“.

Convert between xls and xlsx by python and compile python

by Posted in 4. Others Tagged 2 Comments

1. To convert xls to xlsx:

$ pip install pyexcel pyexcel-xls pyexcel-xlsx

Run Python Script as:

import pyexcel as p

p.save_book_as(file_name='your-file-in.xls',
               dest_file_name='your-new-file-out.xlsx')

If you do not need a program, you could install one additinal package pyexcel-cli::

$ pip install pyexcel-cli
$ pyexcel transcode your-file-in.xls your-new-file-out.xlsx

The transcoding procedure above uses xlrd and openpyxl.

2. To convert between xlsx and xls vice and versa:

You need to have win32com installed on your machine. Here is the code for python 2.7 and 3.5:
import win32com.client as win32
fname = "full+path+to+xls_file"
excel = win32.gencache.EnsureDispatch('Excel.Application')
wb = excel.Workbooks.Open(fname)

wb.SaveAs(fname+"x", FileFormat = 51)    #FileFormat = 51 is for .xlsx extension
wb.Close()                               #FileFormat = 56 is for .xls extension
excel.Application.Quit()

3. Compile via py2exe

3.1. Create your setup script (setup.py)

py2exe extends Distutils with a new “command”. If you’ve installed third party Python modules then there’s a good chance you’ve seen at least one distutils command:

C:Tutorial>python setup.py install

“install” is a Distutils command that installs something (typically a Python module or package). The details Distutils needs to do that installation are contained in setup.py (and sometimes other associated files).

“py2exe” is a new Distutils command that is added when you import py2exe. To use py2exe you need to create a setup.py file to tell Distutils and py2exe what you want to do. Here’s a setup.py whose simplicity is appropriate for our sample program…

   1 from distutils.core import setup
   2 import py2exe
   3 
   4 setup(console=['hello.py'])

3.2. Run your setup script

The next step is to run your setup script. Make sure to give the py2exe command and expect to see lots and lots of output:

C:Tutorial>python setup.py py2exe

3.3. Test your executable

Now that the package has been created it is ready to test:

C:Tutorial>cd dist

C:Tutorialdist>hello.exe
Hello World

4. Compile via pyinstaller

[Anaconda3] C:Usersgoldmanau>pip install pyinstaller

[Anaconda3] C:Usersgoldmanau>pyinstaller --version
3.3.1

[Anaconda3] C:Usersgoldmanau>pyinstaller --onefile conv.py
418 INFO: PyInstaller: 3.3.1
418 INFO: Python: 3.5.1
418 INFO: Platform: Windows-7-6.1.7601-SP1
420 INFO: wrote C:Usersgoldmanauconv.spec
424 INFO: UPX is not available.
428 INFO: Extending PYTHONPATH with paths
['C:\Users\goldmanau', 'C:\Users\goldmanau']
428 INFO: checking Analysis
429 INFO: Building Analysis because out00-Analysis.toc is non existent
429 INFO: Initializing module dependency graph...
434 INFO: Initializing module graph hooks...
438 INFO: Analyzing base_library.zip ...
12259 INFO: running Analysis out00-Analysis.toc
14333 INFO: Caching module hooks...
14347 INFO: Analyzing C:Usersgoldmanauconv.py
14350 INFO: Processing pre-safe import module hook win32com
15341 INFO: Loading module hooks...
15342 INFO: Loading module hook "hook-pydoc.py"...
15343 INFO: Loading module hook "hook-pythoncom.py"...
15913 INFO: Loading module hook "hook-pywintypes.py"...
16460 INFO: Loading module hook "hook-win32com.py"...
16770 INFO: Loading module hook "hook-encodings.py"...
16970 INFO: Loading module hook "hook-xml.py"...
17803 INFO: Looking for ctypes DLLs
17879 INFO: Analyzing run-time hooks ...
17884 INFO: Including run-time hook 'pyi_rth_win32comgenpy.py'
17897 INFO: Looking for dynamic libraries
19407 INFO: Looking for eggs
19407 INFO: Using Python library c:usersgoldmanauappdatalocalcontinuumanac
onda3python35.dll
19408 INFO: Found binding redirects:
[]
19415 INFO: Warnings written to C:Usersgoldmanaubuildconvwarnconv.txt
19520 INFO: Graph cross-reference written to C:Usersgoldmanaubuildconvxref-
conv.html
19587 INFO: checking PYZ
19587 INFO: Building PYZ because out00-PYZ.toc is non existent
19588 INFO: Building PYZ (ZlibArchive) C:Usersgoldmanaubuildconvout00-PYZ.p
yz
21378 INFO: Building PYZ (ZlibArchive) C:Usersgoldmanaubuildconvout00-PYZ.p
yz completed successfully.
21402 INFO: checking PKG
21403 INFO: Building PKG because out00-PKG.toc is non existent
21404 INFO: Building PKG (CArchive) out00-PKG.pkg
21752 INFO: Updating manifest in C:UsersgoldmanauAppDataRoamingpyinstaller
bincache00_py35_64bitpython35.dll
21753 INFO: Updating resource type 24 name 2 language 1033
27241 INFO: Building PKG (CArchive) out00-PKG.pkg completed successfully.
27253 INFO: Bootloader c:usersgoldmanauappdatalocalcontinuumanaconda3lib
site-packagesPyInstallerbootloaderWindows-64bitrun.exe
27254 INFO: checking EXE
27255 INFO: Building EXE because out00-EXE.toc is non existent
27256 INFO: Building EXE from out00-EXE.toc
27258 INFO: Appending archive to EXE C:Usersgoldmanaudistconv.exe
27345 INFO: Building EXE from out00-EXE.toc completed successfully.

Compile program in    C:Usersgoldmanaudistconv.exe

Custom TinyWebDB Service

by Posted in 4. Others Tagged Leave a comment

Creating a Custom TinyWebDB Service

TinyWebDB is an App Inventor component that allows you to store data persistently in a database on the web. Because the data is stored on the web instead of a particular phone, TinyWebDB can be used to facilitate communication between phones and apps (e.g., multi-player games).

By default, the TinyWebDB component stores data on a test service provided by App Inventor, http://appinvtinywebdb.appspot.com/ . This service is helpful for testing, but it is shared by all App Inventor users, and it has a limit of 1000 entries. If you use it, your data will be overwritten eventually.

For most apps you write, you’ll want to create a custom web service that isn’t shared with other App Inventor apps and programmers. You need not be a programmer to do so– just follow the instructions below and you’ll have your own service within minutes.

To create your own web service, follow these instructions:

  • Download App Engine for Python at http://code.google.com/appengine/ . After installing it, run the GoogleAppEngineLauncher by clicking its icon.
  • Download this sample code. It is a zip file containing the source code for your custom tinywebdb web service
  • This code is setup to run with App Engine using Python 2.7, so you’ll need Python 2.7 on your computer. To check your version of Python, open up your Terminal and type in python. If you don’t have the right version, you can download it from here
  • To make sure that App Engine is configured to use it, in App Engine Launcher, choose Preferences and then put in path to Python2.7 (On a Mac, this might be something like /usr/local/bin/python2.7 )
  • Unzip the downloaded zip file. It will create a folder named customtinywebdb. You can rename it if you want.
  • In the GoogleAppEngineLauncher, choose File | Add Existing Application. Browse to set the Path to the customtinywebdb folder you just unzipped. Then click the Run button. This will launch a test web service that runs on your local machine.
  • You can test the service by opening a browser and entering “localhost:8080” as the URL. (NOTE: if you’ve already created a web service, the port number (8080) may be different the second time, check the table in Google App Engine Launcher to see what Port number you should use).
  • You’ll see the web page interface to your web service. The end-goal of this service is to communicate with a mobile app created with App Inventor. But the service provides a web page interface to the service to help programmers with debugging. You can invoke the get and store operations by hand, view the existing entries, and also delete individual entries. NOTE: If you are having problems creating a web page, click the Logs on the App Engine screen to diagnose the error.

Congrats, you’ve now made a webpage for your app. But your app is not yet on the web, and thus not yet accessible to an App Inventor app. To get it there, you need to upload it to Google’s App Engine servers.

  • In the GoogleAppEngineLauncher, choose Dashboard. Enter your Google account information and you’ll be taken to an App Engine dashboard.
  • Choose Create an Application. You’ll need to specify a globally unique Application Identifier. Remember the Application identifier as you’ll need it later. Provide a name to your app and click Create Application to submit. If your Identifier was unique, you now have a new, empty app on Google’s servers.
  • Open a text editor on your local computer and open the file app.yaml within the customtinywebdb folder you unzipped. Modify the first line so that the application matches the application identifier you set at Google.
  • In GoogleAppEngineLauncher, choose Deploy and follow the steps for deploying your app.
  • Test to see if your app is running on the web. In a browser, enter myapp.appspot.com, only substitute your application identifier for myapp. The app should look the same as when you ran it on the local test server. Only now, it’s on the web and you can access it from your App Inventor for Android app.

Your App Inventor apps can store and retrieve data using your new service. Just do the following:

  • Drag in a TinyWebDB component into the Component Designer.
  • Modify the ServiceURL property from the default http://appinvtinywebdb.appspot.com/ to your web service.
  • Any StoreValue operations (blocks) will store data at your service, and any GetValue operations will retrieve from your service.

Information source: 1) http://appinventor.mit.edu/explore/content/custom-tinywebdb-service.html

2)  https://cloud.google.com/appengine/docs/standard/python/download?hl=zh-CN

东莞实施“明厨亮灶”

by Posted in 4. Others Leave a comment

东莞实施“明厨亮灶”的餐饮单位数达11899家

Source: http://www.o769.cn/baixing/Info.asp?ID=7129

民以食为天,食品安全问题总是牵动大众的神经。记者7日从东莞市食药监局获悉,目前越来越多餐饮服务单位主动把后厨“亮”给市民看,全市实施“明厨亮灶”的餐饮单位数已达11899家,覆盖全市餐饮单位逾三分之一。

“明厨亮灶”分六种类别

不少餐馆的后厨门口都贴着“厨房重地,闲人免进”的提示,厨房的卫生状况和食品加工过程并不透明。“谁知道后厨到底卫不卫生呢?所以有时外出吃饭难免会提心吊胆。”很多市民担心。

“为了创新监管模式,强化餐饮服务单位的责任意识,早在2013年,我局就在部分中小学校、幼儿园食堂等餐饮单位率先试点开展‘明厨亮灶’工作。”据市食药监局相关负责人介绍,“明厨亮灶”就是将餐饮服务单位的操作间、凉菜间、洗消间等食品加工制作的关键部位和原料清洗、切配、烹饪、餐具洗消、凉菜加工等重要环节,通过透明玻璃窗(或玻璃幕墙)、电子显示屏、隔断矮墙等方式展示给消费者,实现阳光操作、透明化管理。

据了解,广东省去年也已出台了“明厨亮灶”规范指引——按照新修订的《广东省食品安全条例》第三十二条有关规定,将餐饮“明厨亮灶”建设分为透明式、开放式、视频监控式、参观通道式、组合式、其他形式等六种类别,并结合建设“餐饮服务食品安全信息公示栏”,向消费者展示食品加工制作关键过程,接受消费者监督。

用餐不再“眼不见为净”

昨日中午,记者走进厚街万达广场发现,作为厚街食品安全示范创建对象,这里已经实现“明厨亮灶”工程全覆盖。45家餐饮服务企业,均通过视频监控或透明式厨房等方式,让用餐顾客能看到厨房内部的操作。放眼望去,很多家餐厅在门口挂出了他们的监控电视,上面播放着厨房的实时画面。

记者在一家顺德菜餐厅看到,门口的监控电视中,两个画面对准了原料清洗和切配区域,另有两个画面显示着角落与地面的状况,看起来都比较整洁。餐厅里面还有一个监控电视,这样一来,顾客在选择餐厅前和用餐过程中,都能看到厨房内部的实时情况。

带着全家老小一同用餐的顾女士说:“以前外出吃饭都看不到这些后台操作,‘眼不见为净’。现在食客能直观地看到后面的卫生状况,的确会更放心,但是我们只能看到后厨的卫生情况和厨师的操作过程,食物的用料和材质看不到,希望接下来餐饮单位能公示原材料和辅料来源。”

“食药监部门已经叫我们去开过会,对此事我既支持又担心。”南城一家餐馆的负责人认为,一是会增加企业成本,二是担心泄露一些大厨的炒菜秘方,让竞争对手钻了空子。“如果同行都‘明厨亮灶’,而我们不这样做,那竞争力就弱了很多。所以现在正在考虑,究竟要怎么改。”

学校食堂过半“明厨亮灶”

据市食药监局相关负责人透露,东莞将坚持按照“企业自愿、行业自发、政府引导、主动参与、因地制宜”的工作思路,确定一些新开办基础设施好的餐饮单位、学校食堂、大型以上餐馆及其他高风险类餐饮服务单位作为“明厨亮灶”建设的重点,以点带面,逐步推行,力争用三年时间基本完成全市餐饮服务单位“明厨亮灶”工作目标。

“目前全市已经实施‘明厨亮灶’的餐饮单位数达11899家,其中学校食堂达927家,占学校食堂总数一半以上。”该负责人表示,东莞会严把许可准入,对新开办餐饮服务单位,引导按“明厨亮灶”工程的要求指导建设;对所有餐饮服务单位换发证时,强调“明厨亮灶”作为必要条件重新进行现场核查,建成开放式厨房、使用透明玻璃隔断、采用视频传输等技术。

东莞实施“明厨亮灶”的方案:
“明厨亮灶”实施方案一是用玻璃隔断展现,实现透明厨房 通过玻璃窗口消费者可以看到餐厅后厨师傅做菜的烹饪过程!这也是明厨亮灶最早的展现方式!同时跟据食品安全信息公示牌让监控管理人员和食客及时了解到食品的采购信息。

“明厨亮灶”实施方案二是通过后厨安装高清远程监控摄像设备实时直播将厨房生态——食材选择、烹饪加工、剩菜处理、餐具消毒等所有环节,以及厨房卫生情况、厨师仪表穿着等,一一呈现给食客,保障其知情权与监督权,让他们吃得更放心、吃得更安全。

“明厨亮灶”实施方案三是通过后厨安装高清远程监控摄像设备实时直播将厨房生态——食材选择、烹饪加工、剩菜处理、餐具消毒等所有环节,以及厨房卫生情况、厨师仪表穿着等,一一呈现给食客,保障其知情权与监督权,让他们吃得更放心、吃得更安全。

“明厨亮灶”实施方案四是实现了第三的所有功能还增加了从食品食材种植环境,食材储存、厨房环境、配菜烹调加工等过程就实现了全程透明化,实时性、公开性、透明性的阳光透明厨房,让消费者更放心!

How to start mining via Antpool & BTC.com

by Posted in 4. Others Tagged Leave a comment 
information source: https://support.bitmain.com/hc/en-us/articles/115000211774-Connect-Antminer-S9-T9-S7-to-Pools-Antpool-BTC-com

Connect Antminer S9/T9/S7 to Pools – Antpool/BTC.com

Connect to Antpool


1.Login:https://www.antpool.com/

1.png

 


2. Enter your User ID and password for Bitmain.com to log into Antpool or register a new account.

2.png


3. Click the “Bitcoin”at the upper left of the page. Go to the Settings tab and add a Sub-Account via the button on the right.

3.png


Sub-account must contain only the letters or numbers

4.png


4. Enter the default IP address of the ANTMINER  – Go to the login page, enter the user ID: root, password: root.

5.png
5. Click Miner Configuration, you can fill in 3 groups of mining pool. If the first group is dead, then, it will automatically pointed to the second group. You could fill first 2 groups with Antpool, the third one with BTC.com.

Below is the configuration of Antpool:

stratum+tcp://stratum.antpool.com:3333
stratum+tcp://stratum.antpool.com:443
stratum+tcp://stratum.antpool.com:25

Worker Format: sub-account.miner name

Example: If your sub-account is “antminer”, then your miners could be set up as antminer.1, antminer_1, antminer.2, etc. The miner order will be sorted by the miner name.

Password: (Blank). if you change addresses in bulk, fill it as 123.

 

Click Save & Apply to mine, the miners will be restart.

 

6.png

 

Connect to BTC.com

Account Registration

1. Login the home page: https://pool.btc.com

2. Click the “Sign Up Now ” button:

 

 

3. Complete the informtaion required and create a new account:

 

Sub-Account Configuration

1. Click the user name on the top right and choose create sub-account:

 

2. Fill the blanks and complete creating sub-account:

 

Miner Configuration

1. Node Selection

There is network delay when users connecting miners to different nodes in different area. Selecting the nearest nodes can provide the most stable connection.

North China Mining Address

    stratum+tcp://cn.ss.btc.com:1800
    stratum+tcp://cn.ss.btc.com:443
    stratum+tcp://cn.ss.btc.com:25

South China Mining Address

    stratum+tcp://us.ss.btc.com:1800
    stratum+tcp://us.ss.btc.com:443
    stratum+tcp://us.ss.btc.com:25

America Mining Address

    stratum+tcp://us.ss.btc.com:1800
    stratum+tcp://us.ss.btc.com:443
    stratum+tcp://us.ss.btc.com:25

Europe Mining Address

    stratum+tcp://us.ss.btc.com:1800
    stratum+tcp://us.ss.btc.com:443
    stratum+tcp://us.ss.btc.com:25

 

2. Miner Setting

Format: sub-account.miner name

Example: If your sub-account is “btcminer”, then your miners could be set up as btcminer.001, btcminer.002, etc. The miner order will be sorted by the miner name. Password: (Blank). if you change addresses in bulk, fill it as 123.

3. Miner Conection Setting

Type the IP address of miners into the address bar with a web browser under the local area network. The default account is: username ‘root’, password ‘root’.


Sub-Account Management

1. After signing up on BTC pool, uses can establish multiple sub-accounts for different needs.

Click the current sub-account on top right corner:

 

2. Users can edit every sub-account on this page, such as modifying address and setting alert:

 

 

Information Modification

Click “settings” button on top right of the website, you can modify your account and address as follows:

 

Payment Confirmation

Payment Time

BTC Pool settles all the earnings of last day at UTC 00:00 and sends the payment in 2 hours.

Confirmation Time

The confirmation of TX takes time on Bitcoin Network. The time could be 1 minute or up to 2 hours, which depends on the network status. BTC Pool promises that users receive the payment in the shortest time.

Quality Management Concept – Quality vs Grade & Accuracy vs Precision

by Posted in 4. Others 82 Comments

Difference between Quality and Grade

Quality and grade is difference. Quality as a delivered performance or result is “the degree to which a set of inherent characteristics fulfill requirements” (ISO 9000). Grade as a design intent is a category assigned to deliverables having the same functional use but different technical characteristics. While a quality level that fails to meet quality requirements is always a problem, a low grade of quality may not be a problem. For example:

  • It may not be a problem if a suitable low-grade software product (one which a limited number of features) is a high quality (no obvious defects, readable manual). In this example, the product would be appropriate for its general purpose of use.
  • It may be a problem if a high-grade software product (one which numerous features) is of low quality (many defects, poorly organized user documentation). In essence, its high-grade feature set would prove ineffective and/or inefficient due to its low quality.

Difference between Accuracy and Precision

The project management team should determine the appropriate levels of accuracy and precision for use in the quality management plan. Precision is a measure of exactness. Accuracy is an assessment of correctness. For example, if the measured value of an item is very close to the true value of the characteristic being meansured. the measurement is more accurate. An illustration of this concept is the comparison of archery targets. Arrows clustered tightly in one area of the target, even if they are not clustered in the bull’s eye, are considered to have high precision. Targets where the arrows are more spread out but equidistant from the bull’s eye are considered to have the same degree of accuracy. Targets were the arrows are both tightly grouped and within the bull’s eye are considered to be both accurate and precise. Precise measurements are not necessary accurate measurements, are accurate measurements are not necessarily precise measurements.

AWS Managed VPN Connections

by Posted in 4. Others Tagged 2 Comments

Source: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

AWS Managed VPN Connections

By default, instances that you launch into a virtual private cloud (VPC) can’t communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, updating your security group rules, and creating an AWS managed VPN connection.

Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network. AWS supports Internet Protocol security (IPsec) VPN connections.

Your AWS managed VPN connection is either an AWS Classic VPN or an AWS VPN. For more information, see AWS Managed VPN Categories.

Important

We currently do not support IPv6 traffic through a VPN connection.

Topics

For information about how you’re charged for using a VPN connection with your VPC, see the Amazon VPC product page.

Components of Your VPN

A VPN connection consists of the following components. For more information about VPN limits, see Amazon VPC Limits.

Virtual Private Gateway

virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection.

When you create a virtual private gateway, you can specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. If you don’t specify an ASN, the virtual private gateway is created with the default ASN (64512). You cannot change the ASN after you’ve created the virtual private gateway. To check the ASN for your virtual private gateway, view its details in the Virtual Private Gateways screen in the Amazon VPC console, or use the describe-vpn-gateways AWS CLI command.

Note

If you create your virtual private gateway before 2018-06-30, the default ASN is 17493 in the Asia Pacific (Singapore) region, 10124 in the Asia Pacific (Tokyo) region, 9059 in the EU (Ireland) region, and 7224 in all other regions.

Customer Gateway

customer gateway is a physical device or software application on your side of the VPN connection.

To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. The following table describes the information you’ll need to create a customer gateway resource.

Item Description
Internet-routable IP address (static) of the customer gateway’s external interface. The public IP address value must be static. If your customer gateway is behind a network address translation (NAT) device that’s enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.
The type of routing—static or dynamic. For more information, see VPN Routing Options.
(Dynamic routing only) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway. You can use an existing ASN assigned to your network. If you don’t have one, you can use a private ASN (in the 64512–65534 range).If you use the VPC wizard in the console to set up your VPC, we automatically use 65000 as the ASN.

To use Amazon VPC with a VPN connection, you or your network administrator must also configure the customer gateway device or application. When you create the VPN connection, we provide you with the required configuration information and your network administrator typically performs this configuration. For information about the customer gateway requirements and configuration, see the Your Customer Gateway in the Amazon VPC Network Administrator Guide.

The VPN tunnel comes up when traffic is generated from your side of the VPN connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnels. If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down. To prevent this, you can use a network monitoring tool to generate keepalive pings; for example, by using IP SLA.

For a list of customer gateways that we have tested with Amazon VPC, see Amazon Virtual Private Cloud FAQs.

AWS Managed VPN Categories

Your AWS managed VPN connection is either an AWS Classic VPN connection or an AWS VPN connection. Any new VPN connection that you create is an AWS VPN connection. The following features are supported on AWS VPN connections only:

  • NAT traversal
  • 4-byte ASN (in addition to 2-byte ASN)
  • CloudWatch metrics
  • Reusable IP addresses for your customer gateways
  • Additional encryption options; including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
  • Configurable tunnel options
  • Custom private ASN for the Amazon side of a BGP session

You can find out the category of your AWS managed VPN connection by using the Amazon VPC console or a command line tool.

To identify the VPN category using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose VPN Connections.
  3. Select the VPN connection, and check the value for Category in the details pane. A value of VPN indicates an AWS VPN connection. A value of VPN-Classic indicates an AWS Classic VPN connection.

To identify the VPN category using a command line tool

  • You can use the describe-vpn-connections AWS CLI command. In the output that’s returned, take note of the Category value. A value of VPN indicates an AWS VPN connection. A value of VPN-Classic indicates an AWS Classic VPN connection.In the following example, the VPN connection is an AWS VPN connection. 
    aws ec2 describe-vpn-connections --vpn-connection-ids vpn-1a2b3c4d
    {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-1a2b3c4d", 

            ...

            "State": "available", 
            "VpnGatewayId": "vgw-11aa22bb", 
            "CustomerGatewayId": "cgw-ab12cd34", 
            "Type": "ipsec.1",
            "Category": "VPN"
        }
    ]
}

Alternatively, use one of the following commands:

Migrating to AWS VPN

If your existing VPN connection is an AWS Classic VPN connection, you can migrate to an AWS VPN connection by creating a new virtual private gateway and VPN connection, detaching the old virtual private gateway from your VPC, and attaching the new virtual private gateway to your VPC.

If your existing virtual private gateway is associated with multiple VPN connections, you must recreate each VPN connection for the new virtual private gateway. If there are multiple AWS Direct Connect private virtual interfaces attached to your virtual private gateway, you must recreate each private virtual interface for the new virtual private gateway. For more information, see Creating a Virtual Interface in the AWS Direct Connect User Guide.

If your existing AWS managed VPN connection is an AWS VPN connection, you cannot migrate to an AWS Classic VPN connection.

Note

During this procedure, connectivity over the current VPC connection is interrupted when you disable route propagation and detach the old virtual private gateway from your VPC. Connectivity is restored when the new virtual private gateway is attached to your VPC and the new VPN connection is active. Ensure that you plan for the expected downtime.

To migrate to an AWS VPN connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Virtual Private GatewaysCreate Virtual Private Gateway and create a virtual private gateway.
  3. In the navigation pane, choose VPN ConnectionsCreate VPN Connection. Specify the following information, and choose Yes, Create.
    • Virtual Private Gateway: Select the virtual private gateway that you created in the previous step.
    • Customer Gateway: Choose Existing, and select the existing customer gateway for your current AWS Classic VPN connection.
    • Specify the routing options as required.
  4. Select the new VPN connection and choose Download Configuration. Download the appropriate configuration file for your customer gateway device.
  5. Use the configuration file to configure VPN tunnels on your customer gateway device. For examples, see the Amazon VPC Network Administrator Guide. Do not enable the tunnels yet. Contact your vendor if you need guidance on keeping the newly configured tunnels disabled.
  6. (Optional) Create test VPC and attach the virtual private gateway to the test VPC. Change the encryption domain/source destination addresses as required, and test connectivity from a host in your local network to a test instance in the test VPC.
  7. If you are using route propagation for your route table, choose Route Tables in the navigation pane. Select the route table for your VPC, and choose Route PropagationEdit. Clear the check box for the old virtual private gateway and choose Save.

    Note

    From this step onwards, connectivity is interrupted until the new virtual private gateway is attached and the new VPN connection is active.

  8. In the navigation pane, choose Virtual Private Gateways. Select the old virtual private gateway and choose Detach from VPCYes, Detach. Select the new virtual private gateway, and choose Attach to VPC. Specify the VPC for your VPN connection, and choose Yes, Attach.
  9. In the navigation pane, choose Route Tables. Select the route table for your VPC and do one of the following:
    • If you are using route propagation, choose Route PropagationEdit. Select the new virtual private gateway that’s attached to the VPC and choose Save.
    • If you are using static routes, choose RoutesEdit. Modify the route to point to the new virtual private gateway, and choose Save.
  10. Enable the new tunnels on your customer gateway device and disable the old tunnels. To bring the tunnel up, you must initiate the connection from your local network.If applicable, check your route table to ensure that the routes are being propagated. The routes propagate to the route table when the status of the VPN tunnel is UP.

    Note

    If you need to revert to your previous configuration, detach the new virtual private gateway and follow steps 8 and 9 to re-attach the old virtual private gateway and update your routes.

  11. If you no longer need your AWS Classic VPN connection and do not want to continue incurring charges for it, remove the previous tunnel configurations from your customer gateway device, and delete the VPN connection. To do this, go to VPN Connections, select the VPN connection, and choose Delete.

    Important

    After you’ve deleted the AWS Classic VPN connection, you cannot revert or migrate your new AWS VPN connection back to an AWS Classic VPN connection.

VPN Configuration Examples

The following diagrams illustrate single and multiple VPN connections. The VPC has an attached virtual private gateway, and your network includes a customer gateway, which you must configure to enable the VPN connection. You set up the routing so that any traffic from the VPC bound for your network is routed to the virtual private gateway.

When you create multiple VPN connections to a single VPC, you can configure a second customer gateway to create a redundant connection to the same external location. You can also use it to create VPN connections to multiple geographic locations.

Single VPN Connection

<br /> VPN layout<br />

Multiple VPN connections

<br /> Multiple VPN layout<br />

VPN Routing Options

When you create a VPN connection, you must do the following:

  • Specify the type of routing that you plan to use (static or dynamic)
  • Update the route table for your subnet

Static and Dynamic Routing

The type of routing that you select can depend on the make and model of your VPN devices. If your VPN device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your VPN connection. If your device does not support BGP, specify static routing. For a list of static and dynamic routing devices that have been tested with Amazon VPC, see the Amazon Virtual Private Cloud FAQs.

When you use a BGP device, you don’t need to specify static routes to the VPN connection because the device uses BGP to advertise its routes to the virtual private gateway. If you use a device that doesn’t support BGP, you must select static routing and enter the routes (IP prefixes) for your network that should be communicated to the virtual private gateway.

We recommend that you use BGP-capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. Devices that don’t support BGP may also perform health checks to assist failover to the second tunnel when needed.

Route Tables and VPN Route Priority

Route tables determine where network traffic is directed. In your route table, you must add a route for your network and specify the virtual private gateway as the target. This enables traffic destined for your network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.

Only IP prefixes that are known to the virtual private gateway, whether through BGP advertisements or static route entry, can receive traffic from your VPC. The virtual private gateway does not route any other traffic destined outside of received BGP advertisements, static route entries, or its attached VPC CIDR.

When a virtual private gateway receives routing information, it uses path selection to determine how to route traffic to your network. Longest prefix match applies; otherwise, the following rules apply:

  • If any propagated routes from a VPN connection or AWS Direct Connect connection overlap with the local route for your VPC, the local route is most preferred even if the propagated routes are more specific.
  • If any propagated routes from a VPN connection or AWS Direct Connect connection have the same destination CIDR block as other existing static routes (longest prefix match cannot be applied), we prioritize the static routes whose targets are an Internet gateway, a virtual private gateway, a network interface, an instance ID, a VPC peering connection, a NAT gateway, or a VPC endpoint.

If you have overlapping routes within a VPN connection and longest prefix match cannot be applied, then we prioritize the routes as follows in the VPN connection, from most preferred to least preferred:

  • BGP propagated routes from an AWS Direct Connect connection
  • Manually added static routes for a VPN connection
  • BGP propagated routes from a VPN connection

In this example, your route table has a static route to an internet gateway (that you added manually), and a propagated route to a virtual private gateway. Both routes have a destination of 172.31.0.0/24. In this case, all traffic destined for 172.31.0.0/24 is routed to the internet gateway — it is a static route and therefore takes priority over the propagated route.

Destination Target
10.0.0.0/16 Local
172.31.0.0/24 vgw-1a2b3c4d (propagated)
172.31.0.0/24 igw-11aa22bb

Configuring the VPN Tunnels for Your VPN Connection

You use a VPN connection to connect your network to a VPC. Each VPN connection has two tunnels, with each tunnel using a unique virtual private gateway public IP address. It is important to configure both tunnels for redundancy. When one tunnel becomes unavailable (for example, down for maintenance), network traffic is automatically routed to the available tunnel for that specific VPN connection.

The following diagram shows the two tunnels of the VPN connection.

When you create a VPN connection, you download a configuration file specific to your customer gateway device that contains information for configuring the device, including information for configuring each tunnel. You can optionally specify some of the tunnel options yourself when you create the VPN connection. Otherwise, AWS provides default values.

The following table describes the tunnel options that you can configure.

Item Description AWS-provided default value
Inside tunnel CIDR The range of inside IP addresses for the VPN tunnel. You can specify a size /30 CIDR block from the 169.254.0.0/16range. The CIDR block must be unique across all VPN connections that use the same virtual private gateway.The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30
 A size /30 CIDR block from the 169.254.0.0/16range.
Pre-shared key (PSK) The pre-shared key (PSK) to establish the initial IKE Security Association between the virtual private gateway and customer gateway.The PSK must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.), and underscores (_). A 32-character alphanumeric string.

You cannot modify tunnel options after you create the VPN connection. To change the inside tunnel IP addresses or the PSKs for an existing connection, you must delete the VPN connection and create a new one. You cannot configure tunnel options for an AWS Classic VPN connection.

Using Redundant VPN Connections to Provide Failover

As described earlier, a VPN connection has two tunnels to help ensure connectivity in case one of the VPN connections becomes unavailable. To protect against a loss of connectivity in case your customer gateway becomes unavailable, you can set up a second VPN connection to your VPC and virtual private gateway by using a second customer gateway. By using redundant VPN connections and customer gateways, you can perform maintenance on one of your customer gateways while traffic continues to flow over the second customer gateway’s VPN connection. To establish redundant VPN connections and customer gateways on your network, you need to set up a second VPN connection. The customer gateway IP address for the second VPN connection must be publicly accessible.

The following diagram shows the two tunnels of each VPN connection and two customer gateways.

Dynamically routed VPN connections use the Border Gateway Protocol (BGP) to exchange routing information between your customer gateways and the virtual private gateways. Statically routed VPN connections require you to enter static routes for the network on your side of the customer gateway. BGP-advertised and statically entered route information allow gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs. We recommend that you configure your network to use the routing information provided by BGP (if available) to select an available path. The exact configuration depends on the architecture of your network.

 

Source: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/SetUpVPNConnections.html

Setting Up an AWS VPN Connection

Use the following procedures to manually set up the VPN connection. Alternatively, you can let the VPC creation wizard take care of many of these steps for you. For more information about using the VPC creation wizard to set up the virtual private gateway, see Scenario 3: VPC with Public and Private Subnets and AWS Managed VPN Access or Scenario 4: VPC with a Private Subnet Only and AWS Managed VPN Access.

To set up a VPN connection, you need to complete the following steps:

These procedures assume that you have a VPC with one or more subnets.

Create a Customer Gateway

A customer gateway provides information to AWS about your customer gateway device or software application. For more information, see Customer Gateway.

To create a customer gateway using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Customer Gateways, and then Create Customer Gateway.
  3. Complete the following and then choose Create Customer Gateway:
    • (Optional) For Name, type a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify.
    • For Routing, select the routing type.
    • For dynamic routing, for BGP ASN, type the Border Gateway Protocol (BGP) Autonomous System Number (ASN).
    • For IP Address, type the static, internet-routable IP address for your customer gateway device. If your customer gateway is behind a NAT device that’s enabled for NAT-T, use the public IP address of the NAT device.

To create a customer gateway using the command line or API

Create a Virtual Private Gateway

When you create a virtual private gateway, you can optionally specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. The ASN must be different from the BGP ASN specified for the customer gateway.

After you create a virtual private gateway, you must attach it to your VPC.

To create a virtual private gateway and attach it to your VPC

  1. In the navigation pane, choose Virtual Private GatewaysCreate Virtual Private Gateway.
  2. (Optional) Type a name for your virtual private gateway. Doing so creates a tag with a key of Name and the value that you specify.
  3. For ASN, leave the default selection to use the default Amazon ASN. Otherwise, choose Custom ASN and type a value. For a 16-bit ASN, the value must be in the 64512 to 65534 range. For a 32-bit ASN, the value must be in the 4200000000 to 4294967294 range.
  4. Choose Create Virtual Private Gateway.
  5. Select the virtual private gateway that you created, and then choose ActionsAttach to VPC.
  6. Select your VPC from the list and choose Yes, Attach.

To create a virtual private gateway using the command line or API

To attach a virtual private gateway to a VPC using the command line or API

Enable Route Propagation in Your Route Table

To enable instances in your VPC to reach your customer gateway, you must configure your route table to include the routes used by your VPN connection and point them to your virtual private gateway. You can enable route propagation for your route table to automatically propagate those routes to the table for you.

For static routing, the static IP prefixes that you specify for your VPN configuration are propagated to the route table when the status of the VPN connection is UP. Similarly, for dynamic routing, the BGP-advertised routes from your customer gateway are propagated to the route table when the status of the VPN connection is UP.

Note

If your connection is interrupted, any propagated routes in your route table are not automatically removed. You may have to disable route propagation to remove the propagated routes; for example, if you want traffic to fail over to a static route.

To enable route propagation using the console

  1. In the navigation pane, choose Route Tables, and then select the route table that’s associated with the subnet; by default, this is the main route table for the VPC.
  2. On the Route Propagation tab in the details pane, choose Edit, select the virtual private gateway that you created in the previous procedure, and then choose Save.

Note

For static routing, if you do not enable route propagation, you must manually enter the static routes used by your VPN connection. To do this, select your route table, choose RoutesEdit. For Destination, add the static route used by your VPN connection . For Target, select the virtual private gateway ID, and choose Save.

To disable route propagation using the console

  1. In the navigation pane, choose Route Tables, and then select the route table that’s associated with the subnet.
  2. Choose Route PropagationEdit. Clear the Propagate check box for the virtual private gateway, and choose Save.

To enable route propagation using the command line or API

To disable route propagation using the command line or API

Update Your Security Group

To allow access to instances in your VPC from your network, you must update your security group rules to enable inbound SSH, RDP, and ICMP access.

To add rules to your security group to enable inbound SSH, RDP and ICMP access

  1. In the navigation pane, choose Security Groups, and then select the default security group for the VPC.
  2. On the Inbound tab in the details pane, add rules that allow inbound SSH, RDP, and ICMP access from your network, and then choose Save. For more information about adding inbound rules, see Adding, Removing, and Updating Rules.

For more information about working with security groups using the AWS CLI, see Security Groups for Your VPC.

Create a VPN Connection and Configure the Customer Gateway

After you create the VPN connection, download the configuration information and use it to configure the customer gateway device or software application.

To create a VPN connection and configure the customer gateway

  1. In the navigation pane, choose VPN ConnectionsCreate VPN Connection.
  2. Complete the following information, and then choose Create VPN Connection:
    • (Optional) For Name tag, type a name for your VPN connection. Doing so creates a tag with a key of Name and the value that you specify.
    • Select the virtual private gateway that you created earlier.
    • Select the customer gateway that you created earlier.
    • Select one of the routing options based on whether your VPN router supports Border Gateway Protocol (BGP):
      • If your VPN router supports BGP, choose Dynamic (requires BGP).
      • If your VPN router does not support BGP, choose Static. For Static IP Prefixes, specify each IP prefix for the private network of your VPN connection.
    • Under Tunnel Options, you can optionally specify the following information for each tunnel:
      • A size /30 CIDR block from the 169.254.0.0/16 range for the inside tunnel IP addresses.
      • The IKE pre-shared key (PSK).

      For more information about these options, see Configuring the VPN Tunnels for Your VPN Connection.

    It may take a few minutes to create the VPN connection. When it’s ready, select the connection and choose Download Configuration.

  3. In the Download Configuration dialog box, select the vendor, platform, and software that corresponds to your customer gateway device or software, and then choose Yes, Download.
  4. Give the configuration file to your network administrator, along with this guide:Amazon VPC Network Administrator Guide. After the network administrator configures the customer gateway, the VPN connection is operational.

To create a VPN connection using the command line or API

Editing Static Routes for a VPN Connection

For static routing, you can add, modify, or remove the static routes for your VPN configuration.

To add, modify, or remove a static route

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose VPN Connections.
  3. Choose Static RoutesEdit.
  4. Modify your existing static IP prefixes, or choose Remove to delete them. Choose Add Another Rule to add a new IP prefix to your configuration. When you are done, choose Save.

Note

If you have not enabled route propagation for your route table, you must manually update the routes in your route table to reflect the updated static IP prefixes in your VPN connection. For more information, see Enable Route Propagation in Your Route Table.

To add a static route using the command line or API

To delete a static route using the command line or API

Replacing Compromised Credentials

If you believe that the tunnel credentials for your VPN connection have been compromised, you can change the IKE pre-shared key. To do so, delete the VPN connection, create a new one using the same virtual private gateway, and configure the new keys on your customer gateway. You can specify your own pre-shared keys when you create the VPN connection. You also need to confirm that the tunnel’s inside and outside addresses match, because these might change when you recreate the VPN connection. While you perform the procedure, communication with your instances in the VPC stops, but the instances continue to run uninterrupted. After the network administrator implements the new configuration information, your VPN connection uses the new credentials, and the network connection to your instances in the VPC resumes.

Important

This procedure requires assistance from your network administrator group.

To change the IKE pre-shared key

  1. Delete the VPN connection. For more information, see Deleting a VPN Connection. You don’t need to delete the VPC or the virtual private gateway.
  2. Create a new VPN connection and specify your own pre-shared keys for the tunnels or let AWS generate new pre-shared keys for you. For more information, see Create a VPN Connection and Configure the Customer Gateway.
  3. Download the new configuration file.

 

Source: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html

Scenario 4: VPC with a Private Subnet Only and AWS Managed VPN Access

The configuration for this scenario includes a virtual private cloud (VPC) with a single private subnet, and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel. There is no Internet gateway to enable communication over the Internet. We recommend this scenario if you want to extend your network into the cloud using Amazon’s infrastructure without exposing your network to the Internet.

This topic assumes that you’ll use the VPC wizard in the Amazon VPC console to create the VPC and the VPN connection.

This scenario can also be optionally configured for IPv6—you can use the VPC wizard to create a VPC and subnet with associated IPv6 CIDR blocks. Instances launched into the subnet can receive IPv6 addresses. Currently, we do not support IPv6 communication over a VPN connection; however, instances in the VPC can communicate with each other via IPv6. For more information about IPv4 and IPv6 addressing, see IP Addressing in Your VPC.

Topics

Overview

The following diagram shows the key components of the configuration for this scenario.

<br /> Diagram for scenario 4: VPC with only a virtual private gateway<br />

Important

For this scenario, the Amazon VPC Network Administrator Guide describes what your network administrator needs to do to configure the Amazon VPC customer gateway on your side of the VPN connection.

The configuration for this scenario includes the following:

  • A virtual private cloud (VPC) with a size /16 CIDR (example: 10.0.0.0/16). This provides 65,536 private IP addresses.
  • A VPN-only subnet with a size /24 CIDR (example: 10.0.0.0/24). This provides 256 private IP addresses.
  • A VPN connection between your VPC and your network. The VPN connection consists of a virtual private gateway located on the Amazon side of the VPN connection and a customer gateway located on your side of the VPN connection.
  • Instances with private IP addresses in the subnet range (examples: 10.0.0.5, 10.0.0.6, and 10.0.0.7), which enables the instances to communicate with each other and other instances in the VPC.
  • A custom route table associated with the subnet. The route table contains a route that enables instances in the subnet to communicate with other instances in the VPC, and a route that enables instances in the subnet to communicate directly with your network.

For more information about subnets, see VPCs and Subnets and IP Addressing in Your VPC. For more information about your VPN connection, see AWS Managed VPN Connections. For more information about configuring a customer gateway, see the Amazon VPC Network Administrator Guide.

Overview for IPv6

You can optionally enable IPv6 for this scenario. In addition to the components listed above, the configuration includes the following:

  • A size /56 IPv6 CIDR block associated with the VPC (example: 2001:db8:1234:1a00::/56). AWS automatically assigns the CIDR; you cannot choose the range yourself.
  • A size /64 IPv6 CIDR block associated with the VPN-only subnet (example: 2001:db8:1234:1a00::/64). You can choose the range for your subnet from the range allocated to the VPC. You cannot choose the size of the IPv6 CIDR.
  • IPv6 addresses assigned to the instances from the subnet range (example: 2001:db8:1234:1a00::1a).
  • A route table entry in the custom route table that enable instances in the private subnet to use IPv6 to communicate with each other.
<br /> IPv6-enabled VPC with a VPN-only subnet<br />

Routing

Your VPC has an implied router (shown in the configuration diagram for this scenario). In this scenario, the VPC wizard creates a route table that routes all traffic destined for an address outside the VPC to the VPN connection, and associates the route table with the subnet.

The following describes the route table for this scenario. The first entry is the default entry for local routing in the VPC; this entry enables the instances in this VPC to communicate with each other. The second entry routes all other subnet traffic to the virtual private gateway (for example, vgw-1a2b3c4d).

Destination Target
10.0.0.0/16 local
0.0.0.0/0 vgw-id

The VPN connection is configured either as a statically-routed VPN connection or as a dynamically routed VPN connection (using BGP). If you select static routing, you’ll be prompted to manually enter the IP prefix for your network when you create the VPN connection. If you select dynamic routing, the IP prefix is advertised automatically to your VPC through BGP.

The instances in your VPC can’t reach the Internet directly; any Internet-bound traffic must first traverse the virtual private gateway to your network, where the traffic is then subject to your firewall and corporate security policies. If the instances send any AWS-bound traffic (for example, requests to Amazon S3 or Amazon EC2), the requests must go over the virtual private gateway to your network and then to the Internet before reaching AWS. Currently, we do not support IPv6 for VPN connections.

Routing for IPv6

If you associate an IPv6 CIDR block with your VPC and subnets, your route table includes separate routes for IPv6 traffic. The following describes the custom route table for this scenario. The second entry is the default route that’s automatically added for local routing in the VPC over IPv6.

Destination Target
10.0.0.0/16 local
2001:db8:1234:1a00::/56 local
0.0.0.0/0 vgw-id

Security

AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Security groups control inbound and outbound traffic for your instances, and network ACLs control inbound and outbound traffic for your subnets. In most cases, security groups can meet your needs; however, you can also use network ACLs if you want an additional layer of security for your VPC. For more information, see Security.

For scenario 4, you’ll use the default security group for your VPC but not a network ACL. If you’d like to use a network ACL, see Recommended Rules for Scenario 4.

Your VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between the instances assigned to the security group. For this scenario, we recommend that you add inbound rules to the default security group to allow SSH traffic (Linux) and Remote Desktop traffic (Windows) from your network.

Important

The default security group automatically allows assigned instances to communicate with each other, so you don’t have to add a rule to allow this. If you use a different security group, you must add a rule to allow this.

The following table describes the inbound rules that you should add to the default security group for your VPC.

Default Security Group: Recommended Rules

Inbound
Source Protocol Port Range Comments
Private IPv4 address range of your network TCP 22 (Linux instances) Allow inbound SSH traffic from your network.
Private IPv4 address range of your network TCP 3389 (Windows instances) Allow inbound RDP traffic from your network.

Security for IPv6

If you associate an IPv6 CIDR block with your VPC and subnets, you must add separate rules to your security group to control inbound and outbound IPv6 traffic for your instances. In this scenario, the database servers cannot be reached over the VPN connection using IPv6; therefore, no additional security group rules are required.

Implementing Scenario 4

To implement scenario 4, get information about your customer gateway, and create the VPC using the VPC wizard, The VPC wizard creates a VPN connection for you with a customer gateway and virtual private gateway.

To prepare your customer gateway

  1. Determine the device you’ll use as your customer gateway. For information about the devices that we’ve tested, see Amazon Virtual Private Cloud FAQs. For more information about the requirements for your customer gateway, see the Amazon VPC Network Administrator Guide.
  2. Obtain the Internet-routable IP address for the customer gateway’s external interface. The address must be static and may be behind a device performing network address translation (NAT).
  3. If you want to create a statically-routed VPN connection, get the list of internal IP ranges (in CIDR notation) that should be advertised across the VPN connection to the virtual private gateway. For more information, see VPN Routing Options.

Use the VPC wizard to create your VPC and a VPN connection.

To create a VPC using the VPC wizard

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. On the dashboard, choose Start VPC Wizard.
  3. Select the fourth option, VPC with a Private Subnet Only and Hardware VPN Access, and then choose Select.
  4. On the first page of the wizard, confirm the details for your VPC and private subnet. Naming your VPC and subnet helps you identify them later in the console.
  5. (Optional, IPv6-only) For IPv6 CIDR block, choose Amazon-provided IPv6 CIDR block. For Private subnet’s IPv6 CIDR, choose Specify a custom IPv6 CIDR. Specify the hexadecimal pair value for the IPv6 subnet or leave the default value (00).
  6. Choose Next.
  7. On the Configure your VPN page, do the following, and then choose Create VPC:
    • In Customer Gateway IP, specify the public IP address of your VPN router.
    • Optionally specify a name for your customer gateway and VPN connection.
    • In Routing Type, select one of the routing options as follows:
      • If your VPN router supports Border Gateway Protocol (BGP), select Dynamic (requires BGP).
      • If your VPN router does not support BGP, choose Static. In IP Prefix, add each IP range for your network in CIDR notation.

      For more information, see VPN Routing Options.

  8. When the wizard is done, choose VPN Connections in the navigation pane. Select the VPN connection that the wizard created, and choose Download Configuration. In the dialog box, select the vendor for the customer gateway, the platform, and the software version, and then choose Yes, Download.
  9. Save the text file containing the VPN configuration and give it to the network administrator along with this guide: Amazon VPC Network Administrator Guide. The VPN won’t work until the network administrator configures the customer gateway.

For this scenario, you need to update the default security group with new inbound rules that allow SSH and Remote Desktop (RDP) access from your network. If you don’t want instances to initiate outbound communication, you can also remove the default outbound rule.

To update the rules for the default security group

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Choose Security Groups in the navigation pane, and then select the default security group for the VPC. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.
  3. On the Inbound Rules tab, choose Edit and add rules for inbound traffic as follows:
    1. Select SSH from the Type list, and enter your network’s private IP address range in the Source field; for example, 172.0.0.0/8.
    2. Choose Add another rule, then select RDP from the Type list, and enter your network’s private IP address range in the Source field.
    3. Choose Save.
  4. (Optional) On the Outbound Rules tab, choose Edit, locate the default rule that enables all outbound traffic, choose Remove, and then choose Save.

After your network administrator configures your customer gateway, you can launch instances into your VPC. If you’re already familiar with launching instances outside a VPC, then you already know most of what you need to know to launch an instance into a VPC.

To launch an instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. Choose Launch Instance on the dashboard.
  3. Follow the directions in the wizard. Choose an AMI, choose an instance type, and then choose Next: Configure Instance Details.

    Note

    If you intend to use your instance for IPv6 communication, you must choose a supported instance type; for example, T2. For more information, see Amazon EC2 Instance Types.

  4. On the Configure Instance Details page, select the VPC that you created earlier from the Network list, and then select the subnet. Choose Next: Add Storage.
  5. On the next two pages of the wizard, you can configure storage for your instance, and add tags. On the Configure Security Group page, select the Select an existing security group option, and select the default security group. Choose Review and Launch.
  6. Review the settings that you’ve chosen. Make any changes that you need, and then choose Launch to choose a keypair and launch your instance.

In scenario 4, you need a DNS server that enables your VPN-only subnet to communicate with servers in your network. You must create a new set of DHCP options that includes your DNS server and then configure the VPC to use that set of options.

Note

Your VPC automatically has a set of DHCP options with domain-name-servers=AmazonProvidedDNS. This is a DNS server that Amazon provides to enable any public subnets in your VPC to communicate with the Internet over an Internet gateway. Scenario 4 doesn’t have any public subnets, so you don’t need this set of DHCP options.

To update the DHCP options

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose DHCP Options Sets.
  3. Choose Create DHCP Options Set.
  4. In the Create DHCP Options Set dialog box, in the Domain name servers box, enter the address of your DNS server, and then choose Yes, Create. In this example, your DNS server is 192.0.2.1.
  5. In the navigation pane, choose Your VPCs.
  6. Select the VPC, and then choose Edit in the Summary tab.
  7. Select the ID of the new set of options from the DHCP options set list and then choose Save.
  8. (Optional) The VPC now uses this new set of DHCP options and therefore uses your DNS server. If you want, you can delete the original set of options that the VPC used.

You can now use SSH or RDP to connect to your instance in the VPC. For information about how to connect to a Linux instance, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances. For information about how to connect to a Windows instance, see Connect to Your Windows Instance in the Amazon EC2 User Guide for Windows Instances.

Privacy Policy
Site Map

Widget Ready

This right column is widget ready! Add one in the admin panel.

Powered By Goldman Design