Cross-Region: Connectivity - AWS Fault Injection Service

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

Cross-Region: Connectivity

You can use the Cross-Region: Connectivity scenario to block application network traffic from the experiment Region to the target Region and to pause cross-Region replication for Amazon S3 and Amazon DynamoDB. Cross-Region: Connectivity affects outbound application traffic from the Region in which you run the experiment (the experiment Region). It may not block stateless inbound traffic that originates in the Region you want to isolate from the experiment Region (the target Region), and it may not block traffic that originates from AWS managed services.

You can use this scenario to demonstrate that a multi-Region application behaves as expected when resources in the target Region cannot be reached from the experiment Region. It blocks network traffic from the experiment Region to the target Region by targeting transit gateways and route tables, and it pauses cross-Region replication for S3 and DynamoDB. By default, any action for which no targets are found is skipped.

Actions

Together, the following actions block cross-Region connectivity for the AWS services they cover. The actions run in parallel. By default, the scenario blocks traffic for 3 hours; you can extend this to a maximum of 12 hours.

Disrupt transit gateway connectivity

Cross-Region: Connectivity includes aws:network:transit-gateway-disrupt-cross-region-connectivity, which blocks cross-Region network traffic from VPCs in the experiment Region to VPCs in the target Region that are connected through a transit gateway. This does not affect access to VPC endpoints in the experiment Region, but it blocks traffic from the experiment Region to VPC endpoints in the target Region.

This action targets the transit gateways that connect the experiment Region and the target Region. By default, it targets transit gateways tagged with the key DisruptTransitGateway and the value Allowed. You can add this tag to your transit gateways, or replace the default tag with your own tag in the experiment template. By default, if no valid transit gateway is found, the action is skipped.

Disrupt subnet connectivity

Cross-Region: Connectivity includes aws:network:route-table-disrupt-cross-region-connectivity, which blocks cross-Region network traffic from VPCs in the experiment Region to public AWS IP blocks in the target Region. These public IP blocks include the AWS service endpoints in the target Region (such as the S3 regional endpoint) and the AWS IP blocks of managed services (such as the IP addresses used by load balancers and Amazon API Gateway). The action also blocks network connectivity from the experiment Region to the target Region over cross-Region VPC peering connections. It does not affect access to VPC endpoints in the experiment Region, but it blocks traffic from the experiment Region to VPC endpoints in the target Region.

This action targets subnets in the experiment Region. By default, it targets subnets tagged with the key DisruptSubnet and the value Allowed. You can add this tag to your subnets, or replace the default tag with your own tag in the experiment template. By default, if no valid subnet is found, the action is skipped.

Pause S3 replication

Cross-Region: Connectivity includes aws:s3:bucket-pause-replication, which pauses S3 replication from the targeted buckets in the experiment Region to the target Region. Replication from the target Region to the experiment Region is not affected. When the scenario ends, bucket replication resumes from the point at which it was paused. Note that the time replication needs to bring all objects back in sync depends on the duration of the experiment and on the rate at which objects are uploaded to the bucket.

This action targets S3 buckets in the experiment Region that have cross-Region replication (CRR) enabled to S3 buckets in the target Region. By default, it targets buckets tagged with the key DisruptS3 and the value Allowed. You can add this tag to your buckets, or replace the default tag with your own tag in the experiment template. By default, if no valid bucket is found, the action is skipped.

Pause DynamoDB replication

Cross-Region: Connectivity includes aws:dynamodb:global-table-pause-replication, which pauses replication between the experiment Region and all other Regions, including the target Region. This prevents replication into and out of the experiment Region but does not affect replication between the other Regions. When the scenario ends, table replication resumes from the point at which it was paused. Note that the time replication needs to bring all data back in sync depends on the duration of the experiment and on the rate of change in the table.

This action targets DynamoDB global tables in the experiment Region. By default, it targets tables tagged with the key DisruptDynamoDb and the value Allowed. You can add this tag to your tables, or replace the default tag with your own tag in the experiment template. By default, if no valid global table is found, the action is skipped.

Limitations

  • This scenario does not include stop conditions. Add the stop conditions appropriate for your application to the experiment template.

Requirements

  • Add the required permissions to the AWS FIS experiment role.

  • Resource tags must be applied to the target resources of the experiment. They can follow your own tag convention or use the default tags defined in the scenario.

Permissions

The following policy grants AWS FIS the permissions it needs to run experiments with the Cross-Region: Connectivity scenario. This policy must be attached to the experiment role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RouteTableDisruptConnectivity1",
      "Effect": "Allow",
      "Action": "ec2:CreateRouteTable",
      "Resource": "arn:aws:ec2:*:*:route-table/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity2",
      "Effect": "Allow",
      "Action": "ec2:CreateRouteTable",
      "Resource": "arn:aws:ec2:*:*:vpc/*"
    },
    {
      "Sid": "RouteTableDisruptConnectivity21",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:route-table/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateRouteTable",
          "aws:RequestTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity3",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface",
          "aws:RequestTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity4",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:prefix-list/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateManagedPrefixList",
          "aws:RequestTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity5",
      "Effect": "Allow",
      "Action": "ec2:DeleteRouteTable",
      "Resource": [
        "arn:aws:ec2:*:*:route-table/*",
        "arn:aws:ec2:*:*:vpc/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity6",
      "Effect": "Allow",
      "Action": "ec2:CreateRoute",
      "Resource": "arn:aws:ec2:*:*:route-table/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity7",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterface",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity8",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterface",
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Sid": "RouteTableDisruptConnectivity9",
      "Effect": "Allow",
      "Action": "ec2:DeleteNetworkInterface",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity10",
      "Effect": "Allow",
      "Action": "ec2:CreateManagedPrefixList",
      "Resource": "arn:aws:ec2:*:*:prefix-list/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity11",
      "Effect": "Allow",
      "Action": "ec2:DeleteManagedPrefixList",
      "Resource": "arn:aws:ec2:*:*:prefix-list/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity12",
      "Effect": "Allow",
      "Action": "ec2:ModifyManagedPrefixList",
      "Resource": "arn:aws:ec2:*:*:prefix-list/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity13",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeManagedPrefixLists",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcEndpoints"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RouteTableDisruptConnectivity14",
      "Effect": "Allow",
      "Action": "ec2:ReplaceRouteTableAssociation",
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:route-table/*"
      ]
    },
    {
      "Sid": "RouteTableDisruptConnectivity15",
      "Effect": "Allow",
      "Action": "ec2:GetManagedPrefixListEntries",
      "Resource": "arn:aws:ec2:*:*:prefix-list/*"
    },
    {
      "Sid": "RouteTableDisruptConnectivity16",
      "Effect": "Allow",
      "Action": "ec2:AssociateRouteTable",
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:route-table/*"
      ]
    },
    {
      "Sid": "RouteTableDisruptConnectivity17",
      "Effect": "Allow",
      "Action": "ec2:DisassociateRouteTable",
      "Resource": [
        "arn:aws:ec2:*:*:route-table/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity18",
      "Effect": "Allow",
      "Action": "ec2:DisassociateRouteTable",
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*"
      ]
    },
    {
      "Sid": "RouteTableDisruptConnectivity19",
      "Effect": "Allow",
      "Action": "ec2:ModifyVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:route-table/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/managedByFIS": "true"
        }
      }
    },
    {
      "Sid": "RouteTableDisruptConnectivity20",
      "Effect": "Allow",
      "Action": "ec2:ModifyVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*"
      ]
    },
    {
      "Sid": "TransitGatewayDisruptConnectivity1",
      "Effect": "Allow",
      "Action": [
        "ec2:DisassociateTransitGatewayRouteTable",
        "ec2:AssociateTransitGatewayRouteTable"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:transit-gateway-route-table/*",
        "arn:aws:ec2:*:*:transit-gateway-attachment/*"
      ]
    },
    {
      "Sid": "TransitGatewayDisruptConnectivity2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGateways"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3CrossRegion1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3CrossRegion2",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3CrossRegion3",
      "Effect": "Allow",
      "Action": [
        "s3:PauseReplication"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:DestinationRegion": "*"
        }
      }
    },
    {
      "Sid": "S3CrossRegion4",
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:PutReplicationConfiguration"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "BoolIfExists": {
          "s3:isReplicationPauseRequest": "true"
        }
      }
    },
    {
      "Sid": "DdbCrossRegion1",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DdbCrossRegion2",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:DescribeGlobalTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:*:table/*",
        "arn:aws:dynamodb:*:*:global-table/*"
      ]
    },
    {
      "Sid": "DdbCrossRegion3",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:PutKeyPolicy"
      ],
      "Resource": "arn:aws:kms:*:*:key/*"
    }
  ]
}
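The policy above scopes most mutating EC2 actions to resources tagged managedByFIS=true, which is what keeps the experiment role from touching routing it did not create itself. As an added example (not from the page or from AWS), the following Python audit lists every Allow statement that grants a non-read action without that condition, so a reviewer can justify each one individually; the embedded policy is a constructed three-statement excerpt in the same shape as the real one.

```python
# Constructed excerpt of the experiment-role policy (three statements in the
# same shape as the page's policy; not the full policy).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RouteTableDisruptConnectivity6", "Effect": "Allow",
         "Action": "ec2:CreateRoute",
         "Resource": "arn:aws:ec2:*:*:route-table/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/managedByFIS": "true"}}},
        {"Sid": "RouteTableDisruptConnectivity14", "Effect": "Allow",
         "Action": "ec2:ReplaceRouteTableAssociation",
         "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:route-table/*"]},
        {"Sid": "RouteTableDisruptConnectivity13", "Effect": "Allow",
         "Action": ["ec2:DescribeSubnets", "ec2:DescribeRouteTables"],
         "Resource": "*"},
    ],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")
SCOPE_KEYS = ("aws:RequestTag/managedByFIS", "ec2:ResourceTag/managedByFIS")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_scoped_to_fis(statement):
    """True if any condition in the statement pins managedByFIS to true."""
    for operator_block in statement.get("Condition", {}).values():
        for key, val in operator_block.items():
            if key in SCOPE_KEYS and str(val).lower() == "true":
                return True
    return False


def unscoped_mutations(policy):
    """Return (Sid, action, resources) for each Allow statement that grants a
    mutating action without a managedByFIS condition. Read-only actions are
    skipped; what remains is the set a reviewer must justify on its own."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or is_scoped_to_fis(st):
            continue
        for action in _as_list(st["Action"]):
            verb = action.split(":", 1)[1]
            if verb.startswith(READ_ONLY_PREFIXES):
                continue
            findings.append((st.get("Sid"), action, _as_list(st["Resource"])))
    return findings


if __name__ == "__main__":
    for sid, action, resources in unscoped_mutations(SAMPLE_POLICY):
        print(f"{sid}: {action} on {', '.join(resources)} lacks a managedByFIS condition")
```

Run against the full policy, the output is the list of statements (route-table associations, the subnet and security-group side of CreateNetworkInterface, the transit gateway associations, and the KMS key-policy write) whose blast radius is bounded only by the resource ARN pattern.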

Scenario content

The following content defines the scenario. You can save this JSON and use it with the create-experiment-template command in the AWS Command Line Interface (AWS CLI) to create an experiment template. For the latest version of the scenario, see the scenario library in the FIS console.

{
  "targets": {
    "Transit-Gateway": {
      "resourceType": "aws:ec2:transit-gateway",
      "resourceTags": {
        "TgwTag": "TgwValue"
      },
      "selectionMode": "ALL"
    },
    "Subnet": {
      "resourceType": "aws:ec2:subnet",
      "resourceTags": {
        "SubnetKey": "SubnetValue"
      },
      "selectionMode": "ALL",
      "parameters": {}
    },
    "S3-Bucket": {
      "resourceType": "aws:s3:bucket",
      "resourceTags": {
        "S3Impact": "Allowed"
      },
      "selectionMode": "ALL"
    },
    "DynamoDB-Global-Table": {
      "resourceType": "aws:dynamodb:encrypted-global-table",
      "resourceTags": {
        "DisruptDynamoDb": "Allowed"
      },
      "selectionMode": "ALL"
    }
  },
  "actions": {
    "Disrupt-Transit-Gateway-Connectivity": {
      "actionId": "aws:network:transit-gateway-disrupt-cross-region-connectivity",
      "parameters": {
        "duration": "PT3H",
        "region": "eu-west-1"
      },
      "targets": {
        "TransitGateways": "Transit-Gateway"
      }
    },
    "Disrupt-Subnet-Connectivity": {
      "actionId": "aws:network:route-table-disrupt-cross-region-connectivity",
      "parameters": {
        "duration": "PT3H",
        "region": "eu-west-1"
      },
      "targets": {
        "Subnets": "Subnet"
      }
    },
    "Pause-S3-Replication": {
      "actionId": "aws:s3:bucket-pause-replication",
      "parameters": {
        "duration": "PT3H",
        "region": "eu-west-1"
      },
      "targets": {
        "Buckets": "S3-Bucket"
      }
    },
    "Pause-DynamoDB-Replication": {
      "actionId": "aws:dynamodb:encrypted-global-table-pause-replication",
      "parameters": {
        "duration": "PT3H"
      },
      "targets": {
        "Tables": "DynamoDB-Global-Table"
      }
    }
  },
  "stopConditions": [
    {
      "source": "none"
    }
  ],
  "roleArn": "",
  "logConfiguration": {
    "logSchemaVersion": 2
  },
  "tags": {
    "Name": "Cross-Region: Connectivity"
  },
  "experimentOptions": {
    "accountTargeting": "single-account",
    "emptyTargetResolutionMode": "skip"
  },
  "description": "Block application network traffic from experiment Region to target Region and pause cross-Region replication"
}
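As an added example, not part of the page or of AWS's own tooling: a small Python helper that takes the scenario JSON above and produces a copy ready for create-experiment-template. It fills the empty roleArn, enforces the 12-hour cap on duration, sets each action's target Region, checks that every action references a declared target, and replaces the scenario's absent stop condition (the Limitations section above) with a CloudWatch alarm, using the FIS stop-condition source aws:cloudwatch:alarm. The embedded template is a constructed, trimmed copy with two of the four actions.

```python
import json
import re

# Constructed, trimmed copy of the page's scenario template (two of four actions).
SAMPLE_TEMPLATE = json.loads("""{
  "targets": {
    "Subnet": {"resourceType": "aws:ec2:subnet", "selectionMode": "ALL",
               "resourceTags": {"SubnetKey": "SubnetValue"}},
    "S3-Bucket": {"resourceType": "aws:s3:bucket", "selectionMode": "ALL",
                  "resourceTags": {"S3Impact": "Allowed"}}},
  "actions": {
    "Disrupt-Subnet-Connectivity": {
      "actionId": "aws:network:route-table-disrupt-cross-region-connectivity",
      "parameters": {"duration": "PT3H", "region": "eu-west-1"},
      "targets": {"Subnets": "Subnet"}},
    "Pause-S3-Replication": {
      "actionId": "aws:s3:bucket-pause-replication",
      "parameters": {"duration": "PT3H", "region": "eu-west-1"},
      "targets": {"Buckets": "S3-Bucket"}}},
  "stopConditions": [{"source": "none"}],
  "roleArn": "",
  "experimentOptions": {"emptyTargetResolutionMode": "skip"}}""")

MAX_MINUTES = 12 * 60  # the page caps the blocking window at 12 hours

def duration_minutes(iso):
    """Parse the PT#H#M durations the template uses; reject anything else."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {iso!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)

def prepare_template(template, role_arn, alarm_arn, target_region, duration="PT3H"):
    """Return a copy ready for create-experiment-template: every action gets the
    same (capped) duration and target Region, roleArn is filled in, and the
    scenario's absent stop condition is replaced by a CloudWatch alarm."""
    if duration_minutes(duration) > MAX_MINUTES:
        raise ValueError("scenario allows at most 12 hours")
    out = json.loads(json.dumps(template))  # deep copy, input left untouched
    for name, action in out["actions"].items():
        for target_key in action["targets"].values():
            if target_key not in out["targets"]:
                raise ValueError(f"{name} references unknown target {target_key}")
        action["parameters"]["duration"] = duration
        if "region" in action["parameters"]:
            action["parameters"]["region"] = target_region
    out["roleArn"] = role_arn
    out["stopConditions"] = [{"source": "aws:cloudwatch:alarm", "value": alarm_arn}]
    return out
```

The role ARN, alarm ARN and Region passed in are yours; the DynamoDB action in the full template has no region parameter, which the helper leaves as-is.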