- EC2 does not support multicast traffic within the cloud, making it difficult to use both cluster membership services and dynamic routing protocols such as OSPF.
- EC2 supports the IP protocols ICMP, TCP, and UDP, but not GRE, AH, or ESP.
- IPSec won't work between most private networks and EC2, because the instances live behind a network address translation firewall. Even if EC2 supported passing the AH and ESP protocols, you could not connect an external host to EC2 via IPSec: AH's integrity check covers the IP header, so the address rewritten by NAT would be detected as a mismatch and the packet rejected.
- Instances may show up on different subnets, so very simple routing schemes may not work.
Routing Into The Cloud
Dmitriy Samovskiy wrote a Linux Journal article, Building a Multisourced Infrastructure Using OpenVPN, that explains how to use OpenVPN to connect a private network to EC2. The article explains that they used a custom dynamic routing protocol called cube-routed to propagate routing information within the cloud.
EC2, OSPF, OpenVPN, and vtun
Many enterprise networks already use OSPF as a dynamic routing protocol, and instead of adopting a new, custom routing protocol to communicate routes between EC2 and a private network, one should be able to use OSPF. As a standard protocol, more tools exist to troubleshoot problems and more people know how to use it. However, using OSPF within the EC2 cloud poses some challenges, given that EC2 instances can't multicast to each other. A possible workaround is to set up a network of tunnels using either OpenVPN or vtun within EC2, and then run OSPF on each interior node.
To test this, I set up two EC2 instances that I'll call "EC2Gateway" and "Interior", using the Fedora 8 public images Amazon publishes. My plan was to connect this network to a private internetwork across the Internet that already used OSPF, through a router called "PrivateGateway".
PrivateGateway already ran OSPF to help manage dynamic routing within its network. I used yum to install OpenVPN packages on both PrivateGateway and EC2Gateway. On another machine behind the firewall, I generated SSL keys and certificates for both ends of the OpenVPN tunnel. I added a security group called "VPN" to EC2 with UDP port 1194 allowed, and opened port 1194 on PrivateGateway by editing /etc/sysconfig/iptables and restarting the iptables service. The OpenVPN tunnel came up without a hitch, connecting PrivateGateway and EC2Gateway using two private IP addresses.
To get OSPF to work between the two servers, I configured GNU Quagga to exchange routes over the OpenVPN tunnel.
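To show what the Quagga side of this looks like, here is an ospfd.conf for EC2Gateway, written as an added example rather than taken from the original page. It assumes OpenVPN brought up tun0 in point-to-point mode with 10.8.0.2 (EC2Gateway) and 10.8.0.1 (PrivateGateway) as its endpoints, a second tunnel tun1 towards Interior, an EC2-side subnet of 10.252.0.0/16 on eth0, and OSPF area 0; all of those addresses and interface names are assumptions.

```conf
! /etc/quagga/ospfd.conf on EC2Gateway (added example; addresses and
! interface names are assumptions, not values from the original page)
hostname EC2Gateway
password CHANGE-ME-vty-password
log file /var/log/quagga/ospfd.log
!
! Tunnel to PrivateGateway. Declaring the link point-to-point means no
! DR/BDR election and hellos that only have to reach the one peer, so
! EC2's lack of multicast never comes into play: the 224.0.0.5 hello is
! simply carried inside the OpenVPN tunnel.
interface tun0
 description OpenVPN tunnel to PrivateGateway (10.8.0.2 <-> 10.8.0.1)
 ip ospf network point-to-point
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ! MD5 authentication so a stray OpenVPN peer cannot inject routes;
 ! PrivateGateway must carry the same key id and secret.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-ospf-secret
!
! Second tunnel, from EC2Gateway to the Interior instance (assumed tun1,
! 10.8.1.1 <-> 10.8.1.2); it gets the same treatment as tun0.
interface tun1
 description OpenVPN tunnel to Interior
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-ospf-secret
!
router ospf
 ospf router-id 10.8.0.2
 ! Never look for neighbours on the instance's own EC2 NIC (there is no
 ! multicast there anyway); its subnet is still advertised.
 passive-interface eth0
 ! Activate OSPF on the two tunnel endpoints and advertise the EC2-side
 ! subnet that Interior lives on (assumed 10.252.0.0/16).
 network 10.8.0.0/30 area 0.0.0.0
 network 10.8.1.0/30 area 0.0.0.0
 network 10.252.0.0/16 area 0.0.0.0
!
! Check on the vty: "show ip ospf neighbor" should list PrivateGateway in
! state Full on tun0, and "show ip route ospf" should show the private
! network's prefixes learned through it.
```

Quagga picks the tunnel addresses up from the kernel, so zebra.conf needs nothing beyond hostname and password for this topology; PrivateGateway needs the mirror-image tun0 stanza with the same key.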
TODO: finish this