


# Cross-Region: Connectivity
<a name="cross-region-scenario"></a>

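You can use the Cross-Region: Connectivity scenario to block application network traffic from the experiment Region to the destination Region, and to pause cross-Region replication for Amazon S3 and Amazon DynamoDB multi-Region global tables. Cross-Region: Connectivity affects outbound application traffic from the Region in which you run the experiment (the *experiment Region*). Stateless inbound traffic from the Region that you want to isolate from the experiment Region (the *destination Region*) might not be blocked. Traffic from AWS managed services might not be blocked.

This scenario can be used to demonstrate that a multi-Region application operates as expected when resources in the destination Region are not accessible from the experiment Region. It blocks network traffic from the experiment Region to the destination Region by targeting transit gateways and route tables. It also pauses cross-Region replication for S3 and DynamoDB global tables. By default, actions for which no targets are found are skipped.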

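## Actions
<a name="cross-region-scenario-actions"></a>

The following actions together block cross-Region connectivity for the included AWS services. The actions run in parallel. By default, the scenario blocks traffic for 3 hours, which you can increase up to a maximum duration of 12 hours.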

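### Disrupt Transit Gateway Connectivity
<a name="cross-region-scenario-actions-disrupt-transit-gateway-connectivity"></a>

Cross-Region: Connectivity includes [aws:network:transit-gateway-disrupt-cross-region-connectivity](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#network-actions-reference) to block cross-Region network traffic from VPCs in the *experiment Region* to VPCs in the *destination Region* that are connected by a transit gateway. This does not affect access to VPC endpoints within the *experiment Region*, but it blocks traffic from the *experiment Region* that is destined for a VPC endpoint in the *destination Region*.

This action targets transit gateways that connect the *experiment Region* and the *destination Region*. By default, it targets transit gateways with a [tag](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-tagging) named `DisruptTransitGateway` with a value of `Allowed`. You can add this tag to your transit gateways, or replace the default tag with your own tag in the experiment template. By default, if no valid transit gateways are found, this action is skipped.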

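### Disrupt Subnet Connectivity
<a name="cross-region-scenario-actions-disrupt-subnet-connectivity"></a>

Cross-Region: Connectivity includes [aws:network:route-table-disrupt-cross-region-connectivity](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#network-actions-reference) to block cross-Region network traffic from VPCs in the *experiment Region* to public AWS IP blocks in the *destination Region*. These public IP blocks include AWS service endpoints in the *destination Region*, for example the S3 regional endpoint, and AWS IP blocks for managed services, for example the IP addresses used for load balancers and Amazon API Gateway. This action also blocks network connectivity over cross-Region VPC peering connections from the *experiment Region* to the *destination Region*. It does not affect access to VPC endpoints in the *experiment Region*, but it blocks traffic from the *experiment Region* that is destined for a VPC endpoint in the *destination Region*.

This action targets subnets in the experiment Region. By default, it targets subnets with a [tag](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) named `DisruptSubnet` with a value of `Allowed`. You can add this tag to your subnets, or replace the default tag with your own tag in the experiment template. By default, if no valid subnets are found, this action is skipped.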

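### Disrupt VPC Endpoint Connectivity
<a name="cross-region-scenario-actions-disrupt-vpc-endpoint-connectivity"></a>

Cross-Region: Connectivity includes [aws:network:disrupt-vpc-endpoint](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#network-actions-reference) to disrupt connectivity to the service associated with the targeted VPC endpoints. For example, if a VPC endpoint establishes a private link to `com.amazonaws.us-east-1.ec2`, connectivity to that service is disrupted.

This action targets VPC endpoints in the experiment Region. By default, it targets interface VPC endpoints with a [tag](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) named `DisruptVpcEndpoint` with a value of `Allowed`. You can add this tag to your VPC endpoints, or replace the default tag with your own tag in the experiment template. By default, if no valid VPC endpoints are found, this action is skipped.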

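### Pause S3 Replication
<a name="cross-region-scenario-actions-pause-s3-replication"></a>

Cross-Region: Connectivity includes [aws:s3:bucket-pause-replication](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#s3-actions-reference-fis) to pause S3 replication from the *experiment Region* to the *destination Region* for the targeted buckets. Replication from the *destination Region* to the *experiment Region* is unaffected. After the scenario ends, bucket replication resumes from the point at which it was paused. Note that the time it takes for replication to bring all objects back in sync varies with the duration of the experiment and the rate at which objects are uploaded to the bucket.

This action targets S3 buckets in the experiment Region that have [Cross-Region Replication](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html) (CRR) enabled to an S3 bucket in the destination Region. By default, it targets [buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/view-bucket-properties.html) with a tag named `DisruptS3` with a value of `Allowed`. You can add this tag to your buckets, or replace the default tag with your own tag in the experiment template. By default, if no valid buckets are found, this action is skipped.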

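### Pause DynamoDB Replication
<a name="cross-region-scenario-actions-pause-dynamodb-replication"></a>

Cross-Region: Connectivity includes [aws:dynamodb:global-table-pause-replication](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#dynamodb-actions-reference) to pause replication between the experiment Region and all other Regions, including the destination Region. This prevents replication into and out of the *experiment Region*, but it does not affect replication between other Regions. After the scenario ends, table replication resumes from the point at which it was paused. Note that the time it takes for replication to bring all data back in sync varies with the duration of the experiment and the rate of changes to the table.

This action targets DynamoDB multi-Region strongly consistent and eventually consistent global tables in the experiment Region. By default, it targets tables with a [tag](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html) named `DisruptDynamoDb` with a value of `Allowed`. You can add this tag to your tables, or replace the default tag with your own tag in the experiment template. By default, if no valid global tables are found, this action is skipped.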

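### Pause MemoryDB Multi-Region Replication
<a name="cross-region-scenario-actions-pause-memorydb-multi-region-replication"></a>

Cross-Region: Connectivity includes [aws:memorydb:multi-region-cluster-pause-replication](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#memorydb-actions-reference) to pause replication from the regional member cluster in the experiment Region to the other clusters in the targeted multi-Region cluster. Replication between other regional member clusters is unaffected. After the scenario ends, replication resumes from the point at which it was paused. Note that the time it takes for replication to synchronize data among the member clusters varies with the duration of the experiment and the rate at which data is written to the clusters.

This action targets MemoryDB multi-Region clusters that have a regional member in the experiment Region. By default, it targets multi-Region clusters with a [tag](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html) named `DisruptMemoryDB` with a value of `Allowed`. You can add this tag to your multi-Region clusters, or replace the default tag with your own tag in the experiment template. By default, if no valid clusters are found, this action is skipped.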

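## Limitations
<a name="cross-region-scenario-limitations"></a>
+ This scenario does not include [stop conditions](https://docs.aws.amazon.com/fis/latest/userguide/stop-conditions.html). Stop conditions that are correct for your application should be added to the experiment template.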

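## Requirements
<a name="cross-region-scenario-requirements"></a>
+ Add the required permissions to the AWS FIS [experiment role](https://docs.aws.amazon.com/fis/latest/userguide/getting-started-iam-service-role.html).
+ Resource tags must be applied to the resources that the experiment is to target. These can follow your own tagging convention or use the default tags defined in the scenario.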

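## Permissions
<a name="cross-region-scenario-permissions"></a>

The following policy grants AWS FIS the permissions it needs to run an experiment with the Cross-Region: Connectivity scenario. This policy must be attached to the [experiment role](https://docs.aws.amazon.com/fis/latest/userguide/getting-started-iam-service-role.html).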

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RouteTableDisruptConnectivity1",
            "Effect": "Allow",
            "Action": "ec2:CreateRouteTable",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity2",
            "Effect": "Allow",
            "Action": "ec2:CreateRouteTable",
            "Resource": "arn:aws:ec2:*:*:vpc/*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity21",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateRouteTable",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity3",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateNetworkInterface",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity4",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:prefix-list/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateManagedPrefixList",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity5",
            "Effect": "Allow",
            "Action": "ec2:DeleteRouteTable",
            "Resource": [
                "arn:aws:ec2:*:*:route-table/*",
                "arn:aws:ec2:*:*:vpc/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity6",
            "Effect": "Allow",
            "Action": "ec2:CreateRoute",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity7",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterface",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity8",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterface",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Sid": "RouteTableDisruptConnectivity9",
            "Effect": "Allow",
            "Action": "ec2:DeleteNetworkInterface",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity10",
            "Effect": "Allow",
            "Action": "ec2:CreateManagedPrefixList",
            "Resource": "arn:aws:ec2:*:*:prefix-list/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity11",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteManagedPrefixList",
                "ec2:ModifyManagedPrefixList"
            ],
            "Resource": "arn:aws:ec2:*:*:prefix-list/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "EC2DescribeResources",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeSubnets",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity14",
            "Effect": "Allow",
            "Action": "ec2:ReplaceRouteTableAssociation",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:route-table/*"
            ]
        },
        {
            "Sid": "RouteTableDisruptConnectivity15",
            "Effect": "Allow",
            "Action": "ec2:GetManagedPrefixListEntries",
            "Resource": "arn:aws:ec2:*:*:prefix-list/*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity16",
            "Effect": "Allow",
            "Action": "ec2:AssociateRouteTable",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:route-table/*"
            ]
        },
        {
            "Sid": "RouteTableDisruptConnectivity17",
            "Effect": "Allow",
            "Action": "ec2:DisassociateRouteTable",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity18",
            "Effect": "Allow",
            "Action": "ec2:DisassociateRouteTable",
            "Resource": "arn:aws:ec2:*:*:subnet/*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity19",
            "Effect": "Allow",
            "Action": "ec2:ModifyVpcEndpoint",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "TransitGatewayDisruptConnectivity1",
            "Effect": "Allow",
            "Action": [
                "ec2:DisassociateTransitGatewayRouteTable",
                "ec2:AssociateTransitGatewayRouteTable"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:transit-gateway-route-table/*",
                "arn:aws:ec2:*:*:transit-gateway-attachment/*"
            ]
        },
        {
            "Sid": "S3CrossRegion1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "S3CrossRegion3",
            "Effect": "Allow",
            "Action": "s3:PauseReplication",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringLike": {
                    "s3:DestinationRegion": "*"
                }
            }
        },
        {
            "Sid": "S3CrossRegion4",
            "Effect": "Allow",
            "Action": [
                "s3:GetReplicationConfiguration",
                "s3:PutReplicationConfiguration"
            ],
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "BoolIfExists": {
                    "s3:isReplicationPauseRequest": "true"
                }
            }
        },
        {
            "Sid": "DynamoDbPauseReplication",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:PutResourcePolicy",
                "dynamodb:GetResourcePolicy",
                "dynamodb:DeleteResourcePolicy"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/*"
            ]
        },
        {
            "Sid": "DynamoDbMrscPauseReplication",
            "Effect": "Allow",
            "Action": [
                "dynamodb:InjectError"
            ],
            "Resource": ["*"]
        },
        {
            "Sid": "ResolveResourcesViaTags",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        },
        {
            "Sid": "MemDbCrossRegion",
            "Effect": "Allow",
            "Action": [
                "memorydb:DescribeMultiRegionClusters",
                "memorydb:PauseMultiRegionClusterReplication"
            ],
            "Resource": [
                "arn:aws:memorydb::*:multiregioncluster/*"
            ]
        },
        {
            "Sid": "DisruptVPCE1",
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": [
                "arn:aws:ec2:*:*:vpc/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Sid": "DisruptVPCE2",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateSecurityGroup",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "DisruptVPCE3",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "DisruptVPCE4",
            "Effect": "Allow",
            "Action": "vpce:AllowMultiRegion",
            "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*"
        },
        {
            "Sid": "ModifyVPCE",
            "Effect": "Allow",
            "Action": "ec2:ModifyVpcEndpoint",
            "Resource": [
                "arn:aws:ec2:*:*:vpc-endpoint/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        }
    ]
}
```
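A least-privilege review of the policy above, added here as an example (it is not AWS tooling or part of the FIS documentation): it reports, for every statement that grants write actions, whether the grant is confined by the `managedByFIS` tag, by some other condition, or by nothing. The read-only prefix list, the function names and the shortened `Describe` list in the excerpt are assumptions made for illustration.

```python
# Added example: review which write grants in the FIS policy are tag-confined.
READ_PREFIXES = ("Describe", "Get", "List")  # assumption: read-only naming convention


def as_list(value):
    return value if isinstance(value, list) else [value]


def scope_of(stmt):
    """Classify a statement: confined by the managedByFIS tag, another condition, or nothing."""
    keys = [key for block in stmt.get("Condition", {}).values() for key in block]
    if any(key.endswith("/managedByFIS") for key in keys):
        return "managedByFIS-tag"
    return "other-condition" if keys else "unconditioned"


def review(policy):
    """Map each Allow statement that grants write actions to (scope, write actions)."""
    report = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        writes = [action for action in as_list(stmt["Action"])
                  if not action.split(":", 1)[1].startswith(READ_PREFIXES)]
        if writes:
            report[stmt["Sid"]] = (scope_of(stmt), writes)
    return report


# Excerpt of five statements from the policy on this page
# (the Describe list is shortened to two actions).
POLICY_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RouteTableDisruptConnectivity6", "Effect": "Allow",
     "Action": "ec2:CreateRoute", "Resource": "arn:aws:ec2:*:*:route-table/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/managedByFIS": "true"}}},
    {"Sid": "EC2DescribeResources", "Effect": "Allow",
     "Action": ["ec2:DescribeSubnets", "ec2:DescribeRouteTables"], "Resource": "*"},
    {"Sid": "RouteTableDisruptConnectivity14", "Effect": "Allow",
     "Action": "ec2:ReplaceRouteTableAssociation",
     "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:route-table/*"]},
    {"Sid": "S3CrossRegion3", "Effect": "Allow", "Action": "s3:PauseReplication",
     "Resource": "arn:aws:s3:::*",
     "Condition": {"StringLike": {"s3:DestinationRegion": "*"}}},
    {"Sid": "DynamoDbPauseReplication", "Effect": "Allow",
     "Action": ["dynamodb:DescribeTable", "dynamodb:PutResourcePolicy",
                "dynamodb:GetResourcePolicy", "dynamodb:DeleteResourcePolicy"],
     "Resource": ["arn:aws:dynamodb:*:*:table/*"]},
]}

if __name__ == "__main__":
    for sid, (scope, writes) in review(POLICY_EXCERPT).items():
        print(f"{sid}: {scope}: {', '.join(writes)}")
```

Statements reported as `unconditioned` are the ones to look at first when narrowing the `Resource` ARNs to the account, Region or resources that the experiment actually targets.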

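## Scenario Content
<a name="cross-region-scenario-content"></a>

The following content defines the scenario. This JSON can be saved and used to create an [experiment template](https://docs.aws.amazon.com/fis/latest/userguide/experiment-templates.html) with the [create-experiment-template](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/fis/create-experiment-template.html) command from the AWS Command Line Interface (AWS CLI). For the most recent version of the scenario, visit the scenario library in the FIS console.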

```
{
        "targets": {
                "Transit-Gateway": {
                        "resourceType": "aws:ec2:transit-gateway",
                        "resourceTags": {
                                "TgwTag": "TgwValue"
                        },
                        "selectionMode": "ALL"
                },
                "Subnet": {
                        "resourceType": "aws:ec2:subnet",
                        "resourceTags": {
                                "SubnetKey": "SubnetValue"
                        },
                        "selectionMode": "ALL",
                        "parameters": {}
                },
                "VPC-Endpoint": {
                    "resourceType": "aws:ec2:vpc-endpoint",
                    "resourceTags": {
                        "DisruptPrivateLink": "Allowed"
                    },
                    "selectionMode": "ALL"
                },
                "S3-Bucket": {
                        "resourceType": "aws:s3:bucket",
                        "resourceTags": {
                                "S3Impact": "Allowed"
                        },
                        "selectionMode": "ALL"
                },
                "DynamoDB-Global-Table": {
                        "resourceType": "aws:dynamodb:global-table",
                        "resourceTags": {
                                "DisruptDynamoDb": "Allowed"
                        },
                        "selectionMode": "ALL"
                },
                "MemoryDB-Multi-Region-Cluster": {
                    "resourceType": "aws:memorydb:multi-region-cluster",
                    "resourceTags": {
                        "DisruptMemoryDb": "Allowed"
                    },
                    "selectionMode": "ALL"
                }
        },
        "actions": {
                "Disrupt-Transit-Gateway-Connectivity": {
                        "actionId": "aws:network:transit-gateway-disrupt-cross-region-connectivity",
                        "parameters": {
                                "duration": "PT3H",
                                "region": "eu-west-1"
                        },
                        "targets": {
                                "TransitGateways": "Transit-Gateway"
                        }
                },
                "Disrupt-Subnet-Connectivity": {
                        "actionId": "aws:network:route-table-disrupt-cross-region-connectivity",
                        "parameters": {
                                "duration": "PT3H",
                                "region": "eu-west-1"
                        },
                        "targets": {
                                "Subnets": "Subnet"
                        }
                },
                "Disrupt-Vpc-Endpoint": {
                        "actionId": "aws:network:disrupt-vpc-endpoint",
                        "parameters": {
                                "duration": "PT3H"
                        },
                        "targets": {
                                "VPCEndpoints": "VPC-Endpoint"
                        }
                },
                "Pause-S3-Replication": {
                        "actionId": "aws:s3:bucket-pause-replication",
                        "parameters": {
                                "duration": "PT3H",
                                "region": "eu-west-1"
                        },
                        "targets": {
                                "Buckets": "S3-Bucket"
                        }
                },
                "Pause-DynamoDB-Replication": {
                        "actionId": "aws:dynamodb:global-table-pause-replication",
                        "parameters": {
                                "duration": "PT3H"
                        },
                        "targets": {
                                "Tables": "DynamoDB-Global-Table"
                        }
                },
                "Pause-MemoryDB-Multi-Region-Cluster-Replication": {
                    "actionId": "aws:memorydb:multi-region-cluster-pause-replication",
                    "parameters": {
                        "duration": "PT3H",
                        "region": "eu-west-1"
                    },
                    "targets": {
                        "MultiRegionClusters": "MemoryDB-Multi-Region-Cluster"
                    }
                }
        },
        "stopConditions": [
                {
                        "source": "none"
                }
        ],
        "roleArn": "",
        "logConfiguration": {
                "logSchemaVersion": 2
        },
        "tags": {
                "Name": "Cross-Region: Connectivity"
        },
        "experimentOptions": {
                "accountTargeting": "single-account",
                "emptyTargetResolutionMode": "skip"
        },
        "description": "Block application network traffic from experiment Region to target Region and pause cross-Region replication"
}
```
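A pre-flight check for a template built from the scenario JSON above, added here as an example (it is not part of the AWS documentation or of FIS): it flags the `"source": "none"` stop condition and the empty `roleArn` that the scenario ships with, durations above the 12-hour maximum, actions that reference an undefined target, and actions that name different destination Regions. The function names and the sample template are constructed for illustration.

```python
import re

MAX_SECONDS = 12 * 3600  # the page gives 12 hours as the maximum duration
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def duration_seconds(value):
    """Convert an ISO 8601 time duration such as PT3H or PT90M to seconds."""
    match = DURATION_RE.match(value or "")
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    hours, minutes, seconds = (int(part or 0) for part in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def preflight(template):
    """Return a list of findings for a template built from the scenario JSON."""
    findings = []
    stops = template.get("stopConditions", [])
    if not stops or all(stop.get("source") == "none" for stop in stops):
        findings.append("no stop condition is defined")
    if not template.get("roleArn"):
        findings.append("roleArn is empty")
    defined = template.get("targets", {})
    regions = set()
    for name, action in template.get("actions", {}).items():
        params = action.get("parameters", {})
        try:
            if duration_seconds(params.get("duration")) > MAX_SECONDS:
                findings.append(f"{name}: duration exceeds 12 hours")
        except ValueError as err:
            findings.append(f"{name}: {err}")
        if "region" in params:
            regions.add(params["region"])
        for target in action.get("targets", {}).values():
            if target not in defined:
                findings.append(f"{name}: target {target!r} is not defined")
    if len(regions) > 1:
        findings.append(f"actions name different Regions: {sorted(regions)}")
    return findings


# Constructed sample: two actions from the scenario, edited so that one runs
# for PT13H, one references a missing target, and the Regions disagree.
SAMPLE = {
    "targets": {"S3-Bucket": {"resourceType": "aws:s3:bucket",
                              "resourceTags": {"S3Impact": "Allowed"},
                              "selectionMode": "ALL"}},
    "actions": {
        "Pause-S3-Replication": {
            "actionId": "aws:s3:bucket-pause-replication",
            "parameters": {"duration": "PT13H", "region": "eu-west-1"},
            "targets": {"Buckets": "S3-Bucket"}},
        "Disrupt-Subnet-Connectivity": {
            "actionId": "aws:network:route-table-disrupt-cross-region-connectivity",
            "parameters": {"duration": "PT3H", "region": "us-west-2"},
            "targets": {"Subnets": "Subnet"}},
    },
    "stopConditions": [{"source": "none"}],
    "roleArn": "",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("FINDING:", finding)
```

Load the saved JSON with `json.load` and pass it to `preflight` before handing the file to `create-experiment-template`.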