


# Cross-Region: Connectivity
<a name="cross-region-scenario"></a>

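You can use the Cross-Region: Connectivity scenario to block application network traffic from the experiment Region to the destination Region, and to pause cross-Region replication for Amazon S3 and Amazon DynamoDB multi-Region global tables. Cross-Region: Connectivity affects outbound application traffic from the Region in which you run the experiment (the *experiment Region*). Stateless inbound traffic that originates in the Region you want to isolate from the *experiment Region* (the *destination Region*) might not be blocked. Traffic that originates from AWS managed services might not be blocked.

This scenario can be used to demonstrate that multi-Region applications operate as expected when resources in the destination Region are not accessible from the experiment Region. It blocks network traffic from the experiment Region to the destination Region by targeting transit gateways and route tables. It also pauses cross-Region replication for S3 and DynamoDB global tables. By default, actions for which no targets are found are skipped.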

## Actions
<a name="cross-region-scenario-actions"></a>

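The following actions together block cross-Region connectivity for the included AWS services. The actions run in parallel. By default, the scenario blocks traffic for 3 hours, which you can increase up to a maximum of 12 hours.

### Disrupt transit gateway connectivity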
<a name="cross-region-scenario-actions-disrupt-transit-gateway-connectivity"></a>

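Cross-Region: Connectivity includes [aws:network:transit-gateway-disrupt-cross-region-connectivity](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#network-actions-reference) to block cross-Region network traffic from VPCs in the *experiment Region* to VPCs in the *destination Region* that are connected by a transit gateway. This does not affect access to VPC endpoints in the *experiment Region*, but it blocks traffic from the *experiment Region* destined for a VPC endpoint in the *destination Region*.

This action targets transit gateways that connect the *experiment Region* and the *destination Region*. By default, it targets transit gateways with a [tag](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-tagging) named `DisruptTransitGateway` with a value of `Allowed`. You can add this tag to your transit gateways or replace the default tag with your own tag in the experiment template. By default, if no valid transit gateways are found, this action is skipped.

### Disrupt subnet connectivity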
<a name="cross-region-scenario-actions-disrupt-subnet-connectivity"></a>

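Cross-Region: Connectivity includes [aws:network:route-table-disrupt-cross-region-connectivity](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#network-actions-reference) to block cross-Region network traffic from VPCs in the *experiment Region* to public AWS IP blocks in the *destination Region*. These public IP blocks include AWS service endpoints in the *destination Region* (for example, the S3 Regional endpoint) and AWS IP blocks for managed services (for example, the IP addresses used for load balancers and Amazon API Gateway). This action also blocks network connectivity over cross-Region VPC peering connections from the *experiment Region* to the *destination Region*. It does not affect access to VPC endpoints in the *experiment Region*, but it blocks traffic from the *experiment Region* destined for a VPC endpoint in the *destination Region*.

This action targets subnets in the experiment Region. By default, it targets subnets with a [tag](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) named `DisruptSubnet` with a value of `Allowed`. You can add this tag to your subnets or replace the default tag with your own tag in the experiment template. By default, if no valid subnets are found, this action is skipped.

### Disrupt VPC endpoint connectivity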
<a name="cross-region-scenario-actions-disrupt-vpc-endpoint-connectivity"></a>

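Cross-Region: Connectivity includes [aws:network:disrupt-vpc-endpoint](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#network-actions-reference) to disrupt connectivity to the service associated with the targeted VPC endpoints. For example, if a VPC endpoint creates a private link to com.amazonaws.us-east-1.ec2, connectivity to that service is disrupted.

This action targets VPC endpoints in the experiment Region. By default, it targets interface VPC endpoints with a [tag](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) named `DisruptVpcEndpoint` with a value of `Allowed`. You can add this tag to your VPC endpoints or replace the default tag with your own tag in the experiment template. By default, if no valid VPC endpoints are found, this action is skipped.

### Pause S3 replication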
<a name="cross-region-scenario-actions-pause-s3-replication"></a>

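Cross-Region: Connectivity includes [aws:s3:bucket-pause-replication](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#s3-actions-reference-fis) to pause S3 replication from the *experiment Region* to the *destination Region* for the targeted buckets. Replication from the *destination Region* to the *experiment Region* is unaffected. After the scenario ends, bucket replication resumes from the point at which it was paused. Note that the time it takes for replication to bring all objects in sync varies with the duration of the experiment and the rate at which objects are uploaded to the bucket.

This action targets S3 buckets in the experiment Region that have [Cross-Region Replication](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html) (CRR) enabled to an S3 bucket in the destination Region. By default, it targets buckets with a [tag](https://docs.aws.amazon.com/AmazonS3/latest/userguide/view-bucket-properties.html) named `DisruptS3` with a value of `Allowed`. You can add this tag to your buckets or replace the default tag with your own tag in the experiment template. By default, if no valid buckets are found, this action is skipped.

### Pause DynamoDB replication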
<a name="cross-region-scenario-actions-pause-dynamodb-replication"></a>

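Cross-Region: Connectivity includes [aws:dynamodb:global-table-pause-replication](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#dynamodb-actions-reference) to pause replication between the experiment Region and all other Regions, including the destination Region. This prevents replication into and out of the *experiment Region* but does not affect replication between other Regions. After the scenario ends, table replication resumes from the point at which it was paused. Note that the time it takes for replication to bring all data in sync varies with the duration of the experiment and the rate of changes to the table.

This action targets both DynamoDB multi-Region and eventually consistent global tables in the experiment Region. By default, it targets tables with a [tag](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html) named `DisruptDynamoDb` with a value of `Allowed`. You can add this tag to your tables or replace the default tag with your own tag in the experiment template. By default, if no valid global tables are found, this action is skipped.

### Pause MemoryDB multi-Region replication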
<a name="cross-region-scenario-actions-pause-memorydb-multi-region-replication"></a>

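Cross-Region: Connectivity includes [aws:memorydb:multi-region-cluster-pause-replication](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#memorydb-actions-reference) to pause replication from the regional member cluster in the experiment Region to the rest of the clusters in the targeted multi-Region cluster. Replication between other regional member clusters is unaffected. After the scenario ends, replication resumes from the point at which it was paused. Note that the time it takes for replication to bring data in sync across the member clusters varies with the duration of the experiment and the rate at which data is written to the clusters.

This action targets MemoryDB multi-Region clusters that have a regional member in the experiment Region. By default, it targets multi-Region clusters with a [tag](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html) named `DisruptMemoryDB` with a value of `Allowed`. You can add this tag to your multi-Region clusters or replace the default tag with your own tag in the experiment template. By default, if no valid clusters are found, this action is skipped.

## Limitations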
<a name="cross-region-scenario-limitations"></a>
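+ This scenario does not include [stop conditions](https://docs.aws.amazon.com/fis/latest/userguide/stop-conditions.html). Add the stop conditions that are appropriate for your application to the experiment template.

## Requirements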
<a name="cross-region-scenario-requirements"></a>
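+ Add the required permissions to the AWS FIS [experiment role](https://docs.aws.amazon.com/fis/latest/userguide/getting-started-iam-service-role.html).
+ Resource tags must be applied to the resources that the experiment targets. They can use your own tagging convention or the default tags defined in the scenario.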

## Permissions
<a name="cross-region-scenario-permissions"></a>

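The following policy grants AWS FIS the permissions needed to run an experiment with the Cross-Region: Connectivity scenario. This policy must be attached to the [experiment role](https://docs.aws.amazon.com/fis/latest/userguide/getting-started-iam-service-role.html).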

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RouteTableDisruptConnectivity1",
            "Effect": "Allow",
            "Action": "ec2:CreateRouteTable",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity2",
            "Effect": "Allow",
            "Action": "ec2:CreateRouteTable",
            "Resource": "arn:aws:ec2:*:*:vpc/*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity21",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateRouteTable",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity3",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateNetworkInterface",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity4",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:prefix-list/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateManagedPrefixList",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity5",
            "Effect": "Allow",
            "Action": "ec2:DeleteRouteTable",
            "Resource": [
                "arn:aws:ec2:*:*:route-table/*",
                "arn:aws:ec2:*:*:vpc/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity6",
            "Effect": "Allow",
            "Action": "ec2:CreateRoute",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity7",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterface",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity8",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterface",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Sid": "RouteTableDisruptConnectivity9",
            "Effect": "Allow",
            "Action": "ec2:DeleteNetworkInterface",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity10",
            "Effect": "Allow",
            "Action": "ec2:CreateManagedPrefixList",
            "Resource": "arn:aws:ec2:*:*:prefix-list/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity11",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteManagedPrefixList",
                "ec2:ModifyManagedPrefixList"
            ],
            "Resource": "arn:aws:ec2:*:*:prefix-list/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "EC2DescribeResources",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeSubnets",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity14",
            "Effect": "Allow",
            "Action": "ec2:ReplaceRouteTableAssociation",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:route-table/*"
            ]
        },
        {
            "Sid": "RouteTableDisruptConnectivity15",
            "Effect": "Allow",
            "Action": "ec2:GetManagedPrefixListEntries",
            "Resource": "arn:aws:ec2:*:*:prefix-list/*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity16",
            "Effect": "Allow",
            "Action": "ec2:AssociateRouteTable",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:route-table/*"
            ]
        },
        {
            "Sid": "RouteTableDisruptConnectivity17",
            "Effect": "Allow",
            "Action": "ec2:DisassociateRouteTable",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "RouteTableDisruptConnectivity18",
            "Effect": "Allow",
            "Action": "ec2:DisassociateRouteTable",
            "Resource": "arn:aws:ec2:*:*:subnet/*"
        },
        {
            "Sid": "RouteTableDisruptConnectivity19",
            "Effect": "Allow",
            "Action": "ec2:ModifyVpcEndpoint",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "TransitGatewayDisruptConnectivity1",
            "Effect": "Allow",
            "Action": [
                "ec2:DisassociateTransitGatewayRouteTable",
                "ec2:AssociateTransitGatewayRouteTable"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:transit-gateway-route-table/*",
                "arn:aws:ec2:*:*:transit-gateway-attachment/*"
            ]
        },
        {
            "Sid": "S3CrossRegion1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "S3CrossRegion3",
            "Effect": "Allow",
            "Action": "s3:PauseReplication",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringLike": {
                    "s3:DestinationRegion": "*"
                }
            }
        },
        {
            "Sid": "S3CrossRegion4",
            "Effect": "Allow",
            "Action": [
                "s3:GetReplicationConfiguration",
                "s3:PutReplicationConfiguration"
            ],
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "BoolIfExists": {
                    "s3:isReplicationPauseRequest": "true"
                }
            }
        },
        {
            "Sid": "DynamoDbPauseReplication",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:PutResourcePolicy",
                "dynamodb:GetResourcePolicy",
                "dynamodb:DeleteResourcePolicy"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/*"
            ]
        },
        {
            "Sid": "DynamoDbMrscPauseReplication",
            "Effect": "Allow",
            "Action": [
                "dynamodb:InjectError"
            ],
            "Resource": ["*"]
        },
        {
            "Sid": "ResolveResourcesViaTags",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        },
        {
            "Sid": "MemDbCrossRegion",
            "Effect": "Allow",
            "Action": [
                "memorydb:DescribeMultiRegionClusters",
                "memorydb:PauseMultiRegionClusterReplication"
            ],
            "Resource": [
                "arn:aws:memorydb::*:multiregioncluster/*"
            ]
        },
        {
            "Sid": "DisruptVPCE1",
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": [
                "arn:aws:ec2:*:*:vpc/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Sid": "DisruptVPCE2",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateSecurityGroup",
                    "aws:RequestTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "DisruptVPCE3",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/managedByFIS": "true"
                }
            }
        },
        {
            "Sid": "DisruptVPCE4",
            "Effect": "Allow",
            "Action": "vpce:AllowMultiRegion",
            "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*"
        },
        {
            "Sid": "ModifyVPCE",
            "Effect": "Allow",
            "Action": "ec2:ModifyVpcEndpoint",
            "Resource": [
                "arn:aws:ec2:*:*:vpc-endpoint/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        }
    ]
}
```
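When reviewing this policy for least privilege, it helps to separate the statements that are confined to resources tagged `managedByFIS` from those that let the experiment role change any matching resource. The following is an added example, not part of the AWS documentation: it runs over a constructed excerpt of four statements copied from the policy above, and the `Describe`/`Get`/`List` prefix test for read-only actions is an assumption of this sketch.

```python
import json

# Constructed excerpt: four statements copied from the policy above.
POLICY_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RouteTableDisruptConnectivity6", "Effect": "Allow",
     "Action": "ec2:CreateRoute",
     "Resource": "arn:aws:ec2:*:*:route-table/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/managedByFIS": "true"}}},
    {"Sid": "EC2DescribeResources", "Effect": "Allow",
     "Action": ["ec2:DescribeSubnets", "ec2:DescribeRouteTables"],
     "Resource": "*"},
    {"Sid": "RouteTableDisruptConnectivity14", "Effect": "Allow",
     "Action": "ec2:ReplaceRouteTableAssociation",
     "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:route-table/*"]},
    {"Sid": "DynamoDbPauseReplication", "Effect": "Allow",
     "Action": ["dynamodb:DescribeTable", "dynamodb:PutResourcePolicy",
                "dynamodb:GetResourcePolicy", "dynamodb:DeleteResourcePolicy"],
     "Resource": ["arn:aws:dynamodb:*:*:table/*"]}
  ]
}
""")

# Assumption of this sketch: actions with these name prefixes are read-only.
READ_PREFIXES = ("Describe", "Get", "List")
# Matches aws:RequestTag/, aws:ResourceTag/ and ec2:ResourceTag/ condition keys.
TAG_KEY_SUFFIX = "/managedbyfis"


def as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]


def has_fis_tag_condition(statement):
    """True if any condition operator tests a .../managedByFIS tag key."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower().endswith(TAG_KEY_SUFFIX):
                return True
    return False


def unscoped_write_statements(policy):
    """Map Sid -> write actions allowed without a managedByFIS tag condition."""
    findings = {}
    for statement in as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        writes = [action for action in as_list(statement["Action"])
                  if not action.split(":", 1)[-1].startswith(READ_PREFIXES)]
        if writes and not has_fis_tag_condition(statement):
            findings[statement.get("Sid", "<no Sid>")] = writes
    return findings


if __name__ == "__main__":
    for sid, actions in unscoped_write_statements(POLICY_EXCERPT).items():
        print(sid, actions)
```

The statements it reports are the ones to look at first when narrowing the `Resource` ARNs from `*:*` to your own account and Region.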

## Scenario content
<a name="cross-region-scenario-content"></a>

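The following content defines the scenario. You can save this JSON and use it to create an [experiment template](https://docs.aws.amazon.com/fis/latest/userguide/experiment-templates.html) with the [create-experiment-template](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/fis/create-experiment-template.html) command from the AWS Command Line Interface (AWS CLI). For the most recent version of the scenario, visit the scenario library in the FIS console.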

```
{
        "targets": {
                "Transit-Gateway": {
                        "resourceType": "aws:ec2:transit-gateway",
                        "resourceTags": {
                                "TgwTag": "TgwValue"
                        },
                        "selectionMode": "ALL"
                },
                "Subnet": {
                        "resourceType": "aws:ec2:subnet",
                        "resourceTags": {
                                "SubnetKey": "SubnetValue"
                        },
                        "selectionMode": "ALL",
                        "parameters": {}
                },
                "VPC-Endpoint": {
                        "resourceType": "aws:ec2:vpc-endpoint",
                        "resourceTags": {
                                "DisruptPrivateLink": "Allowed"
                        },
                        "selectionMode": "ALL"
                },
                "S3-Bucket": {
                        "resourceType": "aws:s3:bucket",
                        "resourceTags": {
                                "S3Impact": "Allowed"
                        },
                        "selectionMode": "ALL"
                },
                "DynamoDB-Global-Table": {
                        "resourceType": "aws:dynamodb:global-table",
                        "resourceTags": {
                                "DisruptDynamoDb": "Allowed"
                        },
                        "selectionMode": "ALL"
                },
                "MemoryDB-Multi-Region-Cluster": {
                        "resourceType": "aws:memorydb:multi-region-cluster",
                        "resourceTags": {
                                "DisruptMemoryDb": "Allowed"
                        },
                        "selectionMode": "ALL"
                }
        },
        "actions": {
                "Disrupt-Transit-Gateway-Connectivity": {
                        "actionId": "aws:network:transit-gateway-disrupt-cross-region-connectivity",
                        "parameters": {
                                "duration": "PT3H",
                                "region": "eu-west-1"
                        },
                        "targets": {
                                "TransitGateways": "Transit-Gateway"
                        }
                },
                "Disrupt-Subnet-Connectivity": {
                        "actionId": "aws:network:route-table-disrupt-cross-region-connectivity",
                        "parameters": {
                                "duration": "PT3H",
                                "region": "eu-west-1"
                        },
                        "targets": {
                                "Subnets": "Subnet"
                        }
                },
                "Disrupt-Vpc-Endpoint": {
                        "actionId": "aws:network:disrupt-vpc-endpoint",
                        "parameters": {
                                "duration": "PT3H"
                        },
                        "targets": {
                                "VPCEndpoints": "VPC-Endpoint"
                        }
                },
                "Pause-S3-Replication": {
                        "actionId": "aws:s3:bucket-pause-replication",
                        "parameters": {
                                "duration": "PT3H",
                                "region": "eu-west-1"
                        },
                        "targets": {
                                "Buckets": "S3-Bucket"
                        }
                },
                "Pause-DynamoDB-Replication": {
                        "actionId": "aws:dynamodb:global-table-pause-replication",
                        "parameters": {
                                "duration": "PT3H"
                        },
                        "targets": {
                                "Tables": "DynamoDB-Global-Table"
                        }
                },
                "Pause-MemoryDB-Multi-Region-Cluster-Replication": {
                        "actionId": "aws:memorydb:multi-region-cluster-pause-replication",
                        "parameters": {
                                "duration": "PT3H",
                                "region": "eu-west-1"
                        },
                        "targets": {
                                "MultiRegionClusters": "MemoryDB-Multi-Region-Cluster"
                        }
                }
        },
        "stopConditions": [
                {
                        "source": "none"
                }
        ],
        "roleArn": "",
        "logConfiguration": {
                "logSchemaVersion": 2
        },
        "tags": {
                "Name": "Cross-Region: Connectivity"
        },
        "experimentOptions": {
                "accountTargeting": "single-account",
                "emptyTargetResolutionMode": "skip"
        },
        "description": "Block application network traffic from experiment Region to target Region and pause cross-Region replication"
}
```
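As saved, the template has no stop condition, an empty `roleArn`, and its own tag selectors for each target, so it is worth checking before you create an experiment from it. The following pre-flight check is an added example, not part of the AWS documentation: it runs over a constructed, trimmed copy of the template above (two of its six actions, with one duration raised to `PT13H` to exercise the 12-hour limit), and the function names are hypothetical.

```python
import json
import re

# Constructed sample: a trimmed copy of the scenario template above (two of
# its six actions), with one duration raised to PT13H to trigger the limit check.
TEMPLATE = json.loads("""
{
  "targets": {
    "Subnet": {"resourceType": "aws:ec2:subnet",
               "resourceTags": {"SubnetKey": "SubnetValue"}, "selectionMode": "ALL"},
    "S3-Bucket": {"resourceType": "aws:s3:bucket",
                  "resourceTags": {"S3Impact": "Allowed"}, "selectionMode": "ALL"}
  },
  "actions": {
    "Disrupt-Subnet-Connectivity": {
      "actionId": "aws:network:route-table-disrupt-cross-region-connectivity",
      "parameters": {"duration": "PT13H", "region": "eu-west-1"},
      "targets": {"Subnets": "Subnet"}},
    "Pause-S3-Replication": {
      "actionId": "aws:s3:bucket-pause-replication",
      "parameters": {"duration": "PT3H", "region": "eu-west-1"},
      "targets": {"Buckets": "S3-Bucket"}}
  },
  "stopConditions": [{"source": "none"}],
  "roleArn": "",
  "experimentOptions": {"accountTargeting": "single-account",
                        "emptyTargetResolutionMode": "skip"}
}
""")

MAX_SECONDS = 12 * 3600  # the scenario can run for at most 12 hours
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

def duration_seconds(value):
    """Convert an ISO 8601 time duration such as PT3H or PT90M to seconds."""
    match = DURATION_RE.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    hours, minutes, seconds = (int(group or 0) for group in match.groups())
    return hours * 3600 + minutes * 60 + seconds

def preflight(template):
    """Return a list of problems to fix before creating the experiment template."""
    findings = []
    if all(c.get("source") == "none" for c in template.get("stopConditions", [])):
        findings.append("no stop condition configured")
    if not template.get("roleArn"):
        findings.append("roleArn is empty")
    for name, action in template["actions"].items():
        if duration_seconds(action["parameters"]["duration"]) > MAX_SECONDS:
            findings.append(f"{name}: duration exceeds 12 hours")
        for target in action["targets"].values():
            if target not in template["targets"]:
                findings.append(f"{name}: undefined target {target}")
    return findings

def tag_selectors(template):
    """Tags each target is resolved by, for comparison with your resources."""
    return {name: t["resourceTags"] for name, t in template["targets"].items()}

if __name__ == "__main__":
    for finding in preflight(TEMPLATE):
        print("FINDING:", finding)
    print(tag_selectors(TEMPLATE))
```

Compare the returned tag selectors with the tags on your resources: because the template sets `emptyTargetResolutionMode` to `skip`, a target whose tags match nothing is skipped rather than failing the experiment.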