Secure access to EC2 (for developers): native environment – 3-tier architecture intro – alternative methods of resource connection: – Bastion host – SSM – EC2 Instance Connect – demo Why should we care? – brute force attacks – exploitation NatGateway – regular resource access becomes more annoying solution one - bastion host Host Instance ProxyJump Bastion PreferredAuthentications publickey IdentitiesOnly=yes IdentityFile Port 22 Host Bastion PreferredAuthentications publickey IdentitiesOnly=yes IdentityFile /Users/kuba/.ssh/id_ed25519_gowaw56 User kuba Hostname 35.158.161.105 Port 22 bastion host - props | 0 points | 10 pages | 3.11 MB | 6 months ago
Apache RocketMQ on Amazon Web Services: Subnet 3 CIDR PublicSubnet3CIDR 10.0.160.0/20 CIDR block for the public subnet in Availability Zone 3. 10 Allowed Bastion External Access CIDR RemoteAccessCIDR Required. CIDR IP range allowed external SSH access to the bastion host. We recommend that you 11 Key Name KeyPairName Required. EC2 key pair used to connect to EC2 instances. Linux Bastion Configuration (bastion host configuration) 12 Bastion AMI Operating System BastionAMIOS AmazonLinuxHVM CentOS AMI in the WEB SERVICES Marketplace. 13 Bastion Instance Type BastionInstanceType t2.micro EC2 instance type for the bastion instance. 14 Number of Bastion Hosts NumBastionHosts 1 Number of bastion hosts. Auto Scaling | 0 points | 18 pages | 1.55 MB | 1 year ago
Rapidly Deploy a Highly Available Apache RocketMQ Cluster - Amazon S3: Subnet 3 CIDR PublicSubnet3CIDR 10.0.160.0/20 CIDR block for the public subnet in Availability Zone 3. 10 Allowed Bastion External Access CIDR RemoteAccessCIDR Required. CIDR IP range allowed external SSH access to the bastion host. We recommend 11 Key Name KeyPairName Required. EC2 key pair used to connect to EC2 instances. Linux Bastion Configuration (bastion host configuration) 12 Bastion AMI Operating System BastionAMIOS AmazonLinuxHVM AMI used by the bastion instance CentOS AMI in the WEB SERVICES Marketplace. 13 Bastion Instance Type BastionInstanceType t2.micro EC2 instance type for the bastion instance. 14 Number of Bastion Hosts NumBastionHosts 1 Number of bastion hosts. Auto Scaling | 0 points | 21 pages | 2.57 MB | 1 year ago
Cilium v1.6 Documentation: Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Behavior Architecture Datapath Scale Kubernetes Integration clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 734 pages | 11.45 MB | 1 year ago
Cilium v1.7 Documentation: Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Behavior Architecture Datapath Scale Kubernetes Integration clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 885 pages | 12.41 MB | 1 year ago
Cilium v1.8 Documentation: Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 1124 pages | 21.33 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+: "etcd", "worker" ] addon_job_timeout: 30 authentication: strategy: x509 authorization: {} bastion_host: ssh_agent_auth: false cloud_provider: {} ignore_docker_version: true # # # Currently only nginx rancher_kubernetes_engine_config: addon_job_timeout: 30 authentication: strategy: x509 authorization: {} bastion_host: ssh_agent_auth: false cloud_provider: {} ignore_docker_version: true # # # Currently only | 0 points | 44 pages | 279.78 KB | 1 year ago
Python Standard Library Reference Guide 2.7.18: Restricted execution framework 30.2 Bastion: Restricting access to objects (1)>) is a poor email matching pattern, which will match with 'host.com>' as well as 'user@host.com', but not with ' host.com'. New in version 2.4. The special sequences consist of '\' and a character ACE, such as www.xn--alliancefranaise-npb.nu). The ACE form of the domain name can then be used in all places where a particular protocol does not allow arbitrary characters, such as DNS queries, the HTTP Host field, and so on. This conversion is carried out in the application; where possible it will be visible to the user: the application should transparently convert Unicode domain labels to IDNA on the wire, and convert ACE labels back to Unicode before they are presented to the user. If | 0 points | 1552 pages | 7.42 MB | 9 months ago













