问题
I am wondering is the role of router in AWS-VPC played by a virtual machine ? This vm may have several nics. If not, then how is the router in vpc designed ? Thanks a lot.
回答1:
No, it isn't played by a virtual machine, or even a set of virtual machines.
Thinking about it for a moment, a VPC router couldn't possibly be a single "thing" because that wouldn't be redundant... it would have to be at least six "things" (3 availability zones x 2 devices minimum per availability zone for redundancy, plus all of the requisite interconnections)... and those things would have to be infinitely and transparently scalable... and then don't forget that your instances are typically not the only machine on their physical host, and can be scattered throughout the physical facility that comprises each availability zone.
So, no.
"A Day in the Life of a Billion Packets (CPN401)" -- the talk and slides are linked below -- goes into intricate detail how the virtual networking in VPC operates.
This is an extreme oversimplification, but my interpretation of the material presented there indicates that the packets are essentially tunneled between hosts by the VPC infrastructure, using a mapping service that decouples the VPC subnet allocation from the AWS physical network connectivity.
When host "A" arps for host "B," it does get a response, but that response doesn't come from "B" because the request never arrives at "B". It's captured and handled by the mapping service... so there's no broadcast domain even between machines on the same VPC subnet.
"Tunnel" is probably not a precisely correct term for what's happening here, but it's accurate in the sense that the inner (VPC) networking topology, which you control, is independent of the outer (AWS data center) networking topology, which doesn't need to understand the VPC routes.
When a VPC instance wants to communicate with another instance, it learns the tunnel destination from the mapping service. The receiving host also validates with the mapping service that the sender is authentic. The system is secure against incursions of traffic between VPCs because what I'm calling the tunnel layer is not accessible to the instances.
So the VPC "router" is essentially a "virtual machine" of infinite capacity, but not a "virtual machine" in the normal sense (virtual computer). It's a virtual router made up of the entire network of routers and switches in the AWS region, with the help of the mapping infrastructure that provides the glue that allows VPC traffic to traverse it.
http://www.youtube.com/watch?v=Zd5hsL-JNY4
http://www.slideshare.net/AmazonWebServices/a-day-in-the-life-of-a-billion-packets-cpn401-aws-reinvent-2013
来源:https://stackoverflow.com/questions/21907030/is-the-role-of-router-in-aws-vpc-played-by-a-virtual-machine