Tutorial: Simulate a connectivity event
You can use AWS Fault Injection Service (AWS FIS) to simulate a variety of connectivity events. AWS FIS simulates connectivity events by blocking network connections in one of the following ways:
- all – Denies all traffic entering and leaving the subnet. Note that this option still allows intra-subnet traffic, including traffic to and from network interfaces in the subnet.
- availability-zone – Denies intra-VPC traffic to and from subnets in other Availability Zones.
- dynamodb – Denies traffic to and from the Regional endpoint for DynamoDB in the current Region.
- prefix-list – Denies traffic to and from the specified prefix list.
- s3 – Denies traffic to and from the Regional endpoint for Amazon S3 in the current Region.
- vpc – Denies traffic entering and leaving the VPC.
The block is enforced with network ACLs on the target subnets. Because network ACLs are stateless, established connections are cut as well as new ones, and the block applies to every resource in the subnet, not only the instance you are testing.
Use this tutorial to create an experiment template that uses the AWS FIS aws:network:disrupt-connectivity action to introduce connectivity loss with Amazon S3 in a target subnet.
Prerequisites
Before beginning this tutorial, you need a role with the appropriate permissions in your AWS account, and a test Amazon EC2 instance:
A role with permissions in your AWS account
Create a role and attach a policy that enables AWS FIS to perform the aws:network:disrupt-connectivity action on your behalf. Your IAM role requires the following policy:
- AWSFaultInjectionSimulatorNetworkAccess – Grants AWS FIS service permission in Amazon EC2 networking and other required services to perform AWS FIS actions related to network infrastructure.
Note
For simplicity, this tutorial uses an AWS managed policy. For production use, we recommend that you instead grant only the minimum permissions necessary for your use case. The role's trust policy should also allow only the AWS FIS service principal, acting for experiments in your own account, to assume it: the policy grants permission to change network ACLs in your VPC, so anything that can assume the role can disrupt your network.
For more information about how to create an IAM role, see IAM roles for AWS FIS experiments (AWS CLI) or Creating an IAM role (console) in the IAM User Guide.
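The following script is an added example and is not part of the AWS tutorial. It creates the experiment role with the AWS CLI and gives it a trust policy that scopes who may assume it with the standard confused-deputy condition keys (aws:SourceAccount and aws:SourceArn). The role name, the Region, and the service-role/ path of the managed policy ARN are assumptions; check the ARN in the IAM console if the attach call fails.

```shell
#!/bin/sh
# Added example, not from the AWS docs page: create the AWS FIS experiment role with
# the CLI. Assumptions: role name, Region, and the managed policy ARN path below.
REGION="${REGION:-us-west-2}"
ROLE_NAME="${ROLE_NAME:-FISNetworkTutorialRole}"
POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorNetworkAccess"

# Trust policy: only the FIS service principal may assume the role, and only on
# behalf of experiments in this account and Region. Without the Condition block,
# an FIS experiment in someone else's account could name this role ARN and use it
# to rewrite network ACLs in your VPC (the confused-deputy problem).
trust_policy_json() {
  account=$1; region=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "fis.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "aws:SourceAccount": "${account}" },
      "ArnLike": { "aws:SourceArn": "arn:aws:fis:${region}:${account}:experiment/*" }
    }
  }]
}
EOF
}

# AWS calls run only when the script is invoked with "apply"; the function above
# is pure string work and can be inspected or tested without credentials.
if [ "${1:-}" = "apply" ]; then
  ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
  trust_policy_json "$ACCOUNT" "$REGION" > trust.json
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file://trust.json \
      --query Role.Arn --output text
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  # Confirm exactly one policy is attached: the managed policy and nothing else.
  aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
      --query 'AttachedPolicies[].PolicyArn' --output text
fi
```

Run `sh fis-role.sh apply` with credentials that can create roles; the printed role ARN is what you select under Service Access in Step 1.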
A test Amazon EC2 instance
Launch and connect to a test Amazon EC2 instance. You can use the following tutorial to launch and connect to an Amazon EC2 instance: Tutorial: Get started with Amazon EC2 Linux instances in the Amazon EC2 User Guide.
Step 1: Create an AWS FIS experiment template
Create the experiment template by using the AWS FIS AWS Management Console. An AWS FIS template is made up of actions, targets, stop conditions, and an experiment role. For more information about how the templates work, see Experiment templates for AWS FIS.
Before you begin, make sure you have the following ready:
- An IAM role with the correct permissions.
- An Amazon EC2 instance.
- The subnet ID of your Amazon EC2 instance.
To create an experiment template
1. Open the AWS FIS console at https://console.aws.amazon.com/fis/.
2. In the left navigation pane, choose Experiment templates.
3. Choose Create experiment template.
4. For Step 1, Specify template details, do the following:
   - For Description and name, enter a description for the template, such as Amazon S3 Network Disrupt Connectivity.
   - Choose Next, and move to Step 2, Specify actions and targets.
5. Under Actions, choose Add action. For Name, enter disruptConnectivity. For Action type, select aws:network:disrupt-connectivity. Under Action parameters, set Duration to 2 minutes. Under Scope, select s3. At the top, choose Save.
6. Under Targets, you should see the target that was created automatically. Choose Edit. Verify that Resource type is aws:ec2:subnet. Under Target method, select Resource IDs, and then choose the subnet that you used when creating your Amazon EC2 instance in the Prerequisites steps. Verify that Selection mode is All. Choose Save.
7. Choose Next to move to Step 3, Configure service access.
8. Under Service Access, select the IAM role that you created as described in the Prerequisites for this tutorial. If your role is not displayed, verify that it has the required trust relationship. For more information, see IAM roles for AWS FIS experiments.
9. Choose Next to move to Step 4, Configure optional settings.
10. (Optional) Under Stop conditions, you can select a CloudWatch alarm to stop the experiment if the alarm goes into the ALARM state. For more information, see Stop conditions for AWS FIS.
11. (Optional) Under Logs, you can select an Amazon S3 bucket, or send logs to CloudWatch, for your experiment.
12. Choose Next to move to Step 5, Review and create.
13. Review the template and choose Create experiment template. When prompted for confirmation, enter create, and then choose Create experiment template.
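The same template can be created from the AWS CLI, which is how you would keep it under version control. The script below is an added example, not part of the AWS tutorial: it looks up the subnet of the test instance, validates the ID, builds the JSON body that aws fis create-experiment-template accepts via --cli-input-json, and optionally wires in a CloudWatch alarm as a stop condition. The account ID, instance ID, role ARN and tag values are placeholders; the ISO 8601 duration (PT2M) and the Subnets target key are what the aws:network:disrupt-connectivity action expects.

```shell
#!/bin/sh
# Added example, not from the AWS docs page: build the Step 1 experiment template
# with the CLI. REGION, INSTANCE_ID, ROLE_ARN and ALARM_ARN are assumed values.
REGION="${REGION:-us-west-2}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/FISNetworkTutorialRole}"
ALARM_ARN="${ALARM_ARN:-}"   # optional CloudWatch alarm ARN for a stop condition

# Subnet IDs are "subnet-" followed by 8 or 17 hex characters; refuse anything else
# so a stray instance ID or empty string never becomes a target ARN.
is_subnet_id() { printf '%s' "$1" | grep -Eq '^subnet-[0-9a-f]{8}([0-9a-f]{9})?$'; }

# Minutes -> ISO 8601 duration, the form the FIS API uses (2 -> PT2M).
fis_duration() { printf 'PT%dM' "$1"; }

# arn:aws:ec2:<region>:<account>:subnet/<subnet-id>
subnet_arn() { printf 'arn:aws:ec2:%s:%s:subnet/%s' "$1" "$2" "$3"; }

# Stop conditions: a CloudWatch alarm if one is supplied, otherwise "none" as in the tutorial.
stop_conditions_json() {
  if [ -n "$1" ]; then
    printf '[{"source": "aws:cloudwatch:alarm", "value": "%s"}]' "$1"
  else
    printf '[{"source": "none"}]'
  fi
}

# Template body. Args: subnet ARN, role ARN, duration in minutes, [alarm ARN].
fis_template_json() {
  cat <<EOF
{
  "description": "Amazon S3 Network Disrupt Connectivity",
  "targets": {
    "Subnets-Target-1": {
      "resourceType": "aws:ec2:subnet",
      "resourceArns": ["$1"],
      "selectionMode": "ALL"
    }
  },
  "actions": {
    "disruptConnectivity": {
      "actionId": "aws:network:disrupt-connectivity",
      "parameters": { "duration": "$(fis_duration "$3")", "scope": "s3" },
      "targets": { "Subnets": "Subnets-Target-1" }
    }
  },
  "stopConditions": $(stop_conditions_json "${4:-}"),
  "roleArn": "$2",
  "tags": { "Name": "s3-disrupt-tutorial" }
}
EOF
}

# AWS calls run only when invoked with "apply"; the functions above are pure string work.
if [ "${1:-}" = "apply" ]; then
  ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
  SUBNET_ID=$(aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" \
      --query 'Reservations[0].Instances[0].SubnetId' --output text)
  is_subnet_id "$SUBNET_ID" || { echo "unexpected subnet ID: $SUBNET_ID" >&2; exit 1; }
  fis_template_json "$(subnet_arn "$REGION" "$ACCOUNT" "$SUBNET_ID")" \
      "$ROLE_ARN" 2 "$ALARM_ARN" > template.json
  aws fis create-experiment-template --region "$REGION" \
      --cli-input-json file://template.json \
      --query 'experimentTemplate.id' --output text
fi
```

Run `sh fis-template.sh apply` and keep template.json alongside your infrastructure code; the printed template ID is the one you start in Step 3.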
Step 2: Ping an Amazon S3 endpoint
Verify that your Amazon EC2 instance is able to reach an Amazon S3 endpoint.
1. Connect to the Amazon EC2 instance that you created in the Prerequisites steps. For troubleshooting, see Troubleshoot connecting to your instance in the Amazon EC2 User Guide.
2. Check the AWS Region where your instance is located. You can do this in the Amazon EC2 console or by running the following command.
   hostname
   For example, if you launched an Amazon EC2 instance in us-west-2, you'll see output like the following.
   [ec2-user@ip-172-16-0-0 ~]$ hostname
   ip-172-16-0-0.us-west-2.compute.internal
   This works only while the instance keeps its default IP-based private DNS hostname; if the hostname has been changed, the instance metadata service (the placement/region path) is the authoritative source.
3. Ping an Amazon S3 endpoint in your AWS Region. Replace AWS Region with your Region.
   ping -c 1 s3.AWS Region.amazonaws.com
   You should see a successful ping with 0% packet loss, as shown in the following example.
   PING s3.us-west-2.amazonaws.com (x.x.x.x) 56(84) bytes of data.
   64 bytes from s3-us-west-2.amazonaws.com (x.x.x.x): icmp_seq=1 ttl=249 time=1.30 ms
   --- s3.us-west-2.amazonaws.com ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 1.306/1.306/1.306/0.000 ms
   Note that ping only shows ICMP reachability. The traffic a workload actually sends to Amazon S3 is HTTPS, so for a realistic baseline also confirm an HTTPS request to the endpoint succeeds, for example an AWS CLI call that lists your buckets.
Step 3: Start your AWS FIS experiment
Start an experiment with the experiment template that you just created.
1. Open the AWS FIS console at https://console.aws.amazon.com/fis/.
2. In the left navigation pane, choose Experiment templates.
3. Select the ID of the experiment template that you created to open its details page.
4. Choose Start experiment.
5. (Optional) In the confirmation page, add tags for your experiment.
6. In the confirmation page, choose Start experiment.
Step 4: Track your AWS FIS experiment progress
You can track the progress of a running experiment until the experiment is completed, stopped, or has failed.
1. You should be on the details page for the experiment that you just started. If you're not, choose Experiments, and then select the ID of the experiment to open its details page.
2. To view the state of the experiment, check the State in the details pane. For more information, see Experiment states.
3. When the state of the experiment is Running, move to the next step.
Step 5: Verify Amazon S3 network disruption
You can validate the experiment progress by pinging the Amazon S3 endpoint.
1. From your Amazon EC2 instance, ping the Amazon S3 endpoint in your AWS Region. Replace AWS Region with your Region.
   ping -c 1 s3.AWS Region.amazonaws.com
   You should see an unsuccessful ping with 100% packet loss, as shown in the following example.
   ping -c 1 s3.us-west-2.amazonaws.com
   PING s3.us-west-2.amazonaws.com (x.x.x.x) 56(84) bytes of data.
   --- s3.us-west-2.amazonaws.com ping statistics ---
   1 packets transmitted, 0 received, 100% packet loss, time 0ms
   The name still resolves, because only traffic to the S3 endpoint is denied, and the packets are dropped rather than rejected, so an application request hangs until its own timeout instead of failing fast. When the 2-minute duration elapses the experiment moves to Completed and the ping succeeds again.
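A single ICMP probe tells you little about what the workload would see or for how long. The script below is an added example, not part of the AWS tutorial: it probes the Regional S3 endpoint over HTTPS every few seconds, logs a verdict per probe, and afterwards computes the observed outage window so you can compare it with the configured 2-minute duration. It assumes curl is installed on the instance; the REGION and INTERVAL defaults and the log format are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the AWS docs page: HTTPS probe of the Regional S3 endpoint
# for Steps 2 and 5, plus a summary of the outage window from the probe log.
# Assumptions: curl is installed; REGION/INTERVAL defaults and the log format are ours.
REGION="${REGION:-us-west-2}"   # assumption: the Region of the test instance
INTERVAL="${INTERVAL:-5}"       # seconds between probes

# Turn a curl exit status into a verdict. 0: TCP and TLS reached S3 and an HTTP status
# came back (an anonymous GET on the endpoint normally gets 403, which still proves
# reachability). 28: timed out, which is how a network ACL deny presents because the
# packets are dropped silently. 6: DNS lookup failed. 7: connection refused.
classify_probe() {
  case "$1" in
    0)  echo reachable ;;
    28) echo blocked ;;
    6)  echo dns-failure ;;
    7)  echo refused ;;
    *)  echo "error-$1" ;;
  esac
}

# One probe line: "<epoch seconds> <verdict> <http status or 000>".
probe_s3() {
  rc=0
  code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' \
         "https://s3.${REGION}.amazonaws.com/") || rc=$?
  printf '%s %s %s\n' "$(date +%s)" "$(classify_probe "$rc")" "${code:-000}"
}

# Summarise a probe log: first blocked probe, first reachable probe after it, and the
# observed outage in seconds, to compare with the configured duration (2 min = 120 s).
# Returns 1 if no probe was blocked and 2 if the outage has not ended in the log.
disruption_window() {
  awk '
    $2 == "blocked"   && start == ""              { start = $1 }
    $2 == "reachable" && start != "" && end == "" { end = $1 }
    END {
      if (start == "") { print "no disruption observed"; exit 1 }
      if (end == "")   { print "disruption started at " start " and has not ended"; exit 2 }
      d = end - start
      print "disruption from " start " to " end " (" d " s)"
    }' "$@"
}

# Usage on the instance:
#   sh s3probe.sh run s3-probe.log      start before the experiment, Ctrl-C after it ends
#   sh s3probe.sh summary s3-probe.log  once the experiment state is Completed
case "${1:-}" in
  run)
    log="${2:-s3-probe.log}"
    echo "probing https://s3.${REGION}.amazonaws.com/ every ${INTERVAL}s, logging to $log"
    while :; do probe_s3 | tee -a "$log"; sleep "$INTERVAL"; done ;;
  summary)
    disruption_window "${2:-s3-probe.log}" ;;
esac
```

The observed window is usually a few seconds longer than the configured duration because the network ACL is applied and removed at the action's start and end, and the probe interval adds up to INTERVAL seconds of slack at each edge; a window much longer than that is worth investigating before you run the experiment against a real workload.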
Step 6: Clean up
If you no longer need the Amazon EC2 instance that you created for this experiment or the AWS FIS template, you can remove them. The IAM role from the Prerequisites is not removed by these steps; delete it as well if nothing else uses it, since it holds permission to modify network ACLs.
To remove the Amazon EC2 instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Instances.
3. Select the test instance, choose Instance state, and then choose Terminate instance.
4. When prompted for confirmation, choose Terminate.
To delete the experiment template using the AWS FIS console
1. Open the AWS FIS console at https://console.aws.amazon.com/fis/.
2. In the navigation pane, choose Experiment templates.
3. Select the experiment template, and then choose Actions, Delete experiment template.
4. When prompted for confirmation, enter delete, and then choose Delete experiment template.