Amazon Virtual Private Cloud (VPC) | AWS Tutorial For Beginners | AWS Training Video | Simplilearn

Captions
Hi, this is the fourth lesson of the AWS Solutions Architect course. Migrating to the cloud doesn't mean that resources become completely separated from the local infrastructure; in fact, running applications in the cloud will be completely transparent to your end users. AWS offers a number of services to fully and seamlessly integrate your local resources with the cloud, and one such service is the Amazon Virtual Private Cloud. This lesson talks about creating virtual networks that closely resemble the ones that operate in your own data centers, but with the added benefit of being able to take full advantage of AWS. So let's get started.

In this lesson you'll learn all about virtual private clouds and understand their concept. You'll know the difference between public, private and elastic IP addresses. You'll learn what a public and a private subnet is, and you'll understand what an internet gateway is and how it's used. You'll learn what route tables are and when they are used. You'll understand what a NAT gateway is. We'll take a look at security groups and their importance, and we'll take a look at network ACLs and how they're used in Amazon VPC. We'll also review the Amazon VPC best practices and the costs associated with running a VPC in the Amazon cloud.

Welcome to the Amazon Virtual Private Cloud and subnet section. In this section we're going to have an overview of what Amazon VPC is and how you use it, and we're also going to have a demonstration of how to create your own custom virtual private cloud. We're going to look at IP addresses and the use of elastic IP addresses in AWS, and finally we'll take a look at subnets, and there'll be a demonstration of how to create your own subnets in an Amazon VPC. Here are some other terms that are used in VPCs: subnets, route tables, elastic IP addresses, internet gateways, NAT gateways, network ACLs and security groups. In the next sections we're going to take a look at each of these and build our own custom VPC that we'll use throughout this course.

Amazon defines a VPC as a virtual private cloud that enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, but with the benefits of using the scalable infrastructure of AWS. A VPC is your own virtual network in the Amazon cloud, which is used as the network layer for your EC2 resources. This is a diagram of a default VPC. Now, there's a lot going on there, so don't worry about that; what we're going to do is break down each of the individual items in this default VPC over the coming lesson. But what you need to know is that a VPC is a critical part of the exam, and you need to know all the concepts and how it differs from your own networks. Throughout this lesson we're going to create our own VPC from scratch, which you'll need to replicate at the end of this so you can do well in the exam.

Each VPC that you create is logically isolated from other virtual networks in the AWS cloud. It's fully customizable: you can select the IP address range, create subnets, configure route tables, set up network gateways, and define security settings using security groups and network access control lists. Each Amazon account comes with a default VPC that's pre-configured for you to start using straight away, so you can launch your EC2 instances without having to think about anything. As we mentioned in the opening section, a VPC can span multiple availability zones in a region. Here's a very basic diagram of a VPC; it isn't this simple in reality, and as we saw in the first section, here's the default Amazon VPC, which looks kind of complicated. But what we need to know at this stage is that the CIDR block for the default VPC is always a /16 subnet mask, so in this example it's 172.31.0.0/16. What that means is this VPC will provide up to 65,536 private IP addresses. In the coming sections we'll take a look at all of these different items that you can see on this default VPC.

But why wouldn't you just use the default VPC? Well, the default VPC is great for launching new instances when you're testing AWS, but creating a custom VPC allows you to make things more secure, and you can customize your virtual network: you can define your own IP address range, you can create your own subnets that are both private and public, and you can tighten your security settings. By default, instances that you launch into a VPC can't communicate with your own network, so you can connect your VPCs to your existing data center using something called hardware VPN access, so that you can effectively extend your data center into the cloud and create a hybrid environment. Now, to do this you need a virtual private gateway, and this is the VPN concentrator on the Amazon side of the VPN connection. Then on your side, in your data center, you need a customer gateway, which is either a physical device or a software application that sits on your side of the VPN connection. So when you create a VPN connection, a VPN tunnel comes up when traffic is generated from your side of the connection.

VPC peering is an important concept to understand. A peering connection can be made between your own VPCs or with a VPC in another AWS account, as long as it's in the same region. What that means is, if you have instances in VPC A, they wouldn't be able to communicate with instances in VPC B or C unless you set up a peering connection. Peering is a one-to-one relationship: a VPC can have multiple peering connections to other VPCs, but, and this is important, transitive peering is not supported. In other words, VPC A can connect to B and C in this diagram, but C wouldn't be able to communicate with B unless they were directly peered. Also, VPCs with overlapping CIDRs cannot be peered, so in this diagram you can see they all have different IP ranges, which is fine, but if they had the same IP ranges they wouldn't be able to be peered. And finally for this section, if you delete the default VPC you have to contact AWS support to get it back again, so be careful with it and only delete it if you have good reason to do so and know what you're doing.

This is a demonstration of how to create a custom VPC. So here we are back at the Amazon Web Services management console, and this time we're going to go down to the bottom left where the networking section is. I'm going to click on VPC and the VPC dashboard will load up. Now, there's a couple of ways you can create a custom VPC. There's something called the VPC wizard, which will build VPCs on your behalf from a selection of different configurations, for example a VPC with a single public subnet, or a VPC with public and private subnets. Now this is great, because you click a button and type in a few details and it does the work for you; however, you're not going to learn much or pass the exam if this is how you do it. So we'll cancel that and we'll go to Your VPCs and we'll click on Create VPC, and we're presented with the Create VPC window. So let's give our VPC a name. I'm going to call it simplilearn_VPC, and this is the kind of naming convention I'll be using throughout this course. Next we need to give it the CIDR block, or the classless inter-domain routing block, so we're going to give it a very simple one, 10.0.0.0, and then we need to give it the subnet mask. You're not allowed to go larger than 15, so if I try to put 15 in, it says no, not going to happen. For reference, a subnet mask of 15 would give you around 131,000 IP addresses, and a subnet mask of 16 will give you 65,536, which is probably more than enough for what we're going to do. Next you get to choose the tenancy: there's two options, default and dedicated. If you select dedicated, then your EC2 instances will reside on hardware that's dedicated to you; performance is going to be great, but your cost is going to be significantly higher. So I'm going to stick with default and we just click on Yes, Create. It'll
take a couple of seconds, and then in our VPC dashboard we can see our simplilearn_VPC has been created. Now, if we go down to the bottom here to see the information about our new VPC, we can see it has a route table associated with it, which is our default route table; so there it is, and we can see that it's only allowing local traffic at the moment. We go back to the VPC again, and we can see it's been given a default network ACL. We'll click on that and have a look, and you can see this is very similar to what we looked at in the lesson: it's allowing all traffic from all sources, inbound and outbound. Now, if we go to the Subnets section and just widen the VPC area here, you can see there's no subnets associated with the VPC which we created, so that means we won't be able to launch any instances into our VPC. To prove it I'll just show you: we'll go to the EC2 section (so this is a glimpse into your future; this is what we'll be looking at in the next lesson) and we'll just quickly try and launch an instance. We'll select any instance, it doesn't matter, any size, not important. So here in the network section, if I try and select simplilearn_VPC it's saying no subnets found; this is not going to work. So we basically need to create some subnets in our VPC, and that is what we're going to look at in the next lesson.

Now, private IP addresses are IP addresses that are not reachable over the internet, and they're used for communication between instances in the same network. When you launch a new instance it's given a private IP address and an internal DNS hostname that resolves to the private IP address of the instance. But if you want to connect to this from the internet, it's not going to work, so then you'd need a public IP address, which is reachable from the internet. You can use public IP addresses for communication between your instances and the internet. Each instance that receives a public IP address is also given an external DNS hostname. Public IP addresses are associated with your instances from the Amazon pool of public IP addresses. When you stop or terminate your instance, the public IP address is released and a new one is associated when the instance starts. So if you want your instance to retain this public IP address, you need to use something called an elastic IP address. An elastic IP address is a static, or persistent, public IP address that's allocated to your account and can be associated to and from your instances as required. An elastic IP address remains in your account until you choose to release it. There is a charge associated with an elastic IP address if it's in your account but not actually allocated to an instance.

This is a demonstration of how to create an elastic IP address. So we're back at the Amazon Web Services management console. We're going to head back down to the Networking, VPC section and we'll get to the VPC dashboard. On the left-hand side we'll click on Elastic IPs. Now you'll see a list of any elastic IPs that you have associated in your account, and remember, any elastic IP address that you're using that isn't allocated to something, you'll be charged for. So I have one available, and that is allocated to an instance currently. We want to allocate a new address, and it reminds you that there's a charge if you're not using it. I'm saying yes, allocate, and it takes a couple of seconds, and there's our new elastic IP address. Now we'll be using this IP address to associate with the NAT gateway when we build that.

AWS defines a subnet as a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. You can use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet. The netmask for the default subnet in your VPC is always /20, which provides up to 4,096 addresses per subnet, and a few of them are reserved for AWS use. The VPC can span multiple availability zones, but the subnet is always mapped to a single availability zone; this is important to know. So here's our basic diagram, which we're now going to start adding to. We can see the virtual private cloud and you can see the availability zones, and now inside each availability zone we've created a subnet. Now, you won't be able to launch any instances unless there are subnets in your VPC, so it's good to spread them across availability zones for redundancy and failover purposes. There's two different types of subnet, public and private. You use a public subnet for resources that must be connected to the internet, for example web servers. A public subnet is made public because the main route table sends the subnet's traffic that is destined for the internet to the internet gateway, and we'll touch on internet gateways next. Private subnets are for resources that don't need an internet connection, or that you want to protect from the internet, for example database instances.

So in this demonstration we're going to create some subnets, a public and a private subnet, and we're going to put them in our custom VPC in different availability zones. We'll head to Networking, VPC, wait for the VPC dashboard to load up, click on Subnets, and go to Create Subnet. I'm going to give the subnet a name; it's good to give them meaningful names, so I'm going to call this first one, for the public subnet, 10.0.1.0, and I'm going to put this one in the us-east-1b availability zone, and I'm going to call it simplilearn public. It's quite a long name, I understand, but at least it makes it clear what's going on in this example. Then we need to choose a VPC, and we obviously want to put it in our simplilearn_VPC, and I said I wanted to put it in us-east-1b (I'm using the North Virginia region, by the way), so we click on that. Then we need to give it the CIDR block. Now, as I mentioned earlier when I typed in the name, that's the range I want to use, and then we need to give it the subnet mask, and we're going to go with 24, which should give us 251 addresses in this range, which obviously is going to be more than enough. If I try and put a different value in that's unacceptable to Amazon, it's going to give me an error and tell me not to do that. Let's go back to 24 and click (I'll cut and paste this, by the way, as I need to type something very similar for the next one), click Create, and it takes a few seconds. Okay, so there's our new subnet, and I'll just widen this so you can see: that's the IP range, that's the availability zone, it's for simplilearn and it's public. So now we want to create the private one. I'll put the name in, I'm going to give the private one the IP address block, I'm going to put this one in us-east-1c, and it's going to be the private subnet. Now obviously I want it to be in the same VPC, I'll put it in us-east-1c, and we're going to give it 10.0.2.0/24, and we'll click Yes, Create. Again it takes a few seconds. Okay, let me sort by name so we can see: now we've got our private subnet and our public subnet. Right, let me just type in simplilearn so we can see; now you can see them both there, and you can see they're both in the same VPC, simplilearn_VPC. Now, if we go down to the bottom you can see the route table associated with these VPCs, and you can see that they can communicate with each other internally, but there's no internet access. So that's what we need to do next. In the next lesson you're going to learn about internet gateways and how we can make these subnets have internet access.

Welcome to the networking section. In this section we're going to take a look at internet gateways, route tables and NAT devices, and we'll have a demonstration on how to create each of these AWS VPC items. So, to allow your VPC the ability to connect to the internet, you need to attach an internet gateway, and you can only attach one internet gateway per VPC. So attaching an internet gateway is the first stage in permitting internet access to instances in
your VPC. Now here's our diagram again, and now we've added the internet gateway, which is providing the connection to the internet to your VPC. But before you can configure internet access correctly there's a couple more steps. For an EC2 instance to be internet connected, you have to adhere to the following rules: firstly, you have to attach an internet gateway to your VPC, which we just discussed; then you need to ensure that your instances have public IP addresses or elastic IP addresses so they're able to connect to the internet; then you need to ensure that your subnet's route table points to the internet gateway; and you need to ensure that your network access control and security group rules allow relevant traffic to flow to and from your instance. So you need to allow the rules to let in the traffic you want, for example HTTP traffic. After the demonstration for this section, we're going to look at how route tables, access control lists and security groups are used.

In this demonstration we're going to create an internet gateway and attach it to our custom VPC. So let's go to Networking, VPC, bring up the VPC dashboard, and on the left-hand side we click on Internet Gateways. So here's a couple of internet gateways I have already, but I need to create a new one, so Create Internet Gateway. I'll give it a name, which is going to be simplilearn internet gateway, IGW, and now I'm going to click Create. So this is an internet gateway which will connect a VPC to the internet, because at the moment our custom VPC has no internet access. So there it is created, simplilearn IGW, but the state is detached because it's not attached to anything. So let me try and attach it to a VPC, and it gives me an option of all the VPCs that have no internet gateway attached to them currently, so I only have one, which is simplilearn_VPC. Yes, attach. Now you can see our VPC has internet attached, and you can see that down here, so let's click on that and it will take us to our VPC. But before any instances in our VPC can access the internet, we need to ensure that our subnet route table points to the internet gateway, and we don't want to change the main route table; we want to create a custom route table, and that's what you're going to learn about next.

A route table determines where network traffic is directed. It does this by defining a set of rules. Every subnet has to be associated with a route table, and a subnet can only be associated with one route table; however, multiple subnets can be associated with the same route table. Every VPC has a default route table, and it's good practice to leave this in its original state and create a new route table to customize the network traffic routes associated with your VPC. So here's our example, and we've added two route tables, the main route table and the custom route table. The new route table, or the custom route table, will tell the internet gateway to direct internet traffic to the public subnet, but the private subnet is still associated to the default route table, the main route table, which does not allow internet traffic to it; all traffic inside the private subnet is just remaining local.

In this demonstration we're going to create a custom route table, associate it with our internet gateway, and associate our public subnet with it. So let's go to Networking, VPC; the dashboard will load, and we're going to go to Route Tables. Now, our VPC only has its main route table at the moment, the default one it was given at the time it was created, so we want to create a new route table, and we want to give it a name. We're going to call it simplilearn, we'll call it route table, RTB for short, and then we get to pick which VPC we want to put it in, so obviously we want to use simplilearn_VPC. So we click Create, it'll take a couple of seconds, and here you are, here's our new route table. So what we need to do now is change its routes so that it points to the internet gateway. If we go down here to Routes, at the minute you can see it's just like our main route table, it just has local access. So we want to click on Edit and we want to add another route: the destination is the internet, which is all the zeros, and our target, when we click on this, gives us the option of our internet gateway, which is what we want. So now we have internet access to this subnet, sorry, to this route table, and we click on Save. Save was successful, so now we can see that as well as local access we have internet access. Now, at the moment if we click on Subnet Associations, we do not have any subnet associations, so basically both our subnets, the public and private subnets, are associated with the main route table, which doesn't have internet access. So we want to change this. We'll click on Edit, and we want our public subnet to be associated with this route table, so click on Save. It's just saving that, so now we can see that our public subnet is associated with this route table, and this route table is associated with the internet gateway. So now anything we launch into the public subnet will have internet access. But what if we wanted our instances in the private subnet to have internet access? Well, there's a way of doing that with a NAT device, and that's what we're going to look at in the next lecture.

You can use a NAT device to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating connections with the instances in the private subnet. So we talked earlier about public and private subnets to protect your assets from being directly connected to the internet: for example, your web server would sit in the public subnet and your database in the private subnet, which has no internet connectivity. However, your private subnet database instance might still need internet access, or the ability to connect to other AWS resources. If so, you can use a network address translation device, or a NAT device, to do this. A NAT device forwards traffic from your private subnet to the internet or other AWS services, and then sends the response back to the instances. When traffic goes to the internet, the source IP address of your instance is replaced with the NAT device address, and when the internet traffic comes back again, the NAT device translates the address to your instance's private IP address. So here's our diagram, which is getting ever more complicated, and if you look in the public subnet you can see we've now added a NAT device, and you have to put NAT devices in the public subnet so that they get internet connectivity. AWS provides two kinds of NAT devices, a NAT gateway and a NAT instance. AWS recommends a NAT gateway, as it's a managed service that provides better availability and bandwidth than NAT instances. Each NAT gateway is created in a specific availability zone and is implemented with redundancy in that zone. A NAT instance is launched from a NAT AMI, an Amazon Machine Image, and runs as an instance in your VPC, so it's something else you have to look after, whereas a NAT gateway, being a fully managed service, means once it's installed you can pretty much forget about it. A NAT gateway must be launched into a public subnet because it needs internet connectivity. It also needs an elastic IP address, which you can select at the time of launch. Once created, you need to update the route table associated with your private subnet to point internet-bound traffic to the NAT gateway; this way the instances in your private subnet can communicate with the internet. So if you remember back to the diagram, when we had the custom route table which was pointed to the internet gateway, now we're pointing our main route table to the NAT gateway so that the private subnet also gets internet access, but in a more secure manner.

Welcome to the create NAT gateway demonstration, where we're going to create a NAT gateway so that the instances in our private subnet can get internet access. So we'll start by going to Networking, VPC, and the first thing we're going to do
is take a look at our subnets, and you'll see why shortly. So here are the simplilearn subnets. This is the private subnet that we want to give internet access, but if you remember from the section, NAT gateways need to be placed in public subnets, so I'm just going to copy the subnet ID for the public subnet, and you'll see why in a moment. Then we go to NAT Gateways on the left-hand side and we want to create a new NAT gateway. So we have to put a subnet in there, and we want to choose our public subnet. As you can see, it truncates a lot of the subnet names on this option, so it's a bit confusing; we know that we want to put it in our simplilearn VPC in the public subnet, but you can see it's truncated, so it's actually this one at the bottom. But what I'm going to do is just paste in the subnet ID which I copied earlier, so there's no confusion. Then we need to give it an elastic IP address. Now, if you remember from the earlier demonstration, we created one, so we'll select that, but if you hadn't allocated one you could click on the Create New EIP button. So we'll do that. Okay, so it's telling me my NAT gateway has been created, and in order to use your NAT gateway, ensure that you edit your route table to include a route with a target of, and then your NAT gateway ID. It's given us the option to click on Edit Route Tables, so we'll go straight there. Now here's our route tables. Here's the custom route table that we created earlier, and this is the default, the main route table which was created when we created our VPC. We should probably give this a name so that we know what it is, so we'll just call this simplilearn RTB main. So now we know that's our main route table. If you look at the main route table and the subnet associations, you can see that our private subnet is associated with this table, so what we need to do is put a route in here that points to the NAT gateway. So if we click on Routes and Edit, we want to add another route, and we want to say that all traffic can either go to the simplilearn internet gateway, which we don't want to do; we want to point it to our NAT instance, which is this NAT ID here, and we click Save. So now any instances launched in our private subnet will be able to get internet access via our NAT gateway.

Welcome to the using security groups and network ACLs section. In this section we're going to take a look at security groups and network ACLs, and we're going to have a demonstration on how you create both of these items in the Amazon Web Services console. The security group acts as a virtual firewall that controls the traffic for one or more instances. You add rules to each security group that allow traffic to or from its associated instances. Basically, a security group controls the inbound and outbound traffic for one or more EC2 instances. Security groups can be found on both the EC2 and VPC dashboards in the AWS web management console. We're going to cover them here in this section, and you'll see them crop up again in the EC2 lesson. Here is our diagram, and you can see we've now added security groups to it, and you can see that EC2 instances are sitting inside the security groups, and the security groups will control what traffic flows in and out. So let's take a look at some examples, and we'll start with a security group for a web server. Now obviously a web server needs HTTP and HTTPS traffic as a minimum to be able to access it, so here is an example of the security group table, and you can see we're allowing HTTP and HTTPS, the ports that are associated with those two, and the sources, and we're allowing it from the internet; we're basically allowing all traffic to those ports. That means any other traffic that comes in on different ports would be unable to reach the security group and the instances inside it. Let's take a look at an example for a database server security group. Now imagine you have a SQL Server database; then you would need to open up the SQL Server port so that people can access it, which is port 1433 by default, so we've added that to the table and we've allowed the source to come from the internet. Now, because it's a Windows machine you might want RDP access so you can log on and do some administration, so we've also added RDP access to the security group. Now, you could leave it open to the internet, but that would mean anyone could try and hack their way into your box, so in this example we've added a source IP address of 10.0.0.0, so only IP ranges from that address can RDP to the instance. Now, there's a few rules associated with security groups. By default, security groups allow all outbound traffic, so if you want to tighten that down you can do so in a similar way to how you define the inbound traffic. Security group rules are always permissive; you can't create rules that deny access, so you're allowing access rather than denying it. Security groups are stateful, so if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of the inbound security group rules. And you can modify the rules of a security group at any time, and the rules are applied immediately.

Welcome to the create security group demonstration, where we're going to create two security groups, one to host DB servers and one to host web servers. Now, if you remember from the best practices section, it said it was always a good idea to tier your applications into security groups, and that's exactly what we're going to do. So if we go to Networking, VPC to bring up the VPC dashboard, on the left-hand side under Security we'll click on Security Groups. Now, you can also get to security groups from the EC2 dashboard as well. So here's a list of my existing security groups, but we want to create a new security group, and we're going to call that simplilearn web server SG, security group, and we'll give the group name as the same, and our description is going to be simplilearn web servers security group. Okay, and then we need to select our VPC. Now it defaults to the default VPC, but obviously we want to put it in our simplilearn VPC, so click Yes, Create. It takes a couple of seconds, and there it is, our new security group. Now if we go down to the rules, the inbound rules, you can see there are none, so by default a new security group has no inbound rules. What about outbound rules? If you remember from the lesson, a new security group by default allows all traffic to be outbound, and there they are: all traffic has a destination of everywhere, so all traffic is allowed. We want to add some rules, so let's click on Inbound Rules, click on Edit. Now, this is going to be a web server, so if we click on the drop-down we need to give it HTTP. You can either choose Custom TCP Rule and type in your own port ranges, or you can just use the ones they have for you, so HTTP; this pre-populates the port range, and then here you can add the source. Now, if I click on it, it's giving me the option of allowing access from different security groups, so you could create a security group and say I only accept traffic from a different security group, which is a nice way of securing things down. You could also put in here just your IP address, so that only you could do HTTP requests to the instance; but because it's a web server we want people to be able to see our website, otherwise it's not going to be much use, so we're going to say all traffic. So all source traffic can access our instance on port HTTP, 80. I want to add another rule, because we also want to do HTTPS, which is hiding from me; there we are, and again we want to do the same. Also, because this is going to be a Linux instance, we want to be able to connect to the Linux instance to do some work and configuration, so we need to give it SSH access, and again it would be good practice to tie it down to your specific IP or an IP range, but we're just going to do all for now. Then we click on Save, and there we are, we have our ranges.

So now we want to create our security group for our DB servers. Let's click Create Security Group, and then we'll go through and give it a similar name, simplilearn DB servers SG, and the description is going to be simplilearn DB servers security group, and our VPC is obviously going to be simplilearn VPC. Let's click Yes, Create, wait a few seconds, and here's our new security group. As you can see, it has no inbound rules by default, and outbound rules allow all traffic. So this is going to be a SQL Server, a database server, and so we need to allow SQL Server traffic into the instance, so we need to give it Microsoft SQL port access. Now the default port for Microsoft SQL Server is 1433. Now, in reality I'd probably change the port the SQL Server is running on to make it more secure, but we'll go with this for now. And then the source: so we can choose the IP ranges again, but what we want to do is place the DB server in the private subnet and allow the traffic to come from the web server, so the web server will accept traffic and the web server will then go to the database to get the information it needs to display on the website, or if people are entering information into the website, we want the information to be stored in our DB server. So basically we want to say that the DB servers can only accept SQL Server traffic from the web server security group, so we can select the simplilearn web server security group as the source traffic for Microsoft SQL Server data, so we'll select that. Now, our SQL Server is also going to be a Windows instance, so from time to time we might need to log in and configure it, so we want to give it RDP access. Now again, you would probably put a specific IP range in there; we're just going to do all traffic for now. Then we click Save, and there we are: so now we have two security groups, DB servers and web servers.

A network ACL is a network access control list, and it's an optional layer of security for your VPC that acts as a
firewall for controlling traffic in and out of one or more of your subnets you might set up Network ACLs with rules similar to your security groups in order to add an additional layer of security to your V PC here is our network diagram and we've added Network ACLs to the mix now you can see they sit somewhere between the root tables and the subnets this diagram makes it a little bit clearer and you can see that a network ACL sits in between a root table and a subnet and also you can see an example of the default network ACL which is configured to allow all traffic to flow in and out of the subnets to which its associated each network ACL includes a rule whose rule number is an asterisk this rule ensures that if a packet doesn't match any of the other numbered rules is denied you can't modify or remove this rule so if you take a look at this table you can see on the inbound some traffic would come in and it would look for the first rule which is 100 and that's saying I'm allowing all traffic from all sources so that's fine the traffic comes in if that rule 100 wasn't there it would go to the asterix rule and the Aztecs are all is saying traffic from all sources is denied let's take a look at the network ACL rules each subnet in your V PC must be associated with an ACL if you don't assign it to a custom ACL it will automatically be associated to your default ACL a subnet can only be associated with one ACL however an ACL can be associated with multiple subnets an ACL contains a list of numbered rules which are evaluated in order starting with the lowest as soon as a rule matches traffic is supplied regardless of any higher numbered rules that may contradict ur AWS recommends incrementing your rules by a factor of 100 so there's plenty of room to implement new rules at a later date unlike security grooves ACLs are stateless responses to allowed inbound traffic a subject to the rules for outbound traffic welcome to the network PCL demonstration but we're just going to 
have an overview of ACLs where they are in a dashboard you now you don't need to know a huge amount about them for the exam you just need to know how they work and where they are so let's go to networking and VPC and on when the dashboard loads on the left hand side under security there's Network ACLs let's click on that now you can see some ACLs that are in my my AWS account so we want the one that's associated with our simply learned V PC so if we extend this V PC column that's our network ACLs simply then V PC now let's give it a name because it's not very clear to see otherwise also I'm kind of an obsessive tagger so it's call it simply learn ACL and click on the tick so yeah so now it's much easier to see so click on inbound rules so this is exactly what we showed you in the lesson the rule is 100 so that's the first rule that's going to get evaluated and is saying allow all traffic from all sources and the outbound rules are the same so if you wanted to tighten down the new rule you could click Edit we've give it a new rule number say which would be 200 so you should always increment them in 100 so that means if you have 99 more rules you needed to be put in place you would have space to put them in in between these two and then you could do whatever you wanted you could say you know we are allowing HTTP access from all traffic and we're allowing or you could say actually you know what we're going to deny it so this is the way of blacklisting traffic into your V PC now I'm not going to save that because we don't need it but this is where the network ACL set and this is where you would make any changes it's also worth having a look at the subnet associations with your ACL so we have two subnets in our simple env PC so we would expect to see both of them associated with this network ACL because it's the default and there they are it's both our public and our private subnets are associated and you can also see up here on the on the dashboard it says default so 
this is telling us this is our default ACL if you did want to create a new network ACLU would click right Network ACL you've give it a name just saying new ACL and then you would associate it with your V PC so we would say simply then DPC takes a few seconds and now we are there we have our new one you can see this one says default no because it obviously isn't the default ACL file are simply Len V PC and it has no subnets associated with it so let's just delete that because we don't need it but they are there's a very brief overview of network PC else welcome to the Amazon VPC best practices and costs where we're going to take a look at the best practices and the costs associated with the Amazon virtual private cloud always use public and private subnets you should use private subnets to secure resources that don't need to be available to the Internet such as database services to provide secure internet access to the instances that reside in your private subnets you should provide an app device when using that devices you should use in that gateway over nat instances because there are managed service and require less administration effort you should choose your cidr blocks carefully Amazon VPC can contain from 16 to 65,536 IP addresses so you should choose your CIDR block according to how many instances you think you'll need you should also create separate Amazon v pcs for development staging test and production or create one Amazon V PC with separate subnets with a subnet each for production development staging and tests you should understand the Amazon V PC limits there are various limitations on the V PC components for example you're allowed 5 B pcs per region 200 subnets per VPC 200 route tables per V PC 500 security groups per V PC 50 in and outbound rules per V PC however some of these rules can be increased by raising a ticket with AWS support you should use security groups and network ACLs to secure the traffic coming in and out of your V PC Amazon advises 
to use security groups for whitelisting traffic and network ACLs the blacklisting traffic Amazon recommends tearing your security groups you should create different security groups for different tiers of your infrastructure architecture inside V PC if you have web tears and DB tears you should create different security groups for each of them creating tear wise security groups running the infrastructure security inside the Amazon VPC so if you launch all your web servers in the web server security group that means they'll automatically all have HTTP and HTTPS open conversely the database security group will have sequel server pots already open you should also standardize your security group naming conventions following a security group naming convention allows Amazon VPC operation and management for large scale deployments to become much easier always span your Amazon VPC across multiple subnets in multiple availability zones inside a region this helps in architecting high availability inside your VPC if you choose to create a hardware VPN connection to your B PC using Virtual Private Gateway you are charged for each VPN connection hour that your VPN connection is provisioned and available each partial VPN connection hour consumed is billed as a full hour you'll also incur standard AWS data transfer charges for all data transferred via the VPN connection if you choose to create an that gateway in your V PC you are charged for each NAT gateway hour that you're on that gateway is provisioned and available data processing charges apply for each gigabyte processed through than that gateway each partial nap gateway hour consumed is billed as a full hour this is the practice assignment for designing a custom V PC where you will create a custom V PC using the concepts learned in this lesson using the concepts learned in this lesson recreate the custom V PC as shown in the demonstrations the V PC name should be simply learned V PC the CIDR block should be 10.0.0.0 slash 16 
it should be 2 subnets 1 public with a range of 10.0 1.0 and one private of a range of 10 0 to 0 and they should be placed in separate availability zones there should be one Internet gateway and one nap gateway and also one custom root table for the public subnet also create two security groups simply then web server security group and simply learn DB server security group so let's review the key takeaways from this lesson Amazon virtual private cloud or VPC enables you to launch AWS resources into a virtual network that you've defined this virtual network closely resembles a traditional network that you'd operate in your own data center but with the benefits of using scalable infrastructure of AWS there are three types of IP address in AWS a private IP address this is an IP address that's not reachable over the Internet and it's used for communication between instances in the same network a public IP address is reachable from the internet which you can use for communication between your instances and the internet and there's an elastic IP address this is a static public persistent IP address that persists after an instance restarts whereas a public IP address is risked associated after each restart Amazon defines a subnet as a range of IP addresses in your B PC you can launch AWS resources into a subnet that you select and a subnet is always mapped to a single availability zone use a public sub natural resources that must be connected to the Internet and a private subnet for resources that won't be connected to the Internet to allow your V PC the ability to connect to the internet you need to unattach an Internet gateway to it and you can only attach one Internet gateway / V PC a root table determines where network traffic is directed it does this by defining a set of rules every subnet has to be associated with a root table and a sudden that can only have an association with one root table however multiple subnets can be associated to the same root table and you 
can use a NAT device to enable instances in a private subnet to connect to the internet or other AWS services but and that device will prevent the internet from initiating connections with instances inside your private subnet a security group acts as a virtual firewall that controls the traffic for one or more instances you add rules to each security group that allow traffic to or from it's associated instances a network access control list or network ACL is an optional layer of security your V PC that acts as a firewall for controlling traffic in and out of one or more of your subnets this concludes the Amazon VPC lesson the next lesson is Amazon ec2
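The firewall semantics the lesson describes (allow-only, stateful security groups that can reference another security group as a source; numbered, stateless network ACL rules evaluated lowest-first with the asterisk rule denying anything unmatched) are modelled below as an added Python example. It is not code from the lesson or from AWS, only a local simulation of the evaluation rules, so it can be run offline to see why a deny rule numbered above the default "100 allow all" never fires and why a stateless ACL needs an outbound rule for replies. The security group names, the admin range 203.0.113.0/24, the scanner range 198.51.100.0/24 and the reply port are constructed sample values, and the /24 masks used for the assignment's 10.0.1.0 and 10.0.2.0 subnets are an assumption.

```python
"""Local model of the lesson's firewall semantics (added example, not AWS code).

Security groups: allow-only, stateful, any matching rule permits the packet.
Network ACLs: numbered rules evaluated lowest-first, first match wins, and an
implicit '*' rule denies anything unmatched. ACLs are stateless, so the reply
to an allowed inbound packet must separately pass the outbound rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class SgRule:
    protocol: str    # "tcp", "udp", ...
    from_port: int
    to_port: int
    source: str      # a CIDR, or "sg:<name>" meaning "from that security group"


@dataclass(frozen=True)
class AclRule:
    number: int      # evaluation order; the lesson suggests steps of 100
    protocol: str    # "all" or a protocol name
    from_port: int
    to_port: int
    cidr: str
    action: str      # "allow" or "deny"


def sg_allows(rules: List[SgRule], protocol: str, port: int,
              src_ip: str, src_sg: Optional[str] = None) -> bool:
    """Any matching rule allows; no match means the implicit deny."""
    for r in rules:
        if r.protocol != protocol or not (r.from_port <= port <= r.to_port):
            continue
        if r.source.startswith("sg:"):
            if src_sg == r.source[3:]:
                return True
        elif ip_address(src_ip) in ip_network(r.source):
            return True
    return False


def acl_decide(rules: List[AclRule], protocol: str, port: int,
               ip: str) -> Tuple[Union[int, str], str]:
    """Return (rule number, action) of the first match, or ('*', 'deny')."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.protocol not in ("all", protocol):
            continue
        if r.protocol != "all" and not (r.from_port <= port <= r.to_port):
            continue
        if ip_address(ip) in ip_network(r.cidr):
            return r.number, r.action
    return "*", "deny"


def acl_permits_flow(inbound: List[AclRule], outbound: List[AclRule],
                     protocol: str, port: int, client_ip: str,
                     reply_port: int = 49152) -> bool:
    """Stateless check: the request must pass inbound AND its reply pass outbound."""
    request_ok = acl_decide(inbound, protocol, port, client_ip)[1] == "allow"
    reply_ok = acl_decide(outbound, protocol, reply_port, client_ip)[1] == "allow"
    return request_ok and reply_ok


def vpc_cidr_ok(cidr: str) -> bool:
    """Lesson: a VPC holds between 16 and 65,536 addresses (/28 to /16)."""
    return 16 <= ip_network(cidr).num_addresses <= 65536


# --- constructed sample data mirroring the lesson's demonstration ---
ADMIN_RANGE = "203.0.113.0/24"   # assumed admin range instead of the lesson's "all"
WEB_SG = [
    SgRule("tcp", 80, 80, "0.0.0.0/0"),
    SgRule("tcp", 443, 443, "0.0.0.0/0"),
    SgRule("tcp", 22, 22, ADMIN_RANGE),
]
DB_SG = [
    SgRule("tcp", 1433, 1433, "sg:web"),      # SQL Server only from the web tier
    SgRule("tcp", 3389, 3389, ADMIN_RANGE),   # RDP only from the admin range
]
DEFAULT_ACL = [AclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]
# A deny numbered above 100 is shadowed: rule 100 already matched the packet.
SHADOWED_ACL = DEFAULT_ACL + [AclRule(200, "tcp", 22, 22, "198.51.100.0/24", "deny")]
# Numbering the deny below 100 makes it take effect.
EFFECTIVE_ACL = [AclRule(50, "tcp", 22, 22, "198.51.100.0/24", "deny")] + DEFAULT_ACL
# Inbound allows port 80 but nothing is allowed outbound, so replies are dropped.
INBOUND_ONLY = [AclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print("web SG, tcp/80 from anywhere:", sg_allows(WEB_SG, "tcp", 80, "198.51.100.7"))
    print("web SG, tcp/22 from non-admin:", sg_allows(WEB_SG, "tcp", 22, "198.51.100.7"))
    print("db SG, tcp/1433 from web SG:", sg_allows(DB_SG, "tcp", 1433, "10.0.1.10", "web"))
    print("shadowed deny:", acl_decide(SHADOWED_ACL, "tcp", 22, "198.51.100.7"))
    print("effective deny:", acl_decide(EFFECTIVE_ACL, "tcp", 22, "198.51.100.7"))
    print("stateless flow ok:", acl_permits_flow(INBOUND_ONLY, [], "tcp", 80, "198.51.100.7"))
    print("assignment subnets fit the VPC:", all(
        ip_network(s).subnet_of(ip_network("10.0.0.0/16"))
        for s in ("10.0.1.0/24", "10.0.2.0/24")))   # /24 is an assumption
```

The shadowed versus effective ACL pair is the point worth keeping in mind when the lesson says to "increment by 100": leaving gaps only helps if the deny you add later is numbered below the allow it is meant to override, and a security group reference such as `sg:web` is what lets the DB tier accept SQL Server traffic without opening port 1433 to any IP range at all.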
Info
Channel: Simplilearn
Views: 337,204
Rating: 4.9068995 out of 5
Keywords: aws vpc, aws vpc tutorial, Amazon Virtual Private Cloud, VPC, vpc in aws, vpc aws tutorial, aws tutorial for beginners, amazon vpc, aws vpc deep dive, aws training videos, what is aws vpc, vpc aws, aws certified solutions architect associate level, aws tutorial, aws vpc peering, aws vpc endpoint, aws vpc setup, aws vpc configuration, aws vpc masterclass, vpc fundamentals, Amazon VPC and Subnets, Amazon VPC Best Practices, simplilearn, simplilearn aws
Id: fpxDGU2KdkA
Length: 55min 56sec (3356 seconds)
Published: Thu Jun 23 2016