AWS Advanced Networking Course | FREE AWS Full Course | AWS Networking Training | AWS BGP

Captions
Welcome, everyone. This is Michael Gibbs from Go Cloud Architects. If some of you could let me know if you can hear me by signaling with, say, "I'm here" or "I can hear you"... okay, wonderful. Leonard, thank you for letting me know. Welcome, everyone. My name is Michael Gibbs and I'm the founder and CEO of Go Cloud Architects, and we are dedicated to building high-performance cloud computing careers. I've been working in technology now for well over 25 years, 1993 to be exact, but I don't like talking about it because it makes me feel old. So I've been working in tech now for 25 years, and one of the things that I've done for well over two decades is I've worked with people to help them find their first tech jobs and get promoted in tech. And there's no better feeling, let me tell you, after 20 years of helping people find their first jobs, than when you get that phone call and someone says, "Guess what, I've got my first tech job." So this is something we've done forever, it's near and dear to our heart, and it's our complete and total mission.

So what we're going to talk about today is the following: we're going to be discussing the AWS Advanced Networking curriculum. Now, I want to let you guys know we're going to cover this from an architecture perspective, and the reason we're going to cover this from an architecture perspective is we're architects. So we're going to talk about the network from a system design perspective: how the pieces and parts work together, how the network is necessary to put the architecture together. The network may be the most critical thing you actually learn in your entire cloud computing career, and here's why: the cloud is nothing more than a virtualized network in a data center, and if the network doesn't work, nothing works. I mean literally nothing works, and I can tell you this from a lifetime working in data centers, networking and cloud computing. So the network is near and dear to my heart. You should always, always, always listen to the source of information prior to
actually making any kind of... what's the word I'm looking for... prior to actually determining, you know, the source of information. So I'll let you know a little bit about me. I am one of the original Cisco Certified Internetwork Experts, back when it was a two-day test 20-some years ago with a 90% failure rate. I was one of the first Cisco Certified Internetwork Experts; in fact, my number is 7417. So to put it into context, I've known this networking thing for a long time.

The format that we're going to use for this bootcamp is as follows: we're going to have approximately 20 minutes of discussion, 10 minutes of questions and answers, 20 minutes of discussion, 10 minutes of questions and answers, for the remaining time. The format will be 12 p.m. to 3 p.m. Eastern Standard Time, Monday through Friday this week. You will periodically hear from me, and what's going to happen is it's a pretty big interactive group and it's going to be really hard for me to really go through the comments. So what's going to happen is Chris from my team is going to be looking at your comments; he's going to be aggregating them, bringing up questions, sending them to me on Slack, and I'm going to be answering questions as they occur. So, super excited that you're all here. Let's go start to have some fun.

So as we begin today, we want to make sure we give you the fundamentals, because what we're going to do is start slow and then ramp up really fast. We're going to begin with what is networking, then we're going to talk a little bit about the structure of AWS and how the cloud's organized, and then we're going to gradually ramp up. But when we do this we're going to assume that you know nothing. We're going to do this because there are a lot of network engineers like me that want to move to the cloud, and we want to know that you are solid with cloud knowledge. You might come from another cloud and not this cloud, so we wanted to make sure that you know the AWS cloud
environment as we're doing it, and we want to make sure that at any time you're good and you're good to go. So ask us any questions anywhere and we'll answer them. I want it to be as much like a classroom experience as possible, so anything we can do, let us know. Periodically, if you're enjoying this conversation, please leave a like or some comments, just because it helps us know that we're doing a good job, because everything we want to do is to take care of you all.

So what is networking? Let's begin from the beginning. Networking is simply the connecting of multiple computer systems. If you've got one computer and you wanted to talk to another computer, you need a network. So that is networking. Networking, for people like me, look at it as plumbing. Realistically speaking, networking is the set of plumbing that enables your systems to talk to each other. What is networking? Networking is going to include the following components: your routers, your switches, your cabling, and your LAN and WAN connections. This is real networking. Now, in the cloud there'll be some logical networking, but pure networking is routers, switches, cables, and LANs and WANs. And welcome to all of you that are there.

So what does networking look like in action? Now, if you're a network engineer, some of this is going to be review, these first couple of slides, but if you're not, we want to make sure you get it, so please bear with me. We're going to show you what networking is like at the high level. This is really networking in action. Let's say you've got a system, and we'll walk through how all these things work throughout the training program, but let's look at this graphic that we have here. We have two PCs. We have PC1, which is identified by its IP address of 172.16.1.2, sitting on one subnet. Now if this PC wants to reach PC2, which is on the 172.16.5.9/24 subnet, the PC can't reach it. The PC can't reach it because it's not on that network. So what will ultimately happen is that the PC wants to reach something that's off of its
network. The PC is going to look in its routing table. So PC1 is going to look at its routing table and say, do I have a route to get to 172.16.5.0? And the PC is going to say no. So what will happen is the PC is going to look in its routing table and say, but I have a default gateway, which is a route that basically says go to this router if you don't know where to go. So PC1, on the way to PC2, will say, let me send my packet to router 2. Now router 2 is going to do something interesting: it's going to look in its routing table and it's going to say, do I have a route for 172.16.5.0? And if the answer is no, the packet gets dropped and everything is done. Now if the answer is yes, then things are really great, and ultimately what's going to happen is the packet will be sent out the interface that's next closest. So in this particular case router 2 is going to say, I can't reach it, but I know that router 3 can reach it, so let me send my packet out Ethernet interface ge0 to router 2. Now router 2 is going to look at this and say, do I have a route? And if router 2 has a route, it'll send it; if it doesn't, the traffic will be dropped. Router 2 is going to say, yes, I know how to reach 172.16.5.9, send it over to router 3 over GigabitEthernet 0/0.
So the next thing that happens is router 3 says, I have a route to the subnet, it's directly connected. So this router will do something called an ARP. It'll send an ARP broadcast, which is "who has the MAC address for 172.16.5.9?" PC 172.16.5.9 is going to respond to this ARP "who has" with "I have this MAC address," and then the PC will respond to the router, and then the connection will be established. Now, because PC1 sent information to PC2, PC2 is going to answer it and say, yes, PC1, here's the answer to your query. And this is going to happen by PC2 saying, do I have a route to PC1? And it's going to say, no, I don't, and because I don't have a route to router 1, what it's going to do is look at its default gateway and say, I have a default route to router 3. So now router 3 is going to say, do I have a route to PC1? And router 3 is going to say, yes I do, I know how to go to PC1, I'm going to go through this interface, I'm going to drop it off at router 2. And then router 2 is going to say, do I have a route to PC1? And it's going to say, yes I do, send it to router 1. And that's what's going to happen. That's what happens: traffic flows through your routers and your network, and that's going to occur based upon the routing table. So what routing tables are is a map of the network to get from point A to point B. We'll talk much more about some routing protocols, and much more about how these kinds of things are going to work. In order to make this work with routing tables, the routers need a map. So routers are like GPSes: they communicate with each other and they say, I have these addresses, I have these subnets, I have these subnets. Now they communicate with each other with things called routing protocols. We will talk about one of the routing protocols used throughout this, called BGP, but I just wanted you to understand the way networking works. It's basically hot potato: pass something from router to router to router to router based
upon the map that exists in the routing table. So now you know what routers do. So let's look over some of the basics of networking communication. We're going to cover the OSI model. We're probably going to cover it twice. The reason we're going to cover it twice is we're going to do it once in the introductory section and once again in the AWS networking section, and we're going to cover this twice for the following reason: it's important. So why does anybody care about this OSI model? The reason people care about the OSI model is it's how communication occurs across the network, but more importantly, in terms of just communicating across the network, it's how we troubleshoot things. If you can't figure out what's going on, you can't troubleshoot a break. So for troubleshooting, this is important. So, seven layers of this model. Layer 1, the physical layer, is cabling. That's it, cabling. So it could be a copper wire, meaning what you're going to be sending on the wire is electrons in the form of bits, or it could be a fiber optic cable, and what you're going to be sending is light, or photons, across the cable. So these are the kinds of things that will work. So physical layer, layer 1.
The next layer in networking is layer 2, or the data link layer. This is the physical card, so think of the Ethernet card on your computer as layer 2. At layer 2 we're dealing with things like MAC addresses, or frames; at least with regards to Ethernet, at layer 2 we're dealing with frames. Now, layer 3 of this protocol is, realistically speaking, where you're talking about the network layer. And what is the network layer? This is the logical layer. This is where we put our IP addresses; this is where we do most of our routing. The network layer is basically IP addresses. The next layer we'll talk about is the transport layer, and this is where we're going to determine whether to use TCP, UDP, ICMP or something like that. So we're going to cover the entire OSI model very shortly, but because we're just doing the intro to networking, we're going to go over the first four layers, which is really networking. Now when we go into the AWS cloud, in about 10 minutes, we'll cover it in a little more depth, especially because we know people come in and come out. But for right now, since we're just talking about networking, we're only talking about the bottom four layers: the physical layer, wire, cable, we're transmitting bits over the wire; layer 2, data link, Ethernet card, and because it's an Ethernet card it's going to be data link and we're going to be dealing with MAC addresses; layer 3, or network layer, IP addresses; layer 4, or transport layer, you're determining the session and you're going to be sending segments. So layer 1 bits, layer 2 frames, layer 3 packets, layer 4 segments. These are the things that are going to happen. And I see there are some questions coming in. It's hard for me to do the questions and teach, but we're going to take a 10-minute break in about 10 minutes and we'll answer any questions that are there; Chris from my team is aggregating them. So at this point let's go start talking about the types of transport control
protocols, and realistically speaking we have two, three kinds that we're using predominantly, and it's going to be TCP, UDP and ICMP. So TCP/IP is the main protocol stack that we're talking about with regards to networking communications. So what do I mean by protocol stack? It's not just TCP/IP; there's a suite of protocols that are involved in here. ARP is involved in here. There's an entire protocol stack, but at the transport layer, which is what we're going to talk about, there's really only three ways you would send your traffic, predominantly two: we're really talking about TCP and UDP. So what are we talking about here? When we're talking about sending data, we're talking about flow control. So if I wanted to send streaming video like we're doing right now, sending large amounts of data to people all over the world in real time, by doing this I want to use UDP. So we're using some form of real-time streaming, or UDP datagrams, and the reason we're using UDP is we're sending non-reliable transport with a real live stream. What do I mean by this? If I send one of you data and we lose a couple of packets along the way, nothing happens. Maybe your video goes on not as perfect as it looks, but nothing bad happens. By comparison, well, we'll talk about that. So UDP, non-reliable transport: things like streaming media, things like audio, things like live video. Streaming media is super important; that's where we're going to use UDP, real time. Here's what happens: if I send something to somebody on the other end and they don't receive it, with UDP I have no idea. So that's why it's called non-reliable transport. Now by comparison, if we use TCP, or reliable transport, something different happens. Here's what's so different about what happens with TCP versus UDP. When we're dealing with TCP we're using reliable transport. So for example, with TCP here's the way it works. Let's say Harry's on the call and I send Harry a message, and Harry says, "Mike, I got it." So then I send Harry two messages, and
Harry says, "Mike, I got it." So then I send Harry three messages and Harry says, "I got it," and I keep sending messages to Harry until Harry doesn't respond and say "I've got a message." Then I slow down and I restart transmitting. So TCP, or Transmission Control Protocol, is used when you need reliable. What makes it reliable is the acknowledgement protocol: by acknowledging that you've seen it, that you've sent it, that you've received it, we know that you've actually gotten access to the data. So UDP real time, TCP reliable. And then there's this other layer 4 protocol called ICMP, or Internet Control Message Protocol. Let's say, for example, I want to see if a website exists and I do "ping www.amazon.com". I'm sending an ICMP echo message, which is, by the way, "are you there?", and I'm going to get an ICMP echo reply, which says "I'm here." So let's go through it again; this is important. UDP, User Datagram Protocol, is set for non-reliable transport, real time, when you need things in real time. TCP, like if you're going to send a file or something important, send it via Transmission Control Protocol, because you need to know what's out there. ICMP, network testing. And that's it. So let's get off this topic; let's get into some more fun things. Let's define some of these network connections. We're going to define LANs and WANs a little bit. So a LAN is a local area network. What do I mean by local? Inside your same building. Inside of your building you've got a network; they're all plugged into each other via switches and fiber connections; they are short connections. That is a LAN, or local area network. Think of your campus, think of your data center, or in AWS think of an availability zone. Every data center that AWS has is a LAN; it's an example of a LAN, and it's an availability zone. So now you know what a LAN is, a local area network. LANs are high performance. Why? Because it's a cable, and you can push a lot of speed over a cable, and you're not paying that much for the cable. By
comparison, a WAN, or wide area network, is over a long distance, and because you're basically purchasing a wire, or the equivalent of a wire, from a service provider, WANs, or wide area networks, get expensive because you're paying for speed and distance. WANs are typically much slower than LANs, especially at cost. It could easily be, you know, a hundred thousand dollars a month for a WAN connection link at 100 gigabits per second over a distance, whereas on a LAN link a 100 gigabit connection, by the time you're dealing with the cards and the cables locally, might be $5,000 one time, forever. So a WAN connection is much more expensive and slower as a rule. Now we'll talk about cabling, but when it comes to cable versions, yes, it does matter a lot for LANs. For example, you know, if we're going to be dealing with 100 gigabit we need a type of cable that is different than 10 gigabit, which is different than 1 gigabit. Also, when it comes to LANs and cabling, you know, there are a lot of idiosyncrasies; the distance that you're going determines what kind of fiber. But LANs: local, high speed. WANs: long distance, you pay for them, expensive things, you've got to pay someone else. So let's now look at what a LAN would look like conceptually. This is a pretty common LAN that you would see. Let's say you've got a campus, and in the campus you've got two buildings and they're connected to each other with some fiber underground. Still a LAN, local area network. You've got site 1 and you've got site 2; they're plugged into their switches and they're routed in between them. Conceptually, this is what a LAN looks like: everybody is constrained in a small geographic area. That's your typical LAN. Now, when we're introducing the concept of LANs, or local area networks, we're also introducing the concept of a switch. And what a switch is, it's a device where people plug in. Now, by default most people plug their servers into a switch, and each switch, for
example... and Joe, we'll talk to you later, but a Direct Connect is a WAN, and we'll definitely get to all these things and lots of devices. But when people are plugging into a switch, they're plugging into a LAN. Now, out of the box, when you're dealing with a switch: we told you what routers do, routers forward packets; a switch is where you plug your stuff in. So typically speaking, in a standard switch, or an unmanaged switch, if you plug in, every port in the switch is all in the same switch, meaning you're on the same LAN, which means if I've got 100 ports in a switch and I do nothing with the switch, everybody in that entire switch could talk to each other. Right? No big deal, makes sense to everybody, right? So what if you wanted to make multiple LANs and you didn't want people talking to each other? You'd have to keep them separate. So let's look at virtualization of the network, which started 25-plus years ago, which, oh by the way, is now how the cloud's built, and it's all coming from this virtualization concept, and it all started with the virtual LAN. Now let's look at what VLANs are, because it's part of our introduction to networking, and it's also going to be how you're going to connect to AWS. Let's do this real quick. Let's pretend, for an example, we have a switch and it's got 500 ports in this switch. Now, big, high density, you know, real expensive switch; we got it from Cisco or Juniper, a great quality switch, 500 ports on the line cards. If we plugged all the ports into each other, everybody would be able to communicate with each other, assuming they're on the same subnet. But what if we didn't want that? What if we wanted users in accounting to be separated from the finance people, which were separated from the developers, which were separated from a development and test environment like a lab? We could chop that switch into multiple logical switches. Looks like server virtualization, but 20 years prior to server virtualization. Guess what it is? So about 25 years ago, when I first started
with virtualization, what was actually going on was we would take a switch and we would logically chop the switch into logical switches by creating a virtual LAN. And all the virtual LAN is: let's say the switch has 100 ports. Let's say you put ports 0 through 24 in one VLAN, and ports 25 to 49 in another one, and 50 to 74 in another virtual LAN, and 75 to 99 in another virtual LAN. You would have four complete, logically isolated switches in the same switch. How cool is that? One switch chopped into four switches. Hey, by the way: one server chopped into logical servers, virtualization. One operating system chopped into multiple containers, virtualization. All old technology. The cloud's old; it's just new because not everybody's been building it like me for 25 years. So virtual LANs: take a switch, chop it down into multiple logical LANs, now you've got a virtual LAN. So what if you've got multiple switches? Well, you've got a couple of ways you could do this. I want to show you how you could create communication between two switches. The reason we're going to go into this step here is that this is going to be particularly important later when we start talking about Direct Connect and how to get there. Let's say, for example, we had two switches and we created four VLANs in each switch: a VLAN A in each switch, a VLAN B in each switch, a VLAN C in each switch, and a VLAN D in each switch, just like we've done here. So because we've got multiple switches and multiple VLANs, realistically speaking they're logically isolated from each other. So if you've got two switches that are separated from each other and you wanted them to talk, you could run a cable directly from VLAN A to VLAN A, you could run a cable from VLAN B to VLAN B, you could run a cable from VLAN C to VLAN C, and you could run a cable from VLAN D to VLAN D, and guess what? Everybody's talking to everybody. This will work. This, by the way, would be the old way we used to do it: we would have switches and we'd run cables
from VLAN to VLAN. Works perfectly. Here's the problem: what if you only have one cable? Well, now you've got some challenge. So what are we doing with VLANs when we want to connect one switch to another switch? We've got to make it do something called a trunk port. And what is a trunk port? A trunk port is a port that enables you to put multiple VLANs on a single cable. Multiple VLANs on a single cable. So because you're putting multiple VLANs on a single cable, you've got to segregate your traffic. So how does this stuff work? When you're segregating your traffic, what's going on is you're taking your packet, or your frame, and you're putting your frame into something else; you're encapsulating it. So when it leaves the first switch it's wrapped in another frame with an 802.1Q tag, and when the receiving switch receives it, it pulls the tag off and then places the data in its appropriate VLAN. So when you're dealing with multiple VLANs and multiple trunks, what you're actually doing is you're tagging a packet, or a frame I should say, and you're using it to put all the same things on the same wire but keep them securely separated. So virtualization, or VLANs, is virtualizing a switch; 802.1Q tagging is adding a tag so that when you send it across the trunk port, or the single wire between two switches, you can share your information. So that's realistically the way these things are working, so now you know how VLANs work. Looks like there are questions with regards to software and hardware. On a good switch, VLANs are hardware. Now, the configuration is done in software, but the work is done on FPGAs or ASICs. On good switches all this stuff is done in hardware. Software-based switches, not really, unless we're talking about software-defined networking, which is another thing, which are basically these cheap commodity switches with powerful CPUs that are doing things in software. But good switches do all this stuff in hardware, all the big, core, important stuff. Now, I initially talked a little bit about
what wide area networks look like conceptually. This is, realistically speaking, what it actually looks like. Basically you've got a customer, you've got an environment where you purchase from a service provider, or a telco, a wire from point A to point B, and then you connect across the link. So that's kind of the way these sorts of things work, where you basically have a wire that you're purchasing through the phone provider's switches and things, and yet it's transparent to you. Now, it used to be that we used serial interfaces like T1, T3, and then we were using ATM, and then optical interfaces. For the most part everything's Ethernet. My team at Riverstone, we were working very heavily 20 years ago on layer 2 tunneling of Ethernet frames over an IP network, and that's what we're doing now. So in today's world we're typically dealing with pseudowires. And what are pseudowires? It's basically the service provider giving you a wire over their network. Now in this particular example that I showed you, what we're talking about is we're using a standard one, where basically you would buy a fiber optic connection to your service provider's local point of presence on both sides of your link, and then you would ride across the service provider's LAN service. So basically you're just buying a wire. Now in a more modern kind of environment we're dealing with Ethernet over MPLS, and what Ethernet over MPLS really is, is we're just tunneling IP traffic over an MPLS network. So when I told you, when we were doing VLANs, where we basically took our frame and we encapsulated it in another frame, in an Ethernet over MPLS environment we're doing the same thing: we're taking our frames, we're encapsulating them in another frame, and that's how things go. So that's all Ethernet over MPLS is. Now two more things on IP, then we'll take a break and answer any questions, then we're going to get a little bit into AWS, and that's when the fun begins. But we've got to
start with the baseline somewhere. So let's go back to that routing example I gave you in the beginning and let's look at it. Let's say PC1 wants to send something to PC2. What does PC1 do? PC1 says, how do I get to PC2? PC1 says, do I have a route in my routing table? And if PC1 has a route in its routing table, it would go there. If PC1 doesn't have a route in its routing table, it's going to look for the route in its routing table that most closely matches it, which for most PCs is a default gateway. And if you're not sure, and you're on a Unix machine, do something like an ifconfig, and if you're on a Windows machine, go to the command prompt and type ipconfig /all, and you will find your default gateway. Your default gateway is the router where you send your traffic for which you don't have a destination. So PC1 wants to go to PC2; it's going to see if it has a route; if it doesn't, it'll use its default route. When it gets to router 1, it's going to say, do I have a route in the routing table to the PC2 subnet? And it's going to look, and if it doesn't, it'll drop it; if it does, it's going to say, wow, I have a route, it's through router 2.
It'll send it to router 2, and once it gets to router 2, router 2 will say, I have a route to this, and because I have a route to this, because it's directly connected, I know that it's connected to me, I will send an ARP broadcast: ARP, who has the MAC address for PC2? PC2 will respond with its IP address and its MAC address, and it will send it back and forth, and that's how the communication works back and forth. So that's how routing works. Now, one last piece of housekeeping to cover in the introductory section is what's going on in the header. What's going on in the header is as follows. Every packet has a header. Now, what's going on in this packet header is going to be really important. Why is me, a practical guy, an architect, covering all this basic fundamental header stuff? Because the stuff in that header is going to be really important when we start talking about packet filtering and access lists and quality of service and important things. That's why we're doing it. So the header, which is a part of the packet which basically tells the packet where it should send its data, is as follows. It first gives you the destination address; that's where your data is going. That's how, you know, an access control list looks at your routers, looking for the destination IP address. It also tells you the source address. The source address is the address that started sourcing the data. Again, an access control list can look at your source address. If you've got an attacker attacking your system, block their source address; they can't get in. The next things that are in the packet header are as follows: the time to live. What is the time to live? Every time a packet goes through a router, it has something called the TTL, which is decremented. The time to live is how many routers the packet can go through before it times out. See, if we had packets and they didn't have a time to live, and there was no route to the destination,
the packets might be floating around forever until they got lost, or if you had a routing loop, packets might be going around forever and filling up your network. So the time to live basically means that if you can't deliver your traffic in a reasonable period of time, like a really reasonable period, your traffic gets dropped. And it can be as high as 255 hops; it could be a large number. Now, the protocol is TCP, UDP, ICMP, just like we talked about. Now what's this header checksum? The header checksum is basically a mathematical calculation that will tell you if the packet got there okay, meaning did the data get there right. So that's what the header is, so that you can see the destination and source addresses, the TTL, the protocol, and then the packet length. What is the packet length? How long it is, how many bytes, like 1500 bytes for example. And then the last things we'll talk about: the version, which is the TCP/IP version, and then we'll talk about this DS field. So what is this DS field? The degree of service field tells you how important the data is. So if you want to use your application to prioritize data, or you want to use your network to mark this data as prioritized, you can then set up a queueing policy that says Mike's data goes before Ned's data, who goes before Nick's data, who goes before Deep's data, or vice versa, or any policy you want. That's what this DS field is. So we've been talking for approximately 20 minutes. Actually, looks like my camera's doing something pretty funny, so I'm going to go mute the camera... and it cleared itself up. Don't know what happened there. So, let's open it up for any questions for a few minutes. Who has some questions for me? So, we talked about it: it does matter which cable version you use for the LAN. The next question is SD-WAN. We're not going to talk too much about SD-WAN in here, because SD-WAN is a completely separate topic, but if you guys like,
perhaps we'll do an SD-WAN training session coming in the next month or so. Pretty big topic, but something we can happily talk about. Joe: "Is Direct Connect a WAN?" Yes, Joe, a Direct Connect is absolutely a WAN, and when we talk about it we will show you all the modular components. A Direct Connect is a WAN, Joe, and that is a really great question. It adds a lot of latency. So as a cloud architect you're going to have to look at the applications and say, can the application actually tolerate the latency of the WAN? In 98 percent of the use cases the answer is yes, but in 2 percent the answer is probably no, because it's a WAN. So when you're designing your architectures, whether they be multi-cloud or hybrid cloud or all in the data center, or a combination thereof, you've got to look at that, because it's a WAN. You've got to think about that. We answered the coolest question: VLANs are typically done at the hardware level, where you configure them as software, but all this forwarding in all these really good routers and switches, at least the high performance ones, is all done in hardware. And Deep: the difference between a router and a modem. Well, here's what a modem really does. A modem is a means to take a digital signal and send it over an analog line. It used to be a dial-up modem, which we used, and basically these things would connect and they'd go, and then by tones they would actually send our data. That was a modem, because we were trying to send digital data over an analog line. Then we started using DSL, and basically we were using a modem to send digital data over an analog copper wire. And we're still using modems with cable, because cable is not really designed to do digital. So when we're using a modem, it is to translate digital to analog, a digital signal over an analog line. A router, by comparison, is a computer with lots of interfaces. Pretend I have, like, 20 different arms and they're all going in different
directions, and a router builds the map and says to reach destination one go this way, to reach destination two go this way, to reach destination three go this way, to reach destination four go this way. So that's what a router does: a router builds a map of the network, uses an algorithm to determine how to get to the best locations, and a router does that. Now in certain home user environments, now this isn't really networking, this is basically home stuff, you can get like a fiber optic connection to the home; they give you a modem and it's got a router and Wi-Fi in there, but that's combining it. But when we're talking about switches and we're talking about routers and we're talking about architecture, we are talking about these big hundred-thousand-dollar-plus devices that have redundant power supplies, redundant modems, all kinds of incredible things. So now you kind of get a good example of what's actually going on in these environments. So let me go through, before we go to the next topic: does anybody have any more questions? Because if you've got any more questions, let me know, and the reason it may look like I'm sitting here waiting for you guys to ask any questions is because there's a 30 second delay. William Wallace: is the IP header what you would use for a WAF or any firewall? Yes, these firewalls are looking at the IP headers to actually determine source, destination, type of service and everything. What Raphael was alluding to, which is something I didn't really talk about, here's what goes on. Realistically speaking, you can only put a certain number of hosts in a subnet, and what's going on here is all these hosts, every computer, they do these broadcasts. One of them is ARP: who has this, who has this, who has this. Then you've got these NetBIOS things building up, there's all these other weird Windows and Apple things where they're like I'm here, I'm here, I'm here, and all these devices are broadcasting, broadcasting, screaming, screaming, screaming, full of
information to let everybody know that it exists, and once you get above about 250 devices in a network they're all screaming I'm here, I'm here, I'm here; you've got a lot of broadcast traffic on your network. Broadcast traffic is something one person says that everybody has to receive, whether they want to receive it or not. So what's going on: this broadcast traffic is coming in, it's going on broadcast, broadcast, broadcast, every host in the system is looking at these things and they go I process it, I process that, I process, and the problem of processing all these things: after you process all the data, it hits the CPU. So broadcast traffic affects your routers, your switches and your servers. So what you do is, by creating subnets and routing between them, you limit broadcast domains, and that's why people are using routers. So it used to be, and then I'll talk about, if you guys want, a broadcast domain versus a collision domain. So realistically what's going on: 25, 30 years ago we had something called a hub. Nobody's used a hub in 25 years; they were a horrible idea. What happened is everybody would plug into the hub, and when they were all plugged into the hub, what would happen is they used these things, by the way Wi-Fi uses this, it was called CSMA/CD, and basically what happens if you had 10 people on a hub and I tried to transfer and somebody else was trying to transfer, we both couldn't send data at the same time. Our data would collide, we'd both stop sending, and then we would randomly back off, and it would be like oh, maybe I'll try, and then maybe somebody else would try, and we'd both be trying to send data and poof, our data would collide and we'd restart again. So it used to be that these hub things were a broadcast domain, or I mean a collision domain. So we got rid of hubs 25 years ago and replaced them with switches. When we went to switches, the concept of collisions completely went away, because every port is in its own collision
domain, and the only thing that got left there was a broadcast domain: everybody in a VLAN can see each other's broadcasts, and that's it, unless you do other things to constrain that, but that's realistically what's going on. So how much of the cloud networks are adopting IPv6? Well, IPv4 is the majority of things that we're using right now, but IPv6 is largely used: every mobile phone has an IPv6 address, and new networks are adopting IPv6 slowly, but almost all iPhones are there. William, with SQS: it has nothing to do with the router at all. Routers have their own queuing systems for data; SQS is an AWS thing that was designed more for our servers and things, totally unrelated. Rob Dwighton: where does the autonomous system come into play? That is only used with regards to BGP routing. We will have lots of fun with BGP throughout this program. I know it's not completely covered in the AWS Advanced Networking, but it's expected that you know how to use it; in networking and cloud you're going to be using BGP everywhere, so we will include a pretty good amount of knowledge in terms of how to do BGP, way above this. We're not going to be like a certification program that says read this BGP book but we're not teaching it to you; we are going to teach you the basics of BGP and how to tune it, how to optimize and how to perform it, because we want you guys to be fantastic cloud architects. Okay, it looks like we're ready to go to the next section. Let's start talking about the AWS cloud and how it's organized. Now again, some of this may be refreshing the content and some of it may be new depending upon your background, but we want to make sure that everybody's good all the time. So let's go talk about the cloud and how it's organized. Now one more question: the last question was, does AWS have their own IDS/IPS system? They do, but if you're really designing a high performance, high availability system, you're going to be using
something that comes from the marketplace, and we're not going to be using WAF; we're going to be using something much stronger than that for enterprise clients that matter. So we can teach you how to do that when we get to these sections. WAF is fine, but if your organizations need real security and real IDS/IPS systems, they're going to be doing much more sophisticated things than WAF and Shield, and we can talk about how that works throughout the program. Like I said, we're teaching you how to be architects, not just pass a certification exam. So let's talk a little bit about the cloud and how it's going to be organized. The cloud is going to be broken down into multiple sections, and most of you know most of these, but we're going to cover the other ones in case. We're going to talk about regions, we're going to talk about availability zones, we're going to talk about local zones, and then we're going to talk about edge locations. Now think of it this way: a region is an incredibly large geographical area, think like a continent or part of a continent. An availability zone is nothing more than a data center inside of that region. We're going to talk and show you more about local zones, but local zones are really an extension of a region. Remember I told you that you're using a WAN connection to connect to the service provider; WAN connections have latency, latency is the enemy of some applications, so if you've got a real-time application or a latency sensitive application, you need to basically do something that has less latency, and that's what the local zone's for, by getting closer to the user. And then we'll talk about edge locations. So let's walk through, visually speaking, what some of these things are. Let's look at the cloud. So AWS cloud: large geographic region, and inside of them data centers called availability zones. No big deal. Region: US, or East Coast US, or what have you; data centers: availability zones. Now let's talk about a local zone. Now the local zone is kind of more on
this networking thing; the local zone is pretty important, the local zone is getting kind of cool. So what is the local zone? The local zone is a place where you can run your latency sensitive applications closer to you. So what is it really? Think of it as a data center that's closer to you than the AWS availability zone in the region, so just extending the region. So you're going to have the opportunity to have computing power closer to where you're actually at, and by doing this you have less latency, reduced latency, improved application performance, wonderful, wonderful, wonderful things. That's what we're talking about with local zones. Now in order to use these local zones, and I'll show you visually what they do, they're not enabled by default; in fact you're going to have to opt into them, and that is fine, it's great, opt into them. Local zones are terrific: lower latency, better performance, the cloud's starting to feel almost like the network in the data center. Remember that cloud's just a virtualized network in the data center with much lower performance; when you start adding things like local zones, that cloud starts to perform a lot closer to the real-life environment, which is really fantastic. So we're excited by local zones. What happens is you opt into the local zones, you're going to create a subnet to use them, and in these local zones you place your EC2 instances, your load balancers, your containers, and if you're lucky enough to be in one of these local zones like LA, for example, you can put in a file system for Windows, Elastic MapReduce, ElastiCache, RDS systems, even dedicated hosts. So some of these environments are going to get pretty great. So let's look at visually how you're going to use them, whether you're going to use them. So if you want to use these local zones for edge computing, first you enable them, then you extend your VPC into the local zone, and then you're going to build and run your low latency applications, and that's how it's going to work. So let's look at it
from another perspective. Here's your region, and inside of your region you're going to have your availability zones, but this local zone, think of it as, let's say there's a local zone in Miami and I'm in Palm Beach over here. Instead of me having to send my traffic all the way to Ohio to the closest availability zone, I could just send it to Miami, which is like 60 miles away, which is going to give me fantastic latency and performance. The last thing that we'll talk about are actually edge locations, and when we're talking about edge locations, what we're really talking about is CloudFront. So CloudFront, which we'll talk about much later, which is the content delivery network, is really a place where we provide local access to the cache for CloudFront, and we'll talk about it. So the edge locations are CloudFront, and I'm going to show you exactly what that means, but basically speaking there's a CloudFront edge location in almost every city. So architecturally, looking at it this way, you've got your availability zones inside of your regions and you've got these edge locations. So these edge locations are, typically speaking, what you call points of presence, and what a point of presence is, it's a place where you've got large numbers of internet service providers, lots and lots and lots of them, and they're all in the same building. Why would you put so many internet service providers in the same building? Well, they can just run a cable between their routers and then they can all talk to each other. So if you need a lot of network bandwidth and your top 10 ISPs are in the same room and you want to put multiple 100 gig links between them, real simple, just a simple cable cross connect, high speed, high performance. And by setting it up in this way, if I'm on AT&T and I need to jump off AT&T's network to the Verizon network, we're in the same building. These points of presence are our BGP peering locations. So that's what edge locations were always in networking, but edge locations are here
or really in the concept of users accessing their data, and here's how it's going to work, and we're going to cover content delivery networks and CloudFront in much, much, much more depth coming soon, trust me, I promise. But until we get there, the way it's going to work is: if a user wants to request a web page, the user is going to go straight to their edge location, and if the information is cached in the edge location, it's going to be sent back to the user. But if it's not, and the user goes to the edge location and the edge location doesn't have it, it'll send it then to the regional cache, and if the regional cache doesn't have it, it'll send it to the web server, and then it'll send it back to the edge location, and then it'll send it back to the user. Now the next time my user tries to access the same thing, they'll hit that same edge location, and the data is already there because somebody requested it; it'll get sent straight to the user. So that's what edge locations are. So now we're going to start talking about some basic networking concepts, but before we do that, let's just make sure nobody has any questions on the edge locations, local zones or other places. So if anybody has some questions, great; otherwise, if you enjoy networking, please type networking, and if you want more training like this, more free training, type cloud architect, some way that we know that you're there and we can listen to what you're hearing; we know what you want, we want to give you guys as much training as we possibly can to help you guys out for your careers. My team has also asked me to ask you all to like and subscribe if that's appropriate for you, so I've been asked to do it, so I'm asking the question: please like, subscribe and hit the bell. And yes, edge locations are part of the content delivery network. The true content delivery network is, we'll talk about that in a minute, but edge locations are part of the content delivery network, but not the entire content delivery
network. Eric, I am so happy to see you on this session, you have no idea, Eric, so thank you for being here. I'm thrilled and thankful that you're able to be here today; I know you've been very busy in your life. So the question came through: is a local zone the same as a data center? The local zone is like a data center at the edge of the network, so yes, it's going to be a data center. Actually, great question, Anurag. Let's see, I want to make sure there's no more questions before we move on. What is an edge location? Okay, an edge location is as follows, and then I'll give you an answer for those next questions. So an edge location is where a user would access CloudFront. So a user comes, they hit the CloudFront edge location; the CloudFront edge location is basically a point of presence, or a little mini data center in every city where your things are, which then gets forwarded to a regional cache, which then goes to an availability zone. So an edge location is where users access the CloudFront content delivery network. A content delivery network is not just an edge location; a content delivery network has a network. So with regards to the internet, all traffic on the internet is what's called best effort delivery. If I buy a private line from New York to London at one gigabit, I know that when I'm buying a gigabit Ethernet I'm going to get one gigabit; the latency will never change because it's a wire, it will never change because it's a wire, and that's realistically speaking what's going on: the latency won't change. By comparison, if it's the internet, as soon as I buy traffic there's no guarantee of the performance of my traffic, none, zero, zero, zero, and because there's no guarantee of my traffic, the internet performance cannot be guaranteed. So what goes on is organizations build high performance content delivery networks. When is that? Let's assume that you didn't want to use the internet. If I wanted to use the internet and I wanted to go
straight on to the edge location: if it exists in the edge location, it's cached, it's going to send it to me, but if not, from the edge location it's going to take me across the content delivery network's private backbone. So it would ride the AWS backbone, CloudFront as opposed to the internet. So once I jump on the content delivery network, I'm off of the internet. So I hit my edge location, which for me is in Miami, and instantly I ride the AWS high speed backbone back to AWS. So the content delivery network not only does caching, it gets my traffic off of the public internet and onto the private network, which really enhances speed, performance and everything else. Hope I answered your question. So EC2 instances exist in local zones, not edge locations. Next question: is a local area network part of a specific AZ? A local area network is anything that is local, meaning it's typically in your data center. If your devices are all inside of an availability zone, and you can guarantee the part of that availability zone that is inside of a local area network, yes. If you're going across availability zones, if they're in the same, what do they call it, if they're in the same building where it's just a fiber optic connection, it's again like buildings across the street, local area network. If the availability zones are separated by 500 miles, it is not a local network; then it becomes a wide area network. Okay, if you make a change to a website hosted on your content delivery network, how long will it take to propagate to your content delivery network? It's based upon the TTL of your caching. If you have a TTL of 24 hours, it'll take 24 hours for new data to be moved over; if your TTL is one minute, it'll be over in a minute. So that's with regards to that. EC2 instances reside in local zones, not edge locations. How do you start learning as a network professional? Well, there's two ways to do that. I've been a networking professional forever; the
first and best answer I can actually give you is: we have created a complete cloud architect career development program, and it's a 16-week program, and it's designed to take people regardless of their background and teach them how to become cloud architects. We start at the beginning; we cover every component of the network, every component of the data center, every component of the servers, virtualization, firewalls, switches, security, everything. Then we cover all the applications that are used in these environments, how to build them and how to design them. We spend six hours, three hours twice per week, with our students designing live cloud architectures; we do it every week, we do it on Mondays and Fridays, we do six hours of live training. In between classes we have videos on demand, and what we do in between sessions is we have our students build and do labs. When our students do labs, they do things that matter: they learn server virtualization, they learn containers, they build firewalls, VPN devices, all the such. In addition to doing all these kinds of things, they set up a Linux, Apache, MySQL, PHP stack, literally everything; they set up file servers in Linux and Windows, they set up Microsoft Active Directory, they learn every piece of the network in the data center. You can't design a cloud architecture if you don't know the data center, because the cloud's just a data center, it's virtualized. And then we even have our students build their own clouds, I'm not joking; our students build their own cloud computing environments from scratch, because when it comes to getting your first cloud architect job, you need to be good, you need to be solid and you need to be super confident when you lack experience. So we do that. We also teach presentation skills, writing skills and emotional intelligence, interview skills; it's all included in our training program. I'll drop a link to our training program, I'll try a link to our training program, because you asked over here, and then actually, better yet, so
this is a link to our training program. I'll drop a coupon code and then I'll go back to answering questions, and if other people are curious about our training or want to know how to do things, they can always call our office, and we're always happy to work with new students; people call us, we'll work with you. So that's how you would move into this. Now the last question is regarding Transfer Acceleration. None of this has anything to do with Transfer Acceleration. Transfer Acceleration is actually used when you're dealing with files that are uploaded to S3; it's basically, but that's neither here nor there, but it does use something similar to this, where you're jumping onto a closer location to do it, very similar concept, but it's different. Everybody's ready to get back to it? Let's start talking about some AWS networking. [Music] So now we're going to get into some AWS networking concepts, and in this section we're going to cover a lot. We're going to cover the cloud, and then we're going to cover the VPC, and when we start covering the VPC we're going to cover a lot, everything from IP addressing to you name it; it's all part of the VPC. So we're going to begin. So what is the cloud? First and foremost, the cloud is nothing more than a virtualized network in a data center. It's going to have your LAN and your WAN fully integrated, it's going to have your servers, it's going to have your storage, it's going to have your security, it's going to have all your DNS, all your load balancers. So the virtual private cloud, people like to call it a virtual private network, but I like to view it as a virtual private data center, because it includes your network and your data center. And it's going to be logically isolated, so whatever you have in your data center is going to be isolated and separate from all the other AWS customers. Remember how I told you when you'd create a virtual LAN, where your things are logically separated from everybody
else? Well, same thing: your things are kept separate, and that's what's going on. Our traditional network engineers like us going out, we have to migrate to the cloud, because the cloud has basically made everything so simple that we need to be there; lots of jobs for cloud architects in the network engineering space, so much of it there, but we need to migrate towards the cloud, and that's why we're doing that. And yes, we do help people with resumes as well as introducing them to recruiters as part of our program. Going back to the cloud, I want to go talk about it one more time. I'm going to go back to this OSI model, and I know I talked about it before, I only went from layer one to layer four, so we're going to go real fast here, because we know people aren't always necessarily here for the entire session and they come back in. Real quick: layer one, the physical layer, it's the wire, the cable, fiber optic or copper or otherwise; layer two, data link, hardware or MAC address; layer three, IP addressing and routing; layer four, transport layer, TCP, UDP; layer five, the session, basically controls the connection; and layer six is presentation. What goes on at layer six? Encryption. And what goes on at layer seven? That's the stuff you use, that's the applications. You see, once again: layer one, you're pushing bits and bytes, layer one, that's physical, it's going to be getting electrons or photons based on what's going on in the wire; layer two, data link, that's the MAC address of your Ethernet card, we're sending frames; layer three, IP addressing and routing, packets, IP packets, layer 3 logical addresses; layer 4, the transport layer protocol, TCP, UDP, ICMP; layer 5, the session, controls what's going on at layer 4, and we're talking about sockets here; layer six, think presentation layer, think encryption; layer seven, this is what you use, so when you go to Google Chrome, that's a layer seven application, it's an application. So let's go back and talk about, you know, when you start addressing your things. So when we start
looking in these environments, you know, what is an IP address? Since I keep talking about layer 3 IP addresses, I want to make sure everybody gets foundations strong and solid. An IP address is just a logical address that identifies a computer on a system. Every system, with the exception, when we talk about anycast, and we'll talk about anycast, must have a unique address, just like the mail. Imagine if I wanted to send mail to you and you didn't have a unique address; your mail might go to everybody else that has the same address. Same thing here: if you don't have a unique address, how will the network identify you? It won't. So every computer has to have a unique IP address, and they can be real similar, but in the end they're going to be a little different. So just like you could have the same address but you have a different postal code or zip code, same thing goes on with IP addresses and subnetting and such. So for the internet to work, every device that has to talk to any other device must have a unique IP address, and we'll talk about workarounds for this and all kinds of things. Now we're talking about IP addressing, we're talking about two versions, IPv4 and IPv6. Now when we're dealing with IPv4, or the original addresses, we're dealing with a 32-bit address, which is the most common address; when we're dealing with IPv6, we're dealing with the newer form of address, and we'll talk a lot more about both of those kinds of addresses. So when I began there was no IPv6, we were all using IPv4, and IPv4 was perfect, but it's a 32-bit address, which gave us a whole lot of addresses, but no one really thought the internet was going to go anywhere. You know, the internet was this experimental military university thing that was small, real small, and organizations were given things like a class A address with 60 million addresses just for one system, and, you know, these kinds of things kind of existed, but, you know, now that's not the case anymore. So now what's realistically speaking going on is, are
you going to be migrating to IPv6? But let's go back to this IPv4, because mostly these addresses are still going to be used. Because we ran out of internet addresses so fast, and we were going to, the Internet Engineering Task Force came up with RFC 1918, which specified private IP addresses. What were these private IP addresses? These were IP addresses to be used internal to your organization. So what would happen is organizations internally would be using these private IP addresses, and then externally they're going to be using public IP addresses, which is fine. So that way internally organizations didn't have to waste IP addresses. What a great idea. So what happened is all these organizations use these private RFC 1918 addresses internally, and when they had to connect externally they would use public addresses. This worked great, and it's helped save us for years. Remember, private IP addresses are used internally; they are not globally routable, they are not unique, used inside of your network but not outside of your network. So then we had something crazy called IP classes, and this was another silly thing to think about. We used to have this concept of a class A address, which basically was a slash 8, and then we had a class B address, which was basically a slash 16, and then there was this concept of a class C address, which is basically a slash 24, and then class D addresses are used for IP multicast, and they're still used, and then class E is reserved. So what ultimately happened was, if somebody was given a class A address like 1.1.1.1 with a subnet mask of 255.0.0.0, sorry, I don't necessarily make all my own slides, I have some people that help me with the slides, actually, no, never mind, I could see, let's see what they did here; that was me reading it wrong. So wonderful to hear this, Joshua. So the class A addresses would give you 16 million potential hosts, but if you put that class A address on an Ethernet interface, that was it, they were all used up, because every subnet, like if
you have a server with two subnets, the server needs two interfaces, and they each need to be on a different subnet. So if you used the slash 8, which is 16 million addresses, on a single subnet, poof, it was gone, it was 100 percent wasted. So obviously you can't waste 16 million addresses on a single subnet. The next thing you do is the class B address, and a class B address was a slash 16, which gives you about 65,000 possible IP addresses, and again, if you would stick that on an interface you'd be wasting 65,000 addresses. Now from a practical perspective you're never going to get more than about 250 addresses in a subnet because of broadcast, so just look at it that way. Next on the list came these class C addresses, and we use class Cs all the time, although there are other addresses basically subnetted down to a class C, and a class C is a slash 24, and they would give you basically 253 hosts per subnet, perfectly good, perfect environment. And class D we still use for multicast. So all this would be great, but obviously that didn't work, so in today's world what's really going on is we're dealing with classless addresses. What do classless addresses mean? Classless addresses means we're just not sticking to the silly little classful boundaries, the slash 8, slash 16, slash 24. It means we can subnet, and what subnetting does is enables you to take one network and break it down into smaller networks, or take smaller networks and bring them into bigger networks. So thank you so much, Cool Dude 56.99, I really appreciate it. So that's the way these kinds of things work. So let's go work on what's going on. So what's going on is all these subnets, all these networks, are going to be broken down into subnets, the routers are going to be exchanging information, hi, I'm here, hi, I'm here, these are the links that I know about, these are links that you know about, these links you know about; they're going to build a map, and that's how they're going to get your data traveling from point A to
point B. That's how we're going to get it there, by building a map; that's what routing protocols do. So with AWS, they use Classless Inter-Domain Routing, called CIDR. Now I need to know what that CIDR stuff is; that's it: customers are given a block and you have to subnet that block for your IP addresses. That's pretty much it. So what is subnetting? Subnetting is a way where you take one network and you chop it down into smaller networks by borrowing host bits as subnet bits. So let's look at subnetting in action. Let's look at this particular example. Let's say I've got this class A, I'm sorry, class C IP address, 192.168.1.0/24. Perfect, great. Now let's say that's the only subnet I have in my site or range. What if I have three interfaces? I've got a problem. Why do I have a problem? Because I can only use one IP subnet per interface. So what's going on here in this particular environment: I took the 192.168.1.0 subnet and I further subnetted it down, or mathematically reduced it, to the 192.168.1.0/28, which will then give me the 192.168.1.16/28, and then I'll have the 192.168.1.32/28, and then I'll have the 192.168.1.48/28, all the way up. So I took my network and I broke it down. Now by breaking your network into smaller networks you're going to support fewer hosts, and that's okay, so you have to understand that as well. So here's where it gets kind of interesting, and here's where it gets iffy, and this is where network engineers like me, we've got to look at it, because it's a little on the ugly side. So typically speaking you lose two hosts per subnet, and what's going on here, if you wanted to calculate the number of subnets per host, you have two options. You can do 256 minus your subnet mask, so 256 minus 240 equals 16, subtract two, the first address and the last address, and you would find out that you'd have 14 available hosts. That works. Alternatively, you could do two to the power of the number of subnet, that's what you'd lose, which in this case is four; two to the fourth is 16
minus two, and again you would figure out that you have 13 available hosts in real life, but in AWS you're only going to have 11. Now this is really important, remember this, test question, test question, test question: you run into any kind of subnetting problems in AWS, it's because of this. Remember this, remind yourself: AWS reserves the first four addresses and the last address. So not just the first one, which is the subnet, and the last one, which is the broadcast; they reserve the first four and the last one, and by doing that they take away five addresses, which means on a slash 28 you only have 11 available addresses in AWS. You have 14 anywhere else, but only 11 in AWS or some of these cloud providers, which means if you've used a subnet that's a slash 28 and you've got basically eight or nine servers and a couple of load balancers, and they go to attempt auto scaling and they don't have enough IP addresses, because you ran out, you won't be able to scale up; they won't auto scale. So understand that: if auto scaling stops, it's because you probably ran out of IP addresses. So understand that completely. So normally two to the whatever power minus two, but with AWS you lose five addresses. So we talked about subnetting, I didn't mean to do that, we talked about subnetting, which is basically taking a subnet and breaking it down into little networks. Now what if we have a bunch of little networks and we want to turn them into a big network? Well, why would we do that? Maybe we thought we only needed 10 servers in the subnet and realized we needed more; well, we can expand the size of the subnet, or more realistically, when do we really do it? Routing. We create something called supernets, which is route summarization. I'm going to show you what's going on. For those of you that were hearing that beginning, or actually no, for the people that were on my training session this morning, we talked about connecting to the internet with 10 different internet service
providers and running BGP and pulling in three quarters of a million routes from each service provider to determine the best path to a destination. Something's different here. AWS only allows a hundred routes. That's it, a hundred routes. It's nothing, only nothing. A typical enterprise with twenty thousand remote locations might have fifty thousand routes on the routing table. Now you're with AWS and you've only got 100. Uh-oh, what are you going to do? Well, you're going to have to be really careful with your IP routing, and you're going to be really smart with your IP addressing, and you're going to come up with an address block that you can summarize and share this summary to the rest of the world. That's what you're going to be doing here: route summarization. So supernetting is designed for route summarization, so you can send one route, which promotes reachability.

Now this topic is important, and when we deal with BGP and load sharing and traffic engineering, which is really important, this really matters. So if anybody is lost here I want you all to ask questions, because I don't want anybody lost here. So look what we've done here. We've taken the address, or the subnet, 192.168.0.0/24, 1.0, 2.0 and 3.0. Now we can aggregate, or supernet, or route summarize, that into 192.168.0.0/20. See, when we do this and we're submitting it this way, what's going on is we're only sending one route. So if you only have 100 routes with AWS, look how awesome this is: only a single route. And that's how you're going to work around the AWS routing limitations. You're going to supernet. Supernetting is just taking multiple subnets and supernetting them; again, you send one route. We will have a lot of fun with traffic engineering here, and it's going to be really, really, really fun.

My team has sent me a message asking me to ask everyone to like, comment and subscribe. If you're having fun, let us know; if you're enjoying it, like it, and that signals algorithms and all kinds of things to be happy.

Let's just talk a little bit about IPv6.
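Before the IPv6 part, here is the subnetting and route-summarization arithmetic from the last few minutes as a worked example in Python, using only the standard-library `ipaddress` module. This is an added example, not code from the lecture or from AWS; the "five addresses lost per subnet" rule is the one the lecture states for AWS subnets, and every prefix below is constructed sample input. The `single_summary` helper also reports how many addresses a summary would advertise that are not actually in the blocks being summarized, which is the check a practitioner wants before announcing an aggregate over a Direct Connect or VPN: an aggregate that is wider than what you hold attracts traffic for space you cannot deliver.

```python
import ipaddress

# Rule stated in the lecture for AWS: the subnet address, the next three
# (AWS-only), and the last address are unusable, so five are lost per subnet.
AWS_RESERVED_PER_SUBNET = 5
CLASSIC_RESERVED_PER_SUBNET = 2   # network and broadcast everywhere else


def subnet_block(block, new_prefix):
    """Chop one network into equal-sized subnets by lengthening the mask."""
    net = ipaddress.ip_network(block, strict=False)
    if new_prefix < net.prefixlen:
        raise ValueError("a shorter mask is supernetting, not subnetting")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def usable_hosts(prefix, in_aws=False):
    """Addresses you can actually assign inside one subnet."""
    net = ipaddress.ip_network(prefix, strict=False)
    reserved = AWS_RESERVED_PER_SUBNET if in_aws else CLASSIC_RESERVED_PER_SUBNET
    return max(net.num_addresses - reserved, 0)


def autoscale_headroom(prefix, addresses_in_use, in_aws=True):
    """How many more instances or ENIs fit before scaling stalls for lack of IPs."""
    return usable_hosts(prefix, in_aws) - addresses_in_use


def summarize(prefixes):
    """Collapse contiguous, aligned subnets into the fewest supernets.

    Blocks that are not contiguous (or not aligned on a power-of-two boundary)
    stay as separate routes instead of being over-summarized.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_summary(prefixes):
    """Smallest single prefix covering every input, plus the number of
    addresses that summary would advertise which are NOT in the inputs.
    Zero means the summary is exact; anything else means the one route you
    send claims space you do not hold."""
    nets = sorted(ipaddress.ip_network(p, strict=False) for p in prefixes)
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()          # borrow one more bit
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(summary), summary.num_addresses - covered


if __name__ == "__main__":
    print(subnet_block("192.168.1.0/24", 28)[:4])
    print(usable_hosts("192.168.1.0/28"), usable_hosts("192.168.1.0/28", in_aws=True))
    print(summarize(["192.168.%d.0/24" % i for i in range(4)]))
    print(single_summary(["192.168.0.0/24", "192.168.2.0/24"]))
```

`summarize` is the safe form (it never widens beyond what you gave it); `single_summary` is the "one route" the lecture wants for the AWS route limit, with the over-advertisement count as the thing to look at before you send it.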
We're discussing IPv6. It's a newer form of IP address. Now I want to put this in context. IPv4 is a 32-bit binary address. You know what binary means: zero and one, that's it. So if you want to figure out exactly how many IP addresses we have, our number of IP addresses that are available with IPv4 is 2 to the 32nd minus 2. You wonder how many in IPv6? It's a 128-bit hexadecimal address. Hexadecimal means 0 1 2 3 4 5 6 7 8 9 a b c d e f, all the way to 15. So hexadecimal, eight times the number of addresses, times 128 versus 32, I mean exponentially, 38. So huge, huge difference.

So now we talked about some IP addresses, we talked about some AWS things. Now we're going to get to the VPC stuff and all the cool stuff; that's really the heavy duty cloud routing stuff. Before we do, anybody have any questions?

So now the question from Knowledge Drive. Before we go there: we provide completely free certification training for the Certified Solutions Architect Associate, the Certified Solutions Architect Professional and the AWS Advanced Networking. We have free books for the Certified Solutions Architect Associate, they're listed in the description below, and we have the Professional now. Knowledge, I will tell you this: certification alone is not enough to get hired. You must understand how all the systems work, how to design them, how to communicate them. Certification alone is not enough, but we do provide free certification for all the major certification things, and if you guys would like us to do more free boot camps of things, let us know. Say "boot camp" or something below and we'll try and find something to do each month to base your careers. I'll never be able to do for free what we can do with our internal students, but if you guys are interested in us doing more boot camps, type "bootcamps" below and we will try and make a point of doing a bootcamp of the month. So let us know.

So Shakula, a /16 basically gives you 65... how can you break that down into multiple subnets? Our team will send you
a video on how to do that, because there's never a chance that you're actually ever going to be able to work in architecture without understanding subnetting. You have access to it, Shakula; our team will send you a good video on that. In that video... we kind of assumed that people at least had that basic kind of knowledge in order to do this, but we can definitely... I'll send you something for that, since you're definitely part of our team.

So anytime you're on a certain subnet where you borrow a certain number of host bits, then the answer is yes; for example, it'll be subnet specific. So how does AWS take five IPs from the subnet? Here's what they do. The first one is normally reserved for the subnet, and then they reserve the next three for Amazon-only purposes, and then the broadcast address is reserved. So Amazon just chooses to reserve some extra ones.

Can I show the slide for the supernet again? Absolutely. So really what's going on here is we've got 192.168.0.0, and then 192.168.1.0, and then 192.168.2.0, and then we've got 192.168.3.0. So you're all with me there, right? So if we were to borrow some hosts... so let's say we did 192.168.0.0 and 0.1; we could supernet that in terms of the /23. We could also supernet 192.168.2.0 and 192.168.3.0; there's a 192.168.0.0, I'm sorry, it's a 192.168.2.0/23. Now we can, so we can aggregate all these into the /24.
Now what if we wanted to go 192.168.0.0 all the way through 192.168.7.0? What do you think the subnet mask would be there? Instead of /22, we'd borrow an additional subnet bit in order to do that. So what would that change the subnet to, everybody? A slash what? If you want to include the 192.168.0.0 all the way to 0.7, or 2.7... oh, if we want to go 192.168.0.0/24 all the way to 192.168.7.0/24, what would that subnet be if we aggregate all these things? /21, exactly.

Net Knowledge Drive, a boot camp is like this, where we get together and we do teaching every day for a couple of days to try and provide some free training education. Srinivas, great job, yes, this is a boot camp; this is day one. For Alexandra, and somebody asked earlier about transcripts: I'm assuming, I think YouTube automatically enables a transcript for this after it's been done, so it should be there. Yes, Alexandria, lots of places would charge multiple thousands of dollars for this. When we actually charge for training, we want to make sure that people not only get hired but they get massive promotions and they have really good career acceleration, and that's what we built our career development program for. We view certification as about 10% of the process, and the other part... we also understand that certification does help you get an interview, and because the interview is super important, we try and make sure that everybody has the certifications. We also understand that, you know, there's a lot of things you need to learn: emotional intelligence, executive presence. And we want to give you free certification so you don't have to waste any financial resources doing it. We like to do our certifications like this, in a live interactive forum, because one should be able to ask questions. We saw some Udemy-type courses where basically people bought training and they couldn't ask questions. I couldn't learn that way, and I would never want anybody to have to learn that way. So we do as many of these as we can for free. That's why we
do them. So we will put a link to our training if everybody is interested, and then we will get back to the content at hand.

Okay, William Wallace: why a /21 instead of a /22? The /22 would cover from 192.168.0.0 all the way to 192.168.3.0/24, but we were looking for a mathematical way to cover 192.168.0.0 all the way to 192.168.7.0, and in order to do that we need to borrow an additional bit, and to do that we need to go from the /22 to a /28. Leupold, I think we're going to have to get you a video on intro to subnetting. So Chris from my team, Chris, please take note of the people that need access to a video on intro to subnetting, and we'll make sure that we take care of them. Chris, for the intro to subnetting: people like Leupold, who is one of our students, Shukula, so he's got some questions, so make sure you take a list. Lupo just joined us yesterday, so we're pretty sure that he'll learn it real soon, but we want to make sure that nobody has any time waiting to learn anything.

Okay, so let's start talking about the cloud and your VPC. So what is the VPC? Let's start looking at the VPC and the components of the VPC. So this is going to be a pretty heavy duty section, the components of the VPC, and in here we're going to start talking about routing and routing tables, fun stuff. We'll talk about internet gateways, we'll talk about an egress-only internet gateway, we'll talk about NAT instances and NAT gateways, we'll talk about elastic IP addresses, we'll talk about VPC endpoints, we'll talk about VPC peering, we'll talk about network access control lists, and we're going to talk about security groups. So we'll take care of these things in this section.

First and foremost, we're going to begin with a routing table. When you actually sign up for a VPC, or you start using the cloud, you get your virtual private cloud, which is basically your own virtual private data center. And normally you have a bunch of routers and switches from Cisco or
Juniper, and they work great with AWS. What's going to happen is they're going to give you a virtual router. Now, because it's a virtualized router, it's theoretically high availability, which means it shouldn't be going down and should be working great. So it's going to be a virtual router, and the virtual router, just like any router, is going to help to determine the path to get your traffic from point A to point B. That's it. So when you do this, they'll build a map, and previously I showed you what it looks like, but it's going to look a little different in AWS. Basically what you're going to have is a map that's going to be like this one: it's going to have a route that's going to say this route is local, meaning directly connected; here's a route, you know, here's how you reach it; here's another route, but here's how you reach it; and here's a default route pointing to your internet gateway. Now look at this, look at these two routes. Look at this 192.168.0.0/16. Now look at the 192.168.1.0/24.
Both... if you... the 192.168.0.0/16 would also technically include the 192.168.1.0, but why, what's different? 192.168.1.0 is much more specific than 192.168.0.0. So you can have two routes in your routing table with overlapping subnets, the aggregate route, the /16, and the /24, and the router is going to always use the most specific route. So if you've got two routes that are overlapping but one's more specific, routers take the most specific route. When it comes to traffic engineering, and that's coming, that is the fun spot, and we will be doing a lot of it. So let me know you heard me and comment "most specific route" below.

So now let's talk about building the map. Now, when we're building the map, we're going to be using a routing protocol, BGP, and the routing protocol that's going to be building this map and the routing table, whenever you're connecting, the information is going to be coming from BGP, and AWS lets you use BGP in a lot of different places. Now, the BGP that we're actually talking about is going to be eBGP, or exterior BGP, and you will be using BGP to do your Direct Connections, you will be using your BGP in order to connect to multiple entities, you will be using BGP for VPC peering, you will be using BGP for remote access type VPNs. You are going to be using BGP for everything. Everything in the cloud is going to be using BGP. And the way your routing tables are going to be built is they're going to look like this: you're going to have the data center and the cloud. So typically speaking, this is the way it would look. So let's assume on the right side of this you've got the underlying network for AWS; because they're all designed this way, they typically have what's called an interior gateway protocol, which is almost exclusively OSPF or Intermediate System to Intermediate System, for internal routing and network layer reachability information, as we call it, and they typically run eBGP, or exterior BGP, to other external providers.
That's how organizations exchange information between the data center and the cloud. So internally an IGP, or interior gateway protocol; externally eBGP, or exterior gateway protocol, to connect to them.

Now we're kind of at a point, as I'm ready to go to the VPC things, that I kind of had a thought. We're going to be talking about BGP everywhere. How many of you have worked with BGP? Could you let me know, say "I've worked with BGP," and if you've not worked with BGP, let me know, "I've not worked with BGP," because I have the opportunity to stop and talk about BGP for approximately 45 minutes, which I think could be a massive improvement to your careers, but I don't want to do it if you've all worked with BGP. So let me know, say "I've worked with BGP" or "I've not worked with BGP," and then I'll determine whether I should discuss BGP before moving on to the remaining VPC things. I want to make sure you get the best experience, so help me, God, help me help you. I've only heard from five people; there's 140-some people on this call. Okay, so okay, okay, only heard from about 50 of the 150, but it looks like people have not worked with BGP. Because BGP is such a critical routing protocol, would you like me to stop, take 45 to 60 minutes, cover BGP to make you guys all some pretty awesome cloud architects? If so, just let me know and I'll do that right now; otherwise I'll continue with just the AWS-only stuff. If you want BGP, just tell me, because I'll do about a 45-minute good intro to BGP right now, and I think that could be pretty helpful for you all. Okay, let's do this. Sounds like everybody wants some BGP. We'll do this: we're doing the advanced networking from an architecture perspective. How can you design stuff you don't understand? Let's do some BGP. BGP is fun. So BGP, everybody, one of my favorite topics, by the way. I've spent over 10,000 hours working in BGP, so I absolutely love it. So BGP it is.

So let's talk about BGP. What is BGP? BGP is an exterior gateway protocol. It is a protocol that
you use to connect to external entities. So inside of your entity you use an interior gateway protocol; for exterior organizations you use BGP. BGP is an external gateway protocol, that's it. When you connect to external, you do it. So what? So BGP is a routing protocol. What makes it so special? It's scalable. Routing protocols are like the GPS in your car: the GPS in your car tells you how to go from point A to point B, and it reroutes you. BGP does the same thing. BGP is a scalable routing protocol, and it's a routing protocol that's designed to connect you to external entities, and in the process of doing that, it enables you to truly, truly, truly connect to lots and lots of different environments.

So let's talk about this routing protocol. It's a dynamic routing protocol. With a static routing protocol you'd have to manually say route, route, route, route, route, whereas with a dynamic routing protocol you don't; you just configure it and it starts learning, kind of like the machine learning, the adaptiveness and the AI of the world. Routing protocols did this stuff 30 years ago; they determined how to get from point A to point B. Awesome, awesome stuff. So routing protocols that are dynamic are going to build a map called the routing table.

Now, when we're talking about BGP, it's different than other routing protocols. Normally routing protocols identify each other with like a hello: "I exist, hello, hello, I'm here," and they form a neighbor relationship and they exchange routes, like OSPF. Not BGP. BGP does not use multicast to discover its neighbors like OSPF, for example. You have to tell it who its neighbors are. So when I'm using BGP, it's using unicast between two hosts that you manually specify, which means it's secure, because you're manually specifying sender and receiver, and you can authenticate the BGP messages too, and you will. BGP, because it's a session between the locations, needs to be reliable. If I sent routing information and the person didn't receive it, I didn't know if they didn't get it;
they might not get to the destination. So BGP is reliable. What do we use for reliable transport? TCP. So BGP is unicast, unlike the rest, which are multicast, and it uses TCP. Now, it also uses TCP port 179. BGP, TCP port 179. BGP, TCP port 179. BGP, TCP port 179. Why did I repeat this three times? Test question, first, but more importantly than the test question, because I'm not real big on tests, I'm real big on function: if you've got a firewall and your BGP session has to go through the firewall and you don't open TCP 179, it will never work. And trust me, I have seen more people mess up BGP because they didn't understand to open the ports on the firewall; more problems I've solved where organizations did that. TCP port 179. BGP is used because it is scalable beyond belief. I can connect to an internet service provider, pick up three quarters of a million routes, and I'll get them and I can handle it in the router. Can't do that with any other routing protocol. Not only can I take in these millions of routes, I can very carefully share them with the people that I want to. So, fantastic. Lots of flexibility here. BGP is fantastic. So it's used for scalability and tunability. It enables you to customize things beyond anything you can possibly believe. BGP is cool. BGP customization: you can literally say one route, prefer one link; another, prefer another link. You can tune it like you wouldn't imagine. That's why BGP is cool.

So BGP uses this thing called the finite state machine. So for those of you guys that are software developers, this will make more sense. Basically you've got one thing that goes around in a cycle and different things that can happen. BGP is this TCP-based connection thing, and because it's this TCP-based connection thing, it has to set up a session between two locations. First thing that happens is the session comes up, and there's several messages that are exchanged in between the peers. The first message is something called an open message. What happens is you basically configure your
neighbors, basically source, destination, and on the router it would be like: router bgp 65001, neighbor 172.16.1.2, autonomous system whatever. So that's how you're setting up the session. When the BGP neighbors basically say "hello, I exist, welcome, welcome, welcome," they basically send an open message, and in that open message they set up their BGP version, like version 3 versus version 4, their autonomous system, their identifiers, which is basically the loopback address or whatever address you've chosen to use as your BGP identifier, and that's basically how the BGP speakers identify each other. This is a little dry here, and it's a complicated protocol, but you know it's going to help you in your career, so bear with me a few minutes while we cover it.

Now you send an open message to basically say welcome, welcome, welcome, this is who we are. Now, when you've got a TCP session, you've got to keep the session up; you can't just leave it an empty session forever and expect it to stay up. So routers send a message called the keepalive to each other, which basically says keep the session open, but the keepalive does something else: it verifies the router's still there. So you know how you're using a load balancer and they're basically running a health check to the servers: are you there, are you there, are you there, and the servers say yes I'm here, yes I'm here, and they stay as part of the rotation, and the load balancer will basically, what do you call it, the load balancer will remove them if they don't respond to a health check. Same thing: the keepalive is the way that you can determine that your BGP neighbor is still there. So open establishes the session, keepalive makes sure everything works. If the neighbor doesn't respond to the keepalive, just like a load balancer, it gets removed from the rotation and the session will be taken down.

The next kind of message we'll talk about between them is something called an update message. What is this? So we've got two
routers. They establish a relationship, they're now peers, they're sending information periodically to make sure they're all up and running. BGP, computer school, says: I learned a new route, let me go tell my neighbor. That's what gets put in an update message. So you learn a new route, you tell your neighbor; you lose a route, you get rid of it. That's what's going on in an update message, basically; you're saying that's what's going on. So the last message is a notification message, so this is not a good thing. So when you're dealing with notification messages, if something bad happens, you're notified: hey, by the way, session's closed.

So, open: basically your sessions come up, your sessions come up, they exchange all kinds of things, autonomous system numbers, BGP version numbers, hold times, BGP identifiers, that kind of thing. Then they maintain the session through a keepalive; it says I'm here, I'm here, I'm here. If one of the things doesn't respond to the keepalive, it gets removed from the rotation, just like DNS with a health check or a load balancer with a health check. Then in your BGP message you just had an update: learned a new route, got rid of a route. And that update's going to have a lot of information; it's going to include like your route origin, the AS path, next hop, what have you. And then finally a notification, if things don't go well, not a good sign, and that's when you get an update.

So keeping with what's going on here: I had mentioned that BGP forms a neighbor relationship. This is where this ugly finite state machine comes in, but that's okay, you can learn it. So when you're working with BGP and you're on a router, you're looking at the route, and you're doing like a show ip route and you're looking at the routing tables, and then you're looking at a show ip bgp, and all of a sudden you don't see stuff. What's going on? So when you're troubleshooting these things and you're actually working, for example, with a router, and you do like a show ip bgp neighbor because you're not
getting routes, you want to figure out what's going on. And when you're doing the show ip bgp neighbor, you're looking at the neighbor, it's going to be in one of these states: Idle, Connect, Active, OpenSent, OpenConfirm or Established. Now, what you want to see is Established. If it's Established, routes and messages are going to be sent, but if it's not Established, you've got problems going on.

So let's talk about, excuse me, what these states actually are. First we'll talk about Idle. When you first turn on your router and you just enable BGP, it starts at an Idle state. This is initial; this is basically where your router is just waiting for the TCP session to get established. This is completely normal the second you just turn on BGP on your routing protocol instance; it's supposed to happen this way. But if this does not connect, it'll stay on all those bad things. So it's supposed to start this way. Now, if you misconfigured BGP, it's going to go back to Idle. If anything is wrong, it's going to go back to Idle. Idle happens either at initial, or something bad happened and it goes back to Idle. So when you're looking at it and evaluating and troubleshooting it, if it's initially Idle, okay, but it should transition to open up, but if it doesn't transition, you've got a problem, go figure it out.

The next phase is something called Connect. So if you initially try to send a message and it's in Connect, BGP will process that open message and things are going to go well, and it's going to transition to OpenSent, which is awesome. This basically means your BGP thing came up, you sent your open message, it's now OpenSent, and things are getting really great. Now at this point you're going to wait for a connection. Now, if the connection becomes unsuccessful, things are going to transition back to a state called Active, which is not good, and if it goes to Active it's going to keep retrying. Now if it goes to Connect, good; if it doesn't, it's going to go back to Idle. So as you can see, things should go
from Idle to Connect to OpenSent, and then hopefully OpenConfirm and Established, but if they don't, they always go back to Idle. So if we're Idle, you've got a problem, unless it's initially. So we talked about what happens with Connect, and then let's talk about Active. We talked about, if you can't get your connection, it goes to Active, then it's going to retry to connect, and if it does, great; if not, goes back to Idle. So now OpenSent, we talked about: you send your message, you go from Idle to Connect, you send your packet, it hears it on the other side, it goes to OpenSent, all is good. This is what's supposed to happen, and if the open message is sent to the other side, if anything goes wrong, you'll go back to Idle, but if things go right, you're going to go to OpenConfirm. And what goes on in OpenConfirm: the BGP process gets a keepalive from the far end. Now you're in OpenConfirm because both people are there; now you hit an Established state, and when these things are established, they start exchanging routing information.

So let's talk about it. How does it work? You start with Idle. Idle: nobody's talking to anybody. From Idle, assuming things are good, you go to Connect. If you send that message and it connects, good, it goes to OpenSent. Then you get a response back, OpenConfirm, you're Established, you exchange routes. If anything happens along the way, it'll try another stage. So if you're in Connect and you go to send a message, if it doesn't work, you go to Active. From Active you're going to try and resend. If it resends and it goes through, you go to OpenSent, which will go to OpenConfirm and transition to Established; you're good. But if it doesn't, you go back to Idle. So when you're in Active and you're in Idle, things aren't working. So that's what you need to remember from a troubleshooting perspective.

Now this is some pretty heavy duty BGP for an introductory level BGP, so we're going to talk a little bit about the attributes that we're going to tune together and
have some real fun. So bear with me for about five more minutes of this academic challenge. Apologies, this is hard stuff, but you can learn it; you can all be great cloud architects. This is part of the job, so make sure we all get it. So since we know how the BGP forms a relationship: why I told you that people are using BGP is because you can tune it, and because you can tune it you can do lots of cool things. So let's start looking at the things that are actually tunable, attribute-wise. So actually I don't want to talk about... I don't want to give you this, I think. So when you're actually looking at these BGP attributes, let's talk about them, because when you know the attribute, you know what we can tune.

So, BGP messages, command line. William Wallace, most of this stuff for people like me has been done in the command line. The good news for you guys is when you're doing it with AWS, it will spit out a router configuration for you that you can cut and paste into your router, but it may not be optimal, so you may actually need to know how to do this. For people like me that really love this stuff, there's a book called Internet Routing Architectures by Bassam Halabi; sometimes he goes by the name Sam Halabi. CCIEs like me have been using this book for, well, probably 30 years now, but let's just say 25, because I feel better about it that way.

So let's talk about these BGP attributes. Every message that you get in BGP, every time you learn an update from a neighbor, it's going to have certain things in it, and we're going to cover what these things are. First we will learn the origin of the route. What is the origin? It's how we learned it. What does that really mean? Did we learn the route because it was part of our internal network, did we learn about it via BGP, or did we learn about it via some other way that we're not sure of? The next attribute that we're going to look at is things like AS path. What happens is it's a path vector protocol that's going to determine how many
places it went through. So the path will be something that will determine the best route to the destination. So, all things being equal, the shorter the path the better. So, all things being equal, the shorter the path, the more preferred the route is. Makes sense, right? If you've got a hundred-mile trip to somebody's house versus a 50-mile trip, the shorter the path makes sense. Now, you might not want to use the shorter path. Why not? What if the shorter path is on dirt roads, but the faster path is on a road that has nobody there, and you can drive your car legally at 200 kilometers an hour? You might take the longer route because it's shorter. Well, the same thing with internet routing: you want to be able to manipulate the path based upon it. So the path determines the number of internet service providers happening, but you can tune the path. The author's name is Sam Halabi and the book is named Internet Routing Architectures. This is an old book, but we're all CCIEs still using it. So, the shorter the path, generally speaking, but you can tune it.

The next thing is the next hop. Remember I told you routers basically look at the world in terms of next hop, meaning go out this interface, go out this interface, go out this interface, and that's why I made weird kind of movements to pretend that I was a router that had like 40 arms. Same thing with BGP next hop. Here's the thing with the BGP next hop: you could learn a route but not reach the next hop, but that means you can't reach it, so it won't be put in the routing table.

The next thing, which was the Cisco proprietary thing, but apparently AWS supports it, and also a few other people, is weight. Routers prefer the path with the largest weight. What does this mean? If you want to traffic engineer your thing, modify the weight. I'll show you what that means in a second.

The next part of it is, now we're going to give you the algorithm. Here's the algorithm: prefer the path with the largest weight, meaning weight first. If the weights are equal,
prefer the path with the largest local preference; again, I'll show you what that means and how to tune that. If the local preferences are the same, prefer the route that was originated on the router; we'll talk about what that means. If the local preference was the same and neither route was locally originated, prefer the route with the shortest AS path. Okay, what does that mean? I'll show you in a minute. If the AS paths are the same length, prefer the lowest origin code, meaning IGP, EGP, what have you. And then when that is the same, you know, that's when you start getting into funny things. So the next thing would basically be, you know, prefer the path with the largest MED, and then after that, that's when it gets really funny, like if the MEDs are the same, prefer an eBGP route over an iBGP route, and then if your routes are still equal, prefer the path with the shortest next-hop path, and then we're going to get into the funny business, so I'm not even going to cover that.

So let's look at how we traffic engineer our traffic via BGP. If we're looking for simple and elegant, this is what you're going to do in this particular environment. Let's say you have two Direct Connections to AWS and you want to load share across your two Direct Connections. If you don't do anything, basically what's going to happen is you're going to have a primary link and you're going to have another link, and your data could be going out on the top link and coming back in the bottom link. Now, why do we care if you do something like that? If you're doing that and your traffic is going in one link and out another link, what can ultimately happen is you can get what's called out-of-order traffic, meaning if your traffic comes in in one place and comes out another place, you're going to find yourself in a position where you could be losing data, and if you're losing data or you're getting out-of-order packets, that's not a situation where you really want to be. So what we're talking about over here is
we need to prioritize one link over another link. We have to. So what are the best ways to do this? The best way to do this is basically to put a more specific route on one link and a more specific route on another link, and by doing this we'll be able to prioritize traffic. So let's look at this top link: 172.16.0.0/16 is more specific than 172.16.0.0/15. Why? Because it's got a longer subnet mask. 172.17.0.0/16 also is more specific than 172.16.0.0/15. Is that obvious to everybody? Does everybody understand how the /16 subnet masks are more, what do they call it, more specific than the /15 subnet mask? If you guys could please let me know, "yes, I get this" or "no, I don't get it", because this part is critical for the next part of traffic engineering. You guys can let me know in the comment section.

OK, so I see one yes, I see one no. Let's try and look at it this way: the longer your subnet mask is, the more specific the route is. So if you've got two routes and one's a /16, it will be more specific than the /15, assuming it's the same overlapping information. If we have a /20, it'll be more specific. So let's do this, let's make ourselves a new slide and let's work some through together. So let's take these two routes; I'm going to ask some of you guys from the crowd. So let's say we've got a 192.168.1.0/24 and a 192.168.0.0/16
and a 192.168.1.0/30. Which is the most specific route here? Let's say my destination IP address, that's my destination, OK. If my destination address is this, which is the most specific route: route A, route B or route C? Which is most specific? Excellent, it's the /30. And yes, BGP equals Border Gateway Protocol, absolutely. Good job, guys. So let's do another one, because I want everybody to get this; I don't want anyone to miss this. Let's say now, which is the least specific route to this, A, B or C? What's the least specific route? C, exactly. OK, now what's the most specific route? After you guys tell me the... so the /16 is the least specific route. Now what's the most specific route? OK, you guys told me the least, you did good. A would be the most specific, C would be the least specific. You guys did great on that. So OK, we're getting the most specifics, we're getting the least specifics.

Now let's do a little CIDR thing real quick: 172.16.0.0/16, 172.16.1.0/16. Anybody know what we can do to summarize these two routes with a single route, to supernet them, which is what we're going to be doing in BGP? If I wanted to put this and this into the most specific single route for both of these, if I wanted to summarize both of these routes, what would it look like? If I wanted a single route to include both of these subnets? Yes, /15. We're borrowing an additional subnet bit. Good job, everyone. Now let's have a little more fun with this whole subnetting CIDR thing before we move on: 172.16.2.0/16 and 172.16.3.0/16.
Now let's come up with a summary route for all of them, both the subnet and the subnet mask this time. You guys are doing good, real good, making me happy and proud. It's gonna be a different subnet now that we've got four, now that we've got four that we need to take care of. Now we're getting into slightly different territory; it's not gonna be a /15 anymore. You got it right, /15 covered zero and one, but it doesn't cover two and three. So, ah, good job Ali, /14, because the /14 is borrowing two additional subnet bits, and a /14 will give you all four of these. /15 was two because of zero and one; /14 gives you zero, one, two, three, four. Great job, you guys are starting to get it. Now what if we did 172.16.4.0 and then 172.16.5.0, 172.16.6.0 and 172.16.7.0? Now what would it be? Because, you know, /14 gave us... /15 gave us zero through... zero and one. So let's look at it this way: zero and one are one subnet mask, and these two can be aggregated as a 172.16.1.0/15. Now we can aggregate the next two and bundle them from zero through three with the /14: two, four, eight. So what's going to be one bit less than 15, I mean less than 14? You got it, well, it's going to be a /13.
So what this tells me is we need to provide some subnetting training. We will come up with some subnetting training for everybody. It's not going to necessarily fit real nicely in an advanced networking course, but what we're going to do is, so, keep doing the advanced networking course, and what we'll do is we'll create an intro to networking training session. We'll stream it and we'll make sure everybody does it; we'll do it on YouTube or Zoom and we'll invite everybody that's been part of this. So make sure that you let us know that you're here. If you're interested, put "subnetting please". You may have already put it; Chris or my team is going to aggregate it. What Chris does is he basically looks for things that people need help with, and yes, we can do a subnetting bootcamp, happy to do so. Chris is going to copy information down and make sure that he collects information, so let's make sure we give you guys the information that you need. The rest of these will be super easy for you guys to understand, but these will be on the challenge.

So let's get back to fun BGP manipulation. So we can do two things in order to make this thing work. We can put the more specific... the best way to load share, and the simplest and most elegant way to do it, is as follows. Basically what you do is you take two routers and you put a more specific route on one link and a more specific route on the other link. By using a more specific route on one link, it becomes the preferred link; by using a more specific route on the other link, that becomes the preferred link; and by having multiple preferred links we can load share. So basically, by doing it this way, with this exact environment we're talking about, the top link has a more specific route for 172.16.0.0/16, so this route will be taken to reach 172.16. Now on the bottom we have a 172.17.0.0/16
that will also be more specific. So for traffic destined from the data center, for traffic destined for that... so when the cloud sends data from the cloud to the data center, it's going to use the top link for 172.16.0.0 and it's going to use the bottom link for 172.17.0.0. Now what happens if either one of these links fails? That's why we have that summary address, that 172.16.0.0/15. The reason we do that is, in case the main link fails, we've got another route to provide reachability. So this is the most simple and most elegant way to load share or traffic engineer your data in the cloud. But since a lot of people need to learn subnetting, understand this is here, go back to this; we'll set up some time to teach subnetting and we'll do it real soon, because it's a real important topic. So just understand how that works: more specific route, less specific route.

Now the next way we can do this, and my reminder: any time we're dealing with BGP we have to do this in both directions, both out and back. So you have to manipulate your policy for the routes you receive from somebody else, and you have to help them manipulate the routes that they receive from you if you want to tune it, but that's a pretty big topic. So the next way you can do these things is just very simply adjusting the weight. What is the weight? The weight is something that's associated with the route that can help you determine if it's preferred or not preferred. So how do you do this kind of stuff? You adjust the weight. How do you adjust the weight? You just basically set a policy. So if you look at this here, the higher the weight, the more preferred. So look what's going on here: by tuning the weight on the top link you have 172.16.1.0 with a weight of 35,000. Now look at that link on the bottom, it has a 176.0.0 with a 32,000. Which is more? 35,000 is greater than 32,000, so the top link is going to be the preferred one for 172.16. Now the bottom link has a higher weight for 172.17 and the top link has a lower weight for 172.17.
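The longest-prefix-match and supernetting exercise above, plus the two-link load-share table with its /15 backup, as an added worked example (this is not code from the lecture or from Go Cloud Architects). It assumes the slide's summarization rows were the /16 networks 172.16 through 172.23, which is what the /15, /14 and /13 answers imply; the link names "top" and "bottom" and the sample destination addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Sequence, Set, Tuple

Net = ipaddress.IPv4Network


def matching_routes(routes: Sequence[str], dest: str) -> List[Net]:
    """All routes whose prefix contains the destination address."""
    d = ipaddress.IPv4Address(dest)
    return [ipaddress.IPv4Network(r) for r in routes if d in ipaddress.IPv4Network(r)]


def most_specific(routes: Sequence[str], dest: str) -> Optional[Net]:
    """Longest-prefix match: the matching route with the longest subnet mask,
    which is the route a router actually forwards on."""
    return max(matching_routes(routes, dest), key=lambda n: n.prefixlen, default=None)


def least_specific(routes: Sequence[str], dest: str) -> Optional[Net]:
    """The matching route with the shortest mask (the broadest summary)."""
    return min(matching_routes(routes, dest), key=lambda n: n.prefixlen, default=None)


def summarize(prefixes: Sequence[str]) -> Net:
    """Smallest single supernet that covers every prefix: start from the
    shortest mask present and borrow one more subnet bit at a time until
    all of the prefixes fit inside the candidate."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    first = int(nets[0].network_address)
    plen = min(n.prefixlen for n in nets)
    while plen > 0:
        cand = ipaddress.IPv4Network((first, plen), strict=False)  # mask off host bits
        if all(n.subnet_of(cand) for n in nets):
            return cand
        plen -= 1
    return ipaddress.IPv4Network((first, 0), strict=False)


# (prefix, link) entries laid out like the lecture's two-Direct-Connect table:
# a /16 on each link makes that link preferred for its own range, and the /15
# summary advertised on both links is the backup if a link fails. Constructed data.
Route = Tuple[str, str]
LOAD_SHARE_TABLE: List[Route] = [
    ("172.16.0.0/16", "top"),
    ("172.16.0.0/15", "top"),
    ("172.17.0.0/16", "bottom"),
    ("172.16.0.0/15", "bottom"),
]


def choose_link(table: Sequence[Route], dest: str, failed: Set[str] = frozenset()) -> Optional[str]:
    """Forward dest on the link of the longest matching prefix, ignoring routes
    learned over a failed link (so the /15 on the surviving link takes over)."""
    d = ipaddress.IPv4Address(dest)
    candidates = [(ipaddress.IPv4Network(p), link) for p, link in table
                  if link not in failed and d in ipaddress.IPv4Network(p)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


if __name__ == "__main__":
    abc = ["192.168.1.0/24", "192.168.0.0/16", "192.168.1.0/30"]  # routes A, B, C
    print(most_specific(abc, "192.168.1.2"), least_specific(abc, "192.168.1.2"))
    print(summarize(["172.16.0.0/16", "172.17.0.0/16"]))            # 172.16.0.0/15
    print(summarize([f"172.{n}.0.0/16" for n in range(16, 24)]))     # 172.16.0.0/13
    print(choose_link(LOAD_SHARE_TABLE, "172.16.9.9"),
          choose_link(LOAD_SHARE_TABLE, "172.16.9.9", failed={"top"}))
```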
So in this environment, by tuning the weight on one side as opposed to tuning the weight on the other side, we've load shared across two equal-cost links. We can tune it another way: local preference. Why do we tune local preference? It's easy. What's so good about local preference? We can basically send a community to someone else for them to map local preference, or what have you. But local preference: the higher the local preference, the more preferred, no different than weight. We could basically just take the route that we learned and we can modify the local preference, meaning raise the local preference from the link you want. So what do we do here? The local preference on the top link is greater than the local preference on the bottom link for the same route, so the top link is preferred for 172.16, the bottom link is preferred for 172.17, and you've got a backup route that's not preferred.

Of course, we could just change the AS path too. So when you learn a route via BGP, you get what's called the autonomous system path, which basically is hop, hop, hop, all the companies it went through. So you can just basically make one path look ugly by what's called prepending, or adding additional AS paths. Again, tune this: make it look ugly, make the one route that you want to take preferred, make the one that you don't want to take look ugly, and do the same thing on both sides, and that's how you could load share. Or of course you could just change the MED, the multi-exit discriminator: lower MED, preferred path; higher MED, less preferred. So change the MED, the metric, to whichever link you want. The top link has a lower MED for 172.16, that's the preferred link for 172.16; the bottom link is preferred, lower MED, for 172.17, uglier MED for 172.16.
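The best-path elimination from the algorithm walkthrough, applied to the same 172.16.0.0/16 route learned over both Direct Connect links, as an added example that is not part of the lecture. It follows the order given above (weight, local preference, locally originated, AS path length, origin code, MED, eBGP over iBGP, IGP cost to the next hop) with the usual lower-MED-wins rule, drops any path whose next hop is unreachable, and reports which step decided; the AS number, next-hop addresses and link names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Set, Tuple

# Origin codes in order of preference: IGP beats EGP beats incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class BgpPath:
    """One way of reaching a prefix, as learned over one link. Constructed values."""
    prefix: str
    link: str                       # which Direct Connect link the path came in on
    next_hop: str
    weight: int = 0                 # Cisco-style local knob; higher wins
    local_pref: int = 100           # higher wins; shared inside the AS
    locally_originated: bool = False
    as_path: Tuple[int, ...] = ()   # shorter wins; prepending makes it "ugly"
    origin: str = "igp"
    med: int = 0                    # lower wins
    ebgp: bool = True               # eBGP beats iBGP
    igp_metric: int = 0             # cost to reach next_hop; lower wins


# Each step maps a path to a value where the smallest is the most preferred.
STEPS: List[Tuple[str, Callable[[BgpPath], int]]] = [
    ("weight", lambda p: -p.weight),
    ("local_pref", lambda p: -p.local_pref),
    ("locally_originated", lambda p: 0 if p.locally_originated else 1),
    ("as_path_length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("med", lambda p: p.med),
    ("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
    ("igp_metric_to_next_hop", lambda p: p.igp_metric),
]


def best_path(paths: Sequence[BgpPath],
              reachable_next_hops: Set[str]) -> Tuple[Optional[BgpPath], str]:
    """Eliminate candidates step by step; return (winner, step that decided).
    A path whose next hop is not in the routing table is never a candidate."""
    candidates = [p for p in paths if p.next_hop in reachable_next_hops]
    if not candidates:
        return None, "no_reachable_next_hop"
    if len(candidates) == 1:
        return candidates[0], "only_reachable_path"
    for name, key in STEPS:
        best_value = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best_value]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie"   # real routers keep going (router ID etc.)


# Constructed next hops for the two links; both are normally reachable.
TOP_NEXT_HOP, BOTTOM_NEXT_HOP = "198.51.100.1", "198.51.100.2"
REACHABLE = {TOP_NEXT_HOP, BOTTOM_NEXT_HOP}


def path(link: str, **attrs) -> BgpPath:
    """The lecture's 172.16.0.0/16 route as learned over "top" or "bottom",
    with whichever attribute is being tuned passed as a keyword."""
    attrs.setdefault("as_path", (65001,))   # constructed AS number
    next_hop = TOP_NEXT_HOP if link == "top" else BOTTOM_NEXT_HOP
    return BgpPath("172.16.0.0/16", link, next_hop, **attrs)


if __name__ == "__main__":
    # Weight 35,000 on top versus 32,000 on bottom: top wins at the first step.
    print(best_path([path("top", weight=35000), path("bottom", weight=32000)], REACHABLE))
    # Bottom prepended three times: top wins on AS path length.
    print(best_path([path("top"), path("bottom", as_path=(65001, 65001, 65001))], REACHABLE))
    # Top has the better weight but its next hop vanished: bottom is the only choice.
    print(best_path([path("top", weight=35000), path("bottom")], {BOTTOM_NEXT_HOP}))
```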
That's how your traffic is shared. So all right, I bombarded you guys with about 200 pages of BGP material inside of a few minutes, so wow, we did that. So let's just look at it this way: last thing we're going to talk about with BGP, and then we're going to do more fun stuff, but we'll take a break and answer BGP questions. BGP is going to be required whenever you use a direct connection, so you must know how to use it. BGP has all these tuning options. We talked about tuning the MED, the AS path, the local preference, adjusting the weight, the more specific route; you can tune in any of these ways. This is covered in Internet Routing Architectures, and if you come back to this it'll make sense. I made a couple of BGP videos for this, and we're going to be releasing a very strong BGP paper next week for everybody to use. It should be next week; worst case scenario is the week after that. It will be a big, extensive BGP guide, so you will know how to manipulate traffic. So if you desire that, send it down, let us know that you want the BGP book, and we'll get you at least, you know, a very good BGP document next week or the week after that. Just let us know.

So when you're dealing with AWS, it supports weight, local preference, AS path, just like any other good routing implementation. And just remember that AWS's BGP implementation is like junior, junior, junior, very junior: they only take 100 routes, so it is nothing like what you would typically deal with. It's a junior BGP implementation, so you're gonna have to do your addresses wisely so you can do some route summarization. OK, so we're gonna get talking about internet gateways and all these cool things, but we just did a lot of talk on BGP, so in case anybody has a BGP headache, and trust me, I've had a whole lot of BGP headaches in my life until I found out I love BGP: who has questions? Moving forward, does anybody have any questions? Moving forward, Chris, we'll get you a BGP document. We'll make sure that happens. We've got
a nice one that's been pretty well planned. I think BGP will actually be easier to understand from the document than it will be from a training course, because that's the kind of thing you really need to look at and go back to a couple of times. So we'll get you guys some good, strong BGP training very quickly. OK, so while we're here, before we get into internet gateways, does anybody have any BGP questions that we didn't answer? I know we covered it quickly.

OK, so Gopal asked a question with regards to administrative distance. Administrative distance is a Cisco-only thing, and when you're using administrative distance, typically speaking, the Cisco routers have determined that certain routing protocols are more valuable than others in terms of accuracy. So it's determined that eBGP is a value of 20 and iBGP has a value of 200, which basically means believability. That is just a Cisco thing, and it's not really relevant in terms of AWS; it's not really relevant in terms of any other router, for that matter. So it's just with regards to Cisco; it's just a way that Cisco routers use it, and you can tune administrative distance, and that's only if you learn a route via OSPF and BGP, for example: which one do you prefer? MTU values, or maximum transmission unit, really have nothing to do with BGP; realistically speaking, it's, you know, how much you can actually send in a packet on a LAN. Derek, thank you so much; I really did try to put some effort into making some good BGP videos for people, so thank you, and I'll definitely have that BGP document coming soon.

So now let's move on to internet gateways. So an internet gateway is going to be a highly redundant, highly available way to connect to the internet. So according to AWS, they say there's no bandwidth constraints or performance limitations. You know there's no such thing as no bandwidth constraints or performance limitations, but that's the way they like to describe it, and the internet gateway is just a router that's going to connect your network
to the internet. Now when you're connecting your router to the internet using an internet gateway, when you're connecting your VPC to the internet, you have to understand this is real internet access. And what do I mean by real internet access? I mean you are really connected to the internet. I'll talk about ingress-only, egress-only and bidirectional internet access, but when you're using an internet gateway you're getting true access to the internet, which means you're really on the internet, which means your systems are on the internet, which, what that should tell you, is they're hackable, easily hackable, when they're on the public internet. So an internet gateway gives you a real, high-performance connection to the internet. Why would you use an internet gateway? You might have web servers that need to be reachable on the internet; that's when you're using an internet gateway. How does the internet gateway work? You basically attach it to your VPC, very simply, and you just create a default route, which basically says all unknown traffic, send it to the internet gateway. That's it: unknown traffic. A default route looks like 0.0.0.0/0.
That's it, default route. Your internet gateway has to have a public IP address. Why? Because it's sitting on the public internet, and remember, when you're using an internet gateway your systems are publicly available. So what does this really look like? Let's say you've got a bunch of EC2 instances. Let's say you've got an external IP address that's placed on your load balancer, an external IP address which connects to the virtual router, which then has a default route to the gateway. All your unknown traffic is going to go directly to your default router, to your internet gateway, to the internet. And you can see you're having a routing table: you're going to have your locally connected subnets and then you're gonna have a default route which goes to the internet gateway. All unknown traffic is sent to the internet. That's how you set up a web server; that's how you set up any kind of front-end web services in the cloud, through your internet gateway. That's full, full-fledged communication.

Let's talk about partial communication; let's talk about egress-only internet gateways. Now there's two kinds of egress-only internet gateways, it looks like three kinds that AWS has; they name them all complicated, ridiculous, funny things. What does egress mean? Exit. Egress means exit, so egress-only internet gateways only allow for exit-only traffic and the return. So egress-only internet gateways, in AWS terms, only refer to IPv6. Now when you're dealing with IPv6 there really is no concept of public and private IP addresses; they're all public. So when you're setting up an egress-only internet gateway, it's providing exterior, external-only access to IPv6 in the AWS cloud. So an egress-only internet gateway is only allowing outbound traffic, and it's stateful. So what's going on here, what's actually going on, is egress-only internet traffic goes out and its return traffic is allowed in, like a firewall, but no exterior traffic is going to be allowed in. So that's
the way an egress-only internet gateway works: it is 100% exterior-only. And moving forward, before we move on: BGP is not proprietary; it is an open standard specified in an RFC, and it's been around for about 30 years. Cisco does have some proprietary enhancements to it, just like other people do, but it's not proprietary. And you'll be able to watch this later on YouTube; we're recording this and it'll be on YouTube. You can share it with any friends you desire or watch it later, so this is going to be recorded to YouTube.

So since we talked about an egress-only internet gateway being egress-only for IPv6, let's talk about the other types of egress-only internet access, which AWS calls different things. The next type of egress-only internet access is a legacy thing which AWS no longer recommends, and it's called the NAT instance. Basically what a NAT instance does: you create a custom... it's basically an EC2 instance, it's a virtual machine, and it translates your private IP addresses into a public IP address. So basically what happens: you set up a NAT instance, it translates your private IP addresses into a public IP address, and then you give that a default route to the internet gateway, and your traffic works perfectly. So your traffic goes out and comes back. NAT instances only allow egress only, which means it allows your internal traffic to go out to the internet and come back from the internet, but your systems are not reachable from the internet. So where is this useful? Let's look at this environment: let's say you've got servers and you want them to go to the internet to update their patches, for example. Fantastic, this is great: servers go to the internet, they update the patches, great, but you don't want them reachable from the internet. So this is what's referred to as egress-only internet access. AWS doesn't call it that, they call it a NAT instance, but a NAT instance lets you go out and come back, but it keeps you isolated from
the internet. So with a NAT instance, in order to use it, you've got a NAT instance, you've got an internet gateway, it works. It's a legacy way; AWS doesn't recommend this anymore, and we don't either, because of the complexity of using it. Here's what AWS recommends instead: a NAT gateway. And in reality a NAT gateway is far simpler. Basically, it's a fully managed NAT service, it's redundant, you don't have to worry about needing backups of these things. You create it in a public subnet, and basically what goes on: you set up a NAT gateway per availability zone, and it enables your systems to reach out to the internet to update their operating system and allows the return traffic to come back. Perfect. So if you get a test question, "what do you have to do to let your systems reach out to the internet and update their operating system but not be reached, what's the preferred way?", it is with a NAT gateway. The NAT gateway is the preferred way of traffic on the internet; that is the optimal way to do these things. So this is what's going on with the NAT gateway. So what does a NAT gateway look like in actuality? It is simple and elegant. You basically just set it... whoops, didn't mean to do this. You just basically set it up, and when you set it up you go from your private subnets to your NAT gateway to the internet, egress only, meaning systems not hackable from the internet, but they are reachable... you can go out to the internet to get updates, but you're not reachable.

So let's look at your three alternatives. Alternative one, internet gateway: use an internet gateway with a public IP address, you're completely reachable through the internet, in and out. This is where you're gonna put your web servers; this is your demilitarized zone where your public services are, using an internet gateway. Egress-only internet gateway: when you're using IPv6, you want to go out to the internet, you want your return traffic, but you don't want to be publicly reachable on the internet. NAT instance: an EC2
instance that does network address translation, translates a public address into a private address; that requires an internet gateway. It's egress only, meaning you can go out to the internet, your return traffic can come back, but nothing else. That's your egress only here; that's your NAT instance. NAT gateway: all in one device, placed in... it's logical, high availability, basically connects you to the internet in a single device. You go out to the internet, come back, but your systems are not reachable from the internet. So now you know how that sort of works.

Now that we're talking about all these other components in your VPC, let's start talking about network interfaces. Any time you put a card in a server it's to connect it to the network, and when you're dealing with virtual servers you're going to deal with virtual network interfaces for the most part. So an elastic network interface is as follows: it's a virtual network interface that's basically going to be attached to your EC2 instance. By default, there's going to be an elastic network interface created the second you launch an EC2 instance, and it's going to be eth0. That's going to be your ENI, or elastic network interface. Now let's say you want to place your systems into two subnets or multiple subnets; then you're going to have to add elastic network interfaces. Now for low-security environments where people are setting up bastion hosts, they would use one of these things on the public side and one of these things on the private side. We don't recommend bastion hosts; we recommend using secure access to your systems over your direct connection or a VPN, not a bastion host. But for organizations that are not set up properly, that have to use a bastion host to access their systems, they're going to put two subnets in. Well, maybe on the outside they enable SSH, which is kind of a no-no, but they may be doing that, and on the inside network they'll enable access to their web server. That's how you would set up a bastion host, to set up an elastic network
interface. But you might have a server that you want on three subnets for performance purposes; you'd add multiple elastic network interfaces, just like you've got real servers that exist on things. So now you know what it is. An elastic network interface is just a virtual network card that you stick in the computer.

So what about an elastic IP address? When you are on the internet you need a globally routable public IP address: a public address, not a private address, the public address. Now typically speaking, in order to get these public addresses, what you'd have to do is you'd have to get one, you'd have to register for one, get your autonomous system number, get your IP addresses; you typically have to register in order to get these addresses. Now when you're with AWS, they make it really easy. They have a pool of public addresses called elastic IP addresses, and when you need a public IP address it is simple. You're not going to ARIN, you're not going to RIPE, you're not going to anybody to register these things; you're basically just borrowing an elastic IP address. It gets used by your systems as long as you need it; when you're done and you don't need it anymore, you just return it to AWS. This is the most simple and elegant solution. This is one of these things that makes the cloud beautiful, because it's just so darn easy. We love this. So, as we're kind of referring to here, going along with this, you get an elastic IP address; you are borrowing, specifically borrowing from AWS, a public IP address. So what does it look like? It looks just like this: you basically have an elastic IP address that you're borrowing directly from Amazon, and when you're done with it you give it away. You put that, and it could be on your load balancer directly in front of your web servers, and now they're publicly reachable because we've got an internet gateway. Now remember, they are publicly reachable. Publicly reachable means hackable; publicly reachable means hackable. So if you're going
to do this, you are going to need a lot of security. We'll talk about how to secure systems in depth throughout this process, but not right now. So now we're going to talk about this concept of endpoints. Actually, before we cover endpoints: you guys doing OK? Do you guys need five minutes to ask questions? Let me know before we discuss endpoints. You guys have any questions on internet gateways before we go over to endpoints? I don't see any questions coming up for endpoints, but I just wanted to make sure, prior to discussing endpoints, to make sure. I see one "no", which makes it look like you guys are doing OK. I just don't want to leave people stuck; that's why we try and check in so often. OK, thank you, Green Logic, thank you. Guy, I'm gonna keep going then. I just, I know what it's like where people buy a course and then they can't ask questions. I would never want to be in that position, so even when we do free training I would never want any of you guys to be in that position either. I just don't think it's a great position.

Rob: is the EIP assigned to the gateway or the EC2? OK, so the internet gateway is going to need an external IP address, but you're also getting an external IP address on anything that needs to be reachable as well, such as your web servers or your load balancers. So you'll put an external IP address on your load balancer, typically in front of your web servers, as well.

So let's start having some fun talking about endpoints then. So there are times where you want to connect to another service or another VPC. Now one of the benefits of the cloud is really this kind of great thing, that things scale easily and because the other people are on your cloud. And because every time you're using a public IP address, including a NAT gateway, it's still going to use an elastic IP address. And I use router symbols because, you know, it's a virtual router, so I use router symbols. There are AWS symbols, but I'm a routing and switching person, William Wallace, so
when I'm dealing with the router I use a router symbol, and it may or may not be the AWS symbol. So that's why I do it that way; it makes the network engineers and architects like me understand it. Plus I don't really draw my own pictures; I draw napkin sketches and I hand them to the graphic people on my team. So one of the privileges of being around for a long period of time is you can have other people diagram your things for you, and when you work as an architect and you move up to the senior levels, at some point you're going to have other people that will actually do your things for you. Like when I worked at Cisco, I would design my systems, document them on paper, and I handed it to somebody else to professionally draw it for me. So that's why I'm used to doing it this way, so whatever is convenient to try and graphically represent it.

But when you're dealing with an endpoint, it's because you want to connect to a public service or somebody else. Look at it this way: let's pretend you wanted to create connections to a thousand remote locations. (You're welcome, PN, and I'm really grateful.) So you want to connect to a thousand remote locations. What people like me do is we get a thousand routers, we buy a thousand WAN connections, we set up this really complicated routing, and it works perfectly, but it's expensive. What if your thousand people are already in the cloud and they're all connected to the cloud? You don't have to build a network anymore. Wow, this is awesome, because you don't have to connect to the network anymore, because it's all built. Wow, this is really exciting. All you need to do is just connect to the other people, and how are you going to connect to these other people? You are going to do it through an endpoint. By using an endpoint, you're going to be able to connect to other organizations across the AWS backbone, which means private, it means secure, and it means high performance, unlike the internet, where you can't guarantee performance. When you're using an
endpoint, you're riding the AWS network, for which they can do QoS policies to make sure your traffic gets through. So endpoints are this awesome way to connect to multiple entities over the AWS network. This keeps you from needing to buy WAN connections; if you need to buy a WAN connection, it basically lets you use their network. So endpoints are good: they give you high performance, low latency, good security and low cost.

So what's it all look like? Let's just take the most simple use case, let's say S3. If we weren't going to use an endpoint and we were in our VPC and we wanted to connect to S3, we'd have to go out to the internet, across the internet, and back into AWS. Now let's look at this from a routing perspective. First, internet routing is best effort, meaning no guarantees for your data, which means low performance compared to direct connections. So by going to the internet, we have to deal with internet performance, where if we could just ride the AWS network and go straight from the AWS VPC to S3, your communication is better. But it's worse than that: AWS charges you for everything, so they're going to charge you to send your data out to the internet and then come back in from the internet. So by using the internet you've got to pay more to have lower performance and less security, so then you have to encrypt your traffic. So that's a disaster. So you create an endpoint to basically just connect your VPC to S3 over the high-performance AWS network. That's the whole point of endpoints. They are awesome; they keep you from having to build your own network, because you're going to ride Amazon's network. So when you're creating endpoints in your systems you've got two options: you've got a gateway endpoint and an interface endpoint. And endpoints are highly available virtual devices that scale, so these are really great ways to connect to other services. So let's talk about the endpoint types. So endpoint type one is a
gateway endpoint, and this is going to be really a high-speed, high-security access to an AWS service, and it's going to do this by placing a route on the routing table. So think of a gateway endpoint as basically AWS S3. And we'll answer your question, PN, please bear with me; I will answer your questions as well as teach you how to definitely get a job within your lacking experience, and Chris can send you some information as well, so please don't go away, I promise to answer that. So regarding your gateway endpoints: they're high-speed, high-security systems to AWS services, and you create a route on the routing table, and what's going to happen is it's going to give you something called the prefix list. And you're typically going to see your gateway endpoint to S3, and it's going to look like "pl" and you're going to have a bunch of numbers, and that's what you're going to see in your routing table.

So let's give you a look at what a gateway endpoint would look like in action. So let's say you've got your data center and we've connected to the cloud over, say, a VPN in this case, and we want to provide shared services to our S3 buckets. What we could do is we'd create an endpoint to the S3 bucket, and then we would connect our data center, and the data center would be accessing the endpoint through our wide area connection, which in this case happens to be a VPN. So this would enable the VPC to basically connect to the S3 bucket and then connect it back to our data center. And so let's talk about, you know, gateway endpoint security. So basically, if you're going to be using this, remember some tenets of routing: if you don't have a route in your routing table you couldn't possibly reach it, even if you desired. So don't put it, don't share a route to the things you don't want. So just by filtering routing information you can really limit your endpoint security, so minimize who has access to which information. And PN, we will get to you shortly. So
part of your security is just don't let the routes be available and obviously you can figure endpoint policies as well to limit who can access well you've got all your iam and other things i'm just telling you im's great but if you don't have a route you can't reach it so definitely make sure that you uh have uh routes the next type of endpoint is an interface endpoint and this is really when you're going to connect to lots of different things maybe an ec2 systems manager kinesis load balancer apis this is going to be how you connect to other things so also how you want to connect to other vpcs so an interface implant is kind of different when you're connecting to an interface endpoint what it really does is it places like an elastic network interface in your in your in your vpc so it's going to put it on a different subnet so what's going on it basically enables your interface to be part of the same network for which you're connecting to and when you do this it creates like an endpoint specific name so an interface endpoint defect directly connects you to somebody else and it does this by placing an interface in your system and using the service called private link and what private link is and excuse me i may have to sneeze here okay what excuse me excuse me excuse me sorry i have this really great little cat which i love my cat that i adopted recently but i'm highly allergic to her but you know she follows me around the house and sleeps with me and my wife every night so the cat's always around me so apologies for the allergies so anyways you create this interface endpoint and basically it uses a service called private link which is basically creating a private line over the aws network and by doing this you're able to connect yourself thank you to this vpc or this other aws service whatever the adwords private net connection gives you lots of high performance lots of private connectivity thank you again so much and it's private so you're creating an interface 
endpoint to reach another service restricts all traffic to the private line and guess what it does something called net network address translation why do organizations use net here's how we find people that are ready for cloud architect job versus just certified that is used anytime you need to translate one address into another address not just for the internet why is endpoint why do why does private link use that well let me tell you rfc 1918 specified some private ip addresses slashes the 10 8 the 172 16 all the way to the 172 31 slash 16 the 192 168.0.0 16. guess what everybody's using them so if you want to connect your vpc to someone else's vpc and using the same addresses you've got problems so when you connect your vpc to someone else's you use private link and it uses not to make sure that everything is good so let's look at our end plan options again gateway endpoint connect to s3 places a route in the routing table interface endpoint connect to pretty much everything else creates an elastic network interface so you're on a subnet creates a private link between you and you everybody else it's a single direction link so if you went bi-directional communications you enable them in both directions and that's how you send your information from point a to point b over the private link connection it restricts all traffic between your organization and the partner organization here's what it looks like basically you set up your your vpc you set up your endpoint and your devices basically connect to your end plane and that's it and it runs perfectly private connectivity high performance high security love it great thing end points may be the primary endpoints in auto scaling may be the two best reasons that organizations even move to the cloud only specifically for this these two things might be the big enough reason of themselves to adopt the cloud so now here's where it could get a little potentially kind of confusing to people gateway endpoint s3 interface 
endpoint other vpcs for example so what's the difference between vpc pairing which we'll talk about a lot more and private link a lot so let's talk about the difference when you connect one vpc to another vpc via vpc pairing that's your pc pairing it's quite simple but when you're doing vpc pairing vpc one and vpc they're appeared together they can communicate everything when you're using private link it only allows access to one service so if you need full communication between two organizations you can use vpc pairing but if you only need access to one little mini service use private link now whenever would you use private link versus vpc pairing let's talk about this for the following examples with vpc peering you're dealing with many too many services but private link enables you much more scalability you can't do above 100 more than 125 epc pairing connections in aws but you have a lot more um you can do thousands of uh private link connections between your organization and external organizations so because of that vpc pairing scales much better so i mean i'm sorry private link scale is better so if you need full communication of everything do pc pairing if you need one access to one service use private link private link much more scalable and the limits of private link are only related to the max throughput achieved by your load balancers or servers so you've got a lot of scalability there so some more differences when you're doing vpc peering it would be great if you're using if you're all using different ip addresses but remember i said most organizations use overlapping ip addresses private addresses so vpc pairing does not work with overlapping ip addresses you would need to use nat but private link automatically does not and and overlapping address space with the bpc pairing has not supported so that's another thing so let's stop here for a second we covered the interface endpoints we covered the gateway endpoints and privately now we're going to talk 
about VPC peering and shared services VPCs, and I'm going to get there in a minute. We just covered a lot of stuff really quick. I saw there were a couple of questions that were there, so I'm going to do this: we're going to stop, we're going to take some questions. And to bring in your questions, I also saw some questions come in from PNU as I started to see them coming in. PNU: "Mike, could you tell us where someone without experience in IT should start before getting into the cloud?" Well, I would start directly in the cloud, PNU. "Which certs should you go for before getting cloud certs? Thanks." So PNU, what I would do with you is what I do with everybody else: we have a 16-week program where we take people from no background, and by the time we're done we teach them everything they need to know to be a cloud architect. A cloud architect needs to know the network and the data center, so we teach you the network and the data center as part of our cloud architect program, and then we teach you all the other skills that are necessary. So I don't recommend you getting any other job prior to the cloud, because they're not going to be related to the cloud. For example, a cloud architect is a systems designer; you have to know the network. So certifications that we typically do with our people might be a Cisco Certified Network Associate or Professional, a Linux one, and the AWS Certified Security; the AWS Certified Solutions Architect Professional is the bare minimum certification, as a general rule, to get your first cloud architect job. When you don't have experience, it's not just enough to get certified; that isn't even close to enough, that is ten percent of what's necessary. When it's your first job and you're lacking experience, you must work on your executive presence, your emotional intelligence, your communication skills, you must work on presentation, you must work on your interviewing skills. All this stuff is critical when you want to take a big job and you have less experience: you have to polish yourself up, you have to look so good that they can't help but hire you.

So for the last two decades, when we've been helping people get their first tech job, we never tell anybody, "Look, you need to be help desk first." We don't do that. We don't start people off with those types of jobs; we start people off with bigger types of jobs. Why? Time is money. The average cloud architect earns $600 a day in the US, and a good one can easily earn double that, easily, and much more than that. So don't waste your time doing things that you don't desire to do. If you desire to be on the cloud, work on the cloud, learn the network, learn the data center. If you train with us you'll be in great shape, because we have a system; it's a 250-hour training program from start to finish. If you're on your own, I'll be honest with you: learn networking from Cisco, DNS and load balancers from F5, learn virtualization from VMware, learn security from Cisco, Palo Alto, Check Point; fortunately there's lots of good training there. When you've done that, you're going to need to learn how to present like an executive. Jerry Weissman has some very good courses; they're a few thousand dollars, but they're great. Speakeasy does it as well. When you're done with that, you need to do some emotional intelligence training, and when you've done that, some business writing training. If you're training with us it's all included, but make sure you do that. And if you're training with us, great, and if you're not training with us, buy yourself a 16-core Xeon server with at least 128 gigs of RAM, and on that server you've got to learn the network and the data center. So set up VMware ESXi, set up some containers, build a firewall, build an open-access VPN, set up Microsoft Active Directory, build the Linux, Apache, MySQL, PHP stack, build the cloud, I mean it: build your own OpenStack, Ansible, or Nutanix cloud. That's going to give you some competency that you can show employers that matters. You don't need to start with junior-level jobs; you can start straight with a great cloud job and get paid for it as well, but you've got to have the skills, and those are the skills that are necessary.

Chris popped a link to our training program; that's how we train people. For people that have questions about our training or desire to train with us, they can call us. We have people that answer questions constantly. We'll be a little slow this week to respond to voice calls, because, you know, we've got this boot camp, we do the free training we do every morning, plus we've got a lot of students we work with on our own, but for anybody that's curious, we answer that. So PNU, we answered your questions. eBay is a good place to buy servers for cheap. Having said that, GZ, my program is cheaper than the servers would actually cost you, but if you're not training with us, definitely get yourself a server, and eBay is a great place to find them. So, Cola, is there any requirement for a bastion host? Well, lots of people use them, but from a security perspective they shouldn't be, so I wouldn't design anything with a bastion host; I would do things properly, but lots of people still use them. Guy Woodenhouse: AWS only allocates public addresses to the client that asks for them, yes; they don't come naturally. When you're using PrivateLink and VPC peering you're going to have to create cross-account roles. Muhammad: NAT and VPC are very different. A VPC is your own private data center. NAT is, what do you call it, NAT is designed to translate one address to another. Augustine: how much does a junior cloud architect make? You're dealing with about a hundred twenty to a hundred thirty thousand dollars a year. A good cloud architect earns well over three hundred thousand dollars a year, but I will tell you the difference, because I've been an architect at all levels, on the junior and on the senior end. The difference between a junior architect and a senior architect is the following: ninety percent of it is communication skills, presentation skills, executive presence, the ability to do ROI modeling. That is ninety percent of what's necessary to go from a regular cloud architect to the more senior side of it. The second side of it is knowledge. The people that are hirable and paid the most are the people that have lots of knowledge in a small area; they're experts. I'm a networking expert; I've spent 10,000 hours in BGP, 5,000 hours in PIM for multicast; it makes me an expert. It takes 10,000 hours in something to become an expert. I've spent my 10,000 hours plus in BGP; that's what it takes. So you want to be an expert, you want to earn a lot: become an expert in something.

And yes, William, our training course covers everything at about 10% of what it would cost to train on your own. So yes, we did it because we're a cross between a mission and a business; we're like a charity, and that's why we do all these free training courses. We know not everybody can afford it, and when we truly take in paid students, William, we want to know that basically we're giving them about a thousand times more than they're paying us. We basically cover our costs, we cover our employees, we cover our technologies, and we can change the world, and it's something we love to do. So that's why we do this that way. But don't just consume our channel; it's a one-stop shop, and there is a lot to learn beyond it. So the other way you can enhance your career as an architect, and we'll get back into the tech, is to specialize in an industry. Here's an example: I used to work in the service provider industry. I spent 10 years designing systems for internet service providers; loved it. And then one day I was designing a system for a bank, and I loved that too. Now, for those of you that don't know me, I used to practice medicine before I went into tech 25 years ago, and that's kind of a specialty; I spent seven years in school for that. So here's what happened: Cisco decided they were going to start a healthcare consulting division, and I became the lead architect for healthcare. That's what my career did. Why did it do it? They sent me for executive coaches, they sent me for communication skills training, they sent me for presentation training, and oh, by the way, I was an expert in healthcare because I could practice medicine, so that's what I was referring to.

Oh, Gopal: we provide training and lab experience. Our students even build clouds. Setting up an EC2 instance or an S3 bucket, nobody cares, but when you build a cloud and you tell an employer that, they care. Our students build their own cloud; they build their own AWS-like environment. So yeah, we've got labs, labs, labs, hundreds and hundreds of hours of training in our program, and anybody that's got questions on our training program can call us if you desire it. Cola: when do you need to use PrivateLink, any example use cases? Yes. So, Cola, you're in an environment, let's say you created a VPC and you wanted your VPC to connect to a thousand partners; that's when you're going to use PrivateLink, to connect to all thousand locations. If you want to connect to any AWS service that's not S3, you're going to be using PrivateLink. So pretty much you're going to be using interface endpoints and PrivateLink any time you want to connect to someone, with the exception of VPC peering. I'm trying to see if there are any more questions over here prior to going back into things, because I want to make sure we give you guys all the questions. I think, PNU, here's my perspective on certifications before we move on: certifications can help make your portfolio look better to get an interview, but certifications have nothing to do with you getting hired, only interviewed. 10 years ago I would tell you get a lot of certifications and they matter. Here's what happened: a few years ago exam dumps popped up everywhere, literally everywhere, and made the value of certifications go really low, because you can completely get certified in a million things and know zero. So between the types of courses that you can buy for 10 bucks that can teach you how to pass the exam and still know nothing, and exam dumps, it made certifications not that meaningful. So we pick the ones that really matter: a good Cisco one, a professional one, and then maybe another one from the industry is typical for cloud architects, but certifications are based on exactly the job you want. If you guys want to tell us the jobs you want, tomorrow I will do a cloud architect career question and answer session at 9:00 am; Chris can provide that information, he'll drop it in a link. I will let you ask any career questions you desire tomorrow if you want, and then Thursday morning we'll have a "how to get your first cloud architect job" seminar, and I will tell you every step necessary to get hired from the beginning. We'll do all this for free this week for you. So tomorrow morning, cloud architect career question and answer session; Thursday morning, we will have a free "how to get your first cloud architect job" webinar. Chris can provide the information for that too. So hopefully that answers those questions.

And William, I've done this for 20 years, helping people get their first tech job, and well over 90 percent of my students have gotten their jobs. I will tell you, we launched this program 14 weeks ago based upon what I've done on a one-on-one basis for 15 years. Prior to even graduating my company's program, the 15th one of my students told me they were hired. So 15 people that haven't even had a chance to fully graduate my program, out of about 125, have already been hired, and the remaining ones are very close. So I hope I answered your question, and therefore Chris provided the link for tomorrow's session. I highly recommend you join us; you can sign up for that, and then the Thursday one's going to be on Zoom; that's a real fun one, so please sign up, everybody. We will get to transit gateways; that's part of something we're doing. The Slack group is only available for our professional development students, Augustine.
So let's do a little more tech stuff for the day, because tech is cool and tech is fun, so let's definitely do some tech stuff. So let's get back to here and let's start talking about shared services VPCs. Let's say you're an organization and you're on the cloud. Now, while you're on the cloud, I'm also going to provide our number for you while we're at it, in case anybody needs to talk to us or ask questions. So let's say you're on the cloud and you want to be a service provider; say you've got a service that you want to provide to other people, and you want other people to connect to you. You can create something called the shared services VPC. So maybe you provide a service of some kind. What happens: you're going to create a VPC, and when you create the VPC, inside of your VPC you'll place a load balancer, and the load balancer will be pointing to your services. So I'll give you a picture of what this is actually going to look like. Alonzo, thank you; Alonzo is one of my students. What's going on here is, let's say you've got multiple VPCs: you basically set up the shared VPC and you point all your VPCs to the shared VPC. This enables you to pretty much set up an environment where, inside of the cloud, all these remote locations can connect to your shared service. Pretty cool. What would this shared services VPC look like off of the cloud? You take your data center and you have to build all these really expensive wide area connections. So why do you not have to do this here? Because AWS has the network that already exists. So if you want to be a service provider, if you've got some kind of service, let me tell you, it's awesome on the cloud, love this: set up your shared services VPC, set up your PrivateLink or VPC peering to all these remote locations depending upon what you're going to do (in this case we're going to use PrivateLink, and poof; I'm usually going to use PrivateLink), you can connect everybody to your shared services VPC, and now you've built an environment where you can literally share your information with so many people and you don't have to build your own network.

So when people ask me "should I move this to the cloud?" I always say it depends. Where does the cloud shine? Auto scaling, which we'll talk about when we talk about more agility and business planning, disaster recovery, and the network, it's pre-built. So when you're in the cloud you need fewer CCIEs like me and more people that maybe are at a CCNP level in terms of knowledge to do these kinds of things: huge savings in terms of cost, and it's really hard to find a guy like me that does nothing other than BGP. Here you can get a mid-level person with networking knowledge and some cloud knowledge, and they can do both roles. So that's why things are going this way: network engineers like me all have to learn the cloud, because our jobs are kind of getting reduced. So for network people like me, learn the cloud; that's what we did, and that's why most of the network people that I know are all moving towards the cloud as well.

So now that we understand what a shared services VPC is, and we covered VPC endpoints (again, this stuff's going to be up there so you can review it again; look, this stuff can be a little much, and we're moving a little fast, but you know we're always around and these things can be viewed again), now let's talk about VPC peering. VPC peering is another really great way. VPC peering is a way that you can take your private network and connect it to other people's networks across the AWS network, kind of cool. And thank you so much, PNU. So if you didn't have VPC peering, you'd have to buy private lines and private WAN connections just like we've done for years, but you don't have to do those with VPC peering. Now, things to know when you're dealing with VPC peering: it provides non-transitive routing. Now when we talk about non-transitive routing, I will show you what that means in a minute. Non-transitive routing means if I learn a route from someone, I don't tell it to somebody else. So if this is A and this is B and there's a C afterwards, if A tells a route to B, B won't tell it to C. That's non-transitive routing, which means C won't be able to reach A through B, and we'll show you exactly what that means. So when you're using VPC peering it is not transitive, which means it is ugly, ugly, just like iBGP, and I will show you how, and then we'll show you how to make VPC peering not ugly.

So let's look at what VPC peering really looks like in its simplest terms. Let's say you've got your organization, the 10.x, which is specified by the VPC on the left with the 10.0.0.0/16 address space, and then let's say on the right you've got your VPC environment set up with the 172.31.0.0/16 address space. All this stuff is great, everything's working, happy, good, wonderful, awesome. Now that's one set of VPC peering, and this is really simple and easy. Why is it simple and easy? Because it's only one site connected to another site; routing works perfectly; this is really, really smooth. Think about it this way: if you're on the cloud and your partner's on the cloud, all you have to do is VPC peering and you're talking to each other. Green Logic, this is different than loosely decoupled; we'll probably get to that at another point, but it's a very different concept; this is basically just connectivity across the AWS network. Now, AWS is a high-speed network, so it's not like using the internet. We don't need to use a VPN because we're using the AWS network; it's a private network because it's the AWS network; there's quality of service that's guaranteed and performance that's guaranteed. VPC peering is awesome, but remember, VPC peering is non-transitive, and I'm going to show you about that. So if any of you guys are familiar with iBGP and fully meshing your iBGP peers, this is the same problem, and if you're familiar with BGP and iBGP and the route reflector environment, that's what we're going to have to do here as well.

So let's talk about what it actually looks like and what I really mean by this. Let's pretend for two minutes we are not in AWS and we created a hub and spoke environment. For those of you that are not familiar with hub and spoke environments: if any of you have ever taken airplanes and you've had to go through a hub airport like Atlanta or JFK or Houston or Dallas or London Heathrow or Dubai, what happens is when you want to reach a destination you go through a hub. So if I want to go to my home in Greece to visit my family, I go from Miami, which is a hub airport; I fly to London Heathrow; from London Heathrow I take a flight to Athens; and then I visit my family. London Heathrow is the hub. There are no direct flights from Miami to Athens because Athens is not a hub, but when I go to see Athens I go to London and from London I go to Athens. That's how I visit my family in Greece. So by comparison, that's the way hub and spoke works. Going through this, that would work perfectly, but the problem is when we're dealing with VPC peering it is not transitive. Being non-transitive, let's look at it this way. We have VPC A in the center. In a normal world, like the airplanes that we're talking about, if VPC A is connected to B, C, D, E, F, and G, B will be able to reach C through A in normal routing, just like C will be able to reach B through A. But because AWS routing is non-transitive and routes are not exchanged, A will be able to reach C, A will be able to reach B, A will be able to reach G, A will be able to reach F, A will be able to reach E, and A will be able to reach D, but B and C will not be able to talk to each other through A. So realistically speaking, VPC A has communication with everyone, but nobody else can talk to anybody. Now if you want this to occur this way, this is great: you've got a high-security environment automatically done for you by AWS's routing limitations, because they assume you don't know better.

But what if you want everybody to communicate with everybody? Well then (and PNU, you'll get your answer as well on the next break), if you want everybody to talk to everybody, here's what's going to have to happen: you're going to have to fully mesh them. What do I mean by fully meshed? Everybody is going to need a connection to everybody. Well, obviously this isn't going to scale, and if anybody doesn't know why this isn't going to scale, I'm going to tell you quite frankly: when you determine the number of connections that have to connect to each other, when you've got a lot of people, they rise exponentially. The formula is n times (n minus 1) divided by 2. So with three VPCs you don't need that many connections; it's no big deal, because it's going to be three times two divided by two. Now let's imagine you have 20 connections. For 10 connections, 10 times (10 minus 1) equals 90, divided by 2 is 45. Now 20 connections: 20 times (20 minus 1) divided by 2, now you need 190 connections. So if you've got 30 VPCs you're going to have to have 435 connections to fully mesh, to connect everybody to everybody. That won't scale; that'll be a nightmare. Could you imagine setting up 435 VPC peering connections just to have 30 people talk to everybody? It's crazy, so it doesn't work. So for those of you guys that are familiar with BGP and route reflectors, we came up with something called a route reflector, and what a route reflector would do is it would remove the concept of the non-transitive routing. So with AWS, when you need to do this kind of VPC peering, you have two options: CloudHub and Transit Gateway. They are two versions of the same thing. I'll explain to you why they're the same thing from a networking perspective; from the pure AWS perspective they're a little different, so I'll explain the subtle differences between them for you. But you need to know this: if you've got multiple VPCs and you want to connect them to each other, what you need to do is you enable hub-spoke, I'm sorry, CloudHub. And what CloudHub will enable you to do is it will enable you to use a hub and spoke environment, and by being able to create a hub and spoke environment, still enable people to talk to each other.

So let me show you what's really going on here with CloudHub. When you're using CloudHub, and CloudHub is explicitly for VPNs to connect your environments (it could be data centers, could be VPCs, what have you), what's going on is you're basically going to peer your locations. So by using it this way with VPN CloudHub, you're going to run what's called eBGP, or exterior BGP, and CloudHub is going to break the AWS non-transitive rules, which means that New York's information will be passed to the VPC, which will also be passed to the London location, which will also be passed to the San Francisco location. Because routing information is going to be exchanged between these subnets through CloudHub, everybody will be able to reach everybody, which means New York will be able to speak to San Francisco through the VPC, and London will be able to speak to New York through the VPC, and London will be able to speak to San Francisco, by enabling CloudHub. So what CloudHub does is it breaks the non-transitive routing that AWS put in place for you, because they assumed that if you didn't understand transitive and non-transitive routing, the entire internet's traffic would go through you. So understand that CloudHub enables you to create a hub and spoke environment, but CloudHub only works with VPNs. So let's say you didn't want to work with VPNs and you wanted to work with something different; you wanted to work with private lines. Then you couldn't use CloudHub; you'd have to use Transit Gateway. So the Transit Gateway is effectively the same route reflector environment that's being used by CloudHub, but Transit Gateway is used explicitly for creating hub and spoke environments that allow for transit. So when you're doing this in this environment, everybody will be
able to reach everybody through hub and spoke. So, you know, we've got a couple more things that are part of this VPC before we get into the next concept, so let's just keep motoring through them and I'll answer some questions towards the end. A couple of minutes left, everyone. The next part of what we're dealing with in the VPC is something called an access list. Now, this is easy for those of us that have ever worked on routers, where we put an access list, which is a non-stateful list, which is just basically a packet filter, which basically looks at your source and destination addresses, protocol, and port number and says allow or deny the traffic. That's what you can do. So tomorrow, what we'll do at some point is we will map out a real high-security architecture that's used in the cloud environment. It won't really be part of the AWS Advanced Networking, but I feel like it's important for all of you to know how to create high-security, high-availability environments, and since we're running our course any way we want, and we want to make you guys great cloud architects, we're going to teach you how to do it anyway, even though it's not part of the curriculum. So remind me to do that tomorrow: talk about how to build high-availability, high-security, high-performance systems with you guys.

So one of the ways to keep your systems secure is you keep traffic out of the subnets that you don't want it in. At a router in a normal environment, you'd put an access list on the router that would say keep this traffic from going to this subnet; that'll be perfect. Now in this particular case you don't have a real router, you've got a logical router in the cloud, so you're going to create something called the network access control list, and on the network access control list what you're going to be doing is basically saying which traffic is allowed in and out of a subnet. So a network access control list in AWS blocks traffic from going into a subnet. I'm going to say this again, it's a test question: network access control lists protect a subnet; security groups, which we'll talk about later, protect a host. Network access control lists, subnet; security groups protect a host. Now when you're dealing with network access lists, two things: they are not stateful, and order matters. By non-stateful, it means they don't track the state of the connection. Let's look at a firewall. If I'm behind a firewall, and I am, and I want to go to the internet, here's what happens: my PC goes to my firewall, and my firewall says "Mike is initiating traffic out to the internet, let it out," and when the traffic comes back, say I'm going to the Cisco website (I'm always on the Cisco website researching something, and I have been for the last two and a half decades), so I go to the Cisco website and then the traffic comes back from the Cisco website to me, and when the traffic comes back the firewall says "Look, Mike initiated the traffic to Cisco, Cisco's sending the traffic back to Mike, Mike's traffic is allowed back through the firewall." Why does the firewall know? It's stateful; it's watching everything I'm doing, it's watching everything that's going through it. So the firewall knows to allow my return traffic out, my return traffic back; that's why I don't have to put any policy on the firewall that says allow in, because it already knows; it's smart. Access lists are not smart; they're very dumb. They're not paying attention to anything that's going on in the system, so they don't know to allow my return traffic, because they're not stateful. So stateful does not mean apply in both directions; stateful means tracking the state of the connection. Network access lists are not stateful, so you must enable them in both directions.

Now going back to these non-stateful access lists, order matters, and what do I mean by order matters? As soon as the packet hits a rule it's going to be permitted or denied, and that's it. So order matters. Let's look at it this way. Let's assume we didn't know anything about it and we created a rule 100, and rule 100 says deny everything, and then after that we had a rule that says permit web traffic. Well, in theory that would work great, but it won't, and here's why: rule 100 says deny all traffic; the traffic's already dropped long before it even hits rule 110. So this is not the way you build an access control list. If you want to do it right, the proper technique is as follows: first, you don't need to deny anything, unless you want to for specific purposes, because there's an explicit deny; instead, just permit the traffic you want in. So if you've got a web server, only allow port 80 or port 443 in, and that's it, and nothing else; you'll be more secure. Inbound, outbound, that's what you need to do. What does it look like architecturally speaking? Architecturally speaking, what you can do is you can see how this goes: you've got an internet gateway, you've got a router, we're protecting the subnet with the network ACL, now we're going to protect the hosts with the security group. So in combination you're going to use both; it's not an either/or, but a network ACL protects the subnet and a security group protects the hosts.

So now let's talk about a security group. It's kind of like a host-based firewall where it only allows certain traffic inside of a host, and that's exactly what a security group actually is. So a security group is like a host-based firewall. A security group is part of the AWS environment; you set it up to only allow traffic inside of your host that you absolutely desire. So, a host-based firewall inside of these things, basically to allow services to your thing. A good security architecture is going to have a combination of network ACLs and security groups, with the network ACLs protecting the subnets and the security groups protecting the instances. Now security groups allow, or support, allow rules only, so just say the stuff that you want allowed and everything else is going to be blocked. Now the good news about these security groups is they're a little smarter than the network ACLs: they're stateful. Because they're stateful, you only allow them inbound: allow port 80 traffic in, allow the return traffic out; you don't have to do it in both directions. So you only have to apply them in one direction, because it's stateful, because it knows to allow the return traffic. So what does it look like? I'll show you. Going back to here: network ACL is protecting the subnet, security groups protecting the hosts.

Now the last topic we'll talk about today, and then I'll open up the questions: VPC flow logs. For any of you that have ever worked in Cisco networking or networking, there's the concept of Cisco NetFlow, and Cisco NetFlow would let you kind of see the traffic that's moving through your systems, you know, capacity plan, troubleshoot. Well, you need visibility into your network, and you're going to have a lot less visibility into your network in the cloud than in the data center, because it's not like you can create what's called a SPAN port on a switch, where we can mirror what's going on in a VLAN and then put a protocol analyzer or a sniffer on it and figure it out. So you need a lot more work to do these things in the cloud, so that's the concept of the VPC flow log. The VPC flow log is similar to Cisco NetFlow, and basically your data and your flow information can be sent to CloudWatch or S3, and we'll talk about much more of those things later, but basically it'll be useful to diagnose connection problems: maybe you've got a security group that's blocking traffic, maybe you've got a network access control list that's blocking traffic. And when you set up your VPC flow logs you're going to have a lot of information that you can capture, and your flow log is basically going to capture your traffic and let you know whether it's accepted or rejected, and you're going to be able to look at basically your interface, your source and destination, the source address
destination address source and destination part numbers protocol packets and it's going to look like this actually we borrowed this directly from amazon so we've listed the site of where we've taken it from basically you're going to have your account id your elastic network identifier you can have your source address your destination address your protocol and your port number and this is really where you're going to get a really good feel for the traffic that's going through things so you can see what traffic's accepted what traffic's rejected so that's what you're going to use as flow logs for so we've covered a whole lot of topic for today so i'm going to answer some questions any questions that you desire so i see the first ones do you have to expose allow package to leave the region that's going to be based upon your routing you can't go anywhere with you don't have a route if you have a route for your traffic to get out of the reason you'll still be going there can load wear out work in conjunctions with prior to internet traffic so you wouldn't really design it that way so you would design it more of a high security environment uh we've got uh well we can design a high security environment now if you guys want for a few minutes or we can save it for another time um do you before we get into those do you guys have any more questions for me about this topic so i'll wait for that in terms of pnu can i comment on ccna knowledge is it enough no it is not enough um regarding certifications um ccna is probably good enough for the cloud computing people ccna does not cover bgp um ccna is very late on the routing ccna is kind of an introduction to things but it does look good on a resume and it'll make sure you understand subnetting real well it'll make sure you understand vlans covered real well it'll make sure you understand the basics of routing and more specific routes and less significant routes very well it'll teach you about one queue tagging so the ccna covers 
a lot of the fundamental components is in a good introductory level um the ccnp knowledge is really what's necessary to actually do any work in networking including this thank you gopal thank you joe so what i will do is this if anybody tomorrow we are going to have it i'm going to drop the link of this if i can find it we are going to have a completely um bear with me free um question and answer session on youtube live bear with me i will i will give you the link to this right now just give me one moment tomorrow is the 15th right oh tomorrow's the 14th so tomorrow we will be doing a cloud architect career question and answer session for any career questions you may have we will do that bear with me i'll paste the link to that okay so actually green logic let me cut let me try and give you some guidance and maybe uh um try and save you some time to your career okay so regarding the the link i just sent us for the free training tomorrow regarding the cloud practitioner green logic we strongly recommend people skip the cloud practitioner exam whenever possible the reason we recommend people skip the cloud practitioner exam whenever possible it is basically near impossible to ever get a job with the cloud practitioner exam unless you want to be a sales rep the aws certified solution architect associate exam is nearly the same level of difficulty of the color practitioner aws makes all these exams hard no matter what so it'll typically take you about two months to do the cloud practitioner and it'll still take you two months to do the certified solution architect associate given the average cloud architect earns 600 a day and there is zero benefit to doing the cloud practitioner by skipping the cloud practitioner and going straight to the certified solutions architect associate you've saved yourself two months of time which is worth twenty four thousand dollars on average for the average cloud architect so i strongly recommend skipping the club practitioner going 
straight to the certified solution architect associate understand that's not enough the professional is kind of the bare minimum level of cloud certification necessary but it will not be enough for knowledge of the network the data center presentation skills communication skills and those other things all of it is mine and here's why when people ask me if certification is enough i say let's take a doctor i said certification training teaches you the name of the service and how to configure it so uh imagine training a doctor and saying these are the pills that exist and these are the dosages of the pills without teaching the doctor how to diagnose the patient ask the right questions assess the patient or do anything other than pills you'd be running into a doctor's office and give you their favorite pill without knowing what they're using it for certification training is the name of the surface how to configure it as the cloud architect you got to meet with a client you got to ask the right questions business goals legal goals communicate with them then you gotta evaluate their systems understand how they all work and then move that systems to the cloud how can you do that if you don't understand the systems like the doctor that doesn't understand how to diagnose evaluate or examine a patient so it's the same kind of thing so skip the practitioner go straight to the associate but you still need cloud architect training train with us train with somebody else but make sure you get cloud architect training if you want to be a cloud architect and we provide a tremendous amount of free training and we are always happy to do so we just want you to understand whether you're with us or without us the way to get your goals as fast as possible and as cheaply as possible and that's why we created our training programs so i will do this i will see if anybody else has any more questions and that is a salesman sir that's the reason they're teaching that so and if you guys have 
any questions about your career or want to work with us we have a pro we're leaving you our phone number here tomorrow we've got a lot of fun things coming at 9 00 a.m we have the completely free cloud architect question and answer session um for which we've got you after that we've got the uh what do you call it we've got the uh free boot camp thursday morning we're gonna have the free how to get your first cloud architect job webinar chris posted the link we'd love to see you there thursday afternoon we're going to go back to this we're going to do this training on friday and it sounds like you guys want more free boot camps i'll do for more free bootcamps and i'm happy to do that anything we can do to raise the level of the cloud architect community it's an honor and privilege to be with you guys and i don't take it lightly but if you want to be a cloud architect try and get some cloud architect training with us or with somebody else we've provided the links to our training but i want to make sure you all know how to get there so any questions for me before we close out the day while we're waiting if you had fun today can you type cloud network architect and if you've enjoyed this video please leave a like please subscribe to our channel hit the bell to be informed the new free things that we do when we do them if you've enjoyed this and you're willing to share this with somebody else please let other people know about what we're doing we're really trying to elevate the cloud architect community so they know what to do and can be horrible why people did it for me when i started networking many years ago and i loved it so please help us share spread the word of the free mission that we have to provide free certification training throughout the world so cool it's totally dependent upon the use case if you need to use if you're using vpns you use cloud hub if you're using private lines use transit gateway of course you're great having you chicola great having you 
gz william uh love that name um saw the monument in scotland um always happy to have you all here any more questions before we close the day thank you ktari appreciate everything and if you know anybody that would like access to any of this please share the links to this and uh let us know thank you all everyone it's been a real honor and a privilege to spend the afternoon with you i will see you all tomorrow um if you want to let us know how you found us that's great we want to be in the places that you're out so we can provide access to the most up-to-date highest quality training information and look out for that bgp book the bgp document that's coming next week we think you're going to like them and uh as chris from my team said if you are in the position to basically fill out this form to let us know how you found us please let us know thank you all so much such a privilege and i'll see you all tomorrow take care everybody take you're welcome here in you now thank you i'll talk to you soon wonderful thank you you're welcome you
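The following is an added worked example, not code from the course or from AWS, covering two points from the lecture above: the first-match, stateless behaviour of network ACLs (a deny-all at rule 100 placed before a permit at 110, and the separate outbound rule a stateless filter needs for the server's replies), and the VPC flow log records used to see which traffic was accepted or rejected. The flow log parser assumes the AWS default (version 2) field order; the rule sets, the account ID, the interface IDs and the log lines are constructed sample data, not values from any real account.

```python
"""Added example (not part of the course or of AWS's own code): a first-match
evaluator for network ACL rules and a parser for VPC flow log records in the
default (version 2) format, run over constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; the first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound


DEFAULT_DENY = ("deny", "*")  # the implicit final rule of every network ACL


def evaluate_nacl(rules: List[NaclRule], ip: str, protocol: str, port: int) -> Tuple[str, str]:
    """Return (action, rule number) of the first rule that matches the packet."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, str(rule.number)
    return DEFAULT_DENY


# Constructed rule set showing the mistake the lecture warns about: deny-all
# sits at rule 100, so the permit at 110 is never reached.
WRONG_ORDER = [
    NaclRule(100, "deny", "all", 0, 65535, "0.0.0.0/0"),
    NaclRule(110, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]

# Constructed rule set for the recommended approach: permit only the web
# ports inbound and let the implicit deny handle everything else.
WEB_INBOUND = [
    NaclRule(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
    NaclRule(110, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
# A network ACL is stateless, so the server's replies need their own outbound
# rule; clients connect from an ephemeral source port, so that range is allowed.
WEB_OUTBOUND = [
    NaclRule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]


def web_request_allowed(client_ip: str, client_port: int,
                        inbound: List[NaclRule] = WEB_INBOUND,
                        outbound: List[NaclRule] = WEB_OUTBOUND) -> bool:
    """An HTTPS connection succeeds only if both directions pass the ACL."""
    in_action, _ = evaluate_nacl(inbound, client_ip, "tcp", 443)          # request to server port 443
    out_action, _ = evaluate_nacl(outbound, client_ip, "tcp", client_port)  # reply to client's ephemeral port
    return in_action == "allow" and out_action == "allow"


# Field order of the default VPC flow log format (version 2).
FLOW_LOG_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status"]


def parse_flow_log(line: str) -> Dict[str, str]:
    """Split one default-format record into a field-name -> value dict."""
    fields = line.split()
    if len(fields) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(fields)}")
    return dict(zip(FLOW_LOG_FIELDS, fields))


def rejected_ports(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count REJECT records per (interface, destination port).

    NODATA / SKIPDATA records describe no flow, so they are ignored."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_flow_log(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        key = (rec["interface_id"], rec["dstport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample records; the account ID and ENI IDs are placeholders.
SAMPLE_LOG = [
    "2 111122223333 eni-0example0001 203.0.113.12 10.0.1.25 51515 443 6 12 3340 1625000000 1625000060 ACCEPT OK",
    "2 111122223333 eni-0example0001 203.0.113.12 10.0.1.25 51516 22 6 1 44 1625000000 1625000060 REJECT OK",
    "2 111122223333 eni-0example0001 198.51.100.7 10.0.1.25 40022 22 6 1 44 1625000010 1625000070 REJECT OK",
    "2 111122223333 eni-0example0001 198.51.100.7 10.0.1.25 40023 3389 6 1 44 1625000010 1625000070 REJECT OK",
    "2 111122223333 eni-0example0002 - - - - - - - 1625000000 1625000060 - NODATA",
]

if __name__ == "__main__":
    print("wrong order, HTTPS:", evaluate_nacl(WRONG_ORDER, "203.0.113.12", "tcp", 443))
    print("right order, HTTPS:", evaluate_nacl(WEB_INBOUND, "203.0.113.12", "tcp", 443))
    print("right order, SSH:  ", evaluate_nacl(WEB_INBOUND, "203.0.113.12", "tcp", 22))
    print("full HTTPS flow allowed:", web_request_allowed("203.0.113.12", 51515))
    print("without outbound rule:  ", web_request_allowed("203.0.113.12", 51515, outbound=[]))
    print("rejects per port:", rejected_ports(SAMPLE_LOG))
```

Running it shows the packet to port 443 stopping at rule 100 in the wrong-order set, reaching rule 110 in the corrected set, and falling through to the implicit `*` deny for port 22; dropping the outbound rule makes the otherwise permitted HTTPS flow fail, which is the stateless behaviour the lecture contrasts with security groups. The flow log summary then reports which destination ports on which interface were rejected, the kind of view used to spot a blocking ACL or security group.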
Info
Channel: Go Cloud Architects
Views: 15,062
Keywords: aws bgp, AWS Advanced Networking Course, what is bgp, networking for cloud computing, cloud network training, cloud networking overview, networking and cloud computing, cloud computing technical skills, networking skills training, cloud architect skills, cloud architect training, cloud architect career tips, cloud architect, cloud career tips, cloud career training, cloud as a career, cloud career, aws full course, free aws certification training, aws networking training
Id: -ROt92cKX5c
Length: 187min 12sec (11232 seconds)
Published: Tue Jul 13 2021