AWS Advanced Networking Course | FREE AWS Full Course | AWS Networking Training | AWS BGP

Captions
uh welcome everyone this is michael gibbs from gold cloud architects can you hear me if you can please let me know in the comment section 4d robotics hello can you hear me could you let me know 4d robotics i want to make sure people can actually hear me welcome guy welcome alex um alonzo so great to have you here i see alex said yes okay um so you can hear me that's fantastic wonderful wonderful wonderful um we're gonna come back for day three of the aws advanced networking boot camp um fam welcome everyone good morning evening and night we've got audience from all over the world when we do these and lots more people will be joining in the next few minutes typically speaking when we first kick it off what will ultimately happen is an announcement will be sent to people and when the announcement is sent to people that's when we know exactly when uh what things are going on so we'll be with you in a few as you begin so good morning welcome everyone since this is day three of the go cloud architects architectural version of the aws advanced networking training i'll remind you all in case you're just joining for the first time that my name is michael gibbs i'm the ceo of go cloud architects and i've been working in tech now for over 25 years now 1993 to be exact but we don't talk about that too often because it makes me feel kind of old but i've been working in tech for that long um i've been working in networking for ever in fact i'm one of the original cisco certified internet experts in fact my ccie number is 7417 back when it was this impossible long two day test um two decades ago so that's about us as far as globe car architects we train cloud architects meaning we take people from regardless of their current stat status and we train them to be cloud architects that's the business we're in certification is something that we do just to help the community certification is about 10 percent of the process to being hired and becoming a great cloud architect and the 
remaining part of the process is actually business acumen communication skills emotional intelligence and knowledge of the network and the data center because the cloud is nothing more than just a virtualized network in a data center so now that you know about that and we have the cloud architect career development program which chris from the team can show you about and we'll let you guys know in case you're interested i'm going to get back to doing fun stuff we're going to go talk about aws advanced networking training so today what we're going to begin with is we're going to begin with a discussion of cloud front and cloud front is realistically an amazon content delivery network and we're going to talk about cloudfront in a fair amount of depth here because it's a pretty important service so to begin when we discuss cloudfront we're going to be talking about a content delivery network so what is a content delivery network i'll tell you quite frankly a content delivery network is basically a group of network hardware and servers that are going to provide fast con fast delivery internet content so speeding up your internet reducing your load on servers and improving your performance that's what content delivery networks do we'll talk about how and why they work and why they're so essential to improve your performance your availability your information security so what's going on here is that a content delivery network is basically going to provide a series of caching as well as a secondary network that's going to be off literally off of the internet now the reason we're going to talk about content delivery networks being off of the internet is when we talked about private lines yesterday remember how we said when you're dealing with private lines you've got guaranteed performance and remember how we said with guaranteed performance and guaranteed latency you can do something and we talked about the internet and said internet performance is not guaranteed and we 
talked about how internet performance is technically what's called best effort what i mean by best effort is best effort means the internet will attempt to deliver messages but there's no guarantees no guarantee no latency no guarantees or performance so internet traffic is not super reliable but private network traffic is reliable so when we talk about content delivering networks we're talking about both caching which we'll talk about in much more depth but we're also taking about taking the user getting them off of the internet and on to the content delivery network's private high performance network backbone so that's realistic what's going on but cloud content delivery networks can also significantly enhance security and in some cases enhanced availability so here's what's going on when it comes to a cdn if people are attacked going to the web server day in and day out it places load on the web server and if invalid requests are sent to the web server it could potentially hurt the web server i use the web server's capacity but guess what with the content delivery network it's only going to forward legitimate requests to the web server and or requests to the web server that weren't there in the first place so the cdn is really doing some pretty great things along the way and that's one of the reasons content delivery networks can enhance security but content delivery networks can also increase performance as well because you're going to be off the network but they can also potentially help with availability here's what i mean by a content delivery network enhancing availability let's say you wanted to go to the go cloudarchitects.com webpage now let's say for example for a very short period of time the go cloud architect's webpage say the google cloud architect was down but i was on a content delivery network so if the go cloud architect's web page was down but the web page was cached in the content delivery network users if it's in the cache might still be able 
to actually be able to view my actual training meaning they might be able to see it if it is uh what's going on if it's cached so that's kind of where um what we're talking about um content delivery networks improving availability so now that we know that um let's actually talk about like cloudfront in a lot more depth because that's pretty important kind of thing so bear with me i'm trying to actually play this live so that i can actually see how much the delay is at certain point so i can see you know what you're saying versus what i'm speaking so cloudfront because it's a content delivery network will actually improve your website hosting performance and the good news at least with aws this is one of those services it's pretty much integrated into everything so improve your hosting performance and what cloudfront is is because it's a content delivery network it's going to be like anybody else's content delivery network and it's going to have caching servers spread throughout the world now if you'll recall in day one when we talked about the organization of the cloud we talked about the um the region being a large geographic area we talked about the availability zones being a data center in this large geographic area and then we talked about edge locations and edge locations are where users jump onto the content delivery network and get access to their information so that's where the caching servers are the cloudfront caching servers are in these edge locations with the exception of the original caching server but that's neither here there so here's the way this is going to work um in my house i want to go to a website www.goldcloudarchitects.com for example or go cloudcareers.com our primary site i'm going to leave my house what will happen is as soon as my request is made my location is going to be determined how is my location determined by my source i pay address my source ip address will put me in the palm beach florida region so the next thing that's going 
to happen is the routing of my traffic will say wow mike gibbs palm beach region closest cloudfront server miami send mike's traffic to miami and that's what's going to happen my traffic is going to go to the miami clock front server and there lots of cool things are going to happen so i'll talk about it and then i'll show you so when i go to the go cloud careers webpage the first thing i do is i hit the miami cloudfront server now if someone else in the miami region has already requested um the go cloud careers page it's instantly going to be in the cloudfront server i'll go to from miami it'll go back to my house and i'm never going to touch the website i'll instantly get it because it's been requested and cached meaning stored there for temporary storage until i request it now if the data for the website if i went to go cloud careers and nobody else had gone to that page that day in the miami region it's not there on the cache so here's what's going to happen the cache is then going to go to the regional cache and then it's going to say let's ride our private network our high-speed backbone straight back to the web source of the website or the cloudfront network it'll then be delivered through the cloudfront network brought to the edge location and then delivered to me and now additional people that want to access it that go to the miami webpage instantly instantly instantly are going to get access to it so cloudfront not only reduces the load on your servers through caching but it gets your users off of the internet onto a private network where they can have really good performance that's what makes this super exciting the ability to get great performance i mean truly great performance because you're getting off of the network so let's visually look at this now in this visual case i didn't actually talk about going to the regional cloud front area but let's still give you an idea so here's what's going on my first request for a website hits the cloudfront 
distribution now if it's already there as you can see it's going to be sent right back to the client but if it's not cloudfront across its own private network they'll send the request to the web server in this case it could be a static website hosted but s3 bucket and then from there it will be sent completely and directly to the cloudfront origin and then it'll be sent to the client now on subsequent requests for the same content things are going to change they're going to be a lot different these subsequent requests for the same content are just going to go to the cloudfront distribution and simpactini so that's really how these content delivery networks work so because cloudfront is providing caching it provides scalability hmm caching of read replicas when it comes to relational databases making sure you don't hit those replicas as much for frequently accessing information same thing no different same technology so the reason i like my students to really learn the fundamentals in the building blocks of networking and data centers is this is all the same the same same network and data center technology they just keep reusing it in a thousand different places that's why fundamentals matter so much and so that's how caching is going to help it's going to offload these frequent requests to the cache so lots of lots of scalability gained on your web servers if you're if you have millions of users accessing the same content your web servers don't have to process millions of requests because it's already there in the cache that's why we love this kind of stuff it looks like my screen's getting a little fuzzy so i'm going to blacken my camera real quick and i'm going to force it to refocus and i think now we're going to have good clarity so there we go so caching is super helpful for frequently rugs access concept now if everything going to the cache was new content and there was no repetitiveness in the content not only will caching not help but it's going to add an 
additional step which means additional latency so caching is wonderful just understand the use case of homework to use and why so let's talk about you know cloudfront with aws so cloudfront is integrated with a whole lot of aws services so if you have a static website you can put a cloudfront front end excellent by comparison if you've got a dynamic website you can use cloudfront to host a website that's based on ec2 instances assuming an elastic load balancer is part of the architecture so when you is cloud front the front end of that distribution is going to be your load balancer so low balancer with your ec2 instances in the back that's how these kind of things work so cloud front can be used but it can be used with static or dynamic or the combination of static directly in front of an s3 bucket dynamic directly in front of their load balancer which has got some ec2 instances behind it so what could this look like in reality architecturally speaking architecturally speaking it'll look like users are coming in the cloud front which you can see their static content will be pulled from this s3 bucket and their dynamic content would be pulled from ec2 and it would be pulled from the ec2 instances through the load balancers so now we're going to talk about some heavy-duty aws stuff i'm working on architect when i look at things with the big picture but you gotta understand how the big picture look works so let's go talk about it so when we're talking about cloud front we're really talking about three things going on in the setup we're dealing with the distribution and origin and couch control now you know we're we're more build cloud architects and build certification certifications but certifications will help you get an interview and once you get an interview it's your knowledge that really helps you get hired but they do help you get an interview nobody's going to hire anyone for a certification but they will give you an interview with the certifications and 
behind that is your chance to get hired so let's talk about these concepts as distributions origins and couch controls because not only will they show up on exams it's important part for setting these things up or designing them so when it comes to cloudfront distributions you have to set up the distribution and here's what the distribution is it's going to be identified by the dns name and don't get me wrong these cloudfront dns names are ugly if you don't believe me do an nslookup of amazon.com you're going to see this thing it could be like a b c d e f g one one one one one dot cloudfront.net is ugly so when you use cloudfront you're gonna get a new distribution that's going to be your dns name and it's going to be ugly as can be so you've got two options you can use this ugly website abcdefg111.gocloudcareers.com i wouldn't or what you could basically do is create a senior record that will map go cloud careers to this abcdefg111.cloudfront.com or net and obviously i'm making up the goofy cloudfront name here but the point is there's going to be some ugly looking name like that so you can choose to use that url don't recommend it anywhere anytime or you can use a cname record which maps one domain to another pick a domain name that makes sense and mac it map that to the actual dns fully qualified domain name of the platform distribution that's what i would do the next thing that you need to do when you set up cloudfront is to set up an origin what is an origin quite simply where your stuff is coming from where is your content so basically your origin can be an s3 bucket or it can be an ec2 instance it could be the low balancer free website that's it and it's really your origin and your origin is going to point to the dns name of the location so what is the dns name of your bucket and that way if things change it's based on dns so cloudfront distribution remember the concept quite frankly is the name of it cloudfront origin is where your stuff or your content is 
coming from so since you know the distribution and you know the origin let's talk about the cache control so i mentioned that cloudfront caches your data a cache is a temporary store of your data for use so cloudfront does this which really reduces the load on your servers but you know when you're dealing with caching you've got a lot of things to consider if you had a one month cash for example let's say i go today to go cloud careers and i hit the miami cloudfront distribution my cash was one month when i go tomorrow it's still going to be there when i go the next day it's still going to be there three weeks from now the data is still going to be there my data will be there for a month which means if i update the go cloud career page no one's going to see it for a month why the old content will be cashed and be served so cash control when you're dealing with the cash the longer your items are in the cash the more scalable your website's going to be because it's going to be accessed less because the content will be stored on the cache which is great now the downside of that is the longer the cache the less likely new content will be seen so if you're a new site and you were to cache everything and you had a cache of the month no one seen new news for a month so your cash has to time out in a time that makes sense based upon your content update strategy so if an organization updates content once a day the cash has to time out within 24 hours now when you're dealing with cloudfront it's got a default cash time this as it turns out it's 24 hours so realistically what's going on is that's the way the cash works so longer cashes reduce server load longer caches more static data is going to be there so you can modify how long data stays in the cache by simply modifying the tto now when you're dealing with caching sometimes the cache gets corrupted and you've got bad data in the cache and sometimes you need to clear the cache and you can do that via the cli or the api if 
you need to close the cat that clear the cache and normally speaking we're not big on commands because we're architects but you know when you're dealing with caching every once in a while cache gets corrupted you'll have to clear the cash you can clear the cash with the command that we just dropped in here this is the cash clearing command it's so important to be able to know how to do that that we actually wanted a list of the command so getting front all set up and ready to go what are you gonna do you set up the web servers and you put your content on them you create your cloud front distribution amazon will give you a domain name either accept that ugly domain name which i strongly recommend against we'll create a dns scene name record which points a friendly name to that aws uh cname to the cloudfront distribution you're going to be in great shape so let's look about what this looks like remember yesterday or the first day we talked about edge locations and availability zones and such well here's the way you should look at it when you're dealing with the aws architecture of their environment you're dealing with this large global region being called a region like a continent or a percentage of a continent you're looking at data centers which are called availability zones and you're looking at edge locations which i believe there's 217 of them at the time we made this video which are points of presence where your caching servers are located throughout the throughout the world now i know we showed this on day one but we want to go back to it because it kind of matters here what you're dealing with here here's the users the users hit their edge location if it's stored in the edge location the information goes back to the user that's not stored in the edge location it hits the original cache if it's not stored on the razon cache it goes to the servers like the s3 buckets or the ac2 instances and then gets stored in the cache location now let's talk about some 
private content typically speaking you're using cloudfront to serve a public website but what if you don't when you use a public website maybe you want to restrict access to the content maybe to pay to website subscribers maybe you want to use the cdn for some private applications there's a couple ways you can do this you can set up an origin access identity for example to restrict the s3 bucket to certain individuals possibility one you can use assigned url possibility2 and you can use a signed cookie so just understand if you're going to use cloudfront for private content you can set up an origin access identity and restrict the content to certain places you can use signed urls or you can use signed cookies now when you use pre-signed urls for a content it could be for s3 or something else realistically speaking you know you're pre-signing things with your encryption key so just just keep that in mind so to talk about you know some cloudfront and closing you know cloudfront because is the aws content delivery network and when you're using cloudfront you can enable some of the aws security services directly on your cloudfront distribution should you be using wife or web application firewall if that's your security policy you can enable it on cloudfront could you be using shield or shield advanced for details protection the answer is yes this might be the kind of thing you want to use on cloudfront that's shield because ddos protection is always always valuable regarding the aws web application firewall you can choose that if your security requirements will be accommodated by that or you can choose to go to the marketplace and get something more robust like a cisco palo alto kind of firewall so let's work through some things you know cloudfront can help pretend ddos attacks because it only forwards um the requests that are legitimate so if it's not a good http or https request it will not be set the attacker can't really launch a ddos attack by sending a million 
one invalid request because they're not going to be afforded the server so that's kind of great and it distributes your content through multiple points of process now it's also kind of cool when you're using cloudfront it can do the encryption and transit for you so anytime you're on a server and you're doing encrypt 10 this stuff really gets cpu computationally expensive and it can use really run your server load high but you know the reality is this it's not such a concern here and what i mean by that is the cloud front distribution can actually enforce the ssl tlas so it can do a lot of the work right there and it can integrate with certificate manager for your ssl tls certificate and even support server name identification so normally i would stop here but i want to cover lambda edge and then we'll stop and we'll take questions for about 10 to 15 minutes and then we'll move forward so when we talk about lambda edge you know when this because this is realistically speaking where this is a network one versus more of a solution architect training course we're going to talk about lambda edge just because it's part of cloudfront lambda with aws is just a serverless mini compute function and lambda enables you to automate some very very basic things you know remediate something look at something it's just a one little step in the process think of it as like a little manuscript and if you wanted to run a little mini script kind of lambda type function typically speaking you would do it inside of your vpc but if you want to run a lambda function close to your user for example you can actually deal with cloudfront that's basically called lambda edge and basically lambda edge enables you to run these basically simple simple lambda functions very close to your customer on the content delivery network and because you're able to do it closer to the customer your performance is greater and your latency is less so just kind of remember that so think of lambda as a serverless 
computing service you just basically upload the code and it just works no servers to manage no operating system but it's you know it's light coding it's not serious it's just light stuff so if you've got something in c sharp go java node.js or python this is the kind of thing but it's a simple simple function when things to remember with lambda it's completely stateless which means you know one function gets done and that's it there's no stator control remember this and then this and then this and this so if you want one thing to happen you're gonna have to set up one function if you want two things to happen you're gonna set up two lambda functions so just try and remember that and just think of lambda being useful in situations where you want to automate something maybe processing data across systems maybe patching an operating system remediation of the security that kind of thing so lambda can be re wrist on a response so something going on so just kind of remember those things but lambda is really an automated kind of function and typically speaking you know this is what it looks like i do a lot of work with video so i could use lambda functions to basically upload a video into s3 then i could have that video transcribed because i got to land the function and move it to amazon transcribed it could then have another lambda function basically send it to say an s3 bucket after an uncompressed video would be compressed and i could even have another and then the function is fanning out to basically send it send an email that says video is ready for download these are the kinds of things that you can do with lambda functions now at this point uh what i'm going to actually do i'm going to take a break for a few minutes in this break we're going to ask questions um chris from my team is probably going to quit aggregating questions and if not you know from here i will take some questions so let's see if there's any questions okay does anybody have any questions thank 
you a room very much alex cloudfront is only for web stuff so web pages caching of web pages arun generally speaking um if you were to go purely cloud native to go from one cloud to another cloud it's incredibly challenging if you go cloud native because lambda functions are so basic and they're so simple lambda functions are the kind of thing that can be moved quickly and easily to another lambda function equivalent on another cloud provider so this is one of those functions that you can actually get away with that are simple to use that are not the kind of thing that necessarily has to result in multi multi multi millions of dollars of refactoring should you have a problem with the cloud provider so lambda functions can fit into an architecture quite nicely in a lot of places so bow wonders question is are all cdn set up at low edge locations all cdns have some version of an edge location where they're closer to the user they may call them different things but they're basically set up in a similar sort of fashion yes let's see arun um thank you so much we really work hard to make everybody become a great cloud architect so thank you for noticing and sharing i'm jeannie welcome i'm so glad to see you here i know uh i know where you're at right now so welcome welcome welcome and uh alonzo why is lambda limited to 15 minute capacity i am completely not sure that i don't want to give you bad information alonzo oh when it comes to are the charges of cloud cdn's cheaper than non-clouds out it's going to be on a case-by-case basis um is it cheaper to use cloud front versus akamai that's going to be dependent upon so many things you know what negotiated rate you get from each one your actual pattern of usage that data so i can't necessarily say the cloud is too core i can't even say that cloud is cheaper in general it can be under certain use cases and certain traffic patterns in other cases the cloud could be more expensive so it's really about your architecture in the 
actual use case that determines you know whether it's better faster and cheaper on the cloud or off of the cloud who else has a question william wallace uh i think we got we're able to clear this up um but uh by your message but if we didn't make sure you ask another question i want to be very clear for you okay i'm going to give you guys another minute or two see if there's any questions and if not i'm going to get right back into the content always happy to get into content chris from my team is letting people know you know about our training as well as you know how to get it and uh what else was i going to say and we're also going to list a list to list our office in case anybody is interested in our training now i see another question popping in so i'll be thrilled to uh to do this um all you know is is uh cloud cd that increases latency definitely but it costs yes so anytime you're dealing with a content delivery network it will add an additional step anytime you add an additional step for example it could add latency having said that if for example you don't have to go straight to the cloudfront distribution instead of hitting the web server and writing the entire internet latency will be reduced dramatically so it all depends on what's going on if i go to the miami cloudfront distribution and it sends it right back to me very low latency this is awesome but for example if and it would be much less latency than if i went to the page that exists in california but if i went to the cloudfront location and the web is in california and it was new content that i was having asking for instead of established content that was already there it would have an additional step of latency which may be mitigated by writing the content delivery network's backbone as a path to the internet but it could go either way derek i do not know the inner workings of the way amazon actually uses cloudfront with prime um they will definitely not publish that data they will give you 
little bits and samples where they can show the efficiency, the caching of the information, but how they internally architect their site I'm not going to know, and they will intentionally keep the main components of that very private. They'll publish the things that are good for sales and they'll hide the 90% secret sauce, because they don't want people copying not only their website but, more importantly, they don't want the weaknesses of their website exposed. When you publish too much information about what you have, you get hacked. So that information is not there for us to see.

CloudFront supports cache control. I do not configure CloudFront headers, since most of the work that I do as a cloud infrastructure architect is designing systems and designing networks; I'm not really playing with CloudFront cache controls, there's a different team that was typically involved in that. But it does support cache control regarding things in the header; not something I've necessarily worked with. I'm going to make sure we give you honest, ethical answers, but also that we give you correct answers on everything we do, and when it comes to little things like pricing, things that are very frequently ready to change, I strongly recommend you go to the Amazon pricing page every single time. These things could change in a day, a week or months, and you really want to access really good information.

So what I use Route 53 routing policies for: you would use Route 53, for example, to set up your CNAME record. You would use Route 53 for your DNS policies. So you sure would be using Route 53 if you were using AWS's DNS, William; otherwise you could be using somebody else's DNS or your own DNS.

Okay, so a couple of things. If you use a NAT gateway with CloudFront, your systems will not be usable. So a NAT gateway is egress only, meaning if you want your users to be able to get to the internet and then have their return traffic come back around, you can use a NAT gateway, but if you want your servers to be reachable from the internet, you can't use a NAT gateway. You must use an internet gateway along with something that has an elastic IP address, like the front end of the load balancer. So NAT gateway: egress only. You go out to the internet and your traffic's allowed back, but if you want your web servers to be reachable from the internet you need an internet gateway and a public address, and that's what's realistically going on. CloudFront is pointing to the distribution of the public IP address of the load balancer. Everyone, if you've got more questions on how to answer that...

Cert RS: how do you go from a traditional network engineer to a cloud network engineer or a security engineer? Very easily. The cloud is a virtual network in a virtual data center. So if you are a network engineer, and the type of network engineer that I'm referring to is a network engineer that is really heavily based upon routing, the network engineering things that you need to be really good at are: understanding VLANs, which most people do understand; 802.1Q tagging, which most network people do; understanding route summarization and route aggregation, which most senior engineers do; understanding QoS; the port channel aggregation protocols, EtherChannel, that kind of thing is super important for you to know, Cert RS. Then BGP is a must, and BGP in enough depth to traffic engineer; these kinds of things are super critical. And then if you're a network engineer you probably only focused on routing protocols and switching protocols, like me; in fact I spent five years doing nothing other than BGP and another couple of years doing nothing other than IP multicast routing. So then you need to learn the network in the data center. So now that you know the network, you need to learn the data center: that means server virtualization, that means containers, that means learning firewalls and VPN concentrators, which you may or may not have worked with. After you've learned these things you need to learn
Microsoft, because you probably never used Microsoft stuff. So you've got to learn Microsoft Active Directory, because network engineers, we don't touch anything that's not a router or a switch. Then you may or may not need to learn DNS, because most network people do not, because they focus on routers and switches and it's usually sysadmins that are doing the DNS; you need to know that. Then after that you need to understand the way these applications and pieces of parts are put together. You don't need to be a programmer, but you need to understand that. And then coming from a network engineer to a cloud architect means now you've got to remember: engineering is building stuff and architecture is designing stuff. So you have to learn architectural design, Cert RS, how to build and how to design things, which we teach obviously in our architecture training programs. So you've got to learn design, and then you've got to learn how to present these designs to the CEOs, the CFOs, CTOs, CIOs, and then speak to the communications manager and get all your business, legal and technical requirements from the executives. That's how you go from network engineer to this. I've done it, I've got a tremendous number of friends that have done it, and it's very easy for people to go from a network engineering role to a principal or distinguished architect as a cloud architect, because we have such strong fundamentals. That's the process. There's a training program that we have that helps people do it; we do it every day. I listed the link to that for you, Cert RS. So okay, Cert RS, I answered yours. I think the last question is Caesar: API Gateway can be configured and used on CloudFront or as regional; if users are in the same region location, is regional faster? Every situation is case dependent. There are so many different variables that I can't give you a blanket yes or no answer; you've really got to know your traffic flow in every way, say performance, users. Okay, my team has told me it's time to go back to teaching, so we'll go back to teaching, and in about 20 minutes we'll come back to questions.

So let's start talking about securing the cloud. We're going to talk about stuff from a lot of different perspectives. Personally speaking, I love talking about security because I've worked in it for a long period of time, and when you're designing five-nines systems, getting 99.999% availability, of which there's only a small subset of us in the world that have actually ever done this before, when you're part of those organizations that are doing that, you've got to have security. Why? If you get hacked, you're down, and if you've only got five minutes and 15 seconds of downtime per year, which is all you get with five nines availability, 99.999 percent of the time available, and you have a security hack, you lost your five nines in one hack. So this kind of stuff is really, really important, so make sure you get there. So there's lots of ways people look at security, but we're networking people today. Knowledge Drive, I have technically 28 years of experience, almost 29,
and 20-plus years helping people find their first tech job, so it's been a long time, long enough, and I'm not afraid to say what I know and what I don't know. So let's talk about network security. Networking is one of the absolute best places you can secure your systems, and networking people, we know this; non-networking people think security is actually IAM. It's part of it, but it's only a small piece. We're not going to cover IAM here because that's covered in our free AWS Certified Solutions Architect Associate and Certified Solutions Architect Professional training programs, so that kind of gives you that concept there. So today we're going to cover network security, and this is going to put you guys in the forefront of knowledge of security. We're going to talk about lots of different things: we're going to talk about the principle of least privilege, we'll talk about multi-account strategies, we'll talk about network ACLs, security groups, WAF, we'll talk about IDS/IPS systems, we'll talk about DDoS attacks, we'll talk a little bit about CloudFormation, we'll talk about the Service Catalog, and we'll talk about the Systems Manager Parameter Store, and of course my favorite, we'll talk routing too.

So when it comes to securing your systems, who's responsible? Now, the first thing is this concept of the AWS shared security model. Let's take it from the traditional world. In your data center, it's so obvious: it's up to you, you manage it all. Now when you take this stuff to the cloud, AWS or GCP or Azure or Oracle or Palo Alto or Cisco or Dell, any company, or IBM, any of these companies with a cloud, you're kind of in these environments. (Three hours today, Knowledge Drive, is the total session, for every day we're doing this week.) So when you're doing these kinds of environments, you're responsible for half and AWS is responsible for half. So of course AWS has got these big, long, complicated charts, and we'll show you what it is, but let's really look at it from a practical perspective. From a practical perspective, I call an apple an apple and a cat a cat; I don't make up names for things along the way. So here's what it means: AWS secures the cloud and you secure your stuff, meaning your VPC and everything inside of that. So they secure the cloud, you secure your things. So AWS will manage their infrastructure and all of the underlying technology, and you manage yours. So what are you responsible for exactly? Your IAM roles, patching your operating systems, maintaining the security of your own apps, configuration of your AWS or Marketplace security options, and physical security of your devices that connect to the cloud. You could have the biggest, best security system in the world, and if your network connection to the cloud is in a closet which is open, all I need to do is plug in a cable on your system, unless you're using 802.1X, so, okay, MAC address authentication. So with that, understand that's how it works. So now architecturally speaking we can look at it: they're managing their servers, the big servers, the big databases like DynamoDB and the managed services, they're managing their RAID arrays, they're managing their network. You won't be able to see the thirty or forty thousand or fifty thousand or a hundred thousand Cisco and Juniper routers they have running through their data centers; you're never going to see it. You're probably never going to see their 8,000 million load balancers, which are probably from F5. You're probably not going to see the servers, which most likely come from Dell. You're not going to see the firewalls they're actually using to protect their systems, which I'm sure are coming from one of the big firewall providers. You're just not going to see that; it's all hidden. You're going to see the virtualized stuff.

So now let's talk about some things. Whenever you're talking about security, look at it this way: in the military they have a
concept, it's called need to know, and what's meant by need to know is: if you need access to the information you're given it, and if you don't need the information you're not given it. Do you know why the military doesn't give you access to information you don't need to know? So you don't cause damage with it. You know what? Same thing with your employees. Give your employees just enough information to be able to do their job. Now granted, if they're a leader in your organization they need a lot more information than if they're just doing the work, but if you give people too much information, they can and will use that information to hurt you. So you've got to use the principle of least privilege. So when you bring somebody onto your systems, give them permissions for everything they need but nothing else, just what they need. So: principle of least privilege, need to know.

And if you can, guys, let me know you're still awake, alert and oriented; if you can type "cloud architect" in the comment section or at least the chat box, I know you're here.

So let's talk about another way that you can actually enhance the security of your VPC and your organization. As a rule, the more stuff you've got in your organization, the more things that can go wrong. Happens all the time: more stuff, more things to break. So if, by comparison, you took your things and you chopped them up into (thank you, Alex and Sarah, for letting me know you're still there; let me know "cloud architect" if you guys are here), so in order to secure your stuff you could conceivably break into different organizations, break into different VPCs, and if you did that things would be great. The problem would be, if you broke things into things that would be separate, is you wouldn't gain the benefit of the purchasing of an economy of scale. See, what goes on in these organizations is when you buy stuff in volume they give you a discount. So what AWS enables you to do is something called a multi-account strategy, and in these multi-account strategies you're basically buying a single entity and chopping it up into little ones. So what's going on is you're going to get the billing benefit of having all the services you're purchasing, but you effectively have segregated or separated parts of your architecture. By segregating or separating parts of your architecture, if something happens in one region it won't affect another. So let me show you what this is going to look like architecturally speaking over here. When you're dealing with Organizations in AWS, you're dealing with something that limits the blast radius. I put that in quotes because you could see that on the exam: Organizations are designed to limit blast radius. What do we mean by limiting blast radius? It means if something happens in one organizational unit, it might not necessarily affect another organizational unit. So you're basically putting everything inside of the big parent organization and then you're separating each of these organizational units, so what goes on in one does not affect another. Then what you're doing is you're applying a policy, the service control policy, that determines the information that can be shared from one organizational unit to a second organizational unit. So that's what's going on in these multi-account strategies: take your account, chop it up into pieces and separate, and then use a policy called the service control policy to determine who can access what. So here's what it looks like: at the top, the account, the root, that's the main account, the parent. Basically what happens, you have these little child accounts called organizational units, and inside of them you can further reduce them. So big, giant purchased economy-of-scale discounts while simultaneously getting the protection of chopping up your network into pieces. So let's talk a little more about multi-account strategies. Multi-account strategies are really good because they isolate things, so you can reduce the visibility of workloads
between one part of your organization and another; it reduces the blast radius, and let's say you've got some private or sensitive data: by using an environment like this you're going to keep your sensitive data sensitive. So lots of great things come from using multi-account strategies.

Now the next thing we're going to talk about are firewalls, but before we talk about firewalls I want to talk about network security. So in order to reach something, you need to route to it. If you don't have a route to it, you can't reach it. So for example, if I wanted to keep someone from reaching something, all I would have to do is keep you from having a route. I'm going to say this again: from a networking perspective, you can't reach it if you don't have a route. I see Ian is here; Ian's in England. There's no road for me to reach Ian and have a Red Stripe beer with Ian, for example, or some jerk chicken with Ian; Ian happens to be Jamaican. I love Jamaican food; I cook Jamaican food when I have the chance. So it's not like I can just drive my car to see Ian, because there's no road; I have no route to get to Ian unless I take an airplane. The airplane has a route. How hard is it for me to see Ian? Not that bad; I call and buy an airplane ticket and I can see him. But what if there was no plane and no boats? I couldn't see Ian. Well, that's what happens with routing: if you don't have a route to something, it's not reachable. So the first tenet of security when I look at things: control your routing. Don't share routes with people that don't need them. If you don't share your routes with people that don't need them, they can't reach you. You can't hack something you can't reach. So before we talk about IAM and multi-account strategies and firewalls: isolate your routing, and we do it all the time. So when you're providing routing information to your VPC, only give this routing information to the people that truly, truly need it, and that's how you can limit things. So networking: great place to do it.

Now we're talking about network security. What else can we do on the data center that connects to the network? We can do QoS. So remember, we're going to have these direct connections, and why would we use QoS? People might say, Mike, we've got a 100 gig connection between our data center and the cloud, why do we use QoS? We've got a big fat pipe, we could never fill it up. Well, here's why you use QoS. So about 18 years ago I designed a voice over IP solution for one of the largest banks in the world, and I said to them, you need to use QoS, and they said, we don't need QoS, we're running gigabit Ethernet to the desktop. And I said, you need QoS, and they said, why do you need QoS? I said, what happens if you get a worm and the worm fills up your pipe? You won't even be able to place a phone call to say, hey, my phone's not working. The company didn't believe me; they bought the phone solution with the exception of the QoS. One worm and virus came and took down the entire voice network, and they couldn't even call anybody to say anything about it. So QoS: you run QoS on your link between your data center and the cloud, you get hit with the worm, and you limit traffic to prioritize the things that matter over non-priority traffic. If you've got QoS running, you can literally protect yourself against some attacks. So what do we talk about on the network side? QoS policies and limiting routing information; lots of things you're doing on the network side long before we start talking about network ACLs and things like that.

So what about authentication? We need to make sure that users cannot get on the systems unless they're allowed. In the data center, where people plug in their computers, remember the data center has a Direct Connect or VPN to the cloud; if people get on there, they can access it. 802.1X, meaning authenticate, don't let them on: when a user plugs in their computer to the network, check their MAC address, see if their MAC address is allowed onto the network; if it's not, or their Ethernet address isn't allowed on the network, don't let them on.
So these are some of the things you can do with the network. So granted, we talked about the normal things, but I want you guys to know the network things that we can do as well. There's a lot more networking things we can do, and if you guys want to know about deep network security architecture, comment "network security architecture" and we will have a webinar; we will focus two to five hours on nothing other than high performance network security architecture as well, big party. So if you want that, comment "network security architecture" while we're waiting for that.

Now let's talk about firewalls. So what is a firewall? A firewall is simply a device that you stick at the perimeter of your network to keep bad guys out. Firewalls basically block all incoming things unless you permit them otherwise. So how do you protect the edge of your network? You add a firewall. The firewall limits all access to everything at the edge of the network, and when you're using a firewall, they're stateful. What is a stateful firewall? A stateful firewall is a firewall that tracks what's going on. What I mean by tracking what's going on: if I'm behind a firewall right now, when I want to go to the internet, I go to the internet, I go to www.cisco.com, I traverse, I go right through my firewall. When I go through my firewall, the firewall says, Mike just went to cisco.com through my firewall; because it's stateful, it's keeping track of what's going on. Then when cisco.com answers me, it goes through, and the firewall says, oh, it's Mike's traffic going to cisco.com coming back, he's allowed. So the firewall lets me back because it's stateful. So, firewall: as our traffic goes out through the firewall and comes back in through the firewall, it's allowed. So use a firewall at the edge of your network, block everything at the edge of the network except what you want in, which means if you've got a place where there's some web servers that are using port 443, for example, and you create a demilitarized zone, which is where your web servers are, and your firewall allows port 443 in, and that's it, that's all you allow through the firewall. So don't allow anything through the firewall unless it really matters, unless you have to, because the firewall protects your limit. So use the firewall to limit routing information, use the firewall to keep bad guys out.

Now when you're dealing with firewalls, there's basically original firewalls and newer, modern firewalls. Original firewalls work exactly like I described to you: they're completely stateful, they watch your traffic out and they allow your traffic back in according to policy. Now there's newer firewalls, adaptive, next generation (I hate that term, but next generation). These adaptive firewalls, the new ones, are awesome. What they do is a little bit different: they watch patterns of behavior, and they allow my traffic out, and then they start seeing something out there on the internet and they don't like it, this doesn't look right, and literally what will happen is these firewalls will adapt dynamically. They'll create new rules and they'll thwart an attack automatically. So modern firewalls are awesome. So when you're dealing with AWS and you're dealing with needing a firewall, and you're dealing with needing a high security environment, what kind of firewall strategy are you going to use? Are you going to use the AWS-branded WAF? You might. Or are you going to use something bigger, better and stronger, like a Cisco firewall, a Palo Alto firewall or a Fortinet firewall? It depends on your security requirements. So if you need something substantial, go to the Marketplace. If you can get away with the basic cloud services, use WAF. At least you need to know it.

So let's talk about WAF. WAF is a web application firewall that protects against attacks, and what's going on is it's looking at HTTP requests for exploits, and WAF will work with CloudFront distributions, Amazon API Gateway REST APIs or Application Load Balancers. But basically what's going on
is it's going to block connections in an edge location, excuse me, long before they get to your network, and you can control content that you specify. So WAF provides granular access control, so it's relatively good in terms of the creation of access control lists, rules or rule groups. What's going on is you're basically putting in stateful access control lists that either allow or deny, and you're just creating rules, or rule groups, which are collections of rules, and you can look at the metrics of what's going on here. So you enable WAF on the application or the device, you create a policy, that's what you want to use, WAF will be looking at your traffic based on the policy that you've created and it's either going to permit or deny your traffic, and if an attack occurs, new rules will be created that'll mitigate the attack. So remember, WAF integrates to basically provide lots of extra visibility into things that are going on. Architecturally speaking, what does it look like? It looks as follows: you place WAF at the perimeter, you stick it on CloudFront, load balancers and the such, set your policies, and it should monitor for you, and this is what it's typically going to look like here. You could place your WAF and Shield on a load balancer or your internet gateway, something on your CloudFront distribution, but you're popping it here on the front of your network and you're protecting it. And then you're going to protect your subnets with the network ACL and you're still going to protect your servers with the security group.

Okay, let's do this: let's talk about DDoS attacks and then we'll take a few minute break and answer some questions. So let's talk about distributed denial of service attacks and how you prevent them. First and foremost, what is a DDoS attack? A DDoS attack is when a hacker will break into multiple systems on the internet and they'll use these multiple systems that are compromised to attack you, and the reason it's distributed is you need these multiple systems to kind of overwhelm your servers. So what's going on is the goal is to overwhelm your servers with so many requests that your servers can't work anymore, and when your servers are too busy and they're not working properly, what can ultimately happen when things get that busy is you can actually override systems and violate permissions; when systems get busy and close to getting ready to crash, lots of bad things happen. So preventing these things is a multi, multi, multi-step process. So here's what the attack looks like: you can see this bad guy in red takes his server, he then controls a whole bunch of things, and then he attacks you. So what's going on is, let's say this web application can handle 5,000 requests per second. For this DDoS attack to work, this attacker basically has to launch more than 5,000 web requests per second, because he has to completely overwhelm your systems. So if the attacker launches 5,000 web requests per second and you can only handle 5,000, you're down, let alone the other customers that are trying to reach you. So that's how these DDoS attacks work.

So let's talk about what you can do about them. First, use the firewall; it's hard for stuff to get through to you if it's blocked by the firewall. Next, use some DDoS protection. There's lots of services, like Cloudflare; with AWS they've got Shield and Shield Advanced. These are services that will literally stop DDoS attacks and/or prevent them, so these are really great things. So let's talk about Shield. There's a basic one, which comes free when you use WAF, and there's a more advanced one. Let's talk about the basic one: Shield Standard is free when you use WAF, and it protects against common DDoS attacks. According to AWS (I trust AWS, but in general when vendors talk about their products there's usually some inflation of numbers), they say it'll protect against 96 percent of the most common attacks, which is pretty darn good, and
this will include SYN attacks and flood attacks, reflection attacks, HTTP slow reads, pretty common attacks. What's going on is it's blocking based upon policy, but it's also static, meaning it's going to work based on the policy and nothing else. Now if you're dealing, for example, with Shield Advanced, this is where it's going to get a lot better, because Shield Advanced basically is much more substantial. Again, it's an additional cost, but Shield Advanced is more intelligent, so it'll do attack detection and mitigation. It's closer to the things you'd be getting with a next generation firewall, where there's some adaptivity there, and it gives you some visibility into layer three, four and seven attacks. And the good news: if you're using Shield Advanced, you've got a DDoS team that you can call 24x7, assuming you're a member of Business or Enterprise Support.

So while we didn't talk about it here, as part of going to the next topic, I want to talk about auto scaling and the concept of DDoS protection. Auto scaling may be one of the absolute best forms of DDoS protection, and here's why. I always talk about this and people always say, Mike, DDoS protection, auto scaling, you sound a little nuts here. So let's go back to this attack that I was telling you about before, and I want you to understand why auto scaling is so helpful in this attack. Let's say this web server, web application, can handle 5,000 web requests per second and the attacker is attacking with a rate of 10,000; this completely overwhelms the server. Let's say the attacker is capable of attacking with 10,000 web requests per second. Right, now let's say this web server, which can handle 5,000, auto scales and can now handle 50,000 because it added 10 web servers, and the attack is only coming at 10,000 web requests per second. Auto scaling can actually scale up, in many cases, faster and better and larger than the attack actually can. So I'm not going to say, hey, auto scaling is your solution to DDoS. No. But when you're using firewalls at the edge of your network, and then you're using IDS/IPS systems, and then you're using network ACLs to protect your subnets, and then after that, when you're done protecting your subnets, you're adding security groups, then on your servers you're adding a host-based firewall and disabling unnecessary services, and then auto scaling: all this goes into a big, awesome security policy, and that's what I'm trying to show you here. None of this works by itself; all of it is part of a big happy family, and by being part of a big happy family you get to put yourself in a position where you can build the perfect solution. So that's where you need to start thinking about these things.

So I'm going to stop it here, and here's what we're going to do: we're going to take a break to answer some questions. Chris from my team will make sure I get to the right questions and I didn't miss any along the way, and from there I'll make sure that I stay on track time wise. So 10 minutes of questions, guys. Let's see. You know, it's really interesting, Knowledge Drive, so I've been working with security appliances for decades now, and all these vendors, they come up with really, really cool names for new services. Palo Alto's firewalls are fantastic; I've got good friends that work there, friends that are trained to work there, love it. Cisco's firewalls do the same thing, Meraki firewalls do the same thing, Fortinet firewalls all do the same thing. All these guys are, I would say, at that level, kind of at parity with each other: Cisco, Fortinet, Palo Alto. What I mean by that is one of them will make a better product for one day, and then the next one will be better for three months, and the one after that will be better for three months, so they all go back and forth. But the Palo Alto firewalls are fantastic; I use them in a lot of cases and absolutely love them.

William Wallace: is it worth paying for Advanced
Shield, or go to the Marketplace? Well, generally speaking, for the kind of designs I would work with, I would do the following: I would probably use a firewall out of the Marketplace, an IDS/IPS system from the Marketplace, and I would probably use Shield Advanced for DDoS protection, because you need to kind of layer them all together, William. So you need a lot of layers; you might need six or seven or eight security things, especially if you're dealing with a bank. When you're dealing with a bank you're dealing with eight, nine, ten plus layers of security, and I deal with a lot of banks. In doing that I'd probably use Shield Advanced, then I would probably use a Palo Alto or Cisco firewall, because those are the two that I find the best in my experience of working with them. Then after that I would use an IDS/IPS system, then after that I'd be using network ACLs, then I'd be using security groups, then I'd be using host-based firewalls. My Linux systems, because they'd be the only systems that I have, would be hardened, be running anti-malware protection, host-based firewalls, be locked down in every way; unnecessary services would just be disabled, you name it. I'd be running minimal installs of my operating system, I'd have incredibly strong functions, and those kinds of things. So the answer to that would be yes.

Maxim: I don't really understand the difference in functions between security groups and WAF; can you explain? Chris, I've got six minutes, right? Okay, so let's do this. Let's actually walk through what these things look like from a layered perspective. Bear with me one second and I will draw them out for you. So let's do a nice little whiteboard session here, Maxim; let's answer your question. So let's look at it this way, Maxim. We're going to start from the edge and work our way in. From the edge of our network, right over here, let's say we would use Shield; this is in front of the network, Maxim. Right behind the network, we're going to use a firewall. A firewall is going to keep bad guys or hackers out of your systems. So at the edge of the network, firewall. Now the firewall is like the wall around the castle, and the wall around the castle keeps bad guys out. Now in a castle, should somebody get past the castle wall, they typically have this big thing of water, it's called the moat, and there's like alligators and sharks and all these evil things that'll eat you if you get past the firewall; that's called the moat. And right behind the moat there's typically these knights, and they're in armor and they've got all these swords and javelins and things like that. In a castle, that's your intrusion detection / intrusion prevention system. So what's going on is at the edge you've got some DDoS protection, then you've got a firewall that's keeping bad guys out, then right past that you've got your knights, or your soldiers, which are doing your intrusion detection / intrusion prevention; they're going to get you should you get past the firewall and the moat with the alligators and the crocodiles. Now this protects entry into your network. Now once they're on your network, you've got subnets in your network, so you've got to protect those subnets. So those subnets are being protected by a network ACL, an access control list that protects the subnets. And then after your network ACL, Maxim, you've got your servers. So this is going to be your servers, but how do you protect the servers? You put a security group in front of them. So network ACLs protect the subnet, security groups protect the server. So then on your server what you're going to do is you're going to put a security group, then you're probably also going to put a host-based firewall, you're also going to put some anti-malware, like antivirus, you're going to disable unnecessary services. That's kind of the way you're going to lock this thing down from the outside in. Maxim, did I answer your question with regards to the difference? So Chris, thank you so much for what you're saying; we really
do everything we can to try and help this cloud computing community, this cloud architect community. We love this community.

And William, what I described would be included in pretty much every single architecture that I would design. Now William, would this security architecture be everywhere? No. The kind of architecture that I'm talking about is a big global enterprise security architecture. If you're working in the finance space, they will be using this every time. If you're dealing with a global retailer, they'll be using this every time. If you're dealing with a company the size of AWS, they're going to need something like this every single time. If you're going to be dealing with any big global enterprise, the kind of people that are going to pay a cloud architect real money, they're going to be doing these kinds of things. If you're taking a 50-person company online, they're not going to be doing this. If you're taking a 500-person company online, they're probably not going to be doing this. But if you're taking any customer that has real big security requirements, any banking requirements, any fintech kind of environment, they're going to be doing this and more, and this is going to be on every architecture. And because, William Wallace, I have not worked in architectures that are not big banking, big global industry ones in 20-some years, I haven't designed an architecture that didn't need something like this in decades.

So, lots of different places. Generally speaking, Juniper Networks made some really good IDS/IPS systems, as did Cisco and Palo Alto. Knowledge Drive, in a lot of these cases some of these things are actually now integrated into the firewalls and it's becoming blurry lines, but there are still different options for different cases and you've got to look at it on a use-case-by-use-case basis. Did I miss anybody? Is there a need for WAF, Knowledge Drive? There's always a need for a firewall. Any time you're connecting to the internet you need to protect your
systems. If you want to use AWS-only things, you'll be using WAF. If you want to be using things that are more enterprise and more robust and bigger, you're going to be using things from the Marketplace. It's probably cheaper to use AWS things than it is from the Marketplace, and when you start using things in the Marketplace you need to know what you're doing a lot more. For example, the AWS devices like WAF are redundant automatically, meaning if one fails you have no problem. But when you're using a really robust security solution in your enterprise, it's no big deal, these are redundant devices; when you're doing it in the cloud these are virtual devices, meaning they're running on an EC2 instance, so then you might need to manage the availability of your firewall EC2 instances with things like Gateway Load Balancers and other things. So trying to do standard security in the cloud, this kind of basic security, is very challenging because you've got to work around the limitations of the cloud. So I hope I kind of helped you out with that.

So let's talk about CloudFormation. Now I'm not Mr. CloudFormation, because CloudFormation is much more of a sysops thing to do than an architecture thing to do, but we're talking about security and I want everybody to know, from an architectural perspective, security and CloudFormation can kind of go together. So when you're dealing with high security environments you're going to be trying to do a lot of things. First you want to keep bad guys out, then you want to make sure the users inside your things can't break anything due to accidental things or malicious, and you want to make sure your systems are hardened, meaning they're less vulnerable.

So I will tell you, in my life experience, what I used to like to do was experimentation days. When I was younger, when I was a junior networking engineer, well, I was a senior networking engineer, I've never been junior, but before I was an architect, that was the most junior job I had, I'd run
around the network, I'd create SPAN ports or mirroring ports on switches, and I'd be plugging my sniffer in everywhere. A sniffer is a protocol analyzer, and what I was actually doing is I was looking for things that were plugged into the network. And let me tell you the things that I found. I found what the network was used for: music streaming services, users were buying stuff all day, users were posting illicit materials and videos on the internet, users were doing all kinds of things. Guys had backdoor servers that they plugged in so they could watch TV from home over video streaming. You never know what you're going to find on the network until you look for it, and trust me, your users will create 8 million back doors to your network and security holes and network holes like you can't possibly imagine.

So when you can automate what people are allowed to place on your network and limit it to that, it's helpful. So if you have some form of a CloudFormation template, or some kind of template set up where basically you can have an image or a hardened operating system for your servers, and everything's been designed exactly the way you told it to be, and you can deploy that same operating system in the exact same way every time, fully patched, known vulnerabilities closed, now you're in a more secure situation. And CloudFormation enables you to do that. It enables you to template a good configuration, and because you can template a good configuration, guess what, you can make sure that only the good one is what's launched. So I love the concept of using CloudFormation to template known good configurations of your services, because it'll help you make sure that everything you place on your system is what it's supposed to be. So now you know about CloudFormation and why we use it in the context of security, or why we talk about it in the concepts of security.

So there are templates available for a multitude of options, and when you're writing these things, typically think of a YAML format like
you would for a container, or JSON like an IAM policy. What you're going to do is store your basic code in an S3 bucket, and you use the code via the console, CLI or API, and realistically speaking CloudFormation is going to provision your thing. And Rob, we'll get to your question very soon; Chris, take this question down please.

So while we're here and going through some of these AWS services, let's talk next about the Service Catalog. The Service Catalog is another good way to limit what's placed on your systems. Can you tell what I'm trying to do here? We're trying to limit all the stuff you can stick on the system to the stuff that's safe, not the non-safe stuff, that's all. So when you're using the Service Catalog you can basically limit what's placed on the network. Here's what you do: you create a list of approved things, Amazon Machine Images, servers, software, databases, architectures, and that's it, and you limit the ability for systems administrators to turn on anything that is outside of the Service Catalog. You can only do things that are allowed, and because you're only doing things that are allowed, you can only allow highly secure things onto your systems. How cool is that? Only secure stuff, wow. Keeps you from having non-secure stuff in your systems. And yes, I use the term "stuff". English is not spoken as a primary language in my house, Greek is, and I have this really sweet mother-in-law, she's 82 years old, and she learned the word "stuff" and it kind of stuck with me. It's how she describes lots of content. I absolutely love it, so anyway it's been integrated into my vocabulary as one of those completely non-professional words that I just think is cute.

So anyway, let's talk more about the Service Catalog. Here's what it's going to look like: you've got a user, they hit the Service Catalog, it says you can do this CloudFormation template, and it allows them to launch a certain number of things. That's how these things kind of work, keeping you limited to
installing things that are safe. Lots of environments where you're allowed to be in places where things are safe, they lock you down to the things you're allowed to do. That's all the Service Catalog does.

So now we're looking at some of these kinds of concepts. Let's start looking at the next thing, and this is the Systems Manager Parameter Store. So what's going on here? And I don't make up these names, these names are crazy. Let's say for example passwords are part of your security policy, and you know, the more secure your systems are, the more secure the passwords are, if and when you need to use them, the better. So if you have to use passwords, and there are passwords that are required, or database strings, or license codes, where do you put them? Do you put them on a sticky note on your monitor? Trust me, in all the organizations I've seen, I've seen a lot of that. Not recommended. If you store them in Notepad and store the file on your desktop, again, not really recommended. Do you store them in a folder on your hard drive? Not recommended. Do you have a contacts list in your phone? Not really recommended. So you know, this is what goes on. If you've got to maintain passwords, database strings, licenses, you've got to do something, and AWS has a secure environment to store your passwords. They call it the Systems Manager Parameter Store. Of course, if they were like me they'd call it Password Store, but you know, they've got to make it complicated, they're going to have the marketing team make it sound cool, they've got to make it so complicated that you need, in the certification exam, to understand the name of the service and what it actually is. So Systems Manager Parameter Store: a place to store your passwords, that's really all it is. So if you've got sensitive information, store it there. You can encrypt your information. Separately, by doing it here, it keeps your code away from your passwords and provides a great way to audit access. So in other words it's
going to store your passwords for you. That sounds great. William, that sounds like some great music in the background.

So let's talk about the next service, and this is called AWS Config. So Config is a service that's going to enable the assessment, auditing and evaluation of your AWS configurations. The good news is it provides an opportunity to see what changes are made and by whom, so when a change is made, basically these systems can send an SMS alert. I will tell you from almost 30 years of experience, but we're going to call it 25, that most problems occur when somebody does something that breaks something else. It is so common, and typically speaking, when you go and ask who made what change, the whole room gets mum, everybody's quiet, and now you've got to spend the next three hours fixing something where someone could just say "whoops, I did this". So this stuff happens like literally all the time. And I've worked in banks where one minute of downtime cost well over a million dollars, and you're spending six hours trying to figure out what one person did. Well, if the person just told you what they did, it's no big deal. When you have to spend six hours because the person's hiding it, well, that person is no longer working there in the end, because by the end of it you could have dealt with a half a billion dollar mistake, and I've seen it happen time and time again. So AWS Config enables you to figure out who made changes, a great way to fix things pretty quickly. What AWS Config does is it looks at your configurations and it's constantly monitoring them, and if something is against policy, boom, it'll send you an alert, like an SMS alert, it's great, or a CloudWatch event, terrific. Helps you find a way to see what's going on.

Now when you're going to a five nines available network, meaning 99.99 available, which means five minutes and 15 seconds of downtime per year, that's it, now think of a reboot of a Windows computer taking a minute and a half perhaps, you don't have a lot of
downtime when you're dealing with five nines. And a bank needs five nines, a healthcare organization needs five nines, a big global retailer like Amazon needs five nines. So when you're dealing with this kind of architecture you need to know what's going on. Change management is the biggest part of the process. Any change that I make can affect someone else. The network, the body, they're the same. The reason coming from medicine made networking so easy for me is I looked at it like, okay, we've got a cardiovascular system, we've got a circulatory system which gets the blood to the body. A network's like the circulatory system: one system affects another system. If you stop breathing your heart stops, if you lose a limb you bleed to death. Well, the same thing happens in networking: when you break one side it affects the rest of the body, or the rest of the network. So Config helps you sort that stuff out.

So when you're setting up Config, think about it this way: a change is made, Config notes the change and records it, then it'll check the change against the policy to see if it matches the policy, and if it does not it will notify systems administrators, maybe with an SNS alert or a CloudWatch event. So yes, you're going to use SNS with Config, that's typically the way I would do it. So realistically speaking, visually you can see what it looks like over here and what's going on over here: you can see a configuration change has been made, Config will monitor the change, and it will notify you.

So let's talk about the Certificate Manager. Now this is another AWS service that you can use with security, and the Certificate Manager is basically a service to manage your SSL/TLS certificates. So if you needed to get a certificate you can get it straight from the Certificate Manager. These are the certificates that you would put on your website for SSL or TLS purposes. So the AWS Certificate Manager basically enables the simple provisioning, management and deployment of
certificates, and it's going to allow users to deploy certificates on their resources quickly and easily. And Certificate Manager provides free public certificates for your load balancers and things. So what's it going to look like? You need a certificate for your devices, you go to the Certificate Manager and you get an SSL/TLS certificate for your CloudFront distribution or your load balancer, no big deal.

So let's talk a little more about it. You've got two options with the Certificate Manager. You've got the basic Certificate Manager, and this is for you as a customer when you want a certificate, as we described, to secure your external solutions. But there are times where internally you might want to use a web-based interface, not for the public internet to see but for your internal employees, and if that's the case, what you're going to use is something called Private CA. This is basically an internal certificate used internally, so you can use them for computers, servers, more devices, and basically it's a private certificate you buy. But these you have to pay for: if you want to use a certificate internally you purchase it, versus the Certificate Manager for public things, which are free.

So what we're going to do is talk about two or three more services, then we'll take a few questions, even though it's only been 10 minutes, then we're going to put the security pieces together one more time, we've already started to do it, and then we'll move on to the next topic, which gets to some fun stuff. So let's talk about some more AWS security services. The first one we're going to talk about is GuardDuty. Now GuardDuty is an AWS service that's going to help monitor your AWS accounts. It's going to look at your CloudTrail, which means your logs, your DNS or your domain stuff, and it's going to look at your VPC Flow Logs, which, as we showed you yesterday, is the traffic going through your network so you could see what's going on. And Guard
Duty is going to look for patterns of behavior associated with bad stuff, like a compromised system, and if something bad happens GuardDuty is going to send a CloudWatch alert so you know about it.

The next one we'll talk about is Inspector. Amazon Inspector is another automated security assessment service that helps improve security and compliance. What does it do? It constantly assesses your applications for vulnerabilities, exploits, deviations from best practices, and ultimately what happens is, after Inspector does its thing, it's going to give you a detailed list of things that it doesn't love. So it's automated, and when you get automated anything, it's questionable, remember that. You're going to get a list of a million and one things; some are real, some are not. It's up to you as the architect to actually know what matters and what they really are. So that's Inspector, automating things.

And then Amazon Macie. Amazon Macie is another fully managed security service, but this one uses machine learning to look at pattern matching and protect your data from sensitive things. Macie's going to provide an inventory of things that are in your S3 buckets, for example unencrypted, encrypted, and if something goes wrong, nice, you can actually do something about it, by helping you know about things like personally identifiable information being released. So realistically speaking, these are kind of the things that are going on.

So stop it right there, let's open this up for questions. The first question I actually see is: what is the difference between WAF and a host-based firewall? So I'm going to answer that. WAF is something you use at the edge of your network to keep bad guys out of your network. So figure it out this way: external network, IDS/IPS system, network ACL protects your subnet, security group protects your host. On the host you can install a host-based firewall. That means if everybody passed your WAF and your IDS system and your network ACL and your security group,
it's an additional level of protection on the inside that you install inside the server. So a host-based firewall is just additional security that you put on your servers after they've passed all those other security checks. So Rob, did I answer your question there? I hope I did, and if you've got more questions I'll answer. Such a good question, I'm happy to answer it in more depth.

Next question is from Knowledge Drive: what is SNS? So AWS SNS is Simple Notification Service. It's a way to alert you of something. For example, let's say that something bad is going on in your system, you can set yourself up to get a text message notification to tell you to go do something about it. So SNS is a messaging service which can be used for a lot of different things, but they call it Simple Notification Service because, look at it this way, you get a text message to say there's a problem going on in your systems. So that's what SNS is.

Let's see, another one. So William Wallace, when I'm actually doing the kind of systems that I've been describing in a bank, a bank's going to have such tight control policies that things like Macie and Config and all these other things, it's not going to hurt them, they're definitely going to use them because they're going to employ everything, but they're going to be much, much, much better on their own than any of these AWS services that you're going to use. These services are like icing on the proverbial cake, and the bank's cake is going to be this thick in terms of security, and these little services are like this thick in terms of protection, versus this thick for what the bank's going to be using. So understand what these services are: each one of these additional adjunct services are things to help you, and the less you know, the bigger help these things actually are. The more capable a company you are, the more experienced you are, the less useful these things will be. Finding a highly qualified network and security cloud architect is really tough, so you know,
anything they can do to help people, they do it along the way. But if you're really good you're going to be using much better than this, and a good bank is going to have some really strong, highly paid, highly capable cloud architects that are going to be in a position where they know all this material because they're really studying, and they're studying it a lot.

Any more questions before we talk about, you know, kind of the protection overall from beginning to end? Because I'm going to give you Mike's high security step one, step two, step three, step four, step five cookbook. You guys ready for the cloud security architect cookbook? If you're ready for the cloud security architect cookbook and you're still awake, let me know. I'm looking for cloud architects, cloud security architects. There's 63 people here, I want to make sure you're still awake, so let me know and then we'll go into the cookbook, if you guys want to learn how to secure your systems. I don't know, there's a little bit of a delay here. You guys out there? Chris, there could be a huge delay today. There's typically a fair amount of delay. Make sure that I can still see this since it's looking quiet. Okay, Knowledge Drive, I can hear you there. Let me know you guys are out there, and then if I see enough people that are out there, what I'll do is I'll give you Mike's cloud security architect cookbook, take a lot of the complexity out of it and give you kind of a summary of 25 years of security background experience. 11 p.m., thank you for participating and staying there, Knowledge Drive in India. AWS, if, exactly. Oh Alex, very good, "clefty" means thief in Greek, nice job, we'll keep the thief out. Nice job there Alex. Arun, wonderful. I see you guys are here, makes me happy. So you guys are here becoming great cloud architects, you're learning network architecture, security architecture, let's party.

So let's put all these pieces together. I just talked about a million and one AWS security
services, so we're going to map it out again. So here's the rule. First, keep everything out of your systems that you don't want to be there. What's the best way to do that? Don't give out the routing information. If you don't have a route to it, you can't reach it. Then we're going to talk about that step by step. Use DDoS protection; why? DDoS is one of the most common attacks, period. Then we're going to talk about firewalls and protecting the edge, keeping the bad stuff out, then we'll talk about the network ACLs, then we'll talk about keeping traffic out of the host, and then we'll talk about making sure your systems can self-heal themselves.

So, routing. My first and favorite tenet is this: don't let anybody have a route to anything you don't want reachable. Plainly, if you don't want people coming into your house and you live in the middle of the ocean, don't build a road to it. That's it. So you want to be completely isolated; only give routing information to those who need it. What do I mean by this? Let's look at it this way. When you connect your systems to the cloud, maybe the operations people need to reach them, maybe the development people need to reach them, maybe the testing people need to reach them, and maybe no one else in your 100,000-person enterprise actually needs to reach your cloud-based systems other than those three departments. And in many cases that's going to be true. So what's the recommendation? Only provide routing information to the subnets that need it, and block all those routes from being given to any subnet outside of those that need it. So lock it down. Provide the routing information to the cloud for the three subnets, the people that need it, and you're going to advertise those subnets into BGP. So only advertise those three subnets, and when you're taking the routing information from BGP from AWS, don't redistribute those routes into other places that actually don't need it. So make it very clear: only routing information to those who need it. By doing this you could
probably knock out 50% of all your security vulnerabilities right there, because if you don't have a route, you can't reach it. So be the isolated island in the middle of the ocean, as opposed to the house in the middle of the ocean with a bridge. For example, if you're in Dubai, they've got this beautiful hotel called the Burj Al Arab. It's sitting a couple hundred meters into the Arabian Sea, and it's beautiful. They've got a long bridge to get there. Now if they didn't have that bridge you'd have to arrive on a helicopter or a boat, but they've got a bridge. So you want to be out there and be isolated. Don't give routing information to those that don't need it. So that's part of it.

Now that you know that, place the people in a specific place. So lock down your users that need access into a specific VLAN. Now when your users are accessing a system and they're in a VLAN, we need to further secure that VLAN. So a VLAN, or a virtual LAN, is basically when you take a switch and you chop a big switch up into logical switches with little ports. Everybody in a VLAN can talk to each other, which normally speaking is good. Let's say every last one of us were in a VLAN, and let's say Steve is in a VLAN and Brenda's in a VLAN and William's in the VLAN and Ragus and William and Rajiv and Arun and Balwinder are all in the same VLAN. They can talk to each other, which would be good. But let's say Balwinder has a cold, and Balwinder and Arun are in the same VLAN. Balwinder could give the cold to Arun, which generally speaking is part of life, no big deal, we all get colds. But if Balwinder's system is hacked with malware or a virus, and she's in the same place as Arun, Arun can now be hacked. Now if Arun is hacked and he's in the same VLAN as Rajiv, Rajiv can be hacked, who's in the same VLAN as David. The next thing you realize, every one of these hosts in the same VLAN is hacked, and now they can attack our systems. So you know what, where your systems matter, use private
VLANs. What is a private VLAN? It's when you put 200 users in a single broadcast domain and they can't talk to each other unless you create policies. So lock your VLANs down further. Make sure nobody can talk to anybody that doesn't need to, further isolating your system. So no route, use VLANs to segment your network, and lock your users in the VLAN so they can't talk to each other unless they have to. By doing this you're going to knock down an even greater percentage of things, and we haven't even touched things that people call security yet.

So only give the routes that are needed. The last thing that's really important is in your data center, where your users are connecting to the cloud, because if your stuff's hosted in the cloud, your users still plug in, and they're going to connect to your cloud services via Direct Connect or your VPNs. Make sure that you only allow users into those VLANs that are the right users. So of course at some point we'll talk about IAM, but we're still talking about the network. If I plug my computer into the network and I'm blocked by 802.1x authentication, and I'm a hacker, even if I have access to the servers I'm not in, because I'm not authenticated. Somebody comes into my house and they try and plug their ethernet card into one of my switches, they can't, because I'm using 802.1x authentication. So when guests come to my home I have to put them on a specific VLAN where they're allowed to be and not able to hurt me, because this is what you need to do. So: no routes, use private VLANs, and don't let anything on your VLANs that's not properly authenticated.

So let's talk about some more. So that's now how you lock down your systems from a network security perspective. This rides throughout your systems, and in every VLAN environment you have: limit your routing information, private VLANs, 802.1x authentication. Now the edge of your network. And we're going to map it out again, we're going to draw this picture again in a few minutes so
everybody understands it. Map it out at the edge. So at the edge of your network, block it with a firewall. Firewalls keep bad guys out. Firewall at the edge of your network, everybody's out. And prior to your firewall, if you're doing any kind of web things, provide some DDoS protection, because DDoS stuff happens. DDoS, then firewall, firewall keeps bad guys out. Behind the firewall, the firewall's the castle walls, bring some Navy SEALs or SAS commandos with you. If anything gets past the castle walls, the firewall, let your Navy SEALs and your UK SAS commandos go take out the bad guys. That's your IDS/IPS system. Now if anything is able to get past your firewall and your commandos, now they can get to your subnet, but don't let them. So use an access control list, a network access control list, on your subnet, keep them out. So firewall, castle walls, Navy SEALs and British SAS commandos, behind that a network access list. Now can you get past that? Keep them out of your system by using security groups, and keep them out of your system by adding a second, host-based firewall. Lock it down by disabling unnecessary services, lock all these ports down, and patch your systems.

So now you've got a concept of what the outside-in looks like. But what about DDoS? DDoS is pretty nasty stuff. Use some DDoS protection. DDoS protection is a lot of things. Now the world will try and tell you DDoS protection is just Shield. It's nonsense. Everything we talked about so far is DDoS protection. It is layers. When you're dealing with network security it's like dressing for sub-zero degree weather: layer after layer after layer. So prevent your DDoS attacks, use some form of DDoS protection, Cloudflare, Shield, Shield Advanced, whatever. Protect your subnets, like I told you, with network ACLs, and then finally lock your systems down, put a host-based firewall on them, and when you're done, ideally add some intrusion detection to your host-based firewalls. And what happens? You're going to install an agent on these systems, we'll map it out
one by one, and if anything happens, again, these things can help thwart the attack, because they can tell your IDS/IPS systems "hey, something's gone haywire". So lock it down, lock it down, lock it down. Add rules, reset TCP connections, these are the things in your IDS/IPS systems, and if you've got your hosts involved in it they can give better information to your systems.

So how does an IDS/IPS system work? What is it going to do to thwart the attack? It'll do the following: it'll drop bad packets, it'll block TCP addresses like an access list, it can reset a TCP connection, and it can alert systems administrators. So we're going to map it out one more time. This concept of network security is super important, so let's map out all the components before we move on to the next things, so I want everybody to truly get this.

So let's look at our overall security policy for an organization, starting with the outside. I know we did this once before, but I want to do it once more and I want to do it a little more thoroughly this time, now that we've all covered these services. So let's look on the outside: DDoS protection. DDoS, so with AWS it's called Shield. You know what, if we're using another cloud provider you can go to the Google chart and find Google's replacement for Shield, or Azure's replacement for Shield. When you know the modules, the brand, the vendor of the cloud is completely irrelevant, you just pick the name of the service. So we're going to use some DDoS protection, we're going to call it Shield. So after Shield we need a firewall. So pick a firewall, and if we're going to do all AWS, let's just pretend it's all AWS right now, we'll use WAF, no big deal. Actually, let's not. Let's create a banking enterprise architecture, let's use an enterprise-grade firewall. So let's say Marketplace, let's say Palo Alto. Now let's say Cisco, because I worked for them for decades and I love Cisco, I think they're one of the best tech companies in the world. And then let's say we wanted to use, let's say
marketplace let's say palo alto so what do we got over here we've got our firewall we've got our ids idea ips now we're getting into some serious security work here now over here we're going to have a security group which is going to which is going to protect our actually now we're going to have a network acl we're going to protect the subnets we're going to say protects subnet and then after the network acl we're going to protect the service or the host with a security group and we're safe protect server or host and then because that's not enough we're going to put in some we're going to go to the host or the server and we're going to put a host-based firewall maybe some host-based anti-virus ids ips systems again to some managers and agents let's put on some anti um malware whatever you want to call it and we're going to disable everything like if you don't need ssh running on that service shut ssh off it's a security violation if you don't need a web server running shut it off so we disable services and then we patch constantly so this kind of gives you the cookbook approach to this but this still isn't enough so what do we need to do we need to be really careful with our authentication methods so we need some good form of iam which in most of these enterprises is going to typically be microsoft active directory with some form of federation so it's typically going to be microsoft ad now what about our hard drives and our servers like or or any equivalent like if somebody were breaking the aws data center and steal our stuff we'd have a problem so we want to make sure that our storage is encrypted and how do we do that neoncrypt i'm not a great speller we enabled the key management system and aws to do that so we've got some kind of an im policy but wait can't we make can we do additional things over here can we add things like what were those adaptive services called things like macy to kind of increase the security inspector why not use it oops inspector config 
you know, use these things. You've got access to more information, use these things. So now you're starting to look at what goes on this, but we still haven't got to the networking things. So on the network side, we're going to segment the network. Then what we're going to do is we're going to limit routing. Then we're going to use private VLANs. Then we're going to add MAC address authentication.

Now what you see here, now we're starting to get into a security policy, and let me tell you, this kind of security that we're talking about over here, along with training your users for prevention against phishing scams, this is serious network security, and this is the kind of security you can propose to a global bank and they'll adopt it and they'll like it, because they're going to use it. So this is industrial-scale network security, what it looks like when you put all the pieces together. This is the kind of system I've designed now for 25 years. It works almost everywhere and I've been recommending this forever. This is the way, I would say, 95 percent of all global enterprise security designs are done, by the CISSP or the CCIE population like me. I've been a CCIE for 20-plus years, I maintained the CISSP for a long period of time. Cisco at one point said every architect we have is going to become a security architect, so we all did it. So security is part of everything that I've done, and lots of security training in my life, so lots of great feelings for these kinds of things. But that's kind of where this works.

So now we've got some security architecture stuff that we've talked about, and we're going to be talking about some network performance and improving these kinds of things, which is going to be some fun stuff. But before we do that, anybody that knows me knows that I want to make sure that people are not lost, and that's why I try and do these with 20 minutes of discussion presentation, 10 minutes of questions. So
any questions for me before we move on? Thank you, Delroy. Any more questions before we move on? I know there's about this 45-second delay, which is so hard to contend with. Okay, William: how long would that scenario take to set up, and could one person do it? So, realistically speaking, in the situation that I'm talking about here, the DDoS protection could be set up in minutes, the firewall, you know, could be set up relatively quickly, the IDS/IPS system is relatively simple, planning out your network ACL and security groups, you know, it's not necessarily so challenging to do this; it does take some time. So sorry, Vibe Nation, about being overwhelmed. We are doing some relatively advanced security functionality here and we're doing some very advanced network functions. If you're feeling overwhelmed, what I'm going to do right now is I'm going to invite every person to my free Tuesday webinar, and what we're going to do on this webinar, if you're not one of my students, I'd love you to join it, it is on Tuesday next week and I'm going to give you the link for it right now. What we do on this webinar is we will literally have you guys interview me just like you would in a real architectural environment, and when you do that, what's going to happen is I will present a case situation to you exactly, exactly, exactly as it would be in real life. You will interrogate me, you will ask me questions just like you would in an architecture environment, and then you will architect the solution. So Vibe Nation and others, if you're overwhelmed by this, and by the way I would expect all of this stuff to be overwhelming to people unless you're coming from a network background or a data center background, then realistically speaking please feel free to join us. This is a free webinar, it'll be on Tuesday. And of course if you're new and you have less cloud background, you can take our free AWS Certified Solutions Architect Associate training program; the link is in the
description below and it's free, and our AWS Certified Solutions Architect Professional, again the link for that course is completely free. Vibe Nation, the Security+ is an okay place to start. It is an okay place to start, but when it comes to the security architectural world we're typically looking at a CISSP or a CEH as the minimum necessary certification for someone to be hirable with a security background. So William Wallace: as an architect, would you do any of that, or will you design? As an architect you're going to design. William Wallace, architects are designing positions. The architect position, and I've held it for years, initially I started working as an engineer, and as an engineer you build it, but as an architect what's actually going on is you're designing it. People pay you as an architect for your knowledge. It's a very different kind of position, it's a knowledge position. You're going in there to meet with a client to basically ask them what are their current systems, what are their business goals, what are the legal and regulatory requirements, and based upon that you're going to go solve their business challenges with technology. So William Wallace, you're not going to be programming, you're not going to be configuring, it's all design, design, design. Now will you be doing some ROI modeling of the solution? Sure. Will you be doing lots of presentations of the solution? Sure. So the MBA background type of thing, or the ability to understand the financial industry and do an ROI model and present that to an executive with budget, is far more important than the knowledge necessary to go configure something. You still need to know how to do it, because you can never be in a position where you don't know how things work, but as an architect you are the expert, expert, expert in making these things work by designing them right. If you don't have the right design, nothing will ever work. So please join me for one of those free webinars. So Knowledge Drive, I
think you would do great in our program. Chris from my team actually provided the link to the training program, and if you click the link to the training program you will see the cost of the training program as well as a 20 percent coupon to make it cheaper, and if you've got any additional questions on that or would like to ask us, I will provide the link to our office and feel free to call us. Let me go to the next question. Vibe Nation, cloud architect is a great career. So Sambat: AWS WAF comes at what layer of security? So that would be considered a firewall, or perimeter or edge protection. Is AWS WAF appropriate? In a lot of cases it is, in a lot of cases it is not. If I'm designing a system for a bank, I'm not using WAF, I'm using something from the marketplace. If I'm designing the system for a company, meaning if I'm designing systems for an organization that's small, that's got 100 users, 200 users, I'm going to use WAF. So whenever you're dealing with security architectures, and this is a good question, I'll hold on to it before we go to the next thing, you really have to look at what are you protecting. So if you're protecting a billion dollars, the security necessary is greater than if you're protecting a hundred dollars. So what you have to do is you need to basically go out there and solve a problem that needs to be solved. So if you're going to protect a massive asset like a nuclear bomb, you're going to need a whole bunch of security, and if what you're protecting is very minimal, like my kitten, I love my kitten, but actually my kitten gets lots of security, but outside of my kitten, if you're going to protect the stray kitten outside, you're probably going to use less security to protect the stray kitten than you would a billion dollars. My kitten's kind of like my little child; my kid's got a martial arts expert father, that's, you know, another story, so my kid's got protection. But you know, normally speaking, you
know, what's going on is, you know, you protect an asset with what matters. So I can't say to pick one versus another; it's based upon the needs and the security requirements of exactly what you're trying to secure, and that's kind of how you can figure it out. Now I'm trying to find my mouse to go back to the beginning, but I am not necessarily sure what's going on with my mouse, so please bear with me. Oh, I found it. When you have three monitors occasionally you lose your mouse. So let me check and see if there's any more questions. Okay, perfect. Any more questions, or are we ready to go back and start talking about some cool tech? Okay, these are two really good questions. Is it better to go for CCNP Enterprise or CCNP Data Center? Generally speaking, for routing and switching people I would say Enterprise, although the Data Center one is pretty good, because the cloud is nothing more than a network of data centers that's been virtualized, so that would be a really good one, so Enterprise is primarily the main one that I would typically say. Once your design is approved, what do you do next? Thank you, Mr. Mack, or yeah, I think you're Maurithi, but I'm not sure, but anyway I'm thrilled that you're here. So once your design is approved, what do you do next? Typically speaking, once your design is approved, typically you'll either be the leader while the engineering team builds it, or you'll go on and move to the next design with the next client. Typically speaking, a guy like me, I design systems and I move on, design systems and I design systems, and after I'm done designing, a program manager leads it and I'm really moving on to the next things. But if you're more junior you might be involved in managing the design with a project manager. David, the next Q&A session is as follows: on Monday and Thursday we have a completely free "how to get your first cloud architect job" webinar, and we present for an hour and you can ask any questions
that you desire. Then on Wednesdays we do a YouTube Live, and on Tuesdays we do an absolutely completely free webinar where we give you a cloud architect experience webinar. So I listed the thing for the cloud architect experience webinar; this is the how to get your first tech, cloud or tech job webinar, and I hope I answered your questions there. Knowledge Drive, is there a need to learn SD-WAN at some point? Sure. In the short term I would focus more on BGP, because it's more important for the average user right now. Philip, for a whiteboard interview, will companies have you design for their company or in general? More generally, for a general architecture. I have been, Philip, before we move on, I've been actually on a job interview at one point, and on that job interview, actually twice in my life, I was solving problems that no one in the company had ever been able to solve before, but you know that's rare; typically speaking you're solving things that are typically different. And Chris said, for my team, the link is everything. So Cloud on Rep: SD-WAN with the Viptela, you know, is it really good to create a transit VPC? Yes, it absolutely can be done. Viptela is a good option, Meraki's got a good option, Versa Networks has got a good option; there's lots of good SD-WAN options out there, but for the most part let's keep it to BGP, because that's the majority of what's going on where most people tend to struggle. So let's get back to our tech content. Thank you, William Wells, and I don't know what you mean by GI friendly. GI Bill things are typically loan based; we're beyond GI Bill. For Vibe Nation, our pricing is effectively the cost of one day of work for the average cloud architect, so happy to discuss unique military things with you. We've got some special military initiatives, and if that's the case with you, if you're ex-military give us a call, I'll put our phone number down. And any of these firewalls, IDS/IPS systems will block your system from SQL
injection attacks, done properly, from the full architecture. Okay, so let's go back to the content, and now we're going to get involved in network performance. So to me the world's all network, and the reason the world's all network is if you don't have a network nothing works. And the reason I love kids, or teaching people to be involved in the network, and the reason the networking is so important to me, is it's the foundation for everything. And because, you know, I'm an MBA and because I'm an economist and a psychology person, you know, when I studied medicine I almost did a degree in psychology because I loved it so much, so my whole life I read about psychology and sociology, and part of that is economics because I'm a finance guy too, and I worked on Wall Street for a period of time. Watching what actually goes on is great. Now, the network is the key. Here's what's so great about the network: almost nobody understands it, and nothing works without the network. So when you add networking and security to your portfolio you now place yourself in an elite league of your own. You've got no competition out there, and the reason is everybody in college learns programming, so there's a million to one programming people; it's not a special skill. No one knows the network, or almost no one. So when you know the network and you know the cloud, you're going to be in a beautiful position. So the network is the key, and I'm going to tell you this: of all the people that thought the network was not the key, I've spent 25 years fixing things for all these organizations, and we're not talking little mini organizations. I've worked with organizations that do a couple hundred billion dollars of revenue a year, and we're still fixing their network. So big global organizations: the network is the key. It's the place that people don't think about until it doesn't work. Almost every problem I've ever seen in the last 25 to 30 years is networking related: the performance wasn't there, the latency was too high, the
bandwidth couldn't be supported, there were no QoS policies, there was no security, network problems, routing errors, routing loops, those kinds of things, or switching stuff. So the network is the key.

Now when you're dealing with the network, typically speaking, there's a couple of challenges that you could be contending with, and the types of challenges that you're actually contending with are going to be typically one of the following: they're either going to be latency, jitter, bandwidth or packet loss. Now latency is the first one, and I'm going to show you what I mean by latency and how bad it can be or not be. Latency is how long it takes to go from point A to point B. Latency, generally speaking, is related to the distance and the processing that has to occur. When you're using a cable of some kind, so bear with me, when you're using a cable of some kind, what's ultimately going to be going on is as follows: you have to send, if it's fiber optic, a photon, which is coming from a laser, it's a unit of light, or if it's going over a wire, it's an electron, and again it takes time for the electron to cross the wire. So latency over a private line is going to be the time it takes to get there, plus every time you go through a router or a switch or a server there's going to be a time element to get these things completely perfectly straight. So that's the latency. Latency, if it's consistent, is generally speaking not a problem (yes, this is recorded), but when latency is not consistent, typically speaking there's a lot of problems.

So let's look real quickly at a line with good consistent latency. Now in this particular case this is actually my home; I used my internet and I went to CloudFront. Now I've got a very big fat internet pipe in my home, I've got a gigabit connection to the internet both up and down, my link is not congested, and look at what my latency is if I ping amazon.com and I send an ICMP echo message to them,
by the time it gets back it's 20 milliseconds. Not fast at all, but consistent, and if you look, I sent 28 packets to them, I got all 28 back and I lost none. So this is a good consistent line, and I could use it because it's consistent; we can work with this. Now this is usable. Let's look at my firewall. This is my firewall that's connected to the internet; you can get some information here. Here you can see I've got relatively consistent latency, I've got a good connection, my average latency is around 8 to 10 milliseconds, it looks good, and I've got low packet loss, but you can see I've got a gig that's usable, and you can see what I'm using: uplink traffic 25, 30 megs. I'm not using it, but now you know what my network can do. So that's consistent. My network right now is relatively consistent, and I can do most applications over a consistent network like this because it's good.

Now let me say this: what happens if things change? For example, what happens if there's inconsistencies in our networking? That's called jitter. So if it's one millisecond for one packet and 10 milliseconds for the next and then three milliseconds, that's a problem. Why is that a problem? Because if I send a thousand packets and each one takes a different amount of time to get there, they're going to show up out of order. Not good. Video: out of order packets, problem. Voice: problems. So if you've ever had a cell phone connection that sounded pretty bad, here's what's going on. When you're watching TV and you get little pixels and it looks like, and you're saying, something like that, you've got packet loss, and drastically speaking that's what's going on. So that's latency. Latency, if it's consistent, less problematic, but if there's variations in latency, that's called jitter, big, big problem.

So now let's look at a high latency line, and this is why you'll... my wireless is not good here. What I did is I took my Mac Pro and I sourced it through my 5G iPhone 12, whatever, 12 Pro Plus, whatever they call it, the big thing that I can
barely type on because my hands are already too big for the silly phone, but that's neither here nor there. So I sourced my Mac Pro to go out using my iPhone 5G network. Now look at what's going on. Previously I had 20 milliseconds of latency round-trip time; now my first one is 62, my next one's 59, the next one's 68, my next one's 47, the next one is 76 milliseconds, the one after that's 92 milliseconds. This is terrible. Anywhere from 92 to 50 to 44, my packets are arriving all over the place, out of order. This is a disaster. Now look, I sent 33 packets and only got 32 back, I lost 3 of them. So huge variations of latency, huge jitter. This is a line that's going to be horrible for streaming video, horrible for streaming audio; this is going to be a disaster of a line. Could I use this for file transfer? Sure, but that's about it. So understand, you know, this is good, this is consistent: 20, 20, 20, 20, 20. This is not consistent. This is internet; internet is not consistent. You can't guarantee your traffic makes it, and that's why internet is only for things that don't matter. If it matters, you're getting a direct connection. So that's latency.

Now by comparison think of bandwidth. Bandwidth is the maximum amount of throughput, stuff you can do. Latency is how long it takes, latency how long it takes to get there; bandwidth is the amount of throughput, the amount of stuff you can push through the link. Bandwidth is going to be measured in megabits per second, so you could have a gigabit per second link, a 10 gigabit per second link, a 100 gigabit per second link, but that's your measurement: bandwidth, gigabits per second, megabits per second. Now that's kind of the bandwidth that's available on the link. Now here's where it gets ugly, and when you're dealing with transmissions, just because you have the link does not mean that you're going to get the use of the link. So yesterday I told everybody, when we were having fun, I said UDP is used for streaming data because you can't use reliable transfer for
streaming data, because you can't deal with retransmissions and out of order packets, and I said TCP is highly useful for reliable, because I send a message and the person says "I got it," so I send another message and they say "I got it," so I send a third message and they say "I got it." This is the way this works. All good stuff, right? Okay, well that's the way TCP, for example, makes sure you send a certain amount. So just because your bandwidth is a gigabit does not mean you can get it. For example, let's look at the flow control that exists in TCP. So when you're using TCP, TCP is reliable and it works this way, through a data transfer and a handshake. So what's really going on when I want to send something using TCP to someone else: the first thing that I do is I send a SYN, which basically says "open the connection," and then the receiver says "I acknowledge it, yes I agree, and I'll send a SYN to open a connection with you," and then the next person will acknowledge it. Now the setup is done; that's how the session is established between two or more users. So now let's look at this, the way this is going to work, the flow control established in TCP. So a packet is sent and an acknowledgement is sent. The next time it sends two packets, an acknowledgement is sent. The next time it sends four messages, and if an acknowledgement is missed, retransmission starts over at zero: it sends one packet, waits for an acknowledgement, sends two packets, an acknowledgement is sent, and will stay there. So what happens is TCP will adjust the flow control up or down based upon whether the packets are being received. So you could have a 100 gigabit link, but if you're losing 10 percent of the data you might only get one meg of throughput, because it's going to be super slow because of this constant TCP sliding window sliding up and TCP window sliding down, up and down. So flow control, which is why I said when you need consistent guaranteed performance you must use a direct connection, because even if you have the bandwidth on the
internet, the consistency is not there; you get some packet loss, your flow will be terrible. So it's critical to know your applications to determine the type of bandwidth that you need.

So the next thing we'll talk about is packet loss. What is packet loss? Packet loss is when a network loses some of the messages. Remember layer one is bits, layer two is frames, layer three is packets. Packet loss is when you lose some of the packets, and so that's, realistically speaking, so direct connections on the way to the cloud solve 90 percent of these issues.

Why is the internet so bad? Well, that's a couple things. The first one is called oversubscription. Here's what oversubscription actually is: when you connect to the internet service provider, they do what's called oversubscribe, and when you're using a cloud computing environment they also oversubscribe. So let's take this one step back. What I mean by one step back is, I live in a community and there are 500 homes in this community. Every home in this 500-home community includes gigabit access to the internet. So 500 homes in this community all have gigabit access to the AT&T network, theoretically, and we all connect to a location. So what happens is 500 gigabits, or a half a terabyte per second, is what the bandwidth theoretically would need to be from my community to AT&T. Now my community does not have five gigabytes of connectivity to AT&T; my community has 50, not 500, 50. And this is typical: ISPs oversubscribe 10 to 1.
So 500 gigabits of bandwidth comes into this 50 gigabit bottleneck, which means if no one's using the internet my 500 gigs is great, because I get my 400 gigs, I mean my full gig. If all 500 people are at home and they're all using it, we're all limited to 50 gigs, because that's the maximum limitation. So when you're dealing with internet service providers, they oversubscribe. Remember in the beginning of the coronavirus when everybody worked at home and we all used our internet? It didn't work, it was super slow, because of the oversubscription; they didn't plan on all of us being home, working from home. That's what's going on. So internet performance is just not guaranteed, it is best effort, right? So if it matters you must use a direct connection.

So we're going to start talking about placement groups, but I saw a couple of questions pop up, so we'll address these questions real fast, at least the majority of them. Knowledge Drive, what's going on is you need to measure latency in your network. In order to measure latency you need to send a message; typically the message that you're using is an ICMP, or Internet Control Message, to see how long it takes to go from point A to point B, and that ICMP message is often ping. PingPlotter would be the way you would do it; PingPlotter is a way that you can kind of ascertain it based upon the use of the Internet Control Message Protocol. So any ICMP is a great way to measure the ping, the latency in your network. So let me explain jitter back to the group. So latency is how long it takes from point A to point B. Jitter is when there's variations in latency, or inconsistent latency. So standard latency is, if it takes five milliseconds to go across the wire, that's latency, that's fine, that's consistent. Jitter is when one time it's five milliseconds, the next time it's 50 milliseconds, the next time after that it's one millisecond, the next time after that it's three seconds. That's what jitter is: variations of latency.
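The latency, jitter and packet-loss figures the speaker reads off his ping screens, computed from raw ping output as an added example (not code from the talk). The two ping transcripts inside the block are constructed: TEST-NET addresses and made-up times shaped like the consistent ~20 ms home link and the 5G link with a dropped reply; the real-time thresholds are rule-of-thumb values chosen for this example.

```python
"""Latency, jitter and packet loss from raw ping output (added example)."""
import re
from statistics import mean

# BSD/macOS style reply and timeout lines; Linux reply lines match the same regex.
REPLY_RE = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

# Constructed sample: the consistent home link (203.0.113.10 is a TEST-NET address).
HOME_PING = """\
PING amazon.com (203.0.113.10): 56 data bytes
64 bytes from 203.0.113.10: icmp_seq=0 ttl=236 time=20.3 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=236 time=20.1 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=236 time=19.8 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=236 time=20.4 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=236 time=20.0 ms
64 bytes from 203.0.113.10: icmp_seq=5 ttl=236 time=19.9 ms

--- amazon.com ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
"""

# Constructed sample: the 5G link, round trips swinging 47..92 ms and one timeout.
CELL_PING = """\
PING amazon.com (203.0.113.10): 56 data bytes
64 bytes from 203.0.113.10: icmp_seq=0 ttl=236 time=62.0 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=236 time=59.0 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=236 time=68.0 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=236 time=47.0 ms
Request timeout for icmp_seq 4
64 bytes from 203.0.113.10: icmp_seq=5 ttl=236 time=76.0 ms
64 bytes from 203.0.113.10: icmp_seq=6 ttl=236 time=92.0 ms

--- amazon.com ping statistics ---
7 packets transmitted, 6 packets received, 14.3% packet loss
"""


def parse_ping(output: str):
    """Return (round-trip times in ms in arrival order, packets sent)."""
    rtts, seqs_seen, sent = [], set(), None
    for line in output.splitlines():
        if m := REPLY_RE.search(line):
            seqs_seen.add(int(m.group(1)))
            rtts.append(float(m.group(2)))
        elif m := TIMEOUT_RE.search(line):
            seqs_seen.add(int(m.group(1)))
        elif m := SUMMARY_RE.search(line):
            sent = int(m.group(1))
    # No summary line (ping interrupted): fall back to the sequence numbers seen.
    return rtts, sent if sent is not None else len(seqs_seen)


def jitter_ms(rtts):
    """Mean absolute change between consecutive samples (RFC 3550 style), 0 if < 2."""
    if len(rtts) < 2:
        return 0.0
    return mean(abs(later - earlier) for earlier, later in zip(rtts, rtts[1:]))


def summarize(output: str) -> dict:
    """The three numbers from the talk: latency, jitter and packet loss."""
    rtts, sent = parse_ping(output)
    if not rtts:
        raise ValueError("no echo replies in ping output")
    return {
        "sent": sent,
        "received": len(rtts),
        "loss_pct": 100.0 * (sent - len(rtts)) / sent,
        "min_ms": min(rtts),
        "avg_ms": mean(rtts),
        "max_ms": max(rtts),
        "jitter_ms": jitter_ms(rtts),
    }


def usable_for_realtime(summary: dict, max_jitter_ms=30.0, max_loss_pct=1.0) -> bool:
    """Rule-of-thumb voice/video thresholds, chosen for this example only."""
    return summary["jitter_ms"] <= max_jitter_ms and summary["loss_pct"] <= max_loss_pct


if __name__ == "__main__":
    for name, raw in (("home", HOME_PING), ("5G", CELL_PING)):
        s = summarize(raw)
        print(f"{name}: avg {s['avg_ms']:.1f} ms, jitter {s['jitter_ms']:.1f} ms, "
              f"loss {s['loss_pct']:.1f}%, realtime ok: {usable_for_realtime(s)}")
```

Feed it the saved output of a real `ping` run and the same functions apply; the 5G sample fails on loss alone, which is the point the speaker makes about internet paths.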
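The TCP window behaviour described above (one segment, then two, then four, back to one on a missed acknowledgement) as a toy simulation, added here and not part of the talk. It assumes a 1 Gbit/s, 20 ms link and a constructed loss pattern of one lost window every eighth round trip; the model deliberately leaves out congestion avoidance, fast retransmit and SACK, so it is pessimistic, but it shows why link capacity and achieved throughput are different numbers once packets are lost.

```python
"""Toy model of the doubling-and-reset TCP window from the talk (added example)."""
from dataclasses import dataclass

SEGMENT_BYTES = 1460  # typical TCP payload per segment over Ethernet


@dataclass(frozen=True)
class Link:
    name: str
    capacity_bps: float     # what the provider sells you
    rtt_s: float            # round-trip time in seconds
    loss_every_n_rtts: int  # 0 = clean link; k = one window lost every k RTTs


def window_cap(link: Link) -> int:
    """Bandwidth-delay product in segments: the most one window can carry per RTT."""
    return max(1, int(link.capacity_bps * link.rtt_s / 8 / SEGMENT_BYTES))


def simulate(link: Link, rtts: int = 1000) -> dict:
    """Run the window for a number of round trips and report achieved throughput."""
    cwnd = 1       # segments in flight this round trip
    delivered = 0  # segments acknowledged so far
    for rtt in range(1, rtts + 1):
        if link.loss_every_n_rtts and rtt % link.loss_every_n_rtts == 0:
            cwnd = 1  # missed ACK: "starts over at zero", one segment again
            continue  # nothing from the lost window counts as delivered
        delivered += cwnd
        cwnd = min(cwnd * 2, window_cap(link))  # doubles until the pipe is full
    seconds = rtts * link.rtt_s
    throughput_bps = delivered * SEGMENT_BYTES * 8 / seconds
    return {
        "link": link.name,
        "throughput_mbps": throughput_bps / 1e6,
        "utilisation": throughput_bps / link.capacity_bps,
    }


# Constructed profiles: the speaker's 1 Gbit/s, 20 ms home figures, once clean
# and once losing a window every eighth round trip.
CLEAN = Link("1G clean", 1e9, 0.020, 0)
LOSSY = Link("1G lossy", 1e9, 0.020, 8)

if __name__ == "__main__":
    for link in (CLEAN, LOSSY):
        r = simulate(link)
        print(f"{r['link']}: {r['throughput_mbps']:.1f} Mbit/s "
              f"({r['utilisation']:.1%} of capacity)")
```

With these inputs the clean link runs at about 99% of its gigabit, while the lossy one delivers roughly 9 Mbit/s: the window never gets past 64 segments before it is knocked back to one.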
Addie, what is the importance of this certificate? It depends which certificate you are talking about: SSL or TLS-based certificates, or are you talking about a certification certificate? I can't tell based upon your question. Vibe Nation, it's been wonderful to have you here; I'm glad to hear you're working on security. We're probably going to cover a lot more security stuff here, in more depth, by about 10 times more than would be in the Security+, so you can enjoy this and bring that back, or watch this at a later time; you'll be in good shape in either case. Regarding the KMS and the signatures used, we cover that pretty heavily in the Certified Solutions Architect Professional course, which is completely free, the link is in the description below. Really going over the Key Management System and signatures could be a whole day if we really did it, so I would recommend, you know, find that in the Certified Solutions Architect Professional, again it's completely free, and it's also available in our free ebook; you can read about the Key Management System and how that works. I will provide a link to the free ebook as well. Tyrone, would I advise a CCNA course in conjunction with AWS? Well, here's the thing, it depends on the job you want, but if you want to do some kind of cloud infrastructure thing you're definitely going to need to know networking. Many of the students I work with, Tyrone, I have do a Certified Solutions Architect Professional, because that's kind of the minimum barrier of entry of certification. Now mind you, certifications are only ten percent, only ten percent; the other 90 is not certification related. Certifications are only 10, the other 90 percent, the business acumen, the communication skills, the presentation skills, the executive presence, emotional intelligence, the other 90, the architecture knowledge, system design, is the other 90. But Cisco knowledge is very, very, very useful to the cloud architect, and any of our cloud architects that want to be cloud infrastructure architects, we
typically have work in a CCNA, CCNP along the way to make sure they've got some good networking knowledge. So definitely, definitely, definitely valid and important.

Let's talk about some more AWS stuff now. Let's talk about placement groups. Placement groups are a way to improve network performance. So what are placement groups? We've been talking about latency; latency is how long it takes to go from point A to point B, and that's, realistically speaking, what placement groups are about. So placement groups are a means to minimize your latency. What do I mean by minimizing latency? If we can stick our computers closer together, our servers closer together, we're going to reduce the latency. Reduced latency improves performance. Some applications are incredibly sensitive to latency; other applications, by comparison, are highly tolerant of latency. So it really depends upon the application that you're using and its tolerance for latency. But when you have to reduce latency, obviously if you're in your data center versus the cloud it's reduced by a lot, because you don't have to connect to the cloud. But let's say you have your stuff in the cloud: you can group your stuff together closer, and by putting it together closer you can reduce the latency. Now let's think about this. If you stick all your stuff in one small area and something happens to the area, what did you do? You improved the performance but you decreased your availability. So architecturally you will never, ever, ever get to design what you want; it'll never be the perfect architecture. You're going to have to design something based upon business, legal, technical or regulatory requirements, and when your application says minimal latency, and if you decide to take it out of the data center, which is low latency, to the cloud, which is higher latency, you've got to get creative. So placement groups, a place where you can group your instances closer to each other, are an enabled way for you to do high performance computing in
the cloud. It makes the cloud look and perform almost as good as the data center could, and you need that sometimes. So what does all that mean? The first option is something called a cluster placement group. Now this is what this is going to look like. When you're dealing with a cluster placement group, you're going to have the lowest latency of all. Here's what a cluster placement group is: stick everything in the same rack, heck, stick everything on the same server and not even leave the server. In many cases I have all your virtual machines in the same EC2, in the same physical server. So a cluster placement group places all your stuff really close to each other: same server, same rack. Now let's think about this. If it's all on the same server and the server fails, you're done. If it's all on the same rack and your rack is supplied by a single power distribution unit and the power distribution unit fails, you're done. If they're all plugged into the same switch and the switch fails, they're all done. So cluster placement group: super low latency, horrible availability. So where are these kinds of things common? Finance. So I've worked in financial applications, and when you're dealing with these big banks it's not very uncommon to have them have two placement groups, where basically you have two racks side by side. Rack one is filled with the biggest, baddest, most powerful servers you can possibly imagine, all on a high performance, high availability switch. Rack 2 is directly next to it, and if anything happens to rack 1 you've got a backup, rack 2,
plugged into different switches, different power, different everything, that kind of thing. So these things are commonly used when you need super, super, super low latency, but remember, cluster placement group, everything's in the same rack; if something happens to the rack you're done. Not so good. Don't recommend it a lot, just keep this in mind. So that's your cluster placement group: super high performance, but there's lots of downsides that go along with it.

So since we talked about cluster placement groups, let's talk about the next kind of option. What is the next kind of option? A partition placement group. Let's talk about what that is. A partition placement group is when you basically still place your stuff close together, but you spread it around a little bit. So maybe you place your servers in two different racks across two different network switches. So now you've still got all your stuff real close to each other, real low latency, because it's in the same building, on a separate rack, separate power supply, network switch, reduced single points of failure, extraordinarily good performance, still really low latency, not as low latency as if everybody is in the same rack, maybe an additional millisecond of latency, but still low latency. Architecturally speaking, what's that going to look like? See, this looks a lot better. You're in the same data center, and you know what's the latency across 50 feet in the data center, or 100 meters? 186,000 miles per second, no big deal. Not a lot of latency to have lots of protection. Now if you're dealing with an algorithmic financial trading company sitting in a bank, and you want to place a trade for a hundred thousand blocks of a share a nanosecond before your competition, then doing it in your data center makes sense, because that nanosecond of the bid and the ask, prior to things being bid up or bid down based upon users' behavior, you definitely need to do this, and then, I mean, the data center is better, but you can do a cluster
placement group for that but these are the reasons why people are trying to do these super low latency environments so now you know what a partition placement group is so the next placement group that we can talk about are things like spread placement groups and what are spread placement groups they're basically now spreading your instances out much more intelligently from an availability perspective different racks different servers different power distributions you can spread your groups across multiple availability zones now you're spreading it out now now you're dealing with you know multiple data centers now you've got latency much more latency because now you're dealing with longer distances but higher performance than it would be without a placement group and much higher availability but you lose some performance but again really good option here so what's this going to look like so in this version of performance tuning what we're dealing with is as follows we're spreading your load across racks and availability zones good performance lower latency lots of cool stuff to do so let's talk about some additional ways to improve your improve your network performance so i hate when vendors make complicated names to talk about something very simple so the next network performance option we're going to talk about is single root i o virtualization yes sr dash iov no i didn't make up this term i like to call this beta spade i like to call a cat account kit and a kitten here is what single root i o virtualization is in a virtual machine typically speaking you've got logical network cards logical video cards and because they're logical they're slow hardware fast software slow hardware fast software slow so when you're dealing with virtualized networking things you're dealing with software drivers and they don't perform to the way of a physical card as a rule so when you need high performance networking what if you could push a physical card directly into the virtual 
machine? So instead of having a virtualized network card you actually have a real one, just like a real server you're using. Well, you can do that. So there's this technology called PCI passthrough, where basically you take your physical card and you push that hardware directly into the virtual machine. So VMware, AWS call that single root I/O virtualization or high performance networking. All it is, it's bringing you back to regular old-fashioned physical server technology by passing your PCI card through. So it's bringing you back to what we did long before we started using virtualization and how to get back to data center performance. So just know that. Now AWS of course has another thing called the virtual fabric adapter. So what they did is they created a high-speed driver that's software-based for high-performance networking. Theoretically it's designed for up to 400 gigabit per second, but they don't have anything they can offer anything close to that right now. So just kind of understand that these are ways that you can kind of try and boost some performance of the networking. So bear with me a second. I want to try and look at a couple options with you guys, try and see how we can best structure you guys for the next day or so's worth of content. So where we're at right now, I'm going to give everybody an option. We've got about 65 more slides worth of content to cover and we have today and tomorrow. So what we can do is, I'm going to give you guys some options. Option one, we can do some networking, we can continue the discussion, but I don't think we're going to completely get through it, or what we could do, if you guys desire, we can motor through this and try and go to, say, four o'clock today and cover the entire thing today. Option two, we can leave early today and come back tomorrow and have a really great day tomorrow. Option three, we can do like 20, 30 minutes of architectural design today and come back, do about an hour and a half worth of training tomorrow and do some
architectural training tomorrow. If that's a desire, we can happily do that. So let me know what your preference is for today of the four options. Again: we can stop early today and have a nice good discussion tomorrow; we can stop early today and do some network architecture work; we can stop here and do some architectural work for 30 minutes; or we can motor on and try and go to four and do the remaining content for the rest of the day. It's up to you guys, you tell me what you desire. Three, okay. I probably should have written down the three options when I gave them. I wasn't expecting people would say one, two, three or four; I was expecting they'd either say, like, either leave early or move on till later, like Derek had said. So, yeah, Alex, agreed, a lot of you guys are in different time zones, it's 7:30 for you guys here. So let's see if we can try and aggregate some responses from some people. I probably should have come up with two options where we could have done a poll. So I've got a couple more networking ones, which again is my fault for making this slightly confusing. So if you'd like me to continue moving on with the course today, let me know that: keep going on with the course. And if you'd like me to make it an early day and we finish up tomorrow, just let me know. Let me know those two things and we'll take it from there. Tomorrow, I promise you, at the end of the day either way we will find some time to do some architecture work towards the end of the day. Okay, so I got some folks that appreciate that. Derek, love your enthusiasm there. Alonso, Val Winters in India, so I think we should, and Alex and lots of people, leave now and finish the course tomorrow. So let's do this: let's finish this course tomorrow and I will stick around till three, and if anybody desires to do some architecture stuff with us I will do a little mini architectural review board. So anybody that wants to stay can stay for the next 30
minutes. For everybody else that is in England, that is in India, that's coming from all over the world, that's totally fine. I'll do some architectural review for things for people that choose to stay, and for everybody else what we'll do is we will come back tomorrow. So I can kick around and give some people some problems and questions and things that people desire, try and make this life a little easy for them. Okay, we'll stop the content. I'll hang around and do some bonus content, questions, architectures for anybody that desires. So maybe I'll even do some AWS network interview questions if any of you guys kind of want that, because that would be kind of the kind of things that would go on. So let's do this, because the majority of the people told me they prefer to go on tomorrow. Also, join the architecture challenge next week, highly recommend it. So for people that actually want to be here and are definitely going to attend, I'm going to do a little bit of bonus time. So let's work it out, let's do some word problems, some math problems. Thrilled to have you guys in the UK and other countries; join us again tomorrow. Let's do some basic, simple networking work and I will share my screen and we'll work through some things. First thing we'll do is we're going to take our empty canvas here and I'm going to draw some IP things, and I'm going to ask you guys which is going to be the preferred route. Oops, okay, bear with me, I am definitely not Mr. Graphic Artist, although I wish I were, because it would be really great for me. So let's pretend this is your data center. Now since you've seen our data center, let's pretend this is the cloud. Let's say we've got a link over here, and let's say we've got a second link. Let's say over here we've got the subnet 10.0.0.0 as a CIDR range. Let's say on the right side we have the 172.16.0.0/16. Actually, let's say .16.
Is everybody with me so far? Can everybody see these subnets that are there? These are the CIDR ranges. Now, if everybody can see the CIDR ranges that are here, let's talk about it a little more. Now that's the range; now let's say for example we've got these subnets. Let's say we've got a 10.0.0.0/24 as a subnet, and then let's say we have a 10.1.0.0/24 as a subnet. Let's say these are the subnets that we have in this organization, and let's say on this side we have a 172.16.1.0/24, and let's say we also have a 172.16.2.0/24. Is everybody with me so far? If you can, let me know with, like, a word: cloud architect, or I understand, I see this architectural layout. Is everybody with me so far? Okay, I'm seeing a couple of yeses, so I'm going to assume that's understanding. Now does everybody also understand that 172.16.0.0 encompasses the 172.16.1.0 and the 172.16.2.0, that they're both subnets inside of that larger CIDR range? Does everybody see that? Please let me know if you understand that. Okay, wonderful, you guys are getting it, fantastic. Now let's go to the opposite side of the equation, let's go to the data center. Now does everybody see that 10.0.0.0/8 includes 10.0.0.0/24 and 10.1.0.0/24? Does everybody see this? Okay, this is great, you guys are getting it so far. We all understand the basic networking and subnetting, fantastic. So now let's say we've got two Direct Connect connections to AWS, Direct Connect 1 and Direct Connect 2.
Now if all we pass is this information, the aggregate route on both subnets, what might be occurring? We're going to have two equal cost links. Does anybody have any idea what's going to occur? We're going to possibly be sending data over the top link and having it come back on the bottom link; we're sending data on the bottom link and coming back on the top link. Does anybody see how that could happen? Does anybody think it's a good idea for me to be sending my traffic to Alonso in Texas on one highway and have my traffic coming back on a different highway if I expect the timing to be the same? Does anybody think it's a good idea for me to take one route there or one route back, or if we need real-time traffic, I should take one route out and the same route back? Should I use the same route or a different route for optimum? And Nick Love, yeah, one of them's supposed to be the VPC, the VPC data center, but they're both just data centers, so let's call it cloud VPC, which is just your virtual data center, versus your physical data center, cloud data center; this works in both cases. Exactly, Nick Love, asynchronous routing is not an optimal situation. So we don't want asynchronous routing, because if to Alonso's house via one route is 1,800 miles and it's 2,000 miles on the way back, it's not a good way to get to Alonso's house. I don't want to get to Alonso's house that way; I want to use the same route. Good, you guys are all with me. Now if I do nothing and I have this environment, I'm going to go to Alonso's house one way and fifty percent of the time I'm going to be coming back from Alonso's on a different path. Not good, not good. So I need to make it the same route each time. So I've got multiple options to do this. Option one, I only use one link and I block the second link with routing. How do I block it? I basically make it look ugly. So I effectively cut off this link, and this link now sits here all the time and does absolutely zero unless there's a
failure of the top link. Now how many of you want to work for our company, and the company is going to say, let me buy a 100 gigabit Direct Connect connection, I'm going to pay 150,000 a month for it and I don't want it to do anything? How many people work in these environments where organizations want to spend millions and millions of dollars per month and leave it there to sit and do nothing? If you work for one of these organizations say yes, and if you've never worked for an organization that likes wasting their money type no. So I know you're with me, and there's a huge delay, but good use of the yes or the no. But most organizations that I've consulted with for the last two and a half decades do not like wasting money, and they are not going to be happy with the concept of having one active and one blocking. AWS's recommendation, because they assume people don't understand networking, is to leave one up and block it. I know of no organization that wants to spend hundreds of thousands of dollars a month for wide area connections that wants to leave it there and do nothing. None. I've never seen a company that wants to do this. So what do you do instead? You set up an intelligent BGP policy. BGP policy number one: on the top link, advertise into BGP this specific route; on the bottom link, advertise this specific route over here. On the bottom link send this specific route, on the top link send this specific route. This is 50% of the work that we need to do; we'll talk about the other 50 percent in the middle to make this work. So over here, the data center on the top link sends the 10.0.0.0/24, and we send the 10.1.0.0/24 on the bottom.
Now if you're in the cloud and you say my path to 10.1 is through this bottom link, it's more specific; my path to 10.0, the top link, is most specific. Does this make sense to everybody? So what's going to happen is routers will always take the more specific route. The more specific route, or route, whichever you choose to call it, is going to be identified by the longer subnet mask: /24 is longer than /8. So the top route is going to be more specific for the top two subnets that are advertised; the bottom link is going to be more accurate for the subnet that's advertised. Does that make sense to everybody? Please let me know with a yes or no. Are the rest of you guys getting this? Okay, most people got it. Val Wonder, I want to repeat it for you, I want you to get it. If on the top link we tell the cloud 10.0.0.0 is the best path for the top link, and if we tell the cloud to use the bottom link for 10.1.0.0/24, does everybody see how a specific route is being sent on each link? Is that clear? 10.1 goes over the bottom link, 10.0 goes over the top link. Okay, so now what's going to happen, for everybody that understands this, is the top link... we're not assigning static routes that direct that. What we're actually doing is we're telling BGP that the top link is more preferred by advertising that route into BGP, and on the bottom link we're saying the bottom link is more preferred by providing that route into BGP to the data center. So what we need to do, and what I'll do, you know, Derek, is I'll do a live stream at some point in the future. What I'll do is we'll take some Cisco routers, we'll recreate the AWS data center, and what we'll do after recreating the AWS data centers, we'll start advertising routes and I'll show you the routing tables, how things move along, because I want to make sure you know you got this, Derek, Alonso. We'll be doing this; you guys are my students, and internally we'll make sure we
get you guys some really, really deep Cisco training, because this stuff matters so much. So what we'll do is we'll do something like that. So the top link is going to be preferred for the more specific subnets, the bottom link is going to be preferred for the secondary subnets. Now, right now, as it stands, if we do absolutely nothing, should anything happen to the top link, does the bottom link know how to reach 10.0.0.0/24? If the top link were to go away, in the top BGP session where did this appear? Would anybody be able to reach the subnets at the top if the top link were to disappear? As it stands right now, if the top advertises 10.0.0.0/24 and the bottom advertises 10.1.0.0/24, if the top link goes away, is 10.0.0.0/24 reachable? Because this is really important. I'll give you guys a couple more seconds to make sure, but this is really important, so I want to make sure you guys get it. So the top link... I'm not sure if you guys are just not sure or if it's the delay. If this top link were to go away and all this stuff over here were to disappear, none of that would be reachable. None of that would be reachable, because there's no routes to it, because they're on different subnets. So when you're traffic engineering in this manner, because the route won't be there, you're going to need to provide a backup route. So typically speaking what will occur is you'll provide a route like this, the summary route on the bottom, and you'll provide a summary route up top. See what's going to happen here: if this top link goes away, if all the stuff goes away, you're going to still be preferred over the bottom link for 10.1 because it's more specific, but you're going to have this 10.0.0.0. Now does 10.0.0.0/8 also cover 10.0.0.0/24 in terms of network layer reachability information? This 10/8 covers 10.1, 10.2, 10.3, 10.4, 10.5, doesn't it? So does that summary, or that aggregate route that we're advertising, provide network layer reachability information should the primary link go down? I
hope you guys know this, but if not, the answer is yes. Please let me know, guys, that you understand that the big CIDR range encompasses all the smaller subnets inside of the CIDR range. So almost everybody gets it. So 10.0.0.0/8 includes 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, all the way to 10.254.0.0/24, 10.255 actually. So now you get it. So basically what's really going on there is the summary route provides backup should the primary preferred links that you traffic engineered not work. So this is how you provide full reachability and traffic engineering by leaking more specific routes. That's one way to do it. This is a very common way to do it; internet service providers throughout the entire world do this. Love this situation. I've done this hundreds and thousands of times in my career because it's so simple and elegant. But let's do it a different way. Exactly: one summarized route for backup, one specific route for traffic engineering. So now let's look at another way we could potentially do this, because by the way, this is the way organizations traffic engineer traffic. What's the problem you have on the VPC side of this config, Maxim? Because you're going to have to do this in both directions. You're going to advertise the 172.16.1.0 on one link, you're going to advertise the 172.16.2.0/24 on the other link, and on the VPC side you're going to advertise on both links the 172.16.0.0/16
to the data center, and that way you've got your bidirectional routing and your traffic engineering. So, William, obviously you're going to be setting this up in the virtual gateway, but the reality is this: if it really matters you should probably be using two different virtual gateways in two different areas. But yes, you're going to have to set up some of this in the virtual gateway and some of this on the Cisco side. Now how else could you do this? Cisco routers, and all routers in general, prefer the path with the most specific route. After the most specific route, what is the next thing that routers do? It's completely reachable on both sides, William O, Muhammad, because you're providing full reachability on both sides: you're providing an aggregate route and you're providing the other more specific routes. So the next thing that would be used on Cisco routers is weight. AWS supports weight, and other routers, which never used to support weight years ago, now also support weight. So the next way you could modify the routes that you're learning is by adjusting the weight. So for example, if I wanted 172.16.2.0 to be preferred on the bottom link, and let's say I had other options, I could take the 172.16 route that I learned from the cloud VPC and I could change the weight, make it a higher weight. So if I had advertised both routes on both links, let's say both of these routes were advertised on both links and I want to load share on this. Now granted, we're going to have to do this on both sides; I may only do one for simplicity purposes to make life easier for you guys to see, but we're going to have to do it on both sides of the link. So let's remove this stuff out of here right now just to make life a little simpler and more elegant for you. So if I want the top link to choose the 172.16, over here I could create a policy that says weight. I could say weight 172.16.1.0, I could pick another one like thirty-five thousand, and I could use that
for 172.16. Now for the other one I want to add a zero. For the bottom one I could basically take the other one, which is the different subnet, and I could weight it 32768, for example. So now you can see: prefer the path with the largest weight. So the top link will take the 172.16 to reach this and not the 172.16.2.0, because this will be a backup path. Well, actually we have to do the bottom side, so let's make this completely clear. So on the bottom side we'll change the weight of the top one to 32768, because we want to make it non-preferred, and then we'll change the weight of the one that we want to 35,000 to make it preferred. So what did we do here? From the routes that we learned from the cloud, we took the route that we wanted to be preferred on the bottom link and raised the weight, and we raised the weight for the top link for a different subnet. Now of course we're going to have to do everything we do in BGP on both sides. So what we'd actually have to do is we'd have to take the 10 routes that are learned, we'd have to do this for 10.0.0.0/24, that would be on the top link that we would prefer, and then the 10.1.0.0/24 we make lower priority, and then on the bottom link what we would do is we would now change this one to 32768 and we would make this 35,000.
Does everybody see what we've done here? We've prioritized one path for a certain subnet and not another path, and the way we've actually done that is by manipulating the weight. Is that clear to everybody, how we just created a preferred path by changing the weight? It's just the BGP tuning knob that we choose. If you guys can let me know if you guys got that; I know we're dealing with a pretty dreadful delay. I will also tell you that BGP is probably the most complicated of all the routing protocols, and that's why very few of us work with it unless we're CCIEs. You guys are doing great, then it's clear. Oh, you know what, Val Wonder, I'm happy. Derek, I'm so happy. William Wallace, wonderful. Alonso, fantastic. Great job. I personally think setting up an aggregate route is a lot easier, Val Wonder, but you know, it's all what you're used to. So let's say we didn't want to use weight because we're not on a router that supports weight; let's say we want to use local preference. Prefer the path with the highest local preference. Guess what? We'll just change the local preference. Let's say we say local preference 200, local preference 100. We prefer the path with the largest local preference. Oh, Maxim, that's a great question, I'll show you that in a second. And guess what, we can prepend AS paths on one side. No, I'll tell you in a minute, Maxim, how that works. Administrative distance is something totally different, but I'll cover you there in a second. Okay, so here you go. Here we're modifying the path in one direction; whether you're modifying the weight, whether you're modifying the local preference, whether you're changing MED, this is how you traffic engineer BGP. Now Maxim asked an exceptionally good question: how does the router determine that the connection is lost? BGP peering sessions are a TCP port 179 connection. If the TCP connection goes down, the BGP neighbor is lost, and if the BGP neighbor is lost, all the routes that are learned from it are
withdrawn in the BGP update messages. On day one we talked about BGP message types, and I said that if a route becomes removed or lost it's withdrawn, but when a BGP session is torn down it removes all the routes that are in the associated routing information base, and then BGP does a route recalculation. So what will ultimately happen is routes will get added, routes will get withdrawn; remember, BGP is a dynamic routing protocol, so as soon as it learns about new things it'll remove them. So as I talked about, the way load balancers use a health check where they say, are you there, are you there, are you there, BGP has a keepalive message over its neighbor relationship that says, are you there, are you there, are you there, and when keepalives are missed the BGP session is torn down and all the routes are removed. So I hope that answers that question there. Now with regards to Muhammad asking about administrative distance: administrative distance is purely a Cisco thing. Administrative distance is the following: it's the believability of the route, how believable is the route. So Cisco routers have the ability for you to change administrative distances; I don't recommend it. Administrative distance would say that, like, OSPF learned routes are more or less reliable than EIGRP learned routes, which, you know, I wouldn't believe, so they give you the ability to change the OSPF route to a lower administrative distance, meaning more reliable. Administrative distance is just the believability of a routing protocol based upon what Cisco determined it felt at the time was the most believable routing protocol, which in certain cases gave preference to Cisco proprietary routing protocols like EIGRP, which for the most part are not really highly used anymore. So that's how routers know these kinds of things. So what you can do with local preference, and again if you're dealing with local preference you have to do it on both sides, of course. Actually, you can manipulate the local preference on one
side and modify the weight on another side and it'll still work. It's really a matter of just choosing your BGP tuning option. Here's another option. So anytime you traverse, when you're using BGP, you're using an autonomous system. So let's say we make up some: 65512; this is a private AS number, 65513. So what will happen, and this is eBGP; why is it eBGP? Because they're different autonomous system numbers. It's, Muhammad, it's the highest weight, and it's only locally significant, not the lowest weight. And that's what I was really trying to shoot for, for everyone, that everybody know that a keepalive or health check is just saying, hey, are you there. That was exactly, exactly, exactly my goal there, so 100% you got me, you read it, I wanted it to stick in everybody's head, because let's face it, these are the things that are going on. So you guys are doing great. So here's what our route is going to look like in the routing information base. So long before we get to the local preference, what we're going to see is when we see a route it's going to give us an AS path, AS_PATH, and the AS path is going to give us the autonomous system number we learned from our neighbors, so 65512. So what you're going to see on all routes learned from the other side is the autonomous system path. Let's just, right now, let's actually use the true autonomous system path. Now let's go back to what we have going on on the left, not with regards to what we have on the right of this diagram. On the right of this diagram we know that the top link is going to be used for 10.0.0.0/24 because it's got the higher weight; we also know that the bottom link, the 10.1.0.0, is going to be used to reach the data center because of the higher weight, because we can flip these things in multiple places. But now let's look over here, let's look at the data center on the way to the cloud. Do we have two equal cost routes again going to the data center?
We're learning two different routes and they have the same autonomous system path numbers; we don't have a different weight, we don't have a different local preference. Do we have equal cost routes again towards the cloud, everybody? And if we have equal cost routes, what problem do we have? We're going to use both links and go out one path, come back the other path. You guys with me so far? You guys there? You guys got me? Let me know with a yes or something like that. It's a dreadful delay here, I'm pretty sure of it, I understand that. I'm going to give you guys a couple more seconds to respond so I know that you're there. Yeah, and you guys can turn me into a meme of the health check guy over there, or the BGP guy, I don't mind; any way you guys kind of know me is fine. All I really care about is that any time you spend with me I make you better at the network, I make you better at the cloud and make you better in security, and I hope you guys build a great cloud architecture, cloud computing, tech careers. What you guys call me beyond that... that's my whole goal, mission of life, is to help people with their careers. So you guys got me, I'm super excited here. So now you see the challenge that we have: we've got equal cost paths, same problem as before. Now what can we do, what could we do here? Well, we've got to make one path preferable. So prefer the path with the shortest number of autonomous system hops. So how do we make a route look ugly? We prepend, or we add, autonomous system hops. So let's add another 65512. Oops, it would help if I would actually be a good typer. You know what, you've got to get the autonomous system numbers right here, so right now, let's do this: 65512. So now what's going on here? Look at what we did over here, this is pretty cool. We now made one route look ugly up top and a different route look ugly on the bottom. Hmm, what do you think? Now we've created load sharing, and guess
what, with the load sharing, where it gets really cool, we don't have that on our packets here because we preferred one path. Now there's some other things that are next, like origin code; we're not really going to be able to tune that, I mean we could, but it would be complicated. See, that's coming from whether you learned the route from your EGP or your IGP. So the next thing that we're going to play with is the MED, or the multi-exit discriminator, or the metric of the route. So the next thing is, BGP prefers the path with the lowest MED. So how do we do this? Quite simply, we just change MEDs, no big deal. And by the way, my cutting and pasting of spelling is a little on the challenging side. So exactly, Derek, we created an additional AS path and they're not equal. So now let's say we want to do it another way: prefer the path with the lowest MED. MED 50, MED 100, MED 50. Let's do this the other way: MED 100, MED 50. So check this out, the top one has the lowest MED, or metric, for 172.16, so this link is going to be used to reach that subnet; this link will not be used because it's got a higher MED, unless the link goes down, in which case then it's your only path. This one on the top, this 172, oops, let's make this 2.0, let's make this 1.0. See, this is what happens when you do these things live and on the fly, you occasionally may not use your perfect typing. So, oh, actually, sorry, this is one another. So here, oh wait, bear with me one second. Yeah, we've got this correct now. So what we're going to do here is we're going to make the 2.0 have the MED 50, because we want that to be preferred, and we're going to make the 1.0 have a MED of 100 and we'll make that less preferred. So here we go, we're just manipulating the BGP metrics that we talked about. So we want the one with the weight to be used, we bump up the weight; we want to use local preference, we bump up the local preference of the route we prefer; we want to use
MED, we use a lower weight for the route we prefer. There you go. You want to use the shortest AS path, make the one that you don't want to use uglier by adding an AS path. These are basically the ways you tune with BGP, and this is kind of some fun BGP kind of stuff. So now you guys get a good feel for the kind of things that we're doing with BGP. Any questions on any of these BGP tuning parameters that we just did? Any questions, let me know if you've got any questions. Checking to see if there's any questions; I know there's a pretty long delay here, just waiting to see, I know there's a delay. William, how do you choose which one to use? Well, for one thing, weight's not supported on a normal router, so if you're using a router that doesn't support weight you don't do it. It depends whether you're manipulating inbound traffic versus outbound traffic, because if you're manipulating outbound traffic you can prepend your AS a few times to send to somebody else to make ingress traffic, or traffic into you; that would be one way you could do it. You might do something which we didn't talk about, which is called sending a community and then matching a policy. So it all depends which one you need to use, William, and there's a lot of the network architecture that actually goes into the question of what you're actually asking. But realistically speaking, that's the concept; you can pick any one of these and they'll all work. But if you want to get really, really, really detailed, you know, either we'll have to have a one-day BGP training, one day, which, you know, I might be willing to do, or read the book Internet Routing Architectures, or be one of our students in our training program. Students in our training program get access to doing this kind of stuff a couple days per week in our architecture training courses. So I will do this to close out the day: if anybody has any questions about the kind of training that we do and they want to call us,
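The longest-prefix-match and BGP tie-breaking behaviour walked through above (summary route as backup when a session drops, weight, AS-path prepending), as an added Python simulation that is not from the video or its author; the link names, the attribute values other than the lecture's 32768/35000 weights and 65512 ASN, and which link gets the prepended path are assumptions.

```python
"""Simulation of the two-link BGP traffic-engineering scenario from the lecture.

Constructed example: link names, most attribute values and the per-link AS-path
layout are assumptions; 65512 is the private ASN used in the lecture.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass
class Path:
    """One BGP path as held in the routing information base (RIB)."""
    prefix: str
    link: str                      # Direct Connect link the route was learned over
    weight: int = 0                # Cisco-only, locally significant; highest wins
    local_pref: int = 100          # highest wins
    as_path: List[int] = field(default_factory=list)  # shortest wins
    med: int = 0                   # lowest wins


# Decision steps in the order the lecture walks through them (lower key = better).
TIE_BREAKERS: List[Callable[[Path], int]] = [
    lambda p: -p.weight,
    lambda p: -p.local_pref,
    lambda p: len(p.as_path),
    lambda p: p.med,
]


def best_paths(paths: List[Path]) -> List[Path]:
    """Apply each tie-breaker in turn; more than one survivor means equal-cost paths."""
    survivors = list(paths)
    for key in TIE_BREAKERS:
        best = min(key(p) for p in survivors)
        survivors = [p for p in survivors if key(p) == best]
    return survivors


class Rib:
    def __init__(self) -> None:
        self.paths: List[Path] = []

    def learn(self, *paths: Path) -> None:
        self.paths.extend(paths)

    def session_down(self, link: str) -> None:
        """Losing the TCP/179 session withdraws every route learned from that neighbor."""
        self.paths = [p for p in self.paths if p.link != link]

    def lookup(self, dst: str) -> List[str]:
        """Longest prefix match first, then BGP best-path; returns the winning link name(s)."""
        addr = ip_address(dst)
        matching = [p for p in self.paths if addr in ip_network(p.prefix)]
        if not matching:
            return []                     # no route at all: unreachable
        longest = max(ip_network(p.prefix).prefixlen for p in matching)
        winners = best_paths([p for p in matching
                              if ip_network(p.prefix).prefixlen == longest])
        return sorted(p.link for p in winners)


def aggregate_only() -> Rib:
    """Both links advertise only the 10.0.0.0/8 summary: two equal-cost paths."""
    rib = Rib()
    rib.learn(Path("10.0.0.0/8", "top"), Path("10.0.0.0/8", "bottom"))
    return rib


def specific_plus_summary() -> Rib:
    """One leaked /24 per link steers traffic; the summary on both links is the backup."""
    rib = Rib()
    rib.learn(Path("10.0.0.0/24", "top"), Path("10.0.0.0/8", "top"),
              Path("10.1.0.0/24", "bottom"), Path("10.0.0.0/8", "bottom"))
    return rib


def weight_tuned() -> Rib:
    """Both /24s on both links; weight 35000 marks the preferred link for each subnet."""
    rib = Rib()
    rib.learn(Path("10.0.0.0/24", "top", weight=35000),
              Path("10.1.0.0/24", "top", weight=32768),
              Path("10.0.0.0/24", "bottom", weight=32768),
              Path("10.1.0.0/24", "bottom", weight=35000))
    return rib


def prepend_tuned() -> Rib:
    """Equal weight and local-pref, so AS-path length decides; prepending 65512 makes a path ugly."""
    rib = Rib()
    rib.learn(Path("172.16.1.0/24", "top", as_path=[65512]),
              Path("172.16.1.0/24", "bottom", as_path=[65512, 65512]),
              Path("172.16.2.0/24", "top", as_path=[65512, 65512]),
              Path("172.16.2.0/24", "bottom", as_path=[65512]))
    return rib


if __name__ == "__main__":
    rib = specific_plus_summary()
    print("10.0.0.5 via", rib.lookup("10.0.0.5"), "| 10.2.0.5 via", rib.lookup("10.2.0.5"))
    rib.session_down("top")                       # top Direct Connect session torn down
    print("after top failure, 10.0.0.5 via", rib.lookup("10.0.0.5"))
```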
here's the number of our office chris from my team has listed it already but um i want to make sure everyone accesses it if anybody is interested in training with us in our cloud architect career development program which basically is how we train people to become cloud architects there's the link of our training i always like to include a coupon code whenever i can so here's a 20 off coupon code if there are any last minute questions for me ask me now otherwise i will see you tomorrow at 3 p.m we will have a lot of fun doing some networking the remaining networking components and if you guys want to do some bonus content towards the end of the class and work some problems like this interactively dynamically with me you let me know by saying cloud architect below and we're going to have a ball with it also i should ask if you're enjoying this comment please leave a like please subscribe to our channel i'm trying to learn how to become a youtuber and uh since it's not actually me and please feel free to share this content with anyone you think will be helped by it um so happy you stayed late derek as well as all 40 some of you that did or 45 of you that did um william you have a wonderful night um hannah god what a nice name um thrilled to have you here today so thank you alonzo always a pleasure and every way should perform every interaction say joe so couple you're here mr binary you're welcome 4d robotics have a wonderful day nick love love it architect what a cool name maxim so glad you were here and thank you thank you so much hand of god definitely try hard so it's very appreciative when people give us feedback and so please demonstrate higher local preference definitely higher weight definitely is preferable for outgrowing a.s path the shortest path the better absolutely and med um prefer the lowest net for for outgoing traffic all these things are based on outgoing daryl i've seen all kinds of great progress and uh especially from you some lots of exciting 
things uh call us thanks so much take care of derek okay you know if you want us to make a thing on how to select virtual machines and network and performance um definitely we can make a youtube video on that because that's a relatively large content but we can do something like that i'll have chris or my team take that information down we'll evaluate that but that could be something we could do a good video on any other special request for content or anything like that any other request because otherwise what we'll do is we'll end today we'll see you guys all tomorrow at 3 p.m have a wonderful wonderful wonderful evening it's been a real honor privilege to spend the time with you love the cloud architect community and look forward to seeing you all tomorrow take care everyone you
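A worked example added here, not code from the course or from Go Cloud Architects, that simulates the part of the BGP best-path decision the session walks through: highest weight, then highest local preference, then shortest AS path, then origin code, then lowest MED. The 172.16.1.0/24 and 172.16.2.0/24 prefixes and the MED 50 / MED 100 split follow the whiteboard scenario; the AS numbers (65002, 65003, 65004) and next-hop addresses are constructed for the example. It also carries one caveat the session did not get to: by default MED is only compared between paths learned from the same neighbouring AS, unless the router is configured to always compare it.

```python
"""Simulate BGP best-path selection for the attributes covered in the session.

Added example, not the course's own code. Routes, AS numbers and next hops
are constructed inputs. Attribute order mirrors the Cisco-style decision
process as far as the transcript covers it; a real router continues with
eBGP-over-iBGP, IGP metric to next hop, router ID and so on after MED.
"""
from dataclasses import dataclass, field

# Lower rank is preferred: IGP-originated beats EGP beats incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Route:
    prefix: str
    next_hop: str
    weight: int = 0            # Cisco-local only; highest wins
    local_pref: int = 100      # AS-wide; highest wins
    as_path: list = field(default_factory=list)  # shortest wins
    origin: str = "igp"        # igp < egp < incomplete
    med: int = 0               # lowest wins, but see compare()


def compare(a, b, always_compare_med=False):
    """Return (winner, deciding_attribute) for two routes to the same prefix.

    Returns (None, "tie") when none of the covered attributes decides.
    """
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local_pref"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "as_path"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # MED is only meaningful between paths from the same neighbouring AS
    # (the first AS in the path) unless the router is told to always compare.
    same_neighbor = a.as_path[:1] == b.as_path[:1]
    if (same_neighbor or always_compare_med) and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    return None, "tie"


def best_path(routes, always_compare_med=False):
    """Fold compare() over all candidates; returns (best_route, reason)."""
    best, why = routes[0], "only candidate"
    for candidate in routes[1:]:
        winner, reason = compare(best, candidate, always_compare_med)
        if winner is candidate:
            best, why = candidate, reason
        elif winner is best:
            why = reason
        else:
            why = "tie"  # undecided by the covered attributes; keep current best
    return best, why


def whiteboard_scenario():
    """MED tuning from the session: 2.0/24 gets MED 50 on link A and 100 on
    link B; 1.0/24 the other way round. Both links reach the same neighbour
    AS 65002 (constructed), so MED is compared."""
    results = {}
    for prefix, med_a, med_b in (("172.16.2.0/24", 50, 100), ("172.16.1.0/24", 100, 50)):
        link_a = Route(prefix, "10.0.0.1", as_path=[65002, 65003], med=med_a)
        link_b = Route(prefix, "10.0.1.1", as_path=[65002, 65003], med=med_b)
        best, why = best_path([link_a, link_b])
        results[prefix] = (best.next_hop, why)
    return results


def prepend_scenario():
    """Make the link we do not want 'uglier' by prepending: the lower MED on
    link B no longer helps it, because AS-path length is evaluated first."""
    link_a = Route("172.16.2.0/24", "10.0.0.1", as_path=[65002, 65003], med=100)
    link_b = Route("172.16.2.0/24", "10.0.1.1", as_path=[65002, 65002, 65002, 65003], med=50)
    best, why = best_path([link_a, link_b])
    return best.next_hop, why


def local_pref_scenario():
    """Local preference outranks AS-path length: the longer path still wins."""
    link_a = Route("172.16.2.0/24", "10.0.0.1", local_pref=100, as_path=[65002, 65003])
    link_b = Route("172.16.2.0/24", "10.0.1.1", local_pref=200, as_path=[65002, 65002, 65003])
    best, why = best_path([link_a, link_b])
    return best.next_hop, why


def cross_neighbor_med_scenario():
    """MED from two different neighbour ASes is not compared unless forced."""
    via_65002 = Route("172.16.2.0/24", "10.0.0.1", as_path=[65002, 65003], med=100)
    via_65004 = Route("172.16.2.0/24", "10.0.1.1", as_path=[65004, 65003], med=50)
    default = best_path([via_65002, via_65004])
    forced = best_path([via_65002, via_65004], always_compare_med=True)
    return (default[0].next_hop, default[1]), (forced[0].next_hop, forced[1])


if __name__ == "__main__":
    print(whiteboard_scenario())
    print(prepend_scenario())
    print(local_pref_scenario())
    print(cross_neighbor_med_scenario())
```

The `compare()` function returns which attribute decided, which is the useful part when reviewing a routing policy change: if a route wins on `weight` or `local_pref`, no amount of MED or prepending from the neighbour will move it, exactly the ordering the session describes.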
Info
Channel: Go Cloud Architects
Views: 2,747
Keywords: aws bgp, AWS Advanced Networking Course, what is bgp, networking for cloud computing, cloud network training, cloud networking overview, networking and cloud computing, cloud computing technical skills, networking skills training, cloud architect skills, cloud architect training, cloud architect career tips, cloud architect, cloud career tips, cloud career training, cloud as a career, cloud career, aws full course, free aws certification training, aws networking training
Id: EB5HaKSLcOA
Length: 191min 40sec (11500 seconds)
Published: Fri Jul 16 2021