AWS Certified Solutions Architect Associate 2022 (Full Free AWS course!) | Part 3

Captions
Yes, it is. Hello everyone, this is Michael Gibbs. So great to have you back. For those of you that don't know me, I'm the founder and CEO of Go Cloud Architects, and we're an organization dedicated towards building high-performance cloud computing and networking careers. Today is day three of our completely free AWS Certified Solutions Architect Associate 2022 training program. We will be doing AWS Solutions Architect certification training, and again, this is a free AWS full course.

To let you know how we're going to run the course: we'll have approximately 40 minutes of training and 20 minutes of question-and-answer sessions every hour, so we're going to try and make this as much of a classroom-like experience as possible. What will happen is we're going to present, questions will come in, and we'll periodically stop to answer the questions. You know, when you're doing your AWS Certified Solutions Architect Associate training, we want to make sure that it's not just "here, watch this video and you're on your own," because then you won't know what you know, or you won't know what you won't know. So we're going to make this live, we're going to make this fun, we're going to make this interactive. This is going to be like a real AWS boot camp, as if you bought it from one of the global training providers or took it from AWS directly.

So, really excited to have you back here today. This is something that we truly love doing around here; we love providing free AWS training. Whether you're building a cloud architect career, a solution architect career, or a cloud solution architect career, we want to help you. Now, we're going to get deep into some of the tech, as much as we can in certain places. There'll be a point where we're going to have my good friend and fantastic cloud architect Alonzo Coleman, and he's going to be maybe doing some labs to try and get you guys a little hands-on. I will give you the architectural approach, I will explain how the technology works, what it
is, why we use it, and those sorts of things, and I'll try and give you as much as we can in a short certification training program to give you the business acumen and the cloud architect knowledge so you'll be prepared for a cloud architect job.

So we're live now, and of course, any time you do things live, computers can fail, internet connections can fail; literally speaking, anything that could go wrong probably will go wrong. So we're going to make it as fun as possible. You know, you build a plan, you build a backup plan, you build a backup-backup plan, and when everything else fails or almost fails: adapt, improvise, overcome. For those of you out there that know what I mean, you know how important it is to be adaptable and flexible with the situation, as a cloud architect as well as everyone.

So if you're here and you are ready to go, type #cloudhired, and I know everybody's here. And you know what, hit that like button if you don't mind; it's good for the algorithm, it helps more people see our free content. So if you can hit that like button, great. If you like what we've been doing for the previous three days... if you've not seen what we've done for three days, wait until you experience it before you hit the like button, but if you've been here and you've been participating and you've been having a great time, if you can help us with that algorithm by liking, commenting, subscribing, and sharing this with others.

Our goal when we do free AWS full courses and free AWS Certified Solutions Architect Associate training is to really give people the kind of training that they couldn't afford. A good training program like this is about four or five thousand dollars where they're live and interactive, and we know that's outside the budget of many people throughout the world. We want to make sure that you get access to this kind of training anyway, and that's why we're doing it free.

Coming real soon, we're going to have a free Cisco Certified Network Associate course. The reason we're going
to do that is the cloud is a network and a data center that's virtualized, and you know who knows the network and the data center? Network engineers. So we're going to have some free networking training coming your way as well.

Just to remind everyone that tomorrow, ITXcel, the executive IT recruiting firm, is coming in again. They will bring in either their CEO or one of their executive officers, they will talk about cloud architect jobs, you'll be able to send in your resume, and you'll be able to ask them questions about what employers want. I've got to tell you, these are really good recruiters. They've helped more students of mine get jobs in the past 20 years than I can even count; they've helped more people than I know get hired. They have 20 full-time recruiters in New York City, they are connected with thousands and thousands and thousands of hiring managers spread across the country, and they've got connections all across the world. And you know what, they're coming tomorrow, free, at 10 a.m. So ITXcel is coming tomorrow, and before the end of this we will give you guys the link to do that, because we want to give you everything we can to help build your cloud architect career.

With that in mind, we're going to go back to some training. We had some fun training yesterday, and yesterday we were working on databases. So as a refresher: we talked about relational databases, we talked about, what's the word I'm looking for, NoSQL databases, we talked about data warehouses, we talked a little bit about scaling the databases, we talked about read replicas, we talked about caching, and we talked about queuing. So you know, those are the kinds of things that we discussed yesterday. So today what we're going to talk about is a little bit more on the databases, and then we'll get into some really cool, really fun topics. So I promise today we'll get into some good technical content, and if you guys are ready, we're ready to get started. Just bear with me for a minute to figure out exactly where we
left off so we can give you guys the best experience ever, so just bear with me.

Let's talk a little bit about extraction, translation, and loading. So yesterday we talked a little bit about the creation of a data lake, when we talked about taking data from relational databases, NoSQL databases, data warehouses, object storage, and we talked about really using these kinds of environments to aggregate your data so that you can run business intelligence tools and make better business decisions.

So let's look at the world of data: lots of data coming in from all angles. This data can do some incredible things to help us. This data can help us make better business decisions; this data can help us, you know, look at the data to make better predictions. Data is our friend. But I want you to think about data. Imagine you've got data coming in from a million and one sources and they're all in their own format. Now let's think about this data: coming from here, in a relational database, stored in columns and rows; data in a NoSQL database, stored however, with a flexible schema; now you've got data in a data warehouse; now you've got your data sitting in object storage. Lots of data. So what do you do with it? How do you take the data from one place and another place and another place and get it all somewhere smooth so you can analyze the information? You use something called an extraction, translation, and loading tool.

And let's be fair, there are a lot of these tools, lots of custom work. Now one of the great things is, when you go to a cloud provider, one of the reasons the cloud provider is so cool is as follows: the cloud provider has been doing this business for a long time. So normally speaking, in an enterprise you'd have to buy an expensive tool or custom build a tool, and a lot of the work with extraction, translation, and loading, meaning taking data from one database and one database and another database and all these other data sources, a lot of that information takes time and manual
coding. But when you're dealing with AWS, they've got a tool that's been pre-made, and the tool they have, their extraction, translation, and loading tool to aggregate your data from different sources, is called AWS Glue. So what is AWS Glue? It is an Amazon-branded, Amazon-designed, Amazon-coded extraction, translation, and loading tool. So it will take the data from the various databases and load them into the appropriate sites. Remember, every database has its strengths and weaknesses: NoSQL databases scale incredibly, relational databases give us the relationships between variables, object storage lets us dump a whole lot of stuff into an environment and have metadata. So when you combine these, that's really where the magic happens. You're aggregating, and then you're going to be able to make better decisions. So it's all about the data aggregation. That's, realistically speaking, what we're talking about.

Now, when you have a tool that can do this for you, it's pretty terrific. So normally speaking, what would happen is you build your own tool, you put your own tool on a virtual machine, and what would happen is the tool and the virtual machines will catalog your data, make it searchable, queryable, that kind of thing, and it can then be loaded into a database, a data warehouse, or really, speaking, anything that you desire. That's what you do with ETL tools. But with AWS it's easy: they have a pre-made, pre-coded tool called Amazon Glue, and Amazon Glue is already running in a serverless environment. Now, I may not be the biggest fan of serverless, and the reason I'm not is I like to be able to go on and off cloud providers' data centers very easily, but this is a really nice tool. It starts serverless; there's nothing that needs to be built. You just take the Glue tool, and inside the Glue tool you point it to your data, and AWS Glue will basically discover the data, store it in a catalog, and it'll create a catalog of metadata, or data about the data. So then, once you've
got this catalog, Amazon Glue can literally put it wherever you need. So this is a really simple and nice, elegant solution when we're really trying to talk about some of these things.

So let's look at this architecturally, what it looks like, because this is a really nice, elegant tool. Basically, over here you've got S3, which is your object storage. You've got Glue crawlers, and the crawlers are going to be pulling information from Athena, which is, for example, a relational database; Redshift, which is a data warehouse; you'll be using Elastic MapReduce, which is going to do similar ETL-type functions, mapping and reduction from one database to another database; and then you're going to use a tool like Tableau or QuickSight to visualize the data. See, the whole point of these data lakes is to do something with the data. That data is your friend: the more information you have, the better decisions you can possibly make. So data is really great. So that's realistically what we're talking about. Whoops, didn't need to do this.

So now we've talked about relational databases, we've talked about data warehouses, talked about NoSQL databases, we've discussed databases, but let's talk about high availability database design. Now database design is very different for high availability and for high performance. So let's talk about this. Yesterday we talked about increasing performance, and we added read replicas to offload read load from the primary database. Yesterday we added caching to reduce the load on the read replicas, which is further reducing the load on the master database. Yesterday we talked about adding queuing to make sure that messages didn't get dropped on the way to the master database. All good, right? None of that had anything to do with high availability; it all had to do with increasing performance. So now let's talk about how do we build for high availability. Well, it all goes back to this military adage: one is none, two is one, and three is greater than two. For
the people that are asking the question, from Emmanuel, who was asking a question: the video will be here later, go back and watch it, absolutely.

So it all comes down to that same adage: no single points of failure anywhere. So how do you design a database to really grow, to really scale with regards to high availability? You do it in the following way: you host the database in multiple availability zones, so two data centers. That's it. So, reminder, you know, on the first day we talked extensively about what is an availability zone, which is a data center, what is a region, which is a large geographic area, we talked about local zones, edge computing, and we talked about edge locations, which was related to CloudFront. So what do you do with AWS for high availability database design? Use multiple data centers, minimum. So if you're going to host your database at all in AWS, you should probably host it in two data centers, which means two availability zones. Why you should do this is: you have your database in the data center and you copy it to another data center. Now, if the data center were to have a flood, a fire, an earthquake, or a massive cable cut, it doesn't matter; your systems are available in another data center.

So if you want to increase availability, you use multi-availability zone. If you want to increase performance, use read replica capabilities. I'm going to say this again, because it's a test question and it's confused by almost everyone: multi-availability zone does not improve performance, it improves availability. Read replicas, caching, and queuing improve database performance. Please know that; you will probably see it on a test, but more importantly, you need to know this for your career, much more important than just passing an exam.

Here's what multi-AZ does. You've got your database, say in us-east. It will synchronously copy all of your data to the backup database, say in us-west. This backup database will do nothing unless there's a failure or a situation
that will cause a failover. But it will do nothing, and we'll tell you what it'll cost to fail over, but it'll just sit there and be a backup, and then if you need it, it'll kick on and it will do everything that needs to be done. And when you bring up your new database, it'll synchronize the old data back to the old database and you will lose nothing. High availability database design: put your database in a minimum of two availability zones.

Now you've got your database in two availability zones. What's it going to look like? I'm going to show you what it's going to look like right now: identical copies in two places. Look at this architectural diagram here. We've got a three-tier web app, a web, an app, and a database, here in two availability zones. So should anything happen in availability zone A, guess what, availability zone B will take over and everything is good. So now you know how that works.

Now, what will cause this availability zone to switch over to this availability zone? Let's talk about that for a moment. Here is what will cause an availability zone to fail over. If the primary database fails, switch to the backup; makes sense. If the availability zone were to go away, like it can due to an outage, switch over to the backup. The database service has changed: switch to the backup. You do maintenance on the database, like patching the operating system: guess what, fail over to the backup. You initiate a manual failover, something like a reboot, but fail over to the other system: it will fail over. So now you know the concept of high availability database design. It is about making sure you have sufficient information from one data center to go to another data center should anything happen.

Okay, now we're going to get into some basic networking, which is my favorite area, but prior to getting into some basic networking I want to make sure that you're ready and you don't have any last questions on the databases. So if you guys have
any more questions on the databases, like high availability database design, let me know. If you do not, I will go straight to the next section, which was an intro to networking, but I need to make sure that I know where your questions are before I move on to the next thing.

Can you host your data in two separate provider data centers? The answer is yes, you definitely could and should. So if you're dealing with multi-AZ, you're dealing with these situations: two separate data centers. Now if you're talking about two cloud providers across two data centers, of course you can do that as well. You're going to probably be using your own manual database, like you'd set up an EC2 instance in one environment, you install your database software, and you could do that in AWS, you can do it in Azure, and you can do it in GCP the entire time. So yes, absolutely.

What about scalability of the database? So, Boveda, we spent a massive amount of time talking about scalability yesterday, and you can definitely watch the replay. We talked about scaling relational databases, and we talked about adding read replicas to offload the read traffic off of the master database. We talked about adding caching to reduce the load on the read replicas as well as the master database. Yesterday we talked a lot about adding queuing to reduce the write load on the master database. We talked about, with NoSQL databases, partitioning the databases. We did not discuss partitioning of relational databases, because that's not without its gotchas, and some of the database providers don't even do that with relational databases, but they almost always do it with NoSQL databases. So if you want to go back and watch yesterday, there's a lot of content on that, and I would love you to see it, please.

What is the technology? So, Jamal, you know, that's a great question. There are a lot of different technologies that you can use for failover, and in these cases most of the databases themselves have their own heartbeats and their own signaling and clustering
mechanisms. So realistically speaking, that's typically the way that it works.

Kellyanne: if you fail over to a backup AZ, do you have to clone the backup AZ right away for availability? No, you don't really have to do anything if you fail over to a backup AZ, if you set it up properly.

What is the difference between scalability and availability? Unless, that is a great question. Scalability is as follows: can you deal with 100 users, a thousand users, a million users, a billion users? That's scalability. High availability means that it's going to be there when you need it. So, for example, a high availability network will be available 99.999 percent of the time, which means the network will be up with the exception of, at five nines, five minutes and 15 seconds of downtime per year. A four-nines available network is basically 99.99 available, which is what you can get on AWS with two availability zones; with regards to that, that will give you four nines availability, or about an hour's worth of downtime per year. So realistically speaking, that's kind of where you're going from.

Can you store session information in DynamoDB using DAX? Well, you could, but remember, you're not looking for accelerators and in-memory caches to store your information, because all that information goes away with a reboot. You're trying to store it in the actual data center itself; those kinds of things are designed to accelerate the database.

As a rule, availability zones are data centers. That's exactly correct. The cloud provider should really say, hey, the region is the geography and the availability zone is the data center, but, you know, the cloud providers really like their mysticism. When you don't know what it is, it sounds really cool, it sounds technical, a lot like some advancement in innovation. The reality is an availability zone is just a data center. Oracle's got their own tools for replication and all those things. What about, or a cluster versus side? I don't know what you mean by "what about that,"
so I don't even know where to begin to answer that. I'm not trying to be difficult.

Is high availability database design disaster recovery? So, okay, no. High availability database design is keeping your databases available when needed. Disaster recovery is preparing for massive things: earthquakes, nuclear attacks, floods, and all kinds of disasters along the way. Disaster recovery could be included in training and building for availability, but it could be separated. So realistically speaking, the high availability database design we're talking about is not related to disaster recovery, but disaster recovery is part of an overall high availability enterprise-wide strategy.

Mario, how do failovers work? There are a lot of fellows with Mario. So I want you to think about anything: whenever you're dealing with failovers, think about a heartbeat. So whether it's a routing protocol like OSPF that says hello, hello, hello to identify its neighbors; whether it's a heartbeat between two databases where they're saying are you there, are you there, are you there; whether it's a health check from a load balancer saying are you there, and the server's responding yes, I'm here, are you there, yes, I'm here; it's all going to be the same thing. So whether it's VRRP or HSRP for making a virtual router, whether it's a routing protocol with an OSPF hello, whether it's a heartbeat between these systems, whether it's a health check with regards to DNS or load balancers, they all use the same kind of thing. They send a periodic message, are you there, are you there, and they get a response, I'm here, leave me alone. You get another question, are you there, they say I'm here, leave me alone, and you get another message, are you there, and they say I'm here, leave me alone. So all of these failovers work with that, and what happens is typically, whether it's a hold time: are you there, are you there, are you there, no response, switch over. And that's typically how all these failovers are performed.

You guys, in the case of a
failure, what happens to the transactions, as they're supposed to be ACID? Well, Yogesh, if the thing is written to the database, it will immediately be synchronously copied to the other one. So if the transaction is in the process of being written and maybe something gets rebooted, you know, you may lose that transaction, but only if it didn't occur. Once it occurred, they're ACID and they should be pretty stable.

Arun: can you get a two-tier architecture and a three-tier architecture and also have cost-saving concepts? Look, you can put all this around on a single server. The Linux, Apache, MySQL, PHP stack is a single-server architecture for web apps, and it's totally appropriate. The problem is, how big of a server can you have? 128 cores, four terabytes of DRAM; at some point that's just not enough. At some point you need a thousand 128-core servers with four terabytes of DRAM for your website. So you can do two tiers, you can do three tiers, but it's really based upon what you need to do. Now I'm going to recommend that whenever you do three tiers and you decouple things, boy, they scale better. If you set it up to scale better, you won't be troubleshooting things later that don't need to be troubleshot, and you will be in a much better position. So generally speaking, try to decouple the lash.

What is the main difference between scalability and elasticity? Both look the same to me. No less, there is no such thing as elasticity. Elasticity is a made-up word from Amazon. It's a fake word, it's a marketing term, it is meaningless. What their point of elasticity is, is it'll grow and scale and do what it's supposed to do. That is a marketing term. Scalability means that it will scale, meaning if you need to grow: 100 users, 1,000 users, 1 million users, that's called scalability. If you meet with the chief information officer of a Fortune 100 company, if you meet with a bank, if you meet with the CEO of Cisco, the CEO of Microsoft, they know what scalability is and they've been
building and designing for scalability forever. If I were to go meet with the CEO of Microsoft and say I'm going to make your systems elastic, they would laugh me out the door. They would say, we are not Amazon, we don't use funny marketing terms, we use scalability. If I would try to pitch that to executives at Google, they would still laugh at me. So I'm not trying to laugh at you; I'm saying Amazon and their marketing team have worked so hard to give us such crazy terms for things like Simple Storage. I mean, seriously, tell me it's object storage. Elastic everything; I don't need to know elastic everything. The cache isn't elastic; it's just the AWS brand: stick "elastic" in front of everything. Google puts "cloud" in front of a lot of things. And you know what, from a marketing perspective, from a business perspective, it's very intelligent, because it enables the cloud provider to really differentiate themselves. When they make it clear that when they come up with something really cool, Simple Storage Solution or whatever they want to call it, that's right, guess what, Amazon Simple Storage, it makes it harder for you to conceptualize if you don't know that it's object storage. And it sounds fun and it sounds fancy, the price goes up, and if you're dealing with it this way and it gets more complicated, people don't know what it is, so when you charge a certain price it's like, wow, I'm getting great storage. Now if you're an architect, you need to know what it really is. So I don't like marketing terms. I don't tell people that I've got an elastic business; I just tell people how to make their systems work to go from one person to a billion people, and by doing that I help them. So great point, great question. Stay generic, stay out of the marketing branding, and your career will grow much faster.

I think I'm being informed by my team that we have to get back to the content. So if you're enjoying yourself, type #cloudhired, because I need to know you're awake, alert, and oriented for the next part, because the
next part is networking, where it's going. Oh, what is an ACID transaction? An ACID transaction basically means you take your system, you write to the database, and it's either all or nothing, meaning you wrote to the database or you didn't write to the database. One transaction doesn't affect another transaction. An ACID database means that if I write, instantly after a write everybody else can get the new content. So that's what's meant by an ACID database: immediately consistent, all or nothing, one transaction doesn't impact another.

Okay, I'm starting to see things. Now we're going to get into a little bit of tech here. I've been asked by my team to remind you, if you're enjoying our free AWS Certified Solutions Architect Associate 2022 program, please leave a like; it helps with all the algorithms.

So now we're going to do a basic, basic, basic networking review. The cloud is nothing, nothing, nothing more than a virtualized network in a virtualized data center, and because of this, networking is just so critical. I mean, networking is so critical that if you don't have the network up and running perfectly, I'm going to tell you, nothing works. Nothing works. So let's do some basic, basic, basic networking, and then we're going to get into the VPC section. Of course, in the VPC, or virtual private cloud, section, what we're going to do is as follows: we're going to make sure you have a lab and you can create a VPC, and Alonzo will work with you on that, and it'll be really fun.

So let's go back to the networking. The first thing I want to talk about is the OSI model. Why? The OSI model is used by every network professional in the entire world. The reason we all use the OSI model, or the Open Systems Interconnect model, is it enables us as network architects to really be able to look at what's going on, and we troubleshoot based upon the layers of this model. So this is something that's really important to us. We've got a seven-layer model. Now, networking consists of only four layers; the
entire stack consists of seven layers. Let's start with the basis: the physical wire, the physical cabling. This is layer one. Layer one is a wire. So with layer one we've got a wire, or a fibre, or the connection; it's physical, it's the cabling. That's layer one of the OSI model; it's the Ethernet cable. So here at layer one, it's a physical thing: we're sending electrons on a wire or photons on a piece of fiber optic, and with that we're transmitting bits of data. So the physical layer, layer one: physical wiring or cabling, layer one of the OSI model. This is where your tier one troubleshooting is: is it plugged in? No?

The next layer of the OSI model is as follows: the data link layer. The data link layer is the hardware layer of the networking model. If you've got a computer and it's got a network card in it, it's got a hard-coded address on that network card. A hard-coded address that is called a MAC address. At layer 2 you've got a MAC address. If you want to look in your computer and you want to look at your computer's address, I think we can see it, hold on: cmd. Sure, I haven't used a Windows computer in a long time, but I had to switch over to one because my Mac didn't work for the kind of work that we were doing. If you take your computer, and if you're on a Linux system, you open up a terminal and you type ifconfig. If you're on a Windows computer and you do an ipconfig /all, you'll see your Ethernet adapters, and on your Ethernet adapters you're going to see a physical address. The physical address on one of my cards is F as in Foxtrot, C as in Charlie, 3, 4, 9, 7, Alpha, 0, Foxtrot, Delta, 1, 6. That's my card's physical address. And you know what, the first part of that physical address, the first six bits, that FC3497, that is something called the OUI, which identifies the company that made the Ethernet card in my system, which is Intel, and that's Intel's OUI.

So layer one is cabling, bits and bytes. Layer two is a hardware address, a physical address, like your MAC address. At
layer two, we're sending data that's called frames. So, bits at layer one, frames at layer two. That first cloud that I worked on in 1998, that was called Frame Relay. Why was it called Frame Relay? Because at layer 2 we were pushing frames; it was a layer 2 transport technology.

Next, what do we have on layer 3? We have layer three. Layer three is the logical addressing we're going to use: it's your IP address. We manually configure it. Here's what exists at layer three: your IP addresses. Here's what else exists at layer three: your routing information. So layer three is your routing, layer three is your address. An IP address is a logical address that you put on there. That is what we're talking about, and we're talking about routing logical IP addresses. So realistically speaking, this is what we're actually talking about.

So let's move up. Let's start layer four. Layer 4 is transport. Layer 4 manages the sessions. So let's look at it this way: layer 4 is TCP and UDP. So let's look at the four layers, because in networking there's only four layers: layer 1, physical layer; layer 2, data link layer; layer 3, network layer; layer 4, transport layer. For networking people like me, that's it; we go no further.

Now let's make sure you know the next three layers. Layer six is the session; this basically controls the connection that exists beneath it. Layer six is something called the presentation layer, again something we networking people don't even think about, but the presentation layer basically presents the networking information to the application layer, and the presentation layer handles encryption, so we still talk about it sometimes. And then we've got layer 7, which is the application layer. This is the stuff we use: we go to a website, it's layer 7. I do a secure FTP, it's layer 7. I send an email, it's layer 7. I open up a web browser, it's layer 7.
it's an application so let's walk through it one more time because it's important layer 1 wire physical layer layer 2 data link think ethernet think frame think mac address layer 3 think network think ip address think routing going on and you think about packets that you're sending on the wire layer 4 transport think of transport as tcp udp and we send segments set layer 5 is session it controls the connection we're dealing with sockets layer six is the presentation layer it's really presenting data and handling encryption like tls for example layer seven application users this is where you connect to these are things that you use those are the seven layers so now what we're going to do is as follows we're going to do a very brief ip addressing thing and a very brief subnetting super netting route summarization thing and then after we do that it's going to be very brief we're going to go into the vpc now when we go over this basic subnetting we may not have as much time as we need to so here's uh here's realistically speaking what we're actually talking about when we go through some of these kinds of things um in networking we actually created a four hour complete subnetting workshop chris or one of the people from my teams will do the following they will list they'll provide a link in the chat window to the free subnetting workshop we did and if you guys want me to do another free subnetting workshop i am happy to do it if you want me to do subnetting use type subnetting workshop in the chat box and i'll find time to do another four hour submitting workshop some day soon but in the meantime we're going to go through a great thing but if you want or need a bigger subnetting thing type hashtag type subnetting and we will do something and also well if you're enjoying the content if you can hit the like button share with others as well it's always good for our things um here's the current subnetting workshop if you want us to do it we'll do us let us know run 
subnetting workshop and I will have Chris from my team add it to the list of things that we'll do, because we want to do anything we can to help you in your computing careers.

So let's talk about IP addressing. Let's first begin with: what is an IP address? Quite simply, an IP address is a logical address, or an address that you put on a computer. Every device that needs to talk to another device must have an IP address, kind of like your house; your house has to have an address. If you don't have an IP address, you're not going to be able to get there. So if you can't have an address, you can't get there. So what needs to occur? Every device needs to have its own IP address, and for devices to communicate with each other, they need to have unique addresses. For example, if I made a photocopy of myself and one was Mike and my next photocopy is Mike B, how would you know who's Mike and who's Mike B? You wouldn't. Now if you name one photo Mike A and the next photo Mike B, and you were going to say send data from Mike A to Mike B, you could do it. But if all you knew was Mike, and both photos had the same names, and they were identical photos and I was identically dressed, how would we send information to each other if we had the same name? The answer is we couldn't. So with your house, for you to get mail delivered, you have an address. If you had the same address as your neighbor, the mail person wouldn't know whose house to give it to. Well, the network is the same way. For the network to work, realistically speaking, for the network to work, everybody has to have a unique IP address. So that's what we're talking about. So every device, every entity needs its own unique address. For the interest of work, I'm going to say this again: every device needs to have a unique IP address.

Okay, so here's where the problem comes from. When we're dealing with IPv4, which is still the predominant IP addressing scheme we're using, we have a 32-bit address. So if you want to know the number of addresses that are available to us, you can do two to the 32nd power, and you'll see it's a pretty large number of addresses, but not enough. See, here's what happened when the internet was founded, when I started working on the internet. When I started working on the internet, here's what happened: there weren't that many things on the internet. It was never an issue; we didn't have a problem, because we had two to the 32nd. Now, by comparison, here's the thing that's going on: every phone has an IP address, every house has an IP address on their TV, on their computers, on their printers, literally everything, everything, everything. That's kind of what's going on. When you need these IP addresses, you need an address on everything. Your refrigerator, if it's a smart refrigerator, has an IP address. The cameras in your house, they'll have IP addresses. We just ran out of IP addresses a long, long, long time ago, and because we ran out of IP addresses a long time ago, we had to do something. We came up with private IP addresses.

So here's the thing about private IP addresses. The Internet Engineering Task Force decided to specify; we all got together, because I've done a lot of Internet Engineering Task Force kind of work as well, and what happens is you get together with a large group of people, you write what's called a Request for Comments, and basically you create a specification. Now the Internet Engineering Task Force did as follows: they created a specification for private IP addresses, which included the 10 slash 8 address space, 10.0.0.0/8, the 172.16.0.0/8. I don't know why that says zero slash one, slash eight. It also includes the 172.16.0.0/12, and it includes the 192.168.0.0/16. So here's the thing: every organization, or nearly every one of them, is basically using the same addresses. So anytime you're going to address your VPC in AWS, VPC in Google, the VPC equivalent in Azure, chances are for your internal stuff you're all going to be using these private IP addresses from RFC 1918, meaning the 10/8 address space, the 172.16/12 address space and the 192.168.0.0 address space.

Now let's walk you through some legacy things, because on these exams you're going to hear the term CIDR, or Classless Inter-Domain Routing, and here's where this is coming from. A long, long, long time ago we had this concept of classful addresses, and classful addresses used the same mask. So a class A address was anything from 1.0.0.0 all the way to 126.255.255.255, and what would happen is we would have a slash 8, which would give us 2 to the 24 hosts available in a subnet, but only one subnet. Now the next thing, and we'll talk about really where it came from, were the class Bs, and class Bs were effectively a slash 16. They began from 128 all the way to 191.255.255.255. And then after that we had this concept of a class C address, and with the class C address we had a 192.168, or basically the 192.0.0.0, and it went all the way to 223.255.255.255. We had the class D addresses, which we used for IP multicast; I won't go into them. And we had the class E addresses, which were experimental. Here's the thing: they all had classful boundaries, meaning a 1.0.0.0 was a slash 8, which is great if we were going to put 16 million 177 thousand hosts in a single subnet. But here's the problem, here's the problem: by doing this, by putting all of our hosts in a single subnet, we would have so many broadcasts that we couldn't do it anyway. So we couldn't do it anyway. So we can't put more than about 500 hosts on a subnet, and realistically speaking, not even more than 250.

So we couldn't use these class A addresses, because remember, every interface on a router, every network card on a server needs to be on a different subnet. So if we stuck with these old class A addresses and we had three Ethernet cards on our computer, we would have three class A addresses, and each class A address would burn 16 million 177 thousand addresses. So literally speaking, for three users we would use 48 billion, 48 million addresses. Now that is obviously not appropriate, so we came up with the concept of a classless address. Here's a classless address: a classless address is something that, for example, does not adhere to a classful boundary. So when you create a subnet mask that's not the default, it's considered classless. That's it. That's all Classless Inter-Domain Routing is: not holding to, not saying that you have to use the classful boundaries, and that's realistically it. So how do we go from classful to classless? The answer is we subnet it out, and that's it. And like I said, we'll do a quick walkthrough now, and if you guys need it, we'll do that subnetting workshop. I had asked some people if they wanted a subnetting workshop; it looked like a lot of people commented "subnetting workshop", so we will do a four-hour subnetting workshop coming very, very, very soon, because it's an important concept to know.

So let's now look at what subnetting is. Let's begin with this. Let's take this simple environment. Let's say I've got one class C address, a 192.168.1.0/24. Let's say that I know that I need to put six servers in three different subnets, but I need multiple subnets. What do I do? I can take my class C network and I can chop it up into little networks, and each one will be able to communicate with each other and nobody else without going through a router. So say I take this 192.168.1.0/24 and I break it into a 192.168.1.0/28, 192.168.1.16/28, 192.168.1.32/28, 192.168.1.48/28, 192.168.1.65/28.
This is what we need to do. Now I've got to tell you, 90% of all problems with technology are because someone did not have the skill to design the best IP addressing scheme. If the IP addressing scheme is not set up properly, what happens is the routing is wrong, and if the routing is wrong, what's going on is nothing will work properly. So almost every problem I've ever seen in tech is when someone that was not a network architect, someone that was more of a jack-of-all-trades, designed the IP addressing scheme. The IP addressing scheme is wrong, and the rest of your design and architecture will always be wrong. Nothing will work well if your addressing scheme is wrong. So let's walk through this a little more with a little chart, and I'll do a complete class if anybody needs it. So it looks like lots of people are looking for subnetting, so I will do it, but I just want to show you basically what happened here. I took the 192.168.1.0 subnet, slash 24, and I subnetted it into all of these individual class Cs. So keep that in mind. Now, we listed an intro to subnetting video; I strongly encourage you all to watch it. It's hours long; we work through lots of project examples. Please see it, because you guys are definitely going to need it, and I will make another workshop within the next four weeks where we spend four hours teaching you guys subnetting, because it is so critical for your cloud computing career. So, one other thing: if you want to know how many hosts are available to the subnet, you can do two to the number of bits that you actually have, and that will give you your answer. So in this case we borrowed four subnetting bits, so if we do two to the fourth, we get 16.

So that would be the total addresses. Now, in a normal world, the first IP address is reserved for the network, meaning the 192.168.1.0. The last address of that subnet would be 192.168.1.15; that is used for broadcast. It is not usable. So remember this when you're dealing with IP subnetting: as a rule, two addresses are always lost. Now when you're on the cloud, it's different. Every cloud provider does their own weird IP addressing things. AWS is very unique in the way they do IP addressing: they reserve the first four IP addresses of the subnet, and they also reserve the broadcast. So realize, if you've got a slash 28, which is the smallest subnet you can use in AWS, and you've lost five addresses versus two addresses, you only have 11 addresses left over. So if you're taking an AWS Certified Solutions Architect Professional exam, or you see it on your AWS Certified Solutions Architect Associate exam, remember this: they burn more addresses. So if you're asked the kind of question that says, hey, you've got a load balancer, you've got some web servers, app servers and some servers, and you've got a slash 28 and auto scaling stopped, why do you think auto scaling might have stopped? Because you may have these systems that are scaling up; each system needs a new IP address. If you run out of IP addresses, auto scaling will stop. So know AWS burns five IP addresses: the first four are burned, and the last one, the broadcast, is burned. So know that.

Now, while we're talking about subnetting, let's go the other way, because this is even more important. Let's talk about supernetting. This is one of the most critical things you will be doing in a cloud computing career: supernetting. Supernetting is the exact opposite of subnetting. Supernets basically take multiple subnets and combine them into a big one. So, okay, wait: we're going to take our networks, we're going to subnet them down for more efficient use, and now Mike's telling me let's supernet and then take these little small things and bring them together. Okay, what's really going on? We're going to be using an elegant subnetting scheme to decouple our environment. We're going to segment our traffic with a good IP addressing scheme. The more subnets that we create to isolate our environment, which is the best thing we can do by creating additional subnets, the more subnets we create, the more routes we put in the routing table, which is fine to a point. So when you've got millions and millions and millions of routes in the routing tables, it takes a lot of CPU performance in these routers, takes a lot of memory, takes a lot, and if you don't have big, giant, really awesome, high-powered routers and firewalls, then it could be too much. But that's not really what we're talking about. When we're talking about supernetting or route aggregation, we're talking about doing it for another reason. What we're talking about doing is optimizing traffic. So let's look here. You've got these four subnets: 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24. These are four subnets. These are four specific routes that I would be sending to the VPC, and if I send all these four routes, awesome, it's going to work perfectly. But do you know of any routing limitations on the AWS cloud? I told you some yesterday. AWS will let you have 100 routes in your routing table. I'm going to say this again: 100 routes in your routing table. Do you know what 100 routes is? Nothing. Nothing. The kind of systems I work on have 40,000 routes in the routing table internal to organizations and, you know, 800,000 routes from 10 different internet service providers, and AWS says you can have 100 routes. Nothing. So those people like me that have been network engineers and architects for 30 years remember when we worked on routers that had a 20 megahertz CPU with a meg of DRAM. Guess what? When you're dealing with the cloud, you're dealing with those old, ancient kind of routers that can only do 100 routes. How did we do it 20, 30 years ago? We got real good at route summarization. How do we deal with the cloud providers that give us 30-year-old routing capability? We use the same route summarization we did 30 years ago in networking. We don't have a choice; we do that with the cloud providers and then everything is optimal. Why else would we do this? We want to hide some of the information in our current system. I also want to do this: we want to reduce the scalability when we traffic engineer. So that's why we use route summarization: to work around the weaknesses of the cloud in some cases, we kind of do that, I think that's pretty important, but also to reduce the routes that we're sending to our cloud providers. They don't let us send a lot of routes. The cloud providers aren't stupid; they're smart. They've got great network engineers, they've got fantastic network architects, they've got exceptional people there. You're not the only client, we're not the only client; everybody that's there does their own kind of thing. So realistically speaking, people do what they need to protect themselves. AWS, Azure, these people have millions and millions of clients. Imagine taking in 100 routes from a million and one clients; it's unbelievable what they have to deal with. So that's why the cloud providers aren't willing to take too many routes. They can't, because they have too many customers. So summarize accordingly, and that's why route aggregation, or supernetting, is so widely used.

Now, before we get into the VPC, and we'll get into the VPC, let's briefly talk about IPv6 addresses. They are a newer form of IP address. So an IP address is a 32-bit binary address. So realistically speaking, when you're dealing with this 32-bit binary address, this is IPv4, you've got 2 to the 32 in terms of usable hosts, which is a lot but not enough. Now take IPv6. It is a 120-bit hexadecimal address, so take 16 to the 128th power and now you know the number of addresses that are available with IPv6: infinitely more. So IPv6 addresses are being used by lots of people, but realize right now they're predominantly being used by mobile phones. Now when you sign up for an EC2 instance on AWS, you will automatically get an IPv6 address; you can disable that if you don't want it.

So let's do this. Let me answer some questions, and then we'll get into the VPC. We'll talk about the VPC; Alonzo will do a really, really cool and fun lab on the VPC, and I know Alonzo's got a cool one planned for you. Anytime we're dealing with a great cloud architect like Alonzo, I'm always expecting Alonzo Coleman to give you guys something good. So let's do some questions prior to getting back, and then after we get the questions, let's go back to the course. So, Chris, I saw one question come in about my eye. I'm going to address that right now, because it is troubling me. I was involved in a horrible accident approximately 10 years ago. I was unable to walk for three years. I lost the use of my left foot, I lost the use of my left hand. I did between six and nine hours of physical therapy
every day for eight years straight, and at the end of this accident I'm left with a goofy eye twitch. So I'm still here, I'm providing free cloud architect training, free AWS Certified Solutions Architect training. I've got an eye twitch that was a result of an accident where the doctors told me I would never walk again, or even be able to sit in a chair again. So I have an eye twitch just left over, so I thought I'd address that. So thank all of you that are participating; I really do appreciate you all being here. Now, Chris, who has the next question?

Okay, so Yogesh asked a great question; I can finally see it on the screen. What is a VLAN? A VLAN is as follows. If you take a switch, I've got one, take a switch like this. Notice this switch has a whole lot of ports in it. Now what if I were to say these ports all belong to finance, and let's say these ports all go to accounting, and these ports all equal dev/test, and these ports all equal production? So basically speaking, I've taken a switch and I've logically chopped a switch into multiple mini switches. That is what a VLAN is. A VLAN is a virtualized switch. So take a switch, chop it into multiple pieces, and you've got virtualized switches. So a VLAN is nothing more than a virtualization of a switch.

Jesse, yes, of course I've got, you know, my home has about 15 of those switches. It's got about nine servers in it with 24 cores in it. I've got 10 gigabit Ethernet wired throughout my house. Well, we don't even need to know what it takes just to run this application; we're dealing with stuff.

Okay, how to segregate subnets. Great question. The second you create a subnet and you put them all in a different VLAN, they can't talk to each other. So subnets can't talk to each other if they're on a different network. So you could literally take a switch, plug all of them together on different subnets, and if every person was in a different subnet, they couldn't talk to each other. So how do you segment subnets? Just by being on a different network subnet, or different network address, systems cannot talk to each other. So while Chris is bringing up the next question, if you guys are enjoying yourselves, you can type "cloud hired" in the window.

Does an AWS solutions architect need to have DevOps skills? Absolutely not. As architects, our job is system design, so we're designing end-to-end systems. So designing of systems does not include configuration of systems, it does not include coding, it does not include maintenance, which is systems; it definitely does not include DevOps. Now DevOps is an incredibly great career for engineers. It's a great career for the future, because it has a lot to do with automation, and automation is the future. So DevOps is an incredible career, but DevOps and architecture are exact opposite sides: we architects design it, and the DevOps people help build it. So I hope I answered your question. Chris, are there any others?

Networks can't talk to each other without routing. If they're on different subnets, they cannot, and that's how we connect subnets together: with the router.

There's a question on the screen: what are the things to take care of on VPN design and connectivity? Well, there's two parts to that question. The first part is VPNs are simple; it's just setting an IPsec tunnel across the internet. Now with regards to VPN design, now you're getting into someplace that's a lot, a lot different, and here's the reason we're talking about something that's very different: you're talking about WAN design, hub and spoke, fully meshed, hub and spoke plus partially meshed. Now there you're getting into some Cisco Certified Design Expert territory, things that would probably take about 500 hours for me to really answer in depth, just talking about how to design a LAN. But as a general rule, a LAN should have no single points of failure, meaning you should have at least two connections. Generally speaking, with regards to network architectures, you should have a core of the network, which is where your high-performance routing is. Outside of your core you should have what's called the distribution layer. So the core is the backbone, and then a distribution layer plugs into the backbone, and then plugging into the distribution layer you typically have a bunch of access layer switches. Access layer switches are these things; these are the things that have a million and one ports on them. They're the things you have in the wiring closet; you plug in 500 computers to one of these things. They then go into the next series of switch, which is a distribution layer switch, which aggregates like 10 wiring closets, and then you take that and you feed that into the core of the network. That's the way Cisco designs things: core, access, distribution. So depending where your systems are, you might do a hub and spoke, you may do fully meshed, and you may do a combination, and that's going to be based upon who needs to speak with whom, the latency of who needs to speak with whom, the kind of routing that you need to do based upon primary, backup and tertiary paths, the type of engineering that you have to do with your traffic, and the latency required. So those are the kind of things that are really necessary to truly, truly answer that question. So I may do, if you guys desire, a session on WAN design, and if that's the desire I can probably do a WAN design on YouTube Live, but you know, it's far, far, far too much to cover in just a single week's time. But I could definitely do that, because it's probably a great idea.

Srinivas: "Sir, I need more clarity on when we will use a private subnet versus a public subnet." Okay, so here's the thing: everything you will do will be in a private subnet unless it needs to be reachable from the internet. Everything that you will do that needs to be reachable from the internet will have to have a public address in some way, shape or form. Anything that you don't want to be reachable from the internet gets a private IP address. Are there any other questions? Most of the questions are going to be covered in the next sections. Okay, I think I saw one pop up: as a cloud architect, do you need to know SD-WAN? If you're a cloud infrastructure architect like me, you must know SD-WAN. If you're going to be a cloud architect and be highly successful, BGP knowledge, MPLS knowledge, SD-WAN knowledge is really, really, really valuable.

Okay, so I'm ready to move on to the next topic; I've been told I've asked enough questions. If you're enjoying this content, if you can hit the like button, inform others and share. I will switch to a little bit of knowledge on the VPC and then Alonzo is going to do a lab, unless, would you guys prefer content first or lab first? Because we can do it either way. Let me know in the chat box: type "content" versus "lab", content or lab, and we'll give you both, just in whichever order you want. Let's see where we get. Alonzo, in the chat box we're both looking; we're always having fun teaching. This is where you have to politic for yourself, Alonzo. Okay, so, right, yeah, let's see what the votes are. Oh, it's neck and neck, content, neck and neck. You know, if more people want you to do the lab, we do the lab; if more people want the content, we'll do the content. We're definitely going to cover, we're both going to cover the content and the labs. It's looking right now that people have heard my voice for a little while and are saying "Alonzo lab". Even Derek, you know, even called you out by name: "Alonzo lab". So, champion, guess what? Alonzo is gonna go do a lab for a few minutes, and then after Alonzo's lab I will talk about content. So let's make sure we make you guys all have fun; that's why we're here, to have a good time, to learn, and to help you guys build careers. So we're gonna do both. Alonzo, take it over to you. I'm actually gonna get a glass of water while you expertly show off your great cloud architect skills.

Okay, Mike, go and hydrate. Okay, everyone, if you all are following and you have your management console screen up, you're free to follow along and we'll continue to move forward. So I'll give you just 60 minutes to get your screen going and then we'll follow suit and get some VPCs going. 60 minutes, huh? 60 seconds, not 60 minutes. It's not gonna take you that long. So everybody get up, let's go, let's get the management console up, for 60 seconds, not 60 minutes.

Yeah, that's a great question. Hey, you know what, we could do training all day. I always find it hilarious and fun; I find no better experience than being able to share knowledge. You know, while Alonzo's getting that up and you're all doing it, to me, I've been in tech for so long I can't even remember. In fact, when I worked, remember the Token Ring, this little thing that IBM embedded that moved the little ball to different slots, click, click, click, click? So you know, they were the folks that trained me, and for me it's about let's train the next generation of really fantastic technology professionals. I live kind of around Palm Beach. When the next generation of cloud architects and network architects are there, I'm going to be practicing yoga on the beach in Jamaica, listening to Bob Marley, Ziggy Marley, and songs like "Beach in Hawaii", where they're talking about yoga and ujjayi breathing with reggae. So that's what I'm going to do after the next generation of technology professionals are created. So glad you're here; we want to give you the best careers possible. Take it away, Alonzo. Everybody's got their things.

Okay, guys, we are ready to go. So first things first: if you're in your management console, we are going to go to our VPC landing page, or dashboard if you'd like to call it that. So here we are; we are at our resources region, we're going to click VPCs. Now VPCs, this is your kingdom. This is where you're going to be setting up your own personal real estate. You're going to have your own subnets. This is where you create everything that you need to know; this is your fort. And so, by doing so, what we want to do first is click Create VPC, and now we want to type in your own
personal name that is easy to reference easy to look for and since i have multiple vpcs up and running so i got to be a little uh gotta add mine to a zero two so we're going to put in our default um ip address which is 10.0.0.0 slash 16 and we're not going to need any ipv cider blocks we're just going to do a default tenancy this is going to be a very simple vpc of which we're going to have two subnets we're going to add a router we're going to add an internet gateway and we're going to have a public and private router so that you can understand why you would need a public subnet and why you would need a private subnet so right now we are creating our vpc we're going back to the dashboard so as you can see right here this is my my uh vpc this is uh my cider block um address which is 10.0.0.16. our dns resolution is enabled and we're ready to go so the first thing that i want to do is be able to provide a connection to the internet gateway for my vpc so we're going to go over to um the drop down area and we're going to look for our internet gateway i want to open that up i want to open up extra windows so everyone can be able to easy easily reference what we're doing at a moment's notice and if anyone needs me to uh slow down you know i'll definitely be looking at at the chats and if chris you could help me with that if anybody needs any assistance i'll be more than happy to do so so now we're over at the uh we're going to select our internet gateway actions or rather create internet gateway that would be my dash igwo2 and we already have our tags we're going to create our internet gateway now remember when i was first starting on vpcs one of the biggest issues that i couldn't uh understand was that why am i not connecting but i also have to remember that you have to not only create your vpc you have to attach it as well it's all like plumbing you gotta you gotta build it and you have to attach it so that everything can work and connect with each other so let's 
attach to the vpc we have our my vpco2 that i originally created we're going to attach that internet gateway and now we're going to be back over here so the next thing i want to do is create our subnets so i want to create a private and a public subnet now when you're doing a public subnet you usually want to have a public subnet for in the instance that you want to ssh um using an ec2 so that you can public privately um create that compute store that that compute and that instance um back into that public subnet so you can specifically um if you want to just like if you want to specifically get to the ec2 from your public ip that's what you can do in that instance for a public subnet but for a private subnet say for instance you are using that same ec2 instance in that public subnet to connect to your databases which you want no connection to an internet gate you know in a gateway or to the internet as a whole you use that um for that particular instance so let's create a subnet so we're going to do publix uh public subnet rather let me go back here i'm going to create our subnet we're going to connect it to our vpc and we're going to say my hub sub and our preference because i am in the uh texas area and the best best area for me is going to be us east 2a that's going to be for my public subnet now we're going to have our um cider range as 10.0.0.0.24 or rather let me rephrase that ten dot ten dot zero dot one dot zero slash twenty four now with this this group this can this gives us 251 um usable ip addresses for this slash 24. 
but in the instance of aws remember what mike said they take four off the top and they take one from the bottom so that leaves us with only 249 ip addresses to use in this subnet we've added our tag here we're going to create that subnet okay now what i like to do is make sure that everything is attached so our actions we're going to go to this specific area actually we'll do everything we're going to because um since it's a public pub sub we're going to add our knuckles okay now because this is public we don't have to worry about um protecting anything we don't have to worry about locking anything down because we want access to the internet so what we want to do is look at our inbound rules and we want to adjust them okay wait a minute let me go back because sometimes this is what i need to do this is what i need to do is i'm going to go and create our subnets all of them all at once so that i don't confuse everyone all together so bear with me as i get this all squared away then we have our subnet okay we're going to create another private subnet or rather a private subnet to go with our public subnet in this instance because we want to consider about consider about durability and we want to make sure that this particular uh subnet is going to be in us2b we have our name and our private sub tag attached we're going to create that subnet rather we got to add the uh cider block so right here in our public subnet we had 10.0.1.0 24. 
Now we're going to have 10.0.2.0/24, and our subnet is created. So now what we want to do is we want to be able to add our route tables. Now remember before when I was saying about the internet gateway, we need to be able to connect to the internet, and it's all about plumbing. So we want to create that route table so that everything can interconnect with one another, so that it can do what it's supposed to do and communicate with each subnet, and the public subnet can also access the internet gateway. So we're going to create a route table and we're going to call this our public route. We're going to attach it to our VPC02. Now it's always important to make sure, especially if you have so much traffic like I do on my dashboards, to connect the right VPCs to your right subnets, NACLs, security groups. It's all about detail, it's all about making sure that you have everything associated with the right groups. So we're going to tag it as Name: public route table, create, close.

So now with that public route table we look at our routes, we're going to add some. Now of course that public route is connected to the subnet, I mean to the VPC that it's in, but we want to add additional subnets. We want to connect it to itself, 0.0.0.0/0, so that it can all be connected together, okay, then that can also be connected to the internet gateway. Save route. Oops, route table, oh that's right, okay, so we're not doing that. 10.0.2.0/24. Sometimes you've got to relearn this stuff as you go along, because it's so important to get this right. Okay, okay, oh man, what am I doing wrong here? Okay, oh that's right, we don't even need one here, that's what I'm thinking about, my private subnet. So because we're already, as the public route, we're already connected to our VPC, and the VPC is already connected to the internet, so we're good to go there. So let's create a private route. Alonzo? Yes. Can you zoom in on the view on Google Chrome? Okay, yeah, there we go. Good for everyone?
Okay, thank you. You're welcome. Okay, so now we're on the private route. Now remember, here we do not want this connecting to the internet, so there's no reason to connect it to anything else at all. So we're just going to say private route, and that's, oh, that's adjusted. So it's always good to remember to name these things appropriately. But now that I remember, I also, the subnet associations, the route here particularly, I forgot that not only does it have to connect to the VPC of 10.0.0.0/16, you want to make sure that it is connected to the internet gateway itself. So I believe that it's the right thing going on there. There we go. So yeah, it can be a little confusing sometimes, making sure you're dealing with the route specifically, but ensuring that everything is connected with each other is key, so that the entire VPC can move and information can flow to the right areas as necessary. So now we're looking at our VPC, making sure that we're good to go there; subnets, just making sure; our route tables are good to go.

Okay, so now that we have our public and our private subnet, what I want to do is add the NACLs. Now the NACL is basically the firewall of the subnet, as the security group is the firewall of the instance that is within the subnet itself. So let's take a look at that. I want to create a network ACL, that will be my pub ACL, I want to associate it with my VPC, the tag is there, I'm creating that NACL. So now the inbound rules, as it is a public, what we want to do is create a new rule to allow traffic to come in. Walk them through, Alonzo, which subnets you're creating and which ones you want them to go through, like which rule you're creating for your public versus your private, make it a little clearer. Okay, now in this particular area we are focusing on our public NACL. This is going to be our accessibility into the internet, and we'll discuss the private NACL after we create this. So we want to allow, so we want inbound traffic to come in. Save changes. So now
we want to create our private NACL. I'm going to select that VPC as well, we have our naming tag and our value, create NACL. So the difference with this one is that we do not want any traffic into the internet. So we want to create some new inbound rules. Right here it says allow; we do not, and otherwise everyone can get into our private information and do what they want. So say for instance, yesterday we did an SSH into our EC2. For illustrative purposes, I can provide SSH and then I can add my source for my own personal IP, so that the only way that this EC2 in the private subnet can be accessed is through my own IP information. Wow. Save changes.

So right now, just looking back at our VPC, I just want to recap what I did. I created my own VPC. This is, again, your own personal environment, your own realm, your own fort if you will, of your own environment of what you want to create there. I created both a public and private subnet. The public subnet is going to be an opportunity for you to drop in, say for instance, an EC2 where the only thing that you want it for is to SSH into any private subnets for your EC2s. And your private subnet, say for instance, that's where you house personal information that you do not want accessible to the internet, which will be your databases or any other information that is critical, like say for instance some of this database information could be credit card information, HIPAA-related medical documents, that is critical for companies to keep private. The route tables, also associated, well, like I said, I had the public route, which is associated with the public subnet and creates a route out of the VPC into the internet. The public, I mean the private route, is focused on keeping the information in the VPC itself, so that it does not have accessibility into the internet, nor can anyone tunnel into that. And the internet gateway is the door to the internet that allows access into and out of your VPC. Your
NACLs, again, are going to be your firewall for your specific subnet. You can set those parameters to allow traffic in, like the public NACL, where it's accessible out of the VPC and into the internet, or you can create that private NACL where everything is locked down, nothing can get in and nothing can get out. And of course the security groups: if we had any EC2s, or we created EC2s like we did yesterday, that would be placed into your subnet of choice, and it will be surrounded by that security group. That security group, say for instance it is an SSH specified to only be accessible from your IP address, can be used there. And so, back to the VPC, these are a lot of the key elements, a lot of the key resources and services that you can use to create your VPC.

Alonzo, looks like your audio went out. So, am I here? You're back again, although now you've got a unique screen. Did you have any more? I think that is it, and I wanted to keep it really simple, using two subnets, one VPC, and be able to define the public from the private subnet, so that, you know, I wasn't going to create any large three-tier VPCs, but something where everyone could understand the differences and how they can navigate and create those subnets and get them to talk to each other. So if you have any more questions, please, I look forward to answering them. I think it might be best to wait for a question session until we start covering the content, because a lot of the questions that we're being asked are questions related to the content that's coming up. Okay, so I think we should do that. Alonzo, thank you. As you look, you know, note that what Alonzo was doing here is we were demonstrating how to create a VPC. As Alonzo mentioned, he kept the VPC open because we wanted public reachability, because this is a lab environment. Had this been a real environment, we'd be using firewalls to provide proprietary security, we'd have pretty strict
rules that we'd be doing. So realistically speaking, that's what we're talking about. So your VPC subnets are going to be in a data center. They're obviously going to be regional, because how else would you get a subnet across data centers unless you were bridging VLANs and running layer 2 traffic, which obviously is not something that AWS is going to let you do, like run a VLAN and an 802.1Q tag and trunk from switch to switch. So your private subnets and your VPCs are going to be locally significant. So, Alonzo, really great job on that, and thank you, thank you, really, thank you. So if everybody can say thank you to Alonzo Coleman, great cloud architect, appreciate him doing this demonstration. I'm going to get started on the VPC. If you're still here, let us know by hitting the like button if you like our content. If you're not a member, subscribe, convince others to join, our questions as well. We'd love to be there with, we'd love to share and spread the word of our free training content.

So now we're going to talk about BGP, I'm sorry, we're going to talk about VPCs. In fact, I like BGP so much, I think of VPCs and I think of BGP. Why do I think of BGP and VPCs together? Well, whenever you connect your VPCs together, you're doing peering. Peering is just like working with BGP, so because BGP performs peering, my brain always associates these two together, and probably there's some good reason for it. So, wonderful, Alonzo. "Which services require a VPC?" So I'm starting to see questions like, "you have a big doubt about which services require a VPC." Pretty much, look at it this way: everything you're doing in today's modern world uses the VPC, except for serverless, which is less than like 10 percent of what we do on the cloud. So almost everything is going to be in a VPC. So if it's okay with you, one of the things that I'd like to do is I'm going to collect all the questions that have come in since the lab started, okay, and at the next question session, okay, just
start with those, okay. And that way we can, because there's several of them that have come through. So, okay, well, you know, I haven't been watching the questions as fast as you, and I was trying to frantically answer them in the chat box. Yeah, you're not going to frantically answer all of them, that's why. Okay, that sounds great.

So let's talk about what are the components of the VPC. Why is the VPC the most fun part for me? This is where your networking is, and the VPC will have routing, we'll have internet gateways, we'll have egress-only internet gateways as well, NAT instances and NAT gateways, we'll talk about elastic IP addresses, VPC endpoints, VPC peering, access control lists and security groups. So this is one of the more fun topics for me. I love so much about this because, you know, it's networking and I love networking. So if you like networking, this is great. Realize the network is the foundation to everything.

So let's talk about this. The first thing that I want to talk about is the concept of a routing table. Here's what a routing table is: it's a map of how you get to every different subnet that exists. That's what a routing table is, quite simply, it is a map. And what happens is routers have something called interfaces. Interfaces are, realistically, network cards. So a router will have a map, and it'll say: to reach this subnet, go out this arm; to reach this subnet, go this way; to reach this subnet, go this way; to reach this subnet, go this way; to reach this subnet, go this way; to reach this subnet, go this way. So what's going to happen is the router will basically send your traffic out different ports on the router that are all on different subnets. So that's how your traffic gets from point A to point B. You send your data to the router, the router sends it to the next router, to the next router, to the next router, to the next router, to the next router, and it reaches its destination, and it comes back. If the router doesn't have a route in the routing table, do you know
what happens? Here's what happens: you hit the first router, and the router drops your traffic, because if there's no route, it's all dropped. So if you want to do this, you want to be able to reach something, you need a routing table. So, you know, realistically speaking, here's what a routing table is going to look like. Now, I manually made this routing table, because your VPCs have a virtual router. Why do you need a virtual router? You can't communicate across subnets without a router, because the routers need a routing table. So here's what your routing table is going to look like. You're going to have basically a subnet, say this is a subnet you're working with, it's local. This additional subnet, this 192.168 subnet, hey, by the way, reach it out interface pcx-123456. How do you reach the 192.168.1 subnet? Go out another interface, pcx-654321, a specific route for that one. Don't know where to go, have no idea? Take the default route, which is 0.0.0.0/0, and go to the internet gateway, because that traffic's going out to the internet. So routers build a map of the network, and it's called a routing table.

So let's look a little bit more about what some of these routing tables actually look like, bear with me, and how they work. So, you know, this is the way organizations typically build the routing tables. You've got a data center, and inside of your data center you've got a bunch of routers and switches and subnets. What happens is your routers use an interior gateway protocol, or internal routing protocol, like OSPF, and the routers exchange messages, and they exchange information about their links, and they calculate a routing table which says how to go places. And organizations use routing protocols to connect to external entities too. So what you can see here is pretty much what you have in every cloud computing environment. You've got basically something on the left, which is an organization's data center, and you've got something on
the right, which could be another organization or the cloud provider. So organizations run their own interior gateway protocols, they have their own internal subnets, they peer via eBGP peering to someone else, and they connect to external entities. Guess what? This is how you connect to the cloud provider. If you've got a direct connection, you're going to use eBGP peering with the cloud provider so you can dynamically exchange your routing information. The routers can build a map. The router here knows that to reach this router here, go to this router, this router, this router. Once it gets to this router, this router is going to say, hmm, this is the best path. This router is saying, hmm, this is the best path. That's how the traffic is kind of routed, like the child's game hot potato: take it to here, pass it here, pass it here, pass it here, until you reach the destination. The router's job is as follows: get the packet and send it out an interface as fast as possible. That's what routers do, and now you know that's how they route your traffic. So now you know, when you're dealing with this kind of information, all of your routing is going to be to build a map of the network. The map of the network is called a routing table. Now you know what the routing table is.

Now let's say you want to make a web app. Let's also say you want to have VPNs. You need access to the internet. So how do you get connected to the internet on the cloud? Well, there's a couple of ways. First we're going to talk about real internet access. Real internet access enables you to go out to the internet and enables people to reach you from the internet. So when you're talking about real internet access, it's not like, you know, you're behind a firewall and you go through the firewall to the internet and your return traffic is let out, but nobody can reach you. Real internet connectivity involves bi-directional connections: you to the internet and the internet to you. So how do you do that? How do you get a
real internet connection? Here's what you do with a real internet connection: you connect to the internet. How do you get off of your network and connect to the internet? You need a router that's connected to the internet. What is the other name for a router? It's called a gateway. So with AWS, if you want to make your systems available to the internet, you've got to connect them to the internet, which means you need an internet router which has got a WAN connection to the internet, and in the AWS environment the router with that WAN connection is called an internet gateway. So here's what you do. You basically take your internet gateway, you attach it to your VPC, you place a default route. A default route is a 0.0.0.0/0 route; it says if you don't know where to go, take this default route. So what happens is organizations will have routers with routing tables, they'll have a path to every subnet, and when you don't know where to go, they go to the internet, because they assume it's not local. So that's there.

Now, can anybody think of this, and I want you to comment in the window: if I stick my server on the public internet, does anybody see a problem with that? If my web server is on the public internet, it will be reachable from the web server. If any of you guys can see a concern of a public server available on the internet, type that concern in the chat box right now. What is the problem of having your servers 100% reachable on the internet? So when you attach an internet gateway, if you don't do anything else, the servers in your public subnets will be on the internet. So we've got a problem. Judith seemed to figure it out: when our servers are reachable from the internet, they can be hacked. So then, for A Hand of God, for the rest of us, this is not a good thing, it's not a good thing. So what's going to happen is as follows: we're going to get hacked every day of the week. We don't want to get hacked. So here's what we do: we use security protocols, we use firewalls, we use IDS systems, we use serious,
serious stuff, and we'll talk about this, but please know, when you're fully, fully, fully connected to the internet, you will get hacked. And there's a lot of hacks: there's DDoS attacks, there's privilege escalation attacks, there's all kinds of attacks, buffer overflows, and we will get them all very fast. It's not secure. I look at the firewall in my house: people try and hack me 20, 30, 40 times a day. So, like Alonzo said perfectly, you opened a door to your front house in a busy city and said welcome, everyone, and by the way, it's like hanging a sign that says, guess what, here's money over here, here's these other highly priced things, there's jewelry over here, welcome, welcome, welcome. So no. When you're using an internet gateway, you've got to think strongly about security, you've got to build solid security into your architecture. So I just wanted you to know that.

So an internet gateway is quite simply a router that connects to the internet. So let's look at it this way. Here we've got our instances, and here's the virtual router, which is connected to the internet gateway. Our systems know to go out to the internet. That's it. That is a true internet gateway. A true internet gateway provides coming in and coming out; well, this will be coming in and this will be going out, but basically that's what a true internet gateway does. Now let's talk about the alternative. If you're dealing with IPv6 in the AWS cloud, they have something called egress-only internet gateways. Egress only. Who thinks of these terms? Egress means exit only. So an egress-only internet gateway lets you go to the internet and it lets your traffic return, but it blocks people from the internet coming to you, because it's egress only. Traffic into your systems is ingress; traffic leaving your systems is egress. So an egress-only internet gateway is basically a one-way connection to the internet for IPv6 in AWS. It allows your return traffic to go out and your traffic to return, but it doesn't allow external people to
connect to you. A lot like a firewall, without the firewall security, in concept. So with AWS, an internet gateway gets you bi-directional communication to and from the internet on AWS, and an egress-only internet gateway only allows your exterior traffic to the internet and back. Let's think about where this would be appropriate. If you want your systems to be protected from the internet, but you still want them to reach the internet to update their operating systems or get a security patch, an egress-only internet gateway is your best friend. Think about a dog: an egress-only internet gateway is your best friend. This allows your systems to go to the internet and get their patches and come back. So with IPv6, we're not talking about NAT, this is just the way it works. NAT could also enable similar functions like this, but NAT has many, many, many other functions that are not related to this. For example, NAT could be used when connecting organizations with overlapping IP addresses. NAT could also be used when you're connecting to multiple VPCs. NAT's got a lot of uses other than just this, but yes, egress-only internet gateways: IPv6 out and coming back.

Now there's two other things that you can actually do with AWS. There's the concept of the NAT instance and the concept of a NAT gateway. They both do pretty much the same thing, but the way they do them is different. The old way to do this is to take a NAT instance, and it's a virtual machine you can get from AWS, it's on an AMI, it runs on an EC2 instance. You basically put the NAT instance in a public subnet with a route to your internet gateway, and what happens is your internal systems use the NAT instance, then the NAT instance translates into a public address and your traffic is routed out to the internet. Now, this is egress only when you're using an internet gateway with a NAT instance, so it allows your stuff to go to the internet and allows your return traffic to come back. This is a perfectly, perfectly
good way to do NAT. Here's the thing: in this particular case you've got the NAT instance and you've got the internet gateway. Totally appropriate way to do things, not the newest AWS service, but it works perfectly. People like me have used this kind of environment for years. So we've got a router, we've got another router doing NAT, and we've got our private stuff. Works perfectly, but is not the AWS preferred way. Note, with this environment you've got the internet router and you've got the NAT instance, but it works perfectly.

So AWS came with a fully managed service. AWS likes to do things where you click one button and it does everything for you, which is one of the great conveniences of the cloud. Another thing that's not so good about the cloud: they try and do as much of it for you as possible, which means a lot of the tuning, a lot of the coolness, a lot of the things that you want to do, you're going to have to work around the limitations of the cloud, because they try so hard to do everything for you. Kind of like when I use my Mac: if I need to do anything cool, I can't, because I don't have access to the cool stuff. That's why, for stuff that I need to do that can't be done on the cloud, I have my own data center, my own private cloud. But the cloud makes it easy, which is why we're going there. It's simple, it's elegant. The cloud is about 89,000 times easier than what we used to do. So it's fast, it's simple, it's elegant. So AWS decided to make it simpler, and they came up with something called a NAT gateway, and this is really a nice, simple, elegant solution. It's basically a single router that does your NAT and connects you to the internet for egress-only traffic at the same time. So instead of using a NAT instance and an internet gateway to give you this, the NAT gateway does it all as a one-stop shop. It's really kind of cool. You've got a single service that connects you to the internet and translates your internal addresses with your external addresses in a one-to-many NAT
capacity, meaning you can have all your addresses all translated to one. This is also referred to as port address translation. Now, NAT gateways are cool because they are very simple and elegant. So architecturally, let's look at it. We've got our private subnet, we've got the NAT gateway, and it's directly connected to the internet. So all we need is a default route to the NAT gateway and everything, everything, everything will work. Hope that kind of makes sense.

So now we talked about everybody having a routing table. We then talked about different ways to connect to the internet. We talked about using an internet gateway for direct internet access. We talked about using an egress-only internet gateway for IPv6 egress-only traffic, meaning out to the internet and back. We talked about using a NAT instance and an internet gateway, I mean a NAT instance with an internet gateway, as a means to use the NAT instance to translate your addresses and the internet gateway to connect to the internet. We talked about the new and modern replacement of the NAT instance plus the internet gateway, called a NAT gateway, one-stop shop, does your NAT and connects you to the internet. Those are the types of ways that you could connect your organization's VPC, or virtual private cloud, or virtual private data center, and that's what's going on.

So let's talk about some new things that are part of the VPC. Somebody before asked what's the difference between elastic and scalability. I said elastic is just a marketing term that doesn't mean anything. If you want to get a network interface in AWS, they call it an ENI, or elastic network interface. Strip off the word elastic and you know what it is: a network interface. What is a network interface? It's a network card on your server, an Ethernet card. Now you know what an elastic network interface is. Strip off elastic and you know what it is. That's why, when we're really talking about architecture, we get rid of the buzzwords, we
get rid of the names, and we call a spade a spade. We're talking about a network interface. So what happens is, when you boot up a system, it comes with a network card, because how else would it work on the network? So it comes with a default elastic network interface, or network card, called eth0, pretty much your standard Ethernet port. Now, if you wanted to put a server in multiple subnets, you could add multiple elastic network interfaces. Now, lots of reasons you could do it. There are times where organizations will want to put multiple servers, good business reasons.

Now, there is a bad business reason to do this, called the bastion host. A bastion host is probably the worst idea you could possibly think of in the entire world. It is a security nightmare and is something that no one should ever do. A bastion host is: you stick a server, unsecured, in the middle of the internet, and you allow someone to SSH into this non-firewalled-off server, and after they SSH into this server, it's got a second network card, and you can use that back end of the network card to bypass your firewalls and go directly into your network. This is insanity. It's great for a test. A bastion host is a host that sits on the internet. It's got two network cards, or two elastic network interfaces. You go straight into that bastion host, you go out the back secondary elastic network card into your network, you violated all of your security, and poof, you're on your systems. Of course, any hacker that's worth their salt, in about 10 minutes, can violate your systems and break into your bastion host. So never, ever, ever, ever make a bastion host. Do your connections, do your configuration and maintenance over your IPsec tunnels, or your direct connections, or your direct connections with IPsec running on top of it. But an elastic network interface is a network card. You stick two network cards in a server, it's called dual-homed. If you decided to make a bastion host, and I beg you not to do this if you don't want your customers to get hacked,
here's what you would do. You would create a server, you'd put in a second elastic network interface, you would go in the first interface, the publicly available one, and you would use the back end, that secondary network card, to bypass your security and go straight into your system. So the result is, when you have more than one card in the server, it is called dual-homed. If you've got multiple cards, it's called multi-homed. So, an outside port, an inside port. If you put multiple cards on a server, guess what, it will be called a multi-homed server. But the bastion host idea, don't do it. The jump host idea, don't do it. But that is a perfect example of a dual-homed server. But there are lots of good reasons to do this.

Now, anytime you want to connect to the internet, you need a publicly facing IP address. It must be globally routable. So normally speaking, it would be called a public IP address. But with Amazon, here's how you remember it: they have some other name for a public IP address. If you're in doubt with AWS, stick the word elastic in front of something and you'll have its name. What do you think AWS calls a public IP address? An elastic IP address. An elastic IP address is the following: it is a public IP address. So now, what AWS does here, which is really, really cool, is as follows. AWS lets you borrow their address, and this is really, really, really cool. And I'll address, Babita, why people use bastion hosts, although really it's mostly just in lab and almost never done in production, and the only people that are teaching the bastion hosts are the people that have not worked in production. So we'll explain to you why later that is, and I'll show you what people do instead. But realistically speaking, the elastic IP addresses are the public addresses. Why is this so cool? Because AWS lets you borrow that address and keep it as long as you need it. You want to stick it on an ENI, a network interface? Great, you can keep it there. You can put it on your web server
for the next five years, you can put it on your load balancer for the next five years, there you go, it's that. And when you're done with it, it goes back to AWS. You don't have to apply for public addresses, you don't need static addresses. It is the most simple and elegant solution. AWS renting you an elastic IP address is absolutely amazing, simple, elegant, fast, and I absolutely love it. So I may not be Mr. Marketing, and I might like to call a bear a bear and a cat a cat and an IP address an IP address, but this concept of borrowing an address when you need it is really, really great. So let's go over the two kinds of network addresses we've talked about. We've talked about an elastic network interface, which is just a network card. We've talked about an elastic IP address, which is a public address that gets placed on one of your interfaces. Now you know.

Now let's look, architecturally speaking, at what is an elastic IP address. We'll work through it, let's show you. So basically speaking, you've got your instances here. Let's assume this is a little bit of a load balancer, you've heard of load balancing. We've got this 3.3.3.3, which is a public address. That is the elastic IP address that will represent our servers, all of them, and that will go through our internet gateway and it will be sent to the internet, and guess what, everybody, everybody, everybody can communicate with each other. So there we go. So I think we've covered some elastic IP addresses, some NAT instances, some NAT gateways. I've got more that I want to talk about on VPC, such as endpoints, but I think we should open it here for a few minutes of questions and answers. So Chris, if you want to bring it up. Yes, so, can you hear me? Yes. Okay, so some of the questions have gone out of my, I guess you call it, portal, so luckily I pasted them to myself earlier, so I can't pop them on screen, but I'm going to read them out loud, okay, and you can simply say, you can answer and review, or you can say that that might be coming up
if it's something that's coming up. Of course, you got it. And if you want to switch back to big U instead of little U. Yeah, that sounds good. All right, so the first one, this one came in during the labs, towards the end of the lab: once a VPC is created, what kind of default elements are created? Well, Alonzo, you want to speak to that, because you were just configuring it? Because typically your VPC is going to create your subnets, inside of your subnets, which you can aggressively hide, that's where your access lists are going to be, that's where literally everything is going to be there. So, right, right. Normally with AWS you're going to have your default VPCs that come with the actual VPC that you spin up, but you can delete those and create your own at will. So say for instance you have your VPC, that's your full environment, and then within that you can make your own subnets, public or private, interconnect them with the router, and make sure that the internet gateway is accessible, so that everything can communicate in and out based on your NACLs and your security groups. Okay, sounds great.

Okay, Chris, let's go to the next one. Yeah, the next one is: can you explain the concept of an ephemeral port? You got it. In association with NACL rules. So here's what an ephemeral port is. Certain things are very easy to create a firewall rule or an access control rule for: allow IP address X to reach IP address Y on port 443, allow X to reach Y on port 80.
That's a standard known port. An ephemeral port is: allow X to connect to Y with some temporary port that's only going to be there for three seconds, and it's going to change at the end of the session. When you're dealing with ephemeral ports, it's going to really complicate the types of things that you can do with your access control list, because you're going to have to specify a range, and when you're specifying a range like that it's going to be a big range and it's going to open it up. So what you typically want to do is make sure you've blocked everything you can with your firewalls, everything you possibly can, to protect the systems with your IDS/IPS systems, and then when you allow those ephemeral ports into a subnet, you make sure that those hosts have whatever host-based firewalls they have, you make sure your intrusion detection and intrusion prevention systems are searching for anomalies, so if they can sense something that looks like a bad pattern of behavior they can thwart the attack.

So when we're talking security, and we're going to get into security, I don't want anybody thinking security is WAF, Shield, NACL and a security group. That doesn't even come close to talking about enterprise-wide security. Look, the web application firewall, awesome; Shield, awesome; network ACL, awesome; security groups, awesome. But you know, that's only a very, very, very small part of security. So when you're dealing with big gaping holes like this and ephemeral ports, you're gonna have to go really strong and really specific on the security, because otherwise you're in trouble. Great question. You want to bring up the next one? And I'll actually walk through why never to do the bastion host, as an example, when we get to that. But let's...

So for S3, which doesn't fit into a VPC, how can it interact with VPC elements?

Okay, we're going to get to that. What happens is you're going to create an endpoint, and there's basically two kinds of endpoints: there's
gateway endpoints and interface endpoints. And what you do is you're going to create a route to the endpoint, and it's going to be in the routing table, and I'm going to show you exactly what that looks like when we cover VPC endpoints, which coincidentally are coming up next.

Yep. All right, so the next one is: can you clarify something? Since we learned in part one, day one, that VPCs are private space you carve out from the public cloud, does that mean you will launch your VMs, databases, etc. in the VPC?

Exactly. Your VPC is effectively like your virtual private data center, and all the stuff that is yours will be inside of your VPC. An organization may have to have many VPCs if they're segmented; you know, it's not uncommon for me to look in an organization with a thousand VPCs. So, but yes, all your stuff is inside of a VPC.

Perfect. If you have a private network where nothing goes in or out, what would this be for? What is its importance?

Okay, so look at it this way. Let's say you work at a hospital, or any business for that matter. The hospital has to keep their patient records. The hospital has systems where I order a prescription for my patient. When I order labs for my patient, like a blood chemistry, I want to be able to look at the blood chemistry. If I order an MRI on my patient, somebody's going to do a scan and it's going to be then stored in an imaging system, it's called the PACS system, where I can view my images. None of that needs to be connected to the internet. So realistically speaking, 90% of an organization's business will not be on the internet. You don't want any of your internal systems on the internet; all your critical infrastructure's not on the internet. For some people, the only thing they have on the internet is just a website to basically let everybody know that it exists. Most everything that matters is going to be private: your intellectual property is going to be private, your manufacturing is going to be private, your patient data is going to be private, your
customers' financial data is going to be private. All that needs to exist in private internal systems.

Yeah, ... that critical infrastructure. Perfect. Yep. The next one is bastion host, but you already said that you're gonna... that's not the one that caught your attention, so I'm just gonna skip it.

Anyway, I'm gonna do that in a minute. I'm gonna whiteboard out, like, the worst idea in the world, never used by anybody that has a real business.

And the next one is: how could you have different availability zones for different subnets in a VPC? In the demo, the private and public subnets used different availability zones.

Well, a subnet is going to be local to a geographic area. So realistically speaking, if you've got two data centers, the only way you could have them on the same subnet is if basically you had users in one VLAN on one side and users in another VLAN, and then in between them you run a layer 2 trunk with, like, an 802.1Q tag or an ISL tag, some way to keep it separate, and that would be a layer 2 network. Organizations don't do large layer 2 networks, because layer 2 networks are prone to loops and broadcast storms, which are really, really ugly. So AWS will route in between availability zones, which means of course if you've got two data centers they have to be on separate subnets.

All right, and the last one that I had collected before the bastion host one was: what is the function of a VPN in a VPC, and how is the application?

Okay, well, VPNs, or virtual private networks, are ways where you can send your information privately across a network that's public. So an IPsec tunnel, an encrypted tunnel between two points on the internet, where you're passing your private information as part of their private access to information. So realistically speaking, that's what we're talking about.

Now let's talk about why bastion hosts are such a bad idea, and I'll show you what organizations typically do that
care about security versus organizations that don't. So let's just go over here. I will actually create a new slide and we'll walk through the secure way to manage your infrastructure versus what you've been taught to do by a lot of the certification course providers, because they are very, very different.

Here's what a well-architected, high-security environment looks like. You've got your data center over here, you've got your cloud VPC. Inside of your VPC you've got your servers; let's call this the web server, and these are production servers. So in real life I've got a direct connection between these two facilities. So if I am the user and I want to manage this server, I leave my data center, I stay on my private wire, private line, through my private connection, I'm already in my VPC and I'm administering the server.

Now, this server, to let you know what we've done: the server has got a firewall first. Behind the firewall... actually, let's really do this so you can really see what a well-designed web host is going to look like. So the first thing we're going to have is some DDoS protection, and we're going to have a firewall. After the firewall we're going to have an IDS/IPS system. Behind the firewall we're going to have a network access control list. This is real security. So let's move this stuff to the bottom, because I've got a lot more security to put here, and I'll show you why the bastion host is something you should never do on anything other than a certification exam. Behind the network ACL we've got a security group, and we'll talk about that in a minute. And then on the server, which is our web server, which is coming up next, here's what we've done to the web server: on our web server we've disabled all unnecessary services and ports. Then, after we've disabled all unnecessary services, we have a host-based firewall on it. So we've got a host-based firewall, so: disabled services. Now let's say we put a host-based... this
well, I'm not going to be misspelling today. Let's say we've got a host-based firewall. Let's say we've got some anti-malware protection. Look how protected this server is, actually, from the internet: we've got DDoS protection, we've got firewalls, we've got IDS/IPS systems, we've got network access control lists, we've got a security group, we've disabled all of the unnecessary services. Pretty much, we are locked down. Here's how you manage the systems: you go through, oops, your private line, secured private connection, directly into your systems, and your systems are 100% really locked down.

Now let's say, besides this, we had this great idea, because we took some training and it said let's use a bastion host. All this security goes away. Here's now what we have: we've got now some computer literally sitting out there in the middle of the internet, and it's not a specialty security appliance. The one from Azure is a locked-down security appliance, more like a VPN concentrator, but the bastion host that most people are doing is as follows: they just stick this little server directly on the internet. The server's on the internet. You can't have a lot of firewalls and IDS and IPS systems, because it's a bastion host, you've got to leave it out there. So now you're sticking a regular computer on the internet, you've skipped all the layers of enterprise security, and this bastion host, this crazy idea, let's see, all you have to do is now access this bastion host, and straight from the bastion host you're going directly into your server. So: unsecure system in the middle of the internet, connect to that, connect to your server. Now compare this: you can only go through your private connections, and you've got to beat your DDoS, your firewalls, your IDS/IPS systems, your network ACLs, security groups, a host-based firewall, anti-malware and unnecessary services. Wait, bastion hosts: just go remote desktop into some Windows host in the middle of the internet and
bypass your firewalls, bypass your IDS, bypass your security groups, bypass your NACLs, bypass everything, and now you're on your internal network. Does that sound like a good idea? You'll lose all your firewalls, lose all your intrusion detection. I wouldn't do it. Why do people do it then? If you don't have the connection to the cloud provider, like in a lab environment, you don't have a way to do this over the direct connection. So if you're building a lab environment, like in a certification course, they'll say: here, create a bastion host or a jump host and try it out. That's the only way you can get onto your systems through the command line. But in real-life networking, in real-life cloud computing, this idea is so dangerous that you would never want to use it. So, cloud architects, it's not about knowing the name of the service and how to configure it; it's knowing what's in the best interest of your customers. How do you give them next-generation technology? How do you give them the concept of security? And you do that by segmenting them, by locking them down.

If everybody understood why I like high security and why being a cloud architect is about real depth of knowledge, and you understand why we're talking about this from a security perspective, before we go to the next thing hit the like button and please put "cloud hired". So now you know why we don't use bastion hosts as a rule, and we will definitely talk about load balancers as well as DNS and everything else, so we'll definitely get to that. So if you're enjoying this content, hit the like, hit the subscribe button, and let me know by typing "cloud hired", and then after that we will go back into the content. Okay, I'm starting to see you guys are getting it. Please keep letting me know. I love... I don't know how you added the cloud to that "cloud hired", Abigail Marks, but that is pretty terrific. So if you're here, let me know; that way I know everybody's awake, alert and oriented. Now, for we medical people, we typically do awake, alert and oriented times
three, alerting to knowing what your name is, basically, what the year is, those kinds of things. So, okay, I see you're there, I know that you're awake, alert and oriented, we can keep having fun talking about things. Excellent, excellent, excellent. We're talking about tech; it's party time to me. I love tech. I hope you guys all love tech. For architecture careers it's good if you like tech, because we're going to play with a lot of it.

Now let's talk about VPC endpoints. What a cool idea this is. A VPC endpoint is a way that you can connect your VPC to other VPCs or an AWS service. We love talking about endpoints because it's kind of part of networking, and networking is fun. If you like networking, type "networking is cool" in the chat box. If you're a CCIE like me with a number of less than ten thousand, when you were old enough to take a two-day test that had a ninety percent failure rate, you know you're going to love networking like me. So let's talk about the VPC endpoints and why organizations use them: secure, high-performance connections, low latency, low cost and high security. So it goes back to the same kind of thing where we talked about not using bastion hosts.

Let's talk about a VPC endpoint. Let's walk through this situation. S3 is not local to your VPC; it's a public endpoint for an AWS service. If you didn't have an endpoint, here's what you would have to do to have your systems use S3: your traffic would have to go out an internet gateway, your traffic would go across the internet, your traffic would come back into AWS S3. So now I really, really want you to think about the complexity of this. If you didn't use an endpoint you have to go to the internet, which means egress traffic. Amazon charges you for egress traffic, so if I'm going to send your traffic to the internet, actually they charge you a lot. They can charge you ingress or egress depending upon where, but as a general rule they don't charge you to send your data to AWS, but they charge you to
send it out. So you will pay for the traffic to go out to the internet, your traffic will cross the internet unencrypted and insecure, and then it will go back through the internet, back into AWS. So you've got network charges and you're using the internet. Remember yesterday, when we talked about direct connections versus VPNs, and we said direct connections offer guaranteed performance and bandwidth and VPNs are best effort because they're based upon the internet? Where do you want to send your data: down a high-speed highway, or down something with a bunch of bumps and bruises along the way? You want to send it down the highway, not with the bumps and bruises. So by using a VPC endpoint to S3 you can ride the Amazon private network, which Amazon is in control of. The internet, nobody's in control of; see, your traffic is best effort. But when you're on the AWS network, AWS has really good network engineers and really good network architects and a really good network, so your data is going to traverse their network in the right way. So that's why organizations use endpoints. Without endpoints we'd have to use the internet, or we'd have to get a direct connection to them, and that would get expensive.

So let's talk about endpoints more, because endpoints are cool. There's two kinds of endpoints: there are gateway endpoints and interface endpoints. And endpoints, like everything else in AWS, are virtual devices that are relatively high availability, highly redundant and highly secure. So the types are gateway endpoints and interface endpoints, and they are a little bit different. So let's make sure you know: a gateway endpoint places a route in the routing table, so it works via regular routing. A gateway endpoint is high-speed, high-security access to an AWS service. So when you're dealing with an S3 endpoint, remember it enables you to have private access to S3 to and from your VPC. When you're going to create an endpoint for S3, what happens is a prefix list is created. The prefix list tells you how to get to your things, and
the VPC endpoint is created. The prefix list will adhere to a naming convention that looks like pl-whatever-whatever-whatever, and you'll see it in the routing table. It will be a route to S3 and it'll work via generic routing, the kind of routing I've always done forever: a route to your stored data in S3. It won't be an IP route, but it'll be something like it. Now when you're dealing with gateway endpoints you're dealing with security, you're dealing with routing. Remember, why do I love routing? Routing gives you access to everything. I want you to really think about it: if you don't have a route or a path, you can't get somewhere. So if I wanted to drive to my friend Ian's house, Ian was one of my cloud architect students, he's a great cloud architect, recently got a great cloud architect job, but when I drive to my friend Ian's house in London, I can't. Why can't I drive to Ian's house? There's no road. So I can't reach Ian directly. Now I could buy an airplane and reach him via airplane, but it's a lot harder to do it. I could get a boat and I could go from Florida to London, but again it would be hard, because I'd have to sail across the Atlantic Ocean and it would take time. So by using a route you can really enhance your security. With routing and routers you can limit routes to people that need it. If you don't have a route to it, you can't reach it. If you can't reach it, you can't hack it. So think about, when you're dealing with gateway endpoints and routes and routing tables, you want to lock your system down. It's really easy: keep them from having routes to the destination and everything will be perfect. That's how you get to the ultimate destination.

So now you know about gateway endpoints. Now let's talk about that other kind of endpoint; let's talk about that interface endpoint. So interface endpoints are a way to connect to different AWS services, such as EC2, Systems Manager, Kinesis, Elastic Load Balancer APIs; external services could be
used by AWS partners, et cetera. You could be using interface endpoints for that. But an interface endpoint works differently. With the gateway endpoint that you use for S3, it places a route in the routing table. With an interface endpoint, it creates a network interface inside of your VPC, like another network card, so it places it in an additional subnet. Now when you're using these interface endpoints, it creates like a PrivateLink connection, or a wire, between you and the other service. So an interface endpoint basically puts a network card on both sides of the connection, on the same subnet. So interface endpoints do traditional IP routing by placing a network card on both sides of the equation. That's an interface endpoint. So when you create an endpoint, because it's going to have an IP address in the subnet, it's going to give you a DNS address. So this is really, really great.

So now you know about endpoints, interface endpoints. So interface endpoints use that PrivateLink service, and effectively they create a virtual private line. Now what's cool about this? Lots of things. When you create a link to somebody else and it's PrivateLink, it's assuming you're dealing with private networks. What address space do private networks use? Private networks all use something as specified by RFC 1918, you know, those addresses we just talked about: something from the 10/8 address range, something from the 172.16/12 range, something from the 192.168/16 range. So you've got a problem: company A buys company B, they've got overlapping IP addresses, they can't talk. What do they do? They either readdress everybody or they use NAT. So when you're using interface endpoints, that creates a network card on both sides of the equation; these systems automatically do NAT. So you can connect to somebody else: they're using the same addresses, you're using the same addresses, PrivateLink automatically assumes, whether you are or not, creates NAT, places one on a subnet inside of your VPC and something inside of somebody else's VPC, and
everything works. It is a simple, elegant, beautiful, beautiful solution. So let's look and see what this realistically looks like. Okay, so in this environment, here's what you can see: we've got one VPC of one customer, we've got another VPC of another customer. In this case VPC 2 is sharing a lot of services with VPC 1. So what we've done is we've taken a network load balancer and we've used it to load balance a bunch of servers in VPC 2, and now VPC 1 connects to VPC 2 over this PrivateLink service. They get fast, secure, high-performance networking services in between virtual private clouds, in between virtual organizations. So this equals awesome, really, really awesome. So this is how it works.

Now, you know we will talk about VPC peering, but PrivateLink is a little different than VPC peering. PrivateLink enables you to connect to a service or an external entity. PrivateLink does not... PrivateLink uses routing to connect, so PrivateLink is a great way to connect two VPCs. Oh wait, there's this concept of VPC peering which can also be used to connect two VPCs. See, when you're dealing with architecture there's usually a lot of different ways to do things, and you have to select the best one for your customer to optimize their business. So it's not like memorizing services; it's about knowing how to solve the customer's problem, how to make the customer's business better. So we talked about PrivateLink. How is PrivateLink different than VPC peering? Well, I'll tell you, it's different in a lot of ways. Well, first, PrivateLink gives you access to a single, specific service. So if I connect two VPCs with PrivateLink, I could say you have access to this server that has some souvlaki recipes, but nothing else. So, very specific service. VPC peering is like: let me connect my New York office and my London office and share everything. So PrivateLink: specificity. VPC peering: everything. If you need to share multiple services, use VPC peering; if you only need to secure one thing, use PrivateLink. Now let's
talk about VPC peering. VPC peering only enables you to connect to 125 connections. That's nothing, literally nothing. 125 VPCs, it's nothing in the grand scheme of things; we're talking about networking. PrivateLink is much, much, much more scalable. If you need more than 125 connections, and getting that with VPC peering is nothing, especially if we're talking about fully meshing, you know, that's nothing. PrivateLink scales; pretty much the limits are based upon the maximum throughput achieved by load balancers and servers, so it's almost unlimited scaling. PrivateLink, as I mentioned, solves the problem of overlapping IP addresses, because PrivateLink uses NAT. Now one of the things with PrivateLink that's a little odd is it's unidirectional. So let's say I wanted to set up my VPC to have recipes for horiatiki salata, which is a Greek salad, souvlaki, which is a Greek food, and fasolakia, which are Greek green beans. I wanted to share the recipes for that and nothing else. With PrivateLink I could basically make it that people could access the information from me, and I would still have no access to their systems, because it's unidirectional. Now I think it's Hand of God, that's somewhere in Greece, and let's say Hand of God, I think that's your name via YouTube, let's say you're over there in Greece right now, and let's say we wanted to share information. And I wanted to... it was Head over Heels, I'm so sorry. So, Head over Heels, let's say I wanted to connect to you in Greece, and while I'm an expert on making souvlaki and horiatiki salata and fasolakia, which is Greek green beans, you're an expert on everything else. So I enable you to connect to get my recipes, and I reach out to Head over Heels' recipes in Greece; that person shares them. So we can set up PrivateLink in one direction or both directions. With VPC peering we're sharing everything. So understand, that's kind of the main difference.

So now let's look at VPC peering. What is VPC peering? VPC peering is
one of my favorite things. It's when you take one virtual private cloud and you connect it to another. Why do I like it so much? I built a career working with BGP. BGP peering, VPC peering, kind of the same. So let's talk about it. So VPC peering is used to connect multiple VPCs. Now I want you to really think about how cool this is. If you connect multiple VPCs across the AWS network, what do you get? AWS network performance. Wow, that's good. So it's not like internet performance; you can do it over the private AWS network, which will give you much, much, much better networking performance.

Now, VPC peering is not transitive, and we're going to talk about that in a lot more depth, but I need you to understand this: VPC peering is not transitive. What that means is, let's say my head is router B, my left hand is router A, my right hand is router C. In non-transitive routing, if I learn a route from router A and it goes to me, router B, I will not send that route to router C. If router C does not know how to reach router A, they won't be able to communicate with each other. So in non-transitive routing like VPC peering, if I learn a route from one person and I take it in, I don't give it to someone else, so they're not reachable. So if I want people to be reachable, or VPCs to be reachable in cloud computing through VPC peering, I have two choices: I must fully mesh them, or I must break the rules of VPC peering. So let me show you what VPC peering is first, then we'll show you how to break the rules, because you know this kind of stuff is important.

So let's take this particular situation of VPC peering. Here we've got one VPC on the left side, a VPC on the right side. We've set up VPC peering and they are exchanging information back and forth, and everybody's happy, life is good. VPC peering is not transitive; is it a problem here? Not one bit at all, because we've got a VPC on the left and a VPC on the right. The VPC on the right knows all about the left's routes because it got them
because they're directly connected. The VPC on the left knows all about the VPC's routes from the right, because they're directly connected and they are shared. Because they are shared, everybody knows how to reach everybody. This is good; this is what we want.

Now I'm going to go back and I'm going to say this again: VPC peering is not transitive, which means if I learn a route from somebody else, I don't give it to somebody else. So this changes everything. VPC peering, unless you break the rules, will not work in a hub-and-spoke environment. It requires something called full mesh, and I'll show you what that looks like. Here is the problem with full mesh: the more devices you have talking to each other, the more connections you need, and it goes up exponentially and fast. If you ever want to know how many VPC connections you would need to fully mesh your VPC peers, it gets ugly fast. The formula is n times (n minus 1) divided by 2. n times (n minus 1) divided by 2. So if you had 100 VPCs, and a hundred VPCs is absolutely nothing, nothing, it's pretty common, and big networks have a thousand VPCs, but let's say you only had 100 VPCs. If you had 100 VPCs, 100 times 99 equals 9,900; now divide by two. That would force you, for a hundred VPCs to be fully meshed, to have four thousand nine hundred and fifty peering connections. Four thousand nine hundred and fifty to connect just 100 VPCs. Now how many VPCs does AWS allow you to peer? 125.
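The non-transitive peering behaviour and the n(n-1)/2 full-mesh count just described, worked through in code, together with the hub-style workaround (transit gateway, route reflector style) the lecture turns to next. This is an added example and not material from the lecture; the VPC names, CIDRs and pcx- ids are constructed, and 125 is the peering limit figure the lecture quotes.

```python
"""Added example (not from the lecture): a toy model of why VPC peering is
non-transitive, how many peering connections a full mesh needs (n(n-1)/2),
and how a hub (transit gateway / route reflector style) gets around it.

Every VPC name, CIDR and "pcx-" identifier below is constructed for the
example; 125 is the peering limit figure quoted in the lecture.
"""
from itertools import combinations

PEERING_LIMIT = 125  # figure quoted in the lecture for VPC peering connections


def full_mesh_connections(n: int) -> int:
    """Peering connections needed so that each of n VPCs peers with every other."""
    return n * (n - 1) // 2


def full_mesh_exceeds_limit(n: int) -> bool:
    """In a full mesh each VPC carries n-1 peerings; compare that with the limit."""
    return n - 1 > PEERING_LIMIT


class Network:
    """VPCs, peering connections and an optional hub, modelled as route tables.

    A peering connection installs a route for the other VPC's CIDR in each of
    its two VPCs, pointing at the peering connection itself. Nothing ever
    re-advertises a route learned over one peering across another one, which
    is what "not transitive" means.
    """

    def __init__(self):
        self.cidrs = {}            # VPC name -> CIDR
        self.routes = {}           # VPC name -> {destination CIDR: target}
        self.peerings = {}         # peering id -> (VPC, VPC)
        self.hub_attached = set()  # VPCs attached to the transit-gateway-style hub

    def add_vpc(self, name: str, cidr: str) -> None:
        self.cidrs[name] = cidr
        self.routes[name] = {cidr: "local"}

    def peer(self, a: str, b: str) -> str:
        pcx = f"pcx-{a}-{b}"       # constructed id, not a real AWS identifier
        self.peerings[pcx] = (a, b)
        self.routes[a][self.cidrs[b]] = pcx
        self.routes[b][self.cidrs[a]] = pcx
        return pcx

    def peering_count(self, vpc: str) -> int:
        return sum(vpc in ends for ends in self.peerings.values())

    def attach_to_hub(self, vpc: str) -> None:
        """The hub re-advertises every attachment's CIDR to every other one."""
        for other in self.hub_attached:
            self.routes[vpc][self.cidrs[other]] = "hub"
            self.routes[other][self.cidrs[vpc]] = "hub"
        self.hub_attached.add(vpc)

    def can_reach(self, src: str, dst: str) -> bool:
        target = self.routes[src].get(self.cidrs[dst])
        if target is None:
            return False                      # no route, no reachability
        if target == "local":
            return src == dst
        if target == "hub":
            return dst in self.hub_attached
        # a peering connection only forwards between its own two ends
        return set(self.peerings[target]) == {src, dst}

    def all_pairs_reachable(self) -> bool:
        return all(self.can_reach(a, b) and self.can_reach(b, a)
                   for a, b in combinations(self.cidrs, 2))


def build(names, topology: str) -> Network:
    """Build the lecture's scenarios: 'hub_spoke' peering, 'full_mesh' or 'hub'."""
    net = Network()
    for i, name in enumerate(names):
        net.add_vpc(name, f"10.{i}.0.0/16")   # constructed, non-overlapping CIDRs
    if topology == "hub_spoke":               # first VPC peers with every spoke
        for spoke in names[1:]:
            net.peer(names[0], spoke)
    elif topology == "full_mesh":
        for a, b in combinations(names, 2):
            net.peer(a, b)
    elif topology == "hub":                   # transit gateway / route reflector style
        for name in names:
            net.attach_to_hub(name)
    else:
        raise ValueError(topology)
    return net


if __name__ == "__main__":
    vpcs = list("ABCDEFG")
    spoke = build(vpcs, "hub_spoke")
    print("hub-and-spoke peering, B -> C:", spoke.can_reach("B", "C"))  # False
    print("full mesh of 7 needs", full_mesh_connections(7), "peerings")  # 21
    print("full mesh of 100 needs", full_mesh_connections(100))          # 4950
    print("hub, B -> C:", build(vpcs, "hub").can_reach("B", "C"))         # True
```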
You couldn't deal with this under any circumstances. So VPC peering is not transitive, and because it's non-transitive, just like iBGP, it gets ugly really fast. So let's walk through this. Let me show you the architecture, and then I'll show you what we do about it, because don't worry, it works; we've got a workaround to every problem. So in this particular case I want you to look at this. This is non-transitive routing at its best. You've got VPC A in the center. VPC A can reach VPC B, VPC C, VPC D, VPC E, VPC F and VPC G. That's great. And VPC B can reach VPC A, and VPC C can reach VPC A, and VPC D can reach VPC A, and VPC E can reach VPC A, and VPC F can reach VPC A, and VPC G. But now, can VPC B talk to VPC C with non-transitive routing? Let me know in the chat box: if VPC B with non-transitive routing cannot talk to VPC C, in the chat box type "no communication", and if they can talk to each other, type "communication". So in this non-transitive routing environment, if VPC B can talk to VPC C, type, you know, "connected", and if they're not, type "no connection", "not routable". Let me know so I know you've got this, and then I'm going to teach you the workarounds.

Okay, Judith, exactly, they can't talk to each other. Head over Heels, Polika, they can't talk to each other. Victor, no, they can't talk to each other. And Wrath, you are correct, they cannot talk to each other. Hand of God, they can't talk. Evil, no talk. Brenden, they can't talk. SM-7, they can't talk without us doing something to break the rules, and you've mentioned one of the ways to break the rules. Exactly, we are dealing with non-transitive routing. Non-transitive routing does not allow communication. If any of you guys took my BGP thing, what do we do in BGP to get past non-transitive routing? In BGP we have this cool concept of a route reflector. What is a route reflector? Because, guess what, everything we do in the cloud is 30-year-old tech coming from networking, and I love that because I'm a networking person, and I love the cloud too because it's so darn agile
but no communication, that's what non-transitive means. So now let's say we're dealing with BGP peering, because this is going to be the solution. What if, on VPC A, let's pretend this was BGP, we could make it a route reflector? What is a route reflector? A route reflector breaks the rules of BGP peering that say, for iBGP, which is not transitive: break the rules. So take the routes learned from VPC B, give them to VPC C, D, E, F and G, and then take the routes of VPC C and give them to VPC D, E, F, G and B, and so on and so forth. So everybody knows everybody's routing information, and if you do that with a route reflector, everybody can reach everybody, and then you've got full communication. With AWS, they give you an option; they've got two ways to fix this. They've got their own route reflector-like equivalent. It's called CloudHub, or Transit Gateway, one and the same. There's a slight difference between them, and it is identical technology; there is a slight difference in the implementation, we'll talk about it. But CloudHub, Transit Gateway, is basically just a BGP route reflector for VPC peering. Again, 30-year-old tech. Learn the network, learn the data center, and you will always know the cloud. Nothing's new. Each day the cloud has a new feature that equals a network and data center feature from the last couple of decades. This is really exciting, because it means the cloud is getting as good as the network and the data center soon, and it means if we can do better, faster and cheaper outsourced than we could do on our own, it's legendary, it's life-changing for business and tech. So it's wonderful. So with each one of these new features, if you understand the legacy, you will always, always, always know what to do. So we have two options: we use something like CloudHub or Transit Gateway, or we fully mesh them, meaning everybody is connected to everybody. In this full mesh environment, can B talk to A? Yep. Can B talk to C? Yep. Can C talk to B? Yep. Can C talk to A? Yep. All because they are all fully meshed. But n
times (n minus 1) divided by 2. 100 times 99 divided by 2 is a big number; it was a far bigger number than just... it gave us 4,950 peering connections. And I'm not Mr. Math, so look at it that way.

So let's go and talk about CloudHub, and we'll talk about Transit Gateway too, because it's pretty much two sides of the same coin: different brand names and slightly different features. So what is CloudHub? CloudHub enables you to connect multiple remote sites or offices that are their own VPCs in a hub-and-spoke environment and share routing. How are you going to share the routing? With my favorite routing protocol, eBGP. So we're going to be using BGP. So basically we're creating this route reflector-like environment, but we're using eBGP versus iBGP, and here's what it's going to look like. It's going to be our workaround to the full mesh requirement. So going over here, here's what you can see. Let's say we've got a Boston connection, a Washington DC connection and a San Francisco connection, and we want them all to communicate with each other. We enable CloudHub, and with CloudHub we're exchanging routes with CloudHub via eBGP, and eBGP is transitive by nature, whereas iBGP is not transitive unless you enable the route reflector functionality. That is how it works. When do you use CloudHub? When you have VPN connections from your sites. CloudHub is for VPNs. That's how you separate CloudHub from Transit Gateway: they functionally do the same thing, CloudHub is for VPN. So if you want to know what AWS CloudHub is, it is for VPNs, to break the rules of non-transitive routing. That's it. So CloudHub enables these hub-and-spoke transitive connections. It uses BGP for the routing information; every VPC creates an eBGP connection to what's going on, and because it's eBGP, which is transitive, all the routes are sent. Now you can basically create a policy with BGP and filter routes if you want to control reachability, but by default, eBGP: simple, elegant and effective. Now let's
talk about let's give you one more example of what this looks like here you go we've included some bgp in this case we're dealing with sydney london and new york you can see what we're doing here we're running ebgp64513 is it an autonomous number six four um i think it's a zero zero one it's hard for me to see so the point is is ebgp connections and routing now this is for vpns what if we wanted to use a direct connection instead of a vpn what if we wanted to use a direct connection and a vpn then we can't use hub and we can't use cloudhub why can't we use cloudhup cloudhub's only for vpns so aws has cloudhub number two they call it transit gateway transit gateway basically is the same thing it enables you to create ebgp connections for to make vpc pairing transitive versus non-transitive and up-and-spoke environment but transit gateway lets you use vpns and private connections so it's newer it's more modern now let's talk a little bit about access control lists alonzo made an access control list with you earlier today i think he made some security groups with you as well um but let's go back to those network acls what is a network acl quite simply it's basically the same kind of access control list that existed on routers for the last three decades an access control list or a network access control list is something that you use to keep unwanted traffic out of a subnet so security groups keep traffic out of a host network acls keep traffic out of a subnet i gotta tell you this is one of the most confusing areas for students network acls keep traffic out of the subnet and a security group keeps traffic out of a host you will see probably eight questions on the aws certified solution architect associate 2022 version of the exam why because it's common and most people don't get it network ac let's protect the subnet security groups protect the host so a network acl enables you to create a policy to allow or deny traffic and network acl is identical to the access 
control list that you can put on a router if you're familiar with cisco routing they're just like an extended access list you can specify the source and destination protocol and port number now remember firewalls are stateful they keep track of what's going on so they know to allow they know if you have traffic that egresses a firewall to allow it back in network acls are stateless they don't pay attention to what's going on in your systems and i'll discuss stateful much more when we deal with security groups but network acls don't keep track once the the packet goes through the access control list it's forgotten about so because network ac calls are state list you must configure them in both directions stateful and state list do not mean whether you configure them in which directions stateful means tracking network acls are stateless i will give you the example a firewall is stateful let's pretend my left hand is a firewall if i'm behind if if you're outside trying to come into my house and you're trying to bypass my firewall you're gonna be blocked block block you're not allowing in if i go to from i'm sitting here right behind the firewall here's my fire one i want to go to www.gocloudcareers.com i'm going to go out my router through my firewall to the internet i'm going to go to the server www.gocodecareers.com my traffic's going to come back my server is going to give me response the server my the message the packet's going to come to my firewall the firewall is going to say okay mike gibbs initiated this session sitting from behind the firewall i allowed his traffic to the internet this traffic is destined to mike gibbs computer mike gibbs originated the connection i'm watching the connection because i'm stateful let it back in so stateful really refers to monitoring of the connection it's what's going on so the reason stateful things don't need to be applied in both directions is it knows so when you're dealing with the security group which we'll talk about 
soon which is stateful it knows that if the message goes into the web server because you allowed it allow it back out because it's traffic that was initiated in the right direction so network acls are stateless they keep unwanted traffic out of a subnet so you have to configure them now when you configure a network acl the order matters real badly if you get the order wrong bad things will happen i promise you every one of us that's been in networking or security for more than a week has misconfigured an access control list many times in their life or at least once i've done it twice and i can remember each time it wasn't good i locked myself out of the routers both times just so you know alonzo is kind of cackling off camera when you said that i i did it more than a few times yeah yeah well i've done it twice and let me tell you if you're you know sshing into a router one of the core routers one of the world's largest internet service provider and you you slap on an acl because they're in the middle of a ddos attack and you accidentally block your traffic you can't even get back into the router to go fix it so anybody that's ever locked themselves by making an acl mistake is just lying to you we've all done it yeah and and definitely just just to kind of like really break it down for everyone it's like having your home fortified and you lock the door but you take your keys throw them back in the house and close the door behind you so that's that's pretty much equivalent so you're locking yourself out so it's just really important that you understand uh the pecking order of of the uh of the inbound rules exactly and that's the other reason i love you to have that back door network connections to the way we described it not the bastion way through that direct connection or through that vpn because this way when it breaks you usually have an alternative back in because trust me you will break something it's just a matter of when so because access rule lists are 
processed in order if you get the order wrong you will break everything so i'm going to show you what not to do so if your first rule is deny everything and the next rule is allow web traffic or port 80 traffic let's really think about what happened packet hits the acl deny trashed nacl deny trash deny trash deny trash it's denied trash now if you wanted it to hit that web server it's not going to happen because the access controller sees the packet throws it away sees the next packet throws it away the rule is denial traffic so if you deny all traffic inbound in all traffic outbound you've got nothing so you've got to change the order now realistically speaking you don't even need as a ruler to do permits just do permits and the denies are implicit so now let's look how to do it the right way rule 110 allow tcp port 80 until from any source allow pcp port 80 from any destination look at it this way you're saying allow web stuff in and nothing else so now the only thing to hit so when you write access control list two pieces of advice they're processed in order do not make them one two three four five it's a rookie mistake i made 25 years ago and never ever do this here is what's going to happen when access control is do you think you need today tomorrow you're going to find somebody's pc gets worm infected and you need to add a rule temporary access control list rule you're going to find some new applications of bin you're going to find your acls which you thought were going to be two lines long which are now 39 lines or 300 lines long so technique 100 110 120 130 140 150 give yourself 10 rules in between every rule and that way when you have to add rules you'll have space because the order matters so you may have to deny one host from a subnet and then permit the rest of the subnet you have to do the permit they do not but so you've got to get the order right so please understand that now i want you to really architecturally look at this because a lot of people 
do not get this let's look at network acls network acls keep traffic out of a subnet and a security group keeps traffic out of a host so let's look at it this way you've got your internet gateways you've got your routers behind the firewalls and things which we're not showing you're going to use a network acl to protect this the subnet and keep bad traffic out of the subnet and then you'll use a security group to hook for the host so if someone asks you which you're going to use a network acl or security group the answer is both even the two of them together is not enough you're still going to need firewalls and ids ips systems you're going to need so much more so network acos protect a subnet security groups protect the host so what we'll do is we'll talk about security groups then we'll go through some questions and answers and then tomorrow we'll get into some fun stuff with related to network performance optimizations and placement group we'll get into route 53 we'll get deep into load balancers we're going to get into all kinds of cool fun performance tuning but we've got to get here so now you know what the acl does it protects the subnet and a security group protects a host so now let's think about the security group because they're a little different a security group is just like an acl but it's applied to a computing instance versus a subnet so the network acl protects your subnets and yes i've mentioned this 30 times no i'm not normally this repetitive but i gotta tell you after coaching students cloud computing for as long as i can remember students get this wrong and you're my students now and i want you to get it right so security groups are like a host-based firewall they are stateful they protect traffic getting into the server so if my hand is the server and there's a security group and traffic tries to come in it's only going to be allowed to the security group to reach the server if it makes policy otherwise it's blocked it protects the server a 
good environment will have security groups and network acls security groups are stateful security groups support allow rules only so all non-allowed traffic is denied only permit through the security group what you desire so security groups are stateful which means they track they know they watch they monitor the nail everything that's going on with your connections that's what security dupes do so that's where they get shared and do so stateful access control lists are used um the stateful security groups are like stateful firewalls that get applied to the host so you only have to apply them in one direction because they're stateful meaning they track the connection architecturally i'll show you here's where we've got our internet stuff we've got our network acls protecting the subnet instant grain now before it was blue now we've got the security groups that protect the host so now you know what security groups do now i'm sure i've been on it for a couple hours i'm sure you've got some questions for alonso you've got some questions for me so let's kind of answer as many questions as we can for you chris do you have any questions that you can bring up and bring on screen or did we not get that not resolved yet there were some questions but they got some pretty solid answers in the chat box um kind of surprised i've actually learned something so i can tell when they got the right answer okay so that's uh so let me pull uh look full of some of the ones that did not get answered and actually i'm trying to find the questions that were answered so i can know that they were answered correctly okay and also that's a lot of ones and also um you also answered them after they got like after that i may have answered most of them some of our students may have also answered them um i just want to know all right here we go here's one but uh no that one was from the from your walk through nevermind your whiteboard um sorry it was a long it was that one was a long session so i 
have to scroll back a while could you put the question is could you put a bastion host behind those security controls you could and if you did that it would be a whole lot less risky so it wouldn't be terrible um the kind of security controls i'm talking about um are gonna get really expensive to really lock down your system so here's your options you could use a vpn concentrator well if you normally speaking you'd have a direct connection so there's no reason to use the bastion host you've got a connection anyway the bastion host is only if you got there so you would never need to use a bastion host if you have a direct connection or a vpn backup because you wouldn't need it is it possible to create a bastion host that's secure sure if you've got the skill to basically take a linux kernel just the kernel and add the two or three packages that are necessary for a bastion host by adding packages and build your own linux instance and then you knew how to harden all the linux files on there and you made certain that no ports were listening that were that there and then you really locked it down and put the best host base firewall on it the best anti-malware protection and you really split two three four hundred man hours into building this and make it secure you could use a bastion host realize when you're dealing with these kind of security apparatuses that are used for bastion host purposes made by a cisco you're probably dealing with about 500 million dollars just going into making these systems locked down and secure compared to that to a bastion host it's typically done by some person that they can do in about five minutes compared to someone that spent a half billion dollars hardening the host so which one do you really want to use for your enterprise i would not use sebastian host for any circumstances whatsoever and if i was going to use a bastion host which there's no reason to because you can use your private connections i would make sure that i heard a 
company like a z scalar somebody that really is good in security i would pay them to build me the best bastion host it would be a couple million dollars to get it right and i would make sure they'd build me this system they'd install all the right appliances all the right software they lock it down it's going to cost a lot of money to do this right to use bashing host there's no reason to ever use a bastion host if you've got a vpn connection to the cloud they do this in lab courses because if you don't have a vpn to the cloud how would you ssh into your systems but in reality you will never ever need to do this so leo says to have a bashing host you need two network adapters what is needed for an iseq tech tunnel nothing your data center is going to be connected to the cloud with a router so basically speaking you're just going to create your vpn connection to the cloud now how you're going to get your data to the cloud anyway you're going to send it over your direct connections how are you going to keep your data saying or synchronize with the cloud over your vpn or your direct connections how do you access the systems that are on the cloud over your vpn and your direct connections so there's no point if you're an enterprise connecting to the cloud to ever think about a bastion host in the first place it's only useful in the lab environment if you don't have access to your subnets via vpns or direct connections io what's the difference between vpc peering and transit gateway great question although we probably covered it in depth vpc pairing is when you connect multiple vpcs together vpc pairing is not transitive so if you've got 3d pcs each one needs to connect to everybody if you've got four vpcs each one needs to connect to everybody so put you in this n times n minus one divided by two situation where if you've got a hundred um vpcs that need to peer you would realistically need i think it was four thousand nine hundred and fifty connections yes that's what 
it was when we did the math whereas if you use transit gateway or cloud hub you could basically have a hub and spoke environment and just pure with 125 with 100 of them and do 100 connections versus 4950. that's the difference transit gateway is just a way like cloudhub to break the rules of non-transitive routing with regards to vpc pairing there any others chris yes it's on the screen what's the difference between vpc peering and an endpoint good question vpc pairing is when you connect two vpcs an end plan is just to connect to a secure external service so there's two kinds of end plans there's a gateway endpoint which is used to connect to things like dynamodb and s3 and there is an interface endpoint which is connect which is used to connect to a service or other vpcs vc pairing by comparison you take two vpcs and you completely connect them and they have access to everything connecting two vpcs with a vpc endpoint specifically an interface endpoint that uses the private link enables access to a single service and a single service only across your vpc pairing chris you can bring up the next one i'm going to bring this one up but i think you just covered it i literally just covered it okay can you see it um vpc peering and mike can i add more light to it please i think i just covered that yeah i'm just bringing it up because it's there i'm glad you are i want to make sure we address everything um not sure exactly what this one is in reference to all i see is the same vpc peering one it says is it similar to cisco's hub and spoke dmvpn but using evgp uh very similar um in fact what what he's actually referring to is cisco's got especially meraki they basically have this you know auto create your vpn basically create a vpn you've got your host to connect to your vpn concentrator or your firewall and what happens is that adds routes and establishes the connection and it puts you into bgp so the rest of the network actually knows your ip address cloud hub hub and 
spoke is like the cisco one here's the thing the cisco one is designed for remote access employees this cisco one uses ipsec encryption over the public internet this cisco one is entirely secure extremely robust and gives you much more control of the routing so the cisco solution gives you much much much more control much more routing much more filtering and that's the thing which we can't we don't really talk about a lot of times when we're talking about these certification courses when it comes to security if it matters chances are you're going to go to the marketplace and get something from cisco or palo alto or fortinet or checkpoint because you're really going to need enterprise-grade security which often is going to be much more than wi-fi shielded the cloud native services the cloud native services are excellent but sometimes you need more and when you're dealing with you know fifty thousand a hundred thousand remote access employees you're not going to be using cloud hub you're gonna be using something much more serious and the dvd vpn that uses bgp ebgp with cisco is the perfect elegant example of how you deal with a large number of people coming in remotely exactly all right and are you looking at the stream yard window or the youtube window i'm looking at the youtube window that's why you're doing it and that's why i'm delayed on you um i haven't been able to uh oh wait i i found it um now i see the stream yard window hand of god security is used at the instance level and knuckles uses the subnet level exactly is basically you know look at everything um protecting the subnet but in an outgoing you have to do because there's no state because it's not keeping track of what's going on you have no choice if it kept track like a firewall you wouldn't have to worry about it and there you go ceo trials sg is stateful like a firewall now network acl is not like an access control list on a router exactly one of the things that's really cool about aws on the 
console is that when you're setting your security groups on the vpc in the management console with the security group you only have to add it once for incoming because it is stateful on the security group and it will reflect on outgoing as well just a little uh tidbit for you that is a really great perspective well i'd say hand of god a security group is you know that's more iam it's x grant access if access is granted security groups are basically if your packets meet a certain state certain source certain destination will allow in grant access is more of identity and access management which is who are you what are you allowed to do access granted or access denied and then tracking what you actually did we used to give it a much better name authentication authorization accounting authentication is who are you authorization was what are you allowed to do in accounting was what you did somewhere along the name of coming up with all these cool terms that are really complicated to understand we came up with this term identity and access management which again um is a fancy way of saying authenticate authorize account chris you can bring up the next one if there's more yo gush in ftp the data connection ports are open dynamically how can a nacco handle this well they aren't they're not so what has to happen is when you're dealing with ftp you're dealing with port 20 or port 21 and you only have to allow that it's the any source to any destination now the responding ports aren't really the issue because you're going to say source port 20 or 21 destination can be any address any port so you don't have to worry about those ephemeral ports that are coming in that are dynamic on the way out it always comes in at port 80 for www it always comes in a port 443 for ssh or i'm sorry ssl traffic now what goes out this the source port will be different but the destination port will be the same or in this case the source port the desk if you're coming into an ftp server you know 
the destination port i think it's port 2021 i'm drawing a blank right now i know it's one either port 20 or 21. so it'll be destination port 2021. now when it leaves the server the source address is going to be coming from that port 20 the destination address will be something a destination port will be something else which is dynamic so you don't have to worry about the destination only the source so we don't have a problem just enable it in both directions and you'll be good to go chris with any others yes there are just a second awesome actually while we're waiting for chris to bring some questions if you're enjoying this content please leave a like um please type cloud hired so we know that you're here paying attention while chris actually comes up with new questions okay there you go mike i have some cloud basics but i really want to be your student and i would like to talk to someone in your team first love to speak with you um give our office a call um i'm actually gonna put our office phone number um here i actually will have a phone to i will be holding the company phone today if you desire to speak with me all the executives from our companies we take turns sharing the phone but i will have this phone today and i will have this phone tomorrow so i just popped my phone number and the chat box we'd love to speak with you and yes uh jesse we're happy to have chris get technical let's face it chris is a little bit more technical that he'll let on chris is a heavy heavy heavy operations expert heavy with such extreme experience that when he came to learn cloud architecture from us i was like no you're working for me you're my new chief operating officer you're an expert in operations chris also went to this massively long data science bootcamp which he won't really talk about because he will tell you guy and chris is muting my mic yeah she's not wanting to say this because he's a shy guy but um jesse heck yes chris can get technical if he wants to he like me 
pretends that he doesn't know how you know how i advanced in architecture and when i was an engineer how does that work mike i don't know let me get you an engineer how does that work mike you know i don't know next thing i realized i'm wearing suits i'm now an architect and the engineers are teaching me how to do things that i already know how to do but you know you got to do what you need to to change your brand sometime mike can you please explain vpc endpoints again within an architecture killian absolutely here's the thing let's say that i wanted to connect to s3 s3 is an external service i have two ways that i can do this killian i can go out to the internet across the internet and back into amazon and into s3 that i could do that right so why would i not want to do that i'm going to go to the internet the internet that traffic is not guaranteed so i'm going to send my internet on the cloud i'm going to go pay to send my traffic to the internet and then it's going to come back in and i'm going to get bad performance an endpoint is basically a way to create a private line that uses the aws backbone to get your data from point a to point b so an endpoint is exclusively just a way to connect on the aws network so think of an end plan is basically as if they're going to create a fake wire for you across the network and route your traffic logically privately and securely on the aws network so you've got two options when you're dealing with connections you can basically buy a wire with something that's called a private line or a direct connection if you weren't using vpc endpoints and you wanted to connect two entities you could just buy a private line between them and it would work perfectly we've done it for the last 50 years outside of that for example you could go across the internet in like an ipsec encrypted tunnel but again internet bandwidth is not guaranteed or aws gives you the opportunity to connect directly over their network at something called an 
endpoint so an endpoint provides secure and high performance connections to an external service over the aws network if i i hope i answered your question if you desire more killing please feel free to ask again yogesh we already talked about it um comes in a certain point you only have to allow that port you allow that same port on the way out we've been dealing with routers forever we enable 20 import 2021 and or it's either 20 or 21. mw so with the network acl you must think of all possible traffic certain areas well you need to think about everything that you want to go in and everything that you don't want to be blocked you must must must be careful about what you went in and what you get blocked so the answer to that is yes but you're only doing permits as a rule so if it's a network acl and you know what's going on and all you need to do is permit to a web server permit to a file server commit to these things you already know the protocols and ports so anytime you're dealing with security you must know your workflows but guess what anytime you're designing an architecture you need to know your workflows you need to know all parts of architectures are looking at the business what are your what is your current state desired future state what problem you're solving will drive the technology the kind of challenge the company has determines what you need what applications need to talk to what applications that's part of your design um what people need to talk to about people which is part of your design which parts of the organization need access to which parts of the network and which parts of the information that's also part of your name who needs to access what what do administrators need to do versus non-administrators what do managers need to know what is the minimum level of access you can give someone to do their job that's what you need to know in the military it's called need to know if you don't need to know you're not giving that information in this 
world we call it the principle of least privilege i still call it need to know because it's logical and i understand what it is i'm a person of plain simple language i understand what it is what's this it's a water bottle very simply it's not a device to carry water and distribute water at a controlled pace through a proper spout i mean i could call it that if i wanted to but to me it's a water bottle so you know i feel like it's easier so part of architecture is understanding all parts of the business all parts of communication and all of the traffic flows between users so please please please always think of all possible traffic scenarios prior to doing anything because that's what we architects do wow that's perfect jesse a hydration load balancer and when we're dealing with cloud computing that's what we're seeing by the time we're done looking at things you don't even know what they are with all these culinary conventions so exactly a hydration load all balancer i'll put the next question vpc pairing can it be likened to vrf leaking well you know it's kind of interesting for those of you that are not familiar about 20 years ago we had an rfc 2547 which specified bgp vpns and what happened was in this cloud the organization would have an mpls um they would basically have like an ospf or isis um layer one network a flat network which would be the igp and then they would turn on rsvp which would enable us to determine if a path was there and then we would turn on you the label switching or tag switching and then we would overlay bgp and we would create a vpn and then what we ultimately did was created virtualized vpn instances into the router so the routers would take multiple customers and they would put them into vrf's and realistically speaking everything was logically separated all across the climate network so you can think of cloud computing as the same thing as vrfs and vgp vpns it was a cloud then and it's still a cloud now vpc peering or enabling two 
entities to communicate across your private network while being logically isolated and separated from each other is exactly like virtual routing and forwarding instances that were part of that bgp 2540 rfc 2547 vpn um about 1999 and 2000 when i did my cci exams yes absolutely and a lot of ways they're very similar although they have their differences alonzo why do we have to have all the ports out of the security group what do we have to attend 24 625 in the outbound of the security group well what we're doing is that that 10.0.0 that default is that that's going to be your avenue to come out of your subnet out of your vpc into the internet so the 10.24625 i wasn't sure if i saw that but what what he did what alonzo did was he basically since he wasn't thinking about exactly which port the traffic was going to come out of he enabled everything that would possibly pop up guarantee it would work i know what you did there i wasn't watching what you did okay and i was thinking well yeah that'll work okay you know that's that's where it goes right back to the knuckles and everyone making a mistake every now and again this is a perfect example so what happens when you're live why did he do it he wanted to be certain mario milan i know where you work you and i have grown up in the same networking world so good fine thank you mario i appreciate it nitro pen can a and a network acl log inbound outbound requests well sort of but on the router you've got better logging with regards to syslog what you do here in nitro pan is what you would do is you enable vpc flow logs and vpc flow logs are really cool they're just like cisco netflow where they can show you the source the destination and the protocol and the flow of your traffic they will show you which things get blocked by network acls it will show you which things get blocked with security groups it will give you really cool data and i got to tell you bpc flow logs are really cool to me because i'm an architect and as an 
architect specifically on the cloud infrastructure side i'm always thinking about the data that's traversing the system the infrastructure and you'll get great information from vpc flow logs you know lots of times you know i make a plain of saying you know where's these crazy names and part of it's for fun but part of that seriousness we need to know but vpc flow logs are really awesome it's like getting netflow in the cloud so the next question is born out of a conversation that was had because the slack community was brought up in the chat box okay so jay trail decided he was he was gonna ask this for the other people that didn't know what was going on hey mike how can i get again not asking for those in the chat that are not part of coke club architects yeah well we started getting questions about the slack community et cetera in the chat box okay so like like this one okay so the key is students that are on our program can join our private slack we are not like there's a there's a course provider that has a slack channel that invites everybody to slack and then as soon as somebody asks them a question about getting hired this person blocks their notifications so they don't have to hear from you we are not like that i've got lots of students that have made that complaint that is not us we have a very busy slack channel for our internal students our students come in and when our students come in they talk to each other and when our students talked and a lot of my people have complained about and experienced about it that's how we know so much about the situation um because we take in those people and we train them all day so our slack channel for example has hundreds of messages per day our students are turning in video assignments they're turning in you know interview practice things they're turning in architecture designs they're turning in career plans they're turning in resumes i am like the busiest person in the world literally grading and feet providing 
feedback on students' homework assignments. I think I spend two hours per day going through assignments, so our Slack channel is really big. We basically have a $25,000 cloud computing program that we offer for less than a thousand dollars; that Slack channel is included as part of it, and we also include live training, where we do live classes, live architectural training classes, twice per week, and we have a Slack channel. So that Slack channel is exclusively for our students. For example, if you'd still like access to information that is outside of our program, we do the best we can to provide as much free content as we can on LinkedIn. Chris, please, I'll post a link to our LinkedIn channel also. You know, I would say to you guys, we all need more tech. Training is so critical to everyone; our future completely, 100%, is with regards to you guys. People like me, for example, have been involved in technology for decades. We already know the job; we don't need training. We need to teach you guys to be the new generation of technology leaders. Every one of you has the ability to be a technology leader. Now, I can tell you personally, do you know why I do all this free training? I do all this free training for the following reason, and it's really important to me: I know what it takes to get hired, and I know what's out there isn't enough. In fact, you know, today I made a social media post. I'm going to share it with you guys if you guys want to look at it or comment on it. I made it on LinkedIn; I'm going to provide the link. You know, to me, it's really important that we all demand our course providers be experts in what they teach. A few weeks ago someone asked me to teach a four-hour CCIE program, and they offered me an amount of money that was just so high, and I was like, are you kidding? I could do this in 400 hours, but not four hours. So here's the thing: I really, really want you to demand from your cloud providers, tell them, if you've never worked in networking, don't make an
advanced networking course. You need to hear from experts. I don't talk about coding. Why? I'm not a coder. I teach what I know, and I think we should all demand our instructors teach what they know, because if I go to training I'm expected to learn something; I need to be better. Yeah, someone wanted me to do a four-hour CCIE training, and what's worse, they were a very prominent, very preeminent edtech company, one that everybody knows by name without even thinking about it. So the point is, I want you guys to be out there: ask for more, demand more. If we need more, I'll do as much free training as I can. Next month we're going to try and do a CCNA course for you guys; as for today, we'll do some free subnet training. So we'll give you as much as we can for free, but things like Slack, things like our interview training, things like our executive communication training, we've got to give our internal students a competitive advantage to be the best in the world, so they get hired every time they get interviewed. So that's really critical to us that we do that. So we give you guys as much as we can for free, but things like our Slack channel that are used for private and executive communication between our executives and our students and our instructors and our students, we have to keep that private. But we keep our training as affordable as possible so it's within a budget for anyone, anywhere in the world. Yeah, you just went into that; I'm going to post a link to the enrollment page while you answer the next question. Okay, great. I love answering questions and I love teaching; there's nothing more fun. It's a two-parter: are endpoints an additional pay-for connection service? Derrick, everything on the cloud is an additional charge. Everything on the cloud is an additional charge. Normally you pay for a network connection on the cloud: you pay for the network connection, you pay each day to have the connection, and then you actually pay to use the connection. So even though it's internal, you're still going to have
to pay for it, because you're technically going outside of your VPC. Oh, there's another one, but there's more; I'm getting to the section where you asked them to type 'cloud hired', so give me a second. Oh cool, I love to see interactivity, because that way I know people are alive and awake. Actually, if you're still here, type 'cloud hired', please; that way I know you're here. Come on. Bye. He is the king. Seriously, Chris is fantastic. Exactly, this is what you get when you do that; I get all the praise. Good. This company wouldn't be half of what we are without you helping us. Hey, thank you so much, I so appreciate your very nice, kind words. There we go, that's the person I was asking about. Look forward to working with you. I think when you're surrounded by really positive people in a great environment, this is where the magic happens. Jeez, all these 'cloud hireds'. Yeah, Chris, I asked them. I don't ask for anyone; we need to know people are here, because I don't want to bore people to death. I want to know they're here, I want them to be learning and having fun. We love this. I see MP, are you there? There you go, there you go. Alonzo, high praise, that's the highest praise right there. Wow, do you see that, Mike? Yeah, Mario, I think we can connect you to Alonzo when the time is right. Mario, you reach out to me, I'll make the connection happen for you; you're one of our students. We worked with Alonzo to make him such a great cloud architect; now he's so good we use him for everything. So yes, I can make sure that we can connect those two things for you, Mario. Just to let you all know, I've learned so much from Mike, so it's like, you know, if you want to go straight to the pitcher instead of pouring it into the cup, Mike is the one. So I think he is a phenomenal teacher, and you're going to learn so much, and if there's anything I can do to help support that, I'm definitely here for you, for everyone in the community. So thank you so much. There are
currently no more questions. Wow, okay. Well, so let's talk about what we're going to talk about tomorrow. So tomorrow, here's what we're going to do: we're going to talk about network performance optimizations, we'll go into groups, which are really fun, we're going to have a great time with DNS (we'll probably get a little deeper into DNS than I'd like to, but we'll probably do it because it's important), we're going to talk about load balancers, which are one of my favorite things, but we'll get into it much deeper: internal load balancers, external load balancers, literally all kinds of stuff. And we'll begin getting into security, and when we get into security, we're going to go a lot deeper than traditional, just-AWS security, because I want you guys to all know: did you know the cloud gets hacked every day, and 60 percent of all the hacks are related to misconfigured S3 buckets? So thank you for having me. I'm just trying to do the best I can to try and help as many people as possible along the way. When I left medicine and moved into tech it was hard, so I don't want anybody to have that struggle. So a couple of questions came in as soon as I said that there weren't any, so give me a second. Questions are good; people are hearing, they have questions, we'll answer them. Don't forget, everyone, tomorrow I'm bringing those recruiters, so if getting cloud hired is part of your goals, please be here. It's going to be awesome. If anyone was there for the last recruiter event, it was a very, very good opportunity to experience and see a lot of questions that people came out with, so don't miss this one. Yeah, there are some really great people, to let you know; it's ITXL. They will be taking your phone numbers, your resumes if you desire. They have placed more people that I've given them over the last two decades than I can count, and they're here for you too. So, can I give an example of both a NAT gateway and an internet gateway being used in the same VPC? Sure. Let's say
you wanted to connect your web servers. And if we can do something about the spam that's coming in from somebody called webcabschat.com, sorry, we don't want our students being subjected to that. We want to run a clean, classy operation and help our students; we don't need that. All right, here's what you might do, Rauhan Fernandez, because that is an exceptionally, exceptionally great question: can I give an example? So an organization might have some web servers, and for the web servers, basically the front end of the web servers, the load balancer, where they're at may need to be internet-viewable. So, for example, you would use an internet gateway to make sure your internal systems that are in your demilitarized zone have access to the internet. Now, by comparison, you don't want your internal systems reachable by the internet. So, because you don't want your internal systems reachable by the internet, what you could do is use a NAT gateway to enable your internal systems to go out and update their operating systems via patches, give users internet connectivity, but you don't want those users reachable. So in your VPC you could have a NAT gateway for your internal users to be able to go out, maybe update their operating system, and you could additionally have an internet gateway that's used for your web servers and things like that. I hope I answered your question there, Rohan. Chris, you can bring up the next one. Okay, here we go, here you go. Hi Alonzo, you created a virtual machine and an EBS volume and tried to attach the EBS to the VM, but a snapshot lifecycle policy was required; how can you do that? Well, you shouldn't have needed a snapshot lifecycle policy; that shouldn't have been relevant. What you should have only needed to do was just create that EBS and then you were able to attach it to that EC2, but I'm more than happy to go over some of the concepts with you at a later time if you'd like. Julie Anthony, you've
been a Unix admin for a long time. Fantastic; I've been playing with Linux and Unix for two and a half decades now. Now you want to go to solution architect: can you make the transition? Absolutely. So, Anthony, when I get questions like this, here's what I want to let you know. I went from medicine to lead architect within six months. I have worked with people, literally speaking, from customer service, from sales, to graphics, to anything, and it's easy to get them ready to be a cloud architect. Now, generally speaking, for me it takes eight months for someone that's got no tech background to get to the point where they're ready to be a cloud architect, and it takes me about 500 hours of training to do so, and it takes the architect themselves, you know, a good amount of studying, but they can do it with zero background, meaning somebody could have been selling cars last month and, eight months from now, with the right training and the right effort... now, the right training is 500 hours, and the right training is that student going and studying a lot every day, but that person can easily make the shift. People coming from a networking background: I know CCIEs like me that have gone straight to distinguished principal architect roles on the cloud with no background in the cloud at all other than networking expertise, because the cloud is not new for us; we've been working on clouds for 30 years. So there's that. Linux admins are great. With a Linux admin, you typically know something about security, you know about users and groups, you know about the kernel, which is essential, you typically have some concept, a little bit, of a routing table, not a lot but still some, you understand how to lock down systems, disabling unnecessary services, you understand IP connectivity to some degree. As the Linux admin, you're familiar with vi and all those other things that are associated, so you know a lot about computers. Now, you also understand how to write a basic shell
script, should you want to do some of those engineering things, but you really understand how it works. Now, to also let you know, all these clouds are built on Linux, all of them. In fact, every one of my students in the cloud architect development program builds their own cloud. What do they do? They install a bunch of Linux kernels, then they install the cloud control plane software, then they set up the data plane, the forwarding and everything else, they set up the storage. So these are the kind of things that we actually do. So yes, a Linux background is excellent. In fact, I have a person from Red Hat that's creating a Linux for cloud engineering program with me for that same reason, because it's a very good skill. I am not a Linux engineer, so I don't make it, but we're collaborating with someone that's worked for Red Hat for the last few years, someone that I coached, someone that had no tech background that I coached, that took a senior position at Red Hat, someone that took that position and worked at Red Hat for years. So he just left Red Hat and went to Redis, another great company, one of my students, and he said, Mike, how can I be part of bringing this to you? Because he's an OpenStack-Ansible cloud expert and a Linux expert, so he's like, hey, wait, let's make a Linux for cloud computing course together. So if he does what he's supposed to, we'll be filming it in two weeks. But, you know, it's hard to develop with external course providers, because they don't all work like 100 hours a week like I do. Do ephemeral ports need to be open for outbound? Generally not, but typically speaking you can just specify the things that you need. Fresh Essay, or even South Africa perchance: thank you for the great session, greetings from Johannesburg. Wonderful, so happy to hear from you. Abigail Marks: thank you Chris, Mike and Alonzo, you're the best teachers I've had in all my education, thank you so much, 100% sincere, so happy I found your channel last week. So happy to hear from you, Abigail,
and I look forward to speaking with you on Monday. Wise Geeps: hi chaps, can I use these free sessions to pass the AWS Associate? Absolutely. So let me give you some guidance on passing the Associate exam. First, this course will get you there. Secondly, we have a completely free AWS Certified Solution Architect Associate ebook. If you would like more certification training, I strongly recommend Andrew Brown's free training on YouTube and ExamPro. I've looked at every single course that's out there; almost every one of those courses made me decide to do free training. But certification training and employment training are two different things; we focus on employment training. I will tell you, Andrew Brown's got a very good AWS Certified Solution Architect Associate course. I encourage you to read our book, I encourage you to complete our course, I encourage you to look at Andrew Brown's, which is more certification oriented, and you will have the simplest time ever. Now, students tell me every day that they've used mine exclusively and just passed, but I am an over-preparer; I like to take in everything. So I will tell you this: our AWS Advanced Networking, for example, and our Certified Solution Architect Professional, and Andrew Brown's course, that'll give you all the certification materials you ever need. If you want a practice test, Review and Prep: their CEO, Haman Sharma, is a great guy. I have no financial connections with him whatsoever, but I know him well, I know his other partners in that business, and they work really hard, they deliver a good product, and they have a very good practice test for the Certified Solution Architect Associate. But yes, this is more than you need, but I've just given you a list of all the free resources that are out there: our ebook, our course. Yogesh, I have to look up what you mean by QUIC. I've been an architect for too many years; there are a million and one acronyms, so let me see if I can find this acronym, which is a multiplexed transport
over UDP. Okay, so it's a little different. This is not something that I've ever worked with in networking in any way, shape or form. Generally speaking, if I was going to try and create multiple connections and layers, I'd use something like Port Aggregation Protocol; I would do it on the routing side. I have not seen anybody use this protocol in my experience, so I don't really want to comment. It's not something that I typically use, so I can't answer that question. Okay, sometimes you get confused between an elastic IP and an internet gateway. Great question. So an elastic IP is a public IP address; an internet gateway is a router that connects to the internet. Now, when you connect to the internet, the router that connects to the internet will need an external IP address, or an elastic IP address. The way I remember what EIP is, I remember external IP address, because the word elastic doesn't mean anything to me unless you're talking about a rubber band. So, you know, elastic doesn't mean anything to me, so when I think of EIP I translate elastic IP address into external IP address, because that's what it really is, and then I always know what it is. So think of an EIP as an external IP address, except on the exam remember it's called elastic, because it's AWS: just slap elastic in front of everything and it's probably the right answer. And an internet gateway is a router that connects to the internet. So I hope I answered that question. Mike, when do I sleep? That is a really good question. Well, it's not as much as you would think, because I typically start my days off in India, by speaking to folks in India or Asia, and then after that I'm next speaking to really great folks in Nigeria, Cameroon, South Africa; that's typically next on my list. And then from there I'm in Central Europe and I'm in England, and then we hit New York City, so New York wakes up, the East Coast wakes up, and then next Texas wakes up, and then
after that California and Oregon wake up. So I get calls all day, every day, seven days a week. I don't know how I've done it, but it works this way. Nitro Pen, thank you so much; we want to do anything we can. And Jesse Murdoch's probably right, I don't get a lot of sleep. That's why I think it's safe to say, you know, yesterday we learned that Mike no longer reads three books a day, or three books a week, or whatever it was, and I'm pretty sure it's safe to say that Mike no longer sleeps either. I'm working on that; we've got to get that taken care of at some point. That's actually how I earn my paycheck, yeah, by making him stop. He's on an IV drip with coffee. Actually, seriously, Chris is so essential. Chris will say, Mike, stop. Like, what do you mean? I've got a little work to do. And he's like, no, no, no, if you don't stop now, and you don't sleep for one hour, how are you gonna be able to present and talk tomorrow? So Chris is really essential to my team. But I just hired two new people: I'm bringing in somebody from AWS, John Michine, someone that's a CCIE as well, and I'm really excited to be bringing them on, and I just hired a really young, really smart person that I plan on training, a couple of years from now, to be a key member of our team. So that's how I do it. So you have three years' experience as a Linux admin, great; how can you switch to AWS solution architect, roadmap? So let me give you a little piece of advice there. I don't recommend you become an AWS solution architect at all. I recommend you become a cloud architect, and I'll explain the difference. An AWS solution architect is someone that only knows AWS. Guess what? I recommend against this, and here's the reason. When it comes to driving a car, who would think that I'm going to learn Toyotas, and next week you're going to take another certification to learn to drive a Honda, and then the month after that you're going to take a certification to learn to drive a Chevy, and a month after that you
need special training to drive a BMW, and then a Mercedes. This is crazy. Learn how to be a cloud architect, learn how to drive, and you can work on any cloud, anywhere, anytime. So the first thing is, I recommend learning the cloud. Note, when we discussed things today, I had to keep it certification related, because we're online and it's public, but I kind of took away the certification terms. I kind of tried to get rid of words like elastic, I tried to call a virtual machine a virtual machine instead of an EC2 instance, I talked about object storage, block storage and file storage. So because of this I always stay neutral to the technology. So how do you become a cloud architect? Well, I'll give you the two ways. The easiest way is to take our cloud architect career development program. It's cost effective, it's a process: we take people in, we take people out, and they get hired. Our students all leave with a Certified Solution Architect Professional, which is a basic intro to cloud computing. Our students all have extreme cloud architect knowledge, communication skills, executive presence, emotional intelligence and the design skills to be great. Our students even build their own clouds from scratch; that's how we teach cloud computing, so our students know the cloud. So there's that. So we'll keep going; let me finish answering this, Chris, before we bring in the next one. So that's how we do it. If you're not with us, here is what you can do: you can read the Routing TCP/IP book from Bassam Halabi, you can read the two books from Jeff Doyle, Routing TCP/IP Volume 1 and Volume 2.
You can read the Stevens TCP/IP book; that will give you a basic intro to networking, and that's about 5,000 pages of reading, and it's about 200 bucks, but it will help you get there. We teach all of that in our program. The next thing after that, you need to learn server virtualization, so get VMware: for about a thousand pages you can learn virtualization. Next, containers, because that's the competing thing: go to VMware, go to Docker, go to Kubernetes, and in about a thousand pages you can learn containers. Next, firewalls: about a thousand pages of documentation from Cisco, about a thousand pages of documentation from Check Point, Palo Alto; that'll give you some networking, that'll give you some security firewall knowledge. Do the same thing for intrusion detection, intrusion prevention systems. Now learn Linux, Apache, MySQL, PHP. If you are not with us, get some Linux training. All of our students do a tremendous amount of labs on Linux, including building their own clouds, but you know what, if you're not with us, get some Linux training, then make sure you learn how to build the LAMP stack. And then after that, what you need to do is as follows: learn Active Directory as well as RADIUS services; you must know enterprise-wide IAM. Again, 1,000 pages of reading will take care of that. After that you need the cloud, so build yourself an OpenStack-Ansible cloud, build yourself a Nutanix cloud, build yourself an OpenStack-Ansible cloud and a Nutanix cloud and connect them to each other, build an OpenStack-Ansible cloud and connect it to AWS. We cloud architects work on multiple clouds all day, every day, so do that. Then set up server virtualization, build containers, build firewalls, VPN concentrators, do all the clouds. If you're not with me, you need a 16-core Xeon server with 128 gigs of RAM and three SSD drives in RAID 0 for these things. When you've done that, you've got to remember: architect jobs are not just tech jobs; they are fifty percent tech and they are fifty percent leadership. If you're with
us as part of our program, it is covered. If you're not with us, don't worry, you can take a Speakeasy class for three days; they call it Talk So People Listen. It's an intro to speeches; we go much deeper, but for about two thousand dollars you can take that. If you are not with us, get some emotional intelligence training. Emotional intelligence training on average raises your salary thirty thousand dollars a year, so over the 30-year career that's a million dollars of extra earnings. Why is emotional intelligence so important? It's the difference between getting hired and not getting hired. When you lack experience, emotional intelligence is going to be critical. In the role of an architect, you're going to meet with a CEO and a CIO, and they've already spent three billion dollars on technology and it's not working; you're gonna have to be really emotionally intelligent to work through that with them. You're gonna have to learn executive communication skills: take a CXO relevancy training if you're not part of us. These are the skills. We are business executives, we are business leaders that are married, hybrid technology professionals; that's the skill. So learn how to present, learn how to write. As an architect you will be spending percent of your time presenting, writing and selling, and fifty percent of your time designing. You will not be configuring, you will not be coding. All design: design, present, design, present, design, present, document, design, document, document, present, present, present, design. That is the job; that is the skill set. I'd be happy to get you there if you wanted to work with us; if not, I've told you exactly what you can do on your own. We're much cheaper, but in either case you can get there. Any others, Chris? What is an API? An application programming interface is a way that you can actually connect to something. So with an API you can push new configurations to the routers, you can modify configurations, for example; you can do that. So these are the kind of things
that you can do via an API. Any others, Chris? I know at some point we're gonna... I'm looking for questions related to the content, giving them priority, so give me just a second. Did you see Hand of God's response? As I was... actually, I was starting to type a response saying that I am from Philadelphia. No, I consider myself to be Greek and speak Greek at home, and let's just say, you know, being Greek is a big part of my life, but other than that, no. I'm gonna roll all of these questions into one, because I know how you're gonna answer it. You mean you know I'm gonna give a very detailed answer. Thank you. And they're all about the same thing. Okay, good, you brought it into one. So, okay, we're gonna start with... so let me read them all off. I am looking to enroll for the course; can all the training go on simultaneously? Yes, we've got lots of students that are taking a course. What do you think of a cloud architect job description that requires cloud engineer experience or DevOps experience? What is the difference between Cloud Practitioner and cloud admin? I have a Practitioner's certificate, and then I've got two others to roll together after that. Okay, well, I will say the Cloud Practitioner is just a certification from AWS. The Cloud Practitioner was designed for salespeople to know enough to sell AWS services, not designed for technology professionals. Then, thoughts on cloud architect jobs that require engineering or DevOps experience? You really have to do this; so, like, we'll have the recruiters talk tomorrow. So what happens is, when you see HR make a job description, what HR does is... I'll give you the real secrets, the dirty little secrets of companies, because I've been at the elite levels of all of them. A low-performance company like a cable company has 3,000 applications for a single job, and I don't think anybody out there would say my cable
company is the most pleasant people to deal with, best customer service, best performance, best experience. They get three thousand applications for a single job. Now, a good company gets more than five thousand applications for a single job. So what HR does is they create these absolutely stupid job descriptions that include Olympic gold medals, 30 years of Kubernetes experience even though Kubernetes is only a couple of years old, experience as a cloud engineer, experience doing DevOps. And then here's what happens, because I spent lots of years, I've done 5,000 interviews in my career, so I've seen it: HR then sends you these people. They've got DevOps experience, great. They've got engineer experience, great. And when you ask them how to design something, they don't know. When you ask them how something works, they don't know. They've got great coding skills, but they don't know; we can't hire this. So what I do is I don't deal with HR. When my students deal with HR, what I recommend doing is as follows: reaching out to somebody in that company if you know them, reaching out to people that work there, and saying, hey, wait, this is the cloud architect job, what do you do? I can call 10 friends at Amazon and say, hey, you're an architect, what are you doing? They can say design, present and sell. And I'd say, do you configure? Of course not. Do you code? Of course not. What do you know of DevOps? Well, it's automation; we've got these people that do that. So there are some non-architect jobs that are engineering jobs, that don't pay like architect jobs, that pay like engineering jobs, that they call architect. I had one of them 30 years ago. I had worked for a South African company for about a week; the management was a little arrogant, I didn't enjoy working with them, so I just disappeared. I had two job offers at the time, and they made me a consulting systems architect, and I said, what's a consulting systems architect? And they said, a consulting systems engineer, but we want to give you a little better salary and we want it to
sound cool. And I said, so what am I going to be? They said, the systems engineer. Then why the name architect? They said, it sounds cool. So they said, do you know how much more we can bill out your services for as an architect than an engineer? I said, what? So they said, it's all about perception. So I left that company three days later; I literally walked out the back door. That company was a very good company; they were one of the largest gold partners for one of the biggest networking companies in the world, and they just got bought by one of the largest telcos in the world. But, you know, that wasn't me. If I'm an architect, I'm going to do architecture; if I'm an engineer, I'm going to do engineering. So the key is, real architecture jobs, people don't do this. Now, they may say experience, and if you can actually call someone in that company, you're probably going to find out they don't actually want anything. What people do want is they would like to know that you are familiar with the DevOps pipeline, what it is. So you should know the CI/CD process, you should know what a blue-green deployment is and how they work, but that's all you need to know. So typically speaking, that's why we use recruiters, because they'll call the hiring manager and say, hey, what do you really want in an architect? They're going to say a systems designer. And we're going to say, in the job description it says DevOps. They're going to be, oh, I don't need that; HR put that thing there. I only need this: I need someone that has expertise in network design, with expertise in cloud security. Really, that's what's going on; they're looking for specific areas of expertise. So don't worry about what's in the job description, worry about what the hiring manager wants, and that's why we have 250 recruiters that we use to ask the hiring manager exactly what they want, so we can send our students to the hiring manager and skip HR. I never had what was desired in the job description for any of the five jobs I've had in my career;
never mind, I went straight to the hiring manager. Oracle Cloud is offering free training until December third; what are my thoughts? Well, here's what I think: in general, education is a good thing, so I'll never say don't do training. Now, Oracle is offering the training themselves, so it's by Oracle, so I promise you it's going to be far better than anything you can find on Udemy, because it's going to be done by Oracle. So there's that. Oracle Cloud I see growing a little bit, but again, I'm about learn the cloud and then be able to use it anywhere. So the question, Nitro Pan, is where is the best use of your time? So the average cloud architect earns $600 a day on average; a good one earns more than double that. So knowing that, where do you want to spend your time? If you could spend your time learning Oracle, that's one way. If instead you could be spending your time learning architecture, executive presence, communication skills and how to be a great architect, versus somebody else's cloud, the name of the service and how to configure it, it will probably help you be better at it than a career. So somebody recently said, Mike, I'm a Certified Solution Architect Professional and a CCIE; do you think a master's degree in technology would help me? And I said, where's your current salary, where you're at? And I said no. I said, but an MBA would, I said business acumen training would, executive presence training would. The master's degree in tech can take you from 180 to 190.
i said but in mba business acumen communication skills emotional intelligence that compresses to get you 350 a year i said where do you want to maximize it where do you want your career to be so for me i would ask you where do you desire to be what job do you desire be if your job is desired to be an architect if you don't have business acumen if you don't have emotional intelligence executive presence and know what a ceo cares about a cfo cares about a cio cares about if you don't understand the network in the data center that's the job i'd invest my time in networking data centers in the finances if you have a big background in those things let's say you're an mba let's say for example you're a network architect let's say you know all about networking and data centers and security and cloud and you want to pick up the oracle thing and it's free i strongly encourage you to do that so i think you need to look up where you're at and where you want to be if your goal is just to be an architect which is a great goal it's what i've done for years decades and i love it being an architect i'd study architecture and all the things that go along with business leadership skills if i wanted to just work on oracle or i was already an expert architect and i wanted to pick up the oracle then i would do the oracle so i hope i answered your question in a matter that makes sense for you that's it okay that's it that's all the questions i'm allowed to answer no that's it you did it i did it i answered everybody's questions so everybody tomorrow morning 9 00 am itxl and you can ask them those any questions you want about stupid job descriptions and and things like that you can ask them any one of those questions the question is a master's degree in cloud management i will answer that question personally when we speak but i will tell you this if you know what you're doing an mba will yield three times the results of a master's degree in technology but if you just love starting 
technology and all you want to do is deep engineering well then the masters in technology could be good absolutely and uh nitropan asked uh you still need certifications right you still need certifications here's the thing with certifications the certifications signal the hiring manager that they should interview you which is great but they don't signify that you're capable so here's what's going to happen in an interview i'm going to give you the honest dirty little secrets if you go on an interview and when you go on the interview and they interviewed you they believed that you could do the job based upon what's on your resume if you do well on the interview you will get hard if you don't do on the interview the hiring manager has two choices you're terrible you don't know anything you can't communicate and i don't like you that's option one for the hiring manager option two for the hiring managers it was so nice to see you today i really like you come back when you have some experience now which sounds better you stink or i need more experience now i'm exaggerating the concept just slightly but it's kind of true so don't let anybody tell you that you can't be something people interview people without experience all the time all the time so be great at what you do excellent what to do be a specialist and you will get hired every time we're getting cut off so 9 a.m eastern time is 2 p.m uk time which makes it 3 p.m central european time for the time zones there what about togaf i think togaf is an excellent architecture certification i would say a certified solution architect professional maybe something from networking and a toe gap looks really really great um excellent question ned and there so yes jessie murdock 9 a.m but eastern is 6 a.m pacific good point amica are there any limitations for a university dropout in the cloud architect careers absolutely you can do anything you want the secret in tech no one cares your education they care about your capability 
and your competency so you can be there no problem you need to be great great great at what you do to be a cloud architect you will need several certifications but it's not the certifications it's the knowledge the certifications that typically mean are you need one from a cloud provider typically speaking you need a certified solution architect professional an azure expert or a google professional cloud architect one of the three and that's it the rest of your training should be in networking and data centers because that's the cloud or whatever specialty so if you want to be a cloud security architect get that azure expert and a cissp you want to be a cloud network architect get a ccnp as well as a certified solution architect professional it's about building a brand of expertise that's what we're trying to do any other questions for me nope not yet okay well my ceo's internet is going to get cut off at 4 pm due to maintenance which is in a few minutes i've got a big day lots of phone calls to return from people i've spoken to um well i got to tell you i can really appreciate this um i can i can i can appreciate things coming in from arabic things coming in from greece i really love this as well as hebrew as well um i'm equally happy with several of those languages hand to god um really really really appreciate that um as jesse has said and for the last few what about aviatrix avatrix multi-cloud professional is excellent because we're dealing with multi-clouds how do i showcase knowledge in the cv um that's something we do all the time with our students um maybe one day i'll make a youtube video on that oh wow um fantastic from cameroon from manchester i guess to close if you can all type the country that you're actually in i always love to see i see some cameroonians i see some greek people like me um i've seen lots of people that i know spread all over africa which i think is unbelievable and it makes me super happy um i also see a lot of people in india i 
know there's some people in australia that have been on this call by name so super excited uruguay wow fantastic carlos we'll be back tomorrow at 9 00 a.m but let us know where you're coming from because i always love to know kenya fantastic uk india wonderful uk toronto love this poland welcome it's great that's nice brazil um fantastic alada or greece uh spain delhi moore in kenya cameroonian in belgium fantastic tyrone's in cape town south africa mario's in bethesda maryland one day i'm going to ask you where you're actually from mario when we have a chance to speak um vanessa's in bangalore america's in toronto fantastic this is just how wonderful to get so many wonderful people raleigh north carolina cameroon and uk mexico bulgaria wow very fantastic and also in scotland wow i love this nigeria um thank you so much i wish you all you know happy i wish you a happy life as well so much sofa evo's in bulgaria but now denmark i'm loving this um washington haiti wow look at that look at that international group um i'm actually not sure whether that is adult please let me where that is because that's a country that i'm not familiar with and i now need to know but at least mario now i know i picked up a little bit of hint of french in your accent so um adult that is really cool i'd love to know where that is i'm going to be looking it up tonight so thank you so much so thank you all super super happy to have you here let us know anything we oh a state it's a state in india thank you so much you might you might um thank you all so much for being here please come see the recruiters in the morning chris will send out an email please please please join us tomorrow we're probably going to go through saturday i want you guys to have the best certification experience in the world and we're doing it all for free thank you so much please like and share if you're not a member um please subscribe please smack that like button and tell others to watch our training take care 
everyone thank you so much bye see you later
Info
Channel: Go Cloud Architects
Views: 10,179
Keywords: aws certified solutions architect associate 2022, aws solution architect certification, aws solution architect interview questions, aws full course tutorial, free aws certification training, aws certification course online, aws certification course free, free aws course, cloud architect career, aws career tips, cloud architect training, cloud computing architect, cloud architect, go cloud architects, saa-c02, aws cloud computing full course, cloud computing complete course
Id: RPmEEEdyWKU
Length: 234min 48sec (14088 seconds)
Published: Thu Oct 07 2021