AWS Certified Solutions Architect Associate 2022 (Full Free AWS course!)

Captions
Welcome back, everyone. This is Michael Gibbs. I'm the founder and CEO of Go Cloud Architects, and today is day four of our free AWS Certified Solutions Architect Associate 2022 boot camp. In this boot camp we're going to cover the AWS Certified Solutions Architect Associate, and realistically speaking, this is a free AWS certification training course. It's a full free AWS course, and it's designed to help you in your cloud architect career. We will give you AWS career tips, but realistically speaking, everything we're doing is about helping you get cloud hired. Again, I'm going to be here with my good friend and fantastic cloud architect Alonzo Coleman, and any labs that we do today will be via Alonzo Coleman. Alonzo Coleman is a great cloud architect, but he also has a pretty good cloud engineer skill set, and that's why he's going to be configuring these things for us, because we architects, as a rule, don't configure, but we definitely do our job in design. So realistically speaking, this is an AWS full course tutorial, and we're really excited to have so many people participate.

This is day four of the process, so today we're going to be talking about AWS network performance optimizations, and it's something that's going to be near and dear to my heart. We will also cover things from the internet protocol realm, such as DNS, and we're going to do everything we can to help you in your cloud computing career. This is day four. I'll make sure that in the description below all of these videos we have the playback links for the AWS Certified Solutions Architect Associate 2022 course, day one, day two, day three and day four. So I want to make sure that you're all here. Realistically speaking, we'll kick off the content in about one minute. All that I can tell you is, typically speaking, we come online and it takes about four to six minutes for YouTube to realistically inform everyone to come here, so bear with us for two or three minutes.

If you did not have the opportunity this morning, I had Christina Marinaro, the CEO of IT Excel, that's a recruiting firm I've worked with for 20 years now. For 20 years they've been helping my students get cloud architect jobs, network architect jobs, network engineer jobs, cloud engineer jobs, blockchain jobs, systems admin jobs and every possible job you can think of. So if you did not see the interview this morning with Christina Marinaro, I strongly, strongly suggest that you actually watch it. Let me give you guys some information on some of the cool stuff we're going to do next week. Next week, on Friday, we're going to be bringing in my good friend Praveen. Praveen is a big data architect and a cloud architect. He's now a working cloud architect; he was my student, but he's been working in big data for decades, so he's the expert when it comes to creation of data lakes, working with data, gleaning data so that businesses can make much, much, much better decisions.

So if you're here and you're ready to go, hit the like button, put hashtag cloud hired in the window, and we're going to have a really great time working on this AWS Solutions Architect certification in our free AWS certification training. So let's go, let's have some fun, let's talk about some AWS network optimizations. I'm super happy to be here with you. Have anything to kick off the conversation, Alonzo?

Well, as always, I'm always glad to see everyone from all corners of the earth coming here within our community to learn something, really learn some really cool stuff, and just cooperatively support one another at GCA. So let's go, let's enjoy this, let's get going, let's enjoy it.

And if you're having a great time, please make sure you subscribe, please tell others about this free AWS training we're doing, and let's do everything we can to get you cloud hired. Now we're going to talk about some network performance optimizations, or at least what AWS calls network performance optimizations. So we're going to begin, and in this section we're going to talk about a few things. Most of this is not networking, but AWS calls it network performance optimizations. Networking, to network architects like me, is as follows: routers, switches, cabling and all the associated protocols that work in these environments. But some people loosely group a lot of non-networking things like load balancers into the conversation, so we're going to be doing this. So let's have some fun.

What we're going to talk about in this optimizing performance and networking section is the following: placement groups; single root I/O virtualization, otherwise known as PCI passthrough, and I'll show you what that really is, it's not so complex; we'll talk about the Elastic Fabric Adapter; we will talk about DNS and the AWS-branded version of DNS, which is Route 53; and we will talk about load balancers and load balancer technology, and then of course we'll talk about the AWS-branded load balancers. But we will always cover the tech first, because I want to teach you how to drive a car, not give you a certification for how to drive a Honda and then force you to go back and learn how to drive a Toyota for another training class. I want you to be able to work on any cloud anywhere, anytime, so we're going to always look at these things from an industry perspective as well.

The first thing that we're going to talk about with regards to actually improving your performance is something called placement groups. So I want you to think about this: when we're dealing with networking, there's always going to be a time that it takes to go from point A to point B. That's called latency. There are applications that are very, very latency sensitive. I've worked with financial applications where one nanosecond can be the difference of hundreds of millions of dollars per year in terms of profitability. One nanosecond, just that, can enable a bank that's using an algorithmic trading system to process a trade faster than the rest of the market at a lower price. So when we're talking about high performance computing, we are talking about high performance applications, and reducing latency is essential.

So in some cases your requirements for latency are so low you can't put them on the cloud. In other cases, because it's too far away, you can use the Local Zones that we talked about, because they're closer to you. In some cases you can put your applications on the cloud and do things like placement groups, which is what we're going to talk about now. So placement groups are how you group your servers. That's it. So if you put your servers closer to each other, guess what, there's going to be less latency. If your servers are farther away from each other, there'll be more latency. But there are trade-offs associated with each thing. Often when you're dealing with high performance computing clusters, everything has to be really close to each other. So now understand that we'll talk about it in terms of placement groups: placement groups are really about getting your stuff closer together to reduce the latency in between things.

So let's talk a little bit more about the first kind of placement group. If you need to reduce your latency in the cloud, and you need your servers to be a part of this low latency, high performance computing cluster, this is the fastest: a clustered placement group. Here is what a clustered placement group is: you take all your assets and you group them together closely. Now typically speaking, when you're using a cluster placement group, all your servers are going to be in the same rack, and in many cases in the same physical server. So think of this: if you have a 128 core server with four terabytes of DRAM, and it's your server, and you put four virtual machines in the same server, look at what the networking is. It's not even leaving the server, literally speaking, and the virtual machines will go straight from machine to machine in the same server. It is really fast. Now by comparison, think about spreading your servers over 10,000 miles: lots of
latency. So a clustered placement group is when you put everything on the same rack, and often in the same server. Now think about this: everything is now in the same rack, next to each other. So here's what it's going to look like architecturally: all your stuff, all your servers, are all going to be in the same rack. So same rack means same switch, which means same power supply, which means if the power supply, or the power distribution unit that the servers in the rack are plugged into, goes down, poof, your systems are down. If they're all in one server and the server goes down, all your systems are down. So if the switch that everybody's plugged into or the power goes down, it's down. So clustered placement groups: high performance, no redundancy. So if you're going to use something like a clustered placement group, use two of them, one in one availability zone and another in another availability zone. When it comes to high availability, one is none, two is one, and three is greater than two. If you were going to survive in the wilderness, don't bring one flashlight, bring two, and guess what, if you have the opportunity, bring three, so that way you know you're going to be solid.

Now, if clustered placement groups is putting all your stuff in the same rack, guess what happens, how could you do a little better? Maybe, just maybe, instead of being in the same rack, you could put all your things in the same data center. Maybe they're 50 feet apart from each other on different racks, with different switches, with different power supplies. Now let's think about this: huge boost in terms of availability, because it's now not on one server or one set of racks or one set of switches. Huge improvement. But if anything happens to that data center or availability zone, you're down and you're out. So think about it this way: partition placement groups give you the opportunity to spread your load across a data center, and remember, we're dealing with high-speed connections, we're dealing with fiber optic connections or copper connections. The speed of light is 186,000 miles per second; the amount of latency to cross a data center is in the nanoseconds, provided your gear is good. So again, this is still fine.

Remember, keeping it in your data center, not on the cloud, will reduce latency by milliseconds as a rule. So, you know, what we're talking about here is to save nanoseconds; you can save milliseconds by running a hybrid cloud and keeping your things in the data center. So we're always talking about performance optimization. The goal of some of these optimizations is to get the cloud to give you the performance of the data center, things that you could do with the data center. But remember, the cloud is a virtual data center, and anytime you virtualize, you reduce performance. So the cloud performs not as well as a properly, best designed data center, but it is so agile that it is worth it. The cloud is the greatest thing to happen to us, but when we're in the cloud, what we have to do is often think: how do we work around the cloud, how do we architect the cloud solution to be good enough to meet the kind of performance that we were able to give our clients in the data center? Remember, Amazon's running their cloud in their own data center. They have access to the most performance; they resell capacity to us, which is great. Azure does it, Google does it, Palo Alto does it. The cloud is great, but remember, you've got long cable connections, so it changes things.

So, clustered placement group: everybody's in the same rack. Partition placement group: everybody's in the same data center, across racks, so much more redundancy. Here's what we're talking about with regards to a partition placement group: spread across racks in the same data center. So I hope that kind of makes that obvious to you.

Now the next option, and this is going to have some pretty, pretty, pretty significant impact, is something called a spread placement group. What is a spread placement group? Basically, you spread your stuff across hardware, racks and even availability zones, so much, much, much more availability, but also much higher latency. So you have to look at this as what is in the best interest of the customer. In most cases a clustered placement group is going to be too risky unless you run two. A spread placement group will have lower performance, but it has higher availability, so it may be a good thing. Here is what a spread placement group looks like: you're across racks and across availability zones, so relatively good performance, because you know most availability zones are close to each other, and at the same time you've spread the load, much, much, much more redundancy.

Now we're going to talk about some networking improvements, and we're going to use some industry jargon and then we're going to explain what it actually is. So the next thing is what AWS calls enhanced networking. VMware uses the term single root I/O virtualization. I don't know who makes up these terms. Here's what single root I/O virtualization is: you take a physical network card, you know, like the kind that's plugged into the server, and you pass it through into your virtual machine. So normally speaking, with virtualization, you've got your server, you've got a hypervisor, and the hypervisor creates, you know, virtual network cards and virtual CPUs and virtual memory and virtual hard drives carved out of your physical server equipment, and that's, you know, virtualization. So virtualization uses software-based network cards, software-based video cards, and here's the thing: things done in software are slow, things done in hardware are fast. So if you had a virtual machine, and if you've ever set up a virtual machine with a type 2 hypervisor, like something like VMware Workstation or Oracle's VirtualBox, on your computer, you know that in the virtual machine the graphics performance is terrible. Why is it terrible? It's terrible for the reason that it is a software-based video card, not a real video card. So we're talking about the same thing. If you had to do machine learning in a virtual machine, like a GPU optimized instance, what they do is they basically take the video card, which is PCIe based, and they push that PCI card directly into the virtual machine, and that gives the virtual machine access to a hardware based video card. So it's the same thing.

So what we're doing is we're calling it PCI passthrough. What is PCI passthrough? It is when you take a physical network card and you make it available to the virtual machine. If you make a physical disk available to the virtual machine, or a physical video card available to the virtual machine, it is the same technology. It's called PCI passthrough: you're passing a physical PCI card into the virtual machine. So AWS enhanced networking is nothing more than PCIe passthrough, where you actually take, like, a 10 gig or 100 gig physical network card and you enable it to be working within the virtual machine. That's it. Single root I/O virtualization: just a hardware card in your thing. You want to know what a GPU optimized instance is? Same thing, a GPU pushed into a virtual machine.

Now AWS has another higher performance networking card. So right now we're talking about high performance physical cards with the single root I/O virtualization, but in this case we're actually talking about another software card. So AWS has come up with a virtual network adapter that's got a really good driver behind it. So what happens, for those of you that don't know, you've got a driver, which sits in between the CPU itself and the operating system, and it tells the operating system how to use that physical device. So AWS has created a really nice network adapter that theoretically has been designed for speeds of upwards of 400 gigabits per second. That's right, you heard me, 400 gigabits per second. It's not able to do that right now, but that's what the card driver is supposed to be able to do. So when you need high performance networking, you can enable single root I/O virtualization, or PCI
passthrough, by another name, or you can use the Elastic Fabric Adapter, which is a specialty high performance network adapter and driver, to give you good networking performance.

Now we're going to get into DNS next, and DNS is kind of a heavy topic. I am not Mr. DNS, but I've worked with DNS a lot. We're going to get into some pretty good depth with regards to DNS. We're going to put our geek hats on with the multiple propellers, and we're going to have fun with it as we go along. So I think we're going to stop real quick and answer some questions for the next few minutes prior to moving on to DNS and load balancers. So let's talk a little bit, let's go through the questions, let's see what we've got. Chris, if you'd like to bring up some of the questions so far; I can't seem to see this.

Okay, the first question: what are the use cases in the real world to use placement groups? I mean, when do you use it? Great question, Chintan. When are you really dealing with these things? There are times people run certain Hadoop clusters that need to be relatively low latency, although they typically work well in the cloud. It's typically these financial applications that are super low latency, and I'll give you an example of a programmed algorithmic trading platform. So when I first worked with this, it was about 20 years ago with one of the largest market makers on the NASDAQ, and what would happen is they had built a black box trading system. Now they're everywhere. And what would happen is the black box trading system had a history of various news, what happened on certain dates throughout history. It would have various knowledge of, you know, what would happen if an earthquake would occur, what would happen, for example, if there was good financial news, what would happen if somebody released earnings, and then these black box trading systems would buy or sell large blocks of stocks based upon news feeds or financial feeds, what's going on with the industries, based upon an algorithm.

Now, when you're purchasing stocks for institutional investment, if you go buy a block of a million shares of Cisco, when you try and buy the block of a million shares in Cisco, what happens? You're bidding in an auction and it raises the price. Now once you go to buy a million shares of, say, Cisco, for example (I just made up Cisco because I worked there and loved the company for many years; I don't work there now), so let's say you're going to do that. Everybody else is going to see that you're buying, and they're going to say, wow, this big bank is buying a million shares, what do they know that I don't know? So they all start buying, buying, buying, buying, buying, and what happens? If the stock was 50, by the time everybody starts buying it's 52, 53, 54, 55, and if you're gonna go buy a million shares of something, five dollars is five million dollars. And organizations like these banks will do a million shares 30, 40, 50, 60, 80 times a day. They'll go through this with stocks; they may be smaller numbers, but they're buying, selling, buying, selling, buying and selling constantly. In these algorithmic systems, what they'll do is, if they can buy it one nanosecond faster than the rest, they can buy cheaper than the competition. So you buy a stock one nanosecond faster than the competition for three percent less, you let the competition then bid it up five percent, and then you sell it. So realistically speaking, these organizations are making five percent in seconds off of somebody else's money. So when you're dealing with these kinds of low latency applications, the faster you can process a trade, the greater the competitive advantage. So there are a lot of industries where being first to market and making the first decision on an algorithm can mean billions of dollars a year in terms of additional profitability. So that's an example: high performance systems that are doing algorithmic trading in the finance world. It's not most places, but it definitely exists there.

Chris, if you want to bring up the next question. Faisal: can you please talk a little bit more about virtualization and how it works? You know, absolutely. Bear with me a second; let me see if I can pull up a slide to try and explain it to you, and other than that, what I will actually do, if I can't find a slide, I will just verbally do it. But let me see if I can get a slide that will make it a little easier for you to see. I think I have a slide presentation for this. I can also share the link to the video if you'd like. Share the link to the video, and then I will basically go answer this question, because I think it's a great question. But please share the link of the video on virtualization and containers. Great, Chris, thank you. So let me go back to this slide here. I'm going to get it here, and then let me paste this slide in, because I think it's a great question. So let me go share my screen to answer your question, sir.

So what is virtualization? Virtualization is as follows. You take a physical server, and why am I covering this in depth? Because virtualization is the enabling and driving factor of cloud computing. All your computing on the cloud will either be in a container or on a virtual machine. So here's what we're talking about. You take your server, which is physical hardware, and there's a layer of stuff that you put on it; it's called a hypervisor. So what happens: let's say you've got this server, it's got 128 cores and 40 terabytes of DRAM. You then install a hypervisor. What the hypervisor does is it enables you to chop that physical server into multiple logical servers. So the hypervisor is a memory manager, it is a CPU manager. So what happens is you take this server, and on your server you install the hypervisor, and then after you install the hypervisor you create your virtual machines. Now on each virtual machine you specify your CPU, your memory, your hard drive space. Then you launch the virtual machine like any other virtual machine; you install an operating system on it like Windows or Linux, and you install your application.

So virtualization, which was really the foundations and the fundamentals of computing: we started using it about 30 years ago in networking. Today's virtualization has roots actually in IBM about 50 years ago, and then 30, with the mainframe they had some virtualization, and then after the mainframe virtualization we had switch virtualization and VLAN virtualization about 30 years ago, and then we had private VLANs, which was the equivalent of a container. But what we're talking about here is a physical machine on which a hypervisor has been installed, in which case you create multiple servers on a single server. And while we're at it, even though this isn't really part of the curriculum, it's necessary for you to get cloud hired, so we'll talk about containers and we'll talk about virtual machines. So now we're going to have a container. So let's go right back to this real quick here. In a virtual machine you've got your server, your hypervisor, and note you have multiple virtual machines, each with their own operating system. Now because each virtual machine has its own operating system, the operating system takes a lot of space. It may take 20 gigs; it may take four gigs of RAM just to run the operating system. So virtualization is the foundation of cloud computing. All your EC2 instances, Azure virtual machines, Google and Google Compute Engine, are all virtual machines following this philosophy.

Now there is a newer technology for virtualization, and this is called containers. Again, containers are not new. We had a concept in networking 20 years ago called private VLANs, where you would have two users in the VLAN and basically they couldn't communicate with each other. Well, this is the same thing with a container; it's much more lightweight. We still have our server, just like before, the same physical server, but here, say, we install Linux or a host OS, then we install a container engine like Docker or Kubernetes. From here we make these
little lightweight isolated things that are basically the app and the libraries that are necessarily needed. So while with a virtual machine you've got your users, you've got the hypervisor, and you've got separate machines that all have the same or different operating systems, when you're dealing with a container you're dealing with the server, the server's OS, the container engine, and then you've got these little mini logically isolated applications, all in their own containers. The containers are logically isolated, so theoretically, if container one crashes, it should not affect container two or container three. That's how these work. So virtualization gives you the most security, because everything is completely isolated, but it takes the most overhead. By comparison, containers, which are a lighter weight form of a virtual machine: each container leverages the operating system of the host. So if you can put 20 virtual machines on a 128 core server with, say, 4 terabytes of RAM, you might be able to put 200 containers on that same server. So containers are a lightweight approach to virtualize your applications and take your applications from point A to point B. So I hope I answered your questions there with regards to what is virtualization. The hypervisor is basically like a Linux kernel and a little bit of software; that's the best way I could describe it. So are there any other questions, Chris, before we move on? I want to make sure we answer everybody's questions and we give everybody a great experience. Any more questions?

Okay, Srinivas: hello sir, what is a GPU, what is the use of this? Great question, Srinivas. A GPU, or a graphics processing unit, or a video card, is a card that's been optimized for graphics. Now graphics processing is often used by consumers with regards to video games, but graphics processors are really powerful. You could be dealing with like 20 teraflops of performance on a GPU, so what a lot of organizations are now investing in is GPU computing. Instead of doing your computing on the central processing unit, you do your computing on the graphics processing unit. CPUs are very fast, like a race car; GPUs are like a tractor trailer, they're a little less fast, but they can do a million and one things at the same time. You may have 128 cores in your CPU, but you may have thousands of cores in your GPU. So when you've got parallel computing, your graphics processing unit is incredible. Where do we use a lot of graphics processing units outside of video games? Video rendering for movies basically takes straight, what do you call it, footage that comes straight out of the camera, it comes as raw footage, and we convert it to like an MPEG-4 with maybe an H.264 or an H.265 codec to really shrink it down. We use GPUs for that kind of rendering. We also use GPUs for machine learning. Here's the reason why: we take all this information, and the GPUs are powerful enough for all the ML and AI things. We're predominantly using GPUs; there's a little bit that can be done in fully programmable ASICs, but for the most part it is GPUs. So GPUs are used for a lot of things: video editing, graphics performance, and data science on machine learning and AI applications.

Okay, what's the next question? Noelle: so with containers, are you doing away with having to use a hypervisor? Absolutely not. You can provide substantially more resources to a virtual machine. You can have a virtual machine with several hundred CPU cores and terabytes of DRAM, but you know what you can't do? You can't make a container like that. You've got a lot of memory and CPU limitations with regards to your containers. Really big environments will need virtual machines; big servers need virtual machines. Some things that are lightweight can be deployed in a container. So it's about knowing what to do and choosing the right one at the right time. If there's no more questions, I will go back to the content. I just want to make sure, at periodic intervals: okay, if you're still here and you're having fun, if you could hit that like button, and subscribe if you're not a member, and guess what, if there's others you feel would be helped by this, please share the link to this so they can catch up. They can start from the beginning and continue to watch, and let's get back into the content.

So now you've had a request to explain a hypervisor again. Okay, we can re-explain the hypervisor; I'd be more than happy to do so. Let's go back to this slide, and we'll go back over here. So let's talk about this hypervisor. The hypervisor is a layer of software that will partition the physical hardware in your server to allow the creation of virtual machines. Chris, do I have the ability to share a browser? Yes, you do. Okay, so let me do this, let me log into one of our servers. Use the screen share function on StreamYard. Okay, I am going to try and figure this out. Okay, proceed. Just let me go log into one of my servers. Okay, everyone, let's do this. You guys asked a question way outside of AWS Certified Solutions Architect Associate training, but totally critical for cloud architect training. So let me do this. Oh wait, I might be on the wrong browser in order to be able to share this, so let me try this one more time. Yeah, I know this isn't, okay, so we've got StreamYard; it says share, and then what do I do? Share screen. Okay, I see. Oh great, Chris, thank you so much. Someone else asked about Kubernetes; would you like me to direct them to the video? Yeah, for the Kubernetes, direct them to the video. Can you guys see my desktop right now on OBS? Make yourself big on OBS. Make myself big, excellent. Okay, so you guys can see me, and can you guys see my server and the server screen? Okay, the answer is yes.

So here we are. We're in a VMware ESXi server. This is one of the servers that my students use to build clouds, to learn cloud computing, to set up virtual machines, build containers, build their firewalls here, and of course they build the cloud, because, you know, to be a cloud architect you really should know how to build the cloud. So now let's look at this physical server for a moment. Note you can see the manufacturer is Dell; it's a Precision 2810. You can see that I've got 24 CPU cores; you can see that they're E5-2670 v3s; you can see there's 128 gigs of RAM here; you can see this is the server's IPv4 address; you can see this is the server's IPv6 address; you can see these DNS servers, they happen to be Google's DNS servers; you can see the default gateway, or its router, and such. Now you can see right now that the CPU is used at two percent, the memory of the server being used is 34 and a half gigs, and we've currently used 660 gigs out of the one terabyte drive here. So now let's actually walk through the creation of a virtual machine, so you guys can know what goes on behind the scenes at AWS. Now if you go to Azure and get a virtual machine, if you go to Google and get a Compute Engine instance, then with AWS if you want an EC2 instance, it's this same thing, but they pre-made it for you. So here's what it is. We've taken the server, we installed our hypervisor, which is just the software. We're then going to create a new virtual machine. Let's say we name the virtual machine; we'll call this AWS CSA 2022 so I know how to delete it afterwards. And then what we'll do is we'll tell it the guest operating system; let's say we select Linux. Can you zoom in on the browser? I can't zoom in on this, because it opens up in a short window, and my browser is 100 percent zoomed, unless there's something else here. Yeah, you can zoom to 125, 150.
okay three buttons to the top right corner the three yeah zoom there you go okay excellent see what happens is uh mac users that have haven't used windows in 20 years until their mac couldn't handle their needs have to learn how to use windows it seems to be working pretty good by the way i was really surprised after not using it for decades so let's say we suggest ubuntu 64. and then next what we'll do is we have to customize the settings of the virtual machine note cpu we select the number of cores this is going to determine the performance of the system number of cpu squares and the clock speed of those cores determines your server power then you know we would we want the hardware going directly to the guest coders then we would select the memory of the virtual machine hmm you need what's the memory it's the dram so i select gigs and then i choose what i want to use i want to use 16 gigs i want to use eight gigs you select the amount of memory that you use then you select the network adapter well you can do you can do status of these things you can create a mac address if you need it to match something and guess what else you can do you could do single root i o virtualization or pass through a card but i don't have any extra cards in here then when you typically speaking when you launch a computer you launch the server from a cd or an iso file so here we go we'll do that now then we've got to go to the data store and find the operating system images so here's where we keep the images i don't even know which image this actually is this linux iso but we'll just pick it we'll select it we'll go to next we'll go to next now here's a window a machine that we just connect we just tested let's boot up that system okay well i don't think i actually set up an appropriate operating system for that so let's power this system off this is what happens when you do things live on the fly like i said i don't recognize that operating system so you know that's that's so let's go 
back to this. Let's edit the settings of this virtual machine. I don't really like that datastore's ISO file that we picked, because it's apparently not the right thing, so let's go to the datastore, let's go find an operating system file. Now let's launch that virtual machine. Note it's going to launch like any other Ubuntu server, because it's a logical server; it's virtualized, sitting inside of this thing. So if any of you guys have ever set up Ubuntu Linux, we've just now created an Ubuntu Linux virtual machine. So what we did is we took our server, the server has a hypervisor, the hypervisor enables us to take the number of CPU cores, memory and DRAM we've selected, we've mounted an operating system, and right now we would install the operating system on this server identical to the way we would do it on any physical hardware. Note, when you're doing it this way you actually have to install the operating system. It's not going to be like with AWS where you just click three buttons and it can be done. You have to know something to do it this way; you have to be better. And that's why, you know, employers are looking for virtualization experience. That's why we train so much. You must know this. It is an absolutely, absolutely critical skill. You must have extreme knowledge on server virtualization to be working as a cloud architect, because everything that we do, 100% of everything that we do, is we take things from the network and the data center and we move them to the cloud with equivalent services, and in order to do that you must know what it is you're actually moving. Let me delete that so we don't use the resources on the server. So, um, are there any more questions on server virtualization before we go back to the content? Someone asked if we know what hypervisor AWS uses. AWS uses their own hypervisor called the Nitro hypervisor. Realistically speaking, all of them are almost the same. They all either come from
VMware's ESXi, which typically speaking runs on a Debian Linux kernel, or what you're typically finding is all of these other hypervisors are all running on Linux for the most part, whether it's KVM, which is the common Linux one, whether it's QEMU, which is also a common Linux one, or whether it's the Nitro one, or whether it's Xen. It doesn't matter; it's just a hypervisor. So hopefully that answered your questions. Here we're trying to give you everything that you need to be cloud hired, so if you're having fun, you know, hit that like button and type "cloud hired" and we'll go back to the content. We're trying to give you everything you want and need all at the same time, in addition to just giving you what's necessary for a certification, because getting certified versus cloud hired are very different. So, you guys are ready for DNS? Let me know by typing "cloud hired" and smacking that like button. Okay, very good, I see you guys are enjoying it. We'll always have some bonus content. You know, we're planning on doing a database demo today for you as well, but whatever we can do to get you cloud hired, to get your cloud skills to improve, your cloud architect career development or your technical career development program, that's what we want to do. We're here; that's why we don't focus on certification, we focus on cloud hired. So thank you for letting me know with the "cloud hired," thanks for hitting the like button, please share. You know, as my good friend Sandeep says, sharing is caring when it comes to producing free content and training others to have the best career. Let's spread the word, let's share this. If we could all share this to 10 other people, and there's thousands of people on this call, we can really help a lot of people live better lives, have better financial health and be able to take care of their families in a much better way. So help me support this mission by sharing. Let's give people what they need to be able to achieve what they desire. So let's talk about DNS. What is DNS, or
the Domain Name System? The Domain Name System is somehow to map a name, a user-friendly name, to an IP address. You don't need DNS at all; DNS is a convenience. If you knew the IP address of every single computer in the world, you would just connect to these computers via the IP addressing scheme. That is it. DNS is used to make life easier. Which is going to be easier to remember: gocloudcareers.net, I'm sorry, gocloudcareers.com, or an address that is an IP address? And I'll tell you what our IP address is, because I don't even know right now. Um, but let's do this. So, I wish it would be harder for you to remember... so let's do it, and that's... hold on, and let's look it up. Okay, so which would be easier for you to remember: 192.00..., would that be easy to remember, or would "go cloud careers" be easily remembered? I can remember go cloud careers. I've already forgot the 192.0.78.137; it's only been three seconds. So if you have a photographic memory like my wife and you have the ability to remember everything, you don't need DNS, but for the rest of us humans that have memories that can't remember everything, we need something that's user-friendly. So DNS is used to map a name that we can understand to an IP address. www.cisco.com, so easy. amazon.com. We can connect with the IP address, but who could remember it? So realistically speaking, I want you to really see what's going on here. So when we're dealing with DNS and we're mapping names to IP addresses, let's say you go to your computer and you want to go to amazon.com. So you go to your web browser, you type www.amazon.com. Your computer then sends a request to the DNS server. The DNS server says, here's the IP address for amazon.com. It gets sent to your computer. Your computer caches that information, or stores it, for a short period of time and then goes and connects to the IP address. See, we're connecting to the IP address, not the name, but it's the name that we use as an intermediate step. So DNS mapped a name to an IP address. Now let's talk a little bit more
about DNS, because it's super important. If you go to your computer and you want to find the IP address of any website on the internet, all you have to do is do an nslookup, a name server lookup, and then type in the address. You can see here I did an nslookup of www.amazon.com. The first thing you can see is my DNS servers, which are Google's DNS servers, the 8.8.8.8, and when you see this pound sign 53, or hashtag 53, it's them reminding you that it's TCP and UDP port 53 that is used for DNS. Port 53 is used for DNS. I'm going to say it again: port 53 is used for DNS. You want to know the port on your exam: it is port 53, TCP and UDP. Coincidentally, Amazon has a DNS service and they called it Route 53. Where's the 53 come from? It comes from the UDP/TCP port 53. So now let's go back to my nslookup of amazon.com. First you get the answer, and the answer is that amazon.com's real name is this address, this ugly-looking tp.47.cf... that's realistically the CloudFront distribution that's being used by Amazon, or the two sets that are there. But what's going on is Amazon's got what's called a CNAME record, which maps a user-friendly address to this ugly CloudFront address, and that way what's going on is you can find it. What is the IP address for Google's CloudFront distribution that we connect to? At least at the time I did this video, I made this slide, it was 13.35.116.114. That could have changed since now and then, because they could have changed servers, changed addresses and updated their DNS policy. But as you can see, the DNS mapped this www.amazon.com to this address of 13.35.116.114. Made it real easy, huh? You know exactly where you're going all the time. So let's get out of this and let's talk about the parts of the DNS system. See, we're going to discuss DNS before Route 53.
It's part of that "let me teach you how to drive" as opposed to "let me teach you how to do AWS." You need to be able to work on every cloud, everywhere, every time. So let's talk about DNS. Domain names are broken into a minimum of three separate sections: we're gonna have a host name, we're gonna have a domain name and we're going to have a top-level domain. Let's break it down. Host name: www. Domain name: gocloudarchitects. Top-level domain: com. So www.gocloudarchitects.com is what's called a fully qualified domain name. Why? The www is the host, the domain name is gocloudarchitects, and the top-level domain is .com. Lots of top-level domains: .net, .edu, .co, .uk, .gr for people like me and Head Over Heels; we would have a .gr, or Greece, attached to it. So see, it really doesn't matter, but you have to understand what's actually going on. You've got an alias record that's mapping one thing to another. In this particular case, whether you call it a CNAME record or an alias record, you're mapping some ugly thing, mapping a name that's familiar to something that's not. So I am not Mr. DNS; I am a network architect. These are typically done by the Unix/Linux admins, but DNS is important, so you must actually know those. Um, let's talk about DNS record types. When we're going to be dealing with the cloud, we're going to have DNS records. DNS records, which are also known as zone files, realistically speaking give particular instructions about the DNS servers that are going to provide the information for the domain, and it's going to use this specialized form which is known as DNS syntax, which basically is a text file, and it's going to tell the DNS server how to carry out its actions. Any time you're dealing with DNS or caching or a lot of these things, you must have a time to live, because if you just had a name mapping to an IP address that never timed out, if you needed to change the address it would never update. So your DNS records are
going to have a time to live. It's normally measured in seconds, but it can be changed. There is a massive list of DNS record types, and here we're going to talk about the most common ones. The most common ones that you need to know are as follows: the A record, which simply maps an IP address to a name; the quad-A record, AAAA, that one you realistically need to know. Why do you need to know it? Because it's a simple A record, but for IPv6. A CNAME record, which is what we talked about before when I talked about taking a friendly address and mapping it to that ugly CloudFront distribution DNS address, is a CNAME record, a canonical name record. Some people used to call something like it an alias record; it's not exactly an alias record, but it maps the domain to another domain. You must have an MX record if you want your enterprise to receive email. The NS record is the name server record, pretty important to know. SOA, or start of authority record, is also important. SPF, or Sender Policy Framework, you probably need to know, so we'll talk about it. So when we do this, now let's talk about the AWS-branded version of DNS. It's called Route 53.
Route 53 is the AWS implementation. We've been discussing DNS in general. Why have we been discussing DNS in general? AWS is not the only game in town for DNS. You can be using the AWS cloud with your own servers, your DNS servers in your data center; you could be using Google's DNS servers; you can be using anybody's DNS servers, F5 DNS servers. So when we talk about AWS and we talk about DNS with regards to AWS, we're talking about Route 53, but it doesn't have to be; it competes with anyone's. Now, Route 53 is a highly available service. It's high availability, high latency, and it's very good. Now Route 53 uses something called anycast, and anycast is a very challenging concept to learn, but it promotes high availability. Here's what anycast is. Anycast is when you have multiple servers that all use the same IP address. And now you're saying, wait, Mike, you told me yesterday that every single IP address in the world needs to be unique to have communication, and that is still true. You will not have true communication unless every IP address is unique. Anycast is a rule to break the rule, but the rule still applies. Here's what anycast is: I have 10 servers located throughout the world and every one of them has the same IP address, which is a problem, because, um, what's going on here is they all have the same IP address. Now, these servers are all synchronized with the same information. Now what happens, and the way this actually works, is as follows. I'm here in my house in Palm Beach, Florida, or St. Lucie, Florida, right near Palm Beach. Life is really simple. I'm playing with my computer; I'm going to my nearest DNS server. What happens? I want to go to cisco.com. I go to cisco.com, I do a DNS lookup. My DNS lookup uses the Google DNS servers, which are 8.8.8.8.
Now I get a response from 8.8.8.8 and I know where to go exactly, we told you. But how do I find my 8.8.8.8 that I ate today? My internet service provider is running BGP and they're exchanging routes, going back and forth in all these different directions; they're exchanging routes. So when I go to my internet and I look for the DNS server 8.8.8.8, what's going on is my internet service provider is giving me the closest 8.8.8.8. Now should that 8.8.8.8 go away, guess what? My internet service provider's routers will find me the next 8.8.8.8 that's the next closest, whether it be because at some point it has the better local preference, shortest AS path, or however the traffic was engineered. So what happens with anycast is you've got multiple devices that are using the same IP addresses, and what happens is if one of these things goes down, the routers on the internet will know how to reroute your traffic to the next server with the same IP address. So look at it this way. Since anycast is way, way, way above the scope of the Certified Solutions Architect Associate training, critical cloud architect training... but you know, we could spend weeks on optimizing anycast and using it for multicast and other things, so this is not a small process. But anycast basically has multiple servers all with the same IP address and the routers take you to the closest one, and because of that, if a DNS server fails, guess what? You'll just go to another DNS server and another DNS server. So we're really talking about some good performance when we use anycast DNS. Now I'm going to cover a few of these records that I want you to know. The A record, let's go this way: the A record is simple. It maps a name to an IP address, and for IPv6 it's an AAAA record; it maps a name to an IP address. Simple, elegant, that's all you need to know. Now the next record is called a CNAME record. What's going on with the CNAME record? It's similar to an alias, but not exactly. A CNAME record is when you map a
domain to another one. So if everybody that goes to www.a.com gets automatically forwarded to www.b.com, that is a CNAME record, and you need to know that. When you're dealing with CloudFront, you will almost exclusively be using a CNAME record, because CloudFront, the content delivery network, is going to give you the ugliest URL for your website and your users will never remember it, so you're going to have to make a CNAME record to map a cool name, a human-usable name, to the CloudFront distribution. Now let's talk about the NS record. The NS record, a very critical record, identifies the name servers, the authoritative name servers, the ones that are responsible for your DNS zone. So these are the servers that propagate your official DNS information to the rest of the DNS servers on the internet. See, this is important. The next is an MX record, which is a mail record, which specifies which mail servers can accept mail for your domain. After that we'll talk about the start of authority record. This is the primary name server for the domain, the responsible party for the domain. Realistically speaking, it's a timestamp that changes any time you update your main domain. So let's talk a little bit more about the AWS implementation of DNS called Route 53. It's designed to be a relatively low-cost method for DNS services. Route 53 with AWS supports IP version 4, which has two, and IP version 6, which is the future. You can route customers inside of AWS, outside; it's just a DNS server. So Route 53 uses health checks. We'll talk a lot about health checks, but health checks enable you to determine if a server's healthy. I'll go and give you my generic answer of a health check. Here is what a health check is. Let's say you've got three web servers, and you want, under there, you're gonna have a health check, which is gonna ask your servers: are you there? Are you there? Are you there? And if the servers are there, they're going to say: I'm here, I'm here, I'm here. So if the query, or the DNS
environment, is saying are you there, are you there, are you there, and you don't get a response, DNS knows the web server is dead. And do you want to send your traffic to a dead web server? The answer is no. So the DNS servers will just literally remove the dead server. So that's what's going on with these health checks. You've got a query that says are you there, are you there, and you get a response that says I'm here, I'm here. Kind of like OSPF, where they used to say hello, hello, hello every couple of seconds. It's how you identify your neighbors; that's how you keep high availability. So that's how it all works. So hope that made sense to you. So now let's talk about using DNS policies. So when we're talking about the domain name environment, we can route our traffic according to many different things. Since we're talking about the AWS implementation of it, we're going to describe the AWS implementation, but guess what, it's not much different if you're on Azure, it's not much different if you're on Google, it's not much different if you're in a data center and buy a really good DNS setup from F5. It's the same. So we're talking about DNS, not just an AWS service. So let's talk about the kind of routing policies you can do, and you need to know most of these. We'll talk about simple routing, we'll talk about weighted routing, we'll talk about latency-based routing, failover routing, we'll talk about geolocation routing, multi-value answer routing and geoproximity routing. While that is an alphabet soup, that is a mouthful, you need to know these. You will see them on the AWS Certified Solutions Architect Associate exam, the AWS Certified Solutions Architect Professional exam, but most importantly you need this for your cloud architect career. The whole point of certification is to help you get hired. In the end they are 10% of the process to getting hired, but you still need to focus on them, for that 10 percent. They can help you get that interview, and then once you get that
interview, it's up to you and your technical competency, your communication skills, executive presence, emotional intelligence, etc., to get hired. But they help. So let's get you the information you need to know. We'll begin with the simple routing policy. Simple routing is as follows: it is very, very, very simple. Simple routing does the following: it maps the name to an IP address. That's it. So map this name to this IP address. Perfect, simple, elegant. Now, traditional simple routing, that's what most people think of as DNS, but that's not it; we've got more policies. Now this next policy is really cool to me. It's called weighted routing. So when you're dealing with weighted routing, you can tell how much of your traffic to send to a different location. This is cool. Why do I love weighted routing? Well, let's say you want to try a new website. You don't know if it's going to fly; you don't know if it's going to work. Think blue-green deployment. So you send 10% of your users to the new website and 90% of your users to your current website. If you send them to the experimental website and you get lots of feedback and lots of orders and the customers are saying I love this, it works, then you just shift your policy and send everybody else to the new website. So what's going on here with regards to weighted routing is you specify a policy: 90% here, 10% here. So, really great way to test new software, excellent way to do it. Send 50% to Azure, 50% to Google: weighted routing. So this way you know how to set up policies that are going to work for you in your environments. If it's Route 53, it's going to work across the internet; if it's your own DNS servers, it's going to work on the cloud. DNS is a standard, so not that much of a complexity. Now the next thing is called latency-based routing. Latency-based routing is kind of cool. Latency-based routing is as follows. You know, part of the service to giving a great user experience with web-based applications is as follows: it's getting the user to access the content as fast as possible.
So what slows the content down, what slows the experience down? A lot of it is the latency between you and the ultimate destination; they can be far away from each other. So let's say I work for a company that's got a website in London, a website in Lagos, Nigeria, and a website in San Jose, and I want to get to the computer. So I go to my www, and what happens is the following: my system determines the latency from my location to the web server and it sends me to the web server with the lowest latency. So it may send me to California, San Jose, or it may send me to London. It's probably not going to send me to Lagos, because getting to Lagos is a lot farther away than it is from San Francisco for me. So latency-based routing is about sending you where the latency is lowest, for the best user experience. Now the next type of DNS policy we'll talk about is failover. I use a lot of failover routing in my designs. Failover routing is this: send it to this server or data center, and if that server or data center is not there, send it somewhere else. So think of it this way. You've got a hybrid cloud environment. You've got an organization that's running an OpenStack Ansible cloud or a Nutanix cloud in their data center. Their data center is really well built; it gives them ultimate web performance, far better than the cloud at a cheaper price, because they are really top-notch, but they don't have disaster recovery. So in the disaster recovery environment they're using a cloud. They've got small instances of things running in the cloud with an auto scaling group; all their data is copied to the cloud. Here's what happens: DNS detects a failover of the data center, the DNS redirects the traffic to the cloud, auto scaling within 45 minutes scales out, adds all these servers, and the customer's data center is up and running on the cloud, fully operational, with low cost all year long, and it will be there exactly when the customer needs it. So failover routing can say, hey, AWS is my primary; fail over to
Azure should AWS go down. Failover routing enables extremely good options when you're doing things. The next one we're going to talk about is geolocation routing. This is kind of cool and I want you to think about it. Let's say you're in a part of the world where about six languages are spoken, kind of like where I'm from. I'm a Mediterranean person. In the Mediterranean we speak Greek, we speak Hebrew, we speak Arabic, you know, and of course we speak English. Typically speaking, those are the majority of the languages that are spoken in the Mediterranean. Also you've got some Italian and Spanish as well, but most of the Mediterranean is in that hybrid between, you're dealing with Israel, Greece and the Arabic nations, so you've got those languages. So let's look at geolocation. Imagine this: I'm in my house in Napatamos, Greece, and I go to the internet. It detects my location and sends me to a Greek page, in Greek. I'm then in Israel and it offers me two options, Arabic and Hebrew. I'm now in Dubai and it sends me directly to the Arabic one. That's the power of geolocation routing. What happens is the user hits something, it looks at their source IP address and it sends them to the destination best suited for them. So you've seen it all the time. I mean, you're in China, you're in Hong Kong, you go to a web page and it takes you to the Chinese version of the web page. You go to London, you get an English version of the web page. You go to France, you get a French version. That is geolocation routing at its best. Now the next thing that I really like talking about is multi-value answer routing, because to me this is something that I can't imagine why anybody would use it, but you know, it's comical to draw it. It's kind of like rolling the dice. You set up a policy and you specify a bunch of servers, and every time it just randomly sends it to somebody else. So I don't like random in my designs at all; I like control. Multi-value answer routing policy is simply this: go anywhere. So I can't engineer, I can't
traffic engineer around anything, and random, so I don't use it very often. The next one, and the last one we're going to talk about, is geoproximity routing. Geoproximity routing is a bit of a strange concept, but it's kind of cool and I want you to know about it. Here's what happens with AWS: they enable something called geoproximity routing. They divide the world into multiple regions, and basically speaking there's this bias that you can put, and it will expand or reduce the size of the regions. By expanding or reducing the size of the regions, traffic will be placed in other locations. It's called geoproximity. Never used it, but it's important to note what they're talking about. Now let's go into health checks. Apparently I'm insta-famous for my version of a health check. In fact, people just call me up and say, Mike, are you there, are you there, are you there, which, you know, if it gets people to remember what a health check is, I'm all for it. I just want people to remember, whether you're on a job interview and someone asks you what a health check is, or whether you're taking that test, if you can remember are you there, are you there, you'll never forget the health check. So let's, realistically speaking, look at that health check one more time. Here's what's going on, and this happens in all health checks. You've got the AWS Route 53 doing a health check. It's sending a message to the server: are you there? Are you there? Are you there? Now look at what's happening on the top, on the right side. We've got a server that just gets asked the question, are you there, and you see it responds, yes, I'm here, and that's why it's got a green check. Now the bottom server: are you there? No. Are you there? No. Are you there? No. Uh oh. I just kept saying are you there; I've asked a few times, I've not got a response back. We have a problem. This server is dead. Remove this server from the rotation and only send your traffic to the green one. That's how we do it. That is what a health check is, and now you know. So hopefully when you see
Mike's are you there, are you there, now you know why. It's a health check. It's used with load balancers, it's used with DNS and it's used absolutely everywhere. So we covered DNS. DNS is a big topic. Can't tell if I'm seeing things are coming in, so if anybody has any DNS-related questions before we go to load balancers, let me know; otherwise smack the like button and type cloud hired in the box. Okay, I see a question from Kishan Rao: how to configure a simple DNS server, custom DB, DHCP for multiple VPCs via Transit Gateway, peering and hybrid? That is a great question, Kishan Rao. How are you going to set up a config? There's a lot of ways you can set up a DNS server on and off the cloud. We could realistically speaking spend the next six to eight weeks showing you different ways to do it, but here's the thing. We are basically teaching an architecture program, and in the architecture world we don't do any of the setup. We do the design, and other people build; those people are called cloud engineers. We are actually doing some things, so if there is an ability and a desire to set up a DNS zone and configure some Route 53, I can add that to Alonzo's list and we can have Alonzo do a DNS lab another day, because I think it would be good for you to understand how to set up DNS in the AWS environment. But you know, configuring complex things, that is an engineer world versus an architecture world, and as a rule at Go Cloud Architects we train cloud architects, so we're more on the focus of teaching how it works. Having said that, the other courses that we recommend when it comes to your certification exam, we recommend the three following: this course, because it's going to teach you what you need to know; our book, because it teaches what you need to know; and for additional resources of great information, Andrew Brown of ExamPro has a great course which has got a lot more of those hands-on kind of labs, because he focuses more on that certification piece, and it's there, so I recommend that as well.
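The routing policies (simple, weighted, latency, failover, geolocation, multi-value) and the "are you there?" health checks covered earlier in this session, as an added example that is not part of the transcript and not Route 53's own code: a toy Python resolver in which every IP address (TEST-NET range), weight, latency and the failed probe are constructed, and a target that stops answering its health check drops out of every policy's answer.

```python
"""Toy DNS resolver modelling Route 53-style routing policies and health
checks.  Added example, not Route 53 code; all addresses (TEST-NET-3),
weights, latencies and regions are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Target:
    ip: str
    weight: int = 1           # weighted routing: share of answers
    latency_ms: float = 0.0   # latency-based routing: client-to-site latency
    region: str = "*"         # geolocation routing: "*" is the default/catch-all
    healthy: bool = True      # result of the last health check


def health_check(targets, probe):
    """Ask every target "are you there?" via probe(ip) -> bool and mark the
    ones that do not answer unhealthy; returns the IPs still in rotation."""
    for t in targets:
        t.healthy = probe(t.ip)
    return [t.ip for t in targets if t.healthy]


def resolve(policy, targets, client_region="*", roll=0):
    """Return the IP(s) a query gets under `policy`, never answering with a
    target that failed its health check.  `roll` (any non-negative int)
    stands in for the resolver's random draw in weighted routing."""
    live = [t for t in targets if t.healthy]
    if not live:
        return []  # every target is dead: nothing to hand out
    if policy in ("simple", "failover"):
        # simple: one answer.  failover: targets are listed primary first,
        # so the first healthy one is the highest-priority site still up.
        return [live[0].ip]
    if policy == "weighted":
        total = sum(t.weight for t in live)
        if total == 0:
            return [live[roll % len(live)].ip]  # all weights 0: equal share
        point = roll % total
        for t in live:
            if point < t.weight:  # a weight-0 target is never chosen here
                return [t.ip]
            point -= t.weight
    if policy == "latency":
        return [min(live, key=lambda t: t.latency_ms).ip]
    if policy == "geolocation":
        match = [t for t in live if t.region == client_region]
        chosen = match or [t for t in live if t.region == "*"]
        return [chosen[0].ip] if chosen else []
    if policy == "multivalue":
        return [t.ip for t in live[:8]]  # up to eight healthy answers
    raise ValueError(f"unknown routing policy: {policy!r}")


def demo_targets():
    """Constructed sample: the current site (San Jose) keeps 90% of traffic,
    the new site (London) gets 10%, and a catch-all site (Lagos) weight 0."""
    return [
        Target("203.0.113.10", weight=90, latency_ms=30, region="US"),
        Target("203.0.113.20", weight=10, latency_ms=95, region="GB"),
        Target("203.0.113.30", weight=0, latency_ms=160, region="*"),
    ]


if __name__ == "__main__":
    sites = demo_targets()
    for policy in ("simple", "weighted", "latency", "geolocation", "multivalue"):
        print(policy, resolve(policy, sites, client_region="GB", roll=95))
    # London stops answering "are you there?": it leaves every answer set
    print("in rotation:", health_check(sites, lambda ip: ip != "203.0.113.20"))
    print("weighted after failure:", resolve("weighted", sites, roll=95))
```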
And I always recommend a practice exam prior to taking an exam. We love reviewing prep; Haman Sharma, their CEO, is a great guy. We have no financial arrangements with any of these people we described; we just feel that at Go Cloud Careers and Go Cloud Architects we should give you the best information from everybody, whether it's us or anyone else in the world, so you have the best cloud computing, cloud architect job experience. Doreen: is Route 53 supernetting? Not even at all. Route 53 is DNS, which maps a name to an IP address. Supernetting is when you take two subnets or three subnets or four that are contiguous and you summarize, or you aggregate, them together. So if you took a 192.168.0.0/24, a 192.168.1.0/24, a 192.168.2.0/24 and a 192.168.3.0/24, you could summarize them into a 192... watch, the four of them, right? Okay, so a 192.168.0.0/22 instead of three /24s. So it's kind of those kind of things, so I hope I answered your question. Mwmuru: does that mean that in AWS anycast all the servers have the exact same information and service? The answer is yes, all with the same IP address, all with the same information on them, and realistically speaking, in traditional anycast you go to the one that's closest to you. Avery P: what can we do to ease the IPv6 migration implementation for the future? Oh boy. Well, here's the thing: it's all related to your IP addressing scheme. So as you know, when it comes to designing a network, how you actually address your systems will determine whether you can route summarize; it will determine, you know, what boundaries you can use and how you can set up your network. So IPv6, just like IPv4, is about planning the right subnets for route summary, route aggregation and traffic engineering purposes. Uh, Avery P, you know, this is a CCIE-level question you're actually asking, which we're going to cover in a lot of depth in our cloud network architect program, because we could spend the next eight weeks with regards to IP
subnet design, literally speaking, and still not even touch it. Abigail Marks: if you use a VPN to watch a British show, how is Netflix still able to block you with an IP from that company? They shouldn't be able to if you set it up right, if you're really using a VPN and it's not a public VPN that just reroutes your information to nowhere. And what I mean by that is there's all these little personal VPNs that people actually use to hide their IP addresses. For example, when you're using those, what happens is millions and millions of users come out of the same IP addresses, so Netflix and other companies often block those addresses. But if you set up a true IPsec VPN, Abigail, between New York and London, you would basically get access to the UK page, but that's with a real VPN. But when most people are using these VPNs they're blocked, um, because, like if you were to use the Tor browser, which sets up a VPN, and you wanted to go to YouTube, YouTube would basically give a warning. It's going to say, hey, too much traffic coming from these servers, um, you're blocked. That's what's going on. In fact, I will tell you, when people work in other countries, often they use a VPN to bypass the rules of those countries. Like, for example, in the Middle East direct internet access is not allowed, at least in Dubai; you go through a proxy server. There were people that were like, Mike, don't worry about it, create a VPN, and I said no. You want me to violate a country's laws? I don't think so. Um, because they could do that to violate it, but it's not me. I go to some place, I honor the rules, I honor the laws. But understand, um, VPNs do work, but the public VPNs that most people do, that are the consumer things, are just designed to masquerade your IP address, and most of those addresses are blocked. Okay, what is the difference between geolocation and geoproximity? Great question, Lightning DDD1. Geolocation is very simple and very logical. It determines your IP address, knows where you're at, and then sends you to the closest
location so if i'm in greece it sends me to the greek web page if i'm in abu dhabi it sends me to an arabic webpage if i'm in saudi arabia it sends me to an arabic page if i'm in israel it sends me to a hebrew page if i'm in mexico it sends me to a spanish page so that's what geolocation routing is now geoproximity is kind of weird it's kind of like a geo area specific you set up a bias and aws kind of does it much much much much more control with geo geolocation i don't use geoproximity i've never used geoproximity because but geolocation is used by everybody when they've gotten international multinational companies next question record sets are actually configuring things via via route 53 you know maybe we'll have a route 53 configure action section at some point tomorrow or the weekend i'll see if it fits them with alonzo's time frame any others chris okay well great um we've answered all the questions and we can get back going if you're having fun and you're learning and you're enjoying the concept please smack that like button and type cloud hired in the box and then we'll get back to talking about load balancers we love feedback we work really really hard to put these things together hundreds of hours going to put together a certification course like this so we'd like to know if you're enjoying it okay now let's talk about load balancers load balancers are really cool what a load balancers actually do in fact what is a load balancer a load balancer is quite frankly simply a device that's going to distribute traffic amongst most of all other devices that's it a load balancer shares the load amongst multiple devices so i want you to really think about this which is stronger for example one person or ten warriors one warrior or ten all from the same team look at it this way they don't send one seal they send a sealed team why do they send a team more people equals more capabilities let no single point of failure if you've only got one person that person gets 
injured they can't win so they send a team what do we do in tech we take lessons learned from all kinds of environments if you have one server and the server fails got a problem so you've got two options when it comes to servers let's say you're at a 64 curve server and it's got you know four terabytes of ram and that cpu is 80 busy and the memory is 90 used you could do this you could go to 128 core server with four terabytes of ram and then it'll be at 40 utilization you're going to be great right you would well would it be better to use two 64 carbon servers with two terabytes of ram or 128 creative server with four terabytes around one is none two is one and three is greater than two remember high availability so two servers for which you could lose one is better than having one server that could die so a load balancer improves performance and availability that is the difference of performance and availability that's why organizations use load balancers i'm going to say it again because i ask this on interviews and no one knows we use load balancers to improve system performance and promote high availability so what happens is the load balancer enables you to use 10 servers instead of one 10 times the capacity and you can lose nine of them and still have one up that's why we use load balancers to improve availability by remote moving single points of value remember you've got two options scaling up bigger computer scaling out at a bunch of computers so when you're dealing with scaling out you're using a load balancer the load balancer is a high availability tool and it's one of your best friends as a cloud architect so next we'll talk about load balancers but there's two kinds of load balancers i don't care if you're talking about an azure load balancer or if you're talking about elastic load balancers with aws there are two kinds of load balancers for real and there's another con which is totally unrelated when it comes to load balancers you have network load 
balancers and application load balancers. Here's what I need you to remember: network load balancers are fast. If you have any kind of high performance requirements with a load balancer, you will always use a network load balancer. A network load balancer operates at layer four of the OSI model. On day one, or was it day two, we covered a lot about the OSI model; Chris can put the link to that inside of the window in case you haven't seen it. Now, because network load balancers only look at things in the header (source and destination IPs, protocol and port number), and it's not a lot, network load balancers are the fastest; network load balancers don't have to have the most intelligence. So if you ask a computer to do a simple task, it does it as fast as possible. Now if you ask a computer to do something complicated, okay: task one, task two, task three, task four. So while the network load balancers offer some things really, really, really fast (and we'll touch on the gateway load balancer; it's kind of like a network load balancer, but that's neither here nor there), if you ask it to look into the header... So a network load balancer is really slow, I mean really fast, and really dumb: TCP, UDP, protocol, port number, that's it. That's why they're so fast. Application load balancers look at everything. They look at things inside of the HTTP/HTTPS header; you route with some microservices; they are really intelligent. If you ask a computer to do something complex, it is slow. So, speed: network load balancers; intelligence in your routing: application load balancers. And with AWS they're going to talk about something called the Elastic Load Balancer. For the network, we'll talk about the Elastic Load Balancer; for applications, we'll talk about the Elastic Load Balancer; we'll talk about a Classic Load Balancer, which is the same thing, just a network application. Now recently AWS came up with the concept of a Gateway Load Balancer, and the Gateway Load Balancer in many ways is just the same as a network load balancer. Here's what a Gateway Load Balancer is used for: if you have a real enterprise-grade security requirement, you're going to need a real enterprise-grade firewall, and that's not going to be AWS's WAF or Shield; it's going to be something from Cisco, something from Palo Alto, etc. Now, when you're using AWS cloud-native services like an Elastic Load Balancer, these are fully redundant devices, but in your VPC you might need to use a load balancer that's not made by AWS for more performance, or you may want to use a real next-generation robust security firewall, like something you're getting from Palo Alto or Cisco. Now, in the data center this is not a problem: you get two Palo Alto firewalls, you connect them in, they have a heartbeat between each other, and hardware failover, great. In the cloud you can't do that; you can't plug in a real hardware physical server. So in the cloud, when you need (and this occurs with AWS, with Azure, with GCP) something beyond the basic services offered by the cloud provider, you're going to go to the marketplace. So you're using a gateway load balancer to load balance between Cisco firewalls, or to load balance between somebody else's load balancers, like F5 load balancers, or you could be load balancing between things. So we used to use network load balancers for this functionality, and now AWS came up with something called a Gateway Load Balancer, and it's designed to really load balance between things. So marketplace is your friend when you're dealing with global enterprise solutions and you need more than a WAF or a Shield, when you need that enterprise grade, that robust grade, for end-to-end serious, serious, serious solutions. So now you know what a gateway load balancer is: it's just a network load balancer that's used to load balance between network devices. Prior to this we did things like use network load balancers to load balance between these things; so now they came up with a new one, and it's basically a network load balancer, but they call it a Gateway Load Balancer.

So now let's talk about the Amazon-branded load balancers. Basically they call them an Elastic Load Balancer. If you don't know, if you have to guess on a test, stick the word "elastic" on it and chances are you're going to win the question. So a load balancer, regardless of whether it's network, application or gateway, they're all called Elastic Load Balancers in AWS, or Classic, but that's neither here nor there. Load balancers are IP devices, so guess what? They use an IP address. Guess what? Load balancers auto scale too, because a single load balancer won't be fast enough for everything in your career. So load balancers can auto scale, so if you don't have enough IP addresses in your subnet, auto scaling won't occur, so make sure you've got enough addresses. Now, load balancers are cool devices: they can load balance across availability zones, they can use health checks, and they can terminate SSL connections, which is really cool. So think about it this way: what you're actually dealing with is you've got a load balancer and it's going to load balance in between multiple servers. Now, typically speaking, when I said that the load balancers can terminate an SSL connection, I want you to think about this. If, by comparison, you terminate the SSL connections on the server, that uses a lot of resources; encryption is computationally heavy. So if you can put the encryption and terminate the SSL connections on the load balancer, long before we ever get to the server, we can reduce the load.

So let's talk about network load balancers. Network load balancers, as I mentioned, are really fast: millions of requests per second, really great with rapidly changing patterns. Here's the thing: don't ask your car to do too many things and it'll be fast. When you get in a race car, they don't even have air conditioners in them; they don't want to drain it. They have no luxury things like that; they don't have radios in them. They're basically trying to minimize it. So a network load balancer is the minimalist approach. That's why we use it for shared services, that's why we use it for big services, that's why we used to use the network load balancers to create Elastic Load Balancer sandwiches and load balance between firewalls, prior to the Gateway Load Balancer, which does basically the same thing. It's not exactly the same, but it's designed to support the same function: to load balance between various other devices. So network load balancers are really, really fast. Now, they're stateful. Why are they stateful? The connection between the user and the server is maintained until the session is completed. That means every time I use a request, he or she is sent to the same server until their session is over, and a new user could be sent to a different server, and a new user can be sent to a different server. How is this achieved? If you look at what's going on in the load balancer, it's mapping the source address to a destination address with a protocol and a port number; the load balancer has all the information to remember this at the network layer. What happens is AWS calls this a sticky session, and basically what happens is it keeps you on the same server, and there's a mapping of the source and destination connections, and that's how it works. Generally speaking, we use network load balancers for giant VMs, like those with 120 cores, or shared services VPCs, or load balancing other load balancers, load balancing firewalls, any time you need high performance. You can actually route to containers with them, but most people don't.

Let's talk about what it typically looks like. So here's what we're using a load balancer for. Let's look at this situation over here. In this particular one, I'll move it over a little bit so we don't have me in the upper right corner being a problem. We have a network load balancer across availability zones, and it's distributing the load to these web servers, two different loads. This is your typical use case for an Elastic Load Balancer, network load balancer or application load balancer. In either
case; in this case we're using a network load balancer because we're dealing with big and strong EC2 instances and we want the speed.

Now let's talk about an application load balancer. Application load balancers are really smart; they're working at layer 7 of the OSI model. Remember, I'm a network architect by trade (actually I practice medicine by trade, but that's neither here nor there), but for a guy like me that spent the last 20-some years prior to cloud involved in designing networks for the world's largest internet service providers, banks and other organizations, look at it this way: where we're actually coming from is the perspective of layer seven. This is not my world; I'm a layer one through four world. Application load balancers can look at the path provided in the URL, the elements based on the HTTP and HTTPS header, the HTTP method (POST or GET), and routing between the source. So this is really good for HTTP and HTTPS traffic, microservices, realistically speaking, and load balances on stateful connections. So really good. Let's look at what these look like architecturally. Architecturally, here's what's going on: you've got your load balancer, your target groups (could be groups of servers or a single server); basically your load balancer is listening and it's shunting the load. Now note we've got a health check going on here, because we want to remove bad servers. So this load balancer, for example, is saying to these servers, are you there, are you there, and they're saying I'm here, I'm here, and the same thing is going on. The listener is what's doing that health check.

Now we'll talk about a Classic Load Balancer, and then I'm going to address internal and external load balancers, because for whatever reason that has people confused, and I think it's the way people typically talk about it, but it's the simplest thing in the world. To make sure everybody understands: the old load balancers that Amazon has, it's called the Classic Load Balancer, and guess what? They're network load balancers or application load balancers, and they're called legacy, and they auto scale and they can terminate SSL connections and they can still provide logs to analyze traffic. Guess what? Old version of the same thing. Lots of these things are naming. A Gateway Load Balancer does what a network load balancer does, and if you watch the AWS videos, every use case they give you is the same as the network load balancer. It's got a new name, but is it a network load balancer? They may have tuned it a couple percent, but here's the thing: it works just like one. When it comes to architecture, you need to know what services can do what. So could you do it with the Classic Load Balancer? Of course you can. Could you do it with the Elastic Load Balancer? Of course you can. Could you bring in a virtual appliance from the marketplace, from F5, and then use a Gateway Load Balancer to load balance between the F5 things? Yes. Classic means older, but it doesn't mean it's any different. But AWS recommends you use the new version, the new branded Elastic Load Balancer. So when you deal with the manufacturer, you read their documentation and you listen to their recommendations; they make their own stuff. So sometimes there's a little bit of branding and things to sound cool along the way. If that's the case, that's the case, but in many cases, guess what? Listen to them. Don't build something without looking at the documentation, don't read something without looking at the documentation, and what we're talking about here, same thing. So Classic Load Balancer: legacy version of the same thing.

So now let's talk about internal and external load balancers. This has the whole world confused. Most people think of external load balancers. Here's what an external load balancer is: you should think of an external load balancer as an internet-facing load balancer, or it could be, as they could still be, an external load balancer for non-internet. An external load balancer is something that you use for basic... let's say you've got a set of websites and the exterior world comes to your website. You put a public IP address on the outside of your load balancer and that is the public address for all your web servers for the whole world. External load balancers are used for external applications, like internet applications. Load balancers are used to improve performance and availability. So most people think of external load balancers for the web app, but if you're working with organizations, do organizations have servers inside their organizations? Maybe they're running an electronic health record in healthcare, maybe they've got HR software, maybe they've got an intranet website that is not available outside of users on the corporate network. They still benefit from a load balancer, but instead of your load balancers having a public address and being directed to the outside world, your load balancers can also be used internal to your network to load share across other servers. So please understand that internal load balancers are just used for availability and performance of your internal, privately addressed servers on your intranet; external load balancers are used for external applications like internet applications or partner applications. I hope that makes sense.

We'll talk about a couple more things. They typically don't show up at the AWS Certified Solutions Architect Associate level; they typically show up at the AWS Certified Solutions Architect Professional level, but you need to know these things, and since you need to know these things I want to address them. Let's talk about some things like listeners and targets and target groups and sticky sessions and health checks. Well, we talked a lot about health checks, so let's talk about listeners. The load balancer is going to have a process that's going to wait for a connection request. Application load balancers are going to look for HTTP and HTTPS requests on ports 1 to 65535; that's what they're going to look for. Network load balancers aren't going to look at anything that heavy; they're going to look at TCP or UDP or TLS and ports 1 to 65535. So they're looking at a lot less. They're looking for things so they know where to distribute your traffic. Then the listener that's listening for the connection request will then send it to the load balancer, and the load balancer is configured with targets. Targets are where the applications get sent. So if you've got 10 virtual machines, the target could be all 10 of those virtual machines. The target can be a group of things, or it can be a compute instance or a virtual machine with an IP address. Now, if your target is an address, an IP address, it must be an internal IP address or a private IP address, or something that's specified in RFC 1918 or RFC 6598. For those of you that are not familiar, the Internet Engineering Task Force comes up with internet specifications; they are specified in something called an RFC, or a Request for Comments. RFC 1918 specified private IP address spaces a very long time ago, like 20 years ago or more, and it came up with the 10.0.0.0/8 as specified for private IP addresses; 172.16.0.0/12 and 192.168.0.0/16 are specified in RFC 1918. Now there's this new concept of the shared address space, which was specified by RFC 6598, and that uses the 100.64.0.0/10 address space; that is also shared address space. So remember, if you're dealing with an Elastic Load Balancer inside of AWS, you're going to be load balancing internally to something on the 10.0.0.0/8 address space, the 172.16.0.0/12, the 192.168.0.0/16 or the 100.64.0.0/10.
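Editor's added example (not part of the speaker's transcript, and not AWS code): two things Mike states above can be checked with Python's standard ipaddress module, so one block serves both passages. The supernetting answer (192.168.0.0/24 through 192.168.3.0/24 summarized to 192.168.0.0/22) is the `summarize` function; the rule that an IP-address target must fall inside RFC 1918 or RFC 6598 space is the `is_allowed_target` allow-list. The function names and the sample addresses are my own constructions; the allowed ranges are the four the transcript names, which also match the ranges AWS documents for IP-address targets. The third function adds the caveat a network engineer wants before summarizing a route: the smallest single prefix that covers three contiguous /24s is a /22, which also claims a fourth /24 that you may not own.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The four ranges named in the transcript: RFC 1918 private space plus the
# RFC 6598 shared address space. Constructed here as an allow-list for
# IP-address targets behind an internal load balancer (assumption: the list
# is what your target registration should be checked against).
ALLOWED_TARGET_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),    # RFC 6598 shared address space
]


def is_allowed_target(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the allowed ranges.

    Public IPv4, IPv6, or a string that is not an address is rejected rather
    than raising, so one bad entry cannot abort a whole validation pass.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return any(ip in net for net in ALLOWED_TARGET_RANGES)


def validate_targets(addrs: Iterable[str]) -> Dict[str, List[str]]:
    """Split a candidate target list into accepted and rejected addresses."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for a in addrs:
        result["accepted" if is_allowed_target(a) else "rejected"].append(a)
    return result


def summarize(cidrs: Iterable[str]) -> List[str]:
    """Aggregate contiguous, aligned prefixes without adding address space.

    Four contiguous /24s collapse to one /22. Three /24s cannot collapse
    losslessly into a single prefix, so the result is a /23 plus a /24.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(cidrs: Iterable[str]) -> Tuple[str, int]:
    """Smallest single prefix covering every input, plus the number of
    addresses it announces that the inputs do not actually own.

    A non-zero second value is the over-aggregation caveat: advertising
    three /24s as one /22 also claims the fourth /24.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    owned = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(cover), cover.num_addresses - owned


if __name__ == "__main__":
    # Constructed sample input, not taken from the course.
    print(validate_targets(["10.20.30.40", "100.64.1.2", "172.32.0.1",
                            "8.8.8.8", "fd00::1"]))
    four = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    print(summarize(four))        # one /22
    print(summarize(four[:3]))    # a /23 and a /24
    print(covering_supernet(four[:3]))  # /22 that over-claims 256 addresses
```

Note that 172.32.0.1 is rejected: 172.16.0.0/12 ends at 172.31.255.255, a boundary that is easy to get wrong when the range is remembered as "172.x".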
You must be using one of those things. Target is a system. Now, what is a target group? It enables you to group your systems together, so maybe a target group is 10 EC2 instances. Now we probably also should talk about the concept of a sticky session. I had mentioned previously that what you're doing is the load balancer remembers the source and the destination and sends you guys to the right server. That's what we're trying to do, so that's what goes on: you get sent to the right server, the appropriate server, and you stay there. With the network load balancer it's called a sticky session and it happens by default, and it is really good and really cool. Awesome. Now, by comparison, if you're using an application load balancer, it's not that fast, I mean it works a little differently. The application is tracking stuff and microservices, so it's not going to be super easy for your application load balancer to necessarily track this user's source IP address and this user's destination, where the traffic was going. But sticky sessions enable that. So with the network load balancer this happens automatically, but when you're truly dealing with sticky sessions on an application load balancer you need something more. So what happens is a cookie is used, and a cookie will basically be used by the load balancer to keep the traffic between the user and the specialized server the entire time. So those are the kinds of things that I wanted you to just know, some last-minute things.

Now we've covered a lot on DNS, we've covered a lot on load balancers, and we're going to start talking about some security concepts, which I think is really cool and fun. But before we actually do that, I want to make sure that we answer some questions. So Chris, if you can bring up the questions. There's a question that came in from somebody; I think they're delayed a little bit on their view from the previous section, so I'm going to pull it up: can you kindly give us an interesting example of how you use one type of routing versus another one, for example weighted versus latency? Absolutely. So, I don't use a lot of latency-based routing, but I will tell you that weighted routing is constantly used. Weighted routing is as follows: weighted routing is basically when you specify a percentage of traffic to go to one location versus another. Weighted routing is constantly, constantly, constantly being used when you want to deploy a new application. So a lot of times people will try to deploy a new web page, and what will happen is they want to test it on a certain number of users, like a blue-green deployment. You basically send 10% of your users to the new website and 90% of the users to the old website, and with the 10% of the users on the new website you could get user feedback and find out if the website works. So that's typically, MWMuru, how these things are actually being performed. Now latency-based routing, for example, would be to make sure that your users get the lowest latency. I don't use a lot of it, but what would happen is your users would basically try and reach something, and their source IP address would be determined, and it would determine which website to send them to. It will improve user experience. I've got to tell you, I use a lot of failover routing. For example, I have a lot of people that have really great hybrid clouds in their data center and they want to fail over to the cloud, for example, and use the cloud for disaster recovery. I would also say that another great place where failover routing is used is you've got a multi-cloud environment: you've got your load on AWS, but you've also got a backup on Azure, and you could use failover routing with AWS; your website on AWS goes down, go straight to Azure. So there are lots of examples. For example, weighted is commonly used and failover is commonly used as well. I hope I answered your question, MWMuru, and if you want more, please ask more.

I don't want to say that there's no difference, but the use cases, the way you're using an application load balancer versus a network load balancer, are pretty much the same. I'm also going to tell you that there's not much that changes between taking in things and distributing them amongst most. So realistically speaking, if you're dealing with firewalls and you're dealing with network devices and load balancing between load balancers, we used to use a network load balancer; now you've got the Gateway Load Balancer, it's probably a better choice, very similar in many ways and use cases to the network load balancer. When you watch the documentation from AWS it feels the same too.

Freep: how granular should the load balancing policy be with the type of connection and request? Freep, the more granular you make things, the more complicated things go wrong. Generally speaking, the military has an adage, "keep it simple, stupid," and that is the best way to design these systems. So try and keep it as simple and elegant as you can. Having said that, there are times when you can't, and that's when you do it. But as a rule I would at least say, with regards to the type of connection, location, I would say figure out what's in the best interest of your customer, meaning: is it best to be low latency? Use latency-based routing. Is it best for failover? Is it best for blue-green deployments? I would say choose the policy that is appropriate for your organization and keep the policy, Freep, as simple as you can.

Question: can you use a single application load balancer for handling HTTP and HTTPS requests? Well, as a rule, no, because you can't have single points of failure. Now, could you use a single application load balancer in the AWS environment to do things and set up policies? Sure. Here's the thing: they're theoretically highly available things, see. The point is you could get away with it. Babitus Needo: which one are you going to use to implement an internal load balancer? If you need speed, use a network one; if you need intelligence, you use an application load balancer; if you want to route in between routers or firewalls or things like that, which would typically not be internal, you would use a Gateway Load Balancer. But nothing changes whether you're using a public IP address or a private IP address. But, Vedas, yeah, it's the same, same decisions. Krill Krillov: how is a sticky session handled if we load balance an auto scaling group that scales down? Could the autoscaler terminate an instance with an active session? Great question. I don't know, so I can't really answer that. Leonard Lash: what are the key features provided by an Elastic Load Balancer? Leonard Lash, load balancers are the same as any other load balancer. Key features: share the load across multiple servers, increase speed, performance and availability. AWS has a list of features; if you need above that, you will have to go to a vendor like F5 and go to the marketplace. But for the most part you can do everything you need to with the AWS load balancers; they're pretty rock solid. Can you use both a network load balancer and an application load balancer for an application? Well, for different parts of the application, of course you could. You could have one set of things for web things and another set of things for microservices. Organizations will have five load balancers for a web app: they may have one for Mac users, they may have one for Windows phones, they may have an additional load balancer for iPhones, they may have another one for Windows users, another one for Mac users. Organizations have lots of load balancers. How do you combine DNS routing with load balancers to route users to a certain condition? Well, they're kind of unrelated. So DNS, or Domain Name System, matches an IP address to a name. So typically speaking, DNS is going to point to the public IP address of your load balancer, and then load balancers are going to route between your servers. So DNS is just mapping a name to an IP address, and you typically map to the public-facing address of your load
balancer but you know real estate speaking and they both run health checks so what will happen is as follows dns will query the health the load balancers and if they're not if they're not there dns will reroute to somebody else assuming you've set up the right policy a load balancer runs its own health checks and if you've got 10 web servers or 100 web servers the load balancer will run a health tech are you there are you there are you there if the server doesn't respond the load balancer will remove it and then it won't send traffic to that so basically it's doing the same thing but they're two completely separate entities derek houston routing policy question how would you configure the router to restrict the domain to a website with a country of origin can only be okay so derek now you're talking about routing and you know routing can be one of two kinds around it traditionally routing is based on routing protocols so you just if you're doing it on the true routing side don't advertise a route or filter that that you don't reach inside your network and it won't be reachable the same by comparison you know don't accept the route from some subnets and you won't be able to reach it now on dns you're setting up the dns policy for example the dns policy might basically say go to this data center versus this data center so routing policies really determine where you want it to go to so if i understand the second half of that question derek and i'm not completely sure i do but if for example i do run into a restriction i run into a question with regards to the com hold on how would you configure the router to restrict okay so the routers really can't restrict countries of origin but what you can do is you can actually if you're using a router you can filter out certain ip address ranges that are associated with a certain country and that's how you could make it not reachable or you could do what other organizations do so let's say you're in dubai in dubai they do not 
let you go to certain websites you can't go to a website that has a list of things or anything that would be deemed illicit so what does dubai do they push everybody through a proxy server and the proxy server has a routing policy so what's going on is you go to the proxy server and the proxy server says you can't go to these sites but you can go to these sites so what happens is the proxy server sends you the appropriate location so any other questions here now derek china has the great wall of china which blocks all kinds of things and when you're dealing with internet routing in china it is really complex because there's so many government rules and regulations that you must work past it's just so so so many real so many so i was thinking security but i also thought it could be a good fun chance for alonzo to build the database with you guys do you guys want to do a database lab with alonzo right now or would you like to go to security comment in the comment section below and we will run this course based upon your desire you want to do a fun database lab with alonzo let us know you want me to talk about information security and cloud security next we're going to do it we'll do whatever you want alonzo's not fighting any all right database database database lab content database looks like databases okay alonso take it away why don't you run a database lab do that for minutes give everybody the chance to get a break while you're at it if you guys can smash that like button and uh comment and share we will always like to know you guys are having fun let other people's know about it so it looks to me like when we look through the list it's database and then last time okay that's the disclaimer everyone uh well this is security right afterwards okay yeah as a disclaimer we know that as architects we're more architecturally focused on building as opposed to implementing so with this database we're going to do a very high level um execution of setting one up uh we 
won't be doing any cure um any query editing because it gets into the code and thereby development um so we're going to stay focused on what the concept of data what what the database is being able to set one up so here we go i need my drum roll music there you go okay everyone if you are following on your aws management console i'll give you uh just a minute or two to kind of log in and get focused and we'll set it from there that that timer was the minute timer by the way okay well there it is we have to hey we got to follow what what chris says go so we have to stay focused so okay i am um can you do that can you zoom in a little bit how's that for everyone is that okay there we go i think that should work okay okay wonderful okay so we are um as we spoke we're going to be working on databases and specifically we're going to go into our rds management console and we're just going to set up a very simple or rather i'm going to follow through with what i've already pre-made um for a database as it takes a while to spin up the database cluster so i'm just going to walk you through what i originally put forth um already so once you get to the aws management console you're going to click onto rds and you're going to arrive at the dashboard okay and we're going to create a database so i'm going to switch my window already as we've already went through this so as a create database my focus was on my sql it's very simple um and wanted to just create that high level execution and we're going to move over to the next screen so i've already um i guess i'll walk you through so that everybody is comfortable and understands what the execution is so i pressed mysql uh sql is a database it is a structured relational database and we put in the free tier so that we don't want any surprises although i'm hoping everyone already uh went into their management console um and set up their aws budgets for um experimental purposes and so now we're in the settings right now so what you 
want to do is make a name for your database. You want to name it; you want to make sure you associate it with what you need it to be. For the credential settings, I always like to keep it as admin, a very simple execution, and you're going to create a very simplistic password for yourself so that you can access your database as the administrator to make certain queries or make adjustments as necessary. You want to also confirm your password. It says that right now because I've already done it, so we're just going through all the checklists and stuff again so that if you want to actually execute your own database you can follow through. So, keeping it free tier, we're only using a regular db.t2.micro to just illustrate what we're doing, and along with that the storage is just a General Purpose SSD (gp2) storage type, and we're only allocating 20 gigabytes. So we can actually start off with a smaller number, originally at 20 gigs, but you can take it all the way up, I believe, to 256, or even higher than that, but based on the allocated storage we want to keep it down low so that we don't allocate more and it really jumps up higher than your AWS budget allocation can handle. We don't want any surprises there. Storage autoscaling: we can enable storage autoscaling, but we want to turn that off, because again, based on any traffic and how you scale and set up your database, you don't want to scale up and scale down and create undue budgetary concerns for yourself. And because we don't have any of those features enabled, that's why we don't have Multi-AZ deployment, which is creating that standby instance, and in the event that the main instance dies off it moves and creates a standby instance in the case of a failure. With connectivity, I already
created, or rather used, the default VPC to execute this database. If you want to create or associate a database in an environment that you already set up, you have to make sure that your NACLs, security groups, subnetting and route table are all correct; you have to make sure your environment is fully connected, fully secured and ready to make queries against that database. So, moving forward, I chose my existing default VPC and security groups. And your Availability Zone: wherever you are, make sure you associate the Availability Zone that works best for you, because if you choose something outside of your Availability Zone or further away it creates latency, and latency is time and possibly more money for you. With database authentication, you want to use that, so once you log into your database it will prompt you for your admin as well as your password credentials. And then you're going to create that database. Now remember, I already created the database; I wanted to just illustrate it for you because it takes time to spin up that cluster. So we're going to move over into my RDS management console, to the database that I've already created. So now I have my database demo (that's the name of the database that I've created), and now you can take a look at what's going on with your CPU utilization. I really enjoy the dashboard and the ability to take a look at where your database is, what the CPU utilization has been, things of that nature. Oh, this is the wrong database; this is the one that I created for my database. As you can see, it takes a while for this stuff to move and sometimes you have to refresh your page a bit. So now this is the one that I actually... here we go. Sometimes AWS is very slow and it takes a while for it to catch up, which is why I didn't want to spin one up in real time. So now again, this is my MySQL engine, my database engine that I spun up. Again, we talk about CPU utilization, what
where we are, the class, the region in which I spun it up. And what I really love about it is that it provides all the connectivity information that you need to get an understanding of what's going on, what the names of the subnets are. It creates your one-stop shop for understanding what your database is doing, and it also provides monitoring. I really enjoy this dashboard because it creates an understanding of your CPU utilization, your database connections, free storage, everything. And you notice, like when I have the freeable memory, and you think about the write IOPS, you can see how I've spun it up and you can see the throughput of what's going on here and the exercises that I've done with it prior to setting it all up. So I really like the dashboard on what's going on and how you can get things going. In any event, if you ever want to query against it, this is where you connect to your database: you have your database instance cluster, you choose that database, you choose all your associated database username and password, and enter the name of the database that you set up originally. I'm not going to go down this path; I just want to illustrate, because this is where it gets into the developer piece of querying against your database based on the strings and everything else associated with it. So that's how you set up the database, the query database for yourself, specifically for SQL. It's really instrumental to make sure that you keep your administrator (admin) password and information available for yourself so that you won't forget it, because there's nothing worse, like we discussed before, than locking yourself out of your own system. So ensure that you have your information and your database stuff available. So that's a very high-level, very
easy, quick setup for this database for you to be able to experiment with. And if you want to spend more time with a query editor and adding on certain code, again, this is not what solutions architects do, but if you want to play around with it and query it yourself to get an idea of how things work, I definitely encourage experimenting and learning all that you can on the AWS database and everything within the environment itself. So, like I said, very quick, very easy, high level: understanding what you're clicking and why you're clicking it so that you can set up the database that is perfect for you. Also, you always want to give enough gigabytes and memory to create more of a growth path so that you can grow into it if you experience more traffic for your database, but you also want to just keep it low, experiment with that information and just adjust as necessary so that you don't have extra budgetary concerns. So based on that information, that's about it. It's really quick, it's really easy to set up, and as configurers, that's what developers and administrators focus on: building it, configuring it and maintaining it. But from a solutions architect's perspective, understanding what the concept is, why it is, and when you would use it, those are the three questions you ask yourself, especially with the exam, on how you can successfully answer those questions.

So if there's anything else that's really key, it is to know the skill for your job. Yes, architects like Alonzo and I, we start with the customer. We're asking that executive: what are their business goals, what are they trying to achieve? These are the things that we want to know. Now we're going to design it. That's our skill, that's our expertise: it's design, it's presentation, it's doing the ROI modeling to show the customer the
value of the solution is greater than the cost of the tech. That's what we do. The cloud engineers build it. After the cloud engineers build it, they turn it over to SysOps people to maintain it. Heck, some of the time we can just have a DevOps engineer build it all as infrastructure as code. We design it and they build it. So the key is being really great at your job. Now remember, the AWS Certified Solutions Architect Associate exam is a cloud engineering exam. It's related to the name of the service and how to configure it. It's completely unrelated to what we do as architects, which is design; we solve business problems with technology. So please keep those things in mind, and that's why, when you get architects like me and Alonzo, we still know how to configure, because you still have to know how, but we don't do it; it's not part of our careers. By comparison, a cloud engineer that's an expert at these things may not be able to convince the CEO to spend a billion dollars on a technology solution, because that's not what they do. They would have no idea what the CEO needs to hear, what they care about. It's a completely different world. So train for the job you want; you'll be great at it.

So prior to getting into security, and we know we all love security, let's give a round of applause for Alonzo, even if it's virtual. Alonzo took time out of his busy day (he's a very busy, strongly in-demand cloud architect) to come and help for free, to provide cloud computing training to all of you. So Alonzo, as always, you're a good friend, you're a great cloud architect, and I'm thrilled to have you as my friend and thrilled to have you help me as well. So Alonzo, thank you.

You are more than welcome. I'm always happy to help you, Mike, at any time. Thank you.

Thanks so much, Alonzo. So now we're going to get back to some security things, and Alonzo's got a great security background as well. I love security. Heck, at two o'clock on a Saturday afternoon we're
discussing security sometimes, and every kind of security you can possibly imagine. People like Alonzo and I look at the physical security, we look at the application security, the human security. So thank you, Alonzo. So we're going to get into security. If you have a chance, if you thanked Alonzo, great; please do so. Please smack that like button, inform others if you're willing to participate, and let's begin with security.

Security is near and dear to my heart. I've been working with advanced security things for decades now, and we're going to talk about a lot of things inside of this security section. We're going to talk about who's responsible for what in your organization. We'll talk about need to know, or the principle of least privilege. We'll talk about industry compliance. We'll talk about identity and access management. We'll most likely talk about multi-account strategies, although that's predominantly for the Certified Solutions Architect Professional, so I may or may not cover that based on time. We'll talk about network ACLs and security groups. We'll mention the AWS firewall called WAF. We'll talk about intrusion detection and prevention. We'll talk about distributed denial of service attacks. We'll talk about service catalogs. And heck, if you want, we can do a security whiteboard session when the time is right as well.

So let's begin with who is responsible for what parts of things. When you're dealing with a cloud provider, it's different than the data center. In the data center, this is really clear: you're responsible for everything. And because in the data center you're responsible for everything, if you're really good, what you can do in the data center is amazing. So don't forget, AWS just has a bunch of data centers which have really great servers, really great routers, really great switches, really great firewalls, and they're managing their own thing and then they're reselling you their data center. So realize everything you can do in the cloud you can do in the data center, but in
the data center you're responsible for all of it. Now, they can't do serverless in the data center... well, I actually could, but let's see if they're here; we could talk about how to do that later with an OpenStack/Ansible cloud. So when you're dealing with the cloud, you share the security responsibility, and I want you to think about it this way: AWS or Azure or Google, they maintain the security of their cloud, or at least they try. I mean, they maintain the security of the cloud, but realize they get hacked too. For example, Azure had a massive hack where they got access to everybody's database information very recently. All these cloud providers can get hacked because they're just like us; they're running a data center. But know that AWS maintains the security of the cloud and you maintain the security of your Virtual Private Cloud, or your VPC. So AWS manages their infrastructure, which could potentially improve your security if they do a better job managing their infrastructure than you could of your own. So they manage the underlying tech and you manage your tech. Now remember, with security, you will always be more secure if you have equivalent security in the data center, because when you're on the cloud it's still a data center, but now you've got other people's stuff on it. And I want you to really think about security in a way: in the cloud, you do everything you do in the data center and more, because the cloud is inherently less secure; it's shared, versus the data center, which is not. And it's not just that. I want you to think in terms of an attacker mindset. I want you to think: if you were a thug, if you were a warrior, if you wanted to have an impact, which would you hack, a data center or a cloud provider? If you attack the cloud provider, you get access to every customer they have, which in certain cases could be 20 percent of the whole internet. You attack a data center, you get access to the single data center. So if you're a smart hacker, where is all your time and effort going? The high-value
target, the cloud provider. So just by that nature, being on the cloud is riskier than the data center. Now, this does not mean I don't think the cloud is great, but we need to be honest about what we're designing. The cloud is not more secure. The cloud can be equally secure, but you need to work at it. So, identical security requirements in the data center and the cloud; nothing less is acceptable. Look at it this way: you are responsible for the following things. Your users, like your IAM users and their roles. Now guess what else: patching the operating systems, maintaining the security of your apps, configuration of the AWS security options, the router that connects to the cloud (if I'm a hacker and I can physically plug into that, I can get in your cloud), so physical security of your devices. Does that physical security mean a locked door? Does that physical security mean a locked door and a camera? Does that physical security mean a locked door, camera and a guard? Does that physical security mean I need to hire an ex-Israeli commando or a Navy SEAL or a British SAS commando to guard the door with the camera? The security that you're going to add is going to be based upon what the assets are that you are protecting. I've worked with all of these situations in my career.

So AWS calls this the shared responsibility model. That's actually a relatively good way to call it; sometimes the branding of these organizations is a little funny, but the shared responsibility model makes sense. Look at it this way: basically you've got AWS, and they're managing their servers, the physical servers, their hypervisors, their physical database servers. They're managing the network, most of it, and they're managing their storage, the physical storage. They manage their data centers, Availability Zones, edge locations, Local Zones and that kind of stuff. But you are responsible for your data, your firewalls, your operating systems (locking them down), your network ACLs, security groups, IDS/IPS systems, any kind
of other things that you're using. So you are responsible for everything in your VPC; they are responsible for the underlying foundational technology.

So one of the things to remember in security, and this is an important concept, is the principle of least privilege, otherwise known as need to know. What is need to know? You give the minimum level of access necessary for somebody to do their job. Minimum level: that's what you use, the minimum level of access possible. Why minimum? If you give people more than they need, they will get access to better information. People talk; you'd be surprised at the things that occur. If you have access to systems that you don't need and someone compromises your account, guess what: they can use it to hack. Do you know where a lot of the hacks really come from? We work so hard to build this firewall and IDS and network access control lists and security groups, all keeping us perimeter security. We do all of it, and we get hacked from the inside most of the time. So do not give people access to more information. Military need to know: if you don't need to know it, you are not going to know it. When you're in leadership, when you're an executive at one of these big tech companies, when you're a senior cloud architect, I promise you, an enterprise architect, you will have access to tremendous information about the inner workings of a company, and you won't be able to share that information with anybody. So you will learn things you will only be able to speak to in your inner circle, and you'll never be able to talk about it to the rest of the world. This is challenging; I promise you, it's super challenging. So military need to know: a great way to do it. Don't give access. Give someone the least amount of access they need and then lock them down; don't let them get anything beyond that.

So let's talk about and see what this really looks like. I've got a user who's an administrator. We're going to use identity and access management, a term which I absolutely hate.
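To see what "the minimum level of access necessary" looks like as an actual IAM policy, here is an added example that is not part of the course: a small Python model of the basic IAM evaluation rules (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny) run against a constructed over-broad policy and a constructed least-privilege policy for the same job. The bucket names and the account ID are placeholders, and the model ignores conditions, resource policies and permission boundaries.

```python
"""
Added example (not from the course): a simplified model of how AWS IAM
evaluates identity-based policies, used to compare an over-broad policy
with a least-privilege one for the same job.

Assumptions: only Effect/Action/Resource are modelled; conditions,
resource-based policies and permission boundaries are left out.
Bucket names and the account ID below are constructed placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM lets Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # Actions match case-insensitively; ARNs are compared as written.
    # '*' matches any run of characters, '?' a single character.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    action_ok = any(fnmatchcase(action.lower(), a) for a in actions)
    resource_ok = any(fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Decide one request against every attached policy: 'Allow' or 'Deny'."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny


# Constructed "before": hands a sales rep far more than the job needs.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed "after": the same job scoped to reading one bucket.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-sales-reports"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-sales-reports/*"},
    ],
}

# Constructed group-level guardrail: no member may delete objects,
# whatever their other policies say, because explicit Deny wins.
NO_DELETE_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}],
}

# Constructed requests a compromised sales-rep account might make.
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::example-sales-reports/q1.csv"),
    ("s3:GetObject", "arn:aws:s3:::example-payroll/salaries.csv"),
    ("s3:DeleteObject", "arn:aws:s3:::example-sales-reports/q1.csv"),
    ("ec2:TerminateInstances",
     "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
]


def compare(requests=REQUESTS):
    """Map 'action resource' to (decision when broad, decision when least privilege)."""
    return {
        f"{action} {resource}": (
            evaluate([OVERLY_BROAD], action, resource),
            evaluate([LEAST_PRIVILEGE, NO_DELETE_GUARDRAIL], action, resource),
        )
        for action, resource in requests
    }


if __name__ == "__main__":
    for request, (broad, least) in compare().items():
        print(f"{request}\n  broad: {broad}   least privilege: {least}")
```

Only the first request survives under the least-privilege policy; everything else a stolen account could try is implicitly or explicitly denied.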
What is identity and access management? Who are you, are you who you claim to be: authentication. What are you allowed to do: authorization. Accounting: what have you done. If you don't know about IAM, IAM comes up a lot on the Certified Solutions Architect Associate and Certified Solutions Architect Professional exams. Chris from my team, could you pop a link into the chat to the "What is IAM" video as well as the "What is IAM" blog, to give as much help as we can to the cloud architect community that's sitting on this call? So here's how it works. Me, the user, I basically say I want to access this thing. My username, password, what have you, is accepted, and I get access. A regular user tries to go to the management console, he enters his username and password or what have you, and he is blocked, she is blocked, because they don't need to know, and we are safe. Bob's your uncle, we are protected. So now you know a little bit about why we're using identity and access management.

Now, one thing that you should note, and we'll talk more about identity and access management in a minute: a lot of industries are very regulated. They have data retention requirements; they must store data in an immutable vault for seven years, meaning unmodified. Huge regulatory environment in healthcare, huge regulatory environment in payment cards, huge regulatory environment in banking. Literally speaking, huge, huge, huge regulatory environments for a lot of different places. So AWS supports most of these standards, as does Google, as does Azure; otherwise they wouldn't be able to work. So know those. You can get a full list of all the standards that are supported. I'll drop it into the chat box so you can get a full list, if I can even copy this into the chat box... oh, I can't figure out how to do it, but okay, don't worry about it. Realistically speaking, it's very important for you to just remember that whether it's PCI DSS, FedRAMP for the US government, HIPAA for US privacy, ISO 9001, 27001, 27017, 27018, most of these
big cloud computing standards, AWS supports them all. So just kind of understand that.

Now we'll talk a little bit more about identity and access management. We'll work through a bunch of key concepts, because AWS has their own terminology. IAM identifies who the user is, what they're allowed to do, and then tracks it. I used to call it triple A; we all called it AAA. It made sense to everybody. Triple A was authentication (who are you), authorization (what are you allowed to do) and accounting (what did you do). In fact, when you really talk to IAM architects, they don't use the term IAM at all; they all use authentication, authorization, accounting. Now, when you're dealing with AWS, they have a funny way in which they actually classify their names for IAM. Until we get into the complexities, which are for the most part at the Certified Solutions Architect Professional level, at the AWS Certified Solutions Architect Associate level we have IAM users, which are people like you and me. That is an IAM user. Now, on AWS we have an IAM role. What is an IAM role? For the rest of the world, we call it a service account. Like if you're in the Google Professional Cloud Architect exam, or if you're working for Red Hat, we have what's called a service account. A service account is an IAM role that's used by a server to connect to another server. So for your app server to connect to your database server, you have a service account. AWS calls that an IAM role. So as a rule at the associate level (this is going to change at the Certified Solutions Architect Professional level), a user is someone like you or me, and a role is a server accessing another server, often called a service account. And you might actually see a test question that would say something like: what is the equivalent of a service account in GCP? And that is an IAM role. So, IAM role for a server to attach to another server; IAM user, a human like us. Now there are variations of that, especially when you get to the professional level: cross-account roles
and things which are different, federated identity roles. But at the Certified Solutions Architect Associate level it's not really something they talk about; that gets fairly complex. So I'm happy to do that at another time and go much deeper into IAM. If you guys want an IAM day, we'll have fun with it. I'm always happy to go out there live and interact with you guys; I love doing it.

So let's talk about what this really looks like. A user signs into the console, the management console, with their IAM account. That is authentication: are you who you say you are? They'll provide their username, their password, a token, what have you, based upon our authentication type. Then the user tries to access something, and the user is either authorized (yes, you're allowed) or no, you are blocked; smack you on the wrist, you didn't do your job. So you're either authenticated or you're not. Authenticated means yes, we know who you are; you're allowed or blocked right then and there. Bad username and password: failed authentication. Authorization: Mike, you're allowed to work on this; Mike, you are not allowed to work on this. Accounting: Chris in the back end says Mike made a million mistakes today. What mistakes did Mike make? By filling out emails, because Mike responded to 2,000 emails in one day and didn't have a chance to fully read the email, so you read part of the email. That's not true, I'm very careful and meticulous, but Chris would be the person to catch me, and he would be tracking what I did to help me, because I asked him to, to make sure I don't forget anything. So: authentication, who are you; authorization, what you can do; accounting, what did you do. So now you know the rules again.

So because we're talking about AWS and we want to get it right, let's talk about IAM users. A user is a person just like us. We get permissions to interact with AWS resources. How do we get these permissions? They are created by a principal with administrative access. So we need an administrator to do this, to create
the account. IAM users can be created on the management console quite easily, on the CLI, or via the software development kit through the API. This is also important to remember: users are permanent until you delete them. So if someone gets laid off or fired, you have to remove the user. If someone quits and moves on to a new company, you must remove that user. It is absolutely critical, critical, critical, critical for you to remove that user after you're done; otherwise they will still have access. So this should be relatively straightforward for you, at least what we've talked about so far. Right now, in this particular environment, you can see what we've done: we've got a user, they log in, and they're allowed to access anything they need to, so EC2 instances, S3 buckets, databases, that kind of thing.

So let's talk about some key IAM concepts. AWS made these terms up; they're not mine. The first term we have to talk about is a principal. A principal is an IAM entity that has the permission to access resources in the cloud. That can be the root user, an IAM user, or a specific role. So a principal is something that has permission to access resources.

Now let's talk about the root user. For those of you that are Linux users like me, Unix users like me, you're definitely familiar with the root account. The root account is the master account. When you first create an account, that is the root user. The root user can do anything: delete your entire organization by accident, set up a 10 million dollar monthly bill by accident. Protect your root user account. Do not let this out of your sight. Don't use the root user for daily use. You wouldn't log into a Red Hat server as root every single day and use it as root; you don't do it in the cloud either. There's no way to restrict root access, so on the root user use some exceptionally strong passwords, enable multi-factor authentication on your root account, and don't use this for programmatic access; use another
account. So don't set up your account for one system to access another system as the root user. Be smart. Remember that the principle of least privilege is to only give whatever is necessary to do the job. Try to remember that. How do I remember the root user? Well, it's not that hard for me, because I've been working in Linux (mostly networking, but there's a lot of Linux in networking) for decades. So I identify the root user as the king with the crown on his head, or the queen with the crown on her head. They have unlimited privileges; they can do everything. The root user is royalty, nobility, whatever term you want to use. They're like the king and queen and prince and princess; they get everything they want. So don't log in as root unless you have no choice.

Now let's go a little deeper here. Let's talk a little more about identity and access management. Since we know that IAM is used to determine who can access your systems, you could conceivably create a user and apply a policy to every user, and it would work perfectly. But I want you to think about this: how would you do that for Cisco, at 80,000 employees? How would you do it for Apple, with a few hundred thousand employees? Would you manually, for hundreds of thousands of people, literally click each individual permission they could have? While you could, it doesn't seem to scale. Imagine cooking a hundred thousand custom recipes for a hundred thousand friends. Not a great idea. Well, if you did it, you could probably open a great restaurant and make tons of money, but you know, not a great idea. So what do we do? They came up with the concept of groups. What are groups? Let's say you've got a bunch of Navy SEALs; you create a group for Navy SEALs. Let's say you've got a bunch of Force Recon Marines, or MARSOC as they're called now; you create a group for MARSOC Marines. Let's say you've got a bunch of Delta Force people from the Army. Let's say you've got a set of British SAS commandos. These groups that we're talking about have very good
access to top secret information, because they're the privileged, the few, the elite. So we might put them in a group that's called Special Operations Forces. Then we might have a group for the medical professionals that are working for the military. They don't often need top secret, unless there's a virus or a bioweapon they would each need to know about; then they would need top secret. So what you can do is have a specialty group and put all your users of a certain type into that group, and all the other users in another group, and you can just apply policies to the group. So think about it: systems administrators need the most access; sales reps don't need a lot. Come up with a policy for the systems administrators giving access to everything they need. Create something else for the sales reps that need very little. Create something else for HR that only needs access to what they need. Create something else for the finance team. Basically, do it this way: create a bunch of groups, add policies to the groups, and then when you hire a new cloud architect, put them in the cloud architect group; when you hire a new sysadmin, put them in the systems administrator group. Put people in the group, apply the policy to the group. Now you've got a company like Cisco, and maybe you have 500 different roles that people do instead of 100,000 different things. Big difference: 500 versus 100,000. Groups are a way to group users: maybe put your finance people in one group, security people in another group, sysadmins in another group, and give each group the privileges they need. Imagine two, three, four hundred thousand users and trying to configure a policy that is personalized for each one of them. To me, that sounds like an absolute nightmare. That's why they came up with the concepts of users and groups. These are not new concepts; we've been using them for 20, 30 years with Microsoft and other places. So not new, just new versions of the same thing, kind of like the song: meet the new boss, same as
the old boss. Same kind of concept. Let's make it fun, let's learn. Users are people; groups are groups of people. So how's this thing going to work? You create a group, very simple. You provide the permissions to the group, and you just add the users to the group.

Now we're going to get into some more complicated IAM things, and I've been debating about it. Do you guys want me to give you just what you need to know for the Certified Solutions Architect Professional, or do you guys want more? Do you guys really want to know the IAM piece that's going to help you get hired, help you with the Certified Solutions Architect Professional exam? If you want me to stop right here, this is what you need to know for the Certified Solutions Architect Associate; I'll stop here. If you want more, let me know right now in the window: full IAM or abbreviated Certified Solutions Architect Associate IAM. Let me know and I'll give you whatever you guys want. While you're at it, Chris will tally up the results. Smack that like button, and if you're not a member, please subscribe to the channel, and then we'll take it from there. I'm looking for some responses from you guys so we can deliver you the best experience in the entire world.

Mike, I'm not going to tally anything; there's no tallying.

Okay, even better. More and more, more and more and more. You guys are awesome. I love working with you guys. Here's why I love working with you guys: a certification junkie says, tell me what I need to pass the test. An architect says, tell me what I need to do to do the job. You want more, we'll do more. Super, super, super happy that you guys are here, day four, looking for more. JG and Jim Wentworth, 877 cash no, love that. Abigail, more and more and more. I love it. We're going to do more. You guys are awesome; we love you all. From Jesse: more, more, more. Okay, we're going to do it. Is my friend in Greece hopefully here along the way? If so, maybe we'll do it in Greek. Nope, sorry, I guess we have to do it in English, but I still think it would be
fun. Okay, so let's do a little bit more. Let's talk about roles and tokens. When we're talking about roles, as I mentioned, we're talking in general at the Certified Solutions Architect Associate level of systems. So now we're raising our level; we're becoming more cloud architect work, we're going higher up. So while we're doing more, let's do more. We talked about the service roles: that is an IAM role that is associated with one user connecting to, or a server connecting to, another one. But there are two kinds of roles: there's something called the cross-account role and there's something called identity federation, so we'll probably get there too. IAM roles enhance security by basically making sure that you have the ability to connect to external partners and to deal with external identity providers. So what's going on is AWS uses an API, and when you're using this API, what's going on is as follows. Normally speaking, you enter a username and password. But what's going on here with these roles is basically they have some kind of credential, they hit the API, they are then given a temporary token, and the temporary token is sent to the receiving end. And what happens is these tokens are constantly being rotated, and because the tokens are being rotated, they're constantly new. There are no passwords; you've got a token that's good for the next hour and then a new token for the next hour. So even if a hacker were able to get access to your token, they only have access for a very short period of time. So what we do here is as follows: we generate a token and we rotate the token. So when you're dealing with these IAM roles, and there are a lot of them, which we're going to talk about, it's based upon tokens. So one-time passwords, tokens, token vending machines; there's a lot of it. The point is, if your password is your cat's first name (and I would never do that; my cat's name is Cindy and I have no passwords named Cindy), but if someone
guessed the password Cindy, to my sweet, beautiful, loving, adorable cat (and Chris, of course you can put a picture of my cat if you want on the window; Mike loves his cat). Cindy's like the queen of the household, although yesterday we had to climb a large ladder. She got herself 50 feet in a tree, or 30 feet, whatever it was, it was high, and we had to try and get the kitten out, because how she climbed that tree I have no idea. But she gave me a heart attack... but that's neither here nor there. So roles enhance security by using temporary passwords, as I mentioned. Yeah, that's my cat Cindy when it was raining outside, she was not very happy. Um, so when we're dealing with roles, they're used by systems. So let's talk about the AWS (isn't she cute, everybody) Security Token Service. It generates tokens and the tokens expire. Well, she really is a beautiful cat. And the tokens expire, um, every 60 minutes. Now you can set the token expiration to 15 minutes for a super high security environment, and you can set the token expiration for 36 hours if you wanted it to stay there, so just keep track of those kind of things. Yeah, Cindy's really growing up, she's like tripled in size, and thank you all for your kind words about my beautiful, beautiful best friend Cindy the cat. Um, I bought a cat for my wife, I wasn't even a cat person; I bought a cat to surprise my wife. She came home, jumped in my lap, I knew she was coming home with me. She hasn't left my lap, and she's slept in between my feet or knees, literally speaking, since I bought her. I thought I was rescuing her; she's made me so much happier. I think that rescue cat rescued me. So anyway, slightly off topic, but we might as well have fun here, I love my cat. So let's talk about these IAM roles. They're typically used for granting permission, so an EC2 instance to connect to something else, but not always. If you connect to another VPC you have something called an IAM role. Yesterday she was in my lap all day; today she's actually outside doing things
like finding little things, hopefully she comes back really soon. So it's an IAM role, but if you do VPC peering and you want to access content in somebody else's VPC, that is also called a cross-account role. So a cross-account role is a role that gets you into somebody else's account. Now when a user traditionally accesses a system they're called a user, but when the user applies to or accesses information in somebody else's data center, or other VPC or cloud, that's called the cross-account role, and we're going to talk a little bit more about those cross-account roles. How does all this stuff work? There's the AWS Security Token Service. What happens is it generates these, uh, tokens that expire, as I previously mentioned, and these are temporary, temporary credentials generated every time you request them, which I absolutely like. So let's talk about the cross-account role. They enable you to access another account, so it's often set up for one user to access things in another account, but it can also be set up to access, realistically speaking... So if I'm the Go Cloud Careers VPC and Alonzo has the Alonzo the Cloud Architect VPC, and I want to connect my VPC to Alonzo's, we're going to do some VPC peering or PrivateLink like we talked about yesterday. Now when Alonzo, who I know, respect, is a good friend, and I trust, wants to access my stuff, he's using a cross-account role. When I want to access things in Alonzo's environment, I'm going to use a cross-account role. So these are set up where you can access accounts that you don't own. Now let's talk about some best practices, because this is dangerous. It's not dangerous for Alonzo to interact with my VPC because I know him, but when you're connecting with other organizations it's dangerous. You're now having a user that has authorized access to your systems. This is scary stuff, everyone. It's kind of like giving somebody keys to the house, your own house. If you've got a lot of cross-account roles, these are other people with keys to
your house. Do you give them just keys to the house? Do you give them keys to your safe plus the house? Do you give them keys to your bedroom plus the house? This is up to you; that is what that authorization is. These are the things on the cross-account roles. So cross-account roles connect you to other entities. So when you connect to another entity, a partner organization, think about the business opportunities, many and multiple. The partner company may need to access yours, and if you give a partner access to things, what do you think you give them access to? What they need to know. Goes back to need-to-know, principle of least privilege. If Alonzo only needs to access Mike's cloud network and network security designs for the last three decades, I'm only going to give him access to that, but if Alonzo needs more, I'll give him access to everything he needs. Same concept, principle of least privilege: give people access to the minimum necessary. So while we're talking about cross-account roles, and admittedly this is dry stuff, so thanks for being willing to pop up with "more", I just wanted to give you more. So the cross-account roles are there, so you set it up as one user, and when you're setting it up, here are the things you need to know: you set it up to allow access to the accounts you don't own, so you're connecting an external account to you. So what do you need? Well, you need to know the account that's connecting to you for one thing, so that's called your external ID. An external ID is going to be a secret identifier known by you and the third party. In this case Alonzo and I are sharing experiences and sharing lessons, and our VPCs are connected, and we each have cross-account roles to each other's environments, and we've set up the appropriate permissions. So let's look at it this way. So basically speaking, in this environment you've got three companies that you're providing access to, so the cross-account role is just using IAM to determine what Company A, Company B,
and Company C can actually access inside of my VPC. That's it, that's all it really is, but they just make up such complex terms. How do these roles work? You create a role for the user, so a role is created for the external user. So Alonzo requests access to Mike's network designs. As soon as he connects, what's going to happen is he's going to get a temporary token from the AWS token service, the STS, AWS Security Token Service. He gets a temporary token, then Alonzo provides the temporary token, my systems evaluate Alonzo's temporary token and say ding ding ding ding ding, winner winner winner, Alonzo, welcome, you are allowed in. So that's how these cross-account roles work. Now remember, a role is taken, typically speaking... we've got service roles for EC2 instances that are typically used for, say, a server to maybe access an SQS queue, an EC2 instance to an S3 bucket, and a relational... an EC2 instance to a database. These are service roles. These are things like service accounts on Google or service accounts in Linux; that's all these roles are. This computer wants to access this service, it's given a role. So that's kind of all these things that are going on. So now let's talk about identity federations. This is pretty important, so let's look as follows. Do you really think that you're going to go to the AWS Management Console and create users and groups for a 200,000-person company? No. So when we start talking about a lot of these IAM features and functions, I think it's pretty important to actually understand: what you're actually gonna do with the AWS IAM service is going to be really limited, and the reason it's going to be really limited is you're not going to go to some management console every single day and add users and groups. It just doesn't scale. So organizations have IAM applications, and this is where we're going to get involved in identity federation. So we talked about the IAM users and roles, great for passing the AWS Certified Solutions Architect 2022 exam for example, but
in real life you're probably going to be doing some federations or some integrations between scalable identity components. So let's look at it this way. Let's start with a federation. A federation is basically you take the AWS identity environment and you connect it to something that does identity, and then the AWS environment inherits, by communication, relatively speaking, it inherits all the identities from the identity store. So let's say Active Directory. Everybody uses Active Directory to authenticate users, to authorize users, and to figure out what they have done. Active Directory is a little weak on the accounting side, so there's other tools that people use in the industry, but everybody, everybody, everybody uses Microsoft Active Directory for their IAM. So what will happen in an identity federation: you will take your AWS environment and you will connect it to Microsoft's Active Directory, and it would pull all the IAM information, and basically you can sign into the Active Directory and then it will give you access to the rest of your AWS services. That's called single sign-on. So the way this identity federation is going to work is basically you're going to have an identity, which is a user; you're going to have an identity store, which is where your users' identities are stored, think Microsoft Active Directory, or connecting to Facebook or connecting to Amazon or connecting to Apple as an identity provider; and then you're going to have an identity broker, which is going to be an application that checks the identity store and provides temporary access to AWS. So think about it this way. Identity is a user: Alonzo has an identity. Alonzo and a few friends are setting up a Microsoft AD server for me because I don't have time to do it myself. They're going to do it because our cloud architect career development program has grown so much, we have so many users coming in and they're all super successful. So the point is, when they come in, he's going to put it into a Microsoft
Active Directory server which is automatically going to provision my users' VPNs into the data center, give them accounts on our VMware servers, so my students can build a cloud with less intervention. I've done it basically the AWS way the whole time: I've put it into Cisco and I put it into other components of our data center, but it's not scaling, so I need to have Active Directory. So I reached out to my good buddy Alonzo Coleman, a fantastic cloud architect who's done lots of Active Directory work in his career, and he's building me an Active Directory server. So I'm a user, the identity store is the Active Directory server, and the identity broker is going to be that in-between intermediary. So when a user logs in, um, they get sent to Active Directory, and then this identity broker comes back and it tells AWS yes, Alonzo's welcome into Mike's data center, he's doing a project, he's building Mike an Active Directory server. So now you guys should understand. So how does this work? Now I'm going to give you the ugly, ugly technical nitty-gritty, so bear with me. These are going to be AWS terms, and more closely related to AWS words than mine. So the first thing that's going to happen is the user is going to log into the identity broker using their corporate credentials. Then the identity provider will authenticate against the LDAP-based identity store, think Active Directory. So then the identity provider will generate what's called the SAML assertion, which is Security Assertion Markup Language, just the language used to connect to identity providers, and it will submit that information to the identity broker. The identity broker is going to call the AssumeRoleWithSAML AWS STS token service to get a token, and it will pass that SAML assertion to the role Amazon Resource Name and it will assume it. If the API response is successful, it'll give an AWS temporary security credential to the people with the associated permissions, and then with the temporary
credentials the client application can perform the operations on AWS. Like I said, this is more AWS terminology. I like to communicate plainly, but this is their terminology. If you're on that Certified Solutions Architect Professional, you must understand it in their words, so we've given it to you in words that are closer to theirs, less industry terms, more AWS terms, because this is an important concept on an AWS test. Here's the thing, remember it this way: you've got a system, you're using, uh, SAML 2.0, it's basically a language to connect to external providers. You connect that to Active Directory, user logs in, it hits the database, they get a token, they log in. It's not that complicated, but you're basically integrating Active Directory or Facebook or Twitter or LinkedIn or any identity provider and pulling their information and using it to authenticate your users in your environment. So let's really think about this one more time. We're using one of two connection languages; we basically have two ways to connect to identity providers. It's SAML 2.0, or Security Assertion Markup Language, or something called OpenID Connect, OIDC. I want you to really think about this. In your life and experience, have you ever logged into a service and it says log in with Google, log in with Facebook, log in with Apple, log in with this, or create a username and password? This is what's going on, this is exactly, exactly what's going on, so no different. Now let's briefly address single sign-on. Single sign-on is as follows: it's an authentication method that enables your users to securely authenticate with multiple applications or websites with just a single set of credentials. So instead of logging on ten times, log on once and just, uh, pass through. And AWS has a Single Sign-On service that enables a user to sign into one place and access resources in a whole bunch of other AWS services in your account. Single sign-on is usually used in a federated environment: connect Azure Active
Directory, Microsoft Active Directory, Salesforce.com, some kind of a database that's going to have this. Single sign-on is going to enable your user to authenticate once to the identity provider and then not sign in again, so it's a real convenience factor, really improves user experience. When the user signs on, they get authenticated against the identity provider, their groups are determined, and their privileges are assigned. So single sign-on is really nice and elegant. Here's what happens, basically: you take your Active Directory server, you federate that with the AWS Single Sign-On service, and then you sign in once and you can access anything you need. Okay, well, so let's do a little bit more, uh, on Cognito, and then I think we probably need to get back to some more of the content that's associated with this curriculum, but I really want to give you more. So AWS has this concept of Cognito. So there's this concept of AWS federations, and there's a service called Cognito, and Cognito is a service that's going to provide authentication, authorization, and user management for web and mobile apps. It's going to provide an ability to connect to identity providers; it's going to enable organizations to synchronize identity management and data management across mobile devices. Cognito users are going to be able to sign in directly with a username and password or with a third-party identity provider like Facebook or Google. The way it works, it goes back to the same concepts: we've got a user or app that authenticates against Cognito and gets a token. So let me show you a little bit more about this, and I am not Mr. IAM, but I've been working with a lot of IAM over the last two and a half decades, but you know, I'm not Mr. IAM. I've spent most of my life in enterprise architecture, cloud architecture, and network architecture, or leadership skills, but you know, still important to know. Here's what happens: the user authenticates and gets a token, they then trade that token for credentials, and then
they use that token, or the credentials, to access their AWS services. Okay, bear with me, I'm looking at some more of this IAM, trying to figure out exactly how much we have, um, to cover. So we'll go a little more and we'll talk a little bit about identity federations. We talked about Cognito, and it uses the concept of user pools and identity pools. See, here's what we actually do: the secure directory with Cognito, and that's going to enable you to manage your users in one place, and a user is going to authenticate to Cognito and get a temporary set of tokens. And what kind of tokens do you think they're going to get? They're going to be a JSON Web Token. Why JSON Web Token? This JSON, JavaScript Object Notation, is used all over for all these IAM things. So we'll do a little more in this concept. We'll talk about Cognito identity pools, and that's going to provide the temporary AWS credentials. Identity pools will work with authenticated but also unauthenticated identities, and Cognito can work with guests, both authenticated and unauthenticated, provided they have a function. Now you know a little bit about Cognito, and I'll tell you, I'm going to give you now the deep AWS message. A user will log into their identity provider, this is how it works. Step two, after authentication, the identity provider will return a session key for the user. Three, using the session key, the application will issue a call to the Amazon Cognito GetId API and get an identifier for the user. Then Cognito will validate the session key from the login provider, and if the session key that it receives is valid, from the GetId API what will ultimately happen is a unique identifier will be returned for the user. Then a user will send their unique key to Cognito, and Cognito will validate the session key against the identity provider, and if the key is valid, um, Cognito will give the secure token. They use the AWS Security Token Service to generate a token, and the token will be
provided so users can access the AWS resources. Let's talk about, will we, okay, let's talk about authentic, uh, let's talk about authentication. We're gonna have three basic options in the cloud, and I want you to know these three. Here's the basic one: username and password. So a user logs into the console and AWS verifies the identity that's been given, and it provides an authorization based upon the IAM user's privilege level. After this, that's a username and password. A user can use an access key to log in, which is much better. An access key is a 20-character key ID as well as a 40-character secret; the access key is used to connect to AWS via the API. This is typically used with the software development kit. Now if you want to get even more secure with regards to logging in, what you're talking about is an access key and a session token. So you've got the 20-character key ID and the 40-character secret and a token, so now rotating things, varying keys, huge length, now you're talking about some authentication access, and we're talking about, realistically speaking, a whole lot. So remember this: authentication, who are you; authorization, what are you allowed to do; and then accounting, what have you done. Now let's just talk about the last part in this section: how do you create your IAM policies? Well, if you're an architect you're not gonna be doing it anyway, because it's gonna be done by a cloud engineer, but how should the cloud engineer that's going to be configuring them be creating these IAM policies? Well, there's two kinds of ways you can do it. You can use a customer managed policy or an AWS managed policy. So what's going on is you're creating an IAM policy, and it's going to be in JSON notation, and you can provide access to specific resources based upon the Amazon Resource Name, or ARN, or you can use the wildcards. For those of you that are familiar with regular expressions, they've got wildcards like the asterisk, which means allow everything. So you're going to create a policy,
this policy is basically going to be either an AWS managed policy or a customer managed policy. Now let's talk about the advantages and disadvantages of each. When you're dealing with an AWS managed policy, it's going to be a standalone policy by AWS. AWS made these policies, AWS knows their systems, and AWS has made them in a simple manner for you. They've got policies for pretty much everything, and they're well-architected security policies, and they're well designed, and in most cases you can select something right from here and it's going to meet your need, optimized for common use cases, and it can be based upon job role, level of access. AWS does a really great job here. There are two major predefined profiles. One is administrator access: hey, you can do anything, kind of like the king or queen, prince or princess, or my cat Cindy, she has access to everything. Off topic, but she gets cooked shrimp once a day and fresh tuna once a day and scallops once a day; she's got a rough life, let me tell you. Um, but the point is, administrator access is like my cat, like the queen, like the king, can do anything. Now power user access is basically you can do everything else except identity and access management and something called AWS Organizations. We won't cover AWS Organizations here because that is not addressed in the Certified Solutions Architect Associate, and that stuff gets pretty ugly to talk about, but if you want we can make a YouTube video on Organizations someday soon and really explain that concept for you. So administrators can do anything, like Cindy the cat, because she's the princess, and, uh, everybody else is a power... the power users can do everything other than IAM. Now of course you can make your own policy. So if you're an expert in, uh, in writing, uh, what do you call it, um, identity and access management policies, you can write your own. So that's a policy, definitely an opportunity for you should you desire that, or you can take a policy from AWS and use it. I recommend using an AWS
policy. If you can't use an AWS policy, make a custom policy by doing the following: take a pre-made AWS policy, adjust it for your needs, but stick with the AWS one. So that is my recommendation. So here's what we're going to do, and what we're going to do and how we're going to do it: you can go to the console, and in the navigation pane choose Policies, and just use them. That's the way I would be using it for the majority of things. The alternative is a customer managed policy. You make it yourself, which means you have to know how to make the policy. I recommend copying an AWS managed policy and editing it. You can also use the policy generator; I'll show you what that looks like in a minute. It's kind of a questionnaire, and you fill out the questionnaire and a policy is written in JavaScript Object Notation for you, and you can just use that policy. Or if you're a great JSON programmer, you can just create one from scratch, but realize this: if you mess up on this policy that you're making from scratch, you've got a security nightmare, so I strongly don't recommend doing that unless you are an expert programmer. Here is the policy generator. It's basically a page you go to; on this page it asks you some questions, for example, and you fill in the questions and it spits one out. For those of you that have not seen an IAM policy, it looks like this. It's going to have a version statement, it's going to have an effect of allow or deny, and it's going to be associated with a certain thing, like the ability to attach or detach a drive to an EC2 instance. It's going to specify the resource location, and the condition specifies optional elements. I am not a JSON programmer, I am an architect, but you still need to know the basics of what's in these things; even if you're not that, you need to know what's in these things. So let's talk about applying that policy. You create the policy, you create users. For a user, remember we have a scalability problem, so we create a managed policy which you can apply to groups, like
create a policy for finance or a policy for developers, or finance production, or a policy for testing, or we can basically just add users to groups and it could be a basic simple policy. These are the kind of basic simple policies that we're referring to. This is, uh, you've got a group of administrators, they need lots of access; you've got a group of developers, they need moderate access; you've got a group of testers, they need access to a lot. So you have different policies for different sets of people. Last thing I want to talk about in the IAM section is multi-factor authentication. Multi-factor authentication is really, really important because it can substantially, substantially increase your security. Look at it this way. I don't use Cindy in any password, but if everybody knows I love Cindy, they would say Mike might use Cindy as a password. So you can take what's called a dictionary attack or a brute force attack and try a whole bunch of random passwords. And no, I don't use Cindy in anything, but people would try using Cindy, they would try Cindy1234, and they would try variations of Cindy, and they would realize it wouldn't work because I don't use Cindy as a password, because it's too guessable, because I was a security architect for a while. But if I used Cindy as a password, which would be dumb, but let's pretend I use Cindy as a password and you guess Cindy's password, you have access to this system. Let's say you guessed Cindy's password and you tried to delete my VPC. Now, I don't use just passwords; I recommend multi-factor authentication. Multi-factor authentication typically involves something you have or something you know, kind of like an ATM card: you've got a card but you need a PIN number. That's something you have, something you know. Multi-factor authentication could be something you have, something you know, and something you are. It could combine a password with an iris scan or a fingerprint scan or a face scan. Multi-factor authentication, it can work with an RSA SecurID that
changes constantly. It can work with a Google authentication device. If you've not had any experience with Google Authenticator, I recommend you get some experience. Go download that, go find the seed key, it's completely free. Watch how it generates new passwords every few seconds. If you've never done it, it's completely free, Google Authenticator; practice it, play with it if you're not used to it. The way multi-factor authentication works is as follows. In multi-factor authentication you've got a user that's going to basically sign in. This user signs into their account, maybe they provide a username and password; maybe the user is then sent a challenge looking for a one-time password, and then the user provides the one-time password and is granted access. Huge, huge, huge improvement over just username and password. Look at it this way: somebody guesses your password, it sends a message to your phone. Lots of types of multi-factor authentication, and realistically it's that. So let's do this. It's three o'clock, but I know people have questions, so let's answer the questions. Um, but before we answer the questions, if you've been having fun, if you can type "cloud hired" in the group while Chris is pulling up questions. If you have not hit the like button, subscribe to the channel, please do so, hit the bell and inform others so we can expand our mission of training. As all of you know, our mission at Go Cloud Architects is to get you cloud hired. We are not in the certification business at all; we're completely doing the certification training because we've gathered and looked at everybody else's certification training and we couldn't find anything that could help you get cloud hired. We know that our really good certification training, a real boot camp where you can ask questions, gets expensive and is out of the budget of many people, so we're here for you. So that's why we're doing this. So now, while people are typing cloud hired, they're hitting the like button, which makes us happy. Chris, if you can bring up the
first question, I'd love to answer it. Is a cross-account role doing federation SSO? Well, it could be, and if you connect to a federation it is kind of a cross-account role. The answer is yes, but you can do a cross-account role like, basically, let's say Alonzo and I want to take our environments and connect them to each other. Alonzo wants me to give permissions, he wants to give me permissions to look at his network designs, and I want Alonzo to look at the IAM components of my designs, so we can access each other's systems and share information. So in a way yes, but in a way no. So Doreen, I hope I answered your question there. Kenny Zang: do I practice regular password changes for service accounts? Well, regular password changes are a must, but a lot of the service accounts use that Security Token Service, so they're automatically using one-time passwords that rotate constantly, Kenny, so it doesn't become as much of a problem, because the cross-account role, I mean the service accounts, are using the token service. Lenny: is this federated similar to an OAuth2fnr8? In a lot of ways the answer is yes. Will we make a Certified Developer's course? Probably not. We are definitely, under no circumstances, in the certification business at all. Certification will help you get an interview, but certification does not get someone hired. We are not in the certification business, we are in the career development business, building careers, and developers' courses is not something that we're trying to do. We do courses to help people get hired; getting them hired is very different than getting them certified. I am not a developer, I am an architect, and unlike the certification providers, we do not make courses for which we don't have decades of experience. You won't see me take a developer's course, get a certification, and teach it tomorrow, because it would not be fair to you. I am not a developer, and because I am not a developer it would not be appropriate to make a development course just because I could
easily pass an exam. So we're not there. We also typically don't focus on development careers for the following reasons. We look really hard for the careers that give our students the best possible career opportunities. How do we determine what gives our students the best possible career opportunities? We do the following. One, we speak constantly to recruiters and hiring managers, and when I say constantly, I mean every day. We're obsessed with speaking to hiring managers and recruiters so we know exactly what we want. When we look at industry trends, we look at the supply and demand curves. When we look at salaries of IT professionals, we find certain careers that are really blossoming. We're talking about cloud architects, we're talking about cloud engineers, we're talking about DevOps engineers, we're talking about cloud network architects, we're talking about network architects and security professionals, as well as data science. They are in our top ten. We try to stay out of development careers. We don't like to do development careers for the following reason: many people in college are taught how to code, so there's a vast abundance and surplus of people that can do coding. When you have a large supply you have low pricing, which means the developer salaries are substantially lower than these other careers. We love developers, developers are needed, but we focus on these top 10 careers. We focus on the careers with the highest salary, we focus on the careers with the highest promotability. So when we're talking about this, we're really looking at how do we give you an advantage to earn double or triple your competition in technology, and because of that we look at the supply and demand curve, we look where the industry's going, we look where the hiring managers tell us, we ask the executives in these companies what do you need most, and they always say cloud architects, network architects, security architects, cloud security architects, DevOps engineers, and people that know how to do things
with data. So these are the careers that we recommend; we work on building the people the best and most elite careers in the business. So we typically stay out of that, but again, I'm not a software developer, and unless I can hire a software developer with 20-plus years' experience, we don't do it. When we make a course, like for example, I'm not a DevOps engineer, but I think DevOps is so great, we're making a course. What Sandeep does: we'll do what I do great, teach people how to interview, teach people how to get hired, teach people how to do what the hiring manager wants, get them promotable, get them there, all the things that we do, how to negotiate higher salaries, and we'll have Sandeep do what he does: how to become a DevOps engineer. It is not fair to you to produce a course for which we don't have at least 20 to 50 years of experience in the course we develop. The cloud networking career, for example, has three CCIEs with a combination of 50 years' experience, 20-plus years working at Cisco and almost a decade working at Juniper Networks, and every other thing. So that's our approach: we only teach what we know we can be the best in the world at. So next question: what's my advice on taking remote jobs? Remote jobs are awesome, Ben. I've been working remote since 2000; I haven't commuted to one. Two? Two? Oh, well, it depends if you're able to juggle it. Two remote jobs, two girlfriends, two wives, two boyfriends, I don't know, kind of sounds kind of complicated to me, but you know, I worked two full-time jobs while I went to the university. It can be done. If they're two part-time jobs, fantastic, but you know, it reminds me of this TV show Three's Company. There was, uh, this guy, one of the characters was Jack Tripper, he'd always be accidentally scheduling two dates on the same day because he was forgetful. They'd both be in the same restaurant and he was running in and out of the bathrooms and changing his shirt not to be seen. That's what it's like having two jobs. I did have two
jobs at one point when i was transitioning companies and let me tell you it was really a nightmare so if you need to do it do it after two part-time jobs great but imagine what it would be like having two wives or two boyfriends and two girlfriends let's remember the principle of least privilege let's let's just do what we need to do and keep it simple doreen's got a great question do i recommend the aws security certification no here's why these are the certifications i recommend from aws the certified solution architects associate and the certified solution architect professional for people that desire architecture or engineering for people that want to do devops i love the certified are the devops professional the aws advanced networking course i want to let you know what it is it's an intro to an intro to an intro to junior level networking the aws advanced security is an intro to an intro to an intro to an intro to an intro to junior level security you want to be a cloud security architect you get a cissp and you marry that with a certified solution architect professional you get a ceh master you marry that with the certified solution architecture professional you get a big industrial certification that like this that shows that you really know it you marry that with a great cloud certification and you've got it here's the reason i strongly don't recommend against these cloud certifications the aws certification providers are really good at getting you certified and knowing absolutely zero about your career i've interviewed a thousand aws certified people before i decided to launch this program they all knew the name of the service how to configure it but not a single one of them in network design so i don't recommend these aws certifications other than the certified solution architect associate and professional and the devops pro not for architects but for devops professionals because these courses are so good at teaching you how to pass the
exam and know nothing hiring managers like me look at them and say uh i want that cissp and i want that ceh and i want that ceh and i want the certified solution architecture professional get the big ones don't get a bunch of associate certifications get the biggest ones in your field and you will always have advice do the thought thank you so much shalendra what is the scope and cloud penetration testing for the cloud security penetration testers they have the identical job to penetration testing they do traditionally nothing changes the cloud changes nothing a developer off the cloud is developer in the cloud a network architect off the cloud is a network architect on the cloud we do the same things in every way shape or form the cloud's just the data centers and virtualize so cloud penetration testing is the same but you may find out it's a lot easier to hack the cloud than it is the data center so you have to that what you'll find out is because the cloud is so easily hackable you're going to be using a lot more marketplace solutions next question chris unless there's none i can't hear the other folks i'm not sure if they are yeah you uh you ran you you ran them off with that or you soaked them up with that hour worth of security so well i love security and i've been working in it forever if you're not secure you're hacked if you're hacked you're down if you're down you're out so security is the key people have contracted me for 20 plus years to build the five nines available network and you know what if you need to be 99.999 available which means five minutes and 15 seconds or less of downtime per year you've got to be pretty good and secure so security matters so what are we going to be covering tomorrow what are we going to be covering tomorrow that is an absolutely fantastic and fun question we will cover firewalls and after firewalls we'll talk about ddos then we'll talk uh about some of these aws security services the kind that cover in the
penetration like guard duty and shield and inspector um it's we're gonna start getting into the aws applications and services of which we've got a lot to cover like a lot a lot and a lot somewhere but we're gonna do out there and we're gonna do everything we can we will try to finish tomorrow as you can tell we ran this as a real class we let you guys ask questions when you guys desired more guess what um we'll give you more like i said next month we're going to do a free cisco certified network associate bootcamp at least that's in the plans provided we have the time networking is absolutely critical for the cloud architect you and mag what are you mag always at the nicest things to say thank you michael chris alonzo and jesse has been such a positive week uh thank you meg um evo god i gotta tell you the messages you provide are always the sweetest things um doreen uh we're more than happy to actually help can here's a great question from dope rated visuals every one of the previous days sessions is here um and you can access the first four days to earth the first three days today is the fourth day we're gonna go running on i will bring cindy on live actually yesterday cindy was actually sitting on my lap the entire time she was sitting here i was like how's my beautiful cat how's my beautiful cat you know she is just the sweetest and most loving thing so i will definitely bring her on daniel one of these days we're 99.9 if you're five nines happy evo i love it i also love the european comma um um and instead of the period i'm used to using it myself tomorrow will start exactly at noon eastern time which is 5 pm uk time we would ne killian we will never forget uh cameroonian folks we have over 50 wonderful cameroonian students we've got over 80 wonderful nigerian students i can't tell you how many wonderful students we have in india the us canada central and south america um you name it um um we're in each and every one of these places and we love do it we will 
never forget about you so you didn't even have to bring it up but since you brought it up we'll never forget about our cameroonian friends ever have everyone put uh where they're where they're enjoying the uh the boot camp at like we did yesterday where's everyone from yeah please if you could let us know because you know we love to know where you're from um i know we cover a lot of the world and we do a lot of this free training to help those in developing nations um we will finish quasi we will finish either on tomorrow or on sunday based upon how long it actually takes us to get through okay judith i see is uh um from the cameroon dara lassie dares of common nigerian name so i'm sure you're in nigeria oh nigerian and scotland um leo is one of my students he's great in brazil eva as i call her that is bulgarian but i know she's living there um sm-7 from kenya fantastic living in raleigh i think you just speak my student delroy is over in new york i know that sanchez singh uh is in india dan's in chicago diaz is in mexico abigail mark's axel north carolina friend that moved there um uruguay i love that nigeria i love that cameroonian using administrator if i could i would get a plane ticket and go to every particular city in country would love to do so i would love to too we have another from nigeria genie's in the us but she's from ethiopia and was kind enough to send me ethiopian spices which i have yet to cook properly i keep trying to make kiftu and derwat it's not coming out the way i want it to so any guidance would be there but my indians my ethiopian spice lentils have come out great um kenya living in d.c um sharkey ferns in u.s mw mario kenya ben you nigeria living in my in maryland this is incredible um um chameleon fantastic doreen's coming from virginia yes m7 yes i thought i recognized your name and i'm pretty sure we spoke um yesterday leighton db1 thanks you all god love you guys it's fantastic thanks so much hey i have a great question from you 
absolutely actual questions if you'd like to take them yeah let's take the questions let's do anything you're watching are you watching stream yard or are you watching youtube i've been watching youtube but i'm going to watch stream yards so i can actually see it and not squint and look like this to the to the phone right and it's also it delays you when you're watching the youtube so when i put them up you don't see them uh so give me just a second there you go can you explain the journey from entry to cloud architect as you're an ex-boot camp student okay so here's the thing there's like the normal world and there's like the way i've done things my whole life i don't do things the way normal people do many people were told me in the beginning you got to do help desk for a year or two and then when you're done help desk got to take this junior network thing or work and sit work in computers and then work in this junior network role i don't do any of that um what i do is i work really really hard this is what i do for my students really really hard to be so good that um the hiring managers can't hire them there are no rules i'm going to say this again there are no rules my first job was a senior network engineer first job and my next job was a lead network architect within six months of the time that i decided i was going to study cisco networking i was then a lead architect on wall street six months later so that was me now i gotta also tell you this i have trained countless countless people over the years over the last 20 years none of my people ever started out with entry-level jobs not a single one not one so here's the secret to getting these jobs when you're new and if you want to watch today's video i had christina marinara mariano christine is one of the best and most successful recruiters i know in the entire world she maintains a team of 20 recruiters in new york she has a staffing thing where they could hire all you guys as cloud architects and she could 
bill you out to other people or she could place you in everything from aws to azure to the world's largest banks she gets people placed that don't have experience too so the key really is when you're dealing with this you need to be really technically competent really technically competent you need to be the most likable person in the room you need extreme levels of emotional intelligence extreme communication skills empathy enthusiasm and all of it so all of it you need to be able to do roi modeling you need to be able to do sales these are architect skills so i've had people that worked in sales that went straight to aws i had a student that was born in lagos that came to america that was in my program for three weeks that got hired by aws what all these students have in common that skip entry level actually i had another nigerian um and in the uk that did it i also had a sales rep in the uk that did it a jamaican buddy in the uk that just did it under our training every one of them showed up for class one of them worked really hard they all built their own clouds they all set up server virtualization they all work with containers they all focus on executive presence communication skills they focus on all of it they don't focus on anything unrelated so they're not studying sysops they're not studying devops they're not studying coding they're literally laser focused they're like this is this related no trash is this related no trash is this related no trash okay the day has 24 hours i'm gonna work hard four hours a day seven days a week on this that's how i did it that's all people like alonzo become great cloud architects it's how people like chris become great at what they do we work really really really hard on these things so chris you want to grab the next question still big companies have fear to migrate their data what's the reason behind this well generally speaking it's not that organizations have any fear of taking their data to the cloud organizations 
have what they know it's actually working and you really need to think about the cloud holistically the cloud isn't necessarily better it could be but it's not necessarily better if you have extreme performance needs of low latency and high speed you can't do it as well in the cloud as you can the data center and you need to be aware that as a cloud architect and you've got to not try to migrate those clients the next thing is what kind of a migration are you talking about under the cloud are you talking about refactoring in org companies or applications and going all servers and cloud native i got to tell you 99 of the country companies in this country will say no way to that why will they say no way for the following reasons we've all had interactions with the cable company we've all had interactions with the phone company they give you discount rates for the first year and when you have no when you're there they jack up your prices if you go serverless on the cloud and the and the cloud provider raises your rates you have no choice it could cost you a lot of money so solyndra it could cost you 50 million or 100 million dollars literally speaking to rebuild your applications to move them to the cloud and should it not work on the cloud it could cost you millions or hundreds of million dollars to come off of the cloud so what most organizations are doing is they're taking a step approach they're doing what's called lift and shift they're taking their virtual machine from the network in the data center and they're migrating to cloud which is just a virtual machine network in the data center if that works and they're comfortable then they're gradually having more things i will tell you this i have not consulted with a company in the last five years that didn't have plans to go to the cloud not a single one all of them all of them all of them focus on it but it's up to you remember i said this the cloud architect is not such a technical person have technical half 
leadership you need to be able to interact with that ceo ask those business goals legal goals regulatory environments all of it you've got to be able to do then you've got to be able to solve business problems with technology then you must convince the customer they need this so if you don't train cells and you don't brain presentation skills and you don't train executive presence and you don't train emotional intelligence and cxo relevancy here's the thing you can't be a cloud architect so you're a cloud engineer and a cloud engineer is a really great really smart person but if you're meaning interacting with clients on the cloud and they don't want to go change your tactic or realize it's not right for that client so here's the key if i meet with 10 clients i'm going to tell three of them not to go to the cloud because it's not in their best interest i'm going to tell one of them they have no choice but to go to the cloud i'm going to have three or four of them that i'm going to do a hybrid cloud and one or two of them are going to do a multi-cloud solution vendor lock-in is a nightmare and everybody's afraid of it and they should be some organizations are also afraid one of the companies went cloud native put all their things in a cloud provider the cloud provider said we don't agree with your business they closed them down the company went bankrupt so since this everybody's going lift and shift everybody's petrified of cloud native we ceos think about what happens i think if i get hit by a bus who will make sure my students graduate every single day i think about if i were to die chris my co is going to be able how can he run what's going on is it chris is it alonzo that are gonna run this company you know these are the things that i think about chris and alonzo could they run this company for me could they take care of my students could they get everybody hired could they work with christina could they work with their critters this is what i have so when a 
cloud provider kicks a company off the cloud and makes them go bankrupt every ceo like me says whoa i run an openstack ansible cloud that's where we host everything on an openstack ansible cloud that we built i love the cloud i have a cloud so do you need college no but it helps it's like anything else if your knowledge is good your communication skills are good your attitude energy enthusiasm is good no one can stop you but everything helps you along the way if you have a bachelor's degree it's better than if you don't if you have a master's degree it's better than if you have a bachelor's degree do you need it no do you know what my degrees are in my first bachelor's degree is in nursing my master's degree is in nursing and my second master's degree is in business i have no degrees in tech no one cared i was the lead architect for a billion dollar industry one of the largest tech companies in the world it doesn't matter but you must have the knowledge and the skill and be great at what you do any others chris i know somebody kept asking a bunch of questions and said it was important uh i didn't say it was somebody said it was important but they didn't ask it um here we go the book that i typically recommend in emotional intelligence is written by daniel goleman and richard boyatzis um they were the two that coined the phrase i have extreme amounts of training i've spent more than a mercedes on just emotional intelligence training because it's so important to your career i will tell you that the daniel goleman and richard boyatzis training is uh look is a great place to start jeremy wright would it be best to learn how to learn how to cloud architect properly yeah i think you don't have no choice i think that you know here's the thing for people like alonzo for people like me these aws exams they're silly easy and why are they silly easy first we know how to design the architecture and then we understand what the technologies are so alonzo knows
what a nosql database is and because of that it doesn't matter if he's on gcp with cloud bigtable aws with keyspaces aws with dynamodb or sedona company ec2 instance with mongodb or apache cassandra so learn how to architect in fact when we train students jeremy wright every one of our students graduates with a certification because we have to have something to help on the resume and they all graduate with a certified solution architect professional and we provide the training but we teach them the network in the data center first the certification should be the after the fact you should know what these databases are and the certification should just be oh dynamodb is the amazon branded serverless nosql so yes jeremy we teach people how to cloud architect first and then we teach them the certifications but we're doing the certification free for the following reason not everybody can afford our training though we keep it low cost even though we could charge 25 times more and still sell it but do the both at the same time that's how you're going to be right learn the network learn the data center learn the cloud and then do your certification all at the same time that's the way you train doctors they learn multiple things they learn pharmacology as well as how to assess patients at the same time and pathology do it the same way it's all parts of the same package you'll be great jeremy wright um give me just a second it scrolled up all right here we go great question from fajara nas it will is the cloud going to be there for the future well here's the thing i look at careers i look at supply and demand curves right now the cloud is in its infancy less than 20 percent of all major organizations are actually on the cloud in the next 10 years we expect 80 percent of them to be all on the cloud now generally speaking we look at supply and demand curves so if all of a sudden there was a shortage of c sharp programmers what would happen is everybody would get c sharp
certified everybody would learn c sharp a year from now there'd be a surplus of c sharp programmers salaries would plunge like a stone and nobody would get hired now the cloud is different the cloud is what you call a disruptive technology here's what a disruptive technology is something that's new and innovative that changes things so dramatically it changes our our way of life that is the cloud so what's going on is right now we're at the infancy i say we have 10 years plus of just taking our current customers and moving them to the cloud it is so hard to hire a qualified cloud architect that literally speaking if you actually find one on an interview you can't even let them leave the door without making them an offer because they will be hired by three other people within three days it is that easy to get hired when you're qualified i get three potential people reaching out to me a day every single day of the week and i don't look for it it's because people know my brand so there are so many jobs for architect cloud architects so many jobs for cloud engineers so many jobs for devops engineers and with the future of automation devops is going to be for the role i predict that data science will be there for the long period of time as well because we're gathering more and more data and we want to do something with them to make better decisions cloud architects cloud engineers i think you have more career runway than you can think about i would suggest you learn that along with the networking at the same time and for the next one i already have some links ready with a video about the business side of cloud architecture should be off-topic for this channel the answer is no but it's not a video it's about 500 hours of video um and that's what we do in our cloud architect career development program we realistically need to give you greater business acumen you would have with an mba plus cxo relevancy and i will tell you we teach things that i did after my mba about a 
quarter of a million dollars of training after the fact i think um those are the kind of things we go into so it is way way way above something we put into a simple youtube video that's what we cover in our cloud architecture development program and i just put the link to the uh business acumen for our cloud architects yeah that's that's one that we did it's a basic one but you know it's still something that you can work with and and no other channel on youtube will teach you this so yeah he asked about the channel specifically so i was like well here's one on our channel it's right up our alley that's that's our whole uh i think there's a resume one on our channel as well and lots of mistakes where solution architects make mistakes things that keep themselves from getting hired like today i had a really nice person reach out to me they thanked me for everything they did they said is my skill enough i'm pursuing a devops career and i say look i love devops but if you get a devops certification when you try and apply for an architect position people are going to see you as a devops engineer and once they see you as a devops engineer they will no longer look at you as an architect you're going to need a complete and total rebrand so sometimes the biggest thing that i can do for you is the following make sure you only get the right certifications the right certifications build you the right brand do you want a doctor that went to medical school or do you want a doctor to cut grass for the last 20 years you want the doctor the one with the medical school when you're gonna if you were to buy a billion dollar airplane do you want an airplane mechanic to fix your thing or do you want someone that's that's been working in sewing that also studied devops that also studied maintenance that covered uh how to wash your cat that's now flying an airplane of course you want the person to train for it so get certifications in your career not other people's careers if you really 
want to build a good career a heck rather than sticking to a single public cloud the approach adopted these days by enterprises to go for hybrid it's all hybrid and all multi-cloud there is no such thing as just aws anymore it's all hybrid or multi-cloud i love the nutanix solution take your data center turn it into a cloud get all the auto scaling i love the ibm openstack ansible one the red hat one the ubuntu one i run an openstack ansible cloud personally i don't use an external cloud provider because i can run my better password cheaper than the cloud provider so i love this love this love this everything is hybrid cloud multi-cloud that's why we've talked about the google terms and the aws times and we've said learn to drive a car instead of learning how to drive a honda completely agree right mike i have to be the bad guy now you have to be the bad guy i'm not allowed to answer anything okay so you have to plan for more they want more so you have to have time to plan for more for them okay airplane well if we have a captive audience that wants to learn or hear to learn i want to do everything i can now i can't stay much longer um because we already around 35 minutes but let's make sure we give them five more minutes chris okay see i built that in when i give you the warning i'm already prepared i got the five minutes in my back pocket so chris is my chief operating officer and i don't even know how i would survive without him and i need him to tell me what i can or can't do virtual circuit the next time i come to london i would love to have dinner with you i used to be there every week but it's been a little bit of a while i had a really bad accident which kept me from jumping on airplanes sometimes when i travel i have to go to the operating room to open up blood vessels on my leg because of the bad injury i have but i'm going to be traveling soon because i need to and i have to get to the uk and i would love to meet with you harish cena can you share any 
specific skill sets to focus on like cisco packet tracer because you're from a non-technical background sure here's what you know and this is what's in our cloud architecture development program i need you to read if you if you're not in our cloud architect career development program and you want to know and our program is the cheapest and fastest way to get here if not buy the book internet routing architectures by bassam halabi buy the book routing tcp/ip from jeff doyle volumes one and two it's about five or six thousand pages of reading and that will give you the fundamentals of networking but not all of what you need i then need you to learn that i then need you to learn spanning tree i then need you to learn vlans 802.1 tagging 802.1x qos just the same a few and things i need to be that expert on those routing protocols which we talked about because they're also important then i need you to understand and learn encryption technologies private lines link aggregation groups port aggregation protocols unilateral link down problems with regards to fiber optic connections and the types of squashes as well as how you architect the systems core access distribution layers and such that is about 10 000 pages of reading and that will give you the fundamentals of the network then on the data center side and by the way this is why i say there's no time for devops and no time for sysops because we're going to talk about at least 20 000 pages of reading to be job ready of course we teach this in our program we make it simple for our students but if you're not in our program and you want to do it for free i'm giving you the free way next i need you to learn server virtualization so go to the vmware website read about 500 pages a thousand pages of server virtualization do the same thing for containers go to docker go to vmware go to kubernetes and again for about a thousand pages of reading you're gonna know how all this stuff works it's not for an architect how to
configure it's how to design it you can't design what you don't know then linux start learning about linux read some red hat linux books they have great documentation compared to other linux providers then learn about firewalls go to cisco palo alto juniper checkpoint learn about firewalls for about a thousand pages you'll get there do the same thing for ids and ips systems intrusion detection intrusion prevention system zero there now learn about iam learn about radius servers learn about microsoft active directory again about a thousand pages will get you there then learn about the cloud better yet build the cloud all my students do get yourself a server with 16 cores every one of my students does build an open stack ansible build the cloud once you've built the cloud from scratch in the data center you know the cloud so you can't design or architect what you don't know so this is the minimum level of technical knowledge now still you need to learn executive communication skills executive presence presentation skills writing skills speaking skills trust me all this is feasible i do it constantly with people in 16 weeks for people that have a little tech background and six to eight months for people that don't but we've got a system for teaching it and if you're with us it's simple and i've got lots of students here that can tell you their great experience like like alonzo he came through our training program that's why he's such a great cloud architect but in today's day he's rock solid rock star and he gets requests constantly because he's so good but it's about knowing all of those things it's not about being great at configuring it it's not about getting 20 certifications it's not about sysops it's not about devops it's not about any of it it's all about architecture so i didn't mean to give you such a dissertation but you asked some questions and i wanted to make sure that you knew that any others chris uh from mike stone um yes so you answered it in that 
question but uh someone asked would you recommend an architect student to download linux yes yep yep yep yeah uh someone uh someone said that they'd be interested to join so i'm gonna post the link to the uh to our enrollment page yeah post the link to the enrollment page post a 20 coupon um we want to give everybody make it like and that way it brings that our entire training program to a single day's pay they would earn as a cloud architect because we want to help people in their careers not hurt them financially so if anybody's got any questions about our training program i'll put in our corporate office phone phone number here in the chat box which is a crazy thing to do on youtube considering we get a hundred thousand views a month but you know what we're here for you if you need it so why does a data scientist learn about the cloud not answering that one no no you want me to answer it why all the data scientists have come to me yes you can answer it a lot better than i can okay the the immediate answer that i would give is because the cloud has so much computing power to be able to do all the data science all the machine learning and all the all the data science under the hood yeah my computer that i run uh run models on is nothing compared to the cloud and even even uh even the computers in data centers sometimes can't especially with platforms like google like there's no way to to get anywhere near the capabilities of what's possible on the cloud for the cost that you can get on on the cloud yes and i'll give you the other side of it um you can do all these things in the data center in a great way but you know you're buying a whole bunch of quadro gpus from nvidia which again might actually be cheaper if you're running these systems 24 hours a day but look at it this way look at google what does everything google do search right advertising matching up advertisers with users based upon information to run the world's number one search engine and the world's 
number two search engine which is google they've got a lot of ai machine learning capabilities so over the last couple of decades they've got a lot of these things and frameworks that are pre-built so because it's pre-built you can use a lot of their libraries instead of having a data scientist do it now i'm also going to tell you this a lot of it's done in the cloud but i've also had an influx of data scientist students and the data scientist jobs are among the hardest to get out there especially if people don't have phds in mathematics and other things because they're so hard to get people are coming to me because they know if they can become a cloud architect that also has a big data background and what we do then is we can make them that cloud data cloud data architects we teach them cloud architecture and then we marry that with the things that are necessary to do the data science that people can get really great cloud data science careers so very hard to get these jobs in data science so a lot of the data scientists that have come to me and i've had about four or five at this point have all come to me to help them get hired as data scientists because it's so hard but a lot of these libraries are there and you know if you were to buy a good server and you bought five if you put six quadro cards in a server each server is about five it's really high-end card is about five thousand dollars it would cost you about eighty thousand dollars for a really high-end server that's got enough pcie lanes to the system now on that it might be cheaper to run in the data center or if you're running them sporadically and you need to just do big batch jobs the cloud is going to be a lot cheaper especially because you don't have to make the libraries because they're already pre-built i don't know if i have time for any more chris it's up to you well you you we we have other schedules but that's uh you know you're on the flow well i think we've got one more
which is from chintin um regarding uh chinton's answering someone's question whether they should download linux yes download linux and if you really want to be great at linux and if you really want to learn it i'm going to give you the linux therapy option that i have used with my students for the last two two decades you know what my my recommendation is it's free by the way take your everyday computer that you're working with erase windows and immediately install linux do everything in your life and linux install all applications via the command line in six months for no cost you will know linux because every time something breaks you're gonna have to google it and you're gonna have to read the documentation and you will know linux i've taught more people linux that way and the last question from brendan fraser like the actor are most architects on call look we're not going to be on call like sysop people remember sysups people are maintenance people make a call to two o'clock in the morning the systems are down that is not us but you know we work from home we deal with lots of clients our clients going to call you and ask questions the answer is yes if a client has a big outage and you're their architect they may call you for guidance so the answer is yes are you on call no do you get phone calls after hours sometimes you do but you just have to do everything you can to do the best you can i will still tell you being an architect is the easiest job i've ever had it's about an eighth of the work of an engineer for double the pay maybe half the work for double the pay i absolutely love it it was the best thing i ever did and i can recommend it to anyone i agree with you i love debian but i also i'm partial to red hat because that's where i started i used both and brendan uh encino man pointed out we've got some mistakes on our website well a little humility where me and mike are human it's just me and mike we do have some things on our website mike and i that's it 
our grammar is not the best and brendan fraser i think you'll be three times happier and then double the salary long term in architecture for half of the work that's what i can recommend i still think devops is a great career but if you like to be in front of people much more options when you're closer to the money and architects are closer to the money which is why they get paid special yeah okay chris i think i ran 50 minutes late and i did it because i love you all out there it is such an honor and such a privilege to be able to speak to so many wonderful people across so many continents so um yes you have lots of spelling errors that we're working on brandon thank you for this it is important to us i i just write this email address in there if you find them please tell us i just hired this really really great super smart guy jesse i'm also hiring somebody from aws in the next month so when these folks join me we will actually have the time to actually really pick some of these things um we're just 100 dedicated towards our students um and uh because of that that's the kind of things we do um you know maybe i'll get to the last one which is harris cena's can i tell you about availability of job titles for entry-level positions you know here's my perspective entry-level jobs are gone right now and you don't need to have them here's what happened with entry-level jobs first we had coven covet basically made all the heart companies lay off or fire everybody that's not one of their best so because they can't afford to pay people so the next thing that actually happens is if you hire a new person what do you hire a new person for you hire them to rack servers to plug them in to screw them in to unbox them to install an operating system guess what we don't do that anymore it's not on the cloud so all of these fresher roles they kind of don't exist anymore so the key is and you can do it is be so good at any job you want that you don't need an entry-level role so i 
like it as a solution architect is an entry-level role i look at as a cloud engineer as an entry-level role a lot of my people that i train to be cloud architects often they have to go down and become solution architects roles which is almost the same thing if they have no experience but you know what if someone's got a great solution architect role for a year a year later they get a cloud architectural they do that for two years they pick up an enterprise architect role while they've got a great career so i would say um consider your solution architect your cloud engineer role entry level and work fight to be so good that the world can't not hire you i think that's a good night to end on i think that's a good note on all of you can do anything you want the only thing stopping any of us is our own mind um watch what people can do it's amazing so um instagram's down again there you go so oh boy here we go and this is just the beginning so this is why you ask me why i say don't get 10 certifications be great at what you do i've spent 10 thousand hours on just bgp i don't make these kind of errors because that's all i know now if i knew bgp and i knew this and i knew this and i knew this and this i'd have a little knowledge about a lot of things i wouldn't be able to find it yes cloud architecture jobs are becoming very very common is remote available i've worked remote for 20 years so yes absolutely oh my god i've never thought of myself as an influencer before but you know what maybe there's something to be said for that and you know what um i am checking my phone 20 times a day to check in on messages so i guess i have become something a little bit like that but it's all out there for you chris we have to close this down i know we've got a lot of work alonzo thank you again chris thank you again and uh mike said at this time not me i'm behaving i have to respect your time in jesse's time all right well i'm gonna click the end broadcast in five and four please like 
and subscribe
Info
Channel: Go Cloud Architects
Views: 4,325
Rating: 4.9666667 out of 5
Keywords: aws certified solutions architect associate 2022, aws solution architect certification, aws solution architect interview questions, aws full course tutorial, free aws certification training, aws certification course online, aws certification course free, free aws course, cloud architect career, aws career tips, cloud architect training, cloud computing architect, cloud architect, go cloud architects, saa-c02, aws cloud computing full course, cloud computing complete course
Id: _EeE-0BqwyY
Length: 231min 26sec (13886 seconds)
Published: Fri Oct 08 2021