AWS Networking Basics For Programmers | Hands On

Captions
What's up everybody, it's Travis here from Travis.Media. After today's video you are finally going to understand basic AWS networking, I guarantee it, because I'm going to explain it all to you. But before we get started let me give you a short backstory. About three years ago I switched over in my job to a site reliability engineer and I got put on a team of like 30 people, most of whom were not primarily programmers in their previous careers. We had system admins, we had network admins, we had cloud architects, we even had one guy that worked at Dell like 20 years ago. All of these guys and girls were like way over my head in experience, and I immediately got thrown into the cloud with everybody, and everybody understood it and they were architecting and doing all these diagrams and planning all this stuff, and I didn't know what I was doing because I was primarily a programmer. I eventually came up to speed within a couple of months, but looking back I see that my biggest struggle was networking. As programmers we don't have to do a lot of networking; we write code and we build apps, but we don't have to understand VPCs and subnets and route tables and gateways and all of those things. So I decided to make a video for programmers. If you're one of those people who wants to get into the cloud or is looking to move up to a senior level and needs to learn these networking basics, then this video is going to be for you.

So in today's video I'm going to teach you basic networking, and I'm going to use AWS as our example, and I'm going to do it practically. It's not going to be theory, it's not going to be PowerPoint. We're going to look at the architectural diagram of what we're building, we're going to step through that, we're going to look at terminology, what each of these terms means, like VPCs, subnets, route tables, NAT gateways, and then we're going to go into AWS and build this out practically and see these things in action. And we're going to cover a lot of neat topics like CIDR ranges, and you'll even see my quirky way of explaining it. So go make you a pot of coffee, sign in to AWS and let's get started. And as always, if you find this helpful give it a thumbs up and consider subscribing to the channel. Let's go.

All right, so here's our final diagram of what we're building. So we have a VPC and we have all of these components within it. So if I get rid of all this and bring us to the starting point, we just have the AWS cloud. So if you go and log into AWS you'll be all caught up with me. Now within AWS you have things called VPCs. So a VPC, or a virtual private cloud, works like a private network to isolate the resources within it. So a VPC is like a fence around a bunch of resources; it separates all of your resources within it from another VPC with all of its resources in it. So let's add that to our diagram. Now we have a VPC. But like I said, this is not a theoretical video, this is practical, so let's go and create one in AWS. So to do that, just go up here to search, type in VPC and click on VPC. All right, then select VPCs. So here you see we have our default VPC and that's it. So let's create a new one so that we can build out all of our components. So click on Create VPC, and you can now do "VPC and more", which gives you a VPC, gives you four subnets, three route tables and two network connections. We're actually not going to do this. Once you go through this video and you understand all of these services, or all of these pieces, then you can go and do this quick start, but until then let's do it manually. So click "VPC only". Name tag, I'm just going to call it "my new VPC". And next you have an IPv4 CIDR block. So what CIDR range is this VPC going to fall within?

Now this was a big thing for me, a big hurdle for me when I started out, like what is a CIDR range, right? And what is this /24 and why am I doing that? So let me give you a quick rundown, like a dummies guide to this. So the way I like to look at it is, if I do what they have here, they have suggested 10.0.0.0/24. So here's the way I explain this, and it's not going to be conventional and people are going to give me a hard time, but let me tell you, you'll remember it after this. So each one of these numbers is called an octet and each one represents eight bits. And I actually wrote an article here on Medium explaining it, but basically each one of these is eight bits, and if you add them all up that's 32 bits. So the way I do it is, if you see a /24, this means the first one being 8, second one being 16 and the third one being 24. This only lets you change the IP range on the last number. If you have 10.0.0.0/16 you start at the beginning, so this is 8, this is 16, and those are locked; you can only change the numbers, or the ranges, on the last two numbers. And of course if you have 10.0.0.0/8 that means you can change the numbers on the last three octets. Hopefully that makes sense. That's the way I remember it. It's not technical, but it really helps me out. And I think I have the numbers here that might help you out a little better, so if I paste this in: /24, if you see here, the IP addresses are 10.0.0.1 through 10.0.0.254. See how we're only able to change the last one? We have 1 through 254; the 10.0.0 don't change. We've got the /16: we've got 10.0.0.1 through 10.0.255.254. So you can't change these first two, or 16. So anyway, I think if you remember that you won't have any problem with this going forward. You can't explain it technically to people who are like purists, but we're not trying to do that; we're trying to be practical and understand things in our own way, and I think that'll be helpful for you. So what I want to do here is, I don't want this /24, I actually want to do 10.0.0.0/16. So that means these first two numbers are locked; I can only change the ranges in the last two numbers. That's where I want to start this. That gives me a lot more IP addresses than a /24. And if you look this up, "IP range IP subnet calculator" (we're going to get to subnets in a minute), but if I just type this in, 10.0.0.0, and then I change this to 16, you'll see we have tons of IP addresses. Calculate, and you have 65,500 and something IP addresses you can play with, because we have 10.0.0.1 through 10.0.255.254. And we'll use this in a minute when we get to subnets, but remember my dumbed-down version and you'll do well. So let's set that IP CIDR, let's leave Tenancy default, I don't need any tags, it sets one automatically, but I'm just going to click Create VPC to create it. And now you have a VPC with this CIDR range. So if we go back to our diagram, we're good to go there.

Now within a VPC you have these isolated networks in these different CIDR ranges called subnets, and the terminology is this: a subnet is a defined set of network IP addresses that are used to increase the security and efficiency of network communications. You can think of them like postal codes used for routing packages from one location to another. So anyway, they're just these defined sets of IP ranges, and what you normally see here is a public subnet and a private subnet. So you have a public subnet for all of your public applications and a private subnet for things that you don't want to be public. So let's add that to our diagram first to see what we're doing. So we're going to be creating a private subnet and a public subnet, two subnets. So let's go back, make sure you're in the VPC dashboard, and click on Subnets. And we have all these default subnets; we don't have to worry about those, but go up here and click Create subnet. Select your VPC ID; this puts your subnets within that VPC. So I'm going to select "my new VPC", the one we just created. And subnet settings: so subnet name, let's do "public subnet". Now availability zone. What you normally see people do is they create two public subnets and two private subnets, one being in different availability zones. So you'll make a public subnet in this availability zone and another public subnet in this availability zone. You'll do the same for private; you'll put one here and one here. That way if an availability zone goes down you have high availability by having another availability zone available to serve your applications. But we're not going to do that today because we're keeping this basic, so we're just going to do one public and one private. So this is going to be a public subnet; I'm just going to choose us-east-1a. All right, now IPv4 CIDR block. What are we going to do here? Well, it has to be within this CIDR range, 10.0.0.0/16. We're going to make it easy. A lot of the times people want lots of private and not as many public, because not as many things are going to be public. For this demonstration it doesn't matter, so let's do what it gives us here, 10.0.0.0/24. That means we'll only be able to take this from 1 to 256, this last octet, and that's our public subnet. Let's go ahead and add a new one. You can click this "Add new subnet" here, and let's create the private subnet. So let's do "private subnet", and availability zone doesn't matter, I'm going to choose the first one. And in this one we're going to do 10.0.1.0/24, and that again allows us 254 here, and it's going to be different from the other subnet because this one is 1.0 whereas the other one is 0.0. Hope that makes sense. And so we have our public subnet and our private subnet, so let's click Create subnet to create both of those.

And one thing about a subnet is you have to have a subnet to launch resources in your VPC. So you can't just do a VPC and then launch an EC2 instance; you have to have a subnet to put resources in. So now that we have a subnet, let's go ahead and launch an EC2 instance, and we're going to launch it in the public subnet. So let's go to our diagram, go to the next step here, which is going to be our EC2 instance. So we're going to launch an EC2 instance into our public subnet. So we have a VPC, we have a public and a private subnet, and we're going to launch an EC2 instance in our public subnet. So I'm going to come back here and under Services I'm going to click on EC2 and open a new tab, and I'm going to click Launch instance to launch a new one. I'm going to call it "my public instance", and I'm going to leave it Amazon Linux. Instance type, I'm going to choose a t2.micro because it's in the free tier. Key pair, I'm going to choose a key pair; make sure you create one if you don't have one, create a new key pair. I'm going to choose the one I have. And for my network settings, click on Edit, change this to your VPC, "my new VPC", and then your public subnet. Like I said, you have to launch resources into subnets. Auto-assign public IP: enable. We want a public IP; this is a public EC2 instance. And then create a security group; I'll call it "SG public". And then security group rules: we're going to get to security groups in a little bit, but this rule allows me to SSH from anywhere into my instance. So TCP protocol, port range 22, source type anywhere; I should be able to SSH into this. After you're done with that, click Launch instance to launch it. And while that's launching, regarding security groups: a security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. So security groups are related to EC2 instances, and as you recall, we set a rule there to allow incoming SSH traffic. But again, we'll get to that in a few.

So my instance is running. Let me click on it and go to Connect, and I'll go to EC2 Instance Connect and click Connect to connect to the instance. Do you think this will work? It will not work. We get a message here; it says "EC2 Instance Connect is unable to connect to your instance." Why? Because we don't have any way out to the internet. We just created a subnet, we called it "public subnet"; that doesn't make it public. We're still completely isolated in our VPC. So to allow internet access to our subnets we need something called a gateway. That's our next item here, so let me click this. And more specifically, we need an internet gateway, but let's talk about a gateway for a minute. A gateway in general connects your VPC to another network. So you have your VPC here; a gateway just connects it to another network. For example, we're going to use an internet gateway to connect your VPC to the internet. But then there are transit gateways, there are NAT gateways, which we're going to see in a minute, but just remember that a gateway just connects your VPC to another network. We're going to be using an internet gateway, as you see on the diagram here; that's going to allow our subnets out to the internet. So let's set that up. So go back to VPC, and you'll see here on the left, Internet gateways. Yeah, right here, Internet gateways. We need to create a new one: "No internet gateways found in this region." Let's create one. And you can only have one per VPC, I believe. And let's call it, like it says here, "my internet gateway", and Create internet gateway. It's really that easy, and now we have our internet gateway. But you see a message up here: "The following gateway was created. You can now attach to a VPC to enable the VPC to communicate with the internet." So we have an internet gateway, but it's detached. It's not attached to any VPC; it's not doing anything. So let's attach it to our VPC. So go to Actions, click Attach to VPC, and click your VPC, and Attach internet gateway. Again, just go to Actions and attach. Here you can detach if you want, but we attached our internet gateway to our VPC.

All right, so let's go back to connect to an instance, click on Connect and see if we can connect. And it still doesn't work. I mean, we created the gateway; why are things not working? Well, because we have to give our subnet a route to the internet gateway, and we can do this with something called route tables. So let's pull up our diagram and let me add that: route tables. So right here you see a route table. We need to alter this route table on our public subnet to allow a route out to the internet gateway. And don't mind this router here; that's what this symbol is. Every VPC has a router; you don't have to worry about it, it's already there. So we need to alter the subnet to go out to the internet gateway. You see this arrow here going back and forth between the subnets? The route tables already allow that private traffic. We just need to create a rule to go out to the internet gateway. So let's do that. Let's go back to VPC management and go to Route tables. Now you'll see here that your VPC already comes with a default route table. That's what this is, and it's called the main route table; see, right here it says Main: Yes. All unassociated subnets use this. So if you go to this main route table and you look at Routes, we only have one route, and it's the local traffic, so all the traffic within the VPC. That's why we had this arrow going right here; this is already allowed in the route table. Now, subnet associations: any subnets that don't have explicit associations default to the main route table. So these private and public subnets by default use this default main route table. So what we want to do is we want to create a route table for our public subnet and for our private subnet. We don't want to use this default, because we don't want to treat them the same; we want to have them explicitly different, and it's just good practice to do that. So let's create a route table called "public route table", Create route table. Oops, I've got to choose a VPC; make sure you choose your VPC, this route table will be associated with it. And let's create another one called "private route table" and associate it with your VPC. And let's go back to Route tables. So now we have our main route table, but we also have two more created, called public and private. Public and private have nothing to do; they haven't been associated with any subnets, they're just created. What we want to do is we want to go to "public route table" and we want to associate it with our public subnet so that we can control what's going on there. So let's edit subnet associations, and we're going to choose "public subnet" and associate it with this route table. So the route table belongs to the VPC, and we associate subnets to route tables. So we associated that subnet, the public subnet, with our public route table. We're going to do the same for private. So here's "private route table"; we're going to go to Subnet associations, Edit, and associate the private subnet with the private route table. And now if you look at our default, or main, route table, you'll see that we have no subnet associations; they're now associated with other route tables, ones that we created explicitly.

So we have this public subnet route table. How do we get it to route to the internet gateway? Well, it's very easy. We just go to our public route table, click Routes and then click Edit routes, click Add route, and for Destination we want to choose everything, so 0.0.0.0/0; that's all IP addresses, and this covers all IP addresses outside of this VPC CIDR range. So all of these IP addresses in this VPC can talk to each other, subnets can talk to subnets, no problem, but everything else, the public internet, all the IP addresses out there, we want to make this wide open, and our Target is going to be the internet gateway, which we can choose here. Once we've done that, click Save changes, and you'll see that now our public route table has a destination out to the internet gateway. So now if we try to connect to our EC2 instance via SSH we should be able to, because we have a security group rule that allows us to SSH into this, and our instance is now available out on the public internet. So click this, go to Connect and EC2 Instance Connect, and let's see if we can do it. There we go. So now we have public access to our EC2 instance over the internet, so we can do something like `sudo yum update -y` to update our packages, and everything works fine. Great. So let's go back to our diagram. So now we have a route out to the internet, so out to our internet gateway, out to the internet. Let's include that.

So what do we want to do next? Well, let's launch an EC2 instance into our private subnet and learn about NAT gateways. So go to EC2, Instances, and Launch instances, and we're going to call this "my private instance", and we're going to choose Amazon Linux, t2.micro, my key pair, and network settings is going to be my VPC and the subnet is going to be, this time, my private subnet. And we don't need a public IP because it's private. And let's create a new security group called "SG private", and that looks good; we have an SSH rule, that's fine, let's do that. It's not open to the internet so nobody can do that, but we'll talk about that in a minute. So launch your instance. So we do have a security group on our private instance that allows SSH access, so let's try to SSH into our private instance from our public instance. We should be able to do that, right? And to do that we need to upload our key. Remember, to SSH we have to create a key pair. We need to upload our key that's on our computer up here to this server, so that when we SSH into the private server we have that key to use. And that's pretty easy to do. So I have an SCP command; if you're not familiar, you can just Google it. This allows you to upload a file from your local computer onto a server with one command, so it allows you to log in and upload all in one command. So what this does is: `sudo scp -i`, `-i` is a flag that indicates this is your key that you're using to access that public instance, our public instance, and then the file that you want to copy up there is going to be the key pair, and you want to copy it to your public server. This is my IP address; it's going to be `ec2-user` at this public IP address, and then the location that I'm copying it to is `/home/ec2-user`. So I'm going to grab this; again, this is just copying our key pair up to that server so that we can access our private server. So I'm going to open my local terminal and just run this command and put in my password for sudo, and it copied it. So now on my public instance here I should have it: `ls`, there's my TM AWS key pair .pem. Now from this public address I want to try to SSH into my private server. So let me get my private server IP address; here it is. I mean, the route tables allow subnet-to-subnet access, so this should in theory work. So let's do `ssh -i` and my key pair, which is in the same directory, and then `ec2-user` at that IP address, and type yes, and it worked. So everything's working fine; we can access our private server from our public server, and that worked fine. We can't go directly to our private server, we can't access that from outside of the VPC, but we can access the public server and from there SSH into the private server. So that works fine.

And now that we've SSHed into our private server, let's try to do something like updating our yum packages, so `sudo yum update -y`, and you'll see that it's not going to do anything. Why? Because we don't have access to the internet. And you might think, hey, that's the point, we're in a private subnet, we don't want access to the internet. And that's true, but how do we update our packages? Is there a way that we can reach out to the internet but nobody can reach into where we're at? Well, there is. There's something called a NAT gateway. So a NAT gateway is a network address translation service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, but external services cannot initiate a connection with those instances. So I can reach out and I can update my packages, but nothing outside the VPC can come in and access that server. That's pretty neat. So how do you set something like this up? Well, first you create a NAT gateway, and you actually want to do it in the public subnet. So let's click on that gateway here to reveal what we're going to do. You're going to create the NAT gateway in a public subnet, because this public subnet has a route out to the internet, and then you're going to use your private route table to route out to that NAT gateway. So this NAT gateway is going to allow our private subnet to reach out to the internet and do things, while at the same time allowing nothing outside of the VPC to come into our private subnet and access that directly. And actually we want to add our private EC2 here. So this EC2 instance, by way of this route table, can reach out to the NAT gateway in the public subnet and use the internet. So let's create that. If you go to Subnets and NAT gateways, click on Create NAT gateway, and let's create one. So let's call it "my NAT gateway". Subnet, I want to put it in the public subnet. Connectivity type is public, and we need to allocate an elastic IP; just click that button to do so, and click Create NAT gateway. And I think this takes a couple of minutes to actually get into a running state, so I'm going to pause this and come right back when this is running. And actually, while this is initiating we can go ahead to our route tables and our private route table and add a route out to our NAT gateway. So Edit routes and Add route; we're going to do everything, and then the target is going to be a NAT gateway. It's going to be this one that's still creating. It's not going to work yet, but we can go ahead and set this up. So Edit routes and Save changes, and it's creating a route, and you'll see here in our private route table we now have a route out to our NAT gateway. So let's go back to that, and again, I'll come back when it's running.

All right, so our NAT gateway is available. We've already set the route, so now let's try again and see if we can update our yum packages. So try again, and there we go. So that's working. But if I were to get my, uh, private IP address, this private address, of course it's not going to work if I try to SSH into that. So a NAT gateway allows you, again, to let your private instances reach out to the internet to update or upgrade, whatever you need to do, but nothing to access them back. So looking at our diagram, we've done a lot. We've created the VPC, we've created the subnets, the EC2 instances, the route out to the internet, and the route over to a NAT gateway to allow our private subnet the ability to use that to grab things off the internet. And I think that's a lot. I do have one more thing I want to tackle, but I want to kind of leave you guys with that today. I think that's a lot to take in, and if you understand this much you've understood a lot. We don't need to get into transit gateways and VPC peering yet. Take this information, let it soak in.

But there's one more thing that we need to talk about, and that is NACLs and security groups. So I'm going to enable this last piece of the diagram and talk about these. So NACLs, network access control lists: a network access control list is like a virtual firewall that protects the subnet. So it's another layer of protection around the subnet. And this network access control list is stateless, so if you allow something into the subnet it doesn't remember that state and then allow it back out. You allow it in; you have to also have an outbound rule to allow it back out of the subnet. So that's a network access control list, or a NACL as people call them. It's a virtual firewall for the entire subnet. And the reason why I'm not going to get into it is because most people leave that default, and the default is that it allows everything in and allows everything out, and most people don't need to change that, because you have routes and you have security groups and things like that. One use case people do use them for is to block an IP address at the subnet level. That's a good use case for it, but normally you just leave the default, and it's kind of an added layer of protection for your subnet if you need it. Now your NACL protects your subnet, but once you get through that you have something called a security group, and a security group is like a virtual firewall that protects your EC2 instance. So every EC2 instance gets associated with a security group, and the security group protects the EC2 instance. Now the security group, unlike the NACL, is stateful. If there's an inbound rule and some data comes in, it's going to remember that state and also allow that same rule out. So the NACL is stateless: if you allow it in, you also have to set a rule to allow it back out. A security group, when you allow something in, is going to automatically allow that back out; it's going to remember the state.

And this is where I stop today. Again, like I said, it's a lot to take in, but if you understand these basic concepts I think you'll do well. And if you enjoyed this and you want to see like a more advanced version of this where we do get into transit gateways and peering and things like that, then let me know down in the comments and I'll get that made in the future. Hope you enjoyed the video and I'll see you in the next one.
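The CIDR arithmetic, the subnet-inside-the-VPC rule and the route-table behaviour walked through in the video (the /24 versus /16 host counts, why the main route table's lone `local` route left EC2 Instance Connect with no path to the internet, and why the public and private tables differ only in their 0.0.0.0/0 target) can be checked with the Python standard library. The block below is an added example, not code from the video or from AWS; the route-table contents and the `igw-EXAMPLE` / `nat-EXAMPLE` target ids are constructed placeholders, and the AWS-reserved-address count (first four and last address of every subnet) is stated from AWS documentation rather than from the transcript.

```python
import ipaddress
from typing import Optional

# ---- CIDR arithmetic -------------------------------------------------------

def host_range(cidr: str) -> tuple[str, str, int]:
    """First/last assignable address and host count, excluding network and
    broadcast addresses (the way the subnet calculator in the video counts)."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last), net.num_addresses - 2


def aws_usable_hosts(cidr: str) -> int:
    """AWS additionally reserves the first four addresses (network, VPC router,
    DNS, future use) and the last address of each subnet, so a /24 yields 251."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - 5


def validate_subnets(vpc_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Return a list of problems: subnets outside the VPC range or overlapping
    each other. An empty list means the layout is valid."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


# ---- Route-table evaluation ------------------------------------------------

# Constructed route tables mirroring the video's layout. Targets are placeholders.
LOCAL = "local"
MAIN_TABLE = [("10.0.0.0/16", LOCAL)]                        # default main table
PUBLIC_TABLE = [("10.0.0.0/16", LOCAL), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_TABLE = [("10.0.0.0/16", LOCAL), ("0.0.0.0/0", "nat-EXAMPLE")]


def choose_route(table: list[tuple[str, str]], dest_ip: str) -> Optional[str]:
    """Longest-prefix match: the most specific destination wins, which is why
    the /16 local route beats 0.0.0.0/0 for in-VPC traffic. None means no route."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [
        (ipaddress.ip_network(prefix).prefixlen, target)
        for prefix, target in table
        if dest in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    return max(matches)[1]


if __name__ == "__main__":
    print(host_range("10.0.0.0/24"), host_range("10.0.0.0/16"))
    print(validate_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
    for name, table in (("main", MAIN_TABLE), ("public", PUBLIC_TABLE), ("private", PRIVATE_TABLE)):
        print(name, choose_route(table, "10.0.1.10"), choose_route(table, "198.51.100.7"))
```

Running it shows the three facts the video demonstrates by trial and error: the public and private subnets reach each other through `local` from every table, only the public table sends internet-bound traffic to the internet gateway, and the main table returns `None` for any address outside 10.0.0.0/16.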
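The stateless-versus-stateful distinction at the end of the video is easiest to see by modelling both filters against one SSH exchange: the request arrives on port 22, and the reply leaves towards the client's ephemeral port. The block below is an added example, not code from the video or from AWS; the addresses, ports and rule sets are constructed, the security group model leaves outbound rules empty purely to isolate the connection-tracking effect (a real default security group allows all outbound), and the 1024-65535 ephemeral range is the one AWS documents for NACL reply traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    cidr: str       # remote address range the rule applies to
    port_lo: int    # inclusive destination-port range
    port_hi: int


def _matches(rule: Rule, remote_ip: str, port: int) -> bool:
    return ip_address(remote_ip) in ip_network(rule.cidr) and rule.port_lo <= port <= rule.port_hi


class NetworkAcl:
    """Stateless subnet filter: each direction is judged only by its own rules,
    so a reply is dropped unless an outbound rule covers the client's ephemeral port."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound, self.outbound = inbound, outbound

    def allow_in(self, pkt: Packet) -> bool:
        return any(_matches(r, pkt.src_ip, pkt.dst_port) for r in self.inbound)

    def allow_out(self, pkt: Packet) -> bool:
        return any(_matches(r, pkt.dst_ip, pkt.dst_port) for r in self.outbound)


class SecurityGroup:
    """Stateful instance filter: a flow admitted by a rule is remembered, and
    packets belonging to the reverse direction of that flow pass without a rule."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule] = ()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked: set[tuple[str, int, str, int]] = set()

    def _is_reply(self, pkt: Packet) -> bool:
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._tracked

    def _admit(self, pkt: Packet) -> bool:
        self._tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def allow_in(self, pkt: Packet) -> bool:
        if self._is_reply(pkt):
            return True
        return self._admit(pkt) if any(_matches(r, pkt.src_ip, pkt.dst_port) for r in self.inbound) else False

    def allow_out(self, pkt: Packet) -> bool:
        if self._is_reply(pkt):
            return True
        return self._admit(pkt) if any(_matches(r, pkt.dst_ip, pkt.dst_port) for r in self.outbound) else False


# Constructed SSH exchange: client 203.0.113.10 -> instance 10.0.0.20, and its reply.
SSH_REQUEST = Packet("203.0.113.10", 50000, "10.0.0.20", 22)
SSH_REPLY = Packet("10.0.0.20", 22, "203.0.113.10", 50000)
# Constructed unsolicited outbound connection from the instance (no rule covers it).
UNSOLICITED_OUT = Packet("10.0.0.20", 40000, "198.51.100.5", 80)

SSH_IN = [Rule("0.0.0.0/0", 22, 22)]
EPHEMERAL_OUT = [Rule("0.0.0.0/0", 1024, 65535)]


def nacl_verdicts(inbound: list[Rule], outbound: list[Rule]) -> tuple[bool, bool]:
    """(request admitted, reply admitted) for a NACL with the given rules."""
    acl = NetworkAcl(inbound, outbound)
    return acl.allow_in(SSH_REQUEST), acl.allow_out(SSH_REPLY)


def sg_verdicts(inbound: list[Rule]) -> tuple[bool, bool, bool]:
    """(request admitted, reply admitted, unsolicited outbound admitted) for a
    freshly created security group with only inbound rules."""
    sg = SecurityGroup(inbound)
    return sg.allow_in(SSH_REQUEST), sg.allow_out(SSH_REPLY), sg.allow_out(UNSOLICITED_OUT)


if __name__ == "__main__":
    print("NACL, inbound 22 only:      ", nacl_verdicts(SSH_IN, []))
    print("NACL, plus ephemeral out:   ", nacl_verdicts(SSH_IN, EPHEMERAL_OUT))
    print("Security group, inbound 22: ", sg_verdicts(SSH_IN))
```

The first NACL admits the request and then drops the reply, which is exactly the failure mode that appears when someone tightens a subnet's default allow-all NACL to "port 22 in" without adding the matching ephemeral-port outbound rule; the security group passes the reply on the strength of the tracked flow alone while still refusing a connection the instance initiates with no rule behind it.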
Info
Channel: Travis Media
Views: 21,607
Keywords: aws networking, introduction to aws networking, cloud computing, aws networking fundamentals, amazon web services tutorial for beginners, amazon web services explained, aws vpc, aws vpc deep dive, aws vpc networking basics, vpc fundimentals, cloud computing tutorial for beginners, amazon web services for beginners, aws networking for programmers, aws subnets, aws internet gateway, aws nat gateway, aws route tables, aws security groups, aws cloud computing for beginners
Id: 2doSoMN2xvI
Length: 27min 14sec (1634 seconds)
Published: Sun Jan 22 2023