AWS Networking Deep Dive

Captions
Hey, good evening one and all, and welcome to AWS Networking Deep Dive. It's so good to have you here. First of all, I would like to thank our community partners, that is the Cloud Tech Online meetup group; we have partnered up with them so that their members could join this session and benefit from it. Second of all, I would like to thank all of you who have joined today, and without wasting much of your time I would add the speaker.

Hey, thanks so much, Karthik. Thanks for having me.

Yeah, so Suman, could you please tell us about yourself and the topic that we are going to present today?

Yeah, sure. So what we're going to do today is talk about AWS networking. Networking is a huge area in itself, and what we are going to do is talk about a few of the basic constructs you would encounter in your day-to-day work and a few of the advanced topics, and I would encourage everyone to dive deep into the topics of their interest. But this is one of the core services that we have, and we will discuss a few of those in the next 30-40 minutes.

Okay, that's amazing. Could you please share your screen?

Okay, sure. Thank you so much, Karthik. I think your voice was breaking a little bit, so that's why I was not able to hear properly. So thank you everyone once again for joining in, and I really appreciate all of your time that you are spending in the evening. What we are going to do today is talk about AWS networking. Before we get started, feel free to ask questions if you have any, and if you are watching a recorded version on YouTube, feel free to ping me over LinkedIn or Twitter, wherever you feel like, or even in the comment section of this recording, so that I can reach out to you. My name is Suman, I am based out of Bangalore, and I work with the developer relations team here at AWS, and I predominantly focus on storage, machine learning and serverless. So today we are going to talk about one of the core services, called VPC, and things around VPC. I just thought that this may not be a very fancy topic with respect to the other managed services that we have within AWS, but this is one of the important things that we all should learn. I'm also not a networking expert, but I just thought to share a few of the basic constructs and my learning on networking.

So when we think about networking, the first thing that comes to our mind is the internet, right? So let's consider that this is our internet, and this is the AWS account that you have created. Let's say you have created a brand new account, so this is where you are in, and now you can create different resources within your AWS account, like let's say an EC2 instance, or an RDS instance, or an EMR cluster for data analysis, or any other resource. So what happens is these resources don't get created in the air; they don't get created in a vacuum. All of these resources which you create get created within our default VPC, or virtual private cloud, as we say. So when you create an AWS account you get a default VPC in all the regions, and what this default VPC gives you is a boundary, a virtual boundary within your AWS account from the outside world. Whatever you do, it's only within your VPC. Now when we talk about the default VPC, this is the address that it comes with; this is the CIDR range, 172.31.0.0/16.
We will go deep into this address in a moment, but this is the IP range that you get, and all the resources that you create within your VPC get some IP from this range. So if you see here, it is 31.0.0, this is the range, the CIDR range, and if you see, the IP of this instance is .0.128, .1.24, .1.27 and so on and so forth. So all these IPs belong to this CIDR range, or CIDR block. So what else do you get from the default VPC? You get different subnets. Now what is a subnet? A subnet is basically a grouping of your whole IP range. So if you look here, we have two AZs, let's say, in this region, wherever you have created this VPC. This is the default VPC, but the concepts are exactly the same if you create your own custom VPC. So whichever region you create this VPC in, you will have different availability zones, and in each availability zone you can have one or more subnets. So in this case we have AZ1 and AZ2, and each of them will have a different subnet. So if you see here, from the IP address itself you can say the subnet range is 31.1, 31.1, but here it's 31.0 and 31.0. So there is a different, smaller set of address spaces from your actual VPC CIDR block, or the VPC IP range, that you get within your availability zone in the form of two different subnets. Apart from that, you need to connect to the internet, so you also get an internet gateway, and we are going to talk about the internet gateway in a moment. This is also something that comes with your default VPC, and obviously you will have a security group and NACL, and these are the things that we are going to discuss next, so I'm not stretching on these three points, because these three we will discuss in a moment from now. But all of these come with your default VPC; when you create an account, this is what you get in all the regions where we operate.

Okay, so now let's talk about a few of the VPC concepts and fundamentals. To start off with, we will discuss the different IP addressing, that is, how the addressing looks; we have seen a little bit about that a while back, but we will go a little deeper into this. We will also see how you can create a subnet and how the traffic routes through the VPC, not only within the VPC but also outside the VPC. And finally we will look into security, and this is where the security group or NACL comes into the picture. So these are the four things that we will discuss.

So let's start with the IP range. When you create a VPC, it is very important that you select your IP range properly, because that is what defines how many resources you can have within your VPC. So let's go back to this IP, 172.31.0.0/16. This is not a random IP; this is a private range IP which is mentioned in RFC 1918. If you want to dig deep, a deep dive into this, you can refer to this RFC, and in that you will see that this is one of the IP ranges out of many other IP ranges mentioned in this literature, which says that this IP range is private. So you will not find any internet resource or anything which has this IP, so you are always sure that within your VPC this IP will not conflict with anyone outside your VPC. All right, so this is a private IP range which is not available on the internet. And if you look at this /16, this says the subnet, basically; so this is the host address space, and this is the actual network address space, and this is the actual address of the host, or instance, whatever we call it. So if you have /16 you will get 65,000 addresses, basically the mask. So just to avoid conflict, because when you create different VPCs, lots of VPCs, you may not want to communicate between VPCs on day one, but it might so happen that in future, as you continue to develop and work and build mature software, it might happen that you want to have one instance from one VPC talking to another instance in another VPC. So in that case we need to make sure that there is no IP conflict. So always have this in your design guidelines, I would say: you should avoid any IP overlapping, because if you have duplicate IPs across VPCs or across networks, you will not be able to communicate. It's basically a fundamental of networking.

Now, how do you create these subnets? As we have discussed, every availability zone will have a different subnet. So let's say you have three different AZs here, eu-west-1a, 1b, 1c, and you create three different subnets, and all these three subnets will have three different slices of address from this VPC CIDR range. So it is 0.0, and if you see here, this is 0.0/24, this is 1.0/24, this is 2.0/24.
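The addressing rules just described, as an added worked example that is not part of the talk: it checks that a VPC block is RFC 1918 private, carves one /24 per AZ from it in the order shown on the slide, verifies that subnets come from the VPC's own CIDR, and flags VPC blocks that overlap and so could never be routed to each other. The AZ names and the sample VPC blocks are constructed from the talk's figures; the five-address reservation per subnet is AWS's documented behaviour, not something the speaker covers.

```python
# Added example (not from the talk): VPC CIDR design checks using only the
# Python standard library.
import ipaddress
from itertools import combinations

# The private ranges defined in RFC 1918; the default VPC's 172.31.0.0/16
# and the talk's custom 10.1.0.0/16 both fall inside these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves the first four and the last address of every subnet
# (documented AWS behaviour; not covered in the talk).
AWS_RESERVED_PER_SUBNET = 5


def is_rfc1918(cidr):
    """True if the whole block lies inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(private) for private in RFC1918)


def address_count(cidr):
    """Total addresses in a block: a /16 gives 65536 (the talk's '65,000')."""
    return ipaddress.ip_network(cidr).num_addresses


def usable_hosts(subnet_cidr):
    """Addresses actually assignable to instances in one AWS subnet."""
    return address_count(subnet_cidr) - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr, azs, new_prefix=24):
    """Hand out one subnet per AZ, in order, from the VPC block.

    For 10.1.0.0/16 and three AZs this yields 10.1.0.0/24, 10.1.1.0/24 and
    10.1.2.0/24, matching the slicing shown on the slide.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    slices = vpc.subnets(new_prefix=new_prefix)
    return {az: str(next(slices)) for az in azs}


def subnets_outside_vpc(vpc_cidr, subnet_cidrs):
    """Subnets that do not come from the VPC's own CIDR (the talk says all must)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [s for s in subnet_cidrs
            if not ipaddress.ip_network(s).subnet_of(vpc)]


def overlapping_vpcs(vpc_cidrs):
    """Pairs of VPC blocks that overlap; such VPCs cannot later talk to each other."""
    nets = {c: ipaddress.ip_network(c) for c in vpc_cidrs}
    return [(a, b) for a, b in combinations(vpc_cidrs, 2)
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Constructed sample design: the default VPC plus two custom VPCs, one of
    # which was carelessly given a block that sits inside 10.1.0.0/16.
    design = ["172.31.0.0/16", "10.1.0.0/16", "10.1.128.0/17"]
    for cidr in design:
        print(cidr, "private" if is_rfc1918(cidr) else "NOT private",
              address_count(cidr), "addresses")
    print(carve_subnets("10.1.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
    print("overlapping VPC blocks:", overlapping_vpcs(design))
```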
so this is how you slice and dice your uh your vpc address space into different uh subnets or different availabilities on and as i mentioned before you can have multiple subnets within an within an availability zone and you can pick the address range accordingly right so all the address range should come from your vpc cider range right so that's why uh when you pick up this address uh you need to make sure that how many uh you know resources or uh you know at this uh you might need considering your future growth and all of that or your business growth all right so now we have talked about ip uh v4 so far and as we all know uh you know i guess almost a decade back people started to work on ipv6 support as well and we are also no different so um on aws also we support ipv6 and there are subtle difference between ipv6 and ipv4 uh one of the important uh you know differentiation is that um you cannot change this uh uh the these sub uh these address spaces so you can have slash 56 for vpc address or cider and you will have when you create subnets you will get 64 address space so you cannot change that and the other thing is all the addresses all the addresses that you get from ipv6 all are publicly routable so basically those addresses are uh are not private so they are uh you know routable outside so it's basically a unique address uh on this planet right so it's you need to think uh that way it's not a you know a private ip because we have millions and billions of ips so we can afford to you know have a uniqueness there so always remember uh ipv6 uh in your vpc are you know uh publicly routable okay unlike uh ipv4 where you you can have public ip as well as a private ip so now the way that uh it works within your vpc if you go back to the same slide it works in a dual stack so when you enable or when you need an ipv6 support uh you know you can enable that at the time of creation and uh it will get an ipv6 address for all your subnet okay just like how you get for 
ipv4 okay it's just that you cannot define this you will get automatically from aws all right so the last thing uh uh you know after we create a vpc and subnet is the routing right so how packet flows uh within vpc and not only within vpc but also outside vpc so uh the way that you know we define the routes is using a a root table or route table and it contains a certain rules okay so that means in the root table you define that if the packet is coming for a particular destination what to do right so this is where you put your routing table right and the default uh vpc and the subnets it will have a default uh root table but you can always create and assign that root table to any of the uh other subnets so you can define your own uh root table so how it looks like it looks like something like this if you go to any of the subnet and we can see that in the console as well but this is the route that you would see so this is let's say this is the vpc address range the whole cider range and it says active and this is for the ipv6 and it is also saying it's active so that means uh here all traffic which are designed within the vpc uh always stays within your vpc right so it uh it doesn't say at least at this stage what you see on your screen uh any instance that you create will not have any internet access right because uh for internet it will be a some public address right so let's say 8.8.8.8 whatever it is right so it won't it will not find any uh routing information from this table so it will not be able to process that okay and we are going to see that how we can connect to internet uh you know next but this is how a root table uh looks like okay so it has a destination and it has a target like if any traffic comes for this range of ips where to go so here local means stays within your vpc now talking about internet how it gets connected to the internet so let's uh look visually okay so uh so far you have seen this right so we have the vpc we have two availability 
zone and we have two four subnets so we have not talked about private subnet or public submit as you can see here the private public subnet and the the private subnet similarly we have another public and private subnet here but i will come back to this private and public thing uh in a moment but for now um as as it uh as the name defines uh or you might have got an idea uh private subnet is a subnet from where internet access is not possible and the public submit is a subnet from where you can access internet right so just uh hold on to this thought and we will see you know how it can access the internet but before we jump into you know how an instance from any of the subnet access internet i want to talk about you know these services which are highlighted in uh you know in colorful icons here so within aws we have lot of services uh that you create which stays within your vpc and there are a lot of services which are part of aws but they are not part of your vpc so basically these services like s3 dynamodb and so on and so forth they all have a public they all have a public address space so basically they are not um you know within your vpc it's kind of an internet facing a service although it is within aws but they all have an public address space okay so when we think about uh you know having any of your instance here uh talking to internet okay we need to consider uh not only this but we have to consider how it will talk to other services which which are within uh awf but not within your vpc okay so that's why we have uh you know shown all these public facing uh services as well as the generic internet okay so let's see uh you know how it all works so let's say you have four uh instances in all these four subnets so the first thing that we do is let's say if you want this instance a which is in this public subnet to have some connectivity we will have some route table right and this route table will have some rules as we have seen it will be by default local 
that means it can talk to any of the instance within this vpc similarly another instance in a private subnet will also have a root table and it will also have the same uh you know root entry or the uh the rule that it can talk to anyone within the vpc now to have an internet access what you need is you need to have an internet gateway and this is at the vpc level and that's why the icon is on top of you know all the all the subnets right and what happens is once you have an internet gateway you need to have an entry uh in your route table that for any of the address which are outside this normal vpc address range which is 110.1.0.0 because 10.1.0.0.16 is the vpc sider range right so if any traffic uh which is have the destination address x outside this 10.1.0.0 uh go to internet gateway okay that is what this entry means so you cannot just create an internet gateway and assume that all your instances within your vpc will have internet access okay so you need to update this root table now the moment you do that what happens is your when you try to access let's say when you try to access instance a tries to access internet it need to have a public ip right and all this mapping between that temporary public ip and the private ip is maintained by this internet gateway right and that is what this elastic ip is so this is the public ip and this is the private ip and this tuple is maintained by the internet gateway and now this instance a can talk to all the services which are there within the aws which are public facing or has a public facing address and not only that it can also access internet right so this is how any instance which are part of public subnet access the internet okay it's through an internet gateway that is the first thing that you do second is you need to add an entry in the uh route table that's all okay now the second immediate question comes uh what happens uh to public ins uh private subnets right so the way that uh you can have uh any instance 
which are in private subnet to have internet connectivity uh is through nat okay network address translator and why we need that assume that these instances are let's say the database instance or any backend server instance and they might need internet uh not always but at times maybe for patching or something like that right so in that case uh you need to have something called nat so that and that nat instance need to be in one of the public subnet okay so you might be getting an idea what we are going to do now right so the moment i you create a net instance you have to have an entry in this route table and say that anything which is having any ip except this internal vpcip ip range or cider range go to instance p now i give all the so instance c will give all the responsibility to instance b to take care of all the packets to go to the internet okay so now what happens is what nat will do is it will talk to internet gateway and it will have an ip again the same you know uh iptuple which contains the private ip and the public ip and it will manage that and it will allow an access to the internet okay so that's how uh you know the nat instance work right and this is how we have been telling our customers or developers to work with any instance which is in the private subnet which needs to have internet access but now we do not recommend that we do not recommend nat instance and instead of that we have come up with another product called nat gateway which is a much more scalable and an easy product so you can just create an ad gateway and you know you can just use the internet but since we have changed this uh nat instance to nat gateway we have to remove this entry in the route table and we have to give the new entry of nat gateway okay so that's the only difference so if you want to learn more about nat uh you know you can read the documentation it's basically an index system all right and it has some separate set of packages and all of that but uh now you don't 
have to manage all those ec2 instances which is running uh uh you know those special packages and all of that you can just create an ad gateway and you are done right so so to summarize uh whether it's public or private subnet to have an internet access you need to have a internet gateway and nat gateway uh depending on if you want any access from private subnet or public subnet if from public subnet you don't need any nat gateway uh you can go ahead with internet gateway and you're good okay so that's uh that's about uh uh routing and the last thing is the network security now there are a lot of uh you know uh different topics around network security and their security is one of the major thing within aws for any service for that matter uh so what we are going to do today is we will just touch base upon these three uh important uh constructs okay uh security group knackle and flow locks so let's start with security group so let's say this is your vpc and we have an internet gateway as you can see in the top and we have internet although these two doesn't matter but just uh it's there that's why i'm just saying but uh let's say you have seven instances and you have four instances let's say web web servers and let's say you have three instances of let's say database or any of the backend server and now what you want to do is you want to do um a different grouping of these two uh set of servers okay and this is what security groups are so it's basically a virtual firewall where you can define rules uh for a different set of groups and any instance within that group need to adhere to that right so in this case we have two security groups my web server and my backend server and now in the my web server i can say allow any web traffic on 0.0.0.0 and which makes sense right because it's an internet facing application that you are you are going to develop and these all are web servers so you need to have this access but your backend server only need to talk to the web 
server so in this case in this security group that is my backend server you will not have um allow to all zero all traffic on 0.0.0 right so here you can give access to only allow traffic only from my web server security okay so this is one of the best feature in terms of security or as far as the networking is concerned and this is how the security group would look like so let's say uh you you create two uh security group uh my web server and my backend server and now we have selected this my web server and if you see here we have a traffic on for all the http uh request from 0.0.0.0 right so all traffic uh it will allow uh similarly for ipv6 we have another entry but if you are not using ipv6 then only first entry would be there right now let's select the back-end server now the moment you see the back-end server you will see that in the source we don't have any ip but we have another security group which is nothing but the my web server security group right so this is very important that when you create a security group you you can either give a range of ips and not only that but you can also give another security group so that's how flexible it is because as and when your infrastructure grows your application go grows you know you might not want to you know define different you know rules for different ip ranges but uh you know you can group them all together in a logical uh firewall like a security group and you can use that security group uh to be part of another security group just in this case as you can see the back end uh security group allows traffic only from the the front end or the web server security group now uh this is a good so this is a virtual uh firewall and uh there is another uh security construct that we have called knuckle uh we are not going to go deep into knuckle but the idea about kneckel and security group if you look at the difference is this uh first is security group uh operates at the at an instance level uh but nekkel operates at 
a subnet level so you have to define a knuckle for a particular subnet whereas security group you can create different different security group and you can put different instances on that security group just like we have seen right web servers and the pack-in server security group and but what is the most important thing is uh in security group and knuckle is uh security group uh allows uh only uh it only allows uh allow rules okay whereas network acl or kneckel uh you can define allow as well as deny rules okay and a security group are stateful and that means if you allow traffic from a to b it automatically from b to a also it comes under allow rule but that may not be true for all the cases right so if you want to have a different set of rules for inbound and outbound you can use uh knuckle okay so that's what uh knuckle and security groups are uh one thing that you need to remember is how you know one is stateful and another is state uh stateless so like nickel and one operates at an instance level and another one uh operates at a subnet level so these are the two most uh you know important thing uh which we need to remember right so that's about network security and the last thing is the flow law so so far we have talked about how you can harden the security uh within your vpc right but we have not talked about you know how you can actually monitor this right how you know what traffic is coming and going and all of that this is where a vpc flow log comes into picture so you have your vpc and uh uh what you can do is you can enable or create flow logs now flow log can you can enable or create at different level you can create it at a vpc level or at an az or subnet level or at an instance level right all these three different levels you can have this vpc flow law and what it would do is it will monitor all the traffic and it doesn't read the payload but it just reads the description so it's not like it is reading your data but it will just have the information 
like from which source to which destination address which port to which port and so on and so forth right and it will tell you uh accept or reject so if you have ever played around you know where shark or any of the network traffic analyzer it is similar to that and once it analyzes it need to save the data so it allows you to save the data either in s3 or cloud watch right so uh these are the few things that you can do you can get a good visibility about your traffic within your network uh it is good for troubleshooting and obviously it is useful for analyzing traffic and this is how it looks like and what you can do to create one so you go to your vpc select your vpc um whichever you have maybe default or your custom vpc and then go to a flow log and click on this create flow log it's as simple as that okay and since we have seen that it has two destinations either it can be saved in s3 or it could be saved in cloud watch right it's up to you now the last thing uh before we wrap up on this section is uh you know how how this uh flow log looks like uh so there are a lot of distractions here but uh just try to focus on line number one and you will see that it has a source ip address right it has um the destination ip address so source at ip address is this destination ip address is this and this is the source port and this is the target port and then we have a few other information like when it has come how many bytes of information we have and whether it's an accept or reject and based on that you can have some uh maybe uh you would read this logs and you may take some uh you know do some analysis using uh athena maybe on s3 because all these data is is is dumped into your s3 bucket right so you can do a lot of analysis of about your audit and traffic flow control in general okay so that's about vpc flow log so the last thing on this is how about or what about dns we have been talking about ip ipip but there should be some dns service and surely yes so within your 
vpc we have two options that you can go with um we have a dns resolution and dns hostname both are enabled as you can see here and what this allows you to do is whenever you create an instance you know you don't have to remember the ip address of that it will automatically assign a host name and similarly it will uh it will do the you know resolution of those addresses when needed right so we do have the vpc have this dns options right so you can always make use of that so it automatically assigns host names to this instances okay so the last section which is so so far whatever we have discussed these all are basic and core uh constructs of vpc uh so these are the things that we should we all of us should know uh to what details it depends on uh you know what uh uh you know at what level uh you are working so if you are a software developer you may not need to know uh you know everything around how things work but if you are from the infrastructure a team or if you are an architect you may need to know little bit more beyond what we have just talked about okay so before we um uh you know go to the last section um i just uh want to check if if if we got any questions if not i'll just continue okay so it seems that we are good so i don't see any questions uh let me see um how do you link uh security group to vpc okay so i think gotham has asked one question so let's uh open the console okay so this is my console okay and this is my vpc i've just clicked on vpc and what we can do is we can come to security groups right let's say security groups and now we are going to create one security group so let's let's click on security group and we can give some name let's say my front end uh sg okay and we can have some inbound rules and outbound rules so let's say inbound rules as http s okay and let's say uh we gave to everyone okay and if you see here you can also define uh that uh let me just delete this you can also define my address so it will take your address 
automatically okay so let's go to custom and say 0.0.0 okay and let's come down and click on create security group okay we have to give some description let me copy paste here and create this so now this uh security group got created right and now the next thing what we can do is whenever we create an ec2 instance uh you know we can attach uh this a security group so we can put that or rather let me rephrase it we can have uh instance in this uh security group right so what i want to show you is let me go and create another security group okay so let me create go to security group create a new security group and here we will say uh my back end security group okay and in this case i'm going to uh have let's say tcp only tcp traffic and here i want to have the security group uh the front-end security group right so this is my front-end security so you can search it here it will automatically uh you know select uh the security group so this is my front end security which i have created and i can always uh create uh this security group so now uh when you create any resource like an ec2 instance yeah let's say any backend server you have to give this security group you know during the creation of ec2 instances okay so you can always create security group standalone okay so ankit is having a question uh could you tell us how a nat gateway uh work okay so behind the uh behind the scene uh what happens is uh basically if you look at um let me go back to the slide where is this give me a moment okay i'm just trying to fetch that yeah so what happens is basically if you look at if you look at this is what we want is just yeah so basically what happens is when you you create a net gateway it's basically an instance only right at the at the end of the day it's also a a system let's say linux system and what it does is it's uh it's kind of uh how you have seen any bastion host uh work right so you don't you don't allow any traffic from outside internet or to this nat gateway 
and then come to instance c it just do not allow so you can think of it as a kind of a security guard right so who can who has the visibility of outside world and the way that it does that is it takes all the packets from uh from any of the instance within that vpc and then it talks um to the internet gateway okay so it doesn't uh so the idea of having a private subnet is not to give uh you know internet gateway in this route table right if that happens then what uh what that eventually would mean is anyone you know anything in this subnet can talk to internet which we don't want right we don't want that so we just want um uh only output uh you know uh outbound traffic from this instance to internet uh to flow right not the other way around right so that's where the nat gateway uh comes into picture it just takes you know you can think of it as a gatekeeper and it will just translate the address from an private address to a public address without exposing the actual instance so if you see here when it is when it is trying to send the traffic from instance c to the internet to the internet it is not uh using that ip address so its ip address is 2.11 but here it's 1.11 so it is completely masking or whatever address it is getting or it's only nat gateway who has that idea or has that information from where it is coming so it might happen that instance d also can you know ask for internet access right maybe some patch download or upload sorry not upload uh maybe and uh patch uh upgrade or something like that right so that's how uh you know nat gateway can help okay so that's uh about this um so if you have any further questions uh let me know i'll uh you know i'll just uh you know take that offline okay so um uh is there any other yeah i think rahul has a question uh could you please tell aws firewall service i have not uh used other services uh so i may not be the right person rahul uh but uh i can share you feel few of the resources um which you can go over uh and 
you might get some insights, because there are a lot of products in that space in the enterprise market which I'm not aware of, but I'll be happy to share that information. Okay, there is a question; Amrutha is asking this: "Once I have deleted an old NAT gateway, it is not deleted properly; I created a new one and now I have multiple NAT gateways in the VPC, and now traffic black-holing is happening. How to find the old one and delete it?" Okay, that's an interesting question. I am not very sure why you are not able to see it; I think you should be able to see the old NAT gateway as well. But even if you have the old one, if you have created a new one and if you have updated the route table with the new one, the traffic should use the new NAT gateway, not the old one. So this is a specific thing; if you have anything, you can send the screenshot or maybe the command output and I can try to see. All right, so what else? Yeah, I think: "Any private NAT, any reference document?" Yeah, there are a lot of references; I'll share them with you. If you don't mind, if you can ping me on LinkedIn, I'll share them with you. All right, so what else? Okay, so "Does it work like a router which has DNAT enabled?" I did not get the question; can you just repeat it once? Okay, so by that time I'll just move on to the last part. Okay, so I think Tala has a question: how will an instance in a private subnet access other AWS services like S3 and DynamoDB? So as we can see here, there are different ways that it can access them, but if you consider this, it will access them the same way as it accesses the internet. So the traffic, let's say this instance, instance C,
tries to access S3: it will use this NAT gateway, it will go to the internet gateway, and then from the internet gateway it will go and get the S3 access. But there are other ways that it can access them, which we are going to touch upon next; but this is the basic one. Okay, so let me put this into the presentation more and then we will try to finish this off. Let me come to the slide.

All right, so we talked about VPC and different components within the VPC, but how about different VPCs? Let's say you want to connect from one VPC to another VPC, or you want to connect to your on-premises data center. If you have an on-premises data center, how will you connect? We talked about VPC, but now we are thinking big, outside your VPC. Now there are different services that we have: one is VPC peering and another is Transit Gateway. So VPC peering came first, and we will discuss how Transit Gateway is helpful, and you may not always use VPC peering if you're running at that big a scale; we are going to talk about that, but let's start with VPC peering. So how does it work? Let's say you have a VPC A, we have another VPC B, and we have VPC C and VPC D. So now what VPC peering says is that if you want two VPCs to talk to each other, you just have to create two different peerings: there will be one peering between A and D and another peering between B and C. So similarly, as you might have guessed, if I want to have some connectivity between A and B, I cannot just go through a different path; I have to have another path between A and B. So that's what VPC peering is about: it's between two VPCs, and you need to create more and more peerings as and when you need them. So you can think about this: it is quite cumbersome if you have lots of VPCs and you want all the different VPCs to talk to each other. All
right, so this may not be that scalable, and also this is the point which I was talking about initially, that your IP range should be unique. If you have two VPCs of the same range there will be an IP overlap and they won't be able to communicate, and this is where the planning of the IP range at the time of VPC creation comes into the picture. So now, how do you create a VPC peering? It's pretty much like a TCP handshaking protocol, if you're aware of that. The first step is, let's say one of the VPCs, like in this case the left-hand side VPC which is 31.0.0, initiates a request, and the other side accepts the request, and then at the end what happens is you need to just update the route table. So if you see the route table now, this route table is the route table for this VPC. Don't look at this table, but in this route table we should have this IP address, and this is exactly what we have here, and in this case what we are saying is, as a target, we are giving this VPC peering construct. So that means that now any traffic can go from this VPC to this VPC. Basically you have made a route between any of the instances from this VPC to this VPC. Similarly, if you have multiple VPCs connecting to each other, you need to update all these route tables in all those VPCs. So it's a little bit cumbersome, but this is what we have to do.

Now how about connecting to other VPCs, and not only that, how about connecting to on-premises systems or a data center? This is where Transit Gateway comes into the picture. As we have seen, without a Transit Gateway, which we have not discussed yet, with VPC peering if you have two VPCs you will have a VPC peering; you will have another two VPCs, you will have another VPC peering, and so on and so forth. This will clutter a lot as and when you grow, and similarly,
if you have your own data center, in that data center you have to first create a customer gateway, or rather you can think of this as the VPN which you might have in your data center, and then you will have a VPN connection between different VPCs; like, for every VPC you need to have a different VPN connection. All right, this is one of the ways you connect your on-premises infrastructure with AWS, and there is another way called the AWS Direct Connect gateway, and in this case also, if you want to have the connectivity within your VPCs, you have to have connectivity between each and every VPC like this. So you can think of this as a very cluttered architecture as you grow, and this is where Transit Gateway comes into the picture. So you have two VPCs, and what you do is you just create a Transit Gateway, that's all, and then you connect these two VPCs. Similarly, if you have two more, you don't have to create another VPC peering as we have seen before; everyone can now talk to the Transit Gateway. So not only within AWS but also from your on-premises data center, using a customer gateway and VPN. So Transit Gateway is the single construct, a virtual construct, which can talk to other VPCs, not only within your AWS account but also outside, within your data center. So this is how Transit Gateway works. You might ask, if this is so good, why do we need VPC peering? So it's up to you which one to select, and we need to think about which one we should go with. If you have a smaller number of VPCs then you don't have to create a Transit Gateway; you can go ahead with VPC peering itself, but if it's more, then you may like to think about Transit Gateway. Okay, so there are some limits, but these numbers keep on changing, and we really don't want to spend much time on that. Okay, so one last thing that I
have is how you actually connect to your on-premises network from your VPC. So let's say you have the VPC here and this is your office or data center, and this is your VPC. There are two different ways you can connect: one is using AWS VPN, which we just touched upon, and the other one is Direct Connect. Let's talk about AWS VPN first. What you do is you create a customer gateway first in your data center; this would be your networking device, so it could be a router or a firewall or whatever. Next, what you create is a virtual private gateway in your VPC, so this is all AWS here on this side. The moment you create that, you can have VPN connectivity, and what it does internally is we create two IPsec tunnels, and the reason that we have two separate IPsec tunnels is because we have two separate VPN termination endpoints in two different availability zones for high availability. So if you are not using any dynamic routing protocol like BGP, for example, you may have to update the route table within your VPC, as you can see here. So that's how you create it: first you create a customer gateway, then you create a virtual private gateway, and then you just have VPN connectivity. But this may not always be good, because you may not want your data to flow over the internet from your data center to AWS; you may not always want the transfer to be through the internet, although it's secure and all of that, but still you may not want that. In that case we have Direct Connect. So how does it work? It's pretty simple; just like before, you have a VPC, you have your AWS account, you have the virtual private gateway, and you have your data center, this is your customer environment or your office network. Now what you do is you
have to check on the AWS website where the Direct Connect locations are. There are different Direct Connect locations; you have to pick the location which is nearest to your office or this customer network, and these Direct Connect locations are the places where we have lots of networking gear, routers and ports and all of that. So you can connect your data center with Direct Connect either yourself or through any of the partners that we have, and once you have that, you will have your virtual private interface talking to your VPC. Not only that, someone was asking how to connect to AWS public-facing services like S3 and DynamoDB: you can connect through the public virtual interface, all using Direct Connect, so that you don't have to go over the internet and all of that. So it's basically a direct tunnel to your AWS account. Okay, so that's about how you can connect to your data center from your VPC.

I know there is a lot of content that we have discussed today. I did have a few more slides on a few of the advanced topics like VPC sharing and all of that, but I think you can get those things on your own; it's pretty straightforward, but those are slightly advanced topics and you may not need them unless you are from an infrastructure background. So that's all from my side. I see there are a few more questions; let me just check one or two. There is a question from Ankit: "we create rules"... okay, you are just responding. Okay, yes Ankit, you are correct. So, "Through Transit Gateway, can we access on-premises machines?" Yeah, that's correct, you can have access, but you need to have either a VPN or a Direct Connect. If you see here, where is that? Yeah, when you have a Transit Gateway you still need a Direct Connect or this VPN network to connect to
your AWS account. All right, so all this middle part is AWS and this is your customer gateway or customer data center, your on-premises data center. So you can either use Direct Connect or VPN connectivity as we have just seen. Okay, so "Could you please tell about Direct Connect and Transit Gateway?" Yeah, sure. Basically, if you see here, the way you can think of Transit Gateway is how you can remove this mess. In VPC peering what happens is two VPCs talk to each other, only two VPCs, and every time you need to have connectivity you need a one-to-one connectivity. So it's not that scalable, and that's where Transit Gateway comes into the picture. Now it's a single construct: you connect all your VPCs to this Transit Gateway, and now this Transit Gateway can talk to everyone outside AWS, whether it's on-premises or whatever. Now, how to connect your on-premises to the AWS network is a different thing altogether. How you connect your on-premises to your AWS account or AWS network is through either AWS VPN or Direct Connect. Whichever you choose, feel free to choose, and once you choose that, then you can use Transit Gateway to actually talk to your VPCs. Okay, excellent. So, "What is the best strategy to migrate?" Migration is not only about networking; there are a lot of things in terms of the application, and networking is one of the crucial things to think about, but when you think about migration we need to think more from the application standpoint. But if I assume that you have considered everything from the application standpoint and you are just talking about the infrastructure, in that case you may start with AWS VPN, because Direct Connect is something you can do later on. So you can
just have VPN connectivity and you can test how things are working across, not two data centers, but from your data center to AWS. So that should be the first thing that you can explore, and then if things go fine and you have a very big business you may like to go ahead with Direct Connect, because everything is secure, but at times you may not need the internet, you don't want your traffic to go through the internet, so in that case you can use Direct Connect, and also it will have less latency because you have direct access to the AWS resources. Okay, so "How different is the networking in AWS Outposts?" JB, I have not worked on AWS Outposts; I'm not very sure what the exact difference is, I do not work on that, but the basic concept should be the same. When you think about Outposts, it's basically the hardware that we ship to on-premises, so you get all the features and flexibility that you could get on the cloud; but now how you connect that to AWS, let's say you have an AWS resource in the cloud in your account, and how you connect through Outposts, I'm not very sure because I have not worked on that, but I can find that answer for you. "You talked about unicast traffic; what about..." Yeah, so we don't have broadcast and multicast. That's a good question; we don't have anything like that. We do have some... so when you create a subnet, you have a subnet IP range, and within that IP range I think there are five addresses which are reserved. Let me just find out if I have that open. We don't have anything like what you are talking about, but I just want to show you... yeah, okay, I found it. So these are the five addresses which are reserved
for any subnet that you create. If you see here, let me just zoom in a bit. This is also important from a sizing standpoint: when you create a subnet, whatever address space you use, always subtract five addresses, and those five addresses are used for specific reasons, and those are the first four addresses and the last address. The last address is the network broadcast address; we don't support broadcast in a VPC and that's why it is reserved, so you cannot use it. This one is for future use, this is the network address, this is for the VPC router, and another one is for DNS, for DNS host resolution and discovery. So that's about this; we don't have anything like broadcast or multicast within the VPC which you can change or tap around. Okay, cool. I guess I'm already running over time, but feel free to ask questions, maybe on LinkedIn; I'll take that forward. I can keep on talking, but since it's evening time you might have some other work, but if you have any other questions, I am online, you can ask me and I'll be more than happy to answer. Thank you so much for all of your time, really great questions; feel free to ask more questions. If you want, let me just show you quickly; I wanted to share a few other things, which are these: VPC sharing and VPC endpoints, because endpoints are something important. I'm not going to share it today because we don't have much time, but I'm going to have the same session with these details on the reskill platform; I think Karthik can share that link. You can go over that maybe next month, and we'll have some quiz attached to this, and I'll take a few of your questions as quiz questions. There are a lot of good questions that you have asked, but feel free to hang around next month if
you want to know more; otherwise, as always, feel free to ping me anytime on any platform of your choice. So, back to you Karthik, thank you so much for your time. Hey Suman, thank you so much; the session was really interesting, the audience really enjoyed it, and guys, please feel free to reach out to Suman on LinkedIn if you have any questions for him, as he said, and you will find all the links mentioned in the stream chat. So thank you all for joining today. Thanks, thanks everyone, have a great evening, and bye bye, take care, bye everyone.
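Editor's added example, not part of the talk and not AWS tooling: a small Python script that turns four points from the session into checks a practitioner can run offline. It lists the five addresses AWS reserves in every IPv4 subnet (network, VPC router, DNS, future use, and the unused broadcast address) and the resulting usable host count; it finds VPC CIDR pairs that overlap and therefore cannot be peered; it classifies a route table as public (default route to an internet gateway), private-with-NAT, or isolated, which is the check for a "private" subnet that accidentally got an internet gateway route; and it lists NAT gateways that no route table references, which is how you would locate the stale gateway in the multiple-NAT-gateway question. The route entries and all IDs and CIDRs are constructed sample data shaped like the DestinationCidrBlock, GatewayId and NatGatewayId fields of ec2:DescribeRouteTables, not a live API call.

```python
import ipaddress
from itertools import combinations


def aws_reserved_addresses(subnet_cidr):
    """The five IPv4 addresses AWS reserves in every VPC subnet: the first four
    (network, VPC router, DNS, future use) and the last one (broadcast)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError("expected an IPv4 subnet between /16 and /28")
    base = net.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "dns": str(base + 2),
        "future_use": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr):
    """Sizing rule from the talk: total addresses minus the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def overlapping_vpc_pairs(vpc_cidrs):
    """Pairs of VPC CIDRs that overlap; VPC peering between such a pair cannot route."""
    nets = {c: ipaddress.ip_network(c, strict=True) for c in vpc_cidrs}
    return [(a, b) for a, b in combinations(vpc_cidrs, 2) if nets[a].overlaps(nets[b])]


def classify_route_table(routes):
    """'public' if the default route targets an internet gateway, 'private-with-nat'
    if it targets a NAT gateway, 'isolated' if there is no default route at all."""
    for route in routes:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-with-nat"
    return "isolated"


def unreferenced_nat_gateways(nat_gateway_ids, route_tables):
    """NAT gateways that no route in any table points at: the candidates for a
    stale gateway left behind after a delete-and-recreate."""
    referenced = {r.get("NatGatewayId") for rt in route_tables for r in rt}
    return sorted(set(nat_gateway_ids) - referenced)


# Constructed sample data (hypothetical IDs and CIDRs, not from a real account).
PUBLIC_RT = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
]
PRIVATE_RT = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0new"},
]
ISOLATED_RT = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]

if __name__ == "__main__":
    print(aws_reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
    print(overlapping_vpc_pairs(["10.0.0.0/16", "10.0.1.0/24", "172.31.0.0/16"]))
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, classify_route_table(rt))
    print(unreferenced_nat_gateways(["nat-0old", "nat-0new"], [PUBLIC_RT, PRIVATE_RT]))
```

To use this against a real account, feed `classify_route_table` and `unreferenced_nat_gateways` the `Routes` lists from `describe-route-tables` and the IDs from `describe-nat-gateways`; a route table tagged as private that classifies as "public" is the misconfiguration the talk warns about, and any ID returned by `unreferenced_nat_gateways` is safe to investigate for deletion.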
Info
Channel: CodeOpsTech
Views: 387
Rating: 5 out of 5
Id: P3PPdJ5hlYs
Length: 64min 51sec (3891 seconds)
Published: Wed Sep 29 2021