AWS VPC Basics - Understanding what is VPC and Calculating CIDR for VPC and Subnets

Video Statistics and Information

Captions
Well, [speaker introduction garbled in the captions]. In this video we are going to see networking in AWS, and this is the most important topic, because networking is the thing which decides the security of your application architecture, as well as whether your application can scale, and how you design the traffic, the security groups (or say firewalls) and the routing decisions you take. So this is one of the most important topics and I want you to learn this topic by heart. OK, so as you know, before jumping into the AWS world, first let's see how networking happens in the physical world, or rather maybe in your company network, how it works.

Well, you have a network which is something like this in your company, right? So this is a private network; we are talking about the private network, right? So, OK, this is a private network and say it's Company A. OK, now in this private network, when you go to your office, probably you log into your desktops or laptops, and these laptops are connected over a LAN, something like this. So as you know, all these computers are connected over a LAN, and the routing between these computers is done using a device called a switch, right, which typically works at a lower level of the networking protocol and works with the ARP protocol (Address Resolution Protocol), so that this machine can talk to this machine over the MAC addresses, right? They can talk to each other because the switch handles all the communication. And then in your company you might similarly have other LANs, maybe on another floor, or maybe other teams, and their computers are all connected over again another LAN, and there is another switch, right? OK, but when this machine, say this is machine A and this is machine B, this one wants to talk to this one, the switch cannot do this, because now you are going out of your network and connecting to some other network, and that's where we need some other device which can handle that traffic, and which we know is called something called a router, right? Now this router can connect the switches, and the router works at a higher-level protocol, maybe the IP layer, and it understands the IP addresses, so that this machine can talk with this machine over the IP address. And in this topology, if you see, there would be multiple such LANs in your company like this, and many LANs all connected using again routers, and then these routers would again be connected, and finally there could be one or more routers which allow an inbound and outbound connection to the Internet. OK, so that means your company has something like this network, and now what we are saying is, this is probably a physical network; what we want is to simulate this network in Amazon. So if you want to go to the Amazon world, right, so this is my AWS cloud and I want a similar network like this; that component in AWS is called a VPC, which is a Virtual Private Cloud. OK, so let's go back to the presentation. The formal definition of a VPC is: it's a private cloud which enables putting the virtual network into the cloud, and then you can simulate the physical network. OK, so this is what I just explained: a traditional network versus a virtual network. We will dig deep into what all these things are, and we will see everything: what an Internet gateway, router, subnets and everything are. So I hope this diagram is pretty much clear.

OK, before we jump into the VPC I want you to understand this hierarchy, because as we are starting with our AWS sessions you might be confused what regions are, what accounts are, whether accounts are within the regions or the other way around. So understand this diagram. As of now you can ignore this organization stuff, but you can consider that you have an AWS account, right? Everybody has this account, and once you have an AWS account you can use any of the available AWS regions. So there are around 19 regions at the moment, out of which maybe 16 you can use, so you can operate in any of the regions. For our use cases typically we will operate in the Mumbai region, and the North Virginia region sometimes. So every account can operate in any of the regions, and then every region has one or more VPCs; that means in one region you can create multiple VPCs. By default Amazon restricts the count to five, but you can increase that limit as well. OK, clear? So let's go ahead.

OK, one more thing: there are a lot of AWS services that we are going to see, and these different AWS services have different scope, which means some services work at account level, like billing, or IAM, which is Identity and Access Management, and Route 53, which are global services, right? They have an effect on all the regions and all the services which work below that global level. Then there are some services which operate at region level, like S3: you create a bucket in a particular AWS region, or you create a CloudFront distribution or DynamoDB tables. While some of the other services, really EC2 and RDS, work at AZ level: as explained earlier, every region has two or more availability zones, so when you launch an EC2 machine you are creating it in, say, AZ1 or AZ2 or AZ3, because one machine cannot span multiple AZs, because those are physical data centers. Similarly databases: you create them in maybe one AZ or another AZ, so the scope of these services is the AZ. Load balancers, yes, they can span across AZs, which means they can send traffic across AZs, and that's the benefit of using a load balancer: it can balance the load across the EC2 machines which are across availability zones. So the point is, different AWS services have different scope, or different levels at which they operate. OK, let's move ahead.

So this diagram, probably it's a simple two-tier architecture, or in fact a three-tier architecture, where you have the DNS, it points to the load balancer, there is a web server layer, an app server layer, databases. So it's a fairly simple application which you can architect in AWS and use these AWS services to host. So the part we are looking at is this virtual private cloud, in which we will launch our web servers and application servers and databases. So today we are going to see how to design a VPC, the various VPC components and how to use them. OK, so the first thing we want to see is to make ourselves familiar with the VPC terminology. Just one more thing here: as I explained earlier, some services work inside a VPC and some work outside a VPC. So in one AWS region, if you want to launch EC2 machines you would have to launch them inside a VPC, or if you want to launch databases, inside a VPC. But some services, they are not created inside a VPC because they are being managed by AWS, right, and you don't have any control over where you launch those services; they are in your region, but not under a VPC and under your control. OK, let's move ahead.

Let's understand the VPC components. So VPC: this orange area you see is a VPC; the gray area is a region. So imagine we have a Mumbai region and in the Mumbai region I created one VPC. Now a VPC is one private address space, like your company's private network: in that network you would have a lot of hosts, that means machines, and machines would have IP addresses. Similarly a VPC is one big address space, and we can divide this address space into smaller address spaces which are called sub-networks, or subnets. So here the blue boundaries, the blue boxes that you see, are nothing but the subnets or sub-networks. One thing to note: a subnet and an availability zone have a one-to-one mapping. That means a VPC can be created in the region, and when you create a subnet inside a VPC you decide which AZ the subnet belongs to. So you can create a subnet in either, say, AZ1 or AZ2. Now imagine this is the Mumbai region, which has just two availability zones, so I can create subnets, I mean, either in AZ1 or AZ2, and I can create as many subnets in AZ1 and as many subnets in AZ2, but one subnet cannot be in two AZs at the same time; it's a one-to-one mapping. OK, so a VPC is a big address space, a private address space, and then we divide the VPC into smaller address spaces which are called subnets; we will see how to do that.

Now every VPC has something called a route table, which decides, or which takes the routing decision, how the traffic has to go in or go out of your VPC, and we would have a lot of rules in the route table which decide whether your machines are going to be accessible over the internet or they are private. All those things will be decided by what rules you put in the routing table, so the route table takes those routing decisions. OK, the next thing is firewalls. So in any VPC you could have two levels of firewall: there is one firewall which works at EC2 instance level, which is called a security group, and another firewall which works at subnet level, which is called a network access control list. So these two firewalls have different properties and different purposes, which we will see shortly, but the thing to remember is that a security group works at instance level and the network ACL works at subnet level, which means whatever rules you put into this firewall will be applied to all EC2 instances, and whatever rules you put inside a security group apply only to the EC2 instances to which the security group is attached. OK, so far so good.

OK, just to revise: there is an AWS region; in one region there could be multiple VPCs; a VPC is a big private address space; we divide VPCs into smaller address spaces which are called sub-networks or subnets; a VPC also has route tables which take the routing decisions, how the traffic will flow in or out of your VPCs or your subnets; and then there are two types of firewalls, one at subnet level which is called network ACL, and one at EC2 instance level which is called security group. OK, let's move to a few more components, like the Internet gateway. Now what is an Internet gateway? This allows the internet connection to your VPC; that means if you want to connect to any EC2 machine inside your VPC from outside, you need to have this Internet gateway. So it basically connects the Internet to your VPC. Typically, whenever you launch your application and you want to host some websites or some web server or web applications, you would typically have to make it public, so that the outside world can access your application. In that case you would have to put an Internet gateway attached to your VPC, so that anybody on the internet can connect to your application or use your application. So the Internet gateway allows that connectivity. One more gateway which I want to mention is the virtual private gateway. Now the virtual private gateway allows a private connection between the Amazon network and your on-premises data center network. Now why do you need this? Suppose you want your VPC to be very secure, where you don't want to open any connection over the internet, that means you don't want to put an Internet gateway, but still you want to use the applications which are hosted inside your VPC over private IP addresses. In that case you can connect these two networks using, say, a VPN connection, and in that case you need a gateway at the Amazon side, which is called the virtual private gateway, and then you can form VPN tunnels between these two networks, so that the machines inside the VPC can access machines inside the data center and the other way around. So this also we will see later, in the advanced networking section. OK, to reiterate: there is an Internet gateway which allows the internet connection to the VPC, and then there is a virtual private gateway which allows the VPN connection between the Amazon VPC and your on-premises data center. I hope things are clear.

So let's move ahead and understand more about the VPC. The first thing we want to see is VPC addressing. So whenever you create a VPC you need to give it some address range, and that would be a private IP address range. And if you remember, from maybe your degree days, there was networking and there were Class A, Class B, Class C kinds of addresses, and every class had a few rules, like the first eight bits of the IP address will be reserved for the network and the rest, 24 bits, will be allocated to the hosts, like this, right? So those were called class-based network addressing, but the modern thing now is Classless Inter-Domain Routing, also called CIDR notation, in which we represent IP address ranges, which are IPv4 addresses. So when you create a VPC you also need to give an IP address range in the CIDR notation. Now in that CIDR notation it would be something like this, and this is called the prefix of that notation. Now what is the role of the prefix and how do we understand this address? Let's see.

Before we actually see CIDR, first let's understand how IP addressing works. So you know IPv4 addresses: there are 32 bits, right, so that means there are in total eight bits, dot, eight bits, dot, eight bits, dot, eight bits, and if you see, it goes up to 0 to 255, dot, 0 to 255, dot, 0 to 255, dot, 0 to 255. So any IP address would be in this range; so the first IP address is like this and the last IP address could be this, right, and it is like 32 bits: 8 bits, 8 bits, 8 bits and 8 bits. OK, now in this address range, if you see, for example I have these 8 bits, 8 bits here, 8 bits here, 8 bits here and 8 bits here, or let me just erase this and redraw the things. OK, so what I am doing now is, suppose I have 8 bits, 8 bits, 8 bits and 8 bits. Now what I do, as per Class A and B and C: suppose I want to have a Class A address. Now in that case Class A says eight bits are reserved for the network and the rest of the bits are for the hosts. That means out of 32 bits, eight bits are reserved, so how many hosts can I have in a Class A address? 2 raised to 24; how 24? 32 minus these 8 bits, and whatever number it comes to. If it's a Class B address, the first two octets are basically reserved for the network, so Class B would have 16 bits given to the network and the rest of the 16 given to the hosts. So how many hosts can I have? 2 raised to 16, which comes to around 65536. Now if it's a Class C address, probably the first three octets are given to the network, so in total how many hosts can I have? Only 8 bits, which comes to 256.

OK, now with modern addressing, with CIDR notation, you use similar things but you represent it in a different way, right? You express the addressing in this form: X.X.X.X/X. Now this X is called the prefix. So for example, if my address is this, 10.10.0.0/16, what does it mean? This means these 2 octets, or 16 bits, are allocated to the network and the rest of the 16 bits are allocated to the hosts. So how many hosts can I have in this network? So let's calculate. So the first host in this network would be this, right; the next host IP addresses in this network will be this: .2, .3, .4, up to say .255. Then what will I do? I just keep these two fixed, because I am fixing the 16 bits for the network, but the rest I can change, so the next would be .1.0, .1.1, .1.2, likewise. So how many addresses can I have? How to calculate this? So 16 bits I have given to the network, so in total how many bits I have for the host addressing is: the total 32 bits minus the 16 bits I am giving to the network; so in total 16 bits I have for the hosts. So the total hosts I can have is 2 raised to 16, which is 65536. That means if I create a network with this CIDR notation I can have 65536 IP addresses for hosts. OK, now let's apply this logic to our VPC. So suppose I am creating one VPC in Amazon and I give my VPC an address range of 10 dot, now this time I can take any number from 0 to 255, so 10.100, say .0.0/16. Now with the previous calculations, as we are saying 16 bits are given to the network, so those are fixed for this VPC, but I can have any numbers for these two places. So how many hosts can I have? Again 32 minus 16 equals 16 bits I have for the hosts, and the total number of hosts I can have is 2 raised to 16, which is 65536. OK, now let's take another example: what if I have the VPC with address range, say, 10.10.0.0/24? Suppose I created a VPC with this CIDR notation; then what would be the total number of hosts in this? Now if you see, 24 bits I am giving to the network, that means this is fixed for my VPC, and I have only this fourth octet in which I can have the hosts. So how many hosts can I have? Again, 32 minus 24 given to the network; the total bits available for the hosts is 8, so the total number of hosts I can have is 2 raised to 8, which is 256.

OK, now let's apply this analogy, and what I want to do now is, I want to have this VPC, which has this many addresses, 65536, divided into smaller network address spaces which we call sub-networks. Now when I create sub-networks I need to decide what should be the size of the subnet; so say I want every subnet of size 256 hosts. So what's the first address in this VPC? The first IP address is 10.100.0.0, and what is the last address in this VPC? 10.100.255.255, because we are fixing these two numbers; that means they cannot change for my VPC, so every host would have these two numbers fixed, but they would have these two numbers changing. So the first host probably would have this address and the last would have this address; however, we cannot really use these addresses, the first and the last, but just for the time being just imagine that. OK, so this is my first address in the VPC, say, and this is my last address in the VPC. Now what I want to do: I want to divide this complete VPC address space into smaller address spaces which are called sub-networks, and I want every subnet to be created with a size of 256. So what will be the IP addresses in the first subnet? So this is my first address; now the second address will be this, the third will be this, then the fourth, fifth, likewise; the last address in the subnet should be this. Now this is my, say, first subnet. Now what will be the next subnet of 256? 10.100.0, we already reached up to 255, so we cannot increase it further, so it's .1.0; this will be the second subnet, and this is the first address in the second subnet. What will be the second address in the second subnet? .1.1, likewise up to .255; so this is my second subnet. Now likewise I can go on increasing this number and I can have multiple subnets, and this would probably be my last subnet, and this is the last address. So how many such subnets can I have in total? If you see, this is one subnet, this is two, likewise; I can have 256 subnets, and ultimately if you see the total count, it will be 256 subnets, every subnet has 256 hosts, so ultimately the total comes to 65536 again. OK, same as your total VPC address range. So what essentially we are doing here is, we are dividing one big VPC address space into smaller address spaces of 256 size each subnet.

Now let us understand how to denote these 256-sized subnets in the CIDR notation. OK, so let me erase this again. I have a VPC with the address 10.100.0.0/16, right, which means this is for the network, this is for the hosts. Now I want to create a first subnet, so I create a subnet of 256. Now you know, right, if in the subnet you need 256 hosts, 256 is equal to 2 raised to 8; that means 8 bits I need to give to the hosts and the rest of the bits I will give to the network. So how many bits will I give to the network? Equal to 32 minus 8, equal to 24 bits. So in CIDR notation I would have /24 for my subnet, like this. So my first subnet would have the CIDR address as this. Now what does it mean? That means the first address in the subnet is this, and then you have the first 3 octets given to the network and the last octet given to the host addressing. So the next address in this subnet would be 10.100.0.1, 10.100.0.2, likewise .0.3, .0.4, .0.5; likewise we would have the last address in this subnet as this. Now this is my first subnet, right, which has the address 10.100.0.0/24. Likewise, what would be my next subnet, subnet 2? What would be the address? 10.100.1.0/24, which means this subnet starts from this address and then it goes like .1, .2, .3 up to .255, right? So what I mean is, when you create a VPC you can create it with a maximum CIDR of /16, so that you can have the total IP addresses in this VPC as 65536, OK, and then you can divide this one big address space into smaller-sized subnets, and those subnets can be of any size. Here we are creating subnets of size 256 each, but you can create even smaller subnets, of size 16 also.

OK, so let us take one more example. Suppose I create a VPC again with this CIDR notation, right, and now I want to create subnets, but I want to create smaller-sized subnets, not 256; I want every subnet to be of size only 16, which is the minimum size you can create. Now if you want to create a subnet of size 16, what should be the CIDR prefix for that subnet? Now let's calculate that. I want a subnet of size 16, which is represented as 2 raised to 4, right; that means in my CIDR notation 4 bits I will be giving to the hosts, and 32 minus 4, equal to 28 bits, I will give to the network. OK, with that analogy let's always start from the first address, and let's put /28 as our first subnet address. Now if my first subnet has this address range, then what will be the last address in the subnet? So let us calculate that. Now I have this as the first address in the subnet; the next addresses are .1, .2, .3, but as you see I have only 16 addresses in this subnet, so the last address in this subnet will be this. Now this is it, and that's it; it finishes at .15, because the size of the subnet was 16. That means the next subnet address would be, 10.100.0.15 is over, 10.100.0.16/28, and this will go up to .17, .18, up to .31, right? Now this is my second subnet. What will be the next subnet? Like .32 to .48, likewise. So now I'm not creating subnets of 256 size each, but I am creating subnets of size only 16 each; this is size 16, this is size 16. So how many subnets can I create in this VPC? We know the total addresses I can have in this VPC, 65536, and every subnet is of size 16, so whatever this number comes to, that many subnets I can have in this VPC.

OK, so you need to practice it a bit, because it is confusing sometimes. But for our demo purposes, or whatever we will be using in exercises, what we will do is we will use any of the address ranges which are given in the presentation for the VPC, like 10.10.0.0/16, or we can use, say, 192.168.0.0/16; this is for VPC addressing; or we can have 172.31.0.0/16, right? So the maximum size you can have for a VPC is /16; that means if you are creating a VPC with CIDR /16 you can have a maximum of 65536 IP addresses inside the VPC, right? So we can create our VPC with any of the CIDR ranges; typically I like to create it with 10.100.0.0/16, say, but that does not matter; you can choose whatever private IP address range you want out of these ranges. OK, and then we will always create subnets with size 256; that means in this VPC we will always create subnets probably with something like this /24; the next subnet we will create is 10.100.1.0/24, then the next subnet will be 10.100.2.0/24. So these are like subnets, every subnet of size 256; we can go on creating such subnets and then launch. So this is my subnet 1, this is 2, this is 3, likewise; so in all our exercises we will be using this kind of subnets. OK, let's move back to the slides. So we have this, and as you can see the maximum size of the VPC could be /16 and the minimum size could be /28; so if you are creating the VPC with CIDR /28 then only 16 IPs you can use. One more thing which I wanted to mention is, in every subnet the first four IPs and the last IP address Amazon reserves for its internal routing, OK, so you cannot use those IP addresses. That means if you are creating a subnet of size 256, only 251 IP addresses you can use, not more than that; if you are creating a subnet of size 16 then only 11 are the usable IP addresses.
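The CIDR arithmetic the video works through on the whiteboard (addresses per prefix, carving a /16 VPC into /24 and /28 subnets, and the five addresses AWS reserves in every subnet), as an added worked example in Python; this is not code from the video or the channel. It assumes the limits the speaker states (VPC CIDR between /16 and /28, no subnet smaller than /28, first four and last address reserved) and uses the ranges from the video (10.100.0.0/16 and the like) as constructed sample input.

```python
"""CIDR arithmetic for AWS VPCs and subnets, following the video's whiteboard.

Added worked example; the limits below are the ones the speaker states.
"""
import ipaddress
from typing import List, Tuple

VPC_LARGEST_PREFIX = 16    # /16 is the largest VPC block (65536 addresses)
VPC_SMALLEST_PREFIX = 28   # /28 is the smallest VPC or subnet block (16 addresses)
RESERVED_PER_SUBNET = 5    # first four addresses plus the last one, kept by AWS


def parse_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Parse a VPC CIDR and enforce the /16../28 and private-range rules."""
    net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 is handled here")
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: VPC prefix must be between /16 and /28")
    if not net.is_private:
        raise ValueError(f"{cidr}: VPC CIDR should come from a private range")
    return net


def is_valid_vpc_cidr(cidr: str) -> bool:
    """True when parse_vpc_cidr accepts the block, False otherwise."""
    try:
        parse_vpc_cidr(cidr)
        return True
    except ValueError:
        return False


def host_count(cidr: str) -> int:
    """Total addresses in a block: 2 ** (32 - prefix), as on the whiteboard."""
    return 2 ** (32 - ipaddress.ip_network(cidr).prefixlen)


def prefix_for_size(size: int) -> int:
    """Prefix length that yields exactly `size` addresses (256 -> /24, 16 -> /28)."""
    if size <= 0 or size & (size - 1):
        raise ValueError("subnet size must be a power of two")
    host_bits = size.bit_length() - 1   # log2(size)
    return 32 - host_bits


def address_range(cidr: str) -> Tuple[str, str]:
    """First and last address of a block (10.100.0.16/28 -> .16 and .31)."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def aws_reserved(cidr: str) -> List[str]:
    """The five addresses AWS keeps in every subnet: the first four and the last."""
    net = ipaddress.ip_network(cidr)
    first_four = [str(net.network_address + i) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign: a /24 gives 251, a /28 gives 11."""
    return host_count(cidr) - RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr: str, subnet_size: int) -> List[str]:
    """Split a VPC into equal subnets of `subnet_size` addresses, in address order."""
    vpc = parse_vpc_cidr(vpc_cidr)
    new_prefix = prefix_for_size(subnet_size)
    if new_prefix < vpc.prefixlen:
        raise ValueError("a subnet cannot be larger than its VPC")
    if new_prefix > VPC_SMALLEST_PREFIX:
        raise ValueError("subnets smaller than /28 (16 addresses) are not allowed")
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    vpc = "10.100.0.0/16"   # the range the video uses for its VPC
    print(vpc, "holds", host_count(vpc), "addresses")
    for size in (256, 16):
        subnets = carve_subnets(vpc, size)
        print(f"{len(subnets)} subnets of {size}: {subnets[0]} .. {subnets[-1]}, "
              f"usable per subnet = {usable_hosts(subnets[0])}")
    first_24 = carve_subnets(vpc, 256)[0]
    print("reserved in", first_24, "->", aws_reserved(first_24))
```

`ipaddress.ip_network` is called in strict mode on purpose: a VPC or subnet CIDR whose host bits are not all zero (for instance 10.100.0.1/24) is rejected instead of being silently rounded down, which is the mistake the whiteboard arithmetic is meant to catch.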
Info
Channel: AWS Training Center
Views: 54,727
Rating: 4.9193277 out of 5
Keywords: AWS VPC, CIDR
Id: O3fgul-fJCk
Length: 31min 59sec (1919 seconds)
Published: Wed Nov 27 2019