AWS VPC Endpoints (What You Need To Know)

Captions
If you've ever wanted to learn about AWS VPC endpoints, then this video is for you. Hi, I'm Michael Gibbs, I'm the founder and CEO of Go Cloud Architects, and today we're going to be discussing VPC endpoints.

So before we begin discussing VPC endpoints, a little quick refresher on what a VPC is, especially because there's a little bit of confusion out there, we find, with new students when it pertains to learning VPCs and VPC networking. So a VPC, realistically speaking, is a virtual private data center. And I know people often call it a virtual private network, but for those of us that have a networking background, a virtual private network is effectively creating a network over a public network and then encrypting it with something like IPsec, so a VPN tunnel; that's where we would think of a virtual private network. But in this case you're not just getting a network from AWS, you're getting a data center: the ability to have your computing systems, your storage systems, your security systems. So that's much more of a data center, so we like to think of a VPC as a virtual private data center.

Now, as you can see in this graphic, what happens is when you're using the AWS cloud, you're using their infrastructure, and it's a shared infrastructure. But even though you're in a shared infrastructure and all of their customers are on that same shared infrastructure, they're logically separated. So it's kind of like a virtual private network on a virtual private data center, and even though they're in a public environment, they're logically isolated and they're effectively private environments.

So let's talk about what VPC endpoints are. VPC endpoints are really a means of connecting a VPC to another AWS service over the AWS network, or even to another organization or another VPC over the AWS network, and that's how they're going to enable you to do things. Now, if you were not going to use a VPC endpoint, you'd actually have to go over the internet, and we're going to show you that in a graphic in about a moment.

But in this particular case, the reason you want to use the private connectivity is that with AWS your internet connections are of limited speed, and you have to pay for data that goes out and then back. And since you're going to have to pay to send your data to the internet, and it's a public internet, and your elastic network interfaces are limited to a certain speed on your internet gateway, the internet is going to be the slowest way to do it. But it's not just that. If you purchase a gigabit connection to the internet, for example, you have a gigabit to the internet, but that doesn't mean the internet has a gig of available bandwidth from you to your destination, and that doesn't mean that all the service providers along the way don't have congestion. So with the internet, performance is not guaranteed: you can guarantee what you get to the internet, but anything can happen on the internet. But with a private line, and in this case with the VPC endpoint, we're going to be using a private network, so you can guarantee performance. One gigabit a second is one gigabit a second. You can guarantee latency, and you can guarantee that there won't be any variations in latency, or jitter, which can severely affect voice or video applications. So when you're dealing with a private network you're going to get better performance, lower latency, and you're going to get higher security. Yes, you can encrypt your traffic on the internet and it's very secure, but if it's private it's even more secure; you could even encrypt your data over a private network and further secure it. And it's actually going to be cheaper to not traverse the public internet, because you're going to be charged for that. So it's going to be cheaper and faster and better, and anytime in technology when you can achieve better, faster and cheaper, it's a definite solution for you.

So without an endpoint, as you can see in this graphic, I've got my VPC, and on my VPC I want to connect to S3. So without an endpoint you can see I'm going up, I'm crossing the internet, and I'm going back into S3. Now in this particular case I actually set up endpoint communication, so with endpoint communication it's going to go directly from my VPC to S3 through that endpoint and that kind of private line kind of service. It's not PrivateLink, but it's like a private line, for those networking people that are used to that.

So endpoints are going to be these super highly available, highly redundant, scalable entry points into a service, and what happens is there are going to be multiple of these that are going to be redundant. So when you're connecting to an endpoint, it's going to be a logical device that's going to be highly reliable. And there are two kinds of endpoints: gateway endpoints and interface endpoints. They're somewhat different and there's a lot of confusion around them, so that's why we did this; we're going to explain this very clearly to you.

A gateway endpoint is a high-speed, high-security connection to an AWS service, but it's a connection to DynamoDB or Amazon S3; that's really where you're going to be using this. And the way this works is you're going to create the endpoint, connect to the endpoint, and it's going to place a route in the routing table to reach whatever's on that endpoint. That's how it's going to work: it's going to be in your VPC routing tables, and what that's going to do, as we talked about, is not go over the internet; it's going to allow private access to, say, S3 or DynamoDB from your VPC.

Let's talk about Amazon S3 endpoints, because they're ones that are very often made and there's a lot of confusion around this. So what's going to happen is when you create an endpoint for S3, you're going to set up a prefix list and a VPC endpoint, which are kind of creative. So you've got this prefix list, and that's going to be the route that's in your routing table, so you can point to whatever the resources are. And it's not going to look like a traditional route on the routing table; it's not going to be like where you've got a subnet, and it's not like a default route, where you'd have 0.0.0.0/0; that would be a route that you would typically see. This thing is going to look like pl- and then you're going to have a whole bunch of numbers or letters. But the point is, it's going to look a little different, but it's really a route to the service, and it's just going to work via traditional routing.

So looking in this environment, if you look in this graphic, what you can see is we've got a VPC with two subnets, and in one of the subnets what we've done is we've created an endpoint pointing to S3. You can see in the routing table of this particular subnet that you have not only the generic route for the VPC, that's your CIDR range, which is going to be local; you're going to have the directly connected subnet, which is what you're using in the VPC, which is going to be local; you're going to have a route to the internet gateway, because there's an internet gateway, and that's going to be your default route; and you're also going to have the prefix list that's attached to, basically, your route to your S3 bucket. And that's how you're going to connect internally.

Now what's really great about these kinds of endpoints is you're connecting your network to the alternative network. So let's say for example I have a traditional environment, a somewhat traditional environment, meaning I've got a data center but I'm also using the cloud. We find many organizations have a multi-cloud environment or a hybrid cloud environment, and this is a hybrid cloud environment. And it's great because it enables the organization to leverage the assets that they purchased for technology and offload certain things to the cloud. It gives them control of what they need versus outsourcing, for maybe offloading or disaster recovery. And this could be a transition plan, or this could actually be required by the organization: maybe they're a finance company and they need super low latency, and just the time that it would take to go back and forth to the cloud, those few milliseconds, might affect an application. And this is not a normal environment; in certain environments you have to design your... you always design your data centers and your cloud environments based on your business's needs.

So in this case we've got our corporate data center, which has got a VPN connection to our VPC, and our VPC is connected via an endpoint to an S3 bucket. Now my corporate data center can actually access the data in the S3 bucket over our encrypted connections, which is great. The way it's going to work is you're going to get a DNS name for the bucket, and you're going to tell your corporate DNS server how to reach the S3 bucket by placing an entry in there, and then all of your devices in your corporate data center can now reach the S3 bucket. And this is a great, fast, secure way to do things.

So let's talk about gateway endpoint security. Most people will tell you that you'd set up your endpoint policies and that'll secure it, and that's true: you can set up great IAM policies, and that's a great way to secure it. But here's where it gets better: because you're using routing, you can use routing to seriously enhance your security posture. So if you don't have a route to a service, you can't reach it, and you can't hack it. So what you can do is you can limit the routing information so that the only subnets that will have the routing information to reach the S3 bucket, for example, will be those that need it, and therefore all the other subnets in your organization won't be able to reach it, just because they don't have a route on the routing table. So this is something that people typically don't remember unless they're coming from a routing perspective like me, or a network engineering perspective: if you don't have a route you can't reach it, and if you can't reach it you just can't hack it. So in this case you can actually limit your routing information by using route filtering; you can make sure that only the people that need to access it are even able to, long before you get to IAM.

Now the next type of endpoint we're going to talk about is called an interface endpoint. An interface endpoint is a way to connect to different types of AWS services, such as the EC2, Systems Manager, Kinesis or Elastic Load Balancer APIs, but it's also a way to connect to external services hosted by AWS partners, and it's also a way to connect VPCs to other VPCs; that's different as well. But typically you're going to use this environment to connect to a VPC and a service VPC. And this is different than a gateway endpoint, because there's not really going to be a route on the routing table. What's going to happen here is you're going to create this interface endpoint, and it's really effectively like an elastic network interface in your VPC, and it's going to use your private addressing scheme. And even though it's using your private addressing scheme, if you're connecting to another organization that's using the same private addressing scheme, it's not going to be a problem, because the way these interface endpoints are set up is they assume that there'll be address overlap and they automatically use NAT. So this is a way to connect to another organization and not have to worry about the IP address conflict between your organization and the external service. So when you create these interface endpoints, AWS is going to generate an endpoint-specific DNS name, and that way you can connect to the endpoint via its DNS name.

Now the way these interface endpoints are connected is through something called PrivateLink, and PrivateLink is kind of like a virtual private line over the AWS network. It uses the elastic network interface and it really restricts all traffic between the VPC and the customer service, so it's a great way to limit the traffic between them. Now you can see in this diagram here that we've got a VPC that's related to the service provider, and on the left side of this diagram we've got the customer, and the customer is connecting to their service provider via the interface endpoint, which is using PrivateLink for communication back and forth. So think of it this way: interface endpoints are effectively an elastic network interface in your VPC, and you're going to use these to connect to AWS services or services hosted by other customers or people, or in the Marketplace. And you're going to use a private address from your private address pool, but it's not going to be a problem, because when you're connecting to the external service provider, NAT is automatically used.

And let's talk about the difference, because you could use VPC peering to connect a VPC and another VPC service provider, but there are some subtle differences. When you do VPC peering between organizations, effectively full access is there; the full routing information that is necessary to reach the other side is exchanged. So in this particular case the way you would control things is through IAM policies and IAM roles and cross-account roles and other IAM methodologies when you're dealing with crossing things across accounts through VPC peering. But with PrivateLink you can basically only set up the link for whatever subnet or service is necessary, and you can filter these things ahead of time. So it's not like you could even use the services; the services wouldn't even be there for you to use an IAM policy and then block them. The service just won't be there. So PrivateLink is going to be a very scalable solution. With VPC peering you can do a moderate number of connections; it can always change, but the last time I checked it was 125 connections that you could do with VPC peering. But PrivateLink is much more scalable: you're going to be able to achieve maximum throughput and deal with thousands of links. And what's going to happen is the throughput will be achieved by setting load balancers prior to your servers, but you've got very fast links, and you can use a load balancer with high-performance servers, so you're going to get much better performance and scalability with PrivateLink as opposed to VPC peering. And with VPC peering, if two organizations are using the same IP address space, they're not going to be able to talk to each other, whereas when you're using PrivateLink it's automatically using that, so you don't even have to worry about the addressing schemes.

So now you know the differences between interface endpoints, gateway endpoints, and VPC peering versus PrivateLink. We hope you've enjoyed this video very much. Please remember we have an AWS Certified Solutions Architect Associate ebook, all you need to pass the AWS Certified Solutions Architect exam; it's available completely free, and the link is in the description below. We also do weekly mentoring for free every Monday at 2 p.m. Eastern time. We invite people, and for 90 minutes we let them bring us any questions as it pertains to the AWS Certified Solutions Architect exam. Someone may have a question on, say, the difference between an NACL and a security group; they bring it to us, we answer them live. We do this because we know sometimes when you're studying it's hard to know everything, and we want to do everything we can to help you pass your Certified Solutions Architect Associate exam, the AWS Certified Solutions Architect Professional exam, or any exam that's part of your certification journey into cloud computing. Thank you so much for watching this video. We look forward to seeing you in a new video next week. Take care.
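The video makes two security points about gateway endpoints: a subnet only reaches S3 through the endpoint if its route table carries the pl- prefix-list route pointing at the vpce- gateway, and the endpoint policy is the second layer on top of that. The following is an added example, written for this page and not code from the video or from Go Cloud Architects. It audits which subnets in a VPC have that route, using data shaped like the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-subnets` return, and it builds a gateway endpoint policy scoped to named buckets and a single AWS Organization. The subnet, route table, endpoint, prefix-list and organization IDs and the bucket name are constructed placeholders, not real resources.

```python
# Added example (not from the video): audit which subnets reach S3 through a
# gateway endpoint, and build a restrictive S3 gateway endpoint policy.
# Input dicts mirror the JSON of `aws ec2 describe-route-tables` and
# `aws ec2 describe-subnets`; every ID and name below is a constructed placeholder.
import json

# Constructed sample: one VPC, three subnets. Only subnet-app's route table has
# the prefix-list route to the S3 gateway endpoint; subnet-web has only a default
# route via an internet gateway; subnet-db has no explicit association, so it
# uses the main route table, which carries the local route only.
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-app", "VpcId": "vpc-demo", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-web", "VpcId": "vpc-demo", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-db",  "VpcId": "vpc-demo", "CidrBlock": "10.0.3.0/24"},
]}

ROUTE_TABLES = {"RouteTables": [
    {   # main table: implicit association for any subnet without its own
        "RouteTableId": "rtb-main", "VpcId": "vpc-demo",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-app", "VpcId": "vpc-demo",
        "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            # the gateway endpoint route: a pl- prefix list pointing at a vpce- target
            {"DestinationPrefixListId": "pl-example-s3", "GatewayId": "vpce-example-s3", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-web", "VpcId": "vpc-demo",
        "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
        ],
    },
]}


def table_for_subnet(route_tables, subnet_id):
    """Return the route table a subnet uses: its explicit association if one
    exists, otherwise the VPC's main table (the implicit association AWS applies)."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def s3_path(route_tables, subnet_id):
    """Classify how a subnet can reach S3 at layer 3:
    'endpoint' - active prefix-list route whose target is a vpce- gateway endpoint
    'internet' - no endpoint route, but a 0.0.0.0/0 route via igw-/nat-
    'none'     - neither, so S3's public ranges are unreachable from this subnet"""
    rt = table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "none"
    has_default = False
    for route in rt["Routes"]:
        if route.get("State") != "active":
            continue
        target = route.get("GatewayId", "") or route.get("NatGatewayId", "")
        if "DestinationPrefixListId" in route and target.startswith("vpce-"):
            return "endpoint"
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and target[:4] in ("igw-", "nat-"):
            has_default = True
    return "internet" if has_default else "none"


def audit(route_tables, subnets):
    """Map every subnet in the VPC to its S3 path classification."""
    return {s["SubnetId"]: s3_path(route_tables, s["SubnetId"]) for s in subnets["Subnets"]}


def s3_endpoint_policy(buckets, principal_org_id):
    """Gateway endpoint policy allowing only the named buckets and only callers
    from one AWS Organization. On a gateway endpoint the Principal stays "*";
    the aws:PrincipalOrgID condition is what scopes it down."""
    resources = []
    for b in buckets:
        resources += [f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowNamedBucketsFromOurOrgOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": principal_org_id}},
        }],
    }


if __name__ == "__main__":
    for subnet, path in audit(ROUTE_TABLES, SUBNETS).items():
        print(f"{subnet}: S3 reachable via {path}")
    print(json.dumps(s3_endpoint_policy(["app-data-bucket"], "o-exampleorgid"), indent=2))
```

To run this against a real account, dump `aws ec2 describe-route-tables --output json` and `aws ec2 describe-subnets --output json` and load those files in place of the constructed dicts. The three-way classification matters for the "no route, can't reach it" argument from the video: removing the prefix-list route only isolates a subnet from S3 if that subnet also has no default route through an internet or NAT gateway; otherwise its S3 traffic simply falls back to the public path. The endpoint policy is a separate layer and does not replace bucket policies or IAM; S3 evaluates all of them, so a bucket policy with an `aws:SourceVpce` condition is the usual companion check on the bucket side.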
Info
Channel: Go Cloud Architects
Views: 31,481
Keywords: aws vpc endpoint, AWS Privatelink, aws gateway endpoint vs interface endpoint, vpc endpoint for s3, aws endpoint interface vs gateway, aws vpc peering, AWS certified solutions architect 2021, cloud computing AWS certification 2021, AWS certification 2021, AWS csa professional, SAA-C02, aws network specialty, aws security specialty, amazon web services certification, amazon web services tutorial for beginners
Id: 6QS9YFGu5WI
Length: 15min 11sec (911 seconds)
Published: Wed Jan 20 2021