AWS Networking Masterclass - VPC

Captions
Hello everyone, thank you for joining in. This is Faizal. Let's go ahead and get started with the session, guys. This is going to be a master class session on VPC, which means we are going to cover as much as possible about VPC. We'll go back to the basics as well as cover some advanced topics on VPC. However, I have to remind you that VPC is a very vast topic, which means we actually cannot cover it in a single sitting here, so I've split this up into two parts. So what we will be doing today is part one, which should mostly cover almost everything to do with VPC. The part two is actually more about external connectivity that comes into the VPC. All right.

All right guys, so let's get started and let me give you a quick introduction about myself. My name is Faizal Khan. I am the founder and CEO of a company called Ecom India Cloud IT, or EICIT for short. So what we do as a company is we are a born-in-the-cloud company and we're a managed cloud solutions provider, which means we actually help customers migrate onto the AWS platform. This includes architecting solutions for them, doing a little bit of development, then doing the actual migration and implementation, and post that we actually help with the monitoring aspect of things as well. So it's an end-to-end solution provider that we have. We have different additional solutions on our own as well, like we have an e-commerce solution where you can just put up your own e-commerce website directly on our platform. We also have a few other hosting solutions and domain solutions as well which are independent from AWS. Personally, I have about 13 plus years of experience in IT infrastructure management, and as most of you already know, if you've dealt with the AWS cloud you know that it's almost always about infrastructure management. So this is a word that you hear quite often with AWS, which is infrastructure management, because AWS is all about implementing existing solutions or implementing existing resources in a different way, right? So it's not a completely new technology per se. All right.

Apart from this guys, I do do training as well, as you might already be aware by now. Mostly my training is concentrated around the Solutions Architect course, which is kind of a 15 day course that I cover, which goes in-depth into the solutions architect side of AWS. So if you are ever interested in taking a course, please feel free to have a look at our website, our training website. Okay.

Having said that, let me give you our agenda for today. So we're gonna take a quick look at how things were before VPC actually came into being, or what was the need for VPC, you know, what does it solve, what are the new things that it brings into AWS. Then we will look at all the actual VPC concepts. We look at what VPC is and what are the different components that VPC actually has. We'll look at how the architecture for VPC is done, as in how you're supposed to build a VPC. Post that we'll actually go back a little bit into networking basics, right? So we look at how IP addressing is done, especially how IP addressing is done within the VPC. We look at things like CIDR blocks, we look at private and public IP addressing, subnets and all of that. Then we'll move on to the routing aspect within VPC, so we'll see how traffic is actually routed within the VPC, and then we look at a new functionality of VPC which is actually VPC endpoints. Post this we'll actually go ahead and do a little bit of labs, which means we will go ahead and set up a VPC, we will configure it, and we will do a little bit of testing with our EC2 instances as well. Post that lab session we will take a look at the different security aspects of VPC, as in, you know, what are the different options you have in terms of securing your VPC, and also, you know, how do you log traffic that's flowing through your VPC. The next two topics, which is VPN connectivity and Direct Connect, these are actually two very extensive topics. These two topics I intend to cover in much more detail in the part two of our webinar, which is probably another day, but I will touch on these two topics in order to understand, you know, what this is and how do you make use of it and how it helps you, right? But obviously we will go into much more detail in depth on these two solutions, which is VPN connectivity and Direct Connect, in part two of our webinar. All right.

Having said that, let us take a look at what are the prerequisites. Okay, I assume that, you know, you have knowledge of the AWS global infrastructure, because I'm not going to go back and, you know, kind of cover what regions are or availability zones are etc. I also expect you to have a little bit of a basic understanding of networks, which means like what is a router, what are IP addresses etc., right? Also I hope that you know how EC2 instances work, because we'll be using a couple of EC2s, so I'm not going to show you, you know, what certain commands are within the EC2 and all of that, but I'll just run them and show you how it's done. Okay, any questions guys before we proceed with the session? Are we good so far? I do want to say that because this is a streaming session there is going to be a slight delay of maybe about five to ten seconds, guys, so sometimes I'm finishing my sentence and you're hearing it 10 seconds later, so there's going to be a little bit of delay. So if you ask any questions, please bear with me while, you know, that question is gonna take a few seconds to come up for me to see it. All right guys, so let's move on.

Let's first take a look at, okay, let's talk about how life was before VPC. So before VPC, let's assume that this is the AWS cloud, right? So what you used to do is, the AWS cloud before the concept of VPC came in, it was a flat network, which means this whole thing was kind of like a single network which was shared
with everyone else. So, you know, you didn't kind of have your own network, you were just using the same network that literally everyone else was using, although, you know, you did get different IP addresses and things like that. So let's say you started an EC2 here somewhere in the cloud, then you went ahead and started another EC2 here, then you started another instance somewhere else, then another one for your DB or whatever, right? Now the thing is that if you kind of try to visualize this, you'll figure out that these are basically disjoint systems, which means these systems are not kind of in a single network that you own and you control. They're just part of a larger shared network, which means it's open to other issues that open networks have, which means if anyone else gets access to any part of that network they can easily get access, I mean they can try to get access to your VPCs, because this is not a dedicated network and these are all disjoint systems. And if you had to communicate between these systems, it was all like external communication so to speak, because it was not within your own network. So what that means is that if anybody else also started another EC2, and then they start another EC2 as well, you see that your systems are in the same network as the other systems, right? So this was kind of a network issue, security wise. I mean, not much, I mean it was secure, but it's not really something that you should be comfortable with, right? Because it's a flat network that anybody else can directly launch EC2 instances into, right? And when you had to control the access to these EC2 instances, what you had was individual access controls. So if you wanted to protect this first system, if you wanted to block port 80 and if you wanted to block other access, you had to do it on this system itself, and then you had to repeat that on the other system, then on the other system, and then on the others, like it was kind of a management nightmare because these were all individually separate systems, disjoint. You had to individually manage these systems because they were not part of a core network, and when you were going to try to access these systems you had to kind of access them directly with their public IP addresses. You couldn't actually access the network and then from the network go into the systems; that was not possible, because each of these systems is an individual entity and each of them had a public IP and a private IP address, so you had to kind of get onto each EC2 instance.

Now this is where VPC comes in, because what VPC does for you is it kind of allocates a part of the cloud as your own network. So if you think about it, you can think about it like this, where, you know, I take off this chunk and I call this my network, right? So now this is my VPC, right? It's obviously not like, don't visualize it like this, but the idea is that now you have your own network and you can control the IP addressing in this network, you can control who has access to this network, and in fact now what you can do is when you're trying to connect into this network, you can connect to the network and then literally you can go into all of the systems individually. You don't have to go into the systems individually directly, but rather you connect to the network and then you can communicate with private IP addresses to all of these systems. So this is the idea of VPC.

Now let's take a closer look at what are the different functions or features that VPC brings in. So VPC is essentially short for Virtual Private Cloud. It kind of creates your own network within the AWS network, so instead of having a flat network where everyone else is starting EC2 instances on the same network, now you get your own little network which you can actually control. So you kind of get your own network and you can kind of have your own IP addressing on that. We will cover this IP addressing in a little bit more detail later on. So let's say you have your own network and then you can have your own systems in that network and you control this network, right? You are the administrator for this network, no one else has access to it unless you decide to give them access to it, and all of these systems can communicate internally with their private IP addresses. You can connect to this network to communicate with the private IP addresses of the instances etc., right? So you basically get your own chunk of the network.

Now the key point to remember here is that this is a virtual network, right? So it is not a network where you are getting a physical part of the AWS network. You don't get that, right? You don't get a physical network within AWS. It's more or less a virtualized network on top of the physical layer. What this means is that there's two options here even under virtual, which is you can take something called dedicated tenancy as well. You can let AWS handle this virtual network, which means they will use their network routers to create a virtual LAN, so to speak, for you. So those of you in the Cisco world and things like that, you might have heard about the term VLAN, so that's kind of what it is, right? You get your own VLAN. However, you can tell AWS to actually give you dedicated hardware that manages your network. So instead of using routers that are actually managing multiple networks, you can ask AWS to give you your own router, which is dedicated hardware which controls your VPC. All right, again this does not mean that you're actually getting a physical network. You are basically getting devices that are dedicated to you that control your VPC, instead of having devices that are shared that are still giving you the VPC. I don't want you to confuse this at the moment. This is something called dedicated tenancy, which not a lot of people use in general, unless you're of course a corporate who's actually trying to secure
your network, to take your network to the next level and secure it from external hardware.

A virtual private cloud is basically having your own defined network within AWS. It allows you complete control of your networking environment, which, like I mentioned, you control the access as to who gets into your network, what kind of traffic goes out from your network, etc. There is something called VPN and Direct Connect, which I kind of touched on in the agenda. You can connect your network to the VPC from your existing network. For example, let's say you have your existing data center, right? This might be your data center, this might be a corporate office, this might be anything outside of AWS, okay? And then you have the AWS cloud, and then you have your VPC in the AWS cloud, and obviously you have your systems inside your VPC. Now using VPN or Direct Connect, what it allows you to do is it allows you to connect your existing router in your data center, it allows you to make a direct connection into the VPC, okay? Now when you do that, when you make that connection, essentially what happens is this whole thing, that is your VPC plus your data center, becomes a single network virtually, okay? Not physically; it virtually becomes a single network, and then what you can do is you can communicate with your systems from the data center into your systems in the VPC using private IP addresses, okay? You don't need to go out to the internet in order to communicate with your systems, you don't need to use the public IPs, you can just use the private IPs and get connected to those systems, right? We will talk about this in a little bit more detail as to, you know, how you can connect all of these things together, but this is something that VPC allows you to do, which means it allows you to make a direct connection from your existing data center, it allows you to make a VPN or a Direct Connect into your VPC, and then your internal systems in your data center can communicate with your systems inside your VPC using private IP addresses, which means you don't need to expose your network into the public network.

If you have multiple VPCs, you have a VPC one here and then you have another VPC somewhere else, you can actually connect these two VPCs together, and systems inside these VPCs now can talk to each other by enabling something called VPC peering, right? We will again discuss this in a bit more detail. It basically allows you to connect multiple VPCs together and transmit traffic between them without having to go out over the Internet. Till about a few months ago, in fact till before, I think, sometime before October of last year, there was only VPC peering that was allowed within a single region, but since then they have released VPC peering across regions, which means if you have a VPC, let's say, in the Indian data center in Mumbai, and you have another VPC in the US East zone, you can basically connect both of those VPCs together with VPC peering without having to worry about, you know, different options like VPN or Direct Connect or any of the other things. You can directly connect both the VPCs together and have them talking to each other. We'll try and demonstrate this in our lab session today. Okay.

Now I'm going to help you visualize this to understand this a little bit better, so that you can figure out how these things work together. Now I want you to visualize this as the entire AWS cloud, okay? I know it looks better than this but this is the best I could do, so please bear with me, okay? So this is the AWS cloud platform, and on top of this, or inside this cloud, you're basically going to build your VPC. So this is your blue layer, which is your VPC. This is the chunk of the network that you have subscribed for yourself, so no one else can take this network; this network is yours. Now what you have to do is you have to split your network into smaller chunks, because sometimes managing a large network like a /16, which has a lot of IP addresses, to be precise more than 65,000 IP addresses, so sometimes managing those many IP addresses is not a good idea. So what you would do is you would actually split them into smaller chunks known as subnets, right? Basically these are sub-networks of your main network, your main network being your VPC. So think of these green boxes or these green platforms as your subnets. So you have your VPC and then you have these green platforms which are your subnets, okay? So you create your subnets in your VPC. We will obviously discuss what a subnet is and how you create that, all of that, in the coming slides, but just try to visualize this for now. What you would then do is you would actually put your different EC2 instances depending on your application, right? So in one subnet you might put all of your databases together, right? There might be another subnet inside which you put all of your application servers together, right? Then there might be another subnet in which you put all of your web servers together. So the idea is when you break up subnets into smaller chunks of the network, you can put systems that perform a similar function under the same subnet, right? Because we will see later on as to how you can control the access to these subnets. So the access that this subnet has might be different from the access that this subnet has, because you're going to specify certain rules. So what you can do with subnets is, once you split it up and make it into smaller chunks, you can give different subnets different access levels. So what you can do is, for your database subnet, you can completely prevent external access to your database subnet, which means no one from outside your VPC can connect to your databases except for the systems in your VPC. However, for your web servers you have to allow external access, because those are web servers, they are web facing servers, right? So in this way you can actually
control your different subnets inside AWS. Now you obviously have a router that sits within your VPC that does all the traffic routing between all of your different subnets.

Now let's say you actually have your office network, right? This is your data center or your office network, and you have your own little router or your gateway in your office. Now we talked about connecting the data center or your office with the VPC, right? In order to do that you have to introduce something called a virtual private gateway, right? A virtual private gateway. What this virtual private gateway allows you to do is it allows you to connect your existing on-premises data centers or your existing networks inside your corporate office; it allows you to make a connection into your VPC. Now when you do that, like I told you before, the whole thing basically becomes a single network, a single private network. So now it's as if the VPC and your data center or your corporate office is in the same network. Now you can talk to the other network just as if it was the same private network, because now both of them are connected together using something called a virtual private gateway, which allows you to connect both of these networks together. Now having said that, remember I told you, if you have your server inside your existing office network here and you want to communicate with your database servers, remember I told you that you might want to configure this subnet in a way where you do not want to allow external access to your databases, right? So anybody trying to come into the databases from outside your network will be denied access. However, because your corporate data center is now connected to your VPC using the connection here, either using a VPN or a Direct Connect, now you can talk to the virtual private gateway, which then talks to the database layer. So now you can connect to your databases from within your office and your databases are not accessible to anyone outside the world, outside the VPC. However, you can still open up certain subnets to the outside world. So we talked about our web server subnet, right? Now I can still allow external access to my web server subnet, so anybody coming from the Internet can still access my web servers because I have allowed the access to happen. Now we will definitely see how that works; we will talk about route tables and subnet access and all of that. So I hope you have got a better visualization of how these things happen on AWS.

I'll pause here for a moment and I'll ask if you have any questions before we go ahead and proceed with the rest of the session. So the question is, can I connect multiple corporate offices to the same virtual private gateway? Yes you can. However, remember that the virtual private gateway has a limitation of 1.25 gigabits per second bandwidth, so you might run into problems if you have multiple networks connecting into that and your bandwidth is exceeding that, right? However, you can definitely do that. All right, I will wait for another 15 seconds to know if you have any other questions. All right, I hope you guys are able to follow what I'm saying here. Okay, there's a question: I assume you'll explain VPN and Direct Connect. We will be touching on VPN and Direct Connect towards the end of the session and I will be explaining all the, you know, parameters and requirements, but not in depth, because like I mentioned, that in depth is going to be in the part two, right? Okay, Raj has a question: what exactly is 10.0.0.0/16? So don't worry Raj, we are going to cover that in much more detail when we actually go into the IP addressing part, so that you know how those IP addresses work in the VPC. Subnets and AZs are the same? No Serena, they are not the same. Subnets are just smaller chunks of your network. You can have multiple subnets in the same availability zone or AZ, you can just use one AZ for all your subnets, or you can use multiple AZs for all your subnets. It doesn't really matter, but they're not the same thing. We will see that in the next slide when we look at the architecture.

All right, so I'm going to go forward and this is how the architecture looks, guys. So this image, I want you to kind of burn this image into your memory, because if you're ever going to be dealing with VPC this is kind of the first thing that you have to do in terms of architecting, which means you have to kind of draw the diagram and how everything fits together. Now let me explain this to you. So in the outer layer you have AWS. Within AWS you have different regions, right? So you have the Mumbai region, you have the US East region, you have the US West region, several other regions that are there. Whichever region you're creating a VPC in, you will have this, one second, okay. So you have your region and within your region you have all your availability zones, right? I am taking an example of a region with three availability zones. It's not that each region will have only three; there are some regions which have six availability zones, some which have five, some which have three, but the minimum is two. In a region there will always be at least two availability zones, okay? So you have your availability zones, and then within your availability zones you'll actually create your VPC. Now when you create your VPC, you're creating your VPC in the region. You can't create it within a particular availability zone. When you create a VPC it stretches across all your availability zones, all right? And within your availability zones is where you go ahead and create your subnets. Now it's not necessary that you have to use all your availability zones; you can just use two. So let's take an example where you have AZ 1c, and you might not have any of these subnets; this might just be blank. That's perfectly fine, right? It's not necessary that you have to kind of have subnets in all of your availability zones; that's not necessary. So you have your VPC, which stretches across all the availability zones
but remember a VPC is always within a region; it does not stretch across regions, right? If you want VPCs to connect together within different regions you use VPC peering, where you have a VPC in one region, you have a VPC in another region, and then you connect them together using VPC peering, but we'll discuss that later. So you have your availability zones and you have your subnets that are there. Now don't worry about what a public and private subnet is; we'll go into detail of what that is, but you need to create public and private in order for you to define what your applications are. Remember I showed you the slide before where I told you that you might want to put your databases in a subnet which does not have internet access, right? That's where you would put your databases. So you would put your databases in your private subnet, all right? Or any servers that do not need access to the Internet, right, or should not be allowed access from the internet, you put them in something called a private subnet, and obviously all your web servers and everything, you'll want to put it in your public subnets. Now remember, when you create a subnet there's nothing called a public or a private subnet. When you create a subnet you just create a subnet, right? It's later on when you start defining rules for your subnet that that subnet either becomes a private or a public subnet. And when you make a subnet public, you can later on change that and make it private, or if you already have a private subnet you can change the routing information and make it public. So the thing called private and public subnets, they're not static, guys, and it's not something that you create as a private or you create as a public. You first create a subnet, and then later on when you go change the routing information you decide whether you make that subnet public or whether you make that subnet private, right? We will definitely see how we make that, all right? Don't worry about that. I think there is a question here, okay, I'll touch on that question later. Okay, so this is kind of the architecture, right? You will have your availability zones and your VPC will be stretching across all of these availability zones, and you will have different subnets in all of these availability zones, inside which you will place your systems.

Now let's go ahead and have a look at all the different components of a VPC. Now I will come back and touch again on the subnets; I've kind of talked about it a little bit. Now we will come back again and look at how you create subnets, how you define the different IPs for your subnets and all of that. We will touch on that a little bit later on. What I want to go to now is route tables and the router. Now these two things are interconnected: the router works by looking up information in the route table. Now for those of you who have worked in networking, you kind of already know what a route table is, but for the others, a route table basically holds information about where something should be sent, right? So when some communication happens, let's say from IP address 10.0.0.1 or 10.0.0.10, and then that goes to IP address 10.2..., the information as to how this IP is supposed to communicate with this IP, that information will be found in the route table. If there is no route that specifies how this IP goes from this place to this place, if there is no route specified in the route table, then that communication won't work. This first system won't be able to reach the second system. Let me just demonstrate that a little bit better. So you have two systems, and the IP address of this one is 10.0.0.5 and this is 10.0.0.6. There should be some information in the route table which says how can 5 communicate with 6, or which route does 5 take to communicate with 6. If that information is not there, this system cannot communicate with this system, all right? So when this system, 10.0.0.5, tries to reach 10.0.0.6, the router goes ahead and looks up the route table and asks the route table, you know, how do I go to that system, how do I go from 10.0.0.5 to 10.0.0.6? If the information is there, then the router will go ahead and route the packets accordingly. If that information is not there, obviously that communication is not going to happen; it's going to be either something like a request timed out, right? And these are two basic components, and we will deal more with route tables when we start looking at how to create public and private subnets, all right? So the route table holds information about how the routing happens, and it's the router that routes based on that information in the route table, all right?

Now, do you understand that almost everything that you're seeing here, almost everything is virtual devices, right? None of these are actual physical devices. These are virtual devices that are built on top of physical machines, right? So it's not like a physical router that you're getting; it's a virtual router that's there in your VPC, okay?

So what's an elastic IP? An elastic IP is basically a static public IP. Now when VPC came in, whenever you started a VPC in the, I'm sorry, whenever you started an EC2 in the default VPC, by default dynamically an IP address is assigned to your EC2, okay? Dynamically an IP address is assigned to your EC2 when you start up a new EC2 in your VPC. However, that dynamic IP is not permanent, which means if you stop your system and start it, that IP might change, right? So rather than relying on dynamic IPs, you can assign something called an elastic IP to your EC2 instance. When you do that, your IP is permanent till you release that IP. So you might want to have a public IP, something like 56.15.20.9. Of course you don't get to pick and choose, but you will randomly get an IP address. That IP address will be assigned to your elastic IP, I'm sorry, that IP will be assigned to your system. So that's basically what an elastic IP is; it's nothing but a static public IP address. Having said that, the elastic IP and the ENI or the
elastic network interface work together. The elastic network interface, I just want you to simply think of it as a network card. It's basically a virtual network card; it's kind of a network port for your EC2 instance. So if you need a network connection for your EC2 you have to have like a network card, and the network card is nothing but the elastic network interface. The thing is, whenever you are assigning IPs to your EC2 instances, whether it's an elastic IP or a dynamic IP, those IPs always get assigned to the interface and not to the actual EC2, right? So it does not get assigned to a particular EC2 instance as such, but it gets assigned to the interface, then this interface gets assigned to your EC2 instance. What that means is, if you have let's say two or three network interfaces, okay, let me kind of map this out. Let's say you have an EC2 that has two network interfaces, two elastic network interfaces, both of them have an elastic IP associated with the network interface, right? So there is an elastic IP attached to this and there is an elastic IP attached to this network interface. So essentially your EC2 has two public IP addresses that are static. Now let's say something happened to this server, it went down, and you're not able to fix it immediately, or you can fix it but it's gonna take time and you only have one server. If you did something like that, then you can easily go ahead and start up another server, disconnect these network interfaces from this and reattach it to this system, and you can continue using your existing IPs without having to change any other IP routing, which means you don't have to go to DNS and change IPs or anything. You can just reattach the network interfaces from one system to the other and then you can continue using your existing IPs. It's as if nothing happened, right? So you don't have to use new IPs for your new system; you can continue using your existing IPs, right? So this is what the elastic network interface allows you to do.

The internet gateway, it's as simple as it says: it's a gateway that allows you to connect to the internet, right? Now if I were to just go back, yeah, let's say you had an EC2 instance in your public subnet which is your web server. Now if this web server needs to talk to the Internet, or if it needs to allow Internet access, there should be an Internet gateway that is configured in your VPC, so that when traffic comes in, it comes in through your internet gateway and then goes to your VPC. Same way, when traffic goes out, it goes out to the Internet gateway and then goes out to the Internet, right? An Internet gateway is nothing but like a door at your VPC that allows external communication to happen, whether it is inbound external communication or outbound external communication, right? So an Internet gateway is as simple as that; it just allows you to communicate between your internal VPC and the internet, okay?

I'll pause here for a second and ask any questions regarding these components that we have covered so far. There's a question from Gaurav: can I create multiple VPCs in the same region? Yes, you can create multiple VPCs in the same region. Is a subnet auto created when we create an EC2 instance, or is it separate from the instance? Raj, it is separate from the instance. It's not auto created. You basically have to have a subnet in order to put your EC2 in it. Your EC2 cannot just be placed randomly anywhere; your EC2 has to be placed inside a subnet, and then the subnet should already exist. Is it static routing, or are dynamic routing protocols supported too? So when we talk about VPN and Direct Connect we will talk about dynamic protocols like BGP and all of that, but as of now, within our VPC we are always going to deal with static routes. BGP is supported for external connectivity like VPN and Direct Connect. John Doe has a question: with a VPC, public subnets and private subnets, it will work within the VPC? Public subnets and private subnets, it will work... Chango, I'm not sure if I understood that question.
Can an internet gateway connect with a private subnet? So we will talk about how the systems inside the private subnet can get internet access. That is not using the internet gateway; we will talk about something called a NAT gateway. All right, that's the last one on the table, so we'll talk about that a little bit later on.

How many static IPs can be attached to an ENI? Is there a limitation? So think of it like one IP goes to one ENI. All right.

Is an elastic IP chargeable? Yes, elastic IPs are chargeable. There are some free limits, guys; there is a little bit of fine print, so please look up the details. Elastic IPs are not chargeable as long as you have connected them to a working EC2 instance. I believe that's two elastic IPs which are free if you have them connected to a working instance. If you just have an elastic IP that is in your account but you have not attached it to any EC2, then you will be charged for that elastic IP.

Yes, I hope to put up the recording later on, so you should be able to find it.

Which one has more weight, NACL or security group? So we will cover that, Balachandran, we will cover that a little bit later on; we will talk about NACLs and security groups in a little more detail.

What is BGP? BGP is a dynamic routing protocol. You don't need to worry about that right now; towards the end of the session I'll kind of touch on that, but that's a little bit more on the advanced networking side. If you don't know that, you probably won't be using it in the VPC.

Is it possible that a single ENI consists of many IPs attached to it? So I will link some documentation here as well, guys; some of these questions are more FAQ-related kinds of things, so I will link them here. How many maximum... for a single EC2? So guys, there is a whole section on the limits as to how many of this is possible, how many of that is possible. I will share that table with you so that you can have a detailed look at it as to how many per ENI, how many per VPC, how many subnets, all of these things. There is actually a limit on them; there are soft limits. I will share that documentation with you.

All right guys, so I'll move forward now. The next three components are the customer gateway, the VPN connection and the virtual private gateway. The reason I took all of them together is because this is how you actually establish something called a VPN connection. If you need to establish a VPN connection, you need all of these three components to work together. So on your side you will have your customer gateway, which is nothing but your router in your premises, and then on the AWS side there is a virtual private gateway, which, if you remember, I kind of showed you in that representation there. You will basically use the VPN connection to establish a VPN between both of these endpoints: one endpoint is your customer gateway, which is your router in your premises, and the other one is the virtual private gateway, which is the router on the AWS side, or the gateway on the AWS side. You basically establish an IPsec VPN connection between these two endpoints. We'll touch on this in a little bit more detail when we look at the VPN section.

Right, now I talked about VPC peering. So VPC peering is nothing but when you have two VPCs and you connect both of them together: you basically have to send a request first, and then the other VPC accepts the request, and then you have the connection there. I will demonstrate that to you during the labs.

All right, let's talk about VPC endpoints a little bit. VPC endpoints are basically connectivity that allows you to talk to certain AWS services privately. Now, I will be covering this in a little bit more detail just before our lab session; I have a couple of slides on that. So what I will just tell you right now is what used to happen when you try to communicate from your EC2 to, let's say, something like the S3 service. How it used to work is that S3 only had public endpoints, which means when you talk to S3 from your EC2 it had to go out over the internet. It was not a private communication; it had to go out over the internet and connect on the S3 public interface. So what you are transmitting between your EC2 and your S3 buckets was public, as in not fully open as such, but it was going over the public lines, which is not good if you are talking about data security. What VPC endpoints allow you to do is, if you have the EC2 and you have S3, you have the VPC endpoint: it allows your EC2 to talk to the endpoint, which talks to S3, but this is private connectivity, which means it doesn't go out through the internet. So whatever you are transferring between your EC2 and your S3 buckets is going to be in the private domain; it's not going to go out over the internet. Like I mentioned, I have a slide on this which I'll cover in a little bit more detail, but just understand that this is how it works as of now.

The NAT gateway is also something that I'll cover in a little bit more detail, but let's come back to that question about why private subnets would need access to the internet. So let's say you have your database here in your private subnet. Now obviously your database does not need to allow access into it from the outside world. However, your database server is still a server, and it needs updates and it needs patches, and the only way it can get those is by talking to the repositories that are outside on the internet. So how do you get your internal EC2 systems that are in the private subnet to talk to the internet? What you do is you use something called a NAT gateway. So you will have a NAT gateway. Now, this has nothing to do with the NACL process, guys; it's different. What the NAT gateway allows you to do... the NAT gateway basically sits in a public subnet,
so what the NAT gateway allows you to do is it allows the DB to talk to the NAT gateway, which then forwards the communication out to the internet gateway, and then it can talk to the outside world. However, the NAT gateway will not allow any new communication to be initiated directly into the database; it's not going to allow that. It will only allow the outbound connection and the reply on the same connection, because it remembers what port it went out on and it remembers that the request was actually made by the database, so it will allow that reply back in. So if the database is requesting a patch for MySQL server, then it will let that patch come back in, because that request was made from the database in the private subnet. However, it will not allow any new connections to be initiated into the database. That's what the NAT gateway does for you. Like I mentioned, I will cover this in much more detail later on.

Any questions, guys, before we proceed? Like I mentioned before, you do not have the option to select the IP addresses; they are random IP addresses that are assigned to you. OK, I will proceed.

OK, so now let's take some time and go back a little bit and talk about IP addressing and subnets. For those of you who are already networking ninjas and already know what subnets and IP addressing are, this might be a little bit boring for you, but hang around, you might learn something new. Now, when we talk about IP addresses, I'm going to give you a single simple IP address that we deal with almost on a daily basis. Think of your home network IP address, which is something like 192.168.100.201. In these IP addresses, each of these parts is known as an octet. They are known as octets because each of them is made up of 8 bits, so technically speaking each IP address is made out of 4 octets of 8 bits each. Now, when we talk about bits, it's going to look something like this. What you have here on the screen is: these 8 bits actually represent the number 192, these 8 bits represent the number 168, these 8 bits represent the number 100 and these 8 bits represent the number 201. Obviously you can change the bits around to represent different numbers, but just understand that each IP address in an IP addressing range has 4 octets, and each of the octets is made out of 8 bits. Now, what that means is that when you add all of this up, 8 plus 8 plus 8 plus 8, you get 32 bits, which is why IPv4 addresses are basically 32-bit IP addresses. Anybody know how many bits IPv6 is? Sorry, I wrote IPv6 here; it's actually IPv4, guys, that is 32 bits. Anybody know how many bits IPv6 is, quickly? Right, IPv6 is actually 128 bits, so you have a lot more IP addresses.

Now, this number 32 is important when you start talking about CIDR ranges and how you do IP addressing within AWS VPCs. I want you to listen carefully here, because this is the part where you actually start using IP addresses inside your VPC. There's something called an IP CIDR range. What a CIDR range is, it's basically a notation: you write an IP address in a particular format so that when someone looks at it they know exactly how many IPs there are in a network, they know how large the network is, and additional information about that particular network. How you would write a CIDR range is something like this. So for example, this is a CIDR range, and as you can see here, it specifies an IP address and then it specifies a number. Now, this number has a significance to the number up here. What this number 16 specifies is that the first two octets of this are not going to change. Here's how it works, guys. The number here is 16, and you need to start counting from the left side. We know that each octet is eight bits, so we eliminate the first octet, so we took out eight; how many bits are remaining from the sixteen? Eight. So then I took out the second octet; now I have taken out sixteen bits. What this 16 is notating is that the first 16 bits of the IP address are not going to change in the IP range, because when you write a CIDR range you are not actually specifying a single IP, you are specifying a whole range of IP addresses. All right, when I say /16, the actual range is going to be something like this, which is 10.0.0.0 up to 10.0.255.255. Now, the reason it's stopping at 255 is because the largest number that you can represent with 8 bits is 255. If you need to represent the number 256, then you need 9 bits. So we know that each octet can only do a maximum of 8 bits, and that is why you always have an IP address with a maximum limit of 255.

Let me just revisit this here again. I wrote an IP range which is 10.0.0.0/16. Now, the number 16 signifies the number of bits that are not going to change. So I start counting: 8 bits gone, 8 more bits gone. So now I know that this much of the network is not going to change in the range. When I write the range, this part will always remain the same; it is only this octet and this octet that are going to change. What this means is that there could be an IP 10.0.1.5, which is an IP address in this range, because, think about it, the first 16 bits don't change, guys, which means we just need to make sure that this remains constant; the third and the fourth octet can change. So there might be another IP like 10.0.0.9. Can you guys give me a few more IP addresses in this range, IP addresses in this particular CIDR range?

OK, I'll repeat this part if you haven't understood it. When I say 10.0.0.0/16, I'm specifying an entire IP range, and I'm telling you that the first 16 bits in that range are not going to change, which means whenever I write an IP address in this range the first two octets will always remain the same. Which means 10.0.0.20; remember, the third and the fourth octet can be any numbers up to 255.255. So having said that, can you guys give me another IP address in this range? Just give me another IP address in this range. OK, Balasundar says .16.0, so you're giving me another range, but I need a single IP in this range. So let me move on here and I will give you another example, so that, you know, I can test you on that. Let me say I have an IP address range called 192.168.0.0/24. Can you guys now tell me what the IP range on this is? Can anyone give me the IP range on this, guys? I don't want a single IP, I want the entire range. I will give you another 30 seconds.

OK, here's what it's going to look like, guys: it's going to be 192.168.0.0 up to 192.168.0.255. Remember, .0 is also an IP address in the range, so it doesn't start from .1, it starts from .0, because .0 is also an IP address that is part of the range. All right, I think a couple of you kind of caught it as well. Let me just clarify this for you quickly. When I say 192.168.0.0/24, I'm saying that 24 bits of this IP address are not going to change, which means eight plus eight plus eight. What that basically means is that in this CIDR range the first three octets are not going to change; it is only this octet that is going to change, which means this can be anywhere from .0 up to .255. So if I were to write an example IP, that would be 192.168.0.1, or .0.15, .0.21, etc., etc. So I hope you guys understood what a CIDR range is: it's basically a notation where you are specifying a particular range of IP addresses.

So when you create a VPC, you have to specify what the CIDR range of that VPC is. You're basically telling AWS that I am going to use X number of IP addresses to define this VPC. How large you make the VPC is actually very important, because if you look at it, if I say a /16, that means two octets are going to change: the third and the fourth octet are going to change, which means it can be 256 IPs times 256 IPs. That basically translates to a total of 65,536 IPs, I think, if I'm not mistaken; this is the total number of IPs that you have in a /16 network. So when you specify the CIDR range for your VPC, remember your VPC is your main network, so you should specify such a range that it has enough IP addresses that you can assign them to all the systems; it should not be so small that you actually run out of IP addresses. Let's say, for example, I created a VPC and the CIDR range that I gave it was 10.0.0.0/24. When I say /24, it means the first three octets are not going to change; it's only the last octet that changes. Basically what I'm telling you here is that there are 256 IPs in this VPC; I'm limiting my VPC to not more than 256 IPs. So when I create subnets, I have to divide those IPs into different smaller subnets, and then, technically speaking, I might not have more than 15 or 20 IP addresses per subnet. That's not really good. So you have to have a VPC large enough that you can assign enough IP addresses to all of your subnets.

Now there's a question from Lilith about whether the CIDR range can be changed in a VPC later on. Recently they introduced an option of additional CIDR ranges. What that means is, let's say you first made the mistake of doing this: you assigned a VPC CIDR range of 10.0.0.0/24. Now what you can do is you can actually add an additional CIDR range, 10.0.1.0/24, to the VPC, so now you have 256 plus 256 IPs. So you cannot delete or modify or change your existing CIDR range, but you can add additional CIDR ranges if you wish to. But obviously they should not be conflicting; the CIDR ranges should be different from each other.

Now, having said that, let me ask you: the CIDR range for
10.0.1.15/32, can you tell me how many IP addresses there are in this, and what is the range of IP addresses? Can anyone tell me that? So the IP address in question here is 10.0.1.15/32. OK, so some of you got this right: a /32 is basically specifying a single IP address. Now remember, almost everywhere, wherever you put in an IP address, you have to write it in the CIDR notation. So for example, let's say you basically want to allow only one IP address access to something. When you do that, you have to specify it in the CIDR range format; you can't just put in "I only want to give access to 10.0.1.15". Rather, you should specify it in the CIDR range, because a /32 means there is only one IP in this range, and that IP is 10.0.1.15. All right, so if you ever want to represent a single IP using the CIDR notation, you will actually do the /32.

Now, without complicating things too much, I just want you to understand that when you write CIDR notations it is not necessary that it always has to be a multiple of 8. It can be 21, it can be 19, it can be whatever; it does not necessarily need to be a multiple of 8. But to simplify things a little bit, here's what I want you to understand. When you do 10.0.0.0/, let's say I am doing 26, so this is my CIDR range, it's 10.0.0.0/26, here's how it's going to work. You're going to count 8 plus 8 plus 8, so you've already counted 24, so what's remaining is 2 over here. How this basically works is the way you represent the 0. Let's say, for example, there are 8 bits, let's say 1 1 0 0 1 0 ..., 1 2 3 4 5 6 7 8, so these are 8 bits. What basically happens here is the first three octets do not change; that we already know, because we have already discounted 24. Now we need to also specify that the next two bits in the last octet are not going to change. So what happens is these two bits are not going to change, but the remaining six bits will actually change in the IP address. Now, this actually requires subnet calculators to understand how this works, so I will show you a link which will actually help you get to these subnets. Just give me one second. If you just go to Google and search for a subnet calculator, the best one that I would recommend is one called jodies.de/ipcalc. If you go there, let's actually specify something that we already kind of did, so let's do 10.0.0.0/16. When I do that, it shows me what the minimum is and what the maximum is. Now don't worry about these 255s and all of that; I will talk about usable IPs and non-usable IPs. But you see there is basically a total of 65535 IPs. Now you see that these two octets remain the same, because we are saying /16; all these bits are exactly the same, and if you look, it is only in these two octets that it is actually changing. Now let's say I say 10.0.0.0/26, the same example that we did. If I calculate this, you see how it splits this up: the first, second and third octet do not change, because out of that /26 we have already taken out /24, so that's not going to change, but you see how it has actually separated out these two bits from the eight total bits. If you see, this is two bits plus six bits, that is forming the total of eight bits. So it's going to be something like this: it's going to be 10.0.0.0 to 10.0.0.62. It's not going to go up to 255, because the maximum number that you can represent with these many bits is 62. All right, so if you are going deeper into the networking side of things and you have to do something that is not in multiples of 8, then you have your subnet calculator here. However, when you start dealing with VPCs, initially when you start working with them you will most probably be working with something like /16, /24s, etc.

Now, what you will need to understand here is... OK, there's one thing that you need to understand here, which is that a /16 is a larger network than a /24, which is obviously larger than a /32. You have 65,536 IPs here, you have about 256 IPs here, and you have 1 IP here. So this is how your network sizing is. So remember, when you create your VPCs, it's ideally better that you create them with a /16, so that you later don't run into issues of not enough IP addresses. Having said that, your VPC should be a maximum of /16 and a minimum of /28. You cannot have a VPC smaller than a /28, which means you cannot have a /31 or /32; your VPC has to be in the range between /16 and /28. Having said that, when you're specifying your IP addresses in the CIDR range for your VPCs, you should actually be specifying them in the RFC 1918 standard, which means you can have a 10.0.0.0/16. Remember that this is the RFC 1918 standard, so a /8 or a /12 or a /16 that you see here does not mean that you have to apply it exactly as it is; it is just saying that this range is possible. Which means if you go for a 10.2.0.0 range, it has to be anywhere between /16 and /28. You can't go above /16, which means you can't go /15, /14, /13, etc.; you can't do that. It has to be within /16 to /28. Same way, you can do 172.16.0.0, and you can also do 192.168.0.0. Now, you can bring in your own public IP addresses, which means if you want your VPC to have your public IP addresses, you can do that; however, you have to own those public IP addresses, and then you have to go through AWS in order for the routing to be configured so that your public IP addresses are assigned on your VPC.

One more important thing that I have to mention here is that within a VPC certain IP addresses are not usable. This applies to your subnets as well. So in your VPC, the .0, the .1, the .2, the .3 and the .255 are not accessible, regardless of whether it's a 10.0 or a 192.168 or a 172; regardless of whatever it is, the .0, the .1, the .2, the .3 and the .255 are not usable. They're reserved for certain things on AWS, which means you cannot assign them to any particular EC2 instance or any service that you have. Ideally, in any network, always, always, always the .0 and the .255 are generally not usable, because the .0 is the IP of the base network and the .255 is the broadcast IP address. Anyway, broadcast is not supported within VPC, so you don't have these two IPs anyway. So out of 256, if you remove two, generally speaking in any network the usable is 254 IPs, which is why if I go here and put in a /24, the total number of hosts is 254, although the IP addresses including the 0 and 255 are actually 256; the usable is only 254. That's common in almost all networks. Apart from these two IP addresses, three more IP addresses are not usable within AWS VPCs, which is .1, .2 and .3. As it's mentioned, .1 is reserved for the internal VPC router, .2 is actually reserved for the internal DNS server that AWS provides, and .3 is not yet used for anything, but it is reserved for anything that AWS might come out with in the future.

I'd like to stop here for a second and ask if you have any questions. Let me also review some of the questions that have already been put there. Pranaya asks for an example; so Pranaya, please use the subnet calculator that I've mentioned, you can pick and choose over there. Do we provide the CIDR ranges at the time of creating? Yes; when we do the labs I'll show you how you create the CIDR ranges. Can you please tell me how many such things are present, like /16? Right, so I kind of answered that already: you can do between a /16 and a /28 for your VPC; however, you know, outside of it literally any slash is possible. Is /28 the minimum range subnet we can define? Yes, true. OK, so I'm not going to go
into Class A, Class B and Class C IP addresses; that's a completely different discussion about IP addresses. I'm keeping it very specific to IP addressing within the VPCs. For that, like I mentioned, you have to use the RFC 1918 standard for the private IP addresses. All right, you're welcome, Raj.

What is the default VPC range in AWS? So we'll take a look at the default VPCs and all of that. When you create a VPC, there is nothing like it will by default give you a range; you have to specify the range for the VPC. However, there is a default VPC available in every single region. This was created so that people who were using EC2-Classic, which is before VPC (I forgot to mention that it was called EC2-Classic, which is before the VPC came in, that's what it was called), so people who wanted to migrate EC2-Classic into the VPC, AWS actually created a default VPC within every single region. So if you go into your AWS dashboard and have a look at the VPCs, you will always see at least one default VPC in each and every region. OK, so I'm going to proceed now.

OK, let's talk a little bit about subnetting here. So let's say I have my VPC, and my VPC's IP addressing CIDR range is 10.0.0.0/16, which means literally 65536 IPs are possible, but I definitely want to break it up into smaller chunks, or subnets. Now, I will have the different availability zones, and in this example I am taking a VPC which has two availability zones in it, and what I will do is create subnets within both availability zones. When I create the subnets, guys, there's one important thing to understand: the subnets are sub-networks of your main VPC, which means they have to fall within the IP range of your VPC. I'll just go back a second here. My IP range is 10.0.0.0/16, so, 10.0.0.0/16, I need to break up this large network into smaller chunks. Now remember I told you that a /16 network is larger than a /24 network. So ideally speaking, you can actually break this network into smaller chunks of /24. For example, let me break this down into 10.0.1.0/24. Now my question is, is this 10.0.1.0/24 part of the main network? Is this actually an IP address in the main network, or is it not an IP address from the main network? Does this IP belong to the main network? Can someone give me a quick yes or no? Right, so it is part of the main network. How do you identify if it's part of the same network? You see the first network says /16, which means the first and the second octet are not going to change. So let me take a look at this IP address; it says 10.0.1.0. Now, 10.0 is the same, so it's not changing; it's definitely part of my main network. So whenever you are creating sub-networks, guys, you have to make sure that you are creating them as part of your main network. If you have a 10.0.0.0, let me ask you this: I'm going to create a subnet like 10.2.0.0/24. Is this subnet part of the same network? Can I create the subnet in this VPC? It's not part of the same network, because the 10.0.0.0 main network has to stay the same, which means it has to be 10.0, but here it's 10.2, which means it's definitely not the same network; it's a different network, so you cannot create such a subnet. So your subnets always have to be part of your main network. In this case I can go ahead and create 10.0.1.0/24, and I can create a second subnet 10.0.2.0/24. Now obviously this second one is also part of the main network. Also, when you create subnets, you have to create subnets that are not conflicting with each other. This network is different from this network, because a /24 says the first three octets are going to remain the same; now when I look at my second network, it is different, it is not the same, which means it's not going to conflict. I cannot have another one here like 10.0.1.0/, let's say, 26; I cannot have that, because I already have a network saying /24 with 10.0.1.0. So if I create another network with the same range, I cannot do that; I cannot create another subnet, because it's conflicting with the first one that I created. Is this part clear, guys? I hope it is. So when you create your subnets, they have to be part of your main network, and they also should not conflict with each other.

OK, so now let's look at how these subnets are actually configured in your availability zones. I have four subnets here. What I will do is I will create a subnet with 10.0.1.0/24 and another one with 10.0.2.0/24, and when I go to the other availability zone I'm going to ensure that I create a subnet a little bit differently, so that there's enough difference between the first one and the second one that as soon as I look at it I can realize, OK, this is in a different AZ, because it's a completely different range. So you can have different ranges so that you can easily differentiate between different availability zones, because if you do 10.0.1.0, 10.0.2.0, and then you did another 10.0.3.0 here, it might be difficult for you to figure out if they are all in the same availability zone or not. So that's just another way; it's not necessary that you have to do it like this. This is just for your ease of doing things, so that you can have a mental differentiation between all of them. So I'll make one public and the other private, and I will make one public and the other one private, in my VPC. So I have one public and one private subnet in each availability zone. I will put all my web servers over here and all my DB servers over here. And my web servers have external internet access through the internet gateway, but they do not have access to the database instances, because they are part of the private subnet.

Now, how do you define private and public subnets? So let's take a look at that; let's take a look at how routing works within the VPC. Let's bring back the same VPC: we have 10.0.0.0/16, we have a subnet here, we have another subnet here, we have an EC2 in the first subnet which has an elastic network interface attached to it, and it has an IP. We also have another instance which has a network interface attached to it with another private IP address. Now we have the router that sits within the VPC, we have an internet gateway, and we have the route table. How this works is pretty simple. When one EC2 wants to communicate with another EC2, let's say this system, which is 10.0.1.35, wants to communicate with 10.0.3.48, here's how it works. 10.0.1.35 makes a request to the router saying "I want to talk to 10.0.3.48". The router will then go to the route table and look at it to see if there is any routing information in it. Now, the first entry says 10.0.0.0/16, and the routing is always local, which means for any system requesting any IP in this range the communication is local, so you can search for the system locally, which means you don't need to send it out to the internet. So when the router has this information, it looks up the route table and says, OK, this system which is 10.0.1.35 is requesting 10.0.3.48; now 10.0.3.48 is obviously part of 10.0.0.0/16, it is part of the main network, so the communication happens locally, it does not have to go out. The router obviously already knows which systems are locally there, so it will route it to that particular system. This is what the route table does. Now let's say this system wants to communicate with, let's say, an IP address out on the internet, let's say 53.19.1.4, OK, that is 53.19.1.4. So this system makes a request to the router to talk to 53.19.1.4; the router goes ahead and looks up the route table, and when it looks at the route table, it does not match this one, because obviously 53.19.1.4 is not part of that first one. However, there's another route in the route table which says any IP. What happens here is you have an entry in the route table which says every other IP: if there is no match in any of the rules that have already been specified, it will go ahead and send it to this range, which is any IP. Now, what is the destination over here? The destination says internet gateway. So 0.0.0.0/0 is actually any IP, and the destination is the internet gateway, so the router forwards that information to the internet gateway, which then goes out to the internet and connects to that IP. This is what the route table does: it has information as to where that information is supposed to be forwarded to, so that the router can forward it and then it gets carried forward from there. Now, this 0.0.0.0/0 is basically any IP, so if none of the previous rules match, it will go ahead and send it to that IP address.

Now I want to take this one step further, and we'll talk about how we make something public or private. Let's say again I have these two things and I have two route tables: I have a public route table and I have a private route table. Now, why is this route table called private? Because if you look at it, this route table has only one entry, which allows local communication. There is no other entry in this route table to send the information out to the internet, which means there is no association with any internet gateway, there is no association with any NAT gateway as such; there is only one route, and that is local, which means any query that is coming to this route table, it'll only allow the communication to be private. However, if you look at the public route table, it is exactly the same one as we have discussed before: it has a public route which sends it to the internet gateway for any IP that is not local.
that is any public IP it will send it out to the Internet gateway now when I go ahead and associate a route table with that I went ahead and I associated the public round table with this subnet then this subnet becomes public right before that this subnet is just another subnet okay when I associate that route table with that subnet it becomes a public subnet and when I associate the private route table with this subnet it becomes a private subnet now let's look at what happens with the private subnet let's say this private subnet system ten dot zero dot dot 48 wants to communicate with ten dot 0 dot one dot 35 so the request goes out to the router the router checks the route table associated with that subnet ok that subnet has a particular route table Association the router checks for that it sees that okay it's part of this 10.0.0.0 slash 16 so I will send the communication local then the communication will be sent locally however let's say this system is now trying to request for an IP that is outside 52.99 1.4 ok let's say it's trying to reach that IP address so it sends the information of the router the router comes and looks up at the router table it does not see any route for that IP that communication will be denied there is no outside Internet access same way there is no internal access as well the Internet gateway cannot send anything to this system because there is no return route so this is essentially a private subnet so any systems in this subnet they can communicate with other subnets in any other availability zone as long as it is part of the local routing however they cannot communicate externally because there is no external access if you look at this scenario for this system it is exactly the same like we described in the last slide where if it wants to talk to the Internet there is another route here it will go out to the Internet gateway and then it can go out and then come back in so I hope this concept of routing is clear guys I will take a 
moment here I will pause and I'll ask if you have any questions with regards to how the routing happens just remember here is that the route table is the one that decides whether a subnet is a public subnet or a private subnet by default a subnet is neither public or private it gets associated with a default route table we'll talk about that and anything within the VPC by default there is always a local route specified so all the subnets within a VPC can communicate with each other regardless of what table they are associated with because every single router table has a default local route it's only when you want to decide whether you want to send it out or not that you have to specify an additional rule in the router table which will actually send it out to the Internet way so does request from private subnet to router only check private round table so it depends which route table is associated with the subnet so if there is any system inside this subnet it is obviously going to check with the route table that is associated with that subnet if there is any system inside this subnet it is always going to check the route table that is associated with that subnet so that's what I mentioned you have to associate a route table with a particular subnet and it will always check the route table for that subnet whether any systems in that subnet can talk to the outside world or not any questions before we proceed rise all right I do not any questions I will proceed okay remember that you obviously apart from the routing a route table if you need to make public communication you obviously need a public IP address all right so apart from associating your route tables your ec2 instance should also have a public IP associated with it either a dynamically allocated IP or an elastic IP associated with it but remember even if this system in the private subnet has an elastic IP it's still not going to be able to communicate because of the fact that the route table does not have 
However, for traffic to come back in you obviously need a public IP; otherwise that system is not going to be able to communicate with the internet. The role of DHCP: DHCP within AWS is actually assigned automatically; there is something called DHCP options, which I will show you when we do the labs. There is always a default route table available whenever you create your VPC. The default route table always has the local route only, so it is always private: there is no public route by default unless you create an Internet gateway, attach it, and then create an entry in your route table which goes to the Internet gateway. Until you do that, essentially your subnets are private.

So let's look at NAT gateways. Remember we spoke about an idea a little bit before, which is whether a system inside a private subnet can communicate with the outside world. A NAT gateway is basically a managed service that AWS provides which allows you to make a connection out to the internet, but it will not allow any new communication to be initiated back into the subnet; unless it was actually requested by the system in that subnet, it is not going to allow any communication to come in. This allows your instances to do any kind of patching or updates or anything that they need to do. The NAT gateway works only for IPv4; if you want to do IPv6 the same way, there is something called an egress-only internet gateway, which I will show you in the lab section.

So let's look at how a NAT gateway works. Here is a similar configuration, guys, with the public route table and the private route table, except that in the public subnet, instead of your regular instance, you have something called a NAT gateway. And if you look at the private route table, there's a new route here (let me just update the colour here, guys): there is a new route in your private route table which goes out to the internet via your NAT gateway. Let's see how this routing works now. Let's say there is an IP address of 52.99.1.4, a patch server, and this system in this private subnet needs to contact the patch server. The request goes out to the router, the router looks up the route table, and it sees an entry for any IP, any public IP, and the target is the NAT gateway, not the Internet gateway. So the request gets forwarded to the NAT gateway. Now the NAT gateway already knows what to do, because it's a managed service; you don't need to configure anything as such. This NAT gateway will now forward that communication out to the internet: it sends it to the router, the router looks at the public route table, and forwards it to the Internet gateway. So you see how this works: it is basically this, this, this and this. This is how the NAT gateway works for systems inside your private subnet. If you have any systems inside your private subnet that want to access the internet, this is how you set up the NAT gateway. Any questions, guys, before we proceed, about how the NAT gateway works or anything like that?

There's a question about what a bastion host is. A bastion host is for, for example, the same case where you want to connect from outside: you want to log in, SSH into this system. Obviously you don't have a public route and you can't do that; even if you have a NAT gateway you can't initiate the communication inward unless the system had requested it. So what you basically do is put an EC2 inside your public subnet, SSH into that, and then from that system you SSH into the private system. This is basically a jump host or a bastion host.

Is it just two entries in the routing table to create a NAT gateway? You have to first create a NAT gateway, and then once the NAT gateway is created you have to update that information in the route table so that it can start routing to the NAT gateway.

So let me move on. Some key points to remember here: VPCs are limited to a region, but they stretch across all the availability zones. Subnets can be private or public and are limited to a single availability zone, so remember your subnet is always inside an availability zone. Subnets must be associated with a route table; without a route table it is not going to be able to route any information anywhere. An Internet gateway route must be added in the route table for internet access, inbound and outbound, so without an internet gateway there's no way you can communicate with the internet, unless of course you're using a NAT gateway. A NAT gateway can be used to simulate DMZ zones, where inbound public access is blocked but external access is allowed. And remember five IPs are reserved, so five of them are not usable when you create your VPCs.

Now the NAT gateway is a managed service, it is not an EC2 instance, which means you're paying for it as a service and you don't need to configure anything as such; you don't need to log into the NAT gateway to configure any kind of routing or anything like that. However, before the NAT gateway was introduced, what people used to do is have an EC2 instance which had the same functionality as what the NAT gateway does, but you had to configure that at the software level: you would configure all the routing, you have to disable something called the source/destination check, and you could do additional things like IP filtering and intrusion prevention and detection on that EC2. But you have to manage this EC2 yourself.
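As an added example (not code from the session), here is a small Python model of what was just described: subnets must sit inside the VPC range and not conflict with each other, each subnet loses five reserved addresses, every route table starts with the local route, and the router consults the route table of the source's subnet and picks the most specific match (local, the Internet gateway, the NAT gateway, or no route at all). The gateway IDs igw-EXAMPLE and nat-EXAMPLE and the subnet names are constructed placeholders.

```python
"""Model of VPC subnetting and route-table lookup (added example, not from the session)."""
import ipaddress

RESERVED_PER_SUBNET = 5  # AWS keeps the first four and the last address of every subnet


class RouteTable:
    """A route table: destination CIDR -> target. Every table starts with the local route."""

    def __init__(self, name, vpc_cidr):
        self.name = name
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}

    def add_route(self, destination, target):
        # target is a constructed id such as "igw-EXAMPLE" or "nat-EXAMPLE"
        self.routes[ipaddress.ip_network(destination)] = target

    def lookup(self, dst_ip):
        """Return the target of the most specific route covering dst_ip, or None."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None  # no route at all: the router drops the request
        best = max(matches, key=lambda net: net.prefixlen)
        return self.routes[best]

    def is_public(self):
        """Public means a default route (0.0.0.0/0) pointing at an Internet gateway."""
        default = self.routes.get(ipaddress.ip_network("0.0.0.0/0"))
        return default is not None and default.startswith("igw-")


class VPC:
    def __init__(self, cidr):
        self.cidr = ipaddress.ip_network(cidr)
        self.main_route_table = RouteTable("main", cidr)  # local route only, so private
        self.subnets = {}  # name -> (network, availability zone, route table)

    def new_route_table(self, name):
        return RouteTable(name, str(self.cidr))

    def check_subnet(self, cidr):
        """Return a problem description, or None if the subnet is acceptable."""
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(self.cidr):
            return f"{net} is not inside the VPC range {self.cidr}"
        for other_name, (other, _, _) in self.subnets.items():
            if net.overlaps(other):
                return f"{net} conflicts with subnet {other_name} ({other})"
        return None

    def add_subnet(self, name, cidr, az, route_table=None):
        problem = self.check_subnet(cidr)
        if problem:
            raise ValueError(problem)
        # A subnet with no explicit association uses the main route table
        self.subnets[name] = (ipaddress.ip_network(cidr), az, route_table or self.main_route_table)

    def usable_addresses(self, name):
        net, _, _ = self.subnets[name]
        return net.num_addresses - RESERVED_PER_SUBNET

    def subnet_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, (net, _, _) in self.subnets.items():
            if addr in net:
                return name
        raise ValueError(f"{ip} is not in any subnet")

    def route(self, src_ip, dst_ip):
        """What the router does: consult the route table associated with the source's subnet."""
        _, _, table = self.subnets[self.subnet_for(src_ip)]
        return table.lookup(dst_ip)

    def subnet_kind(self, name):
        _, _, table = self.subnets[name]
        return "public" if table.is_public() else "private"


def build_session_vpc():
    """The layout from the slides, plus a second private subnet whose table routes via NAT."""
    vpc = VPC("10.0.0.0/16")
    public_rt = vpc.new_route_table("public")
    public_rt.add_route("0.0.0.0/0", "igw-EXAMPLE")   # constructed Internet gateway id
    private_rt = vpc.new_route_table("private")       # local route only
    nat_rt = vpc.new_route_table("private-with-nat")
    nat_rt.add_route("0.0.0.0/0", "nat-EXAMPLE")      # constructed NAT gateway id
    vpc.add_subnet("public-1a", "10.0.1.0/24", "us-east-1a", public_rt)
    vpc.add_subnet("private-1a", "10.0.3.0/24", "us-east-1a", private_rt)
    vpc.add_subnet("private-1b", "10.0.20.0/24", "us-east-1b", nat_rt)
    return vpc


if __name__ == "__main__":
    v = build_session_vpc()
    for src, dst in [("10.0.1.35", "10.0.3.48"), ("10.0.1.35", "53.19.1.4"),
                     ("10.0.3.48", "52.99.1.4"), ("10.0.20.7", "52.99.1.4")]:
        print(f"{src} -> {dst}: {v.route(src, dst)}")
```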
You have to configure it, update and patch it, look after all the rules; everything has to be managed by you. So instead of that, what they started offering, without you having the headache of running an EC2, is a managed service, the NAT gateway, where you just put it in the route table and it handles all the requests for you.

Question: is the NAT gateway used only for private subnets? A NAT gateway is used whenever you do not want inbound access to your systems but you want to allow outbound access. So technically speaking that is a private subnet, because the public subnet by default has public inbound access, so there's no point in having a NAT gateway in a public subnet.

All right, so now let's talk about VPC endpoints. Some of the services that are available on AWS, something like Amazon S3 or even DynamoDB, although they are on AWS, when your EC2 instances talk to them they actually have to go out through the internet gateway and then come into S3 using the public endpoint. This is what I mentioned before: it's not necessarily a good option, because you are traversing the public internet. Although you're still using HTTPS and securing your connection and all of that, it's still traversing the public internet, and you don't want that happening if you want to transfer data that is highly secure. Anything you communicate with S3 normally goes out to the Internet gateway and then to Amazon S3. What VPC endpoints do is create something like an Internet gateway; it is a gateway, so to speak, it's an endpoint. All your instances now talk to the endpoint, and through the endpoint they connect to S3. The difference here is that this communication stays within the AWS private network; it is not going out to the public internet. So the communication you have here is much more secure than what you generally get when you use an Internet gateway to communicate with AWS services. As of now you can use VPC endpoints with Amazon S3 as well as DynamoDB.

Now there are some other services which also use something called endpoints, but it is a little bit different: these are known as interface endpoints. The services are things like the API calls for EC2, the Service Catalog application, elastic load balancers, EC2 Systems Manager, Kinesis streams, CloudWatch logs, KMS and the SNS notification system. The same thing happened before: when you communicated with these, it had to go out through the Internet gateway and then talk to each of these services individually over the public internet. However, now with the option of interface endpoints, an ENI is created for each of these services, and the service is mapped to that ENI. Your ENI has a private IP address, something like 10.0.15.10, so each of these ENIs has a local IP address associated with it. Now when your communication happens it is private here, and obviously this is also private because it's not going out to the internet. So these are the two kinds: with gateway endpoints you just have a gateway and traffic goes out to the gateway; with interface endpoints, for these other external services, elastic network interfaces are created within the subnet, all the services are mapped to them, and when you communicate with those endpoints the traffic goes out through those ENIs and not through the Internet gateway.

With that said, I just want to quickly show you a slide that was recently presented in the re:Invent session by Amazon back in 2017, which lists all the different things that have changed. If you look at this, these are the new features available on AWS VPC as of today: they introduced IPv6; there is something called security group rule descriptions, which we will discuss; there is support for CloudWatch metrics now for VPN, Direct Connect and NAT gateway; all the PrivateLink services, which I already mentioned, the ENIs which get created in each of the subnets for these services; then you have the VPC endpoints which connect to S3 and DynamoDB; they introduced inter-region VPC peering, which means you can now connect multiple VPCs together even if they are across regions; we will touch on Direct Connect and Direct Connect gateway; and expanding your VPC. This was a recently introduced feature: like I mentioned, if you already specified a CIDR range, you can expand your VPC by specifying another CIDR range, so you are not stuck with the single CIDR range that you happened to specify initially. Before this was a very large problem, because sometimes you ended up creating a VPC which was pretty small and then realised you were running into the constraint of not having enough IP addresses.

All right, I will pause here for a moment and ask if you have any questions before we proceed. Question: for CloudWatch logs, is there an ENI available? Yes. When you're sending and receiving logs from CloudWatch, you can now securely send them through the ENIs that you connect via the interface endpoints; you don't have to talk to CloudWatch as a public service.

All right, guys, so I'm going to go into the VPC labs and quickly show you how to set up a VPC and configure everything with regard to setting up subnets and all of that. I'm going to go at a medium pace, so if anybody wants to try this along with me please feel free to do so; I'll give you enough time so that you can complete it, but I'm not going to pause for long.
So unless you can keep up I wouldn't suggest you do this, but if you want to try it, go ahead. Let me go ahead and quickly log into my console so that I can show you how to do this; just give me one second.

All right, guys, I'm in my console right now, and the first thing I'll do is go into VPC. This is basically the VPC dashboard. You have an option to use the VPC wizard in order to create a VPC; however, that's too easy and you might not understand what's happening behind the creation of the VPC. So what we'll do is go to Your VPCs over here. Like I've already mentioned, you always have a default VPC available in your account in every single region, guys. Right now I'm in the North Virginia region and, as you can see, there's already a default VPC available there. Even if I switch regions there will always be a default VPC, and almost all the time it is going to be a 172.31 range. I'm now in Ohio: as you can see, there's already one there, the default, and there's another one which I probably created some time ago and might have forgotten to delete. So let me come back to the North Virginia region and create my VPC over here.

I will hit Create VPC, and the first thing it asks me for is a name, and then it asks me for the CIDR block. I'll give it the name "webinar", and I'm going to stick to the same CIDR block we discussed, which is 10.0.0.0/16. If you want, you can assign IPv6. I'm not going to show you IPv6 right now because that's another subject altogether; I will discuss that in part two. But when you do this you are going to basically allow IPv6, so if you want to switch this on you can just set it to Amazon-provided IPv6. Again, this is the IPv6 address range that AWS gives you, so you don't get your own IP address range; this is basically a /56 IPv6 block for your VPC, and then you do /64 for your subnets. This is the tenancy that I was talking about: default means you're just going to use the existing network hardware, you're not going to have dedicated network hardware, but if you select dedicated they are going to give you dedicated network hardware. However, this is expensive, so unless you're an organization that requires this you should not be selecting this option; go with the default option. Make sure when you're creating it you're doing it with the default, because if you don't, you won't get some other options later on. So once again: "webinar" as the name, 10.0.0.0/16, Amazon-provided IPv6 block, tenancy default, and I create it. There you go, it's created. As you can see, it's already assigned that block to me, and it's also assigned a /56 block for the IPv6 addresses.

Now that I have my VPC, the next thing I need to do is create subnets. I'm going to go into Subnets and create subnets. Here's what I'm going to do: I'm going to follow the same model that I showed you on the slides, which means I'm going to create one public and one private subnet in each of two availability zones, so a total of four subnets, two public and two private, where each availability zone has one public and one private. However, like I mentioned, when I create these subnets they are not automatically public or private unless I associate them with a route table. Just for clarity I'm going to name it public: I'll say public-1a, make sure I select my VPC here, and select 1a here because I already typed 1a in the name. The IPv4 block is going to be 10.0.1.0/24, because remember I am creating a subnet within my /16 VPC, and to keep things simple I'm just going to use a /24 here, but obviously you can use anything under /16. It's not necessary to use a /24; you can do a /19 or whichever you wish, but to keep things simple I'm just using this one. It's asking me whether I want to assign an IPv6 CIDR block or not; I'm just going to leave this out for the rest of the session because managing IPv6 is a different thing. So I will create that.

Now I'm going to create three more. I'm going to call this one private-1a in my VPC, make sure it's in 1a, 10.0.2.0/24. Then I'm going to create another subnet and call this public-1b. So I created public-1a and private-1a; now I'm creating public-1b and private-1b. Because I'm giving the name as 1b here, I'm going to make sure that the availability zone is also 1b so that there's no confusion, and I'm going with 10.0.20.0/24. Then I create the private-1b subnet with its own /24. OK, so now I have the four subnets that I require. Just to filter this view, I'll type "webinar" over here so that it shows me only the subnets associated with my VPC. As you can see, I have created four subnets: private-1b, public-1b, private-1a and public-1a, and you can see the different CIDR ranges on them. It shows 251 IPs available, because remember five IPs are not usable in each of the subnets: out of 256, if you take out five, that becomes 251.

There's a question: can we get the recorded video? Yes, this is actually being recorded right now, and hopefully once the session is over I should be able to put it up on YouTube, but I'm still considering that because this was supposed to be a private session.

All right, so I have the different availability zones here, the route tables and everything. I created the subnets; now I need to create an Internet gateway, because before I assign anything to the route tables I need to create an Internet gateway. Otherwise, if I go into my route tables right now and look at the route table that is associated with my VPC, which is this one, and go to Routes, as you can see there are two routes, one IPv6 and one IPv4. In the IPv4 there is this single route for local; there is no external route, and it says that it is the main route table. Remember this is kind of the default route table, so any subnets I create will automatically use the default route table unless the subnet is associated with a particular route table.

So the first thing I'm going to do is create an Internet gateway. I'm just going to give it a name, as simple as that, and create the Internet gateway. Once you create an Internet gateway you need to attach it to your VPC. You already have another Internet gateway attached to the other VPC, so I will attach this one; otherwise my VPC will not be able to communicate outside. I have now attached my internet gateway to my VPC.

Now let me go back to my route tables. I don't want to use this default route table; I want to create separate route tables for public and private. So I will create a route table and call it "public", associate that with my VPC, and then create another route table and call it "private". As you see here, I have created two additional route tables. At this moment there are no subnets associated with these route tables, and I will show you what the routes are: if I go to the private route table it is only local communication, and if I go to the public route table it is also only local communication, because by default when you create a route table it is local and doesn't assign any outgoing paths.

Now going back to what we were discussing in terms of private and public: I have two private subnets and two public subnets in different availability zones, and I have created two route tables, a public route table and a private route table. But as you saw, in the public route table I still have not configured the Internet gateway, so I will go ahead and add the Internet gateway route. I go to my public route table, go to the Routes tab, edit the routes, and I have an option to add a route here. I'll click on add another route, and, if you remember, going back to the slide, the route is going to be 0.0.0.0/0, which is every other IP. And where should I be sending this, guys? Can anybody quickly tell me where exactly I should be sending this traffic, what should I be mentioning in the target box here? Still awaiting your input, guys. Right, I should be specifying the Internet gateway here. Because I have already created the Internet gateway and already attached it to my VPC, as soon as I click on this box I get the option here for the internet gateway, which is the igw. If you had not already attached your internet gateway to your VPC you would not get this option, and obviously you could not add this. But as soon as I click on it, it's already there, so I select it and save the route.

So as you see here, now the difference between my public route table and my private route table is that in my public route table I have a route that goes out to the public internet via the Internet gateway, whereas in my private route table I have no such route; it is only going to do local communication. Now I'm going to associate the subnets with these route tables, because as of now all the subnets are going to the default route table. I go to Subnet Associations; I am editing my private route table, so I go to subnet associations, edit, and select the ones that say private. Here's what I'm doing: I am associating my subnets with my route table, making that connection now. When I hit save, these two subnets that I just selected, private-1a and private-1b, have actually become private subnets, because I have associated them with a route table that only has local routing and does not send anything out to the internet. I will do the same thing with the public route table: I go to the subnet associations, edit, add the public subnets over here, and save. So now I have made public-1a and public-1b public subnets, because I have associated those two subnets with a route table that actually has a public entry in it. This is how my subnets get differentiated as public or private subnets; until that point it is the default, which again is only private. Now whatever I put in my public subnets, public-1b and public-1a, those systems should be able to communicate with the internet, but whatever I put in private-1a and private-1b will not be able to connect to the internet.

Now what I'm going to do is launch some instances into this. Route propagation is used when you are using something called BGP, where automatic route propagation happens. I will touch on this when we talk about VPN and Direct Connect; you use it mostly when you're using the BGP protocol, where essentially this route is propagated to every other router in the network that is talking to this particular VPC. At the moment we don't have this VPC connected to any other network, so obviously there's not going to be any route propagation, and we are not using BGP, so that's not going to happen. I will touch on that a little bit later towards the end of our session.

OK, so now I have my route tables, my subnets, my VPC and my Internet gateway. I'm going to go ahead and launch a few systems.
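The console steps above expressed as infrastructure as code: this added Python script (my example, not the session's) generates a CloudFormation template for the same webinar VPC, four subnets, Internet gateway and the two route tables, and then audits the template the way the session reasons about it, where a subnet counts as public only if its associated route table has a 0.0.0.0/0 route to the Internet gateway. The private-1b CIDR (10.0.21.0/24), the AZ names, the logical resource names and the MapPublicIpOnLaunch setting are my assumptions.

```python
"""Generate and audit a CloudFormation template for the lab VPC (added example, not from the session)."""
import json

VPC_CIDR = "10.0.0.0/16"
# (logical id, CIDR, availability zone, public?) as in the lab; private-1b's CIDR is a constructed value
LAB_SUBNETS = [
    ("Public1a", "10.0.1.0/24", "us-east-1a", True),
    ("Private1a", "10.0.2.0/24", "us-east-1a", False),
    ("Public1b", "10.0.20.0/24", "us-east-1b", True),
    ("Private1b", "10.0.21.0/24", "us-east-1b", False),
]


def _tag(name):
    return [{"Key": "Name", "Value": name}]


def build_template(name="webinar", vpc_cidr=VPC_CIDR, subnets=LAB_SUBNETS):
    """Return the template as a dict; json.dumps() it to deploy with CloudFormation."""
    res = {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {
            "CidrBlock": vpc_cidr, "InstanceTenancy": "default",
            # the DNS hostnames toggle the session switches on before launching instances
            "EnableDnsSupport": True, "EnableDnsHostnames": True,
            "Tags": _tag(name)}},
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway",
                            "Properties": {"Tags": _tag(name)}},
        # an Internet gateway is useless until it is attached to the VPC
        "IgwAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
            "VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"}}},
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {
            "VpcId": {"Ref": "VPC"}, "Tags": _tag("public")}},
        "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {
            "VpcId": {"Ref": "VPC"}, "Tags": _tag("private")}},
        # The single route that makes the public table public; the private table keeps
        # only the implicit local route, exactly as in the console.
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttachment",
                               "Properties": {"RouteTableId": {"Ref": "PublicRouteTable"},
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": {"Ref": "InternetGateway"}}},
    }
    for logical, cidr, az, public in subnets:
        res[logical] = {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "VPC"}, "CidrBlock": cidr, "AvailabilityZone": az,
            "MapPublicIpOnLaunch": public,  # assumption: auto-assign public IPs in public subnets
            "Tags": _tag(logical.lower())}}
        # the association is what turns a subnet into a public or private subnet
        res[logical + "Assoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
            "SubnetId": {"Ref": logical},
            "RouteTableId": {"Ref": "PublicRouteTable" if public else "PrivateRouteTable"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": f"{name} VPC from the session lab", "Resources": res}


def public_subnets(template):
    """Logical ids of subnets whose route table has a 0.0.0.0/0 route to an Internet gateway."""
    res = template["Resources"]
    igw_ids = {k for k, r in res.items() if r["Type"] == "AWS::EC2::InternetGateway"}
    public_tables = set()
    for r in res.values():
        if r["Type"] != "AWS::EC2::Route":
            continue
        p = r["Properties"]
        if p.get("DestinationCidrBlock") == "0.0.0.0/0" and p.get("GatewayId", {}).get("Ref") in igw_ids:
            public_tables.add(p["RouteTableId"]["Ref"])
    return sorted(r["Properties"]["SubnetId"]["Ref"] for r in res.values()
                  if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"
                  and r["Properties"]["RouteTableId"]["Ref"] in public_tables)


if __name__ == "__main__":
    template = build_template()
    print(json.dumps(template, indent=2))
    print("public subnets:", public_subnets(template))
```

Write the JSON to a file and deploy it with `aws cloudformation deploy --template-file webinar-vpc.json --stack-name webinar-vpc`; running `public_subnets` on any template before deploying is a quick check that no subnet is public by accident.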
I'll go to EC2. For some reason I have a running instance there; I will leave that. I'm going to launch an EC2 instance: I'm going to put one instance in the public subnet and one instance in the private subnet, and I'm going to show you how that communication is going to work. I select t2.micro and go next. Now it's important to remember here that I select my VPC and put it in public-1a.

One thing I forgot to do before that: when you create your VPCs, by default they do not actually do DNS hostname resolution. As you see here, for my VPC it says DNS hostnames: no, which means I cannot use any particular hostnames for my systems within that VPC; it's not going to work. So let me change that to yes: I select the VPC, go to Actions, go to Edit DNS hostnames, and set that to yes. Now I can launch instances with hostnames; before that only IPs would work.

So I select my VPC here, I select public-1a, I assign it an automatic IP address (I'm not assigning it an elastic IP, just a dynamic IP; I will show you later how to assign an elastic IP), and I assign it a role. If you don't know what a role is, that's basically some permissions for accessing other services on AWS. I'm giving it some permissions because I need to show you the command-line interface. Next, add storage, next. I'm going to create a new security group here; I will discuss in detail what security groups are, guys, so just hold on for a second. I'm just going to create a new security group here which gives me access to SSH on this system. Review and launch, and launch it.

I am also going to launch a second instance, and this instance I will be launching in the private subnet, so I will do it in private-1b. Because this is the private system I am not going to assign a public IP to it; it's in the private subnet, and even if it had a public IP it's no good. I'm not giving it a role right now. Storage, next; tags, I'll tag it as private. Now, because I already created a security group, I could assign it that one, but in fact I will create a separate security group, because I need to show you how communication between security groups actually happens. I will name this one private. Obviously this is a private system, so I'm not going to allow SSH as of now. Let's just give it a second as the systems come up.

OK, so first I'm going to connect to the public system. As you can see, the public system already has an IP address because I set auto-assign public IP, so I will copy that public IP address and paste it here. As you can see, I logged into that instance by using the public IP address. Now this public instance, because it is in the public subnet, if I say "ping google.com" you can see it is pinging right now. Also, if I try connecting to the private IP of the other system in the private subnet, this is the private system, I'm going to ping it... no response. Any idea why? OK, so this is where security groups come in, guys. I'm going to move away from the labs for a few minutes and explain the concept of security groups.

There are two parts to security on VPCs: one is something called network access control lists, or NACLs, and the other is security groups. I'm going to cover security groups now, and I will show you NACLs in the practical section. When we look at our VPC and our subnets, we have our EC2s inside those subnets, and each instance is actually protected by something called a security group. Now remember that the security group is actually protecting the individual resources it is assigned to. For example, I have another EC2 in the same subnet; even if I assign that EC2 to the same security group, it is still going to cover that EC2 instance individually, and if I have another instance with a different security group, that is obviously going to cover that instance individually as well.

Now I want to take this a little bit further and explain this. You have security groups here: security group one I have assigned to two instances, and security group two I have assigned to a third instance. Remember that the properties of security group one are exactly the same everywhere; security group one is security group one, there are no two versions of it. So if I say allow port 80, this security group one is going to allow port 80 and this security group one is also going to allow port 80. However, remember I told you that each instance, each resource, is individually covered by the security group. What I mean by this is that if instance number one wants to communicate with instance number two, technically what's happening is the communication is going out of the security group and then re-entering the security group. It's not an internal, within-the-security-group communication; it's literally exiting that security group and coming back in. When I say this, I'm not saying that's technically what's happening, but I want you to understand the concept behind it, because if you want system one and two to talk to each other on, let's say, port 22, which means I want to SSH from system one to system two, for that to happen I have to have a rule in my security group saying that port number 22 should be open from security group one to security group one. Although it is the same security group, I still need to specify that rule, because technically what's happening when I try to communicate with another instance within the same security group is that it is actually
leaving that security group and reentering it so if I don't specify this like a reentry it's not going to work right it's not going to allow the communication to happen so I need to open ports for the same security group to itself otherwise sometimes the internal communication is not going to happen obviously if I want to do security group two like if I want to do 420 to inbound on security group - I have to allow for 22 from security Group one to security group - I have to allow that all right however if instances between security group also wants to communicate with each other on 422 need to allow that saying security Group one to security Group one should be allowed access to each other all right what's happened right now is my first instance I have one security group and my second instance I have another security group when I am trying to ping this system it's not working because I have not allowed any kind of rules for the security group at this moment one important thing to understand here is that the default of a security group is to allow all outbound deny all inbound that is a default of a security group all right so it's allow all outbound deny all inbound which means you don't have to specify rules for outbound communication because it's all allowed by default of course you can change that however if you want to allow anything inbound you have to specify that separately in order to allow the inbound so my private instance isn't security group two so I should have a rule that allows security group one access for the ICMP port for pinging right otherwise it's not going to ping because it's not going to allow it now the best thing to do here is rather than allowing individual systems it is better you give access to the whole security group for example I have my ec2 instance here in the price the private ec2 instance and I want all the systems to be able to ping it right so I will give inbound access for sg-1 for ICMP protocol then what happens is even if it 
is this system in s t1 or even if is this system in sg-1 it is should still should be able to ping it because it is actually allowing sg-1 and not individual systems so it's always better you allow security groups as a whole rather than individual instances because if you allow the security group as a whole you can allow any group any instance that is associated to the same security group access to the resource I'll just show you this in a little bit more detail in the labs here so I have my private and my public one right I will go to my private ec2 instance and see it's actually associated with my private security group so I will go there this is the security group editing option guys so I will go to inbound now I am in the inbound rule for security group - okay so I am allowing open inbound access on security group - so I will edit that I have an option for ICMP here but I'm not going to do that I'm gonna do all TCP okay because those are systems that internal system so it's fine I can allow it but of course if you want to specify a certain protocol as well you can do that but I'm not gonna do that for now all right I'm just going to do I can do a custom ICMP rule here if I wish to but I'm just gonna do it all TCP so here I have to specify the source now if I type in SD hey you going to show me all my security groups so I am allowing any instance in the webinar security group access on all the ports into this security group that's what I'm doing I am allowing access to all instances in the webinar security group into this private security group so any instance in this should now be able to talk to each other now one more thing about security groups is that security groups are it can it can actually allow the communication back in on the same port for example I have my ec2 in the I will submit here and let's say I want to talk on 425 okay and I have another ec2 here now this system in sg-1 talks to this system on SG 2 on port 25 I have an entry over here that 
says allow sg-1 access on port 25 so it is able to allow it now when this communication comes back in I don't need to open a port here for 25 I don't need to do that I don't need to do that for security groups because it knows that this is the same communication that went out so it will actually allow that communication back in so I don't need to specify a second inbound rule here it will automatically allow that rule back in for any rule that is specified out obviously it has to be coming from SG to itself alright it should not be coming from any other security group it's not going to allow sd3 to come back around 425 if there is no rule here technically what I'm trying to say here is that if you allow an outbound rule for a particular port by default it will allow that inbound rule as well for the same resource okay not for different resources so if 425 is allowed on SG 2 it'll only accept 425 back in from is due to all right not the other way round so if I go back to my okay so I have allow that so now let me try pinging it again interesting what did I miss instances when our private in our public private is cloud all inbound as G Save now by default SSH is available in all of them this is a networking issue that's why it's not able to ping it right it's it's not a application issue because it's not able to ping so it's it's not responding to the pink right let me check what else is wrong here ten or 0.21 dot one zero seven okay I don't know if this is the secretary group related issue I'll just open that up oh okay I see what I did wrong okay I actually allowed all TCP I should have allowed all traffic because pinging is ICMP protocol so obviously it's not TCP protocol so that so it was not working so I'm allowing all traffic and I'm saving it now if I ping there you go sigh clipping you know obviously it was ICMP that so he was not pinging I had selected all TCP instead of all traffic all right okay so let me now show you this give me one second guys let me 
just get onto the other system with my booty settings here so I'll come back to this towards the end of the session so for now what we will do is I will go ahead and create some s3 endpoints and show it to you how it works okay one thing I want to show you is assigning elastic eyepiece it is pretty simple guys when you want to assign elastic eyepiece is core elastic IP allocate a new address okay so you now you got a permanent IP once you get the permanent IP you just need to associate it with an interface alright so I will refresh that I will associate the address so I will associate it with the network interface of either one of the instances or if I select instance I will get the instance ID right so I can assign it to the private one if I wish to but I'm not going to be doing that because obviously my ec2 instance is in the private subnet second all you need to do is once you do this and you hit associate that system is going to get that IP address I'm just going to show it to you over here once now if I go refresh my ec2 as you can see my private ec2 instance has now an elastic IP attached with it but obviously it's of no use because it's been my private subnet right I cannot make use of that unless I enable an internet route out to the Internet gateway so that's all with regards to elastic IPS if you ever need to assign one obviously you need to disassociate the address if you need to delete it so disassociate and then release it so those are the two steps first you acquire the IP and then you associate it and once it's associated you disassociate the IP and then release it right if you want to ever use that endpoints like I mentioned if you want to talk to s3 or something privately that's the way you have to go with end points where you can directly communicate with the service over the endpoint rather than going over the internet to communicate with the s3 buckets for example if I create an endpoint here it's asking what do I want to create the endpoint for 
so it's either an AW service or I can find other services or there are actually marketplace services so the marketplace service and service provider podcast this is actually part of the part 2 session because this is talking about using endpoint for public services so that's different for AWS services as you can see here there is dynamo DB and oops so in this list if you look at gateway you have dynamo DB and s3 shown as gateway so these are basically the VPC endpoints and if you look at all of the other ones it says as interface so if you remember I kind of touched on the interfaces as well which is endpoint interfaces which actually creates an elastic network interface inside a subnet so for all the other services which is easy to API is messages elastic load balancing service catalog all of these you can actually do the interface and for s3 and dynamic DB you will have to do the you'll have to do the endpoint all right so I'm not activating this right now because my putti is not proxying onto the second system so I'll come back to this particular section once we have covered with all of the other topics guys because I need to show you getting on to the private system and then making use of this endpoint alright so I will cancel that for now dhcp option sets so this is basically where it allows you to configure the DHCP options now remember there is the IP address which is dot two that is reserved for the DHCP within the AWS network so if you would like to configure custom DHCP settings for example if you want to give your systems or custom host names with your custom domain names you can actually do that if you are also using let's say a Windows system which has which has its own DNS server you can actually read out all your DNS queries to that server and not use this one so this is where you actually configure your DHCP options almost all the time unless you have your own custom DNS server you are not going to touch this you're just going to leave it at the 
default this will be covered as part of the second section where we are going to show you more advanced in depth we're using a DNS server and how you will route all the DNS I'm sorry how you will route all the DHCP queries to that DNS server alright so if you have any custom DNS servers that you need to mention here you can do that but right now we don't have any custom DNS servers so we'll put that for the next section alright let's talk about nat gateways so we have a private system that does not have communication out to the Internet right so again let me fix that proxy thing with my booty and I will show you this so for the time being guys once I've fixed the proxy part I will come back to this but I will continue with the remainder of the theory part I'll come back to the practicals once again okay I will pause here for a second and ask if you have any questions for whatever we have covered so far guys okay let me quickly show you the network access control lists so whenever you create your V PC it has certain inbound and outbound rules that are associated with the V PC and these are also associated with your subnets okay these are basically known as knackles network ACL this is nothing but you're just specifying what port has what port is allowed inbound and what port is allowed outbound now there are a few difference here between knackles and security groups so I'll just show that you on the slides here the security group like I said it operates on the instance level while the network ACLs actually operate on the subnet level all right the security group allows only allow rules which means you can't do deny rules by default in the security group it's all allow outbound traffic okay which is the third one here allow rules allow our bound traffic but it is inbound denied so we have to allow the inbound on the security groups on the network ACLs you have to specify both allow and deny rules like I've already mentioned security group is stateful so return 
traffic is automatically allowed so you don't need to specify any particular ports for return traffic for that same security groups however for the network SES that's not the case it is stateless you still have to specify which port should be allowed back in in security group it looks at all the rules before it decides what to allow and what to deny in network ACLs it looks at the rules one by one and then either allows it or denies it I will show you this in the console just give me a second the security group applies to the instance only if someone specifies it but the network ACL applies by default no matter whatever you're doing it applies by default to the subnet so when you have a subnet it will apply by default to it security group unless you assign a particular security group to an ec2 instance it does not get applied to that there is no default in that now I'll just show you the knackles here okay so you see these are the inbound and outbound rules for the knackles okay unlike security groups the first rule is allow all traffic inbound okay that is for ipv4 and this is the second rule for ipv6 after that you can see there is a rule which says all traffic deny all traffic deny so there is both an allow and deny rule so how is it still working because in network access control lists it goes line by line so it looks at the first line if there is a rule that allows it it's allowed in ok it doesn't look at all the other rules so when you are actually specifying rules here you have to be careful because you have to put your most highest priority rules on the top because it executes one rules at a time it doesn't look at all the rules together unlike security groups where if you have ten rules to look at all the ten rules together and then there is if if there is a deny it will actually deny it it doesn't look at one by one rule same thing applies for the outbound for network access control list as well where all outbound is by default an out as well as denied so 
it looks at the first rule when some communication comes in and it allows it so you have to be careful in terms of specifying the rules here when you do specify the rules here I would suggest that you leave at least some space between the rules for example this is rule number 100 okay and this is rule number one not one don't create another rule with one not two rather create a rule with something like 200 so that if you have to create another rule in the future which is taking higher priority you can create it between 100 and 200 ok so let's say you have a new rule that you created let's say you created it as one not two but then you have a new rule that you want which is supposed to be higher priority than one or two then you cannot do anything you have to literally replace that rule right so that that's that's not a good idea so leave some space between the numbering so do hundred two hundred and fifty then do two hundred then do two fifty so leave some numberings in between so that if you have to plug in a particular rule in the future with a higher priority you can plug it in without actually having to change or delete anything alright any questions between security groups and network access control lists that goes remember the knackles applied directly on the network on the subnet level the security groups apply only on the instance level or on individual resources whether it's your ec2 instance or your RDS instances whichever they are they apply on it individually why elastic IP does not show any IP tab but shown in ipv4 public address you mean to say here that any public IP whether it is a elastic IP that you assign or whether it is a automatically assigned IP that is going to show up here if you have multiple IPS that is also going to show up here so I can attach multiply peace to the system that's always going to show up here so it depends on how you're working with the knackles and the security groups on what applications you are dealing with remember 
that with security groups there is no deny there is only allow okay so you're just dealing with one side of the things so it doesn't really give you control over the deny part you are because by default everything is denied you are just allowing it one by one right having said that do understand that the security group is the first layer of Defense so you have to make sure that your security group is configured as granular as possible rather than your network control network access list so this is how you add the rules guys just come to the naku you can add another rule here you can give it a rule number like 200 we define what is the protocol or what is the port you define the protocols again you define the port range whether it's a single one or all of them then you define the sources well all right obviously I'm not going to specify that now okay let me quickly wrap up with the remainder of the PPT guys okay so let's look at the two other aspects that I told I will cover in detail in the second section one is VPN and Direct Connect now AWS offers VPN connectivity into your V PC you can actually make the connection using IPSec protocols it can either be static routing or dynamic routing it is a s 128-bit encryption which sha-1 hashing function when you create an IPSec when you create a VPN connection you basically get to IPSec tunnels per VPN connection alright we'll take a closer look at how that essentially translates to so let's say this is your corporate office on the left side and this is your corporate office all your data center or whichever it is and let's say you have an IP address range of 192 168 0 dot 0 slash 16 that is your local network range and let's say you have a V PC with 10.0.0.0 slash 16 you will establish a VPN connection between the customer gateway and the virtual private gateway or the vpg once you do that it actually creates two separate tunnels which gets to endpoints on the Virtual Private Gateway alright and the routing is pretty 
simple the local network will advertise the routes to the VPN on the other side and this VPN connection will advertise the routes this way so now let's see if these systems wants to communicate with one of the systems in your corporate network let's say this one of the instances actually wants to communicate with 192.168.1.5 teen okay so that will come to the router the router will look at the route table and it sees an entry for 192 168 0 dot 0 slash 16 and as you can see the entry actually goes to virtual gateway right so that communication gets forwarded to the virtual gateway that sends it to the customer router then obviously the customer order will send it to the private IP as well it's simple it's same as what you would have with your you know route tables that you create for the internet gateway etcetera right as long as you have the routing information properly mentioned in the load table that should be fine now this is static routes right this is static VPN where you're assigning a certain static route on to your VPN the problem here is that if a tunnel goes down you have to manually work with this because it's not automatically going to fix or failover to the other tunnel because it's static routes in that sense you can actually do dynamic VPN when you do dynamic VPN what happens essentially is bgp comes into play now for those of you don't know bgp this is actually a networking term which is boto gateway protocol which actually is dynamic ok it's has something called an ASN number an ASN number is kind of the network path so when you look at the number and you say bgp ASN is one seven four nine three this is the number of AWS alright the router that you have know is the route to take to go to that yes number right so what happens here with the dynamic VPN is the fact that you don't have to worry about tunnels failing and all of that because bgp has dynamic negotiation if one of the tunnels fail it has the capacity to actually switch over to the other 
tunnel as well and you don't have to do any static routing here however the concept of route table still applies where if you want to send traffic between your networks you have to mention as to where it ends up you will have a similar route table obviously in your router over here as well which is all traffic destined for 10.0.0.0 slash 16 it is supposed to go out through the VPN connection all right any questions here on EPS guys I will show you in the console how to create a VPN connection but I was trying to set up a router over here for you for to show you how this works unfortunately that router failed today morning so probably next session I will show you how to do the actually apply the settings on the router so that you can see the VPN connection happening from both sides any questions here on VPN now remember I will be covering this in much more detail in the part 2 section of the webinar hopefully another day what is the benefit of Iping attaching IP directly to ec2 you know okay I will come back to that any questions on the VPN side guys all right one more option you have is resilient VPN connectivity which means you are having multiple customer routers you have something called ibgp you have something called ibgp we does internal BGP between all your routers and then you have your connection that is the me BGP connection that goes across to the internet that goes across to be little private gateway so as you can see here you have resilient connectivity between both of your routers so you have four tunnels across two VPN connections here that are terminating on the same which will private gateway connecting to your V PC when you have multiple V pcs you can still do the same thing where you can have literally multiple VPN connections that are spanning across both your routers that are connecting to both the V pcs right so in this particular webinar it's all it's all been about a single V PC guys so in the next one we will be looking at how to go from one 
V PC to multiple V pcs right so in that we will discuss more about hub-and-spoke model of V pcs things like transit V pcs Direct Connect gateways etc alright so let's talk about Direct Connect Direct Connect is basically an option for you to have physical connectivity directly into AWS what you get is you get a direct dedicated connection that runs directly to the AWS equipment at one of the data centers that it applies is partnered with all right this is not inside the AWS data center but it is with one of the partner data centers this is a direct connection into AWS which means it's a private connection whatever communication you are actually doing between your your offices or your data centers and the AWS environment it is going to be private it's not going to go over the Internet it is going to go over that dedicated line that you have it reduces your bandwidth costs very much because you are not paying for the public Internet you are just paying for a lower cost that you would pay for the dedicated connection bandwidth now remember it doesn't mean that the actual connection is cheaper because sometimes the dedicated networks actually do cost more in terms of setting however bandwidth costs are much much more lesser than how much you would pay for internet bandwidth you get consistent network performance because this is a private connection it is not going over the Internet again you have certain SL s that are there to be met in this range the speed can range anywhere between 50 Mbps to 10 gigabits per second so this is how it looks in terms of connecting your data connecting your data center or your office to AWS so there is something called a reconnect location where AWS has their routers that are there in that location now remember this is not the AWS data center rather it's another data center outside of AWS where they have kept their routers waiting for an interconnection from you let's say you also have co-located in the same data center and you have your 
own routers in that data center you can essentially establish a connection between your data centers and that location then you further establish a connection between your router and the direction X location so as you can see here the Demark location is the direct connection location alright that is the place where AWS has their own routers which allows you to go across connect on to their network you have to get something called an Loa in order to make that connection happen but once you do that you essentially have a private connection all the way from your data center or your premises directly into AWS this is not going over the Internet you also have another option let's say you of you do not have the resources to actually run your own equipment within the direct connect location what you can do is you can actually take the help of some somebody known as a direct connection partner write this let's say somebody like Verizon somebody like C fee in India somebody like Airtel Tata Telecom etc they actually have their own equipment that is already located in the same data centers as the AWS routers what you can do is you can request for a connection with with the direct connect partner so the connection between your premises and the direct connect partner will be taken care by the direct connect partner right basically whether it is something like Tata telecom or Verizon whichever it is you will be paying for this much part they will then make an interconnect into the AWS routers in the direct connect location and you will get access directly like that this actually lowers your cost and and it doesn't actually give you the headache of managing your own equipment there you can connect to any one of the direct location partners when we talk about redundancy in this you can think of it like this where you have two different direct connect locations for example in India there are multiple direct connect locations there are known by Bangalore etc so you can actually do 
a direct connection through two different locations in order to get redundancy well when you talk about redundancy never stop at 1:02 you can definitely go ahead and do multiple redundancy as well which means now you can have four direct connect location for direct connect connections going through two different direct connect locations all right it's a little bit forward there alright so I into cover this in much more detail in the next webinar guys so hopefully I'll send out the dates and the time frames later on so VPN and reconnect so what's in the next session guys it is basically about going from one V PC to multiple V pcs so when we have 5 10 50 100 200 300 B pcs how do we start dealing with them how do we do transit V pcs where you have all the traffic passing through a single V pcs then connecting to all the other V pcs we look at something called private links as well then obviously we will go in-depth into the hardware and software VPN setups we look at something called between cloud hub we look into more detail about Direct Connect itself something called a connect gateway then we'll talk more about public waves and private waves and global public waves and all of that that comes along with the direct connect setup all right now I just want to quickly demonstrate this V PC pairing guys if hopefully there's some time here ok I want to show you VPC peering so I'm going to create another V PC and let's say I'm going to do a 10 dot 0 dot 0 okay so I have a new V PC there let me create a subnet for that okay I have crater 2v pcs now one is a 10.0.0.0 and one is a 10.1 dot 0 dot 0 ok so I'm going to connect both of these V pieces together and enable V PC peering ok so let me first go ahead and launch an instance in the second V PC okay I need to connect it to an Internet gateway I know we are past our scheduled time guys just give me another ten minutes and I'll try to wrap this up so I'm just adding a new route on the new sub nu V PC route table sending into 
the Internet gateway so that I can connect with that easy to instance so this is my first instance in my first VPC and this is my second instance in my second VPC so I need to get them both communicating with each other at the moment they won't be talking because they aren't completely different PPC's all right so if I try to ping them they're over you're not going to work so from my first instance if I go ping the one it's obviously not gonna work right I haven't opened up the security group but even if I did it's it's not going to work right now so what I'll do is I'll go to my V PC okay I'll go to peering connections I will create a peering connection this is basically I'm connecting to V pieces together I will give it a tag test there is always a requesting V PC and an accepting V PC all right it doesn't really matter the difference here is that if you're actually trying to reappear to V pcs across two different accounts then this matters as to you know who's the requester and who's the acceptor but right now both of these are in our account so it doesn't really matter so I will send the requester as webinar and the other V PC is in my account it is in the same region and I will give the other name and I will create the connection it's as simple as that that's it you just select both the V pcs and that's it now it shows that it isn't pending acceptance I just need to go to the acceptance tab and accept this okay so I'll go to the V PC okay under the peering connection just select the peering and just do accept request accepted that's it so now my peering connection is established however that's definitely not the end of the story because we have to configure our router tables now so now let's go to route tables and where is the euro table of my new system so this is the route table of my second PPC right that is 10.1.1.10 sure so let's 10.0.0.0 slash 16 there should I be setting it to guys any idea any idea where I should be sending this traffic to you okay 
it's simple I just need to send it to the peering connection PCX this one I just need to send it to the peering connection right so it will automatically send it to the peering connection save it now I need to do the same thing in the other side as well so I'll go to the other side I will edit it and I will create a route for the other V PC which is 10.1 not 0 0 / 16 any request that goes to that IP range send that to the bearing connection as simple as that so I will save that saved it so the peering connections are saved now I'll just go make sure that the security group is also working I will edit this I will add rule all traffic from obviously it said it's not going to show me because that security group is in a different VPC it's not going to show me the security groups of the other VPC right so in this case I will have to specify the IP address now I'm just going to quickly just change this to just ICMP and I'm going to leave it to anywhere because I don't want to open up the whole thing be more specific let me let me delete that i simpiy 1 I will do a droll I will do all traffic and I will do custom IP ok what is the IP address of my first instance it is 10 dot 0 dot 1 dot 2 to 8 so that's 10 dot 0 dot one dot 2 8 / 32 remember I cannot just put in a single IP as such I need to specify the cider notation so that's why I'm putting it as slash 32 and I will save it okay so let's try this now there you go guys so it's actually bringing from one network to the other network using the peering connection so this is system ten dot zero dot one dot two to eight it is pinging system 10.1.1.1 I hope that demonstrates the peering connection any questions here with regards to V PC peering guys all right I'm gonna delete these V pcs and I'm gonna show you how you can do things why are the command-line interface so let me delete all my VP C's first okay I need to kill my systems first now it's a security group that is default denial not the knuckles knuckles is default 
allow, both inbound and outbound. You saw the rule in the NACL, right, which was... the first rule was allow all, right, on both the inbound and outbound, so it is directly allowable in that. That is why we are changing the security group, because the security group by default is deny all inbound, allow all outbound. That is why we had to open the port on the security group, okay. I just want to quickly show you how to do the creation of the VPCs through the command-line interface, so I'm just waiting for these instances to be terminated. Okay, so let me kill my VPCs. I actually should not have killed my first instance, because I needed that, okay. While it's deleting, guys, I just want to quickly say that we do have another AWS Solutions Architect batch that is actually starting on Monday, so if anyone is actually interested in joining it, I think you guys already have the link; if you do not, you can just go to EECOM.in/training and the AWS Solutions Architect course. It's a 15-day course, guys, and it's myself that I'm taking it. We do have multiple batches, so depending on which batch is more full we will go ahead and do that batch, maybe two batches also. It's a 15-day course, guys. There is actually a thirty-five percent discount on the total of nineteen K for those who are interested in doing the actual Solutions Architect course. It's starting this Monday, so if you would like to join in, please do let me know before end of day today or tomorrow so that I can get you registered on it. All right, okay, so our VPCs are deleted, so now I'll show you how you can actually create them directly from the command interface. All right, so let me log into this instance, right. This is configuring the AWS command-line interface, so I'm now ready to pass commands to directly work with regards to creating VPCs or all of this, right. So let me go to the VPC. So you can see there is nothing here except the default VPC, right, and the subnets are all of the default VPC; there's nothing that we created.
Route tables again, it's just the default route table for the VPC. The Internet gateway is also deleted, all right. So rather than going through the buttons on the console, guys, you can always directly pass command lines in order to create anything on AWS, literally. So in order to create a VPC it's pretty straightforward: aws ec2 create-vpc, and you specify the CIDR block, all right. So this is just one line of command. I hit enter, there you go, the VPC is created. I refresh this, there you go, my VPC. You see how quick it was, rather than going through all those and selecting different options and doing that and doing this. That's it, I just passed a one-line command for the CIDR range and it created the VPC. Now that I have the VPC ID, I can pass the remaining commands in order to, you know, create other things on the VPC, right. So let me show you the other commands. Now let's say I want to create a subnet, right. I specify this command, which is create-subnet; it just creates a subnet. I give the VPC ID and I give the CIDR block of the subnet, okay. Before I do this I'll show you that there is no current subnet right now: if I go to subnets there is no subnet here other than the default ones for the other VPC, okay. So I'll hit enter on that, there you go, it's created a subnet, there you go, 10.10.1.0/24. Let me show you the remaining. Let me just copy over the VPC ID. There are of course parameters that you can specify; for example, here I just created the subnet without specifying the availability zone. If I want to, I just need to do availability zone and I specify us-east-1a, and I change this CIDR block to zero. There you go, it's actually created one more in us-east-1a, there you go, us-east-1a, right. So you can specify additional parameters if you wish to. So let me create a route table as well for you. Again, route table creation is pretty simple: create-route-table, and pass the VPC ID. There you go, the route table is created. Now if I go to route tables I have a new route table that is created, which is not the main; the main route table is always there, but then I created an additional route table. Now obviously, if I want to create an Internet gateway as well, simple, I'll just enter create-internet-gateway. There you go, my Internet gateway is created. Now I need to associate this Internet gateway with my VPC that I have. That's also just one line of command: attach-internet-gateway, Internet gateway ID and VPC ID. There you go, it's attached. So if I now go to my Internet gateway, as you can see, it's created the new Internet gateway and it's already attached it to my VPC as well. Now let's go ahead and create an entry in the route table, all right. So let me go to route tables, let me copy the route table ID, which is this. So it's clear that I'm creating a route entry inside the route table, which is the same thing as I mentioned for our Internet gateway, which is 0.0.0.0/0, and it is going to the gateway ID. And is that my Internet gateway? Let me check. It's not my Internet gateway, right. Before I pass this command, I will just show you the existing route table, so under the existing route table there is nothing there now except for the local route, right. So I will enter this. Small error in the command. Refresh, there you go, done, it's added the new route. And as a final step I will go ahead and attach the route table; I will attach a subnet to the route table, right. So I will take my subnet ID first. So I am associating my route table with my subnet, right, pretty simple. So I'll mention the route table ID and I'll mention the subnet ID. Let me first show you that it is not associated right now: if I go to my route tables, subnet
associations, there is nothing associated as of now. All right, so I will pass that command. There you go, the association is done. Now if I go to route tables and refresh, as you can see, there is actually the route table association. So we did all of this by just passing four or five lines of command, right? So you can see how you can actually do this, you know, through the command-line interface, where you can literally manage any service on AWS. Especially with networking, it's much easier through the command line than going through all of these buttons and clicking and adding certain boxes; you might miss some. Instead you can just run a single command to get a lot of things done. Obviously you can go more advanced and do things like CloudFormation and all of that, which is a totally different thing, but if you do that, at a single click of a button you can get exactly your VPCs, your subnets, your route tables, your Internet gateway, you know, everything in one go, right. You don't need to spend a lot of time trying to manually create it. All right, guys, with that we have come to the end of our current webinar session. I'd like to thank you for listening in, and if you are currently watching this via the YouTube window, or if not, you can just click on the YouTube window and you can click on the subscribe button, so that if at all in the future there are new videos that are added or, you know, new sessions, you can actually get notified of those sessions. So please do subscribe. Also, like I've mentioned, any of you who are interested in actually doing the full AWS Solutions Architect course, I'd be more than happy if you would actually go ahead and register, so that we have a batch starting on Monday. All right, once again I'd like to thank you for listening in. I will try adding that bit about the private connectivity once I fix the proxying on my PuTTY correctly so that it passes the key. I actually want to demonstrate to you how to do the jump host, which is going from the public
to the private using the private IP and then trying to reach out to S3. So I'll try to add that to the end of this video later on once I fix that; if not, I'll post it in another video as well. Once again, guys, thank you for listening in, and if you do have any questions before we end for the day, I'll give you another four to five minutes to clear out any doubts or questions that you have. I will be putting out a notification as well, and since you have already subscribed, guys, you will be part of the mailing list, so if at all there are any new sessions coming you will get to know the dates and everything, so no worries there. We currently don't have DevOps, but hopefully in the next month or two we'll try doing that. Like I've mentioned, guys, I do have a company to run, so I cannot do trainings 24/7, so I'm just sticking to the Solutions Architect course as of now, because what you get from that is, see, we deal with a lot of clients on a daily basis, right, and we architect solutions for them. So what you get from the course is actually those real-time scenarios, where we look at those solutions and we talk about how you design those solutions and what are the different scenarios that you would use for different applications or different environments, etc., right. So as of now I'm just sticking to the architect side of things. Hopefully in the future, next month or two, once things actually clear up a little bit, because we're dealing with a lot of things right now, so once that is done and I find more time, I might be able to do a session on DevOps. Suresh, I would recommend you hit the subscribe button; once the video is up you will get the direct notification of the link. It should be on the same YouTube channel; you can just come to the channel, the name is EICIT Learning. All right, guys, so it's touching close to 8 o'clock now. Sorry we had to extend by another half an hour. Hopefully in the future, for the next session, we'll cover a little bit more in depth on the VPN
side and the Direct Connect side. Also we will discuss having multiple VPCs; like I mentioned, things like transit VPCs, etc. I hope you found this session helpful and informative. I would really appreciate it if you could leave some feedback or comments once this video is up, and I'd like to hear back from you if you have any other comments. Right, guys, if you have any other feedback I'd love to hear it from you. The PPT won't be shared, but the video will be available, so you can take a look at it. All right, guys, thank you, and you all have a good day, a wonderful night ahead, and for some of you good morning for the rest of the day. Bye-bye, guys, thank you.
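The peering demo above depends on three things the speaker sets up by hand: the two VPC CIDRs must not overlap, each side's route table needs its own route to the other VPC's CIDR pointing at the peering connection (peering is not transitive and one-sided routes silently fail), and the security group rule for the remote host has to be written in CIDR notation as a /32 rather than opened to anywhere. The following is an added example, not code from the webinar or from AWS, that checks those three conditions offline over a constructed model of the session's two VPCs (10.0.0.0/16 and 10.1.0.0/16, instance 10.0.1.228). The `Vpc` and `SgRule` classes, the function names and the `pcx-EXAMPLE` / `vpc-a` / `vpc-b` identifiers are placeholders of this example, not real resource IDs; a practitioner would feed it the output of `describe-route-tables` and `describe-security-groups` instead of the inline data.

```python
"""Offline sanity checks for a VPC peering setup (added example, not the webinar's code).

Models the two-VPC peering shown in the session: 10.0.0.0/16 peered with
10.1.0.0/16 over one peering connection, a route table on each side, and a
security group rule admitting the remote host. All IDs and values below are
constructed placeholders, not real AWS resources.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    vpc_id: str
    cidr: str
    # destination CIDR -> target ("local", an igw-..., a pcx-..., etc.)
    routes: dict[str, str] = field(default_factory=dict)


@dataclass
class SgRule:
    protocol: str      # "-1" is how AWS expresses the console's "All traffic"
    source_cidr: str   # what was typed into the "Source" box


def peering_issues(a: Vpc, b: Vpc, pcx_id: str) -> list[str]:
    """Return findings for the peering between a and b; [] means routing is complete."""
    issues: list[str] = []
    net_a = ipaddress.ip_network(a.cidr)
    net_b = ipaddress.ip_network(b.cidr)
    # AWS refuses a peering connection between VPCs whose CIDR blocks overlap.
    if net_a.overlaps(net_b):
        issues.append(f"{a.vpc_id} {a.cidr} overlaps {b.vpc_id} {b.cidr}: peering cannot be created")
    # Peering needs an explicit route on *each* side; a route on one side only
    # means requests leave but replies never come back.
    for src, dst in ((a, b), (b, a)):
        target = src.routes.get(dst.cidr)
        if target is None:
            issues.append(f"{src.vpc_id} has no route for {dst.cidr}")
        elif target != pcx_id:
            issues.append(f"{src.vpc_id} routes {dst.cidr} to {target}, expected {pcx_id}")
    return issues


def sg_rule_findings(rule: SgRule, expected_host: str) -> list[str]:
    """Check that a rule meant to admit one remote host is written as a /32."""
    findings: list[str] = []
    if "/" not in rule.source_cidr:
        # The console only accepts CIDR notation; a single host is x.x.x.x/32.
        findings.append(f"source {rule.source_cidr} is not CIDR notation; "
                        f"a single host is written as {rule.source_cidr}/32")
        return findings
    net = ipaddress.ip_network(rule.source_cidr, strict=False)
    host = ipaddress.ip_address(expected_host)
    if net.prefixlen == 0:
        findings.append(f"source {rule.source_cidr} allows anywhere, not just {expected_host}")
    elif host not in net:
        findings.append(f"source {rule.source_cidr} does not include {expected_host}")
    elif net.num_addresses > 1:
        findings.append(f"source {rule.source_cidr} covers {net.num_addresses} addresses; "
                        f"use {expected_host}/32 for one host")
    return findings


if __name__ == "__main__":
    # Constructed data mirroring the session: only side A has its peering route so far.
    pcx = "pcx-EXAMPLE"
    vpc_a = Vpc("vpc-a", "10.0.0.0/16",
                {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE", "10.1.0.0/16": pcx})
    vpc_b = Vpc("vpc-b", "10.1.0.0/16", {"10.1.0.0/16": "local"})
    print("before fixing side B:", peering_issues(vpc_a, vpc_b, pcx))
    vpc_b.routes["10.0.0.0/16"] = pcx
    print("after fixing side B: ", peering_issues(vpc_a, vpc_b, pcx))
    for rule in (SgRule("-1", "0.0.0.0/0"), SgRule("-1", "10.0.1.228"), SgRule("-1", "10.0.1.228/32")):
        print(rule.source_cidr, "->", sg_rule_findings(rule, "10.0.1.228") or "ok")
```

Run it as a script to see the one-sided route flagged and then cleared, and the "anywhere" and bare-IP security group sources flagged while the /32 passes. The route check is deliberately symmetric, because the most common peering failure is exactly the asymmetry the speaker avoids by editing both route tables.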
Info
Channel: EICIT Learning
Views: 461,730
Keywords: aws, vpc, amazon web services, networking, subnet, route tables, network, CIDR, masterclass, training, solutions architect, aws training, aws course, aws vpc, amazon vpc, aws networking, tutorial
Id: LX5lHYGFcnA
Length: 199min 8sec (11948 seconds)
Published: Sat Apr 28 2018