AWS VPC PEERING with Demo | Visual Explanation

Captions
So far we have been working with VPCs and we are able to work with instances, but now there is a problem, because the users of VPC A are not able to access the instances and resources in VPC B. So do we have a solution for this? Yes. Let's talk about VPC peering, and if you're ready, let's begin.

In today's episode we will be talking about what VPC peering is, how we can make instances in different VPCs talk to each other, and we'll surely do a hands-on demo for VPC peering, so please watch the video till the end.

So let's start now. The problem that we were talking about was a scenario where the instances are not able to talk to each other if they are present in other VPCs. A VPC peering connection is a network connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. So AWS provides us a VPC peering connection which helps us connect VPCs so that we can enable traffic routing between them using our private IPv4 addresses, and that is the reason why, when we look at this image below, we see the instances across subnets are able to communicate with each other but not with the instances across VPCs. So the instances in VPC A are not able to communicate with the instances in VPC B; there is no communication between them, they are totally isolated, and they want to talk to each other but they're not able to. If you don't have VPC peering, what do we have to do? We would either need public internet access, or VPN connections, or internet gateways to achieve this. But what if we don't want to use these things? We need something simple, isn't it? So what comes to your mind when I say VPC peering? Just think of this term, peering, and nothing else. Peering is a method that allows two networks to connect and exchange traffic directly without having to pay a third party to carry traffic across the internet. So the peering connection is provided by AWS, and we can use it to connect to another VPC and get access to the resources we need.

But it's not that simple: we need to understand what the things are that make up a VPC peering connection, and that is what we are going to discuss now. So let's change things here and replace the connection with our VPC peering connection. If you see on the right-hand side, these two VPCs belong to a specific region, and you might ask me, what if these VPCs are in a different region altogether? Yes, your question is totally valid, so let's see how it can help us. If our instances or VPCs are placed across regions, for this AWS provides us with the inter-region VPC peering connection. I hope you will remember this point: inter-region VPC peering connections.

So let's go back to the definition again: a VPC peering connection is a network connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. This is nothing like putting in cables or any special hardware when you create VPC peering, especially for you. Here AWS uses the existing infrastructure of a VPC to create a VPC peering connection, so that sharing data across accounts becomes easier and so that sharing data between instances across VPCs becomes easier. Sometimes you might have people working in your same organization who want to collaborate and use specific resources or applications privately; you can make use of the VPC peering connection for this case as well. And as I have already told you before, we can establish a peering connection or peering relationship between two VPCs across different AWS regions; that is also called inter-region VPC peering. The best part, and the USP of using the VPC peering connection, is that you can communicate with EC2, RDS or even AWS Lambda without needing to have a gateway connection or VPN connection, or even needing separate network appliances, and all the traffic remains in the private IP space.

So now let's talk about how we establish the connection when we try to create a VPC peering connection. Here we have John and Jesse, both owners of the VPCs they are currently working on. They are working on products and they have some dependency on each other, so what they decided was that they will be using VPC peering as part of the solution. Here John is the owner of the requester VPC that you can see, who actually is going to make a request, and Jesse is the owner of the acceptor VPC. Yes, when you create a VPC peering connection there has to be a requester who makes a request to another VPC to accept the peering connection. Let's check the steps here.

John, who is the owner of the requester VPC, sends a request to the owner of the acceptor VPC to create the VPC peering connection. That's the first step: John here is actually sending a request to the VPC that is owned by Jesse to create the VPC peering connection. The acceptor VPC can either be in the same account or in another AWS account, and it can be owned by you or someone else, but the thing that you need to remember is that you cannot have a CIDR block that overlaps with the requester VPC's CIDR block. So you cannot have VPC peering connections with overlapping CIDR blocks, and this is one of the most important points that you need to remember: you cannot have a VPC peering connection with overlapping CIDR blocks.

Next, Jesse, who is the owner of the acceptor VPC, accepts the VPC peering connection request to activate the VPC peering connection. Next, to enable the traffic flow, the requester VPC has to add the routes for the IP addresses in the route table, and if your security groups don't match the current setting for the peering connection traffic flow, the requester VPC must make changes to the security groups as well, so that there are no restrictions for the peering connection. Last but not least, if the instances on either side of the connection use public DNS hostnames for communication, we must enable DNS hostname resolution so that they can use the private IP to talk to the instances.

I hope you got the point about how we actually make the connection possible. Don't worry, we'll be doing the demo as well, so please watch the video till the end.

Now that we have some idea of how we actually create VPC peering connections, let's look at the life cycle of the VPC peering connection and its different stages. The first step: when we initiate a request for a peering connection, the peering connection may either fail or may go to the pending-acceptance stage. Once the request has failed it cannot go back to the accepted, rejected or deleted states, and the failed peering connection remains visible to the requester for two hours. In the pending-acceptance state it's obviously waiting for the peering connection to be accepted by the acceptor VPC owner, so it will wait for that period of time to be accepted by the acceptor VPC. Here the owner of the requester VPC can delete the request; in other words, the requester can back off from its request to create the VPC peering connection. And the owner of the accepting VPC can either accept or reject the request. If it is accepted, it moves to the provisioning state, and if no action is taken within seven days by the acceptor VPC, it gets expired; here as well, it's visible for two days to both VPC owners and then it's no longer visible. Next, if the request is rejected, it moves to the rejected state, and the same here as well: the rejected VPC peering connection remains visible to the owner of the requester VPC for 2 days and visible to the owner of the acceptor VPC for 2 hours. If the request was created within the same AWS account, the rejected request remains visible for 2 hours. Next up, once the VPC peering connection request has been accepted, it will soon be in the active state. Once it is active you can make use of the peering connection, and in this state, being active, you cannot reject it anymore, but if you want to close it you can delete it.

The next step that you see, deleting, applies to the inter-region VPC peering connection. This can be set by either party when they send a delete request while the status is active, or it can be set by the owner of the accepting VPC when it raises a delete request while in the pending-acceptance state. Last is the deleted step; here as well, this can be set by either party when they send a delete request while the status is active, or it can be set by the owner of the accepting VPC that has raised a delete request. But the most important thing to remember here is that VPC peering connections remain visible to the party that deleted them for 2 hours, and visible to the other party for 2 days. If the VPC peering connection was created within the same AWS account, the deleted request remains visible for 2 hours.

So I hope you got the whole idea of the life cycle. If you still have some doubts, please put them in the comment section below, and I would request you to listen to this again and relate it to the flow diagram that we have here to get a better understanding. In the life cycle that you see here we have clear steps: you have to initiate the request, which might go to the pending-acceptance stage, where the acceptor has to accept it, which moves it to the provisioning state and then to the active state. Once it is in the active state, basically, you can make use of the peering connection. From the active state you cannot reject it, you cannot make it expired, and you cannot make it failed, but you can surely delete it if you don't want it anymore. When you are in the pending state, you can see we have arrows towards: if the request is not accepted, it gets expired; or it is rejected; or it is deleted. When you initiate the request, you can also backtrack by just cancelling the request, and it goes to the failed state, where it will be visible for two hours to the requester, and then it is no longer visible.

I hope you got the idea here of all the states that we have: initiating request, pending acceptance, provisioning, active, deleting, then deleted, or it can be rejected or expired or failed, and the most important part is "no longer visible", because it will no longer be visible after a certain point in time.

Till now we spoke about a VPC peering connection between two VPCs; let's take it to more than two VPCs and talk about multiple VPC peering connections. This is very important to understand, because you have to keep in mind that it is a one-to-one relationship between two VPCs. That is why, always remember, there is no support for transitive relationships or connections. Which means, if John and Jesse are friends with each other and Jesse is friends with David, it doesn't mean that John by default becomes friends with David, isn't it? It's the same way as if you are friends with someone, and that person is friends with another person: it does mean that you have a common friend, but you two cannot be friends by default, isn't it, unless you have a friendship relationship, or, in other words, unless you have a peering connection. In mathematical terms, transitive means that if a equals b and b equals c then a equals c, but here it is not possible that way. So if you see here, we have VPC 1, which has a peering connection with VPC 2, and VPC 2 has the same with VPC 3, but that doesn't mean VPC 1 has a transitive relationship with VPC 3. So if a equals b and b equals c, you cannot say that a is equal to c, okay? The transitive property does not exist here. I hope that was clear; let's move on.

The next limitation or restriction that you must know, which I have already spoken about: we cannot have a peering connection, or VPC peering connection, for VPCs with overlapping CIDR blocks. So what does that mean? If you see the blocks here, for case 1 we have CIDR blocks which are the same for both VPCs, that is 10.0.0.0/16 for both the VPCs, and it means we cannot have the peering connection here. But you might feel you can create a CIDR block that is not overlapping, so you see case 2, where we have non-overlapping CIDRs as well. Here as well, if the VPCs have multiple IPv4 CIDR blocks, you cannot create a VPC peering connection if any of the CIDR blocks overlap. Remember this very carefully: if any of the CIDR blocks overlap. So even if you have one CIDR block that is overlapping, you cannot have a VPC peering connection to that. This means, regardless of whether you intend to use the VPC peering connection for communication between the non-overlapping CIDR blocks, you cannot do that. So remember this very carefully: you cannot have a VPC peering connection for VPCs with overlapping CIDR blocks.

Still not clear? Let's take another example, for edge-to-edge routing through a VPN connection or an AWS Direct Connect connection. Here as well, if you see, we have a peering connection between VPC 1 and VPC 2, and VPC 2 has a site-to-site VPN connection with the corporate network. The users or the people working in the corporate network can make use of the VPN connection to connect to VPC 2, isn't it? But they cannot have an edge-to-edge routing connection to VPC 1. So remember that you cannot use VPC 2 to extend the peering relationship to exist between VPC 1 and the corporate network.

Now let's talk about another scenario, for edge-to-edge routing through an internet gateway. If you see the visual below, we have a VPC peering connection between VPC 1 and VPC 2. Here our VPC 1 has an internet gateway attached to it, and it's able to connect to the internet, and in the same way the traffic coming in is also able to access resources in VPC 1 using the internet gateway. But VPC 2 doesn't have any internet gateway connection, and here as well we cannot have an edge-to-edge routing capability which might help the traffic coming into VPC 1 through the internet gateway to access the instances in VPC 2. So this transitive property also does not exist, and this edge-to-edge routing also does not exist; you cannot have this using VPC peering connections.

Too many examples already, isn't it? But there is one last example that you should understand. If you see the visual below, we have a VPC peering connection between VPC 1 and VPC 2. Here our VPC 2 has a VPC endpoint that connects it to Amazon S3, which allows VPC 2 to connect to S3 and store files and records, but VPC 1 does not have any endpoint connection to S3, as you can see in the diagram. Here as well, you cannot use VPC 2 to extend the peering relationship to exist between VPC 1 and Amazon S3. So even if VPC 2 has a connection to S3, VPC 1 cannot have edge-to-edge routing through VPC 2 to access data in S3. I hope you are clear and you got a very clear understanding of what you can do with VPC peering and what you cannot do. Let's move on.

Let's talk about some of the important things that you need to remember for VPC peering. The first thing is that you cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks; I hope that is almost clear by now. When we speak about the quota for usage of VPC peering: by default you get 50 active VPC peering connections per VPC, and the maximum quota is 125 peering connections per VPC, and here the number of entries per route table should be increased accordingly, and that might have an impact on network performance as well. By default you get 25 outstanding VPC peering connection requests, and you get one week, that is around 168 hours, of expiry time for an unaccepted VPC peering connection request, and this quota cannot be increased. VPC peering does not support transitive peering relationships, as we already discussed, so you must remember this: VPC peering does not support transitive peering relationships. And you cannot have more than one VPC peering connection between the same two VPCs at the same time. The next point is that any tags that you create for your VPC peering connection are only applied in the account or region in which you are creating them. Remember, while creating tags, or using Cloud Custodian, or tracking the tags, make sure that you remember this point very carefully. And you cannot connect to or query the Amazon DNS server in a peer VPC.

So I hope we had a good discussion on the theoretical aspects of VPC peering; let's do a small hands-on demo for this. Let's move on to the demo part. In order to create a VPC peering connection, obviously you need two VPCs, isn't it? So we have a myvpc-demo VPC that we have already created before, and we have the default VPC. If we want to test the VPC peering connection we need instances, isn't it, so that we can see whether we are actually able to connect to them or not. So let's suppose I make myvpc-demo the requester VPC, and the default VPC will be my acceptor VPC, okay? So here what happens is, I'll go to the EC2 instances that we have; I have created two instances. To test whether the connectivity is proper between both of them, and to make sure that we are not able to connect to the instances that are in the different VPCs, we need to connect to them, isn't it? So let's connect to each of the instances and see whether we are able to connect to each of them using the instance that we have. I'll connect to the first instance, that is the public instance that I have for my requester VPC; I'll just copy the public IPv4 address and connect to that. Yes, I am able to connect to this one, so that is 10.0.32.112; if you see here, this is a private address. Now similarly, what I can do is go to the public IPv4 address that I have for my acceptor instance, copy this, open one more session of this one, and just repeat the same process again. We are able to connect to this one as well, and if you see, the private IP that I have here is 172.31.32.186. So let's keep them side by side: this one is from the requester VPC, myvpc-demo, and this one is the default VPC.

So I can just use the same IP address and try to connect to this one. If I want to connect to this instance I need the SSH key, isn't it? So what I'm going to do is create the EC2 .pem key file here, copy the key that I have and paste it here. Anyway, it will not work, but mostly what happens is we have to change the permissions on the key, so I'll change the permissions on the .pem file, and I'll try to connect to the instance once again. This will not connect, and that is the basic problem that we had: there is a requester VPC, and this instance is in another VPC, and they are not able to talk to each other, isn't it? So what I'm going to do is create a connection between them, and we will be using VPC peering connections.

Let's go back to the VPC console, and here you can see VPC peering connections, or the peering connections. You just need to click on Peering connections. I had already created a peering connection before, so don't worry about it; I can just click on Create peering connection, and here you have to provide the name, my peering demo, or whatever name you want to give it. Here you have to select the local VPC to peer with; this is your requester VPC. What is our requester VPC? It is myvpc-demo, so I'll select this, and now it has been associated; this is the CIDR block. The next one that you have to select: if you have a specific requirement, like it is in another account, you can choose another account here, or if the VPC is in another region, you can also make sure you select this one and choose one of them. So now that you have selected the options here, you have to just choose the VPC that you want to have as an acceptor. Our acceptor is the default VPC, so I will select this; now this is the CIDR block for the acceptor VPC. And here, as I've already given the name tag, I cannot give the name tag here, but you can give any other tag that you want; for now this is enough for me. I have given the name tag, I have given the requester VPC, I have given the acceptor VPC connection as well, so that's it; you can just click on Create peering connection, and now it is successfully created, so click on OK.

Once you have created, or initiated, the request to create a peering connection, it basically goes to the pending-acceptance stage; remember the life cycle that we studied before in the theoretical part. So why is it still in the pending-acceptance state? Because we need to accept it, isn't it? So right-click on this one and accept the request. Here you have the details of the requester account ID and the acceptor account ID, and you can just click on Yes, accept. Now what it is telling us is: your VPC peering connection has been established; to send and receive traffic across this VPC peering connection, you must add a route to the peered VPC in one or more of your VPC route tables. So I have to modify the route tables, I know that, and I can just click on Close. Now it has become active; our condition, that it should be accepted, has been met and it is now active. Here, as the owner of both the VPCs, I am able to do this, but let's suppose you are working in a bigger organization and you have a VPC that is not part of your account: you have to request the one who actually owns this VPC to make the acceptance criteria right and to accept the request that you have, so he or she will do it for you.

Now we have to add the routes. Before this, I can go back to my same instance again and check if I am able to connect to the instance: still no. Not a problem, we haven't added the routes yet. This is basically the main route table, but as we are using the public internet, I have already created the my-igw route table that has the route for the internet gateway, so I can just edit this route table and add a route for the CIDR block that I have for the instances that are there in the default VPC. So what you can do is just add the CIDR block. I don't remember the CIDR block, so I have to go back and check for the CIDR block again: this is the default VPC, click on the VPC ID, here is the CIDR block, copy this CIDR block, come back here and paste it as the destination. What you're telling it is that whatever traffic is going to this destination should go through the peering connection, obviously, isn't it? So this is the peering connection that I have created recently; I'll just click on this, select it and save the route. This is the one-way traffic that I have created now, from myvpc-demo to the default VPC. In the same way we have to do it from our default VPC to myvpc-demo, because this is a one-to-one connection, isn't it? So this is the route table that I have for the default VPC; here what I can do is just click on this one, edit the route here and add the route for my myvpc-demo, so that CIDR block is 10.0.0.0/16. Here as well, any connection that goes to this destination has to go through the peering connection, so I'll choose this, choose the peering connection that I've created recently, save it and close it.

As per the theory that we have here, this should work, so similarly, if I go back here and just try to do SSH: yes, it works! For the fun part, I'll just go back to this instance that I have, the one that is in the default VPC. I'll go to the home... sorry, I'll connect to this once again, cd into the EC2 home directory, okay, I'll do ls, not a problem. I'll create a file with vim, hello.txt, press i and type "my vpc demo", save it, go back to this one and do an ls: I see the hello.txt here, isn't it? Because I'm connected to that instance, and now I'm able to access the resources that I need. That is how helpful the VPC peering connection is: yes, I'm able to access the record, or I'm able to access the file.

This actually sums up the peering connection part. I know this was a bit tricky, but it is very interesting to work on, and I would request you to please do this hands-on demo to have a better understanding of how this actually works; this will give you a very good idea of how we can do this and how we can achieve this. So this is my humble request to you: create a free-tier account and test this out. That's all from my side today, and remember that having an overall knowledge of the topic should be your ultimate goal when you appear for a certification exam. If you wish to support me, the links to Instamojo, PayPal and Patreon are in the description below. I'll meet you on the next episode of AWS; until then, it's Pythoholic signing off.
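The three rules the video keeps coming back to (no overlapping CIDR blocks on either side, a route to the peer's CIDR on both sides pointing at the peering connection, and no transitive routing through a peer) as an added Python example. This is not code from the video, the channel, or AWS; it only models the planning logic offline. The VPC names and CIDR blocks are constructed to mirror the demo, "pcx-EXAMPLE" is a placeholder peering-connection ID, and 172.31.0.0/16 is an assumed block for the default VPC (the video only shows the instance's private IP 172.31.32.186).

```python
"""Planning helpers for an AWS VPC peering connection.

Added example (not from the video or from AWS). A VPC is modelled as a name
plus its CIDR blocks; the helpers apply the rules the video states and return
the route entries each side must add. "pcx-EXAMPLE" is a placeholder id and
172.31.0.0/16 is an assumed default-VPC block.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vpc:
    name: str
    cidrs: Tuple[str, ...]  # one or more CIDR blocks, e.g. ("10.0.0.0/16",)


def overlapping_cidrs(a: Vpc, b: Vpc) -> List[Tuple[str, str]]:
    """Every pair (block of a, block of b) that overlaps.

    AWS refuses the peering request when this list is non-empty, even if the
    VPCs also own non-overlapping blocks you meant to use (case 2 in the video).
    """
    return [
        (x, y)
        for x in a.cidrs
        for y in b.cidrs
        if ip_network(x).overlaps(ip_network(y))
    ]


def can_peer(a: Vpc, b: Vpc) -> bool:
    """True only when no CIDR block of a overlaps any CIDR block of b."""
    return not overlapping_cidrs(a, b)


def plan_peering(requester: Vpc, acceptor: Vpc, pcx_id: str) -> Dict[str, List[Tuple[str, str]]]:
    """Route entries (destination CIDR, target) each side must add after acceptance.

    Peering is one-to-one, so both VPCs need a route pointing at the peering
    connection: the requester routes to every acceptor block and vice versa.
    """
    clashes = overlapping_cidrs(requester, acceptor)
    if clashes:
        raise ValueError(
            f"cannot peer {requester.name} with {acceptor.name}: overlapping CIDR blocks {clashes}"
        )
    return {
        requester.name: [(cidr, pcx_id) for cidr in acceptor.cidrs],
        acceptor.name: [(cidr, pcx_id) for cidr in requester.cidrs],
    }


def can_reach(src: str, dst: str, peerings: List[Tuple[str, str]]) -> bool:
    """Reachability over peering alone: only a direct peering counts.

    A chain src -> x -> dst gives nothing, because peering is not transitive;
    the same holds for a peer's VPN, internet gateway or S3 endpoint.
    """
    return any({src, dst} == {a, b} for a, b in peerings)


if __name__ == "__main__":
    # Constructed inputs mirroring the demo: requester myvpc-demo, acceptor default VPC.
    requester = Vpc("myvpc-demo", ("10.0.0.0/16",))
    acceptor = Vpc("default", ("172.31.0.0/16",))  # assumed default-VPC block
    for vpc, routes in plan_peering(requester, acceptor, "pcx-EXAMPLE").items():
        for dest, target in routes:
            print(f"{vpc}: route {dest} -> {target}")

    # Case 2 from the video: one shared block is enough to block the peering.
    v1 = Vpc("vpc1", ("10.0.0.0/16", "192.168.0.0/24"))
    v2 = Vpc("vpc2", ("172.31.0.0/16", "192.168.0.0/24"))
    print("vpc1/vpc2 can peer:", can_peer(v1, v2))

    # No transitive routing: vpc1-vpc2 and vpc2-vpc3 do not connect vpc1 to vpc3.
    chain = [("vpc1", "vpc2"), ("vpc2", "vpc3")]
    print("vpc1 reaches vpc3:", can_reach("vpc1", "vpc3", chain))
```

Running `overlapping_cidrs` before submitting a request saves waiting on a request that the console will only reject, and the output of `plan_peering` is exactly the pair of route-table edits the demo makes by hand: one entry in the my-igw route table and one in the default VPC's route table, both targeting the same peering connection. `can_reach` encodes the friendship analogy: a shared peer never gives VPC 1 a path to VPC 3 until a direct peering between them exists.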
Info
Channel: Pythoholic
Views: 8,781
Keywords: RoadToAWS, SAA-C02, Pythoholic, vpc peering, aws vpc peering, aws vpc basics, aws vpc peering in english, vpc peering aws, vpc peering between two regions, vpc peering between two accounts, vpc peering aws tutorial, vpc peering aws demo, amazon web services, certification, aws vpc, aws vpc peering connection, aws vpc peering example, vpc peering in same account, vpc peering –one vpc peered with multiple vpcs, one vpc peered with multiple vpcs, aws vpc peering between regions
Id: w-5lSvqSkjs
Length: 27min 15sec (1635 seconds)
Published: Sun Nov 08 2020