What is VPC? AWS Masterclass 2021 Completely Visualized

Captions
Hello everyone and welcome back to the channel. After all the topics we have covered, nothing feels as big as this one: today we start Amazon Virtual Private Cloud, and as always it is going to be completely visualized. These videos and designs take a lot of time to make, so if you are new here you are most welcome, and please consider subscribing. Without wasting any more time, let's begin.

This is a special day, so I thought I would take you all on a trip. Don't worry about the world outside; this is our very own virtual trip, and it is completely safe. You packed your bags, went online, booked your transport and your hotel, and got your room reserved. When you arrived, the hotel receptionist greeted you warmly: "Good afternoon, dear guest, welcome to the hotel. Please listen carefully to the hotel policies: you pay for every service you consume, but the good news is that breakfast is complimentary. Have a great stay." He then asked whether you would like to see the services the hotel offers, and of course you said yes. The manager showed you the list of facilities: the gym and the pool, the jacuzzi, a variety of food, the bar and drinks, and the most important ones, Wi-Fi and air conditioning. The bed, of course, is free, but every other service has a price attached to it, and together those prices make up the total price of your service package. So you choose the services you need based on the budget you have. After some careful thought you took the ones that were essential to you: food, AC, Wi-Fi, the pool, the bar and drinks, and you stayed for about two days.

Then it was time to return home. You went to the reception, asked for checkout, and received your invoice: around 225 dollars, for exactly the services you had consumed during your stay, nothing more and nothing less. You verified the bill, paid, left the hotel and went home. That was the end of your trip, and you enjoyed every bit of it. But look at what actually happened there. The hotel gave you a service catalog to choose from, and the policy was that you pay only for what you consume. You knew what you needed, you were happy to pay for it, you were not charged for anything else, and once you were done you paid and vacated the place, no questions asked. That is a very simple way of understanding the pay-as-you-go service model, with the hotel playing the role of the service provider. I'm sure you can see where we are heading, but hold on to that thought.

Now let's turn the tables and see what happens when we host an application on the cloud. We are treated the same way: there are multiple services on offer, and we decide which are the best fit for our application. We get a pool of services, from the type of processing power we need, to the amount of storage for our files, to our choice of databases, analytics tools, the security we need for our data, and of course the networking capabilities. Most importantly, the underlying infrastructure is not ours to manage: we just use it and pay for the services we consume. It is not physical hardware that we own; it is on the cloud.

So, are we ready to understand what a virtual private cloud is? Do we even know what a private cloud is, or the difference between a private cloud and a virtual private cloud, or did we think the two are the same? That is what we are going to understand next, and I promise that by the end of this road you will have a clear picture of these concepts.

First, the hotel model. At the hotel you have the receptionist, the service staff and all the services you can use, each with a price tag. You pay for and use a particular service, be it Wi-Fi, the gym or the pool. You are not responsible for any damage in the hotel, unless you caused it. You don't own the place and you don't provide the service; you just use it and pay as you go.

Second, the independent house. You purchase the land, build the house, put in your own kitchen, bedroom and living room. Everything from the television to the kitchen sink is yours, and you paid for it. If anything breaks, you pay for it. The good thing is that you pay no tariff to stay and nothing to consume the services; you can stay as long as you want and everything is yours. But you pay for the maintenance, for any damage, and for any upgrade.

Third, the studio apartment model. I am not sure how many of you have stayed in one: you have a shared space with two or three rooms in the same apartment. You have your own room, your own bed and your own washroom, but the Wi-Fi, the food and the pool are shared, and you pay for the shared features you use. If you want Wi-Fi you pay for it; all members may use the pool if they pay for it. In this model you pay for some resources that you effectively own and that no one else accesses, and you share other resources with your flatmates, but you choose which shared services you want. It is still pay as you go, with some shared resources: more or less a combination of the hotel and the independent house.

Now let's transpose these models onto cloud hosting. First, the public cloud. Here you have a shared space with the pool of resources you need to host your application. The public cloud provider gives you hosting capability: you place your code and allocate some processing power to run it. Some of the most popular public cloud platforms are Amazon Web Services, Microsoft Azure, Google Cloud Platform, Alibaba Cloud, IBM Cloud and Oracle Cloud. You don't have much control over how the resources are provisioned; these are computing services offered by third-party providers over the public internet to anyone who wants to use them. You pay, you use the services, and once your hosting is done you either extend the contract or billing, or you delete your hosting. That simple.

Next, the private cloud. This is just like your independent house: you share your resources with no one, your applications are deployed in-house for yourself or for your customers, you devise the security rules that define who has access to which part of your resources, and you have your own IT team to manage the servers and the infrastructure. If you need to expand, you pay for the cost of expansion and resource provisioning. This is mostly implemented by bigger organizations to minimize cost in the long run, and the physical servers can be on-premises with all the facilities, or placed in other data centers where the company owns that part of the resource.

Now the big fish: the virtual private cloud. By now you must have the gist of it. Think of the studio apartment. Your room is an isolated environment just for you, and the other flatmates are other organizations on the same cloud platform using the shared resources, but each gets a level of isolation that provides individual space and resources. What is the best part of being in an isolated environment? Others don't have access to your resources; they are completely yours. That is why it is called a virtual private cloud: you create a virtual environment that simulates a private cloud on top of public cloud infrastructure. It is made to look private and isolated, but it lives on the public cloud. That ends the initial discussion on the differences between cloud models, and we move on to Amazon's virtual private cloud. We all
know that a virtual private cloud, or VPC, is an on-demand pool of shared computing resources that can be customized to our requirements and is allocated within a public cloud environment. It provides a level of isolation between the different organizations using the same shared resources, so that you can be confident no one else will use or access the resources that are yours. That is the beauty of VPCs.

Now let's see what Amazon offers in the form of a virtual private cloud. AWS describes it like this: Amazon VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. Everything you know about virtual private clouds stays the same; just move the cloud infrastructure onto AWS, our cloud provider, and AWS, in the form of a VPC, gives you an isolated environment in which to host your applications and services securely. We define the VPC and AWS provides the resources.

What do we get to configure? You get complete control over your virtual networking environment: selecting your own IP address range, creating your own CIDR blocks and subnets, configuring route tables to your requirements, configuring your own network gateways, and using both IPv4 and IPv6 addressing. You can create public-facing subnets for your web servers, giving them internet access through an internet gateway, while connecting your customers and your own sites through customer gateways and VPN connections rather than public endpoints. Not everything needs a public endpoint: you can place back-end systems such as databases or application servers in private subnets with no direct internet access, so that only you and your applications can reach them. The security provisions don't stop there. A VPC gives you multiple layers of security with security groups and network access control lists, protecting your instances and your subnets respectively. I have used a lot of heavy terms here, and you may or may not know them yet, but don't worry; we will discuss each of them in detail in the upcoming sessions.

Now let's look at the concepts and terminology you need in order to talk about VPCs with confidence. We will use these terms as our benchmarks for covering VPCs. We have three kinds of users who will consume our application, and we need to design our VPC so that it can host the application and serve all of them: people on the public internet, our customers who will use the application we host for them, and our on-premises environment, where our developers at different locations need to use our AWS infrastructure. So we must design our VPC so that our services are available to all of these users. If you don't understand these terms yet, don't think too much about them; covering them is the main goal here, and by the end of the upcoming sessions you will.

Here is our AWS Cloud, and in it we create our VPC. When we create the VPC we host our applications across Availability Zones for high availability; in the diagram the example zone is ap-south-1a. As we already discussed, we can create both public and private subnets, and we have security groups behind which we place our instances to control access further. So we have both private and public EC2 instances. Then we have the route tables, which contain a set of rules called routes that determine where network traffic from our subnets or gateways is directed. We have the network access control list (NACL), which works at the subnet level: where a security group protects an instance, a NACL protects a whole subnet. There is the NAT gateway, which lets instances in private subnets reach the internet and other AWS resources without being reachable from the internet themselves. Next we have the connection to our on-premises location: AWS Direct Connect, a dedicated private link, and AWS VPN terminating on a virtual private gateway (the VPN gateway). Then there is the Site-to-Site VPN connection with a customer gateway, which connects our customers so that they can reach our hosted applications. We have VPC endpoints, which create a private connection between the VPC and other AWS services without requiring access over the internet. With VPC Flow Logs you can capture information about the IP traffic going to and from the network interfaces in your VPC and publish it to CloudWatch Logs or to S3. Then we have a very popular component, the internet gateway, which allows communication between your VPC and the internet; that is how our applications are able to reach the public internet. Next is VPC peering, which lets you establish a network connection between two VPCs and route traffic between them privately. And last but not least, AWS PrivateLink, a very important service that has changed a lot in AWS networking: it provides private connectivity between VPCs, AWS services and on-premises applications without exposing traffic to the public internet.

That was a lot of information. If you already know these topics, well and good; if not, don't be scared. When we complete this session and the list of videos we have on VPCs, you will be able to explain this diagram and architecture to others like a pro, I guarantee you that. Let's highlight the important points once more. We have the route tables, the NAT gateway and the network access control list. From VPC Flow Logs we publish logs to CloudWatch and to S3. Through our internet gateway we reach public endpoints: users on the internet and public AWS services such as DynamoDB (for which a VPC endpoint is the private alternative). With the Site-to-Site VPN connection and customer gateways we connect to our customers, and with the virtual private gateway and Direct Connect we connect to our on-premises instances. We have PrivateLink here, which is also very important to remember, providing private connectivity between our VPCs, AWS services and on-premises applications. And we have VPC peering, which helps us establish a network connection
between two VPCs and lets you route traffic between them privately. I hope you are starting to understand these terms; once we are done you will have a hold on all of them, so make sure you watch all the VPC videos on the channel. That brings us to the end of the VPC introduction. Don't be scared by the huge set of services here: some are very short and we will cover them quickly, others we will cover in detail. If you want, take a screenshot of the diagram for reference; I will also keep track of these items in the coming videos and use them as our roadmap for completing VPCs.

Now let's do a deep dive on security groups and see what additional information we need to learn for the certification. There is a lot to cover, so sit back, grab a coffee or a tea, and let's get into it. As we have already discussed, a security group acts as a virtual firewall for your instances, controlling inbound and outbound traffic. Inbound means incoming traffic, the requests that arrive at the host; outbound means outgoing traffic, the requests that go from the host to the outside world. In the diagram we have the EC2 instance with inbound and outbound access. For a security group you create yourself, by default all inbound traffic is blocked (there are no inbound rules) and all outbound traffic is allowed. Remember that security group rules are allow rules only: you cannot create a rule that denies access. If you wish to block SSH, simply do not add a rule that allows it; if you wish to allow HTTP, add a rule for port 80. You can add or remove rules at any time.

When we talk about security groups, a very important question comes up: connection tracking. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of the inbound security group rules. That is what makes security groups stateful, and it is achieved by connection tracking: the security group tracks information about traffic to and from the instance, and the rules are applied based on the connection state of the traffic to decide whether it is allowed. For example, if you ping an instance from your home computer and the inbound rules allow ICMP, the connection is tracked. The instance's echo reply is then not treated as a new request but as part of an established connection, and it is allowed out even if the outbound rules do not allow ICMP. ICMP traffic is always tracked, regardless of the rules.

Not all flows of traffic are tracked, though. If a rule permits TCP or UDP traffic from all addresses (0.0.0.0/0) and there is a corresponding rule in the other direction that permits all traffic for all ports, then that flow is not tracked; it does not need to be, because both directions are unconditionally allowed. Look at the example table with its inbound and outbound rules. The outbound rules allow all traffic. TCP traffic on port 22 (SSH) is tracked, because the inbound rule allows it only from a specific source range rather than from all addresses. TCP traffic on port 80 (HTTP) is not tracked, because the inbound rule allows it from all addresses and the outbound rule allows all traffic, so it is a bidirectional allow-all. One more thing to note: when you create a security group you can name it anything you like, but the name must be unique within the VPC.

Let's recap the most important points about security groups. Security groups control how traffic flows to and from EC2 instances and act as a virtual firewall. For a new security group, all inbound traffic is blocked and all outbound traffic is allowed. (The VPC's default security group is the one exception worth knowing: it additionally allows inbound traffic from other instances that use the same default security group.) So if you launch an instance without specifying anything, the default security group allows all requests from your instance to the outside world, while incoming traffic from the internet is blocked. Security groups belong to a region and a VPC. A security group can be attached to multiple instances, and multiple instances can share a common security group, so you can create one and assign it to many instances. The EC2 instance itself is unaware of the security group: it is enforced outside the guest operating system, at the instance's network interface, which is why it behaves like a virtual firewall. Instance-level security is maintained through the security groups rather than through anything installed on the instance itself, although a host firewall inside the instance is still a reasonable extra layer of defense. And always create a separate security group for SSH.

Now let's get back to some basics before jumping onto the tough stuff. We all know there are different types of IP addresses, IPv4 and IPv6, but we must also know the difference between public and private IPs. Take this example: two web servers communicating over the internet. They use public IPs. As the word suggests, a public IP is an address reachable over the internet; think of it as a mailbox number that anyone can use to reach you. If you have a public IP, anyone can reach the services you expose on it, subject to whatever permissions you enforce. In your daily life you use Instagram, Facebook and YouTube; all of these have public IPs mapped to a DNS name, the domain name used to reach the site. Naming your site is better because no one would remember a pile of numbers over a fancy name; google.com is easy to remember. Things are different in a private space such as your office or your home servers. A private office network can communicate within the organization, within its own network, but not with the outside world without an internet gateway. That is why we call these addresses private: their scope is isolated to the network they belong to, the office or home network, and they cannot be reached globally. You cannot reach a private IP from outside its network unless you have a VPN connection to that network or some other form of granted access.

So what is the important thing to remember here? If you have a public IP, anyone can reach what you expose on it, subject to the permissions you set; sites like Instagram, Facebook and YouTube have public IPs mapped to DNS names. A private IP cannot be reached from outside its network unless you have a VPN connection into it or some other granted access. I hope that gives a clear picture of how public and private IPs work.

Now let's get some of the basic differences out of the way. IPv4 uses a 32-bit address scheme, which allows 2^32, roughly 4 billion, addresses. IPv6 is the most recent version of the IP protocol and uses a 128-bit address scheme, which will not run out in my lifetime at least. IPv4 addresses are written as four decimal numbers separated by dots, like 192.23.12.2; IPv6 addresses are written as eight groups of hexadecimal digits separated by colons. As we have already discussed, a public IP is an address reachable over the internet and is usually masked by a DNS name, for example for a web server or a mail server, whereas a private IP is used to communicate within the same network, such as an office or a private space. Public IPs are globally unique, while private IPs are unique only within the local network. You may have to pay for a public IP, whereas private IPs are your own and managed by your company. These are the IP ranges for the public and private classes. For the public classes we have class A, class B and class C. Class A public addresses run from 1.0.0.0 to 9.255.255.255 and from 11.0.0.0 to 126.255.255.255 (10.0.0.0/8 in between is private, and 127.0.0.0/8 is the loopback range). The private ranges, defined in RFC 1918, are 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), 172.16.0.0 to 172.31.255.255 (172.16.0.0/12) and 192.168.0.0 to 192.168.255.255 (192.168.0.0/16).
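Before we move on to CIDR, here is a small model of the security-group behaviour described above: allow-only rules, default-deny inbound with allow-all outbound, and stateful connection tracking. This is an added example written for this page, not code from the video or from AWS. The class names and the rule sets are invented for illustration, the addresses come from the documentation ranges (198.51.100.0/24, 203.0.113.0/24) and are constructed, and the tracking conditions follow the AWS documentation as summarised in the transcript (ICMP always tracked; TCP/UDP allowed from 0.0.0.0/0 with an all-ports allow-all rule in the other direction is not tracked).

```python
"""Model of EC2 security-group semantics: allow-only rules, default-deny
inbound / allow-all outbound, and stateful connection tracking.
Added illustration, not AWS code; names and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY_V4 = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """One allow rule. There is no 'deny' action: a packet nothing matches is dropped."""
    proto: str      # "tcp", "udp", "icmp" or "-1" (all protocols)
    ports: tuple    # (from, to) destination port range; ignored for icmp and "-1"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, proto, port, addr):
        if self.proto not in ("-1", proto):
            return False
        if self.proto in ("tcp", "udp") and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ip_address(addr) in ip_network(self.cidr)

    def allows_all(self, proto):
        """True for a 0.0.0.0/0, all-ports rule that covers this protocol."""
        return (self.proto in ("-1", proto) and self.cidr == ANY_V4
                and (self.proto == "-1" or self.ports == ALL_PORTS))


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # no rules: nothing allowed in
    outbound: list = field(default_factory=lambda: [Rule("-1", ALL_PORTS, ANY_V4)])
    tracked: set = field(default_factory=set)     # connection-tracking table

    def _is_tracked(self, hit, proto, direction):
        """Every flow is tracked except TCP/UDP allowed from 0.0.0.0/0 whose
        reverse direction is also an all-ports 0.0.0.0/0 allow. ICMP: always."""
        if proto == "icmp":
            return True
        reverse = self.outbound if direction == "in" else self.inbound
        return not (hit.cidr == ANY_V4 and any(r.allows_all(proto) for r in reverse))

    def evaluate(self, direction, proto, remote_addr, remote_port, local_port):
        """Return 'allowed-by-rule', 'allowed-tracked' or 'denied' for one packet."""
        key = (proto, remote_addr, remote_port, local_port)
        if key in self.tracked:
            return "allowed-tracked"    # reply to a tracked flow: rules not consulted
        rules = self.inbound if direction == "in" else self.outbound
        port = local_port if direction == "in" else remote_port   # destination port
        hit = next((r for r in rules if r.matches(proto, port, remote_addr)), None)
        if hit is None:
            return "denied"             # absence of an allow rule is the only deny
        if self._is_tracked(hit, proto, direction):
            self.tracked.add(key)
        return "allowed-by-rule"


def run_scenarios():
    """Constructed traffic against a web group and a locked-down database group."""
    web = SecurityGroup("web-sg", inbound=[
        Rule("tcp", (80, 80), ANY_V4),             # HTTP from anywhere
        Rule("tcp", (22, 22), "203.0.113.0/24"),   # SSH only from the office range
        Rule("icmp", (-1, -1), ANY_V4),            # ping from anywhere
    ])
    db = SecurityGroup("db-sg", inbound=[Rule("tcp", (3306, 3306), "10.0.1.0/24")],
                       outbound=[])                # no egress rules at all
    out = {}
    out["http_in"] = web.evaluate("in", "tcp", "198.51.100.7", 40000, 80)
    out["http_tracked"] = ("tcp", "198.51.100.7", 40000, 80) in web.tracked
    out["ssh_office"] = web.evaluate("in", "tcp", "203.0.113.10", 50000, 22)
    out["ssh_tracked"] = ("tcp", "203.0.113.10", 50000, 22) in web.tracked
    out["ssh_stranger"] = web.evaluate("in", "tcp", "198.51.100.7", 50001, 22)
    out["ping_in"] = web.evaluate("in", "icmp", "198.51.100.7", 0, 0)
    out["ping_tracked"] = ("icmp", "198.51.100.7", 0, 0) in web.tracked
    out["ping_reply"] = web.evaluate("out", "icmp", "198.51.100.7", 0, 0)
    # instance-initiated HTTPS: tracked, so the reply gets in with no inbound rule
    out["https_out"] = web.evaluate("out", "tcp", "198.51.100.50", 443, 51000)
    out["https_reply"] = web.evaluate("in", "tcp", "198.51.100.50", 443, 51000)
    # database group: replies leave despite the empty outbound list, new flows do not
    out["mysql_in"] = db.evaluate("in", "tcp", "10.0.1.5", 33000, 3306)
    out["mysql_reply"] = db.evaluate("out", "tcp", "10.0.1.5", 33000, 3306)
    out["db_egress"] = db.evaluate("out", "tcp", "198.51.100.50", 443, 52000)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14} {verdict}")
```

The HTTP flow is allowed but never lands in the tracking table, which is exactly the "bidirectional allow-all is not tracked" case from the slide, while the SSH flow from the restricted range is tracked. The database group shows the practical payoff of statefulness: with an empty outbound list, query responses still leave the instance, but the instance cannot open a new connection to the internet.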
Public IPs can also be geographically located: you can go online and find roughly where an IP comes from and who the hosting provider is, unless that information is hidden. Private IPs are private, and you cannot look them up online.

Now let's start with a very important topic that most people don't explain: CIDR. I am covering it because, even though this channel wants to help with everything it can, people will still question our depth, and the way to answer that is to keep growing. So what is CIDR and why is it important? The acronym stands for Classless Inter-Domain Routing. I hope you remember your engineering networking classes: "classless" means we ignore the address classes A, B and C and instead treat an IPv4 address as two parts, a prefix (network) part and a host part, as defined by the mask, without considering the class as we did in classful addressing. This classless addressing is used in inter-domain routing, the routing that works within and between domains. When we create a VPC we must specify a range of IPv4 addresses for it in the form of a CIDR block, so that we tell AWS that we are creating the VPC and we need this block of network addresses as our family, within which we will later divide things into smaller parts. That is what we learn next. The first thing to remember before creating one: CIDR is the method for allocating IP addresses and for IP routing. The value you see here, 10.0.0.0/16, is a CIDR block, and you don't have to take my word for it; let's learn why that is a CIDR block.

For now think of 10.0.0.0/16 as the IPv4 address range that will make up our VPC. The block has three parts: the IP address, the slash, and a decimal number, and each has a significance. The first half is the IP address and the second half, the slash and the decimal together, is the prefix length, which is the subnet mask written in this notation. Don't worry if you don't know what a subnet mask is yet; just remember this for now. One caveat: the address part must be the first address of the block, with all host bits zero. 10.0.0.1/16 names an address inside the block 10.0.0.0/16; for the VPC's CIDR you give the block itself, 10.0.0.0/16.

Looking at the image, a VPC spans all the Availability Zones in its region. We are not going to create Availability Zones; AWS already provides them. What we create are smaller groups, sub-networks, or subnets. In a VPC you can add more than one subnet in an Availability Zone. Don't be confused here: an AZ is itself a resource center where you host applications; we just give it a network group so that we can address the instances and resources there. Our intention is simply to name our smaller family groups. I hope you remember our discussion of AWS regions and Local Zones; we can also add subnets in Local Zones, which helps bring services closer to end users for faster access. If I want to create subnets in Availability Zones, I create each one from a subset of the CIDR block's IP range. Each subnet must reside entirely within a single Availability Zone, because AZs are isolated from each other, and that isolation is what lets us avoid a single point of failure and gives us high availability. A subnet spanning two or three Availability Zones would defeat that isolation, and it is not possible in any case. So picture subnets in these Availability Zones, isolated from each other but each carved from a subset of the VPC's CIDR block.

Now, as we need IP addresses, we need a range of them. If I want to reach an instance in this Availability Zone it needs an IP address, and in fact the subnet needs a range of addresses, because there will be more than one instance. For that we need to understand how many addresses a block allocates. The prefix length, the /16 you see here, determines how many IP addresses you get out of the CIDR block. Subnetting is the concept of logically dividing a network to create separate spaces, and by looking at the mask we can tell how the network has been divided and how many IPs there are in the subnet. Looking below: with 192.168.0.0, /0 covers all IP addresses, /22 covers 1024 addresses and /32 covers exactly one. So the number of addresses covered depends on the prefix length: between /0, /22 and /32 the IP address stays the same and only the prefix changes, yet the covered range changes. The prefix length is the determining factor for the coverage of IP addresses. But how does it do that? That is what we understand next.

When we talk about the subnet mask you have probably seen something like 255.255.255.0, or heard someone say "the subnet mask for this IP address should be this". In AWS, and in Unix-based terminology, we instead see prefix lengths such as /16, /22 or /24, and in our AWS sessions we will use this slash notation rather than the dotted pattern. These are the two forms of a subnet mask: the dotted-decimal pattern and the slash notation, /24, /16 or /32. In this session I want you to understand both, even if you only use one.

An IP address is a 32-bit number that uniquely identifies a host, where a host can be a computer or another device such as a printer or a router on a TCP/IP network; that is the textbook definition. Here we have the IP address 192.168.123.54 and its 32-bit representation. Writing each octet as an 8-bit binary number gives 11000000.10101000.01111011.00110110. Count the digits: four groups of eight bits make 32, simple maths. You can validate this online by searching for an IP-address-to-binary converter. And when you
see the sip address it has four individual numbers isn't it so let's divide them so we have 192.168.123.54 and we'll divide this into four parts so 192 168 123 54. so this belongs to which class i hope you remember the class actually we saw that previously in the list of charts that we had so it is a private ip and it's a class c of private ip whose range is from 192.168.0.2 to 192.168.255.255. have you seen this anywhere i think you have like something in your home okay so so this is the type of private ip that we are currently using for the example okay so now if i convert this into binary i have the values like this that i have already spoken about and the first three numbers form the network address which lets you distinguish between the host and the network itself and the last part is actually your host so 192.168.123 is the network address remember this very carefully and the 54 points to the host itself it can be your own computer that you're currently using right now so it forms each of eight bits network for the three parts and eight bit host for the last part so as you can see here we have eight bits network so basically it forms the network address and we have the eight bits host and further actually the last eight bit host also is divided into two parts imagine okay so one of which is the five bit subnet and the other one is three bit host so imagine you have a network of 128 addresses so out of which one will be the subnet address and one will be the broadcast so out of 128 addresses that you have we will be left with 126 addresses so let's suppose we divide this into four then we will have 32 addresses each so as well now you can reduce 2 from each of them or 2 from each 32 so you will be left with 30 that you can multiply it by 4 so that is 120. 
Now if you had an original space of 128 network addresses, now you will be left with 120 addresses. That's how subnet masking works, but I'm sure it's a bit confusing, and I can assure you that it's completely fine. Let us discuss, or let us see, how we can calculate the subnet with the IP pattern. So here let us take the example of the IP 192.168.123.54 with subnet mask 255.255.255.248. Now see, this may not be important for the exam but it is a very interesting topic, so if you want to skip this I won't stop you, but what's the harm in learning something, isn't it, so please stick around. So we have the IP address 192.168.123.54, that is a decimal representation for us, and when we convert that into IP binary we get this binary form, or the 32-bit address binary form here: 192's eight-bit representation is this, 168 is this, 123 is this and 54 is this, and the subnet mask that we have taken is 255.255.255.248, so its binary is this: eight ones, eight ones, eight ones, and five ones and three zeros. So now what we need to do is a binary AND operation on these two, in the sense these two, the IP binary and the subnet binary. So I hope all of you are aware of what a binary AND operation is, it's like multiplication, okay, so with 1 multiplied by 1 you get 1 and the others will be 0, because we have 0s and 1s only in binary, isn't it, so when you multiply 0 with 0 it's 0, 0 with 1 is 0, and only 1 multiplied by 1 is 1. Okay, so we have to multiply, or we have to do a binary AND on the IP's binary and the subnet binary. So if you start from here, so 0 0 0 0 and 1 1 0 0, it will be 0 0 0 0, so four 0s, and these two are also zero because this has zero and one one, so similarly if you try to multiply all these things you will get this type of representation. Okay, so we have multiplied both of them now by using the binary AND, we have performed this operation, and the value that we get here is 192.168.123.48. Okay, so this is the subnet address for us, this is the subnet address now, and the subnet binary that we have is this one that we have already captured before.

So now we will divide this into the network address part and the host part, and that host part also, as we discussed previously, can be divided into two parts, that is for the subnet part the five-bit subnet and the three-bit host. So the three-bit host that you see here starts from 0 0 0, okay, so this is 0 0 0, remember this very carefully, and the IP binary that you have here also, this one, this IP binary I'm saying, not this one, okay, so this is the subnet binary I'm saying, the subnet address binary I'm saying, okay, not the one that we had already taken before. Okay, so this one actually starts from 0 0 1 1 0 0 0 0, okay, so this is the one that we have generated using the binary AND, okay, so this will be the first IP address, so this 48 becomes the first IP address for us. Similarly we will calculate the next IP addresses, and that is the most important and interesting part. Okay, so imagine, I hope you remember binary addition, so we will do this right now, let's go to the next slide. So now you can read along with me that our first IP will be 48, and that is with five bits of subnet and three bits of host, so you see three-bit 0 0 0 is 48, and the next IP will be determined by adding plus one to the three-bit host, only to the three-bit host, not to the subnet, remember that, okay, and we're going to add one only to the three-bit host, so it will now be 0 0 1 for the first one. Okay, if you combine 0 0 1 1 0 plus 0 0 1 it becomes 49, so this is our second IP. So we have calculated the first IP, that turns out to be 48 when we combine both of them, and once we combine both of them on the second one by adding plus 1 we get 49. Okay, similarly we have all the address ranges here, so similarly when we add plus 1 again it becomes 0 1 0 and that is 50.
So upon adding one more, then it becomes 1 0 0, that is basically 52, then it becomes 53 and then it becomes 54. Stop right there. And the last one that we have is, yes, 55, and that is the last one, and I'll tell you why that is last: because adding one more will change the subnet itself, it will change from 0 0 1 1 0 to 0 0 1 1 1, and that is where we should stop and not move forward, because it is not acceptable. And as I have already mentioned before, it has one network address, that was 48, that was the first one that we have, and it also has one last one, that is the broadcast address or the broadcast IP, so that becomes 55. Okay, so 55 is the broadcast IP and 48 is our network IP, and out of all these IPs that we have, we have 49, 50, 51, 52, 53, 54, and these are the six IPs that are usable hosts. And now you can also try this by doing calculations from your side and trying to find out, if I use a particular IP address and a particular subnet mask or subnet group, then how many IPs I can determine from there itself.

So now let's check the slash 16 based subnet and let's see how that works. So now let's suppose we have the CIDR 192.168.0.0/16, and you must remember that the CIDR value ranges from 0 to 32, and it's not different from the IP pattern subnet that we saw just now. So if you see here you will realize that the subnet 255.255.0.0 is called slash 16, so when you say /16 or slash 16 it means that it has 16 ones in the subnet binary pattern. Okay, so when you convert this into the 32-bit representation you will see it has 16 ones and the rest are all zeros, and it means that the values that are with the zeros, these two parts, are the ones that are going to change when you create subnets out of it, or when you create the IP patterns out of it. So that is why here in the diagram, if you see 255.255.0.0, if we convert that into the 32-bit representation we have eight ones and eight ones, and all the rest of them are zero. And if you use the IP range of 192.168.0.0, the last IP that we will get is 192.168.252, and that is where we say that only the last two bits are going to change, because there is nothing available here, because it is already packed, okay, so you cannot accommodate more than this because there is no range itself. And with this IP range you can see there are a lot of hosts that we can calculate, that is around 65,536 IPs, so that's a huge amount of hosts. But how did we get this value then? So there is a very simple formula for this: slash 16 is 2 to the power of 32 minus the subnet value, that is here 16, so it's 2 to the power of 16, so basically 32 minus 16 is 16, so 2 to the power 16 is 65,536 hosts. And similarly, here we have slash 18, that is 2 to the power of 32 minus 18, that is 14, so 2 to the power of 14, which allows 16,384 IPs, and similarly we have slash 24 which allows 256 IPs, and we have slash 32, that is 0, so 2 to the power of 0 allows actually 1 IP, and we have 2 to the power of 32 minus 0, so it allows all the IPs. Okay, so when you see this 16 or 18 or 20, try to imagine by converting that into the 32-bit address representation that you have, and imagine that they have 24 ones and the rest of them are zero. So how you can imagine this is basically, if you divide 32 into four parts you will have eight binary representation bits, isn't it, so you have to imagine, like, if I take 16 then 16 ones will represent two spaces of the IP block and the next two will be usable, or will be used, or will change. So when I talk about slash 16 here I tell that the last two numbers can be changed or will change, and when I talk about slash 24, so 24 actually covers three parts of the 32-bit representation, okay, so then the last number will change, or the last part will change, so if you see it allows only one IP then no number changes, you have to use the same IP address, and if you see here it allows all the IPs, then all numbers can change, okay, so there are no ones here and all the places that you see are zeros in all the four parts of the 32-bit address representation. Okay, so that is how we actually try to remember these things, and this is just one form of hard work to get this data actually, but to help us there are plenty of sites that can actually help us get this data as well. So for you to practice today, today's task is to calculate the total IP range of 192.168.123.54 with a subnet mask of 255.255.255.240 and comment down below with the calculation details, and don't copy-paste from others, okay, so you have to calculate this IP range of how many IPs we are going to get, what is the network address, what is the broadcast IP, everything, okay, so you can comment down below with your findings and your calculations.

So I hope you remember the things that we discussed in our last session about CIDRs and security groups, and we were able to understand a few things about subnets, so let's dig deep into this and let's learn about subnets. And when we try and imagine VPCs and availability zones and subnets, and subnets as a part of the availability zones, I want you to always have a picture in mind that you are the one who is designing the VPC, and there are availability zones within which you create your subnets. So imagine this VPC to be the piece of land where the house is of 1200 square feet, which acts as an availability zone, and inside which you have different rooms like your subnets, so we have the bathroom, the kitchen, the bedroom, you can think of these as subnets, so there can be many rooms in the apartment, but the only thing is that you don't create the apartments, just like you don't create the availability zones; the only thing you can create is the VPC and subnets inside the availability zones or local zones. And that's how we try and imagine the VPC to be a complete set of private cloud resources that are going to give me an isolated environment to host my services and give me enough control over how I want things to be customized.

So now that we have imagined what and how the subnet is going to be in our VPC, let's understand the concept with respect to AWS. So here, Amazon VPC actually supports both IPv4 and IPv6 addressing, but for these sessions we will focus on IPv4 only, as you might already be aware of, and the CIDR block size quota is also kept different for both of them, okay, remember this point very carefully. And one more point that we have here is a bit tricky but you must remember this: so by default all VPCs and subnets must have IPv4 CIDR blocks, then what about IPv6? So optionally we can associate IPv6 CIDR blocks with our VPC. So by default all VPCs and subnets are IPv4, so remember this point very carefully, okay, so by default all VPCs and subnets must have IPv4 CIDR blocks, and you can additionally or optionally associate an IPv6 CIDR block with your VPC. And to have an IPv4 subnet we must specifically, or we must specify, an IPv4 CIDR block, and its allowed block size is between a /16 netmask and a /28 netmask. So subnet mask and netmask are interchangeable, don't think too much into this, okay, so you already know now what these terms actually are when I say slash 16 or slash 28, so if you don't know this and if you still have some confusion then you can go and watch part two, and once you have watched that please come back here and you can continue from here and watch this session, so you'll get a better understanding of what I'm trying to say here. Okay, and to create these blocks there is an RFC standard, and once you assign one of the CIDR blocks that becomes your primary, after which you can associate secondary CIDR blocks after creating a VPC. Okay, and to create these blocks there is an RFC standard which tells which range of private IPs are recommended, so you can check them out to know more about assigning private IP ranges, so it's RFC 1918, that is for address allocation for private internets. So what is RFC? Yes, that's a task for today, so comment below what the full form of RFC is and I'll put a heart on every right answer. Okay, so comment below what an RFC is, why am I telling you RFC 1918, that is for address allocation for private internets, I want the full form for RFC. So next, if you check the chart here for the private IP ranges: if your IP is ranging from 10.0.0.0 to 10.255.255.255, your VPC must be /16 or smaller, so for example it can be like 10.0.0.0/16, and if it ranges from 172.16.0.0 to 172.31.255.255 it must be /16 or smaller than that, okay, so you can have it like 172.31.0.0/16, and if it ranges from 192.168.0.0 till like 192.168.255.255 then it can be smaller than that as well, so it can be smaller than /16 as well, so it is like 192.168.0.0/20. And you can create a VPC with a publicly routable CIDR block that falls outside of the private IP ranges, so don't worry about that. So just to reiterate on this, the CIDR of the IPv4 address range that is created while creating the VPC is called the primary CIDR, that is 10.0.0.0/16.
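The subnet-mask arithmetic worked through above (binary AND of IP and mask, then the broadcast and usable hosts), the 2 to the power of (32 minus prefix) host count, and the /16 to /28 and RFC 1918 rules for a VPC CIDR, carried out in Python. This is an added example, not code from the video or from AWS; it uses only the standard library, and the function names are my own.

```python
"""Subnet mask arithmetic as worked through in the video, plus a VPC CIDR check.

Added example for this page; it is not the presenter's code. Only the Python
standard library is used. Function names are my own.
"""
import ipaddress

# Private ranges from RFC 1918 (the ranges quoted in the chart above).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_bits(dotted: str) -> str:
    """Dotted decimal -> 32-character binary string (four 8-bit groups, like the slide)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted}")
    return "".join(f"{o:08b}" for o in octets)


def from_bits(bits: str) -> str:
    """32-character binary string -> dotted decimal."""
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def prefix_from_mask(mask: str) -> int:
    """255.255.255.248 -> 29: the slash form is the number of leading ones in the mask."""
    bits = to_bits(mask)
    ones = bits.rstrip("0")
    if "0" in ones:  # e.g. 255.0.255.0: a mask must be contiguous ones then zeros
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return len(ones)


def mask_from_prefix(prefix: int) -> str:
    """/16 -> 255.255.0.0: write `prefix` ones followed by zeros, then regroup."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return from_bits("1" * prefix + "0" * (32 - prefix))


def host_count(prefix: int) -> int:
    """Addresses in a block: 2 ** (32 - prefix), the formula used for /16, /18, /24 and /32."""
    return 2 ** (32 - prefix)


def subnet_info(ip: str, mask: str) -> dict:
    """Binary AND of IP and mask -> network address; host bits all set -> broadcast."""
    ip_bits, mask_bits = to_bits(ip), to_bits(mask)
    net_bits = "".join("1" if a == "1" and b == "1" else "0"
                       for a, b in zip(ip_bits, mask_bits))
    prefix = prefix_from_mask(mask)
    bcast_bits = net_bits[:prefix] + "1" * (32 - prefix)
    net, bcast = int(net_bits, 2), int(bcast_bits, 2)
    # Everything strictly between network and broadcast is a usable host address
    # (empty for /31 and /32, where nothing lies in between).
    usable = [from_bits(f"{n:032b}") for n in range(net + 1, bcast)]
    return {"network": from_bits(net_bits), "broadcast": from_bits(bcast_bits),
            "prefix": prefix, "usable": usable}


def check_vpc_cidr(cidr: str) -> dict:
    """Apply the VPC rule stated above (block size /16 to /28) and report whether the
    block lies in an RFC 1918 private range; a publicly routable block is allowed."""
    # strict=True: a CIDR block's host bits must be zero, so 10.0.0.1/16 is rejected.
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"/{net.prefixlen} is outside the allowed /16 to /28 range")
    return {"ok": not problems, "problems": problems,
            "rfc1918": any(net.subnet_of(r) for r in RFC1918),
            "addresses": net.num_addresses}


if __name__ == "__main__":
    info = subnet_info("192.168.123.54", "255.255.255.248")
    print(info["network"], info["broadcast"], f"/{info['prefix']}",
          len(info["usable"]), "usable hosts")
    for p in (16, 18, 24, 32):
        print(f"/{p}: {host_count(p)} addresses, mask {mask_from_prefix(p)}")
    print(check_vpc_cidr("10.0.0.0/16"))
```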
So that is basically your primary CIDR, and you must remember that a VPC spans across all availability zones, and you can create one or more subnets in each of the availability zones, and when you create a subnet you specify the CIDR block for the subnet, which is basically a subset of the VPC CIDR block, okay, so you take the VPC CIDR block and you take a subset of that and create a subnet, okay, subset, subnet, okay, remember that. So a subnet is a subset of the CIDR block, and as I have already told you twice or thrice now, each subnet must reside within one availability zone. And speaking of subnets, it's not fair for us not to speak about the types of subnets, so let's check them out. So the first one is the public subnet, so the general definition states that if a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet, okay, so if a subnet's traffic is routed to an internet gateway then that subnet is known as the public subnet, and if you want your instance in a public subnet to talk to the internet over the internet gateway you should either have a public IPv4 address or an IPv4 Elastic IP, so this is the Elastic IP that we are having right now, okay. So the second one that we have here is the private subnet, the secure one: if a subnet does not have a route to the internet gateway, the subnet is known as a private subnet, and the target is always set to local. And the third one that we have here is the VPN-only subnet: if the subnet does not have any routing provisions through the internet gateway, but instead has a route to a virtual private gateway for a Site-to-Site VPN connection, the subnet is known as a VPN-only subnet. So with this what you can do is you can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN, that is the Site-to-Site VPN connection, and configuring routing to pass traffic through that connection, like the way we use a VPN. So I hope this was clear, let's move on.

So now let's check some of the key points for subnets, so these are very important, so please listen to them very carefully. So if you have a single subnet in your VPC then the CIDR block of the subnet can be the same as that of the CIDR block of the VPC, so if it is only one subnet then it can be the same as the CIDR block for the VPC; for multiple subnets you have to use subsets of the CIDR that you have for the VPC, okay, so as I have already told you multiple times now, for multiple subnets you can make use of subsets of the CIDR that you have. And the allowed block size is between a /28 and a /16 netmask, and if you create more than one subnet in the VPC, the CIDR blocks of the subnets cannot, should not, overlap, you cannot have that overlapping, okay, so forget about that. And there is a site below that I have mentioned that you can use to get ideas of how you can design subnets; in this site it will show you how you can divide your VPC CIDR block into the number of subnets that you want. So if we see the example here, we have 10.0.0.0/24, so let's suppose this is a CIDR block for the VPC which is targeted to have 256 IP addresses, so we can divide this into two parts, so the first block that we have here is 0.0.0/25, okay, so that will range from 0.0.0 to the 127 IP address range, so that will be CIDR block one, so the next IP block will be starting from 128 to 255, okay, so that will be our block two, so you can divide this into two parts by using this one, okay. So let's suppose I had to divide that into four parts, then what will I do? Then each one will be having 64 IPs, okay, so 64 means, as 2 to the power of 6 is 64, then what will be the block then? So you have to subtract 32 minus 6, so 32 minus 6 is 26, okay, so it will start from 0.0.0 to 63, then from 64 it will start again to 127, then from 128 it will go to 191, then from 192 it will go to 255, okay, so in that way. So let's suppose I have slash 24, then I can divide it that way, and if suppose I have slash 26 then it can be four parts as well, okay.

So you might ask me, 256 IP addresses, I got that, but you might ask me, are you sure all of these IPs can be used? So I would say that yeah, you might be correct on this one, not all of these IPs can be used, so let's see what the pointers are in this context. So what AWS tells us is that the first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use and cannot be assigned to an instance, okay, so remember this very carefully, the first four IP addresses and the last IP, okay, as you can see in the diagram as well, so these are the first four IP addresses and this is the last one, okay, so this is the CIDR block, okay, the slash 24 CIDR block, so I'm not able to use them, so these are the four IPs that I have and the last one, I will not be able to assign them to any instance, okay. So the first one is assigned or reserved for the network address, the second one is reserved by AWS for the VPC router, the third one is reserved by AWS for DNS servers, so the IP address of the DNS server is the base of the VPC network range plus 2. So what did you understand from this? So what exactly it means is that if the base is at 10.0.0.0 then the DNS server will be plus 2, so it will be 10.0.0.2, okay, so whenever you have the base just add plus 2 to that and you will get the DNS server address. And the last one: as AWS does not support broadcast in the VPC, therefore we reserve this address for the network broadcast, okay. So now I would just want to reiterate on this one once again: the first four IPs and the last one are reserved, you cannot use them or you cannot assign them to any other instances, and you must remember that very carefully while designing your CIDR blocks.

Now let's move on to some of the rules for applying CIDR, so the below example is going to show us the difference between what you may expect when you have created your VPC with a single CIDR block and the VPC with two CIDR blocks, okay. So the first one, as you see here, we have one CIDR block, okay, so that is 10.0.0.0/16 with two subnets, 10.0.0.0/17 and the second one is 10.0.128.0/17, and when you associate a CIDR block with your VPC, in order to enable routing within the VPC, a route is automatically added to the VPC route tables, so you don't have to worry about that. And the routing table is shown below here for the private subnet: the destination will be the CIDR block itself, that is 10.0.0.0/16, and the target will be local. So here I am actually not sure if you know what target local means, but when the target is local, remember this point very carefully, it points to the same VPC, okay, local means it points to the same VPC, and don't worry about this, we will be discussing this in the routing tables part as well, so for now just remember this. And here, once we have the primary CIDR set, we can also associate a secondary CIDR, which is created here as you can see as a second portion that we have, so that is a secondary CIDR, that is 10.2.0.0/16, and with that we have created a third subnet using a subset of the secondary CIDR that we have, and the routing table is shown here as well: the destination will be the CIDR block, that is 10.0.0.0/16, that points to the target local, and for the secondary CIDR as well we have 10.2.0.0/16, and that will also be pointed to local. Okay, so any direction, any instances that are pointing towards this or trying to use this will have to go through the main route table that we have, and it has to pass through the CIDR block itself, okay.

And let's check the rules for adding CIDR blocks to the VPC. So the first point that is very important for us, so I think we have already discussed this: the allowed block size is between a /28 and a /16 netmask. And the second point that we have here: the CIDR block must not overlap with any existing CIDR block that's associated with the VPC. And remember one thing, you cannot increase or decrease the size of an existing CIDR block, so please be careful when creating one. And you have a quota on the number of CIDR blocks you can associate with a VPC and the number of routes you can add to a route table, and CIDR blocks must not be the same or larger than a destination CIDR range in the route table, or in a route in any of the VPC route tables, because of basic common sense, you cannot fit a 17-inch laptop in a 15-inch case, isn't it, so you must remember that the CIDR block must not be the same or larger than a destination CIDR range in a route in any of the VPC route tables, okay. And when you add or remove a CIDR block it can go through various stages, right from associating to associated, then disassociating to disassociated, to failing and then failed, and the CIDR block is ready for you to use when it's in the associated state, okay, so remember this very carefully: associating, associated, disassociating, disassociated, failing and failed, and if it is ready then it has to be in the associated state, so it has to be associated, isn't it, yes.

Now let's see one of the two most important topics that we have, subnet routing. So as you know this already, let me put this across once again: when you associate a CIDR block with your VPC, in order to enable routing within the VPC a route is automatically added to the VPC route tables, and each of the subnets we create must be associated with a route table, and the good part is that every subnet that you create is automatically associated with the main route table for the VPC. And here you can see this is a very important example, or a very interesting example, that of the VPN-only gateway with the custom route table that we have: any traffic destined for a target within the VPC, that is 10.0.0.0/16, is covered by the local route and therefore it is routed within the VPC, and all other traffic from the subnet uses the VPN-only gateway with the Site-to-Site VPN connection, and we will learn more about this in the routing table concepts as well.
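Carving the 10.0.0.0/24 block above into two /25 or four /26 subnets, taking out the five addresses AWS reserves in every subnet, checking the subset, size and no-overlap rules for subnets and secondary CIDR blocks, and listing the local route that is added automatically for each associated block, as an added Python example. This is not the presenter's or AWS's code; it uses only the standard library, and the function names are my own.

```python
"""Subnet carving and the CIDR rules from this part of the video.

Added example for this page, not the presenter's or AWS's code. Standard
library only; function names are my own.
"""
import ipaddress
from typing import Dict, List, Union

Net = Union[str, ipaddress.IPv4Network]

# Why the first four and the last address of every subnet cannot be assigned to an
# instance (the fourth is listed by AWS as reserved for future use).
RESERVED_OFFSETS = {0: "network address", 1: "VPC router",
                    2: "DNS server (base of the range + 2)", 3: "reserved for future use"}


def carve_subnets(vpc_cidr: str, count: int) -> List[ipaddress.IPv4Network]:
    """Split a VPC block into `count` equal subnets: /24 into 2 -> /25, into 4 -> /26.
    Each doubling of the count borrows one more host bit, so new prefix = old + log2(count)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    new_prefix = vpc.prefixlen + (count.bit_length() - 1)
    if new_prefix > 28:
        raise ValueError(f"/{new_prefix} is smaller than the /28 minimum subnet size")
    return list(vpc.subnets(new_prefix=new_prefix))


def reserved_addresses(subnet: Net) -> Dict[str, str]:
    """The five addresses in a subnet that you cannot hand to an instance."""
    subnet = ipaddress.ip_network(subnet)
    base = int(subnet.network_address)
    out = {str(ipaddress.IPv4Address(base + off)): why
           for off, why in RESERVED_OFFSETS.items()}
    out[str(subnet.broadcast_address)] = "network broadcast (VPC does not support broadcast)"
    return out


def usable_count(subnet: Net) -> int:
    """Addresses left for instances once the five reserved ones are taken out."""
    subnet = ipaddress.ip_network(subnet)
    return subnet.num_addresses - len(reserved_addresses(subnet))


def check_subnet_plan(vpc_cidrs: List[str], subnet_cidrs: List[str]) -> List[str]:
    """Rules from the video: /16 to /28, every subnet a subset of one of the VPC's
    blocks (primary or secondary), and no two subnets overlapping. Returns problems."""
    vpc_blocks = [ipaddress.ip_network(c) for c in vpc_cidrs]
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not 16 <= s.prefixlen <= 28:
            problems.append(f"{s}: /{s.prefixlen} is outside /16 to /28")
        if not any(s.subnet_of(v) for v in vpc_blocks):
            problems.append(f"{s} is not a subset of any VPC CIDR block {vpc_cidrs}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def can_add_cidr(existing: List[str], new_cidr: str) -> List[str]:
    """Secondary CIDR rules: /16 to /28 and no overlap with a block already associated."""
    new = ipaddress.ip_network(new_cidr)
    problems = []
    if not 16 <= new.prefixlen <= 28:
        problems.append(f"{new}: /{new.prefixlen} is outside /16 to /28")
    for c in existing:
        if new.overlaps(ipaddress.ip_network(c)):
            problems.append(f"{new} overlaps existing block {c}")
    return problems


def local_routes(vpc_cidrs: List[str]) -> List[Dict[str, str]]:
    """The route added automatically for every associated block: destination -> local."""
    return [{"destination": str(ipaddress.ip_network(c)), "target": "local"}
            for c in vpc_cidrs]


if __name__ == "__main__":
    for s in carve_subnets("10.0.0.0/24", 4):
        print(s, usable_count(s), "usable; reserved:", list(reserved_addresses(s)))
    print(check_subnet_plan(["10.0.0.0/16"], ["10.0.0.0/17", "10.0.128.0/17"]))
    print(can_add_cidr(["10.0.0.0/16"], "10.2.0.0/16"))
    print(local_routes(["10.0.0.0/16", "10.2.0.0/16"]))
```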
so don't worry about that and for the security point of view aws provides two features for increased security in your vpc so one is with the security groups which we already aware of and with network acls or what we call is network access control list so the way we are trying to keep it secure is that security groups actually control inbound and outbound traffic for your instances and network acls control inbound and outbound traffic for your subnets okay so one is for the instances you have and the other one is for your subnets itself and the good thing is that every subnet that you create is automatically associated with the vpcs with the vpc's default network acl and to ensure you have the audit in place you can also create flow logs or the vpc flow logs from your vpc or subnet to capture the traffic or an individual network interface as well and that can be published to cloudwatch logs or aws s3 so that actually makes it very reliable when it comes to audit or debugging issues [Music] so cost is something that will be very important to the solutions architect as he or she will be in charge of designing the vpc and hosting applications as well so i felt this is a very important concept to cover with respect to the exam and that's the reason why we will be talking about ewa savings plan today so when we think of savings plan we must have a range of expenses that might possibly be incurred with respect to our application hosting for a simple person like me if i'm hosting application i wouldn't mind or i won't aim at having a thousand instances running all the time for my applications but yes i would need something that would be minimal and sturdy so i would think of having an architecture with around three instances with the auto scaling group and those will be my on demand instances i am fine paying 15 per month for my usage or the computational power that i need and i will have a balance between the expense and the budget but if i was a multinational corporation 
or well to do startup or even a modest software company my usage of computational resources will be leaps and bounds ahead of what it will be for an individual or a single person hosting its application and yes it can range from hundreds to thousands of instances mostly which will depend on the demand of my customer but if the demand keeps on increasing the company will incur huge costs to maintain the service and provide computational power and the balance with the expense and budget will be down way south and this is the situation for me where if aws provides me with some form of savings money that would actually help my company's budget and i can save it for other valuable operations and for that we need to plan things and we need to think of a long-term solution and that is what we will be getting when we use aws savings plan so let's see what it has to offer so aws savings plan provides you with a flexible pricing model for aws compute services which can help you save up to 72 percent on aws compute usages with aws savings plan amazon offers lower prices on amazon ec2 instance usage regardless of what your instance family is or size or what kind of operating system you use or what tenancy you have set or which region it belongs to and this also applies to aws far gate and aws lambda in case if you want to migrate from ec2 to fargate or lambda and aws savings plan actually offer incredible saving percentages just like the way you have with the reserved instances if you commit yourself that you're going to use a specific amount of computing power which will be measured in dollar per hour for a one or three year period and one or three year period doesn't mean between one two three it doesn't mean that it is going to be either one or two or three it means that it is either one year or it is three years okay and where can you get this or where can you get this done so you have to use your aws cost explorer and that you will get the option for aws savings plan 
where you can customize and create your own savings plan. And it doesn't stop there; you actually get much more. Along with that you will get recommendations on how you can maximize your savings with this feature, and you will also get performance reports and budgeting alerts. When it comes to the offerings, AWS offers two types of savings plans, but both of these plans need you to provide your commitment of usage, which is measured in dollars per hour. The first one is the Compute Savings Plan. As per AWS, Compute Savings Plans provide the most flexibility and help you reduce your cost by up to 66 percent, and I would say this is one of the most complete savings plans, because it automatically applies to EC2 instance usage regardless of the instance family (for example if you're switching from general purpose to compute optimized or any other instance family), or the size (like switching from 10 GB to 20 GB or any other size), or the availability zone (like ap-south-1a or us-east-1a, if you're switching between any of these availability zones), or the OS or the tenancy (say you are trying to switch from Linux to Windows, or from shared to dedicated tenancy), or even the region (let's suppose you're going to migrate from the India region to the London region). The savings plan automatically applies to the changes, okay? And it applies in the same way to Fargate and Lambda usage as well, considering you wish to switch to them from EC2; just like we can configure Compute Savings Plans for EC2, you can do the same for Fargate and Lambda. The next one is the EC2 Instance Savings Plan. Just like the Compute Savings Plan, here also we get a lot of saving opportunities; it provides the lowest prices and offers savings of up to 72 percent. That's a huge saving, isn't it? But the most important thing to
understand here is that EC2 Instance Savings Plans apply to EC2 usage on a specific instance family in a specific AWS region, regardless of availability zone, size, OS or tenancy. So I hope you got the difference here. EC2 Instance Savings Plans help you save on the cost of EC2 instances over a specific instance family. Let's suppose you apply it to c5: then you can still get the savings even if you are migrating from a c5.xlarge running Windows to a c5.2xlarge running Linux, because it is regardless of availability zone, size, OS or tenancy, okay? I hope you got the point here. Let's move on. Now let's talk about how it exactly works. This is very, very simple: you just have to go to AWS Cost Explorer and select Savings Plans, and then you review whether there are any recommendations for a savings plan. If you have already been using a savings plan, or if your usage is higher than expected, you will get some recommendations, so you just need to review them. Then you can either change any existing plans that you have or choose from these two, that is Compute Savings Plans or EC2 Instance Savings Plans. Then you choose the payment type, whether you're willing to pay All Upfront, No Upfront or Partial Upfront, and the term length, that is either one or three years. The next step is to provide your commitment of usage, like one or five or ten dollars per hour, based on your usage. And that's it: you will get calculated pricing data for how much it will cost you and how much you are going to save, and obviously you can check the same in the pricing data as well. Just to reiterate once again: you have to go to Cost Explorer on AWS, select one of the savings plans, Compute Savings Plans or EC2 Instance Savings Plans, choose the plan type, payment type and term length, then you assign the hourly commitment that you have, like five dollars or one dollar or ten
dollars per hour, which you want to give as a commitment to AWS, and then you get the automatic application of discounts on usage across EC2 and Fargate. So you'll get all the details instantly, okay? Now let's take a look at some of the benefits of using AWS Savings Plans. When we think of savings plans, not only with AWS but also in general banking patterns, we think of how flexible the plan is, and the same goes here as well. When you change your usage across EC2, Fargate and Lambda, this savings plan will automatically apply to it; you don't have to configure that separately based on your changing needs. If today I'm using EC2 as my computing unit and later on I move to ECS or Lambda, the same plan will apply to that. The next point is also very important: the savings plan actually offers up to 72 percent savings in exchange for a commitment to a consistent amount of usage for a one- or three-year term. So let's suppose you tell AWS, yes, I commit that my hourly usage will be five dollars. Then you will get the savings plan price for up to that five dollars, and beyond that it will apply the same rate that the instance usually charges, okay? So the decision making is very important, and that is why you need to keep on checking the recommendations. Last but surely not least is the ease of use. It's very easy to use, and there are two simple steps using AWS Cost Explorer by which you can get this done: the first step is obviously to customize your savings plan and feed in the commitment price, and then add it to the cart and purchase the plan. So that's very simple. And there are some other FAQs that I wanted to share with you that I felt might be important, and which you might ask in the comment section, so I thought why not put them across ahead of time. The first question is: how do savings plans actually work with AWS Organizations and consolidated billing? What AWS tells us is that savings plans
can be purchased in any account within an AWS Organization or consolidated billing family. By default, the benefit provided by savings plans is applicable to usage across all accounts within an AWS Organization or consolidated billing family, okay? However, you can also choose to restrict the benefit of savings plans to only the account that purchased them. So this can be used both ways: either you can choose to restrict it to the account that purchased it, or it can apply to all the accounts. The second question that we have here is: can I have multiple savings plans active at the same time? The answer is yes, you can. And the third one: do savings plans actually provide capacity reservation for EC2 instances? For this I would ask you to ask yourself this question: should a savings plan actually provide capacity reservation? Obviously it will not; you can get that done with On-Demand Capacity Reservations, okay? So the answer to "do savings plans actually provide a capacity reservation for EC2 instances" is no. The fourth one that we have here is a very valid question: why don't we use only reserved instances, because they also provide similar benefits to us? The point that AWS makes here is that RIs, or reserved instances, will anyway come to expire at some point in time, and you can go for a savings plan instead of that, as they offer the same savings as reserved instances but also provide additional flexibility. But if you already have reserved instances and you also have a savings plan, they can work along with each other and help you reduce overall cost, okay? So there is the added benefit of having that, but AWS actually recommends you go for the savings plan because it provides much more flexibility. So this is the AWS documentation for Savings Plans. Here you have an option, or the tab here, for pricing, so you can click on this, and here you will find all the details for all the plans
that they have, like Compute Savings Plans for Amazon EC2, for Fargate and for AWS Lambda, and EC2 Instance Savings Plans as well. As you can see, it has been mentioned here that Compute Savings Plans apply to EC2 instance usage regardless of instance family, size, AZ, AWS region, OS or tenancy. So you can choose the Compute Savings Plan here, for a term of either one or three years, and whichever payment option you want you can choose here: you have No Upfront, Partial Upfront or All Upfront. If you want to pay everything at once, at the start itself, you can pay using All Upfront; if you want to pay half of that, you can pay using Partial Upfront; and if you don't want to pay anything and just want to go with monthly payments, then you can go for No Upfront, okay? And you can select one of the regions here. Suppose I select the region that I am in, Asia Pacific (Mumbai). Then you can choose what type of operating system you have, so let's suppose I choose Windows, and the tenancy is either shared, dedicated host or dedicated instance, so let's suppose I keep it at shared. Now you will see all the discounts that you get, the savings over the on-demand rate. So you get 15 percent on t3.nano, and if you go to the end itself, like the tenth part, the highest difference you're going to get is for the larger instances: you get 32 percent savings over on-demand. For a d2.8xlarge the savings plan rate is 5.65 whereas the on-demand rate is 8.268 in the Asia Pacific (Mumbai) region, and if you say that you are going to use it for a one-year term length, then they are going to give you a saving of 32 percent, okay? And again you have Compute Savings Plans for AWS Fargate. If you are not aware of what AWS Fargate is, basically AWS Fargate is a serverless compute engine for containers that
works with both AWS Elastic Container Service, which is called ECS, and Elastic Kubernetes Service, or EKS, okay? So Fargate is basically your compute engine for these two, ECS and EKS. Here as well, if you're trying to use AWS Fargate, you can make the selection of the term length, like one year, and you can choose the region, and you will get discounts relative to the on-demand prices, like over 20 percent over on-demand per GB per hour and per vCPU per hour. So this is the type of savings you're going to get with AWS Fargate. And here as well for AWS Lambda. AWS Lambda works on requests and duration, isn't it? And the same goes for Compute Savings Plans for AWS Lambda: if I have a term length of one year, the payment option is All Upfront and the region I choose is Asia Pacific (Mumbai), then for the duration, per GB-second, I'm going to get 17 percent over the on-demand rates; for the 1 million requests it's not that much, there are no savings at all, but if you see the free tier, it obviously gives 1 million requests free, so okay. The same goes for provisioned concurrency and the duration of provisioned concurrency: for both of them you get 17 percent savings over on-demand. And for the EC2 Instance Savings Plan, okay, here there are a lot of things that you have to choose: the term length is one year, you can have No Upfront or Partial Upfront, and I'll go with Partial Upfront here. As I already told you, EC2 Instance Savings Plans apply to EC2 usage on a specific instance family in a specific AWS region, regardless of AZ, size, OS or tenancy, so you have to choose the instance family that you want; it may be m3 or i3 or anything. So let's suppose I choose m5, and for the region, Ohio (us-east)... no, I'll choose my region itself, so it will be Asia Pacific. Here I am going to choose Windows, and here it gives me 21 percent savings over on-demand, because the
on-demand rate is 0.193 and the savings plan actually gives me a rate of 0.153, okay? So even if I switch from m5.large to m5.metal, I will still get a similar kind of savings, and I don't have to worry about that. So these are the kinds of savings plans you get; you can come here and define the requirements that you have and get the savings prices. We will go to the AWS console now to check out how it exactly works there, so let's go there and see. To sign in to the console and use AWS Cost Explorer, you either need to be the root user or you need to have an IAM user that has permissions to access the AWS Cost Explorer service, okay? Here it actually opened automatically for me because I tried to re-log in, but you can go to Services and type "AWS Cost Explorer" and you get the option here as well, where you can right-click on it and open it. What I'm going to do here is show you how you can create your savings plan, but I'm not going to create it, because it is going to cost a lot of money for me; we are running on the free tier, so we are free people and we are cheap people, so we will only do the demo here, okay? Here you have all the options: Cost Explorer, reports, budgets, and anomaly detection, which is in the beta stage; we have the recommendations as well, but here is the one that we are going to focus on, Savings Plans. If you want to create a savings plan, you just have to click on Purchase Savings Plans, okay? Once you click on Purchase Savings Plans you get a form here, which tells you what the different savings plans are. The first one is Compute Savings Plans, which applies to EC2 usage, AWS Fargate or AWS Lambda service usage regardless of region, instance family, size, tenancy and operating system. The second one that we have here is the EC2 Instance Savings Plan. So let's suppose, let's suppose,
for example, I am going to go with the Compute Savings Plan. Then the next option I have is to choose what term I want to set, whether it is going to be one year or three years, okay? For now let us go with the one-year plan: I am going to tell AWS that I am going to go for a one-year term, I am going to have a purchase commitment of around two dollars per hour, and I will pay Partial Upfront, okay? So the Partial Upfront payment is eight thousand seven hundred and sixty dollars if I'm saying that per hour my commitment of usage of the Compute Savings Plan is going to be two dollars, okay? You can give a start date, but that is optional. Here you get the purchase plan payment details: the total upfront cost that you have is 8,760 because it is Partial Upfront, then the monthly payment that you have to pay is 730, and the total cost is around 17,520 for one year, okay? Let's suppose I choose No Upfront; then the cost again changes, and I have to pay a monthly charge of 1,460, but the total cost actually remains the same. For All Upfront, you pay the upfront cost of 17,520 and you don't have to pay anything monthly for a year, okay? Let's suppose I choose three years for the same option: then the Partial Upfront cost will be twenty six thousand two hundred and eighty, monthly you have to pay 730, and the total cost will be fifty two thousand five hundred and sixty dollars, okay? Now let's suppose you make it one dollar. Then one year Partial Upfront is around 365 dollars. So for an individual these prices may be very high, but for organizations, based on the money they actually make and the budgeting capabilities they have, this may not be that much, okay? So don't worry that these prices are very high, because if I have to pay 8,760 dollars... if you see my earning capabilities on YouTube, you can easily judge that I might
be making one or two dollars per video, so I can't even afford a single on-demand instance, and that's on a serious note, okay? So let's move on. The second option that we have here is the EC2 Instance Savings Plan. This actually applies to instance usage within the committed EC2 family and region, regardless of size, tenancy and operating system. The term I am going to choose is one year, and you have to choose the region, because it is regardless of size, tenancy and operating system but not the region, okay? So you have to choose the region here; I'll choose my region, Asia Pacific (Mumbai). Here I have to choose the instance family, so we will choose one of the basic instance families like c5, and the purchase commitment that we are going to have is one dollar per hour, based on our status, and the payment option we have here is Partial Upfront, and that comes to around 4,380. Uh, I will take that back, that is not even our status. So the next thing we have to do is nothing; we just have to see how much upfront cost we are going to get here. So 4,380 is the upfront cost that we are going to pay, monthly we will be charged around 365, and the total cost is 8,760.
With this you can actually change between any of the instances that you have in that instance family, regardless of the size, tenancy or operating system that you have, so you can play around with that. But the biggest advantage is that you're using the savings plan and you don't have to worry about the prices at all, because it will be covered within your savings plan itself, okay? So I hope this was clear. You can just come here to the free tier account, log in with your root or the IAM account that you have, and you can see this as well and try and experiment with it on your own. And you can see this Recommendations section here: once you click on Recommendations it will show you whether you have any recommendations based on your usage. So bigger companies who are using so many instances, like hundreds and thousands of instances, will obviously get some recommendations, but here, if you see, we don't have any recommendations because we don't have any savings plans yet. They have also given some options here as to why we are not seeing any recommendations: "Currently there are no savings opportunities identified. Either AWS hasn't identified any savings opportunities yet, or your average on-demand spend is below $0.10 per hour during the chosen lookback period. You can still purchase Savings Plans by going to the purchase page. Be sure to review your usage and estimated savings ahead of the purchase." So they also tell us the same thing: before actually purchasing this plan, you need to determine how much expense you are having with your current usage of EC2. If you don't have that much cost that you're going to save by using savings plans, I don't think it makes any sense to go for that, but bigger organizations, or startups or companies that are dealing with a large number of users, can actually use this savings plan and benefit from it, okay? So I hope you got the point of how we are going to use it and why
savings plans can actually help us, or where exactly, in which situations, savings plans can actually help us. So make sure you make the right decisions for your company, or the organization you're working for, or the program you're designing for, or the application you're going to host, and come back here, see your recommendations and make the right decisions, okay? So that's it from the demo side; let's move on. Once you're logged in to the AWS console, you can just go to VPC by typing "VPC" here, okay? You will get "Isolated Cloud Resources" when you select VPC, so just select this and we will be welcomed to the VPC Management Console. This is the place where all the magic actually happens. AWS provides us a very good, user-friendly interface to create VPCs, and that is what we will be checking right now. Here you have a lot of options, like Your VPCs, Subnets, Route Tables, Internet Gateways and all the things that you can create from this management console, but the thing that we are going to create is a VPC, so just click on Your VPCs. When you create your account it comes with a default VPC; vpc-f888888a90 is my default VPC, and the CIDR block that has been associated by default is 172.31.0.0/16.
Okay, so if I have to create a VPC then I just click on this Create VPC button, and here it will ask me for a couple of options, okay? The first thing is we have to provide a name, so I'll give "new vpc", okay? And for the CIDR block, what we had already discussed was that the range of the CIDR block that you can provide is going to be between /16 and /28, okay? So I can provide /16 right now, so 10.0.0.0/16, and no IPv6 CIDR block; I don't want to give anything. And the tenancy that you see here will decide whether all the EC2 instances that you're going to create here go as default or go into dedicated. We don't want any dedicated instances right now, so we will be selecting Default. If you want to read about this, you can click on Info here. It tells us that you can run instances in your VPC on single-tenant, dedicated hardware. Select Dedicated to ensure that instances launched in this VPC are dedicated tenancy instances, regardless of the tenancy attribute specified at launch. So even though you specify any type of tenancy at launch, if you have selected Dedicated here then it will go to dedicated tenancy, okay? And select Default to ensure that instances launched in the VPC use the tenancy attribute specified at launch. So regardless of what you have specified at launch, if you have specified Dedicated here, it will go to the dedicated one because the default tenancy of the VPC is set to Dedicated, okay? So this is one thing that is very important for you to understand, and if you don't want to incur huge costs, don't select Dedicated in the beginning while creating the VPC, okay? We may never know what our current requirement is, okay? And if you have the specific requirement and your architect has already told you, or you are the architect and you know that every instance that you're going to get for your VPC is going to be dedicated, then please go ahead and
make that change and use this tenancy. But if you don't have any clue regarding what type of instances you are going to host later on in the future, then just select Default, okay? And I just don't want to give any other tag; the tag is already specified, Name, and the name that I had given was "my new vpc", and I don't need to add any more tags. The one thing that you need to be very clear about is that you have to specify between /16 and /28. So if I go to this website, the IP address calculator guide, and supply this CIDR block that I am going to use, which is /16, and hit Calculate, it will tell me that the total number of IPs you are going to get is 65,536, but the first one will start from 10.0.0.0 and the last IP will be 10.0.255.255, okay? And this we can actually divide into multiple CIDR blocks, okay? So the next thing you're going to do is just click on Create VPC. Once you have created the VPC you will get a VPC ID, okay, and this will be mapped with your name. And if you can see here, the state is actually Available, DNS hostnames are disabled, DNS resolution is enabled, and the tenancy that we have is Default. The DHCP option set is already set, and the route table and the network ACL have already been created, so these two will be created by default: these are the default route table and the default NACL, or network access control list. I can go here and right-click on this one and see: the local route that I have, I think, will have the destination set to the CIDR in the route table. So if you see here, if I go to Routes, as I told you on the diagram before, the destination will be 10.0.0.0/16 and the target will be local, okay? So it will point to itself, to the same VPC, okay? So here you can see the IPv4 CIDR is this one, 10.0.0.0/16, and we don't have any IPv6 CIDRs, okay? If I want to take an action, I can actually edit CIDRs, I can create flow logs (as I told you, you can send them to CloudWatch or you can send them to S3), you can
also edit DNS hostnames and DNS resolution as well, you can manage the tags and you can delete it as well. If I click on Edit CIDRs, and I want to give another CIDR block, I can just choose 10.1.0.0/16, because, as I showed you here, these are the two numbers that are going to change, the last two numbers, okay? And you cannot have one more CIDR block which actually tries to bifurcate the first CIDR that you have, okay? You cannot have this. So the only way we are going to have it is like this, 10.1.0.0/16, okay? Once I have this I can just click on Save and I can create this; if I want I can create a few more, I can create up to a maximum of five, I think. So this is the way you can add more CIDRs: this becomes your primary CIDR and this becomes your secondary CIDR. This was the part that I wanted to show you, and I'm not going to add any more CIDRs because this is sufficient for us, so I'll just remove this and close this; I don't want to add it. And the thing about the IPv6 CIDR is that you can create a new one, but I don't want to have any IPv6 CIDRs as of now. If you are interested, you can just click on Add new IPv6 CIDR, and you can choose an Amazon-provided IPv6 CIDR block, or an IPv6 CIDR block owned by me, and you can choose a pool; Amazon already provides you a pool of CIDR blocks, so you can choose one and just click on Select CIDR and create it. But I will not create it right now, so just close it. The default VPC that I had, I did not give any name to that one, so I can just give it a name, okay, "default vpc", just for clarity. So this is my default VPC and this is my new VPC that we just now created, okay? So congratulations, you have created your first VPC now, and the CIDR block that you have associated is 10.0.0.0/16.
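Flow logs came up in the security overview and again just now in the VPC actions menu, where the point was that they can be sent to CloudWatch Logs or S3 for auditing and debugging. What follows is an added example, not code from the video or from AWS, of what you do with them once they are there. It parses records in the default flow log format (version 2, whose field order is `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`) and runs two checks a security engineer would want over them: accepted SSH from outside the VPC CIDR, and sources that were rejected on several different destination ports, which is what a port scan hitting a NACL or security group looks like. The log lines, the account ID, the ENI ID and the addresses are constructed for the example; the function names are my own.

```python
"""Parse AWS VPC Flow Log records (default format, version 2) and run two checks.

Added example for this walkthrough; not code from the video or from AWS.
"""
import ipaddress

# Field order of the default flow log format, version 2 (what you get when
# you create a flow log without specifying a custom format).
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (account ID, ENI ID and addresses are made up).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, i.e. "outside".
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.0.10 51234 22 6 12 1496 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.9 10.0.0.10 40001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.9 10.0.0.10 40002 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.9 10.0.0.10 40003 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.5 10.0.0.10 33333 22 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per record whose log-status is OK.

    NODATA / SKIPDATA records carry "-" in the traffic fields and are dropped;
    lines without exactly 14 fields are dropped too rather than guessed at.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def external_accepts_to_port(records, vpc_cidr, port, proto=6):
    """Source addresses outside vpc_cidr that were ACCEPTed to the given port (TCP by default)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = {
        r["srcaddr"]
        for r in records
        if r["action"] == "ACCEPT"
        and r["dstport"] == port
        and r["protocol"] == proto
        and ipaddress.ip_address(r["srcaddr"]) not in vpc
    }
    return sorted(hits)


def rejected_ports_by_source(records, min_ports=3):
    """Sources that were REJECTed on at least min_ports distinct destination ports."""
    ports = {}
    for r in records:
        if r["action"] == "REJECT":
            ports.setdefault(r["srcaddr"], set()).add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("external SSH accepts:", external_accepts_to_port(recs, "10.0.0.0/16", 22))
    print("possible scans:", rejected_ports_by_source(recs))
```

With the sample above, the first check reports 203.0.113.7 and not the internal 10.0.1.5 login, and the second reports 198.51.100.9 with ports [23, 445, 3389]. Two caveats worth keeping in mind: a flow log record is an aggregate over a capture window, not a packet capture, and a REJECT tells you that a security group or a NACL dropped the flow, not which of the two did.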
The next thing we are going to do is create subnets. Click on Subnets on the left-hand side; below Your VPCs you will find Subnets. This is the default VPC subnet, you can see here it's written "default vpc"; we don't want to disturb this, we have to create our own subnets for the new VPC that we have created. How can we create them? We can just click on Create subnet and create a subnet here. I'll just write the name "subnet a public", the VPC that I want to choose is this one, "my new vpc", the availability zone is ap-south-1a, okay, and I can give the CIDR block now: 10.0.0.0/24. This comes exactly within the CIDR block that I have, between /16 and /28, so this should be sufficient for me. Just click on Create. It should be created, well and good, congratulations. Now we are going to create one more, so it will be "subnet b public", and I'll choose the VPC again, and this one will be 10.0.1.0/24, making sure that they don't collide with each other. I'll just create that one, and I'll create one more subnet, "subnet c public", and this will be in the VPC and I will put this inside ap-south-1b, okay? So two subnets I have put in one availability zone and the other one I am going to put in 1b. This will be 10.0.16.0/24, okay, so the first one was 0, the second one was 1, the third one was 16. Now this is also created, so 251 IPs, 251 IPs and 251 IPs. Now what I'm going to do is create the private subnets; subnet... and this one will be 10.0.32.0/24.
So this is also fine; these are not colliding with anyone. So we have the private subnet and three public subnets. Now I can go ahead and create one more, and the VPC will be the new one, and this will be the second AZ, and I'll give it 10.0... okay, let's suppose I give 32.0/24 and see what happens. Okay, this will overlap the existing CIDR, okay? And if I give 16 it will overlap the existing CIDR, okay? So I have already given 32, so if my CIDR actually started from this, how you can calculate is: /24, okay, I'll clear this, so the last IP will end at 32.255, okay? So we have to create something after this. What I can do is create 33, okay, 33.0/24. It will get created, yes. So every time you feel like you are going to crash into some of the subnets that you have already created, just look at the IPv4 CIDR blocks that you already have, look at the last IP that you have created, and you can give one value after this; like after 32 I have given 33, so that also works, and it's not a problem because it falls under the same range, between 0 and 255, so it doesn't matter, okay? Now, as you can see here, 251. Every time we wanted to calculate a /24 we always imagined that we would get 256 IPs, but we are getting 251 IPs. I hope you remember, we already discussed this before: AWS itself reserves five IP addresses, and it only gives us the CIDR value minus five IPs, and those will be the only usable hosts; the other five will not be usable. If you haven't gone through that session then please go through that session as well; I have provided the link in the description, so don't worry about that, it's very simple. Just remember for now that any time you have to decide on creating CIDRs, or decide on creating subnets and assigning CIDRs, you must remember that five IPs from that list will not be usable. And the way I actually decide how I want to create a subnet is basically
like this: let's suppose I created a VPC with a CIDR block of 10.0.0.0/16. Then what I can do is, I have the flexibility to now create my CIDR blocks, or the subnets that I want, within the availability zone that I want, from any possible value between /16 and /28, okay? So the first subnet that I wanted to create was "subnet a pub", and the CIDR block that I wanted to create was 10.0.0.0/24, okay, and that actually gives me 256 IPs, and that is fine for me, okay? If I want to create the next one, I can basically go here and paste it and calculate what the first and the last value of the CIDR block are going to be. So if I have the first IP as 10.0.0.0 and the last IP as 10.0.0.255, I can anyway change the second value of this and create a second CIDR. So I will go ahead and change the second value to 1 and I can create another 256. If I take this again and try to calculate the value for the first and the last IP, here also I get 256 IPs, and it starts from 10.0.1.0 and ends with 10.0.1.255. Then I will create the second subnet that I have for the public one with 10.0.16.0/24. So let's suppose I have this IP, or the CIDR block; then I can just go ahead and paste it here, and if this was my CIDR block and I had to create any third CIDR, I can actually create it from 10.0.17 or 10.0.15, it depends on me. It should not be like 10.0.16.1 or something, okay, it cannot be like that; it cannot be between 0 and 255. So the next value that I wanted to give for the CIDR block was for the private one, so I plan to give it 10.0.32.0/24.
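The subnet planning just described, with the IP calculator, the /16 to /28 limit, the five reserved addresses and the overlap errors the console returns, can be checked offline before you touch the console. Below is an added example, not code from the video or from AWS, using Python's standard `ipaddress` module. It validates a list of candidate subnet CIDRs against a VPC CIDR in order, rejecting anything that is not on a subnet boundary (the 10.0.32.5/24 case), outside the /16 to /28 range, outside the VPC, or overlapping a subnet already accepted (including the "bifurcate" case, a larger block that contains a smaller one already in use), and reports first IP, last IP and usable hosts. The VPC and subnet values are the ones used in the walkthrough; the function names and the reserved-address constant are my own.

```python
"""Check a subnet plan against a VPC CIDR before creating it in the console.

Added example for this walkthrough; not code from the video or from AWS.
"""
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast), so a /24 yields 251.
AWS_RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28  # VPC and subnet CIDRs must be between /16 and /28


def usable_hosts(cidr):
    """Usable host addresses in a subnet after AWS's five reserved addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def plan_subnets(vpc_cidr, candidates, existing=()):
    """Validate candidate subnet CIDRs in order, the way the console would.

    Returns one dict per candidate: {"cidr", "ok", "reason", "first", "last", "usable"}.
    Accepted candidates join the in-use list, so a later overlapping candidate
    is rejected just as it would be in the console.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    in_use = [ipaddress.ip_network(c, strict=True) for c in existing]
    results = []
    for cand in candidates:
        entry = {"cidr": cand, "ok": False, "reason": "", "first": None, "last": None, "usable": 0}
        results.append(entry)
        try:
            net = ipaddress.ip_network(cand, strict=True)
        except ValueError:
            # e.g. 10.0.32.5/24: host bits set, so it is not a subnet address
            entry["reason"] = "host bits set; not a valid subnet address"
            continue
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            entry["reason"] = f"prefix /{net.prefixlen} outside /{MIN_PREFIX}-/{MAX_PREFIX}"
            continue
        if not net.subnet_of(vpc):
            entry["reason"] = f"outside VPC CIDR {vpc}"
            continue
        clash = next((u for u in in_use if net.overlaps(u)), None)
        if clash is not None:
            entry["reason"] = f"overlaps existing subnet {clash}"
            continue
        in_use.append(net)
        entry.update(ok=True, reason="ok", first=str(net[0]), last=str(net[-1]),
                     usable=usable_hosts(str(net)))
    return results


if __name__ == "__main__":
    plan = [
        "10.0.0.0/24", "10.0.1.0/24", "10.0.16.0/24", "10.0.32.0/24",  # from the walkthrough
        "10.0.32.5/24",   # not on a /24 boundary
        "10.0.32.0/24",   # duplicate of an accepted subnet
        "10.0.16.0/20",   # would contain 10.0.16.0/24 ("bifurcating" an existing block)
        "10.0.33.0/24",   # the value that worked in the walkthrough
        "10.1.0.0/24",    # outside 10.0.0.0/16
    ]
    for r in plan_subnets("10.0.0.0/16", plan):
        print(f'{r["cidr"]:>14}  {r["reason"]:<42} {r["first"] or "":>12} {r["last"] or "":>12} {r["usable"]:>6}')
```

Running the block prints one row per candidate; the four walkthrough subnets and 10.0.33.0/24 come back "ok" with 251 usable hosts each, and the rest carry the reason the console would give. The check is deliberately strict about boundaries (`strict=True`) because that is what rejects 10.0.32.5/24; the same module with `strict=False` would silently round it down to 10.0.32.0/24, which is not what the console does.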
So if I calculate this again, if I just paste it here, the next value that I wanted to give... the first value that I got here was 10.0.32.0, and the last IP that I'm getting is 10.0.32.255, because we have only 256 IPs, so the last range will be 255, and then the CIDR block actually changes. So I cannot have something like 10.0.32.2 as one of the CIDRs, because it will not work, okay? For that reason itself I chose 10.0.33.0, okay? So let's suppose I wanted to give you the same example here. I already told you that I chose 10.0.33.0/24 and it worked for me, and just for your satisfaction, if you want to know whether this works or not, if I choose something like 10.0.32.5 and try to create a subnet, just see what happens. So I have to create a subnet here: I'll choose 10.0.32.5/24, doesn't matter, and try to create this. It will not, so it must be a valid CIDR, because /24 already covers 0 to 255 IPs. And then if I wanted to create one like 33, as it is already created, it will tell me that the CIDR block is going to overlap. Now, if I want, I can create 34; yes, it will not throw me any errors. If I want to create 31, it will not throw me an error; between 0 and 255, as many numbers as are there, I can create one, because my CIDR block actually allows it, my VPC CIDR block actually allows me to. But I cannot overlap two CIDR blocks which are already created, and I cannot bifurcate both of them by creating one more, so that is not advisable, and that is why you cannot create that. So while creating, you can prepare an Excel sheet like the one I have created, and make a list of all the CIDRs that you want, and determine how many hosts you want, and remember that this will basically be 251; it will be 251, it will not be 256, because five IPs are already reserved. So this will be the actual host count; this is the actual host count, so don't worry about this. You have to remember
that even though your host count remains 256 your actual host count that will be usable is 251. so you can see all the information that you want here for the vpc but the additional information that you can also watch is for your network access control list so here what happens is as i already told you before that a network access control list will act as a security group for your subnets isn't it so you can see the subnet associations here you can see associated with five subnets so when you create a subnet it gets associated with your default knuckle or the network access control list and you can see the subnet associations here so you will find that all the subnets that you have created both private and public are already associated to this network access control list and now coming back to this once again if you go to subnets so if i click on this one yeah now you're able to see the second vpc that we have created so you can just click on this and you will only see the subnets that are associated to the newly created vpc and you might tell me that python we have discussed all of this this is well and good we have created the vpc and the subnet you told that there's my public subnet and these two are my private subnet but i didn't find any difference between both of them we created them the same way so first of all i want to assure you that we will be covering this and i have already told you before a subnet which actually has a route to the internet gateway is considered to be a public subnet and the private routes to the local vpc okay so this is the two difference the main difference that you need to remember and that is what we will be setting up in the sessions to come for now we are just going to focus on the vpc and subnet part so we have done that we have created the subnet and we have created the vpc so this will be it for the demo for today and i know that some of the people actually fear creating these vpcs and subnets thinking that they might incur a 
huge amount of money for their creation in the free account as well in the free tier account as well but don't worry about that for creation you don't need to pay anything only for the resource usage you're going to pay so don't worry about that and you can just create it and delete it that's what i'm going to do right now so don't worry about that create your free tier account start practicing this is how you're going to get the hands-on experience on how we are actually creating vpcs and subnets and all the other things that we are doing and the next thing that we wanted to do was just click on these go to actions and delete subnets yes are you sure that you want to delete these subnets yes i want to delete them just click on delete yes and if suppose you want to delete the vpc and you're scared that you might incur some of the cost then you can just go ahead and click on my vpc or select my vpc or the one that you've created and go to actions and delete the vpc so just type delete and make sure you have deleted the one that you've recently created not the default one because you might have some running instances there so anyways it will tell you that you cannot delete it but make sure that you don't delete these things okay so just the one that you've created newly delete and just type confirm delete then just click on delete again yes now the vpc that we had created is now deleted the subnet that we had created is also deleted we have cleaned up everything so we don't have to worry about anything right now so before connecting your ec2 instances we need to hold on to that thought for some time and we need to talk about a very important topic that is called routing the definition tells us is that a routing table contains a set of rules called routes that are used to determine what network or where network traffic from your subnet or gateway is directed so the most important thing that you need to keep an eye on is where network traffic from your subnet or 
gateway is directed remember this point very carefully where network traffic from your subnets or gateway is directed so this can go both ways like what if the request is coming from an external entity or network or if a request is going out from your subnet as well so when you create a vpc an implicit router gets attached to your vpc and what does a router do it helps with the routing of course and other things like nat and traffic management and it also helps us with connecting to other networks and there are other purposes as well so let's suppose you own a logistic service and you have segregated the pin codes of the places of delivery and the delivery executives who will be assigned with the consignment so let's suppose you get a package delivery for mumbai you check the inventory to find out who is the executive that can take this request up and then you assign the task to that person how do we know that information exists we have an idea of this because we have a rule set that tells us if a request comes from a specific area then who is the one who should handle it or who is the one that should handle it and that is what the route table does and each entry or what we call is route in a table specifies a destination and a target as i told you just now that a vpc has an implicit router and you use route tables to control where network traffic is directed so let's suppose you want your application on easy to connect to the internet and get access to services and aws as well for this you need the help of the internet gateway here you need to be very clear that each subnet that you have in your vpc must be associated with a route table which controls the routing for the subnet but you might also want to assign your subnet to a different route table that you might have customized for your requirement for this we can assign our subnets to custom route tables as well and make use of them else it will be assigned to the main route table by default as you can attach 
subnets to only a single route table at once. But the good thing is that you can assign multiple subnets to a single route table, so that's a good part. And if we see the visual here, we want our EC2 instance to connect to the internet, that is the public internet, and for that we need our instance to be on the public subnet. And what makes a subnet a public subnet? Yes, if that subnet is assigned to an internet gateway. So the top row tells us that you have your subnet which is not connected to the internet gateway with the ID igw12453254545, and this is the subnet that we have, and this is now connected to the internet gateway. And here the way we read the route tables is very important. So if you see the destination of the route, that is basically your 0.0.0.0/0, which actually spans across all the IPv4 addresses, and the target is your internet gateway that's attached to your VPC. And if I want my EC2 instance to access google.com, we know that google.com is having its public IP mapped to the DNS; for example, it could be 43.22.12.11,
which actually falls in the range of 0.0.0.0/0; that's a public IP address. So the IP of google.com becomes my destination IP. Now when this request is sent out, the routing table checks the rule set and tells the gateway that there is a destination IP that is in the range of the public IPv4 addresses, and you are the one who is meant to handle it, because your name is mapped as a target. So that is the reason we say the route table has a route to the internet, that is 0.0.0.0/0, through the internet gateway. So the route table is here, and this has a mapping for the internet gateway, which actually has the connection to the internet. And for the private subnet you will have an entry for the CIDR of your subnet as your destination and the target being local, which means the instance communication between private instances should route through the same VPC. So this is the one, so this is the CIDR block for your VPC, and there's the local as a target, and when you create a subnet this route is added by default to all route tables. If you have more than one CIDR block, then you will have an entry for each of the CIDR blocks in your route table; that is your local route. And for the IPv6 addresses, as they are not included by default as a part of the IPv4 list, you must create a route with the destination CIDR of ::/0 for all the IPv6 addresses. So this is for the IPv6.

For the main route table there are a few important points that we need to cover, so let's talk about them, so let's talk about this portion now. So as we have already spoken about this, when we create a VPC it automatically has a main route table that gets associated with it, and if you have seen the demo you might have witnessed the same, that we did not create a route table; it was automatically associated with that. And this main route table actually controls the routing for all subnets that we create that are not explicitly associated with any other route table. So as we might want to assign our subnets to a
different route table that we might have customized for our requirements, we can assign our subnets to custom route tables as well and make use of them, else it will be by default assigned to the main route table. And you can add, remove, modify routes in the main route table, but you cannot create a more specific route than the local route that is pointing to the same VPC, and you cannot delete the main route table, but you can replace the main route table with the custom subnet route table that you have created, and you cannot set a gateway route table as a main route table. So these are the few points that you need to remember for the routing tables, for the main route table. I hope it was clear, let's move.

So I think by now we have the idea of what a custom route table is, but let's discuss a few points here as well. So what AWS tells us is that, as a part of the best practice, please don't change the main route table and leave it in its original default state, and instead create your custom route tables and assign the subnets that you want to that. By default the custom route table is empty, and if you create a VPC with an internet gateway on the console, the wizard actually creates a custom route table and adds a route to the internet gateway, and you can add, modify and remove routes in the custom route table; that is the flexibility that we want. And for better reliability, you can delete a custom route table only if it has no associations, so this we can actually experiment with in the demo as well, so don't worry about that.

And another important type of route table is the gateway route table, and gateway routing is a term used when a routing table is associated with a gateway; as the name suggests, it's referred to as a gateway route table. In gateway routing we associate the routing table with an internet gateway or a virtual private gateway, and this type of gateway is very important if you're planning to route the traffic to your instances from a security application or firewall
application before it reaches your applications. So here what happens is, if there is traffic that wants to reach your application, then it has to pass through the ENI, or elastic network interface, before it reaches your application instances, so in this way you can secure your application further on these lines. And there are several rules and constraints to using a gateway route table; I want you guys to please read them in detail in the AWS documentation as well. And the important one that I wanted to share was that when you think of gateway route tables you must remember that you can only specify a local or a network interface as a target; you cannot specify any other type of targets, including individual host IP addresses.

I know some of these points are really confusing, so let's check out a real-time example here. So this real-time example tells us a story about a design which has a middlebox application which can screen the incoming traffic before it reaches the application instances, and a middlebox application can be a device or a software that acts like a firewall or NAT or a traffic filter. It is a concept that is widely used in modern application design, and the basic idea for the design would be: first you have your application hosted on EC2 instances, which is being guarded by the application network interface, or the ENI, and we have an internet gateway attached to the VPC which lets traffic come by. Here our firewall app actually inspects all the traffic that enters and leaves the VPC through the internet gateway. Now let's understand how the routing table is configured to ensure that our design only lets traffic coming from the internet gateway pass through the firewall application and the ENI before it reaches the application that is hosted on the EC2 instances. So in route table 1, or the route table A, for the destination that is falling inside the block of 10.0.1.0/24, the target is set to be the ID of the ENI, or the elastic network interface, and any other
instance has to be routed over the local, same VPC. So as you can see here, the CIDR block that actually wants to have access, so this CIDR block, subnet B, so any destination IP that falls under this CIDR block for the subnet B has the target of the ENI, which tells us that it basically has to pass through the firewall app. The route table B that you see here: if the traffic is being received the same way, the instance has to access the internet; for this the route table B tells us that all the IPs inside the block 0.0.0.0/0, that is basically all the IPs in IPv4, have to pass through the internet gateway. And the route table C that you see here, here as well, all the IPs in the CIDR block that we have, that is basically all the IPs in the IPv4 address list, have to pass through the ENI, as we are trying to restrict control to the ENI, and all instances are required to pass through the ENI itself. And if you try to understand the property here, we will get a clear understanding of how smartly we can control access within the subnet. We have the internet here, and if suppose there are requests coming in for the instances, they have to pass through the firewall app and then to the ENI to get access to the instances that we have, and the same goes when our applications are willing to access the public internet: they have to pass through the ENI, then to the public internet, that is with the internet gateway. So you can also design applications like this. So I hope you now are getting a very bleak understanding of how the internet gateway and the design actually works. So let's move on.

So now that we are aware of how an instance is able to access the internet, or for that matter we want to access our EC2 instances from the local desktop or laptop that we have, we want our instances to have visibility so that we can have a transaction, and this visibility is provided by the internet gateway. And as we have rightly mentioned here, an internet gateway serves two purposes: the first one is,
it actually provides a target in your VPC route table for internet-routable traffic, and it also can help you perform network address translation. So don't worry about NAT; that's what we are going to discuss in the upcoming sessions. And AWS tells us an internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet, and it supports both IPv6 and IPv4, and there's no additional charge for having an internet gateway in your account, so you don't have any charges for having an internet gateway. And if you're still thinking about what an internet gateway is, I would like to tell you that please don't think it's some rocket science stuff; it's just a logical interface that helps you to connect to the internet from the VPC, and it's not a physical device. And if your VPC does not have an internet gateway, then the resources in the VPC cannot be accessed from the internet, conditional to, if in case you have something like a VPN connection or a Direct Connect to your on-premise office for your traffic flow.

So the next important thing, and the thing that we are here for, is to understand how to enable internet access. So here is our VPC with our subnet for our AZ that has an EC2 instance that needs internet access, and in turn has to be accessible from the outside world as well. So for that to work, the first step is to create an internet gateway and create a route table for the subnet that we have our instances at. But even before that, we need to ensure that our instances in the subnet have a globally unique IP address; that can be your public IPv4 address that we have, like this one here, or an elastic IP address or IPv6 address, because in order for instances to be accessed from the internet we need to have a public IP attached to that. But that doesn't solve the problem there; you also need to make sure that the network access control lists and security group rules... so you have to ensure
that you have the network access control list and security group rules allow the relevant traffic to flow to and from your instance. And once you have added the route for your subnet, and for the incoming traffic to be passing through the internet gateway, you should now be sorted out and you should be able to access the internet, and your instances will also be visible from the local machine. And the note that you see here below: to provide your instances with internet access without assigning them public IP addresses, you can use a NAT device instead; that is what we will learn in the next session, so if you haven't subscribed, please do that right now.

So let's discuss some points on the internet access for the default and non-default VPCs, because you might say to me that, Pythonic, we did not create any internet gateways to access the public internet, and we were also able to access our instances from the local machine when we did not create any VPCs and we were using the default VPC. So for this we need to understand the below differences, with what actually comes by default for you to access the internet for your VPCs. The first one is the internet gateway: so with the default gateway, it comes automatically with the default VPC, but for a non-default VPC it's yes, but if you created the VPC using the first or second option in the VPC wizard, that is from your console; otherwise you must manually create and attach the internet gateway. So the second one is the route table with a route to the internet gateway for IPv4 traffic, so that is basically your 0.0.0.0/0; so that is also yes for the default VPC, and the same for non-default, that is yes if you created the VPC using the first or second option in the VPC wizard. So the route table actually comes by default, which has a route to the internet gateway for IPv4 traffic, for the default VPC, so that is why we are able to actually access that. And for the IPv6, that's the third point, so that's a no for both default and non-default until and unless you
explicitly assign IPv6, but mostly it is for IPv4. And next up is for the public IPv4 address automatically assigned to instances launched into the subnet, and yes, it is a yes for the default subnet, and that is why you were able to access the internet without creating an internet gateway, because the public IPv4 address is automatically assigned to instances launched into the subnet. So if you select the default subnet in your default VPC, a public IPv4 address will automatically be assigned to this, and for the non-default you need to specify that, so it's a no, and that is for the non-default subnet, and for the IPv6 it's no for both, as predicted.

So now that we are at a state where we have an idea around how this works, let's see this illustration and understand what we are trying to achieve in the demo. So we will be creating a public subnet with the internet gateway, and we will create the route table that will have the routing entry for the instances through the internet gateway, and that is how we will be getting the public internet access, and that's what we will be trying to achieve, and hopefully we should be able to do that, and that should not be that difficult for us. And the yellow line that you see, or the yellow dotted line that you see here, is what we will have as our path to reach the public internet. I hope it was clear, let's move on to the demo.

Then let's start off with the demo, and here we will be creating a VPC. So if you haven't watched the previous episodes on how we actually created VPCs, don't worry about that; we will create a sample VPC here as well, so you can follow the same things as we are doing here and you can also do this demo. So the first thing that you need to do is, you need to go to All services and click on VPC, or you can just right-click on this and open a new tab, or you can click the one if you have recently visited. You can just go to Your VPCs and you will see an entry for your default VPC. So this is the default VPC that you have; it has a default
VPC ID and it also has the IPv4 CIDR, so that is basically yours, so 172.31.0.0/16. So it's a good one, but we have to create our own VPC. So how we can create it: you can just click on Create VPC here, and you have to assign a name for that, myvpc01, that's what I will give, quite a generic name, but okay. So 10.0.0.0/16; so we'll create a CIDR block of 10.0.0.0/16, so don't worry about that. We have the tags in place, we don't want to assign any IPv6 CIDR blocks, or there are no CIDR blocks that are owned by me as well, and the tenancy will be default, and yes, that's it. You just click on Create VPC and you create the VPC, okay.

So the next thing is, once you have created the VPC, you need to create the subnets, isn't it? So click on Subnets here and you will see three subnets that are all part of your default VPC, but we have to create our own, isn't it? You can just click on Create subnet, type in "public", okay, I'll just create one, so "public subnet", and the VPC that we will assign this to, myvpc. So this is my VPC that I have created; now there's the new VPC that we have created, so click on this one. And the availability zone, you can choose any one of them; I will choose the first one, but if you want to have high availability you can create three subnets and assign each of them to one AZ, so that we get high availability. And we can now assign a CIDR block for this, so it can be 10.0.0.0 or 10.0.1.0, /24, okay, just create it. So if you want to understand more about how we actually are creating this, you can watch the first episode of the demo for VPC; I have discussed this in detail, so don't worry about that. So this is the public subnet that we have; this is not yet your public subnet, I have just named it, so don't try to insinuate things here. So you can create one more, so that will be your private, and this will also be, you know, the private subnet that you have, in ap-south-1b. So I can associate it with another CIDR block; it can be 10.0.2.0/26, okay, so it does not overlap; so /26 and /24 don't overlap, so it's
fine, so we can create both of them. So /26 already has like 59 IPs and /24 gives us more IPs, but that's nothing to be worried about. So now you have the subnets and you have the VPC, so the next thing is you want to basically create your instances, isn't it? So go to EC2 and we will be creating our own instance here, so Launch instances; you can click on Launch instances and you can start off the creation process. So here I will be choosing the Amazon Linux 2 AMI, select this, and we will select the t2.micro. Here you have to make some specific changes for your VPC, and you have to let AWS know that you are going to create an EC2 instance for your VPC itself. So here, as you see here, the network selection will be for myvpc01, that is the new VPC that we have created, and here as you can see I have two subnets associated to this one, so the public subnet 1 and the private subnet 1. For now I want to associate it with the public subnet 1, and if you see here we use subnet settings, so by default the auto-assign public IP will be disabled because it is the default subnet setting, and if you want you can change this in your subnet itself. So here, if I go back here, in the public subnet actually I can change this, so I actually can do this like Modify auto-assign IP settings; so here if I just click on this one, or check this one, Enable auto-assign public IPv4 address, it will be enabled for me. But I can also do this manually while I'm going to select this as Enable. So if you enable this one you will have a public IP auto-assigned to your instance, and that's it; I don't think we need to do any other changes here. So you have the VPC, that is myvpc01, you have the subnet, that is public 1, and you have enabled the auto-assign public IP; that's it. I'm not going to use any user data here, so don't worry about that, and just click on Add Storage, this should be fine, just click on Add Tags, then give it a tag like "new instance public 1", okay, and then Configure Security Group; you can create a
new security group or you can use an existing one. So I can just create a new security group for my instance that is public, like an SG; what I'm trying to do here is, I'm just trying to create a security group that actually has SSH enabled for me, so that I can SSH to this instance from my local computer as well, so that is a target for us in the demo, isn't it? And I'll just Review and Launch, yes, that's it, great, Launch, and yeah, you should have your EC2 key; I have mine, so I don't have to worry about this, I can just click on Launch instance. So now you can click on this ID to view your instance also, so you can just click on this, and yeah, so this is now created, this instance is now created and this is running. And if you click on this now, once you've created the instance you will have your public IPv4 address attached to it; so this is the public IPv4 that I was talking about, so 13.233.130.16, and the private IPv4 address that will be automatically assigned based on the CIDR block that you have. And this is the one that we will be using to connect to our instance that we have created here, so let's copy this and let's go to the terminal, and I will try to connect to this instance. So to connect to this I just need to ssh ec2-user@, that's the username, and then the IP address, -i, and I am going to assign the key that I have, okay, so the key was ec2-, yeah, so this is the one, so ec2-key.pem. And if you're using Windows then you can use the default terminal as well; don't follow the same thing that I'm doing here, I'm using PowerShell because I'm comfortable with this, and if you want you can just use the terminal if you are more comfortable using the terminal itself. And now you just need to hit the Enter button and let's see if it is able to connect. Okay, so now, as we expected before, like I think you also expected this, so this has "connection timed out". So now we are not able to connect to this instance, because we don't have
internet access to this instance from the outside world. So for that, what do we need to do? We need to create the internet gateway, isn't it? So let's go and create our internet gateway. So here you have the subnets and, if you see, the VPC that you have here, the VPC that you select on this one. So if you select the VPC here, you have the routing table; so this is the main route table for us. So the main route table, what it tells us is that all the routes that we have for 10.0.0.0/16 will be routed to the local as a target. So these two are the default subnet associations; they have not been explicitly associated with any other route table and therefore are associated with the main route table. So if they are not associated explicitly with any other route table, as I already told you before, they will be associated to the main route table itself.

So now we can go to the internet gateway here, and we have the default internet gateway that is already attached to the VPC ID for the default VPC, and you can just click on Create internet gateway and you can create your own: my-vpc-igw, okay, 01, so this is the name that I want to give for this internet gateway, and just click on Create internet gateway. So once you've created this internet gateway you see the state is detached, right? So what you have to do is, you have to create the internet gateway and attach it to a particular VPC. So I can go to Actions and I can Attach to VPC; so here I can select the one that I have created, so myvpc01, so just click on this one. And you have the AWS command line interface command as well; so this is the command: aws ec2 attach-internet-gateway --vpc-id this one, and --internet-gateway-id is this, and --region is ap-south-1.
So you can copy this and you can run it from the terminal as well, and you can click on Attach internet gateway, and this internet gateway will be attached to your VPC ID, that is myvpc01. So now our internet gateway is attached to the VPC, so let's see if we are able to connect to the instance or not. No, still no luck, it's also going to time out, I know that. So what is the problem now? So we have the internet gateway, but there are no associations to it, isn't it? Because we have not created any route tables. So for this you need to create a route table. So when you come to the route table section you see two route tables, isn't it? So these are the default route tables that are assigned to the VPCs; so this is the VPC ID for the VPC that we created, and this is for the default VPC; so these are the main route tables for each of them. And as we already had discussed before, we can create our own custom route table, so that is what we are going to do here, and you can create a route table here by clicking on Create route table, and here I'll just give it a name, so rt-public-igw01.
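The route-table rules explained earlier and the troubleshooting order of this demo (gateway detached, no default route, subnet still on the main table), as an added example in Python that is neither the video's nor AWS's code: routes are modelled as destination CIDR to target with longest-prefix match, and the VPC state and IDs such as igw-EXAMPLE are constructed placeholders.

```python
"""Route lookup and the public-subnet checklist from the demo.

Added example, not the video's or AWS's code. It models the route tables
discussed above as dicts of destination CIDR -> target: the main table's
local route, the custom table with 0.0.0.0/0 -> internet gateway, and the
gateway route table with a /24 -> ENI entry. The most specific matching
route (longest prefix) wins. IDs such as igw-EXAMPLE are placeholders.
"""
from ipaddress import IPv4Address, IPv4Network

VPC_CIDR = "10.0.0.0/16"
MAIN_RT = {VPC_CIDR: "local"}
PUBLIC_RT = {VPC_CIDR: "local", "0.0.0.0/0": "igw-EXAMPLE"}
# Gateway route table from the middlebox example: subnet B's traffic goes
# to the firewall's ENI, everything else in the VPC stays local.
GATEWAY_RT = {VPC_CIDR: "local", "10.0.1.0/24": "eni-EXAMPLE"}


def lookup(route_table, destination):
    """Target of the most specific route matching destination, else None."""
    dst = IPv4Address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = IPv4Network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_route_table(vpc, subnet_id):
    """A subnet uses its explicitly associated table, else the main one."""
    rt_id = vpc["associations"].get(subnet_id, vpc["main_rt"])
    return rt_id, vpc["route_tables"][rt_id]


def internet_path_problems(vpc, subnet_id, has_public_ip=True):
    """Reasons an instance in subnet_id cannot be reached from the internet.

    An empty list means the path exists. The checks follow the demo's
    troubleshooting order: IGW attached, default route to it, subnet
    association (implicit via the main table), public IPv4 on the instance.
    NACL and security group rules are outside this model.
    """
    problems = []
    igw = vpc.get("igw")
    if igw is None:
        problems.append("no internet gateway in the VPC")
    elif igw["attached_to"] != vpc["id"]:
        problems.append("internet gateway %s is detached" % igw["id"])
    rt_id, rt = subnet_route_table(vpc, subnet_id)
    target = lookup(rt, "203.0.113.10")  # TEST-NET-3 stands in for any public IP
    if igw is None or target != igw["id"]:
        problems.append("route table %s has no 0.0.0.0/0 route to the IGW" % rt_id)
    if not has_public_ip:
        problems.append("instance has no public IPv4 address")
    return problems


def demo_vpc(step):
    """Constructed VPC state after each step of the demo (0..4)."""
    vpc = {
        "id": "vpc-EXAMPLE", "main_rt": "rtb-MAIN",
        "route_tables": {"rtb-MAIN": dict(MAIN_RT)},
        "associations": {}, "igw": None,
    }
    if step >= 1:  # internet gateway created, still detached
        vpc["igw"] = {"id": "igw-EXAMPLE", "attached_to": None}
    if step >= 2:  # attached to the VPC
        vpc["igw"]["attached_to"] = "vpc-EXAMPLE"
    if step >= 3:  # custom route table with the default route, unassociated
        vpc["route_tables"]["rtb-PUBLIC"] = dict(PUBLIC_RT)
    if step >= 4:  # public subnet explicitly associated
        vpc["associations"]["subnet-public"] = "rtb-PUBLIC"
    return vpc


if __name__ == "__main__":
    for step in range(5):
        problems = internet_path_problems(demo_vpc(step), "subnet-public")
        print("step %d:" % step, problems or "reachable")
    print("private subnet:", internet_path_problems(demo_vpc(4), "subnet-private"))
```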
So this is something that I can assign it to, and I'll assign this to my newly created VPC. I don't want to add any tags here, so you can just create the routing table now. You can just close it and you will see the new route table that has been created: this is the new route table rt-public-igw, and this is not the main route table. As you can see here, this is not the main route table, and for the public internet access to work we have to assign the IGW, or the internet gateway, to our routing table. So what you can do: you can select this route table, click on this, and you can edit the subnet association or the route propagation, or edit routes. What I can do is just click on routes and add the route here. For this I will add 0.0.0.0/0 and I will give it the internet gateway, and I'll assign this internet gateway that I have created and save the route. So the routes have already been assigned here, so let's check if our instance is able to communicate now. Still no. What is the problem then? Now we have created the route table, we have created the internet gateway, what else is left? The only thing that is left now is subnet association. Here, for the routing table, we don't have any subnet associations yet, so what I'm going to do is edit subnet associations and associate this public subnet to the routing table that we have here, rt-public-igw01, and click on save. So the subnet which was associated to the main route table is now associated to the custom route table that we have. If you want to see the main route table again you can just click on this one; there's the main route table that we have for the VPC that we created recently. Then you can just click on this one and here you will see the routes: this is the local route that we have, and the subnet association will disappear for the public one, because it has already been explicitly associated with the custom route table that we have here, and that is why you will only see one reference to the private subnet that we had, and the public one is already assigned to this one.

We have the internet gateway ready, we have the route table that has been set, we have given the path for the internet gateway, and we have associated the subnet as well, so this time we should be able to connect to the instance. Let's go and check that out. Yes, so this is the public IP that we use to connect to the instance, but if you see here, ec2-user@ip101195, this is the private IP that we have associated with the instance. If you go to the instance once again, the one that we have already created right now, you see this is the private IP and this is the one that you're going to see on the terminal as well once you connect to this one. Now, if we want to check whether we have an internet connection in this instance or not, we can just do a ping of google.com, and yes, we are able to ping that particular public IP that google.com is currently hosting, so it is 172.217.174.78. So it is working, we are able to get an internet connection from the instance.

Now we will see how we can disassociate these things. If suppose you want to delete all the things that you have created, first of all terminate the instance that you have: go to the instance, go to the instance state and then just terminate the instance. Then I'm going to go to the subnet association that I have and I'm going to remove the entry from here: edit subnet association, and I will just remove the association by unchecking this one and click on save. So I have removed all the associations from the subnet that I have from the routing table, and here in the routes I'll just edit the routes and I will remove this internet gateway association as well from the routes and click on save, and now I can just right click on this and delete route table. So now I am left with only the two default route tables, and I can go to the internet gateway here as well, just click on this newly created internet gateway and detach it from the VPC. So now it has been detached; I can click on this again and I can delete the internet gateway, I just have to confirm this by typing delete. So now it has been deleted. You have cleared the internet gateway, you have cleared the route table; now what you can do is just delete the subnets, and now you can select your VPC, just click on the newly created VPC, go to actions and delete the VPC. Again, it might tell you that yeah, this will also be deleted because the security group belongs to this one, so you can just click on delete and click on delete again. Now your VPC is deleted and you are left with the default VPC, and please don't delete this one. I don't think you can delete it, but there is an option to delete this as well, but I am sure that you want to make use of the default VPC to create your instances, so please don't delete this.

So when we think of public IP addresses and the time they were introduced, everyone believed that it would be sufficient because of the amount of public IPs that we had at our disposal, with the 2 to the power of 32 IP address range, which is about 4,294,967,296 public IPs, among which we have 588,514,304 reserved IPs. That's a mouthful here. No one expected it to become scarce in just a few years, and it became very hard to manage the world wide web with the decreasing number of free public IPs. Let's take a moment and imagine a scenario where people sitting at home had a lot of devices that needed internet connectivity and they were using the IPs from the pool of public IPs to connect to the internet, be it your laptop or phone or smart speakers; everyone was just using a public IP address. But with the growing demand for devices and the way
people got addicted to media devices around the world, billions were now online, and it gradually kept on decreasing the count of the IPv4 public IPs. It was at that stage that we felt the need for private IPs, and now along with the public IPs we had a range of private IPv4 addresses that could be used to attach to the devices. And if private IPv4 was a solution for the dying public IP address pool, let's see what happens when we attach private IPs to our devices. Here we have all our devices in our local network with our private IPs, and we assumed everything would work fine. Well, that didn't go as expected, isn't it? We believed that private IPs were the solution to our internet connection, but the issue was that only the public-facing IP addresses have the capability to connect to the internet, and that's a very concerning thing. So let's change something in the configuration now: let's introduce a NAT device, that is the network address translation device, or what you may also know as your router, and let's see the magic unroll. And yes, now you're able to watch movies and listen to your songs on your laptop and iPads. But what exactly happened when we attached a NAT device, and how are you able to connect to the public internet using the router or the NAT device? So if I tell you that it's a type of device that allows multiple devices to access the internet through a single public address, you might ask me, how is it even possible? Think of NAT, or network address translation, to be a process in which we translate one or more local private IPs into global public IP addresses so that we can get connected to the world wide web. Don't worry about the working principles of this, we will talk about this in short in just a moment. For now you have to remember one thing: the devices that you are using in your home might be connected to the Wi-Fi router or an ethernet cable, but they are within the local network, which will have their own private IPs. That is the same reason why, if you take that local IP of your laptop right now and try to access it from a cafe or office, you won't be able to access it, because it's not a part of your public IP space. That is the reason why you talk to your ISP, or the internet service provider, and get an internet connection and attach that optical fiber cable that you get to your router, and you connect your devices to the Wi-Fi router in order to get internet access. And when you connect your devices to the router, that device keeps track of the MAC addresses of the devices and their IP addresses and all the requests that are being made. And how does the router do that? Yes, the answer is NAT, and I'm not saying that's the only thing that goes around, there are other things like routing as well, but we are talking about NAT, so let's stick to that.

I really wanted to skip this part, but I felt that even if this may not be important for the exam, it is something that is really important for everyone to understand, the concept of how NAT actually works, so let's not skip this; we will learn this as well. And I would request you one thing: throughout this explanation keep this in mind, NAT translates a local private IP into a global public IP and vice versa. Okay, so let's see what happens in the explanation. We are at our home using our desktop computer and we want to access the internet. Our local IP block is 192.168.0.1.28; that is what is called our inside local address, which is not provided to us by the service provider but instead is our very own local IP which can be accessed within the local network, that is the private IP. Now we send the request to the NAT device. There can also be multiple devices sending the request to the NAT device, so we also have the inside global address, which acts as an IP representative for one or more local IP addresses. That is called IP masquerading, which can be an IP from the block 47.12.22.3/24.
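The translation described in this section, as an added worked example (my code, not from the video): a minimal port address translation NAT in Python that maps each private (source IP, source port, destination) flow to the single public IP plus a translated port, and reverses that mapping when the response comes back, dropping inbound packets that no outbound flow created. The public IP 47.12.22.3 is the one the video uses; the 192.168.0.0/24 range, the private hosts and the sample destination addresses are constructed values.

```python
"""Minimal NAT (port address translation) table: many inside-local (private)
addresses share one inside-global (public) IP. Addresses other than the
video's 47.12.22.3 and 172.217.174.78 are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The addressing fields of one IP datagram (payload omitted)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Translates outbound flows to (public IP, translated port) and reverses
    the mapping for replies. A reply with no matching entry is dropped, which
    is why unsolicited inbound traffic cannot reach a private host."""

    def __init__(self, public_ip: str, private_net: str, first_port: int = 40000):
        self.public_ip = public_ip                  # inside global address
        self.private_net = ip_network(private_net)  # inside local range
        self._next_port = first_port
        # flow key (src_ip, src_port, dst_ip, dst_port) -> translated source port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (translated port, dst_ip, dst_port) -> (src_ip, src_port)
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the local network."""
        if ip_address(pkt.src_ip) not in self.private_net:
            raise ValueError(f"{pkt.src_ip} is not an inside local address")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._outbound.get(key)
        if port is None:
            # New flow: allocate the next translated port, record both directions.
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a reply arriving from the internet.
        Returns None (drop) when no outbound flow created the mapping."""
        if pkt.dst_ip != self.public_ip:
            return None
        local = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if local is None:
            return None
        src_ip, src_port = local
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)

    def entries(self) -> List[Tuple[str, int, str, int]]:
        """The table as the video draws it: source ip/port -> translated ip/port."""
        return [(k[0], k[1], self.public_ip, p) for k, p in self._outbound.items()]


def demo() -> dict:
    """Two private hosts talk to the same web service through one public IP."""
    nat = NatTable("47.12.22.3", "192.168.0.0/24")
    web = ("172.217.174.78", 443)  # the google.com address pinged in the video
    laptop = Packet("192.168.0.10", 51000, *web)
    phone = Packet("192.168.0.11", 51000, *web)  # same source port, different host
    out_laptop = nat.translate_outbound(laptop)
    out_phone = nat.translate_outbound(phone)
    # The web service only ever sees the public IP and the translated port.
    reply = Packet(web[0], web[1], nat.public_ip, out_phone.src_port)
    delivered = nat.translate_inbound(reply)
    # An unsolicited packet to a port nobody mapped is dropped.
    stray = nat.translate_inbound(Packet("198.51.100.7", 53, nat.public_ip, 40999))
    return {"out_laptop": out_laptop, "out_phone": out_phone,
            "delivered": delivered, "stray": stray, "table": nat.entries()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```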
With that public IP you are able to connect to the public internet. But having said that, it's a request and response architecture, isn't it? So when you send a request to the outside world, or to the world wide web, you will also get a response, isn't it, or you will expect a response. And for that we need to translate the public IP to a local IP address so that we can get the response back to the device which requested it. There comes our response, and it's back to our public IP; that is the outside global address, that is the before-translation IP address as seen from the outside world. Now that we have the response back, we can translate the global IP again to the local IP address which is available, or which is visible, to the local network, and the response is sent back to the device, and that is what is called our outside local. So the process is to translate one or more local IP addresses to a global IP and vice versa so that we can communicate with the public internet. Here we make the request, and this is the IP that gets translated using the network address translator, which gets connected to the internet and gets the response back to us with the same or a different global IP, which gets translated again and sent back to the device which requested it. That is why I said it's a process of translating one or more local IP addresses to a global IP and vice versa so that we can communicate with the public internet. But how does the NAT know which IP the request has come from and to whom the response is meant to be sent? When we look through the eyes of the NAT, all our devices have a local IP, which is a source IP, and we have a web service to which our devices are willing to talk, which is our destination IP. So this is how the NAT table looks: all the source IPs have a source port which is mapped to a translated public IP which will be used for communication over the NAT device. If you see here, we have the different source IPs but the same source translated IP; here the source IP is different but the translated source IP is the same, and using the port and the IP mapping the NAT actually does a reverse address translation and sends the appropriate response to the one who has requested it. I hope this was clear.

Let's move on to the AWS NAT and let's understand how we can provide internet access to our instances in the private subnet. Just like we discussed before, the NAT device actually helps us to enable instances in the private subnet to connect to the internet. We all know that the instances which are in the private subnet have the main route table pointing the VPC subnet CIDR to the local VPC as the target, and that is why it doesn't have internet access and people outside also cannot access these instances. Along with that, it actually helps us during software updates, or if we want to use it for accessing other AWS services, and also it helps us to forward traffic from the instances in the private subnet to the internet or other AWS services and also sends the response back to the instances. For this AWS offers two kinds of NAT devices: the first one is the NAT gateway and the other one is the NAT instance, and AWS recommends that we make use of the NAT gateways as they provide better availability and bandwidth over NAT instances. Don't worry, we will get to know about both of them. So now let's start off with NAT gateway. NAT gateway service is a fully managed service from AWS that helps us enable instances in a private subnet to connect to the internet and other AWS services. Yes, you heard it right, it's a service, so NAT gateway service, and it's completely managed by AWS, so there are way fewer things to be worried about when you use the NAT gateway service. NAT gateway actually supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps, and as this is a service you will be charged for the usage as well: you are charged for creating and using a NAT gateway in your account, and you will be charged hourly
for your usage and data processing. That is, you are charged for each hour that your NAT gateway is provisioned and available, and data processing charges apply for each gigabyte processed through the NAT gateway. If you see here, for the ap-south-1 region the charge for NAT gateway per hour is 0.056 dollars, and per GB of data processed it's also the same, that is 0.056 dollars. NAT gateways are not supported for IPv6 traffic; we need to use the outbound-only egress internet gateway for that.

So now let's see how we can create a NAT gateway. There are very simple steps to create your NAT gateway. Step one: you must specify the public subnet in which the NAT gateway should reside. Yes, the NAT gateway should reside in your public subnet, which means it is associated with the internet gateway, so I think I gave you the clue right there. Step two is basically to specify an elastic IP address to associate with the NAT gateway; that is the IP that will be used for IP masquerading, so that's really important. Step three: update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. So if you have one or more private subnets, you can add them to the route table for them to get associated with the NAT gateway, but it is advised to have one or more in each subnet. You can have more than one NAT gateway per availability zone, and the quota is a maximum of five per availability zone, and a NAT gateway in the pending, active or deleting state counts against your quota, so even if they are in these three states it still counts as a plus one for your quota limit. Here as well we need to consider the availability zone independent architecture, and for that AWS tells us to create a NAT gateway in each availability zone and configure the routing to ensure that resources use the NAT gateway in the same availability zone, else they might have a single point of failure.

Now let's see the visualization here. Here we have our availability zone which has a private subnet, which has database instances that need internet access. So the main route table for the private subnet sends the request to the NAT gateway, and the NAT sends it to the internet gateway using the elastic IP, which acts as a source IP. I agree it's not a magic one-touch connection, but for your instances in the private subnet to access the internet, they have to talk to the NAT gateway, which resides in the public subnet. So this is the public subnet where your NAT gateway should reside, and using the internet gateway here we actually connect to the internet. So if your instances in the private subnet want to access the internet, they have to talk to the NAT gateway which resides in the public subnet, using the internet gateway, which in turn gets connected to the internet, but all that happens with the help of the route tables, as you can see. So all the instances here making a public IP address request actually go through the NAT gateway ID, and then it forwards it to the internet gateway, as you can see here. I hope you got the idea here that if your instances that are in the private subnet want to have an internet connection, they have to go through the NAT gateway which resides in the public subnet. Public subnet means your subnet will have access to the internet gateway, through which you will be able to access the internet.

So now let's talk about some of the important rules and limitations for creating a NAT gateway. The magic number here: NAT gateway actually supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps, and you can associate exactly one elastic IP address with a NAT gateway, so remember this very carefully. You cannot disassociate an elastic IP address from a NAT gateway after it is created, because if you wish to do that you must first create a new NAT gateway with the required address and update your route tables, and then delete the existing NAT gateway. And the NAT gateway actually supports the following protocols, that is TCP, UDP, ICMP, and you cannot associate a security group with a NAT gateway; that is because it is important to use it for your instances in the private subnet, and you can use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located, because that is at the subnet level. A NAT gateway cannot be accessed by a ClassicLink connection that is associated with your VPC, so remember this very carefully while designing applications. The next point is also very important, because you cannot route traffic to a NAT gateway through a VPC peering connection, a site-to-site VPN connection or AWS Direct Connect. A NAT gateway can support up to 55,000 simultaneous connections to each unique destination; I think that's sufficient for normal usage. Let's suppose you're migrating from NAT instances to the NAT gateway; you can easily do that with these simple steps. Step one is to create a NAT gateway in the same subnet as your NAT instance. Step two is also very easy, because you have to replace the existing route in your route table that points to the NAT instance with the NAT gateway that you have recently created. Step three is to disassociate the elastic IP address from your NAT instance and then associate it with your NAT gateway when you create the gateway.

So now let's talk about the less efficient one, the NAT instance. Yes, it's an instance, and it's an EC2 instance that acts as a NAT device, okay? And just like any EC2 instance, you have to create your own NAT instance, and I hope you understand the issues that come along with that. That is the same reason why AWS tells us to go with the NAT gateway, because it is a fully managed service, but nevertheless we have to discuss this. So a NAT, or network address translation, instance, which like your NAT gateway resides in your public subnet, helps us to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services. This as well does not have support for IPv6 traffic, and for that you have to go for the egress-only gateway. The NAT instance quota depends on your instance quota for that region, because it's an EC2 instance, so that will be applicable as per the charges that are incurred in that region. So now let's see how we can create a NAT instance. Here we can use the Amazon Linux AMIs that are already configured to run as a NAT instance, so that's a big relief, you don't have to take that headache of creating one for yourself, and you can search for that in the list of AMIs that we have which have the extension of the naming convention that is like amzn-ami-vpc-nat, and you can create your instance with that AMI with the instance family and the storage that you need, and you have to attach an elastic IP to it. The good thing is that you can assign elastic IPs to your instance after it has launched as well, if you're not going to go with the same public IP that was added as a part of the launch process while creating the EC2 instance. There are a few config changes that happen when we launch the NAT instance AMI: here IPv4 forwarding is enabled and ICMP redirects are disabled in the NAT setting configuration file, and as a part of the boot launch configuration the script configure-pat.sh runs at startup and configures iptables IP masquerading. Let's see the explanation here for the visualization that we have. Here as well we have our AZ which has the private subnet, which has database instances that need internet access. So the main route table for the private subnet sends the request to the NAT instance, and the NAT actually sends it to the internet gateway using the elastic IP or the public IP that we have, which acts as a source IP, similar to what we saw in the NAT gateways. Here as well the main route table redirects traffic to the NAT instance in the main route table, and the custom route table tells it to be forwarded from the
NAT instance to the internet gateway, and that is how the instance in the private subnet gets internet access. The only difference that you see here is basically between the NAT gateways and the NAT instances, and the very important thing is to ensure that you have the main route table configured for all the public routed internet connectivity to the NAT instances or the NAT gateways, and in the NAT gateway section the NAT gateway or the NAT instance should point everything to the internet gateway, because this is the public subnet. I hope you understood this very carefully, and if you haven't, then I want you to watch this again and again so that you have this concept cleared, because this is very important.

In today's episode we will be doing a small hands-on demo on the NAT gateways and NAT instances, and we'll see how our private instances in the private subnet can get internet access. So if you're ready, let's begin. In today's episode what we are going to do is we will have our public subnet and we will be having a private subnet as well, and in the last episode we already have created the internet gateway; I hope you have seen that demo as well. We will launch a NAT gateway in that instance and we'll see how that actually affects our instances in the private subnet; we will see how the NAT gateways and NAT instances are able to help us, because we are staying in the private subnet, for us to reach the internet and to get connected to the internet. So this is the VPC, and here we are going to create two subnets, and those two will be one public subnet and the other one will be our private subnet, but as you have already seen in the previous episodes, we have already created that, and you can check out the previous videos to know actually how we have created the subnets. Here we have the public subnet, which has a CIDR block of 10.0.32.0/24, that is also having 250 IP addresses, and here as well we have the private subnet, this is also the same, 10.0.1.0/24, so
both of the subnets here have 250 IP addresses, so I don't think this is going to matter much, because I'm going to just create one or two instances, so this should be just fine. The next thing is we have to create an instance in the private subnet. How can we create that? We have to go to EC2 and then we have to create the instance here. To create the instance you need to just click on launch instances; here you need to choose the Amazon Linux 2 AMI, just choose the t2.micro because this is the free tier eligible one, click on configure instance, and here you have to choose your own new VPC that you have created, that is my-vpc-demo, and we have to choose the private subnet. The only point that I want to make here is you have to understand the clear difference between both of them, because the public subnet, even though you name it anything, if it is connected to the internet gateway then it is considered to be a public subnet; and the private subnet, or any subnet that does not have internet access on its own, is by logic a private subnet. Here as well I can choose whether to give it a public IP address or not, but for now I can just enable it, and there are no other changes that I need to make. I have selected the VPC, I have selected the subnet that I want, and then I can just click on add storage; this should be fine. Just click on add tags, add tag, so give it a name, my-private-01, configure security groups; here you can choose to create a new one or you can choose an existing one as well. For the demo purpose I can just create a new one, my-private-sg, and I can give the connectivity for SSH, that is port 22, and it can be from anywhere, so not a problem, it does not have internet access, so don't worry about it. Just click on review and launch, launch, and I think you already have this key, I also have this, so just click on I acknowledge that I have access to the selected private key, click on launch instance, that's it. You should be able to get your details for the instance right now.

Yeah, so this is the instance that I have right now, and here as you can see I have the public IPv4 address, but as this does not have an internet connection we won't be able to connect to this from the outside world. Just to show you the same thing once again, just copy this, go to your terminal and go to the path where you have the key, then just do an ssh ec2-user@ followed by the IP address, with -i and the SSH key. Yeah, this obviously won't work, because there is no internet connectivity, but if suppose this instance was in the public subnet and it had an internet gateway, then obviously it would be able to connect. But what we can do now is we can launch another instance for us in the public subnet and see whether we are able to connect to that or not. Click on launch instance, select the AMI, and here I will choose my VPC but I'll choose the public subnet, and I'll enable the auto-assign public IP, and that's it. Just click on add storage, add tags, public-01, configure security groups, select an existing one, yeah sure, this should work for me, launch, yeah that's it. So now this is the public instance. Now let's see whether we are able to connect to the newly created public instance or not. This is the public instance that I have, and it is already running, and I can just click on this, copy, and I'll try to connect to this, same procedure as such: ssh ec2-user@ the IP address, just hit enter. Yes, we are able to connect to this. And one more interesting thing is I can connect to my private instance, because the main route table tells us that all the IP addresses locally within the IP CIDR block, that is 10.0.0.0/16, should be routed through the local VPC, and that is the reason why even if I try to connect to the private instance from my public instance I will be able to connect to it. So how are we going to connect to this? We need the key, right? So we have to copy the key here, and I'll copy the key here and I'll try to connect to the private instance.

So here in the public instance what I can do is go to the home folder, cd /home/ec2-user, and here I can create a sample file, and here I can create the private key, so it will be ec2-key, and then I'll just copy the content of the private key that I have and I'll just press i, that is the insert command, and you can just ctrl-v and paste it, then :wq, that's it. You have the content; now you have to change the mode for the file, basically we have to change the permissions to make it secure, that's it, chmod. So yeah, we are good for now. If you do an ls -altr you should see the permissions to be secured, and it should be ec2-user, the group and the user should be the same. So now that we have copied the key and we have changed the permissions, now we are ready to connect to the instance. What you're going to do is just ssh ec2-user@, copy the private IP that you have, -i the ec2-key that you have just copied. Yes, you are able to connect to the private instance from your public instance that you have, because both of them are in the same VPC and the route table actually guides it within the VPC itself. There is one more thing that we have to confirm: now this is the private instance, but we have to confirm that we don't have internet access, otherwise it'll be a big blunder, because we'll not get to know whether the modification that we made by creating the NAT gateway actually works or not. So you can just ping google.com, and it will not work; obviously it does not work, because we don't have internet connectivity. So how can we resolve this? Obviously we'll add a NAT gateway to this. You see here NAT gateways, click on NAT gateways and create NAT gateway. In this form you have to fill out the details like my-nat-gateway-demo, so I'll give it a name, and the subnet you have to choose is public, because the NAT gateway should reside in the public subnet, and you have to allocate an elastic IP for that, and then you just create the NAT gateway. It will take some time for the state to change from pending to available; you can just wait for a few minutes or a few seconds to get this done. Yeah, so now it is available, and you have the elastic IP address as well.

So what is the next step that we wanted to do? We had to associate, or we had to create, a new route table. This is the route table that we have for the internet gateway; if you click on this one you can see the route is being propagated to the internet gateway, and to connect to the internet from the private IPs, or the private instances that we have, we need to create a route table. So I'll create one, my-route-private, let's suppose we'll keep it like this, and you can just define the VPC that you have and just click on create. What is the next thing that we wanted to have? We have to associate the NAT gateway that we have recently created, isn't it, 0.0.0.0/0 to the NAT gateway. Once you click on that you will see the NAT ID already propagated here; if you have multiple, then choose the one that you have as per your requirement, just click on this and save the route. You must make sure that the status of the association should be in the active state; if suppose it is in the blackhole state then you are not going to be able to connect. So now you have to associate your subnet as well. This is the private subnet that we have, so I have to associate this with this subnet, but first let's see, even without association, does it work or not, otherwise it will be a big no-no for us, isn't it? No, thank god it does not, my theory is correct here. So we have to associate the subnet here: click on edit, and there's the private subnet, click on this private subnet and just save. So now your private subnet has been associated to this route table. We have created the instances, the private instances, we have created the NAT gateway, we have associated
that in the route table for the main route table or the custom route table that you want you can create it because i have created a custom route table so don't worry about it and i have associated 0.0.0.0 0 to net gateway id and on the public subnet i have the custom route table which is pointing every public ipa address 0.0.0 0 to the internet gateway so both of this is done so now we have the instance we have the nat gateway we have the routes populated that's it we should be able to connect to the internet from the private instance now let's see so this is the private instance 10.0.1.95 i'll just show you once again this is the one otherwise you might tell i cheated 10.00 195. there you go we are able to connect to the internet and if suppose this instance has to be connected to the aw services that you have like s3 or any other service you are now able to do that because you have the net gateways with you or which you should be grateful to amazon not to me so now let's talk about the less efficient one the nat instance yes it's an instance and it's an ac2 instance that acts as an add device okay and just like any ec2 instance you have to create your own at instance and i hope you understand the issues that come along with that so that is the same reason why aws tells us to go with the nat gateway is because it is a fully managed service but nevertheless we have to discuss this so nat or network address translation instance which like your nat gateway resides in your public subnet and helps us to enable instances in the private subnet to initiate outbound ipv4 traffic to the internet or other aws services so this as well does not have support for ipv6 traffic and for that you have to go for the egress only gateway and that instance quota depends on your instance quota for that region because it's an ec2 instance so that will be applicable as per the charges that are incurred in that region so now let's see how we can create an ad instance so here we can use the 
Amazon Linux AMIs that are already configured to run as a NAT instance. So that's a big relief, you don't have to take the headache of creating one for yourself, and you can search for it in the list of AMIs we have; the naming convention is like amzn-ami-vpc-nat. You can create your instance with that AMI, with the instance family and the storage that you need, and you have to attach an Elastic IP to it. The good thing is that you can assign an Elastic IP to your instance after it has launched as well, if you're not going to keep the public IP that was assigned as part of the launch process while creating the EC2 instance. One caveat a practitioner should know: that NAT AMI is built on the original Amazon Linux, which has reached end of life, so outside a lab you would build and patch your own NAT image or, better, use the NAT gateway. There are a few config changes baked into the NAT instance AMI: IPv4 forwarding is enabled and ICMP redirects are disabled in the NAT settings sysctl configuration file, and as part of the boot configuration the script configure-pat.sh runs at startup and configures iptables IP masquerading, that is, source NAT. Let's see the explanation with the visualization we have. Here as well we have our VPC with a private subnet that has database instances needing internet access. The main route table for the private subnet sends the request to the NAT instance, and the NAT instance sends it on to the internet gateway using the Elastic IP or public IP we have, which acts as the source IP, similar to what we saw with the NAT gateway. Here as well the main route table directs traffic to the NAT instance, and the custom route table tells it to be forwarded from the NAT instance to the internet gateway, and that is how the instance in the private subnet gets internet access. The only difference you see here is between a NAT gateway and a NAT instance. The very important thing is to ensure that the route table of the private subnet sends all internet-bound traffic, 0.0.0.0/0, to the NAT instance or the NAT gateway, as we did in the NAT gateway section,
and the route table of the public subnet where the NAT gateway or NAT instance sits should point everything to the internet gateway, because this is the public subnet. So when it came to the NAT gateway we did not create any instance per se, we just created the NAT gateway service, but for a NAT instance we have to create the EC2 instance which will act as the NAT device for us. As we have already created the private and the public instances, I won't create those two again; I'll just create the NAT instance and we'll see how we can use it. So go to Launch Instance and paste the AMI name we want; I can choose Amazon Linux, the first one we have, amzn-ami-vpc-nat. I can select this, t2.micro is fine for me, and I'll place it in my own VPC, myvpc-demo, in the public subnet. You can assign it a public IP or an Elastic IP, so don't worry about that; I'll assign it a public IP, but I'll make sure I enable auto-assign public IP. Then click Add Storage, then Add Tags: this is my NAT device. My NAT device is going to need a security group; I can create a new one, my-nat-instance-sg, with SSH, and I can add a rule for ICMP, so that should be enough for me. I'll just click Review and Launch. Here it is telling me that it boots from General Purpose (SSD) storage and that free tier customers can get up to 30 GB of general purpose SSD; it's recommended, so I'll go with this, not a problem. Just click Launch, yes this is fine, I can go with the same key, click View Instances. I can go with this public IP if I want, or else I can attach an Elastic IP to it. So I go to Elastic IPs; this Elastic IP is already there for me, and I can associate it with my instance. There's the one, the my-nat-device instance. If you click on this you will get the dropdown, just click
on this, choose the private IP (it's okay, you don't have to choose it, but it's fine, not a problem), then click Associate. So now it is associated. If I go back to my instance, the Elastic IP is associated. Now we have everything we want, but the next thing is to check whether we are able to access the internet, isn't it? So we go to the VPC console again, go to Route Tables, and create a new route table just like we did when we were creating the NAT gateway: my-route-nat-instance. Choose my VPC again, click Create and close. Now, what we have to do we already know: edit the routes and add a route, and here, tell me what we should choose as the target. What is the NAT instance? It's an instance, right? So I'll click on Instance and choose the my-nat-device instance and save that. Now associate the private subnet: Edit Subnet Associations, pick the private subnet and save. Now it is associated; that's it. Let's see whether we are able to connect to the internet or not. Go back to my public instance, copy the public IP and SSH in. This is the instance in the public subnet, which obviously is able to connect. The next thing: go to the home folder, /home/ec2-user, where we have the key we use to connect to the private instance. What is my private instance IP? I'll go to my private instance, copy the private IPv4 address and try to connect. I have already logged in before, so it should log in now. Then run ping google.com; once I press Enter it should be able to connect, otherwise we have messed up something really bad. What is the problem here? You know what the problem is? I think the problem is the source/destination check. That's the problem, I feel. This is a NAT instance, and you must disable source/destination checking: a
NAT instance must be able to send and receive traffic when the source or destination is not itself. So this is the mistake I made; see, learnings, isn't it? Just click Stop and save it, go back to the instance once again and run ping google.com. See, it's working. That's what I was thinking, what is the mistake we have made? Sometimes we miss out on things; we're not 100 percent accurate, right? We are bound to make mistakes, and that is how we learn, isn't it? Next we will be talking about the DHCP options set, and I'll give you a brief idea of why this is important for VPC networking. So what does AWS tell us about DHCP options? DHCP, the Dynamic Host Configuration Protocol, provides a standard for passing configuration information to hosts on a TCP/IP network. It is not clear, isn't it? And that is why, before this, we need to understand a few basic terminologies; then we will be ready to jump onto DHCP options sets. So let's begin with that. What is DHCP? DHCP, or Dynamic Host Configuration Protocol, is a network management protocol used on Internet Protocol networks, or IP networks, whereby a DHCP server dynamically assigns an IP address and other networking configuration parameters to each device on the network so that they can communicate with other IP networks. Let's suppose you have an internet service provider for your internet usage and you have devices that you want to connect to the internet through your ISP; that's your private network, isn't it? The ISP's DHCP server assigns a public address to your router, and the DHCP server running on that router hands each device on your private network an address of its own, so when you add a new device to your network a new IP gets assigned to it. That is the same reason why the devices are able to talk to each other. If you want to experiment with this, take an Ethernet hub or switch, connect four devices to it with Ethernet cables together with a device running a DHCP server (your home router will do), and check the LAN connection: the devices will be able to talk to each other because DHCP handed each of them an address. And that is why we say that a DHCP server dynamically assigns
an IP address and other network configuration parameters to each device on the network so they can communicate with other IP networks. The DHCP server keeps a database of its free address pool and leases you an address from it; that is also why BYOD, bring your own device, works so easily: with DHCP it's very simple to connect devices, which is why it is called dynamic host configuration. Otherwise you would have to manually configure an IP and the other host settings on every device, a very big overhead for network administrators. I hope you got the point here; let's move on. For a network to work properly there is a set of network operations and configurations that help it function correctly, and one of the main protocols that helps a network administrator manage a huge network is DHCP; the best part, I feel, is that it automatically sends the required network parameters for hosts to communicate properly over the network. As DHCP is a protocol, it follows a pattern of request, response and acknowledgement, the four steps often called DORA. Suppose the host is your DHCP client and we have a DHCP server. The first step is DHCP Discover: when we connect a device or host, it broadcasts a DHCP Discover message on the local network to locate all the available DHCP servers. The second step is DHCP Offer: each DHCP server answers with an Offer message carrying the network information, the proposed IP address, the lease time, DNS and NTP server details and so on. Once the client sees that yes, there is a DHCP server, in the third step it sends a DHCP Request for the offered IP it wants to use. In the last step the DHCP server checks that the requested IP is the one it offered, and if so it sends the
acknowledgement. So we have four steps here: first DHCP Discover, where the host tries to find all the available DHCP servers; then an Offer made by the DHCP server; then the host sends the DHCP Request; then the DHCP server sends the Acknowledgement. In simple terms, the host first asks, can you please give me an IP address? The DHCP server says, do you want to use this IP, 192.168.22.23? The host says, okay, that's cool, are you sure I can use this? Then the server acknowledges: yes indeed, you can use it. This is how the DHCP server and the client communicate with each other; it's simple, isn't it? Now let's talk about AWS DHCP options sets. As I've already said, DHCP provides a standard for passing configuration information to hosts on a TCP/IP network, and there are configuration parameters provided by the DHCP server: the domain name, the domain name servers, the NetBIOS node type, the NetBIOS name servers and the NTP servers. You can configure DHCP options sets for your VPC; by default one is associated when you create a VPC, but you can also create one for yourself. Now let's talk about the options we have for the DHCP configuration. The first one is domain name servers: we can set this either to AmazonProvidedDNS or to up to four custom DNS server addresses, which our instances use to resolve DNS names to IP addresses. Then the domain name: if you are using AmazonProvidedDNS in us-east-1, you have to specify ec2.internal; if you're using AmazonProvidedDNS in any other region, you specify region.compute.internal, for example ap-south-1.compute.internal; otherwise you can use a custom domain name as well, so if I want to use it for Pythoholic I can have something like pythoholic.com. This value is used to complete the unqualified
domain hostnames, the DNS hostnames. For example, with private DNS names it's ip-private-ipv4-address.ec2.internal for us-east-1 and ip-private-ipv4-address.region.compute.internal for other regions, so 10.0.1.95 in ap-south-1 becomes ip-10-0-1-95.ap-south-1.compute.internal. The same goes for public DNS names: ec2-public-ipv4-address.compute-1.amazonaws.com for us-east-1 and ec2-public-ipv4-address.region.compute.amazonaws.com for other regions. For NTP servers we can list the IP addresses of up to four Network Time Protocol servers. If you don't know what an NTP server or the NTP protocol is, I will give you a small example and you can read about it later. Suppose you have 50 instances in your network and I ask you to change the time, or to check whether the clocks of all the instances are in sync. Will you do that manually? No, you won't, right? For the same reason we use the Network Time Protocol, which keeps the clocks of the instances in the network synchronized; the instances talk to the NTP server to keep their time aligned with each other, which also matters when you need to correlate logs across instances. For NetBIOS name servers we can have the IP addresses of up to four NetBIOS name servers. Instances running the Windows operating system have NetBIOS, the Network Basic Input/Output System; if the DNS name is dev.pythoholic.com then the NetBIOS name is dev, and if it is pythoholic.com then the NetBIOS name is pythoholic. But there is a difference between NetBIOS and DNS: DNS is the more important one and works for connections over the internet, whereas NetBIOS names only work between devices on the same local network. The fifth one is the NetBIOS node type. For NetBIOS we have various node types: 1 is the B-node, for broadcast; 2 is the P-node, which uses
point-to-point communication with a name server; 4 is the M-node, mixed, which broadcasts first and then asks the name server; and 8 is the H-node, hybrid, which asks the name server first and falls back to broadcast, so it combines the B-node and P-node behaviour. AWS recommends specifying 2, point-to-point, because broadcast and multicast are not supported inside a VPC. Just as DNS has a DNS server for name resolution, NetBIOS has its name server to register and resolve computer names to IP addresses. I know these topics may not be common for many of you out here, but please don't worry about this with respect to the exam: just remember the options you have in a DHCP options set, and if you're interested we can make a separate video on this; for the exam this is sufficient. So you must always remember we have options like domain name servers, domain name, NTP servers, NetBIOS name servers and NetBIOS node type. If you go to your VPC console you can see that we have the myvpc-demo we created previously, and this is the default VPC. If you right click on the default VPC you see Edit DHCP options set; if you click on that, you have a default options set already selected. There are two choices here: no DHCP options set, or the default one you have, and this default gets associated with all the VPCs that are created after that as well. For example, suppose I go ahead and create a VPC by clicking Create VPC, name it myvpc-2 and give it a CIDR block of 10.0.0.0/24; that's it, I create the VPC, and you will see that the DHCP options set is already set to the default one. Okay, so now we need to understand the difference between the two choices: what changes if we set a DHCP options set and if we don't. To check that, we have to create instances in both VPCs, disable the DHCP options set in one of them and see the difference. So let's suppose I have this; this is the new one, and if I
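As an added example (this is not code from the video), here is how the DORA exchange and the five fields of a DHCP options set fit together on the wire: each field is a standard DHCP option (RFC 2132 codes 15, 6, 42, 44 and 46) carried in the Offer and Acknowledgement, and the instance's resolver uses domain-name to complete its unqualified hostname. The code encodes an options set the way a DHCP server would, decodes it back the way a client would (refusing truncated data instead of reading past the end), and derives the hostname and the AmazonProvidedDNS address for a sample VPC. The VPC CIDR 10.0.0.0/16, the region and the addresses are constructed for the example; the Amazon Time Sync Service address 169.254.169.123 and the resolver at VPC base plus two are AWS facts, not taken from the video.

```python
import ipaddress
import struct

# RFC 2132 option codes carrying the five fields of an AWS DHCP options set
OPT_DNS_SERVERS = 6         # domain-name-servers
OPT_DOMAIN_NAME = 15        # domain-name
OPT_NTP_SERVERS = 42        # ntp-servers
OPT_NETBIOS_NS = 44         # netbios-name-servers
OPT_NETBIOS_NODE_TYPE = 46  # netbios-node-type
OPT_PAD, OPT_END = 0, 255

NODE_TYPES = {1: "B-node", 2: "P-node", 4: "M-node", 8: "H-node"}
ADDRESS_LIST_KEYS = {OPT_DNS_SERVERS: "domain_name_servers",
                     OPT_NTP_SERVERS: "ntp_servers",
                     OPT_NETBIOS_NS: "netbios_name_servers"}


def _pack_addresses(addresses):
    # AWS accepts between one and four addresses in each server field
    if not 1 <= len(addresses) <= 4:
        raise ValueError("each server field takes one to four IPv4 addresses")
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def encode_option_set(domain_name=None, domain_name_servers=None, ntp_servers=None,
                      netbios_name_servers=None, netbios_node_type=None):
    """Serialize an options set into the DHCP options field of an Offer/Ack."""
    out = bytearray()

    def put(code, payload):
        if len(payload) > 255:
            raise ValueError("a DHCP option payload is limited to 255 bytes")
        out.extend(struct.pack("!BB", code, len(payload)))
        out.extend(payload)

    if domain_name:
        put(OPT_DOMAIN_NAME, domain_name.encode("ascii"))
    if domain_name_servers:
        put(OPT_DNS_SERVERS, _pack_addresses(domain_name_servers))
    if ntp_servers:
        put(OPT_NTP_SERVERS, _pack_addresses(ntp_servers))
    if netbios_name_servers:
        put(OPT_NETBIOS_NS, _pack_addresses(netbios_name_servers))
    if netbios_node_type is not None:
        if netbios_node_type not in NODE_TYPES:
            raise ValueError("netbios-node-type must be 1, 2, 4 or 8")
        put(OPT_NETBIOS_NODE_TYPE, bytes([netbios_node_type]))
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse TLV options as a client would; truncated input raises instead of being read past."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option payload")
        if code == OPT_DOMAIN_NAME:
            opts["domain_name"] = payload.decode("ascii")
        elif code in ADDRESS_LIST_KEYS:
            if length == 0 or length % 4:
                raise ValueError("address list must be a non-empty multiple of 4 bytes")
            opts[ADDRESS_LIST_KEYS[code]] = [
                str(ipaddress.IPv4Address(payload[j:j + 4])) for j in range(0, length, 4)]
        elif code == OPT_NETBIOS_NODE_TYPE:
            opts["netbios_node_type"] = NODE_TYPES.get(payload[0], "unknown")
        i += 2 + length
    raise ValueError("options field has no END marker")


def amazon_provided_dns(vpc_cidr):
    """AmazonProvidedDNS answers at the VPC network address plus two."""
    return str(ipaddress.IPv4Network(vpc_cidr).network_address + 2)


def private_hostname(private_ip, domain_name):
    """ip-<dashed address>.<domain-name>: how the resolver completes the unqualified hostname."""
    return "ip-" + str(ipaddress.IPv4Address(private_ip)).replace(".", "-") + "." + domain_name


if __name__ == "__main__":
    # Constructed sample: VPC 10.0.0.0/16 in ap-south-1, Amazon resolver, Amazon Time Sync
    wire = encode_option_set(domain_name="ap-south-1.compute.internal",
                             domain_name_servers=[amazon_provided_dns("10.0.0.0/16")],
                             ntp_servers=["169.254.169.123"], netbios_node_type=2)
    print(wire.hex())
    print(decode_options(wire))
    print(private_hostname("10.0.1.95", "ap-south-1.compute.internal"))
```

Run it as a script to see the raw option bytes, the decoded fields and the hostname the instance would build. The decoder is deliberately strict: a DHCP client that trusts the length byte without checking the buffer is the classic way to read past the end of a packet, so length and END are verified before any field is interpreted.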
right click on this one and Edit DHCP options set, I'll see that the default one is already attached. If I click on this and edit it, I have the default value for this as well. But what I will do is create a subnet in this VPC, the new one I just created, disable its DHCP options set, create an instance in both VPCs and see the difference. So let's go to Subnets and click Create Subnet. Okay, I just created a subnet here. In this VPC we have the options set enabled, but I'll disable it for now: No DHCP options set, and save. On the other one we have the options set enabled. So let's go and create the instances; go to Instances and launch an instance. I am sure that everyone by now is quite familiar with creating instances, but here I'll choose myvpc-2 and the only subnet I have, and I'll enable auto-assign public IP. That's it, I don't need to do anything else; click Add Tags and give it a name, myvpc2-1. I have to create a new security group; yes, this should be fine. Review and Launch, and launch it. Go to the instance we have. If I select this instance, you see I have a private IP and a public IP address, but I don't have a private IPv4 DNS name; the mapping is not here for me because I have not selected any options set. If you don't believe me, I can create a new instance and choose myvpc-demo, choose a private subnet, enable this as well, Next, Add Tags, add a name; Review and Launch, select an existing security group (I have a lot of them, I guess), choose this one, Review and Launch, launch. Now let's see the instances: this is the one I created for the VPC I made recently, myvpc-2, and this is the one I created just
now for the demo VPC. See, I have a DNS name here. So the issue, or really the default property, is this: Amazon EC2 instances that you launch into a non-default VPC are private by default and are not assigned a public IPv4 address unless you specifically assign one at launch, which is what we did by modifying the subnet's auto-assign public IPv4 address attribute; and by default all instances in a non-default VPC receive an unresolvable hostname that AWS assigns. If you have an IP address you can assign a DNS name to it, and you can assign your own domain names to your instances if you create a custom DHCP options set for your VPC. That is why this is really important: if we want our instances to have our own domain names, we have to create a DHCP options set, set the domain name we want to provide, and associate it with the VPC; then any instance we create after that in that VPC will get the domain name we want. Existing instances pick the change up too, but only when their DHCP lease renews, so don't expect a running instance to change its hostname the moment you save. If you look here, these are the default DNS names attached by AWS; as I told you, all regions apart from us-east-1 use region.compute.internal. That is why if you go here you don't have anything, and if you go here you have it. But now let's change things: I can edit the options set and assign the default one to the VPC I recently created, myvpc-2, and save the changes. Now this VPC also has a DHCP options set, and the instance I have right now will also get a private IPv4 DNS name. Now you might be thinking that I don't have a public IPv4 DNS name in either of them, isn't it? Let's launch another instance and I'll tell you what the difference is. I'll go with the default VPC, not the other VPCs that I created
manually; I'll be using the default one. I choose a subnet, enable the public IPv4 address, add storage and give it a name, my-default-one; select an existing security group, I can choose this one, Review and Launch, and launch it. Let's go to the instance and see the difference. Click on this: see, I have a public IPv4 DNS and a private IPv4 DNS for my default VPC. Why is this happening for this one but not for the other instances I have? My demo-vpc-1 only has the private IPv4 DNS because I have a DHCP options set, and here as well, but why isn't it happening for the public IPv4 DNS? For that we need to go back to the VPCs; right click on this one and Edit DNS hostnames, and you see that by default, for the VPCs that you create, DNS hostnames are disabled. This attribute indicates whether instances with public IP addresses get corresponding public DNS hostnames or not, and this is the reason why this segment is really important for you to understand. If you just click Enable and save changes, go back to the instances and refresh, you will see a public IPv4 DNS assigned to this one. Sorry, this one, yes, not this one; I'm really sorry about that, because this is the VPC I changed, so this one got its public IPv4 DNS. This instance, my-demo-vpc-1, belongs to this other VPC, so I can right click on that VPC, click Edit DNS hostnames, enable it and save the changes, and when I refresh, my-demo-vpc-1 has its own public IPv4 DNS too. See? So what you need to remember is: when you create a VPC, the DHCP options set will by default be set to the default one; if you right click on it, Edit DNS hostnames will be disabled, and you have to enable it to give your public IPv4 addresses DNS names; and if you go back and
right click on this one, DNS resolution is enabled by default. These are the settings you have with the default DHCP options set. If you have to create a DHCP options set, go to DHCP Options Sets in the menu on the left, and you see the default one already there. If you right click on it and view details, the domain name you see is ap-south-1.compute.internal, and if we go to the instances, every instance in this region gets a hostname under that domain; for the public one, as you already know, it will be compute.amazonaws.com, so region.compute.amazonaws.com there and region.compute.internal here. So whenever you know you are hosting in a particular region, you will understand that the domain names, when set by AmazonProvidedDNS, will end in region.compute.internal. Here we don't have any NTP servers, NetBIOS name servers or NetBIOS node type configured. If I want to create a new DHCP options set, I click Create, specify the name my-dhcp, give a domain name, the domain name servers, the NTP servers and the other details, add a tag and create it; based on the domain name and the domain name servers I set, the hostnames of any instance in an associated VPC will be built and resolved accordingly. Next, a private hosted zone is a container for records for a domain that you host in one or more Amazon Virtual Private Clouds, or VPCs. We have already discussed private hosted zones in the Route 53 section: how to create one and how to create records in it that determine how Route 53 responds to DNS queries for our domains and
subdomains, with the help of which we can send a request to dev.pythoholic.com, if we have that as our domain, and it returns the mapped IP address with which we can talk to the server. Let's see how we can create one. When you come to the Route 53 dashboard you see that a hosted zone tells Route 53 how to respond to DNS queries for a domain such as example.com. Click Create hosted zone, here or here, and you can create your own hosted zone. For example, I want to create something like pythoholicdemo.com; suppose this is the domain name I want, and this is my sample dummy private hosted zone. This is the one I want to select because it is a private hosted zone I want to create: a private hosted zone determines how traffic is routed within a VPC. Here I have to choose a region, so my region is ap-south-1, and the VPC I am looking for is myvpc-demo because it has public access, and I'll tell you why. I have selected the VPC ID, then click Create hosted zone. Once it is created successfully you can see we have the zone ID, the type is private hosted zone, it has been assigned to the VPC myvpc-demo and the record count is two; these are the records that get created automatically, the NS record and the SOA record. Here I can create a new record for myself, and when you create a record you get the routing policy: simple routing, weighted, geolocation, latency-based, failover or multivalue answer. All of these we have already discussed in the Route 53 section, so here I'll choose simple routing and click Next. It asks me to provide a simple record definition, so click Define simple record; I give dev.pythoholicdemo.com, and it should point to an address or another value depending on the record type, and this
will be a CNAME record. I'll create a CNAME record for this, and here it tells me to point it to a specific location; I can point it to www.pythoholic.com, or I'll just point it to amazon.com, then click Define simple record. Now you have created your record; click Create records. The record has been created and it points to amazon.com. How can I validate this? I copy dev.pythoholicdemo.com and go to the instance I have in this VPC. Myvpc-demo-1 is in my private subnet, so I go through my public subnet: this is the VPC I had, so I copy the public IP and connect with ssh -i, the key name and ec2-user@ the IP address. Then I run dig against the CNAME record I have, dev.pythoholicdemo.com, and the answer I'm getting is www.amazon.com. So that is how efficiently you can route traffic. Now, this is the kingdom of a very famous king, but the king is worried about the security of his castle. He has guards to protect the castle from within, but recently there have been problems with some of the people entering the castle. When we speak to the guard he tells us: if someone has permission to enter the castle, why should I frisk him or her on the way out? The king now wants a better solution for security, one that acts before anyone reaches the castle itself. So let's find the solution. With the growing demand for security, the king appointed a special task force at the entrance of the kingdom, so that all the people entering will be allowed or denied access at the entrance itself, before they reach the second stage of security; and the best part is that this new guard checks permissions both in and out, before the person enters the kingdom. But we are not here to talk about kings and castles, right? In AWS we have our instances being protected by security groups; for that
let's talk about NACLs, network access control lists, which are going to be our very special task force. But before moving on to NACLs, let's understand the problem statement; I know this cannot be termed a problem, it's more of an enhanced security measure on top of security groups. Case one: we have no access restrictions in the security group. For inbound traffic we have ports 80 and 22 allowed from all IPv4 addresses, and for outbound traffic all traffic is allowed as well, so the instances in our subnet with the security group my-security-group can be accessed and there is a free flow of request and response. Now case two: let's remove the access for all IPs from the outgoing traffic in the outbound rules. General logic dictates that it should prevent connectivity to instances with this security group configuration, but that's not the case, isn't it? Because security groups are stateful: through connection tracking, the response to a connection allowed by an inbound rule is permitted regardless of the outbound rules. The outbound rules still govern connections the instance itself initiates, but for replying to an inbound request they hold no value, and that is why blocking the outbound rules still leaves the instance reachable. Now let's bring in our special task force and place it in front of our VPC subnet, just like a firewall, configure it to deny all traffic from the CIDR 192.168.0.0/28, and see what happens. Yes, it doesn't even allow the traffic to enter the subnet or reach the security group, even if the inbound and outbound rules of the security group allow this IP range. That is the enhanced level of security we needed, isn't it? Suppose we have a target and we want to block a list of six subnets, and there could be more than 25 security groups involved; how will you restrict all that in one shot? Yes, by using a network access control list. So let's
understand more about that. What is a NACL, or network access control list? If I say "knackle" or "nacl", please don't get confused; I'll be using these terms as they come to my mouth, so please forgive me for that. So a NACL, or network access control list, is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. We need to understand clearly that a NACL is the optional layer that controls traffic at the subnet level, whereas a security group works at the instance level and not the subnet level. So with this analogy, tell me which is evaluated first? Yes, you're right, it's the NACL: inbound traffic hits the NACL at the subnet boundary before it ever reaches a security group, and outbound traffic passes the security group first and the NACL second. There are a few rules and basic concepts we need to understand before we can use NACLs properly. The first point: the default VPC automatically comes with a modifiable default network ACL, and by default it allows all inbound and outbound IPv4 traffic. The next point: you can create a custom network ACL and associate it with a subnet in place of the default one, if you don't want to use that or you want a specific targeted measure; so you can create your own NACLs and attach them to your subnets, which is a very good thing. Third, each subnet in your VPC must be associated with a network ACL, even if it allows all traffic; if you don't explicitly associate one, the subnet uses the default network ACL. And the fourth point, yes: you can associate a network ACL with multiple subnets, but a subnet can be associated with only one network ACL at a time. Just as security groups have inbound and outbound rules and work on the principle of CIDRs or IP addresses and ports, a network ACL has a numbered list of rules, and these rules are evaluated in order of the rule number, lowest first; the highest number you can use for a rule is 32766, and
AWS recommends numbering like 100, 150, 200, 250, or 100, 110, 120, 130, in order, so you leave room to insert rules later. A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic; this is one of the most important differences from security groups, which only have allow rules. And network ACLs are stateless; I know you might want to understand what that means, and we will, don't worry. You might ask me how many network ACLs we can have, what is the quota? Per VPC you can have up to 200 NACLs, and each network ACL can have up to 20 rules, a quota that can be increased to a maximum of 40 rules; this quota is counted per direction, so it applies separately to the inbound and outbound rules of a single network ACL. So per VPC you can have a maximum of 200 network ACLs. A network ACL rule is made up of a set of fields we have to fill in to create one, so let's understand them. The first is the rule number, and as you can see in the table here, all the terms in the columns will be discussed, so don't worry about that. Starting with the rule number: rules are evaluated starting with the lowest numbered rule, which means that if there is a rule, say 150, that denies port 443 but you have a rule with a lower number, for example 100, that allows it, then the network ACL allows the request, because the lowest numbered matching rule allows port 443 and evaluation stops at the first match. Next is type: the type of traffic we expect, like SSH, HTTPS, HTTP or ICMP, and you can also specify all traffic or a custom range. Next is protocol, which is quite simple: we specify the protocol type, such as TCP. Then the port range: the listening port or port range, like 443, 22 or 80 for HTTPS, SSH and HTTP respectively. Then source, for inbound rules only, the source of the incoming traffic; you can
specify the IP or the CIDR range. The same goes for the destination, which is for the outbound rules only, the destination for the outgoing traffic, so that can be a CIDR block as well. And allow and deny: if you wish to allow a rule you can specify allow, else you can deny that. Now that we know what are the parts of the rules, let's check how does a default rule look like. So this is the default network ACL that you get when you create a new network ACL. Just like the security groups, we have inbound and outbound rules for network ACLs. If we reiterate this once again, network ACL is like a firewall or security enhancement for your subnets, and security groups are meant for your instances. So when you create a new network ACL, the default network ACL is configured to allow all traffic to flow in and out of the subnet. So now let's understand how we can read the network ACL rule set. So here, for both inbound and outbound, check the entries for the type of the request. Here rule number 100 that you see allows all type of traffic in and out of the subnet for all protocols and port ranges if the source is 0.0.0.0/0, which covers all the IPv4 addresses. Remember to check both entries of inbound and outbound. But this rule allows all the IPs, but in case you have IP ranges that are specified then there might be a situation that a set of IPs may not match any rule set that is defined. For the same reason the asterisk or the star that you see here ensures that if a packet does not match any of the other numbered rules it actually gets denied. And unlike security groups, if you have a rule set that allows inbound traffic and denies outbound traffic then it's not going to work, because network ACLs are stateless, and that is the most important thing that we wanted to understand, isn't it? So unlike security groups, if you have a rule set that allows inbound traffic and denies the outbound traffic then it is not going to work; it should be allowed both the ways,
in and out, then only the network ACLs work, otherwise they don't work, so that is why they are termed as stateless. And along with the default NACL or network ACLs you can also customize the main network ACL as well, or we can create our own network ACL for our subnets. And we have to understand this point very clearly, that the rule numbers in the custom network ACLs are really important and we have to understand them thoroughly. So when you see the custom network ACL inbound rule you see the column of rule numbers, isn't it, where you see a list of numbers like 100, 110, 120, 130, 140. The only rule when adding rule numbers is that the highest number that you can use for a rule is 32766, and if you start from 100 AWS tells that it's advisable to increment it by 10 and add your rules, and the rules will be evaluated from the lowest order. So what does it mean? So we start from the first number, then we make our way to the bottom to evaluate if the request is allowed or denied, starting from the lowest number. So it's a bit tricky, isn't it, but we have to understand this. So let's take an example here. So we have a user here that you can see who wants to access our instances over HTTPS with 443, so let's see what are the inbound rules and outbound rules for 443. So we have an entry here in the inbound rule for 443, that's on the second row, which allows all the IPv4 addresses to enter the subnet with rule number 110. Now let's see the outbound rule set: we have the rule 110 here which allows outgoing traffic for HTTPS 443 from the subnet. So now let's see what happens when the request comes. So it tries to match the rule number 100, which is HTTP 80.
So we don't have a match here, then it moves to the next higher number, 110, which has the HTTPS 443 allow rule set, so we have a match. Now that it has a match, it will check for the ephemeral port, and then if it allows the set of the ephemeral IP block it will move on to the outbound traffic. So the rule number 100 has no match for HTTPS in the outbound traffic, then it moves to the next one; rule number 110 has a match, and then it checks for the ephemeral IPs for its permission levels, and if it is allowed then you have a successful connection. But I am sure that you might be asking a lot of questions to yourself right now, and we have learnt about the flow of information and the packets, but you might be thinking, what is an ephemeral port? Don't worry, I haven't missed that out, but before that I want you to carefully look at the rule set and observe that we don't have an allow all traffic for all IPv4 addresses, and just for a moment rethink why we have allowed custom TCP for these ephemeral ports, that is 32768-65535. And if I tell you that if I remove the rule number 120 from the outbound traffic your port 80 and port 443 won't work, so if I say this will you agree with me on this? Of course you should not, isn't it, until and unless you watch it with your own eyes. So let's understand the importance of ephemeral ports. So what are ephemeral ports? Ephemeral in English means short-lived, and here as well an ephemeral port is a short-lived transport protocol port for IP communication. It looks very short and simple, but it's not that simple, and we have to ask that if the definition tells us that it is a short-lived transport protocol port for IP communication, why is it short-lived? So these ports are short-lived because ephemeral ports are assigned on a temporary basis for making or handling requests by the operating system, that is the host. For the same reason the client that initiates the request chooses the ephemeral port range, and depending on the client's
operating system, whether it is Unix or Windows or Linux or whatever it is, it assigns an IP from its ephemeral IP range. So here, as it is already mentioned, for Unix or Linux, or for that matter Amazon Linux, the kernels use ports 32768-61000, and requests which are originating from Elastic Load Balancing use ports 1024-65535, and for the Windows operating systems through Windows Server 2003 they use 1025-5000, and for Windows Server 2008 and later versions they use 49152-65535, and the NAT gateway uses ports from 1024-65535; the same way actually Lambda functions also use ports from 1024-65535. So these are their ephemeral port ranges, and whenever they initiate a request they will choose one of these ports from the port ranges and they will make the request. So based on your operating system there will be an auto assignment of ephemeral ports, and that's the port number that will act as a source port for the packet header. Yes, that's true, I know it sounds very strange, but let's see this example of what happens when a client sends an HTTPS request. So when a client makes a request with 443, the destination IP is 42.1.2.10 and the destination port is 443. Remember this very carefully, that the destination port is 443. Next, the source IP is 32.12.22.11, obviously, because it has come from the source, but the source port is 32770; it's the ephemeral port, not 443, remember that. And the most important thing that you need to understand is that when you make a 443 request your source port will not be 443, your destination port will be 443, your communication port will be the ephemeral port. Similarly, the way the response header has the source port as 443, because it is the response, so the source port will be 443, the source IP will be 42.1.2.10 because it has come from the source. Now, as a part of the response,
now the destination port will be 32770, that is the ephemeral port, and the destination IP is the one that made the request, that is 32.12.22.11, that is our client. And that's the same reason why, if we don't have a rule set in our inbound or outbound rule with all the traffic allowed, we need to have a rule set for the ephemeral ports. I know this might be a bit confusing, but don't worry, we will get the clarification in the demo, but you have to remember that the most important thing that you need to understand is that when you make a 443 request your source port will not be 443, but your destination port will be 443; your communication port will be the ephemeral port. So this is our VPC console, and as you can see we have the MyVPC demo, that is our demo VPC that we had created last time, and here we have subnets, and we have two subnets for our new VPC, that is private and public. And if you have been following the series then you know that we have a public subnet which is attached to our internet gateway, that is why we are able to access the instances. And on EC2 I have hosted an instance here on my subnet, on my public subnet that I have, so this is the public subnet I had and this is the VPC ID, MyVPC demo, and that instance can be accessed by me publicly. So what I can do, I can just copy the public IPv4 address and I can just paste it, so this is the output that I am getting right now from the instance. I have set up an nginx server; I think everyone has already seen the video where I have set up the nginx server. If you haven't, then please go back in time and check the video out, so that we can have an instance like this. So if you go to the VPC console you can go to either Security and go to Network ACLs, or you can as well go to Your VPCs and click on your VPC, and you can just click on this VPC ID and you will see the network ACL here. So this is the one that is attached to your VPC; if you click on this you will see the subnet association, so this will be both for your private and
public subnet that I have created. And here you will find the inbound rules, so this is the default inbound rule, and you have the rule number 100 which allows all type of traffic, all protocols, all port ranges, for any IP that we have, and it allows everything, and star. So other than that, other than this rule, if anything comes (I know that it won't come) then it will deny that. And in the outbound rule we have the same, like 100 for all traffic that allows it, and we have a star that actually denies it. So we have a matching inbound and outbound rule, that is why it works, and if I refresh this I'm able to connect to the instance. And if you want to see the security group that I have for this instance, I have everything allowed, like port 80 and port 22; anyone can access it from any public IP, so this should not be a problem for us. So there is no restriction from the security group side, but we have to restrict some things in our subnet, isn't it, that is why we are using the network ACLs. So to understand this problem we have to first of all see, suppose I make any changes to the outbound rule; the general conviction that we have and what we have understood is that it should not work. So I'll edit the outbound rule and I'll change it to custom protocol, then I have custom TCP, and I'll change it to port 80 because that is the one that I'm currently using. So rule number 100, port 80, and I'll just allow this, so let's save it and let us see if it works. So I have allowed only port 80 and I have denied everything on my outbound rule, and the inbound rule, all of them are allowed. So let's see if it works; I'll refresh this. No, it does not. No, it does not work, isn't it? Even though our inbound traffic allows all the traffic, but it does not match the HTTP 80 port, isn't it? How is it even possible? That is what we learned just now, isn't it, about the ephemeral ports. So if I edit this and I add a rule, like 110, and if I give it a custom TCP rule and if I allow the port number from 32766 to
65400, or any range that I want, and I keep it in the allow state and save it, we'll see and refresh the page here. See, it works, because this is one of the port ranges from which our operating system is picking up the IP address and the port number and it is forwarding the request. So now it is clear that the one who is sending the request is not using the port 80, he is using an ephemeral port. So now let's delete this, I don't think so we need it right now. Let's suppose I allow this, allow all traffic, and I just save it right now; so now also it should work, because we have both the inbound and outbound rules as equal. Now let's see what happens if I delete all the rules and save it; it will not work, obviously. And let's suppose I just add a rule, number 100, and I just add the ephemeral port range 32700-65535. Can I allow this itself, not even port 80? Save it. Will it work? Yes, it will. So what about your theory about allowing port 80 then, which is basically what the security group is allowing right now, isn't it? So that is the same reason why we have to understand the importance of the ephemeral port range. So even though I haven't allowed any outbound rules, and the inbound rule allows all traffic and the outbound rule does not even allow port 80, it still works. So what if I edit this inbound rule and I just change it to custom TCP that I have, and I mark it as 32700 to 65535, will it work? Let's see. No, it doesn't. You know why, what happened here? Because the incoming traffic has to allow port 80, because that is the one that we have as the destination port. So this is what we saw here: the destination IP was 42.1.2.10, but the destination port had to be allowed because it was 443, that is what we wanted to access, which was our destination, but having the source port at 32770, that had to be allowed from the outbound, because that is our destination port for the server that is going to serve the request. So even though
we did not have a source port in the response or the outbound traffic, it does not matter, but it has to be there in the inbound traffic, or the one that has to make the request. So here, if I'll just go back and edit it to HTTP 80 and I'll just save it, it works. Okay, so I hope you got the idea. This is very interesting, because you can try a whole set of permutations and combinations and try yourself how actually you can trick network ACLs and play around with it. I can have any number of rules that I want, but it is a maximum of 20, but you can increase it to 40, so it doesn't matter, but this is actually how you play with the network ACLs. And this is the main network ACL, I haven't created a new one as of now; I'm using the same main ACL that has come by default with the VPC, but if I have to create one then I can just click on Create network ACL and I can give a name tag to this, like "my new nacl", and I can just attach it to one of the VPCs, and I can create one. So this is the one that I created just now, and by default, if you see, it comes with all deny, but the default one actually comes, so we'll see the default one; the default one actually comes with everything, one allow and one deny. If you create a custom one, the first rule that you see here is all deny. So now let's check some of the differences between the network ACLs and the security groups. The first and foremost important difference is that security groups actually operate at the instance level and network ACLs operate at the subnet level, so this is quite the most important, because you have to understand this very carefully, that whenever we have a question related to securing our subnets then you have to understand that we have to talk about network ACLs, and if we want to secure the instance at the instance level then we must talk about the security groups. There are various other ways, but I'm talking in the perspective of what we are discussing right now. And security groups actually support allow rules only, because you make a
rule that you want to grant access, like for SSH or HTTP, and there is no option to have deny as a rule in security groups, but for network ACLs actually they support both allow rules and deny rules, as we just saw right now. And security group, it is stateful, so the return traffic is automatically allowed regardless of any rules, and in network ACLs it is stateless, so for that reason return traffic must be explicitly allowed by the rules, as we saw. And security groups, actually we evaluate all rules before deciding whether to allow traffic or not, and in the network ACLs we process rules in order, starting with the lowest number rule, when deciding whether to allow traffic, because you can have multiple rules with the same set of protocols but with different rule numbers. Then security groups actually apply to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on; so you can attach a security group when you're creating it and you can allow one of the rules that you want, or you can specify it after you have created also; if you already have some security groups you can attach them after you have created the instance as well. The network ACL actually automatically applies to all instances in the subnet that it's associated with, and therefore it provides an additional layer of defense if the security group rules are too permissive, that are too open in other words. So now let's create the replica of the example that we saw at that time, so I'll just add some of the inbound rules now. So now I have added the inbound rules and the outbound rules; refresh this page, it will obviously work because it is connecting. So what happens here is it will first check whether the 100 number rule actually matches or not; if not then it comes to 110, and then it comes to 120, then 130, and that actually finds a match for port 80, and here even if I don't give 32455 it'll work, but I have given it, so not a problem.
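The stateless evaluation shown in the demo above, as an added Python model that is not code from the video or from AWS: it encodes the rule sets that were tried (outbound port 80 only, port 80 plus an ephemeral range, an ephemeral range only, and an inbound-only ephemeral range), walks the rules lowest number first, and checks the request and the response as two separate packets. The client address, its ephemeral port 32770 and the rule numbers are taken from the walkthrough, and the helper names are my own.

```python
"""Stateless NACL evaluation: the request and the response are checked separately."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_RULE_NUMBER = 32766  # highest rule number a NACL rule may use


@dataclass(frozen=True)
class Rule:
    """One numbered NACL entry. For an inbound rule `cidr` is the source,
    for an outbound rule it is the destination; `protocol` is tcp/udp/icmp/all."""
    number: int
    protocol: str
    port_from: int
    port_to: int
    cidr: str
    action: str  # "allow" or "deny"

    def __post_init__(self) -> None:
        if not 1 <= self.number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number must be between 1 and {MAX_RULE_NUMBER}")
        if self.action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr, strict=False)


def evaluate(rules: List[Rule], protocol: str, port: int, ip: str) -> Tuple[bool, Optional[int]]:
    """Walk the rules lowest number first; the first match decides.
    No match falls through to the '*' rule, which denies (rule number None)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, ip):
            return rule.action == "allow", rule.number
    return False, None


def connection_works(inbound: List[Rule], outbound: List[Rule],
                     client_ip: str, client_port: int, service_port: int) -> bool:
    """A client connection reaches an instance in the subnet only if the request
    passes the inbound rules AND the response, checked on its own because the
    NACL keeps no connection state, passes the outbound rules."""
    # Request packet: source = client IP, destination port = the service (80 or 443).
    request_ok, _ = evaluate(inbound, "tcp", service_port, client_ip)
    # Response packet: destination = client IP, destination port = the client's ephemeral port.
    response_ok, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return request_ok and response_ok


ANY_IPV4 = "0.0.0.0/0"


def allow(number: int, protocol: str, port_from: int, port_to: int, cidr: str = ANY_IPV4) -> Rule:
    return Rule(number, protocol, port_from, port_to, cidr, "allow")


def deny(number: int, protocol: str, port_from: int, port_to: int, cidr: str = ANY_IPV4) -> Rule:
    return Rule(number, protocol, port_from, port_to, cidr, "deny")


# Constructed sample client, modelled on the packet header in the video: a Linux
# client picks ephemeral source port 32770 and talks to the nginx instance on port 80.
CLIENT_IP, CLIENT_PORT = "32.12.22.11", 32770

DEFAULT_IN = [allow(100, "all", 0, 65535)]   # the default NACL: everything allowed
DEFAULT_OUT = [allow(100, "all", 0, 65535)]
OUT_PORT80_ONLY = [allow(100, "tcp", 80, 80)]  # the first edit made in the demo
OUT_PORT80_AND_EPHEMERAL = [allow(100, "tcp", 80, 80), allow(110, "tcp", 32766, 65400)]
OUT_EPHEMERAL_ONLY = [allow(100, "tcp", 32700, 65535)]  # no port 80 at all
IN_EPHEMERAL_ONLY = [allow(100, "tcp", 32700, 65535)]


def demo_results() -> Dict[str, bool]:
    """Replays each inbound/outbound variant tried in the demo against the port-80 request."""
    return {
        "default allow-all both ways": connection_works(DEFAULT_IN, DEFAULT_OUT, CLIENT_IP, CLIENT_PORT, 80),
        "outbound port 80 only": connection_works(DEFAULT_IN, OUT_PORT80_ONLY, CLIENT_IP, CLIENT_PORT, 80),
        "outbound port 80 + ephemeral": connection_works(DEFAULT_IN, OUT_PORT80_AND_EPHEMERAL, CLIENT_IP, CLIENT_PORT, 80),
        "outbound ephemeral only": connection_works(DEFAULT_IN, OUT_EPHEMERAL_ONLY, CLIENT_IP, CLIENT_PORT, 80),
        "inbound ephemeral only": connection_works(IN_EPHEMERAL_ONLY, DEFAULT_OUT, CLIENT_IP, CLIENT_PORT, 80),
    }


def custom_nacl_https(keep_outbound_ephemeral_rule: bool) -> bool:
    """The custom NACL from the HTTPS walkthrough: removing outbound rule 120
    (the ephemeral range) breaks 443 even though 443 itself is allowed both ways."""
    inbound = [allow(100, "tcp", 80, 80), allow(110, "tcp", 443, 443),
               allow(120, "tcp", 22, 22), allow(130, "tcp", 32768, 65535)]
    outbound = [allow(100, "tcp", 80, 80), allow(110, "tcp", 443, 443)]
    if keep_outbound_ephemeral_rule:
        outbound.append(allow(120, "tcp", 32768, 65535))
    return connection_works(inbound, outbound, CLIENT_IP, CLIENT_PORT, 443)
```

Calling `demo_results()` reproduces the demo: only the two variants that leave the response with no matching outbound rule, or the request with no matching inbound rule, come back as blocked.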
So when you go back to the outbound rules it will match here: for the 100th rule number it will check, there is no match, then it will come back to 110 and it will see that yeah, it is a match, but that's not the port number that I am trying to access, so I will go ahead and check the rule number 120 that we have, the custom TCP rule, then it'll check the port range, and yes, yeah, we have this port number that I want to access, isn't it, so that is the one that will allow it, so that is why it works. So that is why it is termed as lowest order rule, that is why it checks 100, then 110, then 120, then 130, then 140, and just like that it goes to star. So far we have been working with VPCs and we are able to work with instances, but now there is a problem, because the users of VPC A are not able to access the instances and resources from VPC B. So do we have a solution for this? Yes, let's talk about VPC peering. So the problem that we were talking about was a scenario where the instances are not able to talk to each other if they are present in other VPCs. A VPC peering connection is a network connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. So AWS provides us a VPC peering connection which helps us connect VPCs so that we can enable traffic routing between them using our private IPv4 addresses, and that is the reason why, when we look at this image below, we see the instances across subnets are able to communicate with each other but not with the instances across VPCs. So the instances at VPC A are not able to communicate with the instances at VPC B, so there is no communication between them, they are totally isolated; they want to talk to each other but they are not able to talk to each other. And if you don't have the VPC peering, what we have to do, we would either need public internet access or VPN connections or internet gateways to achieve this, but what if we don't want to use these things? We need
something simple, isn't it? So what do you get in your mind when I say VPC peering? Just think of this term, peering, and nothing else. So peering is a method that allows two networks to connect and exchange traffic directly without having to pay a third party to carry traffic across the internet. So the peering connection is provided by AWS and we can use it to connect to other VPCs and get access to the resources we need. But that's not that simple; we need to understand what are the things that make up for the VPC peering connection, and that is what we are going to discuss now. So let's change things here and let's replace the connection with our VPC peering connection. If you see on the right hand side, these two VPCs belong to a specific region, and you might ask me, what if these VPCs are in a different region altogether? And yes, your question is totally valid, so let's see how it can help us. So if our instances or VPCs are placed across regions, for this AWS provides us with inter-region VPC peering connection; I hope you will remember this point, inter-region VPC peering connections. So let's go back to the definition again: a VPC peering connection is a network connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. So this is nothing like we put some cables or any special hardware when you create VPC peering, actually, especially for you. So here AWS uses the existing infrastructure of a VPC to create a VPC peering connection, so that sharing data across accounts becomes easier, and so that sharing data across instances across VPCs becomes easier. Sometimes you might have people working in your same organization who want to collaborate and use specific resources or applications privately; you can make use of the VPC peering connection for this case as well. And as I have already told you before, we can establish a peering connection or peering relationship between two VPCs across different AWS regions; that is also
called the inter-region VPC peering, and the best part and the USP for using VPC peering connection is that you can communicate with EC2, RDS or even AWS Lambda without needing to have a gateway connection or VPN connection, or even having the need for separate network appliances, and all traffic that you see remains in the private IP space. So now let's talk about how do we establish the connection when we try to create a VPC peering connection. So here we have John and Jesse, both owners of the VPC they are currently working on; so they are working on products and they have some dependency on each other, so what they decided was they will be using VPC peering as a part of the solution. Here John is the owner of the requester VPC that you can see, who actually is going to make a request, and Jesse is the owner of the acceptor VPC. Yes, when you create a VPC peering connection there has to be a requester who makes a request to another VPC to accept the peering connection. Let's check the steps here. So John, who is the owner of the requester VPC, sends a request to the owner of the acceptor VPC to create the VPC peering connection, so that's the first step. So John here is actually sending a request to the VPC that is owned by Jesse to create the VPC peering connection, and the acceptor VPC can either be in the same account or another AWS account, or it can be owned by you or someone else, but the thing that you need to remember is that you cannot have a CIDR block that overlaps with the requester VPC CIDR block. So you cannot have VPC peering connections with overlapping CIDR blocks, and this is one of the most important points that you need to remember: you cannot have a VPC peering connection with overlapping CIDR blocks. Next, Jesse, who is the owner of the acceptor VPC, accepts the VPC peering connection request to activate the VPC peering connection, and next, to enable the traffic flow, the requester VPC has to add the routes for the IP addresses in the route table, and if your security groups don't
match with the current setting for the peering connection traffic flow, the requester VPC must make changes to security groups as well, so that there are no restrictions for the peering connection. Last but not the least, if the instances on either side of the connection use public DNS host names for communication, we must enable DNS hostname resolution so that they can use the private IP to talk to the instances. I hope you got the point about how we actually make the connection possible; don't worry, we'll be doing the demo as well, so please watch the video till the end. So now that we have some idea on how we actually create VPC peering connections, let's look at the life cycle of the VPC peering connection and its different stages. The first step: when we initiate a request for a peering connection, the peering connection may either fail or may go to the pending acceptance stage. So once the request has failed it cannot go back to accepted, rejected or deleted states, and the failed peering connection remains visible to the requester for two hours. And the pending acceptance state, it's obviously waiting for the peering connection to be accepted by the acceptor VPC owners, so it will wait for that period of time to be accepted by the acceptor VPC. Here the owner of the requester VPC can delete the request; in other words the requester can back off with its request of creating the VPC peering connection, and the owner of the accepting VPC can either accept or reject the request. So if it is accepted it moves to the provisioning state, and if no action is taken within seven days by the acceptor VPC it gets expired, and same here as well, it's visible for two days to both VPC owners and then it's no longer visible. Next, if the request is rejected it moves to the rejected state, and the same here as well: the rejected VPC peering connection remains visible to the owner of the requester VPC for two days and visible to the owner of the acceptor VPC for 2 hours. If the request was created within
the same AWS account, the rejected request remains visible for 2 hours itself. Next up, once the VPC peering connection request has been accepted it will soon be in the active state, so once it is active you can make use of the peering connection, and in this state, or being active, you cannot reject it anymore, but if you want to close it you can delete it. The next step that you see, for deleting, applies to the inter-region VPC peering connection; this can be put by either party when they send a delete request when the status is active, or it can be sent by the owner of the accepting VPC that has raised a delete request while in the pending acceptance state. Last is the deleted step; here as well this can be put by either party when they send a delete request when the status is active, or it can be sent by the owner of the accepting VPC that has raised a delete request, but the most important thing to remember here is that VPC peering connections remain visible to the party that has deleted it for 2 hours, and visible to the other party for 2 days. If the VPC peering connection was created within the same account, or within the same AWS account, the deleted request remains visible for 2 hours. So I hope you got the whole idea of the life cycle; if you still have some doubts please put them in the comment section below, and I would request you to listen to this again and relate them with the same with the flow diagram that we have here, to get a better understanding. So in the lifecycle policy that you see here we have clear steps: so you have to initiate the request, which might go to the pending acceptance stage, where the acceptor has to accept it, which moves it to the provisioning state and then to the active state. So once it is in the active state basically you can make use of the peering connection, so from the active state you cannot reject it, or you cannot make it expired, or you cannot make it failed, but you can surely delete it if you don't want it anymore. And when you are in
the pending state you can see we have directions towards: if the request is not accepted it gets expired, or if it is rejected, or if it is deleted. So when you initiate the request also you can backtrack by just canceling the request, and it goes to the failed state, where it will be visible for two hours to the requester, and then it is no longer visible anymore. So I hope you got the idea here for all the states that we have, like initiating request, pending acceptance, provisioning, active, deleting, then deleted, or it can be rejected or expired or failed, and the most important part is no longer visible, because it will no longer be visible after a certain point of time. So till now we spoke about two VPC peering connections; let's take it to more than two VPCs and let's talk about multiple VPC peering connections. This is very important to understand, because you have to keep in mind that it is a one to one relationship between two VPCs; that is why, always remember that there is no support for transitive relationships or connections. So which means, if John and Jesse are friends with each other and Jesse is friends with David, it doesn't mean that John by default becomes friends with David, isn't it? That's the same way as if you are friends with someone else and that person is friends with the other person, but here it does mean that you have a common friend, but you both cannot be friends by default, isn't it, until and unless you have a friendship relationship, or unless you have a peering connection, in other words. So in mathematical terms also, transitive also means like if A equals B and B equals C then A equals C, but here it is not possible that way. So if you see here we have the VPC1 which has a peering connection with VPC2, and VPC2 has the same with VPC3, but that doesn't mean VPC1 has a transitive relationship with VPC3; so if A equals B and B equals C you cannot say that A is equal to C, okay, so the transitive property does not exist here. So I hope that was clear. Let's move on.
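The two peering rules covered so far, no transitive routing through a peered VPC (just explained) and no peering when any CIDR block overlaps (from the John and Jesse walkthrough), as an added Python model; this is illustrative code, not anything from the video or from AWS, and the VPC names, CIDR blocks and class and function names are constructed for the example.

```python
"""A small model of VPC peering: pairwise only, no transitive routing, no overlapping CIDRs."""
import ipaddress
from typing import Dict, FrozenSet, List, Set

DEFAULT_ACTIVE_PEERINGS_PER_VPC = 50  # default quota per VPC; can be raised, up to 125


class PeeringError(ValueError):
    """Raised when a peering request violates one of the VPC peering rules."""


def cidrs_overlap(cidrs_a: List[str], cidrs_b: List[str]) -> bool:
    """True if ANY block of one VPC overlaps ANY block of the other.
    A second, non-overlapping block does not help: one overlap blocks the whole peering."""
    nets_a = [ipaddress.ip_network(c) for c in cidrs_a]
    nets_b = [ipaddress.ip_network(c) for c in cidrs_b]
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


class PeeringFabric:
    """Tracks VPCs (name -> CIDR blocks) and the active peering connections between them."""

    def __init__(self) -> None:
        self.vpcs: Dict[str, List[str]] = {}
        self.peerings: Set[FrozenSet[str]] = set()

    def add_vpc(self, name: str, cidrs: List[str]) -> None:
        self.vpcs[name] = list(cidrs)

    def active_peerings(self, vpc: str) -> int:
        return sum(1 for pair in self.peerings if vpc in pair)

    def peer(self, requester: str, acceptor: str) -> None:
        """Create a peering connection, applying the checks the video lists."""
        if requester == acceptor:
            raise PeeringError("a VPC cannot peer with itself")
        pair = frozenset((requester, acceptor))
        if pair in self.peerings:
            raise PeeringError("only one peering connection between the same two VPCs")
        if cidrs_overlap(self.vpcs[requester], self.vpcs[acceptor]):
            raise PeeringError("VPCs with overlapping CIDR blocks cannot be peered")
        for vpc in pair:
            if self.active_peerings(vpc) >= DEFAULT_ACTIVE_PEERINGS_PER_VPC:
                raise PeeringError(f"{vpc} has reached the default active peering quota")
        self.peerings.add(pair)

    def can_route(self, src: str, dst: str) -> bool:
        """Private-IP routing exists only over a DIRECT peering: no transitivity,
        no edge-to-edge routing through a third VPC's peering."""
        return frozenset((src, dst)) in self.peerings

    def reachable_if_peering_were_transitive(self, src: str, dst: str) -> bool:
        """What people often wrongly assume: a path through intermediate VPCs.
        Kept only to contrast with can_route()."""
        seen, frontier = {src}, [src]
        while frontier:
            current = frontier.pop()
            for pair in self.peerings:
                if current not in pair:
                    continue
                (other,) = pair - {current}
                if other == dst:
                    return True
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
        return False


def try_peer(fabric: PeeringFabric, requester: str, acceptor: str) -> str:
    """Returns 'ok' or the PeeringError message, so the rules can be checked as values."""
    try:
        fabric.peer(requester, acceptor)
        return "ok"
    except PeeringError as exc:
        return str(exc)


def build_sample_fabric() -> PeeringFabric:
    """Constructed sample: VPC1 <-> VPC2 <-> VPC3, as in the transitive-peering diagram."""
    fabric = PeeringFabric()
    fabric.add_vpc("VPC1", ["10.0.0.0/16"])
    fabric.add_vpc("VPC2", ["10.1.0.0/16"])
    fabric.add_vpc("VPC3", ["10.2.0.0/16"])
    fabric.peer("VPC1", "VPC2")
    fabric.peer("VPC2", "VPC3")
    return fabric


def overlap_cases() -> Dict[str, bool]:
    """Case 1: identical /16 blocks. Case 2: primary blocks differ but a secondary block overlaps."""
    return {
        "case1 same /16": cidrs_overlap(["10.0.0.0/16"], ["10.0.0.0/16"]),
        "case2 secondary overlaps": cidrs_overlap(["10.0.0.0/16", "172.16.0.0/16"],
                                                  ["192.168.0.0/16", "172.16.5.0/24"]),
        "disjoint": cidrs_overlap(["10.0.0.0/16"], ["10.1.0.0/16"]),
    }
```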
So the next limitation or restriction that you must know, which I have already spoken about: so we cannot have a peering connection, or VPC peering connection, for VPCs with overlapping CIDR blocks. So what does that mean? So if you see the blocks here, for case one we have both the CIDR blocks which are the same for both VPCs, so that is 10.0.0.0/16 for both the VPCs, and it means we cannot have the peering connection here. But you might feel you can create a CIDR block that is not overlapping; but if you see case 2, where we have non-overlapping CIDRs as well, here as well, if the VPCs have multiple IPv4 CIDR blocks you cannot create a VPC peering connection if any of the CIDR blocks overlap. Remember this very carefully: if any of the CIDR blocks overlap. So even if you have one CIDR block that is overlapping you cannot have a VPC peering connection to that, so this means, regardless, even if you intend to use the VPC peering connection for communication between non-overlapping CIDR blocks, you cannot do that. So remember this very carefully: you cannot have a VPC peering connection for VPCs with overlapping CIDR blocks. Still not clear? Let's take another example, for edge to edge routing through a VPN connection or an AWS Direct Connect connection. So here as well, if you see, we have a peering connection between VPC1 and VPC2, and VPC2 has a site-to-site VPN connection with the corporate network; the users or the people working in the corporate network can make use of the VPN connection to connect to VPC2, isn't it, but they cannot have an edge routing connection to VPC1. So remember that you cannot use VPC2 to extend the peering relationship to exist between VPC1 and the corporate network. So now let's talk about another scenario, for edge to edge routing through an internet gateway. If you see the visual below we have a VPC peering connection between VPC1 and VPC2; here our VPC1 has an internet gateway attached to it and it's able to connect to the internet, and the same way the
traffic coming in is also able to access resources in VPC1 using the internet gateway, but VPC2 doesn't have any internet gateway connections, and here as well we cannot have an edge routing capability which might help the traffic coming into VPC1 using the internet gateway to access the instances at VPC2. So this transitive property also does not exist, and this edge to edge routing also does not exist; you cannot have this using VPC peering connections. Too many examples already, isn't it, but there is one last example that you should understand. So if you see the visual below we have a VPC peering connection between VPC1 and VPC2; here our VPC2 has a VPC endpoint that connects it to Amazon S3, which allows VPC2 to connect to S3 and store files and records, but VPC1 does not have any endpoint connection to S3, as you can see in the diagram, and here as well you cannot use VPC2 to extend the peering relationship to exist between VPC1 and Amazon S3. So even if VPC2 has a connection to S3, VPC1 cannot have the edge routing through VPC2 to access data at S3. So I hope you are clear and you got a very clear understanding of what you can do with VPC peering and what you cannot do, so let's move on. So let's talk about some of the important things that you need to remember for VPC peering. The first thing is that you cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks, so I hope that is almost clear by now. When we speak about the quota for usage of VPC peering, by default you get 50 active VPC peering connections per VPC, and the maximum quota is 125 peering connections per VPC, and here the number of entries per route table should be increased accordingly, and that might be an impact on the network performance as well. And by default you get 25 outstanding VPC peering connection requests, and you get one week, that is around 168 hours, of expiry time for an unaccepted VPC peering connection request, and this quota cannot be
increased. VPC peering does not support transitive peering relationships, as we already discussed, so remember that. You cannot have more than one VPC peering connection between the same two VPCs at the same time. The next point: any tags that you create for your VPC peering connection are only applied in the account or region in which you create them, so while creating tags, or using Cloud Custodian to track them, keep this in mind. And you cannot connect to or query the Amazon DNS server in a peer VPC. I hope we had a good discussion on the theoretical side of VPC peering; now let's do a small hands-on demo. To create a VPC peering connection you obviously need two VPCs. We have myvpc demo, which we created before, and the default VPC. To test the peering connection we need instances, so that we can see whether we can actually connect to them. Let's say myvpc demo will be the requester VPC and the default VPC will be the accepter VPC. I'll go to the EC2 instances; I have created two, one in each VPC, to test the connectivity between them, and first we'll confirm that we are not able to reach the instance in the other VPC. Let's connect to each instance. I'll connect to the first one, the public instance in my requester VPC: I copy its public IPv4 address and SSH to it. Yes, I can connect, and its private address is 10.0.32.112. Similarly, I'll go to the
accepter VPC's instance, copy its public IPv4 address, open one more terminal and repeat the same process. We can connect to this one as well, and its private IP is 172.31.32.186. Let's keep the two side by side: this one is from the requester VPC, myvpc demo, and this one is from the default VPC. Now from the first instance I'll try to connect to the second one using its private IP. To SSH to that instance I need the key, so I'll create a file ec2-key.pem here, paste the key into it and, as usual, change the permissions on ec2-key.pem, then try to connect once again. It does not connect. That is the basic problem we have: the requester VPC and the other VPC cannot talk to each other. What I'm going to do is create a connection between them using a VPC peering connection. Let's go back to the VPC console, where you can see Peering Connections. I had already created a peering connection before, so don't worry about that one; I'll click Create peering connection. Here you give it a name, whatever you want, and select the local VPC to peer with, which is our requester VPC, myvpc demo. Now it is associated and you can see its CIDR block. Next you select the accepter: if the VPC is in another account you can choose that here, or if it is in another
region you can select that and choose one of them. Once you have chosen the options, you pick the VPC you want as the accepter, which for us is the default VPC, and now its CIDR block is shown. Since I have already given the Name tag, I cannot add it again here, but you can add any other tag you want; for now this is enough. I have given the name, the requester VPC and the accepter VPC, so click Create peering connection, and it is created successfully; click OK. Once you have initiated the request to create a peering connection it goes into the pending-acceptance state; remember the life cycle we studied in the theory part. Why is it still pending? Because we need to accept it. Right-click on it and accept the request; you see the requester account ID and the accepter account ID, click Yes, Accept, and now it tells you that your VPC peering connection has been established, and that to send and receive traffic across it you must add a route to the peered VPC in one or more of your VPC route tables. I have to modify the route tables, I know, so I click Close, and now it has become active. Our condition that it should be accepted has been met. I am able to do this because I own both VPCs; but suppose you work in a bigger organization and the other VPC is not in your account. Then you have to ask whoever owns that VPC to accept your request, and he or she will do it for you. Now we have to add the routes, but before that I'll go back
to my instance and check whether I can connect to the other instance now. Still no, and that's not a problem, we haven't added the routes yet. This is the main route table, but because we are using the public internet I had already created the my igw route table that has the route to the internet gateway, so I'll edit this route table and add a route for the CIDR block of the default VPC, where the other instance is. I don't remember that CIDR block, so I go back to the VPC list, click on the default VPC, copy its CIDR block and paste it here as the destination. What you're telling it is that whatever traffic goes to this destination should go through the peering connection; I select the peering connection I created recently as the target and save the route. This is one-way traffic, from myvpc demo to the default VPC; we have to do the same from the default VPC back to myvpc demo, because this is a one-to-one connection. So in the route table for the default VPC I'll click on it, edit the routes and add a route for myvpc demo, whose CIDR block is 10.0.0.0/16.
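To make the two rules this demo keeps coming back to concrete, here is a small model of them in Python, added here and not part of the video: peering is refused when any CIDR block overlaps, and a packet only gets through when the route to the peer and the route back both point at the peering connection, with no edge-to-edge forwarding through the peer. VPC names, CIDRs and IDs such as pcx-demo and vgw-corp are made up for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass
class Vpc:
    name: str
    cidrs: list                                  # a VPC can have several IPv4 CIDR blocks
    routes: dict = field(default_factory=dict)   # destination CIDR -> target (local/pcx-/igw-/vgw-)

    def contains(self, ip: IPv4Address) -> bool:
        return any(ip in ip_network(c) for c in self.cidrs)


def can_peer(a: Vpc, b: Vpc) -> bool:
    """Case 2 from the theory part: the request is refused if ANY block of one
    VPC overlaps ANY block of the other, even when the other blocks are disjoint."""
    return not any(ip_network(x).overlaps(ip_network(y))
                   for x in a.cidrs for y in b.cidrs)


def lookup(vpc: Vpc, ip: IPv4Address):
    """Longest-prefix match in the VPC's route table; None if nothing matches."""
    best = None
    for dest, target in vpc.routes.items():
        net = ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def can_reach(vpcs: dict, src: str, dst_ip: str, peerings: dict) -> bool:
    """Would an instance in VPC `src` get a packet to `dst_ip` AND a reply back?
    `peerings` maps a pcx- ID to the two VPC names it joins (constructed IDs)."""
    ip = ip_address(dst_ip)
    s = vpcs[src]
    target = lookup(s, ip)
    if target == "local":
        return s.contains(ip)
    if target is None or not target.startswith("pcx-"):
        return False          # igw-/vgw-/vpce- paths are not what this model covers
    peer = vpcs[next(n for n in peerings[target] if n != src)]
    # No edge-to-edge routing: the peer only delivers to its own CIDR blocks;
    # it will not forward on to its VPN, internet gateway or S3 endpoint for you.
    if not peer.contains(ip):
        return False
    # The reverse route is required too: a one-way route gives no reply path.
    probe = ip_network(s.cidrs[0])[4]             # first usable host in the source VPC
    return lookup(peer, probe) == target


def demo() -> dict:
    """Replays the demo's steps and the rules from the theory part."""
    vpcs = {
        "myvpc-demo": Vpc("myvpc-demo", ["10.0.0.0/16"],
                          {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-demo"}),
        "default":    Vpc("default", ["172.31.0.0/16"],
                          {"172.31.0.0/16": "local"}),
    }
    peerings = {"pcx-demo": ("myvpc-demo", "default")}
    out = {}
    # 1. Peering accepted, but no routes yet: the SSH attempt fails.
    out["no_routes"] = can_reach(vpcs, "myvpc-demo", "172.31.32.186", peerings)
    # 2. Route added only in myvpc-demo's table: still one-way, still fails.
    vpcs["myvpc-demo"].routes["172.31.0.0/16"] = "pcx-demo"
    out["one_way"] = can_reach(vpcs, "myvpc-demo", "172.31.32.186", peerings)
    # 3. Reverse route added in the default VPC's table: now it works.
    vpcs["default"].routes["10.0.0.0/16"] = "pcx-demo"
    out["both_ways"] = can_reach(vpcs, "myvpc-demo", "172.31.32.186", peerings)
    # 4. The default VPC gets a Site-to-Site VPN to a corporate network; pointing
    #    a route in myvpc-demo at the peering does NOT extend that VPN to it.
    vpcs["default"].routes["192.168.0.0/16"] = "vgw-corp"
    vpcs["myvpc-demo"].routes["192.168.0.0/16"] = "pcx-demo"
    out["via_peer_vpn"] = can_reach(vpcs, "myvpc-demo", "192.168.10.5", peerings)
    # 5. Overlap rule: one clashing block among several blocks the whole peering.
    out["can_peer"] = can_peer(Vpc("a", ["10.0.0.0/16", "10.1.0.0/16"]),
                               Vpc("b", ["192.168.0.0/24", "10.1.5.0/24"]))
    return out


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:12s} -> {'reachable/allowed' if ok else 'blocked'}")
```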
Here as well, any traffic to this destination has to go through the peering connection, so I choose the peering connection I created recently as the target, save the route and close. As per the theory this should work, and if I go back and try SSH again, yes, it works. For fun, I'll go back to the instance in the default VPC, connect to it again, cd /home/ec2-user, run ls, then create a file with vim called hello.txt, type hi myvpc demo in it and save it. I go back to the other terminal, run ls, and I see hello.txt, because I'm connected to that instance and can access the resources I need. That is how helpful the VPC peering connection is: I am able to access the file. This sums up the peering connection part. I know it was a bit tricky, but it is very interesting to work on, and I would request you to do this hands-on demo yourself to get a better understanding of how it actually works. My humble request is that you create a free-tier account and test this out. Now, if you want to enable a connection between your VPC and other AWS services like S3 and DynamoDB, but you want it to be private and you don't want to use Direct Connect, gateways or VPN, then we need something more. Thanks for joining in today; let's talk about VPC endpoints. It's been a really long time since we looked at the roadmap for VPC, so let's get an overall picture of what we have already completed and what is still pending. We have covered almost all the important aspects we need for
VPC, but we still have a few more left, which should not take much time, and that's a very good thing for us. As you can see, we have already completed NACLs, route tables, NAT gateway and security groups, and the next thing I felt was important is VPC endpoints, so that is what we are going to discuss today. The biggest question is: what is a VPC endpoint? A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. For now just ignore that last part; we will have a separate topic altogether for PrivateLink. The best part is that a VPC endpoint does not require an internet gateway, NAT device, VPN connection or AWS Direct Connect connection. Along with that, endpoints are horizontally scaled, redundant and highly available VPC components. And as I already told you, this is a private connection, so instances in your VPC do not require public IP addresses to communicate with the resources and services. There are two types of VPC endpoints: interface endpoints and gateway endpoints; we will talk about both in detail. But what comes to your mind when you think of an endpoint? The dictionary meaning is the end of something, or something you are trying to reach. In a general sense you could say "I don't feel like I am at an endpoint or even a midpoint in my career", or "we have reached an acceptable endpoint in this litigation". So an endpoint can be described as something that gives you a view of a state or entity so that you can reach a conclusion, and you might get a result or response back. In the computing world we mostly think of an endpoint as an
interaction point for communication, one end of a communication channel, or a URL where your service can be accessed by client applications. Keep that in mind: an endpoint can be a URL where your service is accessed by client applications, and I think you are getting an idea of where we are going. When we speak about interface endpoints, remember that an interface endpoint uses an elastic network interface to create the VPC endpoint connection. It is easy to remember this way: interface endpoint uses elastic network interface. I know it sounds dumb, but if you have to recall things instantly, try connecting the dots. Now you know the context, let's talk about this in detail. Look at the visual on the right-hand side: if I did not have the option of VPC endpoints to privately access Kinesis Data Streams, I would obviously use the internet gateway and the default DNS name of the AWS service, which in this case is kinesis.us-west-2.amazonaws.com, and that is what my instance would use. Now AWS has given us an option to access Kinesis Data Streams privately by creating a VPC endpoint, which solves many of our problems. Coming back to VPC endpoints: an interface endpoint uses an elastic network interface, or ENI, as you can see in the diagram, with a private IPv4 address. This private IP address is taken from the IP address pool of your subnet, is assigned to the ENI, and serves as the entry point for traffic destined to a supported AWS service like Kinesis or to a VPC endpoint service. A VPC endpoint service is one more very important service, which makes use of Network Load Balancers; we will discuss it under AWS PrivateLink, where we will join a VPC
endpoint service and a VPC endpoint to create a PrivateLink connection between VPCs. Moving on with interface endpoints: you can talk to AWS services without needing NAT gateways or devices or virtual private gateways. Coming back to the visual, once you have created the interface endpoint with its elastic network interface, our instance can access Kinesis Data Streams privately using the endpoint-specific DNS host name, which has the form vpce-<endpoint id>.kinesis.us-west-2.vpce.amazonaws.com (vpce stands for VPC endpoint) and resolves to the private IP from the subnet of your VPC. If you wish to use private DNS you need to enable it, and to enable private DNS you must set two VPC attributes to true: enableDnsHostnames and enableDnsSupport. That way, if you don't want to use the private IP addresses and prefer the DNS names, you can do that. Now let's talk about the second type, gateway endpoints. A gateway endpoint is basically a gateway that you specify as the target for a route in your route table whose destination is the AWS service. It's very simple: we create the VPC endpoint and add it to the route table as a target in order to access the AWS service. But remember that gateway endpoints are supported for only two AWS services, Amazon S3 and DynamoDB. If you see here, subnet A is associated with the internet gateway, which lets it reach Amazon S3; but subnet B has a route whose target is the VPC endpoint ID and whose destination is the Amazon S3 service, so even without an internet gateway it can access the S3 service, of course with the help of the VPC endpoint. Remember one thing very carefully: the interface endpoint uses the elastic network interface
and the gateway endpoint uses the route table for routing and traffic redirection to access the AWS service, and that traffic stays private. Look at the route table here as well: subnet A has the local route for the VPC's CIDR block and all internet-facing traffic is directed to the internet gateway, while subnet B, if it wants to access Amazon S3, has the prefix list ID for Amazon S3 as the destination and the VPC endpoint ID as the target. I hope you will remember that the interface endpoint uses the elastic network interface and the gateway endpoint uses the route table for routing and traffic redirection to access the AWS service, and that it remains private. Okay, now let's start the VPC endpoint demo. What we need here is a public instance that can reach the internet through the internet gateway and access our S3 buckets; that is one way to do it. But the other thing we want is the V2 instance you see here, which is our private instance, to be able to access the S3 bucket using the VPC endpoint; that is our main goal. So let's have one public instance and one private instance and see the difference in how each connects to S3. Back in the EC2 console I have a public instance and a private instance already created. I'll connect to the public instance and show you how we can reach S3. In the terminal I quickly connect to the instance, and then I type aws s3 ls, which lists all the buckets you have; by default it lists every S3 bucket. If you get an error like this one, it means the instance does not have enough permissions to access S3. So what do we
need to do? We need to add a role with a policy to this EC2 instance. To do that, go back to the instance, go to Security, and choose Modify IAM role. You can pick one from the drop-down: if a role with a full S3 access policy already exists you can assign that, and if not you have to create a new one, so I'll show you how. Once you click Create new IAM role you go to the IAM management console, which has the Create role option; click on it. You have four options: an AWS service, another AWS account, a web identity, or SAML federation (that one is for single sign-on authentication). The common use case you see here is EC2: if I want to allow a service to be accessed from an EC2 instance, I have to create a role for EC2 instances. Click on that and click Next, and you see all the existing policies (it takes a moment to load). Type s3 and you see a lot of S3 policies; we want the full access one. If you expand it you can see the JSON: the action is s3:* and it applies to all resources, which means you can list, get, put or delete objects, anything, because you have all the permissions. Select it, click Next, add a tag if you want, review, and give the role a name. I have already created a role with AmazonS3FullAccess, so I won't create it again, but you can do it by adding a name here; once you create the role and refresh, you will see it in the list of roles. It's very
simple. Once you've created it, come back here, select the role you just created and save. Now you can see we have attached the IAM role with full S3 access. Back in the terminal, aws s3 ls now shows the list of buckets we have. This path is clear for us because this is a public instance: I reach S3 through the internet gateway. The next thing I want is for my private instance also to be able to reach the S3 buckets, using the VPC endpoint. First let's connect to the private instance and confirm that it is not working; that's one important thing we need to do. Go to the private instance, copy its private address and connect to it. I have already copied my EC2 key, ec2-key.pem, into my home directory on the public instance, so I can connect using the same key; I showed how to do this in my previous episode, so by now you are all aware of it. Now we are connected to the private instance, and we'll do the same aws s3 ls to list the buckets. We can configure the same role for the private instance: go to Security, Modify IAM role, select the full S3 access role and save. Then run it again; but this won't work, because it's a private instance and it cannot reach AWS S3 from here, so it basically times out. If you want to see what is going on in the background, press Ctrl-C, add --debug to the same command, and you can just execute
it again; you can see it is just stuck at this point. We are not able to connect, and that is the problem we are trying to solve. The next thing we need to do is create the VPC endpoint. In the VPC console you see the Endpoints option; this is where you create your VPC endpoints. There are none as of now, so click Create endpoint. Here you can read: a VPC endpoint allows you to securely connect your VPC to another service; an interface endpoint is powered by PrivateLink and uses an elastic network interface as an entry point for traffic destined to a service, which we have already discussed; and a gateway endpoint serves as a target for a route in your route table for traffic destined for a service, also already discussed. For the service category there are three ways to create the endpoint: AWS services, find a service by name, or the AWS Marketplace. What we are doing now is creating an endpoint for S3, so type s3. You can see that the type for S3 is Gateway. Let me show you: most of the services listed have the type Interface, and only DynamoDB and S3, I think, have Gateway; let me type them: DynamoDB is Gateway, S3 is Gateway. So if I want a VPC endpoint for S3, I obviously have to go with the gateway type. Type s3, select it, choose the VPC ID, which is myvpc demo, and then associate it with your private subnet. You will get a prefix list; I already told you that you
will get a prefix list ID. Now it tells you it will automatically add a route with the destination pl-78a54001, the prefix list ID for Amazon S3, and the target set to the ID of the VPC endpoint we are creating, and add it to the route table, so you don't need to worry about that. It also shows a warning: when you use the endpoint, the source IP address from your instances in the affected subnets for accessing the AWS service in the same region will be the private IP address, not the public IP address. We already know this, because when you create the endpoint we want a private connection. For the policy you can have either Full Access or Custom: click Custom and write the policy, or use the policy creation tool to generate one and paste it here. We will give full access. Then come down, add a tag, and I don't think there is anything else left, so create the endpoint. We have successfully created the VPC endpoint; close it. As you can see, in the main route table for myvpc demo a route has been added with destination pl-78a54001 and target the VPC endpoint we just created; if you come back you can see the endpoint ID ending in adbe8 here, and the same ID there. So now we have created the VPC endpoint, and this endpoint has a service association with Amazon S3 and a policy that allows you to access S3 and perform the operations you want. Now that we have added everything to the route table, we need to just type aws s3 ls, and as I had already told you, this may not work because the region specified by default is us-east-1, so
if you want to access it you need to specify the region where you have the content; I have it in ap-south-1, so you add that and hit Enter. Now you have access to Amazon S3 from your private instance using the VPC endpoint: you can list the buckets you have. Let's go back to the diagram once again and check whether we achieved what we wanted. We created the VPC endpoint, and in the route table we added the prefix list ID for Amazon S3 with the VPC endpoint ID as the target, so anything trying to reach Amazon S3's address range has to go through the VPC endpoint. That is why our instance in the private subnet is able to access the S3 buckets. We all know that log files have always been a savior when it comes to debugging issues with the services and applications we run, so do we have something in VPC that can help us with this? Yes: let's talk about VPC flow logs and understand how you can consume logs while working with your own virtual private cloud. We have always used logs for various purposes, be it watching over console activity, internet traffic, REST API calls or even terminal logs, to understand what exactly is going on as and when we perform an activity. Working with logs in VPC is no different: you would always want to keep track of the traffic coming into or going out of the VPC, and for that we use VPC flow logs. VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from the network interfaces in your VPC. Remember this carefully: when you read "feature", imagine having an option to switch it on or off for a service you're
currently using; that's why it is rightly called a feature that enables you to capture information in the form of logs. You can publish the flow log data to Amazon CloudWatch Logs or Amazon S3, so if you wish to see the logs you go to either of those services and view them. There are a lot of benefits of using flow logs, but these three are actively mentioned in the documentation. The first is monitoring the traffic that is reaching your instance: you can review the incoming requests and analyze or change the application depending on what you see. The second is very useful too, diagnosing overly restrictive security group rules: if there are connectivity issues with the instance or the services you are trying to access, flow logs can help you figure out the issue. The third is determining the direction of the traffic to and from the network interfaces. Another thing you will notice when you see the log format is that a record contains information about the source and destination instances or services, which can also help you with debugging. Let's move on and understand how to use VPC flow logs. You can create flow logs for three kinds of entities: the VPC itself, a subnet, or a network interface. If you enable it for a subnet, all the instances and interfaces within that subnet are monitored too, neat isn't it? When you think of a log, any event that occurs in these entities generates entries containing information about what exactly happened; that piece of information is a log, and the flow log data for a monitored network interface is recorded as flow log records. But if you wish to
publish logs you must keep these three things in mind. The first is the resource for which to create the flow log: an instance's network interface, a subnet or a VPC. The second is the type of traffic to capture: accepted traffic, rejected traffic or all traffic. The third is the destination to publish the flow log data to: a file in S3 or a CloudWatch Logs log stream. In the visual here, subnet A has VPC flow logs enabled for a single instance's network interface, and it publishes logs only for that; on the right-hand side flow logs are enabled for the whole subnet, and as I mentioned before this covers instances V3 and V4 and the network interfaces that are part of the subnet. Unfortunately, as nothing is attached to instance V2, it misses out on the logs. Simple, isn't it? We can also create flow logs for the interfaces created by Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon WorkSpaces, NAT gateways and transit gateways, so many of them, which gives us a lot of options to enable VPC flow logs and monitor these systems, and you can send them to CloudWatch or Amazon S3, one more advantage we get. Now that we have seen how flow logs are created, let's look at the log format. The syntax of a flow log record looks like this and contains a lot of information; I don't want to discuss all of it, but here are a few important fields. The first is version, the VPC flow log version: the default format uses version 2, and the version is the highest version among the fields you specify, so if you specify version 2 fields the version will be 2.
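As an added example (not from the video), here is a small parser for default-format records in the version 2 field order that the log-format walk-through covers, run over a few constructed sample lines: it separates ACCEPT from REJECT, lists which destination ports and protocols were rejected (the overly-restrictive-rule diagnosis mentioned above), and counts the OK, NODATA and SKIPDATA statuses. The default format also carries packets, bytes, start and end, which the video skips; every account, ENI and address value below is made up.

```python
from collections import Counter

# Field order of the default (version 2) VPC flow log format.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log-status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
# A few IANA protocol numbers, enough for the sample below.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: SSH to the peered VPC accepted, two probes from an outside
# address rejected, one DNS query accepted, then one interval with no traffic
# and one where records were skipped because of an internal error.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.32.112 172.31.32.186 49152 22 6 10 840 1620000000 1620000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.32.112 54321 22 6 3 180 1620000000 1620000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.32.112 54322 3389 6 1 40 1620000000 1620000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.32.112 10.0.0.2 12345 53 17 2 160 1620000000 1620000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1620000060 1620000119 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1620000120 1620000179 - SKIPDATA
"""


def parse_record(line: str) -> dict:
    """Split one record into a dict keyed by field name; '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None            # NODATA/SKIPDATA records carry no flow fields
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_log(text: str) -> list:
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def summarize(records: list) -> dict:
    """What a first look at the logs should answer: did anything get rejected
    (and on which port/protocol), and did the collector itself have gaps?"""
    status = Counter(r["log-status"] for r in records)
    rejected = Counter(
        (r["dstaddr"], r["dstport"], PROTOCOLS.get(r["protocol"], str(r["protocol"])))
        for r in records if r["action"] == "REJECT")
    accepted_bytes = sum(r["bytes"] for r in records if r["action"] == "ACCEPT")
    # end - start is the capture window the record was aggregated over.
    longest_window = max(r["end"] - r["start"] for r in records)
    return {
        "records": len(records),
        "log_status": dict(status),
        "rejected": dict(rejected),
        "accepted_bytes": accepted_bytes,
        "longest_window_seconds": longest_window,
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A REJECT on a port you expected to be open points at a security group or network ACL rule, while NODATA and SKIPDATA say nothing about your rules, only about the collector.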
If you specify a mixture of fields, say from versions 2, 3 and 4, it picks the highest number and uses that as the version of the log, so the version will be 4 because we mentioned 2, 3 and 4. The next is account-id, which is evident from the name: the AWS account ID of the owner of the source network interface for which the traffic is recorded. Then interface-id: every network interface has an interface ID, and that is recorded as part of the traffic too. srcaddr is the source address of the incoming traffic, which will be your private IPv4 address, and dstaddr the destination address of the outgoing traffic, again a private IPv4 address. srcport is evidently the source port of the traffic, and dstport the destination port. Next is protocol, the IANA protocol number of the traffic; IANA is the Internet Assigned Numbers Authority, the organization responsible for maintaining the registries of protocol numbers. The next one, action, is very important: it is the action associated with the traffic, either ACCEPT or REJECT. For ACCEPT the recorded traffic was permitted by the security groups and network ACLs; for REJECT it was not permitted by the security groups or network ACLs. So from the logs themselves you can identify whether there is a problem with the permissions in the network ACLs or security groups. The last one here is log-status, also very important, the status of the flow log. There are three statuses: OK, NODATA and SKIPDATA. OK means data is logging
normally to the chosen destination so there is no problem with that so no data so there was no traffic from or to from the network interface during the aggregation interval so we'll discuss about this aggregation interval because let's suppose for a specific period of time there is no data that has been captured then you say that there is no network traffic to and from the network interfaces and then skip data so so here what happens is some of the flow logs are being skipped during the capture window or what we call as aggregation interval due to some internal error so these are all the information that are very valid information that you can get with the log formats when you're using vpc flow logs and after all this you might still have some doubts like yes we send logs but what will be the frequency and is it sending logs in real time or not so let's discuss that so when you read this line which says a flow log record represents a network flow in your vpc then the flow log record captures the information about the network internet protocol traffic flow which means the flow of packet traffic that carries information from the source interface or instance to the destination so that is what it actually means so the flow log record captures the information about the network internet protocol traffic flow that is your ip traffic which obviously means that it is a packet traffic and what does the packet carry it basically carries the information from the source interface or instance to the destination and one more important thing that i forgot to mention that you might feel that the enabling of these flow logs it might impact the performance or latency but it does not because it runs outside of the overall service transaction and you can create these flow logs without having to worry about the impact on the performance so don't worry about that and the time interval in which the traffic flow occurs is called a capture window or more precisely an aggregate interval and 
remember this meaning of aggregate very carefully that it is an entity formed by a combination or collection of things and if you combine interval with aggregate it means that it's a combination of time intervals so here we have a time frame with each cell being a time interval of one minute and as it is rightly mentioned here that aggregation interval is the period of time during which a particular flow is captured and aggregated into a flow log record by default the maximum aggregation interval is 10 minutes so that is what you need to remember for the vpc flow logs the maximum aggregation interval is 10 minutes so basically your aggregation is a collection of time frames and in that time frame your logs are being captured so that is why it is called as capture window and as i already said aggregation is a combination it is made of small time intervals or small time frames called the sampling intervals the sampling interval is basically the distance or time between which measurements are taken or data is recorded so s1 that you see here has a sampling interval of one minute and a one that we have as the aggregation interval has the aggregation interval of five minutes so it will collect all the log records in that time frame that is the capture window consisting of five sampling intervals similarly we have s2 with the sampling interval of 5 minutes and the aggregation interval of 10 minutes here we have a log capture window of exactly 10 minutes and if you see here and try to understand the flow log works on the principle of the capture window time frame and it can produce more number of flow log records if the maximum aggregation interval is reduced so if suppose i reduce the maximum interval aggregation interval from 10 minutes to one minute it is going to generate a huge amount of log records and for the nitro based instances that you have it is basically by default it is set to one or less and the most important reason why flow logs don't generate logs in 
real time is that once the data is received it takes time to process and push them to either s3 or cloud watch so don't expect that as in when you make changes you might be looking into your screens to have your results published so i hope that was clear and if you have some doubts then please put them on the comment section below and we can have a discussion on that as well i know theoretical concepts can be boring sometimes so let's do a small hands-on demo as well okay so now let's do a demo for the vpc flow logs so here we have the vpc console and if you want to enable logs for this just click on any of the vpc that you want to enable the flow logs and here you get the tab that you can see here like details or cider or flow logs or tags we just come to flow logs and we don't have any flow logs enabled as of now so you just click on create flow log yeah here this is the form that you get okay so now you can just give the name like my flow log demo as i already told you before like you get three ways to actually capture the traffic so it can be either the accept traffic or the reject traffic or the all the all actually combines both accept and reject so we can just choose all and the maximum aggregation interval is set to 10 minutes so i already told you what does that mean so if you want to listen to that once again then please rewind the video so you can have it either 10 minutes or one minute i can just keep it at one minute for now just to capture the logs as fast as i can and then we have the destination the destination to which to publish the flow log so i told you before that is the second step where is the destination isn't it so either i can send it to the cloud watch logs or i can send it to an amazon s3 bucket so first let's create for amazon cloud watch isn't it so okay i'll just choose this destination log group so i can just have one that is already there i can use it the same way or i can create a log group so if you want to create a log group go 
to CloudWatch. So this is basically how your CloudWatch console looks: you have CloudWatch, you have the dashboard, you have the alarms and you have the logs and the log groups. So you need to go to the log groups. So here you have the log groups; I already have default log groups that were created when I was working with Lambda, so don't worry about that. So you can just create a log group as well. So I can just give my demo flow log, never expire, I don't want to give any other settings, so just create this one. So this is my log group and this is the ARN. So now you can just refresh this, and you can see the option here already enabled; this is automatic, isn't it? It's very good.

And one more thing that you need to do here is, if you want to access CloudWatch I think you need to have IAM permissions. Okay, if I don't have this, what you can do is you can just click on Set up permissions as well, so you can choose to create a new IAM role and give a role name, so flow logs role; I don't think you need to change it, just click on Allow, that's it, one click, request sent and response received. So come back and refresh this, now you will have flow logs role, so select that. And the log format can either be the AWS default format or you can have a custom format; you can change this in the way you want it, isn't it? We have already discussed what exactly these do, so don't worry about it, you can change it as well. And now what happens is, if you want, you can choose the log format, you can just choose it among the fields as well if you want to have a custom format, but we will choose the default one. The tag is already given, that's it, just click on Create flow log. Now we have created a flow log, and that is basically using CloudWatch Logs.

And the same way I can just create another flow log by using my demo flow log S3; this will be my S3 flow log, and I can just click on All, the maximum aggregation interval will be one, and I'll send it to the S3 bucket, and it is asking me for an Amazon Resource Name. Okay, let's go back to S3. I think I already have a lot of buckets that I already created, so I can create one more, not a problem. So this will be my log bucket bucket. So I'll choose the region the same, and the rest will be the same, I don't have to do any changes to this one, just give it a name and just save it. Okay, my log bucket already exists, okay, just give something, not a problem, but it should be unique, so you have to remember that, otherwise it will keep failing. Just click on this and you have to copy the Amazon Resource Name, so just copy the bucket ARN here, go back to your VPC console and paste it. That's it, I don't think we need to do anything else, just click on Create flow log. It's a very good thing that we have two right now.

So the main objective for us is... so we have zero objects right now, don't worry about it, within a few minutes or a few seconds you will be getting logs, and we can go back to CloudWatch as well, and we can just go to the log groups, and this group, we'll click on this, and now we have already started receiving logs. That's great, isn't it? Just click on one of them and you can see we have already started receiving logs: this is a reject log, this is a reject log, this is a reject log. So don't get confused with what I just did: I came to CloudWatch, I clicked on the log groups, I clicked on the log group that I had created, just click on this again, and here you are getting the log streams. So log streams is a collection of every time interval or the capture window that you have; if it has any proper data, it will create a stream for it. Okay, so here it has created streams for three. You can click on each of the log streams to see the logs. Okay, don't worry about this, so these are the events that are being captured. You can see this is a REJECT, okay, call. So the first one that you see here is the version number, the version number is two by default, this is my account ID, this is the interface ID that I have, this is the source IP, this is the destination IP it is trying to reach, so this is not mine and I think someone else is trying to use it. So we can just see that as well: this is the source port, this is the target port, this is, I think, for the protocol, 6, I don't know what, I think it is TCP, but okay, so 6 is for TCP, Transmission Control, 7 is for CBT, EGP, IGP, okay. So once you go back then you have the time: start time, this is the end time, this is the type of the request, REJECT. Okay, I don't think there are any accept requests. So but is there a way to check from where these requests are coming, because this will be very interesting for us? So are there any sites that can help us with, um, oh yeah, I can find some IP address trackers, so I can just copy the IP address that I have here and I can just paste it. Okay, so someone is trying to access some of the interfaces we have from China, it's interesting, isn't it? So this is from China, and let's suppose we go back to another instance that we have, the source instance, and just paste it here, this is from London, who is trying to access our instances. Obviously there will be some free public IP addresses that we have, so now people want to access it. This is from Russia, region unknown, city Saint Petersburg.

And suppose I want to do the same for my instance, what I can do is I can go to EC2 and go to the instances that I have, and this is my public instance, isn't it, or you can go to the networking part and you can go to the ENI, and this network interface, what it can do is, as we have already created this VPC flow log, it's already being tracked, you can see here it's already been tracked. But if you wanted to create it for the specific ENI you can do that as well, so you can just click here as well and create it; you don't have to necessarily go to the VPC and create, because that will be capturing the data of all subnets and all the instances. You can go to the interface ID as well and you can create it, so that's one more thing that I wanted to share.

And once you go back to the S3 console then you can just refresh this, and we'll see whether, yeah, yes, we have the logs now. So AWSLogs, this is the account ID, this is vpcflowlogs, the region name, 2020, 11, 16, and this is the log .gz file, isn't it? I can go back, download, just save this. Yeah, so this is the file that we have, so these are the logs that have been generated, this is the same thing I think, but most of the accept requests are there, so it's a good thing for us. So this is the same way you can have it, and you can actually parse this by using Athena, that we have already seen, so you can go back to the Athena tutorials and you can see how we have accessed these logs and we have created SQL scripts for accessing the data and parsing the log files that we have from S3. So this is one way to do it. So now here we have seen two formats or the two ways that we can do: one is for CloudWatch and another one is for S3. So if you want to have it in any way you can do it, either one, or you can have both ways as well and you can send them both to S3 and to CloudWatch, and you can have fun by looking at the logs and tracing out errors and debugging, and have fun with that, isn't it?

In 1546 the word bastion was introduced into the world, and it was regarded as one of the pillars of security in military terms, and these bastions were placed at each corner of the fort to protect the castle from the persistent attacks, making them the strong line of defense. Not exactly like this, but I hope you're getting the point. Even after many centuries this word bastion remains a preventive measure for potential attacks, and the attacks have now changed from the ground to cyber intrusions. For that let's talk more about bastion hosts and let's learn how it can protect our instances. So now let's understand what is a bastion host. By definition, as per AWS, a bastion host is a server whose purpose is to provide access to a private network from an external network, such as the internet. For members who are not aware of what a bastion host is, listen to me very carefully
before trying to decipher the above statement, let's break bastion host into two parts. I hope everyone is aware of what a host is. So a host is nothing but an entity that receives or entertains other people who are the guests, isn't it? But not all guests are good and shouldn't be allowed into the house as well, so for that we use a bastion, which has a rule set which prevents unwanted guests from entering the house. The same way, a bastion host is a server whose purpose is to provide access to a private network for the users who are from an external network, or maybe the public internet. Like the way we see in the visual here, we have the bastion users who want access to the instances placed in the private subnet through the bastion host, which resides in the public subnet. The simplest way to achieve bastion host protection is to allow SSH access only through the IP of the bastion host, by placing the restrictions in the security group of the private instances. And the bastion users that you see here, they actually connect to the bastion host in order to connect to the Linux instances that we have. So as you can see, we have the bastion host placed in the public subnet and all our instances are placed in the private subnet, so they don't have public access, but if they want to access those instances they have to connect to the bastion host, through which they will be able to talk to the private instances. Similar to what we see here, we have our bastion users who want to enter the castle and others who are a potential threat, who don't have the access, and our bastion host prevents them from entering the castle, and thus gives a level of security and authentication to our private instances.

Now let's do a hands-on demo for bastion hosts and let's see how it works. But as we know that the bastion host is basically a server that is present in the public subnet, we have to create an instance which will act as our bastion host, and through which we will be able to talk to the private instances. So let's create our bastion host and let's allow the traffic from the bastion host to the private subnet. So this is our EC2 console, and let's create a bastion host here. So a bastion host is nothing but, I'll just create an instance in the public subnet; so that's the most interesting part that I want to tell you, but it's not the exact way to create a bastion host, there are several other ways to create it, like using proxy authentication as well. So now let's launch the instance. I'll use the Amazon Linux 2, the t2.micro, and I'll create this instance in the VPC demo, and I'll create it inside the public subnet, enable this, and I don't think we have to do anything else, just click on Next, and here this is also fine, just add tags. So here I'll just give it a name, bastion host demo, that's it, just click on Next, and we can create a security group for this one; I'll just give it a name, bastion host security group, that's it, and I'll just allow SSH connection to this one, SSH, and just click on Review and Launch. And here I want to create a new key pair, so this key pair will be bastion, like this, so I can just download the key pair now and I'll just save it. Please don't forget that if you lose this key there is no going back, so please keep it safe. As it has been rightly mentioned here, you will not be able to download the file again after it is created. So now just click on Launch instance. Let's wait for some time for it to come up. So now our bastion host is running.

So the next thing that you want to do is you want to restrict the access for the private instance only from your bastion host. So for that what you need to do, and what I'm going to do, is I'm going to change the security group for this private instance. So go to, so click on private one, that is the private instance, go to Security, you have the security group here, just click on this, and I'll just edit the inbound rules, and I'll allow it from my bastion host security group, and I'll just save it. Now the source only is from the bastion host security group, and here this is not a problem, we have just restricted it to the bastion host.

So now the next thing that we want to do is we want to connect to this instance, isn't it? So now let's connect to the bastion host. Go ahead and copy the public IP address, and here just do ssh ec2-user@, copy this public IP, paste it here, -i and the key, bastion access .pem. Okay, so this key has bad permissions. So what you need to do for this: so this is the file, just click on Properties, so you can see here Security, right? So now you have to edit the permissions. So what you need to do is you need to go to Advanced, I'll just remove all the inheritance from the object, and now I'll just add, and I'll just click on Add and select a principal, I'll add my username, click on Check Names, yeah, I got it, so read access and read, okay, just apply this and save it. Now go back to the terminal once again, yes, you're able to connect. So remember, if you face any problems for bad permissions in Windows you can just do what I did, or if you are on Mac then you can just do a chmod on the same file and you can just change the permissions, that will work, not a problem.

So now this is the bastion host that we have here right now; this is nothing but the public instance, and we have to go back and we have to check the IP address of the private instance that we have. So go back and click on the private IP and copy the private IP of this one and just come back. But one more thing is, here also we have a private instance that uses a private key, so we have to make use of that. So I have to just copy the same private key that I'm going to use to connect to the private instance, just cd to /home/ec2-user, and I'll just create an ec2-key here. Now I have to change the permissions as I told you before, ec2-key, so what I did: chmod 400 ec2-key.pem, that's it. So now what I have to do, I have to just type ec2-user@, I'll just copy the private IP that I have and I'll paste it, -i and ec2-key, just enter, that's it. Yes, now we are able to talk to the private instances using a bastion host.

But you might say that we can use any other public instance that we have and try to connect to the private instance, because it can work that way as well. But we have added this to the security group for our private instance, so this should work only through this bastion host. But if you want to test, I can test it again: I have a public instance here, and I'll try to connect to the private instance through this one. So I'll just close it and I'll open this one, and this is the public instance that I have, I can just copy the public address of this one and I'll try to connect to this. Okay, so from here I try to connect to the private instance, let's copy the IP address, now we'll do ec2-user@ IP address -i ec2-key. No, you cannot connect to this one, because the access is only through the bastion host. Isn't it interesting? But this is not the exact way we create a bastion host in real time, or the real-time scenario, or with security hardening, but this is a simple way to understand how a bastion host actually works.

When it comes to working from home or working away from the office, there are very few ways to talk to your office servers, and the same goes with connecting from your AWS cloud to your on-premise hosted environment, but nonetheless there are ways to achieve this, and that's what we are going to discuss today. Thanks again for joining in for today's session of AWS, where we will talk about AWS Site-to-Site VPN, and we'll get to know more about the connectivity to the cloud. When it comes to hybrid architecture, we mostly think of having a part of our environment or infrastructure hosted on the cloud and the other part on our very own on-premise servers, but remember that when you hear the words Site-to-Site VPN the focus should be more on the word called VPN, which is a virtual private network, and the
VPN connectivity utilizes the public internet, which can have unpredictable performance and, despite being encrypted, can present security concerns as well. But I don't want to confuse you right away; let's talk more about the Site-to-Site VPN. In addition to being a solution for our AWS cloud to on-premise connectivity problem, the Site-to-Site VPN helps you to enable access to your remote network from your VPC by creating a Site-to-Site VPN connection. As I already told you, the VPN might use the public internet; to keep your connection secure, Site-to-Site VPN actually supports Internet Protocol Security, or what we call IPsec VPN connections. Okay, so you might ask me what is IPsec. So the term IPsec, as it's rightly formed, IP is for Internet Protocol and sec stands for secure, and these are a group of protocols which make device connection over a public internet more secure by encrypting the IP packets and authenticating the source where it has been sent from, and mostly it is used for VPNs for secure connectivity.

And there are a few very important concepts that we must learn, and which are very useful for the exam as well. So the first one is VPN connection, the second one is VPN tunnels, the third one that we will also discuss is customer gateway, customer gateway devices, and virtual private gateways and transit gateways. Don't worry, we will be discussing them one by one, so please watch the video till the end. And there are a few more important pointers that are mentioned here: when working with the Site-to-Site VPN you need to remember that IPv6 traffic is not supported for VPN connections on a virtual private gateway. And the next point is also very important: when you are connecting your VPC to common on-premise networks, make sure you don't have an overlapping CIDR block. And the next important point that I wanted to mention was, when it comes to path MTU discovery, AWS doesn't support that; mostly that is used for avoiding IP fragmentation. So you should remember this as well.

And before moving on to the VPN connection and VPN tunnels, let me ask you one thing: do you know what is a tunnel? So now let's understand what are tunnels and why are they used so commonly in networking. When we think of connecting two places or cities and there is an obstruction in between, the most suitable approach is to dig a tunnel in the hill or the mountain that is creating the obstruction, making the way for people to travel across the places. But what if two similar networks want to talk to each other? In networking, a tunnel, or tunneling, helps the movement of data across networks, allowing private network communication over the public internet. And the best real-time example would be an SSH tunnel, which we use to connect to our customer's environment by using a jump host, which allows us to connect to the host we need using the private network communication. Yes, there are a few security steps also involved; I am just stating an example here. The data packet gets encapsulated and is sent via the multi-protocol router A, which has the address of the router B; then from the router B, as the packet gets removed, it is sent over the communication lines to host B. In some cases we will also refer to this as port forwarding. So you need to understand that the host does not have to worry about the way it's transported; it knows it will be secure enough to reach the destination. I hope it was clear.

Let's move on to something else that I wanted to ask you. I wanted to ask you one more thing: do you know what is a VPN? So let's talk about that. So what is a VPN? I know most or all of you might be working from home, and if you are not, I think it applies for both, as I'm sure you might be browsing some of the educational sites, yes, very educational sites, I'm sure you know what I meant, by enabling something called a VPN. So you might be using an application like NordVPN or Secure VPN or OpenVPN, and most companies use Cisco VPN for office work. So you choose the location and you connect to that site using the VPN client, and if that's the VPN client, or if there is a VPN client, then there will be a VPN server, isn't it? So the locations that you see are a source for your VPN server. Let's take an example of a developer trying to work from home and trying to connect to their office network. We all know that public access is not secure and no company allows direct public access to its network. So now let's see what happens when we use a VPN. When the developer wants to connect to the server, it makes a request and the static route sends it to the VPN client. Your VPN client then encrypts your data traffic and sends it to the VPN server through a secure connection, and the encrypted data that you had sent is now decrypted by the VPN server. When it comes to sending the data back, the data traffic is then encrypted again by the VPN server and is sent once again to you using the encrypted VPN tunnel. Now you know why I explained to you about the tunnel, and that's how a VPN actually makes your data transfer or communication secure. And before moving forward I want to share a very important thing: any action that you do online can be traced with the unique IP address that you have; that is something that can be avoided by using VPNs, but it doesn't make you invisible, but yes, it's far more secure than browsing without a VPN.

Now that you have an idea about what a tunnel is and how we make use of the encrypted tunnels using VPN, let's understand how does this Site-to-Site VPN work. When it comes to Site-to-Site VPN, AWS offers two VPN tunneling mechanisms between a virtual private gateway or a transit gateway on the AWS side and a customer gateway on the customer or the on-premise side. So the idea here is that you can create your virtual private gateway or transit gateway and connect to your on-premise services using the customer device and customer gateway, and here we have to consider four major components: one is the virtual private gateway, second is the transit gateway, third and fourth I will combine them and tell that customer gateway device and the customer gateway.

So let's start off with virtual private gateway. For a successful VPN connection with the on-premise or customer network, with the customer gateway, you need a VPN concentrator at your AWS VPC side, and VPN concentrator means it is a special type of router device that helps create a VPN connection and it also manages it, so this can actually help you create or terminate VPN connections. So a virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. For this to work you create a virtual private gateway and attach it to the VPC from which you want to create the Site-to-Site VPN connection. As you can see here, we have two things, or we need two things: one is the virtual private gateway at the AWS side and the customer gateway on the on-premise side. And when you create a virtual private gateway you can specify the private Autonomous System Number, which is also called ASN, for the Amazon side of the gateway, and if you don't specify an ASN the virtual private gateway is created with the default ASN number, that is 64512. So ASN is basically an IP routing prefix used for controlling routing within the network and to exchange routing information with other internet service providers; these are both private and public, and you will have a public ASN and a private ASN as well, but that's a totally different or a totally separate topic to discuss, and you can read more about them in the documentation as well, so we will not go there. And there are a few other pieces of information given about ASN: so if you created your virtual private gateway before July 2018, the default ASN is 17493 in the Asia Pacific (Singapore) region, and 10124 in the Asia Pacific (Tokyo) region, and 9059 in the Europe (Ireland) region, and 7224 in all other regions, but for now the default ASN is 64512. When it comes to multiple VPCs, you need to create a virtual private
gateway for each VPC and attach it to them in order to make a VPN connection with the customer gateway, and for high availability we have two tunnels providing the channel, an encrypted link where data can pass from the customer network to and from AWS. This is one of the overheads, along with the lack of scalability, that was solved by transit gateways, so let's move on to that.

If you don't want to go with the virtual private gateway approach, you can as well follow the transit gateway architecture style of VPN connection. A transit gateway is a transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. If you know what a hub is, it actually helps us connect multiple devices, so a single contact point, isn't it? The transit gateway here helps us to simplify the connectivity between multiple VPCs and also connect to any VPC attached to the AWS Transit Gateway with a single VPN connection. There is an option that Transit Gateway provides us to scale the IPsec VPN throughput using equal-cost multipath, or what we call ECMP, routing support over multiple tunnels, with the help of which you can scale beyond the maximum throughput of 1.25 Gbps provided by a single VPN tunnel. But in order to effectively use it and get the advantages of scalability, you must ensure that you have enabled the dynamic routing option. As you can see here as well, we have multiple VPCs connected to the transit gateway, and then with the VPN tunnel they are able to have a secure communication channel. So I hope it was clear. Please remember that a transit gateway is a transit hub that you can use to interconnect your VPCs and on-premises networks. Let's move on.

Now let's come back to the customer side of the connectivity and let's talk about the customer gateway and the customer gateway device. A customer device is rightly a device that you own, on my side or the customer side, which is a physical device or a software application that helps you complete the connection for the Site-to-Site VPN connection. This must be configured at the customer side, and this information will be used at AWS to create the customer gateway. So a customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network. Here, as we can point out clearly, we need contact points at both sides of the spectrum, which completes the channel, and the customer device acts as one of them from the on-premises side. You need one from the AWS side and one from the customer side, and the customer gateway or the customer device acts like the one from the on-premises side. Here we can see that the VPN connection goes to the virtual private gateway over the secure channel, and the two lines that you see are the tunnels for the VPN connection. The customer device that you see comprises the IPsec encryption and decryption mechanism, which is inbuilt, and two tunnels, which are used for high availability: if there is a device failure within AWS, the VPN connection automatically fails over to the second tunnel so that your access isn't interrupted. I hope that was clear, so I'll repeat that once again: a customer gateway device is rightly a device at your on-premises side and not on your AWS side. Remember that it's rightly a device that you own, on my side or the customer side, which is a physical device or a software application that helps you complete the connection for the Site-to-Site VPN connection that you create, and the customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network. So I hope it was clear. Let's move on.

One more very interesting thing that was launched that has helped companies a lot is Accelerated Site-to-Site VPN connections, and yes, whenever you read about "accelerated" in AWS you know there will be an edge location or Global Accelerator running around in the vicinity, isn't it? Yeah, so jokes apart, if you wish to enhance the experience of your users or customers on your on-premises connectivity, you have the option to enable acceleration for your Site-to-Site VPN connection. Here the Site-to-Site VPN connection uses AWS Global Accelerator; as I already told you, there will be an edge location of Global Accelerator running around, so here it comes. The Site-to-Site VPN connection uses AWS Global Accelerator to route traffic from the on-premises network to an AWS edge location that is closest to your customer gateway device, which obviously will make use of the AWS global region to connect to the edge location, and as we know AWS Global Accelerator enhances the network path, you can rest assured to have a congestion-free, best application performance. By default, acceleration is disabled when you create a Site-to-Site VPN connection, but this can be achieved when you enable acceleration while creating a new Site-to-Site VPN attachment on a transit gateway, as shown in the visual here. This architecture actually consists of three important elements. The first one is the AWS Region, where you have multiple VPCs connected to the transit gateway. The accelerated Site-to-Site VPN connection uses AWS Global Accelerator to determine the optimized path to route traffic from the on-premises network to an AWS edge location that is closest to your customer gateway device. And if you have noticed, mostly the VPN connections are not that fast compared to a free connection; this actually can improve the situation at hand. So I hope you got a clear idea about what the difference is between the virtual private gateway and the transit gateway: in a virtual private gateway you have to attach a VPN connection to each of the VPCs that you want to have a VPN connection for, and with the transit gateway you can actually create a hub which has inter-VPC communication with the VPCs that you want to connect, and they don't need to create separate VPN
connections. So now that you know how things work theoretically, let's see how they are done using the AWS console. This is going to be a very short hands-on demo, because we don't have the money or the infrastructure to actually create a VPN connection, but I'll just show you where you can actually go and see how it's being created.

This is your VPC dashboard. As you all know, we have a VPC dashboard, and here on the left-hand side you have the option for Virtual Private Network, or the VPN, which is what we discussed, isn't it? So let's suppose we have an imaginary company and we want to connect our on-premises network to the VPC. The first thing that we need to do is create a customer gateway, isn't it? So we'll click on Customer Gateways, and if you don't have anything you will just get a button here to create customer gateways, and you can just click on this to create the customer gateway. You have to just provide the name, and here you can choose between dynamic routing or static routing. If you choose dynamic routing, basically it will be using the BGP ASN, or autonomous system number, that I already told you about, and you can provide your ASN, which can be either public or private. It can be static for now. You can provide the IP address, the device name and the ARN of the certificate, and you can provide the device: enter the name for the device that hosts this customer gateway. So this customer gateway actually needs your customer device, and it needs all the information regarding the customer device that you can get, based on which you can create the customer gateway for yourself. Once you fill in the details, you can click on the Create customer gateway button and it will create a customer gateway for you. So now the customer part is done, and we have to come back to the AWS part. Here we can choose either transit gateways or virtual private gateways, but today I'll just talk about the virtual private gateways, because I want to create a separate video on transit gateways, as I think there is a lot more to discuss on that part. So for now you can just click on Virtual Private Gateways, and if you don't have anything then you can just click on Create virtual private gateway. Here you have to just provide a name, and you have to provide the Amazon default ASN or a custom ASN. I told you before: use the Amazon-provided ASN for BGP on the Amazon side, okay? So for dynamic routing you have to choose the Amazon default ASN, or you can provide a custom ASN for yourself. Once you have created this virtual private gateway, what is the next step? To create the Site-to-Site VPN connection, isn't it? If you have to create a VPN connection, you have to just click on this and give the name that you want. "Creates a tag with key equal to Name and value set to the specified string," so whatever name you give, it will create a tag with the key called Name. There you can just specify whether you want to choose a virtual private gateway; if you choose a virtual private gateway then you have to select it from the drop-down, if you have already created it, so it'll list the name of the virtual private gateway with the ID. If not, you can just choose the transit gateway, so the settings will vary a bit depending on what you choose. As we have created the virtual private gateway, we can choose the virtual private gateway here, and here you can choose an existing customer gateway ID or create a new one. Here I could choose the one that I have created, but as you can see we haven't created anything, so it is saying "no results found"; but in case we had created one, then it would show in the drop-down so we could have selected it, not a problem. Here as well I can choose the routing mechanism that I want; it can be either BGP or static. Here are the tunnel options we have for IPv4 and IPv6: you have to provide the local IPv4 network CIDR and the remote IPv4 network CIDR, and here there is a tunnel option, so you can customize the tunnel inside CIDR block and provide the pre-shared keys for your VPN tunnel, and if you don't specify them they'll be randomly generated by Amazon. So if you don't provide this, it'll be generated by Amazon, so don't worry about this. There is one more interesting thing that I want to show you: there are additional options for tunneling, and if you don't use the default option you can actually edit and make use of all these encryption algorithms that you want, and you can make your changes or customize this as per your requirement. This is a lot of other, additional information that we are not going to discuss today, but I think we can make a separate video when we start the series on networking itself, isn't it?

As we won't go ahead and discuss transit gateways, you can just click on Transit Gateways. Here you have the option, if you want to create it: you will provide the name, you will put the description, you will write the ASN, and you have all these options, whether it should support DNS, and I told you about ECMP support, VPN ECMP support, that is for multiple VPN tunneling, which actually enhances the single VPN tunnel capacity of 1.2 Gbps and increases that capacity so that you can have scalability in place. This also you can enable, and you can add it to the default route association table, and you can also have multicast support, and all these options you can have; once you're well aware of what exactly you need, you can come here and configure this as well. Once you have created this transit gateway you can come back here, and once you create it you can choose the transit gateway that you want and select it from the list. So that's it, actually; I
don't have much to discuss here, because we don't have the money or the infrastructure to actually create anything and showcase how it actually works, but this is the way that you can do it. And for customer gateways, if you want to create any customer gateway, or you want to know what the supported ones are that Amazon has already tested, then you can just Google that and you can see the list of devices that are currently supported. These are the example configuration files: your customer gateway device can be physical or a software appliance, and these are examples of some of the devices that have device-specific configuration files in the Amazon VPC console, so you can use these, not a problem.

With Site-to-Site VPN everything was rainbows and unicorns, but there was a question still unanswered, which was: what if I don't need this public internet, and what if I needed something more secure, like private connectivity, which could improve everything for the better? Not exactly, but I hope you're getting the point. Thanks for joining in for today's session of AWS, where we will talk about AWS Direct Connect and AWS Direct Connect gateways, and we'll see what it has to offer.

Okay, let's read this statement first: AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. That was a lot of words, isn't it? But the most important part here to consider first is "dedicated network connection"; the second one is the name itself, which is Direct Connect; and the third one is that it is a cloud service solution. When you combine the first two terms and think about it collectively, you realize you are talking about something that is a direct connection and a network connection that is, for all purposes, a dedicated one. So what does it mean? It means that you will have a secure channel using a dedicated network connection directly pointing to your AWS cloud infrastructure. So if I put this question to you, then how would you imagine it? Yes, you will think of this in a way that can help you establish a private or dedicated direct connection between AWS and your data centers or your office networks. Unlike the Site-to-Site VPN that we discussed in the previous episode (so if you haven't watched that, then I would request you to please watch it), we are not talking about a connection over the public internet space, and you should remember this point very clearly. The third one is that it is a cloud service solution; when you think about cloud and service and solutions, you should always remember that this is something that AWS will help you with, and you don't have to route it yourself, as it will provide you with a service that can help you create your own AWS Direct Connect. Don't worry, there are a lot of steps that go into creating the Direct Connect, and we will discuss them in detail moving forward. So now let's read the statement once again: AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your on-premises to AWS. I hope you got a better context for this statement, as we have done a small explanation as well. Along with providing a feature set that can help you establish private connectivity between AWS and your data centers, it also helps you to reduce your network cost. Imagine setting up optical fiber connectivity on your own, or creating multiple data centers at various locations; that would be really hard and expensive, isn't it? It will also help you increase the bandwidth throughput, and most importantly, it will provide you a more consistent network experience than internet-based connections. As I told you, Direct Connect provides a dedicated connection from your on-premises or data centers to AWS; it basically lets you connect to the AWS Direct Connect locations, as you can see here in the image as well, and these dedicated connections can be partitioned into multiple virtual interfaces with the help of industry-standard 802.1Q VLANs. We know that VLANs are much more efficient compared to LANs, as they are very much coupled with their broadcast domain; I don't want to confuse you here, so please just remember that using industry-standard 802.1Q VLANs, the dedicated connections can be partitioned into multiple virtual interfaces. And what's the best use of it then? Yes, the multiple virtual interfaces that you have allow you to use the same connection to access both public resources, such as S3 or Glacier, and private resources, such as EC2 running in your private VPCs, or the VPC within the private IP block. Yes, this is like one shot and two targets, cool isn't it? As you can see here in the visual as well, we have shown how the connectivity is established from the on-premises network to the AWS Direct Connect locations, and there are a lot of locations also to choose from, and they should be co-located with yours, and you can check the list in the documentation as well. With the help of the multiple virtual interfaces we are able to access both resources, as I already told you, so one will be private and the other one will be public. Okay, so I hope you got some idea about this. Let's move on.

As I already told you, we connect our on-premises networks to the AWS Direct Connect locations. It is not that simple, and there is a lot of ground stuff that goes into this as well, so let's try and understand that. The main idea of connectivity in Direct Connect is that it links the internal network that you have to an AWS Direct Connect location over a standard Ethernet optical fiber cable. When I say this, you might jump up to me and ask, "you just told us that we won't do anything, it's AWS who is going to do the things for us." Wait, wait, wait, just let me finish, okay? The way the Ethernet optical fiber connection works is that one end of the cable is connected to your router at your location and the other one to an AWS Direct Connect router, and that is how you create the virtual interfaces. But before moving forward we need to understand how it is actually done at the base level itself. AWS provides us with a separate service altogether to create our AWS Direct Connect, and here we take the decision of what Direct Connect location we are going to use and the connection size that you need. There are two approaches to create the Direct Connect connection: one is a simple setup and the other one is using the wizard, which gives us more options to customize, which we will check out in the demo as well, so don't worry about that. Then we will create the connection request based on the requirement that we have; and after you have done this, as I already wrote, then you will create the connection request based on the requirement that you have. Once you have done this, the second step or the second phase that comes along is the letter of authorization, and what we will do here is download the letter of authorization from the console. I know you might be getting confused here, but understand this very carefully: we are trying to set up a secure dedicated connection and not a shared connection, so for that we need people to set up the connectivity for us from our network to the AWS Direct Connect location. For that we need the help of AWS Direct Connect Partners, or the AWS APN, which is nothing but the AWS or Amazon Partner Network, which is basically your global community of partners who leverage Amazon Web Services to build solutions and services for the customers. At every data center that AWS has, or any of the services that they provide, they tie up with companies to provide a solution; for example, in India we have Tata Communications for AWS Direct Connect. And don't get confused between AWS Direct Connect locations and APNs, okay? They are different. So we need to make use of either AWS Direct Connect Partners, that is the hosted
connection, or you can make use of the APN, that is the Amazon Partner Network. Once you download the LOA, or the letter of authorization, you need to give it to the APN partner network so they get the approval to create the cross-network connection at the AWS Direct Connect location, which is also known as a cross connect. Remember that term very carefully: that is basically called a cross connect. Moving on, once all this is done, you can create the virtual interfaces so that you can access your private and public endpoints from the office space as well. So this is how the ground reality of the Direct Connect connection looks. I know I might have missed a few things, but I believe this is more than enough, so don't worry about that. The first step: create the connection request using the AWS Management Console. Then you download the letter of authorization and pass it on to the Amazon APN or the Direct Connect Partners, and you configure the interfaces, which is basically to create public and private interfaces so that you can access both resources, the private and the public one. So I hope you got the point. Let's move on.

Now let's jump into some benefits of using Direct Connect. The first one is reduced bandwidth cost: with AWS Direct Connect you can reduce the bandwidth cost by a huge margin, because now you don't need to pay the intermediary cost, as you have a direct connection to AWS, and then the data transfer rates with Direct Connect are mostly cheaper, so this is a very good thing to have. The second one is consistent network performance: as we know, with Direct Connect you get the dedicated connection, which reduces the overheads with network lags and propagation; in a way it provides more stable and consistent network performance. The third one is private connectivity to multiple VPCs. This is an interesting point: we spoke about multiple virtual interfaces, and using that we can also create connections to multiple VPCs as well. Scalability is very important, even if you have a dedicated connection: if you want to avoid the low data transfer rates with VPN, you can replace it with your Direct Connect, and Direct Connect provides you with 1 Gbps and 10 Gbps connections, which are way faster, and yes, you can provision multiple connections as well. The fifth one is compatibility: as this is a service provided by AWS, it's compatible with mostly all the AWS services that are over the internet, like EC2, S3 and VPC. Let's move on.

Okay, so the next thing we need to understand is when to use Direct Connect. The first use case is while working with large data sets. As we have already discussed, with Direct Connect you get the dedicated connection, which reduces the overheads with network lags and propagation; in a way it provides more stable and consistent network performance. So when you're working with a huge data set and you need to transfer it, if you are using an ISP it is going to be really expensive and constrained as well, but with Direct Connect we can transfer it directly to the premises data centers, and with much faster speeds. The underlying thing is that you actually bypass your ISP and you get your data transferred, and that is why it is very fast. The second case is real-time data feeds. You know that when it comes to real-time data such as audio or video feeds, latency can act as your biggest enemy or your biggest friend; it depends on what rate it is running at, so if it is high then it is your biggest enemy, and if it is low it can be your biggest friend, and that's what Direct Connect helps us with: as this is a dedicated connection, you can control how the data is being routed, so in this way you can reduce a lot of latency and make it more consistent. The third one is the most obvious one, that is a hybrid architecture: with Direct Connect you can have your own private dedicated connections, which maximizes the benefit of cost and minimizes network overheads, ensuring that you have secure connectivity between your data centers and the AWS cloud.

So now that we have some idea about the whats and whys of Direct Connect, let's come back to the how part and understand how Direct Connect works. As you are already aware, AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet optical fiber cable, in which one end of the cable is connected to your router and the other one is connected to an AWS Direct Connect router, isn't it? There is a statement that is really interesting and important and has been mentioned in the documentation as well: an AWS Direct Connect location provides access to AWS in the Region with which it is associated. Okay, I'll repeat that once again so you can just let it sink in: an AWS Direct Connect location provides access to AWS in the Region with which it is associated. And you might ask me how. Direct Connect, as you may not be aware, is a global service, so let's clear that out first, but you need to make a choice on the location that you want to use as part of your Direct Connect location, and that is the way it actually provisions resources closer to the customer. That is why, even though the service itself is global, the locations are specific to the Region; there may be more than one Direct Connect location in a Region, and there is no harm in checking that out, isn't it? So now that we have our AWS cloud, let's bring up our AWS Direct Connect location. This is how the Direct Connect connection looks: you have the Direct Connect endpoint in the AWS cage (a cage is like your rack or site, I hope you're getting the point, isn't it?), which is
connected to the customer or partner router in the respective cage, and which creates a connection to the premises network or the customer network that you have. Here we need to discuss two main components: one is the connection and the other one is the virtual interfaces themselves. When we talk about the connection part, we know that we create a connection from the on-premises network to the AWS Region or the Direct Connect location, and here as well we have two segments: one is the dedicated connection and the other one is the hosted connection; we will talk about them in detail next, so don't worry about that as of now. Moving on, we have the virtual interfaces that you see here as well: we have VLAN 1 and VLAN 2, where VLAN 1, that's the blue one, denotes the private virtual interface, and VLAN 2, which is green, denotes the public virtual interface, which helps us to connect to public resources such as S3 and S3 Glacier. On the customer side we have the customer router or firewall, which completes the connection as a whole, and the people sitting on the customer end are able to access the resources stored in the cloud, that is AWS. I hope you got some idea of how Direct Connect actually works. This may not be required in so much depth for the exam, but I wanted to share it nonetheless; it may help you in the future when you will be working in AWS or with Direct Connect. So you have the customer router, which connects to the AWS Direct Connect location, and the Direct Connect location actually gets connected to the AWS Region that you have. This is a completely secure line or channel, and this is completely dedicated, and you are the only one who is going to use it, so that is much more secure for yourself, but yeah, it may cost you for the connection and everything for the usage, but it is way more secure than using the public internet space, which we were doing using the Site-to-Site VPN. Okay.

I just told you a few moments ago that I'll tell you about Direct Connect connections, so here it is, let's talk about that. We discussed at length how AWS Direct Connect helps us to create a dedicated connection between the on-premises and the AWS Direct Connect locations, so what are these connections actually called? We have two types of connections here: one is dedicated and the other one is hosted, so let's understand the differences here. When you compare both of them, the biggest difference that you would see between them is that with dedicated connections you as a customer can request a dedicated connection using the console or API, and AWS creates the physical Ethernet connection with that single customer, that is you; but in the hosted one, what happens is that you directly contact a partner in the AWS Direct Connect Partner Program, who will create the physical Ethernet connection on your behalf, so the partner associated with the Direct Connect Partner Program will have the provisions to do that. Other than the location we have another aspect which is really important, that is the port speed. If I say this, you will ask me, okay, what is port speed? You are going to be really surprised by the answer, because you already know the answer: port speed is the maximum speed at which the data is transferred, like your bandwidth speed, which obviously depends on the port speed value that you have; that's as simple as it can get. For the dedicated connection, the possible port speed values are 1 Gbps and 10 Gbps, and you cannot change the port speed after you create the connection request. For the hosted connection, you have values ranging from 50 Mbps, 100 Mbps, 200 Mbps, 300, 400, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps and 10 Gbps, and here the AWS Direct Connect Partners who have met a specific requirement may create a 1 Gbps, 2 Gbps, 5 Gbps, up to 10 Gbps hosted connection. Here as well you cannot change the port speed after you create the connection request. So this actually gives you an idea of how the speeds are going to vary and what customizations you can do, or what exactly is your requirement and what amount of speed you need, and based on that you will be charged, so make sure you make the proper decision as per your requirement: you can go with the dedicated connection or the hosted connection as per your requirements.

Till now we spoke about how we can create a single Direct Connect connection for our usage, but what if we want more resilience? For that we need redundancy, so how are we going to achieve that in AWS Direct Connect? With AWS Direct Connect you can make use of a LAG, and that is not like your lag in the sense that you are lagging behind or something like that, don't consider it to be that; the full form of LAG is link aggregation group. If we want to make use of multiple connections and make them redundant, but they should basically act logically as a single connection, for that we make use of the LACP protocol, that is the Link Aggregation Control Protocol, which helps us to aggregate multiple dedicated connections at a single Direct Connect endpoint. Okay, I'll repeat this once again: using the LACP protocol, that is the Link Aggregation Control Protocol, we can actually aggregate multiple dedicated connections at a single Direct Connect endpoint. Remember, even though they are two different connections, we combine them into a single managed connection, thus increasing the throughput beyond what a single connection can provide. The LACP protocol existed before all this as well, and we are just making use of it to aggregate connections so that we can benefit from it; it's not something that AWS has created on its own, just like other things as well, isn't it? That's cool. So you can see we have
the single connection, or a single Direct Connect endpoint, here from the AWS side, and we have four dedicated connections, that is connections one, two, three and four, and what we have done is we have taken two connections and created a LAG. See, when I use this term LAG, don't go ahead and think about lagging; just imagine the full form now, okay? LAG is basically your link aggregation group, so think of aggregation: when I say we create a LAG, think of an aggregation group, which actually terminates at a single location, that is our Direct Connect location. We have connections one and two forming LAG 1 and connections three and four forming LAG 2, but they are visualized as single connections, even though they are formed with two dedicated connections each. With this you can just use and maintain two LAGs, or two LAG connections, instead of using four dedicated connections; that's quite impressive, isn't it? So now you have to just manage two LAGs, not four dedicated connections; logically they are actually like four connections, but you have aggregated them into two each, so that it is easy to use and it is highly effective with redundancy. With this you can use and maintain two LAG connections instead of four dedicated connections, and that's really important for us. But before using this you should understand a few more caveats, or else you might face issues or you might have to make some changes in your design. The first one: all connections must be dedicated connections and have a port speed of 1 Gbps or 10 Gbps; by now you should be aware of what this port speed is, so I feel we are all good here. Because it can create a bottleneck, it's advised to have the same port speed for all the connections: all connections in the LAG must use the same bandwidth, so that's quite evident, isn't it? The third point is that you can have a maximum of four connections in a LAG; each connection in the LAG counts towards your overall connection limit for the Region, so that completes your quota of four connections in a LAG, and that is why it is said that you can have a maximum of four connections in a LAG. The fourth point is also very self-explanatory: all connections in the LAG must terminate at the same AWS Direct Connect endpoint. "Terminate" here doesn't mean like the Terminator; we are not at war here, okay, we are not destroying anything. "All connections in the LAG must terminate at the same AWS Direct Connect endpoint" means that there is a connection point, okay? Imagine there is a connection point where you connect your physical line, and all the connections should be plugged into that point or endpoint, so from there other connections can be created or devices can be plugged in, and that's what connection termination means. In the same way, I want to tell you that all connections in the LAG must terminate at the same AWS Direct Connect endpoint.

Coming back to yet another very important feature: we saw LAGs in Direct Connect, which actually help us with redundancy, but what if we want to connect multiple VPCs to a single Direct Connect endpoint and make use of it? Yes, you can do that, and for that you need to make use of AWS Direct Connect gateways. Before that I want to tell you something about Direct Connect: remember that a Direct Connect gateway is a globally available service; you can create the Direct Connect gateway anywhere, in any Region that you have, and access it from all other Regions. Remember this point very carefully, okay? A Direct Connect gateway is a globally available service or resource, and you can create the Direct Connect gateway in any Region and access it from all other Regions. Having said that, let's see the example here. We have a VPC in us-west-2, that's on the left-hand side, and on the right-hand side we have another VPC in us-east-1, and to have them connected to the Direct Connect endpoint we need to create virtual private gateways across both VPCs, so that we can have a connection point channel which is secured; that is also called your virtual private gateway associations, as you can see in the image as well, the highlighted ones. Now that we have created the virtual private gateways, or the associations, the next thing is to connect the gateway to the Direct Connect location, isn't it? For that we have created the private virtual interface to connect our Direct Connect location and the Direct Connect gateway, and that location will obviously have a connection to the customer gateway, just like we had in the previous one. In a normal situation also, you will have a Direct Connect location actually connected to the customer gateway or the customer network, which actually creates the Direct Connect connection, isn't it? But here what happens is we are not connecting the Direct Connect endpoints directly to the VPCs; we are just using the Direct Connect gateways to connect more than one VPC to it. As you can see, we have two VPCs, us-west-2 and us-east-1, and both of them have the virtual private gateways and the associations to the Direct Connect gateway, and that is actually connected using the private virtual interface to the Direct Connect location, and the Direct Connect location is connected to the customer gateway. So we have a channel here till the Direct Connect gateway, it's a single path, and from there you can connect multiple interfaces or multiple VPCs; that's the whole idea. In this process you have to consider a few things: you need to choose the VPC that you're going to associate it with, and you need to ensure that you have your virtual private gateways created to create the associations, and once you have all this, go ahead and create your Direct Connect gateway. There is one more thing that you need to remember here very carefully: there is no property of being transitive, and remember that even if you have an association with your Direct Connect gateway, it doesn't allow you to connect to other VPGs, or the virtual private gateways, to communicate with each other, okay? So it's just like not being transitive, so make sure you keep this in mind: it is not meant to connect virtual private gateways, but instead it is used to connect your on-premises to the AWS cloud. You might ask me, should I create Direct Connect gateways in a specific location? Don't worry about that; as I already told you, it is a globally available resource, you can create it in any Region you want and access it from any other Region, and that is why you are able to connect VPC 1 and VPC 2 with the same Direct Connect gateway location or connection. I hope that was clear. Let's move on.

Okay, that was all about the concepts; now let's get some hands-on demo for these services. I hope you are excited for this, let's jump into the AWS console now. Okay, so this is your AWS VPC console. If you're new to this and if you haven't watched the previous episodes on VPCs, just remember this very carefully: the correct VPC that you have here is based on the location that you have, so this is the Mumbai location that we have here, ap-south-1. Now the status is "Service is operating normally," so that's well and good, you don't have any problems, and everything that you have created on your own, or that has been set by default, will be listed here. We previously discussed Site-to-Site VPN connections and virtual private gateways, and there is one more service that we need to discuss today, that is Direct Connect. Just search here; now there is a change in the UI, as you can see, in that you get to search directly from here, otherwise we used to go here in the service panel and search the same, so now you can do it directly from here, not a problem. Just click on Direct Connect. This is the starting page that you will get if you have not created any resources; but if, suppose, actually I don't know what's the property of this website, if you have visited it once and if you haven't created
any resources or anything also will just take you to the actual page itself so this is the one that actually you need to see if you haven't created any connections yet so here it actually tells you that it lets you establish a dedicated network connection to aws and connects directly to an aws device from your router at aws direct current location so this is the connection that we want to create so the router that you have for aws will be at the aws directory location and your router will be it will be at your place or your office at your data center okay so don't worry about that then you have to just click on create connection see so here there are two options that we get to create the connection one is the classic and one is the connection wizard so what does it say so the classic says that create connections one at a time best for augmenting an existing setup so we don't have this existing setup yet but if suppose i had to choose this then what i have to do i have to provide the connection name like my connection i'm not going to create it so don't worry about that because we don't have any company or we are not affiliated to any other organization so that we can create one so we'll just see the features or the form that we are getting to create one okay so there's a location so location in which your connection is located so you can just choose one from here based on the so if suppose it is in hyderabad you can just click on hyderabad so as you can see here this is the global service and it does not affiliate itself with any other region specific so you don't have to worry about this you can just create it in any region that you want so this is your location and this is a port speed that i already told you the desired bandwidth for your new connection so it can be like 1 gbps or 10 gbps okay so if it is on premise so you connect through an aws direct net partner or you can just uncheck this so it will just choose the apn partners so if you want to choose the 
direct connect partner you can just select that and you can choose the service provider so with that actually i told you before that in india we have data communications working as the direct connect partner the tata communications is the one whom you are going to hand over the loa or the letter of authorization and these are the people who are going to create your connection and you have to hand over the loa or the letter of authorization to them in post which you can add additional settings like tag so you can just add a tag by giving name and the value so this is all about the classic connection and let's suppose i want to have a more precise wizard like structure that i want to use so i can just choose the connection wizard which actually create connections using your resiliency recommendations recommended for new setups so if this is your new setup then just click on this you see there are three options here that is what i wanted to tell you before but i did not say that because anyways we were about to discuss this in a demo so so the first one is maximum resiliency so maximum resiliency for critical workloads so if you can just read this you will understand what exactly it is trying to tell you so you can achieve maximum resiliency for critical workloads by using separate connections that terminate on separate devices in more than one locations as shown in the figure this topology provides resiliency against device connectivity and complete connection failures as well so what exactly it tells us that you have more than one direct connect locations this endpoint fails or this end point fails you don't have to worry about anything it will have more than one to actually suffice your requirement and it will never let you fail or it will provide you the highest resiliency that you can get and the next one is high resiliency so if you choose this what happens is so it will have only one direct connect end point in each one so but in the maximum you get two but 
here you will get only one and that will be connected to the customer so here as well you can achieve high resiliency for critical workloads by using two single connections to multiple locations and this topology provides resiliency against connection failures caused by a fiber cut or a device failure so if this fails this works if this this fails and this works so this also helps prevent a complete location failure of this total location fails also not a problem you will be able to reach and the next one is development and testing so this is this uses a single connection and you can see that you can achieve development and test resiliency for non-critical workloads by using separate connections that terminate on separate devices on one location so this topology provides resiliency against device failure but does not provide resiliency against location failure because this is just set to one location but even though it is set to one location it has a termination endpoint for two so it terminates to two endpoints as it is already written that it terminates on separate devices in one location so based on that even if one fails then you will have a resiliency of even if connecting to the customer data center but it is not that useful for the highly critical workloads it is just for development and testing so let's suppose i choose connection wizard and i choose development and testing let's suppose i click on next it will provide me with the options to actually configure the type of bandwidth that i need 1gb 2gb 3gb up to 40 gbps and i can provide the location that i have so ap south 1 ap 0 to 1 yeah so let's suppose i have sct hyderabad dc1 so data center one and the service provider that is data communications so if you want to choose any other let's suppose i choose mumbai so you get more number of uh service providers bharthiyatta is that net magic solutions is that lines jio is there jio jio people so stiffy is that what a phone is that what of an idea is that i 
think they've collaborated now so it's not a problem why why vi so that's it and you have additional settings like add tag like previous one and you can just click on next so here as i already told you that it will provide you two connections in the same location that you have and for resiliency of course and this will cost you an estimate of 0.60 dollars per hour and monthly 439.20 for port usage and additional data smashes charges okay billing will begin once the connection between the aws router and your router is established or 90 days after you ordered the port whichever comes first okay so these are the ones who will actually do that job for you once you create this then the next step will be you can get the loa or the letter of authorization but we are not going to do that so we will not create any connections here so now the virtual interfaces if you want to create any virtual interfaces you can just click on this so you can create a private interface or you can create a public interface as i told you or you can create a transit interface so let's suppose i choose private i can provide the virtual interface name that i want and the connection so let's suppose the physical connection on with the new virtual interface will provision so if i had created that then that would have shown in the drop-down list but it is not so i am not getting anything here and it is asking me for the virtual interface owner the account that will own the virtual interface so it will be my account or it can be another account okay so you can either choose a gateway type of direct connect gateways that is recommended or you can use the virtual private gateway so there are two options here for us with the gateway types so if you want to connect it to the direct gateway so as i already told you we can create a virtual private private virtual interface to connect to our location and the diode connect gateway so that we can connect multiple vpcs so if you want to do that you can use the 
directory gateway here or else you can choose a virtual private gateway to connect to a single vpc in the same region and let's suppose you want to create or choose a direct current gateway then you have to provide that once you've created it or you can create or you can choose one of the virtual private gateways and the next one is the vlan so the vlan or the virtual local area network number that you also can provide for the new virtual interface that you're going to create and the bgp asm so this is something that we have already discussed before in the side to side vpn so if you haven't checked that you can go for like you can just read more about that and you can check the video about we have discussed already on the autonomous system number so you can provide that it is for the without propagation and here also you can add the additional settings like whether it should be ipv4 or ipv6 based on that you have to provide the router peering so you have to provide the cider blocks for this one and the bgb authentication key and all these actually this is not that important it is too in-depth for the exam as well so i don't think so we need to go over that and so once you have filled on the details and then you can create the virtual private interface so if you have the private interface then you can connect to your ec2 instances and if you create for the public one you can just access your s3 or s3 glacier and for the transit actually i'll discuss it when we discuss transit gateway so we'll keep that aside for now then click on cancel so when coming back to lag so as i already told you lag is basically your link aggregation group so you can just create a link aggregation group with using the existing connections or by requesting new connections so let's suppose we are using existing connection to create the lag so you have to provide the lag name and existing connection details so the number of connection that you want so next is the number of new connections that 
is optional so as we already told that four connection is a max so you can have four here and the minimum links can be two because you have to link isn't it you cannot have link with one connection you need more than one connection so the minimum is two and the maximum will be four and that is how you create the lag and you can just provide the tags here so in lag what we do is we just couple both of the connections or more than one connection that we have and we try to create it as a single logical manage connection so that's what we are trying to do here and you can request new connection as well so you can just provide the connection link the speed it is just like creating your new order for direct connect again so based on that you can provide the details here just cancel it now come back to directional gateways so when we click on this we can just provide the name of the right gateway and the autonomous system number the asm number and once you create this what happens is this may appear to be a two value field form but once you create it you will have provisions to access it through other forms or other services so let's suppose i have a virtual interface and when i went to the create virtual interface i was asked i was asked about like can you provide me the right gateway name that we have so i can just provide this basically that is a feature or that is a service so that is why it does not have much values to be taken into account for so you connect your interfaces to the virtual private gateway not the other way around so these are the things that are really important for the direct connect so connection virtual interfaces lags and directional gateways i don't think so we need to dig more into this you can as well read the documentation for further information on how everything is configured if you want and i think you should and i think that's it from the demo side i think we can move on from this with all the things that we have learned till now when we 
think of connecting our VPC to services in other VPCs, services hosted in the Marketplace, or any other service appliance, our whole approach is: OK, I need to add firewall rules, I need entries in the route table, I need a proper VPC peering connection, if so I need to manage the CIDR blocks to avoid conflicts, and of course I need an internet gateway for smooth access. But what if I don't want to burden myself with all of that, and could go with a much simpler solution? That is what we are going to discuss today. Thanks everyone for joining today's AWS session; let's talk about the much-awaited AWS PrivateLink.

Before moving on to what PrivateLink is and how it works, forget everything about AWS for a moment. If I say the term "private link" in plain English, what comes to mind? You might tell me: it's a link, so it must connect two points, creating a connection between them; and if it is a private link, then only the parties involved in the link can interact with each other at a given point in time. That is how a private link is formed.

Now, if you have a VPC, is it public by default, or do you need to perform some operations and add some features for it to be accessible from the internet? You will say: of course, we need to add a NAT or internet gateway, associate it with our subnets, and any instance we create in that subnet with public DNS enabled becomes reachable from the outside world. That's the public part. For private access we have already discussed three important concepts, which I hope you remember: first, creating your own private subnet, creating your NAT gateway and routing your instances through it; second, creating your own Site-to-Site VPN to reach your VPC instances and services; and third, which we covered in the last session, using Direct Connect. With all of these we have tried our best to provide a secure connection, but the configuration overhead is higher, and we want a much simpler way to connect our VPCs and services.

Having said that, let's introduce ourselves to AWS PrivateLink. It helps us establish private connectivity between VPCs and services hosted on AWS or on-premises without exposing traffic to the internet, and that is the link we want to create. If we have to imagine PrivateLink, there is a private endpoint through which we talk to services across other accounts and VPCs, and that endpoint is not exposed to the public internet. Simple, isn't it? Remember that PrivateLink in itself is not a standalone service but a mechanism: we create a specific endpoint that lets us privately communicate with and use services in other accounts or VPCs. We don't need an internet gateway, a NAT device or a public IP address to reach the service, and the most important point to remember is that traffic between your VPC and the service does not leave the Amazon network. That is why it is described as "secure private connectivity, simplified". But when I say simple, it doesn't mean you sit back and do nothing; you do have to make some changes and put some mechanism in place to create the link, and that is what we discuss next.

When you think of PrivateLink, you need to understand two concepts very clearly. One is the VPC endpoint, which creates an elastic network interface with a private IP address that acts as the entry point for traffic to the service. The other is the endpoint service, where we create a PrivateLink-powered endpoint service so that the service we want to expose becomes available for use. One is the consumer and the other is the producer. Confusing? Imagine it like this: John works in the engineering team and wants to use a firewall application provided by the security team that Lily works in. For this to work, they create a PrivateLink connection by creating a VPC endpoint on John's side and an endpoint service on Lily's side, so that John can securely access the service without using the public internet. John says "I need to use the firewall application, can you help me?" and Lily says "Yes, I have the service you need, let's create a link." That is how things work in practice: when you work with other teams, you talk to them and they create an endpoint service for you so that you can access their service.

I think we have discussed enough; now let's see how it actually works. Our playground is an AWS region. Our main goal is to connect our VPC to another VPC, which could be in our account or in another account, and to access the services provided by a producer. Here we act as the consumer, but since we are learning, think from both sides, because you could fall into either category. Let's start with the consumer part. We have our consumer VPC with the CIDR block 10.0.0.0/16 and a private subnet with our instances. This is where we create our interface VPC endpoint, which creates an elastic network interface with a private IP, and that acts as our connection point for the first half of the link. Now let's go to the producer side. Don't get confused: we have a VPC here as well, not a big surprise. The instances you see here are the appliance instances that host the service. There is one more important piece that makes the link possible, the Network Load Balancer, which receives requests from the service consumers and routes them to your service. In order to create a VPC endpoint service you need a Network Load Balancer; remember that.

Now that we have all this set up, how do we create the connection? The first thing to understand is that if you want your service to be consumed, you need to create an endpoint service. In your VPC console there is an option called Endpoint services, where you configure an endpoint service using the Network Load Balancer you have, and you can attach a private DNS name to it as well. Once you create the endpoint service, the consumer creates an endpoint using the endpoint service name, and that is where the connection starts. You already know that a VPC endpoint can be created in three ways: for AWS Marketplace services, for AWS services, or by service name, and the last one is where you enter the producer's endpoint service name to configure your consumer endpoint, so that PrivateLink sends your requests to the Network Load Balancer and on to the service hosted by the producer. That's it, your PrivateLink connection is ready. So if you are the producer and you want your service consumed, make sure you have the VPC endpoint service, which uses the Network Load Balancer to talk to your instances; the consumer then creates a VPC endpoint that references your endpoint service, which generates the PrivateLink connection. There are also a few access permissions that you have to define, which we will discuss in the demo, so don't worry about that. Let's move on.

Now let's look at some of the benefits of AWS PrivateLink so that you can make your own decisions. The first point is "secure the traffic". This is the general idea we have already spoken about: you use your PrivateLink connection to securely access a service from your VPC without using the public internet; everything stays in the AWS network, which reduces exposure to threats such as brute-force and distributed denial of service (DDoS) attacks. And while creating a VPC endpoint you get fine-grained control over access, because you provide your VPC ID, the interface type, the endpoint service name, the subnet IDs and the security groups, which makes it more secure. The second point is "simplify network management": with PrivateLink you don't need to configure an internet gateway or provision a VPC peering connection to reach services in other VPCs, and you don't have the overhead of managing CIDR blocks to avoid conflicts, so it is a very simple way to manage your network. The third is "accelerate your cloud migration": you might be using a Site-to-Site VPN or Direct Connect to reach your AWS services, and you don't have to manage anything beyond that, which makes you more comfortable migrating services to the cloud because you are confident that access will be secure. That is why it says: easily migrate traditional on-premises applications to software-as-a-service offerings hosted in the cloud with AWS PrivateLink. And if you are a producer you can do the same, so that others can leverage your services.

Now let's look at the basic features of AWS PrivateLink. We have spoken a lot about how good PrivateLink is, but AWS doesn't want us to stop there. First, accessing services over AWS PrivateLink, which we have already discussed: you create your endpoints, add the endpoint services you need, and securely access the services you want. Second, sharing your services over AWS PrivateLink: if you are a producer and want your services accessible to consumers, you create a PrivateLink-powered endpoint service; others use your endpoint service name, and you accept their connection requests. Third, privately connecting to your on-premises applications: as we just discussed, you use a Site-to-Site VPN or Direct Connect to reach your AWS services and manage nothing more than that, which helps you migrate services to the cloud and access services already hosted on AWS over private connections. Last, and very interesting, integration with AWS Marketplace. Did you know that AWS PrivateLink is integrated with services in the AWS Marketplace, where you can find existing services and use them as per your requirement? PrivateLink lets you discover, purchase and provision PrivateLink-enabled SaaS products through AWS Marketplace, and lets you pass data directly to the SaaS application without ever leaving the AWS network. That is what makes PrivateLink an acceptable solution for most use cases: you don't need a public IP address to access these services and you never leave the AWS network. That's cool, isn't it? There are companies that host their services on AWS which you can make use of; for example, Cisco provides a cloud monitoring tool called Cisco Stealthwatch Cloud, to which you send your data for monitoring, and it provides visualization as well.

Now let's see how PrivateLink works from your on-premises locations. Imagine you are working in a hybrid architecture and want to connect to the AWS cloud; you would use a Site-to-Site VPN or a Direct Connect connection. Let's assume Direct Connect. We have our data center, and we create the Direct Connect connection to talk to our VPC privately. In our VPC we create the VPC endpoint, which talks to the Network Load Balancer behind the VPC endpoint service, which in turn carries our request to the service we want to access. That is how a PrivateLink connection with a VPC endpoint service is formed, and how users in the on-premises location reach the services privately. I know there is another option, the Gateway Load Balancer, with which we can also create a PrivateLink connection; that is something we will talk about in the next session. For now just concentrate on this part: you have your data centers, you have your Direct Connect connection, you connect privately to your VPC, you create a VPC endpoint using the endpoint service, and from there you reach the service you want. Make sure an endpoint service is available; if you want to access AWS's own services, you can do that from the AWS services list.

Now that we have covered the basics, let's jump into a hands-on demo. To use endpoint services and endpoints you go to the VPC console. This is our VPC console; last time we already did the demo for VPC endpoints, so you can visit that video to see what a VPC endpoint is, how we configured it and how it works. Let's suppose we are the producers now. The first thing we have to do is create an endpoint service. Say we have an application we want to host and make available as a service; we create an endpoint service to expose it. On the left-hand side under Virtual private cloud, the first item is Endpoints and the second is Endpoint services. I told you there would be something called endpoint service, but if you search for "PrivateLink" you won't find anything; there is no service called PrivateLink, but you have Endpoint services, which is a VPC feature. If I click on it, it goes exactly to this point. So we click Endpoint services and then Create endpoint service. As you see, we don't have any load balancers in our VPC yet, so nothing shows up here, but the most important thing to remember is that we need a Network Load Balancer, and we can associate a private DNS name with the service we want to host. As the console says: you can use AWS PrivateLink to make services in your VPC available to other AWS accounts and VPCs; AWS PrivateLink is a highly scalable, highly available technology that enables private access to services across VPC boundaries; other accounts and VPCs can create a VPC endpoint to access your endpoint service. That is the whole idea: other accounts create a VPC endpoint, you as the producer create an endpoint service, and they can access your service. Endpoint services can be created on Network Load Balancers and Gateway Load Balancers; we are covering the Network Load Balancer part now, and in the next session I'll tell you about the Gateway Load Balancer, so don't miss that, and if you haven't subscribed, please do so now. The important difference between the two from a connection point of view is that services created on Network Load Balancers (NLBs) are accessed through interface endpoints, while services created on Gateway Load Balancers (GWLBs) are accessed through Gateway Load Balancer endpoints. Remember this.

OK, I'll do a small demo; I won't disappoint you here. Let's at least do the producer part and create the endpoint service. We have three instances here that I have stopped, so don't worry about them; we'll create a new one. Launch instance: select Amazon Linux, t2.micro, the "myvpc demo" VPC and the private subnet I have. The storage is fine. I'll give it a name, "service-ep" for service endpoint. Configure security groups: just create a new one and leave it as it is, since we are not going to do anything with it. Review and launch, launch, choose the existing key pair, and launch the instance. While the instance launches, the next thing is the load balancer section, where you can create a new load balancer. Click Create: in the Mumbai region you see only three load balancers, the Classic Load Balancer, which is the previous generation, the Network Load Balancer and the Application Load Balancer. The fourth one, the Gateway Load Balancer, is not visible here; if you switch the region to Oregon you can see it. I'll switch back to my region and be satisfied with the Network Load Balancer, because that is our requirement.

So let's create one. I'll name it "demo nlb"; internet-facing or internal doesn't matter here, I'll make it internal, IPv4, TCP on port 80, choose the "myvpc demo" VPC and the private subnet that I want to attach. Next through security groups, then create a new target group called "demo target group", which can be instance or IP based; instance is fine for us. Advanced health checks are not required. Register targets: this is the instance that is already running, so select it and add it to registered. Now that it is in the target list, the load balancer fronts it. Review and launch: these are the targets, this is the name of the load balancer, this is the target group, this is the VPC it points at and the private subnet it lives in. Create, successfully created, close. Now it is in the provisioning state, and the integration tab says this load balancer is not configured to any endpoint service; from here too you can create an endpoint service, and there are tags. Since it is still provisioning, let's go back to Create endpoint service and see whether a Network Load Balancer in the provisioning state appears in the dropdown. Go back and come back again: see, now it's showing, and the status is still provisioning. So that is something we learned today: even while provisioning it is detected.

Now select "demo nlb", the Network Load Balancer you have; this shows the availability zone we have. Here you can associate a private DNS name with the service, but I don't have one, so I won't. I can add a name tag, "my endpoint service". That's it: I have associated a Network Load Balancer that has my service instance behind it. Now this checkbox, "Acceptance required": if you check it, you have to manually decide whether to accept or reject each connection request, so consider this point carefully. By default it is usually checked, but it depends on how you set up your VPCs and how you expose your services; if you don't want the overhead of manually accepting connections, uncheck it. I think we are good here; click Create service. Your service is ready. This is the service name, the one we are going to use; the type is interface, because we used a Network Load Balancer; it is not associated with any AWS service, because it is our own hosted service; we have the Network Load Balancer ARN, acceptance required is yes, and the VPC ID is here. Copy the service name; remember, I'm copying the service name shown here.

Now go to Endpoints and create an endpoint. Choose "Find service by name", paste the service name, choose the default VPC (we created the endpoint service in "myvpc demo", so the endpoint goes in a different VPC), and click Verify: service name found. We've got the service; it is available only in this availability zone, which is fine, and it shows all the details. The security group attached is the one shown there, which is also fine for us. Click Create endpoint; I'll add a name tag, "endpoint demo", and create. Your endpoint is created; close. Now it shows "pending acceptance", because we checked the acceptance required box. Go to Endpoint services, then Endpoint connections, and it should show up: here it is. Right-click or use Actions, and you can accept or reject the endpoint connection request manually. Since it is my own service, why should I hurt myself; I'll accept it. Refresh, and it is in the available state. That's great, isn't it?

One more thing to understand: if it is in the accepted state, it should have created an elastic network interface. That is what I want to check, so go back to the EC2 management console, which I have open here, refresh, and go to Network interfaces. It should have created one for us, and the interface should have the endpoint ID associated with it. Here are the network interfaces, so we can copy the endpoint ID and look at the network interface list that we have
and you can just paste here yeah so this is the one that has been created now okay so now this is the interface that has been created for us so it takes a bit of time to actually create the vpc endpoint interface so if i just click on search yeah so this is the interface name so you have the endpoint interface here vpce i'll just copy this and i'll show you that this is the one that we are currently using see this is the one this is the end point and that is what it is trying to refer to so this i did not create manually this will get created once you create an endpoint okay so now what we have done we have achieved a lot in this one so we have created the endpoint service for us and we have created the endpoint when we have also associated both of them and we have given the acceptance criteria as false as true sorry so that we can manually accept or reject the connections so i think that was clear isn't it so if you wish to do this you can do this as well but make sure that you delete all the connections as and when you create them so that you don't have any billing problems so that is what i am going to do right now so what i'm going to do here is i'm going to delete this endpoint service first so this endpoint service and i'm going to delete this i don't want to face any i'll just delete the endpoint connection first so delete this endpoint okay so first we are going to delete this and we are going to go to the endpoint service we have the endpoint we don't have any endpoint connections now we can just click on the my ap service and we can just delete the endpoint service as well so now we are clear from this we don't have any endpoints we don't have any endpoint service and we'll go back to the instances and there's the only running instance that we have we'll just dominate this okay so just terminate this instance we have to just clean up everything because this is not our company sponsored video so we will incur a lot of bills for this and i think we have 
learnt a lot today and i hope you will also try to do this by yourself by watching the videos and you will try to learn how to do this yourself as well okay so let's move on then and i think that's it for today's session of aws i think it was a wholesome session and i hope you learnt a lot here as well and if you haven't subscribed to the channel then please do subscribe we have just 20 of people who actually subscribe and watch the videos so please please please do because this channel needs your support and i'm really working hard to give you the best quality content and if you have any feedbacks then please let me know in the comment section so if you wish to support me the links to the insta mojo page and paypal and patreon are given in the link in the description below and if you wish to join the channel and become a mandalorian then please do so just click on the join button so i'll meet you in the next session of aws until then stay safe stay healthy it's pytholic signing off so if you liked what you saw please hit the like button comment on what you liked or you didn't make sure you subscribe to the channel and let's be friends on instagram join me at tougher apollo and to watch more please click on the videos on the tab shown on the screen until then it's by the holiday signing
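The demo above leaves "acceptance required" switched on and then accepts the one pending request by hand in the console. The security point of that checkbox is that the service owner gets to look at who is asking before an interface endpoint (and its ENI) is wired into the requester's VPC; in practice you decide on the requesting AWS account, which the EC2 API reports as VpcEndpointOwner on each connection. The script below is an added example and is not code from the video: it triages pending PrivateLink connection requests against an allow-list of account IDs and shows the two AWS calls a service owner uses for the two gates, allowed principals on the service and accept/reject on the request. The service ID, endpoint IDs and account numbers are hypothetical, the region is assumed to be ap-south-1 (Mumbai, as in the demo), and the sample DescribeVpcEndpointConnections response is constructed so the decision logic can be run offline; only the functions that take a region talk to AWS, via a deferred boto3 import.

```python
"""Triage PrivateLink endpoint connection requests against an account allow-list.

Added example, not code from the video. The decision logic is pure Python and
runs offline on a constructed DescribeVpcEndpointConnections response; only the
functions that take a region import boto3 and call the EC2 API. All IDs and
account numbers below are hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# VpcEndpointState while the service owner still has to accept or reject.
PENDING = "pendingAcceptance"


@dataclass(frozen=True)
class Decision:
    endpoint_id: str   # consumer-side vpce-... ID
    owner: str         # requester's 12-digit AWS account ID (VpcEndpointOwner)
    accept: bool
    reason: str


def triage_connections(connections: Iterable[dict], allowed_accounts: Set[str],
                       service_id: str) -> List[Decision]:
    """Decide accept/reject for every pendingAcceptance request to service_id.

    `connections` has the shape of the 'VpcEndpointConnections' list returned by
    EC2 DescribeVpcEndpointConnections. Requests for other services, or in any
    other state (available, rejected, ...), carry nothing to decide and are skipped.
    """
    decisions = []
    for conn in connections:
        if conn.get("ServiceId") != service_id or conn.get("VpcEndpointState") != PENDING:
            continue
        owner = conn.get("VpcEndpointOwner", "")
        ok = owner in allowed_accounts
        decisions.append(Decision(
            endpoint_id=conn["VpcEndpointId"], owner=owner, accept=ok,
            reason="requester account on allow-list" if ok else "requester account not on allow-list",
        ))
    return decisions


def split_decisions(decisions: Iterable[Decision]) -> Tuple[List[str], List[str]]:
    """Return (ids_to_accept, ids_to_reject), each in the order the requests were seen."""
    decisions = list(decisions)
    return ([d.endpoint_id for d in decisions if d.accept],
            [d.endpoint_id for d in decisions if not d.accept])


def allow_principals(service_id: str, account_ids: Iterable[str], region: str = "ap-south-1"):
    """First gate: only these accounts may even create an endpoint to the service."""
    import boto3  # deferred so the offline part of this module loads without boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.modify_vpc_endpoint_service_permissions(
        ServiceId=service_id,
        AddAllowedPrincipals=[f"arn:aws:iam::{acct}:root" for acct in account_ids],
    )


def fetch_connections(service_id: str, region: str = "ap-south-1") -> List[dict]:
    """All connection records for the service, across pages."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_vpc_endpoint_connections").paginate(
        Filters=[{"Name": "service-id", "Values": [service_id]}])
    return [c for page in pages for c in page["VpcEndpointConnections"]]


def apply_decisions(service_id: str, decisions: Iterable[Decision],
                    region: str = "ap-south-1") -> Tuple[List[str], List[str]]:
    """Second gate: accept or reject the pending requests.

    Accepting is what creates the endpoint ENI in the requester's VPC, which is
    the step the console demo did by hand.
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    to_accept, to_reject = split_decisions(decisions)
    if to_accept:
        ec2.accept_vpc_endpoint_connections(ServiceId=service_id, VpcEndpointIds=to_accept)
    if to_reject:
        ec2.reject_vpc_endpoint_connections(ServiceId=service_id, VpcEndpointIds=to_reject)
    return to_accept, to_reject


# Constructed sample (hypothetical IDs): what DescribeVpcEndpointConnections might return.
SAMPLE_SERVICE = "vpce-svc-0123456789abcdef0"
ALLOWED_ACCOUNTS = {"111111111111"}
SAMPLE_CONNECTIONS = [
    {"ServiceId": SAMPLE_SERVICE, "VpcEndpointId": "vpce-0a1b2c3d4e5f60001",
     "VpcEndpointOwner": "111111111111", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": SAMPLE_SERVICE, "VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
     "VpcEndpointOwner": "222222222222", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": SAMPLE_SERVICE, "VpcEndpointId": "vpce-0a1b2c3d4e5f60003",
     "VpcEndpointOwner": "111111111111", "VpcEndpointState": "available"},
    {"ServiceId": "vpce-svc-0fedcba9876543210", "VpcEndpointId": "vpce-0a1b2c3d4e5f60004",
     "VpcEndpointOwner": "111111111111", "VpcEndpointState": "pendingAcceptance"},
]

if __name__ == "__main__":
    for d in triage_connections(SAMPLE_CONNECTIONS, ALLOWED_ACCOUNTS, SAMPLE_SERVICE):
        print(f"{d.endpoint_id} from {d.owner}: {'ACCEPT' if d.accept else 'REJECT'} ({d.reason})")
```

On the sample data only the two pendingAcceptance requests for our service are decided: the one from the allow-listed account is accepted, the one from the unknown account is rejected, and the already-available connection and the request aimed at a different service are left alone. Keeping allow_principals as well as the accept step matters because an account that is not an allowed principal cannot even create the request, so the manual (or scripted) acceptance is the second check, not the only one.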
Info
Channel: Pythoholic
Views: 26,994
Keywords: Pythoholic, auto scaling group aws, aws, aws certification, aws certified, aws certified solutions architect - associate level, aws for 2021, aws vpc masterclass, aws vpc peering, aws vpc tutorial, bastion host aws, cidr in computer networks, customer gateway and virtual private gateway, internet gateway aws, internet gateway vs nat gateway aws, privatelink aws, subnet in aws vpc, transit gateway aws, virtual private cloud, vpc, vpc peering aws, what is vpc
Id: RNdJ3XQSIyk
Length: 411min 45sec (24705 seconds)
Published: Thu Jan 07 2021