14. VPC Flow Logs Troubleshooting for NACL and SG
Just a quick lecture on how you can troubleshoot security group and NACL issues using VPC Flow Logs. So let's look at an incoming request. Remember the flow of an incoming request: it hits the network ACL inbound rules first, then the security group inbound rules. So it turns out that if you get an inbound REJECT right away, it could be either a network ACL problem or a security group problem. Maybe the inbound NACL rule blocked it, or maybe the inbound security group rule blocked it.
And how do you know? Well, you look at the EC2 security group inbound rules and figure out whether or not there is a rule matching the request that was made. If there is a match, the security group would have allowed it, so it is a network ACL problem; if there is no match, it is a security group problem. And then if you get an inbound ACCEPT, so both checks pass, and then you get an outbound REJECT, it turns out that it can only be a network ACL problem, because security groups are stateful.
Because the inbound rule allowed the request, the response is automatically allowed out by the security group. For an outgoing request, same idea. If you get an outbound REJECT, so the request doesn't even make it out, it could be either a security group issue or a network ACL issue. And if you get an outbound ACCEPT, so the request goes through, but then you get an inbound REJECT on the response, it can only be a network ACL problem, because your security group is stateful and would have allowed the response back in.
So this is a very common example, and a very common exam question as well: they will show you two VPC Flow Logs lines and you have to understand how to troubleshoot them. So remember this diagram, remember how security groups and network ACLs work, and remember VPC Flow Logs, and you'll be fine. All right, I will see you in the next lecture.
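Here is the decision tree from this lecture as runnable code. It is an added example, not part of the course: it parses default-format (version 2) VPC Flow Logs records, infers the direction of each record relative to the instance's ENI address, and then applies the rule "request leg rejected: check the security group rules to tell SG from NACL; request leg accepted and return leg rejected: NACL, because the SG is stateful". The account ID, ENI ID, addresses, ports and security group rules below are constructed for the example.

```python
"""Classify a VPC Flow Logs ACCEPT/REJECT pair as a security-group (SG) or
network-ACL (NACL) problem, following the decision tree from the lecture.

Added example, not course material. Records use the default version-2
flow log format; the sample records, addresses and SG rules are constructed."""
import ipaddress
from dataclasses import dataclass

# Field order of a default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(line):
    """Parse one default-format record; '-' fields (NODATA/SKIPDATA) become None."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


@dataclass(frozen=True)
class SgRule:
    """One SG allow rule: IP protocol number ('-1' = all), port range, CIDR."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


def sg_allows(rules, rec, direction):
    """True if an SG rule matches the flow. SGs have only allow rules, so a
    flow that matches nothing is dropped by the SG."""
    remote_field = "srcaddr" if direction == "inbound" else "dstaddr"
    remote = ipaddress.ip_address(rec[remote_field])
    for rule in rules:
        if rule.protocol != "-1":
            if rule.protocol != str(rec["protocol"]):
                continue
            if not rule.from_port <= rec["dstport"] <= rule.to_port:
                continue
        if remote in ipaddress.ip_network(rule.cidr):
            return True
    return False


def diagnose(lines, instance_ip, sg_inbound, sg_outbound):
    """Return which layer dropped the flow: SG_INBOUND, SG_OUTBOUND,
    NACL_INBOUND, NACL_OUTBOUND or NONE. `lines` are the records of one
    flow, request leg first; direction is relative to the instance's ENI."""
    inst = ipaddress.ip_address(instance_ip)
    recs = [parse_flow_log(line) for line in lines]

    def direction(rec):
        return "inbound" if ipaddress.ip_address(rec["dstaddr"]) == inst else "outbound"

    first, rest = recs[0], recs[1:]
    d = direction(first)
    if first["action"] == "REJECT":
        # Request leg rejected: either layer. Only the SG rules can tell.
        rules = sg_inbound if d == "inbound" else sg_outbound
        return f"NACL_{d.upper()}" if sg_allows(rules, first, d) else f"SG_{d.upper()}"
    # Request leg accepted. The SG is stateful, so the return leg is already
    # allowed there; a REJECT on the return leg can only be the (stateless) NACL.
    for rec in rest:
        if direction(rec) != d and rec["action"] == "REJECT":
            return "NACL_" + ("OUTBOUND" if d == "inbound" else "INBOUND")
    return "NONE"


# --- constructed sample data -------------------------------------------------
INSTANCE_IP = "10.0.1.10"
SG_INBOUND = [SgRule("6", 22, 22, "203.0.113.0/24")]   # SSH from the office range
SG_OUTBOUND = [SgRule("-1", 0, 0, "0.0.0.0/0")]        # default SG egress
ENI = "eni-0123456789abcdef0"


def make_record(src, dst, sport, dport, action):
    return (f"2 123456789012 {ENI} {src} {dst} {sport} {dport} 6 4 240 "
            f"1700000000 1700000060 {action} OK")


CASES = {
    # incoming SSH from the allowed range rejected on the way in; the SG matches
    "ssh_inbound_reject": [make_record("203.0.113.5", INSTANCE_IP, 49152, 22, "REJECT")],
    # incoming RDP rejected; there is no SG rule for 3389
    "rdp_inbound_reject": [make_record("203.0.113.5", INSTANCE_IP, 49153, 3389, "REJECT")],
    # incoming SSH accepted, the reply is rejected
    "ssh_reply_reject": [make_record("203.0.113.5", INSTANCE_IP, 49152, 22, "ACCEPT"),
                         make_record(INSTANCE_IP, "203.0.113.5", 22, 49152, "REJECT")],
    # outgoing HTTPS accepted, the reply is rejected
    "https_reply_reject": [make_record(INSTANCE_IP, "198.51.100.7", 51000, 443, "ACCEPT"),
                           make_record("198.51.100.7", INSTANCE_IP, 443, 51000, "REJECT")],
}


def diagnose_all():
    return {name: diagnose(lines, INSTANCE_IP, SG_INBOUND, SG_OUTBOUND)
            for name, lines in CASES.items()}


if __name__ == "__main__":
    for name, verdict in diagnose_all().items():
        print(f"{name:20s} -> {verdict}")
```

The two "reply rejected" cases are the typical NACL mistake: the request port is allowed but the ephemeral port range the reply uses (1024-65535) is not, and since NACLs are stateless that range has to be allowed explicitly in the opposite direction. Note that a flow log record does not say which layer produced the REJECT; the direction inference above relies on knowing the ENI's private IP, and the SG-match step is only as accurate as the rule set you feed it.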
15. [SAA] Bastion Hosts
So let's talk about Bastion Hosts. So this is the diagram. We have our Bastion Host users. They SSH into the Bastion Host, which is in a public subnet, and then from the Bastion Host they are able to SSH into other Linux instances. So the Bastion Host is used to SSH into private instances, and it sits in the public subnet. The reason this works is that the public subnet can route to all the other private subnets in the VPC. So what we need to do is make sure that the security group of the Bastion Host is super strict, to only allow the IPs that need to get in. So as an exam tip, you'll get this on the exam: make sure the Bastion Host only allows port 22 traffic coming from the IP addresses you need.
So your own IP, and not from other security groups or other instances. The only thing the Bastion Host needs is port 22 coming from your IP. So let's have a quick hands-on for this. It turns out that we've already used a Bastion Host without really knowing it. When we have a public instance, that public instance is also a Bastion Host. Why? Because we did allow SSH access into it. So we allowed SSH, and it sits in the public subnet, so we can access it.
And from this Bastion Host, we SSH into our private instance. So let's have a look at how this works. So let's go back. We SSH into our public instance, our Bastion Host, and from there we ran the SSH command to SSH into our private instance. Now this is not perfect: the private key pair for the private instance ended up on the Bastion Host, and there are ways to avoid that and use the Bastion Host purely as a proxy (SSH ProxyJump, for example). There are ways to improve this, but it gives you the general idea of how a Bastion Host is used. I hope that was helpful for you, and I will see you in the next lecture.
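The exam tip above (only TCP/22, only from your own IP, never from another security group) is easy to check mechanically. The audit below is an added example, not course material: it walks a security group document in the shape that `aws ec2 describe-security-groups` returns (the `IpPermissions` / `IpRanges` / `UserIdGroupPairs` field names are the real API shape; the group IDs and addresses are constructed) and reports every inbound rule that is not SSH from an address on your allow list.

```python
"""Audit a bastion host's security group: inbound must be only TCP/22 from
the operator's own IP(s). Added example, not course material; the SG
documents below are constructed in the shape that
`aws ec2 describe-security-groups` returns."""
import ipaddress


def _rule_label(perm):
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "rule all-traffic"
    return f"rule {proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_bastion_sg(sg, allowed_cidrs):
    """Return a list of findings for the SG's inbound rules; [] means it
    matches the bastion policy (tcp/22 from the allow list only)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        label = _rule_label(perm)
        is_ssh = (perm.get("IpProtocol") == "tcp"
                  and perm.get("FromPort") == 22 and perm.get("ToPort") == 22)
        if not is_ssh:
            findings.append(f"{label}: bastion should only accept tcp/22")
        # Sources that are not plain CIDRs: other SGs (the lecture's "not from
        # other security groups") and managed prefix lists are never your IP.
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(f"{label}: source is security group "
                            f"{pair.get('GroupId')}, not your IP")
        for pl in perm.get("PrefixListIds", []):
            findings.append(f"{label}: source is prefix list "
                            f"{pl.get('PrefixListId')}, not your IP")
        # CIDR sources (v4 and v6) must fall inside an allow-listed network.
        sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        for cidr in sources:
            net = ipaddress.ip_network(cidr)
            if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{label}: source {net} is not in your allow list")
    return findings


# --- constructed sample security groups --------------------------------------
MY_IP = "203.0.113.5/32"

BAD_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "123456789012"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": MY_IP}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": []},
]}

GOOD_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": MY_IP}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": []},
]}

if __name__ == "__main__":
    for name, sg in (("BAD_SG", BAD_SG), ("GOOD_SG", GOOD_SG)):
        print(name, audit_bastion_sg(sg, [MY_IP]) or "ok")
```

The same idea extends to the key-handling point in the lecture: with OpenSSH's `ProxyJump` (`ssh -J bastion-user@bastion private-user@10.0.x.y`) the connection to the private instance is tunnelled through the bastion and the private instance's key never leaves your workstation, so the bastion holds nothing worth stealing beyond its own host key.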
16. [SAA] Site to Site VPN, Virtual Private Gateway & Customer Gateway
So we are almost done with this diagram. The last thing we have to do is to connect our corporate data center, so this is where you have your own infrastructure, your own computers, to the AWS cloud somewhat directly. The idea is that a Site-to-Site VPN establishes a virtual private network that basically makes it seem like your corporate network and your AWS VPC are part of the same network. How does that work? Well, we have to create a customer gateway on the corporate DC side. This is something you have to set up yourself. It could be software, it could be hardware.
There is a list on the AWS website of what's supported. Then on the VPC side, we provision what's called a virtual private gateway. And once the virtual private gateway is provisioned, between the virtual private gateway and the customer gateway we set up a Site-to-Site VPN connection that links the two, and our VPC and our corporate DC will be able to talk to each other. Okay, that's the theory. It's really simple and there's no hands-on, because we don't have a corporate data center at our disposal. But you just need to get the idea: the customer gateway is on the corporate data center side, the virtual private gateway is on the VPC side, and the Site-to-Site VPN connection links the two together. So the virtual private gateway is the VPN concentrator on the AWS side of the VPN connection.
The VGW is created and attached to the VPC from which we want to create the Site-to-Site VPN, so it's at the VPC level, and you can customize the ASN if you know what that means. Then the customer gateway is a software application or a physical device on the customer side, so on your corporate data center side of the VPN connection, and there's a list of all the devices that AWS has tested at this URL, so I invite you to look at it in your own time. Now, for the IP address of your customer gateway, I think that's a very important part for the exam. It's either the static, Internet-routable IP address of your customer gateway device, so the device has a static public IP address, or, if the device is behind a NAT, and that NAT needs to have NAT traversal (NAT-T) enabled, then instead of using the IP of your customer gateway device, you use the public IP of the NAT.
Note that the NAT in this case is not a NAT on the Amazon side; it's the NAT on your network side. So if you have set up a NAT on your network and your customer gateway device is behind that NAT, use the public IP address of the NAT instead of the customer gateway's own IP. That's all you need to know, but it's super important going into the exam. Now let's look at the UI just to make this rock solid. To set up a VPN connection, we go all the way to the bottom here and look at Virtual Private Network. Here we can set up customer gateways, virtual private gateways, and Site-to-Site VPN connections.
So let's go one by one. The customer gateway is what you set up on your own side, okay? It's something you have to set up. If you search Google for "AWS customer gateway devices tested", it will give you a list of all the customer gateway devices they've tested. All these devices have been tested, and you can set one up in your own infrastructure; that will be your customer gateway. Once you have that, you create a customer gateway in AWS. You give it a name, you say whether it uses static or dynamic routing, and you put in the static IP address. As you can see in the information box here, it says: specify the Internet-routable IP address for your gateway's external interface. It must be static and may be behind a NAT.
Okay? And if it's behind a NAT, then put in the static public IP address of the NAT. Okay, cancel. With that we have a customer gateway created. Next we set up a virtual private gateway: we click on Virtual Private Gateways, give it a name tag, whatever you want, say Demo VPG, or VGW, and then here you can either use the Amazon default ASN or set a custom ASN. That's a more advanced detail for when you really know what you're doing on the networking side.
Once you're done, you have a customer gateway and you have a virtual private gateway, and here you set up a Site-to-Site VPN connection. You create the VPN connection, you give it a name, you select a virtual private gateway, then you select a customer gateway, and then you set the tunnel options; AWS gives you instructions for setting up two tunnels, to have some redundancy. And you're done: you have a VPN connection between the two.
Now obviously, you see I haven't created anything because I don't have a corporate data center available to me. But this is the process. What you have to remember is that you create a Site-to-Site VPN connection: on your corporate data center side you need to set up a customer gateway, on your AWS side you need to set up a virtual private gateway, and then you connect the two using a Site-to-Site VPN connection. So that's it for this lecture, a bit more architectural and less hands-on, but I hope you liked it and I will see you in the next one.
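The customer gateway IP rule from this lecture (register the device's own static public IP, or the NAT's public IP if the device sits behind a NAT that supports NAT-T) is the step people get wrong, usually by registering an RFC 1918 address that the NAT hides. The pre-flight check below is an added example, not course material. It chooses the address to register, refuses addresses that cannot be an Internet-routable external interface, and builds the request in the field names of the EC2 `CreateCustomerGateway` API (`Type`, `BgpAsn`, `PublicIp`). The ASN ranges in `vgw_asn` are the private ranges the console accepts for a custom Amazon-side ASN as I understand them; treat them as an assumption to confirm against the console. All addresses are constructed.

```python
"""Pre-flight check for the customer-gateway side of a Site-to-Site VPN.

Added example, not course material. Picks the address to register for the
customer gateway (the device's static public IP, or the NAT's public IP when
the device is behind a NAT with NAT-T) and validates the VGW ASN. Field names
mirror the EC2 CreateCustomerGateway API; the ASN ranges are an assumption
to verify against the console; sample addresses are constructed."""
import ipaddress

# Address blocks that can never be a customer gateway's Internet-routable
# external interface. Seeing one of these means the device is behind a NAT
# (or you copied the wrong interface's address).
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT shared space
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
)]


def is_routable(ip):
    """True for an IPv4 address outside the private/special blocks above."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in NOT_ROUTABLE)


def customer_gateway_ip(device_ip, nat_public_ip=None, nat_traversal=False):
    """Address to register as the customer gateway IP.

    No NAT: the device's own static public IP.
    Behind NAT: the NAT must have NAT-T enabled, and the NAT's public IP
    (on your network side, not an AWS NAT) is what you register."""
    if nat_public_ip is None:
        if not is_routable(device_ip):
            raise ValueError(f"{device_ip} is not Internet-routable; "
                             "is the device behind a NAT?")
        return device_ip
    if not nat_traversal:
        raise ValueError("device is behind NAT but NAT-T is not enabled on the NAT")
    if not is_routable(nat_public_ip):
        raise ValueError(f"NAT address {nat_public_ip} is not Internet-routable")
    return nat_public_ip


def vgw_asn(custom_asn=None):
    """Amazon-side ASN for the virtual private gateway: the Amazon default
    (64512) or a custom ASN from the 16-bit or 32-bit private range."""
    if custom_asn is None:
        return 64512
    if 64512 <= custom_asn <= 65534 or 4200000000 <= custom_asn <= 4294967294:
        return custom_asn
    raise ValueError(f"{custom_asn} is not a private ASN")


def customer_gateway_request(device_ip, bgp_asn=65000,
                             nat_public_ip=None, nat_traversal=False):
    """Parameters for CreateCustomerGateway; Type is always ipsec.1.
    BgpAsn is required by the API even for static routing (65000 is the
    console's default)."""
    return {
        "Type": "ipsec.1",
        "BgpAsn": bgp_asn,
        "PublicIp": customer_gateway_ip(device_ip, nat_public_ip, nat_traversal),
    }


if __name__ == "__main__":
    # Device with its own static public address (constructed).
    print(customer_gateway_request("203.0.113.10"))
    # Device on a private LAN behind a NAT-T capable NAT (constructed).
    print(customer_gateway_request("192.168.1.20", nat_public_ip="198.51.100.4",
                                   nat_traversal=True))
    print("VGW ASN:", vgw_asn(), vgw_asn(65001))
```

The check deliberately tests against explicit private blocks rather than Python's `is_global`, because that property also rejects the documentation ranges used here; in production the address you register must of course be one your ISP actually routes to the device or the NAT.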