Amazon AWS Certified Database Specialty – VPC – Networking
August 8, 2023

1. VPC Section Structure

Okay, so first let's get an introduction to VPC and subnets. VPC stands for Virtual Private Cloud, which means it's a private network within the AWS cloud that allows you to deploy your resources inside it. A VPC is a regional resource, so if you have two AWS regions, they will have two different VPCs. So the VPC is represented like this. Inside your VPC, which is just a logical construct, you have subnets, and subnets allow you to partition your network inside your VPC. Subnets are defined at the Availability Zone level. So we have one AZ, AZ A in this example, and we can have multiple subnets in it. The first subnet I'm going to create is a public subnet.

And as you can see, a public subnet is a subnet that is accessible from the Internet, so that subnet can reach the World Wide Web and can also be reached from the World Wide Web. Okay, then we have another kind of subnet called a private subnet. A private subnet is a subnet that is not accessible from the Internet. And how do we define this? We'll see this in the next slide. To define access to the Internet and between subnets, we're going to use route tables. So within your VPC you're going to define a bunch of route tables, and those define how your network traffic flows between all the different subnets.

So remember, everything is at a high level in this whole section, so we won't do any hands-on. But try to remember this concept; you'll see it should make sense to you very soon. We have an EC2 instance in a public subnet, and that one has access to the Internet. And we have an EC2 instance in a private subnet, and that one does not have access to the Internet, or rather the Internet does not have access to it. The reason being we want it to be more secure, more private. Okay, so if we look at a bigger diagram for VPC, we have our cloud infrastructure and we have one region. Within the region we have a VPC, and the VPC has a set of IP ranges.

It's called a CIDR range, and this is just the range of IP addresses allowed within your VPC. We have two AZs in this example. In the first AZ, I'm going to have a public subnet and a private subnet, and we can launch our EC2 instances in whichever subnet we want. And in AZ two we have a public subnet and a private subnet. So this is what a VPC looks like at a high level. And this is very common: in the VPC that is created for you when you start using AWS, you only have public subnets. You don't have private subnets, but you have one public subnet per AZ, and you have one VPC in each and every region that's created for you.

It's called the default VPC. Okay? Next, in your network we talked about public subnets and private subnets, but we're going to go one step deeper and talk about Internet gateways and NAT gateways. So if we go back to the same diagram, say we have an EC2 instance in the public subnet: what makes the subnet really public? How can it access the Internet? Well, for this we use an Internet gateway. The Internet gateway helps the instances in our VPC subnets connect to the Internet. So here is your Internet gateway. It lives in your VPC, and the public subnet will have a route to the Internet gateway.

So your public subnet, for example your EC2 instance in that public subnet, has a route to your Internet gateway, and your Internet gateway knows how to talk to the Internet. That's what makes a subnet a public subnet: a public subnet will have a direct route to an Internet gateway. Now let's take another example. We have our EC2 instance in a private subnet, and we want it to also be able to access the Internet, for example to get software updates. But we don't want it to be accessible from the Internet. We don't want the Internet to be able to reach those instances in our private subnet, for example.

For this, we use what's called a NAT gateway or a NAT instance. They do the same thing: they provide NAT for your private subnets. But NAT gateways are managed by AWS, so you don't need to worry about provisioning them and scaling them, whereas NAT instances are self-managed. And they both allow the instances in your private subnets to access the Internet while remaining private. So how does it work? We are going to deploy a NAT gateway or a NAT instance in our public subnet, and then we're going to create a route from the private subnet to the NAT instance or gateway.

And the NAT has a route to the Internet gateway because it's in the public subnet. Therefore your private subnet can reach the Internet by going through the NAT, and that's the whole point of NAT gateways. So this is a typical infrastructure in AWS, and NAT gateways and NAT instances will come into play later in this course when we talk about Lambda functions. Okay? But try to remember this. This is a very simple diagram, and feel free again to revisit this section later in this course; maybe it will make a lot more sense then, but still I wanted to introduce these concepts to you. So I will see you in the next lecture for more VPC concepts.

2. VPC, Subnets, IGW and NAT

So now that we've seen all the aspects of defining the network in our VPC, let's talk about network security, and so let's talk about the concepts of network ACLs and security groups. We're back in our VPC; it has one public subnet and one EC2 instance in it. We can create a NACL, or network ACL, which is a firewall that controls traffic from and to the subnets, and this can have allow and deny rules. So we can allow traffic or deny traffic, and that's explicit. You attach these NACLs at the subnet level, and the rules only include IP addresses. So you're saying: hey, all the traffic coming from this IP address is allowed, or all the traffic coming from these IP addresses is denied, and so on.

So the NACL is here and it is the first mechanism of defense for our public subnet, and it's at the subnet level. As we can see, the traffic coming to and from the Internet is going to go first through the network ACL, but it hasn't reached our EC2 instance just yet. Next we have security groups, and we've seen them already in this course. A security group is a firewall that controls traffic to and from an ENI, an elastic network interface, or an EC2 instance. Security groups, as we've seen, can only have allow rules, and they can reference either IP addresses or other security groups; this is something we have seen already in this course.

So we attach a security group to our EC2 instance, and now the traffic can flow all the way through to our EC2 instance, and we have the second mechanism of defense. We've seen security groups in depth in this course, but we haven't really touched NACLs. Why? Because when you have a default VPC, the default NACL allows everything in and allows everything out. This is why we haven't had to change the network ACL in this course, and we will not do any hands-on on it either, but just know that before the Internet traffic reaches your EC2 instance it has to go through this network ACL, which acts as a firewall. So network ACLs and security groups are very different, and there is a table that summarizes it; you don't need to remember it.

This is more something for the SAA, the Solutions Architect Associate, or the Certified SysOps Associate. But the idea is that the security group is attached to an instance or an ENI, whereas the network ACL is at the subnet level; the security group has only allow rules, whereas the network ACL has allow and deny rules; the security group is stateful, which means that any return traffic is automatically allowed regardless of any rules, whereas for the network ACL you need to allow the traffic in and out. You can look at the rest, but this is pretty irrelevant for this certification. Okay, so this is just if you're curious.
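To make the stateful/stateless difference concrete, here is a small Python model of both firewalls (an added example, not part of the course, with constructed addresses and rules): a NACL that allows SSH in and everything out, and a security group with the same intent. The instance opens an HTTPS connection to fetch updates; the security group lets the reply back in because it tracks the flow, while the NACL, which keeps no state, drops the reply until an inbound rule for the ephemeral port range is added.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")
# NACL rules may be "allow" or "deny"; security-group rules are allow-only.
Rule = namedtuple("Rule", "cidr port_from port_to action", defaults=["allow"])

def rule_matches(rule: Rule, remote_ip: str, port: int) -> bool:
    return (ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)

class NetworkAcl:
    """Subnet-level and stateless: rules run in rule-number order, first match wins, anything unmatched hits the implicit '*' deny, and replies get no special treatment."""
    def __init__(self, inbound, outbound):   # lists of (rule_number, Rule)
        self.inbound = sorted(inbound, key=lambda r: r[0])
        self.outbound = sorted(outbound, key=lambda r: r[0])

    def evaluate(self, pkt: Packet, direction: str) -> str:
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src if direction == "in" else pkt.dst
        for _, rule in rules:
            if rule_matches(rule, remote_ip, pkt.dport):
                return rule.action
        return "deny"

class SecurityGroup:
    """Instance/ENI-level, allow-only and stateful: once a flow is allowed one way, its return traffic is allowed without consulting the rules."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()                    # connection-tracking table

    def evaluate(self, pkt: Packet, direction: str) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"                    # reply to a tracked flow
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src if direction == "in" else pkt.dst
        if any(rule_matches(r, remote_ip, pkt.dport) for r in rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "deny"

def build_nacl(allow_ephemeral: bool) -> NetworkAcl:
    """Constructed NACL: SSH in and everything out; optionally ephemeral ports back in."""
    inbound = [(100, Rule("0.0.0.0/0", 22, 22))]
    if allow_ephemeral:
        inbound.append((110, Rule("0.0.0.0/0", 1024, 65535)))
    return NetworkAcl(inbound, [(100, Rule("0.0.0.0/0", 0, 65535))])

def build_sg() -> SecurityGroup:
    """Constructed security group: SSH in from one admin range, everything out."""
    return SecurityGroup([Rule("203.0.113.0/24", 22, 22)], [Rule("0.0.0.0/0", 0, 65535)])

def https_roundtrip(nacl: NetworkAcl, sg: SecurityGroup) -> dict:
    """Instance 10.0.1.10 (constructed) fetches updates over HTTPS from 198.51.100.7; returns each firewall's verdict on the request and on the reply."""
    request = Packet("10.0.1.10", "198.51.100.7", 49152, 443)
    reply = Packet("198.51.100.7", "10.0.1.10", 443, 49152)
    return {"request_sg": sg.evaluate(request, "out"),    # egress: SG, then NACL
            "request_nacl": nacl.evaluate(request, "out"),
            "reply_nacl": nacl.evaluate(reply, "in"),     # ingress: NACL, then SG
            "reply_sg": sg.evaluate(reply, "in")}
```

The fix for the dropped reply is the NACL inbound rule 110 for ports 1024-65535; the security group needs no change because it already tracks the flow.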

So now that we have all this traffic flowing through our VPC, through the network ACL and the security groups, we're curious: can we get information about all this traffic flowing through? Can we get a log from it? This is called a VPC flow log. It captures information about all the IP traffic going into your interfaces. That includes VPC flow logs, subnet flow logs, and ENI flow logs, or elastic network interface flow logs. So anytime you have network traffic going through your VPC, it will be logged in a flow log. This is to help you monitor and troubleshoot connectivity issues; for example, if you want to know why your subnet cannot access the Internet, or why a subnet can or cannot talk to another subnet, or the Internet to a subnet, et cetera.

So anytime you have a network issue and you need to be able to troubleshoot it, you need to look at VPC flow logs, because they will give you all the information around the allowed and the denied traffic. They will capture network information as well from anything that is managed by AWS. So elastic load balancers, your ElastiCache, RDS, Aurora, all this will appear in your VPC flow logs. In case of connectivity issues, you can look there right away. And the VPC flow log data, we'll see, can be sent to S3 or CloudWatch Logs for storage, so it can be stored in your AWS environment. So let's say for networking we've seen NACLs, security groups and flow logs. That's it. I will see you in the next lecture.
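As an added example (not from the course), this Python snippet parses records in the default VPC Flow Log format and pulls out the REJECT records, which is what you would look at first when troubleshooting why a subnet or instance cannot talk to something; the log lines, account id and ENI id are constructed for the example.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records, shaped like what lands in CloudWatch Logs or S3:
# an accepted SSH session, two rejected HTTPS replies, an accepted HTTPS request
# and one NODATA record (no traffic during the capture window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 51000 22 6 10 1200 1690000000 1690000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 443 49152 6 3 180 1690000000 1690000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 443 49153 6 3 180 1690000000 1690000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 198.51.100.7 49152 443 6 8 900 1690000000 1690000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1690000000 1690000060 - NODATA
"""

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

def parse_flow_log(text):
    """Turn raw flow-log lines into dicts; malformed and NODATA/SKIPDATA lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                               # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                               # no traffic fields to convert
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def rejected_flows(records):
    """REJECT count per (source, destination, destination port): the first thing
    to look at when a subnet or instance 'cannot talk' to something."""
    return Counter((r["srcaddr"], r["dstaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT")

def suspected_stateless_drops(records):
    """REJECTs from a well-known service port to an ephemeral port on our side look
    like return traffic blocked by a stateless NACL with no inbound ephemeral rule."""
    return [r for r in records
            if r["action"] == "REJECT" and r["srcport"] < 1024 and r["dstport"] >= 1024]
```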

3. NACL, SG, VPC Flow Logs

Okay, so now let's talk about how we can establish connectivity between a VPC and other structures. The first thing is called VPC peering. Say you have two virtual private clouds. They're either in two different accounts or in two different regions, and you want to connect them together as if they're part of the same network. So we want to connect two VPCs privately using the AWS network, and it's going to make them behave as if they were in the same network. So we have VPC A and VPC B, and if we want to have them talk to one another, we need to establish a VPC peering connection from A to B. Very simple.

To make sure that these VPCs can be connected, you need to make sure that the IP ranges defined for each VPC are not overlapping. Because to be able to address the network of another VPC, you need to talk to an IP address, and obviously if the network ranges overlap, then the network doesn't know where to go. So to connect two VPCs you need to make sure that the IP address ranges they operate on are different and not overlapping. And a VPC peering connection is not transitive, so it must be established for each pair of VPCs that need to communicate with one another. What I mean is that if we connect VPC C through a VPC peering connection between A and C, B and C cannot talk to each other.

There is no transitivity in VPC peering. That means that if I want to establish connectivity between VPC B and VPC C, then I need to create its own VPC peering connection between B and C. That's what it means that VPC peering is not transitive, so as you add more and more VPCs, you need to add more and more peering connections. Okay? That's number one. Number two: VPC endpoints, which are going to be very important going into this exam. Endpoints allow you to connect to AWS services using a private network instead of using the public Internet. Something you maybe didn't know is that all the AWS services are public. Okay? And so anytime your EC2 instances, for example, use the AWS services, they talk publicly to AWS.
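The routing behaviour described above, modelled in Python as an added example that is not part of the course: longest-prefix lookup in a route table, a public subnet whose default route points at the Internet gateway, a private subnet that reaches the Internet through a NAT sitting in the public subnet, and peering that rejects overlapping CIDRs and only carries traffic for the peer's own range, so it is not transitive. The tuple encoding of route targets and the names public-a, private-a and igw-example are this example's own conventions.

```python
import ipaddress

class RouteTable:
    """One VPC route table. Lookup is longest-prefix match, which is how the VPC router
    picks a route, and the VPC's own CIDR is always present as the implicit 'local' route.
    Targets are tuples, a convention of this example only: ("local",), ("igw", id),
    ("nat", name of the public subnet the NAT lives in), ("pcx", peer VPC CIDR)."""
    def __init__(self, vpc_cidr):
        self.routes = [(ipaddress.ip_network(vpc_cidr), ("local",))]

    def add_route(self, cidr, target):
        self.routes.append((ipaddress.ip_network(cidr), target))

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        hits = [(net, tgt) for net, tgt in self.routes if ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def subnet_kind(rt):
    """public: default route to an Internet gateway; private: default route to a NAT;
    isolated: no default route, so no Internet path at all."""
    default = next((t for net, t in rt.routes if net.prefixlen == 0), None)
    return "isolated" if default is None else ("public" if default[0] == "igw" else "private")

def trace(tables, subnet, dst_ip):
    """Follow a packet hop by hop through the route tables (subnet name -> RouteTable)."""
    hops = [subnet]
    for _ in range(4):                          # a NAT hop re-enters the loop once
        target = tables[subnet].lookup(dst_ip)
        if target is None:
            return hops + ["dropped: no route"]
        if target[0] == "local":
            return hops + ["delivered inside the VPC"]
        if target[0] == "igw":
            return hops + [target[1], "internet"]
        if target[0] == "pcx":                  # a peering only carries the peer's own CIDR
            reachable = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(target[1])
            return hops + ["peering", f"delivered to {target[1]}" if reachable else "dropped: not transitive"]
        subnet = target[1]                      # NAT: continue from the NAT's public subnet
        hops.append(f"nat in {subnet}")
    return hops + ["dropped: routing loop"]

def can_peer(cidr_a, cidr_b):
    """AWS refuses a peering connection between VPCs whose CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def build_example():
    """Constructed VPC A (10.0.0.0/16): public subnet with an IGW, private subnet with a NAT,
    peered with VPC B (10.1.0.0/16); VPC C (10.2.0.0/16) is peered only with B."""
    public, private = RouteTable("10.0.0.0/16"), RouteTable("10.0.0.0/16")
    public.add_route("0.0.0.0/0", ("igw", "igw-example"))
    private.add_route("0.0.0.0/0", ("nat", "public-a"))
    for rt in (public, private):
        rt.add_route("10.1.0.0/16", ("pcx", "10.1.0.0/16"))   # route to peer B
        rt.add_route("10.2.0.0/16", ("pcx", "10.1.0.0/16"))   # mistaken attempt to reach C via B
    return {"public-a": public, "private-a": private}
```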

But sometimes your EC2 instances are not connected to the public subnets, and therefore you want to have them access your AWS services privately. This is the VPC endpoint, and it gives you enhanced security and lower latency to access AWS services. Let's take an example. We have a private subnet and an EC2 instance in it, and it wants to access Amazon S3 and DynamoDB, which are outside of the VPC in the public realm. Then we can create a VPC endpoint gateway, and this is only for S3 and DynamoDB. So: endpoint gateway, and we'll see what S3 and DynamoDB are in this course, obviously. So your EC2 instance talks to the VPC endpoint and has access to S3 and DynamoDB privately.

As you can see, the traffic does not go through the Internet. Then there is the VPC endpoint interface; that's for the rest of the services, and that's only used within your VPC. So that means that we can create, for example, a VPC endpoint interface in your private subnet, and through that endpoint interface, with its ENI, we have private access to CloudWatch. So VPC endpoints are really, really helpful anytime you need private access from within your VPC to an AWS service, okay? That's what you need to remember. The other exams need to know the difference between gateway and interface. I don't believe you need to know it for the Certified Developer exam, but know that anytime the exam is asking you to privately connect to an AWS service, then a VPC endpoint is going to be the way.

Okay? So now, how do we establish connectivity between your on-premises data center, so that could be your office building for example, and your cloud VPC? The first way is called site-to-site VPN: you connect an on-premises VPN appliance to AWS. The connection will be automatically encrypted and will go over the public Internet. So in this example, we establish a VPN, a virtual private network, between your on-premises data center and your VPC, and that goes over the public Internet. That's very easy to set up, very quick; you can set it up in a matter of minutes and there you go. You have a private connection, or an encrypted connection rather, over the public Internet to your VPC.

The other option is Direct Connect, and it achieves the same purpose: to establish a connection between your on-premises data center and your VPC. But this time it is a physical connection. That means that the connection is going to be private; it will not go over the public Internet. It's going to be secure and fast, and it goes over a private network. And because it is a private line to your VPC, it takes at least a month to establish, because there is some work that needs to happen to have private connectivity to AWS. So this is called Direct Connect, and this is the private route.

As we can see, both the VPN and Direct Connect achieve the same purpose but in different manners and with different timelines. Note that if you use site-to-site VPN or Direct Connect, neither of these can access the VPC endpoints that we discussed before. Okay? VPC endpoints are just to access AWS services privately from within your VPC, not by connecting your on-premises data center, which is something you need to be aware of going into the exam. Okay? So that's it for the connectivity of your VPC in terms of VPC peering, VPC endpoints, site-to-site VPN and Direct Connect. I hope that was helpful, and I will see you in the next lecture.

4. VPC Peering, Endpoints, VPN, DX

So this was a heavy section, and without any hands-on, so that may have been confusing. But really I don't want to bog you down with hands-on, because this is not for Certified Developer. You just need to remember a few concepts out of this whole section. So I'm going to summarize everything in one slide, and trust me, you will be all set on all the VPC questions going into the exam. Okay? So don't stress out. The first one is VPC, which stands for Virtual Private Cloud. We've been using the default VPC all along this course when we created our EC2 instances. There's going to be one default VPC per AWS region we are using.

Subnets are tied to a specific Availability Zone; this is where we've been launching our EC2 instances, and they represent a network partition of your VPC. The Internet gateway is what gives our instances in public subnets access to the Internet, and it's defined at the VPC level. NAT gateways and NAT instances give Internet access, this time to our private subnets, so to our EC2 instances in private subnets. NACLs, network ACLs, are stateless subnet-level firewalls with inbound and outbound rules, whereas security groups, we've seen them before, are stateful. They operate at the EC2 instance level or the ENI level, and they can reference other security groups. Then VPC peering.

This allows us to connect two VPCs together as long as their IP ranges are not overlapping. And VPC peering is not transitive, therefore you need to establish VPC peering connections between all your VPCs if you want to have them connected with each other. VPC endpoints provide you private access to AWS services from within your VPC, and that is something that we will see in future lectures for some services. VPC flow logs give you your network traffic log, to make sure that you can debug when something gets access denied, when traffic is blocked or allowed within your VPC. Finally, to establish a connection from your on-premises data center to AWS.

You have the site-to-site VPN, which is a VPN connection over the public Internet, and Direct Connect if you want a direct private connection to AWS. So don't stress if you didn't understand everything in that section; you can come back to it later. As I said in the course, I will be highlighting all the specific VPC features we need, and then come back to it if you want at the end. But don't stress out. I'm really serious about it. I just wanted to give you a bit more information than what you needed, just to make sure we are on the same page, and let's move on with this course. Trust me, it's going to get a lot more developer-focused very, very soon. All right, that's it. I will see you in the next lecture.

5. VPC Cheat Sheet & Closing Comments

Okay, so now let's quickly talk about bastion hosts. We can use a bastion host to access our databases that are in private subnets. It could be an RDS database, an ElastiCache cluster or a Redshift database, et cetera. The idea is that you have a multi-tier architecture for your VPC with public and private subnets, and in this example I have a Redis ElastiCache server in my private subnets. Now I'm going to create what's called a bastion host in my public subnet, which is very simply an EC2 instance that we have connectivity to and that has connectivity into the private subnet. The bastion host users are going to SSH into the bastion host, and from there they will be able to access the private subnet, because the public subnet is connected to the private subnet in our VPC.

So by SSHing onto the bastion host, we are able to issue commands directly against ElastiCache. Now, to do so, you need to make sure that the bastion host security group is hardened and allows the connection in from the public. So be very aware that the security around your bastion host is critical. And also you need to make sure that the security group around your ElastiCache cluster allows the security group of the bastion host in. As soon as you're done, then you will have network connectivity. Very simple, something you should already know, but good to remind you in the context of this exam. So that's it. I hope you liked it, and I will see you in the next lecture.
