Amazon AWS Certified Solutions Architect Professional SAP-C02 Topic: Design for New Solutions Part 9
December 16, 2022

81. Implementing Software Based VPN – Part 01

Hey everyone, and welcome back. In today's video, we will be discussing how we can implement the VPN architecture that we were discussing in the earlier video. So in this type of architecture, you have your computer here, then you have a VPN server here, and then you have an instance in a private subnet. So this VPN server can itself be an EC2 instance. So let's look at how we can do that. The first thing we'll do is go to the EC2 console. There are a lot of software-based VPNs available; you also have hardware-based VPNs, but we'll be using a software-based VPN for our demo for simplicity. So let's click "Launch an instance," navigate to the AWS Marketplace, and search for "OpenVPN." OpenVPN is quite a famous product.

So we'll be using the "Bring your own license" one, which is eligible for the free tier. I'll click on "Select." Within this column, if you look at the software charges, they are zero, and the charges that you see under the total column are basically the EC2 instance charges. So let's click on "Continue." I'll be using the t2.micro, which comes under the free tier. Now within here, I'll enable the subnet setting for auto-assigning a public IP, so that a public IP gets assigned to the VPN instance. I'll click on storage. Storage is fine. I'll click "Review and Launch" and keep the SSD boot volume it suggests. Let's click on "Launch." I'll click on "I acknowledge" and launch the instance. The initial launch might take a little time, because when you launch an AMI from the Marketplace, it first has to subscribe you to the product. As you can see, the launch is initiated after the subscription is successful.

So this is our VPN instance. Let's click here; I'll just call it "Public VPN." Let's quickly wait a moment for the status checks to be two out of two. Great. So it has been a few minutes, and our instance state is running. The status check is still initializing, but we should be able to connect. So let's try it out. I'll copy the public IP and quickly do an nc on port 22. Great. So we are able to connect to the server on port 22. So let's try to log in. I'll specify the key and answer yes. Remember that for the OpenVPN Access Server AMI, the SSH user is openvpnas. Great. So it is asking for the license agreement; I'll say yes. These are basically the configuration details, and I'll just accept the defaults. I'll leave the admin UI port as it is. For the license key, you can just press Enter, and it initializes your OpenVPN server. Great. So this is the administrator UI address. Let me just open this up.

So, since a proper certificate is not configured, this browser warning is something that you will see, and then it asks you for a username and password. For the password, what we need to do is switch to root and change the password for the openvpn user. I'll put in my password here. Great. So this is the password for the openvpn user, and the username for the web UI login page is openvpn. So let's try it out. I'll put the openvpn user here and the password that we just reset. This is the license agreement that you will have to accept. And this is what the console looks like. Now, even though we have not configured any license key, you can still connect to the OpenVPN server.

Now, they have certain restrictions, like the fact that you can have a maximum of two concurrent connections, so those restrictions would be there. But if you need more users for your organisation, you can put in a licence key. Anyway, this is how the console looks. Now, OpenVPN is a great solution. In fact, I have been using this for enterprises for more than four years, where we had more than 100 or 150 connected users, and it really works very well. So, this is a high-level overview of how you can configure the VPN. However, this practical is still incomplete because we have not yet tested the connectivity to the private instances. So let's go ahead and do that in the next video.

82. Implementing Software Based VPN – Part 02

Hey everyone, and welcome back. Now in the earlier video, we had configured our OpenVPN instance. So in today's video, we will look into whether the connectivity works as expected in the architecture. In order for us to do that, let's launch one instance of type t2.micro. So I'll just do a review and launch, and I'll select my key pair. Great. So let's name this instance. Let's assume that this is a private instance. All right. The next step is to establish a connection to this VPN server. Now, if you recall from the CyberGhost VPN video, we were connected to the CyberGhost VPN.

So this is just the browser. This is not a connection to the VPN. In order to connect to the VPN, you will typically need a VPN client. So in my case, I have OpenVPN Connect installed. This is how OpenVPN Connect looks. So I'll just click here, and then I'll click on connect. This is where you will need to enter the IP address of your VPN server. In my case, I'll put in the public IP of the VPN server we launched and click on "Continue." So now you have to enter the username and password. Let's use the username and password we set up.

It is basically saying that the certificate is untrusted, because the server is still using its self-signed certificate. We'll just select yes. I'll click on "yes" again. (Clicking through here is trusting the server on first use; for anything beyond a lab, install a proper certificate on the server or verify its fingerprint before accepting.) And now, if you see, there is a green symbol over here, which is basically saying that it is connected. So in order to verify if things are working, let's do one thing. Let's try to connect to this EC2 instance over the private IP. So even though it has a public IP, we will not use the public IP; let's try to connect via the private IP. From my CLI, I'll quickly do an nc -zv on the private IP on port 22. Great. So it says that the connection has succeeded. Let's quickly try to log in here, and you will see that it is working as expected. Great. So this is how the VPN works at a very high level. I hope you understood the architecture on the VPN part.

So first is the EC2 instance. On an EC2 instance, you can install a software VPN. It can be OpenVPN or another product. Then you have a VPN client. The VPN client connects to this VPN server, and then your traffic to the private subnet can be routed through it. Along with that, I'll also show you the link in case you want to download the OpenVPN Connect client. So if you look here, this is the OpenVPN client for Windows, and if you click here, it will go ahead and install it for you. In my case, I already had it installed because I use it with some of my clients. So that's about it for the VPN video. I hope this video has been informative for you, and I look forward to seeing you in the next video.
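As an added example that is not part of the course, here is a small Python model of how EC2 security groups evaluate the flows in this topology, so you can check the least-privilege layout offline before building it: the VPN server takes the tunnel port from anywhere but exposes its admin UI and SSH only to an admin range, and the private instance accepts SSH only from the VPN server's security group (OpenVPN Access Server NATs client traffic to the server's VPC address by default, so that is the source the private instance sees). The group IDs, the admin range 203.0.113.0/24, and every address below are constructed for the example; the "weak" layout mirrors the open-to-anywhere rules you end up with by accepting defaults and then opening port 22 to everyone.

```python
"""Model of EC2 security-group evaluation for the software-VPN topology.

Added example, not code from the course or from AWS. Security groups are
stateful allow-lists: a flow is permitted if any ingress rule matches, the
source being either a CIDR or another security group. Group IDs, the admin
range 203.0.113.0/24 and all addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # source CIDR, or ...
    source_sg: Optional[str] = None  # ... source security-group ID

    def matches(self, protocol: str, port: int, src_ip: str, src_sgs: set) -> bool:
        if protocol != self.protocol or not self.from_port <= port <= self.to_port:
            return False
        if self.cidr is not None:
            return ip_address(src_ip) in ip_network(self.cidr)
        # Group-referenced rule: matched on the sender's group membership,
        # not on its address.
        return self.source_sg in src_sgs


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)

    def allows(self, protocol: str, port: int, src_ip: str,
               src_sgs: Iterable[str] = ()) -> bool:
        # No deny rules and no ordering: any matching rule permits the flow.
        groups = set(src_sgs)
        return any(r.matches(protocol, port, src_ip, groups) for r in self.ingress)


ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "203.0.113.0/24"   # constructed: where administrators connect from

# Weak layout: every port the VPN server uses is open to the internet, and
# the "private" instance has port 22 opened to everyone.
weak_vpn_sg = SecurityGroup("sg-vpn-weak", [
    Rule("tcp", 22, 22, cidr=ANYWHERE),
    Rule("tcp", 943, 943, cidr=ANYWHERE),    # admin UI reachable from anywhere
    Rule("tcp", 443, 443, cidr=ANYWHERE),
    Rule("udp", 1194, 1194, cidr=ANYWHERE),
])
weak_private_sg = SecurityGroup("sg-private-weak", [
    Rule("tcp", 22, 22, cidr=ANYWHERE),
])

# Hardened layout: only the tunnel ports are public; admin UI and SSH are
# limited to the admin range; the private instance accepts SSH only from
# members of the VPN server's group.
vpn_sg = SecurityGroup("sg-vpn", [
    Rule("udp", 1194, 1194, cidr=ANYWHERE),  # UDP tunnel for clients
    Rule("tcp", 443, 443, cidr=ANYWHERE),    # TCP tunnel / client web service
    Rule("tcp", 943, 943, cidr=ADMIN_CIDR),  # admin UI
    Rule("tcp", 22, 22, cidr=ADMIN_CIDR),    # SSH
])
private_sg = SecurityGroup("sg-private", [
    Rule("tcp", 22, 22, source_sg="sg-vpn"),
])

INTERNET_HOST = "198.51.100.7"   # constructed: some random internet address
VPN_SERVER_VPC_IP = "10.0.1.10"  # constructed: VPN server's private address


def ssh_open_to_internet(sg: SecurityGroup) -> bool:
    """Can an arbitrary internet host open port 22 on an instance in sg?"""
    return sg.allows("tcp", 22, INTERNET_HOST)


def ssh_open_via_vpn(sg: SecurityGroup) -> bool:
    """Can the VPN server (a member of sg-vpn) open port 22 on an instance in sg?"""
    return sg.allows("tcp", 22, VPN_SERVER_VPC_IP, src_sgs=["sg-vpn"])


def admin_ui_open_to_internet(sg: SecurityGroup) -> bool:
    """Can an arbitrary internet host reach the admin UI on port 943?"""
    return sg.allows("tcp", 943, INTERNET_HOST)


if __name__ == "__main__":
    for label, p_sg, v_sg in (("weak", weak_private_sg, weak_vpn_sg),
                              ("hardened", private_sg, vpn_sg)):
        print(f"{label}: ssh to private from internet={ssh_open_to_internet(p_sg)}, "
              f"ssh via vpn={ssh_open_via_vpn(p_sg)}, "
              f"admin ui from internet={admin_ui_open_to_internet(v_sg)}")
```

The group-referenced rule on the private instance is the key point: it keeps working if the VPN server's address changes, and it means the private instance is unreachable on port 22 except through the tunnel, which is what "private subnet" was supposed to buy you in the first place.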

83. Different Load Balancer Types in AWS

Hey everyone, and welcome back to the KPLabs course. So, in today's lecture, we'll go over the various load balancer types available on AWS. Many years ago there was only one load balancer available, and that was the Classic Load Balancer. But as time went by, AWS launched other types of load balancers, which are an improvement over the Classic Load Balancer. This is why it is important to understand the various types of load balancers and their associated use cases. As of now, AWS offers three major types of load balancers: the Classic Load Balancer, the Network Load Balancer, and the Application Load Balancer. Classic Load Balancers are the old-generation load balancers, and they should only be used if you still have instances in the EC2-Classic network.

If you do not have one, then it is really recommended that you migrate to either an Application Load Balancer or a Network Load Balancer. So in order for us to understand the comparison, we'll go into the official documentation link; I don't want to copy and paste the same thing again. So you see, there are three types of load balancers. A Classic Load Balancer, as we've already discussed, is useful if you have instances in the EC2-Classic network. If not, you should migrate to an Application or Network Load Balancer. When comparing the feature sets of the Classic Load Balancer and the Application Load Balancer, all of the layer 7 features found in the Classic Load Balancer are also found in the Application Load Balancer. One thing that is not supported by the Application Load Balancer is the TCP protocol, because it works only at layer 7.

So for that, you have the Network Load Balancer. Now there are a few interesting comparisons that I would like to show you in this lecture. One is the introduction of static and Elastic IP addresses. This was one of the most requested features. Earlier, with the Classic Load Balancer, you only had a DNS name, and the IP addresses behind it kept changing, which used to be a big pain whenever someone needed to allow-list the load balancer in a firewall. The Network Load Balancer gives you a static IP address per Availability Zone, and you can attach your own Elastic IP, which is why many organisations use the Network Load Balancer. The Application Load Balancer also has many advantages, and rather than simply showing you these feature sets, we'll devote an individual lecture to each of these load balancers and discuss them in detail with practical examples.

Before we conclude this lecture, I wanted to show you that I have a Classic Load Balancer, and AWS actually offers you a migration wizard where you can migrate your Classic Load Balancer to an Application Load Balancer. So this is the migration plan if you intend to do so. The Application Load Balancer is a great fit if you are using a Classic Load Balancer at layer 7 to serve websites over HTTP/S. Anyway, we'll be discussing more about this in the upcoming lectures. When you click on "Create Load Balancer," you see there are three types of load balancers that can be created, and the Classic Load Balancer is in the grey area. Of all the newer features that AWS releases, none are for Classic. All of AWS's new features are either for the Network or the Application Load Balancer. So Classic is like Windows XP, while these two are like Windows 10: the latest features and the latest updates come here.

84. Overview of Classic Load Balancer

Hey everyone, and welcome back to the KPLabs course. So in today's lecture, we'll look at an overview of the Classic Load Balancer, which is also generally referred to as the "first generation" of load balancers in AWS. Classic Load Balancers are the older generation of load balancers provided by AWS, and they work both for instances that are part of a VPC and for instances that are part of the EC2-Classic network. Classic Load Balancers provide a basic set of features for all the protocols, which can be HTTP, HTTPS, TCP, and SSL. So it is like the basic load balancer functionality: it supports all the protocols, but only the basics. There is a lot of necessary functionality that is not supported by the Classic Load Balancer.

These features have now been moved to the next generation of load balancers, which can be either Application Load Balancers or Network Load Balancers. So let's look at how we can implement a Classic Load Balancer. I have two instances for demonstration purposes. The first is called kplabs-one and the second is called kplabs-two. If I quickly open kplabs-one and put in the IP address, you see that I have a default page installed. We'll do the same thing for kplabs-two so that you can get familiar with how I did that. So now that I'm connected to kplabs-two, we'll quickly install the NGINX package. Perfect. The default document root is /usr/share/nginx/html, and if you quickly go ahead and edit index.html and go a bit down, this is the part we are interested in. So just quickly replace "NGINX" with "Server Two," and I'll remove the latter part.

Once you've edited this, just start NGINX, and once NGINX has started, open up the IP address and verify that you are able to see the NGINX page. Perfect. So you now have server one and server two. Great, so we are off to a good start for the practical. Now let's go to the load balancers and click on "Create Load Balancer." There are three types of load balancers. Let's begin with the Classic Load Balancer. In today's lecture, I'll name it kplabs-classic. The VPC in which this load balancer needs to be present should be the same VPC where we have our instances. The kplabs instances are in the default VPC, so I'll just select that VPC. Perfect.

So that is the default VPC. Now, the load balancer protocol: as we already discussed, this is a basic load balancer that supports all the protocols. We'll use the HTTP protocol for the time being. Let's assign a security group, or rather, create a new security group where port 80 is open for everyone. The health check would be on /index.html, with the interval set to ten seconds. Let's add the EC2 instances, and it seems that it is showing all the servers as stopped, which is quite interesting. The reason this is happening is the browser cache. So in case you get something similar, just sign out and log in again. I recall one of my colleagues running to us, saying that things were acting strangely in AWS, and all he needed to do was clear the cache in his browser and everything seemed to work fine.

So let's come back to the topic. I'll go to the load balancers and create a load balancer again. I'll name it kplabs-classic, keep the same HTTP protocol, and create a new security group, also called kplabs-classic. Let me change the interval to 10 seconds. Great. As you can see, the older stale entries are gone. So we actually learned one off-topic thing that can be very useful. I'll click Add, then Review, and finally Create. Perfect. So the load balancer has been created, and this is our load balancer. Let's wait for a minute or two. Right now the instances are showing as OutOfService, and it will take some time for them to become InService. Before that, we have to make sure that the load balancer can connect to the EC2 instances. So let's look into the security group of the EC2 instances, and it does not seem to allow the traffic. So just allow port 80 for everyone. Perfect. (For anything beyond a lab, allow port 80 only from the load balancer's security group, so that the instances cannot be reached directly and the load balancer cannot be bypassed.) Let's verify that the security group has been updated. Perfect.

So let's just wait a minute, and the status should be "InService." Perfect. The status of the instances is now InService. If you go to the description, this is the DNS name that is associated with the Classic Load Balancer. I'll copy the DNS name and put it in the browser, and now you see I am able to reach both servers. It is actually switching between server one and server two. So this is what a Classic Load Balancer is all about. This is essentially the feature set supported by the Classic Load Balancer: just the health checks, the listeners, and the monitoring. If you look into the migration, AWS actually recommends that you migrate to the Application Load Balancer. There are certain reasons why AWS asks you for that. First, the Classic Load Balancer does not support the HTTP/2 protocol natively; that is only supported by the Application Load Balancer. There are a few other interesting things here, such as IP addresses as targets not being supported.

IP addresses as targets means the following: with a Classic Load Balancer, we select which EC2 instances we want to place behind the load balancer. The Application Load Balancer, however, also supports IP addresses as targets. So instead of an EC2 instance, you can register an IP address, and that IP address can be on-premises or in a different location, as long as it is reachable from the VPC (for example over Direct Connect or a VPN connection), so it does not necessarily have to be in AWS, which is really interesting. Third, which is quite an important feature, path-based routing is not supported. For example, if you want the /images URI to go to server one and every request for a PHP file to go to server two, this type of path-based routing is not supported by the Classic Load Balancer. SNI is also not supported, and nowadays, in the age of Docker containers, it matters that the Classic Load Balancer does not support multiple ports on the same instance. There are a lot of other features the Classic Load Balancer does not support. So this is it for the overview of the Classic Load Balancer. In the relevant sections, we'll be discussing more about Application Load Balancers, and we'll look into how they compare to the Classic Load Balancer. Thanks for watching.

85. Overview of Application Load Balancer

Hey everyone, and welcome back to the KPLabs course. So in today's lecture, we'll discuss the Application Load Balancer and have a little demo of how an ALB really works. As we already discussed, the Application Load Balancer is one of the next-generation load balancers provided by AWS. Because it is an application-layer load balancer, it supports the HTTP and HTTPS protocols. There are a lot of new features in the ALB when compared to the Classic Load Balancer. Some of them are path-based routing, host-based routing, registering targets by IP address, SNI support, and load balancing to multiple ports on the same instance, which is very useful for Docker containers, plus a lot of other features. So, instead of giving you the entire feature list, I decided to focus on a few of them in great detail, because that will give you a much better understanding than a simple list and comparison table.

So we'll discuss path-based routing, which is very interesting and also quite useful. What exactly is path-based routing? Requests are routed based on the URI path. For example, whenever a request comes in for example.com/images, we can tell the load balancer that whenever the /images path is present, it should send that request to server one. Then you have another example where the path is /work: if the load balancer finds /work in the URI, it will forward that request to server two. This is what is meant by path-based routing. Let's understand this with a simple diagram, where you have two servers and you have the Application Load Balancer, which is connected to both servers. Now, whenever a user visits the domain and requests something under /images, the Application Load Balancer will send that request to the server that is configured for that path. When a user requests something under /work, it will forward it to server two. This is called "path-based routing," and it is handled completely by the Application Load Balancer; the client is not redirected, the load balancer simply forwards the request to the target group whose rule matches.

So I'll just give you one demo of what exactly that would look like. I have two servers configured: one of them serves /images and the other serves /work. Let me show you exactly what I mean by this. This is just a demo, so you can just watch it for the time being, and when necessary, we'll implement it. So here we have the kplabs-one server. This is the server where I have a directory called images. I'll copy the public IPv4 address, and if I go to /images/galaxy.jpg, I find a beautiful picture of the Andromeda galaxy. This is really amazing. When I see photos of galaxies with millions of stars, it makes me wonder what we are doing with our lives. Such a big universe. Anyway, coming back to the topic, this is the first server. I have the directory /work on the second server. So this is the second server, and when I open work.txt, you can tell I prefer work to travel.

So these are the two servers and the two URI paths associated with each of them. Now, coming back to the interesting part, I have an Application Load Balancer that is in the active state. This is the DNS name of the Application Load Balancer. Whenever I request /images/galaxy.jpg, the request will hit the Application Load Balancer. The Application Load Balancer will look at the URI path, which here is /images. As soon as it finds /images, it will forward the request to server one. So when I press Enter, you can see that I automatically get the galaxy photo.

Now let's try one more; this time I'll put /work/work.txt, and again, as soon as the Application Load Balancer finds that the URI is under /work, it will automatically send it to the second server. So when I press Enter over here, you see, "I like work and no travel." This is what path-based routing is all about. Now, we have actually done quite interesting things with this Application Load Balancer. Let me just show you: within the target groups, you see I have actually registered an IP as the target instead of instances. Anyway, we'll take each feature one by one; if we discuss everything together, it will become a bit confusing. So this is it for the high-level overview of the Application Load Balancer and one of its features, path-based routing. In the upcoming lecture we'll go ahead and implement a new Application Load Balancer, and we'll look into how exactly things work. This is it, and I look forward to seeing you in the next lecture.
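The path-based routing shown above is decided by listener rules, and the details of how an ALB evaluates them are where people usually get caught out. As an added example that is not part of the course or of AWS, the Python below reproduces the documented rule semantics so you can test a rule set offline: rules are evaluated in priority order (lowest number first), a path-pattern condition is compared case-sensitively against the request path only (never the query string), "*" matches zero or more characters and "?" exactly one, a pattern is at most 128 characters, and the listener's default action is used when no rule matches. The target-group names and the rules are constructed to mirror the two-server demo; in particular, a pattern of just "/images" would match only the bare path, not /images/galaxy.jpg, which is why each rule carries two patterns.

```python
"""ALB listener-rule evaluation for path-based routing.

Added example, not code from the course or from AWS. It reproduces the
documented rule semantics: rules are evaluated in priority order (lowest
number first), a path-pattern condition compares case-sensitively against
the request path only (never the query string), '*' matches zero or more
characters and '?' exactly one, a pattern is at most 128 characters, and
the listener's default action is used when no rule matches. Target-group
names and rules are constructed to mirror the two-server demo.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def _to_regex(pattern: str):
    # Escape everything, then restore the two ALB wildcards.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def path_matches(pattern: str, path: str) -> bool:
    """True if the request path satisfies a single ALB path-pattern value."""
    if not 1 <= len(pattern) <= 128:
        raise ValueError("ALB path patterns must be 1 to 128 characters")
    return _to_regex(pattern).match(path) is not None


class Listener:
    """One listener: a priority-ordered rule list plus a default forward action."""

    def __init__(self, default_target_group: str):
        self.default_target_group = default_target_group
        self.rules: List[Tuple[int, List[str], str]] = []

    def add_rule(self, priority: int, path_patterns: List[str], target_group: str) -> None:
        if not 1 <= priority <= 50000:
            raise ValueError("rule priority must be between 1 and 50000")
        if any(p == priority for p, _, _ in self.rules):
            raise ValueError(f"priority {priority} is already used")
        self.rules.append((priority, list(path_patterns), target_group))

    def route(self, url: str) -> str:
        """Return the target group a request for `url` is forwarded to."""
        path = urlsplit(url).path or "/"      # query string plays no part
        for _, patterns, target_group in sorted(self.rules, key=lambda r: r[0]):
            if any(path_matches(p, path) for p in patterns):
                return target_group
        return self.default_target_group


# Constructed listener mirroring the demo: /images to server one,
# /work to server two, everything else to a default group. Note the two
# patterns per rule: "/images" alone would match only the bare path, not
# "/images/galaxy.jpg".
listener = Listener(default_target_group="tg-default")
listener.add_rule(10, ["/images", "/images/*"], "tg-server-one")
listener.add_rule(20, ["/work", "/work/*"], "tg-server-two")


def route_demo(urls: List[str]) -> Dict[str, str]:
    """Route a batch of URLs; returned as url -> target group."""
    return {u: listener.route(u) for u in urls}


if __name__ == "__main__":
    for url, tg in route_demo([
        "http://alb.example/images/galaxy.jpg",
        "http://alb.example/work/work.txt",
        "http://alb.example/Images/galaxy.jpg",   # case-sensitive: no match
        "http://alb.example/images?x=1",
        "http://alb.example/",
    ]).items():
        print(f"{url} -> {tg}")
```

Two things worth keeping in mind when you reproduce this in the console: priorities decide which rule wins when patterns overlap, so a broad "/*" rule at a low priority number will shadow everything after it, and because matching is case-sensitive, /Images/ falls through to the default action rather than to the images servers.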
