Amazon AWS Certified SysOps Administrator Associate – Networking – VPC Part 6
June 22, 2023

12. [SAA] VPC Endpoints

Our diagram is getting fuller and fuller by the day. So now let’s talk about how we talk to AWS services. As we know, DynamoDB, CloudWatch, S3: these are all within the AWS cloud. But if we want to access them right now from a private EC2 instance, what we need to do is have that EC2 instance talk to our VPC’s NAT gateway and then to the Internet gateway.

And then all of a sudden there is a route through the public Internet directly into, for example, DynamoDB. That is problematic, because we’d like all this traffic to remain private; DynamoDB, after all, is a service offered within AWS. So enter VPC endpoints. VPC endpoints are meant for you to access AWS services within a private network. So how does that work? Well, with VPC endpoints, we’ll create maybe an endpoint to S3 or an endpoint to CloudWatch.

There’s a way to create endpoints to many different AWS services. And our instances, through a route table, will be able to, for example from a private subnet, access that endpoint directly and talk to the Amazon S3 or Amazon CloudWatch service privately, which is really cool. But this is something we have to set up ourselves; it is not available out of the box. So VPC endpoints allow you to connect to AWS services using a private network instead of the public Internet. They scale horizontally and they’re redundant. So it’s really good.

And they remove the need to set up an Internet gateway, a NAT gateway, et cetera, to access all these AWS services. There are two kinds of VPC endpoints. There is the interface VPC endpoint, which provisions an ENI (a private IP address) as an entry point, and we must attach a security group to it. That is how most AWS services work. And then there is the gateway endpoint, which provisions a target that must be used in a route table. For example, S3 and DynamoDB are the two services that require a VPC gateway endpoint. Don’t worry, we’ll see this in the hands-on right now.

Now, in case of issues, there are two things to check. You need to check the DNS settings for resolution in your VPC; we’ve seen this before. And the other thing to check, if you have a gateway endpoint, is the route table, to make sure that the traffic does indeed go straight into the gateway. All right, let’s have a go at this. In this lecture, we’ll set up S3 as a gateway endpoint. For this we just need to do a few bits of setup. First, we’re going to go to our EC2 instances and to our private instance, and we’re going to assign it an IAM role that has access to S3. So I’m just going to quickly go into IAM to create a role that has full access to S3.

So for this, I go to Roles. In here I’ll create a role for EC2 and click on Next: Permissions. Then I’ll search for S3 and it will show AmazonS3FullAccess, which is a great policy. Next: Tags. Next: Review. Then I’ll call it S3FullAccess and click on Create Role. Okay, the role has been created, so now I can go back to my EC2 instance and right-click on it. I go to Instance Settings, Attach/Replace IAM Role. Here we type S3FullAccess and apply it. Okay, so now let’s SSH into our... did I assign it to the wrong one? Now it’s assigned to the right one. So this one. Okay, so now let’s SSH into this private IP. For this we’ll run the SSH command on my instance.

On the right-hand side I can remove this one; we don’t need it. So we’re going to SSH into our private instance from my public instance and press Enter. And here we go, we’re in. And if I run aws s3 ls, I should get an answer from it. It says here are all the buckets available to me. So this works, right? But now what we’re going to do is completely cut off the Internet from that instance. So let’s go to our private route table.

And now we’re going to remove that route to the NAT gateway, because we want to remove Internet access. So I save the routes and here we go. Now our instance does not have access to the NAT gateway, and if I run aws s3 ls again, it just times out; it cannot access the S3 service over the public Internet. So now let’s solve this problem using a VPC endpoint. For this I’m going to go to Endpoints and create an endpoint.

Okay, this is great. I need to select a service category: it could be AWS services or Marketplace services. For now the only thing we really need to do is go to S3. But let’s look at the list first. These are all the AWS services. You can see there’s a lot of them and some of them are Interface type. Actually most of them are Interface, but S3 and another one up there, DynamoDB, are Gateway. So these two get a gateway setup and the others get an interface setup.

So let’s look quickly at an interface setup, for example CloudFormation. When you do an interface setup, you have to define which subnets your endpoint is going to live in, and then whether you want to enable a private DNS name. And for this it says: if you enable this, ensure that Enable DNS hostnames and Enable DNS support are set to true in your VPC.

So that’s a very common troubleshooting question. And then we need to assign a security group to this endpoint. But we’re not going to do this for CloudFormation right now. What we’re going to do is go straight to S3 and set up a gateway endpoint. When you set up a gateway, it’s a little bit different. You need to select your VPC, so we’ll select our demo VPC, and this will basically create a route with a destination prefix list that will be added to the route tables you select below. So let’s select the route table we want: our private route table. That’s this one, and I know it because if I hover over the subnets, it says private subnet A and private subnet B.

So I’ll click on this route table, and this route table will automatically be updated with a route to this destination, which represents Amazon S3, whose target is the VPC endpoint. Okay, policy is Full Access. This is if you wanted to control and restrict access through the VPC endpoint in some way; we’re not going to go over this right now. Click on Create Endpoint and the VPC endpoint has been created. If we look at it, it’s pointing to the S3 service name, it’s available, it’s a Gateway type of endpoint and it’s in our demo VPC. And under route tables, it’s associated with this route table ID, which is associated with two subnets. Now the tricky bit here is that if we look for this route table ID, we go back to Route Tables and look for it.

So we’ll filter, press Enter and go to Routes. As we can see, we now have the target of this destination, which is basically our endpoint, pointing to the VPC endpoint. So really, really cool. Now it says anytime you hit this destination, these CIDRs, which are basically the Amazon S3 CIDRs, go to this target. If you wanted to edit the routes, you could add a route, but you could not directly change this one in this UI. To change this one, you would have to go back to your endpoints and manage the route table association from there. So now let’s see if it works. Remember, this instance does not have access to the Internet. For example, if you curl google.com, it just does not work. But let’s run aws s3 ls.

And as we can see, things don’t work. So here is the trick: because we use the AWS CLI, and the default region of the AWS CLI is us-east-1. But if we go back to our VPC endpoint, it was provisioned for eu-west-1. So a very important thing to remember is that when you run these commands, make sure you select the region that you’re in. So eu-west-1, and now if I run this, it talks to the Amazon S3 endpoints in the region eu-west-1, and it works and I get the results. So it’s very, very important to understand that, because it could be a trick question at the exam as well.

But that’s it. As we can see, our private instance does have access to S3 in the region eu-west-1, and still cannot access google.com. So it is a way to take your private subnets and give them access to some AWS services without giving them full access to the Internet. That’s it for this lecture. I hope you enjoyed it, and I will see you in the next one.
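The lecture names three things that make an S3 gateway endpoint appear broken: the VPC DNS attributes, a route table without the prefix-list route to the endpoint, and a CLI pointed at a different region than the endpoint. The script below turns those three checks into code. It is an added example, not part of the course or of any AWS tooling: the dictionaries imitate the shape of describe-vpc-attribute, describe-route-tables and describe-vpc-endpoints output, but every id and value is constructed, and the PrefixListId key on the endpoint is something you would fetch separately from describe-prefix-lists in real use. Pass it only the route tables of the subnets that are supposed to reach S3 through the endpoint; the public table is included here just to show a finding.

```python
"""Checks for the three things the lecture says to verify when an S3 gateway
endpoint does not work: the VPC DNS attributes, the route table entry towards
the endpoint, and the region the CLI targets.

Added example, not from the course. The dictionaries below imitate the shape
of describe-vpc-attribute, describe-route-tables and describe-vpc-endpoints
output, but every value is constructed."""

from __future__ import annotations


def check_vpc_dns(vpc_attrs: dict) -> list[str]:
    """Private DNS names (interface endpoints) need both attributes true."""
    findings = []
    for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
        if not vpc_attrs.get(attr, False):
            findings.append(f"VPC attribute {attr} is false; private DNS names will not resolve")
    return findings


def check_gateway_route(route_tables: list[dict], endpoint: dict) -> list[str]:
    """Each route table must carry a route: destination = service prefix list,
    target = the gateway endpoint id. Subnets on a table without it still go
    out via the NAT gateway, or time out once that route is removed."""
    findings = []
    pl_id = endpoint["PrefixListId"]      # constructed; real use: describe-prefix-lists
    ep_id = endpoint["VpcEndpointId"]
    for rt in route_tables:
        ok = any(
            r.get("DestinationPrefixListId") == pl_id and r.get("GatewayId") == ep_id
            for r in rt.get("Routes", [])
        )
        if not ok:
            subnets = [a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a]
            findings.append(
                f"route table {rt['RouteTableId']} (subnets {', '.join(subnets) or 'none'}) "
                f"has no route {pl_id} -> {ep_id}"
            )
    return findings


def endpoint_region(endpoint: dict) -> str:
    """Gateway endpoints are regional; the region is embedded in the service
    name, which has the form com.amazonaws.<region>.s3."""
    return endpoint["ServiceName"].split(".")[2]


def check_region(endpoint: dict, cli_region: str) -> list[str]:
    """A CLI configured for another region calls that region's S3 endpoint,
    which this gateway endpoint never sees (the us-east-1 trap in the lecture)."""
    region = endpoint_region(endpoint)
    if cli_region != region:
        return [f"CLI region {cli_region} != endpoint region {region}; use --region {region}"]
    return []


def diagnose(vpc_attrs: dict, route_tables: list[dict], endpoint: dict, cli_region: str) -> list[str]:
    """All three checks in one list of findings; empty means nothing to fix."""
    return (check_vpc_dns(vpc_attrs)
            + check_gateway_route(route_tables, endpoint)
            + check_region(endpoint, cli_region))


# Constructed sample: DNS hostnames off, only the private table routes to the
# endpoint, CLI left on its default region.
VPC_ATTRS = {"EnableDnsSupport": True, "EnableDnsHostnames": False}
ENDPOINT = {
    "VpcEndpointId": "vpce-0example",            # constructed id
    "ServiceName": "com.amazonaws.eu-west-1.s3",
    "VpcEndpointType": "Gateway",
    "PrefixListId": "pl-0example",               # constructed id
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private0",
     "Associations": [{"SubnetId": "subnet-privA"}, {"SubnetId": "subnet-privB"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example"}]},
    {"RouteTableId": "rtb-public0",
     "Associations": [{"SubnetId": "subnet-pubA"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]

if __name__ == "__main__":
    for line in diagnose(VPC_ATTRS, ROUTE_TABLES, ENDPOINT, "us-east-1"):
        print("FINDING:", line)
```

With the sample data the script reports all three problems the lecture walks through; with the CLI set to eu-west-1 and only the private table passed in, the DNS hostnames finding is the only one left, and it matters only once you add interface endpoints with private DNS.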

13. [SAA] VPC Flow Logs + Athena

Flow logs. Flow logs help you capture information about the IP traffic going through your interfaces. There are three kinds of flow logs. You have the VPC flow log, which applies to everything within your VPC. You have the subnet flow log, which applies just to what’s within your subnet. And then you have the Elastic Network Interface (ENI) flow log, just for one network interface. So overall, if you define a VPC flow log, it includes the subnet flow logs and the ENI flow logs as well. Okay, so why would you do this? Well, maybe to help monitor and troubleshoot connectivity issues: in case some connections are rejected, we want to understand exactly why.

And so for this purpose, flow log data can go directly into S3 or CloudWatch Logs. When you enable it, it captures all the network information not only from what you own, but also from some of the AWS managed service interfaces such as ELB, RDS, ElastiCache, Redshift, and WorkSpaces. So in our diagram, what does it look like? We have a very complete diagram, but now we’re going to add VPC flow logs on the top right. The flow logs are collected at the VPC level, the subnet level or the ENI level; for now we’ll just say VPC level, and they go directly into CloudWatch and/or S3. Okay, so for flow logs, you are expected to understand how to read them, and we’ll be looking at flow logs in this lecture. Here is what one looks like.

There are a bunch of fields: version, account ID, interface ID, source address, destination address, source port, destination port, protocol, packets, bytes, start, end, action, and log status. So there are a lot of fields, but it’s important for you to understand the main ones. Source address and destination address will help you identify the problematic IPs, or filter by some IPs. Source port and destination port help you identify the problematic ports. And action will be success or failure; it’s called ACCEPT or REJECT in the flow logs directly. Basically, from this we can understand whether or not a security group or maybe a network ACL rule blocked our request.

It can be used for doing analytics on your usage patterns or observing malicious behavior. And we should be seeing malicious behavior in this lecture; we’ll see that in a second. There are tons of examples of flow logs at this URL; I recommend you read it in your own time. And then how do we query VPC flow logs? Because a CSV-like format like this doesn’t really help us. Well, we can use Athena on S3, or CloudWatch Logs Insights, and they’re really cool. We’ll see them both. So let’s get started. Enabling flow logs is super easy. You go to your VPC, the demo VPC, then Flow Logs, and in there we can create a flow log. So let’s create one, and we can set up a filter.

So do we want all the accepted requests, only the rejected requests, or both accept and reject? For now we’ll just take All, and then the destination: it could go either to CloudWatch Logs or to an S3 bucket. Let’s first do CloudWatch Logs. So let’s open CloudWatch: I’ll go to Services and type CloudWatch, and here we go. I’m going to create a log group for it. Within it, I’ll go to Logs and create a log group. So Actions, Create log group, and I’ll call it VPCFlowLogs and create that log group. Excellent. Now it’s been created, and I can go back to my VPC and the flow log creation page, refresh the log groups, and it will show VPCFlowLogs. For the IAM role, you need to select one to allow your VPC to write to CloudWatch.

Thankfully you can just click on Set Up Permissions here and this will automatically create an IAM role that has the required permissions. You can view the policy document right here. Click on Allow and here we go, done. So now we can go back to the IAM role field, click on the refresh button, scroll down and we’ll find it at some point. Or I’ll just type Flow in the search bar and we’ll find it for sure: the flow logs role. Here we go. Okay, click on Create. And now the flow log is created, and it will go into CloudWatch. Now this can take up to ten minutes to appear in CloudWatch or in S3, so we have to wait a little while. But for now let’s also create a second flow log. So we click Create Flow Log, and this time we’ll send it to an S3 bucket. We’ll have the All filter, and we have to enter a bucket ARN. So let’s go back here, maybe in this tab.

And I’m going to open S3. That’s my service. Excellent. I’ll create a bucket. Let’s keep something familiar: I’ll call it stephane-vpc-flow-logs, it’s going to be in Ireland, and I’ll go ahead and create it very quickly. So my bucket is now created; I’ll click on it and then I have a Copy Bucket ARN button here. I’ll copy that bucket ARN and paste it right here. You have to put the full ARN in there. Okay. Now it says a resource-based policy will be created for you and attached to the target bucket so that the VPC can send your logs to this bucket. Okay, click on Create and the flow log has been created. Excellent. So now we have our two flow logs right here being created. And let’s quickly check our S3 bucket.

We go to Permissions, Bucket Policy, and this was added by AWS itself to allow our flow logs to write to this bucket. Okay, so now what we have to do is just wait a little while. What you could also do is go to your instance, maybe the public one, and just curl google.com. Okay, this works. So you could just send a little bit of traffic to get things moving. But don’t worry, even if you don’t do anything, traffic will come. So I’ll just wait ten minutes until we start seeing some data in S3 and in CloudWatch. While we wait, I will also restore Internet connectivity in my private route table. So I’ll say: on top of using the VPC endpoint for S3, in case you go anywhere else, you’re going to use my NAT gateway.

In this way we also have traffic going through that second instance of mine. Okay. Excellent. So now let’s go to S3. Refresh: nothing here. And then CloudWatch. Oh, there are three ENIs already. So I’ll just scroll. Okay, maybe we’re interested in the ENI of my public instance. So let’s look at the right one. If we go to the EC2 console, we find that this public instance has the private IP ending in 8, and the network interface is this one; it looks like the network interface ID ends with b15. Okay, let’s have a look. We go back to CloudWatch, and we still don’t have anything on b15, so I’ll have to wait. Here it is. This is the second one. And we are getting a lot of information. As we can see, some of this traffic is REJECT and some of this traffic is ACCEPT. So it’s very, very interesting. It looks like some people are trying to access my EC2 instance because it’s public, and a lot of traffic gets rejected because it’s not authorized. So to prove this to you, let’s have a look at this one record. 2 is the version of this flow log. This is my account ID. This is the ENI that we have for this VPC flow log. And this is the source IP.

So if we look at this source IP and do an IP lookup, let’s see what this IP is. We’ll type in the IP, get the IP details, and it looks like this is a static IP from Japan. So someone in Japan is actually talking to my EC2 instance right now, but thankfully it’s rejected. And we can look at other IP addresses, for example this one; let’s look it up to see where it’s from. We’ll type it in, look it up, and this one comes from Ireland. Okay, so there’s a lot happening right here. And what you should realize is that some people over the Internet are scanning all the IP addresses and trying to find loopholes. So let’s go back to this first record.

So someone in Tokyo is trying to target my EC2 instance. Then the source port it came from is this one, and the destination port was this one: it tried to access port 766 on my EC2 instance. That’s a bit scary, right? Then there is 6, which means TCP; you’ll have to look it up in the protocol numbers table. Then this is the number of packets, this is the bytes, this is the start, this is the end. And it was rejected, and it was logged, so the log status is OK. So it’s super interesting to see someone’s request being rejected. But you could look at a lot of those.

Basically there are a lot of IP addresses on the Internet that will try to scan all your IPs on different ports to see if there is any flaw. Let’s look at this one, for example. This one is in Germany and is trying to attack my EC2 instance as well, but on port 8088. So everyone around the web, hackers mostly, are scanning for vulnerabilities and open ports. This is why you have to be very careful about the ports you open. So how do we analyze this at scale? Well, two ways. Number one is to go to S3. If I refresh this, I should see AWSLogs. I go deep into it and within it I get access to all my VPC flow logs as files. So I can download these files and keep these logs. Or we could use something like Athena, and this is a very popular question.

So how do you analyze VPC flow logs? Well, Athena will be the answer. We have a default database, but we can create a new one. Let’s create a new table. So let’s go and search for "Athena VPC flow logs example", and Google is going to be your best friend for this. Here we go, there’s a direct link and it says create a table. Then we need to modify the location. So let’s do this right now: we’ll go to Athena and paste this in. So CREATE EXTERNAL TABLE IF NOT EXISTS vpc_flow_logs, and that will go directly, I guess, into my default database. Then these are all the fields from my flow logs, it’s delimited by a space, and the LOCATION is where we need to specify the log bucket we have. So it’s the VPC flow logs bucket we defined earlier. So let me copy this right here. Then the prefix.

There is no prefix, then AWSLogs, then the account ID, which is right here, so I’ll copy it and paste it here, then vpcflowlogs, and then the region code eu-west-1. Let’s verify this. Yes, it’s good. Click on Run query. The query is successful and now I have a vpc_flow_logs table. The next thing I have to do is go back to the documentation and add a partition. Let me copy this statement right here. We go to Athena and replace this entire thing: we’re going to add a partition with its location. I’ll just copy this entirely to save time. The only things we have to replace are the year, month and day. This is quite manual; it’s something you can automate using Glue, but it’s out of scope right now. So let’s go to S3: 2019/01/10 is what we have. So 2019-01-10 for the partition, and 2019/01/10 in the location. That should work. Run the query, and now we’ve added a partition.

And if we go back to the documentation, we can for example run this query to find all the rejects on protocol = 6. We’ll copy this, go back to Athena and run the query. As we can see in a second, after all the data has been analyzed, we get all these rows, which show us the source IP address, all the rejects and the protocol. So it could be really interesting to do some analytics.

You can run any SQL query on your table. You could for example preview the table and this will show you the rows in the table; right now there’s a limit of ten, but you could see all the rows in here and start doing some very interesting SQL queries. And that’s it. This gives us a really good way of looking at VPC flow logs. I hope you enjoyed this lecture and I will see you in the next one.
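To make the record walkthrough and the Athena query from this lecture concrete offline, here is an added example (my code, not from the course or from AWS) that parses records in the default 14-field flow log format described above, renders one the way the lecture reads it off the console, and then runs the same "rejected traffic on protocol 6" analysis against an in-memory sqlite3 table standing in for the Athena table. The sample records are constructed: the account id, ENI id, addresses, ports and timestamps are placeholders, with ports 766 and 8088 echoing the lecture's own walkthrough, and the last record is a NODATA record to show how the dash-filled numeric columns are handled.

```python
"""Parse VPC flow log records in the default 14-field format the lecture reads
through, then run the same analysis as the Athena query (REJECTs on protocol
6, grouped by source) against sqlite3 as an offline stand-in for Athena.

Added example, not from the course or from AWS. The sample records below are
constructed: account id, ENI id, addresses, ports and timestamps are
placeholders (ports 766 and 8088 echo the lecture's walkthrough)."""

from __future__ import annotations

import sqlite3

# Field order of the default flow log format (the fields the lecture lists).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}
# IANA protocol numbers: the "table" the lecture says to look 6 up in.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample, one record per line, space delimited like the real files.
SAMPLE_LINES = [
    "2 123456789012 eni-0abc123de 203.0.113.45 10.0.1.8 40123 766 6 1 40 1547110000 1547110060 REJECT OK",
    "2 123456789012 eni-0abc123de 198.51.100.77 10.0.1.8 51000 8088 6 1 44 1547110000 1547110060 REJECT OK",
    "2 123456789012 eni-0abc123de 203.0.113.45 10.0.1.8 40124 766 6 2 80 1547110060 1547110120 REJECT OK",
    "2 123456789012 eni-0abc123de 192.0.2.10 10.0.1.8 33000 22 6 12 1500 1547110000 1547110060 ACCEPT OK",
    "2 123456789012 eni-0abc123de 198.51.100.77 10.0.1.8 53200 53 17 1 60 1547110000 1547110060 REJECT OK",
    "2 123456789012 eni-0abc123de - - - - - - - 1547110120 1547110180 - NODATA",
]


def parse_record(line: str) -> dict:
    """Split one record into typed fields. NODATA/SKIPDATA records carry '-'
    in the numeric columns, which are kept as None rather than crashing."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, raw in zip(FIELDS, parts):
        rec[name] = (None if raw == "-" else int(raw)) if name in INT_FIELDS else raw
    return rec


def describe(rec: dict) -> str:
    """Render a record the way the lecture reads one off the console."""
    proto = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return (f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
            f"{proto} {rec['action']} ({rec['packets']} packets, {rec['bytes']} bytes, "
            f"status {rec['log_status']})")


def load_table(lines: list[str]) -> sqlite3.Connection:
    """Load records into an in-memory table with the same columns the Athena
    CREATE EXTERNAL TABLE defines; identifiers are quoted because 'end' is a
    SQL keyword."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f'"{f}" {"INTEGER" if f in INT_FIELDS else "TEXT"}' for f in FIELDS)
    conn.execute(f"CREATE TABLE vpc_flow_logs ({cols})")
    rows = [tuple(parse_record(ln)[f] for f in FIELDS) for ln in lines]
    conn.executemany(f"INSERT INTO vpc_flow_logs VALUES ({', '.join('?' * len(FIELDS))})", rows)
    conn.commit()
    return conn


def rejected_tcp_by_source(lines: list[str]) -> list[tuple]:
    """The lecture's query: rejected TCP (protocol 6) traffic, here grouped by
    source address and destination port so a scanner stands out."""
    conn = load_table(lines)
    cur = conn.execute(
        "SELECT srcaddr, dstport, COUNT(*) AS hits FROM vpc_flow_logs "
        "WHERE action = 'REJECT' AND protocol = 6 "
        "GROUP BY srcaddr, dstport ORDER BY hits DESC, srcaddr"
    )
    return cur.fetchall()


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_record(line)))
    for srcaddr, dstport, hits in rejected_tcp_by_source(SAMPLE_LINES):
        print(f"{srcaddr} -> port {dstport}: {hits} rejected TCP flow(s)")
```

The GROUP BY is the part worth keeping when you move this to Athena: a single REJECT line tells you one connection was blocked, while a count per source and destination port across a partition is what separates a port scan from noise. The same parser also works on the files downloaded from the S3 bucket, since they are the same space-delimited records once unzipped.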
