About the talk
In this session, we walk through the fundamentals of Amazon Virtual Private Cloud (Amazon VPC). First, we cover build-out and design fundamentals for VPCs, including picking your IP space, subnetting, routing, security, NAT, and much more. We then transition to different approaches and use cases for connecting a VPC to a physical data center with a VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks that AWS makes available with Amazon VPC. Learn how you can connect VPCs with your offices and current data center footprint.
About speaker
Principal Architect at AWS helping customers and partners build innovative and groundbreaking solutions on AWS. Women in Tech advocate. Although I work at AWS, my opinions are my own. We are hiring; if you are interested in any roles at AWS (https://www.amazon.jobs/en/), I am happy to chat with you.
Transcript
Hello, everyone. Thank you for taking the time to attend the AWS networking fundamentals session today. I'm a Solutions Architect with AWS, and thank you again for attending the session. You might already be familiar with traditional data center network design, architecture and networking concepts. My goal for the next 30 minutes is to cover the AWS networking services and features that can help you build your network architectures on AWS. So let's jump right in.

With AWS, we have the concept of a Region. A Region is an isolated geographical area, and within this Region we have one or more, or multiple, Availability Zones. An Availability Zone can be one or more data centers that have redundant power and networking between them, and within these Availability Zones we have multiple racks, and then we have multiple hosts. So how does this map to the diagram that you see here? We have us-east-1, which is our Region; it is our Northern Virginia Region. Within this Region we have multiple Availability Zones. I'm just showing two Availability Zones, so we have us-east-1a and then us-east-1b, and within these we have EC2 instances, which are the actual hosts that run within the Availability Zone. I'll be spending a good chunk of the time talking about Virtual Private Cloud and its features. The Virtual Private Cloud is the green box that you see in this diagram here. Let's zoom out of this diagram and just focus on the VPC, which is what you define on this AWS infrastructure. We'll talk about IP addressing as we go.

The key thing to understand here is that a VPC is a Regional construct. When you create a VPC, you will be asked to select a Region. Once you do, you then create subnets within this VPC. A subnet is very similar to what you would consider a subnet in your data center: you create subnets that are part of your VPC network space, and there can be different types of subnets, public and private subnets. I'll be covering the difference between the subnets and also which applications go into the public subnets versus the private subnets. When you create a subnet, it is within an Availability Zone; subnets do not span across Availability Zones. In the diagram, I have two subnets in one Availability Zone and two subnets in the other Availability Zone. Now that I have my subnets, I can launch instances within the subnets that I have. So I now have a VPC, I have subnets, I have my EC2 instances, but the major limiting factor is that these instances don't have any communication outside of this VPC, and even within the VPC you still need to do certain tuning in order for the instances to communicate with each other. What are those? There are a number of gateways, endpoints and peering connections on the AWS network, and that's what we're going to be covering as we go through the following slides: what they are and how to use them.

But before that, let's take a look at this web application from a 10,000-foot view. I don't just want to talk about gateways and endpoints; I also want to focus on how you can use these in the application that you're building. This is a typical web application that I have. I have the same diagram, I have the application in two Availability Zones, and let's see how networking is going to roll into this web application.

First things first, let's talk about IP addressing. You have your VPC, you have your subnets, and today we support both IPv4 and IPv6 addresses. With IPv4, I can define the CIDR block as you see here, and this could be RFC 1918 space or it could be any IP range; the key thing to know is that these IP ranges are not routable outside of the VPC. The VPC CIDR block can be anywhere from /16 to /28; the smallest you could go is /28. We don't recommend you use the /28, because you're limited by the number of IPs, and also when you use a /28 you are limited to one subnet. Think of the number of applications you're building: we want them to be highly available, so I need at least multiple subnets here. You can also enable IPv6 on your VPC. Once you enable IPv6, it becomes a dual-stack VPC. And how can you use IPv6 addresses? We assign a /56 CIDR to the VPC, and we also assign subnets in your VPC space from the IPv6 range, a /64 subnet range. With this, you now have the full VPC with an IPv4 as well as an IPv6 addressing range.

So now that we have our VPC with our IP addresses, the next step: you still don't have that external communication, so let's talk about the things that are required. As you see on this slide here, these steps will enable your instances to get outbound internet connectivity. Let's talk about them. First, your instance requires a public IP address. This could be a public IP address from the Amazon pool: when you launch an instance, you can select auto-assign public IP address, and this allows us to automatically assign the public IP address. You could also use something called an Elastic IP address. A question that we get is, hey, what's the difference between the auto-assigned public IP address versus the Elastic IP address? The difference is that with auto-assigned public IP addresses, during instance life-cycle events you might lose this IP address, whereas with Elastic IP addresses, once it's allocated it stays, no matter what happens to the instance; as long as you don't disassociate the IP address, it stays there. Beyond Elastic IP addresses, we also have a feature where you can bring your own public IP addresses into your VPC, and we support this for IPv4 today. So if you look at the diagram, I've got my public IP addresses assigned on my EC2 instances.

Once I've assigned my public IP, I now need connectivity. So I need to create a gateway and attach it. This is the first gateway we'll be talking about: I need to create the gateway called the internet gateway. What the internet gateway is, is a managed, horizontally scaled, one-to-one NAT. It maps the private IP address to a public IP address. So I go into my console and attach it; that's what you see in the diagram here. Once that's done, you go into your EC2 instances' route table and add a route that says, if there is any traffic going out to the internet, the next hop should be my internet gateway. For any kind of traffic that we want to send out from the EC2 instance, the basic rule applies: you go into the route table and update it. So that's step 2 and step 3 covered.

Now that we have our internet connectivity figured out, let's talk about the different types of subnets: public and private. The difference between these is pretty straightforward; the name itself gives it away. With a public subnet, you have your public IP address, it has a route to the internet gateway, and it has internet connectivity. With a private subnet, you don't have any of that; the instances that sit inside the private subnet have no direct internet connectivity. So what kind of applications would run in which subnet? My web servers sit inside my public subnet, and my database, for example, or my application servers don't need any external connectivity, so I can put these inside my private subnet. A common question that comes up is, hey, I have these applications that sit in my private subnet, and they need internet connectivity in order to update my repositories; what do I do for this? This is where we have the second type of gateway that I'm going to be talking about: the NAT gateway, for network address translation. Amazon provides a NAT gateway that you deploy in the public subnet and assign an Elastic IP, and all it's doing is network address translation. It takes traffic from your private subnet, uses the NAT gateway to send it out to the internet, and fetches any updates that you want. So as you see, the private subnet's route table points to the NAT gateway, and the NAT gateway sits in a subnet that has the internet gateway attached to it.

Now the connectivity piece is complete. You've got internet connectivity figured out for our application, but there are two important things that we want to talk about: one is the network access control list and the other is the security group. We talked about this internet connectivity and the flow of traffic; these allow you to define the rules for the flow of traffic. And since I've been talking about the flow of traffic, we also want to see how you can actually capture it, using VPC Flow Logs.

This is our application: my web server is in the public subnet, my application server is in the private subnet. Network access control lists operate at the subnet level. What is my default? Network access control lists are stateless, so I have to define inbound rules and I have to define outbound rules. With the default ACL, this is what you will get: you will get the default inbound that allows all traffic, and the default outbound that allows all traffic. But what if you want to fine-tune this network access control list? As you see, I have my application server, and this server doesn't need any traffic coming from outside; it only needs traffic coming in from my web server subnet. So I update my ACL for my private subnet to allow traffic coming in only from the subnet where the web server resides. And on the outbound side, you see the only thing that's different is that my destination is still the same range as my public subnet, and I only define the ports, because I know which ports the incoming traffic is going to; these are the ephemeral ports.

The next security control you have is the security group. The security group is applied to the elastic network interface that is attached to the EC2 instance; you can think of security groups as operating at the instance level. I can have a security group for my inbound traffic that says any traffic on port 443, HTTPS, is allowed on my web server. Similarly, for my application server I can set a rule that says what I want to do is allow any traffic coming in from the web server. So what I'm doing is specifying the source as a security group. This is easier for you, because when you specify the source as a security group, that security group can be applied to all of your web servers, and what it means is that any instance that has that security group is allowed to talk to the application server.

So far, we've talked about the connectivity. The last two things I mentioned were on the logging of all this connectivity. VPC Flow Logs allow you to log this metadata and get the flow records, so you can see the source IP, destination IP, source port, destination port, and depending upon what traffic you're capturing, you can capture accepted traffic, you can capture rejected traffic, for example. And you can specify this either at the VPC level, the subnet level, or specifically at a particular elastic network interface. These are then pushed to CloudWatch or Amazon S3. The last thing is for customers looking for a little more than what they see in the metadata; this is where you will see customers use Traffic Mirroring. With Traffic Mirroring, you tell us what traffic you want to copy. When traffic hits the source that you define, it basically takes copies of the traffic into a destination that you specify. Given that this is copying packets into a destination, you're actually sharing bandwidth. I want to call that out because it's important: as you're building these large-scale traffic mirroring filters, it's important that you know that you're sharing bandwidth.
So now we've completed part one, which is connectivity within the VPC. Now let's move to connectivity between multiple VPCs. Here we have three VPCs, each with their own CIDR block. What if I want these VPCs to communicate with each other? Of course, I can use an internet gateway to communicate between the VPCs, as you see here. But what if I don't want to use the public space? I want to use the RFC 1918 address ranges that I've defined here. So what you could do is use a feature called VPC peering. This is available between VPCs in the same Region or across different Regions. You can also use it to peer between VPCs in your own account or in a different account. You send the request, and the destination VPC has to accept it. Once that's done, going back to basics, I go in and update the route table; in this case the next hop is pcx, which is the peering connection. I can do the same thing for all the VPCs: I go and update the route tables on all the VPCs. Some key things to know: with the VPCs that you have within the same Region, when you do intra-Region VPC peering, you can do this: if you're trying to resolve a public DNS name, Amazon will be able to resolve it to the private IP, because we now have a data path running between these three VPCs. Something to note: transitive routing does not work. It's also important to select CIDR blocks that don't overlap with each other. But when you're crossing Regions, that is not supported.

So the next step is: I have a data center. How do I connect my VPC to my data center? It's pretty straightforward. Most customers start with a site-to-site VPN. This is IPsec-based, and as you might know, IPsec requires two endpoints for the termination. The virtual private gateway is the termination point on the AWS side. When you create this gateway, you can give it a name and you tell us the autonomous system number you want to use. Similarly, we need a gateway on the other side, and this is the customer gateway. When you create a customer gateway, you tell us what kind of VPN connection: dynamic is when you use a routing protocol to advertise your routes; with static, you'll have to manually tell us what routes need to be advertised. You also tell us the BGP autonomous system number, and your end will need a public IP address. If you don't have a fixed IP address, you could definitely use the certificate-based VPN. Once that's done, I go into my console and create the VPN connection. What this does is create two endpoints on the AWS side, one in each Availability Zone, and this is great because, for high availability, even if one fails you still have the endpoint in the other Availability Zone. And it terminates on the customer gateway side that you own. So it's one VPN connection, but it's actually two tunnels. Using BGP, you tell AWS what routes you're advertising behind that; otherwise it has no idea what routes you're advertising. The same rule applies: you go into your instance's route table and add a route saying that any traffic that needs to go to my data center, my next hop is my virtual private gateway. A key thing to know: each tunnel is capped at a bandwidth of 1.25 Gbps, and even though we have two tunnels, AWS sends all the traffic to one tunnel in an active/passive mode. So that's what you see here: we will send traffic through one tunnel. If I don't want to go and update the route table manually, you could use a feature called route propagation. What that does is, whatever routes you learn are automatically propagated to the route table.

The IPsec VPN connection is over the internet, so there's going to be latency, and there's going to be the limited bandwidth that we saw. This is where AWS Direct Connect comes in. It has two pieces. One is the physical piece, which is the physical connection that you see here. This is where you might be in the same colocation facility, or you could use one of our partners. The physical cross-connect is done at this location, and from there, from the customer router to the data center, the last mile is taken care of by the customer. This physical connection can be a 1 Gbps or 10 Gbps port, and we also support link aggregation today. Once the physical connection is figured out, the logical connection kicks in, and this is where we use 802.1Q VLAN tagging and BGP. There are three types of virtual interfaces that we're going to be talking about: the private virtual interface, the public virtual interface, and the transit virtual interface. What is the private virtual interface? The private virtual interface is for any communication from your on-premises into your Virtual Private Cloud. In this case, we've got the physical connection, and on top of it I create a private virtual interface that I connect to a Direct Connect gateway, another gateway in the series of gateways that we've been talking about. So we create a Direct Connect gateway and attach the VPCs to this Direct Connect gateway, and once that's done, you create a private virtual interface to this Direct Connect gateway. What this now allows me to do is talk from my data center, which could be in any location, for example Sydney, Australia, to VPCs in any Region: from Sydney, Australia, to a VPC in Region one, which could be US East (Virginia), and US West (California). So this is what the private virtual interface enables you to do. What about the public virtual interface? The public virtual interface basically enables you to talk to any AWS services that have a public IP address; it advertises all the public IP prefixes back to your on-premises, and you will be able to communicate with services like DynamoDB, S3, etc.

Before talking about the transit virtual interface, I want to take a step back to talk about Transit Gateway. As the number of VPCs you have grows to what you're seeing on the screen here, it becomes complex to manage the peering connections, because you have to have one-to-one connections. This is where the next gateway comes in, which is the Transit Gateway. You can now attach all your VPCs to this Transit Gateway, and then it routes traffic to the other VPCs. So VPC A can talk to VPC C, or VPC B can talk to VPC D, as long as it's attached to this Transit Gateway. So how does this work? Going back to the VPN connection that we had, same thing: I'm attaching it to the Transit Gateway, and then I have a VPN connection from the Transit Gateway to my on-premises. So now I can update my route table to say, hey, any traffic, send it to the Transit Gateway. The Transit Gateway has its own route table, and for simplicity I'm using the default here and sending everything back to my data center. So this is going to be helpful with Direct Connect as well, when you have the transit virtual interface.
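The addressing rules the talk lays out, turned into a small planning helper: an IPv4 VPC CIDR between /16 and /28 (with a /28 leaving room for a single subnet), subnets scoped to one Availability Zone so each tier needs one per AZ, /64 IPv6 subnets carved from the VPC's /56, and the non-overlapping CIDR requirement that peering and Transit Gateway routing depend on. This is an added example written for this page, not code from the talk or from AWS; the AZ names and CIDRs are constructed, and it uses only the Python standard library. The five reserved addresses per subnet are AWS's documented behaviour, not something the talk covers.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED_PER_SUBNET = 5   # AWS keeps the first four addresses and the last one of every subnet

def validate_vpc_cidr(cidr: str) -> Dict[str, object]:
    """Check a candidate IPv4 VPC CIDR against the limits from the talk.

    /16 to /28 is accepted; a /28 is allowed but flagged, because it leaves room for
    exactly one subnet and so cannot be spread over two Availability Zones. Non-RFC 1918
    space is flagged too: it works, but the VPC then shadows those public addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("expected an IPv4 CIDR")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    warnings: List[str] = []
    if net.prefixlen == 28:
        warnings.append("/28 allows only one subnet, so it cannot span two Availability Zones")
    if not any(net.subnet_of(p) for p in RFC1918):
        warnings.append("not RFC 1918: instances will be unable to reach the real owners of these addresses")
    return {"network": net, "warnings": warnings}

def plan_subnets(vpc_cidr: str, azs: List[str],
                 tiers: Tuple[str, ...] = ("public", "private")) -> List[Dict[str, object]]:
    """Carve one equal-sized subnet per (AZ, tier) pair out of the VPC CIDR.

    Subnets are scoped to one Availability Zone, so a highly available tier needs a
    subnet in every AZ; the sizes are the largest power-of-two split that fits."""
    net = validate_vpc_cidr(vpc_cidr)["network"]
    needed = len(azs) * len(tiers)
    new_prefix = net.prefixlen + (needed - 1).bit_length()   # smallest 2^k >= needed pieces
    if new_prefix > 28:
        raise ValueError(f"{vpc_cidr} cannot hold {needed} subnets of at least /28")
    pieces = net.subnets(new_prefix=new_prefix)
    plan = []
    for az in azs:
        for tier in tiers:
            sub = next(pieces)
            plan.append({"az": az, "tier": tier, "cidr": str(sub),
                         "usable": sub.num_addresses - RESERVED_PER_SUBNET})
    return plan

def plan_ipv6_subnets(vpc_ipv6_cidr: str, count: int) -> List[str]:
    """IPv6 subnets are fixed /64s carved from the VPC's block (a /56 in the talk)."""
    net = ipaddress.ip_network(vpc_ipv6_cidr)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("expected an IPv6 VPC CIDR no longer than /64")
    return [str(s) for s, _ in zip(net.subnets(new_prefix=64), range(count))]

def peering_conflicts(vpc_cidrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of VPCs whose CIDRs overlap. Peering (and Transit Gateway routing) needs
    disjoint ranges: a route for an overlapping prefix would collide with the VPC's own
    'local' route, so traffic for the peer could never leave the VPC."""
    nets = {name: ipaddress.ip_network(c) for name, c in vpc_cidrs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    for row in plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"]):   # constructed input
        print(row)
    print(peering_conflicts({"app": "10.0.0.0/16", "shared": "10.0.128.0/17", "dev": "10.1.0.0/16"}))
```

For a /16 with two AZs and two tiers the planner hands out four /18s, one public and one private per AZ; run peering_conflicts before you send a peering request, because the overlap is only discovered later when the route for the peer silently loses to the local route.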
So this is how it looks. I have all my VPCs, I connect them to my Transit Gateway, and now I connect the Transit Gateway to the Direct Connect gateway with the transit virtual interface. That allows me to communicate between the VPCs that are connected to the Transit Gateway and my data center. So we've picked up a couple of things: we've completed connectivity with VPC A, B, C, D, E, F, etc.

Next, VPC endpoints. We have two types. The first one is the gateway VPC endpoint. Let's take Amazon S3. You could use the internet gateway, as you see in the diagram: communicate through the internet gateway, go out and reach Amazon S3. But you could also use a VPC endpoint to communicate privately to Amazon S3. What I'm doing is creating a gateway VPC endpoint within this VPC, and of course I need to update my route tables to say that the next hop for Amazon S3, in this case represented by a prefix list, will be my VPC endpoint. Each service has its own public IP prefixes, which are represented in this prefix list ID. So I can communicate to Amazon S3, or if I created one for DynamoDB, I can communicate to DynamoDB. For multiple other AWS services, we launched AWS PrivateLink, which is based on our Hyperplane technology; this is the same technology that is used for NAT gateway, Network Load Balancer, etc., and it allows private communication between you and the services in that Region. So for example, in this case, I have an SQS request that I need to make. It goes to the VPC endpoint, it reaches the VPC endpoint, and it communicates to the SQS service. PrivateLink can also be used for your own services. What this means is that it can be used in a relationship where you privately talk between VPCs. Say I have a SaaS vendor who is running a specific service that you want to consume privately. The SaaS vendor is using a Network Load Balancer with IP target groups, and they're running the service behind the Network Load Balancer. You can create a PrivateLink endpoint in your account and privately communicate with the service in the other VPC. What this also means is that you can extend the connection I mentioned to your on-premises: you can extend services from your VPC to communicate back to your data center through Direct Connect or VPN, using PrivateLink.

Let's bring everything together. We talked about a number of gateways today; we talked about different connection mechanisms with endpoints and peering connections. So how does this map to the application that we were building? It's going to be in this VPC across two Availability Zones, so we've got the subnets figured out for the web servers and the application servers. We talked about how this application can connect to other VPCs using VPC peering, and to your on-premises using a site-to-site VPN connection. We talked about communicating to services such as Amazon S3 or DynamoDB using a VPC endpoint, and then we talked about the interface type endpoint, which is powered by PrivateLink, to communicate to the other AWS services that support interface VPC endpoints. Today we also talked about using Transit Gateway, which enables you to connect multiple VPCs together and can also be used to talk back to your on-premises using a VPN.

I also want to quickly point out some of the features that we've launched in 2019 before we wrap up the session. [inaudible] support for interface VPC endpoints: if you have applications that require communicating to [inaudible], you can use the interface VPC endpoint. Inter-Region Transit Gateway peering allows you to peer your Transit Gateways across Regions, and we launched support for multicast routing and additional Regions where Transit Gateway is supported. And there are additional fields in the flow records that you can use to analyze your data. I want to thank you for taking the time to attend the session today. The slides and videos will be available on the AWS event space. Thank you, everyone.