1
00:00:00,000 --> 00:00:00,930
And now let's talk about

2
00:00:00,930 --> 00:00:02,870
egress-only internet gateways.

3
00:00:02,870 --> 00:00:05,610
So they're used only for IPv6 traffic,

4
00:00:05,610 --> 00:00:07,130
and they're similar to a NAT gateway,

5
00:00:07,130 --> 00:00:08,550
but for IPv6.

6
00:00:08,550 --> 00:00:09,780
So NAT gateway is IPv4,

7
00:00:09,780 --> 00:00:12,500
but egress-only internet gateway is for IPv6.

8
00:00:12,500 --> 00:00:13,333
So what do they do?

9
00:00:13,333 --> 00:00:16,780
Well, they allow instances in your VPC outbound connections

10
00:00:16,780 --> 00:00:18,880
over IPv6 while preventing the internet

11
00:00:18,880 --> 00:00:21,580
from initiating an IPv6 connection to your instances.

12
00:00:21,580 --> 00:00:23,870
And to do so, you must update your route tables.

13
00:00:23,870 --> 00:00:24,885
So let's have an example.

14
00:00:24,885 --> 00:00:25,718
We have the internet,

15
00:00:25,718 --> 00:00:28,750
our VPC with a public subnet or private subnet.

16
00:00:28,750 --> 00:00:29,583
And so this EC2 instance can access

17
00:00:29,583 --> 00:00:33,530
the internet through the internet gateway

18
00:00:33,530 --> 00:00:36,062
and can also have the internet initiate a connection

19
00:00:36,062 --> 00:00:38,160
to the instance using IPv6,

20
00:00:38,160 --> 00:00:39,980
because it's connected to the internet gateway

21
00:00:39,980 --> 00:00:41,157
and it's in the public subnet.

22
00:00:41,157 --> 00:00:42,560
Now we don't want that.

23
00:00:42,560 --> 00:00:45,030
What we want is just outbound connections.

24
00:00:45,030 --> 00:00:47,750
So let's consider an EC2 instance in a private subnet,

25
00:00:47,750 --> 00:00:48,950
so it doesn't have an internet gateway,

26
00:00:48,950 --> 00:00:51,320
that makes the subnet private.

27
00:00:51,320 --> 00:00:54,280
And we're going to create an egress-only internet gateway.

28
00:00:54,280 --> 00:00:55,890
So what's going to happen is that now

29
00:00:55,890 --> 00:00:58,090
the EC2 instance in the private subnet

30
00:00:58,090 --> 00:01:01,090
will be able to access the internet over IPv6

31
00:01:01,090 --> 00:01:03,070
through the egress-only internet gateway,

32
00:01:03,070 --> 00:01:05,790
but the internet will not be able to initiate

33
00:01:05,790 --> 00:01:10,111
a connection from the internet to the EC2 instance.

34
00:01:10,111 --> 00:01:12,220
So to summarize, here is a diagram

35
00:01:12,220 --> 00:01:13,550
of how IPv6 routing works.

36
00:01:13,550 --> 00:01:16,630
So let's consider a VPC with IPv6.

37
00:01:16,630 --> 00:01:18,520
We have a public subnet, we have a private subnet,

38
00:01:18,520 --> 00:01:21,770
so they both have IPv4 and IPv6 obviously in them.

39
00:01:21,770 --> 00:01:23,540
And so again, if we consider a web server

40
00:01:23,540 --> 00:01:24,760
accessing the internet,

41
00:01:24,760 --> 00:01:28,800
it can do it over IPv4 and IPv6 through an internet gateway.

42
00:01:28,800 --> 00:01:31,150
And so the route table for your public subnet

43
00:01:31,150 --> 00:01:33,940
is going to have the first line to be local

44
00:01:33,940 --> 00:01:38,220
for the local IPv4 and the local IPv6 traffic.

45
00:01:38,220 --> 00:01:40,020
Okay, these are within the CIDRs of your subnets

46
00:01:40,020 --> 00:01:41,260
or your VPC,

47
00:01:41,260 --> 00:01:42,880
and then anything else,

48
00:01:42,880 --> 00:01:47,010
so 0.0.0.0/0, this is the everything IPv4,

49
00:01:47,010 --> 00:01:50,270
and the ::/0 is the everything IPv6,

50
00:01:50,270 --> 00:01:51,790
go through the internet gateway,

51
00:01:51,790 --> 00:01:54,270
which allows your web server to access the internet.

52
00:01:54,270 --> 00:01:55,720
So this should make sense.

53
00:01:55,720 --> 00:01:59,390
And this is how we enable IPv6 and IPv4 both ways

54
00:01:59,390 --> 00:02:00,730
in a public subnet.

55
00:02:00,730 --> 00:02:02,900
But if you consider a private subnet,

56
00:02:02,900 --> 00:02:06,540
your server again has a private IPv4 and also an IPv6.

57
00:02:06,540 --> 00:02:08,289
And so how do we make sure that this server

58
00:02:08,289 --> 00:02:10,840
can access the internet, but not be accessed?

59
00:02:10,840 --> 00:02:13,200
Well, you know already that for IPv4

60
00:02:13,200 --> 00:02:15,800
we need to use a NAT gateway.

61
00:02:15,800 --> 00:02:19,230
So the server connects to the NAT gateway, okay,

62
00:02:19,230 --> 00:02:21,750
and the NAT gateway then connects to the internet gateway

63
00:02:21,750 --> 00:02:24,220
and then accesses the internet over IPv4.

64
00:02:24,220 --> 00:02:26,190
And for IPv6, we know we need to use

65
00:02:26,190 --> 00:02:28,740
an egress-only internet gateway.

66
00:02:28,740 --> 00:02:30,280
So IPv6, the server connects

67
00:02:30,280 --> 00:02:32,170
to the egress-only internet gateway

68
00:02:32,170 --> 00:02:34,230
to the internet over IPv6.

69
00:02:34,230 --> 00:02:36,170
Now your route table looks a little bit different.

70
00:02:36,170 --> 00:02:38,130
Again, the first two lines are the same,

71
00:02:38,130 --> 00:02:42,820
but then your NAT gateway ID is a target for 0.0.0.0/0.

72
00:02:42,820 --> 00:02:45,930
So this is all IPs, IPv4.

73
00:02:45,930 --> 00:02:49,770
And then the fourth line is ::/0,

74
00:02:49,770 --> 00:02:50,840
which represents a target

75
00:02:50,840 --> 00:02:52,880
to the egress-only internet gateway,

76
00:02:52,880 --> 00:02:56,310
because this is a target for the IPv6 type of traffic, okay?

77
00:02:56,310 --> 00:02:57,510
So this should make sense.

78
00:02:57,510 --> 00:02:59,100
And then if you have this in mind,

79
00:02:59,100 --> 00:03:00,420
then you understand exactly the difference

80
00:03:00,420 --> 00:03:03,050
between an internet gateway, a NAT gateway,

81
00:03:03,050 --> 00:03:05,150
and an egress-only internet gateway.

82
00:03:05,150 --> 00:03:05,983
So that's it.

83
00:03:05,983 --> 00:03:06,816
I hope you liked it.

84
00:03:06,816 --> 00:03:08,260
And I will see you in the next lecture.