[00:00:07] Welcome back to Backspace Academy. In this lecture on Virtual Private Cloud, or VPC, we're going to build on what we already know about VPC. So we've launched an EC2 instance inside of a VPC; we've done that before. So now we'll look at the different options that are available for us for connecting into that VPC. We'll then look at how, if we're running a web server on EC2, we can make sure that it is actually accessible over the wider Internet, and finally we'll finish up by talking about the security features of Virtual Private Cloud.

[00:00:39] Here we have a diagram of the AWS cloud, and as we know the AWS cloud is divided up into multiple regions across the globe. We also know that each one of these regions is divided up into availability zones, and those availability zones are physically isolated from each other. What that enables us to do is distribute our architecture across multiple availability zones, and by doing that we are going to achieve high availability, because if one availability zone goes down the other availability zone will continue to operate, and our infrastructure located in that availability zone will continue to operate as well. We also know that the number of availability zones in regions varies: US East has a lot of them, whereas Mumbai has only a few.

[00:01:38] We should also know that we can create a virtual private cloud within a region, and that virtual private cloud is our own private space within the AWS cloud. Now, when we previously launched an EC2 server, or web server, and we had the WordPress application on that, that was launched within the default VPC. We didn't create that VPC; every time an account is created, a default VPC in each region is also created for us, so we don't have to worry about that. But we can also create additional virtual private clouds, so we can have additional private spaces within the AWS cloud if we ever desire, and it is also something that you should be doing, because it does provide some very good advantages from a security perspective.

[00:02:35] We should also know by now that a VPC contains a subnet, and we need to have at least one subnet to launch an EC2 instance, but we can have multiple subnets and we can have those in multiple availability zones. By doing that we can launch EC2 instances into multiple subnets across multiple availability zones, and that means that if one of those subnets goes down, or one of those availability zones goes down, the other availability zone and its subnet that contains those EC2 instances will continue to operate. Again, when we did our WordPress application we launched that into a subnet, and that subnet was a default public subnet that had been created for us by AWS previously, but again we can create additional subnets, or additional VPCs and subnets, if we so desire.

[00:03:33] If we are launching a web server, for example if we're launching a WordPress application and we want that to be accessible to the wider public on the Internet, we need to have an internet gateway at our VPC that allows that to happen. That is a scalable, redundant and highly available VPC component, so you don't need to worry about having multiple internet gateways; you just need to create an internet gateway and you need to create a route from that through to a subnet, and we'll talk more about that in the next slide.

[00:04:14] If you're looking for a secure connection to your enterprise, you can set up a virtual private network, and that will consist of a virtual private gateway on the AWS side and a customer gateway on the customer side, and that will create a VPN connection. It's a dual-tunnel connection, so it has redundancy built in there. The VPG is the VPN concentrator on the Amazon side of the VPN connection, and the customer gateway is a physical device or software application on the customer side of that connection. Those are not the only two options that we have for connecting to a VPC; we also have AWS Direct Connect, and that is a physical fiber-optic high-speed connection from an enterprise to AWS, and it's normally used by large organizations that require very large throughput through to AWS.

[00:05:17] So there are a number of key requirements that we need for internet connectivity. Again, for example, we've got our WordPress application that we're running on an EC2 instance, and we want to make sure that people on the Internet, the wider Internet, not a private Internet, can access that EC2 web server. The first thing that we need to make sure of is that that EC2 instance has a public IP address; if it doesn't have a public IP address it will not be found on the wider Internet. So, to be found, the VPC must also have an internet gateway, otherwise there is no way for the wider Internet to connect to that VPC. And finally we need a route that is defined in a route table, and that will define the route from the subnet that our EC2 instance is inside to that internet gateway. We're not going to talk a lot about route tables, but you just need to understand that for that traffic to route through your VPC it needs to be defined, otherwise it will just not happen.

[00:06:37] So we have a number of features available within VPC to create high security. We have security groups, and they are firewalls that operate at the instance level, so we define a security group for an individual instance, and that is stateful. What we mean by stateful and stateless: stateful is when traffic comes in to an instance with a security group and the return traffic from that request is allowed; if it's not, then that's called stateless. Stateful allows returned traffic from a request that was allowed in through your infrastructure. We also have network access control lists, and they can act as a second layer of defence. If you don't touch them then they will allow traffic in, but you can also set them up as a second layer of defence, and they operate at the subnet level, so the network access control lists will operate across all instances that are located within a subnet. Those are stateless, so just because a request is allowed in doesn't mean that the return from that request is allowed back out again; they are stateless, so you need to have both input and output controls set up. And finally we've got flow logs, and they will capture information on requests going in and out of your VPC, and that will be forwarded through to CloudWatch Logs, which you can use for alerting and you can use for analysis as well.

[00:08:23] So let's have a look at that. We've got our instances here in subnet number one and they are referencing, or associated to, a security group, but if we look at subnet number two we can see that we have multiple security groups. Those security groups operate on the instance, so if you've got multiple instances you can have multiple security groups, and what that group will do is allow requests to come in or deny requests to come in, but if the request is allowed in then the return will also be allowed out, and that's what we mean by it being stateful, and it operates at the instance level. Then we've got network access control lists; if they're left alone they'll just allow traffic coming in and out, but you can set up deny and allow rules that will control that even further, and it provides a second layer of defence for you. But with network access control lists, just because something is allowed in through an allow rule doesn't necessarily mean that it is allowed back out again; it is stateless, so if something is allowed in we need to have another rule that allows it to come back out again.

[00:09:43] So all of this traffic needs to find its way from the internet gateway through to the subnet, and that is where the router comes in. We need to tell the router, by putting an entry in our route table, that defines the route from our internet gateway through to our subnet, and that's what we talk about when we say a route table entry, and without that we cannot have Internet connectivity.

[00:10:16] So that brings us to the end of this lecture on VPC. It's a very high-level one; you don't need to go into a lot of detail being either a cloud practitioner or a developer, you just need to know the high-level stuff around a VPC and what you need for connecting to a VPC. I look forward to seeing you in the next lecture.
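The following is an added worked example, not part of the lecture or of any AWS code. It is an offline toy model of the two points the lecture makes: the three requirements for an EC2 instance to be reachable from the Internet (public IP, internet gateway, route table entry), and the difference between a stateful security group and a stateless network ACL when the reply to an allowed request has to leave again. Every identifier, CIDR and address in it (`igw-EXAMPLE`, `10.0.0.0/16`, the client at `203.0.113.10`) is a constructed placeholder; the rule-matching logic is a simplification written for this example and is not how AWS evaluates rules internally.

```python
"""Toy model of VPC internet reachability and SG (stateful) vs NACL (stateless) checks.
Constructed for illustration; all ids and addresses are made up, nothing talks to AWS."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str     # "allow" or "deny" (security groups only ever hold allow rules)
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str       # remote address range the rule applies to

    def matches(self, protocol: str, port: int, remote_ip: str) -> bool:
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ip_address(remote_ip) in ip_network(self.cidr))


@dataclass
class SecurityGroup:            # instance level, stateful
    inbound: List[Rule]
    outbound: List[Rule]


@dataclass
class NetworkAcl:               # subnet level, stateless; numbered rules, lowest number first
    inbound: List[Tuple[int, Rule]]
    outbound: List[Tuple[int, Rule]]


@dataclass
class Subnet:
    cidr: str
    route_table: Dict[str, str]  # destination CIDR -> target, e.g. "0.0.0.0/0" -> igw id
    nacl: NetworkAcl


@dataclass
class Instance:
    private_ip: str
    public_ip: Optional[str]
    subnet: Subnet
    security_group: SecurityGroup


def internet_reachability_gaps(igw_id: Optional[str], inst: Instance) -> List[str]:
    """The lecture's three requirements; an empty list means all of them are met."""
    gaps = []
    if inst.public_ip is None:
        gaps.append("no public IP address on the instance")
    if igw_id is None:
        gaps.append("no internet gateway attached to the VPC")
    elif inst.subnet.route_table.get("0.0.0.0/0") != igw_id:
        gaps.append("subnet route table has no 0.0.0.0/0 route to the internet gateway")
    return gaps


def nacl_decision(rules: List[Tuple[int, Rule]], protocol: str, port: int, remote_ip: str) -> str:
    """First matching rule by number wins; with no match the implicit final rule denies."""
    for _, rule in sorted(rules, key=lambda numbered: numbered[0]):
        if rule.matches(protocol, port, remote_ip):
            return rule.action
    return "deny"


def sg_allows_request(sg: SecurityGroup, protocol: str, port: int, client_ip: str) -> bool:
    """Any matching inbound allow rule admits the request; nothing else does."""
    return any(r.matches(protocol, port, client_ip) for r in sg.inbound)


def sg_allows_reply(request_allowed: bool) -> bool:
    """Stateful: the reply rides on the tracked request; outbound rules are not consulted."""
    return request_allowed


def nacl_allows_reply(nacl: NetworkAcl, protocol: str, client_port: int, client_ip: str) -> bool:
    """Stateless: the reply is judged as fresh outbound traffic to the client's ephemeral port."""
    return nacl_decision(nacl.outbound, protocol, client_port, client_ip) == "allow"


def demo() -> Dict[str, object]:
    igw = "igw-EXAMPLE"                                           # constructed id
    web_sg = SecurityGroup(inbound=[Rule("allow", "tcp", 80, 80, "0.0.0.0/0")], outbound=[])
    # A NACL whose author forgot that replies leave on ephemeral ports, and a corrected one.
    nacl_forgot_ephemeral = NetworkAcl(
        inbound=[(100, Rule("allow", "tcp", 80, 80, "0.0.0.0/0"))],
        outbound=[(100, Rule("allow", "tcp", 80, 80, "0.0.0.0/0"))])
    nacl_fixed = NetworkAcl(
        inbound=[(100, Rule("allow", "tcp", 80, 80, "0.0.0.0/0"))],
        outbound=[(100, Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0"))])
    public_subnet = Subnet("10.0.1.0/24", {"10.0.0.0/16": "local", "0.0.0.0/0": igw}, nacl_fixed)
    private_subnet = Subnet("10.0.2.0/24", {"10.0.0.0/16": "local"}, nacl_fixed)
    web = Instance("10.0.1.10", "198.51.100.7", public_subnet, web_sg)   # constructed
    db = Instance("10.0.2.20", None, private_subnet, web_sg)             # constructed
    client_ip, client_port = "203.0.113.10", 49152                       # constructed client
    request_ok = sg_allows_request(web_sg, "tcp", 80, client_ip)
    return {
        "web_gaps": internet_reachability_gaps(igw, web),
        "db_gaps": internet_reachability_gaps(igw, db),
        "sg_request": request_ok,
        "sg_reply": sg_allows_reply(request_ok),
        "nacl_request": nacl_decision(nacl_fixed.inbound, "tcp", 80, client_ip) == "allow",
        "nacl_reply_forgot_ephemeral": nacl_allows_reply(nacl_forgot_ephemeral, "tcp", client_port, client_ip),
        "nacl_reply_fixed": nacl_allows_reply(nacl_fixed, "tcp", client_port, client_ip),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the web instance with an empty gap list while the private instance reports two gaps (no public IP, no default route), and that the same HTTP request passes the security group in both directions but is only answered through the NACL whose outbound rules cover the client's ephemeral port range. That last result is the practical consequence of "stateless" from the lecture: a NACL allow rule for port 80 inbound needs a matching outbound rule, or every reply is silently dropped.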