1
00:00:00,200 --> 00:00:01,610
Okay, so now let's talk about

2
00:00:01,610 --> 00:00:04,840
how we can establish connectivity between VPC

3
00:00:04,840 --> 00:00:06,530
and other structures.

4
00:00:06,530 --> 00:00:09,070
So, the first thing is called VPC peering.

5
00:00:09,070 --> 00:00:11,500
So say you have two virtual private clouds,

6
00:00:11,500 --> 00:00:13,580
they're either in two different accounts

7
00:00:13,580 --> 00:00:15,120
or in two different regions,

8
00:00:15,120 --> 00:00:18,050
and you wanna connect them together as if they're

9
00:00:18,050 --> 00:00:19,630
part of the same network.

10
00:00:19,630 --> 00:00:22,250
So we want to connect two VPCs privately

11
00:00:22,250 --> 00:00:25,670
using the network from AWS.

12
00:00:25,670 --> 00:00:27,160
And it's going to make them behave

13
00:00:27,160 --> 00:00:28,570
as if they were in the same network.

14
00:00:28,570 --> 00:00:31,070
So we have VPC A and VPC B,

15
00:00:31,070 --> 00:00:33,830
and if you want to have them talk to one another,

16
00:00:33,830 --> 00:00:38,010
we need to establish a VPC peering connection from A to B,

17
00:00:38,010 --> 00:00:39,350
very simple.

18
00:00:39,350 --> 00:00:42,400
To make sure that these VPCs can be connected,

19
00:00:42,400 --> 00:00:44,660
you need to make sure that the IP ranges

20
00:00:44,660 --> 00:00:47,900
that are defined for each VPC are not overlapping.

21
00:00:47,900 --> 00:00:52,120
Because to be able to address network to another VPC,

22
00:00:52,120 --> 00:00:54,180
you need to talk to an IP address,

23
00:00:54,180 --> 00:00:57,900
and so obviously, if the network ranges overlap,

24
00:00:57,900 --> 00:00:59,960
then the network doesn't know where to go.

25
00:00:59,960 --> 00:01:01,360
So to connect two VPCs,

26
00:01:01,360 --> 00:01:03,810
you need to make sure that the IP address ranges

27
00:01:03,810 --> 00:01:07,350
they operate on are different and not overlapping.
28
00:01:07,350 --> 00:01:10,810
And the VPC peering connection is not transitive,

29
00:01:10,810 --> 00:01:13,210
so it must be established for each VPC

30
00:01:13,210 --> 00:01:15,200
that needs to communicate with one another.

31
00:01:15,200 --> 00:01:18,150
What I mean is that, if we connect VPC C

32
00:01:18,150 --> 00:01:21,700
through a VPC peering connection between A and C,

33
00:01:21,700 --> 00:01:25,030
B and C cannot talk to each other,

34
00:01:25,030 --> 00:01:28,690
there is no transitivity in the VPC peering.

35
00:01:28,690 --> 00:01:31,510
That means that if I want to establish connectivity between

36
00:01:31,510 --> 00:01:35,840
VPC B and VPC C, then I need to create

37
00:01:35,840 --> 00:01:39,300
its own VPC peering connection between B and C.

38
00:01:39,300 --> 00:01:40,800
That's what it means for VPC peering,

39
00:01:40,800 --> 00:01:42,760
so, as you add more and more VPCs,

40
00:01:42,760 --> 00:01:45,710
you need to add more and more peering connections.

41
00:01:45,710 --> 00:01:47,230
Okay, that's number one.

42
00:01:47,230 --> 00:01:49,070
Number two, VPC Endpoints,

43
00:01:49,070 --> 00:01:52,400
which is going to be very important going into this exam.

44
00:01:52,400 --> 00:01:56,510
So, Endpoints allow you to connect to AWS services

45
00:01:56,510 --> 00:01:57,820
using a private network

46
00:01:57,820 --> 00:02:00,720
instead of using the public Internet network.
47
00:02:00,720 --> 00:02:02,437
So something you maybe didn't know is that

48
00:02:02,437 --> 00:02:06,330
all the AWS services are public, okay,

49
00:02:06,330 --> 00:02:09,860
and so anytime your EC2 instances, for example,

50
00:02:09,860 --> 00:02:14,860
use the AWS services, they talk publicly to AWS,

51
00:02:15,460 --> 00:02:18,290
but sometimes your EC2 instances

52
00:02:18,290 --> 00:02:20,909
are not connected to the public subnets,

53
00:02:20,909 --> 00:02:24,810
and therefore you want to have them access privately

54
00:02:24,810 --> 00:02:27,860
your AWS services, so this is the VPC Endpoints.

55
00:02:27,860 --> 00:02:30,310
So this gives you enhanced security

56
00:02:30,310 --> 00:02:33,580
and lower latency to access AWS services.

57
00:02:33,580 --> 00:02:34,930
So let's take an example,

58
00:02:34,930 --> 00:02:38,130
we have a private subnet and an EC2 instance in it,

59
00:02:38,130 --> 00:02:41,530
and it wants to access Amazon S3 and DynamoDB,

60
00:02:41,530 --> 00:02:45,850
which are outside of the VPC, in the public realm.

61
00:02:45,850 --> 00:02:48,740
Then we can create a VPC Endpoint gateway,

62
00:02:48,740 --> 00:02:51,720
and this is only for S3 and DynamoDB.

63
00:02:51,720 --> 00:02:54,760
So, Endpoint gateway, and we'll see what S3 and DynamoDB

64
00:02:54,760 --> 00:02:57,410
are in this course obviously, that's up.

65
00:02:57,410 --> 00:03:00,820
Your EC2 instance talks to that VPC Endpoint

66
00:03:00,820 --> 00:03:04,450
and has access to S3 and DynamoDB privately,

67
00:03:04,450 --> 00:03:06,260
as you can see the traffic does not go through

68
00:03:06,260 --> 00:03:07,380
the Internet.
69
00:03:07,380 --> 00:03:10,120
And then, for the VPC Endpoint interface,

70
00:03:10,120 --> 00:03:11,480
that's for the rest of the services,

71
00:03:11,480 --> 00:03:13,610
and it's only used within your VPC,

72
00:03:13,610 --> 00:03:16,200
so that means that we can create, for example,

73
00:03:16,200 --> 00:03:19,290
a VPC Endpoint interface in your private subnet

74
00:03:19,290 --> 00:03:22,210
and through that Endpoint interface with an ENI

75
00:03:22,210 --> 00:03:25,260
we have private access to CloudWatch.

76
00:03:25,260 --> 00:03:28,270
So VPC Endpoints are really, really helpful

77
00:03:28,270 --> 00:03:32,840
anytime you need private access from within your VPC

78
00:03:32,840 --> 00:03:36,670
to an AWS service. Okay, that's what you need to remember.

79
00:03:36,670 --> 00:03:38,250
The other exams need to know

80
00:03:38,250 --> 00:03:39,750
the difference between gateway and interface,

81
00:03:39,750 --> 00:03:40,810
I don't believe you need to know it

82
00:03:40,810 --> 00:03:42,410
for the certified developer exam,

83
00:03:42,410 --> 00:03:46,000
but know that anytime the exam is asking you

84
00:03:46,000 --> 00:03:49,440
to privately connect to an AWS service,

85
00:03:49,440 --> 00:03:52,110
then VPC Endpoint is going to be the way.

86
00:03:52,110 --> 00:03:55,260
Okay, so now, how do we establish connectivity

87
00:03:55,260 --> 00:03:57,950
between your On-premises Data Center,

88
00:03:57,950 --> 00:04:00,320
so that could be your office building, for example,

89
00:04:00,320 --> 00:04:02,560
and your cloud VPC.

90
00:04:02,560 --> 00:04:06,210
So the first way is called Site-to-Site VPN,

91
00:04:06,210 --> 00:04:11,210
to connect an on-premises VPN appliance to AWS,

92
00:04:11,240 --> 00:04:13,250
the connection will be automatically encrypted,

93
00:04:13,250 --> 00:04:15,830
and will go over the public Internet.
94
00:04:15,830 --> 00:04:17,120
So in this example,

95
00:04:17,120 --> 00:04:20,240
we establish a VPN, Virtual Private Network,

96
00:04:20,240 --> 00:04:21,990
between your On-premises Data Center

97
00:04:21,990 --> 00:04:25,130
and your VPC, and that goes over the public Internet.

98
00:04:25,130 --> 00:04:27,210
That's very easy to set up, very quick,

99
00:04:27,210 --> 00:04:29,060
you can set it up in a matter of minutes

100
00:04:29,060 --> 00:04:30,950
and there you go, you have a private connection,

101
00:04:30,950 --> 00:04:32,470
or an encrypted connection, sorry,

102
00:04:32,470 --> 00:04:35,320
over the public Internet to your VPC.

103
00:04:35,320 --> 00:04:37,650
The other option is Direct Connect.

104
00:04:37,650 --> 00:04:38,650
It achieves the same purpose,

105
00:04:38,650 --> 00:04:40,100
it's to establish a connection between

106
00:04:40,100 --> 00:04:42,660
your On-premises Data Center and your VPC,

107
00:04:42,660 --> 00:04:46,010
but this time, it is a physical connection.

108
00:04:46,010 --> 00:04:48,220
So that means that the connection is going to be private,

109
00:04:48,220 --> 00:04:50,090
it will not go over the public Internet,

110
00:04:50,090 --> 00:04:52,440
it is going to be secure and fast.

111
00:04:52,440 --> 00:04:54,010
And it goes over the private network,

112
00:04:54,010 --> 00:04:58,140
and because it is a private line to your VPC,

113
00:04:58,140 --> 00:05:00,330
it takes at least a month to establish,

114
00:05:00,330 --> 00:05:02,550
because there is some work that needs to happen

115
00:05:02,550 --> 00:05:05,700
to have private connectivity to AWS.

116
00:05:05,700 --> 00:05:07,810
So, this is called Direct Connect

117
00:05:07,810 --> 00:05:09,590
and this is the private route.
118
00:05:09,590 --> 00:05:12,860
So we can see, both the VPN and Direct Connect

119
00:05:12,860 --> 00:05:15,760
achieve the same purpose, but in different manners

120
00:05:15,760 --> 00:05:17,510
and with a different timeline.

121
00:05:17,510 --> 00:05:20,650
Note that if you use Site-to-Site VPN

122
00:05:20,650 --> 00:05:23,710
or Direct Connect, both these things cannot access

123
00:05:23,710 --> 00:05:26,737
the VPC Endpoints that we've discussed before, okay,

124
00:05:26,737 --> 00:05:31,310
VPC Endpoints are just to access AWS services privately

125
00:05:31,310 --> 00:05:33,760
within your VPC, not by connecting your

126
00:05:33,760 --> 00:05:35,210
On-premises Data Center,

127
00:05:35,210 --> 00:05:36,790
which is something you should be aware of

128
00:05:36,790 --> 00:05:38,310
going into the exam.

129
00:05:38,310 --> 00:05:41,490
Okay, so that's it for connectivity of your VPC

130
00:05:41,490 --> 00:05:43,600
in terms of external VPC peering,

131
00:05:43,600 --> 00:05:46,610
VPC Endpoints such as VPN and Direct Connect,

132
00:05:46,610 --> 00:05:47,970
I hope that was helpful

133
00:05:47,970 --> 00:05:49,920
and I will see you in the next lecture.