1
00:00:06,980 --> 00:00:12,960
Welcome back to Backspace Academy. In this hands-on session on VPC

2
00:00:12,960 --> 00:00:17,369
networking I'm going to be keeping it pretty simple and high-level, the reason

3
00:00:17,369 --> 00:00:21,689
being this is the cloud practitioner part of the pathway, so it's a foundation level.

4
00:00:21,689 --> 00:00:27,359
We don't need to get too involved in the nuts and bolts of VPC, but I want

5
00:00:27,359 --> 00:00:31,800
you to understand the basics around VPC subnetting, route tables,

6
00:00:31,800 --> 00:00:36,030
network access control lists, all this sort of stuff, so that you understand the

7
00:00:36,030 --> 00:00:39,120
basics around it and if you have problems you can

8
00:00:39,120 --> 00:00:45,450
troubleshoot that yourself. So we get to here obviously by Services and then VPC,

9
00:00:45,450 --> 00:00:49,890
and that will take us to the VPC dashboard, which will list all of our VPC

10
00:00:49,890 --> 00:00:56,670
components. We can see here now we've already got a VPC, and the reason we've

11
00:00:56,670 --> 00:01:03,899
got a VPC is that AWS, for all new accounts, will create a default VPC in

12
00:01:03,899 --> 00:01:09,090
every single region. So if we click here on "See all regions" we can see that we have a

13
00:01:09,090 --> 00:01:16,710
default VPC already created for us in every region. We can also see here that

14
00:01:16,710 --> 00:01:22,860
we have subnets already created for us, and there are six subnets. The reason

15
00:01:22,860 --> 00:01:28,229
there are six subnets is that there is a default subnet in our default

16
00:01:28,229 --> 00:01:34,259
VPC for every single availability zone in that region, and so the North Virginia

17
00:01:34,259 --> 00:01:40,439
region has six availability zones, so there will be six subnets. So if we open

18
00:01:40,439 --> 00:01:48,030
that up, if I just do it in another screen, we will see here that we've got

19
00:01:48,030 --> 00:01:54,360
six subnets there and we can see the availability zones that they're in, going

20
00:01:54,360 --> 00:01:59,759
from 1a all the way through to 1f, so there's six availability zones there. Now,

21
00:01:59,759 --> 00:02:03,060
just one thing about availability zones: they've got an ID here, so we've got

22
00:02:03,060 --> 00:02:11,459
1a, 1b, 1c. Now that can change, and what I mean by that is that AWS try and

23
00:02:11,459 --> 00:02:13,560
balance the availability zones, so they are trying to

24
00:02:13,560 --> 00:02:18,540
make sure that they have the same amount of capacity, or spare capacity, in each

25
00:02:18,540 --> 00:02:24,209
availability zone, and so if everyone's selecting us-east-1a then us-east-1a

26
00:02:24,209 --> 00:02:29,940
is going to get full very quickly, and so your us-east-1a will be different

27
00:02:29,940 --> 00:02:34,380
to someone else's account's us-east-1a. They're not necessarily the same; it

28
00:02:34,380 --> 00:02:39,209
depends on which availability zone is being more overloaded than the other, and

29
00:02:39,209 --> 00:02:45,750
then they'll change that for the next account. Okay, so we just jump back into

30
00:02:45,750 --> 00:02:52,890
the VPC management console again. Now we can also see that we've got

31
00:02:52,890 --> 00:02:58,230
a route table already defined for us, and we've got an Internet gateway which has

32
00:02:58,230 --> 00:03:02,670
been attached to the default VPC. Now if you remember from the lecture, we need to

33
00:03:02,670 --> 00:03:08,280
have an Internet gateway attached to our VPC and we need to have our route from

34
00:03:08,280 --> 00:03:14,640
our subnet through to that Internet gateway. So let's have a look at that. So

35
00:03:14,640 --> 00:03:22,799
first of all have a look at the Internet gateway. Okay, so there we can see that

36
00:03:22,799 --> 00:03:29,430
Internet gateway and it's attached to our default VPC. So let's have a look at

37
00:03:29,430 --> 00:03:31,760
the route.

38
00:03:34,980 --> 00:03:41,069
Okay, so there's our route table. We just click on it to expand it. Okay, what we've

39
00:03:41,069 --> 00:03:46,830
got there is a route, so we've got two entries here. The first one is for local

40
00:03:46,830 --> 00:03:51,660
traffic within our VPC, so this CIDR block here, and don't be too concerned if

41
00:03:51,660 --> 00:03:56,459
you don't understand what a CIDR block is, because that is associate level stuff.

42
00:03:56,459 --> 00:04:01,049
As a cloud practitioner you don't need to know that, but that there will be the

43
00:04:01,049 --> 00:04:13,079
same as our VPC. So if we click on our VPC we will see that that 172.31.0.0 is

44
00:04:13,079 --> 00:04:20,669
the same here, so all traffic, local traffic, in our VPC is allowed. Now we

45
00:04:20,669 --> 00:04:27,120
also have an Internet gateway there, and we have traffic to the wider Internet is

46
00:04:27,120 --> 00:04:34,560
allowed, or rather it is routed through to that Internet gateway. And so we look at that

47
00:04:34,560 --> 00:04:37,979
and we can see that that will be the Internet gateway that is attached, or

48
00:04:37,979 --> 00:04:46,110
rather it's attached to our VPC. So we just open that up again and then we can

49
00:04:46,110 --> 00:04:53,400
see. So for that Internet gateway we have a route for the wider Internet traffic to

50
00:04:53,400 --> 00:04:59,400
the Internet gateway, but we also need to have an association between this route

51
00:04:59,400 --> 00:05:04,380
table and a subnet, and that way we can have a route from our Internet gateway

52
00:05:04,380 --> 00:05:10,380
through to our subnet itself. And so if we look here on Subnet Associations we can

53
00:05:10,380 --> 00:05:16,740
see that we have six subnet associations, and that is for the six subnets in each

54
00:05:16,740 --> 00:05:24,030
availability zone. So all traffic within any of those six subnets, those default

55
00:05:24,030 --> 00:05:28,260
subnets, will be routed, if they're for the wider Internet, will be

56
00:05:28,260 --> 00:05:34,020
routed to that Internet gateway. There is a note here that says "you do not have any

57
00:05:34,020 --> 00:05:38,729
subnet associations", so we haven't created our own specific subnet

58
00:05:38,729 --> 00:05:45,200
associations, but AWS has created these ones for us and those have been implicitly

59
00:05:45,200 --> 00:05:51,629
associated for us. So just jumping back into the VPC

60
00:05:51,629 --> 00:06:00,120
dashboard, now we also have a network access control list here, and so we can

61
00:06:00,120 --> 00:06:09,479
click on that and have a look at that. So again we'll click on it to have a look

62
00:06:09,479 --> 00:06:15,169
at it. So we have inbound and outbound rules, and so that is allowing all

63
00:06:15,169 --> 00:06:21,150
traffic. Okay, so all traffic is allowed, and then we've got a wildcard here for

64
00:06:21,150 --> 00:06:28,860
denied, so anything that is not defined will be denied. So that is a peculiarity

65
00:06:28,860 --> 00:06:34,379
of network access control lists: by default this will be here to deny

66
00:06:34,379 --> 00:06:40,229
everything, and so we have to specifically allow a rule to allow

67
00:06:40,229 --> 00:06:45,240
traffic in. So we have inbound and outbound rules. The reason we have

68
00:06:45,240 --> 00:06:52,979
inbound and outbound rules is because a network access control list is stateless,

69
00:06:52,979 --> 00:06:58,229
so just because a request comes in doesn't necessarily mean that the

70
00:06:58,229 --> 00:07:03,330
return is allowed back out again, so we need to define both inbound and outbound

71
00:07:03,330 --> 00:07:11,580
rules for that because it is stateless. Okay, so the best way to learn about this

72
00:07:11,580 --> 00:07:17,990
is to launch an instance and play around with it and see what happens. So

73
00:07:17,990 --> 00:07:25,500
if we click on "Launch EC2 instances" here, that will take us to the EC2 console and

74
00:07:25,500 --> 00:07:28,770
it will automatically start the launch process, so just click on that and

75
00:07:28,770 --> 00:07:34,409
then we're jumping into the EC2 console and we'll select an AMI. So we'll select

76
00:07:34,409 --> 00:07:47,639
a Marketplace WordPress AMI, that will be fine, and continue. So I'm just

77
00:07:47,639 --> 00:07:50,849
going to race through this quite quickly because we've already launched a

78
00:07:50,849 --> 00:07:55,020
WordPress application in the past, we know how to do this, so I'm just going to

79
00:07:55,020 --> 00:08:00,569
select the free tier eligible one. Now let's have a look at this. So we didn't

80
00:08:00,569 --> 00:08:03,040
go too much into this when we launched a WordPress

81
00:08:03,040 --> 00:08:08,020
application before, but let's have a look at this. So we've got our VPC, and

82
00:08:08,020 --> 00:08:11,080
we've only got one of them, so we've only got one to select from, and that

83
00:08:11,080 --> 00:08:17,140
is our default VPC. We can select a subnet to launch into, so I'm going to

84
00:08:17,140 --> 00:08:23,020
just select us-east-1a, but it doesn't really matter, and auto-assign a

85
00:08:23,020 --> 00:08:28,540
public IP. Now if you remember, I'm going to do Enable on here; if you remember we

86
00:08:28,540 --> 00:08:35,140
need to have a public IP address for our EC2 server so that it can be found on

87
00:08:35,140 --> 00:08:39,400
the wider Internet. If we don't have a public IP address it cannot be found on

88
00:08:39,400 --> 00:08:43,930
the wider Internet. Now, a placement group, that is just where we can launch

89
00:08:43,930 --> 00:08:49,060
instances into a high speed group with a high speed network between them; we don't

90
00:08:49,060 --> 00:08:52,570
need to worry about that. Now, IAM role, if you remember in the

91
00:08:52,570 --> 00:08:58,930
IAM lab we created a role for EC2. We could attach an IAM role here, but we

92
00:08:58,930 --> 00:09:04,210
won't worry about that now, we don't need that. And shutdown behaviour, we just have

93
00:09:04,210 --> 00:09:07,720
it set to stop; we won't worry about terminating it. Actually, we will terminate it,

94
00:09:07,720 --> 00:09:12,940
actually. And protect against accidental termination, we don't need to worry

95
00:09:12,940 --> 00:09:16,630
about anything there, so we'll leave everything as it is and we'll go to Add

96
00:09:16,630 --> 00:09:21,790
Storage and we'll leave that as it is again. We're going to add a tag and just

97
00:09:21,790 --> 00:09:30,190
call it Name, and we're going to call this one public, or public IP. So this

98
00:09:30,190 --> 00:09:33,010
one's going to have a public IP address, and we're going to launch one that

99
00:09:33,010 --> 00:09:39,100
doesn't have a public IP address. Now we have a security group that has already

100
00:09:39,100 --> 00:09:46,990
been created for us by this AMI, or it's already defined within this AMI. So what

101
00:09:46,990 --> 00:09:53,850
we've got here is, as you remember, a security group is

102
00:09:53,850 --> 00:09:59,800
associated to an instance; it operates at the instance level. It's a firewall that

103
00:09:59,800 --> 00:10:06,070
operates on that instance. It's unlike a network access control list, that

104
00:10:06,070 --> 00:10:13,100
operates at the subnet level. Okay, so the first entry there we've got is

105
00:10:13,100 --> 00:10:18,920
SSH, so if we want to connect into this EC2 instance, into the Linux operating

106
00:10:18,920 --> 00:10:25,370
system, we can do that through SSH. It's a little bit advanced right now, but we can

107
00:10:25,370 --> 00:10:32,660
do that if we would like to, and that will be on port 22. So normally if

108
00:10:32,660 --> 00:10:36,320
we're going to be connecting directly into this instance we would select the

109
00:10:36,320 --> 00:10:41,960
source as being your IP, so you select "My IP" and it would lock it to your IP

110
00:10:41,960 --> 00:10:50,720
address. We also need to allow traffic coming in for HTTP because it is a

111
00:10:50,720 --> 00:10:55,220
website, so there we've got, we're allowing traffic, all traffic from the

112
00:10:55,220 --> 00:10:59,690
wider Internet is going to be allowed, and also we've got SSL traffic here for

113
00:10:59,690 --> 00:11:06,670
port 443, and so that's what's going to be allowed in and allowed out, and

114
00:11:06,670 --> 00:11:12,380
nothing else will be allowed unless it's defined here in this security group. So

115
00:11:12,380 --> 00:11:21,230
let's review and launch, and launch. So I don't have a key pair, so I'm going to

116
00:11:21,230 --> 00:11:35,350
create a new key pair and I'll make sure that I download that key pair. Okay.

117
00:11:36,440 --> 00:11:45,400
Okay, I'm just going to launch that instance. Okay, so that has finished

118
00:11:45,400 --> 00:11:51,170
launching and I'll just click on View Instances, and I'm going to create

119
00:11:51,170 --> 00:11:56,930
another instance, but this one's not going to have a public IP address. So

120
00:11:56,930 --> 00:12:06,710
again we select the same one, we select a WordPress, okay, or just very quickly go

121
00:12:06,710 --> 00:12:14,660
through this, select one that's on the free tier. Okay, so I'm going to

122
00:12:14,660 --> 00:12:20,600
leave everything as it was before. I'll launch this one into maybe

123
00:12:20,600 --> 00:12:27,290
us-east-1a as well. Now I'm going to disable assigning of a public IP address, so this

124
00:12:27,290 --> 00:12:30,590
won't have a public IP address, but other than that it will be identical to the

125
00:12:30,590 --> 00:12:36,620
other one. So I'll leave that as it is, and storage will be the same. I'll add a

126
00:12:36,620 --> 00:12:48,530
tag for this and we're going to call this one no IP, leave the security

127
00:12:48,530 --> 00:12:53,830
group exactly the same as the other one, and then we'll launch this one as well.

128
00:12:58,379 --> 00:13:04,209
Okay, so that one's launched, so we'll just give it a bit of time to wait for

129
00:13:04,209 --> 00:13:09,069
all these status checks to be done, and we just click on refresh to see

130
00:13:09,069 --> 00:13:15,129
how they're going. Okay, so they're pretty well up and running now, those two

131
00:13:15,129 --> 00:13:20,889
instances. So we've got here public IP, no IP. So if you remember we

132
00:13:20,889 --> 00:13:25,000
defined a tag for Name with a capital N. If you use lowercase n it wouldn't have

133
00:13:25,000 --> 00:13:29,709
worked, but with a capital N there it will come up in this list here. So we've got

134
00:13:29,709 --> 00:13:34,660
here no IP and public IP. So this one with a public IP that we defined will

135
00:13:34,660 --> 00:13:41,170
have a public DNS, so we just select that and have a look at it, and there we go,

136
00:13:41,170 --> 00:13:45,220
we've got our WordPress site up and running just the same as we had last

137
00:13:45,220 --> 00:13:49,810
time that we did it, and we've also got our public IP address here. So select

138
00:13:49,810 --> 00:13:56,139
that and go to it, the same thing again. But when we go to the one that doesn't

139
00:13:56,139 --> 00:14:01,149
have a public IP address, there's no public DNS and there's no public IP

140
00:14:01,149 --> 00:14:05,170
address, so there's no way of finding this on the wider Internet. It's

141
00:14:05,170 --> 00:14:11,559
impossible to find it. So if we go to this private DNS and we try and navigate

142
00:14:11,559 --> 00:14:18,399
to that, it's just going to take us to a Google search. It's just not going

143
00:14:18,399 --> 00:14:25,750
to work. And if we go to this private IP address here, what's going to happen is

144
00:14:25,750 --> 00:14:31,449
that your computer is going to try and find it on your private network and it's

145
00:14:31,449 --> 00:14:35,800
not going to find it. It's a private IP address, so just the same as you have

146
00:14:35,800 --> 00:14:39,220
computers connected to your private network,

147
00:14:39,220 --> 00:14:43,269
it'll be looking for this server that is connected to your private network and

148
00:14:43,269 --> 00:14:47,079
it's actually not connected, so it's just going to hang there forever, and so that

149
00:14:47,079 --> 00:14:51,879
you can see it doesn't work. And so that's one reason why you need to have a public

150
00:14:51,879 --> 00:14:59,199
IP address. So before we get billed I'm just going to terminate that, and

151
00:14:59,199 --> 00:15:05,740
terminate. Okay, so that's shutting down now. So let's have a look at this now, and

152
00:15:05,740 --> 00:15:09,790
we'll have a bit of a play around with the VPC networking and see if we can get

153
00:15:09,790 --> 00:15:16,870
this thing to play up on us. Okay, so back in the VPC

154
00:15:16,870 --> 00:15:22,510
dashboard, what I want to do now is show you a little bit about route tables and

155
00:15:22,510 --> 00:15:28,450
the importance of having a route, or a route table, associated to the subnet

156
00:15:28,450 --> 00:15:33,310
that your EC2 instance is launched into, and having an entry in that route table

157
00:15:33,310 --> 00:15:38,980
that defines a route between that subnet and an Internet gateway, and without that

158
00:15:38,980 --> 00:15:42,970
you're not going to be able to connect to the wider Internet. So just go into

159
00:15:42,970 --> 00:15:48,340
this Route Tables part here and click on that route table, and there we can see is

160
00:15:48,340 --> 00:15:53,830
our default route table, which has got local traffic defined for our VPC, but

161
00:15:53,830 --> 00:15:58,750
it's also got traffic defined there for the wider Internet going to our Internet

162
00:15:58,750 --> 00:16:05,140
gateway. So what I'm going to do now is I'm going to delete that. Now, a word of

163
00:16:05,140 --> 00:16:10,390
warning: this is a hands-on session where I'm playing around with a few things and

164
00:16:10,390 --> 00:16:15,460
showing you how things work. I don't expect you to do this yourself; it's not

165
00:16:15,460 --> 00:16:20,200
a hands-on lab. The reason I haven't done this as a hands-on lab, or as a

166
00:16:20,200 --> 00:16:23,800
lab rather than a hands-on session, is because when you play around with your

167
00:16:23,800 --> 00:16:27,550
default VPC you can break it, and if you delete it,

168
00:16:27,550 --> 00:16:32,920
you'd have to ring up AWS support to get it back again. So just be

169
00:16:32,920 --> 00:16:36,430
careful when you're doing it, make sure you follow on very carefully

170
00:16:36,430 --> 00:16:42,910
and not delete your VPC and not get it back again. So what I'm going

171
00:16:42,910 --> 00:16:47,980
to do is I'm going to remove that entry, so all of a sudden the router in our

172
00:16:47,980 --> 00:16:52,480
VPC doesn't know how to direct traffic for the wider Internet; it only knows how

173
00:16:52,480 --> 00:16:58,180
to do it for local traffic within the VPC. So if we go to the EC2 management

174
00:16:58,180 --> 00:17:06,880
console and if we again go to that public DNS for our public IP website and

175
00:17:06,880 --> 00:17:16,540
we open that up, okay so it's still there. I forgot to click on save. Okay, so now

176
00:17:16,540 --> 00:17:22,900
saving that route table. So now if I do that again, because I have saved the route

177
00:17:22,900 --> 00:17:28,209
table, and we go to that again, we will find that it just hangs there

178
00:17:28,209 --> 00:17:33,610
forever and eventually times out. Now if we put

179
00:17:33,610 --> 00:17:36,909
that back again, so I'm going to click on Edit, I'm going to put it back

180
00:17:36,909 --> 00:17:41,799
on again and I'll select that Internet gateway, so all of a sudden we've got our

181
00:17:41,799 --> 00:17:45,700
wider Internet traffic going to our Internet gateway; we know how to route

182
00:17:45,700 --> 00:17:53,740
that now. And I'll click on save this time. Okay, so that's saved, and now if we

183
00:17:53,740 --> 00:18:01,029
go to that DNS again we've got our website back again, which is great. So

184
00:18:01,029 --> 00:18:05,799
when you're using VPC, or you launch an EC2 instance and you don't have your

185
00:18:05,799 --> 00:18:09,940
server up and running for whatever reason, your WordPress

186
00:18:09,940 --> 00:18:13,720
application or whatever it is, a few things you can check: make sure that you've got

187
00:18:13,720 --> 00:18:18,190
a public IP address, that's a no-brainer, and make sure that you've got an

188
00:18:18,190 --> 00:18:23,529
Internet gateway, you've got a route table associated with the subnet that

189
00:18:23,529 --> 00:18:27,850
you've launched your EC2 instance into, and make sure there's a route table

190
00:18:27,850 --> 00:18:35,260
entry that defines how to route traffic between that subnet and the Internet

191
00:18:35,260 --> 00:18:41,140
gateway. So that's all I have to tell you for now about VPC. I hope you've

192
00:18:41,140 --> 00:18:45,279
learned a lot and I look forward to seeing you in... hang on, before we do that

193
00:18:45,279 --> 00:18:51,250
we have to clean this up. So before I say goodbye let's clean this up, because we

194
00:18:51,250 --> 00:18:56,679
don't want to get a bill. So again we'll go into here, into Actions, Instance State

195
00:18:56,679 --> 00:19:02,890
and Terminate, yes, Terminate. Very important, make sure we clean up after

196
00:19:02,890 --> 00:19:07,029
ourselves. So now I'll say goodbye and I'll look forward to seeing you in the

197
00:19:07,029 --> 00:19:09,480
next one.