Transcripts
1. Introduction: You want to get to know the AWS VPC better, but you can't really find your way through the overwhelming documentation. You have had to look for other learning resources instead. You don't really know if it makes sense for you as a beginner to spend 40 hours working through a theoretical course. You wonder if there is someone out there who can break down the whole topic on point so that you get something out of it in the end. You might even want to prepare for the AWS Solutions Architect Associate exam, and the topic of networking is still overwhelming. Congratulations, this is the right place for you. I am Philip from decent notes, Cloud Engineer with several years of professional experience and AWS Solutions Architect Associate. My ambition is to explain all the important components of the AWS VPC to you in the shortest possible time, so that you understand them well and can use them practically right away. The goal of the course is to build, together with you, a production-ready cloud-native VPC from scratch and to give you the necessary theoretical and practical tools. The whole thing is specifically designed for beginner to intermediate level. In this course we try to look as cleanly as possible at the pure VPC service; only where it is really necessary do we briefly look into other AWS services. What is not included in this course: if you want to dive deep into dynamic routing with BGP, if you want to build three-way redundant on-prem-to-cloud connections or migrate 50 petabytes of data from your on-prem data center to the Cloud, this is not the correct course for you. We focus on the pure Cloud side here. We stay cloud native for now, pure Cloud, or whatever you want to call it. If you want to learn everything you need to know to build a solid production VPC in the AWS Cloud in a short amount of time, and if you don't just need the theoretical essence but someone who will show you all the essential components in detail, then this is the place to be for you. Sign up quickly and I'll see you in a sec. Let's do some networking together.
2. AWS VPC Definition: In this first lecture, I want to give you a brief overview regarding this whole VPC topic and how it fits together with the AWS Cloud. The AWS Cloud is a shared network. You can imagine it like this: there are physical nodes, storage, power supply, and there is also a private backbone, because you have to connect all the different data centers around the world which are provided by AWS, and they have to be connected privately. This is the purpose of this backbone. Then you have the VPC, and a VPC is then a private network, for example just for you, just your private network inside this AWS Cloud. On this slide here you can see that there are multiple VPCs inside this AWS Cloud. For example, Customer A and Customer B can spin up their own VPCs. But you, as a customer, can also spin up multiple VPCs, so this is not an issue. What is really important to know is that there are some global services from AWS, as you can see here on the left side. For example, this is S3, the storage service from AWS, or also SQS or DynamoDB. These services are running in their own VPCs, or rather in a VPC which is maintained by AWS. What is really important to know: you cannot spin up your private S3 bucket, for example, inside your VPC, in your private VPC. This is always provided and maintained by AWS, and you have to connect via endpoints to these services. But if you want to launch just a basic EC2 machine, for example your own server, this is something you can do in your private VPC. On this slide you can see a more detailed structure of the AWS Cloud. Basically it is structured in multiple regions. One region is a larger geographic area, for example US East, US West, Frankfurt or Ireland. Inside one region there are multiple availability zones, and one availability zone is a data center; it is equal to a data center. How many availability zones there are in one region depends on the region, so sometimes there are three, sometimes six. If you want to spin up a VPC, you first have to select the region. Do you want to spin up in US East or in Ireland, in Europe? You have to select it. Once you have selected it, you can create it, and it is created by default over all the availability zones inside this region. Then you can create subnets, and you can decide, for example, in which availability zone you want to create your subnet. Basically the best practice is just to create one subnet in each availability zone. But for example, if you have the requirement just to spin up an EC2 machine and just to host a static website there, and security doesn't matter, then you can just create one subnet in one availability zone, because it makes more sense to have multiple subnets for this requirement.
3. Manage resources: In this lecture I just want to summarize for you the main approaches for how you can manage your resources in AWS. The first one is the management console. This is something like a graphical user interface to manage your resources. Then you have the AWS CLI, and of course also multiple SDKs. I just want to show you this live. You can also find the links here below. We go to the management console. This is, as I already said, the graphical approach to manage your resources. I wanted to select the VPC here because it fits our topic today. Here, for example, I can select Your VPCs and I can create a VPC. Basically this is the main console to manage your resources, because you can do almost everything in this console. Another approach is to use the command line interface from AWS. Basically you just have to download this tool, and then you can manage your resources via the terminal, your favorite terminal. There's also not much difference between the CLI and the management console. But sometimes the management console creates some resources under the hood, and then when you create your resources via the command line interface, you wonder why it doesn't work. Then you have to dive a bit deeper into the resource you want to set up, because sometimes some other dependent resources are missing which are created under the hood by the management console. The third approach is to use SDKs. As you can see here, for almost every programming language there is an SDK. Because my mother tongue is Python, I want to show you this SDK approach with the help of Python. So I selected here, and then I can select, for example, AWS SDK for Python. Then you can see on this site that it is called boto3. You have an instruction for how you can install, in this case, the boto3 SDK, and you have the documentation here. Then you can just go through the documentation: how it is installed and how you can use it. But in the end you have to understand which resources you want to set up, and these are just tools to do that. You can decide whether you want to use the console, the CLI or SDKs; in the end it doesn't matter. There's also another approach: AWS also provides an API, and basically the CLI is based on this API. But there are also tools like Terraform, infrastructure as code. I normally use Terraform, so I don't do so much stuff in the AWS management console. But for this, we'll set up another course for this whole Terraform topic. In this course we want to concentrate on the AWS management console, do it graphically, because we just want to understand how it works. But we will also install the CLI just to know how this works, and we also want to create some resources with both the management console and the CLI.
4. Pricing: The topic of pricing is also very important, especially in the business world. So I just wanted to give you a brief overview, or some basic rules that you can follow to get an overview of the costs. In principle there are no additional costs for the VPC. So if you, for example, create an EC2 machine and you just want to use this service, then the network is already included. But there are some services or some functionalities where the chance is very high that there are additional fees. These are basically controlling and monitoring of the VPC. So every time there's something with monitoring, the chance is very high that there are additional fees. Also every time there is data transmission, for example between different regions, or from a region to the Internet and from the Internet back to a region or availability zone; every time a connection happens and data is transmitted. And also security, of course: for example, if you want to set up a sophisticated firewall, then you have to pay additional fees for that. So these are the basic rules. In this course I also want to talk sometimes about the pricing when we create the different components. But most of the components we are talking about in this course come with no additional costs. But these are the basic rules.
5. Create an IAM User: In this chapter we want to prepare our AWS account. I don't know if you already have an AWS account, so I assume there is already a main account. If you don't have an AWS account currently, you can just go to the AWS console and then register your main account. What we want to do now is create a so-called IAM user. I don't know if you already know the IAM service from AWS. It is called Identity and Access Management, and basically this is just the user management. So let's switch over to the console. You can see it already here among the recently visited services, the IAM service, because I already visited it. You can just search here for the IAM service and select it. Then you are here, and then we go to Users and we want to add a user. Then you can give it a name; I want to name it decent notes. Then we need AWS management console access. This is required because we want to use the Management Console. I also want to show you the CLI a bit sometimes, so that's why I also select the access key, the programmatic access. But you can decide if you want to do this, or if you just want to watch when I show you the CLI method. Then I want to give a custom password here, and I also don't want to reset my password. But in the end, if you want to be really secure, then of course you can choose the auto-generated password option, or you can also create a password via a password manager, and you can select the checkbox here to reset the password. Then the next step is permissions. I don't want to set it; this is something we postpone to the next lecture. Then you can create some tags, just assign some tags; for example, the environment is prod for me, or something like that. Then just to review: the username is decent notes, we want to have programmatic access and management console access, and we created a custom password. Create the user. Then you can see here that AWS created the user and also, for the programmatic access, the access key and secret access key. This value pair I can download here with this CSV file. I already downloaded the CSV file. Then you have just a CSV file where the two values are in, and we can use them later to set up the CLI. Then you just have to click here on the Close button, and we have successfully created the user, in my case decent notes.
6. Assign IAM Permissions: Now we have to assign the correct permissions to the AWS IAM user which we created in the last lecture, because currently this user has no permissions at all to do anything, and we want to create some VPC resources, some components, with the help of this user. So we switch again to the console and select again the IAM service; maybe you are already there. We go to Users and select the created user. Then you can see here the button Add permissions, and we click on that button. You have multiple possibilities for how you can select the policies or the permissions. We want to attach existing policies directly. Then we have to search for EC2. You can just type in EC2 here and then select EC2 full access. Then we also need VPC full access, so I just search here for VPC and then I select Amazon VPC full access. Then we also need system administrator permissions, so I search for "system" and then I can select system administrator here. And then in the end we can assign IAM full access. If you wonder why we give this user IAM full permissions now: this is basically where we are heavy-handed, and this is just because I don't want to do a full IAM course here. Some resources require some IAM permissions, and I don't want to select or restrict them very specifically. So that's why we just use full access here. But of course I always support the least-privilege approach, and I always support you if you sit down and search for the very specific IAM policies or statements so that the permissions are restricted as much as possible. Then we can go here to Review and just review which permissions we assign, which policies we assigned: EC2 full access, VPC full access, then system administrator rights and IAM full access. We can click here on Add permissions. Here we go: we assigned the correct permissions. I think this is sufficient to do what we want to do. Maybe we have to adjust a bit in the end, but mainly this is enough to set up all the VPC resources we want to set up.
7. AWS Command Line Interface (CLI): The really last preparation step is to install the CLI. You can decide if you want to install the CLI, because we don't want to use it so often. I just want to mention that it exists. But our main console is the management console, the graphical user interface, because we want to understand how it works. We want to understand how we can build a VPC, and we don't want to create it with two or three different approaches. But I just want to show you how it works, and I just wanted to mention that the CLI exists. So I switch again to my browser, and you can see here the command line interface documentation. You can just Google for "command-line interface AWS", or you use the link which is also included in our slides. All you have to do is click here on Getting Started and then Install and Update. Then you have to select your operating system; in my case it is macOS. Then you can install this installer file here. I already downloaded it, and then you can just install it: just double-click and install it. Then we can switch over to the terminal. The first thing we have to get is the credentials. If you remember, we created the user and then we downloaded the CSV file with the access key and secret access key. I think it is in my Downloads folder. Yeah, here it is. I just cat this CSV file. Of course it is bad practice to cat files with credentials, because they are then in the history, and also you don't want to share your secret access key with other users. But in this case it's just presentation mode; I will delete this decent notes user afterwards. So please forgive me for the cat-ing of this credentials file. Then I can check if the installation of the AWS CLI was successful. I do this with the command aws --version, and as you can see here, it works perfectly. I successfully installed version 252. All I have to do now is configure my AWS account. I do so with aws configure. Then I copy the access key ID here, and then I copy the AWS secret access key; this is this one here. Paste. Then I have to select a default region. When we go back to the browser, to the management console, you can select, for example, the VPC service, and then you can see here this selection: all the different regions which are currently available in the AWS Cloud. I like Ireland; that's why I decided to use the default region eu-west-1. Basically this is your decision, where you want to spin up your VPC with the CLI. With the CLI it's just that you have to define a default region: if you do not specify the region directly, then it spins up your resources inside this default region. This is just what it is all about. I will select this Ireland region here. When I go back to the terminal, I can just type in eu-west-1 here. The default output format you can leave empty. This is everything we have to do to configure the AWS CLI.
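The lecture above cats the downloaded key CSV into the terminal, which the speaker himself flags as bad practice. The following is an added example, not part of the course and not an AWS tool: it parses a CSV in the two-column layout the IAM console downloads (the header names and the profile name "decent-notes" are assumptions; the key values are the placeholder credentials AWS uses in its own documentation, constructed here as sample input) and writes them into an AWS-CLI style credentials file that is created with mode 0600 from the start, so the secret never has to be printed to the screen or pasted from a terminal buffer. The region still goes into ~/.aws/config via aws configure, as in the lecture.

```python
import csv
import io
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample of the access-key CSV the IAM console offers for download.
# Header names are an assumption about the CSV layout; the key values are the
# placeholder credentials AWS uses in its documentation, not real keys.
SAMPLE_CSV = (
    "Access key ID,Secret access key\n"
    "AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)


def parse_access_key_csv(text):
    """Return (access_key_id, secret_access_key) from the downloaded CSV text."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) != 1:
        raise ValueError(f"expected exactly one key pair, found {len(rows)} rows")
    key_id = rows[0]["Access key ID"].strip()
    secret = rows[0]["Secret access key"].strip()
    # Long-term IAM user keys start with AKIA and the secret is 40 characters.
    if not key_id.startswith("AKIA") or len(secret) != 40:
        raise ValueError("values do not look like an IAM user access key pair")
    return key_id, secret


def write_credentials_profile(credentials_path, profile, key_id, secret):
    """Write one [profile] section to an AWS-CLI style credentials file with mode 0600.

    os.open with 0o600 creates the file restrictively from the first byte, so there is
    no window in which another local user could read it; the chmod afterwards covers
    a pre-existing file that was created with looser permissions.
    """
    path = Path(credentials_path)
    path.parent.mkdir(parents=True, exist_ok=True)
    content = (
        f"[{profile}]\n"
        f"aws_access_key_id = {key_id}\n"
        f"aws_secret_access_key = {secret}\n"
    )
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(content)
    os.chmod(path, 0o600)
    return path


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def redact(key_id, secret):
    """Safe-to-print summary: the key ID is not secret, the secret is masked."""
    return f"{key_id} / {secret[:4]}{'*' * (len(secret) - 4)}"


def demo(base_dir=None):
    """Parse SAMPLE_CSV and write it below base_dir (a temp dir by default)."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp(prefix="aws-creds-demo-"))
    key_id, secret = parse_access_key_csv(SAMPLE_CSV)
    path = write_credentials_profile(base / ".aws" / "credentials", "decent-notes", key_id, secret)
    return {
        "path": str(path),
        "mode": file_mode(path),
        "access_key_id": key_id,
        "content": path.read_text(encoding="utf-8"),
        "summary": redact(key_id, secret),
    }


if __name__ == "__main__":
    result = demo()
    print(f"wrote {result['path']} with mode {oct(result['mode'])}: {result['summary']}")
```

Run it against the real download by replacing SAMPLE_CSV with the file contents and base_dir with your home directory; only the masked summary is ever printed, and the CSV itself should be deleted once the profile is written.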
8. Helicopter View Default VPC: Now it's getting exciting. We want to talk about the topic of the default VPC. What is the default VPC? AWS creates by default, in every region in the Cloud, a default VPC for you. I think this is the case for all AWS accounts which were created after 2014, I think. Highly likely it is also created in your account. AWS also creates in every region, for every VPC, some public subnets in every availability zone which is inside the region. What is the purpose of a default VPC? The purpose is that you are able, for example, to launch an EC2 machine very fast, where you can for example host a static website, and you don't want to care about all the networking stuff. If you just want to create your resources very quickly and you just want to focus on setting up the EC2 machine, then the default VPC is the way to go for you. I just wanted to give you a brief helicopter overview of what AWS creates by default for you in every region. Here you can see again the AWS Cloud and your VPC. We are inside one region, and there you can find, of course, the availability zones. In each availability zone there is a public subnet; you can see it here. AWS creates a DHCP option set, which does the DNS resolution. Then it creates a so-called NACL, which is a network access control list. It creates a router, a route table. It also creates a security group, but this is mostly the same as the NACL in the security region here. It creates an Internet gateway, and that's it. I added the EC2 machine here. Of course the EC2 machine is not created by default, but I just want to show you how the traffic flow to the public Internet can be, which you can see here. This is the helicopter view of what AWS creates by default in every region, in every availability zone.
9. Overview of automatically created components in the Default VPC: Now we want to go through all the components which we already know from the helicopter view in the AWS management console. Therefore I switch to my browser. You can click here on the VPC service if you recently visited the service, but you can of course also search for the VPC service and select it here. First of all, you can select the region here. In my case I just selected Ireland, but it is up to you. You can also decide to create your resources in us-east-1 or wherever, I don't know. So here you can select the region. Then we have the VPC dashboard. As you can see here, AWS created by default one default VPC, then three subnets, and this is because in Ireland there are three availability zones available. Then you have one main route table, one Internet gateway, one DHCP option set, one main network access control list and one main security group. Of course, every component which you can see here is completely free of charge, so there are no additional costs for having these default resources in every region. I just wanted to go through the components to give you a brief overview, so you do not have to understand everything, because we will have a deep dive into all the different components later on. As you can see here, we have one default VPC. It has a VPC ID, the state is available. AWS configured the CIDR block here by default, so the IP range is already fixed. As you can see here, there is a DHCP option set already assigned, and the main route table and a main network ACL. The tenancy is default. And of course the flag here says that this VPC is a default VPC. Then we can go to Subnets, and you can see here there are three subnets. They have different subnet IDs, but they are assigned to the same VPC, to the same default VPC. They have different CIDR blocks, so the CIDR blocks are not overlapping. When you define the CIDR block here, then you also define the maximum available IP addresses; in this case it is around 4 thousand. Then you can see here the availability zones, A, B, C. Of course the same main route table is assigned, and also the same network ACL. All three subnets are default subnets. Then you have one main route table. We can just have a quick look into the routes here. Basically this is the core of the whole routing of the network traffic; this is defined here. Then we have an Internet gateway. There is not much to say here: you just create an Internet gateway and then it gets assigned to a VPC which is available in the region, and then it is ready to go. Then of course we have the security. There's one main network ACL, which is assigned to all the subnets. Here you have inbound rules and outbound rules, and some rules you can define here: which traffic is allowed to come into our VPC and which traffic is not. This is the same also for the security groups: there's one main security group and you also have inbound and outbound rules here. We will talk about the differences later on.
10. Limits of the Default AWS VPC: In this last section in the chapter Default VPC, we want to talk about the limits of the default VPC. If you remember, I said that the default VPC is the correct VPC for you if you just want to spin up an EC2 machine and you don't want to take care of the whole networking stuff; you just want to spin up a machine, a public machine, and host a static website, for example. Then the default VPC is the way to go. But there are multiple limits. From my point of view, the biggest limit is that you cannot control the network settings. If you remember when we did our little walk-through, the CIDR blocks are predefined by AWS in the default VPC. AWS selects for you, for example, the IP range starting with 172, and they also configure the size of your VPC and of the subnets. So if you remember, every subnet has an IP address range, or max address range, which was available there, of 4,091 IP addresses, I think. You can decide whether it is too much or sufficient, but in the end you cannot control it. This is the main limit from my point of view. And of course there is no such thing as a private subnet, so every resource you want to spin up inside this default VPC, inside the default public subnet, is of course public. The last point here is that the replication of environments is not that easy. So for example, if you have a dev environment, a staging environment and a prod environment, when you use them with a non-default VPC, which is the next topic, the next chapter, then you can for example just assign a CIDR block starting with 10 for dev and starting with 110 for staging, something like that, and copy it relatively easily. In this case, with a default VPC, it's not that easy. I just wanted to mention it. What is also very important: please do not delete this default VPC. Because obviously, if you want to just create an EC2 machine in the default VPC, which is public then, okay. But I think you want to dive a bit deeper into the whole networking stuff, because you are watching this course here, so that's why you will highly likely create your own non-default VPC. But I just wanted to say, please leave the default VPC as it is, because sometimes there are some problems or some issues which appear when you delete the VPC. I did this in the past and then I had some weird problems, because AWS sometimes references the default VPC, and when it is not available, then you have a problem. My suggestion is: leave it as it is and then create your own non-default VPC. And this is our next chapter.
11. Advantages of the Non-Default AWS VPC: In this lecture we want to talk about the main topic, the non-default VPC. This is very important. The first topic is the advantages of the non-default VPC. Maybe you can stop the video now and think about the advantages. What are, in your opinion, the advantages of the non-default VPC? Just a little hint: highly likely these will be exactly the opposite of the limits of the non-default VPC. Yeah, what are the advantages? The biggest advantage is that you have full control over all the networking settings. This means you can, for example, set your own CIDR block size, so you can decide which IP range it should be and how many IP addresses are available in your VPC, in your subnet. And of course you can also create your private subnets. This is very important, especially if you build some business architectures, some production architectures, because it's just a matter of security, and it is good to create as many resources as possible in your private subnets and have just a few connections to the worldwide web. And of course in the non-default VPC it is also easier to replicate your dev, staging and prod environments, for example.
12. CIDR Blocks: Now we want to talk about a very central key concept in the whole networking space, and this is called Classless Inter-Domain Routing. The abbreviation is CIDR. If you read the documentation about the whole CIDR block stuff, it becomes, I think, a bit overwhelming, but in the end it is really easy to understand. As you can see here, you have some number behind this slash. This number defines a subnet mask which will be applied to the IP address which comes before the slash here. A 0 here means you apply a subnet mask which has 32 bits and all of the bits are zeros. In decimal this is 0. This means then, in the end, that you have a maximum of addresses of two to the power of 32. In the end these are around 4 billion IP addresses you can use in a subnet or a network which is defined with a CIDR /0. Then you can increase this number here up to 32. 32 means you have a subnet mask with 32 ones, and in the end this means you have just one IP address left. This you can use, for example, if you want to define in your firewall or in your security group that just your IP address is allowed, or another IP address. But just if you want to define one single IP address which is allowed to enter your VPC. My trick is that I remember this /16 CIDR definition here. This means you have two to the power of 16 possibilities as IP addresses, so something around 65 thousand. Every time we decrease this number here behind the slash, so when it goes towards 0, then this here increases, so the max addresses increase. Every time we increase here from /16 towards /32, the number of maximum addresses decreases, to one here in the end. This is the whole concept you have to understand when we talk about CIDR blocks. Because we want to define the size of our VPC, and that's why we need this concept of CIDR blocks here.
13. Specify Network Size: Now the question is, how can we specify the network size in AWS? There is a standard called RFC 1918, and in this standard it is defined which IP ranges are preferred for usage in private networks. Basically these are three ranges here: one starting with 10, one starting with 172.16 and one starting with 192.168. AWS defines that the minimum size of a VPC or subnet is /28, which means that the minimum number of addresses which are available is 16. This is also very important if you want to learn something for the AWS Solutions Architect Associate certification, because this is where they come in with a question. They ask, what is the minimum size? And this comes because AWS has five IP addresses which are reserved by default. The maximum size is /16, so around 65 thousand addresses. This is the maximum you can configure here in AWS. When we have a look here at the example CIDR blocks, then you can see, for example, if you want to define a CIDR block in the IP range starting with 10, and you want to have a maximum size of 65 thousand addresses, then you can define it like that here, so 10.0.0.0 and then /16. This means the first IP address is 10.0.0.0, and we will have 65 thousand addresses. This is also the case for all the other IP ranges which are available here. This is the main concept of how it works with the CIDR blocks. And of course you have to decide how big your network will be. This depends on how many resources you want to launch. What is also important here, we have another slide for that, this is the third one here: you cannot change the size of your CIDR blocks once they are created. This means you have to decide, before you create your VPC and your subnets, which size they have to have. Of course you can change it then by deleting the whole VPC and the whole subnet construction and creating a new one. But of course this is a very hard task, especially if you already launched some resources in your old VPC, because then you have to migrate all your resources. So you have to create a new VPC with a new CIDR block range, then you have to migrate all your resources, and then you can delete your old VPC and your old subnets. This is a very hard task, especially if you have multiple resources already in your VPC. It makes sense to consider that before creating your basic network architecture. And of course the CIDR blocks also cannot overlap each other. You can assign multiple CIDR blocks per VPC, but they cannot overlap. This is very important to say here.
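The two lectures above (CIDR Blocks and Specify Network Size) describe the rules by hand: the prefix length sets the address count, AWS accepts /16 to /28 for a VPC or subnet, five addresses per subnet are reserved, blocks must not overlap, and the size cannot be changed afterwards, so it pays to plan it. The following is an added example, not part of the course, that turns those rules into a small planning check using only Python's standard ipaddress module. The availability zone names and the /20 subnet size are assumptions for illustration; note that the 4,091 usable addresses mentioned for the default subnets is exactly what a /20 gives once the five reserved addresses are subtracted.

```python
import ipaddress
from itertools import combinations

# AWS reserves the first four and the last address of every subnet:
# network address, VPC router, Amazon DNS, one reserved for future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5

# IPv4 prefix lengths AWS accepts for a VPC or subnet CIDR block.
VPC_LARGEST_PREFIX = 16   # /16 -> 65,536 addresses
VPC_SMALLEST_PREFIX = 28  # /28 -> 16 addresses

# The three private ranges from RFC 1918.
RFC1918_RANGES = tuple(
    ipaddress.ip_network(block) for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def describe_cidr(cidr):
    """Address counts for a block, including what is left after AWS's reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "prefix": net.prefixlen,
        "total_addresses": net.num_addresses,
        "usable_in_aws": max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0),
        "first_address": str(net.network_address),
        "last_address": str(net.broadcast_address),
        "rfc1918": net.version == 4 and any(net.subnet_of(r) for r in RFC1918_RANGES),
    }


def validate_vpc_cidr(cidr):
    """Raise ValueError unless cidr is an IPv4 block between /16 and /28 with host bits zero."""
    try:
        # strict=True rejects e.g. 10.0.0.1/16, where bits outside the mask are set
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr!r} is not a clean network address: {exc}") from exc
    if net.version != 4:
        raise ValueError(f"{cidr!r}: this check covers IPv4 blocks only")
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr!r}: AWS requires a prefix between /16 and /28")
    return net


def plan_subnets(vpc_cidr, subnet_prefix, availability_zones):
    """Carve one subnet per availability zone out of the VPC block, in address order."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"subnet prefix must be between /{vpc.prefixlen} and /{VPC_SMALLEST_PREFIX}")
    # A subnet may be as large as the VPC itself; otherwise split the VPC block.
    candidates = iter([vpc]) if subnet_prefix == vpc.prefixlen else vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for zone in availability_zones:
        try:
            plan[zone] = str(next(candidates))
        except StopIteration:
            raise ValueError(f"{vpc_cidr} has no room for a /{subnet_prefix} in {zone}") from None
    return plan


def find_overlaps(cidrs):
    """Pairs of blocks that overlap; AWS refuses such pairs within one VPC."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


if __name__ == "__main__":
    # Assumed layout: a /16 VPC split into /20 subnets, one per Ireland availability zone.
    for block in ("10.0.0.0/16", "172.31.0.0/20", "10.0.0.0/28"):
        info = describe_cidr(block)
        print(f"{block}: {info['total_addresses']} addresses, {info['usable_in_aws']} usable in AWS")
    print(plan_subnets("10.0.0.0/16", 20, ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
    print(find_overlaps(["10.0.0.0/16", "10.0.0.0/24", "192.168.0.0/16"]))
```

Because the block cannot be resized later, run plan_subnets with the number of availability zones and the subnet size you expect to need before creating anything; find_overlaps is the check to run before adding a secondary CIDR block to an existing VPC.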
14. Create a Non-Default AWS VPC: Now we want to create a non-default VPC. We want to walk through all the components and resources required to build your non-default, production-ready, cloud-native VPC. Every time we need a new resource, I will explain the theoretical part first and then we will create it practically in the cloud. So this is the plan, and now we can switch over to the AWS Management Console.

You can see I am logged in with an IAM user now, so I do not use the root account. As I already said, it is a good idea to create new resources with an IAM user following the least-privilege approach. I have already selected the Europe (Ireland) region, eu-west-1, and in this region we are going to create our first non-default VPC. You have to go to the VPC service; I think it is also in your recently visited list by now. On the VPC dashboard, go to "Your VPCs". You can see the default VPC, which we mentioned a few lessons before when we talked about the default VPC helicopter view.

Now we click the "Create VPC" button. There are two options: you can either create the VPC only, or the VPC plus a subnet structure. We want to understand the whole architecture, and that is why, from my point of view, it is a good idea to build it from scratch. In the first box you can define a name tag; I will call it prod-1, you can give it a better name. Then we define the IPv4 CIDR block. I think 10.0.0.0/16 is a good choice: our IP range starts with 10.0, and it has 65,536 possible IP addresses. We do not want to use IPv6 CIDR blocks. Then you can also assign additional tags; I like, for example, an "environment" tag, which is "prod" here. I think that's it, and then you click the "Create VPC" button. You can see the VPC was created successfully, with the CIDR block we defined, and we also have our tags, environment and Name. When we go back to the list, we now have the default VPC and the prod-1 VPC.

Now I want to show you how you can build this VPC with the CLI as well. I think this is a good place to talk about the CLI, because a VPC is relatively easy to create; there are not many settings you can assign. That is why I want to show you how it works with the CLI. You can decide whether you also want to create a VPC with the CLI or just want to watch.

First we need the command. I just searched for "AWS CLI create VPC", and I think the first entry is create-vpc in the AWS CLI Command Reference. The statement in brackets here is very important, because this is your prefix. Every command starts with aws, because that is the binary, and the second part is the namespace, which in this case is ec2. All the networking resources live in the EC2 namespace because AWS started to build its services based on EC2, and EC2 was the first service which required networking. After the namespace comes the create-vpc command, so in the end it is aws ec2 create-vpc. Below that you find the synopsis, where all the options you can choose are defined. We will use --cidr-block and --tag-specifications, because these were the only options we also set in the management console.

Let's start. We switch to the terminal and start the command with aws ec2 create-vpc. Back in the browser, we need the --cidr-block flag, so I copy it and paste it into the terminal, and then we use an IP range; this is just an example, we will delete this VPC afterwards, it is only to show you how it works with the CLI. Back in the reference, we need the definition for the tag specifications, and this is not that easy. If you go to --tag-specifications, you can see a rather sophisticated, overwhelming structure. You first have to define a resource type, and then you can add a list of tags, which are key/value pairs in the end. For me it is a bit hard to understand how it works, and that's why I always use the examples. In the examples you can copy one that shows how the tag specifications work. I copy that one, go back to the terminal and paste it. Then we set the environment tag to "staging", because we have one prod environment now and maybe it is also a good idea to have a staging VPC; the Owner key from the example we don't need. The Name is also staging-1, and the environment is staging. Then we press Enter, and the VPC is created successfully. As you can see, the output shows the CIDR block range and the tags, environment and Name.

When we go back to the management console, to the VPC list, and click Refresh, you can see we now have the prod-1 VPC and the staging-1 VPC with their different CIDR blocks. In the "Default VPC" column you can see there is just one default VPC, the one which was created by AWS, and we have two non-default VPCs. Now I will delete the staging VPC, because we want to proceed with the prod-1 VPC; maybe it is too confusing to have two VPCs for now. Then we can proceed to build our prod VPC with a more detailed structure.
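As an added example (mine, not from the course, and it does not call AWS), here is a small Python helper that assembles the aws ec2 create-vpc command and the --tag-specifications shorthand from a plain dictionary, and rejects CIDR blocks the VPC API would refuse (an IPv4 VPC CIDR must be between /16 and /28). The function names and the staging-1 values are assumptions for the illustration.

```python
"""Build an `aws ec2 create-vpc` command with tag specifications.

Added example for this lesson; it does not call AWS. It only assembles the
argument list the way the CLI expects it and validates the CIDR block
against the VPC size limits (/16 to /28 for IPv4).
"""
import ipaddress
import shlex


def tag_specification(resource_type: str, tags: dict) -> str:
    """Render the CLI shorthand for --tag-specifications.

    The shorthand for one resource type looks like:
      ResourceType=vpc,Tags=[{Key=Name,Value=prod-1},{Key=environment,Value=prod}]
    """
    for key, value in tags.items():
        # Commas, braces, brackets and '=' would break the shorthand parser; refuse them.
        if any(ch in key + value for ch in ",{}[]="):
            raise ValueError(f"tag {key!r}={value!r} contains shorthand metacharacters")
    rendered = ",".join(f"{{Key={k},Value={v}}}" for k, v in tags.items())
    return f"ResourceType={resource_type},Tags=[{rendered}]"


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept only a clean IPv4 network between /16 and /28, as the VPC API does."""
    network = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not isinstance(network, ipaddress.IPv4Network):
        raise ValueError("this helper handles IPv4 VPC CIDRs only")
    if not 16 <= network.prefixlen <= 28:
        raise ValueError(f"VPC CIDR must be /16 to /28, got /{network.prefixlen}")
    return network


def build_create_vpc(cidr: str, tags: dict) -> list:
    """Return the argv list for `aws ec2 create-vpc` (hypothetical helper name)."""
    validate_vpc_cidr(cidr)
    return [
        "aws", "ec2", "create-vpc",
        "--cidr-block", cidr,
        "--tag-specifications", tag_specification("vpc", tags),
    ]


if __name__ == "__main__":
    # Constructed values mirroring the staging VPC created in the lesson
    argv = build_create_vpc("10.1.0.0/16", {"Name": "staging-1", "environment": "staging"})
    print(shlex.join(argv))  # quoted so it can be pasted into a shell
```

The quoting matters: the braces and brackets in the shorthand must be wrapped in single quotes when you type the command yourself, which is exactly what shlex.join does here.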
15. Overview public Subnets: We have the non-default VPC, and now we want to create so-called subnets inside this non-default VPC. I want to give you a brief overview of the different types of subnets that exist. As you can see in this overview, one type is the public subnet, and as the name says, all resources in this type of subnet are publicly available. This means if your EC2 instance in the public subnet has a public IP address, it is reachable from the worldwide web. Another type is the private subnet. Every resource in a private subnet is really private: it has no public IP address and it is not reachable from the outside, not reachable from the internet. Then there is a special type called the VPN-only subnet. Basically this is also a kind of private subnet, but with one additional point: a VPN connection. The route table of a VPN-only subnet has a route to a virtual private gateway, so its traffic can reach your on-premises network over the VPN, but it has no route to an internet gateway, so it is still a kind of private subnet. The most important subnets are the public subnet and the private subnet.

Then there is another key concept AWS uses: they differentiate between IPv4-only, IPv6-only and dual-stack subnets. In the end you can combine these types with the types above. You can say you want to build a public subnet with IPv4 only, or a private subnet with dual stack, and so on. These are the most important types of subnets.
16. Public IP Addresses: To build a really good cloud-native VPC with subnets, it is also important to understand the different kinds of IP addresses. One kind is the public IP address. What does that mean? AWS provides a pool of public IP addresses, and this pool is maintained by AWS. It is very important to understand that these public IP addresses are not associated with your specific AWS account. So when you spin up an EC2 instance, you can decide, and this is point 3 on the slide, with a flag on each subnet whether you want to auto-assign a public IPv4 address or not. If you set this flag to true, a public IP address is automatically assigned to your EC2 instance. It then lives only as long as your instance is running in your account: if you stop or terminate the instance, this IP address is released and given back to the global pool maintained by AWS. So this is not your personal public IP address; it is just borrowed from a pool.
17. Elastic IP Addresses: Another kind of IP address is the Elastic IP address. You can imagine it like this: there is also a pool of public IP addresses maintained by AWS, and from this pool you can borrow a static public IP address, the Elastic IP address. In this case it is allocated to your AWS account. You decide how long you want to hold this IP address in your account, and you can give it back whenever you want. It is not tied to an EC2 instance: unlike the auto-assigned public IP address, which is given back when the instance is terminated, an Elastic IP stays allocated to your account, and you hold the decision when to give it back.

As you can see in point 3, an instance that has multiple private IP addresses can also have multiple Elastic IP addresses, one associated with each private IP address. The basic idea is this: if you spin up an EC2 instance, it has by default a public IP address and a private IP address, but this public IP address is not yours; if the instance is terminated, it is gone. So what do you do if the EC2 instance fails, or you have to terminate it, but you have to ensure that the service lives on? One simple concept is that you borrow one Elastic IP address from the pool. Then you have your fixed, static public IP address, and you associate it with the first EC2 instance. When this instance fails, you can easily spin up a new EC2 instance and just re-associate the Elastic IP address with the new instance. This is a simple use case, and you can imagine how this Elastic IP address concept works.
18. Create Public Subnets: Now we want to create the public subnets. First of all, here is a little overview of what we want to build in our fresh VPC. As you can see, we have the VPC with the CIDR block 10.0.0.0/16, and we want to create two public subnets. One is called prod-sub-1 and the other one prod-sub-2, and both are in one availability zone. This is just an example here, and that's why I decided to create the public subnets in one availability zone only; of course you can also create subnets in every availability zone of your region. Also important are the CIDR ranges for the subnets: for prod-sub-1 it is 10.0.0.0/24, and for prod-sub-2 it is 10.0.1.0/24.

Let's switch over to the management console. We go to the VPC service and select Subnets. As you can see, we already have the default subnets. We want to create a new subnet, so we click "Create subnet" and select the VPC ID, in our case prod-1; you can see the associated CIDR for the VPC, 10.0.0.0/16. Then you can give it a name, prod-sub-1 as we defined it in the overview, and pick an availability zone in eu-west-1. Then you define the CIDR block for the specific subnet, and in our case we decided on 10.0.0.0/24. You can think about how many IP addresses are then available if we define a /24 here. Then the name tag is prod-sub-1, and we also add the environment tag, which is prod in this case. Then we create the subnet. This is the first one. We switch back to the overview, and the second one is prod-sub-2 with the CIDR block 10.0.1.0/24. Let's build this subnet as well: we click "Create subnet", select prod-1, name it prod-sub-2, assign the same eu-west-1 availability zone, enter 10.0.1.0/24 and of course the environment tag prod again. We create this subnet.

If I delete this filter and order the list a bit, you can see we have prod-sub-1 and prod-sub-2, they are assigned to our prod VPC, and we have these two CIDR blocks. The column "Available IPv4 addresses" shows 251 rather than 256, because AWS reserves five addresses in every subnet: the first four (the network address, the VPC router, the DNS resolver and one for future use) and the last one (broadcast).

It is also important, as you can see here, that the flag "Auto-assign public IPv4 address" is set to No, and this we want to change. So we first select prod-sub-1, go to Actions and "Edit subnet settings", and tick "Enable auto-assign public IPv4 address". We do this for prod-sub-1, and we also want to do it for prod-sub-2: again Actions, "Edit subnet settings", and enable auto-assign public IPv4 address. This is because in the next lessons we want to launch EC2 instances in both subnets, and of course we want to reach these instances so that we can log in to them, do some pings and some network stuff there. For that we need a public IP address, because otherwise the instances are not reachable.
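Added example, not from the course: a Python check of the subnet plan above. It verifies that the subnets fit inside the VPC CIDR without overlapping each other and computes the 251 usable addresses the console shows for a /24 from the five addresses AWS reserves per subnet. The function names are mine.

```python
"""Subnet planning check for the prod VPC.

Added example, not from the course. AWS reserves five addresses in each
subnet: the network address, the VPC router (+1), the Amazon DNS resolver
(+2), one for future use (+3) and the broadcast address (last one).
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"prod-sub-1": "10.0.0.0/24", "prod-sub-2": "10.0.1.0/24"}
RESERVED_PER_SUBNET = 5  # network, router, DNS, future use, broadcast


def reserved_addresses(cidr: str) -> list:
    """The five addresses AWS keeps for itself in a subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [str(net.broadcast_address)]


def usable_addresses(cidr: str) -> int:
    """Addresses you can actually assign to ENIs: 251 for a /24, 11 for a /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC subnets must be between /16 and /28")
    return net.num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, subnets: dict) -> dict:
    """Return usable counts per subnet; raise if a subnet leaves the VPC or overlaps another."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(vpc):
            raise ValueError(f"{a} ({nets[a]}) is not inside VPC {vpc}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return {name: usable_addresses(str(n)) for name, n in nets.items()}


if __name__ == "__main__":
    for name, count in validate_plan(VPC_CIDR, SUBNETS).items():
        print(f"{name}: {SUBNETS[name]} -> {count} usable, reserved {reserved_addresses(SUBNETS[name])}")
```

Run it before clicking "Create subnet": overlapping or out-of-range CIDRs are rejected by the console too, but catching them in a plan you can review is cheaper than deleting subnets later.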
19. EC2 instances in the public subnet: In this lesson we are going to create EC2 instances in our public subnets. Here you can see a little overview of what we want to do. We have the prod-sub-1 subnet and the prod-sub-2 subnet, and in each of the subnets we want to create one EC2 instance; one is called prod-ec2-1 and the other one prod-ec2-2. To do this, we switch over to our console and select the EC2 service. If you cannot see it under the recently visited services, you can of course always search for the service and select it. As you can see, currently there are no instances running, and we want to launch our first EC2 instance, which we achieve by clicking the "Launch Instance" button.

Then we search for Ubuntu, because we just want to spin up an Ubuntu-based machine; 20.04 is okay for us, we select it. Then we can use the t2.micro instance type, because it is free-tier eligible. In the next step we select our prod VPC and the prod-sub-1 subnet. Of course we want to auto-assign the public IP address, because we want to reach this instance from the worldwide web. I think all the other settings are okay for now. We can add storage, but we don't need it, so it is fine to just have the root volume here. Then we can add some tags: usually I assign the environment tag, which is prod in this case, and I also want to give it a name, which is prod-ec2-1. Then I configure the security group. For now I just want to use the existing default security group of the VPC, because we want to talk about the security groups topic later on. Then I click "Review and Launch" and I can launch it. Then I create a new key pair, because in the end I want to connect to the EC2 instance via SSH, and for that I need a key pair, which is what I create here. How do I want to name it? I think prod-ec2-1, for example. Then I download this key pair and launch the instance. Under Instances you can see the instance state is pending.

In the meantime we can create the other EC2 instance. So we click "Launch Instance" again, search for Ubuntu, select 20.04 again, use the t2.micro instance, and in "Configure Instance" we also select the VPC prod-1, but now the subnet prod-sub-2. Auto-assign public IP address is also enabled, and the rest is okay; storage is also okay. We want to add the tags again, so environment is prod, and of course we also want to give it a name, in this case prod-ec2-2. For the security group we again select the existing default security group, then "Review and Launch", Launch. In this case I would say we can just use the existing key pair from prod-ec2-1, because for now we can use the same key pair to connect to all of the EC2 instances here. Launch instance, and go back to the instance overview. You can see the first one is running now and the second one is still pending.

We can try to connect now to the first prod-ec2-1 instance. I copy its public IP address and go to the terminal. If we look into our Downloads folder, we find our private key file, prod-ec2-1.pem. First of all we have to change the permissions, because by default they are too open, so we change them to 600 for prod-ec2-1.pem. That's okay, and then we can try to connect via SSH with ssh -i and select our private key, because it is not the default key located in our .ssh folder. Then we say we want to log in as the ubuntu user, and I just hit Enter. Sorry, now I copy it again; I have to switch back to the console and copy the IP address again. Now it could work. As you can see, it is currently not possible to connect to the EC2 instance from the worldwide web, and why this is the case is what we want to talk about in the upcoming lessons.
20. Internet Gateway (IGW): The first reason we have to consider for why we cannot connect to our EC2 instances is the so-called internet gateway. What is the internet gateway? The internet gateway is a VPC component which is horizontally scaled, redundant and highly available. AWS maintains this service, so the internet gateway does not pose any risk in terms of availability or bandwidth limitations. What is also important to know: there is no additional charge for the internet gateway itself (data transfer out of the VPC is still charged). Maybe you remember, we already saw it in the default VPC overview; it is the component which is created automatically for the default VPC. The purpose of the internet gateway, as the name already says, is to provide the connection to the internet. So if there is no internet gateway for your VPC, you definitely have no internet access. To establish internet access you have to create the internet gateway first and then adapt the route tables, and we will talk about the route tables in the next lesson.

Here you can see the little overview: our current status is that we have the two public subnets and the two EC2 instances, and now we add the internet gateway. Therefore we switch again to the management console, and now to the VPC service. On the left side you can see "Internet gateways", and currently we have just the default gateway, which is attached to the default VPC. We want to create a new internet gateway; I will call it prod-1 and also set the environment tag to prod. Then I just create this internet gateway; there is not much more to say about that. Then you can see that its current state is "Detached" and there is no VPC ID. This means the internet gateway is not attached to any VPC currently. That's why I click on Actions and then "Attach to VPC", select the prod-1 VPC and attach the internet gateway to the VPC. This is all we have to do in this lesson: we created the internet gateway, and this is our gate to the worldwide web from our VPC.
21. Route Tables: Another important concept is the route table. As you can see here, we created our public subnets, we created the two instances and we created the internet gateway. Now we add a so-called route table. A route table is basically just a configuration map for the router, and the router comes by default with every VPC: if you create a VPC, a router is created automatically with it. As you can see on the left side, a route table consists mainly of two columns, the destination and the target. In this case it just means that all traffic is routed to the internet gateway igw-xyz. If you want to achieve the AWS Solutions Architect Associate level, these rules are very important, because they come up in exam questions. Each subnet is associated with exactly one route table. That means you can assign only one route table per subnet, but you can assign one route table to multiple subnets. If you remember, we have this main route table which comes by default with the VPC, and this one you can assign to all of your subnets. But of course you can also create custom route tables, and with the help of custom route tables you can make more detailed settings. For example, if you want to distinguish between private subnets and public subnets, this is the way to go: you create custom route tables.

Now we want to switch back to our management console. Maybe you are still in the internet gateway section; just select "Route tables". Then you can see we have two main route tables, one for the default VPC and one for our non-default prod-1 VPC. I select the route table ID from our non-default VPC, and you can see the routes: destination, target and status. Basically we have just one route here, and this is the default route; every route table has to have a local route. It means that every instance created in our VPC can reach any other EC2 instance or any other resource inside our VPC. So every resource can reach any other resource in the VPC, and the destination is the main CIDR block of the VPC. You cannot change this route; if you try to delete the local route, it is not possible.
22. Establish internet access: Now we finally want to establish internet access. What is missing to access our EC2 instance from the worldwide web? As you can see here, we have our internet gateway, and we have our router with a route table. Inside this route table we just have one route, and this route says that all traffic inside our VPC stays local; all local traffic is allowed. What we have to do now is add another route which says that all traffic, 0.0.0.0/0, is sent to our internet gateway, because this is the component which provides the connection to the internet.

This is what we want to do, so I switch back to the management console and select the route table. As you can see, we have the prod-1 VPC, so I select the related route table ID. Then we have the routes, and as you already know from the previous lesson, we have this one route, the local route, and we want to add a new one. We go to "Edit routes" and "Add route". Then we say all traffic, which is 0.0.0.0/0. When I click on the target, the dropdown offers "Internet Gateway", and you can see our internet gateway which we created before. We use this one, and that's it; we just click "Save changes". You can see we created another route, which connects all our instances to the internet gateway.

Now we have to ensure that this route table is associated with all our subnets. We have our two EC2 instances in the two subnets prod-sub-1 and prod-sub-2, and if we scroll to the right, you can see that it is the same route table for both subnets. When I select this ID and go to Routes, you can see it is the one we modified. So I think this will work now.

We can check if we are finally able to access the EC2 instance. I go to the EC2 console again, copy the IP address, then go to the terminal again: ssh -i with the private key file, I think it was called prod-ec2-1.pem, and then we add the IP address. Obviously it is not working. So what could it be? The reason it does not work currently is another concept, called security groups. I just want to mention it here very briefly, because we will have a separate chapter for the whole security topic.

We switch back to the management console and go to the EC2 instances again. If we select this EC2 instance, there is a tab called Security, and here you can see the default security group. You can imagine a security group like a firewall: you define which traffic is allowed as inbound rules. By default we have this one rule which allows all traffic, all protocols and the whole port range, but the restriction is that it only allows traffic from instances which are in the same security group. So the source references the security group itself, and obviously my local PC is not part of this security group, which is why it doesn't work. What we have to do is click on "Edit inbound rules" and add a rule which allows SSH traffic, TCP port 22, from anywhere, 0.0.0.0/0. Of course you can also enter your static IP address here if you have one locally, with /32, so that it is just your IP address; then it is more restricted. For now it is okay to just allow SSH traffic from everywhere. We save this rule, and you can see we added another inbound rule, the SSH one.

So let's give it another try. We go back to the terminal and I run the command again, and as you can see, I can now connect to my EC2 instance. This is how it works, and we have created our first internet connection to our EC2 instances. What we did so far: we created a non-default VPC, we created two public subnets, and in each of the public subnets we launched one EC2 instance. We created an internet gateway which is attached to our non-default VPC and can be used by all subnets inside the VPC. Then we added a route to the route table so that traffic to every destination goes to our internet gateway, and the internet gateway carries it to the worldwide web. And then we tweaked our security group a bit so that we get permission to access our EC2 instances. This is how it works; now we have successfully created the internet connection.
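An added example (mine, not the course's) that models the security-group decision described above in Python: inbound rules are an allow-list with no deny rules, a rule whose source is a security-group ID matches the sender's group membership rather than its IP address, and the tighter /32 variant is shown next to the 0.0.0.0/0 one. The group IDs sg-0default and sg-0web are made up, and the laptop address 203.0.113.7 is constructed from the documentation range.

```python
"""Why the default security group blocks your laptop.

Added example, not from the course. Models inbound rule evaluation for one
security group: allow-list only, any matching rule permits, nothing denies.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class InboundRule:
    protocol: str             # 'tcp', 'udp', 'icmp' or '-1' for all traffic
    from_port: Optional[int]  # None means all ports
    to_port: Optional[int]
    source: str               # a CIDR or a security-group ID (sg-...)


@dataclass(frozen=True)
class Source:
    ip: str
    # security groups of the sending ENI, if the sender is itself inside the VPC
    security_groups: FrozenSet[str] = frozenset()


def rule_matches(rule: InboundRule, src: Source, protocol: str, port: int) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and rule.from_port is not None:
        if not rule.from_port <= port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        # Group-referencing rules match the sender's group membership, not its IP
        return rule.source in src.security_groups
    return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(rules: List[InboundRule], src: Source, protocol: str, port: int) -> bool:
    """Security groups are allow-lists: one matching rule is enough, and nothing denies."""
    return any(rule_matches(r, src, protocol, port) for r in rules)


# What the console shows for the VPC's default group: all traffic from itself
DEFAULT_SG = [InboundRule("-1", None, None, "sg-0default")]
# After "Edit inbound rules" in the lesson: SSH from anywhere
SSH_ANYWHERE = DEFAULT_SG + [InboundRule("tcp", 22, 22, "0.0.0.0/0")]
# The tighter variant the lesson mentions: SSH only from your own /32
SSH_MY_IP = DEFAULT_SG + [InboundRule("tcp", 22, 22, "203.0.113.7/32")]

LAPTOP = Source("203.0.113.7")                                  # constructed
OTHER_INSTANCE = Source("10.0.1.25", frozenset({"sg-0default"}))  # constructed
STRANGER = Source("198.51.100.9")                              # constructed

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_SG), ("ssh-anywhere", SSH_ANYWHERE), ("ssh-my-ip", SSH_MY_IP)]:
        print(name, "laptop:", inbound_allowed(rules, LAPTOP, "tcp", 22),
              "stranger:", inbound_allowed(rules, STRANGER, "tcp", 22))
```

The last line of each run is the practical point: with SSH_ANYWHERE the stranger gets the same answer as you do, so once you have a fixed address, replace the 0.0.0.0/0 rule with the /32 one.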
23. Overview private subnets: In this chapter we want to talk about the second kind of subnet, the private subnets. Just a brief overview of where we are currently: we successfully created two public subnets, each with an EC2 instance running inside, and internet access is available because the route table has a route to the internet gateway. In this case we just have one route table, the main route table of the VPC. Now we want to turn the prod-sub-2 public subnet into a private subnet. As you can see here, by default there is no difference between public subnets and private subnets. The only thing that differs is the definition in the route table. So when you create a subnet, you cannot decide whether it is a public subnet or a private subnet; you just create a subnet, and then the routes in its route table decide whether it is a public subnet, a private subnet or a VPN-only subnet.
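Added example, not part of the course, that models lessons 21 to 23 in Python: longest-prefix route lookup as the VPC router performs it, the rule that the local route cannot be deleted, and classification of a subnet as public, private or VPN-only purely from the targets in its route table, which is the point just made. Gateway IDs such as igw-0abc1234 are placeholders.

```python
"""Route-table evaluation and subnet classification.

Added example, not part of the course. 'public', 'private' and 'VPN-only'
are properties of the route table a subnet is associated with, not of
the subnet itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR
    target: str       # 'local', 'igw-...', 'nat-...', 'vgw-...'


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the most specific matching route (longest prefix), as the VPC router does."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.destination, strict=True)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def delete_route(routes: List[Route], destination: str) -> List[Route]:
    """Mimic the console: the local route for the VPC CIDR cannot be removed."""
    for r in routes:
        if r.destination == destination:
            if r.target == "local":
                raise PermissionError("the local route of the VPC CIDR cannot be deleted")
            return [x for x in routes if x != r]
    raise KeyError(destination)


def classify_subnet(routes: List[Route]) -> str:
    """A route to an internet gateway makes a subnet public; a route to a virtual
    private gateway without an IGW makes it VPN-only; everything else is private."""
    targets = {r.target.split("-")[0] for r in routes}
    if "igw" in targets:
        return "public"
    if "vgw" in targets:
        return "vpn-only"
    return "private"


# Constructed route tables for the course's prod VPC (10.0.0.0/16); IDs are placeholders
MAIN_RT = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0abc1234")]
PRIVATE_RT = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "nat-0def5678")]
VPN_RT = [Route("10.0.0.0/16", "local"), Route("192.168.0.0/16", "vgw-01234567")]

if __name__ == "__main__":
    for name, rt in [("main", MAIN_RT), ("private", PRIVATE_RT), ("vpn-only", VPN_RT)]:
        print(name, classify_subnet(rt),
              "8.8.8.8 ->", lookup(rt, "8.8.8.8"),
              "10.0.1.25 ->", lookup(rt, "10.0.1.25"))
```

Note that the same subnet object would be "public" with MAIN_RT and "private" with PRIVATE_RT; nothing on the subnet itself changes, which is exactly what the next lessons exploit when they turn prod-sub-2 private.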
24. Private IP Addresses: When we talk about private subnets, another very important key concept is the concept of private IP addresses. Here is a little overview of the most important things you have to know about private IP addresses. Private IP addresses are not accessible via the internet. Their purpose is to enable the communication between all your instances within your VPC or your subnet. When you start an EC2 instance and do not specify a fixed IP, AWS automatically assigns one available IP address from your subnet range. Remember, this is based on your CIDR block configuration; AWS just picks one free IP address inside this range. What you can also do is specify a fixed private IP address for the EC2 instance, but it has to fit into your subnet's CIDR block range (and it cannot be one of the addresses AWS reserves). It is also possible to assign multiple private IPs to one EC2 instance.
25. Basics NAT Gateway: The last topic we have to talk about before we switch over to the practical part is the NAT gateway. I want to give you a brief overview of the basics of a so-called NAT gateway. What is a NAT gateway? NAT means network address translation, and it means that there is a translation between IP addresses. In this case we replace the source IP address of an instance, for example your EC2 instance in your private subnet, with the IP address of the NAT gateway. This also works the other way around: when the response comes back from the worldwide web, the NAT gateway's IP address is translated back to your instance's source IP address. What is also very important: if you want high availability, there should be a separate NAT gateway in each availability zone, because a NAT gateway lives in one availability zone. But if HA is not a requirement, it is of course sufficient to create just one NAT gateway and use it for every purpose.

There are two different kinds of NAT gateways: the public and the private NAT gateway. The public NAT gateway works the way I already explained: it allows outgoing traffic from an instance placed inside a private subnet, translates the source IP address into the IP address of the NAT gateway, and then the traffic can go to the worldwide web. The response is redirected back to the EC2 instance itself, and the IP addresses are translated back. To achieve this, an Elastic IP address is required for the public NAT gateway; you have to associate an Elastic IP address with your public NAT gateway, otherwise it doesn't work. Then there is the private NAT gateway, which works a bit differently. Here you do not need an Elastic IP address, because a private NAT gateway just connects different VPCs or on-premises networks, and you stay in your private environment. What happens is just that the private IP addresses of your instances are replaced by the private IP address of the NAT gateway, so there is no need for a public IP address.

I also want to mention the pricing here again, because the NAT gateway comes with additional fees. You can just search for "NAT gateway pricing": it is priced per hour and also by how much traffic is processed through the NAT gateway. Lessons learned: if you want internet access from a private EC2 instance in a private subnet, for example because you want to update your OS, then you need something like a NAT gateway. The internet gateway on its own only handles instances with public IP addresses; it does not translate private IP addresses.
26. Create a NAT Gateway: Now it gets practical. We want to create a NAT gateway, so I switch back to my management console and go to the VPC service. Here you can find "NAT gateways", and as you can see, there is currently no NAT gateway available. This we want to change, so we create a NAT gateway; the name is prod-nat-1, for example. Then we have to select a proper subnet for it, and this is very important to understand: we need a public subnet for the NAT gateway, because it can only translate addresses from the private to the public space if it is placed in a public subnet. So we have to ensure it is public. And because we want to turn prod-sub-2 into a private subnet, the only option left is to put it into the prod-sub-1 subnet. As you can see, we have the two connectivity types we already learned about, public and private. We want to use public, because we want public access from our private instances. Then we need an Elastic IP address, so I say "Allocate Elastic IP", and AWS allocates it under the hood into your account, or in this case my account. This works very smoothly. There is already a Name tag with prod-nat-1, and we just want to add the environment tag, which is prod. Then we can create this NAT gateway, and that's it; this is everything we have to do to create a NAT gateway. We have to wait a bit, because the state is currently pending. When it is finished we will also get a private IP address, in addition to the Elastic IP address here.

What I also wanted to mention is that there is something called a NAT instance. This is kind of legacy, and it is another option to achieve network address translation. In this case you spin up an EC2 instance with NAT functionality, and you are responsible for patching, sizing and failover of that instance yourself. In most cases you will just use the NAT gateway. But sometimes, if you want to do more comprehensive or more detailed configurations, you may consider spinning up a NAT instance. I think in 95% of all cases the NAT gateway is the way to go.
27. Public vs. Private Subnets: Now we finally want to turn our second public subnet into a private subnet. Here is the little overview. We want to modify the route table in such a way that the public subnet prod-sub-2 becomes a private subnet. The first thing we have to do is to create another route table, because as you already know, we currently only use the one main route table, and the main route table is used for every subnet here. If we deleted the Internet gateway route from it, it would also be deleted for the public subnet, and that is not what we want. That's why we have to create another route table.

Before we do that, I will show you that the connection to the second EC2 machine currently works. This EC2 machine is currently in our second public subnet, so I copy its public IP address, go back to the terminal and run ssh with -i, the key file prod-ec2-1.pem, and that IP address. As you can see, this currently works: I can connect to the second EC2 machine because it is still in a public subnet. That's fine. I exit here and go back to the management console.

Now we switch to the VPC service and go to the route tables. There are just these two main route tables for the two VPCs. I create a new route table called prod-private-1 and select the prod VPC, because this route table belongs to our prod VPC. I assign the env tag with the value prod and create the route table. As you can see, it has just one route, the local route I already explained.

What we have to do now is to associate this route table with the second subnet. So we select Subnets, go to prod-sub-2, Actions, and edit the route table association. There you can select the route table ID; we do not want the main route table, we want prod-private-1. The routes shown below are reduced to the local entry, and I click Save. Now the second subnet has a different route table. As you can see, its route table ID differs from the route table ID of the other subnet in our VPC.

Now we can check this. We go back to the terminal and try to connect again. As you can see, it doesn't work anymore, because we no longer have a connection via the Internet gateway; that route is gone for this subnet. This is fine, it works as expected.

Now we can go back to the route tables, to the private route table, and add the NAT gateway route.
here the internet, the NAT gateway route thing. Before we wanted to do this, we can have a look onto here, this little overview,
how it works. So what we want to achieve, we want to achieve that this private EC2 instance
has access to the Internet, but traffic from
the World Wide Web has no permission to access
the product C22 machine. And therefore, we already created this NAT gateway
here in the public subnet. But we currently we
have no connection to this NAT gateway from the private resources inside
this private subnet here. And that's why we have to define another route in this
private route table, which is defined as o
slash o to NAT gateway, which means every traffic will be routed to
the NAT gateway. And then it works in this way. You have your EC2 instance here, and this is a private instance. And with the help
of this route here, it can connect via the router from the VPC
to our NAT gateway. And this NAT gateway
here is inside or public VPC in
our public subnet. Sorry. This means it can use
this route entry here. It has IP address, a public IP address. And with the help of
this public IP address, it can use the route that every traffic gets redirected to the
Internet gateway. It can pass the traffic via the router to the
Internet gateway. And via the Internet gateway, it has been x's to
the worldwide web. And this is how it works. But again, it works
just in one direction and in the other direction
just with the responses. That means the EC2 instance can request some things
via the Internet, and it can also get them
the responses back. But nobody can reach
this EC2 machine from the worldwide web
if the EC2 machine itself doesn't want it. So if there is no request
from the EC2 machine itself. So this is the
theory behind that. And now we can finally
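To make the overview concrete, here is a small model of the two route tables and the one-way behaviour of the NAT gateway. This is an added example and not code from the course; the VPC CIDR 10.0.0.0/16, the Elastic IP 54.0.0.1 and the instance addresses are assumptions, and the NAT gateway model is a deliberately simplified source-NAT translation table, not the real AWS implementation.

```python
import ipaddress
from itertools import count

# Constructed model of the course's prod VPC. The VPC CIDR and the Elastic IP
# are assumptions; the course does not state them at this point.
VPC_CIDR = "10.0.0.0/16"
NAT_EIP = "54.0.0.1"

# Route tables as (destination, target), in the shape of the console's routes.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")]      # prod-sub-1, main table
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat")]     # prod-sub-2, prod-private-1
PRIVATE_RT_WITHOUT_NAT = [(VPC_CIDR, "local")]               # prod-private-1 right after creation


def lookup(route_table, dst):
    """Longest-prefix match: the most specific route wins, like the VPC router."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


class NatGateway:
    """Source NAT with a translation table: outbound flows create an entry,
    and an inbound packet is accepted only if it hits an existing entry."""

    def __init__(self, eip):
        self.eip = eip
        self.table = {}             # (eip, translated port) -> (private ip, private port)
        self._ports = count(1024)   # deterministic port allocation for the example

    def outbound(self, private_ip, private_port):
        tport = next(self._ports)
        self.table[(self.eip, tport)] = (private_ip, private_port)
        return self.eip, tport       # source address and port the Internet sees

    def inbound(self, dst_ip, dst_port):
        """Return the private endpoint a reply is forwarded to, or None if the
        packet is unsolicited and therefore dropped."""
        return self.table.get((dst_ip, dst_port))


def trace_egress(route_table, nat, private_ip, private_port, dst):
    """Follow a packet from a private instance hop by hop, as in the overview:
    private route table -> NAT gateway (public subnet) -> public route table -> IGW."""
    hops = []
    target = lookup(route_table, dst)
    if target is None:
        return ["dropped: no route"]
    hops.append(target)
    if target == "local":
        return hops                  # stays inside the VPC, no translation needed
    if target == "nat":
        eip, tport = nat.outbound(private_ip, private_port)
        hops.append(f"snat {private_ip}:{private_port} -> {eip}:{tport}")
        target = lookup(PUBLIC_RT, dst)   # the NAT gateway sits in prod-sub-1
        hops.append(target)
    if target == "igw":
        hops.append("internet")
    return hops


if __name__ == "__main__":
    gw = NatGateway(NAT_EIP)
    print(trace_egress(PRIVATE_RT, gw, "10.0.2.50", 40000, "8.8.8.8"))
    print(gw.inbound(NAT_EIP, 1024), gw.inbound(NAT_EIP, 22))
    print(trace_egress(PRIVATE_RT_WITHOUT_NAT, gw, "10.0.2.50", 40001, "8.8.8.8"))
```

The third trace is the state of prod-sub-2 right after the route table association in this lecture: with only the local route, Internet-bound traffic has nowhere to go, which is exactly why the SSH connection stopped working.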
And now we can finally switch back to the console and add this route. Go to Edit routes, Add route, destination 0.0.0.0/0 again, and as the target we choose the NAT gateway instead of the Internet gateway, our prod-nat-1, and save the changes. This is all we have to do for now. When we go back to the terminal, of course we still cannot connect to our EC2 machine, because as we already learned this is one direction only: we cannot reach our private EC2 machine in the private subnet from the World Wide Web. But this is expected behavior.
28. Bastion Host: Now one step is missing. We want to connect to our private EC2 machine in the private subnet and check how the connection to the World Wide Web works. Basically we just want to ping Google to ensure that our settings are correct. To do that we have to introduce a concept called a bastion host. What is a bastion host? You can imagine it as a public server which can be reached from the World Wide Web and which also has permission to connect to the private server.

If you remember, the security groups of both the public EC2 machine and the private EC2 machine allow SSH access, so that is fine. And the route tables of both subnets ensure, via the local route, that every instance running inside our prod VPC can connect to every other instance in this VPC. So that should work.

What we have to do now is the command I provided, which does port tunneling (local port forwarding through the bastion): ssh with -i and the key file, -L 2222:<private resource IP>:22, and then the user and the bastion host IP. You can just copy it from the slide, and then we switch to our terminal, where I already prepared the command. We have to replace the private resource IP and the bastion host IP. Therefore we switch to the management console, go to the EC2 service and to our prod-ec2-1 machine; this is our bastion host. Here we need the public IP address, which in this case starts with 54. I copy it, switch back to the terminal and paste it. Then I do the same for the private IP address: back to the management console, and important here, we have to copy the private IP address of the second machine, not a public IP address, because the public EC2 machine has to reach the private instance via the private IP address range. So copy it and paste it.

What we also have to pass explicitly is our custom PEM file, because we do not use the default key in our .ssh folder. Now it should work. As you can see, the host fingerprint has to be accepted, and then we are connected to the public machine. You can tell it is the public EC2 machine because its address is not the private IP address of the private EC2 machine. This is just the first step: we have now tunneled port 22 of our private EC2 machine to port 2222 on our localhost. So the SSH port of this private EC2 machine is now available on my localhost on port 2222.

Now I open another terminal, and what is important is that the first terminal stays open the whole time. You cannot close it, because otherwise you also close this session, the port is no longer tunneled to localhost, and you can no longer connect to your private EC2 machine. So this stays open the whole time.

Then I connect to my private EC2 machine, also with ssh: -i with the prod-ec2-1.pem file, then the login user of the instance, and now localhost instead of the IP address of the private EC2 machine, because as I already said it is mapped to our localhost. And we have to specify port 2222 with -p, because by default ssh uses port 22, but our tunnel listens on our local port 2222. Then I execute the command, accept the fingerprint, and now we are on our private EC2 machine. You can verify that by checking the private IP address shown in the prompt, and we can also verify it in the management console: select the private EC2 machine and look at its private IP address, and it is indeed the same address. So we are on our private machine.

Now the final step: we want to ensure that our NAT settings work, so we execute a small ping to google.com for example. And as you can see, it works perfectly.

So what did we do? We created a public subnet, we created a private subnet, and we changed the route table. Currently we cannot access our private EC2 machine from the World Wide Web, but the private EC2 machine can access the World Wide Web. So if we want to install a little update on this private EC2 machine, that is possible via the NAT gateway, but it is not possible the other way around. This is again a big milestone.

What we have to do now is delete and stop all the resources which cause additional costs. So I stop the session here, switch back to the management console and stop these two EC2 machines, because maybe we need them again in the next lectures and chapters. We also go to the VPC service again and delete the NAT gateway: Actions, Delete NAT gateway, Delete. Now you can see the state is deleting. Here we can have a final look at the VPC dashboard. I think there are no further resources which cause additional costs. No, I don't think so. I almost forgot the Elastic IP address. If you remember, when we created our NAT gateway we also had to allocate an Elastic IP address, and this IP address is not released when you delete the NAT gateway; an Elastic IP that is not attached to anything still costs money. So I go back to the EC2 service, and under Network & Security you can find Elastic IPs. I go to Actions and release the Elastic IP address. I will do so, release. And then this is also done.
29. Intro Security Groups: In this chapter we want to talk about the topic of security. I thought a lot about the correct way to do it: put the security topic at the front of the whole course, or here. In the end I decided to first create the VPC architecture and all the functional stuff, ensure that everything works, and now add the security layer.

Here comes a little overview. First, I have a hint for you: assign a high priority to security right from the start. From my experience you get lost if you do not start adding the security layer right from the start; your infrastructure or architecture grows and grows and grows, and then you reach the point where you cannot catch up with all the stuff you missed in the past. Just as a hint: security, very high priority.

Then there are two different kinds of security in the cloud. One is security of the cloud, and that is the part of AWS: for example AWS ensures with hardware firewalls that the cloud itself is secure, or it provides redundant servers, and so on. Mainly on the hardware level, but also on the software level. The other is security in the cloud, and that is the user's part. As you can see below, you can increase the security level with the help of network access control lists, security groups and firewalls; these three are basically software firewalls at different levels. You can also increase your security level just by dividing your VPC into proper subnets and by using private subnets. An EC2 instance that cannot be reached from the World Wide Web by default is already separated, so the segmentation does part of the work; you still need security groups and access control lists for other reasons, but proper subnets are an additional security level.

Monitoring is of course also something that increases your security level, because if you do not know what happens in your VPC and your subnets, then you cannot secure them. There is also the possibility to use IAM permissions. For example, we created an IAM user to create our VPC resources, and this is highly recommended: do not use your root AWS account for that. The last thing here is encryption; for example you have the possibility to encrypt your data in transit, and this is another security layer you can apply. This is the little introduction to security, and in the next lecture we will talk about the network access control lists.
30. Network Access Control List (NACL): In this lecture we want to talk about network access control lists, called NACLs. What is a NACL? A NACL is an additional security layer, and you can imagine it working like a firewall at the subnet level. If you remember, by default every VPC that gets created has a default network access control list which allows all traffic. We saw that for the default VPC and also for the non-default VPC: we just created the VPC, and by default there was a NACL that allowed all traffic in and out. But you can also create your own custom network access control list and associate it with the subnet you want. When you create a custom network access control list, there are no rules specified, which means you have to explicitly allow the traffic, otherwise all traffic is denied.

What is very important to know, especially if you want to do the certification for the AWS Solutions Architect Associate, is that a network access control list is stateless. What does stateless mean? It means that you have to define an inbound rule and an outbound rule to achieve a successful data transmission. For example, if you do a request and you define an inbound rule, then the request gets in, but you cannot get the response back, because you have no definition for the outbound rule, and the network access control list is not able to remember who did the request. There is no storage, there is no state, so you have to define the outbound rule as well.

Also important is that the rule order matters. You can create rules numbered from 1 to 32766, and AWS recommends that you create your rules in increments of 10, for example 10, 20, 30, 40 and so on. If you do it that way, then you have the option to add rules in the middle later; otherwise you have to restructure the whole rule set. Also very important: a rule inside a network access control list can allow or deny the traffic.

This is what we want to check now in the AWS console. First we want to start the EC2 machine in the public subnet, because we want to check if it really works. So I start our EC2 machine again, and of course we want to use the EC2 machine in prod-sub-1, because we just want to connect directly to this machine; we don't want to use the bastion host. If I refresh, the state is pending. In the meantime we go to our VPC service and to Network ACLs. You can see that we still have just the two default network ACLs. We create a new one called prod-subnet-1, because I want to associate it with subnet one. I select the prod VPC, also add the tag, and create the network ACL. Now you can see it is not associated with any subnet yet. We have a new ACL ID, and when I click on it you can see that by default it has an inbound rule which denies all traffic and a default outbound rule which also denies all traffic.

What we want to achieve is that we can connect to our EC2 machine again when we use this network ACL. First we have to associate this network ACL with our prod-sub-1 subnet: select it, go to Actions, Edit network ACL association, switch it to subnet one and save. Now we can go back to the EC2 section, and maybe the machine is running now. Yes, it looks good. We copy the IP address and switch to the terminal. Now we do ssh with -i and our prod-ec2-1.pem file again and this IP address, Enter. And we see it doesn't work. We expected this behavior, because when we go back to the VPC service and to the network ACL, we can see everything is denied, so we have to add some inbound and outbound rules to ensure that the SSH traffic reaches our EC2 machine.

The first thing we want to do is edit the inbound rules. I assign the number 10, select SSH from everywhere and allow it in the first stage, then save the changes. Then I check again in the terminal, and as you can see it doesn't work, because we cannot get the response back from the EC2 machine. Back in the AWS console we now also add an outbound rule: Edit outbound rules, number 10 again, SSH traffic to everywhere, allow, save. Back in the terminal, as you can see it still doesn't work. And why doesn't it work? Our outbound rule only allows destination port 22, but the response from the EC2 machine does not go to port 22. The SSH client on my laptop opened the connection from a random high source port (an ephemeral port), and the response goes back to exactly that port. This is not specific to SSH, it is how every TCP client works, and because the NACL is stateless it does not know which port that was. So the outbound rule has to allow the ephemeral port range (1024 to 65535) towards the client, or all traffic, as we do here for simplicity. That's why I go back to the outbound rules, edit the rule again, and instead of just SSH I allow all traffic. Then I save the changes and go back to the terminal, and now it should work. As you can see, it really works. I exit the connection.

Now I want to show you how the order of the rule entries works. We edit the inbound rules again and add another rule with the number 20, also SSH, and this time I deny it. Now think about what will happen: is it possible to reach the EC2 instance with this configuration or not? I save the change and go back to the terminal, and as you can see it works, I am able to connect to my EC2 machine. This is because we defined the allow rule first, with the lower number: the rules are evaluated in order, and the first rule that matches decides, so the deny rule at 20 is never reached. If we go to the inbound rules again and renumber, so that the deny rule becomes 10 and the allow rule becomes 30, then we deny our SSH traffic first and then allow it. When we check the connection in the terminal again, it doesn't work. This is expected behavior: we changed the order, and now the allow rule doesn't matter because we already denied all SSH traffic at rule 10.

So this is how the whole thing with network ACLs works. The purpose of it is, for example, to ensure that only the IP address of your bastion host or of your local PC can connect. If you have a static IP address, then you can define here that only your IP address with /32 is allowed to access your VPC via SSH. So you really have detailed control, because you can use IP addresses and IP ranges, and you can define an explicit deny as well as an allow.
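Here is the evaluation logic of this lecture as a small model you can run locally: first-match-by-rule-number with the implicit deny at the end, and the stateless check of one SSH session where the reply is tested against the outbound rules with the client's ephemeral port as destination port. This is an added example, not code from the course; the client address 203.0.113.5 and source port 51515 are constructed, and the rule sets mirror the states the console walkthrough went through, plus a tighter ephemeral-only outbound rule and a bastion-only inbound rule set that the lecture only describes in words.

```python
import ipaddress

EPHEMERAL_PORTS = (1024, 65535)   # range a TCP client picks its source port from


def rule(num, action, cidr="0.0.0.0/0", ports=(0, 65535), proto="tcp"):
    """One NACL entry. num is the rule number, ports the (from, to) port range."""
    return {"num": num, "action": action, "cidr": cidr, "ports": ports, "proto": proto}


def _matches(r, addr, port, proto):
    lo, hi = r["ports"]
    return (r["proto"] in ("all", proto)
            and lo <= port <= hi
            and ipaddress.ip_address(addr) in ipaddress.ip_network(r["cidr"]))


def evaluate(rules, addr, port, proto="tcp"):
    """NACL semantics: rules are tried in ascending number order and the first
    match decides; the implicit '*' rule at the end denies everything else."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if _matches(r, addr, port, proto):
            return r["action"], r["num"]
    return "deny", "*"


def ssh_session(inbound, outbound, client_ip, client_port):
    """Stateless check of one SSH session. The request is tested against the
    inbound rules (source = client, destination port 22). The reply is tested
    against the outbound rules (destination = client, destination port = the
    client's ephemeral source port). Both must be allowed."""
    request = evaluate(inbound, client_ip, 22)
    reply = evaluate(outbound, client_ip, client_port)
    ok = request[0] == "allow" and reply[0] == "allow"
    return ok, {"request": request, "reply": reply}


# The states the lecture walks through, with a constructed client 203.0.113.5:51515
INBOUND_ALLOW_SSH = [rule(10, "allow", ports=(22, 22))]
OUTBOUND_NONE = []                                                  # fresh custom NACL
OUTBOUND_SSH_ONLY = [rule(10, "allow", ports=(22, 22))]             # second attempt
OUTBOUND_ALL = [rule(10, "allow", ports=(0, 65535), proto="all")]   # what made it work
OUTBOUND_EPHEMERAL = [rule(10, "allow", ports=EPHEMERAL_PORTS)]     # tighter alternative

# Rule order: the same two rules, different numbers
INBOUND_ALLOW_THEN_DENY = [rule(10, "allow", ports=(22, 22)), rule(20, "deny", ports=(22, 22))]
INBOUND_DENY_THEN_ALLOW = [rule(10, "deny", ports=(22, 22)), rule(30, "allow", ports=(22, 22))]

# Bastion-only SSH: allow one /32, deny everyone else on port 22
INBOUND_BASTION_ONLY = [rule(10, "allow", cidr="203.0.113.5/32", ports=(22, 22)),
                        rule(20, "deny", ports=(22, 22))]

if __name__ == "__main__":
    for name, out in [("none", OUTBOUND_NONE), ("ssh only", OUTBOUND_SSH_ONLY),
                      ("all", OUTBOUND_ALL), ("ephemeral", OUTBOUND_EPHEMERAL)]:
        print(f"outbound={name}:", ssh_session(INBOUND_ALLOW_SSH, out, "203.0.113.5", 51515))
    print(evaluate(INBOUND_ALLOW_THEN_DENY, "203.0.113.5", 22))
    print(evaluate(INBOUND_DENY_THEN_ALLOW, "203.0.113.5", 22))
    print(evaluate(INBOUND_BASTION_ONLY, "198.51.100.7", 22))
```

The OUTBOUND_EPHEMERAL set is what you would normally use instead of "allow all traffic": it lets replies reach any client port but still blocks the subnet from initiating connections to low ports on the Internet through the NACL.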
31. Security Group: In this lesson we are going to talk about the topic security group. What is a security group? It is also like a virtual firewall, but here we operate at the resource level. That means you assign a security group to one EC2 machine, for example (more precisely to its network interface). Every VPC has a default security group. What is really important is that security groups are stateful. That means, for example, if you do an SSH request to an EC2 machine, then the response is automatically allowed. You can imagine that there is a little storage in the middle, and the security group remembers who requested something, so the response is automatically allowed. Then, for security groups, we can only define allow rules. These two statements are very important for the Solutions Architect Associate exam: security groups are stateful, and there are only allow rules.

In this table you can see again the difference between security groups and network access control lists. As we already said, the security group operates at the instance level and supports only allow rules. It is stateful, which means the return traffic is automatically allowed, so you do not have to create additional outbound rules if you just want to allow inbound SSH traffic. All rules are evaluated before AWS decides whether to allow or deny the traffic, and you have to explicitly assign the security group to the instance. Then there is the network access control list, which operates at the subnet level. Here you have allow rules and deny rules, the NACL is stateless, and the order in which you define your rules matters: if you remember, when you create two equal rules, one with allow and one with deny, then it matters which comes first. And when you associate a network access control list with a subnet, it is automatically applied to all instances inside that subnet. This is the difference.

Let's do some practical stuff. I switch back to the console, and first I go to the VPC service again. I check the network ACLs, because we want to ensure that we allow all traffic through the network ACLs, so that we can check the functionality of the security groups. So I go to the subnets again, and I think we associated our custom network access control list with subnet one. That's why I go to Edit again and change it back to the default ACL, so that all traffic is allowed through the ACL. I save, and then I can choose Security Groups. As you can see, we have just the two default security groups for the two VPCs. I click on Create security group and give it a name: prod-subnet-1-allow-ssh, for SSH access. Then I set the VPC to the prod VPC. Then I define an SSH rule for the TCP protocol and port range 22, from anywhere, with the description SSH. And I delete all the outbound rules here. In the end we just have one inbound rule with SSH traffic allowed. Create the security group.

Now I can go over to the EC2 management console. Our prod-ec2-1 machine is running; I select it and click on Security. As you can see, the default security group is assigned. We want to change this, so I go to Actions, Security, Change security groups. Now I can select our subnet one security group and remove the default one. As you can already see, you can also assign multiple security groups to one machine; in our case we just want this subnet one security group. I click on Save and go back to Security again. As you can see, it was changed by AWS, but you cannot see an inbound rule; I think this is a bug in the console here. So I refresh the page and go back to Security, and now our inbound rule is displayed.

Now we can check if this really works. I copy the public IP address of this EC2 machine, go back to my terminal and say ssh -i with the PEM file, then the login user, @ and our IP address. As you can see, it works perfectly. And just to ensure that it is really this SSH rule, we can go back to the security group, click on it, Edit inbound rules, delete this inbound rule and click Save. Then you have to wait a few seconds so it gets propagated, I think. In a few seconds, but most likely not in real time. Now I exit and try it again, and as you can see it doesn't work. So it really was this inbound SSH rule. Also important: we only defined one inbound rule, the inbound SSH rule, and we are able to connect to this EC2 machine. This is because the security group is stateful.

I think this is almost it, but I just want to mention another thing. When we go to Edit inbound rules and Add rule, then we can also use a security group as the source. If you remember, we saw this in the default security group of the non-default and also of the default VPC: there was a rule where all traffic was allowed from all instances which are assigned to the same security group. But I'm currently not very sure what the best practice here is. Some people use this and some not. I think it is very close to dependency hell, because for example if you create a base security group, and then you create another security group which references this base security group, and then you decide to delete the base security group, you cannot delete it before the rule in the other security group that references it is deleted. If you do this for many instances with many security groups, then you are in dependency hell. So that's why, from my personal point of view, I suggest for example to create a security group which allows SSH traffic from anywhere, or from the VPC, from all the IP addresses inside the VPC subnets, and assign this security group to the EC2 machine. Then you create another one, for example for the Postgres port 5432, and assign that to all the EC2 machines which have a Postgres instance running. I think this is the better approach, but let me know if you have an opinion on that and drop it in the comments.
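To make the stateful behaviour and the "security group as source" discussion tangible, here is a small connection-tracking model of security groups. This is an added example and not code from the course; the group names, the hosts and their addresses (TEST-NET ranges for the Internet side) are constructed. It reproduces the walkthrough above, and it also shows one consequence the walkthrough does not test: with every outbound rule deleted, the instance can still accept SSH, but it cannot open any connection itself, so an OS update from that machine would fail until an outbound rule (or a second group carrying one) is attached.

```python
import ipaddress


class SecurityGroup:
    """Allow rules only, no deny. A rule source/destination is either a CIDR
    string or another SecurityGroup (the 'security group as source' option)."""

    def __init__(self, name):
        self.name = name
        self.inbound = []     # (proto, from_port, to_port, source)
        self.outbound = []    # (proto, from_port, to_port, destination)

    def allow_in(self, proto, from_port, to_port, source):
        self.inbound.append((proto, from_port, to_port, source))
        return self

    def allow_out(self, proto, from_port, to_port, destination):
        self.outbound.append((proto, from_port, to_port, destination))
        return self


class Host:
    """An EC2 instance (with groups) or an Internet host (no groups, unfiltered)."""

    def __init__(self, name, ip, groups=()):
        self.name, self.ip, self.groups = name, ip, list(groups)


def _peer_matches(spec, peer):
    if isinstance(spec, SecurityGroup):
        return spec in peer.groups     # matched by group membership, not by IP
    return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(spec)


def _any_allows(rules, proto, port, peer):
    return any(p in ("all", proto) and lo <= port <= hi and _peer_matches(spec, peer)
               for p, lo, hi, spec in rules)


class ConnectionTracker:
    """Stateful evaluation: a new flow needs an allow on the sender's outbound
    side and on the receiver's inbound side (any attached group is enough);
    the reply of a tracked flow needs no rule at all."""

    def __init__(self):
        self.flows = set()

    def send(self, src, sport, dst, dport, proto="tcp"):
        if (dst.name, dport, src.name, sport, proto) in self.flows:
            return "allow (reply of tracked flow)"
        out_ok = not src.groups or any(_any_allows(g.outbound, proto, dport, dst) for g in src.groups)
        in_ok = not dst.groups or any(_any_allows(g.inbound, proto, dport, src) for g in dst.groups)
        if out_ok and in_ok:
            self.flows.add((src.name, sport, dst.name, dport, proto))
            return "allow"
        return "deny (no outbound rule)" if not out_ok else "deny (no inbound rule)"


def delete_group(group, all_groups):
    """Mirror the console's behaviour: a group referenced by another group's
    rule cannot be deleted until that rule is removed."""
    referrers = [g.name for g in all_groups if g is not group
                 and any(spec is group for rules in (g.inbound, g.outbound) for *_, spec in rules)]
    if referrers:
        raise ValueError(f"{group.name} is still referenced by {referrers}")
    all_groups.remove(group)


# Constructed scenario following the lecture: the SSH group has one inbound
# rule and, as in the console walkthrough, no outbound rules at all.
ssh_sg = SecurityGroup("prod-subnet-1-allow-ssh").allow_in("tcp", 22, 22, "0.0.0.0/0")
egress_sg = SecurityGroup("prod-allow-egress").allow_out("all", 0, 65535, "0.0.0.0/0")
pg_sg = SecurityGroup("prod-postgres").allow_in("tcp", 5432, 5432, ssh_sg)  # source = security group
web = Host("prod-ec2-1", "10.0.1.20", [ssh_sg])
db = Host("prod-db", "10.0.2.30", [pg_sg])
laptop = Host("laptop", "203.0.113.5")
mirror = Host("ubuntu-mirror", "198.51.100.9")

if __name__ == "__main__":
    ct = ConnectionTracker()
    print(ct.send(laptop, 51515, web, 22))      # allow
    print(ct.send(web, 22, laptop, 51515))      # allow (reply of tracked flow)
    print(ct.send(web, 40000, mirror, 443))     # deny (no outbound rule): updates would fail
    web.groups.append(egress_sg)                # second group attached, rules are unioned
    print(ct.send(web, 40000, mirror, 443))     # allow
    print(ct.send(web, 40001, db, 5432))        # allow, matched via membership in ssh_sg
    try:
        delete_group(ssh_sg, [ssh_sg, pg_sg, egress_sg])
    except ValueError as e:
        print(e)
```

The delete_group call at the end is the dependency situation described above: prod-postgres references prod-subnet-1-allow-ssh as a source, so the SSH group cannot be removed until that rule is cleared.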
32. Network Firewall: To be consistent, I want to mention the Network Firewall very briefly in this lesson. AWS Network Firewall supports both stateless and stateful rules, and it can filter the traffic in a VPC, for example traffic to or from an Internet gateway, a NAT gateway or a VPN connection. For the stateful rules it uses the open-source intrusion prevention system (IPS) Suricata. Basically you can imagine it as an intelligent firewall which can prevent some sorts of attacks, and it is a second or third security layer. But from my point of view, if you do it right with all the stuff we learned before, with the network access control lists and the security groups, and if you structure your VPC with private and public subnets, keep all the important instances in your private subnet and have only a few connections to the World Wide Web via your public subnet, then this is already very secure, and you do not need the Network Firewall. It also comes with additional costs. AWS provides another security layer for you here, and from my point of view you can consider adding this Network Firewall in the end if you have a real requirement for it. I just wanted to mention that this Network Firewall exists. When we go to the console and to the VPC service, you can find the Network Firewall there as well. But we have no access here currently with our IAM user, because we did not want to create a Network Firewall in this course. I just wanted to mention that the Network Firewall also exists in the VPC console.
33. AWS VPC - Flow Logs: In this chapter, we want to talk about monitoring. Monitoring, from my point of view, is also very closely related to the topic of security, because if you cannot monitor, or if you don't know what happens in your VPC and in your subnets, then it is also hard to do any security work. Very important here for monitoring is the so-called Flow Logs service. And what are Flow Logs? You can see this little image here, so I will move my picture. Flow Logs can log all the incoming and outgoing traffic in your VPC. Basically, it is based on the traffic which comes to or from a network interface, and this here is the elastic network interface. An elastic network interface is basically something you can imagine like the network card in your hardware computer. So every time AWS assigns an IP address to your EC2 machine, there is an elastic network interface involved. This is the software equivalent of your network card. Flow Logs can help you in diagnosing and monitoring the traffic. What is also important to know here is that it is like a separate service, and it does not affect the bandwidth or latency of the traffic. So it is just like an observer. Oops, sorry. You can create flow logs for your entire VPC, for subnets, or even for individual network interfaces, so for individual elastic network interfaces. Also important to know: flow logs do not act in real time, so there is a little delay. And where can you store your flow logs? There are two possibilities. One is S3, so you can define an S3 bucket where the flow logs are stored, or you push them to CloudWatch. We want to do it with CloudWatch.

So we will switch over to our practical part, into the console again. I will move my picture here again. Now we can go here to Subnets and select the prod-sub-1 subnet. This is very important, because we want to observe the traffic for our public EC2 machine, and our public EC2 machine obviously is placed in our prod-sub-1 subnet. Then I can go here to Flow logs. I already created one, so I will delete this one quickly. Then you can go here to Create flow log. As you can see here, there are many options. One is which filter we want to apply. You can decide, for example, that you just want to track all the traffic which was accepted, or you can just track all the traffic which was rejected, or you filter all traffic. In this case, we want to use the All filter, and we want to use here the one-minute aggregation interval. Then here we can decide which destination we want to use, CloudWatch or an S3 bucket. In our case, we want to use the CloudWatch solution. Therefore, as you can see here, we need a destination log group where we can write or push our flow logs. And of course we also need an IAM role, because now this Flow Logs service acts like a user. So the service itself needs the permissions to push the flow logs into our log group, into a log stream. That's why first we have to create this log group, and we also have to create this IAM role here.

That's why I search here for CloudWatch, go to the CloudWatch service, then to Log groups, and I create here a fresh log group. I will name it subnet-1-flow-logs, and I will assign here a retention period of seven days. You can do it, but it's not really required. It just means that it stores the logs of the last seven days and then deletes all the logs which are older than seven days. Then I can create this log group here, and then we finished our first part.

Then I can go to the IAM service, and there we have to create a policy and the role so that we can assign them in the end to the Flow Logs service. Therefore, I added here for you in the slides the URL, so you can just copy it and paste it in your browser. Then you come here to this site, "Publish flow logs to CloudWatch Logs". Then we need here this IAM policy. This IAM policy is a policy which allows, for every resource, to create a log group, to create a log stream, and also to put log events into the streams. This is what we want to do. So we copy this one here, go back to the management console, and we will create a policy. First, Create policy. Then choose here JSON, and then we can just paste our JSON here. In the next step, the tags, I will not add any tag for now. Next, Review, and then we can give it a name, for example prod-flow-logs, and create the policy. It takes a little time, and as you can see here, the policy prod-flow-logs has been created.

Now, if you remember, we need an IAM role that we can assign to our flow logs. So we create here a role, Create role. Then we choose here Custom trust policy, go back to the AWS documentation here, and then we can copy the second statement. Go over here and then I can paste it. And what does this mean here? It means just that we assign to the role that only the VPC Flow Logs service can use this role. This is just another security restriction. Then I can click here on Next. Then I can add the policies, and we just need our created prod-flow-logs policy. So I will select it here. Then I can click the Next button. I also give it a name, prod-flow-logs-role. Then I can create this role here. Now the role prod-flow-logs-role was successfully created. We can use this role now. Nice.

So then we can go back to our VPC service. This is this one here, go to Subnets, then we select subnet one here, then Flow logs, Create flow log. Now we can name it, for example, subnet-1-flow-log, filter All, aggregation interval one minute, destination CloudWatch Logs. Then I can choose here our created prod-subnet-1-flow-logs log group, and I can choose the IAM role prod-flow-logs-role. This means now the Flow Logs service has access via this IAM role to create log streams in the log group and also to put the log events into this log stream. Then the last selection here is that you can decide whether you want to have the AWS default format for the log streams or a custom format. In the end it is just a custom format you can use, but for now the AWS default format is okay. Then we can add a tag, Environment prod. I can create the flow log. As you can see here, we have our flow log successfully created. It has an ID, the filter is All, CloudWatch Logs is the destination type, and here you can also see the destination, which is the CloudWatch log group.

Then we can push some traffic into our subnet, and this we want to do with the help of our prod EC2 machine. That's why I switch back to the EC2 console. Then I can copy here our public IP address, this one. Then I go back to the terminal and do the ssh command with my PEM file and with this IP address. As you can see here, it doesn't work. Why doesn't it work? Because we have to add again the SSH rule in the security group. If you remember, we deleted it at the end of the security group section. Here there is no rule displayed. That's why we have to go again here to the security group prod-subnet-1, Edit inbound rules, and then we have to add again this SSH rule from everywhere, description SSH, and save this rule. Now we can go back to the terminal. I will interrupt it here again, and then here we go. We are on the EC2 machine, and I can log in two or three times just to create some traffic. This is how it works.

Now we can go back again to our VPC service, select again prod-subnet-1, this one here, Flow logs, and then we can go to the CloudWatch service, to the log group. As you can see here, we already have a log stream which was automatically created by the Flow Logs service. I can go here, and as you can see, we have some traffic. I think this IP address starting with 79 is currently my IP address. This is how it works. Of course, now you can go and say, I want to create some metrics here in CloudWatch, and if a special event occurs, then I want to trigger an alarm. But this is again a whole other topic, the whole CloudWatch stuff. Maybe I will also create a separate course for that. But I think for now this is enough, because this is the basic knowledge. That's it for the Flow Logs section.

What I forgot to say: if you are ready, you can delete your flow logs and your CloudWatch log group and even your IAM role and policy which we created. But just the flow logs cost additional money. It is okay if you leave your IAM role there.
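As an added example that is not from the course, the following Python reads default-format flow log records like the ones that appeared in the log stream above, applies the same ALL/ACCEPT/REJECT filter the console offers, and counts rejected SSH attempts per source; the sample records, account id, ENI id and addresses in it are constructed.

```python
"""Parse VPC Flow Log records in the AWS default format and summarise them.

Added example, not code from the course. The sample records are constructed to
resemble the subnet flow log from this chapter after the SSH logins; account
id, ENI id and all addresses are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the AWS default flow log format (version 2 records).
DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()
TCP = 6
SSH_PORT = 22

@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: int
    bytes: int
    start: int
    end: int
    action: str      # ACCEPT, REJECT, or "-" on NODATA/SKIPDATA records
    log_status: str  # OK, NODATA or SKIPDATA

def _num(value: str) -> Optional[int]:
    """NODATA/SKIPDATA records carry '-' instead of the numeric fields."""
    return None if value == "-" else int(value)

def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS) or parts[0] != "2":
        return None
    f = dict(zip(DEFAULT_FIELDS, parts))
    try:
        return FlowRecord(
            interface_id=f["interface-id"], srcaddr=f["srcaddr"], dstaddr=f["dstaddr"],
            srcport=_num(f["srcport"]), dstport=_num(f["dstport"]),
            protocol=_num(f["protocol"]),
            packets=_num(f["packets"]) or 0, bytes=_num(f["bytes"]) or 0,
            start=int(f["start"]), end=int(f["end"]),
            action=f["action"], log_status=f["log-status"],
        )
    except ValueError:
        return None

def parse_log(text: str) -> List[FlowRecord]:
    """Parse a whole log stream, skipping lines that are not flow log records."""
    return [r for r in map(parse_record, text.splitlines()) if r is not None]

def filter_records(records: List[FlowRecord], flow_filter: str = "ALL") -> List[FlowRecord]:
    """Mirror the Filter option when creating a flow log: ALL, ACCEPT or REJECT."""
    if flow_filter == "ALL":
        return list(records)
    return [r for r in records if r.action == flow_filter]

def rejected_ssh_by_source(records: List[FlowRecord]) -> Dict[str, int]:
    """Count rejected TCP/22 flows per source, a cheap signal for SSH scanning."""
    counts: Counter = Counter()
    for r in records:
        if r.action == "REJECT" and r.protocol == TCP and r.dstport == SSH_PORT:
            counts[r.srcaddr] += 1
    return dict(counts)

# Constructed sample: one accepted SSH session (both directions), two rejected
# SSH attempts from one address, one rejected RDP probe, one NODATA record and
# one garbage line that the parser has to skip.
SAMPLE_LOG = """\
2 111111111111 eni-0example0000000 203.0.113.79 10.0.1.25 51322 22 6 20 4249 1650000000 1650000060 ACCEPT OK
2 111111111111 eni-0example0000000 10.0.1.25 203.0.113.79 22 51322 6 16 3104 1650000000 1650000060 ACCEPT OK
2 111111111111 eni-0example0000000 198.51.100.9 10.0.1.25 40211 22 6 1 44 1650000000 1650000060 REJECT OK
2 111111111111 eni-0example0000000 198.51.100.9 10.0.1.25 40212 22 6 1 44 1650000060 1650000120 REJECT OK
2 111111111111 eni-0example0000000 198.51.100.20 10.0.1.25 55555 3389 6 1 40 1650000060 1650000120 REJECT OK
2 111111111111 eni-0example0000000 - - - - - - - 1650000120 1650000180 - NODATA
not a flow log record
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records,", len(filter_records(recs, "REJECT")), "rejected")
    print("rejected SSH by source:", rejected_ssh_by_source(recs))
```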
34. Interface Endpoints: Now we want to talk about the connectivity topic, and especially in this case here about VPC endpoints. What are VPC endpoints? In the end, they solve the following issue. Imagine you have your EC2 machine in your private subnet, and the private subnet has no NAT gateway, so no connection to the Internet gateway via this NAT gateway. But you need, for example, on your EC2 machine some data from S3. If you remember right, I said in the beginning of this course that there are some global AWS services which are maintained in different VPCs, and you cannot decide that you put this S3 bucket, for example, in your private VPC. So it's just a reference to another namespace on the AWS side. Exactly for this reason, we have to use VPC endpoints. In this case, we want to connect from our EC2 machine, which is private, to another VPC, which is maintained by AWS, and we do not want to use the World Wide Web for that. This is important. If we want to do this here with the public EC2 machine, then this is not an issue, because the public EC2 machine can access, for example, the S3 endpoints via the World Wide Web. So it doesn't need a private tunnel for that. But of course it is better to route your traffic inside AWS, inside the AWS Cloud, because it's much safer, obviously. I think it also reduces the costs, because the traffic is not outside your VPC or the AWS Cloud; it stays in the cloud itself.

The first topic is the interface endpoints. Interface endpoints are one kind of endpoint you can configure here in the AWS Cloud. There are two most important endpoint types. One is the interface endpoint, and one is the gateway endpoint, which comes afterwards. So what is the interface endpoint? When you create an interface endpoint, you basically create an elastic network interface, and this is maintained by an AWS service which is called AWS PrivateLink. But you don't have to take care of this. I just wanted to mention that it is called AWS PrivateLink. This service creates for you under the hood an elastic network interface, and this elastic network interface you can use afterwards to provide this connection from your private subnet to the global services like S3 or SQS or something like that. And of course, because we add here additional hardware, in this case this elastic network interface, there are some additional fees for that, and you can check them out here under this link, how much it will cost for you.

We want to create now this interface endpoint, and we want to connect from our private EC2 machine to the S3 service. In our case, we just want to list the S3 buckets. And especially in my case, I do not have any S3 buckets in Ireland, so I just expect an empty list. I switch over to the VPC dashboard here and I go to Subnets. The first thing we can check: we select here the prod-sub-2 subnet. Then I go to the route table here. As you can see, we have our local route, and we still have the NAT gateway route here, because this was not deleted automatically. So I can go here to edit the route in the route table. No, this is the route table itself, sorry, I have to select here this route table, then Routes, and then here Edit routes. As you can see here, this is a black hole, because this NAT gateway doesn't exist anymore. So I can go here to Edit and just remove this line here. That means in our case now we have no Internet access. Just the other resources, the other EC2 instances which are in the same subnet and the same VPC, can reach this EC2 machine.

Now we want to connect again via the bastion host, via the separate EC2 machine in our public subnet, to our private machine. That's why I go over to the EC2 service. I first have to start the second EC2 machine here. So I go here to Instance state and Start instance. Then it takes a while until this instance state here is running. But in the meanwhile, we can prepare the command to tunnel our ports. You can go back to the slide where I presented to you the bastion host concept, and you can just copy this command again. I will go to the terminal, copy exactly this command and paste it here. Now we have to fill in here again our IP addresses. The first one is the private resource IP. So this is the one from our private instance, this one here, the EC2-2 machine. I can just copy here the private IPv4 address, go back to the terminal, paste it here, and then we just need the bastion host IP, so the public IP from our prod EC2-1 instance, this one here. I can click here and copy the public IPv4 address. Then of course we need our PEM file. This is how it works here, and then I can connect to my instance. So now we are on our bastion host, and we tunneled port 22 from our private instance to the 2322 port on our local machine. Now we have to connect to the private instance. That's why I go over here, then I use again our PEM file, then I connect to localhost, and the port is obviously the forwarded local port. Now I can click here on Accept, and as you can see, it doesn't work.

Now you can stop the video and think about why it doesn't work. As a little hint, there are some possibilities why it doesn't work: for example, the whole security stuff, so the access control lists or security groups, or also the subnet configuration or the VPC configuration itself. The reason why it doesn't work is this: when we go back here to the EC2 machine, to the first machine, sorry, there we go to the EC2-1 machine, Security. As you can see here, we just have one inbound rule that allows SSH access. But what we want to do now is, we are already on the bastion host, we are already on this machine here, and we want to have outbound traffic, because we do the SSH request to the EC2-2 machine. So this is outbound traffic from this EC2 machine, from the EC2-1 machine to the EC2-2 machine. And this is why we need here the outbound rules. This is a nice use case here to explain to you why we also need outbound rules in the security group section. So if we request this EC2 machine from the World Wide Web, then the inbound rule here is sufficient. But when we go further, when we want to make the request from the bastion host to another EC2 machine or to another target, then we have to use the outbound rules. That's why I select the security group here, and then I go to Edit inbound rules, no, sorry, Outbound rules of course, Edit outbound rules, and then I can select here SSH, from everywhere, maybe the description SSH, and save the rule. Now this should work. Then I can try it again. And now we get a little fingerprint error. So I have to go to my .ssh folder and have a look into my known_hosts file. I think there is an entry here, it is localhost. I will delete this one. Then I go back to Downloads, and I will fire again this command here. Now it should work. Now we are on our machine.

What is the next thing we have to do? We want to install the AWS CLI on this machine. And why do we want to do this? If you remember, we want to connect to S3 and we want to connect to SQS via endpoints, so via VPC endpoints. There are multiple possibilities to do that. You can, for example, search for the API endpoints and then just execute curl POST commands, for example, or GET commands, and do the request to the API endpoints. But from my point of view, it is so much easier to just use the AWS CLI, and the AWS CLI under the hood also uses the API endpoints. That's why I want to install the AWS CLI here on this machine as well. We already did it on our local machine, so it should be no problem. First of all, I want to update my machine. As you can see here now, the update doesn't work. Again, you can stop the video and think about why this apt update doesn't work. I interrupt it here. This is now a network issue, because in our route table there is just one rule, and just the traffic inside my subnet, inside my VPC, is allowed here. So there is no connection to the Internet, because we also deleted our NAT gateway. The best way, or the most secure way now, would be to create the NAT gateway again, then create the route table rule again, then we can update and install the CLI, then we can delete the rule in the route table again, and then we can delete also the NAT gateway and also the Elastic IP which gets created with the NAT gateway. But this is too complicated for me now, because I just want to demonstrate to you how it works. That's why I choose the easiest way. And what is the easiest way? The easiest way is just to go to the VPC service again. I select the subnet, prod-sub-2 here, and then I just edit the route table association, and I just use here the main route table. With this, I switch the private subnet back to a public subnet. As you can see here, we have again this Internet gateway route here, this rule, and that's why we have Internet access. I can go back and then I can do the update here. Now it works. This is fine. And then, if this is ready here, I can install the AWS CLI with this command here, sudo apt install awscli. So I will install it, yes, and then we have to wait a little while. When this installation process here is finished, then we can switch the route table again. So this was just an intermediate step here, just to install the AWS CLI. Now it is finished. I will go back here, and then I will assign again the private route table, save. When I do now again an update, it doesn't work. So now it is again in private mode. Yes.

And now there is another concept, how we can get access to our AWS resources. If you remember, we established our credentials when we installed the CLI on our local machine. We created there the AWS access key and secret key. So we did this aws configure when we installed the AWS CLI on our local machine. This is one approach you can do. But the better way is to assign to your EC2 machine an IAM role. This IAM role then gives the EC2 machine the permissions to connect to S3 or to SQS or whatever. This is the better way. That's why we will create now an IAM role to do so. If you are not familiar with IAM: this is the same thing we also did for the flow logs. Flow Logs was also a service, and we had to attach an IAM policy so that the flow logs are able to push the log streams to CloudWatch. So this is just a permission thing. Therefore, I go here to IAM. I want to create here a role, so that's why I click Create role. And we use the AWS service here. We don't have to use, in this case, the custom trust policy, because AWS already prepared for you here the common use cases, and one very, very common use case is EC2. That's why we can select it just here with the radio button. Then I click here on Next. Then I have to attach the permissions via the policies here. I just search here for S3 and attach AmazonS3FullAccess. Then I search again for SQS, and I select the AmazonSQSFullAccess policy. Then I click on Next. Then I want to give it a name, in this case prod-ec2-2, because we want to assign this role to the second EC2 machine. As you can see here, AWS automatically added here this trusted entity, EC2. Now I can click on Create role, and it creates the role. It was successful. Now we can use this IAM role here. That's why we can go back to the EC2 machine, and then we can assign it to this EC2 machine. I click here, Actions, Security, Modify IAM role, and then I can assign here this prod-ec2-2 IAM role and save. Now we achieved that our AWS CLI, which is running on this private EC2 machine, has the permissions to access S3 and SQS. So this is another approach than doing it with plain credentials, like the access key and the secret access key.

I go back here to the terminal. Now I want to try, for example, to request here the SQS list. In other words, I just want to receive a list of which SQS queues exist currently in my region. I have to switch here to eu-west-1; I have to select a region here. I can execute this command, and as you can see here, it doesn't work. This is no surprise, because we just have the single route rule there, which means only resources in our private subnet in the VPC can reach each other, and there is no Internet access currently.

Now we want to create the interface endpoint. Therefore, we go again here to VPC, select the VPC service, and go here to Endpoints. Now we can create an endpoint. We name the endpoint prod-sqs for now, and AWS services it is. Then I can search here for SQS, and I select the service name; there is just one SQS. Then I can click here this radio button. As you can see here, it is an Interface type. Then I have to select the VPC. Then I just use all the security groups available, and I give this endpoint full access, so there are no further restrictions. Then I can also add again the tag Environment. And then I can create this endpoint. As you can see here, it doesn't work, because our VPC is not prepared. The VPC has to enable DNS support and also DNS hostnames. That's why we have to go back. I scroll here and I go to Your VPCs, select our prod-1 VPC, Actions, and then Edit DNS hostnames. Here you can see this checkbox is disabled, so I have to enable it and save the changes. Then I can go back again to Endpoints and do the same thing again. So prod-sqs, AWS services, then SQS, radio button, check prod-1. Then here the subnets. Oh, we forgot last time this subnet, so of course you have to select the right subnet here. I click here on the 1a Availability Zone, and then of course I have to select the sub-2 subnet, because our private instance, which we want to have access to S3 or SQS, is placed in our sub-2 subnet. That's why we have to select it here. Then again I will use every security group which is available, full access, again the Environment tag. Now it should work, hopefully. Yes, now the VPC endpoint is successfully created. As you can see here, the status is pending, so it takes a while until this is ready.

What happens now under the hood? AWS PrivateLink creates for you the elastic network interface. So when we go here, then you can see it already created an elastic network interface. We can click here, and then we come to the EC2 console again. Obviously you can see here there is another separate elastic network interface. When I delete this filter here, you can see we have now three of these interfaces. As I already said, when you create an EC2 machine, an elastic network interface is automatically created, because otherwise the EC2 machine cannot have IP addresses, the private and public IP addresses. So these are the network interfaces for the EC2 machines. And then we have here the third one, our VPC endpoint interface. We can also hover here over the description, and there is "VPC Endpoint Interface". This is what happens under the hood. PrivateLink then establishes the connection, the private connection, from our private subnet to the AWS services, to the global services, via this elastic network interface. We can go back here and refresh; no, it is still pending, so we have to wait a little while until this one here is ready. Yes, now as you can see here, the status is available. So we can try to use our freshly created new VPC endpoint. I will switch back, and I can execute this command again. Now I receive an empty list; the response is empty. To ensure that it really works, I can go back to the console and choose the SQS service, the Simple Queue Service, and create a new queue. I just name it test, and everything else I leave as it is. Then I create the queue. Now when I look here into my list, I have just one test queue. Then I can switch back here. Sometimes it takes a little while until it is available here. We execute it again, and as you can see here now, we have the SQS queue, which we just called test, in our list here. So the connection works.

If it doesn't work, it is highly likely the case that you installed AWS CLI version one. This can happen if your Ubuntu version has the apt package included for the AWS CLI version 1.x. As you can see here in this little tutorial, "Sending a message to an Amazon SQS queue from Amazon VPC", there are some legacy endpoints, and the legacy endpoints are, for example, queue.amazonaws.com or us-east-2.queue.amazonaws.com, so region.queue.amazonaws.com. The AWS CLI version 1.x implements these legacy endpoints, so it cannot reach the new endpoint, which is here in this format: sqs, then the region, then amazonaws.com. Long story short, we need the AWS CLI version 2.x. If this command doesn't work for you, if you cannot see your SQS list, then you can just run, for example, aws --version. You can see your AWS CLI version, and if there is a number which is below two, then this is the reason why it doesn't work. What can you do? You can just go over again to this AWS Command Line Interface tutorial here, where AWS explains how you can install and update your AWS CLI version. They recommend first to uninstall the old version, because otherwise it cannot distinguish which version you want to execute, and highly likely it will execute the first version you installed, and this is again your 1.x version. Maybe it's a good idea to uninstall it first and then install the fresh AWS CLI version through here. You can just copy these three commands. Just curl this zip file, then you have to unzip it, and then you can install it via sudo and the aws install command here. Then it should work, because this new AWS CLI version, as I already said, has implemented the new URL format here.
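The outbound-rule lesson from the bastion host part of this chapter, as an added example that is not from the course: a small stateful security group model shows why the inbound SSH rule alone lets the session from the laptop in and its replies out, but drops the new SSH connection the bastion opens to the private instance until an outbound rule exists. Rules, addresses and ports are constructed placeholders.

```python
"""Model a stateful security group to show why the bastion needed an outbound rule.

Added example, not code from the course. It replays the situation from this
chapter: the bastion's security group has only an inbound SSH rule, so the SSH
session from the laptop works, but a new SSH connection the bastion opens to
the private instance is dropped until an outbound rule is added. Rules,
addresses and ports are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TCP = "tcp"
SSH = 22

@dataclass(frozen=True)
class Rule:
    protocol: str
    port: int
    cidr: str  # "0.0.0.0/0" is the console's "Anywhere"

def cidr_contains(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass
class SecurityGroup:
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    # Connection tracking: flows a rule already admitted. Security groups are
    # stateful, so return traffic of a tracked flow passes without a rule for
    # the reverse direction.
    tracked: Set[Tuple[str, str, int, str, int]] = field(default_factory=set)

    def allows(self, direction: str, protocol: str,
               src: str, sport: int, dst: str, dport: int) -> bool:
        """Evaluate one packet; direction is "in" (towards the instance) or "out"."""
        flow = (protocol, src, sport, dst, dport)
        reverse = (protocol, dst, dport, src, sport)
        if reverse in self.tracked:  # reply to an admitted flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer = src if direction == "in" else dst  # the side the rule's CIDR is about
        for rule in rules:
            if rule.protocol == protocol and rule.port == dport and cidr_contains(rule.cidr, peer):
                self.tracked.add(flow)
                return True
        return False

def bastion_scenario(add_outbound_rule: bool) -> Dict[str, bool]:
    """Replay the chapter's three packets against the bastion's security group."""
    sg = SecurityGroup(inbound=[Rule(TCP, SSH, "0.0.0.0/0")])
    if add_outbound_rule:
        sg.outbound.append(Rule(TCP, SSH, "0.0.0.0/0"))  # the rule added in the chapter
    laptop, bastion, private = "203.0.113.79", "10.0.1.25", "10.0.2.14"  # constructed
    return {
        # laptop -> bastion: the inbound SSH rule matches
        "ssh_in": sg.allows("in", TCP, laptop, 51322, bastion, SSH),
        # bastion -> laptop reply: passes by state, no outbound rule needed
        "reply_out": sg.allows("out", TCP, bastion, SSH, laptop, 51322),
        # bastion -> private instance: a NEW connection, so it needs an outbound rule
        "ssh_out_to_private": sg.allows("out", TCP, bastion, 43210, private, SSH),
    }

if __name__ == "__main__":
    for with_rule in (False, True):
        label = "with outbound SSH rule" if with_rule else "inbound SSH rule only"
        print(label, bastion_scenario(with_rule))
```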
35. Gateway Endpoints: Now we want to talk about the gateway endpoints. When we talk about gateway endpoints, we talk about creating just some routes in a route table. So there will be no additional hardware requirements. We do not need to add some elastic network interfaces; we just want to create a route table entry. And this type of gateway endpoint is currently only available for the AWS S3 service and for the AWS DynamoDB service. Because it is just one rule in the route table, it has no additional costs. So this is a free service from AWS, but just a route table forwarding to the services S3 and DynamoDB.

Now we want to establish it practically. We switch back to our VPC console, Endpoints, and now we create another type: we create the gateway endpoint. So we call this one here prod-s3, and then I can search for S3 in this case. We will take the first one, just the plain S3 service here. As you can see here, for S3 there are two endpoint types available, Gateway and Interface. In our case, we want to use the gateway type, because this is with no additional fees and is the best way to go for us. Then I will select the prod-1 subnet, the prod VPC, sorry, then I have to assign it to the correct route table. So this selection here means that AWS will add this entry to the private one route table. Again also full access, and I want to create also the Environment prod tag. Then I go here to Create endpoint. As you can see here, it is available now, so this was very quick. This is why: because we just add this one route table entry. Now we can try how this works. So we go back to the terminal, and then we can use a command like this one here. Again, we are still on our private EC2 machine here; I didn't log out, so I just use the same session here. We can connect to S3 with this command here, aws s3api list-buckets. This comes just from the AWS documentation. Then we have to add again also the region, which is in our case eu-west-1. Then I press Enter here, and then we can see there is an empty list of S3 buckets in this region, eu-west-1. This is how it works.

And now we can go back to ensure that it is really this endpoint. Then we can delete this endpoint again. I'll delete it. We can go back here to the terminal and execute it again, and as you can see here, it doesn't work. So it was really this VPC gateway endpoint which enabled for us this connection. This is relatively easy, how it works. And I forgot to show you how it works in the route table. When we go here to the prod-private-1 route table and select this one here, we currently have no route here, but we can add the endpoint again. I'll create this endpoint again: prod-s3, S3, this one, Gateway, VPC prod, this route table, Create endpoint. When I go back here and select the route table, then we can see here the other entry, this S3 endpoint. So we can go here to, for example, the destination, pl-6 and so on, and then the prefix list name here. And this is exactly the S3 service. So this is how it works in the end. Now we can delete again this S3 endpoint here, and then this is how it works. If you have not deleted your prod-sqs endpoint yet, then you can do it also now.
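To make the route table reasoning from this chapter and the previous one concrete, here is an added example (not from the course) that resolves a destination address against the route table states the private subnet went through, including the blackhole left by the deleted NAT gateway and the prefix-list route of the S3 gateway endpoint; the VPC CIDR, prefix-list ranges and resource ids are constructed placeholders.

```python
"""Resolve a destination against a subnet route table, longest prefix first.

Added example, not code from the course. The tables below are constructed to
mirror the states of the private subnet's route table in the interface and
gateway endpoint chapters: local route only, a stale NAT route shown as a
blackhole, the main route table with the Internet gateway, and the S3 gateway
endpoint's prefix-list route. VPC CIDR, prefix-list contents and every
resource id are placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Route:
    destination: str       # a CIDR such as "10.0.0.0/16" or a prefix list id "pl-..."
    target: str            # "local", "igw-...", "nat-...", "vpce-..."
    state: str = "active"  # the console shows "blackhole" once the target was deleted

@dataclass
class RouteTable:
    routes: List[Route]
    # A gateway endpoint route uses a managed prefix list as destination, which
    # expands to the service's CIDR blocks. The sample content is constructed.
    prefix_lists: Dict[str, List[str]] = field(default_factory=dict)

def expand(route: Route, prefix_lists: Dict[str, List[str]]) -> List[str]:
    """Turn a route's destination into the list of CIDRs it actually covers."""
    if route.destination.startswith("pl-"):
        return prefix_lists.get(route.destination, [])
    return [route.destination]

def resolve(table: RouteTable, dst_ip: str) -> Tuple[str, str]:
    """Return (target, explanation) for dst_ip using longest-prefix match.

    target is "none" when no route covers the address and "blackhole" when the
    most specific route points at a target that no longer exists.
    """
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, Route]] = None
    for route in table.routes:
        for cidr in expand(route, table.prefix_lists):
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, route)
    if best is None:
        return "none", f"no route covers {dst_ip}, traffic is dropped"
    route = best[1]
    if route.state == "blackhole":
        return "blackhole", f"{route.destination} -> {route.target}, but the target is gone"
    return route.target, f"{route.destination} -> {route.target}"

VPC_CIDR = "10.0.0.0/16"                          # placeholder VPC range
S3_PREFIX_LIST = "pl-0exampleS3"                  # placeholder prefix list id
S3_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]  # constructed stand-in for S3's ranges

TABLES = {
    "private, local only": RouteTable([Route(VPC_CIDR, "local")]),
    "private, NAT gateway deleted": RouteTable([
        Route(VPC_CIDR, "local"),
        Route("0.0.0.0/0", "nat-0deleted", state="blackhole"),
    ]),
    "main table (public)": RouteTable([
        Route(VPC_CIDR, "local"),
        Route("0.0.0.0/0", "igw-0example"),
    ]),
    "private + S3 gateway endpoint": RouteTable(
        [Route(VPC_CIDR, "local"), Route(S3_PREFIX_LIST, "vpce-0example")],
        prefix_lists={S3_PREFIX_LIST: S3_RANGES},
    ),
}

S3_ENDPOINT_IP = "203.0.113.5"  # constructed: an address inside the sample S3 range
APT_MIRROR_IP = "192.0.2.1"     # constructed: some host on the Internet
PRIVATE_PEER_IP = "10.0.2.14"   # constructed: another instance in the VPC

def main() -> None:
    probes = (("peer in VPC", PRIVATE_PEER_IP), ("S3", S3_ENDPOINT_IP), ("apt mirror", APT_MIRROR_IP))
    for name, table in TABLES.items():
        print(f"== {name}")
        for label, ip in probes:
            target, why = resolve(table, ip)
            print(f"  {label:12} {ip:15} -> {target:14} ({why})")

if __name__ == "__main__":
    main()
```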
36. AWS VPC Peering: Yes, now we are ready with our practical part. I just wanted to mention some more sophisticated, advanced connectivity things you might have to know, especially if you want to do the AWS Solutions Architect Associate exam. But these are not so common questions. I just wanted to mention them here. The first one is the so-called VPC peering. When you do VPC peering, you basically connect different VPCs with each other. When you do this, there is no additional hardware resource required. You can do it just via route tables, as we do it also for the gateway endpoints, if you remember. What is important here to know is that you cannot do something like a star topology. So there is nothing like a central hub. If you have multiple VPCs, for example three or four or five, and each VPC has to have access to each other, then you have to connect every VPC with every other VPC. There is no central hub; you have to connect it manually. In the end, you have multiple connections there. If you want to read further about VPC peering, you can do so. I added here this link. If you want to create a VPC peering, you can also do it. You can just switch to your VPC console. Then there is the section Peering connections. Then you can decide which is the requester VPC and which is the target VPC, and then you connect them. Then you just have to allow this connection, because sometimes it is the case that the other VPC is in another AWS account, and then the other AWS account has to permit this connection. That's why there is an additional security step. This is the thing about VPC peering.
37. AWS VPC Transit Gateway: Then another very interesting resource is the VPC Transit Gateway. When you build a transit gateway, then this is a real additional resource. So you have to create a gateway. It is not like VPC peering, just an entry in the route table; it is a separate resource. What you can do with this transit gateway: you can connect your VPCs which are already in the AWS Cloud, you can also connect VPN gateways, and you can connect AWS Direct Connect endpoints. That means, with the help of the transit gateway, you can connect your on-premises networks to the AWS Cloud. In addition, this transit gateway is a so-called transitive router, which means you can create, with the help of the transit gateway, so-called hub-and-spoke topologies. This is now something like a star topology. You do not have to establish the connections between all the VPCs; you can just create one connection from each VPC to this transit gateway. Of course, you can also connect the VPN gateways and your on-premises networks. But there is just one connection from each VPC to your transit gateway required. This is all you have to know about transit gateways.
38. VPN Subnet: Now, last but not least, the VPN. There's not much to say regarding this topic. You can just create your VPN gateway here in your VPC, and then you can establish a VPN connection to your client. You can also replace this VPN gateway with a transit gateway. As we already learned, you can connect to the transit gateway VPCs and VPN connections and also AWS Direct Connect connections. This is also an approach to do it. We can just switch back to our VPC console, and here in this section you can find them. Your virtual private gateway, for example: you can launch one if you want, and then you can create a site-to-site VPN connection to your on-prem networks, for example. This is how it works, and this is everything you have to know regarding this whole connection topic, especially if you just want to do the AWS Solutions Architect Associate exam. As I already said, if you want to dive deeper into this topic, into this whole connection to on-prem networks topic, then you can read more in the documentation, or you take another advanced course to do that.
39. Outro: Unfortunately, this is the
end of our VPC course. Congratulations. I think you learned much stuff. To summarize it, we
created a public subnet. We created a private
subnet and we placed some EC2 machines into
each of the subnets. Then we created Internet
access for the public subnet, and we also created
our NAT gateway for one-direction Internet access. And we talked about security groups and network
access control lists. We talked about
monitoring and also some advanced connecting stuff. Yeah, in the end, this is the way you can build your production-ready
cloud-native AWS VPC. And I hope you
learned much stuff. I hope you can now do your
own stuff in the Cloud. You can play around
there and you have an understanding of how
the basics work. What we want to do now is
we want to go again through all our resources and
we want to delete all the stuff which
is left here. First, I want to go through
this VPC dashboard again. And of course we can see here now we have
two running instances. So first I will terminate these two instances
here, terminate them. Then we have inside
this EC2 service here, I think, nothing more. We have Elastic IPs; we deleted them already. I think that's it. So we can go back to the
VPC management console, and then we can go to Your VPCs and then we can
delete the Praat one VPC. So delete VPC, and it
is unable to do so. That's why we have to wait
until the EC2 machine is down here, because there is an elastic network interface
assigned to this machine, and that's why it can't be
deleted currently. So we can go back to
the EC2 dashboard. Now the states are
terminated, both of them. So we can try it again. Delete the VPC. Okay, now it works, as
you can see here. This now also deletes the
Internet gateway, the route table and also the subnets and the ACL
and one security group. Now this is deleted and we have just our default VPC left here. And when we go to subnets, we have just the default, or the subnets from
the default VPC. We have one route table, we have one Internet
gateway here. No Elastic IP addresses,
no endpoints anymore. We have no NAT gateway. And I think that's it. Security groups, just
one security group, and ACL is also just one ACL. Yes. Then we can switch over
from the VPC service. Now we can go and
have a look into the CloudWatch service because we also created a log group, but I think we already
deleted it. Yes, it is deleted, so nothing more to do here. And then maybe you
also created an SQS queue. Yeah, this is still here, so
I can delete this SQS queue. This was in our interface
endpoint section, if you remember. Back then we can also clean
up a bit our IAM console. I'm not sure if I
already deleted it. Yeah, I already deleted it. But maybe you have
here your role for the EC2 machine,
because we assigned to the private EC2 machine
the role that it has the permissions
to connect to S3 and SQS in our VPC
endpoints section. So maybe you have to
delete your IAM role here. I think we also have no policies which were created by us. Yeah, I think that's it. We cleaned everything up and yes, that's it. Well, we appreciate
that you took this course and I hope
it helped you a lot. Especially if you want to do the AWS Solutions
Architect Associate exam, then you are well-prepared in the sense of the whole
networking stuff. I think this is a
good base to do that. Yes, congratulations again. Maybe we will see each
other in another course and have a really great time. Best regards, your Philip.