
Okay, hello Cloud Gurus

and welcome to this section of the course.


This section of the course is on VPCs.
Now, it is super-important to understand VPCs inside out
both in real life and going into your exam.
You're going to get at least five to 10 questions on VPCs,
as well as VPC architectures,
public and private subnets,
etc., etc.
Now, the easiest way to learn VPCs
is to go ahead and build our own.
So, that's what we're going to be doing
in this section of the course.
Before you go and do your exam,
and I mean literally on the day of doing the exam
or the day before doing the exam,
you should be able to build out your own VPC from memory.
If you can do that,
then you'll be able to pass
the Certified Solutions Architect Associate exam.
So, the question has to be asked,
what is a VPC?
And basically, just think of a VPC
as a virtual data center in the cloud.
Amazon's Virtual Private Cloud, Amazon VPC,
lets you provision a logically isolated section
of the Amazon Web Services Cloud
where you can launch AWS resources
in a virtual network that you define.
And you have complete control
over your virtual networking environment,
including selecting your own IP address ranges,
creation of subnets and configuration of route tables
as well as network gateways.
And you can easily customize the network configuration
for your Amazon Virtual Private Cloud.
For example, you can create a public-facing subnet
for your web servers that has access to the internet,
and then you can place your backend systems
such as your databases, your application servers
in a private-facing subnet with no internet access.
So, in doing that,
your web servers are exposed to the internet
but your sensitive application and database servers
are not exposed to the internet.
And you can leverage multiple layers of security,
including security groups
as well as network access control lists
to help you control access
to Amazon EC2 instances in each subnet.
And additionally,
you can create a Hardware Virtual Private Network
or VPN connection between your corporate data center
and your VPC,
and leverage the AWS cloud as an extension
of your corporate data center.
So, why don't we go ahead
and have a look at what a VPC looks like?
Okay, so here's a diagram of a VPC.
So, this red line represents a region.
So, this is us-east-1.
And inside this region we have our VPC.
And on the outside of our VPC,
we have two ways of connecting into it,
we have an Internet Gateway and a Virtual Private Gateway.
And both of these connections go to our router
or router in our VPC.
I'm going to call it router
because that's what Americans call it.
And the router then directs traffic
to our different route tables.
And then our route tables will then direct traffic
through our network ACLs.
So, this is our first line of defense.
These also act just like firewalls,
very much like security groups.
But if you remember from the EC2 part of the course,
we looked at security groups and they were stateful.
Network ACLs are stateless,
they allow you to do "allow" rules as well as "deny" rules
and you can block specific IP addresses on your network ACL.
We then move over to security groups, which are stateful.
And that acts as a further line of defense
against our EC2 instances.
And in here, we have two different subnets.
We have a public subnet,
so internet traffic is accessible
or the internet is accessible for any EC2 instances
in our public subnet.
And then we have a private subnet.
And this simply means that our EC2 instances
cannot access the internet on their own.
And you can still connect into these EC2 instances
but the way you'd do that is you would go through here,
all the way into your public subnet
and then you would SSH directly from an instance in here
to an instance there.
So, that's the way you would access them.
We're going to have a look at how that works.
And in Australia we call those "jump boxes".
In the rest of the world we call it a "bastion host".
So, a bastion host is just an EC2 instance
in a public subnet
that you then use to connect
to an EC2 instance in a private subnet.
So, this is all a VPC is.
It's a collection of Internet Gateways, route tables,
network ACLs, security groups, EC2 instances
and then of course, your public subnets
and your private subnets.
Now, you will note here, this IP address is 10.0.1.0
and this one here is 10.0.2.0.
So, they are completely different subnets.
And the Internet Assigned Numbers Authority
actually has three different sets of IP addresses
that are reserved for private IP address ranges.
So, these are ranges that are available on private networks,
they're not available on public networks.
And the first is 10.0.0.0
and this is a 10/8 prefix.
Now, Amazon don't allow /8,
the largest subnet that you can have
inside a VPC is a /16.
And we'll come and have a look at that in a second.
We then could also use the IP address range 172.16.0.0.
This goes all the way up to 172.31.255.255.
This is a /12.
And then we have the most famous
which you're probably used to
from your own home networks, which is 192.168.0.0.
And this goes all the way up to 192.168.255.255
and this is a /16 prefix.
Now, if you don't know what that means,
I want you to go over to your browser.
So, this is a website I like to use,
it's called CIDR.xyz.
So, if you just type this into your browser,
"CIDR.xyz" you'll be able to create subnets in here.
So, if we're going to use 10.0.0.0
and we're going to use a /16,
straightaway it's going to tell us
what our first IP address is,
what our last IP address is,
how many available IP addresses that it gives us
and also give us the subnet mask.
And we're going to be using this
throughout the rest of the course
because this is the largest subnet
that you can use within your VPC
and it's also the most commonly used
amongst corporate networks.
So we're going to use 10.0.0.16
and then we'll go up for every subnet.
So, this could be our public subnet
and then 10.0.1.0 could be our private subnet,
etc., etc.
Likewise, you can go up here,
you can change this to /24.
And you can see the first IP, the last IP
and then how many IP addresses are available
in a /24 subnet.
We can go all the way up to /28.
/28 is the smallest subnet
that you're allowed to have within Amazon VPC.
And again, you don't need to understand any of this
going into the Certified Solutions Architect Associate exam.
However,
going into the Certified Advanced Networking Specialty exam,
you will need to be able to do subnetting,
you need to be able to calculate the first IP address,
the last IP address and then how many IP addresses are,
you know, in that subnet.
And we do cover off how to calculate these values
in the Certified Advanced Networking Specialty course.
So, if you do have the time after doing
your Certified Solutions Architect Associate,
and you really enjoyed the VPC section,
definitely check that course and that certification out.
It is one of the most valuable certifications
in tech right now because it is one of the hardest to get.
So, don't worry if this diagram still looks a bit scary.
Like with anything, with AWS the best way to learn it
is to go ahead and start building out your own VPC,
and that's exactly what we're going to do
in the next lecture.
So, what can we do with the VPC?
Well, we can launch instances into a subnet of our choosing,
so we can choose our own subnet address ranges.
We can assign custom IP address ranges in each subnet
which is what I just said.
We can configure route tables between our subnets.
We can create Internet Gateways
and attach it to our VPC.
And we get much better security controls
over our AWS resources.
And we can assign security groups to individual instances.
But we can also have subnet network Access Control Lists
or "ACLs" as well.
And we're going to look at how we can use those
in a lecture coming up.
So, in all the rest of the sections of the course,
we have been using our default VPC.
And what we're going to do in the next lecture,
is we're going to create our own custom VPC.
And you might be wondering what the difference is
between a default VPC and a custom VPC.
Well, the default VPC is super user-friendly.
It allows you to immediately deploy instances.
You don't need to know anything about networking
to be able to provision an EC2 instance in the AWS console.
So, that's why Amazon gives us a default VPC,
they're trying to make it easier
for our developers to use AWS.
And all subnets in a default VPC
have a route out to the internet.
That means they're all internet accessible.
And each EC2 instance has both
a public and private IP address.
So, those are the main differences.
If you do delete a default VPC, you can recover it now.
So, it's not a problem if you do delete it.
Try not to delete it though.
In the next lecture,
what we're going to do is create a custom VPC.
We can also do VPC peering,
which we're going to look at later on
in this section of the course.
This allows you to connect one VPC with another
via a direct network route using private IP addresses.
And instances behave as if they're
on the same private network.
And you can peer VPCs with other AWS accounts
as well as with other VPCs in the same account.
And peering is always in a star configuration.
This means you have one central VPC
that peers with four others.
You can't do transitive peering.
You might be wondering, "What does that mean?"
You can also peer between regions as well now,
so you can have one VPC in one region
and you can have another VPC in another region
and you can peer across regions.
So, do bear that in mind as well.
So, let's have a look at what transitive peering means.
So, let's look at VPC B.
So, VPC B is peered with VPC A,
so the instances in this VPC
can talk to the instances in this VPC.
Likewise, the instances in VPC A
can talk to the instances in VPC C.
However, in order for VPC B to talk to VPC C,
it can't go through VPC A.
Instead, what you have to do is you have to do
another peering connection directly between VPC B and VPC C.
So, transitive peering just means
you can't peer through one VPC to another,
you must set up a new peering relationship.
And again, we're going to have a look at VPC peering
in this section of the course.
So, don't worry if this has overwhelmed you a little bit,
like anything, with AWS, the easiest way to learn about VPCs
is to go ahead and create your own
and get your hands dirty.
That's what we're going to do in the next lecture.
So, just remember the following -
I want you to think of VPCs as a logical data center in AWS.
It consists of IGWs, so Internet Gateways
or Virtual Private Gateways for VPNs,
then route tables, network Access Control Lists,
subnets and then security groups.
One subnet always equals one availability zone.
So, 10.0.1.0 will be in us-east-1a, for example,
10.0.2.0 might be in us-east-1b, etc.
So, to be clear, you cannot have a subnet stretched
over multiple availability zones.
However, you can have multiple subnets
in the same availability zone.
So, when we say one subnet equals one availability zone,
all I mean there is you cannot have one subnet
spread across multiple availability zones
but you can definitely have multiple subnets
in one availability zone.
So, I hope that makes sense.
Remember that security groups are stateful
and network Access Control Lists are stateless.
That basically just means with network Access Control List
that you can add "deny" rules as well as "allow" rules.
And when you open up a port on inbound,
it doesn't automatically open up a port on outbound,
you have to go in and add that as well.
And also remember,
with VPCs you cannot have transitive peering.
So, if you have VPC A, which talks to VPC B,
which then talks to VPC C,
and VPC A wants to talk to VPC C,
you have to create a peering connection between the two.
So, that's it for this lecture, everyone.
In the next lecture what we're going to do,
is we're going to go in and get our hands dirty.
We're going to build our own custom VPC.
It's going to be super hands on,
you're going to have lots of fun.
So, if you've got the time,
please join me in the next lecture. Thank you.
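The lecture points at CIDR.xyz to read off the first address, last address, address count and subnet mask of a block such as 10.0.0.0/16, and quotes /16 as the largest block and /28 as the smallest. The following is an added example, not code from the lecture or from A Cloud Guru, that does the same calculation offline with Python's standard `ipaddress` module and adds a planning check against those two sizes and the three RFC 1918 private ranges the lecture names. The `aws_usable` figure assumes the five addresses AWS reserves in every subnet, which the lecture does not mention; the limits are taken as the lecture states them, not as a full statement of AWS's rules.

```python
"""CIDR calculator for VPC and subnet planning.

Added example (not from the lecture). Reproduces what CIDR.xyz shows for a
block like 10.0.0.0/16 and checks a block against the sizes the lecture
quotes: /16 is the largest VPC block, /28 the smallest subnet.
"""
import ipaddress

VPC_LARGEST_PREFIX = 16    # largest VPC CIDR quoted in the lecture (/16)
SUBNET_SMALLEST_PREFIX = 28  # smallest subnet quoted in the lecture (/28)
AWS_RESERVED_PER_SUBNET = 5  # assumption: AWS reserves 5 addresses per subnet

# The three RFC 1918 private ranges named in the lecture.
PRIVATE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def describe(cidr: str) -> dict:
    """Return the fields CIDR.xyz displays for a block, plus a usable count."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "count": net.num_addresses,
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        # Hypothetical planning figure: total minus the addresses AWS reserves.
        "aws_usable": max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0),
    }


def is_rfc1918(cidr) -> bool:
    """True when the block lies entirely inside one of the private ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def check_vpc_block(cidr: str) -> list:
    """Planning check: list the problems with using cidr as a VPC/subnet block.

    An empty list means the block passes. The checks follow the lecture's
    guidance (size limits and private ranges), not a complete AWS rule set.
    """
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.prefixlen < VPC_LARGEST_PREFIX:
        problems.append(f"/{net.prefixlen} is larger than the /16 maximum")
    if net.prefixlen > SUBNET_SMALLEST_PREFIX:
        problems.append(f"/{net.prefixlen} is smaller than the /28 minimum")
    if not is_rfc1918(net):
        problems.append("not inside an RFC 1918 private range")
    return problems


def carve_subnets(vpc_cidr: str, new_prefix: int) -> list:
    """Split a VPC block into consecutive subnets (10.0.0.0/24, 10.0.1.0/24, ...)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for block in ("10.0.0.0/16", "10.0.1.0/24", "10.0.0.0/28", "10.0.0.0/8"):
        print(block, describe(block) if not check_vpc_block(block) else check_vpc_block(block))
    print(carve_subnets("10.0.0.0/16", 24)[:3])
```

`carve_subnets` produces the "go up one for every subnet" pattern the lecture describes (10.0.0.0/24 for one subnet, 10.0.1.0/24 for the next), and `check_vpc_block` is the sanity check worth running before typing a CIDR into the console, since a block with host bits set or outside the /16 to /28 range is rejected at creation time.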

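The lecture's security points are that network ACLs are stateless and ordered, support "deny" rules that can block specific IP addresses, and need the outbound side opened separately, while security groups are stateful and allow return traffic automatically. The following is an added example, not code from the lecture or from AWS, that simulates both filters over one constructed HTTPS exchange (client 203.0.113.10 to web server 10.0.1.10:443 and the reply back to the client's ephemeral port 50000; all addresses and ports are made up) so the difference is visible in the results rather than only described. The rule and packet classes are simplifications I introduced for the simulation.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example (not from the lecture). Models the behaviour the lecture
describes: a NACL evaluates inbound and outbound independently, lowest rule
number first, first match wins, with an implicit deny; a security group only
has allow rules and permits the reply to an allowed flow automatically.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    number: int      # NACL rule number; ignored for security groups
    action: str      # "allow" or "deny" (security groups only use "allow")
    cidr: str
    port_from: int
    port_to: int
    proto: str = "tcp"

    def matches(self, ip: str, port: int, proto: str) -> bool:
        return (proto == self.proto
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


class NetworkACL:
    """Stateless subnet filter: no memory of earlier packets."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, ip, port, proto) -> bool:
        for rule in rules:                     # ascending rule number
            if rule.matches(ip, port, proto):  # first match decides
                return rule.action == "allow"
        return False                           # the implicit "*" deny rule

    def allows_inbound(self, pkt: Packet) -> bool:
        return self._evaluate(self.inbound, pkt.src, pkt.dport, pkt.proto)

    def allows_outbound(self, pkt: Packet) -> bool:
        return self._evaluate(self.outbound, pkt.dst, pkt.dport, pkt.proto)


class SecurityGroup:
    """Stateful instance filter: tracks allowed flows so replies pass."""

    def __init__(self, inbound):
        self.inbound = inbound
        self._tracked = set()

    def allows_inbound(self, pkt: Packet) -> bool:
        ok = any(r.matches(pkt.src, pkt.dport, pkt.proto) for r in self.inbound)
        if ok:  # remember (client, server, server port) for the reply
            self._tracked.add((pkt.src, pkt.dst, pkt.dport, pkt.proto))
        return ok

    def allows_outbound(self, pkt: Packet) -> bool:
        # A reply is the tracked flow with source and destination swapped.
        return any(t == (pkt.dst, pkt.src, pkt.sport, pkt.proto) for t in self._tracked)


def exchange_allowed(filt, request: Packet, reply: Packet) -> bool:
    """True only if the request gets in and the reply gets back out."""
    return filt.allows_inbound(request) and filt.allows_outbound(reply)


def web_exchange():
    """Constructed sample: one HTTPS request and its reply."""
    request = Packet(src="203.0.113.10", sport=50000, dst="10.0.1.10", dport=443)
    reply = Packet(src="10.0.1.10", sport=443, dst="203.0.113.10", dport=50000)
    return request, reply


def demo() -> dict:
    request, reply = web_exchange()
    allow_https = Rule(100, "allow", "0.0.0.0/0", 443, 443)
    ephemeral = Rule(100, "allow", "0.0.0.0/0", 1024, 65535)
    deny_client = Rule(50, "deny", "203.0.113.0/24", 0, 65535)
    return {
        # Inbound opened but outbound not: the reply is dropped by the NACL.
        "nacl_no_outbound": exchange_allowed(NetworkACL([allow_https], []), request, reply),
        # Outbound ephemeral range added: the exchange completes.
        "nacl_with_ephemeral": exchange_allowed(NetworkACL([allow_https], [ephemeral]), request, reply),
        # A lower-numbered deny rule blocks that source before the allow rule is reached.
        "nacl_deny_source": exchange_allowed(NetworkACL([deny_client, allow_https], [ephemeral]), request, reply),
        # Security group: inbound allow only, reply passes because the flow is tracked.
        "sg_stateful": exchange_allowed(SecurityGroup([allow_https]), request, reply),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The `nacl_no_outbound` case is the one that bites in practice: a NACL with only an inbound allow rule makes the instance look unreachable even though the request arrives, because the reply to the client's ephemeral port has no outbound rule to match. The `nacl_deny_source` case shows why rule numbering matters when you use a NACL to block a specific address range.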