
- Hey there, and welcome back.

Now, in today's video

we'll be discussing the gateway VPC endpoints.

Now, before we go ahead

and discuss the VPC endpoints in great detail,

let's quickly understand

the primary types of VPC endpoints that are available.

So the first one is the gateway endpoints,

and then you have the interface endpoints,

and then you also have the gateway load balancer endpoints.

And each one of them has a specific use case.

Now, the primary aim of today's video

is to go ahead and understand the gateway VPC endpoints.

Now, in the gateway VPC endpoint based architecture,

the traffic is routed from a specific EC2 instance

to a supported destination service,

with the help of an appropriate route.

So the subnet in which this EC2 instance lies,

it needs to have a route table,

where there is a destination,

and the target is the VPC endpoint.

Now, one of the questions that comes up is

what exactly this destination implies.

So at a high level overview,

this destination is associated with a CIDR range.

And this CIDR range that you see over here,

it is associated with the destination service.

So let's assume

that you have a destination service of Amazon S3,

then this CIDR range will be associated with that.


And whenever an EC2 instance

sends the traffic to this specific CIDR range

which is associated with S3,

then the traffic is automatically routed to a VPC endpoint.

And this is the basic architecture

based on which the gateway VPC endpoint works.

Now, do note that

the gateway VPC endpoint only supports limited services.

So you have Amazon S3 that is supported,

and you have DynamoDB which is supported.

So with this basic set,

let's go ahead and implement gateway VPC endpoints

from scratch.

So for today's video,

we'll go ahead and select one of the regions

where default VPC is present,

and we'll go ahead and create gateway VPC endpoints.

So within this search, let's go ahead and type VPC.

All right, so we have a default VPC that is available.

The CIDR is 172.31.0.0/16,

and it'll have multiple subnets associated with it.

So now what we'll go ahead and do,

is we'll go ahead and assign one of the subnets

as a VPC endpoint subnet,

or you can just see it as a private subnet

without a NAT gateway.

So let's just call it as VPC endpoint subnet

so that it is easily identifiable.

All right.
And for this specific subnet,

we'll also go ahead and create a new route table,

so you have a default route.

Let's create one more route table.

Just call it as VPC endpoint route table.

And we'll associate it with the default VPC.

Let's create a route table.

All right.

Now, at this stage,

you'll see that you only have one route that is available.

The target is local and the destination is 172.31.0.0/16.

So this specific route table

will not allow communication to the internet

both inwards as well as outwards.

So now what we'll do is

we'll associate this route table with the subnet.

So we'll be associating it with the VPC subnet.

That's great.

So for our first part of today's architecture,

what we have, we have a VPC,

where there are certain subnets.

These were public subnets,

among which we selected one subnet

to make it as a private subnet.

And we associated a new route

so that the resources within the private subnet

do not have any inbound or outbound internet connectivity.

So now the next step is

we'll go ahead and launch two EC2 instances,

one in the public subnet,


and second one within our private subnet

that we have created.

So let's go ahead and go to the EC2 instance service.

Now, within the EC2 instance console,

first thing let's go ahead and do for today's video,

is we'll go ahead and create a key pair.

All right.

So this is a temporary key pair that we'll be creating.

So let's just call it as temp key pair,

and we'll choose the .pem file format.

All right, so this key pair should be downloaded.

Once then, let's go ahead and launch EC2 instances

in this specific region.

We'll use the Amazon Linux 2 AMI.

The instance type,

just select the one associated with the free tier eligible.

The subnet,

make sure that you first select the VPC endpoint subnet.

And we do not really need an IP,

so we'll go ahead and disable the auto-assign IP.

Once then, let's do a review and launch,

and we'll launch this with the key pair here.

All right, so let's go ahead and open this up,

and let's just call it as private EC2.

In a similar way, do note that

since this EC2 does not have any communication

both inbound and outbound towards the internet,

we'll not be able to connect to it directly.

So what we need for it to be connected


is one more EC2 instance in a public subnet.

So we'll first connect to this EC2 instance

in public subnet.

And from this EC2 instance,

we'll go ahead and do an SSH to the private subnet EC2.

All right.

So this is more if you have worked with

the bastion host-based architecture.

It's similar to that.

So let's go ahead and launch one more instance

in a public subnet this time.

(keyboard rattling)

Make sure you select one of the subnets here.

Let's use subnet 2A.

We'll do a review and launch.

We'll do a launch with our key pair.

Perfect.

So let's go ahead and call this as public EC2.

(keyboard rattling)

That's great.

One more thing that we have to do is

we have to associate an IAM role

primarily because in today's practical,

we want to ensure that the EC2 instance

through the VPC endpoint

is able to connect to the S3 bucket.

So for this, we'll be making use of an IAM role.

So let's go to the IAM service here.

(keyboard rattling)

We'll go to role, let's create a new role.


The role use case would be EC2.

And within the permission,

let's just give it as S3 full access

just for our testing purpose,

and let's call it as VPC endpoint role.

All right,

that's great.

So now we'll go ahead and attach the role

to both of the EC2 instances here.

So let's quickly do that.

Under security, I'll modify the role,

and we have the VPC endpoint role.

Let's associate with the first instance.

And in a similar way,

let's also go ahead and do it for the second instance.

(keyboard rattling)

So I'll select the VPC endpoint role, we'll do a save.

Perfect, so now we have our base architecture set.

First, let's go ahead and connect to the EC2 instance.

We have the public IP.

Now, from the SSH terminal,

whichever SSH terminal you are using,

you can just specify that tempkey.pem.

And let's go ahead and connect to the EC2 here.

All right, so we are connected to the EC2.

So this is the public EC2 instance here.

So from here, if I quickly do an aws s3 ls,

you see we are able to see a set of S3 buckets

that are part of this specific AWS account.


Now, what we'll do is, since we want to connect

from the public EC2 instance to the private EC2,

we need to have a key pair

associated with the private EC2.

Now, since the key pair is in my local workstation,

there are multiple approaches to take care of that

but we'll be using the simple one.

I basically copied the private key earlier.

Let me copy the private key,

and let's go ahead and create a new key here,

called tempkey.pem.

We'll paste the private key contents.

Let's save this,

and let's also change the permission to 400.

(keyboard rattling)

All right.

So now using this specific private key from the public EC2,

let's go ahead and connect to the private EC2 instance

via the private IP.

All right, let's do that.

I'll do a yes,

and perfect, we are connected.

So since this EC2 already has the IAM role over here,

if you go ahead and do an aws s3 ls,

and let's also specify a region.

Let's say US phase two.

At this stage, you'll not see any result

primarily because there is no connectivity

towards the S3 that is available.

Perfect.
So our next step is

to go ahead and create a gateway VPC endpoint.

So let's go back to the VPC here,

and let's go a bit down under the endpoints here.

Let's create a new endpoint.

And if you look here, there are multiple endpoint types.

One is the interface endpoint.

And if you go a bit down,

you'll also see a gateway endpoint here.

So let's go ahead and filter by service.

Now for the S3 service,

you have both the interface as well as gateway endpoint.

We are more interested in gateway endpoint

for the time being,

so we'll select that.

And now the next part is

to which route table this endpoint

should be associated with.

So this specific destination

and target associated with the VPC endpoint,

needs to be associated with each of the route tables.

So we want it to be associated

with the VPC endpoint route table.

All right.

Once then, let's go ahead and break down the policy.

We'll just leave it as it is for the time being.

Let's go ahead and create an endpoint.

Perfect.

So let's do a close.
And now you should see

you have a VPC endpoint that is created.

Now, if you'll go to the route table,

let's open up the VPC route table here.

Let's go to the routes.

And you should see you have one more route that is created.

And this has a specific destination

and the target is VPC endpoint.

As we were discussing,

this specific destination in turn

is like a logical destination

which has a CIDR range associated with the S3 service.

All right.

So any traffic going to the S3 service

will be targeted towards the VPC endpoint.

So that is the basic idea here.

So now, once the specific VPC endpoint is associated,

let's go ahead and do an aws s3 ls once more.

And you see it is working perfectly well.

So from our private EC2,

we are able to communicate with the S3 service.

Great.

So I hope with this you understood

the basics of how the gateway VPC endpoint

as well as the routing related to it works.

Now let's go ahead

and look into some of the downsides of Gateway VPC endpoint.

First among them is the overall architecture.

So in this type of architecture,

the actual VPC endpoint is not part of the VPC,


it is outside of the VPC.

So with help of the route table,

the traffic is directed towards the VPC endpoint.

Now, since this VPC endpoint is not part of your VPC,

it is not possible

to use it directly from the VPN or Direct Connect.

So this is one important thing that you should know.

Second important thing is that

the endpoints are supported within the same region only.

You cannot create an endpoint between a VPC

and a service in a different region.

This is a very important part to remember.

Now, if you just do aws s3 ls from the private EC2,

you see we are not getting any result over here.

And this is the reason why

we had explicitly specified a region over here.

So this is the region where our EC2 is created.

And if I press enter, you are able to see the buckets here.

Now, one more important part to remember here is that

you'll only be able to do operations

on the bucket that is part of the same region.

So although it is listing you all the buckets right now,

but the operation will only work

on the bucket that is part of the US phase two region.

So for example, let's say I'll do aws s3 ls,

let's specify a bucket,

let's just call it as any bucket.

So I'll just select a random bucket that is available.

Let's press enter.


As expected, you are not able to see anything.

So even if you specify a region of US phase two,

something similar to what we had done earlier,

you'll see you are not able to see anything here

even though the EC2 instance

has a full S3 permission available.

Now, in order to also demonstrate

this point in great detail,

let me go ahead and create a bucket.

So we'll be creating a new S3 bucket in the same region

where this endpoint is created.

So let's create a new bucket.

Let's just call it as temp endpoint US phase two.

You can just give any region.

Make sure that the region is same as

the region where the endpoint and the EC2 are present.

We'll go ahead and leave everything as default.

We'll go ahead and create a bucket.

So now let's go ahead and do aws s3 ls again.

As expected, we are seeing this specific bucket.

Let's copy this, and let's do aws s3 ls.

Let's specify the bucket name,

and also let's specify the region of US to phase two.

And you see, it is working perfectly well.

Now, since this bucket does not have any contents,

it basically did not show you anything.

But in case there is an image or whatever contents,

it should show you the data.

Now, in fact, let me also show you this

so there is no doubt that arises in this specific video.


So let me go ahead and add a random file.

All right.

So I'll just simply add a PNG file.

So this is a VPC PNG file.

Now, let's run the same command again.

And you see, we are able to see the contents as expected.

Great. So I hope this first point makes sense now.

Second is that the endpoint supports IPv4 traffic only.

And the third one is that

you must turn on the DNS resolution in your VPC,

or if you're using your own DNS server, ensure that

the DNS request to the required services such as S3,

are resolved correctly to the IP address maintained by AWS.

Now, this is important

primarily because the destination in your route table

is associated with a specific CIDR.

So if your DNS server is not giving you the resolution,

so when you try to connect to the S3 endpoint

and it is giving you a different IP address

than the one that is part of this specific destination,

then the overall routing will not work.

And this is the reason why it is important to ensure that

either you use the DNS resolution that is part of the VPC,

or for your own DNS server,

you have to ensure that request is resolved correctly

to the IP address that is maintained by AWS.

That's great.

So I hope with this,

you understood about the Gateway VPC endpoint


in great detail.
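To make the routing rule and the DNS caveat from the video concrete, here is an added Python example (not code from the video or from AWS) that simulates the private subnet's route table before and after the gateway endpoint route is added. The S3 CIDR ranges, the endpoint id and the resolved IP addresses are constructed stand-ins; only the VPC CIDR comes from the video.

```python
import ipaddress

# Constructed sample values for illustration. Only the VPC CIDR comes from the video;
# the S3 ranges and endpoint id are NOT real AWS values (AWS publishes the real
# ranges as a managed prefix list, pl-..., per region).
VPC_CIDR = "172.31.0.0/16"
S3_PREFIX_LIST = ["203.0.113.0/24", "198.51.100.0/24"]   # constructed stand-in
ENDPOINT_ID = "vpce-PLACEHOLDER"                          # placeholder, not a real id


def build_route_table(with_endpoint):
    """Return the private subnet's routes as (network, target) pairs.

    Before the endpoint exists, the table has only the local route, exactly
    as seen in the console; creating the gateway endpoint adds one route per
    S3 prefix whose target is the endpoint.
    """
    routes = [(ipaddress.ip_network(VPC_CIDR), "local")]
    if with_endpoint:
        routes += [(ipaddress.ip_network(c), ENDPOINT_ID) for c in S3_PREFIX_LIST]
    return routes


def lookup(route_table, dst_ip):
    """Longest-prefix match like the VPC router; None means no matching route."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net, target) for net, target in route_table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def route_for_s3_request(resolved_ip, with_endpoint=True):
    """Where a request to an S3 hostname goes, given the IP that DNS returned."""
    target = lookup(build_route_table(with_endpoint), resolved_ip)
    # The private subnet has neither an internet nor a NAT gateway route, so an
    # unmatched destination is simply dropped and the CLI call hangs/times out.
    return target if target else "dropped (no internet/NAT route)"


if __name__ == "__main__":
    print(route_for_s3_request("203.0.113.10"))                        # endpoint
    print(route_for_s3_request("203.0.113.10", with_endpoint=False))   # dropped
    # A custom DNS server answering with an address outside AWS's S3 ranges
    # defeats the route-table match even with the endpoint in place.
    print(route_for_s3_request("192.0.2.7"))                           # dropped
```

The third case is the DNS failure mode the video describes: the endpoint route only matches when the S3 hostname resolves to an address inside the AWS-maintained ranges.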
