Transcript for:
Understanding Domain Name System (DNS)

All right, so last week we just started exploring the Domain Name System, and we said that DNS serves as an intermediary that helps to translate IP addresses so computers can understand them, and translate them back to human-readable host names or domain names. Most importantly, we said that DNS is a database that is distributed and resilient. I'm trying to share my screen here. So we said DNS is a database that is distributed and resilient: distribution ensures that pieces of the DNS information are stored across different name servers, and resilience is achieved through the fact that it's globally available. If you guys noticed, with Route 53 it's a global service, so it's not specific to a particular region or a particular availability zone; it's available globally.

So, Route 53. We mentioned last week that Route 53 has two main services: it helps you to register your domain, and it also helps you to host domains. For hosting domains you have the ability to either register a domain from within Route 53, meaning that you're purchasing a domain name from Route 53, or, if you have a domain name that already exists, you can bring it into Route 53.

Now when it comes to hosted zones, there are two main types of hosted zones: we have the public hosted zone and we have the private hosted zone. The difference between these two hosted zones is just related to how the traffic is being routed. When it comes to the public hosted zone, it contains records that would route traffic to the wider internet, meaning that with the public hosted zone you can create your hosted zone or create your records and then anybody from the internet will be able to reach that domain, and basically Route 53 would route that person to the particular endpoint for that traffic. So if we have to define it, we can say the public hosted zone contains records for routing internet traffic. The name servers that are used by the public hosted zone are accessible globally, and these name servers are automatically created when you're registering your domain. If you guys noticed, when you registered your domain last week the name servers were automatically created with your Route 53 domains.

For the private hosted zone, the records that you create within the private hosted zone route traffic only within your VPC resources, so it contains records for routing traffic within your VPC. The private hosted zone is mostly used within an organization or within a company that has subdomains that they just want to route traffic within the company, like the company's internet. You don't want anybody from the public to access those applications or those domains, so then you would use a private hosted zone because you want to keep everything private. The private hosted zone can be linked to one or more VPCs, and it can only be accessible within that network. So the use case is mostly when you have sensitive data that you don't want to be accessible from the public internet. And it's pretty straightforward: just the same way as your public hosted zone was automatically created for you, when you want to create a private hosted zone you can actually go and create your own. When you're creating it, it's going to ask you the VPC or VPCs that you want to associate it with, and then you connect it to the VPC, and that's all. Once you do that, you can start creating your records, and we're going to talk about records down the road.

So let's talk about record types. Think of records as instructions that live in the DNS servers and help to provide information on how your traffic needs to be routed. So records are instructions within DNS that provide information about the domain, and you use these records to start determining how you want traffic to be routed, and that's where things like routing policies start coming in. So record types are instructions within the DNS that provide more information about your domain. There are different kinds of records that you have within your DNS. When you guys created your domain last week, you had some records that were pre-created for you: you had some name server records, which is an example of a type of record. It's always called NS records, or let me put in the name for the acronym: we call it name server records, also known as NS records. The name server records are meant to identify the name servers that are in your hosted zone. Again, going back to our definition of record type, we said record types are instructions within your DNS that provide more information about the domain, so with the name server records you basically know exactly that within this hosted zone we have these different name servers. It helps to facilitate the process of delegation, because again we said that DNS is distributed: distributed because the root name server has delegated some powers to the top-level domain name servers, and the top-level domain name servers have delegated some powers to the authoritative name servers to carry some information, so that when you're looking for the IP address you would easily be routed to the correct name server that would give you the information that you're looking for. So the name server record is basically that record within the hosted zone that helps to identify all of the different name servers for that hosted zone. If we have to write it down, we say this is a record type that helps to identify the name servers for the hosted zone, so it helps the process of delegation. So you can have the name server, which is typically the root, and then the .com name server would direct you to the amazon.com name server, which will direct you to the www.amazon.com name server. And if you're using a private hosted zone you have multiple subdomains, so within the company you don't just have www.amazon.com; you have something like mail.amazon.com for mail service, and then you have commercial.amazon.com for commercial applications. Those are subdomains; you have all of those different subdomains within the hosted zone, and the job of the name server record is to identify all of these different name servers for your hosted zone.

The next record type that we have is called the A and the AAAA record. This is the most widely used record type in most scenarios. Sometimes you will create your hosted zone and then you have the name server record; you barely do much with the name server record, but when you want to start routing traffic from your domain to your applications, that's when you start dealing with the A or the AAAA record. So either of these records, either the A or the AAAA, is meant to map your host name or your domain name to an IP address. The A record is for IPv4 and the AAAA record is for IPv6. Organizations that are using IPv6 for their networking use the AAAA record, and organizations that are using IPv4, like in most of our use cases, use the A record. But basically this record is meant to map your host name or your domain name to an IP address.

All right, the next record type is called the canonical name record, or the CNAME record. The CNAME record is mostly used to create shortcuts when you want to route one domain to another domain. For example, we can have www.jjtechinc.com, and then within JJ Tech, JJ has a subdomain that handles all of its mail, so that when you want to send an email to me you send it using my work email; for example, you want to send an email to suzan@jjtech.com. Every company that has that specific domain for their mail has a mail server that's running within the company. So let's assume that JJ has a mail server, and the domain for that mail server is mail.jjtechinc.com. If you want Route 53 to be able to route traffic that hits this domain directly to your mail server, then you need to create a canonical name record in Route 53. So the canonical name or CNAME record creates a DNS shortcut to route traffic to another domain. And here is the goal for having subdomains in every environment: to minimize the overhead and the complexity of pointing to other servers. Because if you have to route jjtechinc.com to the IP address of the mail server, then what if the Auto Scaling group spins up multiple mail servers because of traffic, or what if something happens and that mail server goes down and a new one has to come up? It's never best practice to route traffic to a particular server, because something could happen. But when you have a particular subdomain, even if there is an Auto Scaling group or there's something happening behind the scenes scaling your service up and down, it's never going to change your domain, because your subdomain remains fixed. So this mail.jjtechinc.com would remain the same even if the backend mail servers are changing. So in most cases, in most organizations, they always use CNAME records as opposed to A records.

Miriam, go ahead. "So in this case, what does it eliminate for it to create the shortcut?" The shortcut is because it eliminates the overhead, the amount of work that you need to do, the complexity of you managing things and handling it and routing traffic to a particular mail server. So when you're creating that mail application, the application for your mail server, you can use a subdomain. So you have Route 53, and then you have your mail server (the mail server in this case is just an example), and then you have that subdomain, and this mail server has an IP address. Let's assume that you have two mail servers with IP addresses: instead of having Route 53 route traffic directly to the mail server using its IP, where you create an A record, it's better for you to route that traffic to the subdomain using the CNAME record. So that if this mail server goes down, maybe it becomes unhealthy, or maybe the Auto Scaling group has to scale in and this mail server goes down while this other one is still here, Route 53 doesn't need to know that the mail server is down and a new one is being spun up, because it's dealing with the subdomain and it has a CNAME record. Makes sense? "Yes, it does, thank you. A follow-up question: so the CNAME isn't necessarily mapped to an IP, right? So when the backend IP changes, how does it know that it's changed, or does it not really care?" No, the application owners have it integrated in the application, so to hit that application there would be a CNAME that is used for that server application. Yeah, so the reason why I say it's a shortcut and reduces complexity is because you incorporate within the application just the subdomain,
that will never change because it remains fixed. But if you had multiple servers that are changing, then there would be some manual intervention every time you have something going on in that environment. But with the CNAME, or using the CNAME, it becomes way easier for things to be automated without that manual intervention. Makes sense? Because tonight we're going to create an A record. When you create an A record, you see that within Route 53 you're putting the IP address of the server. But now what happens if that server is down? You have to go to Route 53 and make an update there. But if you're using a CNAME, once you've created it in Route 53, even if the server is down you don't have to worry about it, because it's using a CNAME record and it's tying it to the host name. Now on the application side, before that application gets deployed on that server, that host name or the subdomain, which is mail.jjtechinc.com, will be incorporated into that application. Makes sense?

"Okay, so it's not really resolving to an IP per se, but to some kind of fully qualified domain name maybe?" Yes, it's resolving to that fully qualified domain, so that even if the IP is changing it doesn't affect that host name, because again the IP will keep changing because of other things. "Okay, thanks."

Maa? "Hi Prof, I just wanted to clarify: the domain and the subdomain, is that what is mapped to the load balancer DNS? The load balancer comes with its own domain, right?" The load balancer comes with its own domain, so it is in a sense like the subdomain, but in organizations you don't look at that load balancer as a subdomain, because the domain name of that load balancer has nothing to do with your Route 53 domain, you understand? So when you create your load balancer it has a different domain name or different DNS that has to do with an AWS name, but when you're creating subdomains within an organization, all of those subdomains, for example whatever subdomain JJ Tech has, have to end with jjtechinc.com, assuming JJ Tech's main domain name is jjtech.com. So if Amazon's main domain name is amazon.com, whatever subdomain Amazon is creating has to end with amazon.com: it could be mail.amazon.com, it could be php.amazon.com, it could be however you want to do it. You can only add more prefix to that domain name to make it a subdomain. Makes sense, within an organization? "Yes, Prof. But I wanted to know, with the A or the AAAA records, is that what's actually mapped to the load balancer?" All right, thank you, and that's why you see when you want to create a record set for the load balancer, you don't necessarily use CNAME records; you still use A records or AAAA records. Yep.

All right, the next record type is TXT records. Abdalah? "Yeah, I was just going to ask how many CNAME records can you have in your Route 53?" You can create multiple, depending on the subdomains that you have in your environment. I'm not sure; I don't think I've ever hit a limit. Maybe AWS has a limit, but I know that Route 53 scales so wide that you may not hit that limit, but it's something I need to check. "Okay, I just wanted to make sure you can create multiple CNAME records." Yeah, you can definitely create multiple, especially if your environment is wide and you're a hybrid environment and Route 53 is your main DNS product, meaning that you don't have any DNS service on premises and you're managing everything from AWS; then you definitely have multiple CNAME records, or even CNAME and AAAA records, that you need to create. "Got it, thank you." You're welcome.

All right, so TXT records. "Quick question." Go ahead. "I just wanted to know, with the CNAME record, is it what the application load balancer uses to route traffic? Because they said the application load balancer sort of inspects traffic and will map it based on where it's supposed to go." So the application load balancer within Route 53: if you want to map Route 53 to an ALB, for example, it's not a CNAME record that you use; there's a specific record type that you use that has to do with AWS services. You select that record type that has to do with AWS services, but it's not a CNAME. I can't remember the exact name, but A records, AAAA records and AWS services all fall under the same category. The use case for your CNAME record is mostly when you have specific subdomains within your environment that are related to your applications that you want to route traffic to, but if you're routing traffic from Route 53 to ALBs, or even to CloudFront, you use that record that's specific to AWS services, and we're going to do it tonight, so you'll see it there. "Okay, thank you." Yep.

So TXT records. TXT records is one of those records that organizations use to basically verify domain ownership. TXT means text; it's just a record that you can create to put any arbitrary text on your domain, so that if somebody steals your domain, or if somebody gets your domain name to start their business when the domain is already yours, then you can use that arbitrary text to prove that you own the domain. It's commonly used to verify that you own the domain. For example, Amazon can create its domain, amazon.com, and then tomorrow somebody steals that domain name and creates their business and uses it for their business, and they go to court and Amazon has to prove the domain ownership. The TXT record will be something that, because it gives you the ability to put in some signature or some arbitrary text on that domain, you can use to prove that you actually own it. Because the domains that you guys created, there's nothing to really prove that you own that domain. Even if you created a domain and said miriamboutique.com, I can still create a domain and say miriamboutique.com, or I can still say that I created the domain miriamboutique.com; there's nothing to really prove that you own that domain. But with the TXT record you have the ability to add some arbitrary text, something very unique and specific to you, that will prove that you own the domain. So in most cases you're not really going to find yourself using TXT records for networking tasks in an environment; you mostly use A records or CNAME records. Now, you can find yourself using NS records when you're dealing mostly with private hosted zones, and you or your organization choose to manage those name servers yourselves; that's where you find yourself using a lot of NS records.

All right, the next thing I want us to talk about is routing policies, but before we dive into routing policies I want us to talk about one important feature that DNS has that's called TTL, which is time to live. So Route 53 TTL, which means time to live: the TTL value is typically written in seconds, and it's meant to specify how long DNS records should be cached by resolvers. Now we all know that caching is really important because it helps to reduce latency, right? For example, if you have your resolver within your home internet and you go to google.com, trust me, even if you go to google.com after four hours that resolver is not going to go and do a DNS query to find the google.com server anymore, because it's been cached within your resolver. So when it caches that information it reduces latency, but if the cache
expires, then you will need to go back to the origin and pull the data from there. So within Route 53 you have the ability to set TTL for some routing policies and some specific record types, so that data can be cached for a period of time. Now the question will be: when do you set high TTL and when do you set low TTL? You set high TTL when you know that that particular data has infrequent changes. High TTL, for example: if you want to set your TTL to 24 hours, you're putting it to 24 hours because you know that within a day the data may not change, so it's okay to cache that data when the data has infrequent changes. And so during this period, when the resolver tries to query that same data, when your client tries to get that same data, the resolver would pull it from the cache and give it to the client. Low TTL, on the other hand, is necessary when your data changes frequently, or when you're doing migrations. So if you want to make sure that your client receives absolutely up-to-date data, then you need to reduce your TTL, because so many things can change when you're doing migrations or when you're doing deployments; then you need to set your time to live to a lower value. So the use case is when data changes frequently or when doing migrations. This question on TTL is an interview question that got asked to a student just this week, and the student actually babbled on it. The student knew quite well what TTL is, but when they asked about the use case, when do you think we need to use high TTL or when do you think we need to use low TTL, the student was not particularly sure. So it's something that you just need to take note of. There was a time we were doing some migrations, and during that period I remember we went and had to change all of our TTL to, I think it was one second or two seconds, so that when you push those changes, everything cached will be cleared and anybody that wants to retrieve that data will retrieve the most updated information. That's important.

"Please, can you talk a bit on the migration? How does migration change the data frequently?" Absolutely. So migration will change data frequently; let's say when you're moving data from one endpoint to another, it could be you moving the data, it could be you updating the data, or it could be you making changes at the endpoints of the data. So say, for example, when you're migrating from an on-premises environment to an AWS environment, your DNS will be routing traffic differently in that case. So this is on-premises, this is AWS, this is your DNS, right? So when you're migrating from one end to another, typically what happens during migration is, well, we'll talk about this more in migration: you have different approaches to migration. You can do lift and shift, meaning that you're just lifting and shifting things as is, or you can choose to make some modifications as you're moving the data, or once the data gets to its destination. So the main thing is that whether you're doing lift and shift or you're making changes to the data, you don't want your clients (these are your clients) to pull the data that has been cached here. You want that during this migration, whenever your client tries to reach DNS, the DNS should get the data from the origin, in case there are any changes or any updates to that data, so they get the most recent data. That's what I mean, because when data is being cached at the level of DNS, that data will remain here; this is the cached data. But now if you have some changes going on here, either because of migration or because of application deployment updates or anything of that sort, you need to clear this cache, and you clear the cache by changing your TTL. Let's say you had a TTL of 3,600 seconds; you have to remove it and put it to one second or 5 seconds, so that whenever anybody wants to pull data, the person will pull the most recent data. Makes sense? "Yes, thanks." You're welcome.

Obit? "Yeah, my question is still very similar to what Michelle was asking. When we say data, are you talking about the name server records? Like, what is the data that we're talking about here? Just because I'm thinking what gets cached is the name server records, or whatever it's called, the records; is that what we're talking about here that gets cached?" It's basically the IP address of the application server, right, the IP address of your servers, yes, and the information that you're looking for. So when you want to hit an application, let's say an application like google.com, let's say Google's whole home page, right? So many people across the world go to Google on a minute-by-minute, second-by-second basis. I'll tell you that all resolvers cache a lot of frequently accessed information at the level of the resolver, because they know that people use this information more often. So it's not just the IP address but it's those frequently accessed data. Makes sense? "Yes. What is an example? So in the Google case that you just talked about, are they caching everything, like a whole website? So if I went to a website and got some information, it would cache that, so that if I go back to that link I'm basically reading what's been cached for the past 3,600 seconds; is that what it is?" Yes, that's exactly what it is. So it caches the information; when you retrieve that information, DNS can cache that information for a period of time. It's not just the IP of the server; it's also the information that you retrieve. So that, for example, if I make changes to my website, to my web page, right, let's just say if JJ Tech makes changes to their web page today and changes it, say, from orange to blue, but when you want to hit JJ Tech, and let's assume that JJ Tech has a TTL of 3,600 seconds, if you want to hit JJ Tech within the next 30 minutes you'll still see its old website. And you're wondering why, and that's just because it's been cached for too long. So in order to make customers retrieve the new home page or the new welcome page of the JJ Tech new site, JJ has to go and clear the cache completely by changing the TTL, so that when you want to hit the JJ Tech application then you see the new welcome page. "One final question on that. So where does this resolver sit? Are we talking about the resolver that's provided by the ISP that basically sits at your home?" Yep. "Okay. And so the TTL is set by JJ Tech, and even though the resolver is the ISP resolver, the TTL is actually set by JJ, the owner of the application?" Yes, so JJ Tech sets how long he wants that data to be cached. "Okay, yeah, thanks."

Miriam? "Yeah, just a follow-up to his question. So at the beginning of setting the TTL, do you also configure it in such a way that it can detect when data is frequently changing, for it to automatically adjust, or is that something that you have to do manually?" Within Route 53 you don't have many options to configure that; you can just set TTL, and the TTL would refresh whenever the TTL expires. Now within AWS there are some other policies that you can set in place that can push changes, that can refresh cached data automatically, but Route 53 doesn't have a lot of those options. "Okay, so how do we move from low TTL to a high TTL?" By changing the TTL value. Low TTL just means you have 5 seconds; high TTL means you have 3,600 seconds. "Yeah, so what I mean is, do you constantly change it?" You change it when you need to, when you want to. Like, for example, you have a use case for high, right? If your data doesn't frequently change, then you can use a high TTL and leave it at that. But if your data frequently changes, then the recommendation is to use a low TTL. Even if your data does not frequently change but you're undergoing some changes on the application end, say you're doing migrations or you're pushing some deployments, new code, then you want to go and change the TTL. Most of those things happen at night. I remember when we were doing deployments, we didn't do any deployments till after 10 p.m., because you know that traffic is very low at that time; you go and you change TTL and then you do all of your deployments and test it, make sure that it's working. "Okay, got it, thank you." You're welcome.

"Prof, quick question. I just wanted to know what takes precedence, the session history or this Route 53 session?" So it really depends, right? It really depends. You can have some cases where everything is going to start from the records, but now session history will come in to store your session data, right, to route you to... Remember that session data, session, is more about the interaction between you and a particular server. Does that make sense? When we talk about session history: this is you, this is Route 53, this is the load balancer, these are the backend servers, server one, server two. Now when you hit Route 53, let's say you go to www.amazon.com, Route 53 will send it to the load balancer; the load balancer now is the one to determine whether it will send you to S1 or S2. Does that make sense? So session history is at this level; TTL is at this level. Makes sense? "Yes, Prof." There's a lot that happens if you have visited that website before. Because DNS is all about routing you to the server to get the information that you're looking for, if you're retrieving new information then the routing would go all the way right down to the server, but if you're retrieving
information that you have already retrieved before then that's when it can end at the level of the your resolver because that information has been cashed make make sense the end goal here is to give you low latency does that make sense yes bro are you sure yes BR yes I get it good Emma now just a quick question on a the um high low um it call um time to to leave and the High um so say for example you have migration is done or deployment is done uh just before you to change your uh it to low uh TTL and then um how long after that do you would you think you change it back as you mean you don't change stuff frequently it was just the migration or deployment that cost you to change the TTL how long do you think you can leave it at the low TTL for before um moving it back to the high TL so when we were doing migrations when we change it to low TTL and testing is done we change it back to the itl immediately before we close the ticket so you don't want to keep it too too long because again the goal for this setting your highy tail to is to save you money the amount of load that's coming to your end service you want to minimize that right that's why you're cashing that information so selling that high to TI saves you some cost so we change it to low when you're doing deployment and then right after that within that same deployment call we change it back to high and then we close the ticket thank you you're welcome um I don't know whether the C name is related to Alas Rec I didn't he you talk about the alas I didn't talk about the alas because in a c name translates to Alias so you mostly hear alias in different cases but C name translates to the Alias record Victor uh so um mine is I'm trying to rationalize something so these interventions for the PTL are happening on the on the end of the um let's say the resources that we actually try to access but I remember in the previous life I there was particular command you could run from the client side where you would something 
like flush DNS um is that basically resetting something in the where does that actual change happen where you have to flush the cached um records and it's initiated by the actual user that that that you know that does that I'm trying to figure out I I I know what you mean so it even happens even right right um on your laptop right when when you've used and you guys are going to see that a lot when we get to multi account account when you've used a particular website over and over and then you want to visit that website it keeps giving you the previous information that you had changed and then now if you're using something like Google Chrome you may need to open an incognito window because the old window had um the information cached there so you to flush DNS on your to flush cash completely on your laptop you go to settings and you can go to settings and you clear your your your history or whatever then that's how you flush everything that's how you clear cash clear your cash information so that that that's basically what you do from the client side but in work environments or in in other environments you can still flush it from from the other side especially that's by either by changing TTL or by clearing cash you hear in some in some environments they tell you that I need to clear cash I need to clear cash because I keep retrieving all information when that information has been updated okay make sense yeah thanks you're welcome all right let's talk about routing policies we have a our hands on today may be a little long so I want to give you guys more time for hands on let's talk about routing policies so when we when we create DNS records in round 53 you need to choose what we call a routing policy and that routing policy is what determines how Route 53 would respond to your traffic or will respond to your queries okay so routing policy determines how Route 53 will respond to your queries okay so let's talk about a few of those rout routing policies I think 
there are about six or seven of them out there. The first routing policy, you guys saw that in the last class, it's called the simple routing policy. The simple routing policy, because in order for you to route your Route 53 traffic to your S3 website, you had to create some sort of routing policy, and you created a simple routing policy. And the simple routing policy is basically used to configure routing, or it's used to configure records that route traffic to a single resource or a single endpoint. Okay, so it's used to configure records that would route traffic, or direct your traffic, to a single resource. Used to configure records that will route traffic to a single resource. For example, we have to route traffic to S3; we can use simple routing. Or you can assume that you have a shopping website, say www.amazon.com for example. With the simple routing you can just create one record, and then that would route traffic to your endpoint server. Okay, the simple routing, you just create one record that would route traffic to your endpoint server. Or if you have a static website like what we saw last week, you can create a simple routing policy that routes traffic to that website.

Now there are a few things about simple routing that you need to know, and it will tell you why some organizations don't use it. The first thing is that the simple routing doesn't support health checks. It doesn't support health checks. So within Route 53, within the Route 53 product, Route 53 has the ability to check if your endpoint is healthy before it routes traffic to it, which is called health checks, but that really depends on the routing policy that you're using. If you're using the simple routing policy, it's not going to check the health of your endpoint instances; it's just going to route the traffic. The instance is healthy, good and fine; if the instance is not healthy, then your client would basically never get a
response, because Route 53 doesn't support health checks. All queries that hit Route 53 with the simple routing would be sent to the endpoint, pretty much.

The next routing policy that we have is called the failover routing policy. Failover routing policy. So failover routing gives you the ability to route traffic to a resource when the resource is healthy, and if that resource is not healthy you have the ability to route it to another resource. That's why we call it failover: it can fail over to another endpoint. So with failover routing, oh, let me, I shouldn't say "you can"; traffic gets routed to a resource when it is healthy, and when it's not healthy the traffic is rerouted to another resource. This means it has the ability to do health checks, because how does it know the resource is not healthy? It knows that the resource is not healthy by using the health check capability within it. So typically, let me tell you what organizations will do. Organizations will have a web server that holds their application, then they will have a static website that sits in S3. Then the web server will be the primary, the static website will be the secondary. Because when you're creating a failover routing policy you have to select which one is a primary and then which one is a secondary. So every traffic that comes in will be hitting the primary, and then let's say for some reason the primary goes down, it will send you to the secondary. That's why when you go to amazon.com, when Amazon's website is down, you always see they have images of a very nice puppy telling you that "oh, sorry, we're down," or they tell a very nice message just for you to see. So that even though the website is down, they're doing some maintenance in the back end, then you the customer or you the client will be seeing something that's at least good in the eyes, not just
seeing a 404 error or something that doesn't make sense, right? So in this case Amazon is using the failover routing policy, and their secondary is most likely an S3 bucket. They probably have an S3 bucket with a bunch of those puppy or dog images in there, because they know that a lot of people like dogs, so that if the website is down, they're doing some maintenance, they're having some issues, then their customers will see something that's more friendly in the eyes. Okay? So I was going to say Airbnb uses ice cream. Airbnb uses ice cream. I haven't really used Airbnb a lot, but I use Amazon like 10 times a day and I see a lot of those images; that's why I had to use it as my example. But yeah, something like that. And a lot of even private organizations or other businesses use something different, or you can just have an HTML file in the S3 bucket that would say, "if you want to know more about us, click this link." It's just a static website, which means that it doesn't really change; every time you click you see the same information. In the case of the dogs, they probably have a folder in a bucket that just has a bunch of images that change from time to time, but it is static, meaning that it's not dynamic; you cannot really explore more to see more information on it. What you see is what you get, for the most part. Makes sense?

Quick question: how does this differ from what ALB and Auto Scaling group can do? ALB is meant to balance traffic; that's why it's called a load balancer. It's meant to balance traffic to your end service, okay? Auto Scaling is meant to scale based on your workloads. Route 53 is just there for DNS. DNS does something really different. DNS is there so that you don't have to memorize that long ALB DNS name, or you don't have to memorize IP addresses, okay? You want, what is the name of your business? You use it to buy a domain, so that people now would know your business by
that domain name. That's what DNS is. All of these different added features, health checks, that AWS has within its DNS product, it's just more things that will feed you. So sometimes a company can say, "Okay, ALB already has health checks, I don't need to use Route 53 health checks anymore," then you just go and you enable, you use the ALB health checks. But some people can still say, "Okay, I'll use both; I'll still use Route 53 and I'll use ALB health checks." But these are just added features that AWS is adding to Route 53, which is its DNS product, so that it just gives you more stuff, so that even if you're in a hybrid environment you may choose to use Route 53 as your DNS service as opposed to using an on-premise DNS service. Makes sense? Yeah, makes sense.

But it is really important for you to understand the use case between Route 53, CloudFront, ALB, Auto Scaling group. Please understand the distinction between these four; don't get them confused, okay? Because when it comes to understanding or explaining what we call the three-tier architecture, you would need to explain. I don't know if I have something like a three-tier that starts from Route 53, probably not, but I can share maybe after the break. But you have to start explaining from Route 53: it gets to Route 53, it hits CloudFront, from CloudFront it gets to the load balancer. Obviously the load balancer is inside the VPC, so you know that it passes through the internet gateway to go to the VPC, and then it gets to the load balancer, and then from the load balancer now to your backend service. You have to understand that flow, and you have to understand the use case in all of that: what does Route 53 do, what does CloudFront do, what does ALB do, what does the internet gateway do, what does the Auto Scaling do. Understand the clear distinction between all of them, okay?

Interesting story today. Actually, it happened today, in a meeting I was having with a new client that has been operating on Microsoft Azure for a very long time, and
they are just newly coming and bringing AWS as one of the cloud platforms for their environment, right? So I was brought in to help them with setting up something that's called a landing zone. We're going to talk about landing zone soon. So I was brought in to help them with the landing zone, but there's a lot that they need to do before setting up that landing zone, because if they are not fully ready, then you're going to run into challenges. So I'm going step by step and doing the discovery call and talking with them, and then we're exchanging emails back and forth to make sure that we're all on the same page, right? So I sent a list of prerequisites or important things that they needed to do, and then the supervisor for that organization replied to my email, and she was like, she knows for a fact that an S3 bucket is inside a VPC, which was really interesting, because what I noticed from my conversation with them is they are trying to mimic everything that's on AWS with what they have on Microsoft Azure. And then she also mentioned that she knows that you can create an EC2 instance without a security group. The reason why I'm mentioning these things is for you guys to know your stuff. When you know your stuff and somebody's confidently telling you the wrong thing, then you can confidently tell the person, "no, that's incorrect," right? But now if you don't know your stuff and you're in a call and somebody is saying something with so much confidence, you doubt yourself, even if you know that what you know is right; you doubt yourself because the other person, who may be superior to you, is saying something, and then you just believe what the person is saying.

Another thing is, I spoke to a student yesterday, and that student took an interview, and in that interview one of the things that they asked her was for her to explain what she understands by
three-tier architecture. I can bet you that that student has attended almost 20 workshops, but she freaked out when asked to actually explain what she understood by three-tier architecture. That is to say that even though she knew, she did not have that confidence in herself to say it outright and to say it like what she knows. And this is where a small group comes in, when I tell you guys that it's really important to get involved in your small groups: say these things over and over, don't just listen, because you listen to everything that I say and it makes sense, but if I ask it back to you, you may not be able to articulate it even though you know it in your brain. So you need to really build that confidence; know your stuff to your fingertips. Don't assume, "okay, in an interview it's going to be virtual, I can have a Google page open." Trust me, I really discourage that, because I prefer that you take your time and study, and then you know your stuff, and then you'll be able to excel in the interview and even excel on the job. Excuse me. So if it makes sense to you, connect all of the dots of these services; if it doesn't make sense, bring it up, let's talk about it, let's discuss it, so that you understand all of these dots. Because if somebody asks you in an interview, what is the use of Route 53, what is the use of CloudFront, what is the use of a load balancer, how many kinds of load balancers are there, what is the use of an Auto Scaling group, you should be able to explain all of that clearly and confidently, because you know exactly where it lies. Somebody tells you that we need to put an S3 bucket inside of a VPC, then you can clearly tell the person that no, an S3 bucket doesn't reside there, it's not a VPC resource. Makes sense? Yes, yes, Prof, very much so. Very much. Okay.

So the next routing policy that I want us to talk about is called the weighted routing policy. Weighted routing policy. So the weighted routing policy lets you associate resources to
domains or subdomains based on weight. So basically you can have two servers here, and you can choose, "I want 70% of my traffic to go into this server and 30% to this endpoint." That's how you just stipulate the weight of how you want your traffic to be routed to all of the different endpoints in the weighted routing policy. And it has specific use cases. You can use it as part of, if you have an active-active disaster recovery environment, you can choose to say, "okay, because it's active-active, I want to route traffic to the two endpoints to just make sure that all of them are functional at all points in time," and then you can set a weighted routing policy at the level of Route 53, okay? Or if you have a use case where you want to test new versions of your app before you push the new version and merge it to the main application, you can create a testing environment; they call it blue-green deployment. You can create a testing environment, and then you test, and if it looks good, then that's when you can reroute your traffic, okay? So if we have to define it, we say that the weighted routing policy is meant to distribute your traffic across different resources based on the weight that you've set, okay? So weighted routing policy is meant to distribute traffic to multiple resources based on the weight that you've set. And it has its different use cases: you can use it when you want to test new software versions, or you can use it when you're running an active-active environment. In an active-active environment you can say, "okay, send 99% of my load to environment A and then send 1% to environment B." Still weighted routing, because Route 53 always makes sure that a portion of your traffic gets sent to your primary environment and a portion of the traffic gets sent to the secondary environment. It helps to just make sure that the secondary environment is
always working as it should. And then in the case of testing your new software versions, it helps to isolate your environment, so that when you're testing in your secondary environment you make sure that everything that you're doing is not affecting the primary environment. And let me tell you what a lot of organizations do when they're testing new traffic or new software versions. So you have Route 53 here, and then you have your primary environment; they typically call it the blue. And then you have the secondary environment; they call it the green environment. And then within Route 53, even though you're using the weighted routing policy, you would have added to that weighted routing policy; you will want to make sure that you direct only traffic from internal, or from a subset of people, a specific set of people. Because since you're testing new software versions, you don't want traffic from your customers, your live customers, to come to that new software, because again, it might not be working the way it should. So within Route 53 you have the ability to choose a subset of people, maybe internal users, maybe particular users based on geographic location, to direct their traffic to the green environment, because you're using them to test that software. If everything works well, before you promote the green to become the new blue, you make sure you've tested and you have, like, 100% success. So in most environments, within Route 53 you determine exactly where the traffic is coming from that gets to your green environment, so that your blue environment, or your customers that are hitting the blue environment, will never be affected by what's happening in the green. Makes sense? Okay.

Yes, please, can you go back to the first screen? This one? Yes, sure. Okay, active-active, you mean a disaster recovery strategy, right? So we can use it to split the traffic 50/50, right? Yeah, you can use it to split it 50/50. So I was saying
70/30 just as an example; you can split it 50/50 if you want. Yep. But the main thing is that at the end of the day the traffic should be 100%. Okay. Yeah.

All right, let's talk about latency-based routing policy. Latency-based routing policy. I have a question. Miss Susan, go ahead. Where does, and how do we apply vertical and horizontal scaling to these policies, if that makes sense? What do you mean? So for example, I was just thinking that this failover routing policy, would it be considered like horizontally scaling your resources? Not necessarily, because the resources are already there. The scaling is the job of the Auto Scaling group; that's what it's meant to do. Routing policies are meant to direct traffic, meaning that if Miriam is hitting my application, based on my routing policy Route 53 would know where to send that traffic, okay? So what does the health check check? The health check only checks if the endpoint is healthy. If it's not healthy it doesn't do anything; it just doesn't send traffic there, okay? I'm sorry, so what is that endpoint? Endpoint is a server. When I talk about endpoint, I mean like the end service, right? So you have Route 53 here, you have, let me keep it simple, you have the ALB here, and then you have your servers. Let's just say you have three servers: server one, server two, server three. And then within the ALB you have your Auto Scaling group too. So you have your Auto Scaling group, okay? You create a failover routing policy here; it probably means you have set the ALB to be your primary, and then you probably have an S3 bucket here that is your secondary. Now when your traffic leaves your customers and hits Route 53, Route 53 will take the traffic and send it to the ALB, and then the ALB now will decide if it should send it to server one, two, three. Now let's assume that only server one was available, server three was available, and Route 53 now checks and it shows that server three is down. Then Route 53 will just send the traffic to the secondary environment. Scaling
doesn't happen. If you have an Auto Scaling group incorporated in this design, then the Auto Scaling group will be working to replace this server three. But would this, what you just described, be considered a simple routing, because we are sending it to a single resource, whereas the failover is routing to another resource because the primary resource is malfunctioning? It would not be considered as simple routing, because I have a secondary environment in place. Simple routing is when I don't have this at all; all I have is the primary environment, and then Route 53 is just routing the traffic. It doesn't care whether the server is healthy or not; it just keeps routing the traffic. This is simple routing. But failover routing is when I have a plan B, which is my secondary environment. I have an environment there where if the primary is down, then you fail over to the secondary. Makes sense? No, it doesn't. Come, ask me a question, Miriam. So, you initially asked about scaling, right? One thing you know is that Route 53 doesn't have anything to do with vertical or horizontal scaling; that's not its job. It's the job of the Auto Scaling group to scale horizontally. It's your job to scale vertically; vertically means that you come to these EC2 instances right down here and you increase the instance type. That's what vertical scaling means. Route 53 has no business with whether the instances are scaled in or scaled out. Route 53 is just there to route traffic, to direct the traffic to an endpoint based on what you have set in terms of your routing policy. And when I say endpoint, your endpoint could be an EC2 server, your endpoint could be an S3 bucket, or your endpoint could even be a Lambda function. I think for me part of the confusion was it felt like Route 53 is also doing load balancing; that's what I thought initially. But looking at the diagram you have here, it's actually not doing load balancing. But it will do load balancing only for the weighted, right? Because with the
weighted you have specified the weight. But it's not really balancing; it's just following the instructions that you've given it. If you tell it, "okay, send 70% of traffic to this environment and 30% to that environment," it would follow those instructions. But the ALB is meant to equally balance your load; you don't need to tell the ALB how you want it to balance it. If you wanted to send 20, 20, 20 or 30, 30, 30% of traffic, it just balances it, because that's its job. If you're not using the weighted routing policy in Route 53, then Route 53 is not balancing anything for you. Does that make sense, Miriam? Yes, I don't know. Yeah, ask me a question, ask me any question. If you want me to repeat something, go ahead, just tell me, I'll repeat it. No, maybe I'm just not able to connect the dots. Okay, so I'll tell you this: just watch this recording, take your time, go to your own and make the notes yourself, okay? Just tonight, if you can, make the notes yourself, put it in writing yourself, and let me know if it makes sense to you. If it doesn't make sense, then give me a call tomorrow, okay? Okay, thank you. You're welcome.

Emma. I have a quick question on when you tried to explain how Route 53 probably uses the weighted routing policy to route into the testing environment. So with that diagram we had just now, Route 53 is like in the region, right? No, the other one, the one before, after this one. This one? Yes. So Route 53 is in the region area of AWS, right? That's where it resides, or it's global? Global. Yeah, okay, so it's in the cloud area. So these two environments that you talked about, the production and testing, these are separate VPCs? It could be. That's a good question. So yes, in most cases it will be separate VPCs, or it could still be in the same VPC, just separate subnets. Okay, trying to see how it will route, because you talked about routing using a subset of, say, the internal customers, and routing them to the test environment. So if the test
environment is maybe in a private subnet, how will it do that? Okay, so if it's in a private subnet it means that there is a load balancer sitting in front of it, for a fact, because traffic from the public cannot hit the private subnet directly, because it's in a private subnet, right? So it has to be fronted by load balancers. So this is what would typically happen. Let me put it: so this is the AWS cloud, so let's just say this is AWS, this is VPC, this is, I'm trying to keep it simple, public subnet one, public subnet two, private subnet one, private subnet two. All right, and then this is AZ one, this is AZ two. So this is typically where Route 53 will be, okay? This is where your ALB would be, right? You can put your ALB there, and then when you want to create your first environment, let's say your green environment, you can put your green resources here. So this is the green ALB, and then you can have the green EC2; let's just say you have two EC2 behind your green ALB. So your ALB is connected to your EC2; that's your green environment. And then still in this same environment you can have the blue ALB, and then you can have an EC2, EC2, and this is your blue environment, even though it's orange in color, okay? So when you're setting your failover routing policy or your weighted routing policy, you go to Route 53 and you select weighted. Whenever you select weighted it will tell you that you need to pick multiple environments, either two environments or three or more. So it cannot be one, because you have to specify the weight. So you're going to start with environment one; you direct it to your green ALB and you say 70%. And then you go to Route 53 and you create environment two; you direct it to your blue ALB and you say 30%, okay? So it doesn't really matter if it's all in the same VPC or it's in different VPCs or it's in the same subnet; your environment can be in a whole
different region, because Route 53 is a global product. So it can still be in a whole different region and you can still connect it with your weighted routing, okay? Yeah, thank you. So this is green and blue deployment, or blue and green deployment? That's just blue-green deployment, yes. So you typically use blue-green when you want to test new versions of the software. Then when you have this, and the green environment, your test is done and it's working well, you now promote the green to become the new blue and you decommission the old blue. All right, the blue becomes production, is that what you're saying? No, no, no, the blue will go away, because maybe you don't want to run two environments at all points in time. You're just doing this because you want to test a new application or new software, right? So you create a copy of your blue environment, just like how you're creating an image of your EC2 instance. So you take a copy of the entire blue environment and you create a new environment and you call it green. Then in that green environment you push that new software, and then you run your test. With Route 53 you can be sending a smaller percentage of your traffic into that test environment. When you run your test and everything is working perfectly, then you now go to Route 53 and you change this and you say, "send 100% of traffic to this environment," and then you decommission the old one. Makes sense? Oh, okay, all right, thanks. You're welcome.

I have a follow-up question to Miriam's question. My question is this: when we have an Auto Scaling group, and usually the load balancer is created before the Auto Scaling group, we spin up new instances, right? So my question is, how do you map the new servers that have been created in the Auto Scaling group to that load balancer, to serve customers, all of them? So every time, so the load balancer and the Auto
Scaling group, they work really closely. When you have both in your environment, every time a new instance is being spun up, the first thing is that instance gets registered to the load balancer before it starts even receiving any traffic, okay? And it happens automatically; it's not something that you need to do. It's something that just happens automatically when you're configuring it, when you're configuring your environment to set up a load balancer with an Auto Scaling group. I think I have a runbook for load balancer and Auto Scaling group all together. When you're configuring it that way, if scaling is happening, let's say a scale-out event is happening, as that instance is being spun up it gets registered to the load balancer immediately. Makes sense? Still trying to. So that means the load balancer is what needs to be mapped to the Auto Scaling group; that's when they talk to each other automatically, is that what? Both get connected to each other, because when you're creating your load balancer, right, you create a target group. Makes sense? And then, I mean, the subnets, is it going to be the subnet that you're going to attach to that load balancer, or what? It's a target group. So within that, the Auto Scaling group would have subnets that it deals with when scaling in or scaling out, but now within that target group, those target groups will be tied to different availability zones. So it means that whenever you're creating an EC2 instance within that environment, that availability zone, that EC2 instance will be registered to the load balancer automatically. Okay, yes, automatically. Thank you. You're welcome.

Moa, go ahead. Yeah, I just wanted to clarify, in terms of the health check, is it directly to the instances or is it to the load balancer? It's to the endpoint. So if you're passing through the load balancer, because you're passing through the load balancer to get
to the instances, so the endpoint that Route 53 knows will be the load balancer, and the load balancer already has its own health check. So Route 53 will not even need to go right down to the instance, because the load balancer at all points in time is the same, whether the instance is healthy or not, okay? So Route 53 will just hit the load balancer to make sure that the endpoint is healthy, and then the load balancer gives it a thumbs up and then it routes the traffic. Makes sense?

Brandon. Yes, Prof, I was just trying to get it well in my head. So between the weighted routing policy and the load balancer, does it mean that the weighted routing policy would distribute the traffic manually, as you select, according to the weight, 30 or 70%, and then the load balancer will do the same thing but automatically? Is that the difference? So yes, in a way. Let me rephrase what you just said: with the load balancer you don't need to tell it how to distribute traffic; with Route 53 you need to tell it how it should distribute traffic. The process of distributing traffic happens automatically, but now you need to configure it with Route 53; with a load balancer you don't need to configure it. Makes sense? Makes sense, thank you.

Zan. Yes, ma'am. So it's either we use failover or we use a load balancer, is that what you meant? No. Or we can have both of them, with weight? Yes, yeah, weighted. No, no, that's not what it means. Look at what I just showed on the screen. You see that with Emma's question we were using a load balancer, but we still used the weighted routing policy, right? I'm trying to, okay, yes, we're using a load balancer. So in which, so on what occasion do we not need both of them, is my question? So on a normal day you may not need the weighted routing policy. You need the weighted routing policy only when you're doing testing; you're testing new software. After that testing is done you may not need it, unless you're running an active-active working
environment, which is rare. Then you can say, "okay, if I have two live environments running, why should one of the environments not be receiving traffic? Maybe I should send 20% of the traffic to the other environment just to make sure that it's alive all the time." You understand? That's where you can have the weighted routing policy. But other than that, you will rarely see environments that run a weighted environment, that use the weighted routing policy, because they rarely run two environments at the same time, because it's costly, right? Yeah, it's costly.

So in an issue whereby I have a small business that I know that usually, the max I'm going to have when it comes to traffic is going to be like 100 in a day, but I have some other customers in, like, Asia; I have customers in, like, Asia and America, and I know that there is a different policy, like compliance, in America and in Asia, or let's say China. So can I use, that would be like geolocation, right? Geolocation? Yes. Okay, yep. So there's another routing policy that's called geolocation routing policy, and that's what I wanted to talk about next. And that's a routing policy that gives you the ability to choose which specific resource you want to serve customers based on their geographical location, okay? So geolocation routing. Prof, I don't think we spoke about the latency. We did. Latency-based routing policy? Okay, all right, so latency, that's right. Let's talk about latency, latency-based routing policy. So latency routing is mostly used in cases where you have your application hosted in multiple regions. I've worked in environments where they have applications hosted in us-east-1, and then they have applications hosted in an Asia region, or they have some applications hosted in some Europe regions. So you can use latency-based routing policy so that customers that are in a particular region will be routed, will receive traffic routed, to customers
in the particular region based on the environment, the endpoint, that offers them the lowest latency, okay? So it's not going by their geographic location. It's basically, with the latency-based routing policy, it's measuring latency before it chooses where to route you. If I am in Dallas today and I want to hit an application, Route 53 would look at all the endpoints and weigh the one that gives me the lowest latency and route me to that endpoint. That's just what the latency-based routing policy does, okay? So let's put that in writing: the latency-based routing policy routes traffic to endpoints, or when I talk about endpoints I mean in this case EC2 instances, or maybe I should say application servers, to application servers with the lowest latency, okay? That's what the latency-based routing policy does. If this is Route 53, this is three regions, region one, region two, region three, I am located here, for example. I want to come to your website; my traffic will get routed to Route 53, and Route 53 is going to weigh which region offers the lowest latency. Let's say this one offers 5 seconds, this one offers 3 seconds, this one offers 1 second. Route 53 is going to take my traffic and route it to the one that offers the lowest latency. That's what the latency-based routing policy does: it routes traffic to application servers, or to endpoints, that offer the lowest latency, okay? There are some businesses that geoproximity is not important to them; they don't care where you're located. All they care is that you have low latency. Then if low latency is primary to them, they would use the latency-based routing policy, unlike the geoproximity or the geolocation, that would basically be based on your geographical location. The geolocation will be based on your geographical location, okay? So geolocation routing policy: the geolocation routes traffic, customers, to endpoints based on geographic location. You mostly use the geolocation routing policy when
you're running a business and you have customers in Germany, you have customers in France, and you know that your Germany web page has to be in Dutch, right, and then your France web page has to be in French. So you want every customer that's physically located in France to be routed to the endpoint that is in the French language, every customer that's located in Spain to be routed to the endpoint that's written in Spanish, every customer that's located in Germany to be routed to the endpoint that's written in the German language. So that's where you use the geolocation routing policy. Latency in this case doesn't really matter, but you have other things that are prime to you, or more important to you, than latency.

Geoproximity. So geoproximity, honestly, sounds a little bit similar to latency, but it focuses more on distance: which endpoint is much closer to you in terms of proximity than the other endpoint. That's geoproximity. Latency routes you directly to records that offer the lowest latency, but geoproximity focuses on the geographical distance between the customer and the endpoint. So it focuses on the distance between you and the endpoint. Okay.

For today's simulation we're going to touch on CloudFront. Okay, the few things that we're going to do: we're going to use our Route 53 domain that we created last week, we're going to connect it to CloudFront, so now the traffic gets sent to CloudFront, and then from CloudFront it hits an application load balancer, and then we have server one and server two. Now in server one and in server two we're going to have two different user data in there, and the reason is just because I want you guys to see the load balancer. You see that when you hit the domain multiple times, it's going to be trying to
balance the load, so sometimes you see the information that's in server one, sometimes you see the information that's in server two, and that's the load balancer doing its work. So this is basically what we're going to simulate today, to connect Route 53, and then incorporated in this we're going to use Certificate Manager, ACM, because we want to make this website secured. We want to make it secured, so you see that you need to open HTTPS, not HTTP, because HTTP will not work. You need to open HTTPS because we're using Certificate Manager. So we create a certificate, we install that certificate, use that certificate at the level of CloudFront so that our website will be completely secured, and then we connect it to Route 53. We create a routing policy: we're going to start by creating the simple routing policy, and then after that we'll create a failover routing policy so that you see exactly how that works, either failover or weighted routing policy, one of those, so that you see exactly how that works in real time. But the main goal for tonight is for you to see how all of this connects to each other. Okay, and then after tonight go and sit down, open a page on your OneNote and try to understand the different use cases of these different services. It's really important.

Zane? Yes ma'am. Yeah, go ahead, I'm here, I saw your hand up. Oh, it was up before, apologies, let me take it down. No worries. Victor? Yeah, hi Prof, so I have a question that just flashed by in my head as you went through. Can you go back a couple of slides? There's a drawing, keep going, keep going, back up, back up, that one. So if you look at this drawing, and again it has nothing to do with what you're explaining, the space between that AWS cloud and the VPC where Route 53 resides, that's also the same space that the S3 bucket resides in, correct? What do you call that space? It's like no man's land, really. We call it AWS global space. Ah, okay. And that is why you need VPC
endpoints, because there are some resources that reside in the AWS global space, for example SNS, DynamoDB, SQS, S3, Route 53, all of those different services. And so you need a VPC endpoint because if you want this EC2 instance to talk to S3, it would need the internet because it's out of that network, and the internet is not very secure. So with a VPC endpoint you make sure that that traffic remains secured with the endpoint. Okay, yep, thank you.

Event, how are you? Yes Prof, I'm fine, thank you. Please, my question is on the simple routing policy. Mhm, yeah. You said traffic is routed to a single resource, right, unlike the failover routing policy where, if the primary endpoint is unhealthy, it gets directed to another, or to a backup endpoint. So what happens with the simple routing policy, because there's no health check? What if the endpoint is unhealthy, how does that work, where does the traffic get directed to? It will still be directed to that endpoint. That's when you see 404, right? 404 means that you don't have any response when you're sending your request. For example, when you go to the website and you type google.com and then it just returns 404 errors, something like that, it means that there's no response, you're not receiving any response because the website is down. Okay, all right, thank you. Welcome.

Emma? I have two questions. I know you just mentioned that S3 was in the AWS global space. I actually thought S3 resided in the region, but now that confirms it's different. So I was expecting that question. The fact that you asked that question means you're thinking, which is really good; it means you're trying to process what I said. So S3 is very tricky. S3 resides in that global space, but when you're creating an S3 bucket you need to tie it to a region, okay, and the reason is because of data residency. Initially you didn't need to do that, but a lot of organizations that are storing data in
S3, they had issues with the fact that it was global, because data residency requirements may not permit some sensitive information to be stored in other environments. For example, you cannot take US citizens' Social Security information and go and store it in the data center that's in Europe. So because of those data residency requirements, when you're creating an S3 bucket, even though it resides in the AWS global space, you have to select the region for that.

My second question is on the hands-on. If you can take us to that diagram, I just have a quick question. I know you said we needed to create ACM, that's AWS Certificate Manager, right? We'll go to ACM and we request a certificate from there. And so this lies between CloudFront and the ALB, right, somewhere where you're making the request? You request a certificate for CloudFront, right, to make CloudFront more secure? Yes, you need a certificate to configure the CloudFront distribution. Yes. Okay, so where would WAF fit in, the web application firewall, because it's a security measure as well, isn't it, for CloudFront? Right, yeah, good question. So yeah, WAF means web application firewall. So WAF is not the same as a certificate, right? A certificate is just meant for you to have a certificate in place so that you can determine exactly the kind of traffic that you're receiving in your environment, but WAF is really a firewall that you can use to block traffic that's coming into your environment. And so you can create a WAF rule, which is the web application firewall rule, either at the level of CloudFront or at the level of your load balancer. You can choose, okay, and we'll talk about why when we go to advanced security tools.

I see hands up. Miriam? So regarding the services that reside in the AWS global space, how are they protected, how are they secured? Do they all use that certification thing, or does each service have a
different way of protecting itself? So when you want to communicate with those services securely, you use a VPC endpoint, especially the interface endpoint; that's why you have the interface endpoint there. You also have AWS PrivateLink that you can use to securely communicate with those services in the AWS space. Okay. And then of course encryption: you encrypt in transit. Okay.

With the SSL certificates, do we get it at all levels, especially if we're terminating at the instance level? Does it mean that we get one at CloudFront and at the ALB and at the instance? You can if you want to. So you can have a certificate even at the instance level; you can have SSL here, SSL here and SSL here, but the one at the load balancer and the one at the instance doesn't really make sense unless you have a specific compliance requirement for end-to-end encryption. It wouldn't make sense, because traffic that's coming from the public has to get to CloudFront before it gets to the other environments, right? So if you have SSL here, that should be enough. But there are some environments that would have it at every level, and that's what we call end-to-end encryption. Okay, thank you. You're welcome.

All right, let's take 15. We'll come back here at exactly 9:20 and then we'll do our hands-on. Prof, quick question: do we use the same certificate if, let's say, we wanted to implement it at all levels, or do we have to use different certificates? You use the same. You can use that same certificate for multiple load balancers. One thing you just need to know is that that certificate is tied to your domain; unless you have different domains, then you would need to issue different certificates. Thanks, Prof. Welcome. All right, talk to you guys soon.

S3 is a go-to service for static website hosting, so you would always put your static assets in S3 and point your static endpoints to the S3 bucket. So for dynamic hosting you would always be putting your assets in stuff like EC2
instances, either directly or using microservices, which we are still to get to, like ECS and EKS. So we are going to simulate a very simple setup for dynamic website hosting. The goal of the setup is for you to understand how the different features integrate: Route 53, AWS load balancers, CloudFront, and also to help you commit some of the things that we are talking about, or Prof is talking about, to memory as you do them. I'm sure you'll be able to commit some of that stuff to memory as we go ahead. If you have any question about anything, just raise your hand and we can always use that as an opportunity to expatiate on some of the stuff. Okay, how do I pronounce his name? M? Yes, that's okay. Okay, then somebody needs to share and we can start. Go ahead, is sharing. I was just about to... How come you're not owing? It's a new month, it's just the first, right, so he's not supposed to owe that much; last month is almost $30.

So we are setting up a couple of services which we already did before. We already touched load balancers, we already touched target groups, we already touched VPCs, we already touched EC2 instances, we already touched security groups. So in the runbook we need all these services, but you have the steps and you do not have pictures for those steps, because in the previous runbooks you already have that. Like I said, if we were combining all the things in one runbook, then one day I'm going to give you about 200, 300 pages here. So I assume that most of those things you're already doing, you already know how to do them, so we guide whoever is sharing to do that. But for the services which I think we are touching for the first time, you would always have a pictorial guide on how to go about that. Okay, yes, good.

So we have a simple architecture. Can you share the runbook? Let's just discuss the simple
architecture here. Good, we have a simple architecture here. This is a very, very, very simple architecture, but it simulates everything we want to talk about today. So clients, which is you, which is whoever, your family member you want to share your website with today, would go to your browser and browse the domain name which you created last week, and that domain name goes to Route 53. As you put your domain name in the browser and you hit enter, that traffic goes to Route 53. And how does Route 53 handle that? You remember we talked about walking the tree, so Route 53 walks the tree and gets the IP addresses from CloudFront, sends that back to your client, then your client makes connections to CloudFront, and CloudFront now has the intelligence to know that, oh, I'm just the front end, I need to talk to the load balancer, which is also another hop in front of the actual application web servers. Okay, any question here?

Yes, Po? What is the need of CloudFront? Is it for edge locations that cache data temporarily? It caches data; that's one thing about it. It caches data, improves... CloudFront has a lot of functionality, but basically it's a content delivery service. So content delivery is just a service: it does not host your content, it just sits in front of your content. Once somebody makes a request to your endpoint, to your website, CloudFront goes and fetches that information from the backend server that's actually hosting that website, then caches that website. So with CloudFront you can set the TTL, which is time to live: how long would CloudFront cache my content. So if I am in Europe and your website is in America, or your servers are in America and I'm in Europe, AWS CloudFront has these edge locations all over the world: Europe, Africa, Asia, Middle East, wherever. And when anybody from that point of presence where CloudFront is makes a request to your endpoint, CloudFront from the edge location servers will go fetch that content
then hold it in that location. So it means that if I set my CloudFront TTL to, let's say, 60 seconds or 6 minutes or 10 minutes or 1 hour, it means that CloudFront is going to hold that content in that location. If any other request is coming from around that location, CloudFront immediately serves it; it does not have to go back to the origin, or back to the web servers (the right terminology is origin), because it doesn't have to go back to the origin to fetch that content. Does it make sense? It makes sense, but it gives me another question. Does that mean the caching in this setup we want to do is going to be at two different levels? Because from the DNS studies of today we are aware that at the DNS there is a time to live also that you can set to also cache data, such that it's not fresh from the origin, but at the DNS level it is fresh temporarily based on the time to live. So given that we're talking about CloudFront now, shall we be caching data at the CloudFront end and then also at DNS, with the DNS time to live? Remember when we talk about DNS there's something, remember there's walking the tree. The DNS job is to go and find the backend IPs and give them to you. When you're talking about caching at the level of the DNS, you're not caching the content; it's caching the endpoint IPs, because when you walk the tree... when I talk about walking the tree, you understand what I mean, right? Mhm. Good. Is there anybody in the class that doesn't know what I mean by walking the tree? Okay, I assume everybody... Walking, what does that mean, sir? No? So it's the DNS walking the tree. It's a phrase: okay, when you go to the DNS, you're talking to the, what is it, root domain, that talks to the top-level domain, that then talks to the name servers that then serve the content. All that chain of events is generally referred to as walking the tree. You can just Google search "walk the tree" for DNS and it would explain it to you, it would show you what that means. We talked about it in our last class; if you watch the
video... I, pardon, the DNS lookup, right? Yes, the DNS lookup. We talked about this process in the last class, remember that? Yeah. So when caching at the level of the DNS, remember that the DNS job is just to look for those backend IPs, because computers don't understand names, computers understand IP addresses. So DNS is just a friendly way to say that, okay, this name that I'm looking for, this is the IP address. That's the DNS job. So DNS caching is: it gets that IP and it caches it. That's caching at the level of DNS. It's not caching content; content caching is at the level of CloudFront. Does it make sense? Perfectly, Prof, thanks. Okay, so no questions here, then we can go ahead. Was that clear to everybody? That's very important because, trust me, in your interviews you find people, they ask you questions like this. Okay, that was a great question. Was that clear, Emma, Ta, Franchesca? Yes, yes. Good, thank you. Please mind you: CloudFront is content caching, DNS is caching of the backend IPs. So it's just saying that because you can have, what is it, your load balancer, or if you're using servers without load balancers, these backends are actually servers, they actually have IP addresses. So the DNS job in the first place is to go look for those IPs and then send them to the client, which is your browser. All right, so it's sending them the IP. So if on the first request that you made it looked for the IP actually serving the content and it was 1.1.1.1, then if you set the TTL for your DNS to be 10 minutes, it means that every time somebody goes to your browser it's going to give it 1.1.1.1 as the backend IP. But if AWS changes that backend IP over time and your TTL is still 10 minutes, so if within 10 minutes AWS swaps the server and the IP changes, then when somebody goes to your server it would serve 1.1.1.1, but that's not the actual server that is serving your request right now. Does it make sense? Yes sir. Good, let's go ahead. So
we need to set up EC2 instances for our website, and for that we need a VPC. So let's use VPC and more, please. I assume everybody here already knows what we are talking about, so we are going to be fast. When we get to the crux of today, then we will take it a bit slow. So we go to VPC and more. So let's create a VPC. So you want to create a VPC, so you select VPC and more. We want to just call it R53; I will call it R53 so that we all know the VPC we are referring to today. Just put R53 from the beginning, yeah, R53 as the suffix, what is it, prefix. And we can keep the CIDR range it gives us. We want no IPv6. We want to choose two availability zones, number of subnets two, number of private subnets also two, that's fine, but we are going to put our servers all in the public subnets because we want to simulate failover routing at the end, and using IP addresses directly would be easier. And we do not want the gateways, we do not want S3 gateways, and we can create our VPC. Are we together? Yes. He's fast. Pardon? It was fast for me. So how do you name the VPC? Route 53, just put R53. Then what CIDR did you use? There's a default CIDR that it's going to pick for you, keep it. Okay, don't change the CIDR. The only thing you need to do is say that you do not want S3 gateways. The number of subnets is okay; it's going to by default pick two public, two private. For the demo we don't need the private, but that's fine. And no S3 gateways, and you hit create. Is this your first time using VPC and more? No, but he was fast for me. I'm sorry. No, that's okay, that's okay, you don't have to be. I was just curious because I think we've used this a couple of times. Yeah.

Now that we have our VPC, let's spin up some EC2 instances in the VPC. I'm assuming everyone on the call can do this. Is there somebody that cannot? No. Yes, you, Franchesca? No, don't mind me, I'm just joking. No, I'm asking because I know that some people joined later, some people missed classes. If you have a problem it's a good
time to pay attention and we can be a bit slow so you follow up. If you're not, then I assume we can use the speed of light. So for the EC2 instances, we need two EC2 instances, and we're going to create the first EC2 instance. I will call it server one, so it's easier, and we want to put it in the public subnet. So just call it server one. We pick our default Amazon Linux 2 that we always use, so go to Amazon Linux 2. We don't want key pairs, no SSHing into the instance today. We want to keep it free tier eligible. We want to make sure we're using the network which we just created. No key pair, proceed without key pair, not recommended. And we want to use the VPC we just created, so you pick the right VPC; it's going to be called R53 as we said. And we want to ensure we are putting it in the public subnet, so by default I think it picks the private subnet, so please make sure you put it in the public subnet. And we want to auto-assign public IPs so that AWS gives you the public IP. We want to create a new security group for our... Prof, sorry, the subnet, is it public? Yes, public, because we want it to be public. Okay. Please auto-assign public IP, very important, make sure it's there; if not you will not be able to do all our hands-on. Right, yes, enable. Want to make your screen bigger. We want to create a new security group for it. Let's just call it R53 SG so that we know that this is the security group we're always talking about. And for the security group you can give it a descriptive name, testing R53 routing or whatever you want; you can leave it like that, but it's a description. And we want to leave SSH, port 22, open. We also want to add port 80 and port 443, so we're going to add security group rules. Click on add security group rule, and type, you can say custom, HTTP; just scroll down, you look for HTTP, it should be there somewhere. Please, yes, after the description, the inbound security, what did you
do? Can you go back a bit? That's where we are. The first one by default gives you SSH; that's fine, leave SSH. Then we click on add security group rule, there is a small... do you see that? Yes, I... Good. So add security group rule, and we want HTTP from anywhere, that's fine. You add the third security group rule, which will be HTTPS from anywhere. Are we together? We need to pass in instance metadata. It's in the runbook; I would also put it in the chat. So you need to put in this instance metadata for our server one. So basically we are installing httpd and we are putting some text into index.html, and we say start the httpd, and just checking the config. So that's basic, there's nothing there. You sent this a couple of times. Please, can you put the metadata on Slack? Should I put the user data on Slack? Do you have a problem with it from Zoom? Yes, I find it difficult to copy. Can someone just share the runbook on Slack? Then you can copy it from the runbook. I put it on Slack. I did; the runbook is on Slack. Yeah, Miss also put the user data on Slack. Okay, yeah, okay, I can see that now. And let's just verify everything is as we want, then we launch this instance. So I want public IP, public subnet, we call it server one, ensure it is in the right VPC, then we can launch. Hold on, you used what, Amazon Linux 2, right? Yes, Amazon Linux 2. Let me see. Okay, all right, thanks. So let's launch. Then we do the same thing for the second instance, and we use the second instance user data. What do I do? We do not need key pairs for today; nobody's SSHing into the instance, so you can proceed. Yeah, please, I would always say just don't click; understand what you're doing. If you do not understand what you're doing, pause, ask me a question, then maybe I can elaborate, right? The goal here is not for you to click and see something in your browser; the goal here is to commit what you're doing and understand how things are talking to
each other. Okay, so I shared the second instance metadata, so you follow the same procedure: ensure you're using the right VPC, we call it server two, now you would use the security group we already created, proceed without key pair. Ensure we are in the... Do we use the same subnet or the second, the second public? You can use the second public. No, I do not want the private, I want the public. Oh, please, I said I do not want the private because I want public IPs for those instances, because in the last part of this runbook we want to simulate... Okay, I'm in public, okay, give me a sec. Can we use the same public, the one we used for the first one, as well? Why do you want to use the first one? I like to always put them in different subnets, since high availability is a very important concept when it comes to cloud computing. So always, if you have one subnet you put it there, yes; if you put it in the same subnet it's going to work, okay, to answer your question. I know, okay, I guess. So you can put it in the next subnet. So I was saying that I want these instances in the public subnet and to have public IPs because I want to simulate, or we want to simulate, failover routing at the end of the demo today, and we would be using the public IPs of these instances. If you do not do that you're not going to be able to do that at the end of it. This is just a use case, this is just for our demo purposes, but in work environments, I actually have one project that we're doing directly into web servers in a public subnet, but in most environments you would probably be using a load balancer for health checks and stuff like that. I would also show you what I mean when we get there. Auto-assign? Yes, auto-assign, auto-assign public IPs.

Prof, for the user data, what's the base64 encoded, the base64 encoding? How do I explain this? Have you ever seen a certificate, the raw data in a certificate? It looks like some gibberish, you don't understand what's there. Yeah, the key, like... Yes, that's base
64; that information is base64 encoded. So if you encode any information that it displays to you, you understand what I mean. Oh, so it means if we provided a key pair we have to check it? Key pairs are already base64 encoded. If you take this information, this thing, and you go to your server, there is base64 encoding always in the terminal; you can just do echo that information, base64 encode, then you'll see what output you get. Your encoding is some sort of not just presenting your information in plain text. So basically, if we base64 encoded, we check the box? Yes, but you're not doing that, so forget about the box and let's go ahead. Okay. If you base64 encoded, you have to check the box, because AWS is going to understand that it needs to base64 decode it before it can put it in your instance. Oh, thank you. So Prof, we use the same security group here, or create? Yes, yes, you use the same security group because you already created one. Okay, so that's fine, and you put the next metadata. When we go to Kubernetes you would see base64 very much, because all secrets and stuff in Kubernetes are, or should be at least, base64 encoded. Yes sir. So if you base64 encode this user data, you're just going to see some gibberish; you cannot read it, it doesn't make sense to you until you base64 decode it. So what if part of the data is base64 encoded, do we still check the box? If your data is base64 encoded, just part of it? Why would you encode part and not the other part? Maybe you have, like, because it's code, right, so you might be giving it some logic to take some code to access certain things on the system. I don't think... you're talking about your user data, right? Yeah, the user data. All your user data inside here is either encoded or not encoded. So I'm assuming AWS is asking you this information because it needs to either encode it before you put it into your server or decode it or something like that. I don't know,
but I don't see a use case where you have part of the data encoded and the other one not. So let's launch the second instance and let's go ahead, please. So at this juncture I am assuming we all have two instances running in our newly created VPC, and both instances have public IPs. Please ensure they do have public IPs. Once we have that, then let's create a target group. I can't find my other one, my second server instance. Are you sure you created it? Yes. Refresh, refresh your display. Oh, thank you, got it. Yeah, yes, Prof. So let's create a target group. So we created target groups here through one of our demos, so you should be familiar with it. So we go to EC2, to target groups, create target group. You still have your target groups here from books or something else you created. So you want to create a target group. I will just call it R53 target group, because I see that some of you already have target groups there. So instances, yes, so I call it R53 target group. Protocol is okay, IPv4 is fine. We need to select the VPC where this target group is, so the VPC which you created. I think the other defaults are fine; let's scroll down. Health check is good, next, and we register targets to the target group. So we select both instances, server one and server two, scroll down, include as pending below. Do you all remember this procedure? Good. Yes, Prof, there's no health check path, right? It's already there by default. So create target group. So the default health check path which it is using is fine. When you're working in an environment, your application team would always tell you the health check path, so then you would pass that. Okay, because they're the ones developing the application, they should tell you which path for the health check. Please give me a sec. Oh yes, Francisco, why are you quiet? You don't want to talk? I'm just walking in the background. So what do you want me to say? At least when you're going to the next thing, just let
people know that, well, this is what you are choosing and all that, because already the Prof is talking so I don't want to say anything. Can you hear me? Yeah, very well. Are we good? Yes, we are great. So do we have our instances registered and healthy? Refresh. Why is that still registering? Let's create an application load balancer. We already created an application load balancer some time ago. Who's sharing? Yeah, I can see you have stuff there from one of the labs. Yeah, and did you not clean up? I'm not worried about it, it's just some little change. Okay, let's create a load balancer that's using the target group which we just created. So we want to create an application load balancer. Prof, quick question while you're doing that. Yes? In the target group creation I noticed that it used the private IP for those two instances. I'm trying to figure out why it did that. It used what? So in the creation process, I just looked through the summary of each of those targets selected, the two instances selected, mhm, I didn't see any public IP in that list, I just saw the private IP. So it doesn't matter at this point, really, that it didn't display the public IP of those two instances? I don't know whether it happened... Please go back to... But I understand AWS tends to always use private IPs, but yeah, that's a good thing, I guess, because it won't change; it would change when the EC2 is restarted. Yeah, private IP. Please don't change, please scroll, go down, I want to see the target groups. Wow, you have a lot of them. What was it called, 53? Yes, go, scroll down, I want to see, go to the right. I didn't see it though. It's not here on this one, but just before I created it and I selected the two instances, it only displayed the private, and I guess that's the question I was asking. Maybe because that doesn't change. Yeah. Why is this unused? Can you refresh the page? Are we
having healthy targets for somebody? This is taking more than... Target groups might show unused as well. Well, it's probably because we don't have an ALB associated yet, I believe. Yeah, okay, let's go ahead, let's go ahead with the load balancer, please. So we want to create a load balancer, just call it R53 ALB so that we know we are talking to R53 LB, so R53 LB, an application load balancer. We want it internet facing. Internet facing means it would put its nodes in the public subnet. We want IPv4, that's fine, and we want to put it in the VPC which we created, R53 VPC. Then we want to enable the two availability zones that are used for our VPC. So you have a problem with the first one, 1a, because your load balancer is internet facing but you're putting your node in the private subnet, so you need to change that. Are we together? Just hold here. Are we all here? Yes, yes. Please ensure that your load balancer nodes are in the public subnet. If you put it in the private subnet it is going to display that message. So if you look at the screen, if you put it in a private subnet then it is going to tell you, oh, there's a problem. So ensure that you put your load balancer in the public subnet. Somebody was about to ask a question? Okay, let's go ahead. So for the security group for the load balancer, you can use the one we created, and listener rules, HTTP is fine. Okay, so at the level of the load balancer you can either have HTTP or HTTPS, all right, so if you want HTTPS then you would need to add the certificate here, but we would do that for CloudFront. Okay, can you scroll up a little bit for the... okay, okay, R53 security group, got it. Are we together? Yes. Are we doing both HTTPS and HTTP or just... No, you can do both, but for the simulation for today HTTPS would be handled at the level of CloudFront, so our origin request from CloudFront to the origin, which would be the load balancer, will use HTTP,
So we are telling the load balancer: please accept HTTP, because CloudFront is going to use HTTP to make requests to the load balancer. However, you can also tell CloudFront: please, I want you to only do HTTPS to our origin. Okay, so some actually have that; one of my projects here, it's a bank, and the environment was running like that before I joined the company, but later on there was a security incident and people were reviewing all their security stuff, and we had to change that. So the CloudFront origin request could either be HTTP or HTTPS, or you can tell it to use the viewer request. Have we covered CloudFront in this here? No, that's the next thing we're supposed to do. Yes, because when I'm trying to explain the things I want to use some phrases and I'm wondering if you're going to get it. Please use it. CloudFront has two distinctions when it comes to requests: there's one we call the viewer request and there's what we call the origin request. The viewer request, from the name, is the viewer making the request via your browser: so you go to your Route 53 domain name, and that domain name talks to CloudFront; that's the viewer request. The origin request is your CloudFront trying to fetch your content from the back end. So there's this distinction between the viewer request and the origin request. So you can tell CloudFront that I want my viewer request to only accept HTTP, or HTTPS, or both, and you can also tell CloudFront that I want my origin request to be HTTP, HTTPS or both, or you can tell it to either redirect HTTP to HTTPS or match the viewer request. That's a lot of information. Yeah. Yes, let's go ahead. So in this instance what you're trying to do is, on the origin side it's going to be HTTP? On the origin side, yes. Exactly, on the origin side it's going to be HTTP, but on the viewer request side it's going to be HTTPS. Okay, good. Don't we have to select the security group? Yes, you can pass your
security group at the level of your load balancer. Go ahead. Go up, because I think that you didn't select a target group; you need to select the target group. That was just me. Target group, yes, like the target group which we just created. Are we together? Yes sir. Yep, scroll down. So we do not want to include WAF; that's okay, leave that unchecked. We are not using Global Accelerator, and that's fine. So this looks okay, scroll down. Sorry Prof, my target group is not showing up for me to select; is that okay, is that normal? Because I can't proceed without it. Most likely because you're using a different VPC for the load balancer and a different VPC for the target group; please check that. If you're using different VPCs it wouldn't work. No. Did you create your target group? Yes, I did. Can you see the target group? Can you share? We can use one or two minutes to figure out what the issue is. I think you can just override what's here; I'll sort myself out. No, please share it; in under two minutes we can figure out what the issue is. Can you share? Yeah, I can share, but I created a target group and I can't see anything there now. Yeah, that was ... stop, no, no, no, don't worry. I can't see anything. Share, share so that, you know, share so that tomorrow when I try to do it by myself I can remember, you know, because of all this. Yeah, and the reason I want you to share is because we are still at the beginning of this demo; there's still CloudFront, there's still the other things we need to do; if you do not have this target you can't go ahead. Can you share? Sharing, please. Stop sharing. I'm sorry, I thought I did already, I'm sorry. Share right here. I am. Can you see my screen? Yep, yeah, yeah. So I created the target group; I can't see any. Refresh your browser; go up to the browser at the top, top left, top left, refresh. Did you? Yeah, then I'm not so sure you created the target group. Just create another one. Yes, just go ahead and create another one. I guess you did all that but you did not hit create at the
end, maybe. Okay, thank you. Just create another one right here; let's see, fast. So yes, you have instances, so target group: create target group, instances, that's fine. Scroll down. You need to select the VPC here, Route 53. Protocol is fine, health check is already default. Wait, wait, wait, did you name it? Give it a name please; so Route 53 target group, no spaces, that's fine. You understand what that is. So go down; you should go to next: register the targets, select both instances. Sorry, can you stop here for a minute? This is what I was trying to show you earlier. To the right, scroll to the right, let's see, scroll to the right. Yeah, there, it's okay. Good, yes, I can see what you mean here; that's fine. Okay, go ahead. So "include as pending below", did you already do that? Yes, yes. Yeah, then you click on create target group. Ah, I didn't click that, yes, I didn't. Good, thank you. Okay, thanks. Okay, so now we are creating the load balancer; can you just go ahead and create a load balancer? Who was that? Yes, me. If you still have the browser tab where you were creating the load balancer, where you're looking for your target group, just go there and refresh it; now it would appear. Okay, thank you. So we're good. For the load balancer you can hit create, so AWS will provision your load balancer in the background. Now we want to request a public certificate with ACM. So why is it creating in the background? Can you hear me? Yes. Why does it create in the background? Let's go request a certificate for the domain. So ACM is another AWS service like Route 53, so you just open a new tab and you search for ACM. So ACM stands for Amazon ... what? Certificate Manager. So ACM is basically a service from AWS where you can request certificates for your domains. There are so many of them out there, open source solutions like Let's Encrypt; I think it's cool. The second one. So right there we can see "request certificate", so we want
to request a public certificate. So you need to pass in your domain name here; so the domain name here is going to be the domain name you registered in the last class. What's his name, the person that did not create a domain last time, that we created a support ticket for? Jude. Jude, he's not here. So Prof, we're going to use the domain name we created? Yes, you're creating a certificate for your domain name. So your certificate is basically to ensure that communications to your website are secured with SSL. Okay, and for you to enable SSL or TLS encryption you need certificates, and you cannot create a certificate for a domain you do not own, because when you're requesting a certificate for a domain the certificate authority would always try to ensure that you're trying to create a certificate for a domain you own. Does it make sense? Yeah. I cannot go today and request a certificate for amazon.com; I do not own the domain. During the request procedure, or the request process, whoever is issuing that certificate will try to ensure that I have the right, the authority, over that domain. So your domain which you created last time, Franchesca Apoko, I think, if I remember, if you remember my domain name.
Yes, I cannot request a certificate for Franchesca Apoko's domain because I do not have authority over that domain; you cannot request a certificate for my domain. Okay, so please, at this point you put in your domain name, so it's going to be different for everybody. Is that understood? A question? Yep. Good. You said this is for an SSL certificate; is it ... because I know that there are two certificates for in transit, TLS or SSL, so how do ...? It's the same thing. The same? Okay, same thing. SSL is the old protocol, TLS is just the modern protocol, so they are basically the same thing. Okay, so if you're reading documentation people use that interchangeably. All right, it's just the same. So the fully qualified domain name, the one with the "www."? Because the info has no ... The "www." is a subdomain, that's the thought. Okay, so the fully qualified domain name here is your TLD, your top level domain. Okay, so heymans.com; it means that you created a hosted zone that has the name heymans.com. Is there something behind your hosted zone heymans.com? Why am I seeing Chinese? Hey, okay, it's heymans. Okay, I'm trying to reach the domain, I'm seeing heymans. So then, okay, finish. Okay, I guess there's nothing behind this, your website, your S3 bucket; you took that down? Okay, it's still available; this is it right here, heymans.com? Yes. Good, I can reach your domain. Okay, we want to create a certificate for this domain, so you put the top level domain, that's fine. Then we can add another name to this certificate; so this is where you can add subdomains. So if you're having heymans.com and you want to say, what is it, test.heymans.com, pro.heymans.com or whatever subdomain; if this, your heymans, if you're selling clothes or you're selling whatever, you have a hardware store, you can put hardware.heymans.com, you can put clothing.heymans.com;
those are basically subdomains for your TLD. You understand what I mean, right? Can we circle back and do that after we've created the first one, after we've requested ...? Can we always go back and do the subdomains after we've requested the main, the TLD? Yes, you can do that, but in that case you'll be having two different certificates, but I want the certificate to be able to handle the top domain and the subdomains. You understand what I mean? So it means that you can use one certificate for your top domain, heymans.com in this case, and the same certificate will support numerous subdomains. So for us to support numerous subdomains we can use a wildcard. So you go to "add another name to this certificate", then you just put *.heymans.com. Okay, okay. So this star here means anything before .com. All right, so one level: you cannot have victor.m.heymans.com; it can only be victor.heymans.com. You understand what I mean? Got you. A quick question. Yes? You can have multiple domain names pointing to the same server? Yes, you can; it means you'll be having different records. But why would you do that? But that's possible, right? Okay, because, yeah, it's because I read somewhere, it was about Amazon, I think relentless.com points to amazon.com. What? relentless.com points to, like, the main Amazon website. Relentless? Yeah, relentless.com points to amazon.com; I think it was the initial DNS name that Jeff Bezos came up with. Yeah, you can have records; it's about records. In that case you would have something like relentless.com creating a CNAME record that points to amazon.com; Amazon is a CNAME. So you can play with that; there are so many different ... So it doesn't necessarily have to be a subname? What do you mean by subname? Because a subname still has the domain name inside. relentless.com and amazon.com, those are two different TLDs, these are two different top level domains, but you can have amazon.l.com, you can have something, whatever it is, for the subdomain of your TLD. Is that ...
Does that make sense? If it doesn't make sense you tell me, so I explain it another way. So you have your top level domain; in this case we have Heyman, heymans.com, hope I'm pronouncing that right. In this case we have heymans.com; this top level domain does not change, but you can have so many subdomains, which is anything before .com, represented here as a star. So it could be test.heymans.com, it could be pro.heymans.com, it could be whatever.heymans.com, it could be example.heymans.com, anything.heymans.com. This star represents the subdomain. The minute we change the top level domain, those are two different domain names. So the question is, can you have two or three top level domains pointing to the same ...? Yeah, you can have that, but why would you have that? It doesn't mean that to reach your ... I just wanted to know if that can be configured. That will be configured, because you're creating it at the level of records; whatever back end, you're telling that record it would point to it. But there is no way you're going to have that on the public internet; there's no way you're going to have an application live like that. Okay, a quick example is when you type fb.com it still leads you to facebook.com; how did they do that? That's a CNAME redirect; it's a redirect, it's a CNAME. So you can chain, how do you call it, you can chain records. What's the thing you called? fb.com, yes, it leads you to facebook.com; it's a redirect. I don't know how you guys got ... and you know a lot of people do that, where if you make a mistake in the domain name, you know, big companies, it still takes you to them, stuff like that; it still brings you to the same thing. Yeah. So give me a minute please. Pending. Sorry, so to the person that said fb.com and facebook.com: if you do dig fb.com and you do dig on facebook.com, you will see that they're talking to the same back end; the answer section for that thing is still the same. I just did it; it is 15 15957 2402 2735. They're talking to the same back end.
So yes, you can always have that. All right. Can you repeat what you said? You said you did a dig? Yes, dig on your terminal: dig, space, then the name. Oh, dig, got it, no problem. Pending validation means I have to go to my email and ...? No, no, please, it's far easier to use DNS validation. So email validation is fine; if you use email validation then it means that the certificate authority is going to send you an email, a link, to your email address, the email address which you associated to this hosted zone when you were creating it, you remember, when you were registering the domain. That's where they're going to ensure that you're the owner of that domain and you can request the certificate. But DNS validation, once you're using Route 53, is way easier, so we will use DNS validation, and scroll down and we create. I think that's okay, we request. Once we request it is going to stay pending; then you can scroll down, at some point here, just give it a minute, it's going to give you the ability to tell ACM to create these records directly in Route 53. That's it, right up there: "create records in Route 53". So once you hit create record, if you go to your Route 53 hosted zone now you'll see that ACM has added some records in Route 53. Now this is possible in AWS because it already knows your hosted zone and it also knows your ... so it can establish that trust. Okay. It does take a minute to validate. Are we together? So now we can look at our certificate; it should be issued. So once the trust is established the certificate should be issued; just refresh. Good, so our certificate has been issued. After clicking the request, how do I validate the record before creating the record? You don't create the record; you just go to the domains. Can you scroll up a little bit? At this point, once you click on request, scroll down a bit; at this point here you can see it says "create record in Route 53"; you just click on this. Okay, okay, thanks. So in your case it will still be pending;
this will stay pending until the records are created. So now we've requested a certificate for our domain name and we can proceed once we have the certificate. Now let's create a Route 53 distribution, sorry, a CloudFront distribution. So we just go to CloudFront, another AWS service. What do you need? CloudWatch? No, CloudFront, CloudFront, CloudFront. Yes. Are you good? Yeah. So we want to create a CloudFront distribution. The main feature of CloudFront is called a distribution, so the distribution is where we configure everything about our front end. Okay? Remember, right, give me a minute, we're still coming there; this is where we allow HTTPS. So if you remember when I was trying to give an overview about CloudFront I told you about an origin, which is where CloudFront actually goes and fetches the content, you remember. So this origin could be S3, it could be your load balancer that is talking to your servers in the back end. So we go to origin, choose origin domain; so you click in there, you can see; so, heymans, give me a minute, these are the different buckets you have in your account: www.
testing bucket. So it could be any of these origins, but we do not want an S3 origin; we want a load balancer origin, so we will select the load balancer which we created today, Route 53 LB. Does it make sense? Miriam, you have a question? Yeah, I was just wondering, can a corporation use the same process to assign private email addresses to their employees? I do not understand. Maybe she's trying ... why are you thinking about ... is it like companies, right? I'm sorry, is it companies? Yes. Okay, why are you thinking about emails? The reason I thought of that is because, I don't remember the specific place, but where he put the asterisk dot heymans.com, it signifies anything, whatever comes before, right? So it could be the employee's name, right? Yeah, no, that is for the certificate for the domain. So if you want heymans.com to have an email server then you can go with a subdomain and you have email.heymans.com, but there is another service that will require that certificate, which is called SES; it's Simple Email Service, that's another service in AWS. Okay, but now to secure your email server you need a certificate for that security, and you can use the same wildcard certificate in that case, and the domain for the email, or the records for your email, then will be email.
heymans.com. Make sense? Yes, it does, thank you. You're welcome. So you see, this is what I was talking about: the protocol. So these are the different protocols that CloudFront can use to go to the origin; so the protocol will be HTTP only, HTTPS only, or match viewer. Match viewer means if you go to your browser and you're doing HTTP it would match that viewer request to go to the back end: if the viewer request is HTTPS you use HTTPS to go to the back end, to the origin; if the viewer request is HTTP you use HTTP to go to the origin. So we want HTTP only for now. So there are environments that would want to support these different protocols. Okay, so enter your HTTP port; what is it, 80, which is the default HTTP, it's fine. Origin path, we can leave that. Okay, so we already have a name entered for this origin because we selected it above; we have everything entered here. We have to configure the cache behavior settings, so we scroll down; so this is where you have the viewer protocol. Hold on; Miss, can you please go up a bit? Origin, origin, nothing, nothing, no, that's fine. Because, for example, the origin path here is, for example, when you go to an environment, they are serving that content at a specific path, so if you do not pass the path to that content you will not be able to get it. All right, all this information would most likely be coming from the dev team, whoever developed the application, to tell you at what path in the server, or at what path, this application is available. Okay, so that was for the origin request. So now, and then, did you enable the origin shield, or is it no? Okay, okay. So keep the settings as default. We want to change the default cache behavior; we want to compress, that's fine, default is fine, yes, and we want to change the viewer protocol policy. So viewer protocol policy here means what protocol is the viewer using: is it HTTP and HTTPS? It means that CloudFront will accept those that come to your website without TLS, and we do not want that; we want
to tell CloudFront to redirect every request that is HTTP to HTTPS. Okay, so we are forcing TLS for every request here. You can also tell your CloudFront that I want HTTPS only; it means that if you go to your browser and you type HTTP for the domain name then it is going to throw you an error. So I haven't faced a use case, but maybe there would be an environment that says that; okay, no, we do not want it. Most environments would always redirect HTTP to HTTPS so that we can serve requests from wherever. Okay, I'm not sure I understand that. Okay, you remember as you go to facebook.com, if it's secure, if you look at the browser it always tells you if it's HTTPS or HTTP? Yeah. Good, so when you look at the HTTPS it means that it is using TLS to establish that connection. All right, however, there are some websites that do not have certificates; if you've gone to some websites they tell you that the connection to this website is insecure. Have you ever faced that? Yeah. It means that that website is not secured; there's no certificate attached to it, or they are using a self-signed certificate; that's another topic of conversation, not for today. So in that case, if your website is sitting behind a CloudFront distribution and you say "I want HTTP and HTTPS", it means that those that establish a connection without a TLS certificate, without TLS security, will still be able to reach your endpoint, they will still be able to reach your website; those that establish it with TLS will be able to reach your website. But most environments don't want connections to their endpoint that are unencrypted, so to ensure that all requests to the website are encrypted, we would tell CloudFront that for anybody that comes with HTTP, please redirect them to HTTPS before you establish that connection. Does it make sense now? Yeah, it does. So the redirection has to be done before you can have access to that website? Yes. Okay, thank you. Let's go ahead. So we want to also
configure the cache key and origins; we want to configure the caching policy, so we scroll down. So CloudFront has something they call cache policies; we're not going to look at it today. We just scroll down, go back up, and under cache policy, in the drop-down menu, we want to disable caching here. Yes, right here, give me a minute. Yes, scroll up; it's up. Yeah, that's the second one, the second one. Yeah, so when you disable caching here, do you understand what will happen with CloudFront? It means that each time CloudFront is receiving a request it goes to the origin. All right. Wow, doing that here, I mean, isn't that one of the core features of CloudFront? Yes, that's one of the core features of CloudFront, but we're doing it here just for simulation, so that as you're hitting the browser you would see that it is going to the back end and serving the different content from the different EC2 instances which we created. Yeah, the public sub... Yes. However, that's one of the core features, but another feature, some environments can use it because they don't want caching at the edge location; maybe they are changing information every time. All right, let's go ahead. So in other words there's no TTL? Which means, yes, in other words there's no TTL. So we scroll up; scroll up, I think we have to scroll up; was it down or up? I think it's down; you need to scroll down so that we can enable the TLS for CloudFront. Yes, down here. We do not want to use WAF at this level with our CloudFront, so we do not enable security protections here, right here. Are we together? WAF, okay. So we do not want to enable WAF with our CloudFront distribution. Hold on, how did he get that? Just scroll down. What if you don't select anything, will it default to enabled? Yeah, it will, I think by default it's enabled. Okay, okay, we do not want that, so let's scroll down. So the price class: you can use edge locations all over the world, or only in America and Europe, or America, Europe,
Asia, Middle East, Africa, whatever. So we're doing this just for the demo, and after this we'll disable that, so that's fine; so you can use all edge locations. Then scroll down; we want to configure SSL, so we want to add an alternative domain name. So we first of all need to add an alternative domain name. So this is where you tell it, because AWS has a default domain name for your CloudFront distribution, so you can either reach your website using the AWS default DNS name, which doesn't make sense because you do not control that, or you can add an alternative domain name; so in this case your domain, the domain name that you own, heymans.com. So you can either reach this website via heymans.com, or you want to use a subdomain, www.heymans.com; you can also add www.heymans.com at this point with "add another". Okay, if you want; so if you want www.heymans.com to reach this website then you would do this at this point. So because you're adding an alternative domain name we want to also configure SSL, so you would click on SSL and ... a question, please? ... the certificate you created; just give me a minute. And you select the certificate which you created in ACM. Once that's done, scroll down. Wait, wait, wait, wait, wait, oh no, what happened? Scroll down. So there's logging for CloudFront, there are different protocols; we do not want all that, so we can just leave the defaults. And hold on for me, I've been logged out of my account, I don't know why. Yes, okay, the question. So you can create a CloudFront ... Francisco, we'll take it through; somebody had a question? No, it's okay Prof, I don't think I make sense. It's fine, ask this question that doesn't make sense. Okay, like when we were creating the certificate, we did star dot, for example, star dot domain name; can we also do that here, like when we say alternate domain name, like adding the asterisk? So, you need to add the domain name, the subdomain itself; you cannot just put a wildcard. Oh, okay, thank you. So the wildcard certificate, you remember the star dot, that was so
that in this case "www.", which is a subdomain, will be able to support SSL, because "www." in this case represents the star; that star is like a placeholder for every character that comes before heymans.com. So in this case it's "www."; it could also be test.heymans.com, it could also be pro.heymans.com, it could also be whatever.heymans.com. Does it make sense? Yeah, it does, thank you. So, and to Victor's question that he asked: if you remember, when we were creating the ACM certificate we used the top level domain, which was heymans.com, and *.heymans.com. So if we did that for just *.heymans.com, this top level domain here, which is heymans.com, will not be able to support that SSL. You understand me? Does it make sense? Victor, is he here? Yeah, I was muted. Did you get my explanation? Okay, let's go ahead. Wait for me one minute please. So it's like, because the top level domain doesn't have anything in front of it, and then that other subdomain has the star, which means anything that has something in front of the top level domain is what it will give the certificate to? Yes. Yeah, but the other one doesn't have anything in front of it, so it doesn't get one? Yes. Okay. So after I select my certificate I just go ahead and create, right? Did you add your domain names? Yes, I did. Did you add the TLD, the top level domain, and the subdomain, which is www, Francesca? Yes, yes. Then you can create. Okay, thanks. So once you create your distribution, if you just go to CloudFront distributions, select the distribution, this is here; scroll down slowly please; up, up, up. Can you close all these popup tabs? Thank you. I want this; you can take this; this is the default domain name that AWS always gives to every distribution; it's always something random followed by
cloudfront.net. We do not want that, but you can also take that to the browser and see that your CloudFront is talking to the right back end. So you see, if you refresh, keep refreshing, you can see that it's talking to a load balancer, because the load balancer was the origin which was selected, and that load balancer is balancing the load between the two EC2 servers that are in its target group. Are we together? Does it make sense? Yes. I'm expecting a chorus answer. Yes, yes. Cool. I've tried this before without the CloudFront and it still worked. Yes, because CloudFront is just a front end; it's fronting the load balancer. So if you use the load balancer, it also has a DNS name, it will do the same thing; so it's balancing load to whatever targets are connected to it. They both have different data, so how, like, if I go to this website now, for example, okay, it's giving two different data? Give me a minute. So for this demo we wanted to show you two things: we wanted to show you that the load balancer is actually talking to the different servers that are inside its target group, server one and server two, right? And that's server one and server two because, you see, we gave two different user data for server one and server two; so these are the two datas that we supplied to server one and server two. In the real world you will not have two different servers with different data talking to the same load balancer. You understand what I mean? Yes, yeah, got it. No, you would have, but they will be in separate target groups; so you will not have servers with different content in the same target group. You understand what I mean? So this was just to try ... because we're telling you that the load balancer is balancing load to servers, we just wanted you to also see that. Maybe, and so, it makes sense to you? Okay. It doesn't make sense? Good question. I'm just saying that what you just said makes sense, because
when I try to refresh it's not refreshing, it's only going, or it is refreshing but still going to the same page; but then I just realized that one of my targets is unhealthy. Yes, and if one of your targets is not healthy then the load balancer, remember we also talked about the load balancer using health checks to ensure that everything in its back end is also healthy; so if the target is not healthy then it keeps going just to the healthy target. To the same one? Yes. So Prof, in his situation, if auto scaling was configured, it will create a new ... Exactly, if auto scaling was configured it would kill that server and now start bringing up a new server, add it to the target group and register it into the load balancer, and once it's healthy it tells the load balancer, oh, I have a new target for you that's healthy. The load balancer also establishes its own health check to make sure that that guy is healthy; if it passes the health check then it starts routing traffic to that back end. Are we good? Yeah. One more question. So in the real world, assuming you have the two target groups, one target group will be getting one set of, like, having the same user data that one of those EC2 instances have; then the target group will have a group of servers that have the same message, that's what you're saying, right? So a target group is basically a group of instances serving the same content. Okay. So you can have so many different target groups; one load balancer can support, I don't know the maximum, but it can support different target groups with different back ends. So now, if you remember, when we were doing the load balancer we configured routing rules and we used, what was it, was it booking or something like that, I've forgotten what exactly, but we had two target groups and we were routing based on rules to the specific target group. Do you remember that demo? Order and payment. Order and payment, thank you
very much. Okay, so it means that in that target group for order, all the EC2 instances that will be in the order target group will be serving the same content; all the EC2 instances that will be in the payment target group will be serving the same content. Okay, and based on the load balancer rules which you would define, it would know which target group to route your traffic to. We did that in that hands-on, you remember? Yeah. Good, hope some of these things are making sense. How did he get this page right now? Because I know I was able to get my distribution domain name, but how did he get this one today? Just put the distribution domain name in the browser, that's it. I'm not getting what he had; I think mine is different. Keep refreshing. It says "JJ Tech distributor recovery strategy". Refresh, refresh. Okay, now we are talking to the CloudFront domain name which AWS gives you by default for every distribution which you create. But if you remember, we said we want this distribution to also handle alternate domain names; scroll down here, and we said we want it to handle heymans.com and www.heymans.com. However, we do not have records for this. Now, the cloudfront.net works because by default AWS has already created a record for this domain name in their hosted zone, the cloudfront.net hosted zone; so we need to also create our own record in our own hosted zone that points this to this distribution. Does it make sense? Because if you take www.
he.com to the browser now can you take that to the browser I expect it to not Ser any backend do you know why we seven this back end it's catched no this TPS no can you can you hit enter do you know why it's saving this back end somebody tell me why it's the static one uh yes because in your hosted Zone in your hosted Zone you already have a record for this hs.com that's pointing to a different back end okay so for you to point to the right to the right to the back end today you need to go create another record he.com that is pointing to the cloudone distribution so we go back to our hosted Zone my God what's your time some few minutes to 3 just to 11: yeah 4 minutes to 11: so go back to where route um Route 53 okay so search for about 53 please let's be fast so I don't keep you for long so we can do the routing policies and we go so this is we are going to create a simple routing policy to talk to our Cloud distribution so what it means is before we have not connected our to our right we're just about to do that pardon we haven't connected our we haven't link up our our to our to the instance that we have to the Ser yes we haven't linked Route 53 to Cloud fund which links to the load balancer which links to the instance yes we have so usually if we just put you know the domain name is is not going to find anything no the domain put putting the domain name in Cloud fund doesn't do anything it's just telling Cloud fund that you can also be available under this domain name but you need to create a record that points to that domain name distribtion yes that's what we want so if we haven't link up the ra to that and we just put in our domain name it's not going to find anything in it's it's not supposed to find anything else so let's create our record M please let's be fast we go to the hosted Zone here click on the hosted Zone nine you're creating a Hoster Zone we want to create a record in the Hoster Zone yes so hold On's so you go to hosted Zone yes click on hosted 
Zone can you can you remove this so we have space to see good and we want to create a record for h.com but now you already have a go back please go back if you continue with the simple routing policy for hm.com it's going to tell you that there's already a record there called hm.com so we need to delete this record he.com so you cannot have um two records for a simple routing policy with the same name it doesn't work okay we need to delete this the one you already have we need to delete both type a record what do you mean by both type A because you have the the subdomain as well I have the subdomain yes you also delete both if you want to create a subdomain for the type A just let's be fast then now we create a record I'm I'm not getting what which one we should delete okay be very careful do not delete any record that says NS o OA that will mess up your host Zone it's fixable but we don't want to do that so if you remember um in your hosted Zone Francesa you have a record for what was it Franchesco something it's a simple record that is pointing to an S3 bucket those are the records we want to delete so there's an a record that points to an the A1 yes there's an a record that points to an S3 bucket another a record for the subdomain that also points to another S3 bucket so those are the ones we want to delete okay please ensure you select the right records Fran do not delete the a record for the simple for the right so I'm deleting the ones in the S3 bucket right the ones that point to the S3 bucket yes okay thank you and then afterwards I go to create record after that we go to create records and we want to create a simple routing so using the wizard you just go to simple routing we did this last time right so you should be familiar with this this place already I think so but so do I go to switch to wizard yes switch to wizard by default it will stay it will take you to the quick crate menu it's also you can also use that but wizard is easier okay so switch to 
Wizard and you select the simple routing policy which you have here yeah and you scroll down you go to next we want to configure the simple R record so Define simple record so we want to create it for the top level domain just like we did last time so that's fine we leave it as it is and record TI route to IP address and some AWS resources so we choose the value to Route the traffic to you choose endpoint now that's okay so choose value to Route traffic to so we are routing to rout to Cloud distribution so you select Cloud for distribution you already pass it as it I so the next yeah there you go so once you select the cloud from distribution you should be able to find the cloud for distribution in your account now so choose the distribution the distribution we created is already there then def click on Define simple routing and create record are we okay um hold on BR a quick question please should go please so go back to previous go back to previous yes quick from switch to reason can I ask my question real quick please yes go ahead so under the hosted uh Zone um there were four NS assigned is there a reason for that there four name servers yeah four name servers so the name servers is whenever you create a hosted Zone AWS always creat those four name servers for you so those name servers are basically the authoritative name servers for that hosted Zone by default they four are they all equal in um what is it in Authority they all equal is also ensuring high avability on AWS side so it's not something you control or something you should bother about by default AWS will give you that okay thank you wait please we routing it to Cloud s yes you have to route route to but I don't see that I don't see that option on should be there I see ip5 I pv6 see name not not record type record type you leave it a r traffic to ipv4 address then you go down to Value to route your traffic to there is where you look for cloud from are you together are we together I can't see it on my 
What are you... where are you looking at? Just read it well. Under record type, the record type, leave it as it is. It's by default "A: routes traffic to an IPv4 address and some AWS resources". That's it. Then under "value to route your traffic to", this is where you look for CloudFront. Look at his screen please, it's already there.

Yeah, I've seen it now. Thank you.

Welcome. So once you select alias to CloudFront distribution, then you're able to select the distribution which we just created.

Question?

Yes. So I think... oh okay, don't mind, that's fine.

That's okay, it's okay. Then let's define our simple record. Let's just go ahead and finish with the runbook, then I can take questions after. Okay, so we don't make the record too long and also keep people here. So once you create the record now, you should have a simple record that points to your CloudFront distribution. Yeah, so before it was S3, now it's your distribution. So now if you go to he.com in your browser, you should be able to reach this back end. Does it make sense?

Yes sir. Do we do the same for the subdomain?

Yes, you can do the same for the subdomain. So you can do the same for the subdomain, but that's a simple routing policy. Please let's just hold on, let's finish with failover routing, then you can test the subdomain as you go ahead. So we want to create failover routing, and for us to do failover routing there are so many ways to do it. So you can do failover routing to your load balancer and to an S3 bucket, or whatever setup which you have in your environment. For us to simulate it here, we want to use the public IPs of the two instances which we created. So failover routing is all based on health checks, right? So Route 53 has to do a health check to ensure that the record, or the domain which is talking to it, has to health check the back end to ensure that it's healthy. So once it detects that the back end is not healthy, then it fails over to a secondary record which you created. Okay, does it make sense?

Yes sir.

Good. So let's do failover. For us to do failover routing we need a health check. So you go to Route 53 and you click on health checks. We want to create a health check, but let's create a health check for the first instance. So I can call it instance health check, so I can say server one health check, or server one instance health check, whatever. T, are we okay?

Yes.

Good. And what do we want to monitor? We want to monitor an endpoint. So health checks can be health checks to endpoints, it could be health checks to other health checks, it could be health checks to CloudWatch alarms. So there are so many things you can use for these health checks. Okay, so here we want to health check an endpoint. And what type of endpoint? It could be a domain name. If it's a domain name, then we can put the domain name of the load balancer here. But now we want to make it simple, so we want to health check our server IP, so an IP address. Then we put in the IP address for server one, since we said this is the health check for server one. So go to your browser, take the public IP of that server one, and we put it here.

So together we go to instances, right?

Yes, together, you have to go to instances. So just leave the Route 53 console open, open a new tab, go to your instances and look for the public IP of your server one and you put it here. Okay? Are we together?

Yes sir.

Public, please. If somebody is not here, you speak up. M, could you please go back to instances and copy the IP and let me see where you went to. So you just select the instance. Once you select the instance, Francesca, it gives you details. The details page should give you every information. Public... public, yes, we want the public IP of your... okay, are we here?

Yeah. Eve, yes. Prof, I'm there, I'm there.

Good. Jenda?

I'm here Prof, I'm just following. I'll try.

All right, so you can leave that as default. Just go to advanced configuration so we can reduce the time it takes for the health check. So by standard it does a health check every 30 seconds; one, 10 seconds. So we are fast, we can get our result faster.

Did you click something?

Advanced configuration. So you go to advanced configuration and we change from standard to fast. Okay, so with health checks you can tell Route 53 to look for a specific string, like when you do a health check, I want to see this specific string in the response before I can determine that my endpoint is healthy. Okay, we don't have time; in a workshop we try to do this in more detail, but you can also just go through the console and look at the things that you have there.

Please, what are we changing on the advanced configuration?

Standard to fast. Okay, standard will still work, it just will take you a longer time, from 30 minutes to 10 seconds, that's just all we are trying to do here.

And for the IP endpoint it's server one IP, right? Public one IP?

Yes, public IP.

Prof, for the string matching, when it checks the website, it sees if some text matches on the website?

It means you want to see, for example, a success code. So let's go ahead, I'll show you once we create a health check. So scroll down and click on next and we create the health check. So you can create an alarm for this health check, so basically to say that I want to get notified when my target is not healthy. So you can create a CloudWatch alarm and assign it to this health check. So it means that once it does a health check and the health check fails, it's going to send you a notification to an SNS topic that alerts you that this thing is not working. Then let's create a health check. So it takes some time because AWS has health checkers now that are trying to check this endpoint to see if it's healthy. So if you select the health check and you click on health checkers, you should see now you have health checkers all over the world that are trying to reach this your endpoint to ensure that it's healthy. So status 200 always means OK, means healthy. So you can tell your health checker when you're creating it that I want to always see a status code of 200, I want to always see a status code of success or a message of success. So whenever the health checkers are checking the health, if your endpoint is healthy, if this specific string is not in this response, it's going to determine that this endpoint is not healthy. Does it make sense?

Yes sir. Prof, I created a name for my health check but the name is not there. But it's not there, I don't know, I don't have the name.

Just create it again. So you can keep refreshing; at some point you'll see if your endpoint is healthy. So now your endpoint is healthy. We need this health check for our primary record, because the failover routing doesn't work... it needs to always use a health check to ensure that the primary endpoint which we are talking to is healthy. Once it detects that this primary endpoint is not healthy, then it fails over to a secondary. Okay?

Yes sir.

Good. So let's go back to routing. Let's go back to hosted zone. Francesca, are you lost?

Yeah Prof, please hold on for me, I'm still writing the name of the check. I don't know why the name...

Give it any name: instance health check. Doesn't matter.

It's not even giving me... can I share just a minute and you see?

Let's do that. Victor, you've been very quiet today. This one is quite straightforward. Okay. No, what screen are we looking at?

That's my... so it doesn't give me, I don't know why the name...

The health check: you can edit it. If you select it, click it and edit it. Does it up there, right? Edit health check, yeah. So you can give it a name here. Okay, are you giving it a name?

I'm just stopping... I just... what did I do?

All right, let's go ahead. Right, for me, we want to go back to Route 53 and create a failover routing policy. Francesca, have you been able to add your name to your health check?

Hold on, I just put out my...

So I need 15 minutes, at least 15 minutes of your time. One minute please. So give it any name: S1, yeah, S1 instance check, right, that's one health check, that's fine. Once we have the health check, we go back to failover routing. So I joined when Prof Suan was talking about your routing policies, but for failover, it needs to fail over when something has failed, and how does it know that it has failed? By always watching the health check. Once the endpoint becomes unhealthy, then it fails over to another secondary endpoint. Okay, let's go ahead. So we want to create a failover record in the hosted zone. So we go back to the same hosted zone and create record, failover. Scroll down to the bottom. Francesca, are you good?

Yeah.

Create record and go where? Failover. Okay, failover, you should be familiar with this interface right now. So go to next. We want to fail over, we have hs.com, that's fine. And give me a minute, just hold here. So what do we do here? Do we just... we create for the... let's create records for subdomains, okay, so we do not have to go delete the initial top-level domain which we created. You understand what I mean?

That's... yeah.

Good. So just www.he.com, so that's good. We want to route it to IPv4. The TTL here is 300 seconds; let's put it to 1 minute, so click on 1 minute, so it's 60 seconds. And we want to go down to define failover record. So we want to route our traffic to...

Yes, this... it's fast for me, can you just go back a bit?

Sorry about that. Can you just take it... so it's the same procedure which we've been doing for records. So you just go to create records, you go to the wizard, you select the routing policy which we want, it's failover. Have you done that? Failover routing policy, at the bottom of the page you click on next, then it should open you this window or this interface to configure the record. So we want to create records for the failover. We want to use subdomains, because if we keep it with the domain, we already have a record in the same hosted zone with the name he.com, so if you create another record it's going to complain. Okay?

Yeah.

So we want to create a failover. Let's use subdomains, and we're using www.he.com. So you could be using test or whatever. So basically you're failing over with the same domain name; it must be the same domain names that we are using to fail over. Okay?

Yes sir.

Okay. Time to live: we change the time to live to 60 seconds by just clicking one minute that's there. Scroll down. Are you good?

Yes, I'm good now, thank you.

Now we click on define failover record and we want to route our traffic to an IP. So the first option which you get, you have the IP address, and we want to put in the IP address. So this was server one, so we need the public IP of server one here. Okay. Oh boy, what did I do? Fris, you good?

Yeah.

We go to instances and then take the IP for server one again. Yes, remember this is the IP for the server you created a health check for. Do not mix that up. So it was server one, so we take the public IP of server one and we put it here, the same IP which you used for the health check. Yeah, so we choose the record type. So this will be the primary. So primary means whenever this is healthy, this is going to be where our record is served from. Okay? So we want a health check ID, so we already created a health check, so we select the health check, and we give this a descriptive unique name. So we can just say S1 record, something, and we define the failover record. Are we together?

Yeah.

Once we do that, then we can create a record. So this failover, you can use it for so many things. You can use it for DR, you can use it to give your users a custom message. Have you ever gone to a website and they tell you that things are not working, we're working on it, we'll be back soon? It could be failover: the primary website is down, they already have probably a static bucket somewhere configured with a message that says we are working on this, sorry for the inconvenience, the site will be available soon. So once the health check fails for the primary website, it starts serving that content until the primary website again becomes healthy; then Route 53 has that intelligence to go back to the primary record. Okay? Now we want the secondary record. So let's scroll down, scroll again. If you go to your browser now, we already created a record for www.he.com, so www.francesco... whatever, it should be serving you the content which is in server one. So if you keep refreshing, that should not change. www.ham.com... "today the awesome JJ model", is that it? Yes. So now we are talking to a specific back end. So we want to create a failover record to server two, then we simulate a failover for S1.

Yes. When you went to failover record, you put the IP address, right, for one?

Yes.

Then the failover record type, you choose primary?

Primary. Primary here means that this will be your main... it's the primary page, it's a primary site. It means that once this is healthy, this is what will be served. If this is healthy, this is always what will be served. Okay? Then primary just means this takes priority. Then for health check you choose the health check which you created.

Got it. So now let's do the same procedure for the secondary record.

So you have to do the same procedure for the secondary record. So for the secondary record, health checking it is optional. Okay, so you could decide to have a health check or not. And if you have your secondary endpoint also being health checked, if its health check is failing, then Route 53 reverts back to the primary and would serve you whatever is failing in the primary endpoint. So failover... next, we are creating health checks for failover records for the same domain name. So you cannot have www.he.com and he.com; it has to be the same, so that... yes, please give me a minute... so that when people are getting to your website, to this domain name, then they can fail over to a spare one.

Yes. Well, since we have created a record just for my one, now I'm searching from the web browser my domain, I'm still getting both applications on the two servers. Why?

Because you're not using the subdomain?

I used the www. He said we should use that, right?

Yes. It should not be the case, because you're talking directly to an EC2 server. So if you're still doing that, you're probably talking to CloudFront or something. You're talking directly to one server which you put the IP address there, so you cannot be having... it's impossible, you cannot be having content from both servers. So there's some misconfiguration on your end. Let's just finish with this, then I'll check that with you.

Okay.

Okay, so let's create the secondary record. So we call it www.he.com... www.he.com, route to, that's okay. We want one minute. We want to define the failover record. We want to route traffic to an IP address, so choose endpoint IP address, and now depending on the record...

Pardon? No, I was just reading "IP address or another value depending on the type of record".

Depending... we could... it could be routing to a load balancer, it could be routing to so many different things. So here we are using the IPs of the servers, like I said. So now we want the sec... this is the secondary record. We want the public IP of server two. Then we choose record type secondary. Health check is optional, so no health check. Then we just say "secondary server" for the unique description, or say "server two endpoint". So define your failover record. That's also fine, it has to be unique: secondary server. Define it and create the record. So if you go to your browser and you keep refreshing on www.he.com, it would always be serving you only the content for S1, reason being S1 is healthy. So now let's simulate S1 failure by stopping server one. So you go to your instances and stop server one. If you stop server one, after a while you should start serving the content in server two, because right now that you've stopped server one, if you go back to the health checks and you keep refreshing the health check, after some time it is going to show you as unhealthy. So go to Route 53, go to the health checks. So it's still healthy; you keep refreshing, refreshing. Okay, you can also just select the health check and look at the health checkers and let's see if it's already getting a bad response. Go to health checkers. So it's still... see, it's already failing, you see that. So after a while the health check will also fail, then Route 53 will move to our secondary record. So just refresh your website, give it a minute, keep refreshing. I expect to see the content for server two. www.hem.com, refresh, refresh. Somebody already getting this?

Yeah.

Do you already have failover, TI?

Yes. Yes sir.

So you have some latency here. Let me see your health check, if it's still healthy.

Prof, you said when you go to health check, what next?

Just keep refreshing, it should show unhealthy very soon. The health check is failing, so yeah, health check unhealthy. Refresh your browser, let's see if it failed over already. You see there, it failed over. Does it make sense?

Mine still says healthy.

It takes a minute.

Sir, yes, mind... the www., if I go through HTTPS, it doesn't work.

HTTPS was for CloudFront, but now we are talking directly to the server.

Okay, okay, yeah, all right, thank you. So Prof, which one are we going to stop, the server one or server two?

You can clear everything and do it again so that you can really commit it to memory.

Yeah, I stopped server one but I'm getting... okay, you mean which one are we stopping for failover?

You're stopping the primary record. The primary record, that was your server one, right?

Oh yeah.

So you have to stop server one.

Okay, thank you.

So some sites would have the secondary record that is displaying a friendly message telling you that our engineers are working on it, our website will be back soon. Or it could be DR; you can use it for so many things. So always think out of the box. They would always ask how can we do this; you could use this feature to solve so many different scenarios. Okay?

Okay. Can I stop the recording now?

Yeah, yes, you can.