So for today we're going to look at VPC endpoints and bastion hosts. So this is endpoints: VPC endpoints, VPC endpoint services, and bastion hosts. These are actually networking features which we should have covered under the networking section; Prof should have covered them in networking, but we decided to bring them here because we wanted the hands-on for VPC endpoints and endpoint services, which basically uses a bastion host, and we wanted to talk about it so you understand compute. So before we can then round up with this feature, can you see my screen?

So if you remember the architectures that we've always been talking about in class: you have a VPC, which is your private network inside the AWS space; you have your subnets, private and public; then you want to have communication to the internet. Either you use the internet gateway from the public subnet directly, or from the private subnet you go via NAT gateway devices into the internet. Okay, to the internet. So assume, for example, that this is our subnet and this is our VPC, right, and we have our devices in both private and public subnets. But for any device to be able to make communication outside of the VPC, it needs to go via the internet gateway, or you have a peering connection; we talked about TGWs and peering connections before. However, there are AWS services that are not VPC bound, that are not inside of a VPC. Okay, for example S3, which you covered already; there's DynamoDB, there's SNS, and a bunch of other AWS services, CloudWatch. Those are services that are not bound in a VPC. So for you to be able to reach these AWS endpoints, your traffic needs to leave your VPC via the internet gateway to the internet, then back into the AWS public space. So most companies, when AWS basically was coming up, this is the architecture they had. So most companies, trading companies and stuff like that, they are having sensitive data which they are keeping in S3, so they were facing an issue, a security issue, with their traffic leaving their virtual private clouds to the internet and back into their buckets. So with this they basically presented a problem to AWS, and in order for AWS to mitigate this issue they came out with a service known as VPC endpoints.

So what are we seeing? If we have, for example, this is our AWS. What happens is, let's call this, we assume that this is the AWS public space, right. So inside the AWS public space we have S3, we have SNS, we have CloudWatch. These are all AWS services that are within the AWS backbone; they are within the AWS public space. But for instances running inside our VPC, so if we have an EC2 instance running here, running in the public subnet, for the EC2 instance to be able to get to S3, what happens is from the public subnet we have a route to the internet gateway; it moves out into the internet and back to S3. From the private subnet the instance will have a route via the NAT gateway in the public subnet, which still goes outside the VPC via the IGW into the internet and back into the AWS public space. So this presents security issues for most companies and they do not like that. So in order to mitigate this problem AWS created what we know as VPC endpoints.

So what are VPC endpoints? The VPC endpoint is that feature of AWS, or that service of AWS, that enables customers to privately connect resources inside their VPC to resources in the AWS public space or resources in other AWS customer VPCs. Does it make sense?

Yes, Prof. Is it possible you write it down?

Sure, I will. I see a hand up, Victor.

Yes, Prof. So I was just trying to figure out something, because what you just said breaks my entire concept of what I thought was the case. I didn't know there was another space that S3, for example, resided in, because in all the diagrams we did when we did S3, it did appear that they were within a VPC, or, because I think the last I thought, they were resilient within a region, right?

Yes. So it's resilience within a region. For example, it's easy: when you're creating S3 you do not select a VPC; when creating the S3 bucket you do not select subnets, do you?

No, that's true.

Yes, they are not VPC bound. They are in a region; they are highly available across all the AZs in the region, but this is not a resource that you place in a VPC. Also, S3 does not have private IPs; you cannot assign a private IP to an S3 bucket from your VPC subnet. So when we are talking about VPC-bound services we are talking about services like, for example, EC2: when you're creating an EC2 you need to select a VPC to put it inside, you need to select a subnet to put it inside. Okay, so these are resources that are VPC bound. Other resources are in the AWS public space: SNS. We created an SNS, if you remember, in the last demo; we did not select a VPC to put it in. It is within the AWS public space, so connections from our VPC to SNS go out through our internet gateway and back to SNS. So that's what we are trying to avoid.

Thank you.

Good evening, Prof. I'm sorry, I joined when you had already started talking and I didn't attend the last class. Right now I'm not seeing the slides, so where are we? Are we doing a revision, or have we moved to a new topic? I'm somehow lost; I just want to know where we are.

So Prof is not available this week, so I'm taking the next few topics for this week, then she will be back next week. But last week I think she covered load balancers, and we are rounding off with compute, and to round off with compute we are touching VPC endpoints, which is a VPC feature, but also the bastion host, which we are going to use for the demo. So we are just rounding off. So if you can't make it to class, I think there are recordings, right, so you can always go back to them and watch.

Thank you.

So like I said, a VPC endpoint is a service that enables private connectivity between resources in your VPC and AWS managed services, services in other AWS customer VPCs (if you have a problem writing, you tell me, okay), and also services offered by AWS partners through the AWS Marketplace. One more: are we together?

Yes, Prof.

So what this means is, if we have our resources inside our VPC, these resources now can reach services in the AWS public space, in other AWS customer VPCs, without going through the NAT gateway, without going through the internet gateway. So in this case we do not have to put a NAT gateway in our VPC; this costs money, so that would probably reduce cost. We do not even have to give public IPs to services inside our VPC. The services in the VPC can then privately reach services that are not inside our VPC, that are inside the AWS public space, that are AWS managed, and also services in other AWS customer VPCs, using VPC endpoints.

Please, can you go back to the definition? Thanks.

Give me a minute. Okay, so with VPC endpoints there is no need for VPN, for example, connectivity between two AWS customer VPCs in different AWS accounts. There is no requirement for internet gateways or NAT gateways in our VPCs to enable connectivity to the endpoints. Are we together?

Yes, we are.

Can you explain again? I didn't quite get it.

So you remember we were always talking about, when we were dealing with internet connectivity or VPCs, for example you guys created an S3 bucket, we created EC2 instances and we pinged the internet. I also pinged somebody's instance during the last class to enable that connectivity. So far, in the architectures which we've been dealing with, we always need to have an internet gateway attached to our VPC, or we have other AWS network connectivity devices like VPNs, like transit gateways, like peering connections between two customer VPCs, to enable that private connectivity. You remember? However, there is no way for you to set up peering connections between your VPC and AWS public endpoints. For example, AWS offers some services which are widely used, but these services are not VPC bound. S3 is one of them, SNS topics are one of them, CloudWatch is another example, Lambdas are another example of services that are not VPC bound. You create and use these services; they are within the AWS public space, but they are not found inside your private VPC. So what happens is, if you have applications running on EC2 servers inside your VPC and these applications need to make calls to get data from S3, or to publish to an SNS topic, or to trigger some Lambda functions, what happens is, if these applications are running in a public subnet, there is a route table (remember we talked about this) that always sends the traffic from the public subnet through the internet gateway to S3, SNS, Lambdas, etc. Okay, these are all within AWS, but these services are in the AWS public space. So if your application is running inside your VPC, for it to reach these endpoints it traverses the internet gateway, out through the internet, and then back into AWS's public space, and this presents some security problems for most companies. They do not like their data traversing the internet. Most companies don't want your data to traverse the internet; even when you do VPN connections you are still using the internet to set up that VPN. Some companies say, okay, that's a VPN connection, but that's not secure enough for us. So they presented this problem to AWS, and AWS figured out using VPC endpoints to solve customer problems by giving them the ability to reach these public endpoints without going to the internet. So in that case we still have our services in the AWS public space; you will not need an internet gateway again. You just create a VPC endpoint, and then with the VPC endpoint AWS places what we call elastic network interfaces inside your VPC.

So depending on the type of VPC endpoint, basically it is an endpoint that is placed here; if I use this as my VPC endpoint, let's assume that is it, all traffic to S3, SNS, Lambda can leave your private subnet directly through the VPC endpoint into S3. So there is no longer a requirement for this traffic to move through the NAT gateway that is in the public subnet, via the internet gateway, over the internet, and back to S3. Does it make sense?

Yes.

Good. This is widely used.

You just talked about the VPC endpoint that we connect to S3. I thought it should be, instead of VPC, I don't know, the gateway endpoint. What would be the use case for that?

I'm still coming to that.

Okay, thanks.

So VPC endpoints are the technology which is being used to reach the public services. So you don't only use that to reach S3 or AWS managed services; you can also use VPC endpoints to reach other AWS customers. For example, Victor is a customer in AWS. Victor has developed a service that he wants other AWS customers to reach. Victor, now let's say you have 500 clients that want to talk to your service; you will not establish peering connections between your VPC and 500 clients. That becomes a lot of admin overhead. So there is also an endpoint service which you can create to expose your service, and other AWS customers can reach your service using the endpoint service. Does it make sense? So what I'm saying is this: assume I have no IGWs here. This is account A and this is account B. So you create your service, or an application that is running inside your VPC, and I have my own services running inside my own VPC in account A, and you want to give me access to your service. In that case we do not need to create a VPN, we do not need NAT connections, we don't need TGW connections or peering connections to enable this connectivity between our two VPCs. What we do is simply use VPC endpoint services. So account B, that has the service which is being offered to other customers, creates what we call (excuse me) an endpoint service, and account A, that wants to consume the service in account B, uses a VPC endpoint that establishes the connection to the endpoint service inside account B. So there are two things here: there is a VPC endpoint and there is an endpoint service.

For you to understand this, let's define two important terms. We have what we call the service consumer and the service provider. So the service provider is a person that has developed the application, or whatever it is, and he or she wants to make that application available to other service consumers. A consumer is you trying to reach that service; for example, if you're trying to reach S3 you're consuming S3, and AWS on the other hand is the service provider. Does it make sense? So the service provider creates an endpoint service in order to make their services available to other customers. The service consumer, on the other hand, creates a VPC endpoint that connects to the endpoint service provided, let me use a different word, made available by the service provider. Is it clear?

I have a question, though.

Yes.

So if this is a more secure and probably even a simpler solution, why do we have peering then, VPC-to-VPC peering? I mean, it sounds like the VPC-to-VPC peering would probably be more expensive because of all the added devices for the connection, and this one appears to be very straightforward and cheap. Why do we have the other one? And the transit gateways too, as well.

Yeah. At this level, when you develop your application you're making applications available to customers; you're doing that probably via HTTP behind a load balancer, right? Okay. First of all, the first reason would be the OSI level that this is available at. We cannot use VPC endpoints to talk directly, for example if we want to do a post directly to an EC2 instance, or do a ping, or just to ensure that two instances in two different VPCs are talking together. Okay, for you to use an endpoint service that instance needs to be behind an NLB. This is one of the use cases. For example, when I joined your class last time I heard somebody asking when you would decide if you want to use an NLB or an ALB; this is one of the cases where you would only use an NLB. Endpoint services are made available only with network load balancers. Okay, so if you have, for example, a service, an already available service to be accessed with HTTP or HTTPS, we can make that service available to multiple customers using endpoint services. So if I want to make my service available to, let's say, 300 or 200 different AWS customers, I do not have to set up transit gateway connectivity between these 300 different accounts, or peering connections between these different accounts. First of all, the layer at which it works; secondly, the ease of it. Okay, so those different factors basically help you to decide. All right, if it's just enabling connectivity, with my instances in one VPC talking to instances in another VPC, then that's fine with VPC peering. But endpoint services are mainly used for, how do I say, readily consumable services that you want to expose to customers privately. Okay.

Excuse me, Prof.

Yes.

So according to the question Victor asked, can we say VPC peering is for redundancy, and then the VPC endpoint is to create this private connection between the VPC and the customers?

No, VPC peering is a different technology which you can use to establish network connectivity at that level. So it's for network connectivity. But this now is: I want to make my service available to other customers, to other AWS partners, and stuff like that. So if you want to just establish network connectivity between a couple of VPCs, then you can do that. Okay.
please could you go one slide backward if that's okay the other one no the ones that talks about the PBC need yes yeah that than yes Miriam um I just want to clarify my understanding so we know that VPC is needed in order for different devices to communicate with each other right mainly using the IP address right so with endpoint VPC endpoints does it eliminate the use of um IP addresses no bpc and points are created in a VPC and those end points are using private IP addresses from the CER range of your subnet so once you're creating a VPC endpoint you're going to tell the VPC endpoint where which VPC it needs to go into and depending on the type of endpoint interface endpoints for example it uses an one of the I uh uh it uses an IP address from each subnet which you enable so for example if you have your VPC you have three subnets and you have side ranges for these different Subs right each time you create a VPC endpoint it picks an IP address from one of from the side range of that subnet okay so those are placed inside the VPC okay but the endpoint service is created on other side and you attach your endpoint service to a load balancer you create the endpoint service and I can consume your endpoint service by um creating a VPC endpoint in my account that reaches these endpoint service okay this is something sorry are we are we done here sure sir thank you very much good this is something which is widely used let me just give you a scenario which I face at work okay before I do that o go ahead okay P when we're doing Autos scaling uh we integrated it with SNS topic for notification now uh is it that there was defa there was an endpoint that was created in the background that permitted that communication from the VPC to the SNS giving that SNS the VPC in that case that VPC had an internet gateway so the communication was via the internet gateway to SNS okay but we want to avoid that communication to go through the internet then we would use an endpoint service so 
there is an endpoint for SNS so if you want applications inside your VPC to reach SNS you would go to that VPC and create an endpoint for ssns each AWS service has a specific endpoint in a specific region so once you create that endpoint AWS places an eni inside your VPC you can see it but AWS manages it and that is what establishes the private connectivity between your VPC and the service in the public space so now your E2 instance in this case that needed to publish to our endpoint what happens is it would go need that to publish to our SNS what happens now is either rather than using the internet gateway to reach our SNS topic it goes through the VPC endpoint to the SNS topic got it pro thanks so much yes Pro I just want to understand something uh you said the the VPC end point is when we have to access services within the AWS ecosystem which are not within our VPC in order for that connectivity to be private it doesn't have to Travers the internet yes and that uh we can still use the VPC peering because with for VPC peing we only access services within our VPC and not services within which are within the aw AWS public space and I understand that the the end point helps to eliminate cost because if connectivity does not travel through the internet cost is minimize and in a not share also enhances performance right I didn't talk about cost and I'm not so sure I mentioned that eliminates cost no I am the one who just trying to to think I'm like if connectivity if connectivity is not going out through the internet so it's easier to access his Direct and so cost is minimized because I know that everything that has to go through the internet like VPC actually I think to an extent the reverse is true because interface endpoints do cost money okay because AWS once once they put the Enis in your VPC they are billing you per hour that that eni is provision and they are billing you per gigabyte of data Traverse that traverses that year okay all right okay thank you my 
understanding about the VPC endpoint is correct yes thank you okay um hi Prof um so my question is so you're saying that for two vpcs to connect using the VPC endpoint both vpcs um would have to be configured to have um with the VPC endpoint and the endpoint service not both right there is like I said we have something we call service consumer and service provider okay the person that is providing the service the application or whatever endpoint or whatever it is that you're trying to give Grant access to other awx customers you would create an endpoint service in this case let me let me just explain the scenario maybe this answers your question okay I face um a situation at work and basically maybe this helps I have a customer that is on premises right and this customer needs to reach three different ad accounts so this account one this account two and this account three however all the side ranges of the three accounts they overlap with the side range of the the on Prem uh uh environment so we cannot in this case establish a direct connection either uh uh uh VPN or whatever to this onr because of side overlaps when we discussing networking we talked about the issues when you have over overlapping Siders right remember so in this case what we did is what I did is I told the customer that okay yes all your three accounts which you want to talk to already have side ranges that overlap with your environment it is a very big networking um provider in in Europe so most side arranges which you you would pick if even though you would say they are private they have already consumed it because they providing services to a bunch of services all over Europe so they had to give me a very small side range a SL 24 I think I don't remember how many IPS are in the sl24 that this is the only side range that we can resolve in our environment so with that SL TR fall cider range I created another VPC with the customers resolvable IP side ranges okay now this customer needs to access 
services that are running in our eks clusters exposed by a load balancer in all these different accounts privately they do not want to go to the Internet so we establish a DX connection here to this VPC and in this VPC I have three different endpoint Services sorry three different end points so I have .1 let me make this bigger so I can write inside so I have n.1 n.2 and n.3 and in this VPC this is another account these are actually four different accounts this is account four and in account one I create n. service one a create end point service two and . service 3 now the customer comes from onr through our direct connect connection and talks to our endpoint service to if he wants to reach uh um two he talks to endpoint service 3 if he wants to establish the connection to endpoint service three and same for endpoint service one does it make sense yes so I have three different accounts and the customer gets into one this is where they have connectivity to if I if they leave un and come directly to my account one all the IP addresses in account one they can't resolve because of C overlaps that's a neat solution sir I I have one question you you kind of said something give me a minute give give me a minute um okay did this answer the previous question yeah yes yes yes it did but I do have a full up question here yeah maybe I don't understand it so what I'm my question is so they all connect to to account four right using the um EPs and in this case the three other accounts can't talk to each other right so where you know they can all talk to each other they can only talk to account form no they cannot talk to each other because that's how we configured it it's not because there is an overlap between them we just don't want the different accounts to talk to each other okay if we want to establish connection with between each other we can establish the connection using the endpoints too you can either use the endpoints but remember you're using endpoints when you're 
exposing a service okay okay okay so but if you just want to talk to if you just want the accounts to talk to each other then you probably use a Transit great way or if you want to establish network connectivity between the accounts then you would use a Transit Gateway or VPC pairing or whatever other uh method which you can okay yeah okay yeah makes sense thank you good so in this case sorry s account one to three are service providers and when they are in account for they are from the perspective of a service consumer make sense MAA your facial expression doesn't convinces me yes it makes sense sir good so um um Victor you can go ahead yeah the question I was going to ask is something related to what ad was saying um but you did mention it kind of SK through it because again has to do with VPC to VPC connection um you mentioned something about uh network connection so can you just help me understand which layers of the OSI uh the peing would occur and then of course the end point will occur because it seems like they're on different uh layers of the OSI yeah you exposing a service because that service has to be behind an NLB so already at an NLB we are already talking at almost HTTP level okay but then NLB opat at transport layer for Network layer all right but you're also using the NLB to self STP traffic okay that is for the endpoint service in these two case this account these two different environments can only talk using the endpoint service so I can only move from account one to account two to the endpoint service of account two and I can control who which account or which principal in that account can access my endpoint service if I want to establish complete network connectivity between two vpcs or two accounts then I can use Transit gateways or VPC pairings and stuff like that okay okay for example if I want to establish Network contivity in uh to two different accounts and I want to for example jump into a server into one account then I switch into 
another server in another account I can use endpoint services that I need to establish PPC pairings that gives complete network connectivity I put a a jump hose there and I can then make that switch okay so this is basically when you providing a service and you want others uh uh uh um consumers to be able to access your service okay thank you so they are different types of VPC endpoints depending on the service which you want to reach so AWS offers two main VPC endpoints They just added a third now so we have an interface PPC endpoint we have Gateway end points and we have gway load balancer end points are your hands still up Victor Ora yes um I have a question yes yeah so you talking about the VPC uh one is I mean the end one is consuming service and one is providing service uh and I'm just thinking so in the case whereby I have uh I have I have like uh a an application for a business that takes payment now um zel is is a payment processing uh system oh let me let me just like PayPal and uh Vio now when I'm bringing the uh their service into my into my website like the link for for my customer to connect to the service is that the work of an endpoint can you repeat your question again not so sure I got it so I have I have like a like a PR a business letum like Walmart and I want I want to get I'm trying you're trying to purchase something on Walmart website you can either use your your card your credit or debit card which I'm pretty sure that connects to their their card processor directly now there is uh you can also choose to use PayPal you can use bimo or you can use cash app now those three other services they're not wmart uh inous service M you will have to be leaving wmart or website to go to server to go into of PayPal what's it called domain and also to other ones now what service is or the service that is being used by Walmart to bring in to direct you to go and get that payment done with Vio or PayPal or cash app is that the work of of of an endpoint it 
depends on the architecture of the application okay let me put it this way now you have a front endend that you're talking to that's that um for example Walmart okay let me use for example Amazon or Walmart yeah there's a front end which you're talking to that front end is making an a call to the back end that backend which is the payment service could be running in a different account so you as a consumer you get to now this is a consumer from the perspective of a client using the service over the Internet because over the internet I have made my connection to Amazon.com or to wmart wmart okay and I am typing and I want to pay there is another layer behind your front end which you're saying that's making API calls to the back end that API call for the payment service could be running in another account the architecture of the application now would with it all depends if the if the the payment the how do you call it the payment service is running in in another account then this application the front end application should be able to make the API calls to the endpoint service of the payment service in another account so that can work okay so I I I I take now I take on so so I guess API call is what is happening when I'm using a third party payment processor on like Walmart website not an endpoint doing the job right API call is something AP an API call is basically application programming interface is you trying to make a call to um an um any device for example each time you click on your browser Amazon you are clicking something that's an API call but that's a topic out of that's that's a topic that's not part of this conversation okay I'm just saying that these different applications that are in the back end for example your Walmart your payment service those different applications can be in connected using an endpoint service okay the application which I'm actually talking to you which I we we we uh develop for this this uh customer is actually um a trading 
platform and the endpoint services are payloads are basically the stocks that you see so they are running in different AWS accounts and stuff like that and once you go to the front end the front end takes you to the C to the onrite front it actually takes you to on Prem site once you're doing your trading and picking stocks it needs to get those stocks data from different environments in different a accounts privately through Direct Connect and all that stuff okay so it all depends on the architecture of the application all right yeah understand in the case of your customer your customer is actually they own all these three account the four account and the onr right I they are stakeholders I would not say they own because these are actually three different customers three different customer accounts and it's one application which is developed by I think there are multiple companies inside so they are making different calls to different ends and those calls all need to stay private make sense yeah I think part of this question is um the the architecture that you shared with us those three accounts are sitting in AWS right the account one two three but I think his question is if one of those accounts weren't in AWS no no that's not what I'm saying now what I'm trying to get is this uh now I understand about so those account we what I'm I'm talking about is like PayPal or vimo or um cash app they are these are a separate organization that has to do with Walmart this this could be separate organizations it depends on where they are running if these separate organizations are offering payment services that Walmart wants to use yes then the the application guys of Walmart and the appliation guys of pay payment they need to sit together and Walmart will tell them how can I make private connectivity to your endpoint and they can use endpoint services to establish that connection that's one way of doing yeah that's what I'm trying to get that the service is going to be used 
in that in that regard is going to be an endpoint service right says the the person offering the service in this case which is Paypal would create an endpoint service then Walmart application would create a VPC would create an endpoint and the applications running inside Walmart's a account need to know how to make to connections to the payment service via the endpoint service make sense yeah understand now so I understand so uh the reason I want to be sure because um I don't I don't know if there is a way that I have that you know for like a smaller business can just pick uh uh like an endpoint directly but probably on I I know there is like a Google endpoint that people put on their on their link to get a Google search or something or I'm not sure if there has to be like some sit and talk with the company or some real companies like that do have like like an interf like like an endpoint where developer can actually get stuff for and and you know configure their own login and account with their own account so they don't have to to have like direct connection with them in a way like a public no I'm not so sure I understand what you're you're actually talking about but mind you this is for private connectivity so the accounts can establish connections privately they not moving over the Internet so they are not public endpoints okay so so this is what I'm saying like you you have a you have a clothing company and with your clothing company you you want to be accepting uh PayPal vimo and you have your card processing stuff now I don't know how it's going to be easy for a smaller a startup business to have that talk with PayPal like hey I need an endo from you guys yeah that's that's a different conversation which is not part of our um our um program for today okay no problem thank you do you understand how to architect using endpoint Services that's my goal yes yes good we can after the call now have a conversation about your use case all right exactly you can do it 
behind the scenes. I'm sorry guys, I was just trying to understand something, I'm not trying to put you guys backwards.

So, Obie, I see your hand up. Yes, right, it's very simple, it's really along the lines of the question that he had. So my question is, to set up these endpoint services, you have to be within the AWS environment on both sides, is that right?

If you, as a customer, want to set up an endpoint service, yes, and receive the consumer, and the consumer would create a VPC endpoint, so both sides, yeah. However, you can also create endpoints, a VPC endpoint, to access endpoint services for customers using the AWS Partner Marketplace. That's something I don't know if you guys have covered or have seen, but basically, for example, Cisco is an AWS partner. They can be offering their different services, which are developed, I do not know where they are running, but they are exposing those services to us using endpoint services. So you would go to your account, and if your application in your VPC wants to talk to some Cisco backend, you just create a VPC endpoint. And while creating the VPC endpoint, it is going to ask you who, or how, you want to establish the connection to. Okay? If it's just an AWS service, there's a category for AWS services. If it's another AWS account, you would specify the other AWS account, and the other AWS account should already have an endpoint service waiting for this connection, so you'll specify the name of that endpoint service, which the account must have provided to you, and you establish the connection. It will stay pending, and the other account has to accept that connectivity to the endpoint service. Okay?

Good, thanks.

So the three main types of VPC endpoints are interface, gateway, and Gateway Load Balancer endpoints. Interface endpoints are used for the majority of AWS services. Gateway endpoints are mostly used if you want to establish connectivity from your VPC to DynamoDB and S3. Interface endpoints connect to, I wouldn't say all, most AWS services, including S3. And Gateway Load Balancer endpoints: if you remember when the Professor was teaching you guys load balancers, the different types of load balancers, ALBs, NLBs and Gateway Load Balancers, she said if you want to establish connectivity to a backend fleet of EC2 servers or EC2 instances, or a backend fleet of private virtual appliances, then you would use something like a Gateway Load Balancer. You remember that? Yes. Good. So in that case, if your backends are running behind a Gateway Load Balancer, then in order for you to establish connectivity to those virtual appliances running behind a Gateway Load Balancer, you would create a Gateway Load Balancer endpoint. Okay? It's as simple as that. Please, any questions?

I do understand, can you repeat the Gateway Load Balancer again?

So basically, you can use Gateway Load Balancer endpoints, I'm trying to show it by hand, to establish a connection to a fleet of virtual appliances running behind a Gateway Load Balancer. Does it make sense? Yes, ma'am.

Miriam, are we good?

Which option is the cheapest? I know the gateway endpoint, that's free. The interface endpoint is costly, but what about the Gateway Load Balancer endpoint?

Actually, I don't know the pricing for Gateway Load Balancer endpoints. Okay, I get you, you can just look that up. We'll do so.

So if you remember when the Professor was talking about Gateway Load Balancers, we were saying, for example, if your environment or a customer outside has some virtual appliances, and you want to make those virtual appliances available inside AWS, then you can use Gateway Load Balancers that talk directly to the IP addresses of your virtual appliances. So if I created a service like that, I have my security application running on these virtual appliances and I want to make it available outside, or to customers inside the AWS environment, I create a Gateway Load Balancer that talks to my endpoints.
Then other customers that want to reach these virtual appliances would need to have a Gateway Load Balancer endpoint. Okay? Because, let me say these are my virtual appliances, this is my fleet, then I put a Gateway Load Balancer here that round-robins between my appliances. Okay? Now I want to establish connectivity from another AWS account to this fleet of backend virtual appliances, for either security or whatever the case might be. Then in this account I would create a Gateway Load Balancer endpoint that connects all traffic in this other VPC or subnet to the Gateway Load Balancer. A typical scenario for this is, let me see, we have something like this. I have a service provider, okay, then this is the provider's VPC. In the provider's VPC they have this Gateway Load Balancer talking to their backend EC2 instances. Then I have another customer. So I have an IGW in this case and traffic is incoming. This is mostly when you want to do some security stuff. Then in this consumer VPC I would have a subnet here, and in this subnet I create my Gateway Load Balancer endpoint and establish connectivity to this provider VPC. And let's say a private subnet, this is private, and inside my private subnet I have my application servers, whatever is running in here. But I want to ensure that any client connection or traffic that wants to get into or reach my EC2 servers running in my private subnet goes through some security check. Okay? So in that case the traffic would come via my IGW to the Gateway Load Balancer endpoint. In this subnet there is a route that takes you back to where the security appliances are running. The security appliances do all the checks and ensure that the traffic is conforming to your compliance requirements or whatever that might be. If that succeeds, then the traffic is routed back from the Gateway Load Balancer to the VPC, to the subnet where your Gateway Load Balancer endpoint is, and now to your application servers.
Does it make sense? Do you follow?

Yes sir. To understand you: so when traffic is coming from the internet, from the IGW, it hits the Gateway Load Balancer endpoint, good, and then from the endpoint it goes to this VPC where the security appliance is, and then when the traffic is checked and it is good, then it is routed to where the Gateway Load Balancer itself sits.

Exactly. So this happens both to and fro, so incoming traffic and outgoing traffic. If you want your environment to do security checks on all the traffic that enters, you can use an architecture like this. Okay?

And then this Gateway Load Balancer, do you use it only for AWS services or for third-party appliances? Let me say, if you want to use, I don't know, an AWS security or firewall appliance, you use a Gateway Load Balancer, right? And when you want, because the last time Suzan talked of a Palo Alto third-party appliance, you also use a Gateway Load Balancer to check the traffic, and then...

Exactly. Those Palo Alto servers where the security thing is running, it's running outside, so you're using a Gateway Load Balancer that establishes the connection. Remember, I think Professor Z also mentioned that you can use load balancers to establish connections to on-prem servers, you remember? Yes sir. So in that case our Gateway Load Balancer is making that connection to our on-prem; it stays private. So for the VPC, I am running my applications in my VPC but I want to use some security checks, for Palo Alto for example, also Cisco security checks. Then, if that's established using Gateway Load Balancers, as traffic enters my VPC through the internet gateway, there is a subnet that I've created my Gateway Load Balancer endpoint inside. In that subnet there is a route table; remember, all subnets have a route table. The route table of that subnet will have a route to the Palo Alto devices, okay, and also have a route to my private subnet.
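To make the routing the instructor is drawing here concrete, the following is an added example (not from the lecture or the course material) that models the Gateway Load Balancer endpoint "bump in the wire" in Python: an ingress route table edge-associated with the IGW steers traffic for the application subnet to the GWLBe, the GWLBe hands the packet to the GWLB and the appliance, and the surviving packet comes back to the GWLBe subnet's route table, while the application subnet's default route points at the GWLBe so egress is inspected too. The subnet CIDRs, the route targets and the "only port 443 passes" appliance policy are assumptions, the two S3 CIDRs stand in for the AWS-managed S3 prefix list (which the instructor covers later, for gateway endpoints), and the functions only simulate the VPC router's longest-prefix match; nothing here calls the AWS API.

```python
import ipaddress

# Constructed addressing: these CIDRs and route targets are assumptions for the example,
# not values taken from the lecture.
ANY = ipaddress.ip_network("0.0.0.0/0")
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
GWLBE_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # subnet holding the Gateway Load Balancer endpoint
APP_SUBNET = ipaddress.ip_network("10.0.2.0/24")     # private subnet with the application servers
# Stand-in for the AWS-managed S3 prefix list; the real CIDRs are published by AWS per region.
S3_PREFIX_LIST = [ipaddress.ip_network("52.216.0.0/15"),
                  ipaddress.ip_network("3.5.0.0/19")]


def lookup(route_table, dst):
    """Pick the route with the longest matching prefix, as the VPC router does."""
    best = None
    for net, target in route_table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def prefix_list_routes(prefix_list, target):
    """A gateway endpoint contributes one route per CIDR of its managed prefix list."""
    return [(net, target) for net in prefix_list]


# One route table per association. Targets are just labels in this model.
IGW_INGRESS_RT = [(VPC_CIDR, "local"), (APP_SUBNET, "gwlbe")]   # edge-associated with the IGW
GWLBE_SUBNET_RT = [(VPC_CIDR, "local"), (ANY, "igw")]           # GWLBe subnet: back out via the IGW
APP_SUBNET_RT = [(VPC_CIDR, "local"), (ANY, "gwlbe")] + \
    prefix_list_routes(S3_PREFIX_LIST, "vpce-s3")               # app subnet: default route into inspection


def appliance_allows(dport):
    """Stand-in for the policy on the appliances behind the GWLB (assumption: only 443 is allowed)."""
    return dport == 443


def inspect(dport, hops):
    """GWLBe -> GWLB -> appliance, then back to the GWLBe, unless the appliance drops the packet."""
    hops += ["gwlbe", "gwlb", "appliance"]
    if not appliance_allows(dport):
        hops.append("dropped")
        return False
    hops.append("gwlbe")
    return True


def trace_ingress(dst, dport):
    """Hops for a packet from an internet client that arrives through the IGW."""
    dst = ipaddress.ip_address(dst)
    hops = ["igw"]
    target = lookup(IGW_INGRESS_RT, dst)
    if target != "gwlbe":           # anything the ingress table does not steer to the GWLBe skips inspection
        hops.append(target)
        return hops
    if not inspect(dport, hops):
        return hops
    hops.append(lookup(GWLBE_SUBNET_RT, dst))   # "local": delivered into the app subnet
    hops.append("app")
    return hops


def trace_egress(dst, dport):
    """Hops for a packet leaving an application server in the private subnet."""
    dst = ipaddress.ip_address(dst)
    hops = ["app"]
    target = lookup(APP_SUBNET_RT, dst)
    if target != "gwlbe":           # "local" or "vpce-s3": stays inside AWS and never reaches the appliance
        hops.append(target)
        return hops
    if not inspect(dport, hops):
        return hops
    hops.append(lookup(GWLBE_SUBNET_RT, dst))   # "igw": out to the internet after inspection
    hops.append("internet")
    return hops


if __name__ == "__main__":
    print("ingress 443:", trace_ingress("10.0.2.10", 443))
    print("ingress 22: ", trace_ingress("10.0.2.10", 22))
    print("egress web: ", trace_egress("93.184.216.34", 443))
    print("egress S3:  ", trace_egress("52.216.10.10", 443))
```

Running it shows both directions passing through the appliance, a port-22 probe being dropped by the appliance before it ever reaches the application subnet, and S3-bound traffic taking the gateway endpoint route with no IGW and no inspection hop, because the /15 prefix-list route is more specific than the 0.0.0.0/0 route to the GWLBe. Worth checking in a real deployment: if the IGW ingress route table is missing or the application subnet's default route points at a NAT gateway instead of the GWLBe, traffic silently bypasses the appliance in one direction.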
So the private subnet and the Palo Alto devices, they don't have a connection via routing. Okay? So the Gateway Load Balancer endpoint subnet takes the traffic, sends it to the security appliances, it does all the checks, and if it is compliant, if everything checks out, then the traffic is routed to your backend servers in your private subnet. If there's a problem with the traffic, it's immediately dropped. And that happens both ways, so incoming traffic can go through security appliance checks and outbound traffic can also go through. So in that case, incoming hits the Gateway Load Balancer endpoint, goes to your security appliances, then comes back to your private subnet. The same way, if you're sending traffic out, it goes from your private subnet to the Gateway Load Balancer endpoint, goes through your security checks, back to the Gateway Load Balancer endpoint subnet, and out to wherever it's going to.

So one last question: when the traffic is coming from the internet, I presume it is a public IP, and so when it is going to the Gateway Load Balancer, is it still that public IP or is it, like, encapsulated?

Okay, once it gets into your Gateway Load Balancer endpoint: each time you create these things, they pick an IP address from the private IP range of your subnet, then that is what is making all the... it's encapsulated, and the private IPs are being used. Okay? Thank you so much.

So we have Gateway Load Balancer endpoints, which you just touched on. We have gateway endpoints. This is relatively new, the Gateway Load Balancer endpoints. The gateway endpoints are used to establish connections to two main AWS services, DynamoDB and S3. So if you go into an interview, I've heard this question so many times: they are trying to tell you, I want to establish private connectivity to S3 and, what is it, DynamoDB from instances running inside your VPC, what do you do, what do you use? So many times I've heard that
in interview scenarios. So you have a situation like this, and let's assume that we don't have the internet gateway here, and we have our private subnet, and we would create a Gateway Load Balancer endpoint, no, sorry, a gateway endpoint, and this gateway endpoint will then establish connections to S3 and DynamoDB. So this is within AWS. So in the subnet where our EC2 instances are running, or the services that want to establish connections to S3 and DynamoDB, how does it reach this? AWS adds what we call a prefix list onto the route table of your subnet. So in this case, for Gateway Load Balancers, you create a Gateway Load Balancer and you associate it with the route table of the subnet, and AWS automatically adds the prefix list for all the services onto the route table. So you will see that; this is what we're going to do during our demo. Okay? So you remember, like I said before, if you want to reach S3 you would have to go out via the internet gateway to S3. Now, in this case, traffic leaving your private subnet just moves from the route table of the private subnet to the Gateway Load Balancer, to the gateway. So the gateway endpoint is actually a target on our route table. You remember, when you're adding routes on the route table and you're looking at your target: peering, your target IGW, your target TGW. The Gateway Load Balancer... the gateway endpoint is actually going to be another target on our route table. Does it make sense? Hello? Yes, it makes sense, we're processing.

So I would say a gateway endpoint targets specific IP routes in a VPC's route table in the form of a prefix list. Did you people talk about prefix lists before? No, we didn't. Is that not the one that has used numbers, right, traffic... give me a minute... to DynamoDB and S3? You were saying something? Yeah, I was saying, is that where you set the priority of allocation on the route table, the prefix list, is that what it does?

No, a prefix list is basically a
list of different IP ranges, basically a list of IP address ranges for a service. When we go to the demo you'll see it and you'll understand; it's pretty straightforward. So if your service is available via so many different IPs, then you can just create a prefix list. Let me take for example, if you want to add a route, let me use this scenario, maybe it's easier for you to understand. If Lesie, Seu, Ta and D and all these other people have their... you've established network connectivity to your VPCs in different accounts, right? And you want to establish connections from your VPC, from your subnet, to these different VPCs or to these different environments. You remember, you have to add a route on the route table, right? So these different CIDR ranges, am I making sense? Yeah. Good. So rather than adding each destination one after the other, you can just create a prefix list, and in that prefix list you specify all the different IP addresses, all right, or all the different ranges. So there is a prefix list now that has all the different CIDR ranges, and if you want to add a route on your route table that goes to these different endpoints or to these different networks in your destination, rather than entering your CIDR range like 10.0.0.0/16, you will just select that prefix list. Okay? Got it. Makes sense. You'll see a prefix list. All AWS services, for example DynamoDB, S3, they have a prefix list; basically those are the different IP address ranges that AWS exposes those endpoints on. All right, they're changing because AWS is doing round-robin, so they're changing over time. All right, AWS is managing that in the background. So for you to reach these endpoints, and they are also adding them, for you to reach these endpoints you need to basically have a route to all these different CIDRs. So if there are more than 50 or more than 30 different CIDR ranges, rather than adding a destination for all these different ones, just use a prefix list. Create a prefix list, and in that prefix list you have all the
CIDR ranges, then you add that prefix list as your destination on your route table. That's basically a prefix list. Thank you.

And the last type is interface endpoints, which is basically what we've been talking about, okay, using PrivateLink. An interface endpoint is an endpoint type that uses, like we mentioned, a private IP from the subnet CIDR range of your subnet. Makes sense? So once you're creating the interface endpoint, you would select which VPCs you want to place your interface endpoints in, then for each VPC that you select, AWS places an endpoint interface inside that VPC that uses an IP address from the subnet range. Miriam, are we good? Brandon?

Yeah, so we are saying it is an endpoint selected from the prefix list?

No, the prefix list is different. The prefix list is with gateway endpoints. For interface endpoints, we have nothing to do with prefix lists. So gateway endpoints use prefix lists, for example managed services. Interface endpoints have nothing to do with your route tables; it's putting an ENI inside your subnet, and traffic that is destined for your service then goes through the interface endpoint.

Yeah, so, Prof, the IP for the interface endpoint is private, right?

Yes, the IP for the interface endpoint is private. So the IPs for the interface endpoint are coming from your CIDR range, the CIDR range which you gave to that subnet when you created it. So AWS just picks one IP from that range. You remember when you're creating your VPCs, you're using private CIDR ranges, right? Yes. The 10-dot, the 190, is it 192, 198, and 172. So all those things are private CIDRs. So once you create an interface endpoint, it picks an IP address from each subnet, all right? It auto-picks. You can also tell AWS that I want this specific IP to be used; you can also specify an IP that I want my interface endpoint to have, this specific IP, but I wouldn't see why you would do
that, but AWS gives you the possibility. And mind you, those IP addresses don't change; they don't change for that interface endpoint for the lifespan of the interface endpoint, until you delete it. Okay?

So all this ability, or this technology, which is used to establish this private connectivity between your VPC and third-party services or AWS services, is what we call AWS PrivateLink. So AWS PrivateLink is the service that basically enables you to achieve these private connectivities to the different endpoints, to the different services. Are we together?

Can you give that definition again for PrivateLink?

Okay, so I said PrivateLink... we talked about private connectivity, right? So I'm saying that all of these interface endpoints and things, they are being established using AWS PrivateLink. So AWS PrivateLink is a technology that you can use to privately connect your VPC to services as if these services were in your VPC. You remember? So VPC endpoints, interface endpoints, and, what is it, endpoint services, they both use PrivateLink. However, gateway endpoints do not use PrivateLink, so they do not use this technology. Okay? Because, like I mentioned, gateway endpoints are using destination IP addresses which are added onto your route table. So that's how services running inside your VPC know how to reach S3 and DynamoDB, for example, because the prefix lists of these services are added onto your route tables. So once your route table wants to get to S3 and so on, it's resolved to IP addresses that are inside the prefix list, or that are part of the prefix list, and it establishes the connection. In that case it doesn't use an IGW; it doesn't need a NAT gateway or an internet gateway to get to S3. Are we together? Yes sir. Good. I'm proud.

Yes, yeah, there was a particular table you were writing, but I don't think you populated it. It would have helped a little
bit. So I think, for each of these types of endpoints, each of them uses particular technologies. I think you just specified, okay, for example, the interface one uses something like an ENI, the gateway uses prefix lists, you know. Those are the kind of buzzwords that would allow me to map those technologies to each of the endpoint or service scenarios. I only caught the...

Okay, give me a minute, my pen is not working, I don't know why. Did I run out of juice already? Run out of juice? No, just... okay. So about that, yeah, I was trying to figure out my issue. You were saying something, Victor?

Yes, I was saying that there was a table you had started, but I think you got pulled by a different question. I think you were trying to tabulate, out of these three endpoints that you just described, the interface, the Gateway Load Balancer endpoints, that there were specific technologies associated with each of them. For example, the interface one, I recall ENI was one of those things that helped make it; the prefix list you just mentioned for the gateway endpoints. Yeah, gateway endpoint. I didn't catch the last one, what the technology for the Gateway Load Balancer would be. One of them had prefix list, so that was how I tried to compartmentalize it in my head. But I think basically... Okay, are you done, Emma, with my slide? Can I move on? Yes, yes.

So basically we have, what is it, how much time do we have? Okay. Basically we have interface endpoints and endpoint services. Most people always confuse these two, because you are hearing services and endpoints everywhere. These, and I think Gateway Load Balancer endpoints, these three are powered by PrivateLink. Then we have gateway endpoints; remember, that's still a type of endpoint, okay, it's a type of VPC endpoint, but gateway endpoints do not use PrivateLink. It uses a prefix list which
is automatically added onto the route table of the associated subnet. So when you create a gateway... Gateway Load Balancer, you would pick a subnet to put it in, and its route table, then AWS would add this prefix list onto that route table. You can see it but you can't manage it; it's removed from that route table when you delete the Gateway Load Balancer endpoint. Okay?

Yes, hello sir, I just wanted to know, for the S3 bucket, if you're trying to reach it, are you going to use the interface endpoint or the gateway endpoint, since they're both...?

Okay, thank you very much, I almost forgot that point. It's very important, this is very important. If you have a scenario like this and you want to reach S3, thank you very much, I forgot to bring up the scenario. If you want to reach S3 and you're coming from the VPC, let me put this, give me a minute, if you're coming from the VPC to S3, then you would use gateway endpoints. What do I mean by that? If your applications are VPC-bound, your applications are already running inside a VPC, all right, then gateway endpoints would establish the connectivity to S3. However, if you want to reach AWS, you want to reach S3, from on-premises, okay, in that case the application that wants to reach AWS is coming from on-prem. So I consider this all my on-prem environment, okay, on-prem. In that case you would establish connectivity between your on-prem and your, how is it called, your VPC, either via VPN, either via a VPN tunnel or DX, whatever technology you want to use, okay, and create an interface endpoint inside the VPC. So this was our gateway endpoint, then we will create an interface endpoint, so this is interface. Then connections coming from on-prem would go through our tunnel, let me try to beautify this a bit, the connections coming from on-prem will go through our tunnel via the interface endpoint that is inside the VPC, then to S3. Makes sense? So if your applications are already running inside an AWS
VPC, then you can use a gateway endpoint to reach your S3. But if your application is coming from on-premises, you are not able to use a VPC endpoint, you are not able to use a gateway endpoint; in that case you would have to use an interface endpoint. Do you remember this? I think at the end of this session I would really discuss this architecture which I built for this customer, because it's really, really complex and it uses almost everything. I'm using NAT gateways here, I'm using PrivateLink here, I'm using TGW, I'm using Direct Connect, I'm using VPN over Direct Connect, and everything in this same customer. Remember what we were talking about, they are coming from on-prem. Where is that scenario here? Some of the applications that are running inside these different AWS environments, they need data which is provided by an application running on-premises, and the only way they can get that data is if on-prem drops that data for them in S3. And in that case I have a subnet which I'm calling inbound here, and in that subnet I have created another interface endpoint for S3, so this goes to S3. So the customer comes in here, okay, uses the interface endpoint, drops that data in S3, then all these other environments have gateway endpoints because they are already inside AWS. All the other environments now have gateway endpoints that establish connectivity between services running inside their VPCs and S3. Does it make sense, Brandon? Good.

Give me a minute, we are already too late. I would show that maybe next time, okay. We want to discuss bastion hosts, then we go for a break, then we come back for our hands-on.

Sorry, before you move forward, can you just go back to slide 94, please? Mind... yes, thank you.

Is there somebody in the call that has never heard about bastion hosts, jump boxes, and stuff like that? Yes, Bro, all of us. Yes, Bro. Yes, I've never, first time, never heard of it, my first time. Good. I think the bastion is coming from a military world or something like that, that they had to deal with
fortification for barracks and something like that. However, what's the bastion host? Let's assume we have this scenario, all right, we have two networks, okay. We have our VPC which we have created in AWS. In that VPC we have put sensitive applications. There are EC2 servers that are running in the VPC for our web servers, the servers are running there for application servers. However, we do not want everybody to be able to get into that environment. We also do not want these application servers and database environments to be in public subnets, so that maintenance DevOps guys, which you're going to be, can maintain these different infrastructure components. But we want to be able to give some sort of controlled accessibility to the different components in our infrastructure. What is widely used is what we call a jump server, also known as a bastion host. So a jump server is basically a bridge between your two different networks. In this case it might be a bridge between your network, which is your home network, and your network which is in AWS. Does it make sense? Let me take it from another angle. Chantal, can you please repeat that?

I was good. So I have two different networks. Let me still use my architecture diagram. Is that a good idea? Yes, maybe. So let's assume I have this architecture diagram, and in my private subnet I have sensitive data running on EC2 instances in here, okay. So I'm having sensitive data running in EC2 here, okay. But Victor is our DevOps guy, or you, Chantal, DevOps girl, and we need to maintain these servers from time to time. However, we do not want the servers to be publicly available so that everybody can connect to them. We also want to lock it down by keeping it private, by putting it in a private subnet, but we want you to be able to make connections into this server when you have to do some maintenance work or whatever, for whatever reason. In that case we would create what we call a jump
server, which is basically another machine or another EC2 server in the public subnet, and in this jump server we can have controlled access. We can give the different team members access to this server. One scenario which is very common is that the security group of the bastion host would only allow connections to it from the VPN of your company. I'm coming, Obie. So it means that if you're the DevOps guy for this environment, okay, you need to connect to the VPN. Once you connect to your VPN, you're using an IP address now from your company's network, or from whatever network that the VPN is for, and the firewalls of the bastion host only allow connections from this VPN. So Chantal, in this case, would establish a connection via the internet gateway to the bastion host. Her target is our app servers, and from the bastion host, once you get to the bastion host, then you can have a connection to the private servers, or the servers that are in the private subnet. There are different ways to give authorization for this connectivity, okay. Does it make sense now? So it's basically a jump box, it's basically a jump server. If I want to get to servers that are in a private subnet, I connect to my bastion host, which is in the public subnet, which allows connectivity from my app, that allows me to connect using whatever authentication method is set up for the bastion host, and once I'm in that bastion host I can then jump into the private servers that are in the network. Yes? Yes.

Hey, how is this different from, I thought we had the NAT gateway, which did something similar?

The NAT gateway is for outbound. Now we are coming inside; we want to control access for those coming inside our network. Okay, okay. So basically it does the reverse of the NAT? Almost the reverse of the NAT gateway. Almost the reverse of the NAT gateway. So basically a bastion host manages access to an internal network, or private network if you prefer, from external
sources. That's basically what a bastion host is. So I have my internal network, but I need to allow my DevOps people or my operations guys to be able to connect to it. How do I give them that connectivity? I have a database that is running inside a VPC; that database is running in a private subnet; there is no internet connectivity to that database, but you need to connect to the database. Okay, for users that are outside our VPC, they need to be able to connect to the database to run SQL scripts, to run whatever scripts they need to run. How do we give them connectivity to that database? A bastion host is a typical example that has been used, something we are using extensively. Client VPN is another one for databases, but we're dealing with bastion hosts for now. It's cheaper than Client VPN, so almost everyone goes for it. So you just create a bastion host, another EC2 server in a public subnet. We establish connectivity to that public subnet for all those that need to connect to our database. Once they connect to the bastion host, from the bastion host they can jump to the database, and this enhances security, because in this case, take for example our database, I can tell the security group of the database to accept only connections that are coming from the bastion host. Does it make sense? So it means for you to reach the database you need to be making that call from the bastion host, and for you to reach the bastion host we now set up guardrails, firewalls, to ensure that whoever is connected is supposed to be connected, or is allowed to be connected.

Yes, Victor?

Yeah, I think you kind of partially answered the question I was going to ask, because in order to have the concept, the construct of the bastion host, you must have a complex security, maybe a tier of sorts, because it seems like you will have to open up practically all the ports that will access the resources within your private subnet, so that folks that get on
the bastion host then have the access. But which means that the real security is at the bastion host level, before you actually get in.

And we can tell the, how is it called, we can tell the instances running in our private subnet to please only accept connections from the bastion host. We're going to do that in our demo, okay. Actually, okay, so disregard this part. This is our instance that is in a private subnet, and in order for us to reach the instance that is in our private subnet we need to first of all connect to the bastion host, then from the bastion host we jump into the instance. And the security group of this instance: remember we talked about how we can use a security group to reference other logical AWS resources. This bastion host would have its own security group, and I can tell the security group of this instance, either a database or an application server which is running in the private subnet, to please only accept connections coming from the bastion host. It means that whenever you want to reach that app server you must be in the bastion host, and at the level of the bastion host we now set up firewalls to say that you can only accept connections that are coming from this CIDR range. That CIDR range could be the CIDR range of your VPN, your company VPN. That CIDR range could be your IP address at home, because, Victor, if you go to the internet and do "what is my IP", it tells you your IP address right now. And if I set up a bastion host and I want you to reach my bastion host from your house, you would give me your IP address, and with a /32 I can then enter that IP address in, what is it, the inbound security group for this bastion host. Then you are allowed from a networking perspective. However, we all know that for you to connect to these EC2 instances you need key pairs, right? Yes, right. So the key pair could be the key pair you created when launching the instance, or it could be a key pair that you create and you give me, and I add it into your EC2
instance. You guys are starting Linux very soon, so I guess you will do it. Once you create an instance, there's something they call authorized_keys. All right, if you go to an EC2 instance or a Linux machine or something like that, there's a .ssh folder and it has an authorized_keys file. So if I have 30 or 500 different employees that need to make connections into my bastion host, I don't need to share the key pair which I created during creation of my instance. You just go to your machine and you do ssh-keygen. That command basically generates a key pair, a public key and a private key, and you share your public key with me. I take your public key and I put it in the authorized_keys file. It's basically a door, okay, it's basically an analogy like a door: I'm opening a door into this bastion host to your public key, to your public/private key. So it means that each time you want to connect to the bastion host, you just need to use the private key of the public key which you gave me, and now you establish the connection. So in that case I don't have to use the key pair which we generated here and share it with everybody, okay; that stays with admins. That's what we do. For example, there are so many developers that want to be able to reach their databases, but they need to go through the bastion host. All you need to tell them is, give me your key. They share with you their public key and they keep their private key. Once you want to kick them out, you just remove, delete their key pair from the server, and they can no more access your bastion host. Yes, Brandon?

Like, you already answered the question I was going to ask: if we have to create an elastic IP address for the bastion host to connect to the instances? You answered the question already.

You don't have to, but you can. An elastic IP address is a different tech, right, because public IPs do change, okay. If you stopped your instance and you started it, the public IP changes, all right. Actually, we faced this for one
of my customers. I like the way you guys answer the questions; most of the stuff is what we are faced with. We actually faced, with one of my customers, this exact scenario which I just explained. We are adding developers' key pairs using Ansible. Ansible needs to establish a connection to a public key, to an IP address, right, to be able to know the bastion host it is talking to. So AWS is changing these IPs because apparently somebody stopped the bastion host and started it, so it got a different, how do you call it, public IP. So later on, when we wanted to run our Ansible pipeline, it was failing because the IPs had changed. So in that case you can decide that, okay, now I need an elastic IP. You create an elastic IP and you attach it to that bastion host. If the instance is stopped and started in the background, its public IP changes, but that elastic IP stays. So now your Ansible script can establish a connection to the bastion host using that EIP. Makes sense? Yep. But you do not have to; that's the point I'm trying to make, okay. Yeah, that's how we fixed the problem so we don't have the same issue again. Yes, yes.

I have a question: are there different levels of security, right? If yes, at what level is this bastion? You know, does that make sense?

I think your question is different levels of security, trust, as in this is critical, this is acceptable, this is high risk; that's what you mean, right? So I will not place the bastion host on the different levels of security threats. I would say it depends on how you expose your bastion host; then we can categorize that to the level of security threat. There are actually some customers right now that have told us that please, we do not want our bastion hosts to be public, because AWS is giving us new technologies to be able to not use SSH keys to, how do you call it, establish connectivity to these bastion hosts. So in that case they might say, if my bastion host is public, my security threat there is critical. Some might say, if it is public but it is
accepting only connections from the VPN, or the company's VPN, then my security level there is medium. So I cannot really place your bastion host on what level of the security scale it is; it basically boils down to how that was configured, all right. Because, let me put it this way, if I have a bastion host and I'm saying allow SSH from zero (0.0.0.0/0), okay, it means that everybody who lives, who comes in contact with the SSH key, no matter where you are, you can establish a connection to my bastion host. I can go one level down: I say yes, I want the bastion host public, but I want you to have the key and only be in the company's VPN. So if you get my SSH key but you are not able to use the company's VPN, you still cannot establish connectivity to my bastion host. Does it make sense? So there are different ways you can tie that down, okay. Okay, thank you.

A couple of questions, then we go for break. If you're talking, you're on mute, we can't hear you, Abdullah.

Yes, so in what environment will you consider your bastion host? Would that be in your development, or will it be in your test environment?

It is actually present in all environments. We have environments... it is present in all environments. If each environment has resources that are privately placed and needs connectivity to them from the dev team or from engineers, then you need to place a bastion host there. Okay, okay, got you. You need to place... we have environments where each environment has its own bastion host. For example, the dev environment, its bastion host, we accepted IP addresses of the individual developers, their home IPs. So we just say, okay, do your "what is my IP" and tell me your static IP for your home router, then we put that in the, how do you call it, the security group of the bastion host. But in the prod environment you need to log into the company's VPN before you can access that bastion host. So there are just different levels of security, how we lock it down, and those prod environments now, they are
telling us that some of some customers are saying that we don't even want that thing public put it in the private subnet and lock it down in another way so it all depends got it okay thank you um barus so I have a question I wish find I this question what can between you post and to get into your server I'm I'm I'm I'm having trouble really hearing you clearly I don't know if I'm the only one what difference between you using your PO and your get into a server what is the difference between me using a Baston host and keeper to get into a server yes because I think both of them almost they do the same thing like they are used to get a server I'm not I do not understand that question this very very the question I was asking I was going to ask I think what if I understand it correctly he just trying to get the difference or is they the same between direct SS into servers versus going through the Bastion course yes to the key requirement there is remember the key requirement here this might answer your question is remember consider that this instance is my application server I can tell my application server here that please the security group here only accept connections that are coming from this Bain host but I cannot tell my application server to use a security group from your local machine does it make sense I can tie it down to your IP address but no there are different requirements or there are different advantages of using the basan host in that basan host we can set up logging monitoring and alerting it tells us when somebody lcks in there and is trying to do some power play it has a record of everybody that locked in if something happens in our database and developers are saying that oh hey I'm not the one I'm not the one I'm not the one you can either use cloud tray or I can go into the Bon holes and I just look at the locks and I know who came in here when so it basically enhances the security long story short okay so it basically enhances the security 
posture of your environment I cannot tell everybody from all over the world because you have some environments that workers are in India in Greece in Slovakia in the US Canada and I'm telling them everybody to directly go to my database okay no I'm saying go to the basan host from the basan host then you can reach my database okay and I tell the database in that time in in that case I my security P of my database is is is also enhanced because I can tell my database that only only accept connections from the basan host okay then we can go for break and we are back in 15 and we can continue Pro can you take it back to to the slide that has the ARR through the tunnel get access in the S3 pleas yeah this slide is not explicit no it just passed it it's in front I ask my last question real quick please before we go on break Sho this one so I know that there are different types of um attacks right that can um threaten your security like viruses right troen and um the different ones so do we have systems in place where maybe these different services are able to identify or no that's not what I'm trying to say so do we have different services that attack this different traits different services that attack what like the different security threat like for example right yes a hacker is different from a virus that is trying to attack the network right so um I think the the um yeah there is we get to Security in AWS there are different AWS Security Services that you can use to further enhance your the security posture of your environment this um what we call Cloud Shield your SEC remember the security groups that we are talking uh here now we at the level of the instance you remember we also talked about narles those are at the level of the subnet you can go to firewalls um dos um AWS Shield that's at the level of your environment I can put my AWS Shield at the level of My Cloud from right up you're not even in my VPC yet but you're entering my environment and I'm putting a 
level of security at there and there are different different security levels or Security Services which you can use in in in in AWS okay there's even a different service which you can use to also ensure or monitor security um transactions in your S3 I think it's called Amazon Macy Amazon m m a c i e something like that all right so they different Services we'll get to to to it security then we'll discuss security service at that point guard Duty right good guard duty is another adwa web application firewall that's another service so we'll get them but remember AWS always tells you they are responsible for the security of the cloud you are responsible for your security in the cloud okay so for recording purposes basically this is the architecture of our demo so we have um VPC in AWS and we have an S3 bhead in the public space and in our VPC we have a private subnet and a public Subnet in the public subnet we will place our basan host here and in the private subna we would place an is2 server let's call it app server I want to call it app server okay and we will tell the app server that you only accept connection from the past 10 holes as we discussed in class and we will test that once we get we jump through the igw to the private inst the instance in the private sub we are not able to reach S3 Services because the route table in the private sub will have no route to the internet gateway okay then we will create a Gateway endpoint and test again to ensure that we can now connect from the p app server to um an S3 bucket or at least an S3 bucket or basically something like that does it make sense yes sir so each subnet is going to have its own rout table then we were going to test connectivity via um I call this Gateway endpoint so we be connectivity from our app server via our gway endpoint to S3 okay okay any question so far no question then let's start boom then I want to stop sharing quick question sir sure go ahead is it possible to have all the three end points 
you mention today in one architecture I don't know if you like the Gateway end interface end point and the Gateway balancer Endo can one architecture incorporate all those three Ms yes okay thank you each each of them actually actually using um all of them in apart from the gway Lo balancer but okay interface and Gateway end points in in one architecture the only thing is you cannot have forget end point you cannot have um multiple routes to different multiple routes on the same route table but yes long story short you can do that okay thank you okay who sharing um hello sir good I wanted to know if it's possible for me to share today go ahead is your I think I tried but it was already is sharing can I thank you okay I Shar the Run book in um the chart and we start so we already discussed basically all of this so what are we going to do today we are going to create VPC um according to architecture diagram we're going to create a VPC with two subnets one public one private we're going to create um rout tables as I say those rout tables we're going to create security groups for the basan h and the app server then we are going to SS into the basan H then from there we move to the app server and from the app server we try to reach S3 initially without the end point we would say that that time out then we would enable our end point then try again okaya is your hand you you have your small when I need to enlarg in it yeah it's on slack ol Ina your hand is up you have a question if you're talking we can't hear you or I can't hear you I need to increase your screen can we use the default VPC or we should create a a brand new hello VPC VPC yes I can hear you now we are going to create a VPC one minute um because last Dayo I discovered that some of you had problems because of your VPC configuration so like I said going forward we would most like we would mostly try to create our vpcc using the easy create functionality but do not get comfortable with the method we're going 
to use today if you do not know how things happen under the wood because you would succeed but if you find yourself on the job and there is a problem because you do not know how things connect talk to each other you will not be able to stro that's why we took the time to go through the initial phases of creating individual components and linking them up so let's start area yes I'm here your screen is really small M we are seeing the Run book we are not seeing your console we don't okay hold on exactly um do you see my desktop no no okay hold on do you see my deskt no stop sharing the screen you're sharing then you share the other screen well you can just move those around you can or you can carry it you can move your TOS around if you can do you see my screen now no still same justop okay W is it working yeah yeah okay thank you I'm ready so we start by going to um VPC console this would be a pretty fast session I think in under one hour everything being equal we can complete great go to the VPC VPC console and go to vpcs we want to create the vpcs that we want we need please everybody follow up this step because it's not in the Run book because these are things we've done already but we want to do it now no go to VPC and more VPC you go to create VPC and VPC and more VPC and more hold on here can every is everybody here yeah yeah yeah yes sir so in the VPC and more I want you to give the name VPC end point the hold on can you increase your font a bit please thank you okay you can also do command plus is it better yes thank you so on the project name I want you to use or the project name yes I want you here I want you to use PPC npoint or endpoint VPC whatever this is going to tack all our subnets and R tables and stuff said VPC and point yeah MH so you see that that taxs sorry that taxs our route table and the other components is going to generate if you look at it here is already creating a subnet called. 
VPC subnet public VPC private that's what I wanted so we can use the S the side AR range which is uh given to us that's fine scroll down default tendency that's fine number of a I want one you can just use one that's okay scroll down I want uh number of private subnet one number of public subnet one go down not gway we do not want not Gateway VPC M Points S3 known are we together no so VPC Endo known not going known number of public and private one for each are we together is everybody here yes yes good then you you're here you hit create this would create everything we need subnets rout tables associations and everything can you see that yeah if we didn't check the non button for three gway it was just going to create that basically end point it's going to create create that for endpoint for us these are easy these are the the easy easy methods of doing these things but trust me I don't know if somebody if if if we just got into VPC and we did this would you understand how it works in the background no absolutely so enable DNS host name we enable all of those yes you can enable DNS name and DNS um resolution resolution this is something for called called private host when you're using a private hosted zones we're starting rounde 53 next week I think then you would you would understand what that actually does if you remember when Prof was teaching VPC she said that one of the vpci sers I think it's a DOT to it's used for the PPC resolver DNS server so basically what this is a private host in fact let's not get into it we'll talk about that next week okay so we have all the networking which we need please I want to stress it is very convenient using the VPC and more to create everything I am pleading with you understand what happens under the hood if you do not trust me you would have problems in in in in in in on the job if you do not understand what's happening under the hood you will not be able to troubleshoot that people have lost their job because of that okay 
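Editor's note: the block below is an added example and is not from the lecture or its runbook. It writes out, as individual AWS CLI calls, what the "VPC and more" wizard does for this demo network (VPC, one public and one private subnet in one AZ, internet gateway, one route table per subnet with the default route only on the public one, DNS attributes), plus the S3 gateway endpoint that the demo attaches to the private route table later on. It assumes AWS CLI v2 with credentials; the CIDRs, region default, and the project name are illustrative choices made here, not values from the lecture.

```shell
#!/bin/sh
# Added example (editor's, not the lecture's runbook): the API calls behind the
# "VPC and more" wizard for the bastion/app-server demo, plus the S3 gateway
# endpoint. Assumptions: AWS CLI v2 with credentials; names and CIDRs below are
# illustrative, not taken from the lecture.
set -eu

REGION="${AWS_REGION:-us-east-1}"
AZ="${AZ:-${REGION}a}"
VPC_CIDR="10.0.0.0/16"
PUBLIC_CIDR="10.0.0.0/24"
PRIVATE_CIDR="10.0.128.0/24"
PROJECT="vpc-endpoint"

# ec2: run one EC2 API call and print the value picked by --query as text.
ec2() { aws ec2 "$@" --output text; }

# name_tag <resource-id> <name>: the Name tags the wizard derives from the project name.
name_tag() { aws ec2 create-tags --resources "$1" --tags "Key=Name,Value=$2"; }

build_demo_network() {
  VPC_ID=$(ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId)
  name_tag "$VPC_ID" "$PROJECT-vpc"
  # The two DNS checkboxes: resolution through the VPC resolver and
  # DNS hostnames for instances.
  aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-support
  aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-hostnames

  PUB_SUBNET=$(ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$PUBLIC_CIDR" \
    --availability-zone "$AZ" --query Subnet.SubnetId)
  PRIV_SUBNET=$(ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$PRIVATE_CIDR" \
    --availability-zone "$AZ" --query Subnet.SubnetId)
  name_tag "$PUB_SUBNET" "$PROJECT-subnet-public"
  name_tag "$PRIV_SUBNET" "$PROJECT-subnet-private"
  # Only the public subnet hands out public IPs (the bastion lives there);
  # the app server in the private subnet never gets one.
  aws ec2 modify-subnet-attribute --subnet-id "$PUB_SUBNET" --map-public-ip-on-launch

  IGW_ID=$(ec2 create-internet-gateway --query InternetGateway.InternetGatewayId)
  aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"

  # One route table per subnet, each explicitly associated, as the wizard does.
  PUB_RT=$(ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId)
  PRIV_RT=$(ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId)
  ec2 associate-route-table --route-table-id "$PUB_RT" --subnet-id "$PUB_SUBNET" --query AssociationId
  ec2 associate-route-table --route-table-id "$PRIV_RT" --subnet-id "$PRIV_SUBNET" --query AssociationId

  # The default route to the IGW goes on the public table only. The private
  # table keeps just the local route, which is why the app server cannot
  # reach S3 (or anything outside the VPC) until the endpoint exists.
  aws ec2 create-route --route-table-id "$PUB_RT" \
    --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"
}

# add_s3_gateway_endpoint <vpc-id> <private-route-table-id>: the step the demo
# adds afterwards (what the wizard does when "VPC endpoints: S3 Gateway" is
# left selected). AWS inserts a route for the regional S3 prefix list into
# that table; no IGW or NAT gateway is involved. Prints the endpoint id.
add_s3_gateway_endpoint() {
  ec2 create-vpc-endpoint --vpc-id "$1" --vpc-endpoint-type Gateway \
    --service-name "com.amazonaws.$REGION.s3" --route-table-ids "$2" \
    --query VpcEndpoint.VpcEndpointId
}

# Usage:  build_demo_network; add_s3_gateway_endpoint "$VPC_ID" "$PRIV_RT"
```

Run `build_demo_network` first and test from the app server that `aws s3 ls` times out, then `add_s3_gateway_endpoint "$VPC_ID" "$PRIV_RT"` and test again; after the endpoint exists, `aws ec2 describe-route-tables --route-table-ids "$PRIV_RT"` shows the new prefix-list route next to the local one.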
Yes sir. So now we have all the VPC and route tables that we need. We can start by creating...

Sir, please, I'm sorry, I'm behind. I'm sorry, I had to eat, my brain was tired. Can you walk me through please how to create the VPC? I'll just show how to create a new one, but do not create it. So you go to create VPC and select VPC and more. You change the name to, I believe, VPC endpoint. We kept the CIDR range that was given to us. Number of availability zones, we restricted it to one. Number of public subnets one, number of private subnets one. No NAT gateways. VPC endpoints: none. Okay. DNS hostnames and DNS resolution, we leave those checked, and then you click on create VPC. Perfect, thank you. Welcome.

Now Miriam, I'm sure if you did that, your VPC and route tables and everything should be there. Now we want to create security groups, because our bastion host, like I showed you, would be using its own security group, and we need to reference the security group of the bastion host in the app server. Is Victor in the call? Okay, I heard him earlier. So I was on mute, sorry about that. Okay, let's create the bastion host SG. So you just go to security groups. Security groups is under EC2, it's also under VPC. So we want to create a security group. Some people did not succeed last week because of security groups; this can mess up your availability. So we want to give it the name bastion SG for the bastion host. Can we be a bit fast, and we just say "allow SSH to the bastion" for the description. And you need to pick a VPC where the security group will be created, so you need to pick the VPC you just created, this is the VPC endpoint. Yes, by default it's going to use the default VPC for that region, so please make sure you select the right VPC, because once you are creating the EC2 instance, if you did not select the right VPC you will not see this security group. And for add rule, inbound rules, we want to add a rule and we want to add SSH from anywhere. So what are we seeing here? We are seeing that if you're coming from anywhere you can access the instance that this security group is attached to, okay? Anywhere IPv4. Quick question: anywhere IPv4, yes. Usually, I guess, if you're working for an organization you restrict it to, like, the organization's network? Restrict it to the organization's network, yes. In that case you would not say anywhere, you would put in the CIDR range of your organization's network. You can also try it, but I don't want to troubleshoot. If you do "what is my IP" in your browser it's going to give you an IPv4 address; if you put that address in SSH from that address, you should be able to enter into that instance. That will work, but I don't want to go through troubleshooting this. I guess we can practice in our own time. Yes, you can do it in your own time. So if that's done, then let's create the security group.

We need to create another security group called app server SG. Same thing, app server SG, same VPC. So in the app server SG we are allowing SSH from the bastion host, yes. So we want to add a rule, an SSH rule. What's going to be the source in this case? 10.0.0.0/16? I want to allow connection to the app server only from the bastion host. What's going to be the... the bastion security group. The bastion security group, right, good. What did you put? Allow SSH from, is it the bastion host security group? Yes. So source, go to custom, go back to custom, go to custom, then they put the IP of the bastion... why? I'm supposed to see a security group here. It should be there. Refresh. No, it has to be under search, you click on search. Yes, it's down, then you go down and you see bastion. Good. How did he get that? Click on the search button. Okay, click on the search button under security. I got it, thank you. Welcome. Are we all here? Hold on one second. That's for inbound. Can I just ask a really very basic question: SSH, is it basically me trying to get access using keys, right, security keys? That's when we SSH, that's basically what it is. Yes. Okay. So once you say source custom, what else did you take? The bastion SG. Yes, click on the search sign there and you look for the bastion SG, and if you do not have the bastion SG in this VPC you won't see it. Let's go. Okay, once that's created, then we can create... do we restrict the... that's okay, we don't need to restrict outbound. Outbound is fine, anything that comes in should go out, okay?

Now we want to create our EC2 instance. So let's create the first instance, the bastion host. So we go to EC2. Do we create a key pair before creating the EC2? Good, yeah, thank you very much. Good, we need to create a key pair before we create the EC2 instance. So call the key pair bastion. Those that are using Windows here, do you have, what is it called, Git Bash? Yeah, some. Git Bash, I hope that works. Okay, bastion, and the private key format is pem, and we can create our key pair. So once you create the key pair, the private key is automatically downloaded to your local, yes. Then now we want to launch the instance. So I call it bastion. I want Amazon Linux 2, Amazon Linux 2, next. Is it this Amazon Linux 2? t2.micro is fine. The key pair: select the key pair you just created. Which Amazon Linux is it, the 2? Scroll down please. Amazon Linux 2, it should be in the, hold on, after Linux 2023. Okay, then the type is still t2.micro. t2.micro is fine so you're not charged for it if you're still within your quota. Key pair, please select the key pair which you just created, which was called bastion. Network settings, this is very important: by default it's going to use the default VPC; change this to the VPC you created. Network settings, click on edit. So sir, on the quick start, which one did we choose, which operating system? I didn't get your question. On the quick start, which option did you choose? Amazon Linux 2 AMI HVM 5.10. Did you find it? Yes, I saw it, thank you. Oh, you're welcome. I believe the instance type stays the same, t2.micro.
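Editor's note: the two security groups built in the console above, as an added example with the AWS CLI (not from the lecture or its runbook). The app server rule points at the bastion's security group rather than an address, which is the distinction the lecture draws: a server can be locked to "whatever carries this group" but not to somebody's laptop. It assumes AWS CLI v2 with credentials; the VPC id and the admin CIDR are supplied by the caller, and the group names are illustrative.

```shell
#!/bin/sh
# Added example (editor's, not the lecture's runbook): the bastion and app
# server security groups of the demo via the AWS CLI. Assumptions: AWS CLI v2
# with credentials; vpc id and admin CIDR passed in by the caller.
set -eu

ec2() { aws ec2 "$@" --output text; }

# create_sg <name> <description> <vpc-id>: prints the new group id. The VPC
# must be given explicitly, or the group lands in the region's default VPC
# and will not be offered when launching into the demo VPC.
create_sg() {
  ec2 create-security-group --group-name "$1" --description "$2" \
    --vpc-id "$3" --query GroupId
}

# is_cidr <string>: accept only a.b.c.d/n so that a stray word can never
# silently become an "anywhere" rule.
is_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# allow_ssh_from_cidr <sg-id> <cidr>: the bastion rule. The class used
# 0.0.0.0/0; on a real account pass the office or VPN range, or
# "$(curl -s https://checkip.amazonaws.com)/32" for a single admin.
allow_ssh_from_cidr() {
  is_cidr "$2" || { echo "not a CIDR: $2" >&2; return 1; }
  aws ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol tcp --port 22 --cidr "$2"
}

# allow_ssh_from_sg <target-sg-id> <source-sg-id>: the app server rule.
# Anything launched with the source group (the bastion) may reach port 22;
# nothing else can, not even another instance inside the same VPC.
allow_ssh_from_sg() {
  aws ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol tcp --port 22 --source-group "$2"
}

# build_demo_sgs <vpc-id> <admin-cidr>: prints "<bastion-sg-id> <app-sg-id>".
# The CIDR is checked first so a bad argument leaves nothing half-built.
build_demo_sgs() {
  is_cidr "$2" || { echo "not a CIDR: $2" >&2; return 1; }
  BASTION_SG=$(create_sg bastion-sg "Allow SSH to the bastion" "$1") || return 1
  allow_ssh_from_cidr "$BASTION_SG" "$2" || return 1
  APP_SG=$(create_sg app-server-sg "Allow SSH from the bastion only" "$1") || return 1
  allow_ssh_from_sg "$APP_SG" "$BASTION_SG" || return 1
  printf '%s %s\n' "$BASTION_SG" "$APP_SG"
}

# Usage:  build_demo_sgs vpc-0123456789abcdef0 203.0.113.0/24
```

Outbound is left at the default allow-all, as in the lecture. To confirm the app server rule afterwards, `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<app-sg-id>` shows the port 22 rule with a `ReferencedGroupInfo` entry instead of a CIDR.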
instance Tye T2 micro then we need to go to network settings that's the important part for me because by default it's going to try to use the default VPC for that region we want to change that to the VPC end end point to the VPC you just created and this is the Bastian H the Bastian H is supposed to be in what's priv private or public Public Public Public Public Sub right so we are able to reach it so we need to change the subnet to public subnet to public enable enable public something that's what I mean enable auto assign public IPS you need to change to enable so that AWS attaches a public IP address to the server when is created okay if you do not do any of those things you will not be able to reach this basan H thanks select the um Security Group we created then you select the security group which you created so you go to select existing Security Group and Bastian Host this is the Bastian host you guys understand what we doing yes sir good then yes once we are done I guess the other settings can stay for then we can create this question I believe you're up to speed yeah well quickly the way we created the VPC did it automatically add the internet gateway igw for us yes it created an igw attached the igw to the VPC it created all the different rout tables it created different rout tables for the VPC because you remember that we said that H VPC has a def rout table when you do this way it creates each yeah each rout rout tables for each subnet okay so it does everything which we've been doing everything okay so somebody might ask that so this it was this easy why were we doing what were we doing yes yeah it's probably too easy yeah yes we're not used to it being this easy yeah we doing we're going the hard way so you understand what's happening makes sense sense please give me a sec right when I refresh again and see mine is running now so loging I believe it's low latency yeah huh everybody m is running that means hey today m is not wow so P okay now let's 
create um no Pro he is still pending it's not running yet it's going to it's going to come on are We launching a new instance yes for the server okay I guess it's going to be ready before is done with this one yeah and create the up server we call it up server we use the same uh um drro Amazon Linux 2 we ensure we using the right VPC um um ma please come down again did you take the second one second one Amazon Linux 2 air all right thanks um do we need a key yes we need a key PIR the same key we creating the second one sir no we're using the same Keir for both instances no I'm sorry I mean we creating another instance right yes we are creating another instance this is the important part this is the app server so where is it going to be okay so it's we name this app server okay my just show how what you did um so we I selected the key has to be the same as the bash and host which is the bus and keypad and then in the network settings we have to select the VPC in this created the VPC endpoint that um that we created this has to be private and it has to go in the will be in the server will be in the private subnet please um I don't know who ask the question Ure you you give your P Ure you give your the new server the name app server so when we see it in the console we know what we are dealing with okay okay sir so um okay the okay that's you so network settings we select the VPC we created we change the subet to private because we want our Observer to be in the public sorry private subet private subnet we do not want the UPS to have uh public IP so it stays disabled then we select the security group which we created from the beginning which is a up server SG which is the ab server SG which is refering the B who SG everything stays same SG okay it's private dis okay oh Pro should I create it should I launch the instance one second B leading just wait is everybody here somebody behind if if no complaints then you hit great everything being a call thank you you go back 
to your instances uh which instance no don't worry thank you you're welome this juncture we should have two instances in the same subet right yeah so in the same VPC sorry different subet same VPC so we want to SS into the basan H there are different methods of doing it so you can select the basan hes and you instance connect then you would Connect using the S key which you have which you created and um is there somebody in the call who at this point doesn't know how to S into a server I think we do will be probably still have forgot I think we've done it few times but the uh the scripts to do that may still um have to look it up or something the reason why I asked the question is not because I want to put somebody on the spot the reason why I asked this is because I want to use an easier way to establish this connection which is not going to the thing which we are doing I want to do SSH s SSH agent forwarding and he going to cut down a couple of our steps what what is on the what is on step six and step seven is everything you should already have been doing oh that's why I asked so if you look at if you scroll down to there is a note there in italic that step six and seven could be achieve using S agent forwarding that's what I want to use but I want to understand if there's somebody in the course in the class that doesn't know how to do um or haven't been able to SS into your server before you can do it okay all right let's let's do it this way Prof I think you can just use one step to do the SSH and then the next one will do the what what what you are telling us the app server we go to the new one you want us to learn no s agent folding is basically because the noral method is you need an SSH key to SSH into your server right so the S key we we remember we downloaded it is in your local so if you go to instance connect it's going to pick that SSH key using this- I in that command select the basan H and go to connect what I'm what I'm saying there is a d i in 
this command which is basically telling the identity it needs to use and it's using the public m point DNS so this will connect you into an instance that's what we've been doing but I want to do SS agent forwarding which is adding the SSH key which you downloaded into the SSH agent because SSH is a Serv which is running on your local is an agent you can add that key to the the agent then we want to carry that key as we SS into the basan host once you SS into the basan host the key is carried from your local machine into the basan hose then we can use the same key to S into app server that's why we use virually the same key to do the launchboard instances do you understand what I mean yeah yep good so let's do s key forwarding that's pasta where is where is Key forwarding then where where do we find the option I'm I'm going to take you through the stair steps in the in the the how do you call it the run which I gave you between steps seven and eight there's something I put in it Alex seven and eight yes yeah at the bottom at the bottom um um it's you're not going to find that on your how do you call it console console yeah I'm looking at my okay so everybody please let's do SS agent forwarding I am doing this because I assume that we all already comfortable logging into is two instances in the normal method that we should all know are we yes sir we need to a new way so so with the SS agent forwarding please you need to still do a CH mode from the basan host so change permissions on the key which you use for launching the is2 instances so you need to go to your terminal that's right yes search mode so you need to go to your terminal this is your local terminal somebody was asking a question what was a question I was asking how Marina you get to this page by selecting the instance and you just hit connect then it will take you there n that's not what we are doing okay that's this is instance connect that's not what we doing M yeah there are different methods of sshing 
into an instance instance connect with SSH will take you into that instance but it doesn't have that key which I need to move into the next instance that's why I want to use SS agent for forwarding gotcha let's go if except or else you can use instance Connect into the basan H then you would need to copy the pen fire into the basan H then another make another connection it's easier with SS a forwarding trust me as you get into the working environment this this method is makes your life easier and when you use it some people say okay this he understands Linux you guys are doing Linux now right now I think started yesterday good so let's use S agent forwarding so in your terminal as look for the keyp which you downloaded please go to your terminal Marena please pay attention can we use G bash or the teral yes I'm assuming G bash should work too because from gitbash you also do SS right yes yes so it should have the SS agent to be honest I never tested gitbash so fingers crossed but I assume it should work so my I need the private key which the private key which you downloaded so you need to CD into downloads um I have it here good you can do a GP if you understand but anyway forget about it so I don't confuse you C into download then you copy the chm basan chm 400 basan host that that changes the permissions of the key if the key is not there then it's going to throw us an error nothing happens it means it's there I'm so how do I do that there is a command when you want to connect to an instance using the SSS client on your console stay here just show me your console conso good that is a command three just copy C mode 400 basan host and you run that in your terminal the directory where your basan H key is is everybody here yep so run the command ss- add does no no space s iPhone add a a a ss- add for/ um um how do you call it I want to see if you have something in your agent already do iPhone capital L let me give me a minute let me put the command in the chart I 
want to run SS iPhone l so this command basically tells tries to list if they already arei my my agent so it says here the agent has no identities please the those who get bash please tell me you have this result if you're using your gig bash what would you do I just have to answer the command you just brought up yes go to G bash and you you have you already search m your basan no that's important please don't m is saying could not open a connection with your authentication agent are you in front no we just stay the same um you know DL as I said add DL that's what it shows it shows what could not open a connection to your authentication agent this is good bash yeah when somebody will get B show me okay if this doesn't work for G bash then we will do the normal thing this my G bash oh sorry so this your G bash do a CD please come again CD CD CD type CD enter oh sorry enter enter yeah I want to SSH add where Hy like yeah add space iPhone she's not in download directory no this this this I just want to this is the agent um iPhone the is it not called Dash Das I want capital L yes enter could not open a connection to your classification agent okay do a do do CD into downloads is it a space yes a space downloads download Capal from here I want you to type LS yeah what directory are you enter let's see no just go back go back yeah you guys will get comfortable with this as you're doing now you're in the downloads directory so so this tells you that you've changed your directory to the downloads okay don't worry please don't be overwhelmed with this thing you guys are starting l so you understand it if not we would organize two three Saturday session so that we trash some basic L things so you're comfortable with it okay if you do LS you see everything you download so if you do LS LS basically means list everything that in this this directory so we should be able to see the basan key which you created it should be here so now you have so many things here there are other 
commands for you to filter this, like grep and stuff like that, but let's forget about that. So do a chmod, the command which you do to change the permission: chmod 400 bastion.pem. You can copy it from your console. I think I already copied it there, not your console, in your clipboard. Cmd... right, 400. Should I paste it there? Yes. I want you to hear... nine... this is not what I'm looking for. No, I'm looking for the other command. This is, I think, command number four. I'm looking for command number three. Okay, good, that worked for me. Number three, this would work. You guys are not getting my point: this would work, I expect it to work, but I want to do SSH agent forwarding. So yes, enter. Okay wait, can you clear your screen? Where is this file? It probably doesn't... no, no, no, the problem is that the key... I think he used PPK, not pem. Yeah, PPK instead of pem. So you have to go to PuTTY to convert it from PPK to pem. Oh, just go and download it again. No, the thing is, you used the PPK to create the instance. True. Say we're looking for that pem. I don't know how to get it from here. Who is this? Francesca, yeah, thanks for sharing. All right, we're gonna have to use... can someone share, can someone share with pem please? I'll share. Okay, let me stop sharing. All right, stop sharing. Thanks. I got there. Leonard, get... that's what I'm looking for. So please type ssh-add. ssh-add space bastion.pem. Copy the name of that pem key and put it there. No, no hyphen. I want the name of your key, bastion.pem, that's what I want to add to the SSH agent, without the quotes. Okay, enter. Okay, you guys with Git Bash, it's not going to work. Let's forget about this method, you'll not be able to do what I want to do. Are we able to do it on the terminal? Yeah, your terminal works. It's not going to work. So what do we do? Let's go the normal way, the longer way. We can continue with the terminal though, we all have terminal, so we can still do it with the
terminal rather than Git Bash. What terminal is that, is it a Windows terminal? Yeah, Windows. To be honest I don't know, I don't know how to use Windows. Windows Terminal and Git Bash are almost the same thing for Windows, if your operating system is Windows. How do you get... he's on an Apple operating system. So Windows Terminal is going to be like the command line. Yeah, but the thing is I don't want to spend 15 or 30 minutes on this because we need to also go on. Yeah, it's not going to work; if it doesn't work on Git Bash for Windows it's not going to work on Windows Terminal, but it should work on something different. When I click on it... you're using a Mac, right? Using a laptop. Oh, what does it say? SSH, no option -i, -d, you see, and some user interface and something. Please copy the error message and put it in the chat and then I can make sense of it. But let's continue according to the run book. Forget about the SSH agent forwarding for now, okay. Basically, what SSH agent forwarding does is, you remember that you have this key pair downloaded on your local machine, and we always need this private key to be able to SSH. We used the same key pair to create the instances. So if we SSH into the bastion host and we want to jump from the bastion host via SSH into the app server, we still need that private key, which at the moment is not on the bastion host. You know that? Okay, yes. The private key at the moment is on your local. So what the SSH agent forwarding does is it copies the private key temporarily and it's moving with it. So if I SSH into the bastion host, there's a command: once you want to do SSH you do ssh then -A, which is basically telling it, please travel with my private key. It moves into the bastion host, it holds the private key; if you want to move into the app server now, it still uses the same private key which it already has, some kind of in its clipboard, to provide to the app server. Does it make sense? Yep. Good. But in this other way now, we have to do it the way we
have to do it. Now please normally SSH into the server as you would normally do, then you create a file in the server and copy the key into it, as in the run book. Are we together? So now we log onto our bastion host server first, right? Yes, yes. Now you log on to your bastion host server first. Okay, you said we shouldn't use it, that's copying, right, copying the example command on the console, right? Yes, copying the example command on the console, as you would normally log into the bastion host. So you go to the bastion host, you click on it, you click on Connect, you follow the steps that it gives. Marena, what are you showing us? Yeah, okay, we're expecting to see your console. Oh, my console, okay, let's go back to the console. This is the bastion host, so SSH client, this is what we want. Then you can copy... how is it called, the ID... you already chmod, then you do... yes, copy that. Wait, wait, wait, you use the example command, the example command which they give you, that should also take you into the instance. Can you split your screen? I don't know what you're trying to do. I'm trying to split the screen. If it's trouble, no problem, just let it be, then let's continue. Yeah, good, thank you, make it 50/50, that should also be fine. Francesca, are you able to SSH using your PPK? Yes, I use my PPK and SSH. So I was wondering, do I come out of it or no? No, no, I need... that's fine, PPK, not pem. PPK. PPK is okay. Now the question is, it's PPK format, how do you use that in the bastion host? Because in the bastion host we need to move to the app server. I thought the PPK was for PuTTY. Yeah, that was for PuTTY. Yeah, but I don't know, you try it, if it works, please... With pem, would I not clear... because I'm assuming Git Bash works with pem, right? But I'm not sure why I spun another one and it didn't get me in there. I'm not sure I understand your question. I spun another key but it still didn't let me in there, it didn't get into it. Let me... walk me through. I was not sure why it should have just gotten me into
it, because I spun another one, I was... my download for the pem. You launched another instance? Another key. Yeah, but you're using the key when you... once you're launching the instance, from creating the instance, you can't change that once the instance has been created. I got it. Why... okay, yeah, I think you're right. We can actually copy the pem instead and not the PPK. I said we should be able to go into the app server with the pem. Yes, you need a pem. So that's why I'm saying, those with PPK, I'm not so sure that works. I think there should be online resources to change PPK to pem, but I don't know. Yeah, I think you have to download PuTTYgen and then you can convert it. So I tried the example and I was able to connect. Me too. From where, which example? The SSH example from below. The agent forwarding, yeah, yeah, the agent forwarding, it's really fast. So now, you sharing, you have to go through the long procedure. You can take shortcuts while you're in the bastion host. You need to click on... you say yes, it's adding it. While you're in the bastion host, let me show you what I was talking about, the authorized_keys file. You run this command right where you are, just cd into .ssh, do cd .ssh, enter, do an ls so you see. cat, do a cat authorized_keys, enter. So you see, this is what I meant when I was talking about adding different SSH keys from developers. So this authorized_keys file is basically a door. So right now in this machine there is just one door, and the one door is the bastion host key. So if you have different developers in your team and you tell them, give me your public key, then you will come here and you add your public keys into this file, then they can use their private keys to connect here without you sharing the original pem file with them. Make sense? Yes sir. So do a cd. Do you add their public keys to the beginning or to the end of this? It doesn't matter, doesn't matter, the thing evaluates everything that is in the file. Okay, so you just give a space
from one public key to another. You add the key; once the person is trying to connect using their private key, the SSH agent is going to come to this file by default and go through all the keys that are in that file. If it finds the corresponding public key then it allows access; if it doesn't find it, it tells that person, please, you're not authorized. So, cd please, enter, I want to go back to home. So at this point I want to copy the pem key which you downloaded into this file, so you do a vi bastion.pem. vi is a method we used in creating files in Linux, okay, it's a Linux command, you get to it, you can use vi, you can use touch, whatever. vi, this is now opening a new file inside our machine, so we need to copy the content of our pem key and put it here, the pem key you have in your local machine, the private key. Menu, please. So you need to find a way to open this. It's easy, go back to your local machine, just do a cat. No, with the terminal please, terminal, you know he's a Unix guy. You're using a Mac, right, and that is what I think. Type Command-D, that should open another terminal for me. So close this, close this, I'm using iTerm, iTerm works a little bit different from this. So close, go back to your terminal, I want a terminal, okay. cat, look for your pem file. Is it here? You need to go to Downloads, cd Downloads, enter, ls. Is it there? It's okay. Okay, there you are, cat space bastion, yes, cat, enter. I want you to copy everything into your clipboard. If you leave something we have a problem. As you learn Linux there are other commands you can do this with, so there's something they call SCP, secure copy, you can use SCP to just push this key directly into that server, but I don't want to start... when we start using that, maybe it gets you a little bit confused. So basically we are copying it. So we SSH back into our bastion host. Enter, go to your bastion host. Can you blow up your screen so we can see everything? Then now we create the file which we
want: vi bastion.pem. You paste the content in here and you do... :wq bang, is it called? You wait, wait, wait, you press Shift... Escape first, sorry, Escape. Press Escape, colon, wq, bang. So you see, you see, yeah, somebody shared the... thank you. This is what I wanted to avoid with all the... with the SSH agent forwarding. Now we have to chmod this file you just created, so do another chmod here: chmod 400 bastion.pem. If you copy the connection string now for the app server and you try to connect from here, it should be able to connect. If I go on the app server, they go to Connect, just go to the last step, the last one, example SSH, that's it, right there. Go back to your terminal. So right now you're inside the host and we want to go now to our app server. Enter, yes. Please... passphrase for key? Was there a passphrase for that key? No. You can get it, please, do enter. Let me see, I'm not so sure. Permission denied. Why is it asking for a passphrase? That is a strange one. Is that the same thing for everybody? Oh, I haven't got here at all, I was just watching. Enter, yes. Let me see, still asking for a passphrase, right, this is a strange one. M is not even connecting, it just didn't do anything, just blank. Okay, M is connected without asking for a passphrase. Yes, so what you have to do, Mara, is that your bastion... if you spelt it with a capital B it might not work, so make sure that whatever name you have... because that's what I did, then I just changed it. I just copied the same thing and changed the name, so I used the cp command, changed it to the name which it is expecting. And let's see, yeah, now do an ls over here. Are you clear? Yeah, what? Clear, just type clear, not exit, clear. Is this the bastion host? Yeah, I created... can you ping Google, just do a ping to Google, let me see. Yes, that's the person... I recreate... Control-C, no, you don't do an ls, just type copy: cp, cp space bastion, then you do another Bastion with a capital B, capital B. What do I do? Bastion, but capital B is
okay. Now bastion.pem, enter, then chmod 400 for this B, the new one, we need to chmod 400 for the new one, yeah, then run the command. There is an issue with this your key. Yeah, I think... can you open your key? Maybe you copied something else in there, because if you don't copy the right thing, that's another thing. Do enter, enter, enter. Can you open... let me see the key. You need to exit anyway. Yes, cat. This... is this supposed to be here, the last... the percentage? The percentage is not supposed to be there. The percentage is not supposed to be there. Do a vi and get into the key and remove that percentage sign at the end. I will start by checking the key itself. Yeah, hit... type i, click on i, i means get me to insert mode, then you scroll down, use your arrow down, that arrow down, right to the end, okay. Okay, Escape, then escape, the same thing, Escape, :wq bang. Hold on, it says read only option is set, add ! to override. I think he has to do sudo for this one. No, now the file is read only, remember chmod is changing the permissions. Yes, change the permission. Just copy the file again please, that'll be faster. Yeah, copy this one, just copy what you have in here, you create a new file, and yes. How do I get out? Just press Escape, Escape, then :q bang. So the same command without w means don't save anything, no, just q, one q and then exclamation, you need a bang, you need the exclamation. Escape, yeah, okay, yes. So just remove this file, do rm Bastion. You don't really need to force, anyway go ahead, it's okay, it's okay, you create a new one, so the content is what you have in your clipboard. Prof, it's also asking for... permission... I'm also getting permission... I'm coming. Yes, 400. Now SSH should work. Want the SSH command from here? There you go, there we go. Mine is timing out. What is timing out? Connecting to the private... the app server from the bastion host. No, you're not going to have internet, no way, because remember we didn't... I was just
You're on the bastion host? Yes, I couldn't connect to the app server. Can you share your screen, a screenshot of your error message from there? So are we all here? We've spent a lot of time on this SSH, that's what I wanted to avoid with the agent forwarding. Who is having a problem? Balagon, yes sir, just share your screenshot of the message in chat, that's faster. Something like that. Are we all here? No. Are we here? No sir, I'm just saying permission... do you mean... yes. Okay, we would go ahead just for the sake of the recording, then I would spend some time to troubleshoot those at the end. But I'm curious why you have permission denied. If you use the VPCs, we use the security group which you... yeah, I just sent my screenshot, give me a minute, I'm trying to open it. This server you're connecting to, its security group, is port 22 open? No, that... this is the app server? Yes. Did you open port 22? Yes, I believe so. On the security group, right? Yes, of the app server. Of the app server, let me look at it. Just make sure that the security group of the app server is set for 22 from the security group of the bastion host, then you can have connection. This should be a networking thing. Let's go ahead. So at this point if you try to do aws s3 ls, it should be able to list all... how do you say it, all the S3 buckets that are in the region where this your server is, okay. M, you're the one sharing, right? Good, yeah, that's what I did, SSH. Please, I will get back to you, let's just continue, then we'll troubleshoot your issue, but just pay attention so we... I'll try to fix it, yes, but I think your issue is your security group, or make sure you're using the right subnets. So at this point, if you do aws s3 ls, aws s3 ls, it's telling you that you do not have credentials, because you remember that you're making an API call to an S3 endpoint and it needs credentials for that. I'm sure you covered this with Prof Susan.
You need to always configure credentials for every machine that needs to make a connection to AWS. If you're on your own local machine, you're able to use the AWS CLI because you configured credentials on your local machine, right? Yeah. So even though the server is within AWS, it hasn't got credentials to make API calls to other AWS endpoints. So there are multiple ways of doing this. The easier method, we can attach an instance role to this instance and it would give it the permissions that the role has, or you can configure the CLI of this instance, okay. Francesca, are we good? Yeah, are we good? What is it? I'm still with the issue although I spun up another instance. I'll get back to you, please just put a pause on your issue, we'll talk about it at the end, and follow up what I'm saying, okay. So we are inside an instance in AWS, but we're trying to make API calls to an endpoint and we need credentials to make that API call. If you remember when you configured your laptop, you passed it credentials by configuring your profile and you put secret keys and access keys, and each time you're making a call from your local machine, by default that call goes and uses the credentials which you passed, okay. So this machine, that's why it's telling you that there are no credentials, it needs credentials to make calls to AWS endpoints, okay. So there are multiple ways of getting this done: we can attach an IAM role to this instance or we can configure the credentials, okay, and I think the role is faster. Are we together? Yes sir, yes. So either way works. So is there somebody here that cannot attach... configure the CLI? There are screenshots in the run book. So you basically do aws configure, then you follow the steps. You need an access key, you pass the access key, you need the secret key, you pass the secret key, and that should be it. So in this case it means you would have a user in
your account. You can just go to that user which you have, or the keys which you've generated, and you use those keys. That should solve the problem, okay. If you do not have the key, each user can have, I think, up to two keys, so if you already have a key you can just go add another key pair and for the IAM user it will generate you another set of keys you can use. Are we together? Somebody was about to ask a question. The region, what region are you in? us-east-1. So others can attach a role. If you attach a role to that instance that would also work, that would also give the instance the permissions. Can you walk us through the role? Sure. Are you done configuring your CLI? What about the output format, is it just JSON? JSON is fine. Yes, I'm done. Okay, now bring us back your... do an aws s3 ls. It should not tell me about credentials issues again, but you should not be able to list S3 buckets in your account, because we do not have a gateway endpoint yet. So now we're good. So exit, do an exit, so that takes me back to the bastion host. Do an aws s3 ls here, we should have credential problems because you did not configure this. Right now, to solve this problem using the role method which I talked about, go back to your console. Sorry Prof, if you do not specify the region name, does it matter? The region name basically means the default region that you're working in, right? Please mute, person. It's always good to specify. I'm not so sure I can tell you the issue you might face if you do not specify, because I've actually never done that, but basically your specifying means this is the default region. For example, when you're doing Terraform, when you start creating resources using Terraform or CloudFormation, you need to tell Terraform in which region to place those resources. If your resource itself does not... if you do not pass a region to it, then it uses the default region in your profile, okay. So here we need an IAM
role. Go to EC2, EC2, no, EC2, good. I want the bastion host server. Go to Actions, Security, Modify IAM role. So this is demo role, read only, I think this can also work, but you do not have a role here, so we can create a role. So you can create a new IAM role. Those asking, I hope you're following up. So we are just creating a role for EC2. So you go to Create role, Create role, right, yeah, so AWS service, that's it. So go down, service name EC2, use case, service use case, then you look for EC2, that's it. Then you go to Next, give the permissions, so I can give it admin permissions for this case so we don't start troubleshooting. Please just click on admin permissions, then we create this role. Give Next, give the role a name, so we call it vpc endpoint role, VPC endpoint role, then you create the role. Invalid role name, it should be no space. Then you do the same thing which you did: go back to the instance, Security, Modify IAM role, then you look for this role, refresh. Once you attach this role to the instance, go back into the instance and run the s3 ls thing again. We should not have credentials problems because it should be using the credentials that it gets from that role. Are we together? Mike, which instance are we using, the bastion host? Any of them would work. So we have done both ways, any of them would work, so you can either configure your CLI or you attach a role to it. Is this the bastion host? This is the bastion host. So run aws s3 ls, let's see if we have credential issues. Reboot the instance please, I think it's taking time to propagate. Just go back to the instance and reboot. You can also type reboot here but it's going to kick you out, it's still going to kick you out anyway. Then you connect back into the instance. Just do an up arrow, it should give you the last command you used, up arrow in your terminal, the last command you wrote. Go to the end, copy the command from your console, but an
up arrow should have taken you to the last command you ran, which should be the command that took you into the instance. I exited back into the bastion host, I think that's why it's not working. No, right now you're on your local, so go back, enter. It's still rebooting. I think I'm going to take about 15 minutes more of your time today. Why are we not in the instance? I think it's rebooting. Just do Control-C and do it again. Oh, I see why it's not working. Why? I think I named it with a small b in my folder. Then do that. Oh God, I hope you did not change this and we have to start doing all... It should be all right if I'm connecting to it, it should be all right with a file in the bastion, and do that, let's see. Good, so run the aws s3 ls here, up arrow should be fine. So now we don't have configuration problems, okay, now we have permissions, and you see that this can list buckets, these are the buckets you have in your account, yeah, in your region, okay. So the bastion host is going through the internet gateway over the internet to get to this bucket, but you have the same credentials on your private server, and nothing happens because there's no route to the internet, okay. So that's what we want to solve using gateway endpoints. So now let's go back to the console and we create our gateway endpoints. So for us to create gateway endpoints, can you enlarge your... now I want to remove the terminal, we don't need it right now, or you can compress it. Good, so we go back to the console, go to VPCs, and we go to VPC endpoints. Go to VPC, sorry, VPC console, you scroll down and you see Endpoints. So if you see Endpoints, you look right under Endpoints, you have Endpoint services, that's what I was talking about, endpoint services, okay, but we want Endpoints. So we want to create an endpoint, so we give the endpoint a name, we can call it s3 gateway endpoint. So it's here you see, this is the type of connections you can make. So S3 is an
AWS service, so AWS services; provided by AWS PrivateLink, that we're talking about; other endpoint services; AWS Marketplace services, okay. So these are the different types of connections you can use endpoints to make. So we need to search the service which we want to make connection to, which is S3. Search S3. So we are not using an access point, we are not using Outposts, we want S3, please, yes, that's okay. Then we want to select the S3 endpoint, not access point, not Outposts, not Express, we want the normal... where's my pen... the interface here, this is what we want. So I want to select S3, yes, with the gateway endpoint, okay. Yes sir. I'm sure you guys did S3, so there are what we call Express, access points, S3 Outposts, those are other features of S3, but the standard S3 is... those are the standard S3, okay. So once you select the gateway endpoint, we need to select the VPC that we want to VPC endpoint, the VPC endpoint, and we want to select the route table that we want to associate the gateway endpoint with. So in this case, what is it going to be? I was expecting a chorus, probably you don't sound convincing. Ev, what would it be? Private. It's got to be one of them. Private. I think it's public. Get to the S3 through the private... what do you think it was going to be? So our S3 is going to be outside of our VPC. So if the S3 is outside your VPC it's going to be public, okay. Those that say public, can you tell me why it's a public subnet that we need to select here? It's going to be a private. Why private? Because we are connecting it through the server in the private subnet, okay. Any other reason from somebody? That's... yeah, Miriam, what do you think? I'm thinking it's going to be public since S3 is public facing. Okay, this makes me feel like you do not get the concept. I think it's public, it has to be public, it has to be public because... oh okay, go ahead. I was going to say it's a gateway endpoint and a gateway endpoint uses the endpoint to
connect you to services outside your VPC. Ah, but is a route table... that's so far true, but I'm asking that in this VPC which we want to connect, we want to associate, which route tables should we select? There's a public route table and there's a private route table, so which of the route tables do we need? Private table. The private is attached to the... okay, give me a minute. The person that says public, why public? I want to understand your reasoning, please. I'm not trying to put anybody on the spot, I want to understand your reasoning and see where, if there is a confusion, where the confusion is. You think it's public? I would say public because there is no way for the gateway to connect... for the private subnet to connect to S3, because it needs to connect via internet. Okay, and if it's a private subnet that needs to go through S3, then why are you associating your gateway to the public subnet? Because your gateway is outside your VPC network, even though it's within AWS, but it's outside your VPC, your gateway is outside the VPC, okay, we already saw that. Yeah, is somebody about to say something? I still want to hear. I was going to say that your gateway is not outside, it's attached to your VPC. Yeah, if you're going to go through the private subnet you need to have an interface endpoint, but since we didn't configure an interface endpoint and we configured a gateway endpoint, what's happening is that it is going through the gateway endpoint to access your S3, and because the private subnet doesn't have a NAT gateway it's not going to have access to the... Let me say this again. We have two subnets and we said S3 is in the public space. If you have routes to the internet gateway, traffic leaves your VPC through the internet gateway to the internet and back to S3 in the AWS public space, that's what we said. If you remember, Marena already tested from the bastion host and he was able to reach
S3, right? Yeah. Did you all see that? Yes sir. He was able to reach S3 because if you look at the route table attached to the public subnet, there is a route to the internet gateway, so that traffic leaves via the internet gateway back to S3. But if you do that from the private subnet it times out because there is no route to S3. If you want to reach S3 now from the private subnet without using a VPC endpoint, you would need a NAT gateway in the public subnet, then you can connect your private subnet to the NAT gateway, which then transfers your connection through the internet. That still goes through the internet, but like we said, companies don't want that. We want to stay within the AWS network and we want to be able to reach S3. So in this case we are not attaching the gateway endpoint to the public subnet, because the public subnet already can reach S3 publicly; we are attaching S3 to the private subnet, okay. We can also attach it to the public subnet, that would work, then there's something they call in routing, they say longest prefix takes priority, then it's going to use that to get to the S3. But for the purposes of our demo, which I explained at the beginning of the session, we want to be able to reach S3 from our private subnet without traversing the internet. Does it make sense now, Ev? Yeah, that makes sense. Yes, bro, it does. So which route table are we taking now? Private. Private. I think we're taking private. Can you scroll up a little bit? I'm sorry, once you select the VPC, select the right route table, then you can click on Create VPC endpoint. I guess I can go ahead and create it, yeah. So now let's look at the route table of this private subnet. Where is the route table of the private subnet, please? The route table, yes, I want the route table of the private subnet. Private. So I'm seeing the public, where is the private? The second one in the... it's supposed to also have a name, VPC endpoint route table private. Private, yeah, scroll down, I think
it's covered. Yeah, right there, that's it. If you look at the routes, refresh, refresh, VPC endpoint private, I want to look at the routes. This is what we call a prefix list, can you see that? So now you're seeing that AWS has added onto this route table a prefix list for all the CIDR ranges that can reach S3 in that region, and it's telling you that the target of this prefix list is the VPC endpoint which you just created, that's why it's called VPC... Does it make sense to you now? Yeah. So click on the prefix list, click on that destination, pl-63..., let me show you what a prefix list is all about. Click on it again, click on it. Yeah, you see, a prefix list is just different CIDR ranges that have been bundled together to make it easily manageable. So there are different CIDR ranges that have been added here, so AWS is saying that the IP of your S3 endpoint can either be from the 161..., 182..., 1834..., 3552... and all that, okay. So these are AWS managed prefix lists, so if there's any update they will do it and it will be automatically updated for you here. Victor, is it clear now? Please... oh yes it is. Please can you explain it again, I didn't quite get it. A prefix list is basically a set of IP address ranges, okay. So remember, these are six different IP address ranges. If we wanted to add this on our route table we would need to add a destination of this, another rule for this destination, another rule for this destination, and for this and all this. There are some services, for example CloudFront, they have ranges that are even up to 50 different CIDR ranges, so if you want to add that on your route tables you have to add those entries 50 different times, okay. So for manageability, for better user experience, there is what we call a prefix list, which basically bundles all those different CIDR ranges into this simple service prefix list, then you can reference all these CIDR ranges by
just calling the prefix list on the route table, which is what AWS does for you by adding that prefix list on your route table. Does it make sense? Yes bro, thank you. So at this juncture, now that we have a route to S3, can we go back to our app server and see if we can call S3 again and see the buckets that are in that region? In your bastion host, you need to go to your app server, the command should be there, just go back into the bastion host which you are already in, you up arrow, up, up, up. Yes, now you're in your app server, you should be able to reach S3 now. Boom, you're there, it works. So the traffic now is going through the gateway endpoint, it's not going over the internet. Congratulations. Well, thank you, that was awesome. Good, that's basically what we wanted to cover today. Any question so far? You can clean up by destroying your instances and also deleting the gateway endpoints, or deleting the VPCs if you want, okay. I think going forward each time we will need a VPC I will create one so we are all on the same page. But the VPC doesn't cost, right? It absolutely doesn't cost. Is the role going to cost, the one that we created? No, it doesn't cost. What did you say we delete again for clean up? These two instances, you have those two instances there, they will cost if you're out of your free tier. So can I stop the recording now? I think this should be just beyond 15 minutes above time. Yes bro.
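As an added example (not from the session or its run book), a small Python pre-flight check for a private key pasted into a file on the bastion host, covering the three problems the class ran into above: a stray `%` left after the END line when the key was copied from a terminal, a file that was never `chmod 400`'d, and a file name whose case differs from the one the connection command expects. All file names and key contents here are constructed; no real key material is used.

```python
"""Pre-flight checks for a pasted PEM private key file (added example).

Catches the failure modes seen in the lab: prompt debris after the END
footer, permissive file mode, and a file-name case mismatch.  Assumes an
unencrypted key as the EC2 console issues (no Proc-Type/DEK-Info headers).
"""
import base64
import os
import re
import stat
import tempfile

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z ]+)-----$")


def check_pem_text(text):
    """Return a list of problems found in the PEM text (empty means usable)."""
    problems = []
    lines = text.splitlines()
    if not lines:
        return ["file is empty"]
    if not BEGIN_RE.match(lines[0]):
        problems.append("first line is not a -----BEGIN ...----- header")
    # The END footer must be the last non-blank line and must match exactly;
    # a '%' or other shell prompt glued to it is the classic paste mistake.
    end_idx = next((i for i, l in enumerate(lines) if l.startswith("-----END")), None)
    if end_idx is None:
        problems.append("no -----END ...----- footer (key truncated?)")
        return problems
    if not END_RE.match(lines[end_idx]):
        problems.append("END footer has trailing characters: %r" % lines[end_idx][-5:])
    trailing = [l for l in lines[end_idx + 1:] if l.strip()]
    if trailing:
        problems.append("extra text after END footer: %r" % trailing[0][:20])
    # The body between header and footer must be clean base64.
    body = "".join(lines[1:end_idx])
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("key body is not valid base64 (partial paste?)")
    return problems


def check_pem_file(path):
    """Check file mode (ssh refuses group/world-readable keys) and then contents."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %o is group/world accessible; run chmod 400" % mode)
    with open(path, encoding="ascii", errors="replace") as f:
        problems.extend(check_pem_text(f.read()))
    return problems


def find_key_file(directory, expected_name):
    """Return (exact path or None, names that differ only in letter case)."""
    names = os.listdir(directory)
    if expected_name in names:
        return os.path.join(directory, expected_name), []
    near = [n for n in names if n.lower() == expected_name.lower()]
    return None, near


def demo():
    """Write constructed sample files into a temp dir and run the checks."""
    # Constructed stand-in for a key body: base64 of a harmless string.
    body = base64.encodebytes(b"not a real key, constructed for the demo " * 4).decode()
    good = "-----BEGIN RSA PRIVATE KEY-----\n" + body + "-----END RSA PRIVATE KEY-----\n"
    with_debris = good.rstrip("\n") + "%"  # what a copied zsh prompt leaves behind
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "bastion.pem")
        bad_path = os.path.join(d, "pasted.pem")
        for p, content in ((good_path, good), (bad_path, with_debris)):
            with open(p, "w") as f:
                f.write(content)
        os.chmod(good_path, 0o400)
        os.chmod(bad_path, 0o644)
        # The connection command expects "Bastion.pem", but only lowercase exists.
        exact, near = find_key_file(d, "Bastion.pem")
        return {
            "good": check_pem_file(good_path),
            "bad": check_pem_file(bad_path),
            "exact_found": exact is not None,
            "near": near,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```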