Transcript for:
Fundamentals of Networking and AWS

Hello everyone, my name is Abhishek and welcome back to my channel. This video aims at explaining the networking concepts right from the fundamentals; even if you don't understand what exactly an IP address is, you can go ahead and watch this video. This is a 3-hour-long video. I broke this video down into five chapters, and using each chapter you will learn networking concepts, and towards the end of these five chapters you will implement two networking-related projects on AWS. So you will not only learn the networking fundamentals, you will learn advanced networking concepts on AWS, and you will be able to implement a two-tier architecture project, as well as learn advanced networking concepts such as security groups and NSS. So what are you waiting for?

IP address. An IP address is a very simple concept. An IP address is used to generate, or to provide, a unique address for a particular device that is connected to your network. Don't worry, I'll make it simple. Let's say you have a home network: there is a house, and within this house there is a Wi-Fi or local network that is created through a router, and there are two people living in this house, and each person has two devices, so overall there are four devices that are connected to this local network or Wi-Fi network. Now what happened was, one of these devices was used to connect to a payments website and made a payment. You want to track which of these devices was connected to this payment website, and you want to block access in the future. Probably also there's a kid in the house, and you might want the device that is used by the kid to be blocked from accessing Instagram, or you might want one person who is using a particular device to be blocked from accessing youtube.com. Now, if each of these devices does not have a unique identification number, how can you do that? It's practically not possible, and you will end up blocking all these devices' access to these websites. So to avoid that, each of these devices should have a unique number, and that unique identification is nothing but the IP address. It's not just about blocking access; probably you want to track the activities of a particular device, or you want to monitor the activities of a particular device. In all of these cases the IP address comes in handy.

Now your next question should be: "Abhishek, okay, I understood an IP address is a unique number that is given to a device. Let's say in my house there are four devices; each device gets a unique IP address. But my next question is, how does this unique address look? You said this is a unique address, but how exactly does it look?" So just like human beings have names, or houses have a house number, which is unique (of course human beings' names are not unique, but if you talk about houses, you have a unique identification number for each house), this particular representation is done through IPv4 for devices. There is also a standard called IPv6; we'll talk about it later. But for generating a unique address for each device, the standard that is followed is IPv4, and using IPv4 you can generate a huge number of unique addresses. Now why is that required? You might say, "Abhishek, why do I need to follow this particular practice? In my house network there are only four devices, so I can simply say one device is 1.1, one device is 1.2, the third device is 2.1 and the fourth device is 2.2." Now each of them got a unique identification, but what if there are 10 more devices that got added, or instead of this house let's take the example of your school or your university, where there can be 10,000 or 20,000 devices that are connected to a particular network. So for each of these things, to maintain a proper standard (see, for your house if you maintain this particular standard, then for your school and university you have to create a different standard), the one that is used is IPv4. So using IPv4, what you will do is generate a unique identification number in a format such as 172.16.3.4 or 10.1.2.4. So these are the IP addresses; that is, if you are using the IPv4 standard for your device, you will see addresses in this particular format. Today you can go to your laptop and type the command called ifconfig or ipconfig and you will see this kind of representation for your device. Now these things are called IP addresses.

Now let's try to understand what is the significance that you get when you assign this kind of number. If you watch carefully, for each number there is a dot, right? Here there is a dot, here there is a dot, here there is a dot and here there is a dot. What is the advantage? The advantage that you get is that each of these numbers can vary from 0 to 255. That means the number of unique identifications that you can generate is 0 to 255 multiplied by 0 to 255 multiplied by 0 to 255 multiplied by 0 to 255. So this is the number of unique IP addresses that you can generate using the IPv4 standard. Now your next question has to be, "Abhishek, why 255? Why can't it be 0 to 1000?" So with the IPv4 standard, of course this is a number that you see, but a computer does not understand numbers, it only understands bits. Each of these numbers is one byte, or eight bits, right? So overall, what exactly is an IP address? An IP address is nothing but four bytes or 32 bits, and each byte is separated by a dot. So how would an IP address look? IP addresses look like 0 to 255, 0 to 255, 0 to 255, 0 to 255. Got it? So why 255? That is because in computer language, in the IPv4 standard, you have four bytes, and one byte is nothing but eight bits, so four bytes is nothing but 32 bits. So overall, each of these numbers that you can see can vary from 0 to 255 only. This is a standard, you cannot change it, and this standard is called IPv4. If I repeat one more time, got it? So how do IP addresses look? Tomorrow if you create an EC2 instance or a virtual machine in Azure, what are the numbers that you would usually see? You will not see something like 600.400.150.10; this will not be possible. Numbers that you would see can probably be 192.168.12.14. Any number in all of these four places that are separated by a dot should vary from 0 to 255 only. I know I'm repeating this multiple times, but I want to make sure you all understand how the IP address is represented: it is only represented between 0 and 255. That is because in computer language IPv4 represents IP addresses in four bytes, and each of the four bytes is nothing but eight bits. And how are these eight bits represented? If I have to write this IP address, I have to write 32 hyphens. For example, okay: 1 2 3 4 5 6 7 8, this is one byte; 1 2 3 4 5 6 7 8, this is another byte; 1 2 3 4 5 6 7 8, this is another byte; 1 2 3 4 5 6 7 8, this is another byte. So this is byte one, byte two, byte three and byte four. This is how IP addresses are represented.

Now when I say 192, what happens? How does the computer understand this 192? The computer understands this 192 as 1 1 0 0 0 0 0 0. Now how did I write this particular thing? That is very simple: for each bit that you see here, you start with zero; you call it 2^0, this is 2^1, this is 2^2, this is 2^3, 2^4, 2^5, 2^6 and 2^7. Because the first number is 192, 2^7 + 2^6, that is 128 + 64, which comes to 192. This is how the computer understands your IP address. The reason why the maximum number that you can see here is 255: even if you put 1 1 1 1 1 1 1 1, the computer understands this as 2^0 + 2^1 + 2^2 + 2^3 + 2^4 + 2^5 + 2^6 + 2^7, which combined comes to 255. That's why the maximum number in an IP address can be 255 only. If you see something like 192.600.12.254, this is not an IP address, because 600 is not possible. Now I hope it is very clear how an IP address is represented in the IPv4 format. Now if you want to try out a few IP addresses, you can give it a try; your assignment can be: convert this particular IP address, that is 172.32.16.1, into the format that I have explained, that is, using the bits format. How does the computer understand this particular IP address? To do this, what you'll simply do is convert each byte into eight hyphens, and under these eight hyphens you can write 2^0, 2^1, 2^2, 2^3, and convert this particular thing. Let's say if I have to write this, by default I know 32 is just 2^5. So this is the first decimal, second decimal, third, fourth, fifth, sixth, seventh, right? If I have something like this, in the fifth place I'll just put one and in all of the other places I'll put zero. So this is how an IP address is converted into the decimal, sorry, hexadecimal, or octet format. It's octet format, it's not hexa. So this is how a number is converted into octet format and how the computer understands the IP address. Perfect. Now you will understand at a later point of time why I'm stressing so much on this particular representation; when we try to understand subnets and CIDR this comes in very, very handy. So I hope the IP address part is clear.

Now let's move to the next concept, that is subnet. "Abhishek, IP address is very clear." Let's say I have a home network or a school network, and within the school network what I'll simply do is, whenever I'm creating this particular network, let's say I'm creating a VPC on AWS or I'm creating something on OpenStack, I'm requesting the network provider for, let's say, some 65,000 IP addresses, and I got 65,000 IP addresses. I know the maximum number of people that would connect to my network; if it is a school network or office network, the maximum number of people that would connect to it is only 40K, so I have just taken 25K IP addresses as a space, so I know this amount cannot be exceeded. Now I'll create a school Wi-Fi or office Wi-Fi; let's call it office Wi-Fi, and we will call this office Wi-Fi "free Wi-Fi" because anyone can connect to it. So any new employee that is joining this company has started accessing this network: this person, this person, this person, everyone has started accessing this free network. Now what happened one day was, there is this employee who accessed a malicious website. So this person has accessed a malicious website that was written by a hacker, and because this person has accessed it, the hacker got access into this particular device. Now if you understand carefully, all of these devices are connected to the same network. That means the hacker got access to one device, but because they are connected to the same network, the hacker can access all the devices, right? So technically all the devices are hacked. Now if this is your office network, there can be some sensitive files, or there can be the payroll of the employees, or there can be some financial data of the company that is stored on some servers, such as your bank details or any such thing. So the hacker got access to everything; your complete company network got hacked. Now this should not happen, right? Of course this should never happen. So there is a concept in networking which is called subnet. What exactly is this concept of subnet? Very simple. Subnet, if you look at the name itself, says sub-networking. If you take the same example, you can create a VPC in AWS or you can create a new network on your OpenStack with 65,000 IP addresses, and what you will simply do is say: out of these 65K IP addresses, or out of this complete network, I will split it into two parts. One network I will use only for finance-related things, all the sensitive information of the company; I will call this network the secure network. Like sometimes, if you go to your company or if you go to your school network, you will see some secure networks which you don't have access to, and then you'll have some free network. Or this network can have a password, but this will be shared: if you are an employee you just go to your admin and you ask for a password and they will share this password with you. So I'll call it the free network. So I will try to split this network into two parts, and I will say network one should be strictly used by the finance team and network two can be used by anyone. Now even if one of these people tries to access a malicious website and the hacker gets access to it, all the devices in this particular network are compromised, but still all of these are sensitive; this is important for the company. This concept is called subnetting, and this particular network is called a subnet, and this particular network is called a subnet. Why are they called subnets? Because they are part of a bigger network and you have tried to split it; that's why you call it a subnet. Right, understood the advantage of creating a subnet? The advantage of creating a subnet is you get security, you have privacy and you have proper isolation. That's why subnets are used. Today you can go back and you can create a subnet in your home Wi-Fi network as well; you can say only the heavy-usage appliances should use a particular subnet and other appliances should use a different subnet. That's totally possible; you can create subnets in any kind of network. So this will give security, privacy as well as isolation.

Now I'll come back to the concept of subnet addresses, like how subnet one gets IP addresses and how subnet two gets IP addresses, but before that, just understand that there are two types of subnets: one is private subnet, two is public subnet. If you have ever used a cloud provider you might have heard about these terms, private and public subnet, but what exactly are these? So a private subnet is some network that does not have access to the internet, and a public subnet is a subnet that has access to the internet. That's the only difference; it's a very simple difference, right? So a private subnet does not have access to the internet and a public subnet has access to the internet. How do you do that? How can you enable access to the internet? Don't worry, it's a very simple concept. If you already know about cloud providers like AWS or Azure, all that you need to do is go to this particular subnet and attach route tables to this particular subnet, and as the destination of a particular route of this subnet you can provide an internet gateway, and that will grant access to the internet. Even if you don't know this particular concept, you can ignore it for now, because right now we are learning the fundamentals of networking. So just understand: access to the internet, public subnet; no access to the internet, private subnet.

Now let's go back to the concept that I was explaining. "Abhishek, you mentioned in the last slide in a very simple way that you have an office network, and in the office network you said you will simply split it into finance and a free subnet where everyone can join. You mentioned it in a very simple way, where there are 65K IP addresses, but how do you actually know how many IP addresses this finance subnet gets and how many IP addresses this particular subnet gets?" Overall, when you created this VPC in AWS you requested 65,000 IP addresses. What is a VPC? A VPC is nothing but a private network. So you have requested a private network from AWS and you said you need 65,000 IP addresses. Now you are saying you will create two subnets in the 65,000 IP addresses, one is finance and two is a free subnet that everyone can access. But how will you say that this finance subnet, let's say, only needs 256 IP addresses and this one needs the rest of the IP addresses? How will you divide that? It's very simple again. Wherever you are creating this subnet, if you're creating on a private cloud you have platforms like OpenStack, if you're creating on public cloud providers like AWS or Azure, in any of the cases, whenever you are creating this subnet you will be asked to provide a CIDR range. This is also pronounced "cider". So this CIDR is a way of explaining how many IP addresses are available in a particular subnet. Here I want to say my finance subnet just needs 256 IP addresses and the rest can be given to this free subnet where anyone will access this particular network. Now how will you do it? CIDR is the solution. How does CIDR work? The concept of CIDR is very, very simple; don't worry, I'll explain it in a very simple way. People usually find it difficult, but the calculation is very simple. So what you will do when you create this particular subnet: let's use AWS as an example. You will go to AWS and you will say I want to create a subnet. Of course you need to go to the VPC first; this is the VPC that you have initially created. You'll go to this VPC, inside the VPC you'll go to the subnet, and when you are creating the subnet you will be asked for a CIDR. When you want to create this CIDR, the simple solution is you say 172.16.3.0/24. So if you require 256 IP addresses you will provide /24. Now how did I do this? This should be your million-dollar question: "Abhishek, how did you understand that if I need 256 IP addresses I need to provide 172.16.3.0/24 or 192.16.4.0/24, whatever is the IP address of the VPC followed by /24? How did you understand this?" It is very simple again. Like I mentioned, you pick up any IP address in the VPC range. Let's say while creating the VPC you have provided the range as 172.16.0.0; I mean, you said the VPC IP address range should be 172.16.0.0 to 172.16.255.255, that is, you have 65,000 IP addresses. Now pick up any IP address; let's pick up 172.16.3.4. Let's take this as an example, and as I've told you, represent this in the octet format, that is 1 2 3 4 5 6 7 8, 1 2 3 4 5 6 7 8, 1 2 3 4 5 6 7 8 and finally 1 2 3 4 5 6 7 8. So I'm representing this particular IP address (you can pick up any IP address) in the IPv4 byte standard, where for each byte I have written the bits. So overall, if you combine, here there are eight bits, here there are eight bits, here there are eight bits and here there are eight bits. If you combine all of these things, what is the output? 32 bits, right? And as I have mentioned, each of these can represent only between 0 and 255, and I have mentioned I just need 256 IP addresses for the finance domain, so only this last part is enough. If I just provide 172.16.3.0 to 172.16.3.255, I got my required 256 IP addresses. So I don't need this eight, this eight, this eight; that means this eight can be common, this eight can be common, this eight can be common, and only this part will vary. So what was my VPC IP address? The VPC IP address was 172.16.0.0 to 255.255. So all these three parts can be common for my devices, so this can be the host network or the common part, and this has to vary. That's why I'm providing 172.16.3.0/24. Why 24? Because I've cancelled 24, that is, all these 24 bits can remain static, can remain the same, and only these eight bits have to vary. So that's why I said 3.0 followed by /24. Don't worry, I'll try to explain it one more time if you did not understand.

So what was my VPC IP address or the primary network address? 172.16.0.0 to 172.16.255.255; this was my IP address range. Now if I just need 256 IP addresses I can pick up something like 172.16.3.0, 3.1, 3.2, 3.4 to 3.255. What is the number of IP addresses here? 256 IP addresses. So this solves my problem. Either I can pick 172.16.3.0 to 3.255, or 172.16.4.0 to 4.255, 5.0 to 5.255; anything solves my problem. So what I can simply do is, if I need 256 IP addresses from this particular VPC range to provide to the finance network, either I can use 172.16.3.0/24, 4.0/24, 6.0/24 or even 244.0/24. I can provide any of these as the CIDR range for my subnet.

Now let's make it even simpler. Let's say this is my office network, and here, the same, I want a finance subnet and this is my free subnet, and in the finance subnet I just want two addresses, nothing more than that, and here I want to provide all the rest of the addresses for the devices that are getting connected. So if I just need two addresses, what I can simply do is provide 172.16.3.0/31. Why 31? If you remember the hyphens thing, there are 32 hyphens, out of which I have cancelled 31 hyphens, so there is only one hyphen left, and the value of one bit can be either one or zero, so there are two IP addresses that are generated. When you are calculating the CIDR thing, you should not calculate from 2^0. So if you have 32, out of which 31 are struck out, there is only one that is left. So always try to calculate 32 minus the number that is provided here: if 31 is provided, 32 minus 31, and 2 to the power of the number that is left. Here 2^1 is left, so the answer is two. Similarly, if we are taking 24 here, 32 - 24, what is left? 8. What is 2^8? 256 IP addresses. So if you just want, let's say, 32 IP addresses, what you will do: 32 minus 27 is 5, and 2^5 is 32, so I can simply provide /27 here. So depending on this particular calculation you will take the CIDR range. So if there is some subnet with a CIDR range like 10.0.0.0/8, what does that mean? 32 - 8, which is 24, so the number of IP addresses is 2^24, which is a very huge number, 256 into 256 into 256. So that's a very huge number, 2^24. So whenever you are seeing something with /8, it is also called class A IP addresses; if you are seeing something with /16, these are called class B; and you see /24, which is called class C. Here you just have 255, or sorry, 256 IP addresses, here you have 256 into 256, and here you have 256 into 256 into 256. This is just a common representation; don't worry. Most of the time you will see /8, /16 and /24, but along with that you might see /27, you might see /28, you might see /29 as well. Whenever you are seeing something like this, don't get panicked; the simple thing that has to come to your mind is 32 minus 27, which is five, so the number of IP addresses is 32. When you see 29: 32 - 29, which is three, so the number of IP addresses is 2^3, which is 8. Very simple calculation and straightforward. So this is the thing that has to be in the back of your mind. Next time when you create a VPC, observe these things carefully, or when you are on OpenStack, you are on Azure, anywhere, whenever you are creating a new network it will immediately ask you for the range of that particular network. So let's say when I'm creating a VPC it will initially ask me for a range, and the range I can provide like I told you: either 10, 172, 192, anything. So I'll just say 192.16.0.0/16, that is, I will have 65,000 IP addresses, and now when I create subnets inside this VPC, depending on the requirement from the development team, if they are asking for 32 IP addresses only, what I'll simply do is say 192.16.3.3 or 4, anything, here 3.0/27. This is what I'll give you. And why I'm doing it very quickly is because I'm very used to this particular calculation. You can take a few calculations as examples; on the internet you just search for CIDR calculators, you will get hundreds of them, and verify if your calculation is right. So tomorrow if someone is asking me, "Abhishek, this is my VPC and I want to create a new subnet with 64 IP addresses, I just want a subnet with 64 IP addresses," immediately what I'll do is look at this IP address randomly; I'll say 192.16, whatever is my favorite number, so I'll just say 5.0/, okay, 64 is 2^6, so 32 minus 28, sorry, 26 is six, so 2^6 is 64, so I'll just say /26. Now, why am I only modifying this particular number? Because they are asking for below 256. So below 256 I'll just modify this particular thing; this will be static, I'll just put this as zero. If they're asking for more than 256, let's say someone is asking me for 65,000 IP addresses, what I'll do is 192.16.0.0/16; this is the CIDR range that I would provide. I hope these examples made the concept of CIDR clear to you, and what you will do is go to the CIDR calculator on the internet and take random numbers like this and try to estimate what will be the CIDR number for it or what will be the number of IP addresses for it. I can give you some assignments: what is the number of IP addresses for this particular CIDR range? Okay, let me write a new one. What is the number of IP addresses for this particular CIDR that you see, 172.168.3.0/30, and what is the CIDR for 10.0.0.0/8? So in the comment section you can mention what will be the number of IP addresses for both of these CIDR ranges. Let me see how many of you can get this right. And before we move to the next topic, there is one more thing that you have to remember: most of the time when we talk about private subnets you will see these numbers only, 192, 172, 10. Why you would mostly see these numbers is because these are the ones that are used for private subnets. So this is just like a practice.
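As an added, runnable illustration of the calculations above (this code is not from the video), the script below converts a dotted address into the four octets of bits, computes 2^(32 - N) addresses for a /N and the reverse, finds the first and last address of a CIDR block, and checks whether an address falls in a private range. The exact private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are taken from RFC 1918 rather than from the video, and every sample address is constructed.

```python
# Added example (not from the video): IPv4 and CIDR arithmetic done the way the
# transcript describes it, with plain integer math so every step is visible.
# All addresses below are constructed for illustration.

# RFC 1918 private blocks; the video only mentions the leading numbers 10, 172 and 192.
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_ipv4(text):
    """Turn 'a.b.c.d' into a 32-bit integer, rejecting octets outside 0-255 (so '192.600.12.254' fails)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: an IPv4 address needs exactly four octets")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{text!r}: octet {part!r} is not in 0-255")
        value = (value << 8) | int(part)  # each octet is one byte: shift the earlier ones left by 8 bits
    return value


def is_valid_ipv4(text):
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def format_ipv4(value):
    """Inverse of parse_ipv4: 32-bit integer back to dotted form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_octet_bits(text):
    """The 'hyphens' view: four groups of eight bits, 2**7 (128) on the left, 2**0 on the right."""
    value = parse_ipv4(text)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_count(prefix_len):
    """Addresses in a /N block: N bits stay fixed, 32 - N vary, so 2 ** (32 - N)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return 2 ** (32 - prefix_len)


def prefix_for(count):
    """Reverse calculation: the /N that gives at least `count` addresses (256 -> 24, 64 -> 26, 2 -> 31)."""
    varying_bits = 0
    while 2 ** varying_bits < count:
        varying_bits += 1
    if varying_bits > 32:
        raise ValueError("more than 2**32 addresses do not fit in IPv4")
    return 32 - varying_bits


def cidr_range(cidr):
    """First and last address of a block; host bits in the given address are cleared."""
    text, prefix = cidr.split("/")
    prefix_len = int(prefix)
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF  # ones for the fixed bits, zeros for the varying ones
    network = parse_ipv4(text) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return format_ipv4(network), format_ipv4(broadcast)


def in_block(ip, cidr):
    first, last = cidr_range(cidr)
    return parse_ipv4(first) <= parse_ipv4(ip) <= parse_ipv4(last)


def is_private(ip):
    """True if the address lies in one of the RFC 1918 private blocks."""
    return any(in_block(ip, block) for block in PRIVATE_BLOCKS)


if __name__ == "__main__":
    for ip in ("192.168.12.14", "172.32.16.1"):
        print(ip, "->", to_octet_bits(ip))
    print("192.600.12.254 valid?", is_valid_ipv4("192.600.12.254"))
    for n in (31, 27, 24, 16, 8):
        print(f"/{n} holds {address_count(n)} addresses")
    print("256 addresses need a /", prefix_for(256))
    print("172.16.3.0/24 spans", cidr_range("172.16.3.0/24"))
    for ip in ("172.16.3.4", "8.8.8.8"):
        print(ip, "private?", is_private(ip))
```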
so even with Amazon or wherever you are creating you would see these numbers as the starting ones when you create private subnets because these are the numbers that are used for private subnets right so when you are creating a private subnet your cidr range cannot be 3.4. 5.6 or 5.0 SL 24 this cannot be your thing because probably this public one of these public IP addresses has been taken by some particular website for example 8.8.8.8 is a public IP address that is taken by google.com this is the DNS for the google.com so if you keep this for your application there will be a conflict so anytime private IP addresses should be starting with this only right so I hope this concept is clear so what did we cover till now till now we covered the concept of IP address we covered the concept of uh cidr we covered the concept of subnet within subnet we try to cover what is private subnet we try to cover what is public subnet as well these are the things that we have covered till now and the next concept is about ports ports is again a very very simple concept you don't have to get confused with it so whenever we provide IP addresses to connect to websites we provide some ports right uh colon 80 colon 443 or we say uh colon 36 or colon 808 what exactly are these things so basically to bind an application so let's take a virtual machine okay on this virtual machine I have deployed an application okay now on this virtual machine there can be number of applications okay so what you you can do is for application you can provide a unique Port again ports are also in a particular range only you cannot create port with number one lakh right so and there are some ports that are taken also right for example um there is a specific for port for MySQL better not to take that particular port or uh there can be a uh port for Jenkins usually Jenkins starts on 8080 so better not to take that particular port so whenever you are starting your application start with unique ports such as 9,000 
right or you can take 9191 these kind of ports right for example better not to take ports like 3306 which are taken by other kind of applications so these things comes with practice and uh you know what if you go back to the topic that we are discussing whenever you create application on a virtual machine to ask access this application from the internet you need two things one is the IP address of this virtual machine of course if it's a public IP address only you can access it from the internet if it's a private IP address you can access only within your network let's say this is a public IP address so to access this particular application if this application has Port 9191 so you will say 172 do 16 sorry public IP address let's say 3. 4. 5. 8 colum 991 91 now if this application has Port uh 5162 so you will access using 5162 so what is a Port Port is a unique number for your application in an instance there can be hundreds of application and using Port you can distinguish the request has to go to which particular application let's quickly recap what we have learned as part of episode one in episode one we learned about IP address what exactly is a subnet what are the different types of subnets we learned about cidr how to read write and perform calculations on cidr blocks if you are not aware of this networking Basics I'll highly recommend you to watch episode one and the link to episode one is in the description now let move towards the Whiteboard and start understanding the concept for today that is OSI model we all interact with servers on a day-to-day basis let's take a simple example let's say I open my laptop open one of my favorite browsers and search for google.com within a fraction of seconds I receive a response back which is nothing but Google homepage a HTML page basically but how does this thing happen how is my request from my personal laptop sent over the internet to one of these Google servers and how is the response received back to my personal 
laptop what are the different components that are involved and what are the different layers in which the Journey of data takes place I'm calling it as journey of data because whatever you are trying to request and whatever you are trying to send is all data so OSI model is one of the popular models that helps you understand the Journey of data across the internet what are the different layers that are involved and OSI model explains this entire thing in seven layers layer 7 to layer 1 sometimes it can be layer 1 to layer seven if you are at the receiving end of the data but what exactly each of these layers do what happens to my data in each of these layers when I say layer seven layer 6 layer five layer 4 layer 3 2 and 1 what what each of these layers actually do how my data gets transformed in each of these layers and finally how does it reach one of these Google servers let's try to understand the same thing in today's video we will use the same example that is request to google.com and let's try to understand the complete workflow here before we understand the Journey of data that is even before your browser initiates a request to the Google server there are two things that happens that is even before the OSI model comes into picture they are number one is DNS resolution it is also good to understand these Concepts before you understand the OSI model and what each and every layer does because this is also part of the entire workflow that you are trying to learn the networking Concepts DNS resolution and the second thing that happens is the TCP handshake now why these things happens even before your request is initiated right even before the request starts or even before the request is sent why these things happens because let's say you are searching for or you are trying to make a request to https www.google.com first of all what your r router that is your home router or your browser tries to do is they will try to verify if www.google.com is mapped to any 
particular IP address so there is a system called DNS which is nothing but domain naming service you can understand it as a simple database right just try to understand it as simple database where records are maintained right if I have to explain this in a very simple way just try to understand that every router has this information which is records of domain name mapping with IP address right so when you are saying www.google.com in this domain naming service there is an IP address against the google.com domain name now when you search for this www.google.com router verifies this initially in the local cache right just like your laptop has a local cache or you know you have uh the local memory similarly your router initially searches this for in the uh local cache where previously if your router has made a request to this particular website it might have maintained it record its records in the local cache if this information is not available in the local gache then it goes to your internet service provider and verifies this particular mapping if there is any mapping for the domain name in your internet service providers DNS every internet service provider maintains a DNS where the complete records are available right so google.com is usually mapped to the IP address 8.8.8.8 so if this mapping happens if this domain that you're trying to reach is actually valid only then you will move to the second stage why this needs to be performed because let's say I'm trying to access something like the www. 
abishek vera.com. Now this is something that does not even exist; I did not create this domain, I did not map it to a particular IP address. Now what's the point of starting this entire data journey? Sometimes you might be uploading some 10 GB file or you might be sending a huge amount of data. If the DNS itself is not resolved, what's the point of even starting the data journey, or what's the point of even initiating the request? Why should your browser or router initiate a request? So this is the first step that happens: DNS resolution.

If the DNS resolution happens, then comes your second stage, which is nothing but the TCP handshake. Now what is the TCP handshake? Again, it's a very simple concept. Let's say this is your laptop and this is the Google server. Now you are trying to send a request to it; you are ready to send a request, but is the server that you're trying to send to ready to accept your request? What if it denies your request even after you send this entire thing? What if you cannot make a handshake with it? A handshake is nothing but you just trying to say hi, and it saying hi, I'm okay to accept your request. So there is a TCP handshake, which is usually called a three-way handshake, that gets performed even before your request initiation, or even before your OSI model comes into the picture. Now how is this three-way handshake performed? When you say www.google.com, what your router or browser try to do is initially send a hi to the server. Let's say this is your laptop and this is your server. Initially the router tries to send a hi; in networking terminology we call it SYN. If this server is ready to accept, if it says okay, I'm good, then it says hi, which in networking terminology is SYN acknowledged (SYN-ACK), and finally your laptop says acknowledged (ACK). So this happens in three steps; that's why we call it a three-way handshake. Now you might ask me, but abishek, why can't it be very simple, as in you say SYN and it says SYN
acknowledged and it's done? That's a very detailed explanation, so let's not go into it, but if you are interested there is also something called a two-way handshake and there's also something called a four-way handshake. If you are interested you can go through these things; you can read about the difference between the two-way, three-way and four-way handshake. Three-way is the most popular and is the one mostly used, so that's why I'm talking about the three-way handshake, but you can also read about these things. So these are the two you can consider as prerequisites even before your data request initiation takes place: one is DNS resolution, two is the TCP handshake. Now that you understand both of these concepts, that is if DNS resolution is done and the TCP handshake is also done, then your data request initiation starts. Now let's try to understand that in terms of the OSI model. I hope you understood why I explained this even before the OSI model, because when you are learning networking it's important to understand the end-to-end part of it.

Now to start with the OSI model, let's take the same example. When you search https://www.google.com, and I'm assuming DNS resolution is successful and the TCP handshake is successful, what happens after that is at your browser. Understand this carefully: your browser initiates an HTTP or HTTPS request to the server, that is this one. So you are searching for google.com in the browser, so your browser is initiating a request. Now it did not send the request, but the initial process has started. When the initial process has started, it says use an HTTP-based request. Why? Because you have asked for it. Let's say you're asking for FTP; then your browser initiates an FTP-based request. So this particular stage is called layer 7, which is the initial stage, and is also called the application layer. In this particular layer you can pass some headers, and you can also provide information for the authentication or whatever is
required, but this happens in layer 7.

Then, once your browser has initiated the HTTP request, if I go back to this particular thing, once the request is initiated, what should be the next step? If you think about it, the next step should be data encryption, because in the entire process from your laptop to the server, data goes through multiple routers. I'll talk about what these routers are, but basically data first goes to your home router, then it goes to your internet service provider, from them it goes to a different router, another router, and finally it goes to the Google server. So if your data is encrypted, then even if someone tries to hack your data, they don't understand what exactly it is, and that's where we use HTTPS. So when you use HTTPS, the next step that has to happen after the HTTP request initiation is data encryption, which is also called data formatting, and this layer in the OSI model is called layer 6, which is also called the presentation layer. Now all of these layers are virtual, just for you to understand; the OSI model is just trying to explain to you that okay, this is the first step that happens, this is the second step that happens.

Once the HTTP request is made and the data is encrypted, what should be the next step? The next step should be that your browser creates a session. What exactly is this? It's very simple. Let's say today you go to facebook.com and probably search for facebook.com/abishekvamala; 20 minutes later you take a different tab, or probably a different window as well, and search for facebook.com/Raju or John. Your browser will not ask you to authenticate one more time. Initially, when you search for facebook.com/abisheka, it will ask you to log into Facebook, but even after 20 minutes, if you search for /j or /xyz, facebook.com does not ask you to authenticate because there is a session that is maintained. And this session is very, very important, because sometimes, let's take the example of your banking
transaction. Initially you log in to your bank and probably you try to send someone some amount, or you try to make a transaction. What if your session gets disconnected in one minute? You just have one minute: you complete your transaction, or you make a transaction and you want to make one more transaction. Unless you log out, your bank server should not ask you to log in one more time, and that happens only if your browser creates a session. We all use sessions on a day-to-day basis; whether you're using Instagram, Facebook or anything, there are sessions that are maintained. So once the HTTP request is initiated, the second thing that happens is encryption, which is nothing but data formatting in the presentation layer, and then a session is created between you and the server so that the server does not ask you to authenticate multiple times, and this particular thing is called the session layer.

One interesting thing about all these three layers, layer 7, layer 6 and layer 5, is that all three of these layers are maintained by your browser; all these three layers happen at your browser level. What does that mean? Let's say you're using Chrome or you're using Firefox or any particular browser; layer 7, layer 6 and layer 5 are taken care of by those browsers themselves. Your browser initiates a request, then your browser, depending upon HTTPS and what kind of certificates you're providing, takes care of encryption, and your browser alone takes care of the session. If you want an example, just go to your browser, go to your browser settings and try to clear cache as well as cookies, and then try to authenticate with facebook.com. Let's say you authenticated to facebook.com; 2 minutes later, if you delete the cookies and cache, it will ask you to authenticate one more time because you have deleted the session. The session is basically stored in cookies and cache. So layers 7, 6 and 5 are taken care of by your browser itself. We did not even
come to the router part. If this is my laptop and this is my server, the laptop is connected to my home router; till now, whatever I discussed is happening in the browser itself. My request did not even reach this particular browser, if I'm talking about only layers 6, 5 and 4.

Now the next thing that happens, once the session is also created, is to transmit the data. If we are taking this example, in some cases the data being transmitted can be of 10 GB as well; probably you are trying to upload a movie or you are trying to do something. So if you are trying to send data all at once, if you're trying to upload 10 GB at once, or even simple things such as a request to google.com, what usually happens is your data is segmented: that is, the data that you are trying to send or the data that you are trying to receive is segmented and split into parts. This particular thing is called segmentation, and this happens in layer 4. Along with the segmentation, in this particular layer the protocol is also defined, whether you want to use TCP or UDP. There are only two protocols that are widely used, TCP as well as UDP, and in layer 4, once all of these things happen, data segmentation takes place and the particular protocol is also identified. How is the protocol identified? Mostly these are standardized. Let's say if you're using HTTP, the protocol is TCP; if you're using something like DNS or something else, the protocol is UDP. So these protocols are standardized, and if you are using HTTP, TCP is the protocol that is used to transmit the data from here on; that is, the segments of data that got split are transmitted using the TCP protocol. This layer is called the transport layer.

Now once the data segmentation is also done, it's time to send the data, and to send the data the first thing that happens is the data that is sent is received by your router, and what your router does is
do two particular things to the segmented data. Let's say you want to travel from Delhi to Mumbai. Here you know what your destination is; you know that you want to travel from Delhi to Mumbai. The second thing is, what is the shortest path? Probably you can travel from Delhi to Mumbai in 20 different ways, but you will only pick the shortest path. Similarly, even in this example, for data from your personal laptop to google.com, that is from India to the US, there will be multiple hops for your data; that is, there are multiple routers that are involved, probably your home router, then your internet service provider, from your internet service provider to etc. etc. XYZ, and finally it reaches the Google server. So which routers or which hops should your data take to reach the Google server in the fastest way? To understand that, what we will do in layer 3 is add the source IP address as well as the destination IP address to each segment, and here, once you add the source IP address and the destination IP address, we call this data packets. So packets have clear information about how to travel and which path to take. And who takes this decision? This decision is taken by your router, and this layer is called the networking layer. Just take this example of Delhi to Mumbai: if you have to travel, you need to know what your source is and what your destination is; if you want to send 100 people from Delhi to Mumbai, you will tell each and every person that okay, this is the path that you have to take. Similarly, in layer 3 your router comes into the picture and your router tells each and every packet that okay, this is the source, this is the destination IP address, and you need to travel through these hops. This layer is called the network layer.

Then comes your layer 2. In layer 2, now your router has received the information, but if you understand it carefully, usually these routers are connected to switches. Even if you look at
your home network, your router is connected to an Ethernet port, and from the Ethernet port your router is connected to the cables. So if you're talking about these Ethernet ports or if you're talking about these switches, data has to be sent at some time or other to these Ethernet ports or to the switches. At this point, when the data has to be sent to the Ethernet ports, the data has to be transformed from packets to frames, depending upon the medium that you're using: if you're using a router, the data is converted into packets, then if you're using these switches, the data is converted into frames. In these frames, along with the IP address that you have provided, MAC information is also added, which is nothing but information that tells these switches what the other components within your network are. So here MAC components are also added. Now you might be thinking, but why can't I use packets? Because your medium has changed: from the router this request is being sent to switches, and switches only understand how data can be transmitted in frames. So this layer is called the data link layer.

Finally you have layer 1. Your data at the end of the day, or your routers and switches at the end of the day, are connected to optical cables, and guess what language these optical cables understand? The language these optical cables understand is electronic signals. So here your data is transmitted as electronic signals, and using optical cables data is transmitted very fast. This is how your data is transformed.

If I have to explain this in one single slide one more time: you have layer 7, layer 6, layer 5, layer 4, 3, 2 and 1. So take your personal laptop, and this is your Google server, for example. Now when you initiate a request to www.google.com, initially the process starts with layer 7, where first of all it defines what the type of request is. Mostly we use HTTP-type
requests, so HTTP or HTTPS. Now once it identifies that okay, I have to initiate an HTTP-based request, the second thing that it does, in layer 6, is encrypt the data. Once the data is also encrypted, the next thing that happens is to create a session with the server. Now once the session is created with the server, because data has to be transmitted within a fraction of a second, segmentation of data is important, and that happens in layer 4, and here along with the segmentation the protocol is also identified depending upon the request that you are making; if it is HTTP, a TCP request is most widely used. Once the segmentation is also done, now the data is divided into small parts. After that, data reaches your routers, and within the routers the path to transmit the data is identified, because in this layer we add the IP address for each and every segment, and here we call them packets. Once packets are also created, then the next thing is from the routers you will move towards the switches, and here data is converted into frames, where you add the MAC address of each and every component that is there; you add the MAC address so that within the network this switch can understand what the other components are to transmit the data. And finally layer 1 is the physical layer, where these switches are connected to optical cables, and here the data is converted to electric signals, or electronic, whatever you would like to call it. So when you initiated the request from layer 7, layer 6, 5, 4, 3, 2, 1, what happened? From your laptop it went to your router, from the router it went to the switch, and it connected to the cable. Now it goes through multiple hops over the internet and finally it will reach one of these Google servers: from layer 1, which is let's say one of the cables, then it is connected to other routers, another switch and again a cable, and this entire thing happens and the data is transmitted and finally it reaches one of these Google servers.

Now understand
carefully what happens here. When this data is received by one of these Google servers, again the OSI model comes into the picture. Initially data is received by one of these Google physical servers; one of these Google physical servers is connected to an optical cable, so L1. From there it will go to one of the switchboards, then it identifies which router to use. From there the data which you have been using as packets, whether it's TCP or UDP, let's say we are using the TCP protocol, so here the TCP data is taken into place. From there, once you have the TCP data, the session is validated, after that decryption takes place, and from there it will go to one of Google's applications, and this Google application will say hey, okay, this is your request, so let me give you an HTML page as a response. Here this application is a microservice or any particular monolith application which has the source code, and it understands, depending upon your request, okay, I want to generate an HTML page. Now again this HTML page is sent back to your personal laptop and the same thing happens: before it reaches your personal laptop, your router is connected to a physical cable, so it has to move from L1, L2, L3, L4, 5, 6 and finally reach your particular laptop. So this is the entire OSI model. Basically, when you are sending the request, data is transmitted through the L7 to L1 layers; when you are at the receiving end, data is received from layer 1 to layer 7. These are not physical layers; these are just a way of explaining the OSI model for you to understand the data transmission in a better way. The OSI model explains it in this particular way. Of course the OSI model is not the latest model; there are models like the TCP/IP model, which is again based on the OSI model, but the thing is in the TCP/IP model L7, L6, L5 are combined because more or less these are performed by the same component, that is your browser. So L7,
L6 and L5 are combined and called a single layer in the TCP/IP model. So why do people usually prefer the OSI model? Because this is a standard, and if you understand this standard you typically understand the entire transmission of data; whether it's the TCP/IP model or any new model, they are all based on the OSI model. So don't get confused if you see the TCP/IP model; it's exactly the same, the only difference is L7, L6 and L5 are combined and usually they are called one single layer in the TCP/IP model.

So this is the video for today. How is this OSI model helpful for DevOps engineers? I will tell you that it is not a complete must-have thing; this knowledge is kind of a good-to-have thing. I'll tell you the reason why: because these days all of these things are standardized and this entire thing is completely automated. You won't see anyone using Wireshark these days unless you are working in a core networking company, and probably if you're dealing with layer 3, layer 2, or if you are involved in any sort of networking company, only then do you see people using these kinds of things, Wireshark or any tools to decrypt the packets and understand these things. But if you have a high-level knowledge of the OSI model, that is more than enough. You don't have to deep dive and try to understand what the different protocols in layer 3 are; you don't have to understand what the different types of techniques available in layer 2 are, because this is an ocean, and whatever I taught in this particular video is more than enough if you are trying to understand networking as a DevOps engineer.

So in today's class let's learn what virtual private cloud is. Let's understand why you need a virtual private cloud, what the different components of a virtual private cloud are, and also how they interact with each other. And finally, there is a fear amongst a lot of people that virtual private cloud is a difficult topic. You might say that yes,
abishek, we have that concern because VPC involves a lot of networking, there are multiple components, and it's difficult to understand why and how each of these components is interacting and what purpose they are solving. So don't worry if you have any such fear, or even if you are completely new to networking and VPC; after today's video you, along with me, will say that virtual private cloud is an easy concept and I understand this concept end to end. We will do practicals as well, but the practical will not be in today's video, because it is very, very important to have strong foundational knowledge on VPC. So in today's video I will try to add that foundational knowledge on VPC for you, in tomorrow's video we will deep dive into a slightly more complicated topic of VPC that is related to security, and in the day-after video we will try to do a practical video: deploy an application inside a VPC and explore the complete flow of VPC. So that will be the entire thing.

But how will I make this concept easy for you, you might ask me. What I'll do is take a real-life scenario. We will take a very real-life scenario that all of us understand, and we will use the same real-life scenario to understand the concept of VPC. This real-life scenario has nothing to do with AWS, but still I will correlate it and make this concept very, very easy for you along the lines of AWS. So let's quickly start the video and understand virtual private cloud.

To start with the example, the scenario that I was talking about: let's say that there is a huge land. Let's call this a village. So we have a village and there are a lot of people in this village, but there is a specific set of lazy people in this village. These lazy people are lazy enough that they can't construct their own houses. Why can't they construct their own houses? Because they don't want to maintain their houses, they don't want to manage their houses, and also they don't want to go through all the construction process and
everything related to their houses. So these people are actually looking for someone, and at the same time there is one wise person in this village. Let's say that this wise person is called ABC. So there is a wise person called ABC in the village, and what he has done is he saw this opportunity in the lazy people and he said, okay, let me grab this opportunity and make money out of it. So what this wise person ABC has done is he went to this village and he acquired a huge land in this village. He acquired this entire land in this village and he said, okay, hey lazy people, what I'm going to do is construct the houses for you, but for that you have to send me a request with your entire requirements, like what resources you require in this house, what capacity you require in this house; fill in all the details and give them to me, and in return I'll give you a house and I'll take money from you. So this person has started the process, and what this ABC, the wise person, has done is he has constructed this house on the land that he has acquired. He purchased this entire land and he constructed a house and he said, I'll maintain this house for you. So this person felt happy about it, and then seeing this, another person also approached, and he constructed a house for the other person as well. In future there is one more person and he constructed a house for that one more person. So it is going well, and all of these people's problem is solved: they don't want to maintain the entire construction and maintenance, and this wise person ABC is taking care of it, and they are all happy.

But there is another bunch of people. They saw this and they were happy about it, but they realized that there is some kind of security issue here, there is some kind of privacy breach. That means, for the purpose of saving a lot of money, what this
person has done is he has constructed the houses, but they are very close together, and there is some kind of security breach: anyone who accesses this house can hack or access the other house, and can also access the other house. So that way there is some kind of security breach happening here. These people said, okay, we are also looking for houses from you, but we want it in a much better way, not in this way where if one of these houses is compromised the other houses are also compromised. So this person, so as not to lose the business, and because he wants to construct more and more of these things, said, okay, give me some time, and he came back with a new concept called secure land. What he said is, okay, I have this entire property, but if you come as a group, if you want group housing or something, what I can do is build a secure property for you people. So inside this entire land, what this person ABC has done is he has built a secure property for these people. For this secure property, what he said is that only people who have access to the secure property can enter; he said, I'll construct a gate here which will act as a gateway. So this gate will act as a gateway, and only these people, or these people's relatives, or people who know these people can enter this secure property. So what happens is, let's say someone wants to meet this person, and this person has one property here, the other person has one property here, and this person has a property here. Now there is one of the relatives of this person; let's call this person A. Now the relative of A wants to meet this person. What the secure property does is, this person can definitely meet him, but he first has to pass through this gate. There can be a security guard or someone who will guard this property, and once he enters this, this is a property that all of these people own. So the secure property, this
is all the public thing where everybody owns this. But if this person, this XYZ person, let's say he wants to go and meet this person called A, now he needs to understand how to go to this property. Because I'm drawing this picture, you know how to go from here to here, but eventually to go from here to here there has to be another guide here. So this guide basically explains, okay, move from here to here and finally you'll reach the person A. Again, once you reach this person A, there will be another security guard, or there will be some kind of person here who will validate: okay, is this the right person? You entered the gateway, you moved into the secure property, but again, do you want to meet A, do you want to meet B, do you want to meet C? So if you are a valid person who wants to meet A, then only will I accept your request to meet the person A. This way, what this ABC, the wise person, has done is he has solved the problem of the security breach and solved the problem of security, and now everybody is enjoying the secure property. Looking at these people, there is another bunch of people who came to him, and he has built another secure property, another secure property, another secure property; this way he started making his business.

Now why did I explain this story to you people? You might be thinking, has abishek gone mad, why is he saying all of these things, and how is it going to be related to AWS? Now let's try to relate the same thing to AWS. In the last class I showed you how to create an EC2 instance, how to deploy an application and how to access that application. So now let's go to the same scenario where there is this big region; let's call this region Mumbai or Ohio or whatever you would like. What happened was there are people, there are companies; let's say this company is example.com, this company is example1.com, then there is another company called example2.com. These people initially were maintaining their own data
centers, but it was becoming too hectic for them, so they said, okay, if there is someone who is going to help us with this data center we will offboard that to them. Or there is a new startup; they said, okay, we can't afford to build a new data center, we can't afford to maintain it, we are also looking for someone. So AWS saw this opportunity. In this case who is the wise person? AWS is the wise person. What AWS said is, hey, okay, what I can do is, inside this region, let's say there is a region called Mumbai or Ohio, or throughout the world, what AWS did is AWS started building their own data centers. In the previous example that person, the wise person, acquired a lot of land; here what AWS did is AWS started purchasing or building their own data centers. So AWS built this entire data center in the Mumbai region for example, or the Ohio region, or Frankfurt, anywhere; AWS started building their own data centers. Now what AWS said is, hey lazy companies, or hey startup, hey example one, example two, example three, we can host your applications inside our data centers, or you can request us saying, hey, I want one virtual machine, I want 10 virtual machines, I want 20 virtual machines, and we will take your request; you give me money and I will create the instances for you. So this was going on, this exact same thing that we did previously, and this was going very fine, where example.com requested and AWS did it. So this is the story of 2013, 2014. During this time, what AWS did is, if example.com is requesting 10 EC2 instances, it went to the data center in the Mumbai region or whichever region it requested and created 10 EC2 instances. Again, inside the data centers there will be multiple physical servers; let's say this is a physical server and example.com requested 2 EC2 instances, so it gave 2 EC2 instances inside this server, let's call it server one. Then there is example two, and what AWS did is again it created
the request of example two in server one only. Then there is example three, and what AWS did is again it went here and created the server; let's say it requested one server, and it created it in server one only. Here what I'm talking about is virtual machine one, virtual machine two, and two virtual machines. So this is fine, all of this problem is solved, and AWS is also giving them virtual machines inside the data center. Inside the data center, like I told you, there can be multiple servers; AWS chose one server and solved all of their problem. But what happened is, let's say, and this is a theory of what can happen, in this case if there is a hacker, and let's say this is the startup, if there is a hacker here, because they were not maintaining proper security, he entered into this server, he tried to make some false request to this application inside the virtual machine, and he was able to hack this particular server. Now because all of them are in the same physical server inside the AWS data center, the hacker can easily come here, the hacker can easily come here, the hacker can easily come here, and he can hack the entire thing. So just because of example three, or just because of the startup, what happened is all of the servers are hacked, because AWS was creating all the instances in the same server. It can also create them in different servers, but what happens if it creates them in the same server? So till 2013, 2014 this was happening.

So to solve this problem, like I told you even in the previous example to solve the security breach, what AWS said is, okay, we will come up with a new concept. In that case it was the secure community; in AWS terms it is called VPC. So what AWS said is, we will build a VPC for you, or the other way around: in the previous case the builder will build the entire secure community and give it to you, but in AWS terms, AWS will give you documentation, AWS will
give you examples. Who is the one who builds this entire VPC and maintains the VPC? It is DevOps or AWS DevOps engineers. So AWS DevOps engineers, looking at the documentation of AWS, will go to the AWS portal, request the VPC, and configure everything inside the VPC. Now let's see what is inside the VPC using the same example itself. In the same example that I told you, I'll try to convert that into an AWS example. So this is the AWS data center again. Let's take the example of one company here; let's say there is TCS, and inside TCS there is one project, and this project is owned by a DevOps engineer. What this DevOps engineer does is he will go to AWS, let's say there is a region called Mumbai; he'll go to AWS and say, hey AWS, give me a VPC. Now how do you define the size of a VPC? In the previous case, because it was land, you can define the size of land in some acres or in some hectares or something, but how do you define the size of a VPC? For defining the size of a VPC there is something called an IP address range. So what is this IP address range? Whenever a DevOps engineer creates a VPC, what AWS asks is, what is the IP address range? If you say for example the IP address range is 172.16.0.0/16, that means AWS will allocate 255 into 255. Now don't worry about this calculation, what abishek is calculating and what is happening here; you will understand this in future. For now understand that AWS will give you 6536 IP addresses. So how do you define the size of a VPC? You can define the size of a VPC using the IP address ranges. So the DevOps engineer will say, hey, for our project in TCS I need this particular IP address range for the VPC, which means I need 6536 IP addresses, so technically you can assign these IP addresses to 6536 applications, instances, whatever you would like to call them. So this many IP addresses can be allocated using the VPC. But what the DevOps engineer will do is, a VPC can be one project,
but inside the project there will be multiple sub projects right so there can be one project related to payments one project related to transactions one project related to XYZ so what this devops engineer will do is for One internal project let's say there is one internal project here there is one internal project here one internal project here so this devops engineer will split the IP address ranges right so what he will say is okay for this particular uh sub project this particular sub project and this particular sub projects divide the IP addresses so here he'll say 17216 1.024 2.0 sl24 3.04 so this particular thing will get some 255 IP addresses this particular thing will get some 255 and this particular will get some 255 okay now again don't worry about the calculation how abishek is calculating and all that is irrelevant to this discussion for now just understand that for TCS there will be internal projects and depending upon the internal projects this devops engineer will split saying that okay even the VPC might have one IP address range but I will split them to three different IP address ranges for three projects and this particular concept is called subnet okay the name itself says that it is sub Network right so it is subnet what you are doing here the VPC is created with a particular IP address range you are splitting the IP address for your sub projects devops engineer is splitting this for the sub projects calling it subnet and inside this sub project let's say this sub project has only one application so you deploy an E2 instance and you deploy that application here there can be two instances here can be three instances depending upon the sub project it is up to the sub project development leads how many applications do they want to deploy inside a subnet they will they will contact devops engineer as well but for now let's say this is the configuration so there is sub project sub project sub project one application two application three applications 
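To make the IP address range arithmetic concrete, here is an added Python example (not code from the video or from AWS) that sizes the VPC block the speaker uses, 172.16.0.0/16, carves it into /24 subnets for the sub-projects, and checks that a hand-written subnet plan stays inside the VPC without overlapping. It works for any prefix length, which is the same arithmetic the AWS console applies when it reports 65,536 addresses for a /16 and 256 for a /24. The project names are constructed; the five-address reservation per subnet is standard AWS behaviour.

```python
"""Size a VPC CIDR and carve it into per-project subnets.

Added example, not code from the video. It uses the speaker's blocks
(172.16.0.0/16 split into /24 subnets); the project names are constructed.
"""
from ipaddress import IPv4Network
from itertools import islice

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast), so the usable
# count is always the total minus five.
AWS_RESERVED_PER_SUBNET = 5


def vpc_size(cidr: str) -> int:
    """Total addresses in a CIDR block: 2 ** (32 - prefix length).
    A /16 gives 65,536, a /24 gives 256."""
    return IPv4Network(cidr).num_addresses


def usable_hosts(cidr: str) -> int:
    """Addresses left for EC2 instances after the AWS-reserved five."""
    return vpc_size(cidr) - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr: str, new_prefix: int, projects: list) -> dict:
    """Hand each sub-project one subnet of the requested prefix length,
    walking the VPC range from the start (172.16.0.0/24, 172.16.1.0/24, ...).
    Raises if the subnet prefix is not longer than the VPC prefix, or if the
    VPC does not hold enough subnets for every project."""
    vpc = IPv4Network(vpc_cidr)
    if new_prefix <= vpc.prefixlen:
        raise ValueError(f"/{new_prefix} is not smaller than the VPC block {vpc}")
    blocks = list(islice(vpc.subnets(new_prefix=new_prefix), len(projects)))
    if len(blocks) < len(projects):
        raise ValueError(f"{vpc} holds only {len(blocks)} /{new_prefix} subnets")
    return {name: str(block) for name, block in zip(projects, blocks)}


def validate_plan(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Check a hand-written subnet plan: every subnet must sit inside the VPC
    block and no two subnets may overlap. Returns the list of problems found
    (an empty list means the plan is sound)."""
    vpc = IPv4Network(vpc_cidr)
    nets = [IPv4Network(c) for c in subnet_cidrs]
    problems = []
    for net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is outside {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    vpc = "172.16.0.0/16"
    print(f"{vpc} -> {vpc_size(vpc)} addresses")
    plan = carve_subnets(vpc, 24, ["payments", "transactions", "xyz"])
    for project, block in plan.items():
        print(f"{project:12} {block}  ({usable_hosts(block)} usable)")
    # The speaker's own numbering starts at 172.16.1.0/24; check it as a plan.
    print(validate_plan(vpc, ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]))
```

`validate_plan` is the check worth running before a subnet is created: a block outside the VPC range is rejected by AWS anyway, but two overlapping blocks inside the range are a planning mistake that is tedious to undo once instances are attached.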
So now what the DevOps engineer will do after this, once he creates the subnets and all: now, like we discussed in the previous example, he will create a gateway, right? Why is this gateway required? If there is no gateway, nobody can access this particular VPC, right? So without a gate nobody can enter the gated community or the secure community; similarly, without this gate nobody can access or enter this entire property itself. Let's say there is a relative in the previous case; here let's say there is a customer who wants to access the application in this EC2 instance, there is a customer who wants to access the application in this EC2 instance; so he has to definitely come through this gateway itself to the VPC. So firstly there will be a gateway, and what this gateway will do is, a gateway is just like a pass for someone to enter this VPC. Now once they enter, what will happen? Like I told you, this is one subnet, this is one subnet and this is one subnet, but this is all free space, right, inside the VPC. These are the subnets which we call private subnets, because they don't have access to the internet. But then there is something called a public subnet, right? So what is a public subnet? A public subnet is the one that a user first accesses inside the VPC. So how does the public subnet connect to the user, or how does the public subnet connect to the internet? Basically it is using the internet gateway. So this particular thing, this particular gateway here, we call it an internal gateway, sorry, internet gateway; through the internet gateway there is a public subnet from which the user enters this, okay? Once the user enters, basically, let's say there is a load balancer here, okay? What is a load balancer? A load balancer is the one that forwards the request depending upon the load. For example, there is this application, and the user from the internet wants to access this application; now how will the request from this public subnet, from the load balancer, go to this application, right? So
there has to be a particular path. So for this public subnet what you will do is you will create something called a router; in AWS terminology you will call it a route table. So you will create a route table, and this route table defines how the request should go to the application, right? So you have a load balancer; the load balancer can send the request depending upon the target group. We will discuss the load balancer in detail later, but for now just understand that there is an internet gateway; from the internet gateway there is a public subnet; from the public subnet the request goes to the load balancer; the load balancer is assigned to the public subnet, and for the load balancer what you will do is you will create a target group of this application, okay? So now what happens is, if the request from the load balancer has to go to the subnet, the load balancer does not know how to go to this particular thing, so what you'll do is, for the subnet you will create something called a route table, okay? So this route table defines and tells the load balancer: okay, go through this particular path so that you'll reach me. And once the request from the internet has now reached here, still at the EC2 instance, like I told you in the previous example, there can be a security guard here who can block your request; similarly, for the EC2 instance there can be something called a security group, okay? So there will be something called a security group, where this security group can say: okay, on which port do you want to access me, or from which IP address are you coming, what is your IP address? Then the security group can say, okay, only if it is coming from this particular IP address in the internet, only if you're trying to access me on a particular IP address, then I will allow the access, and that way you will finally reach your application, okay? So what is happening on the whole? If someone from the internet is trying to access an application in the private subnet here, first of all the request has to go through the internet gateway; once it reaches the internet gateway it will go to the public subnet in the VPC, right? What is a public subnet? It's a common subnet across the VPC. Once it goes to the public subnet, there is a load balancer here, right? What is the load balancer doing? The load balancer is attached to the public subnet and the load balancer has a target group, so when the request goes to the load balancer, the load balancer is the one that takes the request to the private subnet and to the application, right? So to reach, I mean, for the load balancer to understand how to go to this application: the subnet is here, but what is the route path for the subnet? So there is something called a route table, right? The route table is the one which defines the path; once the path is defined it can go here, but still there is something that can block it, that is called a security group; once the security group also allows you, your request has finally reached. Now let's try to write these things, okay, so that you understand what exactly has happened. First of all, from the internet, right, so let's say this is the internet, there is a person in the internet here, he is using a laptop, and what he is trying to do is, let's say, access an application which is called, for example, example.com, or, okay, let's leave the domain and let's say he is trying to reach something called 172.16.3.1/something, okay? In general he'll not use the private IP address, he will use the load balancer IP address to reach there, but for your understanding let's say he's trying to reach one application in the private subnet, okay? So to reach, what I have told you first is there is a DevOps engineer who has created a VPC, right? Inside the VPC what is there? Here there is basically an internet gateway, okay, so let's say this is the internet gateway, and then inside this VPC, right, if you call this entire thing the VPC, which has a basic IP address block or the IP address range, this entire thing has an IP address range; inside this, what he has done is for project A he has created a subnet, project B has created a subnet, and project C has created a subnet. Again, what is a subnet? This is the entire IP address range, so for each project you can divide the IP address range; if this IP address range is 172.16.0.0/16, this can be 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24; that way you can split. Now let's say there is one application inside the subnet, one EC2 instance, and the end goal is to reach from here, from the internet, which is completely outside of the VPC, you want to reach from here to here, okay? So what is the process? Firstly it will come here, it will see that there is an internet gateway here, it will pass through the internet gateway, and once you pass through the internet gateway, like I told you, there is a public subnet here, okay? What is a public subnet? A public subnet is the one that can be accessed by the public outside the VPC, but they have to pass through the internet gateway. Once they pass through the internet gateway, in the public subnet there is something called a load balancer; in the AWS world you will call it an elastic load balancer, okay? So you have an elastic load balancer; it can be an application load balancer or a network load balancer, we'll talk about that later. Now you have an elastic load balancer here, so what this elastic load balancer does is: your request from the external world has reached the elastic load balancer; from the elastic load balancer now it has to go here, but how will the load balancer understand that it has to go here? This is a private subnet, right? But for the elastic load balancer, or for the load balancer, to send your request to the private subnet there has to be a proper route, okay? So who will define this route? There is, like I told you, something called a route table, okay? Now you need to have a route table, and using this particular path your request has to flow, right? So what you will do is, for the elastic load balancer, one thing, you will attach the private subnet and you will attach the target group, okay? So what is a target group? You will understand when you learn more about the elastic load balancer, but for the load balancer to understand that the request has to go here, firstly you need to create something called a target group and you have to assign this instance to the target group, and at the same time the subnet should have the route so that the traffic is flowing here, okay? And here, like I told you, there is a security group which can block the request or accept the request. So this is the entire flow. What are the components that we talked about till now? One is the internet gateway, then we talked about the public subnet, then we talked about the load balancer, then we talked about route tables, which are basically routers in other terminology. So routers are the ones which forward a request; even from your home laptop, if you're trying to access a particular website there are routers, and there are multiple hops; using multiple hops different routers connect to each other and forward your request, and finally your request goes to a particular server. Even in AWS that's the same, but you call it a route table here. So you have the route table, that you understood, then you understood about security groups, right? So these are the critical components of a VPC. Additionally there are a few things which I'll cover very quickly, but in a future class, that is in tomorrow's
class, we will talk about them in detail. One is, let's say you have one security group here, you have another security group here, you have another security group here, okay, but within a subnet, okay, if you want to define the same security group for multiple applications, multiple EC2 instances, or you want to repeat the security group configuration, there is something called NACLs, okay? NACLs are basically automation for security groups, where instead of defining the same thing again and again you can define that as part of NACLs, okay? And finally there is one more concept that I will explain, and then I'll conclude today's class: that is the concept of NAT gateways. Now what is a NAT gateway? I'll try to explain in this scenario itself, instead of directly explaining you the example, and see the concept of the NAT gateway. Now the request from here has reached this application, which is well and good, but now what if, I mean, sorry, now what if this particular application here tries to access something from the internet, okay? Till now we talked about this workflow, right, the workflow flowing from here to here, but what if the application tries to access something from the internet, from google.com; let's say this application wants to download a package, which is quite common, right? You might want to download something to your server; so there is a server here and you want to download something from the internet. So what is the problem here? You might say that, okay, again it can use the public subnet and it can flow and it can access it. The only problem is that, okay, the request can flow; how the request will flow is a different challenge, we will discuss that, but the only thing is, when someone tries to access some resource from the internet, one of the critical things that you have to remember is, if this is in the private subnet, that means that there is some sort of security here, so it is a bad practice to expose your applications or to expose your server's IP address to the internet, okay? So whoever is receiving this in the internet, let's say you are trying to download something from xyz.com, okay, so xyz.com should not know the IP address of your server, or it should not know the IP address of your application, anything; sorry, it should not know the IP address of your private subnet's applications or the servers, the EC2 instances.

It is going to be both theory and practical, and theoretically and practically we will understand one of the most important concepts of VPC which adds additional security, that is security groups as well as NACLs, right? So this is what we are going to learn in detail today, both theoretically and practically, so please watch the video till the end so that even you can perform this activity; like, even you can take this as an assessment and you can try this at your end by watching this entire video, got it? So now, without wasting any time, let's quickly see what is this security group, what is this NACL and what exactly they are going to do within the VPC. So if we go back to yesterday's video very quickly, what I told you is, if you consider this as the VPC, right, let's say this is a virtual private cloud, and I have explained that, okay, in the world of the virtual private cloud the very first thing that you will do (this is a real-life example, right, how organizations use VPC as of today, this is the same thing) so initially you will have something called an internet gateway, right? So usually what happens is, within the VPC there will be a public subnet and there will be a private subnet, right? So what is a subnet? Basically I explained in the last class, when you create a VPC you will define what should be the IP range, or what should be the IP address range of your VPC. In similar terms you can consider it as how many IP addresses you want inside this VPC, right? So usually, let's say that when I create a VPC, if I say that the IP range has to be 10.1.0.0/16, then that technically means you will have within the VPC 65,536 IP addresses, okay? So this defines the size of the VPC, how big a VPC or how small a VPC. So when you have 65,536 VPC, sorry, IP addresses, that means technically you can use 65,536 application components within this VPC, okay? So let's not go into the detail of this, but just understand that when you create a VPC you define an IP address range, which defines what should be the size of your VPC. Now within that you can divide subnets. So subnets are basically like, within the VPC, if you have multiple projects, okay, so as a DevOps engineer you have created an AWS account, then you have created a VPC for one of the projects; within the project also there will be internal projects, right? So for each internal project, for a group of applications, you can define private subnets, okay? So these private subnets basically will not have access to the internet, that's why they are called private subnets, so by default these applications cannot be accessed from the internet. So that's where VPC comes into the picture, and what VPC does is, whenever, let's say this is a user, okay (I know that I'm taking time here, but this is very, very important for everyone to understand), when the user eventually wants to reach here, like, you know, the user wants to access an application here, what happens is the user firstly tries to go through this internet gateway, okay, and this is a public subnet where anyone can access this public subnet, okay? Saying that, you can add a few conditions here; through the internet gateway and through the API gateways you can add conditions and validate a few things: is this user a good user, bad user, hacker, or whatever it is; we will talk about that later. So through the internet gateway, initially what happens is, within this public subnet DevOps engineers usually place a load balancer, okay? So the load balancer can be directly accessed from the outside world, and what happens is this load balancer will talk to this private subnet, okay? So the load balancer is the one that
has access to the private subnet, and this user has access to the load balancer, and within the load balancer also you can do a lot of configurations; you can restrict traffic, you can say that, okay, etc., etc., and you can make this more secure with the load balancer as well. But today's topic is about once the load balancer forwards the request to the private subnet, okay? So there are two things: one is you can add additional security at the layer of the subnet, okay? For each subnet AWS says that, hey, you can add more security at the subnet level, okay? So if you add more security at the subnet level, what we will do is we will start using NACLs, whereas even if you bypass this, let's say you have not added anything at the subnet level, you can, as a DevOps engineer or the application owner, what you can do is you can add more security at the EC2 instance level, okay, the level where your application is actually deployed. So at the EC2 instance level, if you add security then we call it security groups. So using security groups you can add more security at the EC2 instance level, whereas if you want to add more security here at the subnet level then we will call, I mean, we will use NACLs, okay? Don't worry even if you haven't understood exactly what is happening here; when I deep dive and explain it further you will understand. But for now, here what I wanted to explain is, in AWS there are multiple layers where you can add security, because security is one of the key components for any organization: if they want to move to the public cloud, what they will first see is whether that public cloud is secure enough or not. You can talk about costing, you can talk about any level of things, but for any public cloud, tomorrow if there is a new public cloud, what you will first see is how secure this public cloud is, because you are going to put all of your applications in the public cloud, right? So if your organization is using AWS, it will have your organizational user details, you will have details like the database and everything hosted on AWS, so the first thing organizations look at is how secure AWS is, and that's where AWS says that, okay, we will do our part. So the fundamental thing that AWS says is: in AWS, security is a shared responsibility. Understand this sentence very keenly: in AWS security is always a shared responsibility. What does this mean? So AWS says that, okay, from our side we will try to add as much security as possible; like, we will tell you that you can use VPC, we will tell you that, hey, you can add security groups, you can add NACLs, you can add API Gateway, you can add a lot of security, but along with that we will need, that means AWS is saying, along with the things that we are adding we need the help of DevOps engineers or AWS admins, whoever it is, right? Most of the time AWS admins are also DevOps engineers these days, or network admins, system admins, whatever your company calls it. But AWS says that security should be a shared responsibility: we will do our part; as DevOps engineers, AWS admins or network admins you also have to do your part, and that's exactly where all of these components come into the picture: whether to add a load balancer for your organization, do you want to use the default load balancer or a different load balancer, do you want to use API Gateway or not, and how exactly you want to configure security groups and NACLs. In all of these things DevOps engineers play a very critical role. In today's topic we will debug and deep dive into security groups and NACLs, which come at the last point of security, right? Which come at the last point of security, but this is very critical, because if you are not taking the necessary actions at the last point then your application will be easily hacked, right? NACLs and security groups are very critical because of this very reason, that is, they act as the last point of security in your AWS account, just before the user request reaches the application, right? If this is the user and this is where the application is, it has to travel a long path, right? The request has to travel a long path within the VPC; it goes through multiple components, but when it reaches here, before this point, the last point of security is served by security groups and NACLs, okay? So that's why this is very important, and we will try to focus; I will explain to you what and when to use a security group and what and when to use NACLs. So firstly let's start with this concept, on understanding what is the primary difference between security groups and NACLs. So a security group basically serves at the instance level, okay? Now what do I mean by this? On day three, so whoever has followed our day three video, or in general what we have done on day three is, firstly we created an AWS account, right? In the AWS account, in the default VPC (like, whenever you create an AWS account itself, AWS will give you a default VPC; without a VPC AWS will not deal with anything; if you want to create custom VPCs you can do that, as we will do today, but by default AWS will give you a VPC) what we have noticed is we created an EC2 instance, and within this EC2 instance we tried to deploy a Jenkins application, and as a user we tried to access this Jenkins application. What happened? We were not able to access this application by default, because, as I showed you in that video, there was something that was blocking this one, right? So by default, as I told you, in AWS security is a shared responsibility, and by default what AWS says is: we will not allow anything to your instance directly, okay? So if you want to do that you need to configure your security group, okay? So if we want to configure anything at the instance level, that we do within the security group concept in AWS, and that's exactly where, to access the Jenkins application deployed in the EC2 instance, we have allowed port 8080, or you can also allow all traffic, okay? So this is where DevOps engineers and the application owners have to be very careful: instead of opening port 8080, let's say in your organization you have
opened some other port, let's say you have opened port 9,000, 10,000 and multiple other ports, and there was one hacker who was trying to access this, and they were luckily able to access these ports and they tried to hack something, okay? Or additionally, whenever you open ports that are not used, or you keep opening a lot of ports, then there can be some kind of unwanted traffic that can flow to your EC2 instance and reach the application. So AWS is doing the part of by default not accepting any traffic, whereas as a DevOps engineer you have to do your part by allowing only specific traffic into your EC2 instance and into your application; that thing is done by the security groups concept in AWS. I hope this is clear; if you still feel that this is not clear, when we do the practical you will understand: we will deploy a Python application and I'll show you the same thing again using the security groups. Now you might ask me, okay, this is a very easy topic. So it is an easy topic, but there are a few things to understand in the security group. So within the security group basically there are two things: one is there is inbound traffic and there is outbound traffic. What is inbound and what is outbound? Basically, when you deploy your application inside the EC2 instance, right, so if this is an EC2 instance and this is your application, there are two kinds of activities, right? What is the first activity? As a user, the user will try to access your application, and as an application, probably you will try to access google.com, or you will try to access something to get some kind of information, or you want to access some third-party application. So this traffic that is flowing into your application, okay, this is called inbound traffic, and this traffic which is flowing out of your application is called outbound traffic. For example, let's say this application that we are talking about is amazon.com; this is just a blunt example, okay? So the user, today I can be a user who will try to access amazon.com, and amazon.com probably can access any third-party application, for example Razorpay, or amazon.com can access another application like Amazon Pay. To access Amazon Pay, this request has to move out of this one, right, go out of your EC2 instance and access some other application, that is Amazon Pay, and the user will try to access the application. So this access where the user is trying to access amazon.com is called inbound traffic, whereas amazon.com trying to access Razorpay or Amazon Pay is called outbound traffic, okay? So as part of security groups you can manage both inbound traffic and you can manage outbound traffic, that is traffic coming into your EC2 instance and traffic going out of your EC2 instance. Again, like I told you, you should be very careful, because AWS by default, what it does, okay, by default when you create a security group, or by default when you create an EC2 instance, AWS will assign a default security group, because AWS will also take care of your security, right? So in this default security group what AWS says is: hey, what I'll do is by default I will allow all the outbound traffic, okay, all the outbound traffic I will allow; like, using your application you can access anything in the internet except for port 25. I will tell you why, there is a story behind this port 25, but except for port 25 I'll allow you all the outbound traffic. And what AWS says is, but anything that is coming inside, okay, anyone who is trying to access your application as inbound traffic, I will deny everything by default, okay? In the security groups what AWS is doing is, for the inbound traffic and for the outbound traffic, okay, for the inbound traffic what AWS is saying is: okay, I have a lot of restrictions here, I don't want to allow anything; if you want to allow anything then you can use the concept of security group inbound traffic rules and you can add the specific port number or the specific IP address where the traffic has to be accepted; but as part of outbound traffic I'll allow everything, and if you want to restrict, okay, or if you want to do any specific configuration, you can do it in the outbound traffic, okay? So this is the thing related to inbound and outbound traffic; we will see in the practical video how we can use this inbound traffic and outbound traffic. Now talking about the story of port 25: so what happens with port 25 is that, so in this story, AWS does not allow the outbound traffic by default on port 25 because port 25 is basically a mailing service, okay? So AWS does not want, you know, AWS does not want any kind of spam activity, or, you know, AWS does not want to record the IP address of this EC2 instance, or record the IP address where your application is hosted; so AWS by default blocks port 25, only outbound traffic, because there can be a lot of spamming activities or something like that, okay? So now let us see, if the security group is doing all of these things, now why do I need a NACL? First of all, what is a NACL, right? You might have this question: Abhishek, you have been talking about NACL, you keep saying NACL, NACL, what exactly is this NACL? So NACL basically stands for Network Access Control List, okay? So this is a very complicated name; that's why in the world of AWS people just call it NACL, okay? So NACL, network access control list, basically goes a level beyond, okay? So security groups are applied at the EC2 instance level, whereas the NACL is applied at the subnet level, okay? The NACL is applied at the subnet level. Now with NACLs DevOps engineers can play an even more critical role, because, let's say you gave an EC2 instance to development team one, and what this development team did is, you know, just to make their process quicker, what they have done is they have deployed a Jenkins application or any other application; they know that they should not allow all the traffic, but to make it easy what they have done is they just said that, okay, I'll have all the traffic inside my EC2 instance; instead they could have just opened port 8080, but what they've done is they said, okay, accept
everything, allow all the traffic to my EC2 instance, and allow from all the IP addresses in the world: it can be an IP address from Turkey, it can be an IP address from India, all of everywhere, everything, and, you know, I'm fine with it. So the problem is that this particular instance owner, or this particular development group, for some reason has ignored the security aspect in AWS, right, because security groups are meant to open only specific ports and allow only specific traffic into the EC2 instance. So how and what you can do as DevOps engineers is, instead of, okay, so this is fine, every instance owner can open specific ports, whatever traffic they would like to, but additionally what AWS says is, if you go back to the previous diagram where I said this is the VPC, and if this is the public subnet and this is the private subnet, right, similarly there will be a lot of private subnets; so what AWS said is: we will give you more access. Instead of the instance owner defining what kind of ports or what kind of traffic is allowed, if they make some kind of mistake there and if they say that allow all kinds of traffic, as DevOps engineers or administrators you will have one more layer, where at the subnet level, at each of the subnet levels, what you can do is you can define what kind of traffic you want to deny. Understand this carefully: here I'm saying what kind of traffic do you want to deny. So if you deny some traffic at the subnet layer, even if you try to accept that at the security group layer there will not be any advantage. So DevOps engineers, network engineers or AWS administrators, what they can do is they can take advantage of NACLs to define their organizational network traffic, okay? So if something is applied at the subnet level, then it is by default applied to all the instances within the subnet, okay? So if there are 50 EC2 instances inside this private subnet, let's say you give this private subnet to development team three (this is just an example), you gave it to development team three, and what they have done is they have created 50 EC2 instances inside this private subnet, and for some reason they said allow all traffic; but because you have applied the NACL configuration and you said by default deny all the traffic and allow only specific things, if you say that at the NACL layer, what will happen is AWS will deny all the traffic that is flowing in and only allow the configuration that is defined in the NACL. So the NACL will add an additional layer of security, got it? So instead of applying the configuration for each and every EC2 instance, you can also use NACLs for automation. So maybe in your organization DevOps engineers are the ones who are taking care of the instance-level security, that is security groups, as well as NACLs; then what you can do effectively is, instead of adding security groups for each and every EC2 instance, if you just apply the NACL to the subnet, even if there are 10,000 EC2 instances, this NACL configuration is directly applied to all the 10,000 EC2 instances, okay? So that you can automate this manual activity of assigning the rules to each and every instance using security groups. So it is up to you whether you want to use security groups, whether you want to use NACLs, or you want to use the combination of security groups plus NACLs, okay? So the NACL's primary purpose is that you can deny what kind of traffic you would want to and you can allow what kind of traffic you want to, whereas security groups are only for allowing; a security group does not have a deny thing; in a security group you will only configure the rules for allowing. So now we discussed so much here; probably for some people there might be some kind of confusion, so what we will do is we will try to deal with this same thing practically and make it understandable for people, the practical part that I am going to demonstrate on the AWS account today. So if you watch this carefully, what I'm going to
do today is: these dotted lines represent a virtual private cloud. So firstly I'll create a custom virtual private cloud. You haven't seen how to create a virtual private cloud, so that's going to be interesting. So firstly I'll show you how to create this virtual private cloud on AWS, and when you create a virtual private cloud, as I told you, security is a shared responsibility. So as I create the virtual private cloud and provide the IP address range, AWS by default will create an internet gateway for me, AWS by default will create a NACL with default configuration, and AWS will create a route table. Additionally what I'll do is I will create an EC2 instance and attach a security group to this EC2 instance. Now once we do this we will play with this security group configuration and NACL and we will see how traffic flows into this EC2 application, sorry, the application inside the EC2 instance: what happens if I block something in the security group, what happens if I allow something in the NACL and block that thing in, sorry, allow something in the security group and block that in the NACL, right? Allow, allow, block, allow, we will try a lot of things. So let's see how this configuration goes, and you can also try the same thing as your assignment, because I'll share all the steps with you right now; you can watch the video and you can follow the steps as I do. So let's quickly go on to the AWS Management Console here. So this is the AWS Management Console, right? So what I'll do now is move to the service called VPC. So this is the VPC service. Some people might be watching this for the first time, they might have not seen VPC before, so what we will do here is, once you go here, you have a lot of things within the VPC. Don't get scared, some of these things you have already learned about in the previous classes: what is VPC, what is subnets, route tables, internet gateway, security groups, and today we learned about NACLs as well. If there are a few things that you don't understand, don't be scared, eventually you will understand
all of those things. So click on VPC and let's click on create VPC. Okay, so there are two options here, VPC only and VPC and more. Go for VPC and more because AWS will take care of creating the resources for you, I mean the default resources for you. For example when I create this VPC using VPC and more, what AWS is going to do is AWS is going to create a public subnet for me as well as a private subnet for me in both the availability zones, right? I'm in the region North Virginia; in North Virginia there are two availability zones, us-east-1a and us-east-1b, so AWS will create four subnets, the public subnet and private subnet for me, so that I don't have to create a lot of configuration. In a real-time example, like I told you, the public plus private subnet combination is used more. Then AWS is also going to create route tables for me, finally it creates an internet gateway, igw stands for internet gateway, and it also creates some VPC endpoints for S3 bucket, which I'll tell you about later; right now S3 buckets is not taught in this series so don't worry. Perfect. Now what I'll do after this is, you can provide any name or you can use the random name, so I can provide some name here for this VPC; let me call this VPC demo VPC, okay? And this is exactly what I've been talking about: here if you see, if I provide this configuration /16, what AWS is telling me is that you'll get 65,536 IPs. If I want to modify, if I just say this as /24, see what happened, AWS said that you'll get only 256 IP addresses. So in future if you require more than 256 IP addresses then you have to modify this VPC or you have to add additional configuration. So whenever you create the VPC, if you have an understanding of what this is going to be, what the size is, then that's better, and you can modify these things as well. For example instead of 10.0.0-something you can also change this to the 192 series or whatever series you would like to. So let me just change this back to whatever AWS was giving me by default, and now
what I'll do is, here you can configure the number of availability zones that you want. Technically I want only one availability zone because this is just a demo thing, but let it be, you can go with the defaults at this point of time because you are just learning. Number of public subnets: I want a public subnet because, if you go back to the diagram, I'm going to do this entire thing using the public subnet only. Perfect, all the configuration is provided. Now I can simply, like this VPC endpoint, right now you can put it as none as well, but if you want to go with the default let it be as S3 Gateway. Click on create VPC. Now the VPC configuration will be created. See what exactly VPC is doing: firstly it created the VPC, then it is configuring the DNS, we will learn about DNS tomorrow, don't worry, then VPC creation is done, it has created subnets for me, these are combinations of public and private subnet, then it created the internet gateway. That's why I keep saying security is a shared responsibility: AWS will create configurations for you, additionally you have to look at those configurations, you have to modify those configurations if required, add additional security if required. AWS has then created route tables, create route, associate the route tables with the public and private subnets, and finally you know AWS has also done the route table creation. Okay, so these are all the things that are created as part of this VPC workflow. Now let me go back to the VPC that is created for me, and here you can also look at the rough diagram of how this VPC looks. Just go to the resource map and here you'll get a total picture of how your newly created VPC is looking. So just spend some time here and try to understand what is happening here; this is exactly what I've taught you on day four, so you can understand, and if you don't understand you can ask me any specific question as well. Perfect, now this part is done, I've created the VPC, AWS has created the internet gateway for me, see this is the default internet
gateway; in this picture you can see if you scroll down, so this is the default internet gateway that AWS has created for me, and AWS also creates a NACL and security groups which you will see. So let me go back and create the EC2 instance now, because I want to place the EC2 instance in the public subnet of the VPC and demonstrate security groups as well as NACL. Go to instances, click on launch instance. What we will do differently in today's class from the previous class where we created the EC2 instance is, let me call this demo instance, let me choose the flavor as Ubuntu, t2.micro is fine for this class, no problem, provide the key pair whatever you would like to use, I'll use this one called AWS login for example, and here in the network configuration you have to edit this, right? So edit the network configuration and in the network configuration don't go with the default VPC. The default VPC is the one AWS creates for you so that you can start working with it; if someone does not know the concept of VPC, they just entered or they just started with AWS, they can use this default VPC and they can play with it. That's what we did in class three, on day three we used the default VPC which comes with all the default configurations of AWS, but now I want to play with my custom VPC; in your organizations you will always use the custom VPC only. So demo VPC, let me click on this one and see what subnet is getting allocated to your instance, right? In this case AWS is saying that I will allocate the private subnet for you, which is a general industry practice: by default your EC2 instance and the application should be in the private subnet. But because today we are trying to understand this concept and not going in detail into load balancer and all the other configurations, I will change this to the public subnet. How do I do that? Just go back here and change the subnet to demo subnet public one us-east-1a, okay? So because I'm in the availability zone, I want to play with only one availability zone.
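The CIDR sizing that the video walks through when creating the VPC (a /16 giving 65,536 addresses, a /24 giving only 256) and the "VPC and more" layout of one public and one private subnet per availability zone can be checked before you click create. The following Python script is an added example and is not code from the video or from AWS; the /24 subnet size, the carving order and the subnet names are this example's own assumptions, not the console's defaults. The only AWS fact it relies on is that AWS reserves five addresses in every subnet.

```python
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def vpc_address_count(vpc_cidr: str) -> int:
    """Total addresses the console reports for a VPC CIDR (65,536 for a /16, 256 for a /24)."""
    return ipaddress.ip_network(vpc_cidr, strict=True).num_addresses


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses actually assignable to instances once AWS's reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: List[str], subnet_prefix: int = 24) -> Dict[str, str]:
    """Carve the VPC into one public and one private subnet per AZ.

    Assumption (this example's, not AWS's): public subnets are allocated first, then
    private ones, each as a /subnet_prefix block taken in order from the VPC range.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = vpc.subnets(new_prefix=subnet_prefix)
    plan: Dict[str, str] = {}
    for tier in ("public", "private"):
        for az in azs:
            plan[f"{tier}-{az}"] = str(next(blocks))
    return plan


def validate_plan(vpc_cidr: str, plan: Dict[str, str]) -> List[str]:
    """Return human-readable problems: a subnet outside the VPC range, or two subnets overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    problems: List[str] = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed input matching the demo: the console default 10.0.0.0/16 across two AZs.
    vpc = "10.0.0.0/16"
    print(f"{vpc} has {vpc_address_count(vpc)} addresses")
    print(f"10.0.1.0/24 would give {vpc_address_count('10.0.1.0/24')} addresses")
    layout = plan_subnets(vpc, ["us-east-1a", "us-east-1b"])
    for name, cidr in layout.items():
        print(f"{name:20s} {cidr:16s} usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan(vpc, layout) or "none")
```

Running it prints the four subnets and their usable host counts; feeding `validate_plan` a hand-edited layout is a quick way to catch the overlap or out-of-range mistakes the console would reject later.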
I've chosen the us-east-1a availability zone. Assign public IP address: yes, I need a public IP address for my EC2 instance. Create security group or select any existing security group: like I told you, if you are not aware of these concepts then you can ask AWS, you know, to select any existing security groups, but in this tutorial I'm going to play with the custom VPC, so let me let AWS create the security group for me and then let me tweak it. Rest all the configuration looks okay to me, let me click on launch instance. Now what we will do is, inside this AWS EC2 instance that is getting created for me, I will install a Python application, okay? I will just use a very simple Python application on this EC2 instance, and what I'll do inside this Python application is I'll run the application on port 8000 and then I'll try to access it. By default, I think most of you already know that when you try to do this the security group will block it, because the default security group that AWS created for you will not allow the traffic directly; you need to allow the traffic explicitly. So I will enable all traffic, I will enable port 8000 and show you what happens, and then we will try to block the traffic: we will say block all traffic in the NACL and see what is going to happen. Okay, so this is going to be interesting. Now the EC2 instance is also running, let's get the IP address of the EC2 instance and log in to the EC2 instance using my terminal. So this is my terminal, what I'll do is ssh, I hope I have that pem key, AWS login pem, perfect, change the IP address also, great. So let's see, log in to the EC2 instance, and what is the first thing that you would do after logging in to the EC2 instance? You need to update the packages, right? Because I want to run the Python application, so firstly I want to update the packages, see if Python is installed, and then I will run a simple HTTP server. So firstly do sudo apt update; it will not take much time, all the packages are getting updated, it will not take much
time here. Perfect, all the packages are updated now. Now let me see if Python is installed or not, so let me just run the python3 command. Perfect, Python is also installed. Now I will just run a very simple HTTP server on Python; for that you don't even have to write a single command or you don't even have to write a single file, just say python3 -m http.server and provide the port, whatever you would like to. So a simple HTTP server is now running on port 8000. Ideally if you open this instance on this IP address and access port 8000 you should be able to access it, but let's see what would happen. So we saw the same thing in the last class as well, on day three, there we used Jenkins and I tried to access the IP address on port 8000 which failed and then I enabled it, right? So let's try to do the same thing now. This is my instance, copy the IP address, just say http://IP-address:8000. The application will not be accessed, because what is happening? Let's go and see. This is the EC2 instance, this EC2 instance is attached with a security group, this is the default security group that is attached, and what is happening in this default security group is that, you know, what AWS is saying is I will allow only port 22. This is port 22 that is only allowed; the reason is also because AWS only wants to allow the SSH traffic; if this is also not allowed then we will not be able to even log in to the EC2 instance. So only SSH is allowed. And let us see what is the NACL configuration as well, right? So if we look at the NACL configuration, just go, I'll take a different tab here and open VPC, Network ACLs. So what is the network ACL attached to our VPC, this is our VPC right, demo VPC, so let's go to that specific thing and see what are the inbound rules. Why are we looking at inbound rules? Because inbound rules are the ones that apply to traffic coming to our application. So it says all the traffic is currently allowed. So Network
ACL, which is the first layer of defense, okay, which is the first layer of defense for the entire subnet, what is configured here? It said okay, allow all the traffic, I don't have any problem. You can say that there is also a deny rule here, but the deny rule will only be triggered if this condition is not met, okay? So the order goes with the order of priority, whatever is here in the first row; so it depends upon the number, the least number will be here first. Let's say I'll configure one more rule and the rule number is 200; so first rule 100 will be verified, then rule 200 will be verified, and finally it will go to rule star, okay, star is the last thing here. If this condition is met, right, if this condition is met, that is if all the traffic is allowed, then there is no problem, okay? Let's say here instead of all traffic I can also say allow only custom TCP traffic of port 8000, or I can say allow only custom TCP traffic of port 9000, which we will see, but for now all traffic is enabled so no problem from the NACL. What AWS did here is, from the internet gateway you got entry into the subnet, okay, because the NACL is allowing all the traffic, so the internet gateway can forward the request to the route table. If there is a load balancer here then the request would have gone to the load balancer; from the route table the request goes to the load balancer, but because there is no load balancer here, from the internet gateway, if the NACL accepts, then the traffic goes to the route table, right? So let me add an arrow here so that it is much clearer. So this is what has happened here: from the NACL now traffic goes directly to the route table, and the route table would forward the request to the EC2 instance. Let's see what is happening and why, if the NACL is accepting, the request is not going to the EC2 instance; that is because the security group is blocking it. The first layer of defense is cleared, but the second layer or the last layer of defense, which is the security group, is blocking the request. Now let's try to unblock it. So for that
go to the security group, edit the inbound configuration, add one more rule, and inside this say allow port 8000. So custom TCP means the custom port 8000 of TCP; you're allowing port 8000 from any IP address. For now you can say any IP address, anywhere in the world, the resource that is using IPv4 anywhere in the world. Just save the rules, and as soon as it is saved you will see that the configuration will be applied to the EC2 instance, and if I just refresh this page you will see the output. What is this output? Basically I'm just running a simple HTTP server, right, I'm not running anything more than that, this is a very simple HTTP server, so that's why what is happening here is the request that you have sent is listing out the directories that are available in that folder. Anyway you got the request output; you can verify or validate this request output here as well, so you got a 200 response, that means the request is successfully sent and you have got the response back. Now what if, okay, what if you have opened this port, right? So where is this, in the security group inbound rules you have opened this port. Let's say you are the instance owner, you are not the DevOps engineer, and as part of the instance ownership what you have done is you have enabled port 8000, but your organization has a very strict rule that port 8000 should not be enabled. So as the DevOps engineer you can configure this, you can control this thing at the NACL level itself, because you cannot monitor each and every EC2 instance and you cannot control every EC2 instance. You can say that for my organization or for this particular VPC I will block port 8000 in the NACL, right, or the network ACL configuration; see what would happen. So the power of the DevOps engineer using NACLs: this is the security group, where is the NACL? Let's go to the NACL, yep this is the NACL, this is the inbound rule. What I will do is edit inbound rules, instead of allowing all traffic just remove this, add a new rule, and what you will say is, in this specific rule
let me call this rule 100, custom TCP, port range 8000, I want to block anything that is coming from the internet, just deny. Now let's save this change, okay, and let's try to copy this URL, take it in a different browser and just try to enter it and see. Now you will see that the request will not reach the application; that is because the DevOps engineering team has blocked that specific IP range, or the DevOps engineer has denied that particular traffic in the NACL, so it will be blocked for the entire subnet. Whether you are the EC2 instance owner, whether you can be anything, because the network configuration is blocked you cannot access. Now again let's try to edit this inbound traffic rule and say that for 100 I will just say all traffic, allow, save changes. Edit inbound rule, I will add one more inbound rule, okay, and that inbound rule number is 200, okay, custom TCP port 8000; any guesses on what would happen? I will deny this. Let's see how much you have understood here: I have added this rule number as 200 and I have denied the traffic. Let's see, if I save changes and refresh this, you will see that the traffic is sent even though you have denied the configuration in the NACL, because the NACL goes in this specific order, right? So the order would be, first you will verify, I mean AWS will verify the first lowest number, the lowest number is 100, or it goes with the specific order that is mentioned here, it is mentioned in ascending order itself. So firstly it will check rule number 100 which says all traffic is allowed, so this rule is met, AWS will forward the request, the request goes to the security group, in the security group also you have allowed port 8000, so it directly reaches the specific application. What happens if I simply rename this one, like if I make this as 200 and if I make this as 100? Save changes now, okay, so let's save one by one. So let's keep this as 200, let's keep this as 110, okay, you can keep any number, it just has to be the order, that's it. Now try to save the changes so it will reflect
and 110 goes above. So this is the first rule; what it says is if the port number is 8000, block; if the port number is not 8000 then it will go to the next rule. What does the next rule say? Allow all the traffic. Now let us see what would happen: just copy this URL, take this in a different tab and try to refresh again; the traffic will not reach the EC2 instance. The thing is, now the application developer will be confused, hey what happened, I have allowed port 8000 here but still my application is not getting the traffic, because the DevOps engineer or the network engineers have blocked this specific port. Now this port they might have blocked because there might be some security reasons, there might be some concerns. It's not just about the port; with the NACLs you can play around with different things, you can play around with IP addresses. Let's say you are worried about some IP address that is coming from XYZ country and you know the IP address range; you can say block the IP address that is coming from the 3.4.5.6 range, or if you know the specific IP address you can provide the specific IP address, if you know this; if you don't know the specific IP address you can provide the range as well, 3.4.0.0/16, right?
You can say anything, you can block on the IP address, you can block on the port range, you can play around with the NACL and security group configuration. So what you have understood at the end: even if you allow the configuration in the security groups, the NACL acts as the first layer of defense, and DevOps engineers as well as system engineers, network configuration admins, or the admins who have access to NACLs, they can overall block the configuration at the subnet level, right? So today we understood the topic of NACLs and security groups with respect to allowing the access and blocking the access. Please take this as an assessment: you can watch this practical part one more time and you can try this at your end, this is really really important. Today we just tried with one public subnet; in future we will enhance the scope, we will add the private subnets, we will add load balancers, we will add API gateways, we'll add a lot of configuration, multiple availability zones, so there this concept you will understand in an even more detailed way when we play with other components of AWS, but for that today you have to practice this, and let me know in the comment section: were you able to try the assessment, were you able to solve this, do you have any questions, please let me know in the comment section and I'll be more than happy to reply to it. So firstly let me give you a brief overview, and you know what is this project about, what are we going to implement, what are some things that we need to understand before the implementation of the project. Firstly this project demonstrates how to create a VPC and how to secure your applications within a VPC in a production environment, right? So if you look at the architecture diagram here, there is a VPC and inside the private subnet we have deployed the applications, and there is a public subnet where you have the load balancer and the NAT gateway. Users would access this application through the internet gateway to the load balancer, and from the load balancer it
will reach the applications in the private subnet, right? So this is the entire architecture that even I'm trying to explain here, so you can pause the video here and you can also just read through this entire thing, so that you can explain this same thing when interviewers ask you in the interview process. But just an overview, like in four lines: first we will create a VPC that has public subnets as well as private subnets in two availability zones. Now why I need two availability zones, you can ask me, like Abhishek, when you explained the theory part you were just using one VPC, in that VPC you were only using one public subnet and one private subnet, and that too in one single availability zone. But when you do this in production you need to create two availability zones instead of one, so that if for some reason the data center of AWS in a specific region, or the availability zone of AWS in a specific region, goes down, you will still have the other availability zone that is serving the traffic for you. So that's the only purpose: we create a VPC with a public subnet and private subnet in two availability zones, and in the public subnet what we will do is we'll deploy a NAT gateway and a load balancer. Why you need the load balancer I'll explain to you, but why you need a NAT gateway: let's say these applications here, if they want to access something from the internet, probably they want to get some JSON information or they want to get some kind of information from other APIs on the internet, so it is better to mask the IP address of these applications when they send a request. So that's exactly what the NAT gateway does. So let's say the IP address of this one is 172.16.1.0 or 172.16.3.4; when the application or the EC2 instance tries to access something from the internet, what this NAT gateway says is okay, let me change your IP address to the public IP address of mine and send the request, so that your information will be hidden. Even if that third party application is a false application, or even
if it is hacked, there will not be any problem because, I mean, that person does not know the IP address of this server. That is about the public subnet, and in the private subnet you will launch these applications using an auto scaling group, okay? What is an auto scaling group, I'll just explain to you in a minute. Finally we will see how to reach this application through the internet, how traffic flows, and I'll also tell you how these applications access the internet using the NAT gateway. So this is going to be the complete overview, and before I jump onto the video you should know about these four things, because I covered these things in day zero to day six but I did not cover them to an extent that it is registered for everyone. Bastion is something that I did not cover at all, but the other three things I covered, but not to the fullest, so let me give you an overview. Auto scaling group, load balancer: they have dedicated sessions in this AWS Zero to Hero series, but in this project I'll use them, so you should understand the summary of it. Firstly what is an auto scaling group? So an auto scaling group, you know, you can just understand it as a concept: let's say you want to deploy your application in two availability zones; instead of creating your EC2 instance two times, what you can do is you can just tell the auto scaling group, okay, create a minimum of two replicas, and in case my application receives more requests and if two servers are not enough to accept the incoming traffic, let's say two servers can only accept 100 requests but there are 200 requests that are coming at you, what the auto scaling group can do is it can immediately take a decision and scale your servers to four in number, five in number, six in number, right? So this is a very basic example of an auto scaling group; in future we will discuss auto scaling groups in detail, so don't worry about it for now. Then you have
load balancer. What is a load balancer? The name itself says what a load balancer is: it is something that balances the load. Let's say there are 100 requests, now we have two servers, right, there is server one here and there is server two here hosting the same application, so the load balancer takes the responsibility of sending 50 requests here and 50 requests here, or if you have this instance very powerful, right, so you can say send 60 requests here, 40 requests here, 80 here, 20 here, and the load balancer will exactly balance the load, right? Apart from that, using the load balancer you can also do path based routing, host based routing, different kinds of routing mechanisms, which we'll cover in depth when we come to the load balancer topic in the AWS Zero to Hero series. And one final topic is, what is a bastion or a jump server? This is a very very simple concept. So these EC2 instances, right, that we are creating, are created in a private subnet, so they don't have a public IP address, or we cannot SSH into these instances directly. So what we will do is, because we want to keep them secure, we will not create any public IP addresses for them, but we will create a bastion host or just a jump host in this public subnet, and through that bastion or jump host we will connect to this EC2 instance. And there are multiple advantages of using a bastion host; the one mechanism is the same thing that I've just told you: if you use a bastion host, instead of directly connecting to the server you can connect from the bastion, so that there will be a proper logging mechanism, you can do proper auditing of who is accessing this private subnet, you can configure a bunch of rules in that bastion host where the traffic actually moves, or the SSH traffic actually goes to this application in the private subnet through the bastion host, right? So we will discuss the advantages of bastion hosts again, because this is not the topic where we want to discuss about bastion, but this is a topic where we want to implement this entire architecture.
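The NACL and security group experiment in the first half of this session (the default security group blocking port 8000, opening it, then a deny rule numbered 200 after an allow-all 100 having no effect while the same deny numbered 110 blocks the whole subnet, plus the idea of denying a source range such as 3.4.0.0/16) can be reduced to a small decision model. The Python below is an added example and is not code from the video or from AWS: it models the two evaluation rules the video demonstrates, first match in ascending rule-number order with an implicit deny for NACLs, and allow-only, any-match for security groups. The client address 203.0.113.10 is a constructed placeholder and the rule sets are constructed to mirror the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """One inbound rule. NACL rules carry a number (evaluated lowest first) and an
    action; security group rules are allow-only, so they use neither field."""
    protocol: str                    # "all" or "tcp"
    port_range: Tuple[int, int]      # inclusive low/high destination port
    source: str = "0.0.0.0/0"        # CIDR the traffic must come from
    action: str = "allow"            # NACL only: "allow" or "deny"
    number: Optional[int] = None     # NACL only


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, destination port and source CIDR must all match for a rule to apply."""
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    low, high = rule.port_range
    if not low <= pkt.dst_port <= high:
        return False
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source)


def nacl_decision(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule in ascending rule-number order wins; the trailing '*' rule denies the rest.
    Returns (action, rule number that decided) so a blocked request can be traced to its rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, str(rule.number)
    return "deny", "*"


def sg_decision(rules: List[Rule], pkt: Packet) -> str:
    """Security groups have no deny: traffic is allowed if any rule matches, otherwise dropped."""
    return "allow" if any(rule_matches(r, pkt) for r in rules) else "deny"


def reaches_instance(nacl: List[Rule], sg: List[Rule], pkt: Packet) -> bool:
    """Inbound traffic must clear the subnet NACL first and then the instance's security group."""
    nacl_action, _ = nacl_decision(nacl, pkt)
    return nacl_action == "allow" and sg_decision(sg, pkt) == "allow"


# Constructed rule sets mirroring the situations tried in the video.
SG_DEFAULT = [Rule("tcp", (22, 22))]                              # what AWS created: SSH only
SG_WITH_8000 = SG_DEFAULT + [Rule("tcp", (8000, 8000))]           # after adding the custom TCP rule
NACL_ALLOW_ALL = [Rule("all", ALL_PORTS, number=100)]
NACL_DENY_AFTER_ALLOW = NACL_ALLOW_ALL + [Rule("tcp", (8000, 8000), action="deny", number=200)]
NACL_DENY_FIRST = [Rule("tcp", (8000, 8000), action="deny", number=110),
                   Rule("all", ALL_PORTS, number=200)]

HTTP_8000 = Packet("203.0.113.10", "tcp", 8000)   # constructed client address (TEST-NET-3)
SSH_22 = Packet("203.0.113.10", "tcp", 22)


def scenario_results() -> dict:
    """Whether the request reaches the app in each of the video's configurations."""
    return {
        "default_sg_blocks_8000": reaches_instance(NACL_ALLOW_ALL, SG_DEFAULT, HTTP_8000),
        "sg_opened_8000": reaches_instance(NACL_ALLOW_ALL, SG_WITH_8000, HTTP_8000),
        "deny_numbered_after_allow": reaches_instance(NACL_DENY_AFTER_ALLOW, SG_WITH_8000, HTTP_8000),
        "deny_numbered_before_allow": reaches_instance(NACL_DENY_FIRST, SG_WITH_8000, HTTP_8000),
        "ssh_still_reaches": reaches_instance(NACL_DENY_FIRST, SG_WITH_8000, SSH_22),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:28s} {'reaches the app' if ok else 'blocked'}")
    print("port 8000 with deny-first NACL decided by rule",
          nacl_decision(NACL_DENY_FIRST, HTTP_8000)[1])
```

The `nacl_decision` return value is the part worth keeping when you troubleshoot: an application owner who sees traffic vanish despite an open security group can ask which numbered NACL rule matched, which is exactly the confusion the video describes when the deny rule moves from 200 to 110.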
Right, so I think we have enough information, now we can get started with the project and let's see how to implement this end to end on an AWS account. Okay, so I have logged into my AWS console and let's start with the creation of the VPC. So go to the search bar, type VPC, so you will see an option for isolated cloud resources, VPC, click on that. So you'll find an option called create VPC, click on create VPC, and there will be two options here: one is to create VPC only, or create VPC and more. If you click on VPC only then you have to create all the things by yourself, like for example you need to create all the subnet configuration, IPv4, IPv6 and a lot of other configuration, but the better thing is to go with VPC and more. So when you click on VPC and more you will see in the preview diagram what AWS creates for you: so AWS creates a public and private subnet in the us-east-1a availability zone, and it will also create a public subnet and private subnet in us-east-1b as well. So if we go back to our diagram which we have been talking about, right, so as I told you, you can search for that in the AWS blogs as well, just search for AWS public private subnet architecture. So this is the blog that I was talking about which I wanted to share in the description; this blog also has the information, but you don't have the complete details in this blog, like they are very high level, probably someone might not be able to follow this and execute this, so I'll explain it in a much better way. So just use this diagram as reference and we can implement that in our own style, the style that we have learned from day zero to day six. So see what we are trying to do here: when you click on VPC and more, what AWS is creating is one public subnet in us-east-1a, one public subnet in us-east-1b, which is what we want, right, one public subnet here, one public subnet here, and then you have one private subnet here in us-east-1a and one private subnet in 1b, exactly the same, one private subnet here and
one private subnet here. So the VPC is getting created, subnets are getting created, and what else? So along with the subnets, of course the subnets have to be attached to the route table. When I explained the VPC architecture I told you the route table is the one which defines how to route the traffic within the subnet, so if the subnet is not attached to a route table technically nothing happens with the subnet. So if you look at the public subnet, it is attached to a route table that has a destination as the internet gateway. Awesome, that is exactly what we want: this public subnet should have a route table with the internet gateway attached to it, so that traffic flows into the public subnet. So that is also done by the VPC here, great. And finally you have two private subnets which have two different route tables, expected because these two route tables are different, and it is attached to a VPC endpoint for S3 bucket. Now I don't want this one, because this project has nothing to do with VPC endpoints, and when we talk about S3 buckets you will understand what exactly this is for; for now just ignore this and I'll also remove this from the configuration. So okay, VPC and more is what I want, then select the name of the project, let me call this AWS prod example. Use the same subnet, there is no problem here, because in this VPC you have 65,536 IPs which is too much, so that's totally fine, I don't want to touch it. No IPv6, I don't want to play with IPv6, I'm just using the IPv4 configuration. Number of availability zones: it is two that I require, perfect. Number of public subnets: two; if I change this one the reference diagram also gets changed. Number of private subnets: two. NAT gateways: yes, I want one NAT gateway in one particular availability zone, so let's say one per availability zone. And this is the VPC endpoint that I was talking about, just click on none; you will notice that this diagram also changed and now there is no VPC endpoint for S3 bucket. Perfect, now let's click on create VPC here and
see that AWS creates a bunch of resources for you. So take a pause here and read what are the resources that are getting created, because this is very very important. Okay, maximum number of addresses has been reached, the elastic IP addresses; that's not a problem, let me go back and see how you delete that, you can just go to the EC2 console. This is again some useful information while you do demos, this is the advantage. So there is an issue here while I was creating the VPC: the number of public elastic IP addresses is reached, so let me go here and release some elastic IP addresses. Okay, so these are some previous projects that I was doing, so let me release those IP addresses. If the IP address is released then AWS will allocate this elastic IP address to the other things that I am using. So now if I go to the VPC console, let me click on retry here, so you will see at this point of time the elastic IP addresses will also be created. What is an elastic IP address? An elastic IP address in AWS is nothing but an IP address that will remain the same even if the instance is deleted. Let's say you terminate an EC2 instance, I'm just giving an example; if you assign the EC2 instance an elastic IP address, what will happen is even if the EC2 instance goes down and comes back the IP address will remain the same. In general it does not remain the same, but if you're using an elastic IP address then the IP address will remain the same. In very simple language, if I have to explain in plain English, an elastic IP address can be called a static IP address because it never changes, okay? So in this case the elastic IP address in my example will get attached to the NAT gateway, because like I explained to you what a NAT gateway is, it will mask the IP address of my EC2 instance or the applications with the public IP address of the NAT gateway, so this is where the VPC is using the elastic IP address. Perfect, let's see the VPC creation. So VPC creation takes a little time; at this stage, creation of
NAD gateway to activate uh I mean for the NAD gateway to activate uh it will take couple of minutes so you need to wait patiently here uh for the N gateway to be activated so now all of this is created but even then you need to wait for a couple of minutes sometimes okay so sometimes your VPC is created but sometimes AWS takes one or two minutes to reflect this in the VPC tab so if in case in when you are performing the demo when you click on these vpcs and you see that the VPC is not visible here or it is taking time please be patient sometimes it takes time okay now the VPC is created let's go to the VPC and see if the resource architecture that we have created till now okay till now whatever we have created is available or not okay till now what we have created we created a VPC with public subnets private subnets public subnets attached to the route table and the internet gateway and the private subnet is attached to different route tables perfect everything everything is looking fine till now now what are the other things needed so the other things that are needed is the E2 instances where your applications are deployed we will do them with autoscaling group as I've mentioned and the load balancer is also missing now once these things are deployed we will try the traffic from outside but there is a thing that you need to do additionally will'll get there so please watch it carefully okay now let's go to the console again and create the auto scaling group so search for ec2 in the ec2 you can go for auto scaling option just scroll down you'll see this option called autoscaling groups click on create autoscaling group autoscaling group in AWS cannot be created directly you can use launch template so why you need launch template because you can use this launch template across multiple uh autoscaling groups or this template acts as a reference like tomorrow if you want to understand how your autoscaling group is behaving is your autoscaling group scaling one 
instance 10 instances 100 instances you can use this launch template as reference so let me click on this launch template firstly create that launch template will not have much configuration uh you just have to mention what is the name of this launch template uh let me just call this name as the name of the launch template as uh AWS prodad example let me give the same and uh what will be the name what are you trying to do here basically uh deploying okay verification or proof of concept for AWS private subnet for app deploy in AWS private subnet perfect now it is asking what should be the operating system of your or the you know what should be the Ami not operating system what should be the Ami which image do you want to use ubo SOS let me just pick up what I've been using that is the uento configuration click on the recently launched and uh this is the uento configuration if you want to browse more you can click here what should be your instant type always pick the free instances when you're are doing this proof of Concepts whenever it is required to use an additional configuration I'll let you know in the key value pair pick up the key value pair that you want to use do not touch anything with respect to this uh specific option here the subnet configuration uh let it be uh create a new subnet sorry create a new Security Group okay and uh provide the name of the security group again let me give the same thing AWS prodad example just say Al love SSH accent this is just a description you can give anything and here comes the important thing in which VPC do you want to launch I want to launch this autoscaling group The instances in the VPC that I just created and here you can add any inbound Security Group rules for the E2 instances that are getting created so my application that I'm going to deploy I know that uh it is going to be deployed and access using Port 8,000 but what you can do is you can just open all of the things as well if you're not sure about your 
application configuration but it is always um you know suggested to keep the port that you are deploying I mean that your application requires so you know what you can also do like I'm saying is just open all traffic but if you open all traffic then you are not following the security standards so what I'll do is I'll open the ports that I require one is the SSH Port that is Port 22 that is the port 22 from which source anywhere uh SSH Port I want to access from anywhere so you know this is one and now add another Security Group for the application that is deployed inside these instances so I'm going to deploy a python application very simple one so I'm will open port 8,000 so custom TCP Port range 8,000 in your case you can change this according to the application that you want to deploy and again let me put accessible from anywhere and I don't want to add any EBS volumes or any other configuration so let me click on launch template you must be feeling abishek this is exactly similar to E2 instance configuration yes it will be exactly same because here you are using the autoscaling group to scale ec2 instances right so once you create that just refresh the page so that autoscaling group will find the launch template Autos scaling group name again let me say AWS example uh prod or AWS prod example what is a launch template AWS prodad example is a launch template and now let me click on the next button here you need to choose the VPC okay which VPC do you want to choose you want to choose the VPC that you have created with right what is it saying for more applications you can use multiple Ava a ability zones okay but in my case I want to choose the VPC that I've have just created availability zones and subnets in which you want this ec2 instances to be available where this ec2 instances should be there if you go to the diagram they should be there in the private subnet so let's put them in the private subnet this is the private subnet right private one and this is 
the private Subnet in Us East B so I'm choosing two private subnets perfect now all the things are available let me click on next do you want to attach a load balancer now or do you want to attach a load balancer later so I'll not attach any load balancer here uh let's just not go with any load balancer I'll attach load balancer in a different context I'll just create this load balancer okay so I'll create an application load balancer in the public subnet but in the autoscaling group configuration for this project I'm not creating any load balancer so okay health checks everything is good let's click on the next button desired capacity specify the size of Autos scaling Group by changing the desired capacity okay so let's say you want two E2 instances select this as two what is the minimum and how much it can go up to maximum what is maximum like you are saying to start with two E2 instances but let's say during Christmas or during uh Diwali or some other festival occasions if if you receive lot of traffic then autoc scaling group when the scaling when the traffic goes to 80% 90% depending upon the CPU monitoring what you can do with auto scaling is you can tell Auto scaling to automatically go up to maximum capacity of three instances and four instances so you don't have to worry about this right now you will learn this uh when we go to the in-depth topic analysis of autoscaling groups so you can configure the scaling options here that's what I was talking about like when do you want to Define when the E2 instances have to scale up and scale down so for now just keep it none and click on the next button add notifications you can add notifications through SNS topics when an E2 instance is added or terminated for now I don't want any of those things so let me click on next button and launch configuration perfect now my autoscaling group is also getting created again this will take 1 minute so just wait here before you move to the next so after a minute you will see 
that the desired capacity is two and the instances are two now let's go to the AWS ec2 and see if this autoscaling group indeed has created two instances for us or not and I'll also verify if one of the instance is created in Us East 1A and the other instance is created in Us East 1B or not okay for that let me go to uh ec2 here perfect and uh click on the instances yes there are two instances perfect click on one of the instance where is this created uh see this is created in Us East 1A now let's click on the other instance go back here click on the other instance and see where is it created uh see this is created in Us East 1 B perfect so you have this configuration also done so Autos scaling group is created instance is created here and here now before going to create the application load balancer you have to do one thing that is install the application inside this servers right I want to install applications inside This Server so now what I'll do for that is just go to those instances so here comes one thing that you have to watch carefully and this is very important so let's go to the instance and try log to this instance so you will notice that this instance does not have a public IP address and that is expected right so I have not given any public IP address here because these instances have to be secure now you might ask me but abishek how do I log into this so that's where our basan or the jum host comes to the picture so as I explained in the theory part what does a Bastion or gy host does so it enables it act as a mediator between your private subnet and it acts as a mediator like between your private subnet and the external persons or the public subnet so I'll create a basan host here and access the private subnet from there okay so what we will do is go back to the ec2 console click on the instances and start creating a Bastian host launch instance so this is I think all of us already know just call it as uh Bastian host and uh choose uento as the 
image you can choose anything then choose T2 micro provide key pair AWS login and what you will do here is make sure you add a Security Group which has access to SSH right so because you need to SSH to the ec2 instance that is the basan host and from there you have to s s to this private subnets and install the application so perfect SSH is added uh sorry where is it yeah so SSH is already there so I don't have any problem now there is one specific thing here called network settings edit and make sure this basan host is created in the same VPC okay so if that is not in the same VPC then it will not be able to access inside the VPC so I changed that configuration and added it to the VPC perfect Auto assign public IP address yes enable without public IP address it will not be of no use now just go and launch this instance okay I will launch the instance and once the instance is launched what I'll do I'll SSH to this particular instance from there I'll SSH to the private host okay so what I'm doing for my personal laptop I'll SSH to basan from basan I'll SSH to the private subnet but to SSH to the private subnet again you want the key value pair which is present on my laptop so what I'll do firstly I'll show you okay so I'll copy my key value pair to the Bashan host as well why because if the Bashan host does not have the key value pair let's say Bashan host is here it does not have the key value pair how can it log to the private host key value pair is in my personal instance so I will use a shell command called SCP don't worry I'll show you all of these things practically so let me refresh the instances now you will see three instances this is Bash and host and these are instances in the private subnet perfect so let me get my terminal this is my terminal and uh what I'll do is I know my SSH key is here uh I've used an SSH key called uh AWS so just search for GP AWS log I think I've used this pem file so firstly I want to copy the PM file definitely I log into this 
Bashan host but along with log to this Bashan host I also need to log to these instances for that this Bashan host should have the SSH access for these instances right it should have the pem file so firstly let's copy the pem file so open this instance get the public IP address of this instance okay now I'll use this command I'll also try to paste this command in the description so that you can use this is called as a SCP command secure copy so what I am securely copying I am copying this specific thing called AWS login pem which is the pem file for my private subnet instances as well from my personal laptop to where am I copying it I am copying uh sorry yeah I'm copying it to the UB to E2 instance okay so here I'm using the identity file and then I want to copy this file to the instance okay which instance is this this should be my Bastian post instance so let me change the IP address of it it is very clear right what does SCP do SCP securely copies file from one host machine to the different host machine now from where I'm trying to copy I'm trying to copy from my personal laptop to AWS ec2 instance that is the Bashan host so let remove this IP address and copy the IP address of the basan host so you will see what will happen let me just copy say yes and you'll notice that the pem file is copied to the basan host perfect it is copied now let's go to the bastan host and see if it is copied or not how do I log to the bastan host just copy this IP address again say SSH minus I your key value pair pem file location UB to at theate this IP address just do LS you will notice that the AWS PM file is available here if the pem file is not available here you will not be able to perform the next command which is very very important that is I will not be able to log into any of these instances I need to log into one of these instance because I want to install the python application in one of the instance first okay so take the private IP address SSH minus I AWS pem file 
Ubuntu at theate private IP address see I am able to log in to this specific instance with the private IP address 10 014109 1014 0109 perfect so that means now I'm able to log to the private instance as well I mean what is a private instance easy to instance in the private subnet awesome now all that I'll do is install the python application here so very simple python application uh let me do one thing let me create a HTML page as well index.html so let's pick up a very simple HTML P W3 School tools HTML basic I'll pick up a very random example let's take this one copy this entire thing and put this in my file so that I just want to host this file let me say that my first AWS project to demonstrate apps in private subnet okay let me remove this and now save this file and just run the python server using Python 3 minus M HTTP do server on Port 8,000 okay let me run it on Port 8,000 so my application is running in one of the instance that is 10 014109 so what I've done till now is I've used the autoscaling group perfect let's go back to the diagram I've used the autoscaling group created the ec2 instance created a Bastion host logged into only one of the instance so see why I've logged into only one of the instance because while using load balancer I want to demonstrate that traffic is going to one particular instance it is hitting and giving you back the response whereas when it goes to the other uh particular particular application in a different subnet it is giving you a error response because this page is not available or the application is not available okay so for that purpose I've installed python application in one E2 instance and I did not install in other E2 instance so this is a effective way of explaining you the load balancing concept okay we will see 50% of the traffic should go to one instance you should get the response and 50% of the times it should go to other and it should not get the traffic perfect now what I'll try to do is create the load 
balancer and attach these instances as Target groups that will be our final stage so again let's go here search for load balancer or go to E2 that's a easy way and in the easy to you have load balancers so there are three different load balancers now you don't have to worry about it what is application load balancer what is Network load balancer classic load balancer Gateway load balancer we will come to that when we discuss about load balancer Topic in detail that will come after day 20 or something so don't worry about it right now let's go with the default uh that is the application load balancer not default I mean let's go with this one click on the create button and what is an application load balancer on a high level it does the HTTP and https which is L7 load balancer layer 7 load balancer so provide the load balancer name let's call it as AWS prod uh example the load balancer should always be internet facing it should be in the public subnet right so we have discussed this multiple times load balancer should be in the public subnet and should have access directly from the internet gateway ipv4 makes sense what is the VPC that you want to provide so you know what should be done provide the VPC that you have just created in which of the availability zones just pick up both the availability zones no problem and it should be with the public subnet right so change to the public subnet even if you put that in a private subnet AWS will give you an error so put both the subnets both the availability zones and put the public uh subnet range now the security group uh you can select any Security Group does not matter like you know or you can create a new security group as well what you are trying to do in a security group is for the load balancer are you allowing all the traffic or not or in the VPC where the load balancer is there are you providing access where in the security group you can Define okay open port 80 open port 8080 whatever it is so whatever I attached 
here is the default VPC you can remove this one uh the VPC for AWS prod example and launch wizard so if it does not work what we can do is we can create another Security Group and we can attach that another Security Group here so that what will happen is load balancer which is listening on Port 880 should be accessed from the internet what is this Security Group doing it is allowing SSH traffic and Port 8,000 traffic what is this doing uh I'm not sure I need to look into this Security Group so let me remove this as well for now just add this one and if it does not work I'll go to the security group and add Port 80 as well listeners and routing okay so you need to create a Target group where you will Define which instance should be accessible so create a Target group first just like launch template firstly we'll create a Target group and uh what is the target group ec2 instances so which E2 instances do you want to access Target group name just provide AWS prodad example perfect and uh what you're trying to do is you are trying to use the HTTP protocol only to the instances this is the VPC perfect heal check HTTP perfect move to the next tab select the instances this is one instance and this is the other instance one instance has the application other instance does not have the application but it is perfect for the demo later you can also add the instance uh add the application to that instance and see that the traffic is Flowing you can try different things in one you can say hi this is abishek in one you can say hi this is vamala and see how the load balancing is happening targets perfect include as spending now create Target group okay so if you have noticed here what I'm trying to do is I have misconfigured I said that the target group on Port 80 so I need to just go back there is no problem go back to your application and just change the port 80 right so the application that is running I can just simply go here and run the application on Port 80 the reason is 
that I have misconfigured or just keep it like this and create the target group just modify the target group this is the one right so what you will do is go back to the Target group and here where you have option for Targets this is the port I'm saying on Port 80 but actually the port is 8080 so let me delete the target group no problem and recreate create Target group instances let me do it very fast Target group name AWS Brad example just say put 8,000 where I'm trying to access http1 VPC fraud VPC health check is fine these are the instances which I'm trying to access on Port 8,000 perfect click on create Target group oh sorry just include as spending below and click on the create Target group now the target group is getting created so just wait uh for one minute here as well and what is this target group doing basically it has two E2 instances which it is uh verifying on Port 8,000 now I'll just go back and add this target group to the load balance answer you might not find it at this point of time just wait for a minute or do the configuration one more time okay go to the load balancers create load balancer go to application load balancer create AWS prod example internet facing yes click on the VPC prad example both the subnets and both the subnets using the public thing right and then the security groups like I told you firstly let let me put one Security Group if it does not work I know what to do uh because I'm accessing the load balancer on Port 80 I can simply open the port 80 in the security group because I'm accessing the load balancer on Port 80 Brad example perfect or I can access the load balancer on Port 8,000 because I know this particular Security Group is exposing Port 8,000 but okay for the purpose of video uh just to show you how this thing exactly work I'll just use the port 80 which is default addon Services load balancer tags you have used the uh Target group as well everything is looking fine create the load balancer load balancer is 
created view the load balancer it will take again a minute so wait for a minute here for the load balancer to provision and once the load balancer is provisioned let's try to access it from the outside world the expectation is when you access the load balancer from outside world you should see that load balancer gives you a response of the application so let's wait for a minute here so now the load balancer is in active state right so all the configuration is created at this point of time and what I've done intentionally I did not create application in one of the uh servers right but all the other configuration is completely created I have load balancer internet gateway public private all the things are available now let me go back to the load balancer and try to access the load balancer you will see that the load balancer is not accessible because the subnet that you have attached to the load balancer does not expose Port 80 I've already told you so let's see that in practice so even if you go to the load balancer you'll notice an error so just scroll down down you will see that okay it says that the port 80 is not reachable why just click on this you it will say security groups for your load balancer don't allow traffic on the listener Port so what you need to do is either go to the security group so this is a security group right click on this Security Group open it and allow the HTTP traffic on it how do you do that just go to the inborn traffic rules edit inborn traffic rule add a new rule called HTTP open port 80 perfect anywhere from the Internet is fine save rules after a while once this configuration is reflected you should see this error will disappear what is this error The Listener where you'll see this should disappear okay so it might take a minute perfect now it is reflected now let us access this particular IP address from the internet and see if I'm able to access the my first AWS project to demonstrate app in private subnet congratulations you 
have implemented your first AWS project and you have demonstrated a very complicated project the project that is used by most of the engineers as devops I mean most of the devops engineers in their organizations we have implemented this entire concept again like I told you I have intentionally not deployed in one of the instances so sometimes you'll get an error okay so if you see here carefully what is happening is the page is not getting reflected let me do it in two different types okay so Okay the reason why it is going is uh there is a target group here uh which is actively monitoring the healthy Parts uh so for example this is a target group right so what is happening here this target Group which I've have created has a heal check okay and it is only forwarding the traffic to the healthiest ec2 instance so one is healthy and one is unhealthy so what is happening is the load is always going to the healthiest ec2 instance okay so in future videos I'll show you don't worry where I will configure this heal check in a way where it should send irrespective of the heal check like you know you can disable this heal check and send that uh send traffic to the both is instances but for now perfect you don't have to bother about it the project is demonstrated and what you can do to see the load balancing concept is go to the other E2 instance right so we have created two E2 instances right in one of the E2 instance I created python application saying this is my first AWS project go to the other E2 instance in the same way that I've explained and call this as this is my second AWS project okay deploy the application deploy the HTML page with my second AWS project and now when you hit the load balancer once you should see my first AWS project and second time when you hit you should see my second AWS project okay because that time both your E2 instances will be in a healthy State and Target groups will forward one request to one E2 instance other request to other E2 
instance so this is your assignment try to do it and let me know in the comment section if you were able to perform the assignment or not thank you so much we'll meet in one more interesting episode of AWS in episode 8 thank you so much see you take care bye
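As an added example (not code from the video or its author), the Python below models the points where this demo broke or was left loose: the load balancer security group without the listener port, the target group first registered on port 80 instead of 8000, SSH and the application port opened to 0.0.0.0/0 on the private instances instead of only to the bastion's and load balancer's security groups, and the health check that sends every request to the single healthy target. The security group, route table and target health records are constructed samples in the shape of the EC2/ELBv2 describe-* output, and every resource id is a placeholder.

```python
"""Offline checks for the demo's two-tier layout: internet-facing ALB in the public
subnets, autoscaled instances in the private subnets, SSH only through a bastion.
Added example, not code from the video; every record is a constructed sample in the
shape of EC2/ELBv2 describe-* output, and the resource ids are placeholders."""
import ipaddress
from collections import Counter

ANY = "0.0.0.0/0"

def sg_allows(sg, port, source=ANY):
    """Does an inbound rule of `sg` admit TCP `port` from `source` (a CIDR or an sg- id)?"""
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]  # "-1" is the console's "All traffic" and has no port range
        if proto not in ("tcp", "-1") or (
                proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if source.startswith("sg-"):
            if any(p["GroupId"] == source for p in perm.get("UserIdGroupPairs", [])):
                return True
        elif any(ipaddress.ip_network(source).subnet_of(ipaddress.ip_network(r["CidrIp"]))
                 for r in perm.get("IpRanges", [])):
            return True
    return False

def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    for rt in route_tables:
        if subnet_id in [a["SubnetId"] for a in rt["Associations"]]:
            return any(r.get("DestinationCidrBlock") == ANY
                       and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])
    return False  # unassociated subnets fall back to the main table, not modelled here

def audit(cfg):
    """Return the misconfigurations a reviewer would flag before opening the ALB's DNS name."""
    out, lp, ap, tg = [], cfg["listener_port"], cfg["app_port"], cfg["target_group"]
    if not sg_allows(cfg["alb_sg"], lp):
        out.append(f"ALB security group does not allow listener port {lp} from the internet")
    if tg["Port"] != ap:
        out.append(f"target group port {tg['Port']} does not match application port {ap}")
    for s in cfg["alb_subnets"]:
        if not subnet_is_public(s, cfg["route_tables"]):
            out.append(f"ALB subnet {s} has no route to an internet gateway")
    for s in cfg["asg_subnets"]:
        if subnet_is_public(s, cfg["route_tables"]):
            out.append(f"application subnet {s} is public; instances belong behind the NAT gateway")
    if sg_allows(cfg["app_sg"], 22):
        out.append("application SG opens SSH to 0.0.0.0/0; allow port 22 from the bastion's SG only")
    if not (sg_allows(cfg["app_sg"], ap, cfg["alb_sg"]["GroupId"]) or sg_allows(cfg["app_sg"], ap)):
        out.append(f"application SG does not let the ALB reach port {ap}")
    return out

def route_requests(target_health, n):
    """Model the ALB: round-robin only over targets whose health check passes."""
    healthy = [t["Target"]["Id"] for t in target_health if t["TargetHealth"]["State"] == "healthy"]
    return Counter(healthy[i % len(healthy)] for i in range(n)) if healthy else Counter()

def tcp_rule(port, *sources):
    """One inbound rule on a single TCP port; sources are CIDRs or sg- ids (constructed helper)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": s} for s in sources if not s.startswith("sg-")],
            "UserIdGroupPairs": [{"GroupId": s} for s in sources if s.startswith("sg-")]}

def route_table(subnets, default_hop):  # constructed: VPC-local route plus a default route
    return {"Associations": [{"SubnetId": s} for s in subnets],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                       dict({"DestinationCidrBlock": ANY}, **default_hop)]}

ROUTE_TABLES = [route_table(["subnet-public-1a", "subnet-public-1b"], {"GatewayId": "igw-PLACEHOLDER"}),
                route_table(["subnet-private-1a"], {"NatGatewayId": "nat-PLACEHOLDER-1a"}),
                route_table(["subnet-private-1b"], {"NatGatewayId": "nat-PLACEHOLDER-1b"})]
# As built in the video: 22 and 8000 open to anywhere on the instances, the ALB reusing the
# launch-wizard SG (no port 80 rule), and the first target group created on port 80.
AS_BUILT = {
    "listener_port": 80, "app_port": 8000, "route_tables": ROUTE_TABLES,
    "alb_sg": {"GroupId": "sg-alb", "IpPermissions": [tcp_rule(22, ANY), tcp_rule(8000, ANY)]},
    "app_sg": {"GroupId": "sg-app", "IpPermissions": [tcp_rule(22, ANY), tcp_rule(8000, ANY)]},
    "target_group": {"Port": 80, "Protocol": "HTTP"},
    "alb_subnets": ["subnet-public-1a", "subnet-public-1b"], "asg_subnets": ["subnet-private-1a", "subnet-private-1b"],
}
# Hardened: port 80 on the ALB SG; instances take 8000 from the ALB SG and 22 from the
# bastion SG only; target group on the real application port.
HARDENED = dict(AS_BUILT, target_group={"Port": 8000, "Protocol": "HTTP"},
                alb_sg={"GroupId": "sg-alb", "IpPermissions": [tcp_rule(80, ANY)]},
                app_sg={"GroupId": "sg-app",
                        "IpPermissions": [tcp_rule(22, "sg-bastion"), tcp_rule(8000, "sg-alb")]})
# Health as in the demo: the app was started on one instance only, so the other fails its check.
TARGET_HEALTH = [{"Target": {"Id": "i-first", "Port": 8000}, "TargetHealth": {"State": "healthy"}},
                 {"Target": {"Id": "i-second", "Port": 8000}, "TargetHealth": {"State": "unhealthy"}}]
if __name__ == "__main__":
    print(*audit(AS_BUILT), "hardened:", audit(HARDENED), dict(route_requests(TARGET_HEALTH, 10)), sep="\n")
```

Running it lists three findings for the as-built layout and none for the hardened one, and shows all ten modelled requests landing on the single healthy target, which is why the browser kept returning the first instance's page.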