So last week we started exploring AWS networking concepts, right? We started by talking about what we call native networking, giving you guys a background of what networking is, what Internet Protocol is, the different kinds of Internet Protocol that are out there, the one that is highly used, and all of that. That background knowledge is very important as you are going to be navigating your new career at a subject matter level. So we left from there and then we went into AWS networking-specific concepts, where we started with looking at VPC, what VPCs are, and we looked at the internet gateway. We talked about the VPC CIDR that comes with the VPC, we talked about the main route table that comes with the VPC, we talked about subnets. Specifically we said there are two types of subnets: we have the public subnet and, let me bring in... I don't know if I'm sharing my screen. Let me share my screen, one second. Let me know when you guys can see my screen. Can you guys see my screen?

Yes.

Okay. So if you go to draw.io, we interacted with draw.io a little bit at the beginning of the class, but if you go to draw.io, you click on Create New Diagram, then you click on Create, then you should be able to bring in all of those different architectures that you want. So let me just bring in some more shapes. You can add the general shapes, the basic shapes, arrows, because you're going to use those for architecture, and then you go now to AWS. AWS has the more recent 2024 icons, so you can select those and add them if you want to use them, because when you guys start doing design for clients and customers it's always good to use the most recent icons, or otherwise you can use the 18 icons as well. When you add those shapes they're going to show up on the left side of your screen.

So we started looking at networking, right, where we talked about public and private subnets. If you want to look at that from a design standpoint, you can just search for "subnet" here. So we say we have a public subnet; this is what a public subnet looks like, you can just pull it and put it there. You have a private subnet; this is what a private subnet looks like. And then when we're dealing with high availability you always want to have two of each, so that if one subnet goes down you have the other one. So we're looking at two subnets, two public and two private subnets; that gives us high availability, and all of that is inside an Availability Zone. So you can search for the Availability Zone icon. Once you know the icons, the good thing with AWS is they've labeled their icons so well that you can just search for them rather than scrolling through. Then you put in the Availability Zone icons to show exactly that each subnet is resilient within an Availability Zone, and that's why we have two, so that if one Availability Zone goes down we know that we have the other one.

All right, then all of this is inside a VPC, so we search for VPC, you bring in a VPC, you can choose to make the VPC a little different. And then that VPC is region resilient; it's resilient at the level of the region, so you can search for a region and then you put in the region. It doesn't matter how you start, if you start from the subnet or you start from the VPC, it doesn't matter as long as you know where to place what; then you should be good. Like I said, it's all about knowing exactly where you're placing your icons. Then now you can just put in AWS Cloud to show that all of this is part of the AWS Cloud platform. So something like this. This is not perfect, but this is basically what we talked about last week. And then of course we have the internet gateway; I think I have to spell it out in full, so "internet gateway". So again, the internet gateway has to be attached to the VPC, so you're putting it on top of your VPC; you don't want to take it and place it just anywhere. That's not perfect. And then with this, when you're designing, some of these icons come with their name but some of them don't, so whenever you put in an icon, before you present it to a customer, always make sure you give the icon a name. So you have to specifically say that this is an internet gateway, so that if somebody that's not familiar with AWS looks at it, the person will know exactly what that icon is, and all of that, right?

So this is not perfect, but this is basically what we looked at last week from an architectural standpoint. We looked at a two-tier architecture where you have the public-facing tier that contains public subnets, where your resources have the ability to communicate with the internet, and this is because the subnets are associated with a route table that has a route pointing to the internet through the internet gateway. Okay, so again, when you want to design this you can put in a route table icon in there to make it make sense. And then we have the private tier, which is the second tier at the bottom. The private tier is typically called either the data tier or the application tier; that's where your application actually resides, because you don't want your application to be publicly facing where everybody can just reach it from the public. You want them to be in the private tier, especially if you are using databases, so you can put them in the private tier as well. All right, so the private tier contains private subnets where the resources do not have direct communication with the public internet. As we go forward we're going to talk about the kind of resources that you put in the public tier and the kind of resources that you put in the private tier, so that you guys can know the distinction between both. But even with the private subnets, when you put resources in the private subnet, for example your databases, occasionally these resources will need internet access. They'll need to go to the internet to maybe get more updates, security updates or
application-specific updates. Okay, so think about your mobile phone, for example. From time to time you'll see that Apple is going to push a newer version of the software that you have on your mobile phone, or you need to update some applications on your mobile phone, and for you to be able to update these applications you need internet access. If you don't have internet access then the application would not be able to get the update. So it's the same concept with the private subnets, where from time to time the resources in this private subnet will need internet access to go and get those updates. The challenge is how you provide those updates. Okay, you would think that you have multiple options to provide that update. You can say, okay, when I want to update it I would make the private subnets public by adding a route on the route table that would give it access to the public. But that is definitely not best practice, because you are making architectural design changes: what if you make the private subnet public and then after a while you forget to make it private? So it's definitely not the best practice. And also when you make it public, during that time that you make it public, what if somebody from the internet accesses other resources in that subnet? So it's definitely not the best thing for you to do.

Give me one second, I'll be right back.

Sure.

But typically in work environments they have something that's called a high-level design document, an HLD, a high-level design document. This document, depending on how granular they want to go, could be like a 20-page document or a 30-page document. In this document you're going to have everything, such that if we hire a new solution architect today, let's say we hire Brandon and he comes into the organization, when Brandon takes the HLD and reads through the HLD he's going to have an understanding of what is in the actual AWS environment. Okay, so you're going to know the IP ranges that each account is using, you're going to know how many tiers the environment is, if it's a three-tier or four-tier, you're going to know which resources are in which subnets, and then you're going to know even the route tables. So within the HLD you have a route table; they say the public route table, these are the routes that we have, this is the IP address that's allowed within the route table. Security groups: you have the details of the specific rules that you have at the level of the security groups, which we're going to talk about. So within the HLD, this design that we just came up with is just high level. Typically you would have something more detailed than that, and added to that you have a whole write-up of what the design is all about. Okay.

All right, so we're talking about your resources in the private subnet that need to go to the internet and get updates from time to time, and we looked at the first option, which was making your private subnet public when you want to go get an update, and we said definitely that's not the best practice, because so many things can go wrong. You can make it public, even if you say I'm making it public just for one hour; when you make it public other things can go on. You're opening a door; other traffic can pass through that door, which may make your environment vulnerable or may compromise your environment. The second option is that you can choose to take those updates from the internet and host them in your public subnet. That's option B: you go and get all of the updates that you know that you need and you come and you host them in your public subnet, and then when the resources in your private subnet need those updates they will go to the public subnet, get it from the public subnet and update themselves. You can definitely do that, and that's possible, but the only challenge there is the administrative overhead that you're adding into your architecture by going with that option. Okay.

So option one, we said, is temporarily making the private subnet public when you want to do an update, and we said that that's not a good practice, because the person that made it public may forget to make it private once the update is done. The second option was saying that you can choose to host the update software in the public subnet so that the resources in the private subnet can pull the updates when needed. This is definitely possible, but it's still not a good idea because of admin overhead. Admin overhead means that you're going to hire someone who will be responsible for making sure that every time there is a new update, there's a new security update from the internet, they pull it from the internet and make sure that they put it in the public subnet. That's where we talk about administrative overhead: you're increasing your overhead cost. Option three is by using what we call a NAT gateway. Using a NAT gateway, which is an AWS service, is a highly effective solution that would allow your private subnet resources to access the internet when they need it. And let's discuss what a NAT gateway is. So NAT stands for Network Address Translation. Network Address Translation, NAT gateway. So a NAT gateway provides what we call outgoing-only internet access to your resources in the private subnet. It provides outgoing-only internet access to your resources in the private subnet, and it does this without exposing your resources to incoming traffic. That's why we're saying outgoing traffic: it means that your resources that are in the private subnet have the ability to go to the internet and get updates from the internet and come back, but if you are on the internet you don't have the ability to reach those resources that are in the private subnet. So you can only go to the internet, but the internet cannot come to them. So I can go to the internet and get what I want, but if you're on the internet and try to ping me you will never reach me, because I'm in a private subnet. That's what the NAT gateway does. Okay.

And how does it do that? The way a NAT gateway works is, let me bring back our architecture. Okay, the way a NAT gateway works is, the first thing is you create the NAT gateway and you place it in your public subnet. You place it in your public subnet, and the way that it works is, let's say this is a server in a private subnet. When this server wants to go to the internet and get updates from the internet, it would pass through the NAT gateway, and the NAT gateway will do what we call translate its IP address, because the server that's in the private subnet only has a private IP; it doesn't have a public IP. Resources in the private subnet only have private IPs; they don't have public IPs, and for these resources that are in the private subnet to access the wider internet they need a public IP. Okay, from our class last week we said that resources communicate with each other based on their Internet Protocol, which is their IP address. So if they don't have an IP address, a public IP, an IP address that's routable within the internet, then they will not be able to communicate with anything in the internet. So for these resources to communicate they need a public IP to make that communication happen, and they don't have that public IP. So when you incorporate a NAT gateway in your design, when your resources in a private subnet need to go to the internet to get updates, they would pass through that NAT, and that NAT would do what we call translation. Network address translation is going to translate their private IP and give them a temporary public IP. Okay, so the NAT
gateway modifies, or let's use the word translate, because NAT stands for Network Address Translation. The NAT gateway translates the private IP and provides a temporary public IP for the resources to use, so that when they go to the internet they can communicate with the wider internet. So when you want to go to the internet you pass through me, the NAT; I'll give you a routable, an internet-routable IP; you go to the internet, you get what you want, and then when you're coming back you give back my IP and they give you back your private IP and you go back to your private subnet. So that's what the NAT gateway does: it modifies IPs by changing them to public, or giving a temporary public IP, so that the resources can reach the internet, get the security updates or application-specific updates, and come back to the private subnet. That's why we say one-way communication: it can reach the internet, but the internet cannot reach them, because there's no way that you can be on the internet and reach these resources in the private subnet. It's not going to happen. But you can definitely reach the resources in the public subnet. Okay, any questions?

Yeah, let me ask a silly one. So because it's unidirectional, sorry, because it's one way, that concept, to somebody who doesn't quite understand it: if you go onto the internet from a server that is within the private subnet, how does the reply come back, if it's coming from the internet and it's supposed to be one way?

Okay, all right, that's a good question. So the first thing that I want you guys to know about network communication is that every network traffic moves in what we call packets, and a packet is made up of a request and a response. A request and a response. When you go to google.com and you click on the Google page, a page loads for you to get the information that you want, or when you go to amazon.com and you click on a black shoe, it loads to show you the black shoe that you want. That click is what we call a request, and the page loading is what we call a response, and that's how traffic is: whenever you send a request, that request has to have a response to show that the communication has been received and responded to. Okay, so in the case of the NAT gateway, in the case of the private subnet, these are your servers in the private subnet, this is the internet. When your servers initiate a request to the internet, that request has to have a response from the internet, and this is what we call one-way communication, because the initiation of the request will always come from the servers. But we're saying that with private subnets the internet cannot initiate a request for your servers to send a response. This is the part of the traffic that doesn't work with the servers that are in the private subnet. This is what works: when the initiation is coming from the servers and the response is coming from the internet. But on the other hand, the internet can never send a request to that server directly. I don't know if that makes sense.

Thank you. No, that's it.

Okay, any other question?

Is this a free service, the NAT gateway, or is it paid for?

So it has some cost implications, and that cost implication is because the NAT gateway uses a specific IP address that's called an Elastic IP, and we're going to talk about an Elastic IP down the road. Okay, so it leverages that, so it has some cost implication. When we implement it tonight you definitely want to do a cleanup after that so that AWS doesn't charge you. Any other questions so far?

All right, let's talk about the configuration of a NAT gateway. If you guys could see from our design, you could already see that the NAT gateway resides in which subnet?

Public.

In a public subnet. That's the first thing that you need to always know, and when you're designing it you definitely want to make sure that you put your NAT gateway in the right subnet. I'll tell you that I've seen candidates that have put their NAT gateways in a private subnet, and a candidate actually took the NAT gateway and placed it somewhere in the center here. When you have Availability Zone one and two but you come and you place your NAT gateway in the center, it means you definitely don't know what you're doing. So you want to make sure that you understand exactly where these resources go inside your architecture. So the first thing, in terms of the configuration, is that the NAT gateway resides in a public subnet. Then the second thing is the NAT gateway is resilient... I'll let you guys talk about its resilience. What do you see in terms of the resilience of the NAT gateway? Is it regionally resilient or AZ resilient?

AZ. Why? Because it resides in the public subnet, which is in the AZ environment.

Exactly, perfect. So it is resilient within an Availability Zone. That's why you see here we have two NAT gateways. If it was resilient at the regional level... look at the internet gateway: the internet gateway is a regional service, that's why we have just one attached to the VPC, just one. But the NAT gateway is resilient within an Availability Zone, and that's why we have one here and we have another one here, so that if one Availability Zone goes down we know that we have the other Availability Zone and we have a NAT gateway there that would give the resources in the private subnet the ability to still communicate with the internet when they want to. Okay, so the second point is the NAT gateway is resilient within an Availability Zone. Then the third thing is the NAT gateway is a managed service. This means that AWS handles the maintenance of the NAT gateway. All you need to do is create it, and then AWS takes it from there. You don't need to bother whether you need to push upgrades to the NAT gateway, you don't need to bother whether you need to maintain it; AWS handles the maintenance. There are services in AWS that are not managed services, where you have to handle the maintenance of those services, but the NAT gateway is not one of them. Then the fourth thing is the NAT gateway uses what we call a static public IPv4 address. Okay, the NAT gateway uses a static IPv4 address. It doesn't use an IPv6; it uses an IPv4 address, and it's static because, remember, we started with public IPv4. So remember we said that with the public IP addresses on AWS, they change from time to time, because when you spin up your resource and when you stop your resource AWS will take that IP and give it to somebody who needs it, and then when you want to use it AWS will make one available for you. So there's no way for you to have a specific IP that you can say, okay, all through the life of my application I'm going to have just one IP. There's really no way for AWS to give you that when you're using the regular public IP address. But AWS has what we call a static IP address that you can take and keep and own for as long as you want, and that's the IP address we call an Elastic IP. Elastic IP. I know that the word elastic makes it sound like the IP address is changing, but no, Elastic IPs are static IPv4 addresses that are designed for you to use. You can use it on your NAT gateway, and when you no longer need the NAT gateway you can take it and attach it to another resource, if you want to use one IP address consistently over a period of time. And that's what the NAT gateway uses: it uses the static Elastic IP, so that whenever your resources want to communicate with the public, it will pass through the NAT, the NAT is going to translate their private IP, give them a public IP to use, and then once they come back they'll return the public IP. The most important thing is for you guys to understand where it is placed, why it is used, and what happens in the background when you're utilizing a NAT gateway. Okay, because we
also have what we call a NAT instance. There are some organizations that will not use a NAT gateway but would go and use what we call a NAT instance. I've seen one or two organizations gear toward using a NAT instance. A NAT instance basically does the same thing that the NAT gateway does, but the only difference is that it's not a managed service, which means that you configure it yourself; you perform all of the updates and servicing and maintenance of it by yourself. You have the ability to customize it; that's the main reason why some organizations would lean toward a NAT instance rather than a NAT gateway, because with a NAT gateway you don't have the ability to customize it, but with a NAT instance you have the ability to customize it, so it gives you that flexibility. Okay, but a NAT instance does the same thing that a NAT gateway does, except that you handle the configuration and the maintenance of the service. So on the plus side, organizations will use it because of the flexibility that it offers, but you manage everything: you manage its security, you manage its maintenance, you manage the configuration and all of those things.

Now, when you create a NAT gateway and put it in a public subnet, one thing that you need to do, if we go back to our design: when you create a NAT gateway and you place it in the public subnet, the resources that are in the private subnet will not automatically know that there is a NAT gateway in the public subnet and that all their requests to the internet need to go through the NAT gateway. It doesn't happen automatically; you need to configure it. Okay, and you configure it by updating the route table. So you go to the route table and you create a rule that routes traffic to the internet through the NAT gateway. So it means that on the route table our destination will be the internet and then our target will be the NAT gateway. Meanwhile, the route table in the public subnet will have a rule that routes traffic to the internet through what?

The NAT gateway? The one in the public subnet, to the public gateway? I thought you said from the VP... sorry, from the VPC to the NAT gateway, then to the internet gateway, right?

No, I'm talking about the resources that are in the public subnet. Say for example this resource in the public subnet: which route is going to be on the route table? The route table is going to have a route with a destination of the internet, and then the target is going to be the internet gateway. Meanwhile, the private subnet will still have that same destination, 0.0.0.0/0, but in this case the target is going to be the NAT gateway. The most important thing, if there's one thing that I want you guys to take away from here, is to understand the difference between the internet gateway and the NAT gateway. Please do not get that mixed up. I've seen a lot of students in interviews getting this mixed up, and as we go down the road you'll hear about other gateways and then you start getting confused that we have so many gateways and it's confusing. So create a cheat sheet if you can and start defining these different things so that you understand exactly their use case, because if you're telling an employer that I've been doing this for the past four years then you cannot get things like this mixed up, unless you just heard it for the first time. Okay, so understand the use case of a NAT gateway and understand the use case of an internet gateway, and understand exactly what you have to put on the route table for the private subnet and what you need to put on the route table for the public subnet. Any questions?

I have one.

I see a hand up. You have a question?

Yeah, I had a question...

We're losing you, P, for some reason. We're losing you. Oh, okay, now we can hear you. Can you try?

Okay, so yeah, when you talk about option one, two and three, I didn't quite get what those points were for, but I put the point... yeah, I think it's right here. Where would they...?

I think so, yes. So this is option one. So basically, the problem statement was that we have these resources in a private subnet, and these resources from time to time need to get updated, just like your mobile phone: you have applications, you download WhatsApp, you download Facebook, and from time to time those applications need updates, because the Facebook company would push new features on the application and then you need to pull those features, which means that you need to enable all of the updates, and for you to do that update you need internet access, right? So it's the same thing with these resources that are in the private subnet; from time to time they would need to get those updates, and then we're looking at the different scenarios: how would you want those resources to get updated? So option one was you go and you add a route on the route table for the private subnet and make them public, because we already know what it takes to make a subnet public, right? Right, P, are you there?

Yeah.

What does it take to make a subnet public? What are the steps to making a subnet public?

Oh, I don't remember. You have to associate it with a route table that has the route pointing to the internet through the internet gateway.

Excellent. For you to make a subnet public you have to associate that subnet, I think I said it a couple of times last week, you have to associate that subnet with a route table that has a route pointing to the internet through the internet gateway. So that's what option one is, but option one is definitely not a good practice, because what if you create that route today and you forget to remove the route after the update? And what if you have to be doing updates every two weeks? It means you have to be making these configuration changes, these design changes, that may not represent the real state of your architecture, of what you have on your high-level design document. So it's definitely not a good practice. Also, when you make these subnets temporarily public, other things can transpire while it is public that you may not have visibility into, so it's definitely not a good practice. And then we talked about option two, which is bringing that software and putting it in the public subnet, but still it's not a good option. It's possible, but it's not a good option, because it just brings in more work for you: bringing in that software brings in more work, because you have to bring the software, you have to make sure that the software is updated, you have to engineer a way in which the resources in the private subnet will go to the internet and grab updates from the internet. So even though it's possible, it's a whole lot of work and re-engineering that you need to do. That's why we say it's not the best option; it's an option, but it's not the best option. Option three is using the NAT gateway. Okay, and so with the NAT gateway you have the ability to have AWS manage everything for you once you create a NAT gateway. Does that help, P?

Perfect, thank you.

So those were use cases, those were options that you had to solve the problem of getting your resources in the private subnet to get to the internet. Okay, we had three options and then we looked at what the best option was, which was using a NAT gateway. Does that make sense? Okay. FL, go ahead.

Does that mean the only time you're going to need a NAT is going to be only for updates?

Say that again?

I want to know, like, when do you need to use it, only for updates?

That's a scenario. It will be for updates, and also it will be when... so you can also use the NAT gateway when you have... where is the architecture? Let me bring that architecture. So you can also use the NAT gateway when you have resources in the
private subnet that want to communicate with resources in the AWS space, such as your S3 bucket or other resources. We have other resources here that are not inside your VPC, okay, so they can also go through the NAT.

Again, is that one-way communication?

It's a one-way communication. The one thing you should know is that these resources cannot directly reach those resources in the private subnet. Does that make sense? All right, okay. Anita, on the NAT gateway?

One of the features, I think you said something like using the static IPv4 address. So I was thinking, because two classes or so ago you said IPv6 is better than IPv4, so I don't know why this is still recommended.

All right, that's a great question. So Anita is asking why is it that the NAT gateway uses a static IPv4 address as opposed to an IPv6 address, which we know is readily available and we have a lot of those; the internet is running out of IPv4, so why do we have an IPv4 address as opposed to an IPv6? So there is another service on AWS that handles IPv6. Okay, we call it the egress-only internet gateway. Egress-only internet gateway. Remember I told you guys that you'll hear about a lot of gateways, right? We still have multiple gateways to go, so try to add those to what we were saying so that you don't lose track. Egress-only internet gateway. So the egress-only internet gateway is similar to a NAT gateway, but it is designed specifically for IPv6 traffic. So the egress-only internet gateway functions the same as a NAT gateway, but it is designed specifically for IPv6 traffic. Okay, it provides the same outbound-only internet access to your resources in the private subnet. It's also configured in the public subnet, but it is meant for IPv6 traffic. Okay, and that's why, you realize, when I talked about the NAT gateway I said the static IPv4 address is specifically IPv4, while the egress-only internet gateway is specifically for IPv6. All right, Victor.

Oh, okay, I almost forgot what I was going to ask, but here I have two questions actually. So we have the NAT gateway, we have the internet gateway; each of these things has a public IP, because we want to find a way to get to the public, to the internet. So the internet gateway, I'm trying to remember, because it's managed, right, did it also have an Elastic IP?

No, it doesn't. It's at the level of the region, so it uses the IPs that you have at the VPC level. Okay, all of the things that happen at the level of the internet gateway are abstracted for you; you don't need to do anything, you just need to create it. But if you go deeper into AWS documentation, and let's say you want to become a networking expert and you want to understand exactly what's happening behind the scenes of the internet gateway, you'll see that the internet gateway is leveraging some IP addresses. Okay, but all of that is abstracted from us from a conceptual standpoint, so we don't need to worry about that. So it's not like when you're creating it you need to allocate any IP address to it, no. It's just the NAT gateway that, when you're creating it, you need to allocate an IP address.

Okay, so you just said allocate an IP address, but I thought it was a managed service, which means that AWS actually assigns the Elastic IP, not us.

No, we create the Elastic IP. So you create an Elastic IP, or when you're creating the NAT gateway it's going to ask you to create that Elastic IP within the NAT gateway console, then you just click on Create and it allocates that Elastic IP to the NAT gateway. That's a one-time thing, and then from there AWS takes it from there.

I see, I see, okay. But we have to... okay, okay.

Yes, you need to configure that.

All right, thanks.

You're welcome. Miriam?

Yeah, so I just saw that the NAT gateway can also reside in a private subnet; however, by default it needs to be in a public subnet. So under what conditions would it be in a private subnet?

So there are specific resources or cases where you may want to put a NAT gateway in a private subnet for different reasons, but in most cases organizations will always... it depends on what you're leveraging it for. Okay, but in most cases organizations are leveraging it to update those instances that you have in a private subnet, for them to get traffic from the public, then you need to place it in the public subnet. Okay, but it's definitely based on the use case, but most organizations will always lean toward placing it in the public subnet, because it's meant to help you translate that IP address for your resources that are in the private subnet. Okay?

Okay, thank you.

You're welcome. Ma?

Oh, hi, Prof. You know the five IP addresses that AWS takes from us when we create a subnet, does it have anything to do with the gateways?

No, because the internet gateway is at the level of the VPC, right. Those five IP addresses, if you look at AWS documentation, you'll see it tells you what they're used for, but it's mostly around DNS, because when you create a resource, let's say you create a server, that server has a DNS name that you can use. Same thing, there are also servers within a subnet that leverage DNS. So I need to check exactly what those five IP addresses are used for; it's detailed in AWS documentation, but it's not tied to the internet gateway. Some of them are tied to DNS, and they always say AWS-specific use cases, but yeah, you can check the documentation and then you look at what it's titled.

Okay, thank you.

And someone reached out to me the other day to find out exactly, notes on how you can easily study. So on the first day of our class I mentioned to you guys that A J te has some notes, but if you want to get the most updated notes, go to docs.aws.amazon.com. When you go there, you'll see this is the AWS documentation. If you want to get the most recent notes, I always recommend that you go here, and then you search by service. You can see we have Amazon VPC; you go to the User Guide, don't go to the Developer Guide or other things, go mostly to the User Guide. When you open the User Guide then you start reading all of the different things that you have in there. Now you can export this to a PDF; if you export only VPC to a PDF we're looking at hundreds of pages of notes for you to read. When we're in this class we cover VPC for three classes, or we cover networking for three classes; obviously we're not going to touch everything that you have in this documentation, because the truth is that organizations don't use everything, but what we do is we look at what the majority of the companies out there use. That's why I'll say that before you go and start reading the AWS documentation, let us introduce the topic here in class; we talk about the topic, then you can go in there and read. For example, we've already covered subnets; now you can go there and then you look at subnets. When you click on subnets, AWS has documentation on subnets and all of the details there, then you can read about subnets. But I would not recommend that you go there and want to read the whole documentation, because that's definitely going to overwhelm you and you're going to focus your energy on some things that are not trending in the industry today, as opposed to us introducing it to you so you understand exactly those things that are trending. Okay, so take exactly the things that we've talked about and then focus on those when you want to study, and then you read specifically on those things. If you look at S3, S3 has way more services than what we covered in our classes, but most of those other services are rarely used by organizations, or they're used by specific organizations, but we introduce the key things that
we know that if you pick up a job today, across three companies you'll see them using or leveraging those features. OK? But yes, if you check the AWS documentation on what those five IPv4 addresses are used for in the subnet, you'll definitely see them, but don't think it's tied to an internet gateway.

Victor?

That was my hand, I haven't lowered it.

Oh, OK.

All right, but your screen is a little small in my... your shared page. I don't know whether it's me. Is everybody seeing those letters clearly?

Let me zoom in a little bit more. Um, I don't have the ability to make it a little bigger here.

That's fine, I think it's OK. I can actually see it clearly.

OK, Victor, yeah, probably take a look at your settings.

It must be my settings, yes. That's OK, yes.

All right, so from our last class we said that we're going to take a five-minute break at the top of the hour. Do we want to take five?

Yeah.

OK, let's take five.

And then, question, please.

All right, we'll take the questions once we come back. OK, go ahead.

OK, my question is, so when somebody wants to access the internet using the NAT Gateway, the NAT Gateway assigns an IP address for, let me say, is it an instance, or the person, to access something over the internet. So what happens with the IP address that the NAT Gateway has assigned for the person to use during that period? What happens with the IP address? Does it terminate the IP address after the user has used it, or what happens with the IP address, does it keep it?

Sorry, can you come again?

So my question is, if somebody wants to access the internet, when somebody wants to do something from the private subnet using the NAT Gateway, the NAT Gateway assigns an IP address for that user to access what he or she wants to access over the internet. So my question is, what happens with the IP address after it has been used? Does the NAT Gateway, let me say, terminate the IP address, or what happens with the IP address? Can the IP address still be used?

It gives it this temporary IP address for it to use. When the resource is coming back with the update, it translates it back and gives it its private IP address. And the NAT Gateway, if you want to look at it from the back, the NAT Gateway has a couple of IP addresses that it temporarily gives, and that's why, when you're creating it, you're using that Elastic IP. It temporarily leverages it, and when it comes back it returns the IP address to the NAT Gateway, waiting for the next resource that would want to reach the internet. OK? The job is just to translate your IP, cover your IP with a public routable IP so that it can reach the internet, then when it comes back it translates it back to the private IP. Everything that happens outside of that is abstracted from you; you don't really need to go and do configuration items at that level, because AWS manages it for you. OK? Does that make sense?

OK, sure.

Obi?

Yeah, just wanted to do a quick recap to understand what you just said about the NAT Gateway. So the recap that I have in my head is this: there are at least two gateways that we've talked about. There's an internet gateway and there's a NAT Gateway. The job of the internet gateway is to connect a public subnet to the internet, and that goes both ways, so you can ping the internet and the internet can ping the public network or subnet. And then the second gateway is the NAT Gateway. This ties or connects private networks to the internet, but just a one-directional connection, right? So the private networks can ping the internet, but the internet cannot ping the private networks. So is that like a good summary of the two gateways we've learned and what they do?

Yes, yes. The only thing that you want to add there is that the NAT Gateway is specifically for IPv4 addresses, and then the egress-only internet gateway is... it's kind of a NAT, it functions the same way as a NAT Gateway, specifically for IPv6 addresses. OK, so take note of that. If you go into an environment that's using IPv6, then you will not be leveraging NAT, you'll be leveraging the egress-only internet gateway. OK, does that make sense, Obi?

Yes, it does, thank you.

OK. Then another thing about NAT Gateways: remember I said your NAT Gateway is meant to have that communication, it leverages the internet to communicate with the internet. But then you also have cases where you want your resources to communicate with data center resources, resources that are in your on-premises environment. OK, so AWS has something that's called a private NAT that is meant to route traffic to a Virtual Private Gateway. We're going to talk about all of that when we get into Direct Connect in our session tomorrow. We're going to talk about network communication when you have multiple networks that you want to communicate with each other; you can also leverage that private NAT for use cases like that, or Transit Gateway. We're going to talk about all of those things. Remember I mentioned that we have multiple gateways, and the key there is to understand exactly which of these gateways is which and how you can leverage them for their specific use case, because if you're going for a networking interview, these are the things that you get asked. You're going to be asked questions around network connectivity, you're going to be asked questions around how you communicate between a private subnet and a public subnet, or how your resources in the private subnet communicate with the internet, and all of those things.

All right, the next thing that I want us to talk about is network security. We'll talk about network security, and then if we have time we'll get into logging and monitoring. Then tomorrow we'll focus on network connectivity, because network connectivity is very important. Network security. So let's start with network security.

So, excuse me,
quickly, do you normally pause when you change subject, so that the recording won't be too unwieldy? Is that how you normally do it, like pause the recording?

No, no.

I'm just saying, I remember they were in segments when you sent them out. Or were they continuous for the whole three hours?

Yeah, they were... no, they're continuous.

OK, sorry about that. Carry on, please.

OK. All right, so when it comes to security, there are two main security features on AWS that the VPC offers which I want us to talk about. So the first security feature is called the network access control list, also known as the NACL. So NACLs are security features that function like firewalls around your subnets. So they are firewalls at the level of your subnet. Firewalls at the level of your subnet that filter the traffic that is either entering or leaving your subnet. So at the level of your subnet, if you look at our architecture again, at the level of the subnet you can create a firewall and put it at the level of your subnet that is meant to filter the traffic that's coming to your subnet. If you create a firewall and you say I don't want this particular traffic coming from this particular network to reach my environment, you can create what we call a rule that denies that traffic. OK? You can create one NACL and associate it with multiple subnets, so it doesn't have to be one subnet, one NACL; you can create one NACL and associate it with multiple subnets, like all our private subnets can be tied to one NACL.

So the way that firewall works on AWS is... when we say firewalls, what do you understand by firewalls? Let me see if someone can throw more light. When we say firewalls, what do you think you understand by it? It could be anybody, just say anything in layman's terms, you don't have to...

Can I say something?

Yeah, hang on, Brandon, go ahead.

They provide protection in a particular zone.

Provides protection. So we're talking about firewalls: provides protection.

Uh, can I go?

Uh-huh, go ahead, Search.

So, basically, a firewall is a device that you have on your network, and basically you tell the firewall which IP addresses your device can access. So basically you tell the firewall that your computer can go to this address, and you also tell the firewall that this address cannot have incoming communication to your device. So pretty much, you know, with a firewall you have to enter the IP addresses that you're able to go to and not. For example, let's say that for everybody here that works with computers there are websites that are restricted. So what you'll do is you'll put the IP of the website in the firewall, and then if you are at work and you try to access those websites you'll get the 404 error messages. So the firewall works with IP addresses, and so forth.

Excellent, OK, that's good. So firewalls are meant to filter traffic that's either getting into your environment or leaving your environment. They're meant to filter traffic, to basically deny or allow traffic from coming into your environment or from leaving your environment, and these are dependent on the rules that you put in place. OK? So when we talk about NACLs, NACLs are dependent on rules. OK? So we create NACL rules to filter traffic that is either coming into the subnet or leaving the subnet.

Is it all traffic, or just, like, malicious traffic?

All traffic. It depends on the rules that you have in place. OK, so what do I mean by that? The way NACLs work, NACLs have a table, and the table is like two sides. We have a table where you create rules for inbound traffic. Inbound traffic means incoming traffic, traffic that's getting into your subnet. So you have a table for inbound traffic, and basically that table has, like, you have a rule, and then you have the type of traffic, and then you have a protocol, and then you have the port, and then you have the source, and then you have whether you want to deny or allow the traffic. So if I want to create a rule at the level of the NACL, I will basically say, OK, I want to create rule 20; I'll just give a rule number, an arbitrary number, say 20. And then in terms of the type of traffic, I can say that I want to allow HTTP traffic, so I can come here and say HTTP. Now, when you go to a web browser, even when you click on google.com... let me go there. As time goes on you guys will get to understand all of these different types of traffic. So let's just say amazon.com, I don't know if it's going to show on this tablet. OK, when you click here, OK, good. If you guys look at the web browser, you see that it starts with https. That is the type of traffic. So there is HTTP and there's HTTPS. The S there is just for the secure certificate; remember I said that we use certificates for in-transit data. So the S there just means security, meaning this website is secured. But sometimes you guys will see a website that's just HTTP without the S; it means that it's not secure. OK?

So, going back to our NACL, we can say that we want to create a rule for HTTP traffic, and over the years you get to know exactly which port HTTP traffic passes through. Port basically means door. It's like a door: if we say HTTP traffic passes through door number 80, or door number whatever, that's what we mean by a port. So you're just going to specify here that, OK, HTTP traffic passes through door number 80, and the type of protocol that HTTP traffic uses is called TCP. And then the source, let me say, I'll just pick an arbitrary source, I can just say 9.1.0.1/28. Let's just say this source is a CIDR. So the source doesn't necessarily have to be a specific IP address; it can be a whole network. This is a CIDR, which means that I am either allowing or denying any HTTP traffic that's coming from this network. If I know a particular network, let's say in Russia, that is sending viruses to my environment, I can say that, OK, I want to block any traffic leaving that network from reaching my environment. Then I will come to my network access control list table and create a rule that says HTTP traffic is denied. So when it comes to allow or deny, I'll put a huge DENY here. So I'm denying HTTP traffic that is coming from the network 9.1.0.1/20 or /28, and that's what we mean by a rule that filters traffic. It filters traffic, so any traffic that's coming from that network, once it hits the NACL, the NACL will say, oh, sorry, you're denied, and the traffic will not be able to get into your environment.

This is just for inbound. With NACLs you also have to create outbound rules, which means that you have a similar table like this, but it's an outbound table, which is meant for outgoing traffic. We either say outgoing or we say egress. OK, I'm giving you guys the industry terminology: we either say incoming or we say ingress; outgoing or egress. OK? So it's pretty much the same thing. You create the same rule: you have a rule number, you have a type, you have a protocol, you have a port, and instead of source, in this case you have a destination, because outgoing means that you're going out, so what is the destination? So if I want to block any traffic that has to go into this environment, I will have pretty much the same kind of table: a rule number, a type, a protocol, a port, a destination, and then whether it is allowed or denied. Pretty much the same thing that we had for incoming, but the most important thing is that you have to create those rules. You can create as many rules as you want. You can be more specific, that, OK, I don't want to block a whole network, I want to block a specific IP address. When you want to block a specific IP address, what do you use as a prefix? Anyone?

32.

We talked about 32, exactly. So when you want to block a specific IP address you use a /32, but when you want to block a network or a couple of IP addresses, then you use anything smaller than 32. OK? But yes, this is pretty much how you create a rule in a NACL, which is a firewall that filters traffic that's either getting into your environment or traffic that's going out. Any questions?

Denzel? Previous page?

Sure. I saw your hand, you have a question?

No, it was up from earlier.

Oh, OK. So I don't want you guys to worry about all of these and start saying, oh, am I going to remember TCP, am I going to remember the port number, am I going to remember the type of traffic? No, I don't want you guys to worry about this. I want you guys to just understand exactly what this security feature is meant to do. All of these other things that you're entering in the table are given. OK? In your work environment it will be given to you. If a developer wants to create a NACL rule to say that I don't want this environment to communicate with my environment, they'll give you all of those details. They'll tell you the type of traffic, if it's HTTP traffic, if it's ICMP traffic, if it's SSH traffic, all of those different things they will give to you. They'll tell you the protocol, they'll tell you the port number; sometimes they use default port numbers, sometimes they use custom port numbers. All of those things are given. So I don't want you guys to start hitting your head against the wall thinking you won't be able to figure this out. Remember, this is in your work environment; it's typically something that if you don't know what it is, you ask and you'll be told, pretty much. But again, I just want you to understand, so that if somebody asks you in an interview what is a network access control list, you'll be able to explain what it is. You'll be able to say something like, it's a firewall at the level of the subnet that helps to filter traffic that gets into the subnet or leaves the subnet, full stop. OK? If you want me to define it again, please let me know. All right, so we said that NACLs operate...

Can you say that sentence again? You said it's a firewall... just one more time.

OK, so it's a firewall that operates at the level of the subnet, filtering traffic entering or leaving the subnet. So NACLs are firewalls at the level of the subnet, filtering traffic that is entering or leaving the subnet. So you can remember it's not just a deny rule; you can create an allow rule as well, you can create a rule to allow traffic.

So the first thing that we said is that they operate at the level of the subnet. The second thing that I want you guys to take note of when it comes to NACLs is that they are what we call stateless. OK? They are stateless in nature. NACLs are stateless in nature. What does that mean? Remember how we talked about packets of traffic that are getting into your environment, right? Traffic moves in a packet. We talked about packets of traffic in response to Victor's question earlier today. So traffic moves in a packet, which means that when you have a request, you have a response. This is what we call a packet of traffic: a request and a response. Now this request would pass through the inbound NACL; this response will pass through what? The outbound NACL. Please follow with me: within your packet of traffic, the request will be filtered by the inbound NACL, the response will be filtered by the outbound NACL. Now when we say that NACLs are stateless, we mean that NACLs don't have the ability to understand the state of inbound and outbound traffic. This means NACLs don't understand that a packet of traffic is both inbound and outbound. NACLs don't understand that a packet of traffic is inbound and outbound, so it's going to treat inbound as separate traffic from outbound, even though it's a packet, because a packet of traffic, like we can see, is made up of a request and a response. So what does this mean? This means that within NACLs, when you're creating a rule, you have to create an inbound rule, let's say you create rule 100 for inbound, then you go to the outbound table and you also create rule 100 for outbound. So you need to create both an inbound rule and an outbound rule, because they're stateless. NACLs will not know that, OK, if a request is coming in then the response has to go out for it to be complete. NACLs do not know that. So when you're creating an inbound rule to allow traffic to come in, you have to create an outbound rule to allow that same traffic to go out. So if I'm opening port 22, if I'm opening SSH traffic on port 22 and I'm doing an allow here, I have to go to the outbound and also open port 22, allow. If I don't do that, the request will come in just fine, but you'll never get a response. OK, does that make sense? Are you guys still there?

Why is this important? This is important because the second firewall that we're going to talk about, which is called security groups, is stateful. It's the opposite of NACLs. Security groups are stateful, which means that security groups understand that traffic operates in packets. So when you create an inbound rule you don't need to create an outbound rule, because security groups know that if a request comes in, then the response has to automatically go out. But NACLs are stateless, which means that NACLs do not understand that there's both an inbound and an outbound traffic, that a request has to go with a response. Security groups are stateful, which means that they understand the state of the environment; they understand that if a request is coming in, then a response has to go out for that to be complete, so
it automatically sends a response once you allow the request okay Miriam yeah so why do we need both we need both good question we need both because security groups are firewalls that ex operate at the level of the servers okay so if we go back to our Design This is where knackles operate the red circle this is where Knuckles operate this is where security groups operate the green circle okay so I may have a knle that operate at the level of the subnet but I may want to put an extra layer of security at the level of my servers so let's say I have another database here I may still want to put another security there another firewall there okay to make it more secure that if somebody is able to breach my network access control is you cannot automatically just reach everything that you have in my environment you also still heit a fire wall at the level of the service itself it's like you having two doors in your house you have the iron door outside and then you have the wood door so that when you successfully break the iron door then you still hit you still get into a second door okay Franchesca so it means that um knuckles only operat with a private subnet right it doesn't to the public no this is just an example you can still have knuckles here you can still have knuckles here okay yeah thank you you're welcome OBI no I think you just answer it because I I initially thought knuckles areer in public subnets because those are the subnets that actually um you know have a public uh that public facing yeah so I thought per nich was already protected because they're private and you needed to use a knuckle to protect public subance that's how I was thinking about in my head so but but you just answer the question yeah so you can have it at the level of subnet whether it's a public subnet or it's a private subnet you definitely can choose to have it for all subnets in your environment okay so it's not AWS doesn't restrict you on the particular subnet that you can use for 
your knco so that make the difference between KN and KN not you mean not Gateway mhm not Gateway is not a firewall KN is a firewall those are completely two different features doing two different things okay so we're talking about security features if you go in an interview and they they ask you to give a rundown on network security you don't want to bring in that okay security features we're talking about network access controlers we're talking about security groups because they solve specifically two different things all right still on that I had to talk about Security Group a little bit because I wanted you guys to understand that stateless and stateful um difference and why I'm emphasizing it or not and because we have something different at the level of the security group now go ahead can you just explain that state full that state full part again because I mean stateless I understand you you know it's what's the stateful part for the security groups okay so stateful stateful means that they understand security groups understand that a packet of traffic is made up of request and a response and it understands the state of the request it knows that the state of the request would automatically be the same state as the response because that that's what makes a packet of traffic okay so basically security groups automatically allow outbound traffic ah okay yes so Security Group automatically allow ad bound traffic you only have to Define inbound if I'm opening my incoming traffic to Port Port 80 then automatically Port 80 will be allowed to go out but with Knuckles if I'm opening Port 80 for incoming then I have to go and open port 80 for outgoing as well if not it will come and it's not going to go out okay thanks you're welcome uh M um I just wanted to know where the firewalls is it more um specific to the resources to the resources in the subnet which like when we when we Crea let's say the knuckles or the security groups is it more designed like is it more set 
to was in the specific subnets so these are just the these are just um think of the firewall as an empty table that's given to you but you are the one who defines the rules on it okay you can still you can you can have the same rule for your knle and the same rule for your for your Security Group okay if I'm blocking Port blocking or denying Port 80 from a particular Network I can also go to the security group and I create a rule there that also denies spot 80 from that same network okay so it's it's it's basically dependent on the rule that you're creating at these two levels but there are some differences so there are cases where you have organizations that will use both knackles and Security Group for extra security there are cases that organizations will say okay I don't want to use Knuckles I'll just use security groups and there are cases that you see some Organization no no you rarely see organization just using knackles but they always use security groups and have and and don't use knackles in all use cases okay but these are just two firewall that AWS offers that can give you to protect your environment from a network standpoint because it's not all traffic that you want to be hitting your environment if you know that a particular person from Russia is sending viruses to your environment you want to find a way to block that person or to block that traffic you want to find a way to Blacklist it so that it doesn't get into your environment every time because again the internet is crazy people can just try to hack your environment and try to destroy your application so these are all security features that you can leverage and block those things from happening okay Miriam well um are these managed by AWS or by the customer they are managed by the customer in the sense that you are the ones you are the one who puts the rules on those tables right you define the rules this a free service it's not like um it cost you anything it's a free service but you define 
the rules if you know that okay you want to you want to unblock a particular traffic you go there and you define it okay it doesn't do anything you create it and you manage what you want to allow and what you want to define or deny search okay so um you know on the picture I'm seeing you know three let's say squares so uh the knle because I'm seeing three uh private subnets do we have to set up I mean four private subnets do we have to set up a knle for each of the subnets or we can set up a big knle for all of the sub at once okay so the reason why I see three I created a three squares and one of them is tied to a single subnet and the other one is tied to four subnet is just to show you that you can do either okay you can either tie your knuckle to a particular subnet or you can associate tie it to multiple subnets okay if you want this particular rule to apply to all your private subnets you don't need to create four Knuckles you can create one knuckle and then you tie it to all the four subnets okay all right thank you it's the same thing for security groups so you can have all of your your your your resources use pretty much the same Security Group if you want to okay thank you l m please can you come do you say Security Group allow traffic outb allow all outbound traffic yes security groups allow all outbound traffic because they are stateless uh stateful sorry because they're stateful thank you so that is conditional upon if the inbound is allowed right so yes the the one thing about Security Group is that security groups you don't have deny they're not deny rules with knackles you have allow and deny rules so you can create an allow you can create a deny but with Security Group you can only create allow rules okay because everything is denied if you don't allow it then everything is denied so now you start choosing what you want to allow to come into your environment it's just like remember when you created your AWS account your you have that implicit deny 
that applies to your AWS account then now when you create a user you start attaching policies that allow certain access to different environment so that's another difference between knackles and security groups so with knackles you have both a deny and allow rule but with security groups have only allow everything is implicitly implicitly denied everything is implicitly denied everything is implicitly denied another difference between a knle and a security group is with a security group if I have my environment like this if I have my environment like this I have a resource here here in the public subnet and this resource has a security group let's say Security Group one I have another resource here in a private subet and this resource has a Security Group Security Group Two if I want to allow traffic from from from this resource to this resource if I want to allow this traffic I don't necessarily have to come and create an allow Rule and say I want to allow icmp traffic from let's say this instance is a 10.1.1.1 sl32 I don't have to necessarily come say I want to allow icmp from 10.1.1.1 sl32 I can just say that I want to allow traffic from security group one and then everything all the resources that are ti with that Security Group will have the ability to talk to the resources that are in the database Subnet in the private subnet okay so you don't neily have to put in the ciders or the IP addresses you can relate it with AWS resources okay and that that's that's one of the key differences between a knuckle and a security group do you want me to repeat it or does it make sense try to take notes down so if you please reach absolutely absolutely so I'm saying that security groups support AWS logical resources or let me start with Knuckles knackles create rules for IPs or ciders ciders means a network IP means a specific IP address while security groups support rules for both IPS ciders and and a WS logical resources so take that down first and then I'll go explain 
what I mean by that. NACLs support just IPs or CIDRs, while security groups support rules for IPs, CIDRs and AWS logical resources.

All right, let me explain what I mean by that. So I was saying that we have our two-tier environment like this. Within the public tier we have a server, and that server is tied to a security group, let's say it's tied to security group one, and then this other server is also tied to security group one. So we have two servers in the public tier and those two servers are tied to security group one, which means that whatever rule we create on security group one applies to those two servers. Within the private tier we have a resource that's tied to security group two. Now instance A and instance B want to talk to instance C that's in the private subnet. We need a security group rule here that allows traffic from A and B. So if you want to create that rule, you can go and say, okay, I will create one rule for the public subnet instance A and create another rule for the public subnet instance B, which means that on your table you're going to have two rules. You're going to have the first rule for the public subnet that allows, let's say instance A, let's just say instance A is 1.1.1.1 and then instance B is 2.2.2.2. So you go to this route table, oh sorry, you go to this security group and you create a security group rule that allows 1.1.1.1 and then you create another rule that allows 2.2.2.2. Now, as opposed to doing this, because what if you have more than two instances? What if you have about six different instances, six different servers? It means you're going to be creating those rules and they'll become a lot. As opposed to doing that, you can just create a rule that allows traffic from SG1. That's what we mean by supporting AWS logical resources, because you don't just focus on CIDRs and IP addresses. I can just say I'm going to allow traffic from security group one; then all those instances that are using security
group one will have the ability to communicate with the instance that's using security group two. Does that make sense, ma'am? Does that make sense?

Yes, yes, yep, that makes sense. I mean, I hear it, but I don't understand.

You just need to process it. Okay, you just need a minute to go over it, and I'll recommend that you try to go over it immediately. Don't wait till Sunday before you try to go over it again, because this is a level where everything that I've said sticks in your brain; you've heard it, but you need a minute. You know when you're getting information but you just need to take a breather and process it in your brain so that it makes sense, it makes correlative sense to everything that we've been talking about. So my recommendation is later tonight or early tomorrow morning, if you're a morning person like me. When I was a student, I would get up at 5:00 a.m. and spend the first two hours just studying, just going over everything that we covered the previous day, and trust me, it sticks. It sticks way better than keeping it till the weekend to go over it again. Okay? And then, when you're studying, try to make notes in your own words, in a way that you will understand it better. Okay?

Okay, thank you. I concur.

Awesome, thank you, Victor. All right, so we're not done with NACLs and security groups; there are a few more things that I want to talk about, but we're going to talk about them tomorrow. We're going to talk about those and then we'll talk about logging and monitoring, and then we'll go into more stuff on network connectivity. So I want to give you guys the time to take your break before we get into the hands-on. So for our hands-on tonight we're going to do a recap of what we did in our hands-on last week, and then after that recap, we're going to look at basically the run book that we had last week. We'll look at that from an architectural standpoint; remember that run
book: the first page of that run book had an architecture, and then after that we'll go through the hands-on again end to end so that you guys can connect the dots on everything that we've done right up to this moment. Okay? So we're going to be doing that with Prof Godlove. I don't know if he's already on the call.

I'm here.

Okay, so everyone, I want you guys to meet Prof Godlove. He's an excellent prof. I'm going to give him a moment to talk about himself before we go on our break, and then when you guys come back you continue with him. But I just want to say that you'll be seeing more of Prof Godlove when we get into microservices. So he's an EKS expert, a microservices expert, and he has multiple certifications in that area, and he works with microservices on a daily basis, and he's also a networking expert too. So don't hesitate to ask him any questions that you have; don't hesitate to reach out to him on Slack and leverage his knowledge anytime. That's not to say you cannot reach out to me as well; you can reach out to me, and then as we go on you get to know other profs that you can also leverage and just build the portfolio that you need to learn everything that we're giving you. All right, so I'll just give Prof Godlove a few minutes to talk about himself and then we can go on break.

Excuse me, can I just say, you said something about EKS; is that the Kubernetes?

Yes. Okay, yes, so he's a Kubernetes expert. He has multiple certifications in that area as well.

Okay, cool, thanks.

I have a question; my hand has been up for long.

Oh, I didn't see that. Bees, what's the question?

So my question is, what happens when you allow traffic at the NACL level but you deny the traffic at the security group level? So we know that on AWS a deny will always override an allow, right, in every case, whenever rules are evaluated, policies are evaluated, a deny always overrides.

The traffic can get into the subnet, but you will not get it through
through to the server, because you have a deny rule there. Okay?

Okay, yep.

All right, I see another hand up. Adu, you have a question?

Yes, I was trying to ask you, if we have an instance, right, we have 1.1.1.1 and then 2.2.2.2, for instance, if you want to allow traffic from SG2 to just 1.1.1.1 but not all of SG1, what would be the procedure, or how does that work?

Yeah, so that's a perfect case where you do not use a logical resource for your security group rule; you use a specific CIDR. So you just create a rule for 1.1.1.1. Okay? But when you have multiple resources that need to talk to the other resource, then you can just use the security group ID. Make sense?

Yeah, so basically you're saying, depending on the instance that you have, then you choose what rule you would use.

Yeah, depending on your use case, exactly.

Okay, yep.

All right, sorry about that, Prof, go ahead.

Good evening to you guys. Nice meeting you here virtually. So I'll be supporting Prof Susan over your journey the next couple of months, and like she said, I'm experienced with networking and Kubernetes, and I'm here to support you guys in your journey and also assist Prof Susan so that we can help you transition into the new career. So just a word of encouragement: I do encourage you, do not feel discouraged, do not feel overwhelmed. I think everybody that changes career gets that feeling, but just be encouraged, keep putting in a couple of hours per day, and just like magic, everything will just make sense. So as we work together, if you have any questions, if you want to know anything more, then you can always just ask. Feel free to just ask, raise your hand or drop your question in the chat, then I would respond to you. So that's it, thank you guys.

All right, and I'm not able to see you; are you on video or something?

Yeah, I am.

Yeah, Tech Guy, you need other glasses. I just pinned him now so everybody can see him. Can you see him?

Not yet.

If you can see my screen now you can
see him.

I can see your screen, and I'm seeing his screen, but blank.

No, he's not. Now we see him, we see him, don't worry. I can see Victor.

Okay, maybe. All right, okay. All right, let's take 15; once we come back, then we're going to continue with Prof Godlove for the hands-on.

Sorry, ma'am, you mean we will not be able to see you anymore from here? Are we almost done with this program?

Okay, no, no, no, no, that's not what I mean, pal. I mean that he will take the hands-on for today; he will take the hands-on most of the time, and then there are some classes that he will take with you guys as well. So we are going to be co-tutoring till the end, okay, to the finish line.

Can you put your name in the chat please? Godlove, I think, is what I heard; is that correct?

Yeah, Godlove. Can you see now?

I see him now. Okay, I was looking for Godlove, but his name was JJ T, so okay.

Yes, yes, I have extra glasses for you.

No, that's okay. Okay, thank you. I can go ahead and pause the recording, and then after 15, once you guys get back, we'll continue from there. Thank you.

Can you see my screen now?

No, we can see you. I think that's because I pinned your picture for P to see; let me go ahead and remove that pin. Are you still sharing?

No, I stopped sharing already.

Are you sharing?

Yes, I am sharing now.

Yeah, good. So we have here a two-tier architecture system. It could be three-tier, but generally a multi-tier architecture system is just a way that you break down your application system into different fragments or different frameworks, because this gives you the ability to scale out different parts of your infrastructure. For example, here we have web servers, we have a database here, so we can scale out the web servers depending on the requests that are coming in, and also scale out the database depending on the requests that are coming in. So we kind of decouple our infrastructure so that the web servers can scale out
independently of the database servers. So it could be a three-tier, it could be a four-tier, but in our image here that the professor shared with us, we are having a two-tier application, a two-tier infrastructure. Are we together?

Yeah. So the tier, sorry, can I just raise my hand, so at least...

Sure.

So when you reference multi-tier, it just basically signifies, from an architectural standpoint, let me put it, it's just showing these levels. There could be numerous of these levels, right, in the diagram?

Yes, there could, and it's always represented by the different subnet levels that you have. For example, you're seeing here we are having public subnets and we are having private subnets, right? And the public subnets here, they are in different AZs, but all the public subnets in those different AZs represent one tier, so here it's the web server tier. And we have the private subnets in two different availability zones in this diagram, and both databases, or instances, which you place in these private subnets, they represent another tier. So here we have a two-tier architecture. It could be three-tier if you design your infrastructure to be three or four. So based on the environment where you find yourself, you can find yourself with four tiers, you can find it with three, but I think the three-tier architecture is the most common. So for simplicity and for understanding purposes, it's easier for us to picture that with this two-tier infrastructure that we have here. Okay?

So if there was going to be a third tier, what would that be in this diagram?

So we can add here: we have a web server tier; we will refer to this as a database tier because we are seeing a database inside; and we could also have what we call a logic tier. So some documentation will present that as the presentation, the logic and the database. So the presentation here, the web server here, that is where your front end would be, your
clients connect directly to the web server tier. And all applications are based on some logic, right? So that logic runs in a server, so we can have those servers running in what we call a logic tier. And those application servers need to talk to some sort of database when requests come in or when information is put in; for example, if you're talking to your banking app or something like that, information needs to be stored in some database, and all those databases are then having their own tier. So in that case we would have a three-tier architecture, and within the three-tier architecture, as Prof Susan mentioned, with, how do you call it, security groups, NACLs, you can then segment how the different tiers communicate with each other.

Thanks, that's it. Thank you.

Any question? I think I cannot, I don't see. Give me a minute.

Yep. So if there's no question, then I think we can move on. The person that was sharing can reshare, then we start with the hands-on. But if something comes up, just drop your question in the chat, then I can expand or respond to that, or you raise your hand. So the person that's always sharing, you can reshare and we move.

Sharing already.

Great. So do you have the run book?

Yeah, the run book is not in the chat yet.

The run book is in the chat; it's the one we had last week. It's the same run book you had last week, and also in the chat I think I saw it today if I look back to the old messages. Give me a minute, I can also reshare that.

I'm sure it's this one, right? Yeah, "Set up two-tier network infrastructure V2".

I think that's it, "Setting up two-tier network infrastructure", yeah. Okay, this is it. Should I put it in full view? Should I move it to the other screen?

Is everybody having access to this? If not, then I would download and reshare. So, on our infrastructure diagram which we have here, if I can just expand a little bit about the whole infrastructure, you can see that we are having
the VPCs, and in those VPCs we have public and private subnets, and for redundancy they are in two AZs. So all communication that is incoming goes through the internet gateway, which Prof Susan already talked about, and once traffic gets to the internet gateway, the gateway now passes that to the route tables for the subnet, and based on those route tables, traffic knows where it has to go to. So it's going to the web server, which is the front end in this case; then the web server has another routing, with the arrows that show that, okay, the servers in the web tier now can communicate with the database here. Okay?

And the question? Okay, then let's go ahead. Should I scroll down, or should I just leave it this way?

I think we can start with the hands-on.

Okay, okay. Should I go to Jo II? No, I think it's the hands-on; we start with the hands-on on your console. I think we start by creating a virtual private cloud, a VPC. Okay.

And I say we should... I think most of this was done in your last session, but let's go through it so that everybody can understand what we are doing and can follow up, and if you have questions, you just shout. Okay, I will download and reshare, or somebody can reshare that in the chat so everybody has access. Is there somebody without the run book?

I'm going to start the recording now. Yeah, started, it is recording. So, Leonard, go through the run book step by step; that way we are following. Just say what you're doing. You need to take your time because we are following what you are doing, so please take it as much as... give me a minute please. As much as you follow what he's doing, you have a run book so you can also look at it. Okay?

From the very first beginning, Prof is like, if you are supposed to work on a particular concept like the VPC, you just come to the search bar and you type VPC. So whenever you type VPC, you can start, I
think we... okay, sorry, go ahead, you can start it.

So you can find it up here, where you can easily access it, then you click on it. So you go to VPCs, and you click on VPCs, you can set it, or bookmark it as you said, so that you always have it on your preferences tab so you can easily access it. So on VPCs you just go to your VPCs. So here we are trying to create the VPC, which is your virtual private cloud, and inside the VPC then we will put all the AWS resources as we go forward. Okay? And Prof also explained to us that the first time you get in here, you meet a VPC already, the default VPC, which was already created by, I'm sure it's by AWS.

Yeah. Okay, for each AWS region, once you create an AWS account, every region has a default VPC. So you can either use the default VPC, which most companies wouldn't do because it comes with a default CIDR range from AWS which might not be what you need, or you create yours. So as we are trying to understand what VPCs are all about and all the features, I think using the default which has already been created for us is not the best, so let's create our own VPC by going to Create VPC.

Okay, now then on this Create VPC, right, you have "VPC only", where you manually input everything, then "VPC and more". If you do "VPC and more", it will create the subnets for you, it will allocate everything else for you, like this view. But it's always advisable to do "VPC only" so you get to know how to do it more. So now you have to name tag your VPC. It's optional, but I usually just name it, so let's just try to name it. So is everyone following along?

Yeah, yes, yes.

Okay. Excuse me, Leonard, so you can give your VPC a name according to the run book, or you give what you would prefer; this is opinionated. So you give your VPC a name. After giving the VPC a name, I think Leonard is calling it Peter 44, then you decide on the CIDR
range which you need for your VPC. So in your environment they might tell you what CIDR range they want for that VPC, but for study purposes we already have a VPC CIDR range given to us by Prof Susan: 10.0.0.0/16. So by default this is IPv4, as Prof Susan mentioned. So this is for using IPv4 VPCs; you decide on your CIDR range, and because we do not need IPv6 here, by default we just leave "No IPv6 CIDR block", and we continue with tenancy, and our tenancy should be default.

Quick question, please.

Sure.

Can we have two VPCs that have the same CIDR block?

Yes, you can have two, exactly, so many with the same CIDR block, but there is a caveat with that: if you have resources in these two CIDR blocks and later on in your project or in your environment you want those resources to communicate together, it becomes a very big challenge. So it's best practice to always have VPCs with CIDRs which are not overlapping, but in some environments where you find yourself it is inevitable. I have been in such an environment, where you're dealing with VPCs that are overlapping, so it becomes a challenging task to enable connectivity in such a scenario.

Because from last class, the one I have is exactly the same CIDR.

Yeah, you can create another VPC with the same CIDR, but it's still private, so it should work.

Yes. Ma'am, you just answered my question, thanks.

Okay, I saw your hand. So if we have the VPC, we have given it a tag, and we can then go to Create VPC, and it should create us our VPC. So once your VPC has been created, if you go to your VPCs, you should see all the different VPCs that are in this region, and the newly created VPC should also be available, and if you scroll to the right towards this direction, it would show you tenancy default, default VPC. So it's going to tell you that that's the VPC which we just created, which is 10.0.0.0/16. So, no. So this is the
default VPC, like we mentioned, that whenever you create an account, in every region AWS already gives you a default VPC to use. So this is the default VPC. So if you look at the default VPC column in your list of VPCs, you see the default VPC is "Yes", but the ones we just created should be "No". Great. Wait, are we together?

Yes, yes, yes.

So we can all see the VPC we just created. So after creating the VPC, which is your network, your private network, you need to now segment it with subnets. So Prof Susan already went through subnets, but if you have questions about it, you can still always ask. Excuse me. So in order to create a subnet, you can go, see, on the VPC dashboard, you can go to Subnets; so this will give you the ability to create a subnet. So because we are placing subnets in the VPC, when you go to Create subnet, you're going to need to select the VPC into which we want to create a subnet. So Peter 44, that's highlighted, that's the VPC you just created, and we need to decide on the CIDR range of the subnet, because this is basically segmenting the CIDR range of the VPC. So we take the CIDR of the VPC, in this case /16, which gives us about 65,000 IPs inside; we can then break that down into different segments of hundreds or thousands of different IPs and give those to our subnets, and I think Prof Susan already gave us 10.0.1.0.

Yes. So do we need to create a subnet name?

Yeah, you need to give it a name, but it's optional. So you go to Create subnet and you select the VPC into which you want to place the subnet, very important; then you give the subnet name. So according to your run book, they have "private subnet", and it's always very important, if you're creating a private subnet or you're creating a public subnet, to always give it the tag public or private, so that your colleague or whoever gets into your environment knows that, oh, the resources in here are supposed to be private, and
it's easier. So you call it Joe private one, and you also need to decide on the AZ, basically the availability zone into which you want to place the subnet, so you select an AZ for your subnet. And, very important, the CIDR range of your subnet. So you can give the subnet exactly the same CIDR range as your VPC; in this case it means you just have one subnet inside, which makes no sense. So you would need a CIDR block which is a subset of the VPC CIDR, and we have here 10.0.1.0/24.

So I have a question, please.

Sure.

When I was trying this before I could get it right, I mostly saw, like, "overlap", VPC repeated. I was like, we have 65,000 subnets, since I was using the /16. What I noticed when I was trying to do it, every time it shows overlap, it has overlap. So I kind of solved the problem, but I don't know how I did to solve that problem.

So what was the error, that the subnet overlaps with...?

Like when I created the first subnet, I named it private one; I went ahead to create the public subnet, so once I was creating that, it was overlapping with the first one. When I chose to create the third one, it was overlapping with the second one, and the numbers were different. I think it's because it was all /24, I think, something like that. Yeah, from the CIDR it was about /24, then the subnets that followed were all /24.

Anyway, I would need to see the ranges which you used for me to be able to understand your problem, but basically what happens is, just keep in mind, you have a VPC CIDR and you have subnets. So you take the CIDR range of the VPC, it's a specific range, it's a block, and you split that into, for example, when we want four subnets, we split that VPC CIDR into four. So it means that two different subnets inside the same VPC cannot have the same range; it has to be
different. You understand what I mean?

Okay, that means it cannot be /24, it cannot be the same, for example...

Just give me some time, I will get to know your... who is sharing? Leonard?

Yes, sir.

If you just open another tab for all, so I can answer this question in a minute. Just open another tab and you type "visual subnet calculator". I think that's the word, subnet, visual subnet calculator. Yes, that's it, click on it, just open it. So we have here, for the CIDR range that Prof gives us, 10.0.0.0 for the VPC, what is it, 10.0.0.0/16. So go up here, update this to 10.0.0.0, yeah, /16, just do an update. That's it, right here, update. Is it updated? So now you see, if you look down here, this is the number of IPs which we have inside that CIDR range, 65,000. Can we all see that?

Yes.

So this is the number of IPs inside the VPC; this is our VPC CIDR. Now we want subnets of this VPC. If you go to divide, just click on divide here. So now we are dividing, so we have now a subnet inside the VPC with /17 that has 32,000, and there is another subnet there, two subnets right now with 32,000. So you can keep further dividing until you get to /24. What happens is, the specific range, if you keep dividing you will get to here, /18; divide /18 to /20 to /24. So right now we have the /24 CIDR range; we have just 254 IPs. This /24, if we are using this, which is 10.0.255.0/24, and we assign this range to a specific subnet, there cannot be another subnet in the same VPC with exactly the same range; then it is going to tell you there's an overlap, which is not possible. But you can have another /24, which is 10.0.254.0/24. Do you understand me?

Yeah, I'm getting you, but not that clearly.

So basically, if you're having an overlap, it means you are assigning the same CIDR ranges to two different subnets, which is not possible in the same VPC. Or, for example, you assign this range, /17, right, you assign the /17 range to a specific VPC, yeah,
then you assign a /20 range, a /24 range, which is a subset of the /17, to another subnet. So you will see that this /24 is a subset of the first /17 which we had, yeah. So this will not work, because you already gave the /17 to a subnet, so you cannot give its subset to another subnet in the same VPC. Hope that makes sense.

I'm sorry, can you explain that again? How is the /24 overlapping with /17?

Okay. Leonard, go to the first /17 which we have here. There should be an eraser here. So if you see there is, give me a minute, if you see there is a /18 here, where is my highlighter, yeah. So all this was part of a /17 range, the one we had before, which is, I think, 10.0.0.0, I don't remember exactly, but this is all part of a /17. Make sense? Yeah, so go to the initial one and we start dividing, so maybe others can understand what I'm saying. So if you go to this /17 here, yeah, and click on divide, you see that now we have a /18 which is part of the other /17 subnet which we had. So it means if you gave a /17 subnet range to a subnet and you now give a 10.0.0.0/18 to another subnet, this /18 is a subset of the /17 which we had, and in that case there will be an overlap between CIDRs in two different subnets in the same VPC, which is not possible.

Can I just say something?

Yes, let's go back to the... yeah, yes, go ahead.

Okay, that means, as a result of the subnet, like for the subnet, if I want to create four subnets, if /24, it should be /24, right?

No, it must not be /24 for all the four subnets. It can be /16, it can be /20, it can be /24, it can be /18, but the subnets should not have overlapping CIDRs.

Okay. I don't think, well, let me speak for myself, I don't think I quite understand what you mean by overlapping. So are we concentrating more on the slash, the number after the slash, or do we
concentrate on the two numbers that vary before the slash, like...

I think maybe this is a topic we would take more during a later session, okay, but basically what this means is, remember you have a /16, and that /16 has 65,000 IPs inside. When we divide the /16, we have /17s inside, and each /17 would have about 30,000, let's just say 30,000. So there's a range of IPs in both segments. So in both /17s, if you keep subdividing, you will have /24s in the different ranges. You can play with this tool which Leonard just used, and you see what I mean, and you cannot have an overlap of CIDRs, the same CIDR range in the same VPC on two different subnets. So basically your problem was because there was this overlap; either you were using a /17 and a /24 which is part of the /17, which is still a subset of the /17 range, and then you have the problem with the overlap. Go ahead.

If Leonard could have replicated his error, it would have made it a lot...

Yeah, it would make it a lot easier for me to pinpoint where your problem is.

But you basically have, on the job site, sir, on the job site, do you have to struggle with this, or do you have some kind of tool like this that can help you with the different IP addresses that you need to use?

This is a tool; this is what I use. Okay, so the visual subnet calculator, that's what I use. There are so many tools for it, so this is what I use.

We can actually quickly replicate it, so just, you know, what we're seeing on the screen, because I had the same issue. There's a subnet block that he has, the 10.0.1.0/24. We can try to add a second subnet, and if you gave it the same address, it would reject it.

Yes, if you gave it this address, it would reject it.

If you gave it this address and a slash, I think like a /28, I think it would reject it as well, and so that's probably what you were alluding to.

Yes, because /28 is a
subset of /24.

Yes, yes. So if you already gave a bigger sub-network, which is /24, to this subnet, and you're giving a /28 which is a subset of this, there is already an overlap; the /28 is part of the /24, yeah, and it would reject.

Yes, yeah.

Question, please. Sorry, is that the reason why, when we are creating another subnet, we can give it an IP address of 10.0, then change the one to two, to make it different from the other, then we are trying to avoid the overlap?

The visual subnet calculator is a very great tool that would do that. I think Prof Susan used a different tool; that's what she uses. This is what I use; there are so many of them. In some environments they have a network team that will provide you this CIDR range, because they are trying to avoid these overlaps. When you have overlaps in an environment, it introduces a lot of challenges.

So, yeah, it took about four hours just to, like, get to the solution of that problem due to overlap. So what I always use, let me see something, please.

Yeah, but doesn't the run book have different...?

Yes, the run book should have, it has different ones, so let's keep the run book and proceed, because the run book is already in...

Yeah, let's go ahead, go ahead, let's focus on what we... don't bring all those questions again. Those are great questions, and those are challenges; that's how you learn. Those are great questions and those are challenges you'll face, to be honest.

So should we add a new subnet, or should I just create this one?

So in the run book you need to create two subnets, so you create the first subnet with the 10.0.0 slash... I think your subnet CIDR is wrong. So you can create both subnets, so we can create both private subnets and then public subnets, so we create all of them.

I think, yeah, create all of them. I think you can do all four at the same time.

You can do all four at the same time, so we proceed. First time, okay, so be careful so we don't
face the problem um um the other person faced careful with the side CER blocks because if you have an overlap then the C would feel are we all together yeah wait here so we create a second private subate is this okay m that's fine yeah that's fine keep then you can create the uh so you can create a a a public subnet public one and public to remember to always select the VPC the right VPC once you have all the information in there then we can just click on create subnet so we should have all of all subnets in there change the name the name is that a correct name public two yes yeah public one yeah let me see if it's one wow magic just like magic yes is because Prof God's love is here awesome that's good example is always easy but excise are very stressful um you you deleted something she deleted a tag for that one yes that's why it's empty I don't if we can edit it yeah yeah you can edit yeah forgot to give it a name yeah manage tags y do we all have uh subnets yes once we have the subnets then we need to create rou tables so um AWS implicitly Associates a route table to every sub in the VPC so there is a default route table in the VPC once you create it so every subnet which you create in the VPC has by default is implicitly Associated to the default uh route table so you can explicitly associate your own rout table um to your subnet so in this case we need to create our route tables if you just go to the subnet which you created and you look at sub route table associations you'll see that there is a a route table Associated to it it does that so that leard that should be name not it should be na the key subet the four subet are they in four different availability Zone yeah you selected the availability zones as you were creating them right so you need to select them in different AES so that's four AES four different AES for the four subet I wouldn't say four different AES it depends on the region in which you are this is North Virginia I think there are six aces 
in North Virginia, correct, so there are six AZs. I am in Frankfurt, so Frankfurt has four I think, yeah. So different regions have different numbers of AZs, so during your creation process you decide. For example, in our architecture diagram we are using just two AZs, so we can use US 1a, US 1b for both, for the two private and the two public, so these should be in two different AZs. So if I get you clearly, it means one public subnet and one private subnet is in one AZ, the other public subnet and the other private subnet is in another AZ, correct? Yes, yes. Thanks. So we're going to the next one, route tables. So next we have to create route tables, so you go to select route tables. Leonard, is it Leonard? Just give me some time, I'll get your names. Yeah, Leonard is always the one sharing. Leonard, you go to create route tables. Yeah, I'm already there. Okay, let me just go back. Then you give your route table a name. So most networking components, just FYI, most networking components are always in the VPC dashboard, so when you go to the VPC dashboard you'll see, when it comes to VPC, subnet, route tables, gateways, you would see everything there. It's good to know. So you give your route table your name, so this is a route table, the first one, we're creating a private route table, and for best practice always give it a name which is descriptive. So whatever you're giving it as your personal characters before, always give it the "private", so if I get into your environment I can easily know that okay, that should be private, or this is the private route table which is associated to private subnets. Peter 44. So once you want to create a route table it needs to know the VPC that you're creating the route table for, so you select the right VPC, the VPC which you created earlier. So the drop-down menu would present to you all the VPCs in that region, so you select your VPC and
you just hit on Create, and then you have your route table. Then you create the public route table, same procedure, you give it the name and you select the right VPC, and we have both route tables. So if we go to route tables we should see the route tables we just created, Joe private and Joe public. And you select one of the route tables which we just created and you click on subnet associations. So just give me a minute, I want to say something here. If you look at the route table which we just created, we just created a route table and it's in the VPC, it's doing nothing, it's not performing any routing, because those route tables are not associated to the subnets. Because we call it private and public does not mean it auto-associates to the respective subnets, so we need to explicitly associate the route tables to a subnet. If you go to the main or default... the subnets, go to subnets and look at the subnets which we just created. Go to subnets, look at the subnet which you created, I think it was Joe public, any of them, select any of the subnets, go to route table, you'll see that we have a route table which is associated to this subnet. Remember when we just created the subnet we did not associate any route table to it. Like I said, AWS implicitly puts a route table on every subnet which you create in a VPC, so that is a default route table, and the route table is basically giving it local routes. This is just, if you look at the routes on the route table, it says local, target local, destination VPC CIDR. Basically what AWS is trying to do is ensure that every device which you put inside the subnet can communicate with other devices inside your VPC, nothing goes out to the internet, so it's just for internal VPC communication. So now we want to not use the default but associate our custom route tables to these subnets which we created. So you can either do it from here, you can either select the subnet and you go to route table association, or you go the other
way around with the route table and you add the association. So okay, according to the runbook we go to select the subnet. Okay, this is a subnet, should I... Joe public? No, but for the runbook, either way works, but for the runbook you select the route table and you go to subnet associations. So the route table which we created, yeah, you go to subnet associations. So this was the private route table, we want to attach this private route table to our private subnet, so edit subnet association. So it presents you all the subnets that are inside the VPC, so you can then select the subnets which you want to associate to this route table. So that was a private route table, so we associate all the private subnets to it, private one, private two, save. So just FYI, a subnet can be associated to just one route table, but a route table can be associated to so many subnets, as we just saw. So we do the same for the public. Okay, are we together? Some question: when Leon selected Joe public one, how did he select the subnet association? You go to subnet association, go to edit association. Come, you say? So when you go to edit association it presents all the subnets that are inside that VPC, then you select the subnet which you want to associate to that route table. But once you do this, AWS now... this is an explicit association which trumps implicit, so the implicit route table that was associated to these subnets is removed. Okay. Once we associate the private subnets to the private route table, we also associate the public route table to the public subnets. So you do the same thing, select the public route table, go to subnet associations, edit subnet association. Are we together? Yeah, yeah, yeah. So once that is done, let's verify that actually our subnets are associated to the route tables which we want. So you can just go back to subnets. So is it showing below? Yeah, it's showing below, then yeah, you can, yeah. So you can always
see the information from different angles. So can we all confirm our route tables are correctly associated to the subnets? Yeah, yeah. After creating our route tables and attaching them to the subnets, now we need to enable internet connectivity on our VPC, and for communication into the VPC or out of the VPC to the internet we need a gateway, a gateway device, and for AWS it's called the IGW, internet gateway. So we need to create an internet gateway and attach it to the VPC, so let's do that. Do we attach the same internet gateway to both the public VPC and the private VPC? Wait, wait, there is no... yeah. Sorry, I'm getting confused, to the public subnet and the private subnet. So there's only one VPC. I attach it to the VPC, to the VPC. Okay, my bad, my bad, yeah. I'm taking subnet, it's just VPC. VPC is the level higher than the subnet. Subnet, great. And you attach internet gateways to the VPC and not subnets. Yeah, okay. So you can create an internet gateway and you attach it, so you start by creating the internet gateway. So just go to internet gateway, like I said, everything is on the VPC dashboard or interface, scroll down, you see internet gateways, then you go to create internet gateway, you give your internet gateway a name. Once you give your internet gateway a name you can hit create. This will create our internet gateway, but to enable the VPC to use this gateway we need to attach the gateway to this VPC. So if you look at the internet gateway you just created and you look at the state, it would show detached. It means it's there but it's not doing anything. For you to use it you need to attach it to the right VPC. So in order to attach the internet gateway you select the internet gateway and you go to actions, attach to VPC. Yes. So Leonard, you see, once you... you have three VPCs in this region already, but if you see the available VPCs, just the one you created popped up, because I
think you already have IGWs attached to the other VPCs, and you cannot have more than one IGW per VPC. Yeah, that's good to know. Once you attach it you can verify that by looking at the IGW console and see if it's attached, so the state, yes, is attached. You can also just confirm that, oh, this Joe IGW, is it attached to the right VPC which I want it to be attached to, which is Peter 44? And yeah, so we're good. Are we together? Yeah, yes. So now we have a VPC, we have subnets in the VPC, we have an IGW attached to the VPC, we have route tables attached to the subnets, but those route tables, we have called them private and public. Calling it private or public doesn't make it private or public, it's about what it does to traffic that would determine if the route table or the subnet is private. So a subnet, let me come from this angle, a subnet is private if it doesn't have routes to the internet, and a subnet is public if it has a route to the internet. So to make our public subnets public actually, we need to add a route to the route table associated to the public subnet that goes to the internet. Does it make sense? Yes sir. So if you go to the public subnet, you go to subnet... let's start from here, let's start from up. So if you go to subnets, oh, according to public one, you can do it either from public, but let's follow the runbook. So we go to the route tables, yeah, and we select the public route table. Remember that the public route table is already associated to the public subnet, so to actually make it public we need to add a route to the internet. So we click on routes, you go to edit routes. So if you see, just give me a minute, if you look at the routes on the route table, once you create the route table AWS by default adds the local route, like I said, to enable connectivity within the VPC. So now we want this route table to be able to reach the internet, we need to add a route to the internet. So in order to add a route to the internet we basically need to go to, click on
add routes. So that's the destination, right? Yes, and destination 0.0.0.0/0, basically this means all IPv4 IPs in the world, that's what it means, all IPv4s, and there are billions of them if I'm correct, and the target, great. So what this means is, and you click on save changes, and let me explain something here. Oh great, so now if we look at our routes, right, this is our route table, this is our route table for the public subnet. Now we have a route inside that says 10.0.0.0/16 local, do you see that? Yeah. What this means is, remember we said the /16 has what, 65,000 IPs, so for any device, EC2 instance, a pod or what, that you would use in the subnet, any device that has an IP from this range, once you're sending traffic between two devices with an IP within this range, it is going to use a target local and it's going to stay within the VPC. But any device that is not within this range, then it would fall in the range of 0.0.0.0/0, then it goes to the internet. Does it make sense? Yes. Say that again please, can you repeat that? Yes, I want to... So we have two routes on the route table, one is local and the other one is 0.0.0.0/0. Like I said, 0.0.0.0/0 means every IPv4 in the world, so for short, the internet, so every IPv4. But we have two routes on this route table, there is one that says local and there's one that says IGW, that has target local and one IGW. Remember we said the 10.0.0.0/16, this is the CIDR range of the VPC, if you remember very well, this is not the CIDR range of the subnet, it is the CIDR range of the VPC, do you remember that? Can you see that? Great. So what this means is, if there are two EC2 instances, I'm not sure you've done EC2, but there are two servers inside your subnet, both servers would take an IP from this range, remember we said there are 65,000, so any server you launch inside this VPC is going to collect one IP from this range. So you can have what, 60,000 servers inside, everything being equal, not considering AWS
limits. So if you have 60,000 servers inside this VPC they are going to all collect a private IP from this range. So if one IP, let's say we have 10.1.1.1/32 which is from that range, 10... 10.0.1.1/32 which is from that range, and 10.0.2.2/32, these are two different servers from the same VPC range, inside the same VPC. If server one makes a ping to server two, because they are both within the 10.0.0.0/16 CIDR range, they're going to use the target local and the traffic is going to stay within the VPC. Got you? But now if the server is making a call to Amazon, I think if you do Amazon, it is different, it's going to be out of this range, then it's going to not know where Amazon is, because Amazon's IP would fall within the 0.0.0.0/0 range, and because it's not within the local range it uses the IGW and goes out to locate Amazon's server. Make sense? Is this, if you, whatever you say, had two VPCs, if you had two VPCs that are not in this range, right, would it still go through the internet gateway if you have two different VPCs? So if you have another VPC which you want this VPC to talk to, that's your question? Yeah. Then in this case you add another route, and in the place of destination you would put the CIDR range of that VPC. Okay, so in that case, I see. I think as we go ahead you get it, they say, what's the word, specific prefix takes priority. So in this case, because we've specified the CIDR range of the next VPC which we want, AWS has the intelligence to use that target which we have for the VPC. When we go to VPC peering, I think professor is going to take it tomorrow, and other things, you will see what I mean here. So in that case, for this VPC we would come to target destination, we go to edit route, add route, in the destination we will put the CIDR range of the next VPC and put a target, if it's going through the VPC peering, if it's going through the VPN, or if it's going through the internet. So I have a
question. You know, for example, you have an organization and the IP of that computer is 10.0.0.1, and Victor's computer in my organization is 10.0... like let's say... well, it cannot be one because AWS takes the one, so it's 10.0.0.2, so that's the IP that you have in your organization. Now in my organization I have the same IP address and Victor has three. So from what you're saying, I will be able to ping, if I do ping 10.0.0.3, I'll ping Victor. But if Victor wants to ping you and does it at 10.0.0.2, how does AWS know that the traffic needs to come to me and not come to you? Okay, that's a very great question, and this is when we have to start dealing with what we call NAT, Network Address Translation, because remember, your IPs are all internal, and they're all internal in your own network, it does not know the other network, so you need to tell it where to go to. So in your route table you will tell it what gateway to go for. For example, if you have an attachment to me, right, in your route table I will say if I want to go to Victor then use the gateway that goes to Victor. Then it means that the route table, in that sense, will know that oh, if I see this IP I have to use this gateway and I'm going to Victor, or I'm going to Mao, or to Jud. That's a great question, but I think the question will answer itself once we finish networking. I think it's something we would cover going forward, and to be honest it's something I faced a lot. I worked in a very complex environment in which we had a lot of overlaps. So, long story short, you would define that in your route tables and specify the gateway it needs to go to. So basically you're telling it that please, if I see this IP use this target, this target device, and go to Jud; if I see this IP use this target device and go to Luna. Okay, makes sense? Yeah, it makes sense. And mizab also
asked, and I thought I didn't want to answer the question, but is that the same thing as the intranet? I want to say yes but I don't want to say, but I'm not sure, because the internet is just computers, they're all connected to each other through the same network. So is that... intranet is basically your internal network. So for example, companies: when you are a company, you have an office in London, you have an office in Chicago, you have an office in, where, in Lagos. So you want all these different offices to be able to communicate internally, so you can build a network so that if Lagos wants to talk to Chicago their traffic flows only within your network, and that's some sort of your intranet. It also happens as you connect your AWS environment to, now most companies are hybrid, so they have a footprint in the cloud and a footprint on-prem, but they do not want their traffic to go to the internet to on-prem, so they build something in between their AWS and their on-prem environment, and it still stays private, so that's still your intranet. So isn't that the same thing as a virtual private network then, as a VPC? VPC, in the terms of cloud computing, it's virtual private. It means for example Leonard has this VPC with 10.0.0.0/16, I can still have 10.0.0.0/16 in my own environment. That's Leonard's private space in the cloud, so Leonard can build his applications in his private space and connect that to his on-prem if he wants to, right? Right, I got it, thank you. Thank you there. Hello? Yeah, we're great here. So Leonard, what's the next step? I just tried to create security... I think we were supposed to create security, so I don't know if we talk about that, but it said we were supposed to do the security, that one I just tried, out of the box. You mean the NACLs or the... yes, yes. So let's go ahead please. Are we together? Yes sir. I think my internet is a little bit unstable because
I think you froze. So let's continue. Okay, next one, I think it's NAT Gateway, right? Next it's the gateway, NAT Gateway. You do the gateway first before the NACLs, but NAT Gateway is downstairs. So now let's configure one-way connectivity to the internet using the NAT Gateway. So basically there are two types of NAT gateways there, public NAT and private NAT. So if you want to go to the internet you would use public NAT, which is basically placing that in the public subnet, and if you want to enable just private connectivity then you would use a private NAT. Private NAT is actually a feature which is not that old, I think it was launched two or three years ago. So before, if you had this overlapping thing and you wanted to deal with that, you would have to build your own server that does DNAT and SNAT and stuff like that. But, because I consider the NAT to bring outbound-only access, and it sits in the public subnet, so how, and the NAT is like a replacement for the NAT instance, so how does private NAT... basically it does the same thing, but now it's for private connectivity. So you want to go to the internet, you use the public NAT in a public subnet. For example, let's say you have your on-prem CIDR, right, and your on-prem CIDR kind of overlaps with some VPC which you want to connect to, because companies are merging every day, so maybe you're merging with a company that already has a VPC with the CIDR range which you're using. So in order to enable that connectivity you would use private NAT. You don't want to go to the internet, you basically use a private NAT, you place the private NAT in a private subnet, it does the same thing. When you say on-site, I am a little bit... okay, now network, does that make sense? Network, okay, I thought like, network, connect to the VPCs, maybe two things like DX connection or things like, how do we call this, a VPN? Yes, there are so many layers in that connection,
I think you will understand it once we get there. So these are different layers, you... it's still a gateway. How do I leave my subnet? I go to the gateway device. How do I connect the VPC to the on-prem network? I have my VGW, or how do you... the VGW, in this case it's just like the internet gateway, you attach the VGW to the VPC, then you put your VPN on it, but we'll get to it as we go along. Thanks, great. So let's create our NAT device, so we just go to the VPC dashboard, scroll down, NAT gateways, and you do create NAT. So we give our NAT Gateway a name and we select the subnet. So by default if you look at the connectivity type it says public, so we will need to select a public subnet. So this is what I mean, so if you look at connectivity type here it says public, so for that we will need to place our NAT Gateway in a public subnet. You selected a private subnet. I selected a public... No, your subnet is private according to your tag. Yeah, this is private, private. Public one or public two. Okay, okay, okay, yeah, yeah, sorry. So any of them should work, any of them should work. Okay, sorry, not for the record. So once you select the public subnet then you need an elastic IP for your NAT device. So if you go to select an elastic IP, you have no IPs already in your account or your region, so because it's the first time you need to allocate an elastic IP, it provides one for you. So should we create... can you hear me now? Great, I think my headset ran out of juice, just connected it. So should we create it now? So we are all here, you can then create your NAT Gateway. How did you get the elastic IP again? So it gives you the option to allocate or select an elastic IP if you already have one in your account. So if you scroll down to elastic IPs, yeah, you see something like this, it's not highlighted, but I'm sure, I'm not... name it. Yes, not highlighted because you've not given a name, you've not taken a subnet, and stuff like that.
Once you do that it becomes highlighted. So the one you allocated was not what we created, right? But then the elastic IP that was allocated was not... we didn't create that elastic IP. Yeah, we are allocating it because we do not have one. Okay, so there's an option to select an elastic IP, so if you already have one in that account or that region then you'll see it here, but because we do not have one, if you go to the drop-down menu it's empty, so you can just click on allocate elastic IP and AWS will allocate one for you in the background. Yeah, so go back to VPCs, the VPC dashboard, just to see. If you go now to elastic IPs, scroll down, you'll see elastic IPs somewhere left, here, here, here, elastic IPs, okay, yeah. So we should see one now because we've been allocated one. Can you scroll to your right? Okay, go ahead, go ahead, go ahead, scroll to the left. Say, can I just rename it and put public? You can, you can rename it. Are we together? Yeah. So once that device has been created, remember we want to enable one-way connectivity to the internet, meaning in your environment you can have servers which are private, running in the private subnet. For example you can be running Ubuntu in your private subnet, Ubuntu servers in your private subnet, you can be running servers in the private subnet that are using open source applications like PHP, web... how do you call it, what, WordPress and stuff. So these are all applications that are version controlled, right, so there are upgrades, new versions every day, and you want to upgrade these applications from time to time, but the server is in the private subnet. How do I go to the internet to get new updates? That's when we need to enable this one-way connectivity, so your server can go to the internet, get software updates, but nothing from the internet can reach your server directly. Are we together? Yeah. Great, so in order to enable one-way connectivity from
our private subnet, just like we enabled public subnet connectivity by targeting the IGW, we need to add a route to the internet using our private NAT. If there is a question you just ask. So in this case we will go to our private route tables, so you just go to route table, this is a private route table, select the private route table and you select routes, edit routes, so add a route. So the destination of our route is the internet, so we want servers in the private subnet to be able to reach the internet, so destination internet, 0.0.0.0/0, target NAT Gateway, so this should now give you the NAT Gateway which you created in the public subnet, and you save the route. Are we together? If there is a question please just ask. Now let me explain what happens here. Yeah, hello? Yeah, we're getting. Great, so what happens here is your servers in the private subnet, they want to go to the internet, but they don't have connections to the internet gateway, but they are going to the NAT device. Remember we placed the NAT device in the public subnet, so it means this NAT device, because it's in a public subnet and that public subnet has a route table with a route to the IGW, then that device itself can go to the internet. You follow me? Yes sir, yeah. So now we want servers in the private subnet to also go out to the internet, unidirectional, just go, one-way traffic, go grab your software updates. So for that to happen, once a server in this private subnet wants to go to the internet, the traffic is sent to the NAT Gateway, because you remember we said target NAT Gateway. So the NAT Gateway does what we call Network Address Translation. Basically if your server was 1.1.1, it takes the IP of that server, 1.1.1, which is your private IP for your server, it masks it, it basically removes the 1.1.1 and encapsulates that traffic with its elastic IP, which we allocated to the NAT device, and then sends that traffic to the internet through the internet gateway.
So the server on the internet, for example Amazon.com, or if you are going to the Ubuntu open source repository, it will receive traffic or a request from your private server as if it's coming from the NAT device. So it would not see the 1.1.1 which is the private IP of your server in the private subnet, but it would see the IP of the NAT Gateway. Does it make sense? Yes sir. Great. So the server in the... Please can you explain this point again please? Okay, remember we are using NAT gateways for outbound one-way traffic. It means, let me quote you a common scenario, you're running servers in your private subnet, because you have your subnet and you're putting servers inside there. These servers are running applications, for example Ubuntu, for example PHP, for example WordPress, these are all applications used for different purposes. So these are applications that maybe your team, your company, did not build, they're using open source applications. So from time to time the project that developed that software is updating, so you in turn need to also update your software running on your machine. If you're using your, how do you call it, your OS, if you're using Windows or you're using Mac, from time to time you need to upgrade your OS, right? So you're upgrading software that is running in the operating system by making a call, an API call, to the endpoint. So in this case our server is running in a private subnet and it's running applications that also need upgrades, but because we want this to stay private, we are giving that server the ability to go to the internet and grab updates, but somebody on the internet cannot initiate that communication. So I cannot communicate to that server directly, but the server can come to me, grab what it needs for its application updates. So in this case what happens is, your server in your private subnet goes to the internet through the NAT Gateway, and the
NAT Gateway basically does what we call NATing, which is Network Address Translation. What happens is the server takes the IP address of the NAT device... the NAT device takes the IP address of your server, so once it receives traffic from your server it removes its private IP and replaces that with its own IP address and makes that call to the internet. So the server on the internet receives traffic thinking it's coming from the NAT Gateway, not knowing it's coming from your private server, your private subnet. So it receives that call from the NAT Gateway, does what the request requested, or the traffic requested, for example if I want to upgrade my application it gives the packages to upgrade the application, and it sends back that request to the NAT Gateway. It doesn't know that it's a private server in a private subnet that is making that request. Once the NAT Gateway receives that response, it peels off, it removes its IP which it replaced in the outgoing traffic, with the destination server IP, and sends it back to the private server. Make sense? Yeah. Okay, so that means one can only see... if somebody wants to see your IP, they only have access to this IP on the NAT Gateway? Yes, the server on the internet would only see the IP address of the NAT device, it doesn't see the IP of your private server in the private subnet. Okay, so it thinks that it's the NAT device that's actually making that call, but the NAT device is just a middleman. It peels off the private server... replaces that private server IP with its own, then pushes the request to the internet. Once the response comes back it does the DNAT thing, which basically removes its own IP which it replaced, puts back the private IP of the server which initiated the request, and sends it back to that server. Remember there can be hundreds or thousands of servers behind this NAT device, so the NAT device would have that intelligence to say oh, this
came from 1.1.1, send it back to 1.1.1; if this came from 2.2.2, send it back to 2.2.2. Does it make sense? Yes sir. But all the servers on the internet, all they see would be the IP address of the NAT device. Okay, this is... would that be for security, or... That is for security, because your server is in the private subnet, the initial goal was to keep it private so nobody sees it, but you need to go to the internet to get updates, for example software updates. Yeah. Does the NAT Gateway actually go through the internet gateway as well, or does it go... It goes through the internet gateway, remember we placed that NAT device in the public subnet and that public subnet has a route table that has its own target as IGW, remember? Yeah, yeah, that was going to be my question. So the first time I created that NAT table I made a mistake and put it in the private subnet, but for some reason it allowed me to do that, it didn't throw exceptions or anything, but I reckon that's a problem, right? It would just work? It wouldn't just work, it would just drop it. Yeah, it has to be a public subnet, yes, that has internet gateway access. It has internet gateway access, but if you're using private NAT it can be in a private subnet, but remember now in that case it would go to the VGW or something like that. Yeah, great. Quick question, Prof. Yes, yes. So the scenario, there's a scenario I'm just wondering, I know it's out of scope, the private NAT is actually something that I've been scratching my head about. So the resources that you want to actually target in the private NAT are within your establishment, within your corporation? Can you pull up the diagram if possible? I just wanted to, you know, the actual, the original diagram, that would help me. This one, right? That one, that one. So where will the objects that... where would, if there was a private NAT somewhere, right, where would they be,
because obviously they're not on the internet, right? We're not, in this case... In this case I think I understand the question. In this case, give me a minute, in this case we will not be having an IGW here, we will be having something they call VGW, virtual private gateway, or transit gateway. And in that case now we will place our private NAT in another subnet, in a subnet... remember, for example, in this case our NAT is in a subnet that has a route to the target IGW, yes, right? But now we want to use a private NAT, it would place the private NAT in a different subnet, that the route table of that subnet now has its own target as a VGW. Ah, so this VGW now gives us connection to the VPN. This is where, when you're creating a VPN, you attach it to the VGW, and here you will have your on-premises. Yeah, makes sense? Yeah, yeah, okay, that's the scenario I was trying to understand. So we'll be trying to link, as it's still private but it's on-premises. On-premises, yes, it's private, it's on-premises, it's going out to the VGW, the VGW is a gateway that goes into your VPN tunnel. VPN tunnel, okay, thanks. The IGW is a gateway that goes to the internet, so in this case, remember, the public NAT is in a public subnet, that public subnet has a route table that has a target to the internet which is IGW, but if I'm going on-prem I would put my private NAT in a subnet that has a route that has a target which is a VGW that goes into my tunnel. And where is the VGW, it resides in what... what resilience, where does it reside? AWS handles resiliency, just like internet gateways, so you create your VGW and you attach it to the VPC. The VPC, yes, just like IGW, so once you create a VGW, attach it to the VPC, once you want to do a target and you select VGW then you will see it as a target, that I want that to be my target for such and such, for so and so destination. Got it, thanks. Great, can we continue? Almost 11, so I think you're supposed to end at 11. What is left?
what is left is um um what Naros it's creating Naros I think that's just all intern on your run book we have just to create your your nles which is youring pardon VPC pairing has not been T so we will do that once uh Prof suzan covers VPC pairing okay it's part of this WR book it it's uh we do that once VPC pairing has been covered I'm not so sure she T VPC pairing already did she no great then the next the security I'm sure she we did the security already did it to right security groups you talking and the network AC YES Network AC I'm saying that that's what is left so we can also end here you can also end here and we do that first 10 minutes during our next demo before we go to um VPC pairing you can also just look at the Run book and so that um uh next handson session you can easily follow up is that okay or it's fine with me if you can give us 10 15 minutes to continue it because I think it's your yes let's let's let's grab over the knuckles then great so let let's go with knas so create and configure knuckles for public facing resources so just like all the other uh devices you go to network ACLS and you create a knle Network address control [Music] list so you give your KN name as you're giving all other AWS resources names you select the VPC that you want the N to be in and you hit create so you're creating a public kner for the public subnet so it's always good to put um public like I said so you know so public Jo Joe public knos something like that so that you know Jo public and we create our knle so we need to associate the knos just like we did with rout tables to the public subnet so you select the knos and you go to subnet associations please during uh the session just don't click try to understand what you're doing okay yeah get the concept and read yeah a lot of reading yeah so you associate because it's a public knco you have to select the public subnets did we already associate our to public subnets yes no I see no Subnet in the region associated 
with I was just waiting for you so okay so we associate the public n to public subnets we save changes okay so like proor said all the Naros is you need rules for it to do what he needs to do so you need to select the narles and you can see that you have inbound rules and outbound rules okay so in order to edit inbound rules you select inbound rules and a it inbound rues so this is the default this is the default inbound room look at this pleas just go back yes yes go back to knus go back to knos just go back one one one t again yeah knos so click a knle which is um uh default yes go to one of the knos up this one yes so select one of them yeah comment your your custom own and you go to inbound r rules do you see it you have a first rule rule 100 which says everything is allowed this is the default once you're using Naros in your environment you need to know what you're doing because if you misconfigure this it can block a lot it can basically shut down your environment and make applications not not uh uh reachable so if you get into a project that is already live and environment applications are already live you need to really understand what you're doing when you're when you're playing with knos okay so by default AWS always gives you NCO all subnet must be associated with the knle so it gives you this with the default rules you remember it's evaluating rules in in order so the first rule already allows all traffic that's why by default when you create your VPC you can make you can connect to it you can go out because both inbound and outbound rules has default allow if you go to outbound rules outburn rules you would also see a default allow but now if you look at the rule which you just created the KN which you just created there is no allow room do you see that so you need to always make sure allow because AWS implicitly denies everything once you for custom Network address control yeah so you need to create the allow so go to in uh edit inbound rules so if 
somebody makes makes a mistakes you Inc knle and doesn't set the rules that's it you've lock you've locked you basically the subnets attached if you create the knle it's one thing once you associate that to a subnet that's where the problem is so before you associate it make sure it has the right rules yeah so knos a evaluate n rules in terms of order so the rule number the lowest uh rule lowest number is evaluated first and by their rules once traffic is allowed by a lower number it doesn't evaluate the next rules okay so you need to be very careful so we can add a couple of of rules to that to our inbound so we can add rule one so you just click on rule add rule number rule number one um type we want https traffic H just that typing it I think it would pop up that's it right down in the yeah H yep excuse me so SCE you can add another rule you can add multiple rules as you want I think I don't know the the limit here but it should be 100 let keep adding we have about four to add yeah for the for the demo you have about four rules to add so you have rule number one rule number two rule number three rule number two HTTP so rule number two type of traffic [Music] HTTP just type HT should be po up yeah you add um rule number three for SSH so basically this is inbound rules you are telling it that okay we allowing htps and HTTP traffic into this subnet we're allowing uh SSH traffic into this subnet so s SSH write down yeah so by default he uses Port 22 so these are wellknown pots for these different protocols I think you get to if you don't understand that or you don't you'll get it as you go along and there 22 and what else all traffic the last one is all traffic deny really so yes rule number one rule number two rule number three and Rule Number Four it says all traffic that's it just select all traffic and go to allow deny deny so what this rule is saying is for this subnet that is associated to this knuckle I want uh to be able to receive HTTP traffic https SSH so 
all other traffic will be blocked remember it says htps allow HTP allow SSH allow all other traffic icmp all stuff like that they all denied it means that if I place a a server inside and you do a ping ping is IC icmp protocol it w't work because you look at the rule number four it says all other traffic is denied on this for this subet for this subnet it means that every sub every server inside the subnet will not you would you would don't even get to the server because at the fire the firewall there's a there's a a fence at the level of the subnet that says oh icmp you're not allowed in so you can't get in can pink yes you can p but I have I have a question you know that last line that is grayed out that's the default that's the default yes so why why doesn't it take the default because it's the same is the same um rule as the number four almost only that there is no number I think it's like a number 100 or something yeah I think you're just giving it a rule number but I think if you remove the default it will still stay there so why are we not allowing the default take effect and we have to put an explicit number four instead of that's what I'm saying because we in this case maybe we giving it a r if you remove the rule number four and you do a save I think we should still see the default there but this is implicit this is okay okay okay s changes so do you understand what this does on the subnet this is inbound so it means that every everything that is inside the subnet will only allow those three protocols https HTTP and SSH s yes no ping there are environments that actually block ping okay God love are we going to be charged what we are doing right now are we going to be charged for for for for for how do you call it nles these things are free oh yeah but you'll be charged for your you'll be charged for the other one elastic IPS that's what you need to look at I think and I think you after that you can do commission that that is 4.5 cents an hour so just 
remind me again question again yes just quick question just in the spirit of this uh sort of a sequential um following of this rules if we um given that the very last one the one that has the ASAT is it's just set to deny that's the default um if we wanted to to allow all traffic all you needed to do just to create a role and just allow all traffic and so sequentially it starts with that rule and then it will yes and the rule should come before the deny remember it's sequential that's why you remember we're putting deny at the end because if we said all traffic deny as rule number one then we have rule number two would allow nothing happens because he already evaluated the first rule and it said deny so everything is denied okay thanks this is good thanks the order really matters the order really matters and this is the thing somebody goes into an environment makes changes and it's not working and he's saying the rules are there other matters something environment and the lower environment or everything is just one they are always different environments I think always different some have seven stages have a project that have play with environment you can only play with the environment don't play in the prod whatever they don't play yeah so so the effect will not Bebe the effect would not the effect would not be back in in prod because your end users are not affected but if you also go and you you pray playing in something like the staging environment and you do this your your team even though it's internal they will still say something is not working you need to fix it so most most environments always give you personal AWS account so you play there make sure that that thing is working before you carry it in and affect other okay colleagues that makes sense I wanted to find out that yeah okay so once we click on Save changes and all our rules should be there so we verify that we have those rules Leonard are you still with us yeah yeah yeah 100% see if the changes 
he's sleeping great so basically if you click on knos go to inbound rules and look at it now you see the rules that we already set okay here you see you still see the deny all there are you seeing um um um the person that asked the question the default rule is still there implicit rule is still there if you removed rule number four the effect will still take place okay okay great myu Knuckles are stateless they are not stateful it means this is inbound once you play with inbound if you create an uh uh uh uh if you associate this knuckle to the subnet it has both inbound and outbound so do not fix inbound and think that oh everything is okay and you forget about Unbound the traffic will come in but they CL outside will not get a respond not respond because if you look at your AR bound go to select your knuckle just scroll up yeah look at the album you'll still have the default deny all it means traffic can get into my Subnet nothing gets out okay so I would I would make a ping or I'll make I'll try to SSH into a server in this subnet and I'm looking at my terminal nothing is happening and I'm wondering where the problem is it w't show you the client connecting that oh there's no outbound but there is no outbound because been it has been blocked so you as a engineer your developers will only say I can't connect into this server I don't know what's happening you need to figure it out because you Associated a sub n to that subnet that hasn't got outbound rules and because knos are not stateful okay so once you edit inbound you also have to edit outbound so I think that's your take home you can adjust your your uh uh outbound knle rules and the next slid we would see what you did to to ensure that communication is right all right thank you are we together yeah so I encourage you guys to always take this pieces they in isolation it might not make sense but at the end of it you see the bigger picture everything will just fit I I think you can already see it now if the 
start saying just VPC you don't get it just just just not not nothing you don't get it but when you see how everything now connects together at the end of it then um um I guess it makes sense makes a lot of sense made a lot of sense yeah Prof one more thing can you tell us or well I have already cleaned up mine those who haven't cleaned up should clean up now or they will get charged yeah so you say we have to clean up the KN no the N gateways and the elastic IPS so you can just go to uh not gateways you click on it and you click on delete and if you need to disassociate the uh elastic IP will tellum delete not goodways type delete we will need this for VPC pairing no you don't need not get with forc pairing we need not giveways to go outside into the internet VPC pairing is bringing two private Network together okay so we are not going to the internet okay so it say you successfully deleted your not gway now verify that your elastic IP is there the thing is with elastic IPS AWS is once it's Associated to a device in in this case a not gway device they they don't charge you for it but if you dis delete your n gate with Device the elastic IP now will not be in use and they start charging you for it I I got that experience myself so I got charge so it me make sure that once you delete a device that is using an elastic IP you also have to disable or deleted elastic IP or a start charging you because this elastic IP which you have now 54243 once you release this and another person makes a request for elastic IP they just ask give the person this so if you're keeping it you're not using it you're blocking some other person you should pay for it release it [Music] then so release elastic IP address so you're releasing it back to AWS so take it and do what you want all right thank you guys done it says you can all right thank you cannot be released with Associated IP check your night Gateway if it's already deleted yeah I don't think it finished deleting yes it it would 
it will be released after not giveway has been deleted okay it's done now it says deleted now so go back to the elastic IP and let's see try to release it again can be cannot be released with Associated ID that means you scroll to the left yes this associate elastic I IP address go back to um elastic IPS go back just go back to elastic IPS click on it [Music] actions this gr out is gr out why great out should be release elastic IP yeah go why do you have two now so maybe there is refresh your just refresh your P let's start from there brows refresh top left top left I already did he refreshed it okay yeah go action is a disabl transfer that one so so go to actions dis enable update enable disable click disable cannot transer disable transfer I think I think the problem is with the actual um you need to write disable haven't you you need the small box you need to write disable you're not suppos you canite canite cannot you cannot write it no the problem is with the actual n n we needed to disable release the IP before deleting the na it did he released it before deleting the before can you go can you okay is there I deleted it yeah can you go can you go back to the wait wait go back to the N let me see the actions no can you go to the elastic IPS again just I'll delete I'll delete it from here now don't be worried about him he'll figure it out he's a genius do it did it disappear I'll refresh the you do I I'll let you know if it disappear or not oh you can do it I did just like you so let me see delete it it so I I went to view details to do it but I don't know why it's still there t time say deleted my own come tomorrow de can you go to elastic IP but it has not been released click on it go ahead click on it go back go to action no no no not not that just go back okay okay you can do this yeah release release release elastic I go for now so you're you're you're fine you to open open the tab inside no yeah it takes time just keep refreshing it and you'll be good 
yeah see you tomorrow right all right guys good night thanks God good night everyone okay good night thank you well thank you thank you so much BR God love who stopping I'm to good night good night guys good night good night good night
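Appended after the session as an added worked example (not part of the class transcript and not AWS code): a small simulator of network ACL evaluation that reproduces the two points the instructor stressed. Rules are evaluated in ascending rule-number order, the first match wins, and the greyed-out asterisk row is an implicit deny; and NACLs are stateless, so the reply to an admitted SSH request is checked against the outbound rules on its own. The rule numbers mirror the demo (1 HTTPS, 2 HTTP, 3 SSH, 4 deny all, custom NACL with no outbound rules); the client and server addresses, the ephemeral port, and the 1024-65535 outbound range used for the take-home fix are assumptions.

```python
"""Simulate AWS network ACL (NACL) evaluation: ordered first-match rules with
an implicit deny, checked statelessly in each direction.

Constructed example, not AWS code. Addresses, ports and the ephemeral range
are assumptions chosen to mirror the class demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple, Union


@dataclass(frozen=True)
class Rule:
    number: int        # lowest number is evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # destination port range; ignored for "icmp"/"all"
    port_to: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.port_from <= pkt.dst_port <= rule.port_to):
        return False
    remote = pkt.src if direction == "inbound" else pkt.dst
    return ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)


def evaluate(rules: Iterable[Rule], pkt: Packet, direction: str) -> Tuple[str, Union[int, str]]:
    """Return (action, rule_number) of the first matching rule in number order,
    or ("deny", "*") for the implicit default shown greyed out at the bottom."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action, rule.number
    return "deny", "*"


def stateless_check(inbound: Iterable[Rule], outbound: Iterable[Rule], request: Packet) -> dict:
    """Evaluate a request entering the subnet and its reply leaving it as two
    unrelated packets, which is what a stateless NACL does. A security group
    would have admitted the reply automatically; a NACL does not."""
    reply = Packet(request.protocol, request.dst, request.dst_port, request.src, request.src_port)
    request_verdict = evaluate(inbound, request, "inbound")
    reply_verdict = evaluate(outbound, reply, "outbound")
    return {
        "request": request_verdict,
        "reply": reply_verdict,
        "session_works": request_verdict[0] == "allow" and reply_verdict[0] == "allow",
    }


ANY = "0.0.0.0/0"
# Inbound rules exactly as added in the demo: HTTPS, HTTP, SSH, then deny everything else.
DEMO_INBOUND = [
    Rule(1, "tcp", 443, 443, ANY, "allow"),
    Rule(2, "tcp", 80, 80, ANY, "allow"),
    Rule(3, "tcp", 22, 22, ANY, "allow"),
    Rule(4, "all", 0, 65535, ANY, "deny"),
]
# A freshly created custom NACL has no outbound rules: only the implicit deny applies.
CUSTOM_OUTBOUND_UNTOUCHED: list = []
# Take-home fix (assumed range): let replies leave towards the client's ephemeral ports.
OUTBOUND_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, ANY, "allow")]
# What the default NACL looks like: rule 100 allows everything.
DEFAULT_NACL = [Rule(100, "all", 0, 65535, ANY, "allow")]
# Misordered variant from the Q&A: deny-all as rule 1 shadows every later allow.
DENY_FIRST = [Rule(1, "all", 0, 65535, ANY, "deny"), Rule(2, "tcp", 443, 443, ANY, "allow")]

# Constructed traffic: client 203.0.113.10 (ephemeral port 51234) to a server at 10.0.1.5.
SSH_REQUEST = Packet("tcp", "203.0.113.10", 51234, "10.0.1.5", 22)
HTTPS_REQUEST = Packet("tcp", "203.0.113.10", 51235, "10.0.1.5", 443)
PING_REQUEST = Packet("icmp", "203.0.113.10", 0, "10.0.1.5", 0)

if __name__ == "__main__":
    print("ssh, outbound untouched:", stateless_check(DEMO_INBOUND, CUSTOM_OUTBOUND_UNTOUCHED, SSH_REQUEST))
    print("ssh, ephemeral outbound:", stateless_check(DEMO_INBOUND, OUTBOUND_EPHEMERAL, SSH_REQUEST))
    print("ping inbound:", evaluate(DEMO_INBOUND, PING_REQUEST, "inbound"))
    print("https, deny-first:", evaluate(DENY_FIRST, HTTPS_REQUEST, "inbound"))
```

Running it shows the symptom described in the session: the SSH request is admitted by rule 3, but with the untouched custom outbound list the reply hits the implicit deny and the client's terminal just hangs; adding the ephemeral-port outbound allow makes the session work, ICMP is dropped by rule 4, and a deny-all placed at rule 1 silences every allow numbered after it.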