00:00:00
what's up everybody it's Travis here
00:00:01
from Travis dot media after today's
00:00:03
video you are finally going to
00:00:05
understand basic AWS networking I
00:00:07
guarantee it because I'm going to
00:00:09
explain it all to you but before we get
00:00:11
started let me give you a short
00:00:12
backstory about three years ago I
00:00:14
switched over in my job to a site
00:00:16
reliability engineer and I got put on a
00:00:19
team of like 30 people most of whom were
00:00:21
not primarily programmers in their
00:00:23
previous careers we had system admins we
00:00:26
had network admins we had cloud
00:00:28
architects we even had one guy that
00:00:30
worked at Dell like 20 years ago all of
00:00:32
these guys and girls were like way over
00:00:33
my head in experience and I immediately
00:00:36
got thrown into the cloud with everybody
00:00:37
and everybody understood it and they
00:00:39
were architecting and doing all these
00:00:41
diagrams and planning all this stuff and
00:00:43
I didn't know what I was doing because I
00:00:45
was primarily a programmer and I
00:00:47
eventually came up to speed within a
00:00:48
couple of months but looking back I see
00:00:50
that my biggest struggle was networking
00:00:53
as programmers we don't have to do a lot
00:00:55
of networking we write code and we build
00:00:57
apps but we don't have to understand VPC
00:00:59
and subnets and route tables and
00:01:01
gateways and all of those things so I
00:01:03
decided to make a video for programmers
00:01:05
if you're one of those people who wants
00:01:07
to get into the cloud or is looking to
00:01:09
move up to a senior level and need to
00:01:11
learn these networking Basics then this
00:01:13
video is going to be for you so in
00:01:14
today's video I'm going to teach you
00:01:16
basic networking and I'm going to use
00:01:17
AWS as our example and I'm going to do
00:01:20
it practically it's not going to be a
00:01:21
theory it's not going to be PowerPoint
00:01:23
so we're going to look at the
00:01:24
architectural diagram of what we're
00:01:25
building we're going to step through
00:01:27
that we're going to look at terminology
00:01:29
what each of these terms mean like vpcs
00:01:31
subnets route tables NAT gateways and
00:01:34
then we're going to go in AWS and build
00:01:36
this out practically and see these
00:01:38
things in action and we're going to
00:01:39
cover a lot of neat topics like CIDR
00:01:41
ranges and you'll even see my quirky
00:01:43
way of explaining it so go make you a
00:01:45
pot of coffee sign in to AWS and let's
00:01:47
get started and as always if you find
00:01:49
this helpful give it a thumbs up and
00:01:51
consider subscribing to the channel
00:01:52
let's go alright so here's our final
00:01:54
diagram of what we're building
00:01:56
so we have a VPC and we have all of
00:01:58
these components within it so if I get
00:02:00
rid of all this and bring us to the
00:02:01
starting point we just have the AWS
00:02:03
Cloud so if you go and log into AWS
00:02:06
you'll be all caught up with me now
00:02:08
within AWS you have things called VPCs
00:02:11
so a VPC or a Virtual Private Cloud
00:02:14
works like a private network to isolate
00:02:18
the resources within it so a VPC is like
00:02:20
a fence around a bunch of resources it
00:02:24
separates all of your resources within
00:02:26
it from another VPC with all of its
00:02:28
resources in it so let's add that to our
00:02:30
diagram now we have a VPC but like I
00:02:33
said this is not a theoretical video
00:02:34
this is practical so let's go and create
00:02:37
one in AWS so to do that just go up here
00:02:39
to search type in VPC and click on VPC
00:02:43
all right then select VPCs so here you
00:02:45
see we have our default VPC and that's
00:02:47
it so let's create a new one so that we
00:02:49
can build out all of our components so
00:02:51
click on create VPC and you can now do
00:02:53
VPC and more which gives you a VPC,
00:02:56
gives you four subnets three route
00:02:58
tables two network connections we're
00:03:01
actually not going to do this once you
00:03:02
go through this video and you understand
00:03:03
all of these services or all of these
00:03:05
pieces then you can go and do this quick
00:03:07
start but until then let's do it
00:03:09
manually so click VPC only
00:03:12
name tag I'm just going to call it my
00:03:14
new VPC and next you have an IPv4 CIDR
00:03:17
block so what CIDR range is this VPC
00:03:19
going to fall within now this was a big
00:03:22
thing for me a big hurdle for me when I
00:03:24
started out like what is a CIDR range
00:03:26
right and what is this /24 and why
00:03:29
am I doing that so let me give you a
00:03:31
quick rundown like a like a dummies
00:03:32
guide to this
00:03:34
so the way I like to look at it is if I
00:03:36
do what they have here they have
00:03:38
suggested
00:03:39
10.0.0.0/24. so here's the way I explain
00:03:42
this and it's not going to be
00:03:44
conventional and people are going to
00:03:45
give me a hard time but let me tell you
00:03:47
you'll remember it after this so each
00:03:49
one of these numbers is called an octet
00:03:51
and each one represents eight bits and I
00:03:54
actually wrote an article here on medium
00:03:56
explaining it but basically each one of
00:03:58
these is eight bits and if you add them
00:04:00
all up that's 32 bits so the way I do it
00:04:03
is if you see a /24 this means the
00:04:07
first one being eight second one being
00:04:09
16 and the third one being 24 this only
00:04:12
lets you change the IP range on the last
00:04:14
number if you have
00:04:17
10.0.0.0/16 you start at the beginning
00:04:21
so this is eight this is 16 and those
00:04:24
are locked you can only change the
00:04:26
numbers or the ranges on the last two
00:04:28
numbers
00:04:29
and of course if you have 10.0.0.0/8
00:04:34
that means you can change the numbers
00:04:37
on the last three octets
00:04:41
hopefully that makes sense that's the
00:04:42
way I remember it it's not technical but
00:04:44
it really helps me out and I think I
00:04:46
have the numbers here
00:04:48
that might help you out a little better
00:04:49
so if I paste this in so /24 if you
00:04:52
see here the IP addresses are
00:04:55
10.0.0.1 through
00:04:58
10.0.0.254. see how we're only able to
00:05:01
change the last one we have 1 through
00:05:03
254. the 10 0 0 don't change we got the
00:05:07
/16 we got 10.0.0.1 through 10.0.255.254.
00:05:14
so you can't change these first two on a
00:05:17
/16. so anyway I think if you remember
00:05:19
that you won't have any problem with
00:05:20
this going forward you can't explain it
00:05:22
technically to people who are like
00:05:23
purists but we're not trying to do that
00:05:25
we're trying to be practical and
00:05:26
understand things in our own way and I
00:05:28
think that'll be helpful for you so what
00:05:29
I want to do here is I don't want this
00:05:30
/24 I actually want to do
00:05:33
10.0.0.0/16.
00:05:34
so that means these first two
00:05:37
numbers are locked I can only change the
00:05:39
ranges in the last two numbers that's
00:05:41
where I want to start this that gives me
00:05:43
a lot more IP addresses than a /24.
00:05:46
and if you look this up IP range IP
00:05:49
subnet calculator we're going to get to
00:05:50
subnets in a minute but if I just type
00:05:52
this in
00:05:53
10.0.0.0 and then I change this to /16
00:05:57
you'll see we have tons of IP addresses
00:06:00
calculate and you have 65,500 and
00:06:03
something IP addresses you can play with
00:06:05
because we have 10.0.0.1 through
00:06:09
10.0.255.254. and we'll use this in a
00:06:11
minute when we get to subnets but but
00:06:13
remember my dumb down version and you'll
00:06:15
do well so let's set that IP CIDR let's
00:06:18
leave tenancy default I don't need any
00:06:20
tags it sets One automatically but I'm
00:06:22
just going to click create VPC to create
00:06:25
it and now you have a VPC with this
00:06:27
CIDR range so if we go back to our
00:06:28
diagram we're good to go there now
00:06:30
within a VPC you have these isolated
00:06:33
networks in these different CIDR ranges
00:06:35
called subnets and the terminology is
00:06:38
this a subnet is a defined set of
00:06:40
network IP addresses that are used to
00:06:43
increase the security and efficiency of
00:06:45
network communications you can think of
00:06:47
them like postal codes used for routing
00:06:48
packages from one location to another so
00:06:51
anyway they're just these defined set of
00:06:53
IP ranges and what you normally see here
00:06:56
is a public subnet and a private subnet
00:06:59
so you have a public subnet for all of
00:07:01
your public applications and a private
00:07:03
subnet for things that you don't want to
00:07:05
be public so let's add that to our
00:07:06
diagram first to see what we're doing so
00:07:09
we're going to be creating a private
00:07:10
subnet and a public subnet, two subnets so
00:07:13
let's go back make sure you're in the
00:07:15
VPC dashboard and click on subnets and
00:07:17
we have all these default subnets we
00:07:19
don't have to worry about those but go
00:07:20
up here and click create subnet
00:07:23
select your VPC ID this puts your
00:07:25
subnets within that VPC so I'm going to
00:07:27
select my new VPC the one we just
00:07:29
created and subnet settings so subnet
00:07:32
name let's do public subnet now
00:07:35
availability zone what you normally see
00:07:38
people do is they create two public
00:07:39
subnets and two private subnets one
00:07:42
being in different availability zones so
00:07:44
you'll make a public subnet in this
00:07:47
availability zone and another public
00:07:49
subnet in this availability zone you'll
00:07:51
do the same for private you'll put one
00:07:52
here and one here that way if an
00:07:55
availability zone goes down you have
00:07:57
high availability by having another
00:07:59
availability zone available to serve
00:08:01
your applications but we're not going to
00:08:03
do that today because we're keeping this
00:08:04
basic so we're just going to do one
00:08:06
public and one private so this is going
00:08:08
to be a public subnet I'm just going to
00:08:10
choose us-east-1a all right now IPv4
00:08:13
CIDR block what are we going to do here
00:08:15
well it has to be within this CIDR
00:08:18
range 10.0.0.0/16 we're going to make it
00:08:21
easy a lot of the times people want lots
00:08:24
of private and not as many public
00:08:26
because not as many things are going to
00:08:27
be public for this demonstration it
00:08:29
doesn't matter so let's do let's do what
00:08:31
it gives us here
00:08:32
10.0.0.0/24.
00:08:34
that means we'll only be able to
00:08:36
take this from 1 to 256. this last octet
00:08:40
and that's our public subnet let's go
00:08:42
ahead and add a new one you can click
00:08:43
this add new subnet here and let's
00:08:45
create the private subnet so let's do
00:08:46
private subnet
00:08:49
and availability zone doesn't matter I'm
00:08:51
going to choose the first one
00:08:52
in this one we're going to do
00:08:55
10.0.1.0/24.
00:08:59
and that again allows us 254 here and
00:09:02
it's going to be different from the
00:09:04
other subnet because this one is 1.0
00:09:06
whereas the other one is 0.0 hope that
00:09:08
makes sense and so we have our public
00:09:11
subnet and our private subnet so let's
00:09:13
click create subnet to create both of
00:09:15
those and one thing about a subnet is
00:09:17
you have to have a subnet to launch
00:09:19
resources in your VPC
00:09:21
so you can't just do a VPC and then
00:09:23
launch an EC2 instance you have to have a
00:09:25
subnet to put resources in so now that
00:09:27
we have a subnet let's go ahead and
00:09:28
launch an EC2 instance and we're going
00:09:30
to launch it in the public subnet so
00:09:32
let's go to our diagram
00:09:34
go to the next step here which is going
00:09:36
to be our EC2 instance so we're going to
00:09:38
launch an EC2 instance into our public
00:09:40
subnet so we have a VPC we have a public
00:09:43
and a private subnet and we're going to
00:09:45
launch an EC2 instance in our public
00:09:47
subnet so I'm going to come back here
00:09:48
and under Services I'm going to click on
00:09:50
EC2 and open a new tab and I'm going to
00:09:54
click launch instance to launch a new
00:09:56
one I'm going to call it my public
00:09:58
instance
00:09:59
and I'm going to leave it Amazon Linux
00:10:01
instance type I'm going to choose a t2.micro
00:10:03
because it's in the free tier
00:10:06
key pair I'm going to choose a key pair
00:10:08
make sure you create one if you don't
00:10:10
have one create a new key pair I'm going
00:10:12
to choose the one I have
00:10:13
and for my network settings click on
00:10:15
edit change this to your VPC my new VPC
00:10:19
and then your public subnet like I said
00:10:22
you have to launch resources into
00:10:24
subnets auto-assign public IP enable we
00:10:27
want a public IP this is a public ec2
00:10:30
instance and then create a security
00:10:31
group
00:10:33
I'll call it
00:10:35
SG public and then security group rules
00:10:38
we're going to get to security groups in
00:10:39
a little bit but this rule allows me to
00:10:41
SSH from anywhere into my instance so
00:10:44
TCP protocol, port range 22, source type
00:10:47
anywhere I should be able to SSH into
00:10:49
this after you're done with that click
00:10:51
launch instance to launch it and while
00:10:53
that's launching regarding security
00:10:54
groups a security group acts as a
00:10:56
virtual firewall for your EC2 instances
00:10:59
to control incoming and outgoing traffic
00:11:01
so security groups are related to EC2
00:11:03
instances and as you recall we set a
00:11:05
rule there to allow incoming SSH traffic
00:11:08
but again we'll get to that in a few so
00:11:11
my instance is running let me click on
00:11:13
it and go to connect and
00:11:16
I'll go to EC2 Instance Connect and
00:11:18
click connect to connect to the instance
00:11:20
do you think this will work it will not
00:11:22
work we get a message here it says EC2
00:11:24
Instance Connect is unable to connect to
00:11:26
your instance why because we don't have
00:11:28
any way out to the internet we just
00:11:30
created a subnet we called it public
00:11:32
subnet that doesn't make it public we're
00:11:33
still completely isolated in our VPC so
00:11:36
to allow internet access to our subnets
00:11:39
we need something called a gateway
00:11:41
that's our next item here
00:11:43
so let me click this and more
00:11:45
specifically we need an internet gateway
00:11:47
but let's talk about a gateway for a
00:11:48
minute a gateway in general connects
00:11:50
your VPC to another network so you have
00:11:53
your VPC here a gateway just connects it
00:11:55
to another network
00:11:56
for example we're going to use an
00:11:59
internet gateway to connect your VPC to
00:12:01
the internet but then there are transit
00:12:04
gateways there are NAT gateways which
00:12:06
we're going to see in a minute but just
00:12:08
remember that a gateway just connects
00:12:10
your VPC to another network we're going
00:12:12
to be using an internet gateway as you
00:12:14
see on the diagram here that's going to
00:12:16
allow our subnets out to the internet
00:12:18
so let's set that up so go back to VPC
00:12:21
and you'll see here on the left internet
00:12:23
gateways
00:12:25
yeah right here internet gateways we
00:12:26
need to create a new one no internet
00:12:28
gateways found in this region let's
00:12:29
create one and you can only have one per
00:12:32
VPC I believe
00:12:33
and let's call it like it says here my
00:12:36
internet gateway
00:12:39
and create internet gateway it's really
00:12:42
that easy and now we have our internet
00:12:43
gateway but you see a message up here
00:12:45
the following gateway was created you
00:12:47
can now attach to a VPC to enable the
00:12:50
VPC to communicate with the internet so
00:12:52
we have an internet gateway but it's
00:12:54
detached it's not attached to any VPC
00:12:56
it's not doing anything so let's attach
00:12:58
it to our VPC so go to actions click
00:13:01
attach to VPC and click your VPC and
00:13:04
attach internet gateway again just go to
00:13:07
actions and attach here you can detach
00:13:09
if you want but we attached our internet
00:13:12
gateway to our VPC all right so let's go
00:13:14
back to connect to an instance click on
00:13:17
connect and see if we can connect and it
00:13:19
still doesn't work I mean we created the
00:13:21
gateway why are things not working well
00:13:23
because we have to give our subnet a
00:13:25
route to the internet gateway and we can
00:13:28
do this with something called route
00:13:29
tables so let's pull up our diagram
00:13:33
and let me add that
00:13:36
route tables so right here you see a
00:13:39
route table we need to alter this route
00:13:41
table on our public subnet to allow a
00:13:44
route out to the internet gateway and
00:13:46
don't mind this router here that's what
00:13:47
this symbol is
00:13:49
every VPC has a router you don't have to
00:13:51
worry about it it's already there
00:13:53
so we need to alter the subnet to go out
00:13:55
to the internet gateway you see this
00:13:57
Arrow here going back and forth between
00:13:58
the subnets the route tables already
00:14:00
allow that private traffic we just need
00:14:03
to create a rule to go out to the
00:14:04
internet gateway so let's do that let's
00:14:06
go back to VPC management and go to
00:14:08
route tables now you'll see here that
00:14:11
your VPC already comes with a default
00:14:13
route table that's what this is and it's
00:14:15
called the main route table see right
00:14:17
here it says main yes all unassociated
00:14:20
subnets use this so if you go to this
00:14:22
main route table you look at routes we
00:14:24
only have one route
00:14:25
and it's the local traffic so all the
00:14:28
traffic within the VPC that's why we had
00:14:31
this Arrow going right here there's our
00:14:33
this is already allowed in the
00:14:34
route table now subnet associations any
00:14:37
subnets that don't have explicit
00:14:39
associations default to the main route
00:14:41
table so these private and public subnets by
00:14:44
default use this default main route
00:14:47
table so what we want to do is we want
00:14:49
to create a route table for our public
00:14:51
subnet and for a private subnet we don't
00:14:54
want to use this default because we
00:14:55
don't want to treat them the same we
00:14:57
want to have them explicitly different
00:14:58
and it's just good practice to do that
00:15:01
so let's create a route table
00:15:03
called a public route table
00:15:07
create route table oops I got to choose
00:15:09
a VPC make sure you choose your VPC this
00:15:11
route table will be associated with it
00:15:16
and let's create another one called
00:15:18
private route table
00:15:22
and Associate it with your VPC
00:15:26
and let's go back to Route tables so now
00:15:28
we have our main route table but we also
00:15:31
have two more created called public and
00:15:33
private public and private have nothing
00:15:35
to do they haven't been associated with
00:15:37
any subnets they're just created what we
00:15:39
want to do is we want to go to public
00:15:41
route table and we want to associate it
00:15:44
with our public subnet so that we can
00:15:47
control what's going on there so let's
00:15:49
edit subnet associations
00:15:52
and we're going to choose public subnet
00:15:54
and Associate it with this route table
00:15:57
so the route table belongs to the VPC
00:16:00
and we associate subnets to route tables
00:16:03
so we Associated that subnet the public
00:16:05
subnet with our public route table we're
00:16:08
going to do the same for private so
00:16:09
here's private route table we're going
00:16:11
to go to subnet associations edit and
00:16:14
Associate the private subnet with the
00:16:16
private route table and now if you look
00:16:18
at our default or main route table
00:16:22
you'll see that we have no subnet
00:16:23
associations they're now associated with
00:16:26
other route tables ones that we created
00:16:27
explicitly so we have this public subnet
00:16:30
route table how do we get it to route to
00:16:33
the internet gateway well it's very easy
00:16:34
we just go to our public route table
00:16:36
click routes and then click edit routes
00:16:40
click add route and for Destination we
00:16:43
want to choose everything so the 0.0.0.0/0
00:16:46
that's all IP addresses and this covers
00:16:49
all IP addresses outside of this VPC
00:16:52
CIDR range so all of these IP addresses
00:16:54
in this VPC can talk to each other
00:16:55
subnets can talk to subnets no problem
00:16:58
but everything else the public internet
00:17:00
all the IP addresses out there we want
00:17:03
to make this wide open and our target is
00:17:05
going to be the internet gateway which
00:17:07
we can choose here
00:17:09
once we've done that click save changes
00:17:14
and you'll see that now our public route
00:17:17
table has a destination out to the
00:17:19
internet gateway so now if we try to
00:17:21
connect to our EC2 instance via SSH we
00:17:24
should be able to because we have a
00:17:26
security group rule that allows us to
00:17:28
SSH into this and our instance is now
00:17:31
available out on the public internet so
00:17:34
click this go to connect and EC2
00:17:36
Instance Connect
00:17:39
and let's see if we can do it
00:17:42
there we go so now we have public access
00:17:44
to our EC2 instance over the Internet so
00:17:47
we can do something like sudo yum update
00:17:50
-y to update our packages and
00:17:52
everything works fine great so let's go
00:17:55
back to our diagram so now we have a
00:17:57
route out to the Internet so out to our
00:17:59
internet gateway out to the internet
00:18:01
let's include that so what do we want to
00:18:03
do next well let's launch an EC2
00:18:06
instance into our private subnet and
00:18:07
learn about NAT gateways so go to EC2
00:18:10
instances and launch instances and we're
00:18:13
going to call this my private
00:18:17
instance
00:18:19
and we're going to choose Amazon Linux
00:18:21
t2.micro my key pair
00:18:24
and
00:18:25
network settings is going to be my VPC
00:18:28
and the subnet is going to be this time
00:18:30
my private subnet
00:18:32
and we don't need a public IP because
00:18:34
it's private and let's create a new
00:18:36
security group called SG private
00:18:40
and that looks good we have an SSH rule
00:18:43
that's fine let's do that it's not open
00:18:45
to the Internet so nobody can do that
00:18:47
but we'll talk about that in a minute so
00:18:48
launch your instance so we do have a
00:18:50
security group on our private instance
00:18:52
that allows SSH access so let's try to
00:18:55
SSH
00:18:56
into our private instance from our
00:18:59
public instance we should be able to do
00:19:00
that right and to do that we need to
00:19:02
upload our key remember to SSH we have
00:19:05
to create a key pair we need to upload
00:19:06
our key that's on our computer up here
00:19:09
to This Server so that when we SSH into
00:19:11
the private server we have that key to
00:19:13
use and that's pretty easy to do so I
00:19:16
have an SCP command if you're not
00:19:17
familiar you can just Google it this
00:19:19
allows you to upload a file from your
00:19:22
local computer onto a server with one
00:19:25
command so it allows you to log in
00:19:26
upload all in one command
00:19:28
so what this does is sudo
00:19:31
scp -i is a flag that indicates this is
00:19:34
your key that you're using to access
00:19:37
that public instance our public instance
00:19:39
and then the file that you want to copy
00:19:41
up there is going to be the key pair and
00:19:43
you want to copy it to your
00:19:45
public server this is my IP address it's
00:19:48
going to be ec2-user at this public
00:19:51
IP address and then the location that
00:19:52
I'm copying it to is /home/ec2-user
00:19:58
so I'm going to grab this again this is
00:20:00
just copying our key pair up to that
00:20:02
server so that we can access our private
00:20:03
server so I'm going to open my local
00:20:06
terminal and just run this command
00:20:08
and put in my password for sudo
00:20:13
and it copied it so now on my public
00:20:16
instance here I should have it ls
00:20:19
there's my TM AWS keypair.pem now from
00:20:23
this public address I want to try to SSH
00:20:25
into my private server
00:20:28
so let me get my private server
00:20:31
IP address
00:20:33
here it is I mean the route tables allow
00:20:35
subnet to subnet access so this should
00:20:38
in theory work so let's do ssh
00:20:42
-i and my key pair which is in the
00:20:45
same
00:20:46
directory
00:20:48
and then ec2-user at that IP address
00:20:54
and type yes
00:20:57
and it worked so everything's working
00:20:58
fine we can access our private server
00:21:01
from our public server and that worked
00:21:03
fine we can't go directly to our private
00:21:05
server we can't access that from outside
00:21:07
of the VPC but we can access the public
00:21:10
server and from there SSH into the
00:21:12
private server so that works fine and
00:21:14
now that we've sshed into our private
00:21:16
server let's try to do something like
00:21:17
updating our yum packages so sudo yum
00:21:20
update -y
00:21:22
and you'll see that it's not going to do
00:21:24
anything why because we don't have
00:21:26
access to the internet and you might
00:21:28
think hey that's the point we're in a
00:21:30
private subnet we don't want access to
00:21:32
the internet and that's true but how do
00:21:34
we update our packages is there a way
00:21:36
that we can reach out to the internet
00:21:38
but nobody can reach into where we're at
00:21:41
well there is there's something called a
00:21:43
NAT gateway so a NAT gateway is a
00:21:46
network address translation service you
00:21:48
can use a NAT gateway so that instances
00:21:50
in a private subnet can connect to
00:21:52
services outside your VPC but external
00:21:55
services cannot initiate a connection
00:21:56
with those instances so I can reach out
00:21:59
and I can update my packages but nothing
00:22:02
outside the VPC can come in and access
00:22:04
that server that's pretty neat so how do
00:22:06
you set something like this up well
00:22:08
first you create a NAT gateway and you
00:22:11
actually want to do it in the public
00:22:12
subnet so let's click on that gateway
00:22:15
here to reveal what we're going to do
00:22:16
you're going to create the NAT gateway
00:22:18
in a public subnet because this public
00:22:20
subnet has a route out to the internet
00:22:22
and then you're going to use your
00:22:24
private
00:22:25
route table to route out to that NAT
00:22:28
gateway so this NAT gateway is going to
00:22:31
allow our private subnet to reach out to
00:22:33
the internet and do things while at the
00:22:35
same time allowing nothing outside of
00:22:37
the VPC to come into our private subnet
00:22:40
and access that directly and actually we
00:22:42
want to add our private EC2 here so this
00:22:45
EC2 instance
00:22:46
by way of this route table can reach out
00:22:49
to the NAT gateway in the public subnet
00:22:51
and use the internet so let's create
00:22:53
that if you go to subnets and NAT
00:22:56
gateways click on create NAT gateway
00:22:59
and let's create one so let's call it my
00:23:02
NAT gateway
00:23:04
subnet I want to put it in
00:23:07
the public subnet connectivity type is
00:23:09
public and we need to allocate an
00:23:11
Elastic IP just click that button to do
00:23:13
so
00:23:15
and click create NAT gateway and I think
00:23:17
this takes a couple minutes
00:23:19
to actually get into a running state so
00:23:22
I'm going to pause this and come right
00:23:23
back when this is running and actually
00:23:25
while this is initiating we can go ahead
00:23:28
to our route tables
00:23:30
and our private route table
00:23:32
and add a route out to our NAT gateway
00:23:35
so edit routes and add a route we're
00:23:38
going to do everything
00:23:40
and then the target is going to be a NAT
00:23:42
gateway it's going to be this one that's
00:23:44
still creating it's not going to work
00:23:45
yet but we can go ahead and set this up
00:23:47
so edit routes and save changes
00:23:50
and it's creating a route and you'll see
00:23:52
here in our private route table we now
00:23:54
have a route out to our NAT gateway
00:23:58
so let's go back to that and again I'll
00:24:00
come back when it's running all right so
00:24:02
our NAT gateway is available we've
00:24:04
already set the route so now let's try
00:24:06
again and see if we can update our yum
00:24:09
packages so try again
00:24:12
and there we go so that's working but if
00:24:15
I were to get my private IP address
00:24:17
this private address of course it's not
00:24:19
going to work if I try to SSH into that
00:24:21
so a NAT gateway allows you again to let
00:24:24
your private instances reach out to the
00:24:26
internet to update or upgrade whatever
00:24:28
you need to do but nothing to access
00:24:30
them back so looking at our diagram
00:24:32
we've done a lot we've created the VPC
00:24:34
we've created the subnets the EC2
00:24:37
instances the route out to the internet
00:24:39
and the route over to a NAT gateway to
00:24:41
allow our private subnet the ability to
00:24:43
use that to grab things off the internet
00:24:45
and I think that's a lot I do have one
00:24:47
more thing I want to tackle but I want
00:24:49
to kind of leave you guys with that
00:24:50
today I think that's a lot to take in
00:24:52
and if you understand this much you've
00:24:53
understood a lot we don't need to get
00:24:55
into transit gateways and VPC peering
00:24:58
yet
00:24:58
take this information let it soak in but
00:25:01
there's one more thing that we need to
00:25:03
talk about and that is NACLs and
00:25:06
security groups so I'm going to enable
00:25:08
this last piece of the diagram and talk
00:25:10
about these so NACLs, network access
00:25:13
control lists a network access control
00:25:16
list is like a virtual firewall that
00:25:18
protects the subnet so it's another
00:25:20
layer of protection around the subnet and
00:25:23
this network access control list is
00:25:25
stateless so if you allow something into
00:25:27
the subnet it doesn't remember that
00:25:29
state and then allow it back out
00:25:32
you allow it in you have to have also an
00:25:34
outbound rule to allow it back out of
00:25:36
the subnet
00:25:37
so that's a network access control list
00:25:39
or a NACL as people call them
00:25:42
it's a virtual firewall for the entire
00:25:44
subnet and the reason why I'm not going
00:25:46
to get into it is because most people
00:25:48
leave that default and the default is
00:25:50
that it allows everything in and allows
00:25:52
everything out and most people don't
00:25:54
need to change that because you have
00:25:55
routes and you have security groups and
00:25:57
things like that one use case people
00:25:59
do use them for is to block an IP
00:26:01
address at the subnet level that's a
00:26:03
good use case for it but normally you
00:26:06
just leave the default and it's kind of
00:26:08
an added layer of protection for your
00:26:10
subnet if you need it now your NACL
00:26:12
protects your subnet but once you get
00:26:13
through that you have something called a
00:26:15
security group and a security group is
00:26:17
like a virtual firewall that protects
00:26:19
your EC2 instance so every EC2 instance
00:26:23
gets associated with a security group
00:26:25
and the security group protects the EC2
00:26:27
instance now the security group unlike
00:26:29
the NACL is stateful if there's an
00:26:32
inbound rule and some data comes in
00:26:34
it's going to remember that state and
00:26:36
also allow that same rule out so the
00:26:39
NACL is stateless if you allow it in
00:26:41
you also have to set a rule to allow it
00:26:43
back out a security group when you allow
00:26:45
something in
00:26:46
it's going to automatically allow that
00:26:48
back out it's going to remember the
00:26:49
state and this is where I stopped today
00:26:51
again like I said it's a lot to take in
00:26:53
but if you understand these basic
00:26:54
concepts I think you'll do well
00:26:56
and if you enjoyed this and you want to
00:26:58
see like a more advanced version of this
00:27:00
where we do get into transit gateways
00:27:02
and peering and things like that then
00:27:04
let me know down in the comments and
00:27:06
I'll get that made in the future hope
00:27:08
you enjoyed the video and I'll see you
00:27:09
in the next one