Amazon AWS SysOps – Networking – VPC part 7
- Bastion Hosts
So let’s talk about Bastion Hosts. So this is the diagram. We have our Bastion Host users. We SSH into the Bastion Host, which is in a public subnet. And then from the Bastion Host we’re able to SSH into other Linux instances. So the Bastion Host is used to SSH into private instances and it sits in the public subnet. And the reason we do this is because the public subnet is connected to all the other private subnets, so what we need to do is make sure that the security group of the Bastion Host is super strict, to only allow the IPs that need to go in. So as an exam tip, you’ll get this.
At the exam, make sure the Bastion Host only has port 22 traffic coming from the IP you need, so your own IP, and not from other security groups or from other instances. The only thing the Bastion Host needs is port 22 coming from your IP. So let’s have a quick hands-on on this. So it turns out that we’ve already used a Bastion Host without really knowing about it. When we have a public instance, well, that public instance is also a Bastion Host. Why? Because we did allow SSH access into it. So we allowed SSH and it sits in a public subnet, so we can access it.
And from this Bastion Host, we SSH’d into our private instance. So let’s have a look at how this works. So let’s go back. So let’s SSH into our public instance, our bastion host. And from there we ran the SSH command to SSH into our private instance. Now, this is not perfect, and there are ways to not put the private key pair onto the Bastion Host directly and to use it more as a proxy. There are ways to improve this, but it gives you the general idea of how a Bastion Host is used. And I hope that was helpful for you. I will see you in the next lecture.
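The security-group rule the lecture gives for the bastion (only TCP/22, only from your own IP, never from other security groups or instances) is easy to state and easy to get wrong in the console. The following is an added example, not code from the course, that audits a security group description of the shape returned by `aws ec2 describe-security-groups`; the group ids and CIDRs in the two sample groups are constructed (203.0.113.0/24 is a documentation range).

```python
"""Audit a bastion host's security group against the rule from the lecture:
inbound must be only TCP port 22, only from the admin IP(s) you name,
never from another security group and never from 0.0.0.0/0.

Added example, not code from the course. The two security groups below are
constructed to mimic the shape of `aws ec2 describe-security-groups` output;
group ids and CIDRs are made up (203.0.113.0/24 is a documentation range).
"""
from __future__ import annotations

import ipaddress

SSH_PORT = 22
ANY = ("0.0.0.0/0", "::/0")


def _permitted(cidr: str, allowed: set[str]) -> bool:
    """True if `cidr` is contained in one of the allowed admin CIDRs."""
    net = ipaddress.ip_network(cidr, strict=False)
    for a in allowed:
        anet = ipaddress.ip_network(a, strict=False)
        if anet.version == net.version and net.subnet_of(anet):
            return True
    return False


def audit_bastion_sg(sg: dict, allowed: set[str]) -> list[str]:
    """Return findings for the group's inbound rules; an empty list is compliant."""
    findings: list[str] = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        low, high = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or low is None or high is None:
            # "-1" is the API's "all protocols"; a rule without ports is unrestricted
            findings.append("rule allows all protocols and ports")
            continue
        if proto != "tcp" or low != SSH_PORT or high != SSH_PORT:
            findings.append(f"rule allows {proto} {low}-{high}; only tcp/{SSH_PORT} is expected")
        # A security-group source means other instances can reach the bastion's SSH port
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(f"source is security group {pair.get('GroupId')}; expected an admin IP")
        ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
        for rng in ranges:
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr in ANY:
                findings.append(f"port {low} is open to the whole Internet ({cidr})")
            elif not _permitted(cidr, allowed):
                findings.append(f"source {cidr} is not in the allowed admin CIDRs")
    return findings


# Constructed sample groups (ids are not real AWS ids).
ADMIN_CIDRS = {"203.0.113.10/32"}

GOOD_SG = {
    "GroupId": "sg-0bastion0good",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
    ],
}

BAD_SG = {
    "GroupId": "sg-0bastion0bad",
    "IpPermissions": [
        # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # SSH allowed from another security group inside the VPC
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0private0web"}]},
        # an extra port the bastion does not need
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for sg in (GOOD_SG, BAD_SG):
        result = audit_bastion_sg(sg, ADMIN_CIDRS) or ["compliant"]
        print(sg["GroupId"], "->", "; ".join(result))
```

The "proxy" improvement the lecture alludes to is usually OpenSSH's ProxyJump (`ssh -J bastion private-host`), which tunnels the second SSH session through the bastion so the private key for the private instance stays on the administrator's workstation instead of being copied onto the bastion.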
- Site to Site VPN, Virtual Private Gateway & Customer Gateway
So we are almost complete with this diagram, and the last thing we have to do is to connect our corporate data center, so this is where you have your own infrastructure, your own computers, to the AWS cloud, somewhat directly or not. So the idea is that to do site-to-site VPN, this will establish a virtual private network that will basically make it seem like your corporate network and the AWS cloud VPC are part of the same network. How does that work? Well, we have to create a customer gateway on the corporate DC. And this is something you have to set up. It could be software, it could be hardware. There is a list on the AWS website of what’s possible.
And then on the VPC side we’ll provision what’s called a VPN gateway. And once the VPN gateway is provisioned, in between the VPN gateway and the customer gateway we will set up a site-to-site VPN connection that will basically link the two, and our VPC and our corporate DC will be able to talk to each other. Okay, that’s for the theory. It’s really simple and there’s no hands-on because we don’t have a corporate data center at our disposal. But you just need to get the idea: the customer gateway is on the corporate data center side, the VPN gateway is on the VPC side, and the site-to-site VPN connection links the two together. So the virtual private gateway is called a VPN concentrator and you set it up on the AWS side.
So the virtual private gateway, or VGW, will be created and attached to the VPC from which we want to create the site-to-site VPN. So it’s at the VPC level. You can customize the ASN if you know what that means. And then the customer gateway is a software or a physical device on the customer side, on your corporate data center side of the VPN connection. And there’s a list of all the devices that AWS has tested at this URL. So I invite you to look at it in your own time. And for the IP address of your customer gateway, I think that’s a very important part for the exam. It’s either the static Internet-routable IP address for your customer gateway device, so it will have a static IP address, or if it’s behind a NAT, okay, if it’s behind a NAT, and that NAT needs to have NAT-T enabled, then instead of using the public IP of your customer gateway, you need to use the public IP of the NAT.
Now make sure that the NAT in this case is not the NAT on the Amazon side, it’s the NAT on your network side. So if you have set up a NAT on your network and your customer gateway is behind that NAT, then use the public IP address of the NAT instead of the customer gateway. That’s all you need to know, but that’s super important going into the exam. Now let’s look at the UI just to make this rock solid. So to set up a VPN connection, we have to go all the way to the bottom here and look at Virtual Private Network. And here we can set up customer gateways, virtual private gateways, and site-to-site VPN connections. So let’s go one by one. The customer gateway is what you set up on your own side, okay? It’s something you have to set up.
So if you type “AWS customer gateway tested” into Google, it will give you a list of all the customer gateway devices they’ve tested. So all these things have been tested and you can set one up in your own infrastructure, and that will be your customer gateway. And then once you have that, you create a customer gateway in AWS. You give it a name, you say whether it uses static or dynamic routing, and you put in the static IP address. Okay? And as you can see in the information box here, it says to specify the Internet-routable IP address for your gateway’s external interface. It must be static and it may be behind a NAT, okay? And if you have the NAT, then put the static IP address of the NAT. Okay, cancel.
And now with that we have a customer gateway that has been created. Then we set up a virtual private gateway: we click on Virtual Private Gateway and we give this a tag, so whatever you want, demo VPG or VGW. And then basically here you can either use the Amazon default ASN, or you can set up a custom ASN. This is more detail for when you really know your networking. And then once you’re done, you have a customer gateway and you have a virtual private gateway. And here you set up a site-to-site VPN connection. So you create the VPN connection, you give it a name, then you have to select a virtual private gateway, then you have to select a customer gateway.
And then basically you set up the tunnels; there are instructions for setting up two tunnels, just for some kind of redundancy, and you’re done. And then you have a VPN connection between the two. Now obviously you see I haven’t created anything because I don’t have a corporate data center available to me. But this is the process. What you have to remember is that you create a site-to-site VPN connection: on your corporate data center side you need to set up a customer gateway, and on your AWS side you need to set up a virtual private gateway. And then you connect the two using a site-to-site VPN connection. So that’s it for this lecture, just a bit more architectural, less hands-on, but I hope you liked it and I will see you in the next one.
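The customer gateway IP rule the lecture stresses for the exam (register the device's own static public IP, or the public IP of your on-premises NAT when the device sits behind one) is the kind of thing that silently breaks a tunnel when a private address is typed into the console. The following added example, not code from the course, encodes that decision as a small pre-flight check; the addresses are constructed, and it handles IPv4 customer gateway addresses only. Because 203.0.113.0/24 is a documentation range that Python's `ipaddress.is_global` rejects, the check lists the non-routable ranges explicitly instead of using `is_global`.

```python
"""Pick the IP address to register for a customer gateway, following the rule
from the lecture: the device's own static Internet-routable address, or, when
the device sits behind an on-premises NAT (with NAT-T enabled), the NAT's
public address.

Added example, not code from the course. Addresses below are constructed;
only IPv4 customer gateway addresses are handled here.
"""
from __future__ import annotations

import ipaddress

# Ranges that can never be reached from the AWS side over the Internet:
# RFC 1918, loopback, link-local, shared address space (RFC 6598), "this network".
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
)]


def is_internet_routable(ip: str) -> bool:
    """True for an IPv4 address outside the non-routable ranges above."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False  # assumption of this example: IPv4 tunnel endpoints only
    return not any(addr in net for net in NOT_ROUTABLE)


def choose_customer_gateway_ip(device_ip: str, nat_public_ip: str | None = None) -> dict:
    """Return {"ok": bool, "ip": str | None, "reason": str}.

    device_ip     - external interface address of the customer gateway device
    nat_public_ip - public address of the NAT in front of it, if any
                    (your on-premises NAT, not anything on the AWS side)
    """
    if nat_public_ip:
        if not is_internet_routable(nat_public_ip):
            return {"ok": False, "ip": None,
                    "reason": f"NAT address {nat_public_ip} is not Internet-routable"}
        return {"ok": True, "ip": nat_public_ip,
                "reason": "device is behind a NAT; register the NAT's public IP (NAT-T required)"}
    if not is_internet_routable(device_ip):
        return {"ok": False, "ip": None,
                "reason": f"{device_ip} is not Internet-routable; if the device is behind "
                          "a NAT, supply the NAT's public IP instead"}
    return {"ok": True, "ip": device_ip, "reason": "device has a static public IP"}


if __name__ == "__main__":
    # Constructed cases: a device with its own public IP, a device behind a NAT,
    # and the mistake of registering the device's private address.
    for args in (("203.0.113.17",), ("192.168.10.5", "203.0.113.200"), ("192.168.10.5",)):
        print(args, "->", choose_customer_gateway_ip(*args))
```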
- Direct Connect & Direct Connect Gateway
So let’s talk about Direct Connect now. So we’ve seen how to connect our data center to our AWS VPC using a site-to-site VPN. And that site-to-site VPN was basically set up over the Internet. So your traffic between your corporate data center and the AWS data center goes over the public Internet. But there is an alternative. What if we don’t use the public Internet? Instead, we can set up Direct Connect, and that will provide a dedicated private connection from your remote network, so your corporate data center, directly into your VPC. And the dedicated connection must be set up between your data center and one of AWS’s designated Direct Connect locations. We’ll see them in a second.
For this, on the AWS side, you still need to set up a virtual private gateway on your VPC. So remember in the past lecture we saw virtual private gateways. We still have to set one up on our VPC side and then we set up Direct Connect. Direct Connect will allow us to access both public resources, for example S3, and private resources, for example EC2, on the same connection. So it channels really everything over the same private connection. So why would we want to use this? What are the use cases? What is the exam asking? Well, anytime you need to increase bandwidth throughput, especially when you’re working with large data sets and you want lower cost on your bandwidth, then having a private connection may definitely help.
Maybe sometimes you need a more consistent network experience because you’re experiencing data drops, you’re experiencing connection shutdowns. You want to have real-time data feeds in your application and they’re shutting down too often. Direct Connect is a great option for this. Or maybe you just want to have a hybrid environment of on-premises data center and cloud data center. Direct Connect is awesome because it also supports both IPv4 and IPv6. So now let’s just look at a diagram. So this comes straight from AWS’s documentation. And so what do we see here? We see that in our VPC we have set up a virtual private gateway. So just like before when we set up a site-to-site VPN, we also need a virtual private gateway.
So this doesn’t change. Now on the right-hand side, our customer network, our data center, is linked directly to a customer or partner router. And this is what we have to look at. And this sits in an AWS Direct Connect location. So there’s a list of those, and then this will be connected to a Direct Connect endpoint. And so this is a private link being established, which we have to physically establish between our network and this Direct Connect location. And then it will use its own private link directly into the AWS cloud. And so as you can see, if we want to access EC2 instances we go directly into our VPC.
So this is a private connection right here, and the green one is a public connection. It still goes through Direct Connect, and we get access, for example, to S3 or Glacier. So this gives you an idea of how Direct Connect works. We have to physically establish a new line of connection between our customer network, our data center, and a Direct Connect location. Okay, and what if you want to connect to multiple VPCs? Do we want to repeat this process for each VPC? Well, the answer obviously is no. In case you want to connect to multiple VPCs, you can use a Direct Connect gateway. And a Direct Connect gateway is for when you want to set up Direct Connect to more than one of our VPCs; they could be in absolutely different regions, but they have to be in the same account for now.
And how does that work? Well, we set up our Direct Connect connection, and then using a Direct Connect gateway we will be connected to as many VPCs as we want. And each block right here is a virtual private gateway. So basically here we’re able to have one point of connection for our customer network, which is the Direct Connect gateway, and this is directly connected to many VPCs. The thing you have to realize, though, is that these VPCs must not have overlapping CIDRs. So here this CIDR and this CIDR are different. So this works. And when you do a Direct Connect gateway, be very careful. Even though it looks like this VPC is connected to this VPC, they’re not. Okay? The VPCs are not peered. This is not replacing a peering connection.
This is just allowing our own data center to access both VPCs at the same time. This does not peer VPCs. Okay, very common question. So anytime you see at the exam that we need to set up Direct Connect to many different VPCs, or reach VPCs in a different region from our data center, then Direct Connect Gateway will be the answer. So Direct Connect has two types of connection. The first one is a dedicated connection, and it comes in two flavors, one gigabit per second or ten gigabits per second capacity. And this is a dedicated connection, and therefore you’re going to get a physical Ethernet port that is going to be dedicated to you. And so to get that port, you need to first make a request to AWS.
And then once you have that port, you need to contact an AWS Direct Connect partner to establish that connection. So you can expect this dedicated connection to take a lot more time to do because AWS has to provision a port for you. Otherwise you can do a hosted connection, and it comes in different flavors. We have 15 megabits per second, 500 megabits per second, all the way up to ten gigabits per second. And the connection requests are made directly via the AWS Direct Connect partner. So you don’t talk to AWS, and the cool thing about it is that you can add or remove capacity on demand. So if you have a big migration to do and you know you’re going to need a better Internet connection just for a week, you can ask for more capacity.
And then once you’re done, you can remove the capacity. You get options which are one, two, five, and ten gigabits at some of the select AWS Direct Connect partners. And for the other ones, you get either 50 megabits per second or 500 megabits per second. Now the lead times for Direct Connect either way are often very long when you first want to establish the connection. So it’s going to be longer than one month to establish a new connection. And so as a solutions architect, you need to ensure that the connection is requested long enough in advance before you transfer your data. Okay, now let’s talk about encryption. So data in transit over Direct Connect is not encrypted, but it is private.
It belongs to a private network between you and the Direct Connect partner, and then between the Direct Connect partner and AWS. So even though it’s private, it is not encrypted. Very, very important. And so in case you need to have encryption, you can combine Direct Connect with a VPN solution, which will provide you an IPsec-encrypted private connection. It’s good if you want to have an extra level of security by making sure everything is encrypted, but it’s slightly more complex to put in place. And the diagram looks like this. You have your on-premises installation, and then you connect your customer end to the Direct Connect location and you establish a VPN connection in between the two to make sure that the traffic is encrypted.
All right, let’s just have a look at the UI, how this works. So as I said before, we need to set up a virtual private gateway for each VPC if we wanted to set up Direct Connect, so we would have to create one right here. And then you go to Services. This is a wholly different new service. So it’s called Direct Connect. So this is not on the VPC side. And in Direct Connect, you click on Get Started and you give it a connection name, for example, my connection. And then you set up a location you want to connect to. So these are all the locations that I can connect to right now. So you have to basically establish a connection to these things. And then after everything is set up, so I’m not going to do it right now, but after everything is set up, we’ll have a direct connection to this location.
And then we’ll be ready to have Direct Connect established between our AWS and our data center. Now, as you can see here, there’s Direct Connect Gateway and we could create a Direct Connect gateway. And it says this allows you to use your Direct Connect connection to access your VPCs in remote AWS regions, so we can connect to different VPCs in different regions. So this is basically what we need to create if we wanted to have one point of contact for a Direct Connect solution. Alright, so that’s it. We’re not going to do anything because we don’t have a data center on hand again. But it’s good to see it very quickly in the UI. And I will see you in the next lecture.
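The lecture's one hard constraint for a Direct Connect gateway is that the VPCs hanging off it must not have overlapping CIDRs, and its one warning is that the gateway does not peer those VPCs with each other. The following added example, not code from the course, is the pre-flight check a practitioner would run over the candidate VPCs before attaching their virtual private gateways; the VPC ids and CIDR blocks are constructed, and it also covers VPCs with more than one CIDR block, which the lecture's diagram does not show.

```python
"""Check a set of VPCs for overlapping CIDR blocks before attaching their
virtual private gateways to a single Direct Connect gateway.

Added example, not code from the course. VPC ids and CIDRs are constructed.
Each VPC may carry several CIDR blocks; blocks inside one VPC are not compared
with each other, since AWS already rejects overlaps within a VPC.
"""
from __future__ import annotations

import ipaddress
from itertools import combinations


def overlapping_vpcs(vpcs: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """Return (vpc_a, cidr_a, vpc_b, cidr_b) for every pair of blocks, in
    different VPCs, whose address ranges overlap. Empty list means no clash."""
    blocks = [(vpc_id, ipaddress.ip_network(cidr, strict=False))
              for vpc_id, cidrs in vpcs.items() for cidr in cidrs]
    clashes = []
    for (va, na), (vb, nb) in combinations(blocks, 2):
        if va == vb:
            continue
        # overlaps() only makes sense for the same IP version
        if na.version == nb.version and na.overlaps(nb):
            clashes.append((va, str(na), vb, str(nb)))
    return clashes


def can_attach_to_dx_gateway(vpcs: dict[str, list[str]]) -> bool:
    """True when all the VPCs can share one Direct Connect gateway."""
    return not overlapping_vpcs(vpcs)


# Constructed sample: vpc-0ccc's block sits inside vpc-0aaa's /16, so these
# three VPCs cannot all be reached through the same Direct Connect gateway.
SAMPLE_VPCS = {
    "vpc-0aaa": ["10.0.0.0/16"],
    "vpc-0bbb": ["10.1.0.0/16", "172.16.0.0/20"],
    "vpc-0ccc": ["10.0.128.0/17"],
}

if __name__ == "__main__":
    for va, ca, vb, cb in overlapping_vpcs(SAMPLE_VPCS):
        print(f"overlap: {va} {ca} <-> {vb} {cb}")
    print("ok to attach:", can_attach_to_dx_gateway(SAMPLE_VPCS))
```

The check says nothing about VPC-to-VPC reachability: as the lecture stresses, passing this test only means your data center can reach each VPC through the gateway, not that the VPCs can reach each other.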