Amazon AWS SysOps – Networking – VPC part 8
- Egress Only Internet Gateway
Let’s talk about the egress-only Internet gateway. So egress means outgoing, and "outgoing only Internet gateway" kind of hints at what it does. But let’s be very, very clear: an egress-only Internet gateway works only for IPv6. So if you have an IPv4 instance, it just does not apply to it. An egress-only Internet gateway makes us think of a NAT, but NAT is for IPv4. So an egress-only Internet gateway is the same as a NAT, but for IPv6; they perform the exact same function. The NAT allowed our private instances that had an IPv4 address to access the Internet, and the egress-only gateway will basically allow our IPv6 instances to access the Internet without being accessible from it.
Why do we need this? Well, it turns out that all IPv6 addresses are public addresses, so there is no private range of IPv6 for this. For private ranges, we still use IPv4. So as soon as your instance has an IPv6 address, it has a public address and it’s publicly accessible. That’s bad, because what if we don’t want all our IPv6 instances to be publicly accessible? Then we set up an egress-only Internet gateway, and that gives all our IPv6 instances access to the Internet. So we can still curl google.com or whatever, but the Internet cannot directly reach our instances, so we effectively make them sort of private.
Okay, and after you create an egress-only gateway, to make it work you need to edit the route table. So let’s quickly see how this works in the UI. For this, I’m going back to Services > VPC, and in there I go to Egress Only Internet Gateways and Create Egress Only Internet Gateway. Now I just need to select a VPC. I’ll select my demo VPC, and here we go, my gateway has been created. So if we go here, the gateway has been created and it’s attached to a VPC. But to make it work, you basically need to open a route table; you can choose whatever route table you want. For example, let’s select our demo VPC. We’ll just choose the main route table for now.
So click on Routes, Edit routes, Add route, and then ::/0, which represents any IPv6 address. The target is going to be the egress-only Internet gateway, and this one. Save the route. And we have basically added an outbound route for IPv6. ::/0 is the IPv6 address representing anything, so it’s like 0.0.0.0/0 but for IPv6. And the target is going to be the Internet, through the egress-only Internet gateway. So that’s it, that’s all you need to know. We’re not going to create an instance with IPv6. I still think this is very new at the exam, but you need to know what an egress-only Internet gateway is anyway. That’s it for this hands-on; I will see you in the next lecture.
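The console steps above leave behind a route table whose `::/0` route points at the egress-only Internet gateway. The check below is an added example, not code from the course: it reads the JSON that `aws ec2 describe-route-tables` returns and reports, for each route table, whether IPv6 leaves through an egress-only gateway (instances can reach out but are not reachable), through a plain Internet gateway (instances are publicly reachable), or not at all (a NAT gateway route for `0.0.0.0/0` does nothing for IPv6). All route table IDs, subnet IDs and prefixes are constructed placeholders.

```python
"""Audit the IPv6 default route of every route table in a VPC.

Added example, not part of the lecture. Input is the JSON shape returned by
`aws ec2 describe-route-tables --output json`. Classification per route table:
  "egress-only"            ::/0 -> eigw-...  instances reach out, Internet cannot reach in
  "public-via-igw"         ::/0 -> igw-...   instances are reachable from the Internet
  "no-ipv6-default-route"  no ::/0 route     IPv6 traffic has no way out (NAT is IPv4 only)
The route tables below are constructed; IDs are placeholders and
2001:db8::/32 is the IPv6 documentation range.
"""
import json
import sys

EGRESS_ONLY = "egress-only"
PUBLIC_VIA_IGW = "public-via-igw"
NO_IPV6_DEFAULT = "no-ipv6-default-route"

# Constructed sample output of describe-route-tables for a demo VPC.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {   # main route table: the one edited in the lecture
            "RouteTableId": "rtb-0main",
            "VpcId": "vpc-0demo",
            "Associations": [{"Main": True}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0demo", "State": "active"},
            ],
        },
        {   # public subnet: both IPv4 and IPv6 go through the Internet gateway
            "RouteTableId": "rtb-0public",
            "VpcId": "vpc-0demo",
            "Associations": [{"Main": False, "SubnetId": "subnet-0public"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0demo", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0demo", "State": "active"},
            ],
        },
        {   # private subnet with only a NAT gateway: IPv4 gets out, IPv6 is stranded
            "RouteTableId": "rtb-0private",
            "VpcId": "vpc-0demo",
            "Associations": [{"Main": False, "SubnetId": "subnet-0private"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0demo", "State": "active"},
            ],
        },
    ]
}


def ipv6_default_route_kind(route_table):
    """Classify the ::/0 route of one route table (see module docstring)."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackhole route (target deleted) gives no egress
        if "EgressOnlyInternetGatewayId" in route:
            return EGRESS_ONLY
        if route.get("GatewayId", "").startswith("igw-"):
            return PUBLIC_VIA_IGW
        # Some other target (instance, transit gateway, ...): report it as-is
        target = next((v for k, v in route.items() if k.endswith("Id")), "unknown")
        return "other:" + target
    return NO_IPV6_DEFAULT


def audit(describe_output):
    """Map every RouteTableId to its IPv6 egress classification."""
    return {rt["RouteTableId"]: ipv6_default_route_kind(rt)
            for rt in describe_output["RouteTables"]}


def publicly_reachable_subnets(describe_output):
    """Subnet IDs whose route table sends IPv6 through a plain Internet gateway."""
    reachable = []
    for rt in describe_output["RouteTables"]:
        if ipv6_default_route_kind(rt) == PUBLIC_VIA_IGW:
            reachable += [a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a]
    return reachable


if __name__ == "__main__":
    # Pipe real output in (`aws ec2 describe-route-tables | python3 audit.py`)
    # or run with no input to audit the constructed sample.
    data = SAMPLE_ROUTE_TABLES if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit(data), indent=2))
    print("IPv6-reachable subnets:", publicly_reachable_subnets(data))
```

The CLI equivalent of the two console steps is `aws ec2 create-egress-only-internet-gateway --vpc-id <vpc-id>` followed by `aws ec2 create-route --route-table-id <rtb-id> --destination-ipv6-cidr-block ::/0 --egress-only-internet-gateway-id <eigw-id>`; running the audit afterwards confirms the route table reads "egress-only" rather than "public-via-igw".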
- VPC Section Summary
So this was a long section, I know, and it is so important for you to master all of this. So now you should see this diagram and say, ah, it kind of makes sense. If it doesn’t, that’s okay. What I ask you to do is to sit on it for a few days and then redo the section again. It’s super important. It took me forever to understand all of this and to make sense of it, and even sometimes I have to go back to this diagram and really make sure I understand things correctly. So it is super important for you to know all these things. Now I’m just going to summarize everything we learned in this section to give you a higher-level view. So let’s get started. We started with CIDR, and a CIDR is an IP range. We saw CIDR for IPv4 and how to express it.
Then we defined a VPC. VPC stands for Virtual Private Cloud, and we could define a list of IPv4 and/or IPv6 CIDR ranges as we needed. Then we created subnets; subnets are tied to one specific availability zone, and within the subnets we define the CIDR where our instances would be defined. Then the Internet gateway: we created one at the VPC level, and that was used to provide IPv4 and IPv6 Internet access. But that Internet gateway did not work on its own. We also had to edit the route table to add routes from the subnets directly into the Internet gateway based on the CIDR rule. Then once we had Internet access, we wanted to provide Internet access as well for private instances, and this was done using a NAT instance.
The NAT basically gave Internet access to instances in the private subnet. But the NAT instance is the old way of doing things: we need to manage the setup entirely on our own and also disable the source/destination check flag. Instead we saw a better solution, which was the NAT gateway. The NAT gateway is managed by AWS and it provides scalable Internet access to private instances, but the thing is, it’s only for IPv4. Then we went on and defined private DNS settings and Route 53. So we created a private zone in Route 53, and we saw that this private zone would only work if we enable DNS resolution and DNS hostnames at the VPC level. And we saw that one setting was not enabled right away, so we had to tick that box.
Then we looked at network ACLs, and we saw that they were stateless, that they were subnet-level rules, and that they were going to filter inbound and outbound traffic. And when we defined a network ACL, we saw that we shouldn’t forget ephemeral ports, otherwise some traffic could not go through. Then security groups: we already knew them, but now we know they’re stateful, which means that if traffic can go in, the response can automatically go out. And this time the security group operates at the EC2 instance level, so they’re more like a second line of defense. So if you want to set up a more global network firewall, a network ACL would be the way to go. Then we went a bit further down into the trenches and we looked at VPC peering to connect two VPCs, and they need to have non-overlapping CIDRs.
And we saw that VPC peering is non-transitive. That means that if you peer A and B, and B and C, A and C cannot talk to each other until you also peer A and C. We looked at VPC endpoints, and that was to provide private access to AWS services such as S3, DynamoDB, CloudFormation, SSM from within our VPC, so without the help of an Internet gateway. And we looked at VPC flow logs: basically they can be set up either at the VPC, subnet or ENI level, and we can filter on accept or reject type of traffic. This will help us identify attacks. And we can analyze this using Athena, because the data will be in S3, or using CloudWatch Logs if the data is in CloudWatch. Now, bastion hosts: these were public instances that we would set up in our public subnets and we would be able to SSH into those.
And then these public instances would have SSH connectivity directly to our private subnet, and this is why it’s called a bastion host. Site-to-site VPN: this was how we connect our data center directly to the VPC and make it seem like they’re part of one network. For this we need to set up a customer gateway on our data center, a virtual private gateway on the VPC, and then we can link them using a site-to-site VPN connection. But this one is over the public Internet. As an alternative, more expensive, there is Direct Connect, where we also set up a virtual private gateway on our VPC, and this time we establish a direct connection to an AWS Direct Connect location.
So we have to actually set up a wire between our data center and this location, but then we would have a private connection directly into the AWS network. And then if we wanted to do this for many different VPCs, then instead of setting up many different Direct Connects, we use a Direct Connect gateway, and basically that helps us connect to many different VPCs in different regions. But this is not the same as VPC peering; be aware of it. Finally, we wanted to provide NAT gateway facilities but for IPv6, and for that we would use an egress-only Internet gateway. This would allow us to basically provide our IPv6 instances with Internet access while making sure they’re not Internet-reachable. So that’s it for this section. I hope you enjoyed it. In the next lecture, we’ll just do the cleanup.
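The stateless-versus-stateful distinction and the ephemeral-port caveat above are easiest to see on one concrete exchange. The model below is an added example, not code from the course: it evaluates a network ACL the way the console describes (rules checked in ascending rule-number order, first match wins, the trailing `*` rule denies, inbound and outbound checked independently) and a security group that remembers the connections it let in. An Internet client opens HTTPS to a web server in the subnet; the reply goes back to the client's ephemeral source port, so under the NACL it needs its own outbound rule for 1024-65535, while the security group lets it out with no extra rule. Addresses and port numbers are constructed (203.0.113.0/24 is a documentation range).

```python
"""Stateless network ACL versus stateful security group on one HTTPS exchange.

Added example, not from the lecture. NACL rules are evaluated lowest number
first, the first match decides, and anything unmatched hits the implicit
'*' deny rule; inbound and outbound are separate evaluations. The security
group keeps an allow list plus connection tracking, so a reply to an
accepted request is allowed out without an explicit outbound rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order, lowest first
    proto: str         # "tcp", "udp" or "-1" for all protocols
    port_from: int     # destination port range (ignored when proto == "-1")
    port_to: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    action: str        # "allow" or "deny"


def nacl_allows(rules, pkt, direction):
    """First matching rule wins; no match falls through to the '*' deny rule."""
    remote_ip = ip_address(pkt.src_ip if direction == "inbound" else pkt.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto != "-1":
            if rule.proto != pkt.proto:
                continue
            if not rule.port_from <= pkt.dst_port <= rule.port_to:
                continue
        if remote_ip not in ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False


class SecurityGroup:
    """Allow-only inbound rules plus connection tracking (stateful)."""

    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules   # tuples: (proto, port_from, port_to, cidr)
        self.tracked = set()                 # (remote_ip, remote_port, local_port)

    def allows(self, pkt, direction):
        if direction == "inbound":
            ok = any(proto == pkt.proto and lo <= pkt.dst_port <= hi
                     and ip_address(pkt.src_ip) in ip_network(cidr)
                     for proto, lo, hi, cidr in self.inbound_rules)
            if ok:
                self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_port))
            return ok
        # Outbound: a reply to a tracked connection needs no rule. Explicit
        # outbound allow rules are left out here to isolate that behaviour.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_port) in self.tracked


# Constructed scenario: an Internet client talks HTTPS to a web server in the subnet.
CLIENT, WEB_SERVER = "203.0.113.7", "10.0.1.10"
REQUEST = Packet(CLIENT, 50000, WEB_SERVER, 443)   # ephemeral source port 50000
REPLY = Packet(WEB_SERVER, 443, CLIENT, 50000)     # reply goes back to that port

NACL_INBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_FORGOT_EPHEMERAL = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_FORGOT_EPHEMERAL + [
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


def https_exchange_via_nacl(outbound_rules):
    """(request allowed in?, reply allowed out?) under a stateless NACL."""
    return (nacl_allows(NACL_INBOUND, REQUEST, "inbound"),
            nacl_allows(outbound_rules, REPLY, "outbound"))


def https_exchange_via_security_group():
    """Same exchange through a stateful security group with one inbound rule."""
    sg = SecurityGroup([("tcp", 443, 443, "0.0.0.0/0")])
    return (sg.allows(REQUEST, "inbound"), sg.allows(REPLY, "outbound"))


if __name__ == "__main__":
    print("NACL, no ephemeral rule :", https_exchange_via_nacl(OUTBOUND_FORGOT_EPHEMERAL))
    print("NACL, ephemeral rule    :", https_exchange_via_nacl(OUTBOUND_WITH_EPHEMERAL))
    print("Security group          :", https_exchange_via_security_group())
```

The first call returns `(True, False)`: the request gets in, the reply is dropped by the `*` rule, which is exactly the "some traffic could not go through" symptom. Adding the 1024-65535 outbound rule turns it into `(True, True)`, and the security group gives `(True, True)` with only the inbound rule because it tracks the connection.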
- Section Cleanup
Okay, so we have created a lot of things in this section and it’s time to clean up. So for this, let’s go to EC2. First, I’m just going to delete all these instances. I’m going to terminate all three instances I’ve created and we should be good. All right, next, something we have to do is go to Route 53. So let’s open a tab, go to Route 53, and in there I can go to my hosted zone. This was a private hosted zone, but now I can delete it; I don’t need it anymore. Okay, but before you delete this hosted zone, the first thing we have to do is delete all the records within it. So this demo record, I can just delete it. Yes, delete it, and then back to the hosted zone. I go to the hosted zone and then delete the hosted zone itself, and it’s gone.
Okay, excellent. In S3, we have a bunch of flow logs. So if you want to clean up your VPC flow logs, you can just, for example, delete everything. So Actions, and we delete all the AWS logs. And once they’re deleted, we can even delete the bucket. So I go to the stiffan VPC flow logs bucket, and I could, if I wanted to, delete the bucket, but I’m not going to do this. Okay, Athena: we don’t need to delete anything. This is serverless, and if we don’t use it, it’s not going to cost us anything. But if you wanted to delete that table, you could just click on Delete table here and that table would just go away. Okay, next we have to go to the VPC-specific section. So this is a bit more involved.
So the first thing we have to do is maybe delete that Internet gateway. So I’ll just detach it from the VPC, and it says that for now it has some mapped public addresses. So we need to wait for these instances to go down first. So maybe we can start by deleting the VPC peering connection. And this is sort of a trial-and-error type of thing, because all of a sudden you have to delete a lot of things and, you know, they’re linked, so sometimes the order won’t work. Anyway, we’re just trying it out. So deleting the VPC peering connection will also delete the related route table entries. Yes, delete. And this has been deleted. Great. Let’s talk about route tables. Maybe we can delete these two route tables. So I’ll delete them, and it says, what’s the problem? They have associations, so they cannot be deleted.
So we need to first disassociate the subnets from these. So I go to Subnet associations, edit them, untick, and press Save. And same for the public route table: I will untick the associations and press Save. And now I’m able to delete this route table. Excellent, they’re being deleted. This is the main route table and it will get deleted when the VPC itself gets deleted. The egress-only Internet gateway, we can also delete it. That’ll be great. Now let’s try to delete this one again. Will it work? Still not working. We’ll see this later. Okay, for endpoints, we can delete that endpoint. So I’ll delete the endpoint entirely, the one to connect to S3. Okay. Network ACLs: we have the default NACL and the new NACL. So this one we can delete. Delete the new network ACL.
Okay, now it looks like we have deleted a lot of things already. We could also delete our subnets. So all these subnets we could delete, but I think they get deleted automatically if we delete our VPC. So one thing I’m wondering is whether we can go now into deleting the NAT gateway, obviously. So delete the NAT gateway. Okay, here we go. This one is in the deleting state, so it will take a little bit of time to get deleted. I’ll just wait a minute or two until it does. While this happens, we can go into our VPC and we can delete the flow log entries. So we’ll just delete the flow logs one by one. So this one has been deleted, and now the other one: delete flow log. So I suspect this NAT gateway, which has now been deleted, was the problem as well.
We couldn’t delete this Internet gateway. So let’s try again, see if this works. Yes, now we don’t have any Internet gateways in the region, and so now I think we are ready to delete the VPC entirely. So we’ll delete the VPC and it says, okay, we’ll delete all these things as well. So some things we didn’t have to delete ourselves, but whatever; click on Delete VPC and everything gets deleted. It seems like there are no errors. So we’re clean, so now we should be good. No more VPC. Everything we’ve created is gone. And that’s it for this lecture. It’s a long cleanup, I know, but it’s a good way to see everything we’ve deleted, everything that was created, and how they’re linked together. And I will see you in the next lecture.