Amazon AWS SysOps – Networking – VPC part 5
- VPC Peering
So now let’s talk about VPC peering. VPC peering allows you to connect two VPCs privately and directly, using AWS’s network, and make them behave as if they were in the same network. For this, you need non-overlapping CIDRs. So be very careful when you create the CIDRs of your VPCs: make sure they are different, make sure they don’t overlap. Let’s take an example. We have VPC A and VPC B and we want them to be connected somehow. We have to create a VPC peering connection between the two, then update some route tables, and we’re done. Now, a VPC peering connection is not transitive. That means that for every VPC that needs to connect to another VPC, you need to establish a dedicated VPC peering connection.
So if you have VPC C and it needs to talk to VPC B, we establish a VPC peering connection between B and C. But in this case, A and C are not connected, because for them to be connected we need to create a separate, dedicated VPC peering connection between A and C. It’s super important for you to understand this: it’s not transitive. Okay? We can also do VPC peering with another AWS account if we want to. And when we do VPC peering, super important: for each VPC subnet we want to peer, we need to update its route table on both sides. Otherwise the instances will not be able to communicate. So the non-transitivity and the route table updates are very tricky exam questions that come up all the time.
So be very wary of this. We’ll see it in the hands-on. A few more elements that are good to know about VPC peering. The first one is that it works inter-region and cross-account: you can peer across regions and across accounts. You can also reference a security group of a peered VPC, even cross-account, which is really good for your security. For example, you have a security group with two rules. One allows HTTP on port 80 from a security group in your account, maybe in another VPC. For another account entirely, you have an HTTP rule on port 80 that references the security group as account number slash security group ID (`<account-id>/<sg-id>`), the account being the one the security group belongs to.
So it’s really, really good, because you can tighten your security groups and make sure that only members of specific security groups in peered VPCs have access to your applications. Here is where we are in our hands-on so far. We have just seen network ACLs, and on the left-hand side we’re going to add VPC peering to the default VPC, which will complete the diagram a little bit more. So let’s get started. What I would like to do here is connect my default VPC to my demo VPC. If we go to our VPCs and remove the filter, we have these two VPCs; they have non-overlapping CIDRs, and I would like them to be able to communicate. So first, let’s prove that they cannot communicate.
For this I’m going to create an instance. I launch an Amazon Linux 2 AMI, t2.micro. I configure the instance details, and this time I launch it in my default VPC. I don’t care about the subnet, it doesn’t matter. I add storage, add tags, configure a security group, and I will just have port 22 open. This is fine. Review and launch, launch, and I will SSH into it directly. Now let me wait for my instance to start. I will get the IP address and SSH into it. My EC2 instance is now running. I’ll call it default-ec2 just to know that it’s in the default VPC. And here is the public IP address. So I’m going to go ahead and SSH into this instance.
So on the left-hand side I SSH into the instance that is in my created VPC, in the public subnet, and on the right-hand side I SSH into the instance in the default VPC. Let’s just see if that works. That worked too. Okay, here we go. If we look at the IPs, this one is 10.0.0.108, whereas this one is an address in the default VPC’s range (default VPCs always get 172.31.0.0/16). On this one, if we `curl localhost:80` we should see Hello World, because there is a Hello World web page. The idea is that we want to be able to do the exact same thing from the other instance. So if we `curl 10.0.0.108:80` we want to see Hello World. But right now we don’t see Hello World, because we can’t reach this network from that network. So we need to peer our VPCs to access each other’s network.
Now that we see the problem, let’s look at the solution. We go to VPC and on the bottom left there is Peering Connections. We create a peering connection and call it Demo peering. Then we have to set the VPC requester, which is the VPC you own, so the demo VPC, and then select another VPC to peer with. It could be in my account or another account, in this region or another region, so we get a lot of flexibility here. I’ll select one from my account in this region, and the accepter VPC is going to be my default VPC. Yes, the CIDRs right here do not overlap. So I create the peering connection, and the peering connection will only work once it gets accepted.
Right now it is pending acceptance, so we have to accept it. For this I right-click and accept the request. This looks fine: I want to accept this request that peers this VPC from this account to that VPC from this account. Yes, accept. Okay, it says your VPC peering connection has been established, but to send and receive traffic across this VPC peering connection, you must add a route to the peer VPC. So let’s have a look: right now, if I do my curl, it still doesn’t work, because we are missing the routes. Okay, let’s get back to it. Now I go to my route tables, and we basically have to update my public route table and my default VPC route table. So let’s update the public route table first, the one in my demo VPC.
So here are the routes. I click Edit, and I need the CIDR of the other side. Let’s have a look at what the default VPC’s CIDR is. This is the CIDR of my default VPC. Let’s go back to the route table, edit it, add a route and say: for all traffic that goes to this CIDR, the target is going to be my peering connection. That makes sense: we’re saying OK, if you start to hit that IP range, then use this VPC peering connection. Save routes. And it’s not enough to do it in one route table, you need to do it in the other route table too. We’ve done it on the demo VPC side, but we have to do it on the default VPC side as well.
So here are the routes, and this time when the destination is 10.0.0.0/16, which is basically my demo VPC that we created in this section, the target is going to be the peering connection. Save routes as well. So now we have routes going both ways: from my public subnet to my default VPC and from my default VPC to my public subnet. This should be enough to have the instances connected (provided the security groups and network ACLs on both sides allow the traffic, which they do here), but let’s try it out. We curl the URL, press Enter, and we get Hello World as a response. So now my instances in my default VPC are connected and peered to my instances in my demo VPC. Pretty awesome, right? We’ve just connected the two, and it was really easy. What we need to remember is that we need to create a peering connection, have it accepted, and then update the route tables on both sides. Okay, that’s it for this lecture. I will see you in the next one.
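To make the two points of this lecture concrete (peered CIDRs must not overlap, and peering is not transitive), here is an added example that is not part of the course. It models a few VPCs, plans the peering connections and the route each side needs, and answers "does A have a route to C?" by doing the same longest-prefix match a route table does. The VPC names, the placeholder `pcx-` IDs and the "analytics" VPC are constructed for the example; the default VPC CIDR is the one AWS always assigns.

```python
"""Plan VPC peering connections and the routes each side needs.

Added example for this lecture, not code from the course. It models the two
things the lecture stresses: peered CIDRs must not overlap, and peering is not
transitive, so demo<->default and default<->analytics gives demo no path to
analytics.
"""
import ipaddress
from itertools import combinations

# Constructed sample VPCs (names and CIDRs are illustrative; the default VPC
# that AWS creates always uses 172.31.0.0/16).
VPCS = {
    "demo": "10.0.0.0/16",
    "default": "172.31.0.0/16",
    "analytics": "10.1.0.0/16",
}


def find_overlaps(vpcs):
    """Return the (name, name) pairs whose CIDRs overlap; empty list when safe."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)]


def full_mesh(vpcs):
    """Every VPC pair: N VPCs need N*(N-1)/2 peering connections, because
    peering is not transitive and there is no hub in this model."""
    return list(combinations(sorted(vpcs), 2))


def plan_peering(vpcs, pairs):
    """Given VPCs and the (requester, accepter) pairs that must talk, return
    (connections, routes). `routes` maps a VPC name to the list of
    (destination CIDR, target) entries its route tables need. Peering
    connection IDs are placeholders; AWS assigns the real pcx- IDs."""
    overlaps = find_overlaps(vpcs)
    if overlaps:
        raise ValueError(f"overlapping CIDRs, peering impossible: {overlaps}")
    connections = []
    routes = {name: [] for name in vpcs}
    for requester, accepter in pairs:
        pcx = f"pcx-{requester}-{accepter}"
        connections.append(pcx)
        # Both sides need a route, or traffic flows one way at best.
        routes[requester].append((vpcs[accepter], pcx))
        routes[accepter].append((vpcs[requester], pcx))
    return connections, routes


def route_target(routes, src, dst_ip):
    """Longest-prefix match of dst_ip against src's peering routes.
    Returns the peering connection to use, or None when there is no route,
    which is what non-transitivity looks like from the source VPC."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes[src]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    conns, rts = plan_peering(VPCS, [("demo", "default"), ("default", "analytics")])
    for pcx in conns:
        print("create and accept", pcx)
    for vpc, entries in rts.items():
        for cidr, pcx in entries:
            print(f"route table of {vpc}: {cidr} -> {pcx}")
    print("demo -> 172.31.26.26 via", route_target(rts, "demo", "172.31.26.26"))
    print("demo -> 10.1.0.5 via", route_target(rts, "demo", "10.1.0.5"))  # None: not transitive
```

Running it prints two connections and four routes (two per connection, one in each VPC), and shows that the demo VPC can reach the default VPC but gets no route to analytics until a third peering connection is created and both route tables are updated again.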
- VPC Endpoints
Okay, so our diagram is getting fuller and fuller by the day. Now let’s talk about how we talk to AWS services. As we know, DynamoDB, CloudWatch, S3 are all within the AWS cloud. But if we want to access them right now from a private EC2 instance, that EC2 instance has to go through our NAT gateway and then the Internet gateway. And all of a sudden there is a route through the public Internet into, for example, DynamoDB. That is problematic, because we’d like all this traffic to remain private; DynamoDB, after all, is a service offered within AWS. So enter VPC endpoints. VPC endpoints are meant for you to access AWS services from within a private network.
So how does that work? With VPC endpoints we can create, say, an endpoint to S3 or an endpoint to CloudWatch; there is a way to create endpoints to many different AWS services. And our instances, through a route table entry, will be able to reach that endpoint directly from a private subnet and talk to Amazon S3 or Amazon CloudWatch privately, which is really cool. But it is something we have to set up ourselves; it is not available out of the box. So VPC endpoints allow you to connect to AWS services using a private network instead of the public Internet. They scale horizontally and they are redundant. So it’s really good.
And they remove the need to set up an Internet gateway, NAT gateway, et cetera, to access these AWS services. There are two kinds of VPC endpoints. There is the interface VPC endpoint, which provisions an ENI, that is, a private IP address in your subnet, as the entry point, and we must attach a security group to it; that is how most AWS services work. And there is the gateway endpoint, which provisions a target that must be referenced in a route table. S3 and DynamoDB are the two services that use a gateway endpoint (S3 also offers an interface endpoint nowadays, but the gateway endpoint is the one we use here, and it has no hourly charge). Don’t worry, we’ll see this in the hands-on right now. Now, in case of issues, two things to check: first, the DNS settings for resolution in your VPC, which we’ve seen before.
And the other thing to check, if you have a gateway endpoint, is the route table, to make sure the traffic does indeed go straight to the gateway. Alright, let’s have a go at this. In this lecture we’ll set up S3 as a gateway endpoint. For this we need a few bits of setup. First, we go to our EC2 instances and pick a private instance, and we assign it an IAM role that has access to S3. So I’m just going to quickly go into IAM to create a role that has full access to S3. I go to Roles, create a role for EC2 and click Next: Permissions. Then I search for S3 and pick AmazonS3FullAccess, which is fine for a demo (in practice, scope the role down to the buckets and actions the instance actually needs). Next: Tags, Next: Review.
Then I call it S3FullAccess and click Create role. Okay, the role has been created. Now I can go back to my EC2 instance, right-click on it, go to Instance Settings, Attach/Replace IAM Role, type S3FullAccess and apply it. Okay, so now let’s SSH into our... did I assign it to the wrong one? No, I assigned it to the right one, this one. So now let’s SSH into its private IP. For this I use the SSH command on my instance; on the right-hand side I can close this session, we don’t need it. We’re going to SSH into our private instance from my public instance and press Enter. And here we go.
We’re in. And if I do `aws s3 ls`, I should get an answer: here are all the buckets available to me. So this works, right? But now what we’re going to do is completely cut off the Internet from that instance. Let’s go to our private route table and remove the default route to the NAT gateway, because we want to remove Internet access. Save routes, and here we go. Now our instance does not have access to the Internet. And if I do `aws s3 ls` again, it just times out: it cannot reach the S3 service over the public Internet anymore. So now let’s solve this problem using a VPC endpoint.
For this I go to Endpoints and create an endpoint. I need to select a service category: it could be AWS services or Marketplace services. For now, the only thing we really need is S3. But let’s look at the list first. These are all the AWS services, and you can see there are a lot of them. Some of them are interface, actually most of them are interface, but S3 and, up there, DynamoDB are gateway. So these two get the gateway setup and the others get the interface setup. Let’s quickly look at an interface setup, for example CloudFormation.
When you do an interface setup, you have to define in which subnets your endpoint is going to live, and then whether you want to enable the private DNS name. And for this it says: if you enable this, ensure that Enable DNS hostnames and Enable DNS support are set to true in your VPC. That’s a very common troubleshooting question. Then we need to assign a security group to this endpoint. But we’re not going to do this for CloudFormation right now. What we’re going to do is go straight to S3 and set up a gateway. When you set up a gateway, it’s a little bit different. You need to select your VPC, so we select our demo VPC, and this will basically create a route whose destination is the S3
prefix list (a pl- ID) and which will be added to the route tables you select below. So let’s select the route table we want, which is our private route table. That’s this one, and I know it because if I hover over the subnets it says private subnet A and private subnet B. I click on this route table, and it will automatically get updated with a route to this destination, which represents Amazon S3, through this VPC endpoint. Okay, Policy: Full Access. This is where you would control and restrict what can go through the VPC endpoint, for example only to specific buckets, but we’re not going to go over this right now. Click Create endpoint, and the VPC endpoint has been created. If we look at it, it’s pointing to the S3 service name.
It’s available, it’s a gateway type of endpoint, and it’s in our demo VPC. And if we look at Route Tables, it’s associated with this route table ID, which is associated with two subnets. Now the tricky bit here: if we look for this route table ID, go back to Route Tables, filter on it, press Enter and go to Routes. As we can see, we now have a route whose destination is the prefix list and whose target is our VPC endpoint. So, really cool. It says: any time you hit these CIDRs, which are the Amazon S3 address ranges for this region, go to this target. If you wanted to edit the routes you could add a route, but you cannot directly change this one in this UI.
To change this one, you have to go back to Endpoints and manage the route tables from there. Now let’s see if it works. Remember, this instance does not have access to the Internet; for example, if you `curl google.com`, it just does not work. But let’s do `aws s3 ls`. As we can see, things still don’t work. The trick here is that because we use the AWS CLI, the default region of the AWS CLI is us-east-1, but if we go back to our VPC endpoint, it was provisioned for eu-west-1. The CLI therefore sends the request to the us-east-1 S3 endpoint, whose addresses are not in the eu-west-1 prefix list, so there is no route at all. A very important thing to remember is that when you run these commands, make sure you select the region you’re in.
So `aws s3 ls --region eu-west-1`, and now this talks to the Amazon S3 endpoint in eu-west-1, and it works: I get the results. So very, very important to understand that, because it could be a trick question at the exam as well. But that’s it. As we can see, our private instance does have access to S3 in eu-west-1 and still cannot access google.com. So this is a way to give your private subnets access to certain AWS services without giving them full access to the Internet. That’s it for this lecture. I hope you enjoyed it, and I will see you in the next one.
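The three things that went wrong or could go wrong in this hands-on (no prefix-list route in the subnet’s route table, VPC DNS attributes off for an interface endpoint with private DNS, and a CLI region that does not match the endpoint’s region) are easy to turn into an offline checklist. The following is an added example, not course code: the dicts are constructed to mirror, in simplified form, the shape of `aws ec2 describe-vpc-attribute`, `describe-route-tables` and `describe-vpc-endpoints` output, and the flattened keys (`EnableDnsSupport` as a bare boolean) and all IDs are assumptions of the example.

```python
"""Offline checks for the VPC endpoint failure modes seen in this lecture.

Added example, not course code. Inputs are constructed dicts that mirror, in
simplified form, the shape of `describe-vpc-attribute`, `describe-route-tables`
and `describe-vpc-endpoints` output; the bare-boolean DNS attributes and every
ID below are assumptions of this example.
"""

# Constructed state matching the hands-on: demo VPC with both DNS attributes
# on, a private route table whose NAT default route has been removed, and an
# S3 gateway endpoint created in eu-west-1.
VPC_DEMO = {"VpcId": "vpc-demo", "EnableDnsSupport": True, "EnableDnsHostnames": True}
PRIVATE_RT = {
    "RouteTableId": "rtb-private",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        # Added automatically when the gateway endpoint was created.
        {"DestinationPrefixListId": "pl-s3-euw1", "GatewayId": "vpce-s3-demo"},
    ],
}
S3_GATEWAY = {
    "VpcEndpointId": "vpce-s3-demo",
    "VpcEndpointType": "Gateway",
    "ServiceName": "com.amazonaws.eu-west-1.s3",
}


def service_region(service_name):
    """com.amazonaws.<region>.<service> -> <region>.
    Only the commercial-partition naming used in the lecture is handled."""
    parts = service_name.split(".")
    if len(parts) >= 4 and parts[:2] == ["com", "amazonaws"]:
        return parts[2]
    return None


def diagnose_endpoint_access(vpc, route_table, endpoint, cli_region):
    """Return finding codes explaining why an instance in a subnet that uses
    `route_table` may fail to reach the service behind `endpoint` when the
    CLI is configured for `cli_region`. Empty list: the lecture's checks pass."""
    findings = []
    routes = route_table["Routes"]

    if endpoint["VpcEndpointType"] == "Gateway":
        # A gateway endpoint only works if the subnet's route table sends the
        # service prefix list to the endpoint.
        if not any(r.get("GatewayId") == endpoint["VpcEndpointId"] for r in routes):
            findings.append("NO_ENDPOINT_ROUTE")
    else:
        # An interface endpoint with private DNS needs both VPC DNS attributes
        # on, otherwise the public service name does not resolve to the ENI.
        if endpoint.get("PrivateDnsEnabled") and not (
            vpc["EnableDnsSupport"] and vpc["EnableDnsHostnames"]
        ):
            findings.append("DNS_DISABLED")

    # The CLI talks to the endpoint of its configured region; the prefix list
    # only covers that region's ranges, so a mismatch leaves no route at all.
    region = service_region(endpoint["ServiceName"])
    if region and region != cli_region:
        findings.append("REGION_MISMATCH")

    # Informational: a default route via NAT means everything not covered by
    # the prefix list still exits to the Internet, which the lecture removed.
    if any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId") for r in routes):
        findings.append("INTERNET_STILL_REACHABLE")
    return findings


if __name__ == "__main__":
    print("CLI in us-east-1:", diagnose_endpoint_access(VPC_DEMO, PRIVATE_RT, S3_GATEWAY, "us-east-1"))
    print("CLI in eu-west-1:", diagnose_endpoint_access(VPC_DEMO, PRIVATE_RT, S3_GATEWAY, "eu-west-1"))
```

With the CLI left at us-east-1 the checker reports `REGION_MISMATCH`, which is exactly the symptom in the lecture; with `--region eu-west-1` it reports nothing. Feeding it real `describe-*` output would only require reading the same keys from the JSON the CLI returns.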