Amazon AWS Certified Security Specialty SCS-C01 Topic: Domain 3 – Infrastructure Security Part 2
December 19, 2022

6. Using AWS VPN for On-Premise to AWS connectivity

Hey everyone, and welcome back. In the last lecture we were discussing the ways in which you can connect an on-premises environment with your VPC. One of the best approaches is to set up a virtual private gateway in AWS and a customer gateway on-premises, and then establish a VPN connection between the two. Ideally, the customer gateway is a firewall that supports VPN functionality. Most organizations have something like a dedicated firewall hardware box, and that hardware box has the capability of establishing a VPN connection. So let’s do one thing: let’s go ahead and see how we can implement this scenario at a very high level. The first thing we need to do is go to the VPC console.

So I’m under the VPC section, and if you scroll down, there is a VPN Connections group with three options. You should follow the ideal sequence: customer gateway first, then virtual private gateway, then the VPN connection. So go to Customer Gateways, where you need to create a customer gateway. Before this, you need to understand the topology of both environments. In my case, I have a VPC with a CIDR of 10.0.0.0/16 and an on-premises environment with a CIDR of 192.168.0.0/16. The important thing to remember is that these CIDR blocks must not overlap. For example, if my on-premises range were also 10.0.0.0/16, you could not establish a usable VPN connection. So you need to have a different range for the VPN connection to be established. Perfect. Now that we know this, let’s go ahead and create a customer gateway. Within the customer gateway, I’ll give it the name “Bangalore office,” and you have to give the IP address of the firewall. If you look at the diagram, this is the IP address of the firewall where the VPN connection will be terminated. Within my document I have a sample IP address; I’ll paste it over here. This needs to be a public IP address. Remember, this is very important: both ends need to have a public IP address. I’ll click on “Create Customer Gateway.” Perfect. So now the customer gateway has been created. Now I can go to the virtual private gateway.

So now this part of the connection is done as far as the AWS side is concerned. Next we have to create a virtual private gateway. Let’s click on “Create Virtual Private Gateway.” I’ll name it payments VPC and click on “Create Virtual Private Gateway.” Perfect. So our virtual private gateway was also created. One thing you will notice is that this virtual private gateway is detached. One important thing to remember is that one virtual private gateway can be attached to only one VPC. So I’ll click on “Actions,” then “Attach to VPC,” select the payments VPC, and click on “Attach.” It is attaching the virtual private gateway to the VPC, and perfect, it is attached. So now we have a virtual private gateway and a customer gateway, and we have to create a VPN connection. Let’s go down to the last option, “VPN Connections,” and click on “Create VPN Connection.” In the VPN connection, I’ll name it “Bangalore office to payments VPC.” Within this, I must select the virtual private gateway that we created, as well as the customer gateway that we created. Within the routing options, there are two: one is dynamic (BGP), and one is static. I’ll be selecting static for the time being. In this section, you essentially need to provide the static IP prefixes. If you look into the help text, it says to enter one or more IP prefixes in CIDR notation, separated by commas, to advertise to your VPC. So basically, we have to give the IP prefix of my on-premises network.

So I’ll put 192.168.0.0/16 and click on “Create VPN Connection.” It says that the VPN connection has been created successfully. One thing to keep in mind is that it usually takes some time for the VPN connection to become available. After the VPN connection is available, you’ll see this menu; select “Download Configuration.” Depending on the firewall that you have on the customer gateway side, the configuration that is generated will be different. As you can see, there are a lot of vendors here, including Openswan, which is the open-source one; free ones, such as pfSense; and paid ones, such as Cisco. Once you select the vendor, you have to select the platform, and you also have to select the software version. After you select all three, click on “Download,” which will download the configuration. On the firewall side, you have to upload this configuration file, and then connectivity will be established between the virtual private gateway and the customer gateway.

So the downloaded configuration file must be uploaded to the firewall on the customer gateway side. After that, there will be certain configurations that you need to do, and the VPN connection will be established between the virtual private gateway and the customer gateway. So this is a very high-level overview of how you can establish a VPN connection between on-premises and AWS. I currently do not have a hardware firewall; otherwise, I would have shown you directly how you can do that. But we’ll try to record a video with OpenSwan or pfSense on the way. So this is it for this lecture. As far as the exam is concerned, you need to remember the three steps, and always remember that the connection gets established from the customer gateway side to the virtual private gateway side. The virtual private gateway will never initiate the connection; communication is always initiated from the customer gateway to the virtual private gateway. And one last point to remember is that a virtual private gateway can be attached to only one VPC.

Now, one last thing that I forgot to mention is that once your VPN connection is established, you have to update the route tables as well. Within the route table, you have to add an entry for the on-premises network. Currently, my on-premises network has a CIDR of 192.168.0.0/16. I’ll put the VGW as the target over here and save. It says you must fix the error; let me just refresh the page. I’ll click on “Add another route,” enter 192.168.0.0/16, select the VGW as the target, and save it. Perfect. So now the save has been successful, and this is one thing that you need to remember. Otherwise, even if your VPN tunnel is established, traffic will be routed from the customer gateway to the VPC, but traffic from the VPC will not reach the on-premises network. In your exam, they may quiz you on a scenario where the VPN tunnel is up but the servers in your EC2 instances or VPC are not able to reach the on-premises servers; the issue there is routing. So this is it about this lecture. I hope this has been informative for you, and I look forward to seeing you in the next lecture.

7. Configuring first IPSec tunnel with OpenSwan – Part 01

Hey everyone, and welcome back to the Knowledge Portal video series. In the earlier lecture, we had a very high-level overview of the demo of how two instances in different regions can communicate via private IP address with the help of IPsec tunnels. So, in this lecture, we’ll start from scratch and see how we can create a tunnel between instances in different regions. At re:Invent last week, AWS announced inter-region VPC peering support. However, this is limited to certain regions.

But in 2018, maybe by the end of the year, more regions will be added. And one of the major questions when creating inter-region IPsec VPN tunnels will be whether they can be replaced by VPC peering. When connecting an on-premises data centre to AWS, however, an IPsec tunnel is always required. So this is quite an important topic for us to understand. Now that we have our base, let’s go ahead and look into how we can create an IPsec tunnel. First, let me show you the setup. So far, I’ve got one EC2 instance running in the Mumbai region and one running in the Ohio region. At the end of the lab, we should be able to connect the two EC2 instances: I should be able to reach the instance in the Ohio region from my EC2 instance in the Mumbai region via the private IP. This is what we expect at the end of the lecture. Great. In order to do that, the first thing that we must do is set up the VPN connection. So let’s try this out.

So within the VPC console, you see there is a VPN Connections section. We have to establish this VPN connection in the Ohio region. So let’s get started. I’ll click on “Customer Gateways,” then “Create Customer Gateway.” I’ll give it the name Ohio-Mumbai and an IP address: the public IP address of the EC2 instance in Mumbai. So this will be the customer gateway; this EC2 instance will be establishing the connection to the VPN that will be set up here. I click on “Create Customer Gateway.” Perfect. Once the customer gateway is created, we’ll go ahead and click on “Virtual Private Gateways.” I’ll name it the same, and let’s create it. Perfect. Once we have created it, the current state is detached. So what we’ll do is attach it to the default VPC that is already present over here. Perfect. It takes around a minute for the virtual private gateway to get attached. So let’s do one thing: let’s go ahead and click on “VPN Connections,” and click on “Create VPN Connection.” Again, I’ll name it the same way.

Within the virtual private gateway, we’ll select the one we just created. Same with the customer gateway; we’ll select the one that we just created. There are two routing options; I’ll choose static over dynamic. If you use BGP, you don’t really have to input the routing information because it will be propagated. Anyway, I’ll put the IP prefix for the IPsec tunnel side here, and I’ll click on “Create VPN Connection.” Perfect. From the time this VPN is configured, it takes a few minutes to become available. We’ll be using OpenSwan to configure our IPsec EC2 instance. So I am connected to the EC2 instance. Let’s quickly go ahead and install OpenSwan. One important thing to remember is to make sure that you have a version higher than 2.6.32. If you’re using Amazon Linux, it has a higher version, but if you’re using CentOS, chances are you have a version similar to 2.6.32, which has a bug that causes some tunnel connectivity issues. So just make sure that you have the right version.

So I’ll just press Y, and OpenSwan gets installed. Now there are two important configuration files. The first is ipsec.conf; this is where we’ll be configuring our tunnel-related settings. The second is ipsec.secrets, and this is where we’ll be putting our pre-shared key. So there is some kind of authentication as well that you must have if you want to establish communication from OpenSwan to the AWS VPN. Perfect. Let’s start with the first one, which is the IPsec configuration. I have created a base configuration file. This should be within ipsec.conf, and I’ll paste it over here. Let’s save and make sure our tunnel is up and running. So I’ll just click on refresh. Perfect. The current state is still pending.

Okay, great. So the state is available. Sometimes it does take quite a bit of time for the state to become available. Within this VPN, if you go into the tunnel details, you see there are two tunnels present over here. Each one has a different IP address. This is basically for redundancy or high availability. For the time being, we’ll establish communication with the first tunnel. Let me copy the IP address of the first tunnel; this is something we’ll include in our configuration. On the right side of the configuration, we need to enter the IP address of the VPN tunnel endpoint, so I’ll paste it over here. In the right subnet, we have to put the subnet CIDR of the destination VPC in the Ohio region. If you see the VPC, the CIDR is 172.31.0.0/16, and this is precisely what we have over here. Now, in the left subnet, enter the CIDR of your current VPC, where your IPsec instance is located. Currently I am in the Mumbai region. If you go to the VPC console, let me select the KP Labs VPC. The CIDR is 10.77.0.0/16.

So just put that detail over here. These are the parameters that we have to input; go ahead and click on Save. Perfect. So this is one of the first steps. The next step is to go to the VPN connection in the Ohio region. In the VPN connection, once the VPN connection state is available, you have the option of downloading the configuration. Click on “Download Configuration.” The vendor would be Generic, and you would press the “Download” button. This will download the configuration file. And this file has a lot of details, including the pre-shared secret that we will need when we establish communication. So this is the file. Let me just open this up with a word processor so that we have good formatting. Within this, you will see IPsec Tunnel #1, and if you go a bit down, you have IPsec Tunnel #2. Currently, since we are working with only one tunnel, we’ll be looking into IPsec Tunnel #1. Within this, there is the pre-shared key.

So you have a pre-shared key over here. Now you need this to be configured within your IPsec configuration; otherwise, the tunnel will not come up. Let’s quickly configure this. The file is ipsec.secrets, and within it we’ll store the secret. Again, I have the base configuration over here. I’ll just copy this base configuration, paste it over here, and let’s go ahead and replace things. I’ll replace this secret with the one that we have. Great. You also have to replace the first column with the IP address of tunnel one. Let’s go to the tunnel details; I’ll copy the IP address and paste it over here. Perfect. Once you have saved this, go ahead and restart IPsec. Great. Now, let’s check the status. One tunnel is now up. Perfect. You can now see that the status in the console has been updated. One important thing that I would like to share is that sometimes the console status will remain DOWN even though the tunnel is up and running.

So updating this status may take five minutes or even ten minutes. However, the connectivity is already established. So even though it might show DOWN, just make sure to wait some time. If you have done everything correctly, then the status will come up. Perfect. Once this is up, let me quickly create a static route. I’ll say 10.77.0.0/16; this is my destination VPC’s CIDR. And there is one more route that you will have to create. Let me show you the route table for the Ohio VPC. Here you must enter 10.77.0.0/16 with the VGW as the target. What this basically means is that if my EC2 instance in the Ohio region wants to communicate with the EC2 instance in the Mumbai region, and that EC2 instance in the Mumbai region has this specific CIDR, then any traffic that goes to this CIDR should go through this virtual private gateway where the VPN is connected.

So this is what it really means. I’ll click on “Save.” Perfect. Once we have configured this, let me go to the EC2 instance and quickly do a ping. And now, as you can see, I am actually able to get the reply from the destination region. Currently, if you see my source IP, it is 10.77.2.88, and I am able to connect to the EC2 instance in the Ohio region via the private IP. This is all about how you can set up an IPsec tunnel between AWS regions. So go ahead and try this out. In the upcoming lecture, we’ll look into much more detail related to some of the important configurations. And I hope to see you again in the next lecture.

8. Configuring first IPSec tunnel with OpenSwan – Part 02

Hey everyone, and welcome back. In the earlier lecture, we discussed how we can create an IPsec-based VPN tunnel. In today’s lecture, we will look more into how we can make sure that all the EC2 instances that are part of this region are able to communicate with the other region, because this is what the requirement is. So, basically, let me show you. I have one simple instance that I have created. Let me just copy the public IP and paste it over here. Perfect. So this is the instance that I am connected to. Now, let’s quickly verify the IP address of the Ohio region’s EC2 instance.

We are interested in the private IP address. I’ll go ahead and ping, and you see that I am not able to ping. The reason is that the tunnel is currently established only between the IPsec EC2 instance and the AWS VPN on the Ohio region side. So, if I want the other EC2 instances to communicate with that region, I have to route their traffic to this specific tunnel. This is a very important thing to understand. All the traffic that is destined for 172.31.0.0/16 should go to the IPsec instance. To accomplish this, the first step is to disable the source/destination check on the IPsec instance. So you’ll select “Yes, Disable.” This is something that you do even for NAT instances, which I hope you remember. The next step is to add a route. Let me click on the VPC console and select the route table. There’s one route table, and you have to add a route saying that the traffic that goes to 172.31.0.0/16 (the CIDR of the VPC in the Ohio region) should go to the IPsec instance. You see, this is the IPsec instance over here, and I’ll click on save.

So this is the route that is configured. The next step is to enable IPv4 forwarding on the IPsec instance. I’ll log in to the IPsec instance. Perfect. If you go to /etc/sysctl.conf, IP packet forwarding is disabled. So let’s go ahead and enable it and do a service network restart. Perfect. Now this seems to have been restarted, and we should be ready to go. Let’s log out and log back in to the EC2 instance that we had logged in to earlier, the one with the IP address ending in 127. Perfect. And if I ping now, you’ll see that I can reach the EC2 instance in the Ohio region. So this is how the setup would look in a high-level overview. Maybe in the upcoming lectures, if needed, we can discuss more detail related to the configuration parameters. For the time being, I hope this lecture has been informative for you, and I look forward to seeing you in the next lecture.
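To make the two files from lectures 7 and 8 concrete, here is an added example (not the course’s own base configuration) that renders the ipsec.conf connection and the matching ipsec.secrets line for Tunnel #1, after applying the two checks from lecture 6: both tunnel endpoints must be public addresses, and the left and right CIDRs must not overlap. The sample addresses and the pre-shared key are constructed placeholders, and the proposal values (ike, phase2alg, lifetimes) follow AWS’s published Openswan sample; take the real values from the Generic configuration you download for your tunnel.

```python
"""Render Openswan ipsec.conf / ipsec.secrets for AWS VPN Tunnel #1 (added example)."""
import ipaddress
from textwrap import dedent

# Constructed sample values. In practice the tunnel outside IP and the PSK come from
# the "Generic" configuration downloaded from the VPN connection in the AWS console.
SAMPLE = {
    "cgw_public_ip": "203.0.113.10",    # public IP of the OpenSwan EC2 instance (customer gateway)
    "vgw_tunnel_ip": "198.51.100.20",   # "Outside IP address" of IPsec Tunnel #1 (AWS side)
    "left_subnet": "10.77.0.0/16",      # CIDR of the VPC where OpenSwan runs (Mumbai in the lecture)
    "right_subnet": "172.31.0.0/16",    # CIDR of the destination VPC (Ohio in the lecture)
    "psk": "REPLACE-WITH-TUNNEL-1-PSK", # placeholder only, never a real key
}

# Ranges that can never be a tunnel endpoint reachable from AWS: RFC 1918, loopback, link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_public(ip: str) -> bool:
    """True unless the address falls in one of the NON_PUBLIC ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def validate(cfg: dict) -> tuple:
    """Checks from lecture 6: public endpoints on both ends, non-overlapping CIDRs."""
    for key in ("cgw_public_ip", "vgw_tunnel_ip"):
        if not is_public(cfg[key]):
            raise ValueError(f"{key}={cfg[key]} is not a public address")
    left = ipaddress.ip_network(cfg["left_subnet"])
    right = ipaddress.ip_network(cfg["right_subnet"])
    if left.overlaps(right):
        raise ValueError(f"{left} overlaps {right}; the VPN cannot route between them")
    return left, right


def config_error(cfg: dict):
    """Return the validation error text, or None when cfg is acceptable."""
    try:
        validate(cfg)
    except ValueError as exc:
        return str(exc)
    return None


def render_ipsec_conf(cfg: dict, conn: str = "Tunnel1") -> str:
    """One 'conn' block for /etc/ipsec.conf (left = this host, right = AWS).

    The ike/phase2alg proposals mirror AWS's Openswan sample; pick the strongest
    set listed in your downloaded configuration rather than copying these blindly.
    """
    left, right = validate(cfg)
    return dedent(f"""\
        conn {conn}
            authby=secret
            auto=start
            type=tunnel
            keyexchange=ike
            left=%defaultroute
            leftid={cfg['cgw_public_ip']}
            leftsubnet={left}
            right={cfg['vgw_tunnel_ip']}
            rightsubnet={right}
            ike=aes128-sha1;modp1024
            phase2alg=aes128-sha1;modp1024
            ikelifetime=8h
            keylife=1h
            keyingtries=%forever
            dpddelay=10
            dpdtimeout=30
            dpdaction=restart_by_peer
        """)


def render_ipsec_secrets(cfg: dict) -> str:
    """One line for /etc/ipsec.secrets: '<local id> <peer ip>: PSK "<key>"'."""
    validate(cfg)
    return f'{cfg["cgw_public_ip"]} {cfg["vgw_tunnel_ip"]}: PSK "{cfg["psk"]}"\n'


if __name__ == "__main__":
    print(render_ipsec_conf(SAMPLE))
    print(render_ipsec_secrets(SAMPLE), end="")
```

The rendered files still need the host-side steps from lecture 8 (source/destination check disabled on the instance, net.ipv4.ip_forward=1 in /etc/sysctl.conf) before other instances in the VPC can use the tunnel.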

9. Inter-Region VPC Peering

Hey everyone, and welcome back to the KPLabs course. Inter-region VPC peering is one of the very recent features released by AWS, and a lot of customers were really expecting this feature, because configuring IPsec tunnels was a little bit of a pain, and we needed something like a managed service that can connect multiple regions. As of February 2018, it has been a few months, and inter-region VPC peering support has now reached various additional regions. So I just wanted to let you know that inter-region VPC peering will allow you to connect VPCs in multiple regions via VPC peering. On the left tab, I have the North Virginia region, and on the right side I have the Singapore region. What we’ll do is configure VPC peering across the VPCs in both regions. Along with that, I am connected to an EC2 instance in each region. So this is one, and on the other side I have one more instance. You see, the IP address range is completely different, so they belong to completely different VPCs. Perfect.

So the VPC CIDR of the North Virginia region belongs to the 172.31 series, and the VPC CIDR of the Singapore region belongs to the 10 series; just so that we note it. Perfect. Let’s begin. I’ll go to the VPC console. In order to establish the peering connection, we’ll have to go to VPCs and then select the Peering Connections tab. Click on “Create Peering Connection.” The peering connection name is, I would say, Virginia-to-Singapore. The VPC requester should be this one; let me just quickly confirm. The VPC ID ends with a three, so I’ll use the one ending in three as the requester. These are its CIDR blocks, IPv4 and IPv6. Now select another VPC to peer with. This can be in your account as well as in another account. For the time being, I’ll be using my account and another region, because we’re doing peering of different regions right now, and these are the regions that are currently supported. Quite many.

So initially, when inter-region peering was launched, only three or four regions were supported. However, after a few months, a large number of regions are now supported. We’ll have to select Singapore. This is the VPC accepter, and the VPC accepter will be the VPC ID of the Singapore region. So this is the VPC ID that we’ll be putting over here, and we’ll create the peering connection. Perfect. Now that you have created a peering connection, the destination VPC will have to accept it. Currently, this peering connection is still pending acceptance; it has not been accepted yet. This is why we have to go to the destination region, Singapore, and manually accept the peering connection. I’ll go to Peering Connections, and you see, it states that it is pending acceptance. I’ll go ahead and accept this peering connection request. Perfect. So now it is provisioning, and it takes a little time, sometimes two minutes, for the provisioning state to complete. Perfect.

So it seems to be instant. Once you have done that, let’s try. I’ll copy the private IP address and try to ping from Singapore to Virginia. Let’s see if it really works. And you see, it doesn’t seem to be working. The reason is the route table. Although peering has been established, the route tables have not yet been modified. You have to modify the route tables in each of the regions. Great. Let’s find out the VPC ID, and we’ll modify the route table accordingly. This instance’s VPC ID ends in 2f, so I’ll go to the VPC ending in 2f and look into the route table. There is one route table, and I’ll add one more entry. Here the destination would be the CIDR of the destination VPC, 172.31.0.0/16, and the target would be the peering connection. Perfect. Similarly, we have to find out the CIDR, 10.0.0.0/16, and put this in the route table of the North Virginia VPC. Within the VPC of the North Virginia region, the one ending in three, I’ll go to the route tables, and this is the main route table that is associated. I’ll click on Edit and add one more entry: 10.0.0.0/16, which is the CIDR of the VPC in the Singapore region, and I’ll select the peering connection as the target. Perfect.

So far, the route tables seem to be configured perfectly. Now let’s go ahead and try to ping. And again, it seems not to be working. So what could be the issue? The next thing to check is the security groups. Currently, as you see, the traffic is not allowed by the security group. So let’s do one thing: I’ll allow all the traffic from the 10.0.0.0/16 network, and similarly in the destination region, I have to verify whether the traffic is allowed. It appears that all traffic is permitted. Perfect. So now we have done everything to make connectivity possible, and we should be able to ping the instance. And you see, I am able to ping perfectly. Let’s try one more. I’ll try to reach 10.0.0.63 from here. Let me verify the IP address: it is 10.0.0.163, my bad. Perfect. So it seems the connectivity is established perfectly in both directions. This is how inter-region VPC peering can be established. It’s quite simple, in fact; it is the same process as VPC peering within a region. So this is it about this lecture. I hope this has been informative for you, and I look forward to seeing you in the next lecture.
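The troubleshooting order this lecture walks through (pending acceptance, then route tables in both VPCs, then security groups) can be written down as a check. This is an added example, not part of the course: the VPC and peering IDs are constructed placeholders, and the route tables and security groups are modelled as plain Python data instead of being read from the AWS API, with the security group opened only to the peer VPC’s CIDR rather than to all traffic.

```python
"""Readiness check for an inter-region VPC peering connection (added example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vpc:
    vpc_id: str
    cidr: str
    routes: tuple = ()     # (destination CIDR, target) pairs from the main route table
    icmp_from: tuple = ()  # source CIDRs the instance security group allows for ICMP


def route_target(vpc: Vpc, destination: str):
    """Longest-prefix match, as the VPC router does: target for `destination` or None."""
    dest = ipaddress.ip_network(destination)
    best = None
    for cidr, target in vpc.routes:
        net = ipaddress.ip_network(cidr)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def allows_icmp_from(vpc: Vpc, source: str) -> bool:
    src = ipaddress.ip_network(source)
    return any(src.subnet_of(ipaddress.ip_network(c)) for c in vpc.icmp_from)


def peering_problems(requester: Vpc, accepter: Vpc, pcx_id: str, status: str) -> list:
    """Everything that still stops a ping between the two VPCs, in the order the
    lecture hits them: acceptance, overlapping CIDRs, routes, security groups."""
    problems = []
    if status != "active":
        problems.append(f"{pcx_id} is '{status}': accept it in the accepter's region")
    if ipaddress.ip_network(requester.cidr).overlaps(ipaddress.ip_network(accepter.cidr)):
        problems.append(f"{requester.cidr} overlaps {accepter.cidr}: peering cannot carry traffic")
    for src, dst in ((requester, accepter), (accepter, requester)):
        if route_target(src, dst.cidr) != pcx_id:
            problems.append(f"{src.vpc_id}: no route {dst.cidr} -> {pcx_id}")
        if not allows_icmp_from(dst, src.cidr):
            problems.append(f"{dst.vpc_id}: security group does not allow ICMP from {src.cidr}")
    return problems


# Constructed placeholders mirroring the lecture: IDs ending in 3 (N. Virginia) and 2f (Singapore).
PCX = "pcx-example0001"
VIRGINIA = Vpc("vpc-example0003", "172.31.0.0/16", routes=(("172.31.0.0/16", "local"),))
SINGAPORE = Vpc("vpc-example002f", "10.0.0.0/16", routes=(("10.0.0.0/16", "local"),))


def add_route(vpc: Vpc, destination: str, target: str) -> Vpc:
    return replace(vpc, routes=vpc.routes + ((destination, target),))


def allow_icmp_from(vpc: Vpc, source: str) -> Vpc:
    # Allow only the peer VPC's CIDR, not 0.0.0.0/0: least privilege across the peering.
    return replace(vpc, icmp_from=vpc.icmp_from + (source,))


def walkthrough() -> list:
    """Number of open problems after each step of the lecture."""
    counts = [len(peering_problems(VIRGINIA, SINGAPORE, PCX, "pending-acceptance"))]
    counts.append(len(peering_problems(VIRGINIA, SINGAPORE, PCX, "active")))
    v = add_route(VIRGINIA, SINGAPORE.cidr, PCX)
    s = add_route(SINGAPORE, VIRGINIA.cidr, PCX)
    counts.append(len(peering_problems(v, s, PCX, "active")))
    v = allow_icmp_from(v, SINGAPORE.cidr)
    s = allow_icmp_from(s, VIRGINIA.cidr)
    counts.append(len(peering_problems(v, s, PCX, "active")))
    return counts


if __name__ == "__main__":
    for problem in peering_problems(VIRGINIA, SINGAPORE, PCX, "pending-acceptance"):
        print(problem)
    print(walkthrough())  # one count per step: pending, accepted, routed, SG opened
```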

10. VPC Endpoints

Hey everyone, and welcome back to the Knowledge Portal video series. Today we’ll be speaking about a relatively new feature that got introduced, which is VPC endpoints. Let’s get started with a simple use case to learn about VPC endpoints. In this use case we have an EC2 and S3 scenario: you’ve got an EC2 instance and an S3 bucket. Now, if you want to send traffic from EC2 to S3, for example to upload a lot of log files or certain backups, the regular traffic must go via the Internet.

Now this is a problem, because if you have a lot of big files, like a lot of big MySQL backups, then all of those backup files will have to go via the Internet. This is quite fine, but there were a lot of customers requesting that if you have an EC2 instance in, let’s assume, the Mumbai region, and an S3 bucket in the Mumbai region as well, then ideally, instead of going through the Internet, there should be connectivity over the private link itself. Because both resources are within the same region, it is ideal to have private connectivity, because it brings a lot of benefits. The first advantage is increased security, because traffic no longer has to pass through the Internet. The second is performance. Remember, if you send traffic across the Internet, the performance will always be lower, and since AWS has private connectivity, it will be something like fiber optics. So the amount of time it takes to send the data to the S3 bucket will be a huge improvement compared to sending the traffic across the Internet. In order to solve this, AWS introduced VPC endpoints. So, if the EC2 instance and the S3 bucket are in the same region, you can now send data between them via the AWS internal private network.

Now, AWS’s internal private network is very, very fast, and thus it allows us to bypass the Internet. It also allows us to save cost, because now you will be charged the data charges of the internal network and not the Internet. And it also allows you to send huge amounts of data extremely fast between the EC2 instance and the S3 service. So this was one of the use cases. AWS introduced S3 as the initial service supported when they launched VPC endpoints, but now they are bringing a lot of services in support of VPC endpoints, because a lot of users are actually using this functionality. So let’s do one thing: let’s try this out before we go ahead and understand more about the theoretical aspects.

So, I have two instances over here. One is named kplabs-2c; by the name, you’ll see this is in availability zone C, and you have an instance called EnhancedNetworking, which is in availability zone B. So let’s do one thing. Let me open up the VPC console, select the appropriate VPC, and go to the subnets. There are three subnets over here. When you look into the subnet associated with availability zone B, where our EnhancedNetworking instance is launched, within its route table you only have one route, which is the local route. You do not have any route related to a NAT gateway or the Internet gateway. So ideally, this EC2 instance will have no connectivity to the Internet. However, when you look at the EC2 instance in 2C, I’ll click over here, and its route table has Internet connectivity because there is an IGW attached. So, based on what we know, we can connect to this EC2 instance in 2C, but not to the EnhancedNetworking one, because it lacks an IGW or even a NAT gateway as a route entry. So let me go ahead and connect to the kplabs-2c instance, which we’ll be using as a proxy to connect to the EnhancedNetworking instance. Since both of them are within the same VPC, there will be communication between both these instances.

Since I want to communicate with this EnhancedNetworking instance, I’ll be using the public instance as a proxy to connect over here. So let’s do one thing. Let me connect to the public instance. So I am connected over here. Perfect. I have a key called MyKey.pem, which I can use to connect to the EC2 instance that just has the local route. So I’ll connect to 10.0.2.178. Perfect. I’m connected to the EC2 instance. Now, if I try to ping, you see, I will not be able to reach anywhere. This is because there is no Internet connectivity of any sort within this EC2 instance. S3 is the same: if I run aws s3 ls, it will not return any output, because this instance is isolated within the private network. Now, let’s go ahead and create a VPC endpoint. This is where it becomes much more interesting. I’ll go to Endpoints over here, and click on Create Endpoint. If you see, there are a lot of services present. Endpoints have two types: one is gateway, and one is interface. We’ll speak about those whenever the relevant section comes. However, remember, within the gateway type there are two services that are supported: one is DynamoDB, and the other is S3. We’ll start with S3 for the time being. Once you select S3 as the gateway, select the right VPC, which is the KP Labs VPC in my case. And now it will show you that there are multiple route tables associated.

So let’s do one thing. I’ll open up the VPC console, and we need to select the route table that is associated with the EnhancedNetworking instance. If I go to the subnet, I can see the ID of the route table associated with it, so I’ll select the matching route table. Perfect. As for the endpoint policy, I’ll just leave it at the default for the time being; otherwise, it will become much more confusing. Let’s click on “Close.” So you have one VPC endpoint that got created. Now, this VPC endpoint will also have to be added within the route table. Let’s quickly verify whether the endpoint status is available. It seems to be available. If you go to the route table tab within the VPC endpoint, it says that it is associated, but it has not yet modified the route table entries. If you look at the route table, we still have just one entry over here. Now we have to add one more entry. So I go to the endpoint, click on the Route Tables tab, “Manage Route Tables,” choose the route table, and click on “Modify Route Tables.” Perfect. This would have modified the route table for us.

Perfect. As you can see, there is now one new route table entry. This route table entry is for the prefix list com.amazonaws.us-west-2.s3. So this is the new route table entry. Now let’s try this out. Even though I don’t have Internet access, because the resource, the EC2 instance, is in the same region as the S3 bucket, I’ll run the aws s3 ls command with the region us-west-2. And now, as you can see, I am actually able to see all the contents of the S3 bucket. So if I do aws s3 ls against the billings bucket, I’ll end up with its listing. One important thing to remember over here is that if you just run aws s3 ls without a region, it will not work. You have to explicitly specify the region, which is us-west-2. I had not specified this in the AWS credentials file, so you have to specify the region explicitly. And now, as you can see, I’m able to see all the contents of the S3 bucket. So now what you have is that even though you do not have any Internet connectivity (if I ping out, I don’t have any Internet connectivity over here), S3 still works perfectly. I will be able to push data to S3, pull my data from S3, and so on.

So this is a major, major boost for those who needed a private link to the AWS S3 bucket. Again, the upload and download will be much faster, because this time you’ll be using the AWS private link instead of the Internet. Now, there are a few important things that I want to show you before we conclude this lecture, looking into some of the important points related to VPC endpoints. The first important thing to remember is that earlier, for an instance to be able to access public resources like S3, the traffic needed to pass via the Internet gateway or a NAT at a minimum. AWS has now simplified the approach by introducing VPC endpoints, which are basically highly secure and highly reliable connections that provide direct connectivity to resources in the same region. Now, EC2 instances within a private VPC can connect to such services without the use of a NAT gateway or even an Internet gateway. AWS is soon launching connectivity with various other resources. Earlier, only S3 was supported; now you also have DynamoDB, and more and more resources will be supported for VPC endpoints. So this is a very great feature that got introduced, and many organizations are now moving to VPC endpoints because it is much faster to restore and back up data.
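As an added example (not from the course), here is the lecture’s route-table reasoning for the EnhancedNetworking subnet, before and after the S3 gateway endpoint, written as a function that decides how an aws s3 call from a subnet would reach a bucket; the last case, a bucket in another region, goes slightly beyond what the lecture shows. Route table, endpoint and prefix-list IDs are constructed placeholders; the real prefix list appears in the console as pl-xxxxxxxx (com.amazonaws.us-west-2.s3).

```python
"""Which path an `aws s3` call takes from a subnet: endpoint, internet, or none (added example)."""

REGION = "us-west-2"
# Constructed placeholder for the S3 gateway prefix list of this region.
S3_PREFIX_LIST = {REGION: "pl-example-s3"}

# Constructed route tables mirroring the lecture's VPC (10.0.0.0/16):
# subnet 2c has an IGW route; subnet 2b has only the local route until the
# gateway endpoint association adds the prefix-list route.
ROUTE_TABLES = {
    "rtb-public-2c": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")],
    "rtb-private-2b-before": [("10.0.0.0/16", "local")],
    "rtb-private-2b-after": [("10.0.0.0/16", "local"),
                             ("pl-example-s3 (com.amazonaws.us-west-2.s3)", "vpce-example")],
}


def s3_path(routes, bucket_region, cli_region):
    """Decide how a request from a subnet with `routes` reaches S3.

    A gateway endpoint only matches the regional S3 endpoint of its own region, so
    the CLI must be pointed at that region (the lecture's --region us-west-2 caveat)
    and the bucket must live there. Otherwise the request needs an IGW or NAT route;
    with neither, the call hangs, which is what the lecture shows before the endpoint.
    """
    has_internet = any(dst == "0.0.0.0/0" and tgt.split("-")[0] in ("igw", "nat")
                       for dst, tgt in routes)
    endpoint_regions = {
        region for region, pl in S3_PREFIX_LIST.items()
        if any(dst.startswith(pl) and tgt.startswith("vpce-") for dst, tgt in routes)
    }
    if cli_region in endpoint_regions and bucket_region == cli_region:
        return "endpoint"
    if has_internet:
        return "internet"
    return "none"


def lecture_walkthrough() -> dict:
    """The situations the lecture shows, in order, plus the other-region bucket case."""
    before, after = ROUTE_TABLES["rtb-private-2b-before"], ROUTE_TABLES["rtb-private-2b-after"]
    return {
        "2c with IGW, no region flag": s3_path(ROUTE_TABLES["rtb-public-2c"], REGION, None),
        "2b before endpoint": s3_path(before, REGION, REGION),
        "2b after endpoint, no region flag": s3_path(after, REGION, None),
        "2b after endpoint, --region us-west-2": s3_path(after, REGION, REGION),
        "2b after endpoint, bucket in another region": s3_path(after, "us-east-1", REGION),
    }


if __name__ == "__main__":
    for case, path in lecture_walkthrough().items():
        print(f"{case}: {path}")
```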
