Amazon AWS Certified SysOps Administrator Associate – Networking – VPC Part 8
June 23, 2023

17. [SAA] Direct Connect & Direct Connect Gateway

Now let’s talk about Direct Connect, and you may also see it as DX in the exam. It provides a dedicated private connection from a remote network into your VPC. You need to set up that dedicated connection, and it goes through an AWS Direct Connect location. You also need to set up a virtual private gateway on your VPC side to make the connectivity between your on-premises data center and AWS. The idea is that on the same connection you can access both public resources such as Amazon S3 and private resources such as EC2 instances, using the public VIF and the private VIF respectively.

So what are the use cases for Direct Connect? Well, you get increased bandwidth throughput, which means that if you’re working with large data sets, it’s going to be faster because the traffic doesn’t go over the public Internet. You also get lower cost because you’re using a private connection. And if you have connectivity issues using the public Internet, with Direct Connect you get a more consistent network experience, again because it is private. So this is especially helpful if you have applications using real-time data feeds.

Finally, it supports hybrid environments because you have connectivity between your on-premises data center and the cloud. It supports both IPv4 and IPv6. So let’s look at a diagram of Direct Connect. We have a region and we want to connect it to our corporate data center. For this, we’re going to commission an AWS Direct Connect location. These are physical locations that you have to find, and they are all listed on the AWS website. In that location there is a Direct Connect endpoint in an AWS cage, and there is a customer or partner router in a customer or partner cage that you have to rent. So you have two cages in this Direct Connect location, and then in your on-premises data center you set up a customer router with a firewall. Now you’re going to set up a private virtual interface. So, private VIF first, to access the private resources in your VPC.

To do so, you set up the private VIF across all these locations into a virtual private gateway. This virtual private gateway is attached to your VPC, and through the private VIF you are able to access your private subnets with your EC2 instances. As you can see, all of this happens privately. You need to set up that connection manually and it can take a month to set up, but none of this goes over the public Internet; it is all private connectivity. The alternative is to connect to public services within AWS such as Amazon Glacier or Amazon S3. For this you set up a public virtual interface, or public VIF. It goes through the same path, but it doesn’t connect into a virtual private gateway; it connects directly into AWS. So what if you want to connect to one or more VPCs in different regions? For this, you must use a Direct Connect Gateway.

So we have an example where we have two regions, each with a different VPC and a different CIDR, and we want to connect our on-premises data center to both VPCs. We establish a Direct Connect connection. Then, using the private VIF, we connect it to a Direct Connect Gateway, and this gateway will have a private virtual interface into a virtual private gateway in the first region and another one in the second region. Using this setup, we can connect to multiple VPCs in multiple regions. Okay, now let’s discuss the connection types.

For Direct Connect, we have a dedicated connection. It can have 1 Gbps or 10 Gbps capacity, and we get a physical Ethernet port that is dedicated to us. First we make a request to AWS, and then it is completed by an AWS Direct Connect partner. Or we can get a hosted connection, which comes in different flavors, such as 50 Mbps, 500 Mbps, up to 10 Gbps. Again we make connection requests via the AWS Direct Connect partners, and then we can add or remove capacity on demand, so it’s a bit more flexible than a dedicated connection. Capacities of 1, 2, 5 and 10 Gbps are available at select locations. To set up either a dedicated or a hosted connection, the lead times are often longer than one month to establish a new connection. So in the exam, they will ask you questions like: hey, we want to transfer some data within a week and we want it to be fast. The answer cannot be Direct Connect, because Direct Connect often takes more than one month to establish. So you need to look in the question at whether or not there is already a Direct Connect established, and whether the time to transfer the data is less or greater than one month.

Now, when you have a Direct Connect, there is no encryption. Data in transit is not encrypted, but it is private because it is a private connection. If you want encryption on top of it, you can set up Direct Connect alongside a VPN to provide an IPsec-encrypted private connection. It’s good to get an extra level of security, but it’s slightly more complex to put in place. The setup uses the same Direct Connect location, but on top of the connection you set up a VPN connection to get encryption for your Direct Connect, and therefore all the traffic between your corporate data center and AWS is encrypted. Now, one last thing that can come up in the exam is resiliency for Direct Connect. We have two resiliency modes and architectures, and you need to know them both because they will come up in the exam. You have high resiliency for critical workloads, where we set up multiple Direct Connect connections.

So we have two corporate data centers and two different Direct Connect locations, and this gives us some redundancy. In the first case, we have a private VIF here and a private VIF here. So we get one connection at each of multiple locations, and if one of the Direct Connect locations goes down, we at least have a backup Direct Connect location somewhere else. This gives us high resiliency, and it is good for critical workloads.

But if you want maximum resiliency for critical workloads, and I emphasize the word maximum because it can come up in the exam, then you again set up two Direct Connect locations. But this time, each Direct Connect location has two independent connections to give you maximum resiliency. So in this use case we have four connections across two locations going into AWS. Maximum resilience is achieved by using separate connections, terminating on separate devices, in more than one location. So that’s it for Direct Connect. I hope you liked this lecture and I will see you in the next lecture.
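To make the two resiliency modes concrete, here is an added example (not from the lecture or from AWS) that classifies a Direct Connect connection inventory using the definitions above. The inventory is constructed, and the `location` and `device` field names are assumptions standing in for whatever your own asset records use.

```python
from collections import defaultdict

# Constructed inventory of Direct Connect connections (made-up IDs, not real
# AWS data): each entry records the DX location the connection lands in and
# the AWS-side device it terminates on.
CONNECTIONS = [
    {"id": "dxcon-aaaa0001", "location": "LOCATION-A", "device": "dev-1"},
    {"id": "dxcon-aaaa0002", "location": "LOCATION-A", "device": "dev-2"},
    {"id": "dxcon-bbbb0001", "location": "LOCATION-B", "device": "dev-3"},
    {"id": "dxcon-bbbb0002", "location": "LOCATION-B", "device": "dev-4"},
]


def classify_resiliency(connections):
    """Map an inventory onto the lecture's resiliency modes.

    - "none":    a single location (no second site to fail over to)
    - "high":    two or more locations, at least one connection each
    - "maximum": two or more locations, each with two or more connections
                 terminating on separate devices
    """
    devices_per_location = defaultdict(list)
    for conn in connections:
        devices_per_location[conn["location"]].append(conn["device"])

    if len(devices_per_location) < 2:
        return "none"
    # Two connections that share a device are not independent, so only
    # distinct devices count toward the "maximum" mode.
    if all(len(set(devs)) >= 2 for devs in devices_per_location.values()):
        return "maximum"
    return "high"


def in_transit_encryption(vpn_over_dx):
    """Direct Connect itself is private but unencrypted; IPsec only applies
    when a VPN connection is configured on top of the DX link."""
    return "ipsec" if vpn_over_dx else "none"


if __name__ == "__main__":
    print(classify_resiliency(CONNECTIONS))            # maximum
    print(in_transit_encryption(vpn_over_dx=False))    # none
```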

18. [SAA] Egress Only Internet Gateway

Let’s talk about the egress-only Internet gateway. Egress means outgoing, and “outgoing-only Internet gateway” kind of hints at what it does. But let’s be very, very clear: the egress-only Internet gateway works only for IPv6. If you have an IPv4 instance, it just does not apply to it. An egress-only Internet gateway makes us think of a NAT gateway, but NAT is for IPv4. So the egress-only Internet gateway is the same as a NAT gateway, but for IPv6; they perform the exact same function. The NAT gateway allows our private instances that have an IPv4 address to access the Internet, and the egress-only gateway allows our IPv6 instances to access the Internet without being accessible from it.

Why do we need this? Well, it turns out that all IPv6 addresses are public addresses; there is no private range for IPv6. For private ranges, we still use IPv4. So as soon as your instance has an IPv6 address, it has a public address and it’s publicly accessible. That’s bad, because what if we don’t want all our IPv6 instances to be publicly accessible? Then we set up an egress-only Internet gateway, and that gives all our IPv6 instances access to the Internet. We can still curl google.com or whatever, but the Internet cannot directly reach our instances, so we effectively make them sort of private. Okay, and after you create an egress-only gateway, to make it work, you need to edit the route table.

So let’s quickly see how this works in the UI. For this, I’m going back to Services, VPC, and in there I go to Egress Only Internet Gateways and click Create egress only internet gateway. Now I just need to select a VPC, so I’ll select my demo VPC, and here we go: my gateway has been created. If we go here, the gateway has been created and it’s attached to your VPC. But to make it work, you need to edit a route table. You can choose whatever route table you want; for example, let’s select our demo VPC. We’ll just use the main route table for now.

So click on Routes, Edit routes, Add route, and then enter ::/0, which represents any IPv6 address. The target is going to be the egress-only Internet gateway, this one, and save the route. We have basically added an outbound route for IPv6. ::/0 is the IPv6 address representing anything, so it’s like 0.0.0.0/0 but for IPv6, and the target is the egress-only Internet gateway. So that’s it. That’s all you need to know. We’re not going to create an instance with IPv6. I still think this is very new at the exam, but you need to know what an egress-only Internet gateway is anyway. That’s it for this hands-on. I will see you in the next lecture.
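Because every IPv6 address is publicly routable, the ::/0 route target is what decides whether instances are reachable from the Internet. The following added example (not from the lecture or from AWS) audits route tables in the shape of `aws ec2 describe-route-tables` output and classifies each one; the route tables and their IDs are constructed.

```python
# Constructed route tables shaped like `aws ec2 describe-route-tables` output
# (IDs are made up). The egress-only route uses the EgressOnlyInternetGatewayId
# key, while an Internet gateway route uses GatewayId.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0001",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationIpv6CidrBlock": "::/0",
          "EgressOnlyInternetGatewayId": "eigw-0aaa0001"},
     ]},
    {"RouteTableId": "rtb-public01",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb0001"},
         {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0bbb0001"},
     ]},
    {"RouteTableId": "rtb-isolated",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]


def ipv6_exposure(route_table):
    """Classify IPv6 Internet exposure for instances behind a route table.

    "egress-only": ::/0 -> egress-only IGW, outbound works, inbound is blocked
    "public":      ::/0 -> Internet gateway, instances are reachable inbound
    "other":       ::/0 -> some other target (e.g. an instance or interface)
    "isolated":    no ::/0 route, no IPv6 Internet access in either direction
    """
    for route in route_table["Routes"]:
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if "EgressOnlyInternetGatewayId" in route:
            return "egress-only"
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        return "other"
    return "isolated"


def audit(route_tables):
    """Return {route table id: exposure class} for quick review."""
    return {rt["RouteTableId"]: ipv6_exposure(rt) for rt in route_tables}


if __name__ == "__main__":
    for rtb_id, exposure in audit(ROUTE_TABLES).items():
        print(f"{rtb_id}: {exposure}")
```

A "public" result on a route table that serves subnets meant to be private is the case the lecture warns about: switching that ::/0 target to the egress-only gateway keeps outbound access and removes inbound reachability.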

19. [SAA] AWS PrivateLink – VPC Endpoint Services

In this lecture we are going to talk about AWS PrivateLink. But before we do so, I want to expose the problem to you. We have a VPC in our account and we have a service. We’ve created our application and we want to expose that application to other VPCs in other accounts. Option number one is to make our application public. If we do so, maybe we put the application behind a load balancer and make it public, so all the traffic goes through the public Internet. It’s a bit risky, it’s tough to manage access, and you need to manage firewall rules. But that works.

So we have our service VPC with our application service, and we have a bunch of customer VPCs that have an Internet gateway to access the Internet. Overall we expose our application publicly, it goes over the public Internet, and that works. But the problem is that it’s public, which is not great. Option two is VPC peering. We’ve seen this before. In that case we must create many peering relations between the service VPC and all the customer VPCs. And when you create a peering connection, it opens up the whole network: not just the one application we’ve created, but every single application in our VPC becomes network-accessible from the other VPC.

So that works, but it doesn’t really scale. Let’s have a look: we create a peering connection here, another one here, and another one here. It’s a little bit difficult, right? So these are not great solutions. They work, they definitely work, but they’re not great. And so AWS came up with this genius way of doing it. It’s called AWS PrivateLink, and it’s also called VPC Endpoint Services. To me it is the most secure and scalable way to expose a service, not to one, not to ten, but to thousands of VPCs, either your own or from other accounts. This solution does not require VPC peering, an Internet gateway, NAT, or route table changes. It requires none of that.

So let’s have a look at how it works. We have our service VPC with our application service, and we want to access it from a customer VPC which has consumer applications. How do we do this? We create a network load balancer, or NLB, in the service VPC, and we create the corresponding ENI in the customer VPC. Let’s have a look.

We create our network load balancer and our elastic network interface in the customer VPC. Now we have to link these two things privately, hence the name PrivateLink. So here we go, boom: we have PrivateLink in the middle that links the network load balancer in the service VPC to the ENI in the customer VPC. These two talk together through that link, which is private within the AWS network. So no VPC peering is required.

It doesn’t go through the public Internet. You don’t need to update any route table. The ENI in the customer VPC makes it look like the application in the service VPC is within their network. I think it’s really awesome, really genius. And on top of it, the cherry on the cake: if the NLB is in multiple Availability Zones and the ENI is in multiple AZs, then our solution is absolutely fault tolerant, which I think is great. To create a PrivateLink, or an endpoint service, we go on the left-hand side to Endpoint services and click Create endpoint service. Here we have to select a network load balancer within our account to associate this service with.

We don’t have one right now, but we would need to create a load balancer, a network load balancer, and then we’d be all good. Then we have some settings to configure, but we’re good to go, and then we would create the service. I’m not going to do this; I just want to show you the process. Once we have created that endpoint service, we go to Endpoints and create a new endpoint. This will be in the target VPC, possibly in another account. Instead of choosing AWS service, you select Find service by name, enter the private service name, and verify it. This is how you get access to an endpoint service from here: it creates an ENI and you’re good to go. This is very simple, and I really like the beauty of the solution, of how we can link our services together through PrivateLink.

So in the exam, if you see any question that asks you to expose services from one VPC to another, or to hundreds of VPCs, think PrivateLink. Remember this diagram and hopefully you’ll get the answer right. Here is how you would expose an ECS service through PrivateLink. You have a VPC with maybe two private subnets and an Amazon ECS service running multiple tasks, and they’re all exposed behind an application load balancer, because this is how the ECS service works. But for PrivateLink we need a network load balancer. We want to make sure we can access this ECS service privately from our corporate data center or from another VPC. For this, we create a network load balancer and connect it to our application load balancer.

From then on it’s very easy, as we just saw. We can have PrivateLink connect to the network load balancer, and then we create an ENI in the target customer VPC to connect to the PrivateLink. Or we can establish a Direct Connect or a Site-to-Site VPN connection to access that PrivateLink and the network load balancer. So that’s it; it’s easy once you know how this works. That’s it for this lecture. I hope you liked it, and I will see you in the next lecture.
