[00:00:15] Welcome back to Backspace Academy. If you have made it this far you're well and truly on your way to getting that much prized associate certification with AWS. Now this lab. It's an absolute monster of a lab. It's a 10 part lab, so unlike the other labs where you're just learning a concept and then moving on to the next subject and then learning another concept, this lab is going to cover a great deal of concepts that you've covered more or less previously. But we're going to go into a lot more advanced detail and it's really going to challenge you, and you're going to have quite a bit of time spent on this lab, and it's not because I don't like you, quite the opposite. In this industry there are two types of people: those that think they know and those that know their stuff, and I produce people that know their stuff because I take the effort to produce labs like this. So please follow this lab, download the lab notes and make sure you get to the end, because at the end of this you're going to be very, very confident.
[00:01:27] So we'll start off talking about the lab and what we're going to be doing, and then we'll be jumping straight in and creating this three tiered advanced VPC architecture that's going to have public and private subnets and it's going to have whole different levels of permissions within those tiers. Then we'll look at securing our VPC resources within this VPC with security groups and applying those, or associating those security groups, to our resources, but also look at how we can monitor and log IP activity in and out of our VPC to our VPC resources using VPC flow logs. Look at elastic network interfaces and how we can actually take one of those off a running instance and then attach them to another instance, so that the IP address and all of the traffic that is going to that elastic network interface will then go over to that other instance, and that can be quite handy for us in different situations. Then we'll look at building high availability by replicating our architecture into another availability zone. We'll create an application elastic load balancer that will span those multiple Availability Zones in a public subnet and an auto scaling group in a private subnet that will also span those multiple Availability Zones, and then we'll deploy a multi-AZ Aurora service cluster that will span multiple Availability Zones in a locked down private subnet.
[00:03:12] Then because that Aurora service cluster is going to be in a private subnet we're going to also create a bastion host using the Cloud9 service. It will allow us to remotely access our Aurora cluster without causing any security issues. And finally we're going to create another highly secure layer using network access control lists. Okay.

[00:03:43] So this is what our architecture is going to look like. We're going to have a VPC which will be located in the us-east-1 region. So make sure that you use that region so you can follow on with the lab notes quite easily. We're going to have multiple subnets and we're going to have those subnets in multiple Availability Zones, obviously to take advantage of high availability. We're going to have a public subnet that is going to receive traffic from the outside world, from the Internet, through an Internet gateway. We're going to receive that traffic with an elastic load balancer that is going to span those multiple public subnets. The elastic load balancer will then distribute that traffic to an auto scaling group of EC2 instances that will have a LAMP web server running on that, and those LAMP web servers will communicate with an Amazon Aurora database that will be located in a DB subnet group that will be spanning those two private subnets.
[00:04:54] Now we're using an auto scaling group, but in the future we may want to use Elastic Beanstalk. It has a lot of advantages where we can just update our code, we can integrate it with a CI/CD pipeline and that sort of thing, but for now we're just going to create an auto scaling group with instances in that, but we're going to make sure that our application architecture can support those requirements. Now one of the requirements of Elastic Beanstalk is it needs to have outbound access to the wider internet, so we need to have a route from our subnet through to the Internet gateway. But by definition a private subnet doesn't have that. So what we're going to do is that we're going to create a NAT instance in one of the public subnets. Now that NAT instance can be used as a gateway between our EC2 instances, or the Elastic Beanstalk environment, and the wider internet, to receive updates and for other downloadable stuff that it needs. So we're going to launch that using the EC2 service and we're going to use a NAT AMI to do that. Now because our Amazon Aurora cluster is located in a private subnet, we're not going to be able to communicate to that from the outside world, which creates a bit of a problem, because we might want to connect into that database and do some SQL commands, we might want to update that database manually, we might want to download some information manually.
[00:06:34] So to allow that to happen we're going to be creating or launching a bastion EC2 instance, again in the public subnet, and we're going to use the Cloud9 service because, as we'll see later on, it does have some advantages of using that rather than just launching an EC2 instance on our own, and that will allow us to communicate safely and securely with our database without compromising security and allowing access from outside our VPC. The other thing that we need to do is that we're going to have some way to store our files, which might be images, documents, whatever. So we're going to be using Amazon S3. I mean, we're not going to actually create a bucket, because you know how to create a bucket; it's pretty straightforward to do. But when we create our VPC we're going to create a VPC endpoint to connect to the Amazon S3 service, because the S3 service and our bucket is not located in our VPC.
[00:07:36] So we need to have an endpoint to allow communication between our web services, or our web servers, our LAMP web servers in our private NAT subnets, to communicate with the Amazon S3 bucket and to receive images, documents and whatever, and present them through to the elastic load balancer to our end users.

[00:08:05] The first thing that we're going to do is that we're going to use the VPC wizard to create a VPC in the us-east-1 region, and we're going to use it to create public and private subnets and also to automatically create a NAT instance for us, and also a VPC endpoint for the Amazon S3 service. After we've created those public and private subnets we're then going to create another private subnet using the VPC console, and that will be a locked down private subnet with no inbound or outbound traffic from the wider internet, and we'll be using that to launch our database service.

[00:08:52] Okay, so starting off in the VPC management console we need to launch the VPC wizard. If you don't see that big blue button there, it means that you're not actually in the VPC dashboard, so just click on VPC dashboard and you'll get to there, and you will see that Launch VPC Wizard button, which we're going to click. We need to select a VPC with public and private subnets. If you have a look at the diagram there on the right we're going to have a VPC.
[00:09:21] So you have a public subnet with a NAT instance that's going to relay our connections, or outbound connections, from our private subnet through to the Internet. We're also going to have a connection, an endpoint, for the Amazon S3 service as well. Let's select that. We'll leave our CIDR block as 10.0.0.0/16. We're going to give this VPC a name, backspace-lab. We'll leave the public subnet there as 10.0.0.0/24. The availability zone will be us-east-1a. Make sure that you are operating in US East (N. Virginia). And we're going to call this public subnet A, because it's located in the 1a availability zone. And our private subnet, we'll leave that as 10.0.1.0/24. Availability zone, again we're going to use us-east-1a. We're going to call this private NAT subnet A, because it's going to be what's going to allow connections between the NAT and this private subnet. So we're going to call it the private subnet, or private NAT subnet. The next thing that we need to detail is a NAT gateway or a NAT instance. The VPC management console remembers what you used last.
[00:10:53] So last time I did this I used a NAT gateway. For this lab I'm going to use a NAT instance instead because of the cost. The NAT gateway is a perfect service, it's highly available, it's highly fault tolerant, and it's what you would use in a production environment for any decent sized company. Because this is only a lab we're just going to use a NAT instance instead, so just click on that, use a NAT instance instead, and select t2.micro. Just select the key pair there so we can connect into it later on if we need to. Next thing we need to identify, or define, is a service endpoint. So we've got there DynamoDB; we'll select Amazon S3. So we need to connect into a bucket, and the subnet, we've got a number of selections there: the public and private subnets, the public subnet, or the private subnet on its own. Now our public subnet is just going to contain our elastic load balancers. So our web servers are going to be located in the private subnet, and they are what needs to have access to the Amazon S3 service, so we select the private subnet, give that full access, and we scroll down a little bit further and create VPC.

[00:12:25] Okay, so after a short amount of time we've got this VPC successfully created. So just click on Okay. And then we can see backspace-lab has been created.
[00:12:38] So what I'm going to do now is just go into the EC2 management console and just see that the NAT instance has been created. And so there we can see we've got one running instance and there is our NAT instance. That's another one that I created previously that I've terminated. But here is the one that we just created. So what I'm going to do now is just give that a name so that we know what it is. Okay, so now when we go and look at our list of EC2 instances we're going to know what that is all about. So we jump back into the VPC management console. Okay. So there we can see we've got a network access control list allocated, or created for us, by the VPC wizard. We've also got a route table there. And that is the main route table that is associated with the VPC. What that means is that if there are any subnets within this VPC that don't have a route table explicitly associated to them, then the main route table will be automatically associated to those subnets. So we can see there it ends in 6ec2 there. If we go to subnets and we select our private NAT subnet A here, which is going to be again for our backspace lab there, what we will see is it has the same route table.
[00:14:15] There it is, 6ec2 on the end of it. It has the same route table, the main route table, associated to that. And our public subnet has a different one, has a different route table associated to that. So let's have a look at these two. So let's first have a look at the private NAT subnet. So I'm going to open that in another screen, or another tab, and we'll have a look at the route entries for that. So there we can see it has a route entry there for local traffic within the VPC. So that's fine. But it also has a destination to the wider internet. So if instances within this private subnet need to access the wider Internet outbound, they can do that through the elastic network interface which is attached to our NAT instance. And that is exactly what we are looking for. So it doesn't allow traffic coming in from the wider internet. But if instances within, or services within, that private subnet need to download updates or whatever, and again the Elastic Beanstalk service does require that, it can do that through a NAT instance. So going back to our subnets we'll have a look at the public subnet A, and we can see it's got a totally different route table. It's not the main route table. We'll open that one and have a look at that.
[00:15:44] So this will be a public route table with route table entries to allow access from the wider internet. So again we've got local traffic, a route for that. So that is fine. But we've also got, for traffic to and from the wider internet, it allows it to go through to an Internet gateway. So again that is what defines a public subnet. So that's fine. So what we're going to do now is we are going to create another subnet which is going to be locked down. It's going to be a private subnet that's not going to create or allow any traffic to or from the wider internet. Now because we're going to be creating multiple custom route tables for this VPC, I'm just going to give this one a name, backspace lab public. That'll be fine, just so that we can identify it easy enough later on, and I'll just close it down and we'll just go back into subnets, and what we want to do now is we want to create a subnet. We'll give that a name and we'll select our backspace-lab VPC, and we'll select the availability zone, again it's us-east-1a. And the CIDR block this time is going to be 10.0.2.0/24, and we'll create that. And there we can see we've got our private subnet A that has just been created with this CIDR block, 10.0.2.0/24.
[00:17:36] Now one thing that we haven't done yet is that this has got the main route table implicitly associated to it, because we didn't define a route table for this subnet. So what we need to do now is we need to go into route tables, open it up in another screen, and we need to create a route table for that subnet. And so that's going to be completely private. It's only going to allow local traffic and nothing else. So we just click on Create route table, we'll give this one a name and we'll select our VPC, the backspace-lab VPC, and then create that. Okay. So we scroll down here and we can see that we've got our private subnet. So what we're going to do now is we're going to have a look at the routes. So we've got here a local route for local traffic and nothing else. And so there is all that we need. We don't need to have NAT access for these private subnets, so that is fine. But we need to have a subnet association, so there's no subnet association. So this private route table is not associated to any subnet. So what we need to do is edit subnet associations and we need to select our private subnet that we created, and so we can see here we've got private subnet A; it currently has the main route table implicitly associated to it.
[00:19:08] We need to change that. So we'll select that and save, and now we can see that we have that subnet. If we go back into that subnet, or just click on it, we can see private subnet A now has that route table, private subnet RT, associated to it. Okay. Coming up next we're going to be securing this VPC by creating some security groups that we can associate to our resources inside of this VPC. Look forward to seeing you in that next one.