[This course is fully refreshed with the latest AWS console experience and features. It's 2024 ready.]
This course aims to build a complete understanding of Amazon Virtual Private Cloud (VPC) and networking from the ground up, where you will understand the AWS networking concepts in depth, not just theoretically but by actually performing hands-on exercises for all the networking components.
This course contains 2 sections. The first section is about understanding the foundation, where I have explained from scratch the basics of Amazon VPC, VPC components and private connectivity options in AWS. Additionally, we are also going to understand how DNS works in AWS. I am sure this course will take your networking knowledge and experience to a different level, where you can confidently design and implement networking components on your own. And believe me, it's one of the most important skills to have to be successful in your AWS career.
1. Understanding AWS Networking in depth
Physical on premises networking vs AWS VPC
Getting familiar with Amazon VPC terminologies - VPC, Subnets, Route tables, Internet Gateway, Security Group, Network ACL
Understanding VPC CIDR
Understanding Subnets and Route Tables
Public Subnet vs Private Subnet
Understanding NAT (Network Address Translation) Concept
NAT Gateway and NAT instance
AWS Private Connectivity options
Understanding VPC Peering
VPC Endpoint and PrivateLink for private connectivity to AWS Services
VPN connection / Direct Connect
Transit Gateway
AWS Client VPN
2. AWS Networking Hands on exercises (Basics to Advance)
Create VPC with single public subnet, launch EC2 instance and connect over internet
Create VPC with Public and Private subnet, connect to EC2 instance in Private subnet via EC2 instance in Public subnet
Create NAT Gateway and allow EC2 instances in Private subnet to access internet through NAT Gateway
Create and use NAT EC2 instance instead of NAT Gateway
Create VPC Peering between VPCs across AWS regions and connect to EC2 instance over private IP by using VPC peering connection
Create VPC endpoint gateway for S3 and access S3 contents from EC2 instance in Private subnet without requiring internet connection
Create and use VPC Private Link to expose your Web service privately to application hosted in another VPC
Implement AWS region level failover using AWS Route53
Hosting website on S3 using custom domain name from GoDaddy
Hosting HTTPS enabled website using S3 and CloudFront
Advanced Networking: Setup Site-To-Site VPN between AWS VPC and simulated on-premise network
Transit Gateway - Setup communication between multiple VPCs
AWS Client VPN and various scenarios like accessing Internet, Split Tunnel, accessing Peered VPCs via Client VPN connection
Additional exercises:
Application Load Balancer - distribute traffic to backend EC2 instances
Enable Sticky session on ALB
Enable HTTPS on Application Load Balancer
ALB Path based Routing
AWS CloudFormation template to deploy VPC and related sources in automated manner
Note:
1. While the total course length is 12+ hrs, I have mentioned 8 hrs in the description as we will be spending around 8+ hrs of time doing actual hands-on exercises.
2. This course does not cover all the details/limits/"what if" kind of content required to prepare for the AWS networking certification exam; instead it focuses on understanding the core concepts by doing hands-on exercises.
In this lab, we will create a VPC interface endpoint to privately access the Amazon SQS service (PutMessage). We can access more than 80 such AWS services privately using VPC interface endpoints without requiring outbound Internet connectivity through an IGW or NAT Gateway.
In this lab, we will understand the VPC PrivateLink architecture and create a sample Customer service which we will expose via PrivateLink.
By definition, AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.
In this exercise, we will host a web server service in a private subnet of one VPC and expose this service to a service consumer in another VPC.
In my opinion, in order to be able to design great architectures, build any solution or troubleshoot any issue, it's very important to understand the AWS foundation, i.e. AWS Networking and AWS Security (specifically IAM). Hence I have built this course after 8+ years of experience working extensively in AWS and focusing specifically on AWS Networking. I hope you enjoy this course as much as I did in the process of making it.
Download course slides from the resources section of this lecture or by visiting the link shown in the video.
[Skip this lecture if you already have active AWS account]
The first thing you need is an active AWS account. In this pre-requisites lecture we will see how to create an AWS account, create an IAM user for yourself, set some cost controls and check some EC2 limits.
This is an optional automation setup which is useful as we sometimes forget to stop or terminate EC2 instances and then have to pay for the AWS usage. This automation will send you a daily email so that you get notified about any unintended EC2, EBS or EIP usage in your AWS account.
Use the following link to launch the AWS CloudFormation stack for this simple automation:
https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.amazonaws.com/awswithchetan.com/assets/cost-optimization/daily-usage-report-cloudformation.template&stackName=DailyUsageReport&Schedule=19
It's important that you see the big picture before diving deep into individual AWS services. In this lecture, I have tried to cover most of the important AWS Networking services in a simple architecture where we deploy a 2-Tier web application in a scalable and secure manner in AWS. This big picture will help you visualize and relate AWS services in a much better way.
In this lecture, let's dive deep into VPC subnets, route tables and the Internet Gateway. This lecture will build the foundation for designing the network architecture.
In this lecture, I will demonstrate a few scenarios by modifying different Network ACL rules. There is an assignment for this at the end of the next section.
Understand what NAT is and the importance of NAT in network design. NAT provides outbound internet access for the EC2 instances launched in the private subnet. In this way, your instances are not exposed to the internet and can still reach the internet outbound.
AWS creates a default VPC in every region so that you can launch EC2 instances and other VPC resources easily. However, in the real world you may not want to use the default VPC for your workloads; rather, you should create a custom VPC and configure the routing and security as per your application's needs.
This is our first exercise and it's very simple. Make sure you follow each step carefully and remember what we did, so that while doing the next exercises it will be easy for you to set things up quickly.
In this exercise, learn how to set up a VPC with a Public Subnet and connect to an EC2 instance launched in this Subnet.
Here, we are not using the default VPC. In a real-world scenario, when you need a web application to be accessible over the internet, you will typically create this kind of setup. Optionally, you may choose to assign an Elastic IP to the EC2 instance instead of a Public IP, as an Elastic IP remains associated with the instance even after an instance restart, and you can detach it and re-attach it to another EC2 instance.
In this exercise, learn how to set up a VPC with Public and Private subnets. We then create EC2 instances in each subnet and connect to the private EC2 instance via the EC2 instance in the Public Subnet.
In real life, you would have web servers or public-facing instances in public subnets and application servers/database servers in private subnets. You can build your network as explained in this video and achieve the desired network security and isolation.
In this exercise, learn how to use a NAT Gateway to allow EC2 instances in a private subnet to access the internet.
In real life, you will have application servers/database servers in a private subnet but still need internet connectivity to download packages. For this, NAT can be used: it allows instances in the private subnet to reach the internet, but these instances cannot be reached from the internet.
In this exercise, learn how to use an EC2 instance as NAT instead of a NAT Gateway.
Understand that NAT Gateway is a managed AWS service which automatically scales and is highly available within the AZ. When we use an EC2 instance as NAT, it's called a NAT Instance. In that case, the availability and bandwidth scaling are limited, and hence a NAT Instance might not be a good choice for a production environment. Typically people deploy NAT instances in Dev/QA environments and use NAT Gateway in Production.
In this exercise, learn how to set up VPC peering between 2 VPCs across AWS Regions. VPC Peering is a very important feature of AWS networking by which you can create private connectivity between 2 VPCs. The EC2 instances in these VPCs can communicate with each other over private IP addresses.
With VPC Peering, you don't need a VPN connection, and there is no need to expose your applications over the internet if only other customers in AWS need to access them securely.
This lecture captures the VPC peering features, limitations and use cases. Though VPC Peering is an important offering from AWS, it has been designed in a way that does not allow transitive access. Due to this, VPC peering is a safe networking construct which you can use to allow private communication between workloads hosted in the same or different AWS accounts, in the same or different AWS regions.
In this lecture, let's understand the VPC endpoint and VPC PrivateLink features. We will also see when and where to use these networking components.
In this exercise, we will see how to use a VPC Endpoint gateway, which enables a private connection between a VPC and another AWS service (currently only S3 and DynamoDB). If enabled, you do not require an IGW or NAT when EC2 needs to access S3 or DynamoDB in the same AWS region. The traffic between the VPC and the AWS service does not leave the Amazon network.
Using a VPC endpoint gateway instead of the internet to access S3 saves you considerable data transfer cost (and NAT charges). The VPC endpoint gateway also scales automatically as more bandwidth is required and provides consistent bandwidth for S3 or DynamoDB access.
In this lab (Part 2), we will create a PrivateLink for the Customer service that we created in Part 1 and then access the Customer service from the consumer VPC over the VPC PrivateLink.
Try to play around with Network ACL rules and see how they impact the inbound and outbound traffic.
Let's understand the basics of hybrid connectivity in AWS and when and where you would use Site-to-Site VPN connections.
In this exercise, we will see how to set up a Site-to-Site IPsec VPN connection between an AWS VPC and a simulated data center. As we don't have our own physical data center router on the other end, we will use an EC2 instance with Openswan VPN software installed as the VPN endpoint.
After completing this exercise, you will know how VPN works in the real world. As a next step, you may also want to set up VPN connectivity between AWS and Google Cloud, or AWS and Azure.
We earlier learnt about AWS Site-to-Site VPN. In this lecture we will understand the basics of Client-to-Site VPN and then the AWS Client VPN service, its components and architecture.
Let's set up AWS Client VPN from our local workstation to the AWS VPC. AWS Client VPN setup is slightly more complicated than Site-to-Site VPN and has a few more components, like Authorization Rules and Authentication. We will see all these components one by one and create them as we progress through the lab.
By the end of this lab, you should be able to set up Client-to-Site VPN successfully.
When we set up Client-to-Site VPN, by default all the traffic from the local workstation is routed into the VPN, including your outbound internet traffic. If the VPC we are connecting to does not have explicit outbound internet connectivity via the IGW, then we also cannot access the internet from our local workstation while connected to the VPN.
In this lecture we will see how to enable internet connectivity using the two available options:
1. Via VPC VGW
2. Using local workstation internet (Split Tunnel)
In the earlier lecture, we saw how to access the internet via the VPC IGW; however, this is probably not the correct approach in all scenarios. In many cases you might have to access other networks from your local workstation, e.g. your home network, or you may want to use the internet connection directly from your workstation. In such situations you can configure split tunnel on your OpenVPN client. In that case you route only the desired traffic through the VPN tunnel and the rest of the traffic is routed through your local network.
In this lecture, we will see how to configure Split Tunnel while using AWS Client VPN.
In earlier lectures we saw a few scenarios where we can access the internet via the IGW or use the local internet using the Split Tunnel method. However, as you now know, the Client VPN traffic lands in your VPC's target subnet, and from there you can reach any other network connected to your VPC: the IGW, peered VPCs, other IPsec VPNs connected to your VPC, Transit Gateway, VPC endpoints, etc.
In this lecture, we will see how to access a peered VPC while you are connected to the base VPC via AWS Client VPN.
In this lecture, let's understand the functionality of the Transit Gateway and what problem it solves.
Let's see how Transit Gateway routes traffic across the attachments and how routes are propagated into the default route table.
AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. As you grow the number of workloads running on AWS, you need to be able to scale your networks across multiple accounts and Amazon VPCs to keep up with the growth. Today, you can connect pairs of Amazon VPCs using peering. However, managing point-to-point connectivity across many Amazon VPCs, without the ability to centrally manage the connectivity policies, can be operationally costly and cumbersome. For on-premises connectivity, you need to attach your AWS VPN to each individual Amazon VPC. This solution can be time consuming to build and hard to manage when the number of VPCs grows into the hundreds.
In this exercise, instead of using the default route table of the Transit Gateway, we will create attachment-specific route tables and manually add routes to them to selectively allow connectivity between the VPCs.
Launch a simple web server using EC2 and then allocate and assign an Elastic IP to this EC2 instance. At this point you can access your website using the static Public IP.
Let's access this web server using our own public domain name. For this, we will be using the Amazon Route53 DNS service.
In this exercise, we will see how to use Route53 to achieve AWS Region-level failover. As you already know, we can use ELB with backend EC2 instances to achieve high availability within the same AWS region. However, it is often required to distribute your workloads across AWS regions, e.g. for failover, country-specific regulations, providing lower latency to end users, etc. In this case, we need to manage the traffic at the DNS level, and this is done using the different AWS Route53 routing policies.
In this exercise, we will be using the Failover routing policy, where we configure the Primary and Secondary sites in different AWS regions and then simulate a primary site failure, which results in DNS switching to the secondary site.
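The failover setup described above, expressed as an added CloudFormation example (this is not the course's own template): a Route53 health check on the primary site and two alias A records for the same name, one marked PRIMARY and one SECONDARY. The hosted zone, the record name and the ALB DNS names/zone IDs are parameters you supply; `www.example.com` is a placeholder domain.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the course's template): Route53 failover routing
  between a primary and a secondary site in different AWS Regions.

Parameters:
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id     # the public hosted zone for your domain
  RecordName:
    Type: String
    Default: www.example.com.              # placeholder record name (trailing dot = FQDN)
  PrimaryAlbDns:
    Type: String                           # DNS name of the ALB in the primary Region
  PrimaryAlbZoneId:
    Type: String                           # canonical hosted zone ID of that ALB (Region specific)
  SecondaryAlbDns:
    Type: String                           # DNS name of the ALB in the secondary Region
  SecondaryAlbZoneId:
    Type: String

Resources:
  # Route53 probes the primary site from several locations; after
  # FailureThreshold consecutive failures the PRIMARY record is considered
  # unhealthy and queries are answered with the SECONDARY record instead.
  PrimaryHealthCheck:
    Type: AWS::Route53::HealthCheck
    Properties:
      HealthCheckConfig:
        Type: HTTP
        FullyQualifiedDomainName: !Ref PrimaryAlbDns
        Port: 80
        ResourcePath: /
        RequestInterval: 30
        FailureThreshold: 3

  PrimaryRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref RecordName
      Type: A
      SetIdentifier: primary-region        # records with the same name need distinct identifiers
      Failover: PRIMARY
      HealthCheckId: !Ref PrimaryHealthCheck
      AliasTarget:                         # alias, not CNAME, so it works at the zone apex too
        DNSName: !Ref PrimaryAlbDns
        HostedZoneId: !Ref PrimaryAlbZoneId
        EvaluateTargetHealth: true

  SecondaryRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref RecordName
      Type: A
      SetIdentifier: secondary-region
      Failover: SECONDARY
      AliasTarget:
        DNSName: !Ref SecondaryAlbDns
        HostedZoneId: !Ref SecondaryAlbZoneId
        EvaluateTargetHealth: true
```

To simulate the primary failure from the exercise, stop the primary site's backend instances (or deregister them from the ALB) and watch the health check turn unhealthy; a subsequent DNS lookup of the record name returns the secondary ALB's addresses. Keep the record TTL considerations in mind: alias records inherit the ALB's TTL, so clients pick up the switch quickly.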
In this lecture, we will see how to host a static website on S3. AWS provides its own DNS name for the website, so we need to map our own domain name to the AWS-provided DNS name. This is done using the AWS Route53 service. For this exercise, I got my domain from GoDaddy and updated the GoDaddy DNS settings to delegate to AWS Route53 DNS. Then I added a record set in AWS Route53 to point my custom domain to S3.
Note that AWS S3 does not provide a single IP address for websites hosted on S3, hence we have to use a Route53 Alias record set to point our domain name to the S3 DNS name.
In this lecture, we will see how to enable HTTPS for websites hosted on S3. In the last lecture we hosted a static website on S3; however, we can't serve it over HTTPS as S3 does not support uploading SSL certificates. For this we need CloudFront (CDN), which acts as a front end for our website. We can deploy an SSL certificate on CloudFront, and it also caches static content like pictures/media, giving users a better experience by serving the content from the nearest edge location.
For this exercise, you need your own domain name. You can buy one either from AWS or from any other domain registrar like GoDaddy or Namecheap. To learn how to redirect your DNS queries from the domain registrar to AWS Route53, please refer to the Pre-requisites section.
In this lecture, let's understand the basics of the Amazon Elastic Load Balancer (ELB) service. ELB is an important AWS service for building highly available and resilient applications. It distributes the incoming traffic to multiple backend application servers across Availability Zones. ELB supports multiple network protocols and comes in different flavours depending on which layer of the network (OSI) your application works at. AWS provides 4 types of Load Balancers: Classic Load Balancer (CLB), Application Load Balancer (ALB), Network Load Balancer (NLB) and Gateway Load Balancer (GWLB). In this section we will primarily focus on the Application Load Balancer as it is the most widely used load balancer.
In this lecture, let's understand the components and features of the Application Load Balancer. Before we get into the exercises, it's important to understand how ALB routes traffic to targets using routing rules and algorithms.
For the ALB exercises, we will launch the backend EC2 instances in private subnets, so we need to launch EC2 instances that already have the web server configured, so that we don't need to connect to each EC2 instance and manually install it. Also, being in a private subnet, these web servers cannot access the outbound internet, so they can't even download the web server package (e.g. httpd) from the internet. Hence, we need to create an EC2 Amazon Machine Image (AMI) and use it to launch these backend web servers.
In this lecture, we will start with a basic ALB with two backend EC2 instances. The important thing here is the VPC network setup. Note that the ALB is internet-facing and hence should be launched in Public Subnets across AZs; however, the backend EC2 instances need not be public-facing and ideally should be launched inside Private subnets across AZs.
In this lecture, we will set up the VPC and launch the ALB and backend EC2 instances. We will also see that by default the ALB does round-robin routing to the backend EC2 instances.
In this lecture we will see how to use our own domain name to serve an application hosted behind a Load Balancer. For this we need to have purchased our own domain name and to use the AWS Route53 DNS service. In Route53, we will create an A record (Alias) and point our custom domain or subdomain to the ALB DNS name.
In this lecture we will see how to enable session stickiness so that requests from any particular client are served by the same backend EC2 instance. This is often required when you are doing a transaction or session data has to be persisted for some time until the user takes an action. Here, the AWS Application Load Balancer uses the AWSALB cookie.
In this lecture, we will see how we can use the Application Load Balancer to route traffic to different backend EC2 instances based on the URL/path of the HTTP request. As you know, ALB works at Layer 7 and hence HTTP requests can be inspected by the ALB. Based on a certain string in the path, e.g. /images or /videos, we can configure rules in the ALB listener to route traffic to different target groups, which in turn distribute traffic to different groups of backend EC2 instances.
In this lecture, we will extend the earlier setup and serve our application over HTTPS instead of HTTP. As you already know, in order to enable HTTPS (SSL) communication, we need to deploy an SSL certificate for the domain. Hence, we will acquire the SSL certificate for our custom domain from ACM (AWS Certificate Manager) and deploy it on the ALB.
Like ALB host-based routing, in this exercise you should implement URL/path-based routing. For this you first need a web server which serves the web pages for a specific path, e.g. /mumbai or /london, which means manually configuring the corresponding directories in the web server. In this exercise, you should first create EC2 AMIs similar to what we did in the host-based routing exercise, but this time make sure the web server can serve the path-based pages as described earlier.
In this lecture, let's understand the different ways to automate infrastructure creation in AWS. We will touch upon the AWS CLI, SDK, CloudFormation and CDK, and we will see how to deploy a VPC, subnets, etc. using AWS CloudFormation. I have also provided a CloudFormation template for you to download (in the resources section for this lecture) so that you can deploy it in your AWS account.
Make sure to delete the CloudFormation stack after you are done.
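The public/private subnet layout built by hand in the earlier exercises (public subnet with an Internet Gateway route, private subnet with a default route to a NAT Gateway) is the natural thing to automate with CloudFormation. The template below is an added example written for this page; it is not the course's downloadable template. The CIDR ranges and the Name tag are assumed values; both subnets are placed in the first Availability Zone of the Region for brevity.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the course's template): VPC with one public and one
  private subnet, an Internet Gateway for the public subnet and a NAT
  Gateway giving the private subnet outbound-only internet access.

Parameters:
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16        # assumed CIDR, change to suit your address plan
  PublicSubnetCidr:
    Type: String
    Default: 10.0.1.0/24
  PrivateSubnetCidr:
    Type: String
    Default: 10.0.2.0/24

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags: [{ Key: Name, Value: course-vpc }]   # assumed tag value

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # "Public" is not a subnet attribute: a subnet is public because its route
  # table sends 0.0.0.0/0 to the IGW and its instances receive public IPs.
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PublicSubnetCidr
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: true

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PrivateSubnetCidr
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: false

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway     # the IGW must be attached before it can be a route target
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  NatEip:
    Type: AWS::EC2::EIP
    DependsOn: AttachGateway
    Properties:
      Domain: vpc

  NatGateway:                    # lives in the public subnet, like the NAT instance exercise
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnet

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  # Private instances reach the internet via the NAT Gateway only; nothing
  # on the internet can initiate a connection to them.
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

Outputs:
  PublicSubnetId: { Value: !Ref PublicSubnet }
  PrivateSubnetId: { Value: !Ref PrivateSubnet }
```

Deploy it with `aws cloudformation deploy --template-file vpc.yaml --stack-name course-vpc` and, as the lecture says, delete the stack afterwards: the NAT Gateway and its Elastic IP are billed by the hour whether or not anything uses them, so an unattended stack is exactly the kind of cost the daily usage report from the pre-requisites section is meant to catch.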
In this assignment you have to deploy a 2-Tier web application with an application server and a MySQL database.
Once you have your basic web app working as expected, modify the infrastructure deployment to support high availability by deploying application servers across Availability Zones and configuring the DB in Multi-AZ mode. For this you also need to introduce an Application Load Balancer.
Further, to make the web app secure over the network, you need to use a custom domain name and also deploy an SSL/TLS certificate on the ALB.
Congratulations on completing this course. I hope you have done all the hands-on exercises and also tried to complete the assignments. I hope that you liked the content, and I am sure you must be feeling much more confident working in AWS when it comes to AWS VPC and networking services.
Kindly provide your valuable feedback for this course!
So what's next? In this lecture I will be sharing my experience on which AWS certification you should target based on your role. So, let's continue this journey together.
Finally, thank you for investing your time in this course, I am glad to be a part of your learning journey.
Keep learning!
~Chetan
https://www.awswithchetan.com