Amazon AWS Certified Advanced Networking Specialty – Networking & AWS Primer Part 5
13. IPv6 – Integrating it with VPC – Part 02
Hey everyone and welcome back to the KP Labs course. So in the earlier lecture we had launched two instances in the new VPC which has IPv6 configured. So if I go to EC2, these are the two instances which are created. Now within the two instances you see I have a public IPv4 and I also have the IPv6 address which is configured for both the instances. So let’s just name these instances; I’ll say demo IPv6 and I’ll just name the second instance as demo v6 client. So what we’ll be doing in today’s lab is, from this IPv6 client, we’ll go ahead and try and connect to this demo IPv6 server via the IPv6 protocol. Perfect. So let’s do one thing, let’s go ahead and connect to both of these instances via the public IP. So the reason why I am not able to connect right now with a private IPv6… so you can actually certainly do the IPv6 part as well.
Let me do a quick less so I can run the command. Something similar to this. But within my terminal, the routes for IPv6 are not properly configured, and this is the reason why you see “network is unreachable”. But whenever you launch an Amazon Linux instance which has IPv6, the routes and everything locally within the instance are configured correctly, and this is the reason why we launched two instances, to actually check if everything works perfectly. So great. So let’s connect to the first instance and along with that, let’s connect to the second instance. So if you go to the console, the IPv6 address associated with the first EC2 instance ends with 7663, so let’s quickly verify. If I do an ifconfig you see 7663, so this is the inet6 addr which is the IPv6 address associated. So things seem to be working perfectly. So the first thing that you should ideally try is to verify whether you are actually able to ping this specific instance. So from my second instance I’ll do a ping6. Remember, if you just try ping it will not work, we already discussed this, so you need to use a different package, ping6, to verify if it actually is working. So currently it doesn’t seem to be working. This is because the security groups are not configured for IPv6.
So let’s quickly go to the security group and let’s add one more security group rule for ICMP version six; this is what we are interested in, and we’ll allow it for all. Let me click on save. Perfect. So now let’s try and ping and you see it seems to be working perfectly, so now you are actually able to ping based on the IPv6 address. So the next thing that we would like to try is connecting to this specific server from our client. So in order to do that we’ll definitely need the key with which the server was launched. So I have the key locally. So what I’ll quickly do, I’ll do an scp of kplabs.pem to ec2-user@… let me fetch the IP address of the client. Perfect.
So the key is uploaded to the server and I’ll copy the key from the temp directory to the .ssh folder, and once this is done, quickly do a chmod on the key which has recently been uploaded. Perfect. So things seem to be working perfectly. Let’s go ahead and try to do the SSH to the server. So I’ll specify the -i key path, I’ll specify ec2-user@, and this time I’ll use the IPv6 address, the entire address. Let me copy this up, I’ll paste it, and you see I am logged in perfectly. Great. So this is how you can actually configure IPv6 within the VPC and you can actually get it working. So this is it about this lecture; it’s quite simple, isn’t it? So initially the earlier thoughts were that IPv6 configuration is actually difficult, but if you’ll see, it’s quite simple. Anyways, this is it about this lecture. I hope this has been informative for you and I look forward to seeing you in the next lecture.
14. Egress only IGW
Hey everyone and welcome back to the KP Labs course. So in today’s lecture, we’ll be discussing the egress-only internet gateways. So these egress-only internet gateways are specifically designed for VPCs which have IPv6 enabled. So let’s look into why this type of gateway is required. So when it comes to IPv6, the IPv6 addresses which have been assigned by AWS are publicly routable. So you can consider this very similar to the Elastic IPs that you receive from AWS. Now, since these IPs are publicly routable addresses, this means that the instance in the public subnet can initiate the connection towards the internet through the internet gateway. So this is very similar, and I am sure that you already know, that if an internet gateway is attached to the route table and you have a correct route, then the EC2 instance will be able to connect to the internet. Now, in a similar way, the resources from the internet can also connect to the EC2 instance.
So I can initiate the connection if I have the public IP of the EC2 instance, provided the firewall rules allow it. So, since IPv6 addresses are globally unique and thus public by default, many times in use cases there is a requirement to have functionality where you can connect to the internet, but the internet should not be able to directly connect back to you. So a simple example is a NAT gateway in the private subnets. So all the instances within the private subnet can connect towards the internet, but from the internet you cannot directly initiate a new connection back to the instances. And the egress-only internet gateway provides very similar functionality to the NAT gateway, just for IPv6. So let’s look into how the internet gateways can be established.
So, before we do that, I have one EC2 instance running. And if you’ll see, I have both a public IPv4 and a public IPv6 address. So if I quickly do an online IPv6 ping, let me copy this IPv6 address and I’ll just paste it up here, and let’s check whether the internet can initiate the connection. So let’s quickly verify, and you see I am able to get the perfect reply back.
Great. So now let’s go to the VPC and enable the Internet only gateways. So generally in a subnet where you have a NAT gateway, you will not be able to ping to that instance directly from the internet. So the egress-only gateway will perform a similar function. So within the VPC console, go to the egress-only gateways, create a new egress gateway, and I’ll create it in the demo IPv6 VPC where the EC2 instances are. Perfect. So this is our gateway. Now I’ll just filter out by the VPC, I’ll go to the route table, and there is one route table which is associated with the VPC. And within this you will see that I have two entries over here, and both the entries are going to the Internet gateway. So this means that anyone from the Internet will be able to connect to my EC2 instance, both on public IPv4 and public IPv6, provided the security group allows it.
So now instead of the IGW, I’ll remove the IGW entry and I’ll select the EIGW and I’ll click on save. Perfect. So now this is like a NAT gateway. So the EC2 instance will be able to reach the Internet. However, from the Internet, you will not be able to have the direct connection back, or I would say a direct new connection, to the EC2 instance. So let’s go back and let’s try a ping again. So you see, this time I had 100% packet loss. So this is actually acting like a NAT gateway. So no new connection; I will not be able to directly initiate a connection via IPv6 towards the instance. So this is what the egress-only Internet gateway is all about. So if you look into the architecture, you can have an architecture which is very similar to this, where you have the destination for IPv4, which is local, you have the IPv6 addresses, which are again local, and for the EC2 instance to connect back to the Internet, you use the EIGW. And so that EC2 instance will be able to reach the Internet. However, the Internet will not be able to reach back to the EC2 instance, very similar to the NAT gateway. Again.
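The two controls exercised in lectures 13 and 14 (an inbound security-group rule that has to match the IPv6 address family, and a ::/0 route whose target decides whether the internet can open a new connection) can be modelled offline. The following is an added example written for this page, not code from the KP Labs course or from AWS; the VPC prefixes (10.0.0.0/16 and the 2001:db8:: documentation range), the client and internet addresses, the rule sets and the gateway ids igw-demo / eigw-demo are all constructed for the demo. The evaluation logic follows how AWS applies stateful security groups and route-table targets, but it is a simplified model, not the AWS implementation.

```python
# Added example (not from the KP Labs course): an offline model of the two
# controls the lectures above exercise on an IPv6-enabled VPC. Instance
# addresses, rule sets and gateway ids below are constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SgRule:
    """One inbound security-group rule: protocol, source CIDR, port range."""
    protocol: str        # "tcp", "udp", "icmp", "icmpv6" or "-1" for all traffic
    cidr: str            # IPv4 or IPv6 source block, e.g. "0.0.0.0/0" or "::/0"
    from_port: int = -1  # -1 means "any" (also how AWS expresses ICMP type/code)
    to_port: int = -1


@dataclass(frozen=True)
class Route:
    """One route-table entry: destination CIDR and its target."""
    destination: str
    target: str          # "local", "igw-...", "eigw-..." (hypothetical ids)


def sg_allows(rules, protocol, src, port=None):
    """True if an inbound rule matches the source address *and* its address family.

    A 0.0.0.0/0 rule never matches an IPv6 source, and an "icmp" rule never
    matches ICMPv6, which is why the lecture's ping6 failed until an ICMPv6
    rule was added.
    """
    src_ip = ip_address(src)
    for rule in rules:
        net = ip_network(rule.cidr)
        if net.version != src_ip.version or src_ip not in net:
            continue
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol in ("tcp", "udp") and port is not None:
            if not rule.from_port <= port <= rule.to_port:
                continue
        return True
    return False


def lookup(routes, dst):
    """Longest-prefix match over the route table, ignoring the other address family."""
    dst_ip = ip_address(dst)
    best = None
    for route in routes:
        net = ip_network(route.destination)
        if net.version == dst_ip.version and dst_ip in net:
            if best is None or net.prefixlen > ip_network(best.destination).prefixlen:
                best = route
    return best


def can_initiate_outbound(routes, dst):
    """The instance can open a connection to dst if some route carries it.

    Both an IGW and an EIGW forward outbound traffic; the reply is allowed back
    because the gateway and the security group are stateful.
    """
    return lookup(routes, dst) is not None


def can_initiate_inbound(routes, rules, src, protocol, port=None):
    """A host at src can open a *new* connection only if the return route does not
    sit behind an EIGW and an inbound security-group rule matches."""
    route = lookup(routes, src)
    if route is None or route.target.startswith("eigw-"):
        return False
    return sg_allows(rules, protocol, src, port)


# Constructed VPC: IPv4 10.0.0.0/16 and a /56 from the IPv6 documentation prefix.
LOCAL = [Route("10.0.0.0/16", "local"), Route("2001:db8:1234:5600::/56", "local")]
WITH_IGW = LOCAL + [Route("0.0.0.0/0", "igw-demo"), Route("::/0", "igw-demo")]
WITH_EIGW = LOCAL + [Route("0.0.0.0/0", "igw-demo"), Route("::/0", "eigw-demo")]

SSH_V4_ONLY = [SgRule("tcp", "0.0.0.0/0", 22, 22)]
SSH_AND_PING6 = SSH_V4_ONLY + [SgRule("icmpv6", "::/0"), SgRule("tcp", "::/0", 22, 22)]

CLIENT_V6 = "2001:db8:1234:5601::10"    # the "demo v6 client", inside the VPC
INTERNET_V6 = "2001:db8:ffff::1"        # a host outside the VPC


if __name__ == "__main__":
    print("ping6 from client, IPv4-only SG:", can_initiate_inbound(WITH_IGW, SSH_V4_ONLY, CLIENT_V6, "icmpv6"))
    print("ping6 from client, ICMPv6 rule added:", can_initiate_inbound(WITH_IGW, SSH_AND_PING6, CLIENT_V6, "icmpv6"))
    print("ping6 from internet via IGW:", can_initiate_inbound(WITH_IGW, SSH_AND_PING6, INTERNET_V6, "icmpv6"))
    print("ping6 from internet via EIGW:", can_initiate_inbound(WITH_EIGW, SSH_AND_PING6, INTERNET_V6, "icmpv6"))
    print("instance reaching internet via EIGW:", can_initiate_outbound(WITH_EIGW, INTERNET_V6))
```

The first two calls reproduce the ping6 failure and fix from lecture 13, and the last three reproduce lecture 14: with ::/0 pointing at the IGW the internet host gets a reply, with it pointing at the EIGW the same host gets nothing while the instance can still reach out. Note that the IPv4-only TCP/22 rule also does not cover SSH over IPv6; an explicit ::/0 (or narrower) IPv6 source is needed for that.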
15. IP Address Reservations in VPC
Hey everyone, and welcome back to the Knowledge Pool video series. And in today’s lecture we are going to speak about IP address reservation in AWS. So generally, whenever we create a network, be it in AWS or be it in a data center, there are certain addresses which need to be reserved for a specific functionality. Now, in today’s lecture we’ll be looking into what are the IP addresses which are reserved when we create a subnet under the VPC in AWS. So let’s get started. Now, by default, EC2 and VPC use the IPv4 addressing protocol. Now, IPv6 addressing is also supported. So thus when we create a VPC, we must assign an IPv4 CIDR block. So let’s just revise this specific aspect. Now, under the VPC console when I go and create a VPC, in the VPC I have to give the IPv4 CIDR block as a mandatory option.
Now the question is, can I create any IPv4 CIDR block? Let’s try it out. So if I do a 10.0.0.0/8 network, you see it is giving an error saying that the block size must be between a /16 netmask and a /28 netmask. And this is very, very important for us to understand. So the maximum amount of IP addresses we can have would be under the /16 and the minimum amount of IP addresses that we can have would be /28. Now, for those who are not much aware about subnets, there is a nice little website from MX Toolbox which basically calculates the netmask. So if you want to know how many IP addresses there will be in total under the /16 netmask, let’s try this out. So let me put 10.0.0.0 and in the netmask I’ll put it as 16. And if I click on view subnet, you see it is saying that the maximum amount of IP addresses that we can have is 65536. So under a VPC we can have a maximum of 65536 IP addresses that we can assign as far as the private IPs are concerned. Now, this is the maximum limit and the minimum limit it has said is /28. So let’s try /28 as well and see what the IP addresses are that we can have if we select a /28. So I’ll select 28 over here and I click on view subnet and you see the maximum amount of IP addresses under /28 is 16.
So in short, the minimum subnet range that we can have, or minimum amount of IP addresses that we can have, is /28 and the maximum is /16. So this is very important for us to remember. So coming back to the PowerPoint presentation, the IPv4 block must be between /16 and /28. So this is something that we have already discussed. Now, when we specify /16, we can have a maximum of 65536 IP addresses. And when we specify /28, we can have a maximum of 16 IP addresses. So whenever you create a VPC, make sure that you design it in such a way that it fulfills your future requirements. So if I put a /16 over here, I can create multiple subnets: one /24 which will have 256 IPs and another /24 which will have 256 IPs again. Now, many people make a lot of mistakes. Like, let’s assume that you only need a maximum of, let’s assume, 200 machines in a specific subnet.
Now if at maximum you need 200 machines, do not assign a larger range; do not assign a /16 for the subnet, as a lot of IP addresses will get wasted. If you only need ten machines in this subnet, then give the range of /28. Do not give a /24. And this will save you a lot and a lot of trouble, specifically when you are going to do tunneling between your organization and a different organization. Let me just show you. Let’s create a VPC as KP Labs-demo and I’ll give the range of 10.0.0.0/16, okay? And I’ll click on Create. So once this VPC gets created, we can have a maximum of 65536 IP addresses within this specific VPC. Now let’s go ahead and create a subnet. I’ll name the subnet as KP Labs subnet. Now, what should be the CIDR block of this subnet is a question. Now, in order to understand this, you have to map out what is the maximum amount of servers that you will be needing in a subnet as far as the future is concerned. So let’s consider the next five years. And if you are 100% sure that the maximum amount of servers in this subnet will be no more than 200, then you can assign the CIDR range of 10.0.0.0/24. So I’ll click on yes, create.
So if you select /24, then the maximum amount of IP addresses would be 256. Let’s just quickly verify. I’ll select the /24 and click on view subnet. You see the maximum would be 256. So you cannot really have more than 256 IP addresses in this specific subnet. So after five years, if you want to launch more servers, like 300 servers, in this specific subnet, you will not be able to do that. Very, very important to remember. Now, let’s create one more subnet. And I’ll say KP Labs-subnet 2A. Now in this specific subnet, you have a requirement that there will be around 3000 to 4000 machines as far as the future is concerned. So what is the IPv4 CIDR block? You cannot have /24 because /24 will not accommodate more than 256 servers.
So in that case, what you need to do is you need to go down less. So the more you go down, let me show you, the more you go down, the larger the IP sets you will get. So let’s try /22 and I’ll click on view subnet. So /22 is giving me 1024. That is quite interesting. If I go further down, let’s go to /20; /20 is giving me 4096. So, since our future requirement is around 3000 to 4000 servers, /20 is the optimal netmask for our second subnet. So if I do 10.0.0.0/20 and I’ll click on yes, Create. And you know what it says? It says that this CIDR block is overlapping with one more CIDR block. So this is very important to remember, that two CIDR blocks cannot overlap each other. This is extremely important to understand as far as the exams are concerned. So let’s do one thing. Let me just delete the CIDR block and let me create one more.
I’ll say KP Labs subnet 2A and let’s give a /20 range. And when I do a yes, create, any instances that you will be launching within this can have a maximum of these many IP addresses. So this is one very important thing to consider. Now, one mistake, as we already discussed, that a lot of organizations make is that they blindly give the CIDR block of like /16 even for subnets. And this is not an ideal solution; if you only need a maximum of 200 servers, never give /20, give only /24. So this is one important thing that I would really encourage you to follow. Perfect. So let’s go back to our presentation. Now, talking about reservation, as far as Amazon is concerned, whenever we create a subnet, there are five IP addresses within that subnet which are always reserved. So what are those five addresses? Among those five addresses, the first four IP addresses and the last IP address in each subnet are not available for us to use and cannot be assigned to an instance.
So, whenever you create a subnet, remember that a total of five IP addresses will not be available for you to use. So, let’s take an example for that. So, if you have a subnet block of 10.0.0.0/24, we know that among these, five IP addresses will not be available for us to use. Now, what are these five IP addresses? The first is the network address. So the network address and broadcast address are generally reserved for most of the networks. So 10.0.0.0 and 10.0.0.255: this is the first and this is the last IP address. They are always reserved. Then Amazon uses 10.0.0.1 for the VPC router. So this is the IP address reserved for the VPC router. 10.0.0.2 is reserved for the AWS DNS. And my mistake, this should be 10.0.0.3 and that is reserved for future use. So, let’s do one thing. Let me just make the changes right now so that it will not be confusing to us.
So, as a solutions architect, we need to remember that there are five IP addresses which are reserved. First is the network address, last is the broadcast. Then we have one for the VPC router, a second for the VPC DNS, and a third reserved for future use. So, let’s try this out. So, we know that within a /24, let’s try, you know, how many IP addresses can be reserved. So there will be a total of 256 IP addresses within the /24 subnet. So you see, /24 is 256 IP addresses. Now, we know that whenever we create a subnet with /24, five IP addresses will always be reserved. And if you subtract five from 256, you will get 251. So in total, you will have 251 IP addresses that you can assign to your EC2 instances. So, let’s try this out. I’ll delete the older subnet and let’s try and create a subnet; this is a KP Labs subnet. Let’s create a subnet of 10.0.0.0/24. Now, we know this will have 256, minus five would be 251. So there will be a total of 251 IP addresses that you can assign. Let’s check.
So, the good thing about AWS is that under the available IPv4, it will tell you how many IP addresses are available. And you will see the total is 251 only. Although this subnet has 256 IP addresses in total, the only available you have is 251. Now, one last thing I wanted to show you is the IP address for the AWS DNS. So let me log into one of the EC2 instances, and generally what happens is the .2 at the end is generally reserved for DNS. So whenever you launch an EC2 instance, if you do a cat on /etc/resolv.conf, you will see the .2, the last octet 2. This is generally reserved for the AWS VPC DNS. So this is something that you need to remember very well for exams. So this is it about this lecture. Important points to remember for exams: understand the minimum and maximum netmask that you can have, which is /16 and /28. Know that five IP addresses in each subnet are reserved. And as we discussed, IP addresses of subnets cannot overlap each other, like two people cannot have the same phone numbers. Similarly, IP addresses cannot overlap.
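The rules this lecture walks through in the console (a block must be between /16 and /28, five addresses per subnet are held back, the usable count is the block size minus five, and two subnets of one VPC may not overlap) can be checked before anything is created. The following is an added example written for this page, not code from the KP Labs course or from AWS; it uses Python’s standard ipaddress module, and the subnet names and the 10.0.16.0/20 block are constructed for the demo. It goes slightly beyond the lecture by also computing the smallest prefix that covers a given host count.

```python
# Added example (not from the KP Labs course): a small planner that encodes the
# subnet rules from this lecture with Python's ipaddress module. Subnet names
# and address blocks below are constructed for the demo.
from ipaddress import IPv4Network

VPC_LARGEST_PREFIX = 16   # AWS: a VPC or subnet block must be between /16 ...
VPC_SMALLEST_PREFIX = 28  # ... and /28
AWS_RESERVED_PER_SUBNET = 5


def validate_block(cidr):
    """Reject blocks outside /16../28 or written with host bits set (e.g. 10.0.0.1/24)."""
    net = IPv4Network(cidr)  # strict mode: raises ValueError if host bits are set
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: block size must be between a /16 and a /28 netmask")
    return net


def reserved_addresses(subnet):
    """The five addresses AWS holds back in every subnet, keyed by their role."""
    first = subnet.network_address
    return {
        "network": first,
        "vpc_router": first + 1,
        "dns": first + 2,
        "future_use": first + 3,
        "broadcast": subnet.broadcast_address,
    }


def usable_hosts(subnet):
    """Addresses an instance can actually receive: block size minus the five reserved."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts):
    """Longest prefix (smallest subnet) whose usable count still covers `hosts`."""
    for prefix in range(VPC_SMALLEST_PREFIX, VPC_LARGEST_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


class VpcPlan:
    """Tracks a VPC block and its subnets, refusing overlaps the way the console does."""

    def __init__(self, cidr):
        self.vpc = validate_block(cidr)
        self.subnets = {}

    def add_subnet(self, name, cidr):
        net = validate_block(cidr)
        if not net.subnet_of(self.vpc):
            raise ValueError(f"{cidr} is not inside the VPC block {self.vpc}")
        for other_name, other in self.subnets.items():
            if net.overlaps(other):
                raise ValueError(f"{cidr} overlaps subnet {other_name} ({other})")
        self.subnets[name] = net
        return net

    def available(self, name):
        """What the console shows as 'Available IPv4 addresses' for a subnet."""
        return usable_hosts(self.subnets[name])


if __name__ == "__main__":
    plan = VpcPlan("10.0.0.0/16")
    plan.add_subnet("kplabs-subnet", "10.0.0.0/24")           # up to 200 servers -> /24
    try:
        plan.add_subnet("kplabs-subnet-2a", "10.0.0.0/20")    # overlaps the /24 above
    except ValueError as err:
        print("console would refuse:", err)
    plan.add_subnet("kplabs-subnet-2a", "10.0.16.0/20")       # 3000-4000 servers -> /20
    for name, net in plan.subnets.items():
        print(f"{name}: {net} -> {net.num_addresses} total, {usable_hosts(net)} available")
    print(reserved_addresses(plan.subnets["kplabs-subnet"]))
    print("prefix for 200 hosts:", smallest_prefix_for(200), "for 10 hosts:", smallest_prefix_for(10))
```

Running it reproduces the lecture’s numbers (256 total and 251 available for the /24, 4096 and 4091 for the /20, the overlap refusal for a second 10.0.0.0/20) and lists 10.0.0.0, 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.255 as the reserved addresses of the /24.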