Amazon AWS Certified Advanced Networking Specialty – Virtual Private Networks & IPSec Tunnels Part 5
13. Overview of Border Gateway Protocol
Hey everyone and welcome back to the Knowledge Full video series. So, continuing our journey through the networking section, today we have an overview of Direct Connect. Now Direct Connect is a pretty important topic as far as the exams are concerned, and when it comes to the Advanced Networking Specialty certification, Direct Connect is one of the most important topics. So let’s go ahead and understand the necessity of Direct Connect. Now in normal communication, let’s assume you have a customer and you have a VPC in AWS. So if you want to connect to the VPC, what happens behind the scenes is that the internet comes into the picture. So this is the internet, and then you route your traffic through the internet and you get the data back through the internet. So this is how most communication works. Now when you talk about the internet, the packet basically travels in hops. So there are a lot of routers which are present all over the place. And let’s assume I have my client in India and a server somewhere in Oregon.
So the packets will actually have to travel in hops all over the world to reach the Oregon region. And as you might have assumed, this leads to a lot of latency as well. So let me just show you what I mean by that. So here I have done a simple traceroute to google.com and you see it actually took around 17 hops for my packet to reach the Google server. So this is the first hop, then from the first hop to the second hop. So you can assume that this is the first router to the second, second to third, third to fourth and so on. So in total there were 710 hops which were required for my packets to reach from the client to the destination. Now it actually sometimes goes much higher. This is because Google has local servers in India, but a lot of clients host their websites in North Virginia or Ireland or even Oregon. And to reach there it actually requires like 20 hops or sometimes 25 hops. And that leads to a lot of latency and the website basically starts to get slow.
And this is the reason why this approach is definitely good in general. But certain times, when there are critical applications where latency is one of the most important factors, then the internet is something which is not preferred ideally. So let’s look into the challenges. First, the internet is a good option if the amount of traffic is within a certain limit. Now there is always latency involved if you go through the internet. Now many organizations have a hybrid architecture, like some of the servers are in the data center and some of the servers are in AWS. In one of the companies that I used to work with, we had a hybrid architecture. Some of the application servers were in the data center, and some of the application servers were in the AWS cloud, and both sets of servers needed to communicate for the website to work properly. So for the client request to complete successfully, both the servers in the data center and in AWS, and the network connectivity between them, should be optimal for things to work in an ideal manner.
Now, the network connectivity between the data center and the VPC goes through, let’s assume, an ISP. So if the ISP is down or if the ISP is slow, then the entire website gets hampered. That is one thing. If the ISP is not providing the bandwidth that was requested, again the website becomes slow. So there are a lot of challenges when you go through the Internet, specifically if you have your infrastructure both in the data center and in the cloud and both of them need to communicate. Many organizations are following this approach, and this is the reason why AWS came up with a new feature called Direct Connect. So in order to solve this challenge, AWS introduced Direct Connect.
So AWS Direct Connect lets customers establish a dedicated direct network connection between the customer’s network and one of the Direct Connect locations. So what you do is you have a data center here, you have a VPC here, and you establish a direct connection, like a leased line, from the data center to the VPC, and thus you bypass the Internet. And this is very effective because you don’t really have to worry about things slowing down or other issues. You have a Direct Connect, you have an extremely fast network between your data center and your VPC, and you go ahead and implement a hybrid architecture or whatever you want to implement. So there are a lot of benefits of a Direct Connect connection. Having a direct connection between the customer’s data center and AWS brings a tremendous amount of benefits.
Some of them include consistent network performance. So I’m sure many of you must be familiar with this: if you have WiFi, you will not get fast speed all the time. Certain times you will get very slow speed, certain times the WiFi will not work at all. That is inconsistent network performance. So when you go with Direct Connect you have consistent network performance, because that amount of bandwidth is allocated to you and it is not oversubscribed. That is the first part. Second is reduced bandwidth cost. So again, we can refer to the ISP for this. Now generally when you go for an Internet service provider WiFi connection at your home, they have various plans. Plans for 30 GB, plans for 40 GB, plans for 100 GB. The higher you go, the more money you have to pay. And in the same way, when you go to a data center, the higher you go, the more you have to pay.
And when you go for the Direct Connection, since this is something like a leased line which is directly connected, you don’t really have to pay a very high cost. The cost of bandwidth is much lower than that of the ISP. So this is the second. Third is private connectivity to your VPC. And this is also quite good because you don’t have to worry about man-in-the-middle attacks or other things. You have a direct dedicated line to your VPC. So these are a few benefits. Now actually, let me show you. So this is the architecture of the Direct Connect connection, where on the left hand side you have your data center and on the right hand side you have your Amazon VPC.
And in the middle you have a Direct Connect provider. So what you do is you connect a line from your data center to a Direct Connect provider. And the Direct Connect provider has a dedicated fiber optic line to AWS. So all you have to worry about is connecting your data center to one of the Direct Connect providers. So in order to establish this, you definitely have to contact a Direct Connect provider who will help you in establishing the line between your data center and them. And after that, you don’t have to worry, they’ll take care of the other section. So let’s do one thing. Let me show you how exactly that would work in a high level overview.
So this is the AWS Direct Connect page. Now, if you see, the first step is to select a location for Direct Connect. Remember, Direct Connect is region specific. So you have to select a specific region for the Direct Connect location. So in every region you will need a different Direct Connect that you have to establish. Once you select the location, then you can basically configure the virtual interface. So if you see over here, the first part is the connection, then the virtual interface. And then you have to connect. You can connect your data center, office or colocation environment to AWS Direct Connect. So let’s do one thing, let’s go to Connection and let’s click on Create Connection. Now I’ll just say KPLabs-Testing, and then there are various Direct Connect locations which are present. You can select any one of them.
Let me just select any random one. And then you have to specify the port speed. Now by default, Direct Connect connections come with a port speed of 1 Gbps or 10 Gbps, depending on how fast you need this pipe. You can select either 1 Gbps or 10 Gbps as a default. There are other speeds that are also available that we’ll be discussing. Select one of them and click on Create. Now after you click on Create, what will happen is that the state is Requested.
Now you have to wait for Amazon to approve this specific request. And only once this request is approved can you go ahead, go to the virtual interface section and create new virtual interfaces. We’ll be discussing more about virtual interfaces in the upcoming lecture. But just remember that when you have a Direct Connect connection between your data center and the VPC, then the traditional approach of connecting to S3 via the Internet will not be required. You can directly send all the traffic over the Direct Connect connection, which can connect directly to S3, bypassing the Internet. So this makes things extremely fast.
14. Understanding Direct Connect
Hey everyone, and welcome back to the Knowledge Full video series. So, continuing our journey with the Direct Connect connection, today we’ll go ahead and understand more about the virtual interfaces. So in AWS, I hope we remember that after we create a Direct Connect connection, it goes into the Requested state. Now, after it gets approved, the next step that we must take is to create the virtual interfaces. So there are two types of virtual interfaces. Basically, one is public and one is private. So let’s go ahead and understand. So all credit for this diagram goes to the author because this is something that I have not made. You see the Chinese characters here. So let’s look into how it works. So this is your data center and this is AWS.
Now, once the Direct Connect line is established, consider this blue cylinder as the Direct Connect line. Once this is established, we have to create a virtual interface. So each virtual interface can be connected to a virtual gateway. So the virtual gateway is something that we can configure directly in the VPC. Let me just show you. So basically, before we create a virtual interface, we need to create a virtual gateway. So if you see over here you have a virtual private gateway. And when you create a virtual private gateway, let me say test DX and I’ll click on Create. So this virtual private gateway that is created needs to get attached to a VPC.
So one virtual gateway can be attached to only a single VPC. So whenever you create a virtual interface, specifically the private one, it needs to get attached to the virtual gateway. So this interface will get attached to the virtual gateway and the virtual gateway is attached to the VPC. And this is how you can basically connect to the resources which are part of the VPC. So let’s look into how exactly it would work as the overall steps. So the first step is to create a Direct Connect connection and it will go for an approval from the AWS side. So this is where we are. Once approved, you get a letter of authorization, which is the LOA, from AWS, which you can share with the AWS Direct Connect Partner.
So whenever you want to create a connection, you have to give that LOA, which is approved by AWS, to the Direct Connect partner. And the Direct Connect partner will use that LOA to set up a connection on your behalf with AWS. So once this gets accepted, you go ahead and create a virtual interface. There are two types of virtual interface, public and private. Public ones are used to access the public endpoints within the region. And private ones are used to basically access the private endpoints, like private IP addresses of the VPC. So EC2 instances can have private IP addresses. Even RDS can have private IP addresses. So a private VIF can be used to access those. So once your VIF, which is the virtual interface, is created, you will get an option to download the router configuration file, which you can download and upload to your router.
So let’s start with each individual step. So in the first step, we create a connection. I hope you remember, we create a connection, we select the location and we select a port speed, which can be 1 Gbps or 10 Gbps directly. So after we click on Create, it goes into the Requested state, and once the request gets approved, AWS will give us the LOA, which you can download and give to a Direct Connect partner. So we give that LOA to the Direct Connect partner, who will establish the direct connection on your behalf.
Second, once you receive the LOA, you can go ahead and create a virtual interface, and we’ll take care of the private interface first and look at how it actually works. So, each private virtual interface can be assigned to only one virtual gateway. So we have already seen that whenever we want to create a private VIF, we have to create a virtual gateway beforehand. And each virtual gateway can be connected to the VPC resources. And this is the reason why whenever we create a private VIF, it must connect to a virtual gateway. However, when we create a public VIF, the public VIF does not need to connect to the private instances; it needs to connect to the public endpoints, like DynamoDB or S3 within the region. So it does not need a virtual gateway; only the private VIF needs a virtual gateway.
So each private VIF can be assigned to only one virtual gateway. So this is the page where we create a virtual interface. So you see, there are two. You have private, and you have public. So whenever you select private, you have to select the virtual gateway which you have created. This is one important thing to remember. So the next important point to remember is that you can associate a virtual interface with your account or with another account as well. If it is another account, it is called a hosted connection; that is something that you need to remember. Now, along with that, you have to do a lot of things related to BGP. Remember, Direct Connect uses BGP, and one of the advantages of BGP is that you don’t really have to configure your routing. BGP will automatically configure the routing for you.
So if you remember, generally when we establish connectivity, we have to manually add route related data. However, if you use BGP, you don’t have to do that. So since Direct Connect uses BGP, we don’t have to manually add routing. BGP will advertise the routes on your behalf. Once your interface gets created, you get the option to download the router configuration. Now you select your vendor, which can be Cisco or Check Point or other vendors that you might have. You select the platform, you select the software and you go ahead and click on Download.
This will download the configuration file which you have to upload to your router, and the connection can get established. Remember, your router establishes the connection with Direct Connect. It is not the opposite. Now, I am sure that you are confused about how exactly this process works. I cannot directly show you the exact practical, because Direct Connect needs a lot of things related to the connection, and I don’t really have a hardware firewall or a Direct Connect partner whom I can pay. So what I’ll do is share with you a very nice video which was recorded by AWS themselves, which explains the entire procedure of how exactly this works. Because it is AWS, they can approve their own Direct Connect and they can show you how exactly it would work. So this is one of the gaps, I would say, on my behalf, because there are certain things that I will not be able to show you practicals about. So there are certain important pointers that you need to remember as part of the exams. First, by default you have 1 Gbps and 10 Gbps connections available. If you need a slower connection, then there are sub-1 Gbps connections available from the Direct Connect partners, which include 50 Mbps, 100 Mbps, 200 Mbps, 400 Mbps and 500 Mbps. Second, Direct Connect uses public interfaces for accessing public resources like S3 and DynamoDB within the region, and private interfaces for accessing the VPC based resources. Now, the next very important point to remember is that Direct Connect is not fault tolerant.
So if the Direct Connect line goes down, your entire connection will get hampered. And this is the reason why AWS recommends that you have two Direct Connect connections. Or, if that is something which is not affordable, you use Direct Connect along with a VPN. So if one goes down, you can have the VPN as a backup. Now, use BGP for automatic failover to a backup connection. So let’s assume that you have been using a VPN connection for now, and after a week you have a new Direct Connect connection which is established.
Now, how will you route all your traffic from the VPN to Direct Connect? One way is to directly disconnect the VPN line; that will be a hard failover. And the second is that you can use BGP to do an automatic failover. So we’ll be discussing this in our important pointers in the upcoming lecture. So what happens when you use BGP is that you can assign a score. So let’s assume you assign a score of 20 to one and a score of 40 to the other. That way the connection request will go according to the scores that you assign in BGP. We will be discussing more about this in the relevant lecture.
And the last important point is that in the US, Direct Connect will grant you access to all the US regions. So for this, you have to remember that Direct Connect is region specific. If you create a Direct Connect connection in the Mumbai region, you cannot access resources in the Singapore region. It is region specific. But the only exception here is the US. So you have North Virginia, you have Oregon. As far as the US is concerned, you can actually connect to all the resources.
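The VPN-as-backup failover described above, modelled as an added example that is not part of the course material: a toy BGP best-path selection where the "score" from the lecture is the local preference, the prefix, link names and ASNs are constructed assumptions, and withdrawing the Direct Connect route makes the VPN route take over without any manual change.

```python
"""Toy BGP best-path selection for the Direct Connect + VPN backup scenario.

Constructed example: the VPC prefix 10.0.0.0/16, the link names "DX" and
"VPN", the AS numbers and the preference values 40/20 are all assumptions.
"""
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    link: str          # which path advertised the route: "DX" or "VPN" (assumed names)
    local_pref: int    # the "score" from the lecture: higher wins
    as_path: tuple     # AS path used for loop prevention; shorter wins on a tie


class Rib:
    """Routing information base: every received route per prefix, plus best-path selection."""

    def __init__(self):
        self.routes = {}   # prefix -> list[Route]

    def advertise(self, route):
        # A fresh UPDATE from the same link replaces whatever that link sent before.
        self.withdraw(route.prefix, route.link)
        self.routes.setdefault(route.prefix, []).append(route)

    def withdraw(self, prefix, link):
        """What happens when a link (and its BGP session) goes down: its routes are removed."""
        self.routes[prefix] = [r for r in self.routes.get(prefix, []) if r.link != link]

    def best(self, prefix):
        """Simplified BGP decision process: highest local preference, then shortest AS path."""
        candidates = self.routes.get(prefix, [])
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def build_rib(prefix="10.0.0.0/16", dx_pref=40, vpn_pref=20):
    """On-premises router view: the VPC prefix is learned over both the VPN and the DX link."""
    rib = Rib()
    rib.advertise(Route(prefix, "VPN", vpn_pref, ("65001",)))   # assumed AWS-side ASN
    rib.advertise(Route(prefix, "DX", dx_pref, ("65001",)))
    return rib


def simulate_failover():
    """Which link carries traffic at each stage: steady state, DX down, DX restored."""
    prefix = "10.0.0.0/16"
    rib = build_rib(prefix)
    stages = [rib.best(prefix).link]
    rib.withdraw(prefix, "DX")                      # DX line fails: its route is withdrawn
    stages.append(rib.best(prefix).link)            # VPN (score 20) is now the only candidate
    rib.advertise(Route(prefix, "DX", 40, ("65001",)))   # DX comes back and wins again
    stages.append(rib.best(prefix).link)
    return stages   # ["DX", "VPN", "DX"]


if __name__ == "__main__":
    print(simulate_failover())
```

Note that a private VIF carries traffic unencrypted by itself, whereas the VPN leg is IPsec; the preference only decides which path is used, not how it is protected.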
15. DX – Public & Private VIF
Hey everyone and welcome back to the Knowledge Pool video series. Now, in the earlier lecture we had an overview of what exactly dynamic routing is all about. And in today’s lecture we’ll have a very high level overview of one of the dynamic routing protocols called BGP, or Border Gateway Protocol. So let’s look into how exactly it really works. So BGP is an exterior dynamic routing protocol which generally figures out how a packet can go further out to the internet. Now, in the earlier lecture we had discussed that if I want to send a packet from my current city, let’s assume Bangalore, to North Virginia, then the packet actually has to traverse a lot of routers. Now, in order to do that, there has to be a path which the router must know. Now, this path can be predefined with the help of static routes or it can be generated dynamically. Now let me just show you what I mean by this. So, I had done a simple traceroute to kplabs.in.
So this is the IP address of kplabs.in. Now you see, whenever I do a traceroute, first the packet reaches my gateway, which is 109 216801. From there it reaches some different destination, from that it reaches some different router, from that another router. And at the end you see it has reached the DigitalOcean ISP. And from the DigitalOcean ISP there are more hops. And finally the packet has reached the destination. So the packet from my laptop first reached the WiFi router. And from the WiFi router there are so many hops across the routers of various countries to reach my destination. Now the question is, how does this router know where to send the packet? Or how does that router know where to send the packet? And this is actually defined by BGP. So I have four routers over here. They can belong to different destinations. Now, the first important thing to remember as far as BGP is concerned is that these need to be connected. So there needs to be a TCP connection that is established between them. Now, let’s begin with A. So this A router knows that it is connected with B and it is connected with C. So within the A routing table you have B and you have C, and the hop count is one. So B is one hop from it and C is one hop from it.
So now what happens in BGP is that the routers will constantly exchange information. So A will exchange its route information with B. Now B by default contains routes to D and A with a hop count of one. So when A sends its routing table information to B, the first two routes are the ones which B already knew. But once A sent its route table to B, B came to know that there is one more router called C, and it is two hops away. So the first hop is A, the second hop is C. So this is new information which the B router came to know. And then it added one more entry within its route table, saying that C is two hops away via A. Now, B will exchange the information with the D router. The D router, as we discussed, knows that it can connect to C and it can connect to B. By default, it does not have any information about A. Now, when B exchanges the route table information with D, D will come to know about the presence of the A router, and it will also come to know how to reach A.
So it can reach A via B, or it can also reach A via C, once the routing table is exchanged across all of them. Same with B. So if B wants to reach C, B can go via D, or B can go via A. Now, let’s assume that A stops working due to some reason. B will automatically update its route table and it will send all the traffic to D. So this is called dynamic routing. If A stops working, you don’t have to manually remove A from the route table; it will automatically come to know, and B will then send all the traffic to C via the D router.
So this is the high level overview of dynamic routing. Now, there are a lot of nitty-gritty details involved, like autonomous systems, so we’ll avoid speaking about those for now. Otherwise, this will become an advanced networking specialty video course. So I hope you understood the basics of dynamic routing. One important takeaway from this lecture is that whenever BGP is used, you don’t really have to manually configure the routes. The routes are automatically configured.
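The A/B/C/D route exchange and the failure of A described above, as an added example that is not part of the course: a toy path-vector simulation (the mechanism BGP uses, stripped of autonomous systems and sessions) where routers advertise full tables to their peers, reject any path that already contains themselves, and reconverge when a router disappears. The topology A-B, A-C, B-D, C-D is taken from the lecture; everything else is a constructed simplification.

```python
"""Toy path-vector (BGP-style) route exchange for the A/B/C/D topology in the lecture.

Constructed example: full-table exchange in rounds, loop prevention by rejecting
paths that already contain the receiving router, and shortest path wins.
"""
from copy import deepcopy

# Topology from the lecture: A peers with B and C, D peers with B and C.
LINKS = {("A", "B"), ("A", "C"), ("B", "D"), ("C", "D")}


def neighbors(router, links):
    """Directly connected peers of a router (the routers it has a session with)."""
    return sorted({b if a == router else a for a, b in links if router in (a, b)})


def initial_tables(links):
    """Each router starts knowing only itself (empty path) and its direct peers (1 hop)."""
    routers = sorted({r for link in links for r in link})
    tables = {}
    for r in routers:
        tables[r] = {r: []}
        for n in neighbors(r, links):
            tables[r][n] = [n]   # path = routers traversed, last entry is the destination
    return tables


def exchange(tables, links):
    """One round: every router advertises its table to each peer. Returns True if anything changed."""
    changed = False
    snapshot = deepcopy(tables)          # advertise what peers had at the start of the round
    for r in tables:
        for peer in neighbors(r, links):
            for dest, path in snapshot[peer].items():
                if dest == r or r in path:   # loop prevention: the path already contains us
                    continue
                candidate = [peer] + path
                current = tables[r].get(dest)
                if current is None or len(candidate) < len(current):
                    tables[r][dest] = candidate
                    changed = True
    return changed


def converge(links):
    """Run exchange rounds until no router learns anything new."""
    tables = initial_tables(links)
    while exchange(tables, links):
        pass
    return tables


def fail_router(tables, links, dead):
    """Simulate 'A stops working': drop its links, withdraw every path through it, reconverge.

    Simplification: the withdrawal is applied everywhere at once instead of being
    propagated hop by hop as real BGP WITHDRAWN routes would be.
    """
    links = {link for link in links if dead not in link}
    tables = {r: {d: p for d, p in t.items() if dead not in p and d != dead}
              for r, t in tables.items() if r != dead}
    while exchange(tables, links):
        pass
    return tables, links


def next_hop(tables, router, dest):
    return tables[router][dest][0]


if __name__ == "__main__":
    before = converge(LINKS)
    after, _ = fail_router(before, LINKS, "A")
    print("B -> C before A fails:", before["B"]["C"], "after:", after["B"]["C"])
```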