Amazon AWS Certified Advanced Networking Specialty – Virtual Private Networks & IPSec Tunnels Part 7

January 17, 2023

19. Direct Connect Gateway

Hey everyone and welcome back. In today’s video we will be discussing the Direct Connect gateway. A Direct Connect gateway can be used to connect your Direct Connect connection, over a private virtual interface (private VIF), to one or more VPCs in your account that are located in the same region or in multiple regions. In technical terms, it allows us to combine one private VIF with multiple virtual private gateways in the same or in remote regions. This can be better understood with the diagram over here, where you have a customer network and a Direct Connect connection, and that connection terminates on a Direct Connect gateway. This Direct Connect gateway can then be associated with multiple virtual private gateways. So once you make use of a Direct Connect gateway, the on-premises network will be able to communicate with multiple VPCs located across multiple regions.

So here you see the connection is between the North California region and the North Virginia region. If the VPCs in both regions are associated with the Direct Connect gateway, then communication can be established between your on-premises network and the VPCs across multiple regions through a single Direct Connect connection. One important part to remember here is that the Direct Connect gateway is a global resource, not a region-specific resource. This is important because a single Direct Connect gateway can be associated with VPCs across multiple regions, and hence it needs to be globally available. Let’s understand this with an example. Let’s say that you have a Direct Connect connection in the us-east-1 region.

By making use of a Direct Connect gateway, we can connect to the VPCs in your account in all the regions except China. So a Direct Connect gateway can be used to connect multiple VPCs across multiple regions, and hence you can establish connectivity to all of them over one connection. However, as of now, the China regions are not supported. Now there are certain considerations that you need to understand if you are planning to use a Direct Connect gateway. First, at the time this lecture was recorded, you could not use a Direct Connect gateway in your account to connect to a VPC in a different AWS account, so all the VPCs you wanted to connect had to be within the same AWS account. (AWS has since added cross-account associations: the owner of the virtual private gateway creates an association proposal, and the owner of the Direct Connect gateway accepts it.)

The second important consideration is that the VPCs you attach to a Direct Connect gateway cannot have overlapping CIDR blocks. This is specifically important. Let’s say that you are using a default VPC. Within AWS, the default VPC in every region has the CIDR 172.31.0.0/16. So you cannot make use of two default VPCs in two different regions with the same Direct Connect gateway, because then you will have overlapping CIDR blocks. And the third point, which we already discussed, is that you cannot use a Direct Connect gateway to connect to a VPC in the China regions. So in the exam you might get a question on how you can make use of your Direct Connect connection to connect to multiple VPCs across multiple regions, and the answer to that would be: through a Direct Connect gateway.
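The three considerations above are exactly what you want to check before you start associating virtual private gateways, because the overlap is the one that bites people with default VPCs. The following is an added example (not part of the lecture): a small pre-flight check over a list of candidate VPCs. The VPC IDs, account IDs and regions in the list are constructed sample data; the overlap test uses Python's standard ipaddress module.

```python
"""Pre-flight check for VPCs you plan to associate with one Direct Connect gateway.

Added example, not from the lecture. The VPC list below is constructed sample
data with made-up VPC IDs and account IDs.
"""
from ipaddress import ip_network

CHINA_REGIONS = {"cn-north-1", "cn-northwest-1"}

# Constructed sample: two default VPCs (172.31.0.0/16) in different regions,
# one VPC with a distinct CIDR, and one VPC in a China region.
CANDIDATE_VPCS = [
    {"vpc_id": "vpc-0a3", "region": "us-east-1", "account": "111111111111", "cidr": "172.31.0.0/16"},
    {"vpc_id": "vpc-0b2", "region": "us-west-1", "account": "111111111111", "cidr": "172.31.0.0/16"},
    {"vpc_id": "vpc-0c1", "region": "ap-southeast-1", "account": "111111111111", "cidr": "10.0.0.0/16"},
    {"vpc_id": "vpc-0d9", "region": "cn-north-1", "account": "111111111111", "cidr": "10.1.0.0/16"},
]


def find_overlaps(vpcs):
    """Return (vpc_id_a, vpc_id_b) pairs whose CIDRs overlap.

    Containment counts too: 10.0.0.0/16 and 10.0.1.0/24 overlap, which the
    gateway rejects just like two identical /16s.
    """
    nets = [(v["vpc_id"], ip_network(v["cidr"], strict=True)) for v in vpcs]
    overlaps = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                overlaps.append((nets[i][0], nets[j][0]))
    return overlaps


def validate_dxgw_associations(vpcs, gateway_owner_account):
    """Return a list of human-readable problems; an empty list means the set is clean."""
    problems = []
    for a, b in find_overlaps(vpcs):
        problems.append(f"overlapping CIDR: {a} and {b}")
    for v in vpcs:
        if v["region"] in CHINA_REGIONS:
            problems.append(f"{v['vpc_id']}: region {v['region']} is not reachable via a Direct Connect gateway")
        if v["account"] != gateway_owner_account:
            # The lecture treats this as blocked outright; today it needs an
            # association proposal accepted by the gateway owner, so flag it
            # rather than silently accept it.
            problems.append(f"{v['vpc_id']}: owned by another account ({v['account']}), needs an association proposal")
    return problems


if __name__ == "__main__":
    for problem in validate_dxgw_associations(CANDIDATE_VPCS, "111111111111"):
        print("PROBLEM:", problem)
```

With the sample data it reports the two default VPCs as overlapping and the cn-north-1 VPC as unreachable; remove either default VPC and the overlap disappears, which is the fix the lecture implies (give at least one of them a non-default CIDR, or peer with a non-default VPC).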

20. AWS CloudHub

Hey everyone and welcome back. In today’s video we will be discussing AWS VPN CloudHub. Behind this voice you might hear some nice rain sounds. It has actually started to rain, and it is a pretty amazing time to record lectures. So let’s make use of this great time and record one more important lecture for the exam, which is AWS VPN CloudHub. Now, CloudHub is not an entirely new service that has been designed by AWS. It is actually a byproduct of the features provided by the virtual private gateway. So let’s go ahead and look into what exactly it means. We have already looked into this architecture, where on the left-hand side you have a VPC with a virtual private gateway, and on the right-hand side you have a Location A and a Location B. In each of these two locations you have a customer gateway, and each customer gateway has an IPsec VPN tunnel established to the same virtual private gateway. Note that there is no tunnel directly between Location A and Location B; both tunnels terminate on the virtual private gateway.

We have already discussed this in the earlier videos. Now, let’s assume that the network prefix associated with Location A is 192.168.10.0/24, and Location B also has a network prefix, 10.0.10.0/24. Assuming that we are working with BGP, Location A will have an ASN; for our example it is 65000. Location B must also have its own ASN, and for CloudHub to work it has to be different from Location A’s. The same goes for the left-hand side, where you have the EC2 instances: the VPC has a network prefix of 172.31.0.0/16, and the virtual private gateway has its own ASN as well, which is 7224 by default.

So the entire setup works based on BGP. Now, one of the great features of the virtual private gateway is its ability to re-advertise the routes that it receives. So assuming that both locations are advertising their routes, the route table of this virtual private gateway looks like this:

172.31.0.0/16 local
192.168.10.0/24 via remote peer IP 1 (Location A)
10.0.10.0/24 via remote peer IP 2 (Location B)

We were speaking about re-advertisement of routes, so let’s look into what exactly we mean by that. Let’s assume that Location A is advertising its routes to the virtual private gateway, and Location B is also advertising its network routes, or network prefixes, to be more precise, to the virtual private gateway.

So what the virtual private gateway will do is that once it receives the network prefix of Location A, it will advertise it to all the endpoints connected to the virtual private gateway. In this architecture, Location A is connected to the virtual private gateway and Location B is connected to the virtual private gateway. However, Location A and Location B are completely isolated from each other. They do not know that the other exists; they are not connected in any way other than through the common connection to the virtual private gateway. Now, if both of them advertise their network prefixes, the virtual private gateway will re-advertise them to all the endpoints. So if you look into the route table of Location B, the first entry you have is 172.31.0.0/16.

Its AS path is 7224, the ASN of the virtual private gateway, and it is reached through the VPN. Then you also have 192.168.10.0/24, which is the network prefix of Location A, and its AS path is 7224 65000: the ASN of the virtual private gateway followed by the ASN of Location A. And you also have 10.0.10.0/24, which is Location B’s own local prefix. So what the virtual private gateway is doing is advertising the network prefix of Location A to Location B as well, and this re-advertising of network prefixes between all the connected endpoints is what allows connectivity between Location A and Location B. So let’s assume that Location A wants to communicate with Location B or vice versa. If Location B wants to send traffic to Location A, it sends it to the virtual private gateway, and the virtual private gateway then forwards it to Location A. One good part is that the virtual private gateway is highly scalable and highly available.

So you don’t really have to worry about it going down, and what you get is seamless connectivity between these two locations without any scalability or high-availability challenges at the hub. So this is one of the ways in which CloudHub can be utilized; in fact, this is what the CloudHub functionality is all about. So tomorrow if you have a Location C, you connect Location C to the virtual private gateway, and as long as Location C advertises its prefixes, from Location C you can reach Location A and Location B as well through the virtual private gateway.

So the virtual private gateway acts like a middleman, a hub. Now some important pointers for the exam. In order for the CloudHub architecture to work, it is necessary for the customer router at each location to advertise its network prefixes over BGP to the virtual private gateway. This is very important to remember: the prefixes have to be advertised by the router to the virtual private gateway; only then will this work. Two related requirements: each customer gateway must use a unique BGP ASN, and the prefixes advertised by the different locations must not overlap with each other or with the VPC CIDR. Second important point: the virtual private gateway will re-advertise those prefixes to all the endpoints that are connected. So if Location A has advertised the prefix 192.168.10.0/24 to the virtual private gateway, the virtual private gateway will re-advertise it to Location B.

And if you have a Location C, then it will re-advertise it to Location C as well. So basically it re-advertises those prefixes to all the endpoints connected, and the reason it does so is that it can then act as an intermediary for multiple locations to connect with each other. The last important point to remember is that Direct Connect is also supported in the CloudHub design pattern. The reason Direct Connect is supported is that a private virtual interface also terminates on the virtual private gateway, so you could have a Location C that connects over Direct Connect instead of a VPN, and that would also work. These are some of the important pointers for CloudHub that you need to remember for the exam.
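To make the re-advertisement concrete, here is an added example (not part of the lecture) that models what the virtual private gateway does with the prefixes and ASNs used above: it builds the route table each spoke ends up with, including the AS path, checks the unique-ASN requirement, and shows where the hub forwards a packet from one location. The lecture’s values (172.31.0.0/16, 192.168.10.0/24, 10.0.10.0/24, ASNs 7224 and 65000) are used as-is; Location B’s ASN and the whole of Location C are constructed sample values.

```python
"""Simulate the BGP route re-advertisement a virtual private gateway (VGW)
performs in a VPN CloudHub design.

Added example, not from the lecture. Location B's ASN (65001) and Location C
(ASN 65002, 10.20.0.0/24) are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Hub side: the VPC behind the VGW and the VGW's Amazon-side ASN (7224 is the default).
VGW = {"asn": 7224, "local_prefixes": ["172.31.0.0/16"]}

# Spoke side: one customer gateway per location, each with the BGP ASN it peers
# with and the prefixes its router advertises to the VGW.
CUSTOMER_GATEWAYS = [
    {"name": "Location A", "asn": 65000, "prefixes": ["192.168.10.0/24"]},
    {"name": "Location B", "asn": 65001, "prefixes": ["10.0.10.0/24"]},
    {"name": "Location C", "asn": 65002, "prefixes": ["10.20.0.0/24"]},
]


def duplicate_asns(cgws):
    """CloudHub needs a unique BGP ASN per customer gateway; return the ASNs used more than once."""
    counts = {}
    for cgw in cgws:
        counts[cgw["asn"]] = counts.get(cgw["asn"], 0) + 1
    return sorted(asn for asn, n in counts.items() if n > 1)


def spoke_route_table(vgw, cgws, spoke_name):
    """Routes one spoke holds after the VGW re-advertises everything it learned.

    The VGW prepends its own ASN, so a prefix that originated at another
    location arrives with AS path (vgw_asn, origin_asn). The VPC prefix has
    path (vgw_asn,), and the spoke's own prefixes stay local. A spoke that
    advertises nothing is simply unreachable from the others.
    """
    table = [(p, (vgw["asn"],)) for p in vgw["local_prefixes"]]
    for cgw in cgws:
        for p in cgw["prefixes"]:
            if cgw["name"] == spoke_name:
                table.append((p, "local"))
            else:
                table.append((p, (vgw["asn"], cgw["asn"])))
    return table


def hub_destination(vgw, cgws, src_name, dst_ip):
    """Where the VGW forwards a packet that src_name sent it for dst_ip (longest prefix match).

    Returns the destination location name, "VPC" for the hub's own VPC, or None
    when nothing matches. The source's own prefixes are excluded: that traffic
    never reaches the hub in the first place.
    """
    addr = ip_address(dst_ip)
    candidates = [("VPC", ip_network(p)) for p in vgw["local_prefixes"]]
    for cgw in cgws:
        if cgw["name"] != src_name:
            candidates += [(cgw["name"], ip_network(p)) for p in cgw["prefixes"]]
    matches = [(net.prefixlen, name) for name, net in candidates if addr in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    assert not duplicate_asns(CUSTOMER_GATEWAYS), "fix the ASNs before anything else"
    for prefix, path in spoke_route_table(VGW, CUSTOMER_GATEWAYS, "Location B"):
        print(f"{prefix:18} {path}")
    print("B -> 192.168.10.25 is forwarded to",
          hub_destination(VGW, CUSTOMER_GATEWAYS, "Location B", "192.168.10.25"))
```

Running it prints Location B’s table in the same shape as the lecture’s slide: 172.31.0.0/16 with path (7224,), 192.168.10.0/24 with path (7224, 65000), and 10.0.10.0/24 as local. Give two locations the same ASN and duplicate_asns flags it; that is the first thing to check when a spoke cannot see the other spokes’ prefixes.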

21. Inter-Region VPC Peering

Hey everyone and welcome back to the Kblapse course. Inter-region VPC peering was one of the very recent features released by AWS, and a lot of customers were really expecting this feature, because configuring IPsec tunnels between regions was a bit of a pain and we needed something like a managed service that can connect multiple regions. As of February 2018, it has been a few months since launch, and inter-region VPC peering support has now reached various additional regions.

So I just wanted to let you know that inter-region VPC peering allows you to connect VPCs in different regions via VPC peering. On the left-hand tab I have the North Virginia region, and on the right-hand side I have the Singapore region. What we’ll be doing is configuring VPC peering between VPCs belonging to both regions. Along with that, I am connected to an EC2 instance in each region. So this is one, and on the other side I have one more instance configured. You can see the IP address ranges are completely different, so they belong to completely different VPCs. Perfect. The VPC CIDR of the North Virginia VPC is in the 172.31.0.0/16 range, and the VPC CIDR of the Singapore VPC is in the 10.0.0.0/16 range. Just note that down.

Perfect. So let’s begin. I’ll go to VPC. In order to establish the peering connection, we’ll have to go to the VPC console, select the Peering Connections tab and click on Create Peering Connection. For the peering connection name I’ll say Virginia to Singapore. The VPC requester would be this one. Let me just quickly confirm: the VPC ID ends with a3, so I’ll use the a3 VPC as the requester. These are its CIDR blocks, IPv4 and IPv6. Now select another VPC to peer with. This can be a VPC in your own account as well as in another account; currently I’ll be using my own account. The region would be another region, since we are doing peering between different regions.

Now, these are the regions that are supported right now, quite many. When inter-region peering was initially launched, only three or four regions were supported, but after a few months we now have a huge chunk of regions. So we’ll have to select Singapore. This is the VPC accepter, so the VPC accepter will be the VPC ID of the VPC in the Singapore region. This is the VPC ID that we’ll be putting over here, and we’ll create the peering connection. Perfect. Now that you have created a peering connection, the destination VPC will have to accept it. So currently this peering connection is still in pending-acceptance. It has still not been accepted, and this is the reason why we have to go to the destination region, Singapore, and manually accept the peering connection. I’ll go to Peering Connections and you see it states that it is pending acceptance. I’ll go ahead and accept this peering connection request. Perfect. So now it is provisioning, and it takes a little time, sometimes two minutes, for the provisioning state to complete. Perfect, it seems to be instant. Now, once you have done that, let’s try.

I’ll copy the private IP address and I’ll try to ping from Singapore to Virginia. Let’s see if it really works. And you see, it doesn’t seem to be working. The reason is the route table. The route tables have still not been modified, although the peering is established. So you have to modify the route table on each side. Great. So let’s find out the VPC ID and we’ll modify the route table accordingly. The VPC ID of this instance ends with 2f, so I’ll go to the 2f VPC and look into the route table. There is one route table which is created, and I’ll add one more route. The destination would be the CIDR of the destination VPC, 172.31.0.0/16, and the target would be the peering connection. Perfect. Similarly, we have to take the CIDR of the Singapore VPC, 10.0.0.0/16, and put it in the route table of the North Virginia VPC. So within the VPC of the North Virginia region, the a3 VPC, I’ll go to the route tables, and this is the main route table which is associated. I’ll click on Edit and add one more entry: 10.0.0.0/16, which is the CIDR of the VPC in the Singapore region, with the peering connection as the target. Perfect. So the route tables now look right.

Now let’s go ahead and try to ping again. And again, it seems to not be working. So what could be the issue? The next issue would be the security groups. Currently you see the security group does not allow the traffic. So let’s do one thing: I’ll allow all the traffic from the 10.0.0.0/16 network. (In production, allow only what you need from the peer VPC, for example ICMP for ping or the specific application ports, rather than all traffic.) Similarly, in the destination region I also have to verify whether the traffic is allowed, and it seems all the traffic is allowed there. Perfect. So now we have done everything to make the connectivity possible, and we should be able to ping the instance. And you see, I am able to ping the instance perfectly. So let’s try from the other side. From here I’ll try the other instance’s private IP. Let me verify the IP address; I had typed it wrong, my bad. Perfect. So it seems connectivity is established perfectly from both regions, and this is how inter-region VPC peering can be established. Quite simple, in fact; it is the same process as VPC peering within a single region. Two things to keep in mind: peering is not transitive, so a third VPC does not become reachable through a peered VPC, and the two VPCs must not have overlapping CIDRs, which is why we noted both CIDRs at the start. The traffic between the regions stays on the AWS backbone and is encrypted by AWS, so you no longer need to build your own IPsec tunnel for this. So this is it about this lecture. I hope this has been informative for you, and I look forward to seeing you in the next lecture.
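The ping failed twice in the walkthrough for two different reasons (missing routes, then a security group), with the peering state being the third thing that can go wrong. The following is an added example (not part of the lecture) that checks all three in the order you would troubleshoot them, over a small model of the resources involved. The peering connection ID, VPC IDs, route tables and security groups below are constructed sample data shaped like the EC2 describe-* output; security groups are keyed by VPC here for simplicity, whereas in reality they attach to the instance’s network interface.

```python
"""Pre-flight check for a VPC peering connection: state, routes both ways,
security-group ingress both ways.

Added example, not from the lecture. All IDs and resources are constructed
sample data. As written, the data reproduces the lecture's failure points on
the Singapore side; fix the data and the problem list becomes empty.
"""
from ipaddress import ip_network

# Constructed sample: Virginia VPC (vpc-0a3, 172.31.0.0/16) peered with
# Singapore VPC (vpc-02f, 10.0.0.0/16) over pcx-0123.
PEERING = {"id": "pcx-0123", "status": "active",
           "requester": {"vpc_id": "vpc-0a3", "cidr": "172.31.0.0/16"},
           "accepter": {"vpc_id": "vpc-02f", "cidr": "10.0.0.0/16"}}

# Route tables: Virginia already has the peer route, Singapore only has 'local'.
ROUTE_TABLES = {
    "vpc-0a3": [{"dest": "172.31.0.0/16", "target": "local"},
                {"dest": "10.0.0.0/16", "target": "pcx-0123"}],
    "vpc-02f": [{"dest": "10.0.0.0/16", "target": "local"}],
}

# Security-group ingress rules: Virginia allows ICMP from the peer CIDR only
# (tighter than the lecture's allow-all), Singapore allows nothing inbound yet.
SECURITY_GROUPS = {
    "vpc-0a3": [{"proto": "icmp", "cidr": "10.0.0.0/16"}],
    "vpc-02f": [],
}


def has_peer_route(routes, peer_cidr, pcx_id):
    """True if some route covers the whole peer CIDR and points at the peering connection."""
    peer = ip_network(peer_cidr)
    return any(r["target"] == pcx_id and ip_network(r["dest"]).supernet_of(peer)
               for r in routes)


def sg_allows(rules, src_cidr, proto):
    """True if an ingress rule for proto (or 'all') covers the whole source CIDR."""
    src = ip_network(src_cidr)
    return any(r["proto"] in (proto, "all") and ip_network(r["cidr"]).supernet_of(src)
               for r in rules)


def peering_preflight(peering, route_tables, security_groups, proto="icmp"):
    """Return the reasons a ping between the two peered VPCs would fail; empty list means it should work."""
    problems = []
    if peering["status"] != "active":
        problems.append(f"peering {peering['id']} is {peering['status']}, not active")
    a, b = peering["requester"], peering["accepter"]
    if ip_network(a["cidr"]).overlaps(ip_network(b["cidr"])):
        problems.append("VPC CIDRs overlap; the peering cannot carry traffic between them")
    # Both directions matter: the request needs a route and an SG rule on the
    # far side, and the reply needs a route back on the near side.
    for side, peer in ((a, b), (b, a)):
        vpc = side["vpc_id"]
        if not has_peer_route(route_tables.get(vpc, []), peer["cidr"], peering["id"]):
            problems.append(f"{vpc}: no route for {peer['cidr']} via {peering['id']}")
        if not sg_allows(security_groups.get(vpc, []), peer["cidr"], proto):
            problems.append(f"{vpc}: security group does not allow {proto} from {peer['cidr']}")
    return problems


if __name__ == "__main__":
    for problem in peering_preflight(PEERING, ROUTE_TABLES, SECURITY_GROUPS):
        print("PROBLEM:", problem)
```

With the sample data it reports two problems, both on vpc-02f: no route for 172.31.0.0/16 via pcx-0123 and no ICMP allowed from 172.31.0.0/16. Add the route and an ICMP rule scoped to the peer CIDR and the list is empty, without ever needing the allow-all rule used in the demo.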
