Amazon AWS Certified Advanced Networking Specialty – Virtual Private Networks & IPSec Tunnels Part 8

January 17, 2023

22. Understanding BGP Community

Hey everyone and welcome back. In today’s lecture we will have a high-level overview of BGP communities. Understanding BGP communities is important for the exam; you might get a question or two on this specific topic. So let’s go ahead and understand what a BGP community is. In simple terms, a BGP community is a bit of extra information that you attach to one or more prefixes that are advertised to BGP neighbors. We can understand this with an example. Let’s say you have EC2 instances and you tag them as dev, stage and prod. Along with that, you create a Lambda function which, every night at 10:00, stops all the EC2 instances that carry the dev tag and does not stop any instance tagged stage or prod. That extra information, the tag you attach to the EC2 instance, is what lets a certain task be performed on it. Very similar to that, a BGP community is a tag that you attach to the prefix that you advertise.

ISPs often instruct customers to tag their prefixes with a BGP community so that the prefixes can be treated accordingly. If you tag your prefixes with a BGP community, the ISP knows what needs to be done with that specific prefix. There are four well-known BGP communities which are generally used. The first is internet. If you use this community, the router will advertise the prefix to all of its BGP neighbors. Generally in BGP a router advertises a prefix to all of its neighbors, so if the prefix carries the internet tag it goes out to all the BGP neighbors. Sometimes you do not want a prefix to be advertised to all the BGP neighbors. In that case you can attach the no-advertise community, which instructs the router not to advertise that specific prefix to any of its BGP neighbors.

You also have the no-export and local-AS communities. You don’t really have to understand each and every one of them; just understand what a BGP community is, and I hope you understood the difference between the internet community and the no-advertise community. With the no-advertise community, the router will not advertise your routes or prefixes to its neighbors. This is the one part that you need to understand: if you send a prefix with the no-advertise community to a router, it tells that router not to advertise that route to any of its neighboring routers. Similarly, when it comes to AWS, AWS Direct Connect supports a range of BGP community tags to help control the scope and the route preference of traffic. There are three important BGP communities which you can use.

One is 7224:9100, which is the local AWS Region. Then you have all AWS Regions, and third you have global. When you have the tag of all AWS Regions, or let’s assume you have a tag of global, AWS will advertise whatever prefixes you send it among all the Regions. Sometimes you want AWS not to advertise your prefixes to all the Regions but only within the local Region; then you use that specific BGP community. So depending upon the BGP community that you use, the advertisement by AWS will differ. Among these, one important point to remember is that if you do not apply any community tag, prefixes are advertised to all public AWS Regions, which is global, by default. Now there is one important point which needs to be understood. Let’s assume that you have a Direct Connect connection in the Mumbai Region with a public VIF, and the customer gateway advertises its public IP pool over the Direct Connect with a community tag of global. AWS sees that it has a community tag of global, so it advertises that IP pool among all of the Regions. Now there is a use case which needs to be understood. Let’s assume that you want to reach that specific IP address pool from the Ohio Region: you have the Direct Connect in the Mumbai Region, but you want to use the IP pool you are advertising from the Ohio Region.

If your community tag is global, the traffic goes from the Ohio Region to Mumbai via the AWS backbone network and is then delivered over the public VIF, from the Direct Connect to the customer gateway. However, if you advertise the public IP pool to the local AWS Region only, then when you try to access those IP addresses from another Region the traffic is routed over the internet. So it is very important to understand that if you are planning to access this IP pool from other Regions, you should have a community tag of global associated with it.

Then whatever traffic you send from different Regions travels over the backbone network and is delivered to the customer gateway over the Direct Connect connection. Otherwise it goes over the internet. When I say the associated community tag is global, I mean this specific number, 7224:9300. So this is what the community tag is all about. That’s it for today’s video. I hope you understood what a BGP community is at a high level, and also the importance of the various BGP communities offered by AWS. Do remember that there are three BGP communities which you can actively use as far as Direct Connect is concerned, and that global applies by default.
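To make the two ideas of this lecture concrete, here is a small model of how communities steer advertisement: the well-known communities decide which neighbors a router advertises a prefix to, and the Direct Connect scope communities decide whether traffic from another Region rides the AWS backbone or the internet (the Mumbai/Ohio case). This is an added example, not the course’s own code; the region-to-continent map and the neighbor list are constructed for illustration.

```python
"""Model of how BGP communities steer advertisement, following the lecture above.
Added example, not the course's own code. The region-to-continent map and the
neighbor list are constructed for illustration."""

# AWS Direct Connect public VIF scope communities, written "ASN:value" (7224 = AWS).
DX_SCOPES = {
    "7224:9100": "local",      # local AWS Region only
    "7224:9200": "continent",  # all Regions in the same continent (per AWS docs)
    "7224:9300": "global",     # all public AWS Regions; also the untagged default
}

# Constructed region -> continent map (assumption for the demo, not exhaustive).
CONTINENT = {"ap-south-1": "asia", "ap-southeast-1": "asia",          # Mumbai, Singapore
             "us-east-2": "north-america", "us-west-2": "north-america"}  # Ohio, Oregon

# Constructed neighbor table: (router name, session kind).
NEIGHBORS = [("isp-a", "ebgp"), ("core-1", "ibgp"), ("sub-as-2", "confed")]


def dx_scope(communities):
    """Advertisement scope of a prefix sent over a Direct Connect public VIF.
    Untagged prefixes are global by default, as the lecture states. More than
    one scope community is treated as a configuration error (an assumption)."""
    found = {DX_SCOPES[c] for c in communities if c in DX_SCOPES}
    if len(found) > 1:
        raise ValueError(f"conflicting scope communities: {sorted(found)}")
    return found.pop() if found else "global"


def via_backbone(communities, dx_region, source_region):
    """True when traffic from source_region reaches the prefix over the AWS
    backbone and the Direct Connect in dx_region; False means it takes the
    internet instead."""
    scope = dx_scope(communities)
    if scope == "global":
        return True
    if scope == "continent":
        return CONTINENT[source_region] == CONTINENT[dx_region]
    return source_region == dx_region


def advertise_to(communities, neighbors=NEIGHBORS):
    """Neighbors a router advertises the prefix to, given well-known communities
    (named as in the lecture; local-AS is the vendor name for NO_EXPORT_SUBCONFED)."""
    if "no-advertise" in communities:
        return []                                                 # nobody
    if "no-export" in communities:
        return [n for n, kind in neighbors if kind != "ebgp"]     # stay inside the AS
    if "local-AS" in communities:
        return [n for n, kind in neighbors if kind == "ibgp"]     # stay inside the sub-AS
    return [n for n, _ in neighbors]                              # internet / untagged


if __name__ == "__main__":
    pool = ["7224:9300"]  # customer gateway in Mumbai tags its public pool global
    print("Ohio -> Mumbai pool via backbone:", via_backbone(pool, "ap-south-1", "us-east-2"))
    print("local-only pool from Ohio via backbone:",
          via_backbone(["7224:9100"], "ap-south-1", "us-east-2"))
```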

23. Overview of Transit Gateways

Hey everyone and welcome back. In today’s video we will be discussing AWS Transit Gateways. A transit gateway is basically a network transit hub that you can use to interconnect your VPCs and on-premises networks. This diagram makes it easier to understand. Here you have a transit gateway and there are multiple VPCs attached to it: VPC 1 through VPC N, so this can be two, three or more VPCs. All of them are connected to the transit gateway. Once you set the routes properly, all of these VPCs will be able to communicate with each other. Let’s say VPC 1 wants to connect to VPC 2.

The traffic goes to the transit gateway, and from the transit gateway it can reach the other VPCs. One of the very important use cases of the transit gateway is that on-premises networks can also be attached. If you look at this expanded diagram, you have multiple VPCs, a transit gateway, and here you have the on-premises data center with an IPsec tunnel. This also connects to the transit gateway, and if the routes are correct you will be able to interconnect all the attachments made to the transit gateway. Typically, if you design a mesh kind of network it becomes really messy, and with the transit gateway architecture it is much easier to control things. Now it is important to understand some of the terminology of transit gateways. We’ll be having a demo after we discuss the concepts so that it becomes easier to understand. The first term is the attachment. You can attach a VPC or a VPN connection to the transit gateway; anything that you attach to the transit gateway is referred to as an attachment.

Do remember that as of now, January 2019, Direct Connect cannot be attached to the transit gateway. You only have the option of VPCs and VPN tunnels. That is the attachment part. Second is the transit gateway route table. I hope you already know that a route table can include static as well as dynamic routes, which tell which next hop traffic should go to for a given destination, based on the routing that you configure. Whatever attachment you create, let’s say you attach this VPC to a transit gateway, that attachment can be associated with a single route table. The third one is association, which is quite similar.

Whatever attachment you have, you can associate that attachment with a route table. The last one is route propagation. A VPC or a VPN can dynamically propagate routes to the transit gateway route table. When it comes to VPCs, you must create the static routes in the route table associated with the VPC, and for VPN connections the routes are propagated between the transit gateway and the on-premises router using the Border Gateway Protocol, BGP. So this is the theoretical perspective. Let me give you a quick demo so that it becomes much more interesting. I’m in my transit gateway console. The transit gateway lives under the VPC console: if you go into VPC and scroll down a bit, you have the option for Transit Gateways. Within transit gateways you see that I have one transit gateway which is currently available. If you look at the attachments, as we discussed, you can attach VPCs or you can even attach the on-premises VPN. Currently I have three attachments: VPC 1, VPC 2 and VPC 3.

So there are three VPCs currently attached to the transit gateway, and you also have the transit gateway route table. If you look at the association, it has the attachment ID and the resource ID. Along with that, let me quickly go to the EC2 console. There are three EC2 instances available here, and each of these EC2 instances is in a different VPC. If you look at my EC 1, you see it is in the VPC whose ID ends with a17. The second EC2 instance is in a VPC ending with 92d, and the third EC2 instance is in one ending with 50f. So all these EC2 instances are in different VPCs. Now let me quickly show you whether things are working or not. I’ll log in to one of the EC2 instances. I am connected via the CLI. If I do an ifconfig, the IP address is 172.31.89.145. This is the default VPC. So let’s do one thing from here.

Let’s try to ping the EC2 instance in VPC 2. It has an IP starting with 172.16. Let me ping it, and you see we are getting replies perfectly. Similarly, let’s try to ping another EC2 instance in a different VPC. I’ll copy its IP, which starts with 10.77, and if I ping it you again get a perfect reply. Now, there is no VPC peering set up here. In fact, let me open one of the VPCs, the default VPC where we logged in. This VPC has the CIDR 172.31.0.0/16. If you look at the subnets, these are the subnets, and if you look at the peering connections, there are none established.

Now if you look at the route table, this is where it is easier to understand. Here you have various routes. This is the local route. For the other VPC, which is in the 10.77.0.0/16 range, the target is the transit gateway, and the same goes for the destination 172.16.0.0/16: the target is the transit gateway. Typically, if you want to establish communication between two VPCs and you have peering established, the target would be the peering connection. Here, instead of a peering connection, it is the transit gateway. So this is how a high-level demo of the transit gateway looks. I hope this video has been informative for you. In the next video we’ll discuss in detail how to create transit gateways and establish the connectivity. I look forward to seeing you in the next video.

24. Transit Gateway Practical

Hey everyone and welcome back. In today’s video we will look at how to configure transit gateways in practice. The overall architecture we’ll build is similar to what we saw in the earlier video: we have two VPCs, both associated with the transit gateway, and we look at the connectivity between them. In order to do that, we are in the AWS Management Console, and the first thing we need to do is go to VPCs. As a prerequisite I assume that you have two VPCs which are up and running. I have two VPCs and I also have two EC2 instances. The first EC2 instance is in the default VPC and the second EC2 instance is in the second VPC. VPC creation is quite simple; let me quickly show you.

Currently I have three VPCs, but for this demo I’ll make use of two. This is the default VPC, which comes in every Region, so it is something you do not have to create. You will have to create one more VPC and give it a CIDR; in my case it is 172.16.0.0/16. Let me quickly show you that VPC: it has an internet gateway attached so that my instance can connect to the internet. So this is the simple setup, and I am assuming you will be able to do this.

Anyway, once we have that, let’s scroll down a bit to the option for Transit Gateways and click on it. Currently I have one transit gateway in the deleted state; this was the transit gateway we used for the demo. Make sure that if you have a transit gateway, you delete it after you complete the practical. If you look at the transit gateway pricing, you get a price of $0.5 per hour, so if you just leave it for a day or two you will get charged. Make sure you delete it after your practical. Anyway, the first thing we can do is click on Create Transit Gateway. You have to give a name tag; I’ll call it my transit demo. We’ll leave everything else as default for the time being and click on Create Transit Gateway. The transit gateway request has succeeded, and you see the transit gateway in the pending state. It takes around one or two minutes for the state to become available, so let’s wait. All right, it took around two minutes and our transit gateway is ready. The next thing we have to click on is Transit Gateway Attachments.

These are the attachments we used for the demo. As we discussed in the slide, we can attach the on-premises VPN as well as VPCs, and whatever attachment you want to associate with the transit gateway is done here. Let’s click on Create Transit Gateway Attachment. There are two attachment types: VPC and VPN. In Transit Gateway ID, we give the ID of the transit gateway we just created. For the attachment name, let me call it VPC Demo One. Here we have to select the VPC; I’ll select the default VPC, which has the CIDR block 172.31.0.0/16, use all the subnets, and click on Create attachment. Great, the attachment request has succeeded. Again, this takes a minute or two. Meanwhile, let’s also attach the second VPC to the same transit gateway. I’ll call it Demo VPC Two, and the VPC ID this time is the one with the CIDR 172.16.0.0/16, which has two subnets.

I’ll click on Create attachment. Great, the attachment request has been processed. Let’s wait a moment for both of these states to become available. All right, both attachments are now available. If you look at the transit gateway route table and at the associations, you will see that two VPCs are associated, and within the routes you have these routes present. Now let’s connect to one of the EC2 instances. Great, I am connected to the EC2 instance; its IP is 172.31.89.145, the same as shown here. From this EC2 instance, let’s try to ping the second EC2 instance over its private IP. Let me do a ping, and currently the ping is not working. Let me quickly show you the security group: it allows all ICMP. In case you want to see how to enable ICMP, look at the inbound rules; this is All ICMP - IPv4. If you add a rule, you have to select the IPv4 version of ICMP traffic here.

So the connectivity is still not present, and the reason is the route table. Let’s go to the default VPC. If you look at its route table, this is the main route table, and within it there are only two routes: one for local and one for the internet. There is no route for the 172.16.0.0/16 network. This is something that you add directly in the VPC route table: I enter 172.16.0.0/16, which is the CIDR of the second VPC, and the target this time is the transit gateway. I’ll select the transit gateway, which is VPC demo one. Ideally the second transit gateway should not appear, since it is in the deleted state.

Let’s quickly verify. If I go to the transit gateways, you see the one ending in 8. Let’s click here: the one ending in 8 is in the deleted state. Anyway, I’ll consider this a bug, so just make sure you select the right transit gateway ID, which is the one ending in 6c4. All right, I’ll click on Save routes. Great, so that is the first part. Now you also have to change the route of the other VPC, the 172.16 VPC. Let’s add a route here: I’ll enter 172.31.0.0/16, which is the CIDR of our default VPC, send it to the transit gateway ending in c4, and click on Save Routes. Let’s also check whether there is a second route table, and add the same route there: 172.31.0.0/16.

I’ll point it to the transit gateway ending in c4 and save the route. Great, once the route is saved, let’s go back to the EC2 instance. I am already logged into this EC2 instance, which is in the default VPC. From here, we’ll try to ping the second EC2 instance, which is in the 172.16 VPC. Let’s do a ping with a count of four; I’ll copy the private IP and you see the connectivity is perfectly established. So this is the high-level overview of what transit gateways are all about. Again, for the practical, make sure that once you have done and tested everything, you delete it; otherwise you’ll get charged. Along with that, if you have more VPCs (currently we had only two), you follow the same steps we took in order to ensure the connectivity. So this is the high-level overview of transit gateways in practice. I hope this video has been informative for you and I look forward to seeing you in the next video.
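The failure seen in the demo (ping blocked until both VPC route tables point the other VPC’s CIDR at the transit gateway) comes down to longest-prefix matching in each VPC route table plus a lookup in the transit gateway route table. The simulation below reproduces that: it is an added example, not the course’s code; the VPC CIDRs and the 172.31.89.145 address are from the lecture, while the VPC names, transit gateway ID, internet gateway IDs and the second instance’s IP (172.16.0.10) are constructed.

```python
"""Simulation of the lecture's transit gateway demo: two VPCs, each with a
route table, attached to one transit gateway. Added example, not the course's
code. CIDRs and 172.31.89.145 come from the lecture; names, gateway IDs and
172.16.0.10 are constructed."""
import ipaddress

DEFAULT_VPC = "vpc-default"   # constructed name; CIDR 172.31.0.0/16 in the lecture
SECOND_VPC = "vpc-second"     # constructed name; CIDR 172.16.0.0/16 in the lecture
TGW = "tgw-demo"              # constructed transit gateway ID

# Transit gateway route table: one propagated route per VPC attachment.
TGW_ROUTES = {"172.31.0.0/16": DEFAULT_VPC, "172.16.0.0/16": SECOND_VPC}


def longest_match(routes, ip):
    """Route lookup as a VPC route table does it: the most specific match wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dest, target in routes.items():
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def resolve_path(vpc_routes, src_vpc, dst_ip):
    """Follow one direction of traffic from src_vpc toward dst_ip.
    The last hop is the destination VPC on success, or the gateway the
    packet was misrouted to (e.g. the internet gateway) on failure."""
    target = longest_match(vpc_routes[src_vpc], dst_ip)
    if target == "local":
        return [src_vpc, src_vpc]
    if target == TGW:
        return [src_vpc, TGW, longest_match(TGW_ROUTES, dst_ip)]
    return [src_vpc, target]


def ping_works(vpc_routes, src_vpc, src_ip, dst_vpc, dst_ip):
    """Ping succeeds only if both the echo request and the reply arrive.
    Security groups already allow All ICMP - IPv4, as in the lecture."""
    fwd = resolve_path(vpc_routes, src_vpc, dst_ip)
    back = resolve_path(vpc_routes, dst_vpc, src_ip)
    return fwd[-1] == dst_vpc and back[-1] == src_vpc


# Before the fix: each main route table has only local plus a default to the IGW,
# so a private 172.16.x address matches 0.0.0.0/0 and is sent to the internet.
BEFORE = {
    DEFAULT_VPC: {"172.31.0.0/16": "local", "0.0.0.0/0": "igw-default"},
    SECOND_VPC: {"172.16.0.0/16": "local", "0.0.0.0/0": "igw-second"},
}

# After the fix: each VPC routes the other VPC's CIDR to the transit gateway.
AFTER = {
    DEFAULT_VPC: {**BEFORE[DEFAULT_VPC], "172.16.0.0/16": TGW},
    SECOND_VPC: {**BEFORE[SECOND_VPC], "172.31.0.0/16": TGW},
}

# Only the default VPC fixed: the request arrives but the reply leaves via the IGW.
HALF = {DEFAULT_VPC: AFTER[DEFAULT_VPC], SECOND_VPC: BEFORE[SECOND_VPC]}

if __name__ == "__main__":
    for label, tables in (("before", BEFORE), ("one side", HALF), ("after", AFTER)):
        ok = ping_works(tables, DEFAULT_VPC, "172.31.89.145", SECOND_VPC, "172.16.0.10")
        print(f"{label}: ping {'works' if ok else 'fails'}")
```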
