Amazon AWS Certified Developer Associate – Virtual Private Cloud (VPC) Part 5

May 31, 2023

6. Custom VPCs and ELBs

Okay, so here I am in the AWS console. I'm going to go ahead and go down to EC2, and if we have a look at our instances, if you remember, we have our Web Server and our MySQL Server. Our Web Server is in our public subnet, and our MySQL Server is in our private subnet. So I'm going to go ahead and create a load balancer. There are two different types of load balancer you can choose from here. There are Application Load Balancers, otherwise referred to as layer seven load balancers, and Classic Load Balancers, the older type, which the exam treats as layer four load balancers (they also support plain HTTP and HTTPS listeners). For this demonstration it really doesn't matter which you choose. I'm just going to go for the classic one at the moment.

Go ahead and hit Continue, and I'm going to create it inside our custom VPC. Now, if you scroll down, we'll give our load balancer a name first of all, so myelb. If we scroll down further, it says here you will need to select a subnet for each Availability Zone where you wish traffic to be routed by your load balancer. If you only have instances in one Availability Zone, please select at least two subnets in different Availability Zones to provide higher availability for your load balancer.

So basically, if you want high availability for your load balancer, you always want at least two public subnets in different Availability Zones, and that's an important design consideration. So if I click in here and try to add another subnet, I get this little warning, and it's saying this is an Internet-facing Elastic Load Balancer, but there is no Internet gateway attached to the subnet you have just selected. And that's because this is my private subnet: its route table has no route to the Internet gateway. So what this means is that, let's say my Availability Zone goes down, eu-central-1a, which is where my public subnet is. If that actually goes down, there's no way for this load balancer to serve traffic to any instances in another Availability Zone.

And that's because, first of all, I don't have a public subnet in another Availability Zone, and an Internet-facing load balancer needs public subnets in at least two Availability Zones to begin with. So that's all. It's just a design consideration. I'm not going to actually go through and create this load balancer. The thing you have to remember is that if you want something to be highly available, you always want at least two public subnets, and you probably want two private subnets as well.

It depends on how you architect it, but you obviously don't ever want to be reliant on just one Availability Zone, because Availability Zones can go down. So that's it for this lecture, guys. If you have any questions, please let me know. If not, feel free to move on to the next lecture. Thank you.
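The console warning above comes down to two checks you can apply yourself before touching the ELB wizard: is each chosen subnet actually public (its route table sends 0.0.0.0/0 to an Internet gateway), and do the subnets cover at least two Availability Zones, one subnet per AZ. The following is an added example, not code from the lecture; the VPC it models is constructed sample data (subnet and gateway IDs are made up) rather than anything read from an AWS account.

```python
"""Check a set of subnets for an Internet-facing load balancer.

Added example (not the lecture's own code). The VPC below is constructed
sample data, not read from an AWS account, but the two checks mirror what
the console enforces: an Internet-facing ELB can only use public subnets
(a route table whose 0.0.0.0/0 route targets an Internet gateway), and
high availability needs one subnet in each of at least two AZs.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RouteTable:
    # destination CIDR -> target id, as shown in the console's route table view
    routes: Dict[str, str]


@dataclass
class Subnet:
    subnet_id: str
    availability_zone: str
    route_table: RouteTable


def is_public(subnet: Subnet) -> bool:
    """Public means the default route points at an Internet gateway (igw-*)."""
    return subnet.route_table.routes.get("0.0.0.0/0", "").startswith("igw-")


def validate_elb_subnets(subnets: List[Subnet], internet_facing: bool = True) -> List[str]:
    """Return the problems with this subnet choice; an empty list means it is sound."""
    problems = []
    if internet_facing:
        for s in subnets:
            if not is_public(s):
                problems.append(
                    f"{s.subnet_id} in {s.availability_zone} has no Internet gateway "
                    "route; it is a private subnet")
    azs = [s.availability_zone for s in subnets]
    if len(set(azs)) < len(azs):
        problems.append("two subnets selected in the same Availability Zone; pick one per AZ")
    if len(set(azs)) < 2:
        problems.append("only one Availability Zone covered; no failover if it goes down")
    return problems


# Constructed VPC matching the lecture: one public and one private subnet,
# plus the second public subnet in eu-central-1b that the lecture says is missing.
PUBLIC_RT = RouteTable({"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0123456789abcdef0"})
PRIVATE_RT = RouteTable({"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0123456789abcdef0"})

PUBLIC_1A = Subnet("subnet-public-1a", "eu-central-1a", PUBLIC_RT)
PRIVATE_1B = Subnet("subnet-private-1b", "eu-central-1b", PRIVATE_RT)
PUBLIC_1B = Subnet("subnet-public-1b", "eu-central-1b", PUBLIC_RT)

if __name__ == "__main__":
    for label, choice in [
        ("public-1a only", [PUBLIC_1A]),
        ("public-1a + private-1b (the console warning)", [PUBLIC_1A, PRIVATE_1B]),
        ("public-1a + public-1b", [PUBLIC_1A, PUBLIC_1B]),
    ]:
        print(label, "->", validate_elb_subnets(choice) or "OK")
```

The `internet_facing=False` path covers an internal load balancer, which is allowed to sit in private subnets but still needs two Availability Zones for the same failover reason.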

7. NATs vs Bastions

Have a look at a network diagram and I'll show you the exact difference between them. If you remember, a NAT instance gives the EC2 instances in our private subnet a path out to the Internet. Those instances are able to connect out to the Internet through the NAT, but nobody on the Internet can use SSH or RDP to connect in through the NAT to administer our servers. If you want to do that, what you would typically do is have what's called a bastion host, or in Australia we call them jump boxes. That allows you to SSH or RDP into your bastion and then initiate a connection over the private network from the bastion to your instances, to administer them using SSH or RDP.

So basically bastions are used for administration only. And the idea is that instead of having to harden a whole fleet of EC2 instances for inbound administrative access, you have one hardened bastion, and you access all your instances in the private subnet through that bastion. So this is the one that you would really beef up. You would lock down its SSH and RDP ports to your specific IP addresses, for example, and then only you can connect to the bastion. The private instances, in turn, should accept SSH or RDP only from the bastion's security group, not from the Internet. And then you administer them over the private network connection. So hopefully that all makes sense to you guys. NAT instances are very much on their way out.
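To make the lockdown concrete, here is a small model of security-group reachability for the bastion pattern just described: the bastion accepts SSH only from the administrator's address, the web and MySQL servers accept SSH only from the bastion's security group, and an audit routine flags the mistake of opening SSH or RDP to the whole Internet. This is an added example, not the lecture's own code; the instances, addresses and rules are constructed, 203.0.113.10 stands in for the administrator's office address, and the model assumes default allow-all outbound rules and default network ACLs so that only the destination's inbound rules decide whether a connection can be opened.

```python
"""Security-group reachability for the bastion (jump box) pattern.

Added example (not the lecture's own code). The instances, addresses and
rules below are constructed sample data. Assumptions: security groups are
stateful with the default allow-all outbound rule, and network ACLs are
left at their defaults, so whether a connection can be opened depends only
on the destination's inbound rules. 203.0.113.10 stands in for the
administrator's office address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Union


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", or "-1" for all traffic
    from_port: int
    to_port: int
    source: str      # a CIDR such as "203.0.113.10/32", or a group id such as "sg-bastion"


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule]


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: List[SecurityGroup]


def _matches(rule: Rule, protocol: str, port: int, src_ip: str, src_groups: Set[str]) -> bool:
    if rule.protocol != "-1":
        if rule.protocol != protocol or not rule.from_port <= port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        # Group-referenced rule: matches any instance that is a member of that group
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def can_connect(src: Union[Instance, str], dest: Instance, port: int, protocol: str = "tcp") -> bool:
    """src is an Instance inside the VPC or an IP address string from the Internet."""
    if isinstance(src, Instance):
        src_ip, src_groups = src.private_ip, {g.group_id for g in src.groups}
    else:
        src_ip, src_groups = src, set()
    return any(_matches(r, protocol, port, src_ip, src_groups)
               for g in dest.groups for r in g.inbound)


ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def audit_admin_ports(groups: List[SecurityGroup]) -> List[str]:
    """Flag SSH or RDP rules open to the whole Internet (a /0 source)."""
    findings = []
    for g in groups:
        for r in g.inbound:
            if r.source.startswith("sg-"):
                continue
            if ipaddress.ip_network(r.source, strict=False).prefixlen != 0:
                continue
            for port, name in ADMIN_PORTS.items():
                if r.protocol == "-1" or (r.protocol == "tcp" and r.from_port <= port <= r.to_port):
                    findings.append(f"{g.group_id}: {name} (tcp/{port}) open to {r.source}")
    return findings


# Hardened layout: only the bastion accepts SSH from the admin address;
# the web and MySQL servers accept SSH only from the bastion's group.
SG_BASTION = SecurityGroup("sg-bastion", [Rule("tcp", 22, 22, "203.0.113.10/32")])
SG_WEB = SecurityGroup("sg-web", [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 22, 22, "sg-bastion")])
SG_DB = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, "sg-web"), Rule("tcp", 22, 22, "sg-bastion")])
# Weak variant for comparison: the mistake the lecture warns against
SG_BASTION_OPEN = SecurityGroup("sg-bastion-open", [Rule("tcp", 22, 22, "0.0.0.0/0")])

BASTION = Instance("bastion", "10.0.1.10", [SG_BASTION])
WEB = Instance("web-server", "10.0.1.20", [SG_WEB])
DB = Instance("mysql-server", "10.0.2.10", [SG_DB])

if __name__ == "__main__":
    print("admin -> bastion:22", can_connect("203.0.113.10", BASTION, 22))
    print("stranger -> bastion:22", can_connect("198.51.100.7", BASTION, 22))
    print("admin -> mysql:22 directly", can_connect("203.0.113.10", DB, 22))
    print("bastion -> mysql:22", can_connect(BASTION, DB, 22))
    print("audit (hardened):", audit_admin_ports([SG_BASTION, SG_WEB, SG_DB]))
    print("audit (open):", audit_admin_ports([SG_BASTION_OPEN]))
```

Referencing the bastion's security group in the other groups' rules, rather than the bastion's IP address, is what keeps the pattern intact when the bastion is replaced by an Auto Scaling group and gets a new address.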

We are starting to use NAT gateways now, but NAT instances still come up in the exam. A NAT instance always sits behind a security group, whereas a NAT gateway is not behind a security group; it is security group independent (you control traffic to it with network ACLs on the subnet instead). And of course with NAT gateways Amazon does all the security patching for you, and they also make it highly available within its Availability Zone; for resilience across zones you deploy one NAT gateway per Availability Zone. Now, you are probably going to get a lot of different scenario questions around how to make a bastion highly available. With any kind of high availability, obviously you're going to want multiple subnets. A subnet always lives in exactly one Availability Zone, so you're always going to want at least two public subnets.

You could have a bastion in each public subnet, and you could use an Auto Scaling group with a minimum of one bastion, so that if that bastion host goes down, the Auto Scaling group redeploys it into one Availability Zone or the other. And then you could have Route 53 running health checks against that bastion. So that's how you build out a highly resilient bastion setup. With NAT instances you would do something similar, but you would need some kind of script to automatically fail over your NAT. But with NAT gateways, which I don't have on this diagram, Amazon handles that failover for you automatically.

So in terms of my exam tips, it's pretty easy. Just remember the differences between a NAT instance and a bastion. A NAT instance is used to give EC2 instances in private subnets outbound Internet access, so they can go and install MySQL or Apache, for example, whereas a bastion is used to securely administer the EC2 instances in private subnets using SSH or RDP.

And in Australia we call them jump boxes. The reason I tell you we call them jump boxes is that the name actually makes a lot of sense. You basically jump onto that server, and then once you're in there, you can SSH or RDP from that server into your private subnet. So that's it, guys. If you have any questions, please let me know. If not, feel free to move on to the next lecture. Thank you.

