SAP-C02 Amazon AWS Certified Solutions Architect Professional – New Domain 5 – Continuous Improvement for Existing Solutions

August 25, 2023

31. CloudHSM

Hey everyone, and welcome back. In today’s video we will be discussing CloudHSM. Now, a CloudHSM is basically an HSM device, and HSM stands for hardware security module. These are hardware devices, specially designed to safeguard and manage digital keys for stronger authentication. So let me give you an example. So let’s say this is a key. I hope you are able to see it. Let’s say that this key is for a locker and you have very, very important data inside the locker. The safety of that data, or of whatever item is inside the locker, depends on this specific key. All right? Now, if this key is lost or stolen, then the data or the item inside the locker is at risk. So I actually took it from my mom. I’ll quickly give it back to her before she comes anyway. So, similar to the key example, when it comes to data we make use of encryption keys. Let’s say that you have generated an encryption key and that key is used to encrypt all the data within your database. Now, the problem is: where will you store that encryption key? Will you put it in a notepad file, or in Evernote, or where?

So this device solves that problem. Now, an HSM device is primarily used for storing keys. It is not limited to that in terms of functionality; it can perform a lot of other functions (generating keys, encrypting, signing), but the primary one is storing the keys so that they never leave the device. Now, this device must be tamper resistant, and that matters precisely because it is a piece of hardware. Let’s say you have this device sitting in a data center, and the data center is managed by some other organization, and someone from that organization tries to open up the device, maybe to take the hard disk out.

You need to be very careful with that, because if they get access to the disk and the key on it is not protected, then they get access to your key. So the device is tamper resistant. Basically, what happens is that if anyone tries to tamper with it, it automatically deletes (zeroizes) the keys. This is one of the important characteristics of a typical HSM. Now, the problem with these HSM devices is that they are quite expensive. And if you are subject to compliance and you are storing PII or some other critical data, compliance may mandate that you have an HSM, and these devices are quite costly. This is the reason why AWS came up with the offering of CloudHSM.

Now, CloudHSM is the AWS offering for using a dedicated HSM within your cloud. Prior to CloudHSM, what organizations used to do is buy this HSM device, keep it in their on-premises location, and use it to encrypt all of their data, maybe in a database in AWS or in any other cloud provider. So, since the HSM was on premises and the data was in the cloud, every cryptographic operation had to cross that link, which brought a lot of latency. And this is the reason why, if your data is in the cloud, you can go with CloudHSM and you will have a minimal amount of latency there. Now, whichever HSM device you buy, make sure that it is validated against internationally recognized standards like FIPS 140-2 or Common Criteria. Now, when it comes to CloudHSM pricing, this was the older pricing. Earlier the problem was that an organization had to pay an upfront cost of $5,000 if it wanted to get a CloudHSM, and on top of that an hourly fee of $1.88 per hour. Because of this upfront fee, a lot of startups and a lot of organizations were not really opting for CloudHSM. However, the good news now is that AWS has removed the upfront pricing.

So you see, it says that there are no upfront costs to using CloudHSM. The only thing you pay for is the device on an hourly basis. For Virginia it is $1.60 per hour, in Ohio it is $1.45 per hour, and Mumbai is quite expensive at $2.50 per hour. So I hope you understood what CloudHSM is at a high level, and also the pricing aspect. Let’s discuss some of the important pointers for the exam as far as CloudHSM is concerned. First, CloudHSM is single-tenant. That basically means it is a single physical device which is used only by you.

So it is not a shared device. Now, the second important point is that it must be used within a VPC: the cluster’s HSMs get elastic network interfaces in your subnets, and your clients talk to them over that private network. We can also integrate CloudHSM with various other services, like Redshift and RDS for Oracle (for transparent data encryption), and it can back a KMS custom key store; new integrations will keep coming. Now, for fault tolerance we need to build a cluster of two HSM devices. Let’s say that you purchased one CloudHSM and, due to some reason, it might be a power, network or hardware issue, that CloudHSM goes down. Then your keys will not be accessible until it comes back. And this is the reason why it is better to have fault tolerance in place.

And in order to do that, you need to build a cluster of at least two CloudHSMs, placed in different Availability Zones so that one AZ outage does not take both of them down. Now, AWS used the SafeNet Luna SA HSM appliance for the original CloudHSM (CloudHSM Classic). This is an important point to remember: do make sure that you remember the SafeNet Luna SA part. The current CloudHSM service runs on different hardware, but either way these HSMs are FIPS 140-2 Level 3 validated. Now, the HSMs have two partitions. One is an administrative partition that AWS uses to monitor the health of the appliance, and the second is the cryptographic partition where you store your keys. The cryptographic partition is something that no one except you has access to, not even AWS.
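Here is an added example, not code from the course, that turns the fault-tolerance pointer above into a check you can run against your own account. It parses the JSON that `aws cloudhsmv2 describe-clusters` prints (the field names are the real ones from that API; the sample document embedded in the script is constructed, with made-up cluster and HSM IDs) and flags every cluster that would lose access to its keys if one HSM, or one Availability Zone, went down.

```python
"""Fault-tolerance audit for CloudHSM clusters (added example, not course code).

Parses the JSON printed by `aws cloudhsmv2 describe-clusters` and reports
clusters that would lose access to their keys if a single HSM (or a single
AZ) went down. Field names (Clusters, ClusterId, State, Hsms, HsmId,
AvailabilityZone) are the real ones from that API; the sample document
below is constructed and its IDs are made up.
"""
import json
import sys

MIN_ACTIVE_HSMS = 2  # AWS guidance: at least two HSMs, in different AZs

# Constructed sample of describe-clusters output (trimmed to the relevant fields).
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {   # two ACTIVE HSMs in two AZs: survives the loss of either
            "ClusterId": "cluster-sample0001", "State": "ACTIVE", "HsmType": "hsm1.medium",
            "Hsms": [
                {"HsmId": "hsm-sample0001", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
                {"HsmId": "hsm-sample0002", "AvailabilityZone": "us-east-1b", "State": "ACTIVE"},
            ],
        },
        {   # the single-HSM case from the lecture: keys unreachable while it is down
            "ClusterId": "cluster-sample0002", "State": "ACTIVE", "HsmType": "hsm1.medium",
            "Hsms": [
                {"HsmId": "hsm-sample0003", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
            ],
        },
        {   # two HSMs, same AZ: one AZ outage takes both
            "ClusterId": "cluster-sample0003", "State": "ACTIVE", "HsmType": "hsm1.medium",
            "Hsms": [
                {"HsmId": "hsm-sample0004", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
                {"HsmId": "hsm-sample0005", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
            ],
        },
        {   # second HSM exists but is DEGRADED, so only one is really serving
            "ClusterId": "cluster-sample0004", "State": "DEGRADED", "HsmType": "hsm1.medium",
            "Hsms": [
                {"HsmId": "hsm-sample0006", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
                {"HsmId": "hsm-sample0007", "AvailabilityZone": "us-east-1b", "State": "DEGRADED"},
            ],
        },
    ]
})


def audit_cluster(cluster):
    """Return a list of findings for one cluster; an empty list means it is fault tolerant."""
    findings = []
    state = cluster.get("State")
    if state != "ACTIVE":
        findings.append(f"cluster state is {state}, not ACTIVE")

    hsms = cluster.get("Hsms", [])
    active = [h for h in hsms if h.get("State") == "ACTIVE"]
    for h in hsms:
        if h.get("State") != "ACTIVE":
            findings.append(f"HSM {h.get('HsmId')} is {h.get('State')}")

    if len(active) < MIN_ACTIVE_HSMS:
        findings.append(f"only {len(active)} ACTIVE HSM(s); need at least {MIN_ACTIVE_HSMS}")
    else:
        # Enough HSMs, but they only help if an AZ failure cannot take all of them out.
        zones = sorted({h["AvailabilityZone"] for h in active})
        if len(zones) < 2:
            findings.append(f"all ACTIVE HSMs are in one AZ ({zones[0]})")
    return findings


def audit_describe_clusters(doc_json):
    """Map ClusterId -> findings for every cluster in a describe-clusters document."""
    doc = json.loads(doc_json)
    return {c["ClusterId"]: audit_cluster(c) for c in doc.get("Clusters", [])}


if __name__ == "__main__":
    # Pipe real output in: aws cloudhsmv2 describe-clusters | python3 cloudhsm_audit.py
    source = sys.stdin.read() if not sys.stdin.isatty() else ""
    for cluster_id, findings in audit_describe_clusters(source or SAMPLE_DESCRIBE_CLUSTERS).items():
        print(cluster_id, "OK" if not findings else "; ".join(findings))
```

Pipe the real CLI output into the script; an empty findings list for a cluster means it has at least two ACTIVE HSMs spread over at least two AZs. The same check is worth wiring into a periodic job, because a cluster that was healthy when you built it can silently drop to one HSM if the other fails and nobody replaces it.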

32. Understanding Direct Connect

Hey everyone and welcome back to the Knowledgeable Video series. Continuing our journey through the networking section, today we have an overview of Direct Connect. Now, Direct Connect is a pretty important topic as far as the exams are concerned, and when it comes to the Advanced Networking Specialty certification, Direct Connect is one of the most important topics. So let’s go ahead and understand the necessity of Direct Connect. In normal communication, let’s assume you have a customer and you have a VPC in AWS. If you want to connect to the VPC, what happens behind the scenes is that the internet comes into the picture. So this is the internet, and you route your traffic through the internet and get the data back through the internet. This is how most communication works. Now, when you talk about the internet, the packet travels in hops, because there are a lot of routers present all over the place.

And let’s assume I have my client in India and a server somewhere in Oregon. The packets will have to travel in hops all over the world to reach the Oregon region, and as you might have guessed, that leads to a lot of latency. So let me show you what I mean. Here I have done a simple traceroute to google.com, and you see it took around 17 hops for my packet to reach the Google server. This is the first hop, from the first hop to the second, and so on; you can think of it as the first router to the second, second to third, third to fourth. So in total 17 hops were required for my packet to travel from the client to the destination. Now, it sometimes goes much higher. This is because Google has local servers in India, but a lot of clients host their websites in North Virginia, Ireland or even Oregon, and reaching there requires something like 20 or sometimes 25 hops. That leads to a lot of latency and the website starts to get slow. So this approach is definitely good, but at times, for critical applications where latency is one of the most important factors, the internet is not the preferred path. So let’s look at the challenges. First, the internet is a good option if the amount of traffic is within a certain limit. Second, there is always latency involved if you go the internet way.

Now, many organizations have a hybrid architecture, where some of the servers are in a data center and some of the servers are in AWS. In one of the companies that I used to work with, we had a hybrid architecture: some of the application servers were in the data center and some of the application servers were in the AWS cloud, and both sets of servers needed to communicate for the website to work properly.

So for a client request to complete successfully, both the servers in the data center and the servers in AWS, and the network connectivity between them, should be optimal for things to work in an ideal manner. Now, the network connectivity between the data center and the VPC goes through an ISP. If the ISP is down or slow, the entire website is hampered. That is one thing. If the ISP is not providing the bandwidth that was requested, again the website becomes slow. So there are a lot of challenges when you go through the internet, specifically if you have your infrastructure both in a data center and in the cloud and the two need to communicate.

Since many organizations follow this approach, AWS came up with a feature called Direct Connect to solve this challenge. AWS Direct Connect lets customers establish a dedicated network connection between their own network and one of the Direct Connect locations. So you have a data center here, you have a VPC here, and you establish a direct connection, like a leased line, from the data center to the Direct Connect location and from there to the VPC, and thus you bypass the internet. This is very effective because you don’t really have to worry about things slowing down. You have a Direct Connect, an extremely fast network between your data center and your VPC, and you can go ahead and implement a hybrid architecture or whatever you want. So there are a lot of benefits of a Direct Connect connection.

First, having a direct connection between the customer’s data center and AWS brings a tremendous amount of benefit. One of them is consistent network performance. I’m sure many of you are familiar with this: with your home WiFi you will not get fast speed all the time; sometimes you get very slow speed, sometimes the WiFi does not work at all. That is inconsistent network performance. With Direct Connect you get consistent network performance, because that amount of bandwidth is allocated to you and it is not oversubscribed. That is the first part. Second is reduced bandwidth cost. Again, think of the ISP: when you go for an internet connection at home they have various plans, 30 GB, 40 GB, 100 GB, and the higher you go, the more you pay. In the same way, for a data center, the more you transfer over the internet, the more you pay. With Direct Connect, since it is something like a leased line that is directly connected, data transfer out of AWS is charged at a lower per-GB rate than internet data transfer, so the cost of bandwidth is much lower than through the ISP. So this is the second. Third is private connectivity to your VPC. This is also quite good because your traffic never crosses the public internet, so you are far less exposed to on-path (man-in-the-middle) attacks by the networks in between; you have a direct, dedicated line to your VPC. One caveat a practitioner should keep in mind, though: a Direct Connect circuit is private, not encrypted. If you need confidentiality on the wire, enable MACsec on the connection (supported on 10 Gbps and 100 Gbps dedicated connections at supporting locations), run an IPsec Site-to-Site VPN over the connection, or use TLS at the application layer. So these are a few benefits. Now, let me show you.

So this is the architecture of a Direct Connect connection. On the left-hand side you have your data center and on the right-hand side you have your Amazon VPC, and in the middle you have a Direct Connect location with a Direct Connect partner. What you do is connect a line from your data center to the partner at that location, and the Direct Connect location has a dedicated fiber link to AWS. All you have to worry about is connecting your data center to one of the Direct Connect locations. To establish this, you contact a Direct Connect partner who will help you set up the line between your data center and the location, and after that they take care of the other section. So let me show you how exactly this works at a high level. This is the AWS Direct Connect page. If you see, the first step is to select a location for Direct Connect. Remember, each Direct Connect location is associated with an AWS region, and a private virtual interface on that connection attaches to a virtual private gateway in that region.

So, to reach VPCs in other regions, you either establish a separate connection at a location associated with that region or attach your connection to a Direct Connect gateway, which can reach VPCs in multiple regions. Once you select the location, you can configure the virtual interface. If you see over here, the first part is the connection, then the virtual interface, and then you connect: you can connect your data center, office or colocation environment to AWS Direct Connect. So let’s go to Connections and click Create Connection. I’ll just name it kplabs-testing, and then there are the various Direct Connect locations that are present. You can select any one of them; let me just pick one at random. Then you have to specify the port speed. A dedicated connection comes with a port speed of 1 Gbps, 10 Gbps or 100 Gbps, depending on how fast you need this pipe; here we will select either 1 Gbps or 10 Gbps.

There are other speeds also available, which we will be discussing: sub-1 Gbps hosted connections, from 50 Mbps up, are ordered through a Direct Connect partner rather than created here. Select one of them and click Create. After you click Create, the state of the connection is requested. You now have to wait for AWS to approve the request and issue the Letter of Authorization and Connecting Facility Assignment (LOA-CFA), which your provider uses to order the cross-connect at the location. Once the cross-connect is in place and the link comes up, the state becomes available, and only then can you go to Virtual Interfaces and create a new virtual interface. We will be discussing virtual interfaces in more detail in the upcoming lecture. But just remember that when you have a Direct Connect connection between your data center and AWS, the traditional approach of connecting to S3 over the internet is no longer required.

You can send that traffic over the Direct Connect connection instead, using a public virtual interface that reaches AWS public endpoints like S3 while bypassing the internet. This makes things extremely fast.
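As an added example, not from the course, the following script follows up on the private-connectivity point from earlier: a Direct Connect circuit keeps your traffic off the public internet, but the bits on the fibre are cleartext unless MACsec is enabled on the port or you run IPsec or TLS over it. The script parses the JSON from `aws directconnect describe-connections` (field names are the real API ones; the embedded sample is constructed, with made-up connection IDs and location names) and flags connections that are not up or where encryption is not enforced.

```python
"""Wire-encryption audit for Direct Connect connections (added example, not course code).

A Direct Connect circuit is private but not encrypted unless MACsec is
enabled on the port (10 Gbps and 100 Gbps dedicated connections at
supporting locations) or IPsec/TLS runs on top of it. This parses the JSON
printed by `aws directconnect describe-connections` and flags connections
where encryption is not enforced. Field names (connections, connectionId,
connectionState, macSecCapable, encryptionMode, portEncryptionStatus) are
the real ones from that API; the sample document is constructed and its
IDs and location names are made up.
"""
import json
import sys

# Constructed sample of describe-connections output (trimmed to the relevant fields).
SAMPLE_DESCRIBE_CONNECTIONS = json.dumps({
    "connections": [
        {   # MACsec enforced and the MKA session is up: nothing to flag
            "connectionId": "dxcon-sample0001", "connectionName": "dc1-use1-a",
            "connectionState": "available", "region": "us-east-1", "location": "SampleLoc1",
            "bandwidth": "10Gbps", "macSecCapable": True,
            "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up",
        },
        {   # should_encrypt falls back to cleartext when the session drops, and it has dropped
            "connectionId": "dxcon-sample0002", "connectionName": "dc1-use1-b",
            "connectionState": "available", "region": "us-east-1", "location": "SampleLoc1",
            "bandwidth": "10Gbps", "macSecCapable": True,
            "encryptionMode": "should_encrypt", "portEncryptionStatus": "Encryption Down",
        },
        {   # 1 Gbps port: MACsec is not offered, so traffic needs IPsec or TLS on top
            "connectionId": "dxcon-sample0003", "connectionName": "dc2-use1",
            "connectionState": "available", "region": "us-east-1", "location": "SampleLoc2",
            "bandwidth": "1Gbps", "macSecCapable": False,
        },
        {   # the state right after Create Connection: waiting for the LOA-CFA / cross-connect
            "connectionId": "dxcon-sample0004", "connectionName": "kplabs-testing",
            "connectionState": "requested", "region": "us-east-1", "location": "SampleLoc1",
            "bandwidth": "10Gbps", "macSecCapable": True, "encryptionMode": "no_encrypt",
        },
    ]
})


def audit_connection(conn):
    """Return findings for one connection; empty means it is up and encryption is enforced."""
    findings = []
    state = conn.get("connectionState")
    if state != "available":
        findings.append(f"state is {state}, not available")
    if not conn.get("macSecCapable", False):
        findings.append("port is not MACsec capable: run Site-to-Site VPN (IPsec) over the "
                        "connection or TLS at the application layer")
        return findings
    mode = conn.get("encryptionMode", "no_encrypt")
    if mode != "must_encrypt":
        findings.append(f"encryptionMode is {mode}; must_encrypt makes the port drop traffic "
                        "instead of falling back to cleartext")
    status = conn.get("portEncryptionStatus")
    # Only a live connection can have a MACsec session, so skip this check while pending.
    if state == "available" and status != "Encryption Up":
        findings.append(f"portEncryptionStatus is {status}")
    return findings


def audit_describe_connections(doc_json):
    """Map connectionId -> findings for every connection in a describe-connections document."""
    doc = json.loads(doc_json)
    return {c["connectionId"]: audit_connection(c) for c in doc.get("connections", [])}


if __name__ == "__main__":
    # Pipe real output in: aws directconnect describe-connections | python3 dx_audit.py
    source = sys.stdin.read() if not sys.stdin.isatty() else ""
    for conn_id, findings in audit_describe_connections(source or SAMPLE_DESCRIBE_CONNECTIONS).items():
        print(conn_id, "OK" if not findings else "; ".join(findings))
```

For a MACsec-capable port, `aws directconnect update-connection --connection-id <id> --encryption-mode must_encrypt` switches it to the enforcing mode; with `should_encrypt` the port quietly falls back to cleartext if the MACsec key agreement session drops, which is exactly what the second sample connection shows.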
