SAP-C02 Amazon AWS Certified Solutions Architect Professional – New Domain 5 – Continuous Improvement for Existing Solutions Part 2

August 26, 2023

33. DX – Public & Private VIF

Hey everyone, and welcome back to the Knowledge full video series. So, continuing our journey with the Direct Connect connection, today we’ll go ahead and understand more about the virtual interfaces. So in AWS, I hope we remember that after we create a Direct Connect connection, it goes into the requested state. Now, after it gets approved, the next step that we must take is to create virtual interfaces. So there are two types of virtual interfaces: one is public and one is private. So let’s go ahead and understand. All credit for this diagram goes to its author, because this is something that I have not made; you see the Chinese characters here. So let’s look into how it works. So this is your data center and this is AWS. Now, consider this blue cylinder as the Direct Connect line. Once this is established, we have to create a virtual interface. So each virtual interface can be connected to a virtual gateway. So the virtual gateway is something that we can configure directly in the VPC. Let me just show you. So basically, before we create a virtual interface, we need to create a virtual gateway.

So if you’ll see over here, you have a virtual private gateway. And when you create a virtual private gateway, let me name it test DX and I’ll click on Create. So this virtual private gateway that is created needs to get attached to a VPC. So one virtual gateway can be attached to only a single VPC. So whenever you create a virtual interface, specifically the private one, it needs to get attached to the virtual gateway. So this interface will get attached to the virtual gateway, and the virtual gateway is attached to the VPC. And this is how you can basically connect to the resources which are part of the VPC. So let’s look into how exactly it would work as the overall steps. So the first step is to create a Direct Connect connection, and it will go for approval from the AWS side. So this is where we are. Once approved, you get a Letter of Authorization (LOA) from AWS, which you can share with the AWS Direct Connect partner. So whenever you want to create a connection, you have to give that LOA, which is approved by AWS, to the Direct Connect partner. And the Direct Connect partner will use that LOA to set up a connection on your behalf with AWS.

So once this gets accepted, you go ahead and create a virtual interface. There are two types of virtual interface, public and private. Public VIFs are used to access the public endpoints within the region. And private VIFs are used to basically access the private endpoints, like private IP addresses of the VPC. So EC2 instances can have private IP addresses; even RDS can have private IP addresses. So a private VIF can be used to access those. Once your VIF (virtual interface) is created, you will get an option to download the router configuration file, which you can download and upload to your router. So let’s start with each individual step. So in the first step, we create a connection. I hope you remember, we create a connection, we select the location and we select a port speed, which can be 1 Gbps or 10 Gbps directly.

So after we click on Create, it goes into the requested state, and once the request gets approved, AWS will give us the LOA, which you can download and give to a Direct Connect partner. So we give that LOA to the Direct Connect partner, who will establish the Direct Connect connection on your behalf. Second is, once you receive the LOA, you can go ahead and create a virtual interface; we will take care of the private interface and look at how it actually works. So, each private virtual interface can be assigned to only one virtual gateway. So we have already seen that whenever we want to create a private VIF, we have to create a virtual gateway beforehand. And each virtual gateway can be connected to the VPC resources. And this is the reason why whenever we create a private VIF, it must connect to a virtual gateway. However, when we create a public VIF, the public VIF does not need to connect to the private instances. It needs to connect to the public endpoints, like DynamoDB or S3 within the region. So it does not need a virtual gateway; only the private VIF needs a virtual gateway.

So each private VIF can be assigned to only one virtual gateway. So this is the page where we create a virtual interface. So you see, there are two: you have private and you have public. So whenever you select private, you have to select the virtual gateway which you have created. This is one important thing to remember. So the next important point to remember is that you can associate a virtual interface with your account or with another account as well. If it is another account, it is called a hosted connection; this is something that you need to remember. Now, along with that, you have to do a lot of things related to BGP. Remember, Direct Connect uses BGP. And one of the advantages of BGP is that you don’t really have to configure your routing. BGP will automatically configure the routing for you. So if you remember, generally when we establish the connectivity, we have to manually add the route-related data. However, if you use BGP, you don’t have to do that.

So, since Direct Connect uses BGP, we don’t have to manually add routing. BGP will advertise the routes on your behalf. Once your interface gets created, you get the option to download the router configuration. Now you select your vendor, which can be Cisco or Check Point or other vendors that you might have. You select the platform and you select the software, and you go ahead and click on Download. This will download the configuration file, which you have to upload to your router, and the connection can get established. Remember, your router will establish the connection with Direct Connect; it is not the opposite. Now, I am sure that you are confused about how exactly this process works. Now, I cannot directly show you the exact practical, because Direct Connect is something which needs a lot of things related to the connection.

And I don’t really have a hardware firewall or a Direct Connect partner whom I can pay. So what I’ll do is I’ll share with you a very nice video which was recorded by AWS themselves, which explains the entire procedure on how exactly this works. Because it is AWS, they can approve their own Direct Connect and they can show you how exactly it would work. So, this is one of the lacks, I would say, on my behalf, because there are certain things that I will not be able to show you practicals about. So there are certain important pointers that you need to remember as part of the exam. First, by default you have 1 Gbps and 10 Gbps connections which are available. If you need a smaller connection, then there are some sub-1 Gbps connections which are available from the Direct Connect partners, which include 50 Mbps, 100 Mbps, 200 Mbps, 400 Mbps and 500 Mbps. Second, Direct Connect uses public interfaces for accessing public resources like S3 and DynamoDB within the region, and private interfaces for accessing the VPC-based resources.

Now, the next very important point to remember is that Direct Connect is not fault tolerant. So if the Direct Connect line goes down, your entire connection will get hampered. And this is the reason why AWS recommends that you have two Direct Connect connections. Or, if that is something which is not affordable, you use Direct Connect along with a VPN. So if one goes down, you can have the VPN as a backup. Now, use BGP to automatically fail over to a backup connection. So, let’s assume that you have been using a VPN connection for now, and after a week you have a new Direct Connect connection which is established. Now, how will you route all your traffic from the VPN to Direct Connect? One is you directly disconnect the VPN line; that will be a hard failure. And second is you can use BGP to do an automatic failover. So, we’ll be discussing this in our important pointers in the upcoming lectures.

So, what happens when you use BGP is you can assign a score. So let’s assume you assign a score of 20 to one connection and a score of 40 to the other. That way, the connection request will go according to the scores that you assign in BGP. We’ll be discussing more about this in the relevant lecture. And the last important point is that in the US, Direct Connect will grant you access to all the US-related regions. So for this, you have to remember that Direct Connect is region specific. If you create a Direct Connect in the Mumbai region, you cannot access the resources in the Singapore region. It is region specific. But the only exception here is the US. So you have North Virginia, you have Oregon. As far as the US is concerned, you can actually.
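The VPN-to-Direct-Connect migration and the automatic failover described above can be made concrete with a small route-selection simulation. This is an added example, not code from the course or from AWS: the "score" the lecture refers to is modelled here as BGP LOCAL_PREF (higher wins) with AS-path length as the tie-breaker, and the on-premises prefix, neighbour names and ASN are constructed values.

```python
"""BGP preference-based failover between a Direct Connect private VIF and a
Site-to-Site VPN, as a small simulation.

Added example, not code from the course or from AWS. The "score" the lecture
mentions is modelled as BGP LOCAL_PREF (higher wins), with AS-path length as
the tie-breaker; the prefix, neighbour names and ASN are constructed."""
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str          # destination advertised by the on-premises router
    neighbor: str        # which BGP session the route was learned over
    local_pref: int      # preference "score": higher wins
    as_path: tuple       # shorter path wins when local_pref ties
    up: bool = True      # becomes False when the session is lost


class RouteTable:
    """Minimal RIB: keeps every learned path and picks the best one per prefix."""

    def __init__(self):
        self.routes = []

    def learn(self, route):
        self.routes.append(route)

    def withdraw(self, neighbor):
        # Session loss: every path from that neighbour stops being usable.
        for r in self.routes:
            if r.neighbor == neighbor:
                r.up = False

    def restore(self, neighbor):
        for r in self.routes:
            if r.neighbor == neighbor:
                r.up = True

    def best(self, prefix):
        """Highest local_pref among usable paths, then shortest AS path."""
        usable = [r for r in self.routes if r.prefix == prefix and r.up]
        if not usable:
            return None
        return max(usable, key=lambda r: (r.local_pref, -len(r.as_path)))


ONPREM = "10.50.0.0/16"   # constructed on-premises prefix


def migration_demo():
    """VPN in use first; DX comes up a week later with the higher score.
    Returns the chosen neighbour before and after the DX route is learned."""
    rt = RouteTable()
    rt.learn(Route(ONPREM, "vpn-tunnel-1", local_pref=20, as_path=(65001,)))
    before = rt.best(ONPREM).neighbor
    # Learning the Direct Connect path is enough: no hard cut of the VPN.
    rt.learn(Route(ONPREM, "dx-private-vif", local_pref=40, as_path=(65001,)))
    after = rt.best(ONPREM).neighbor
    return before, after


def failover_demo():
    """DX preferred; DX session lost; DX restored. Returns the three choices."""
    rt = RouteTable()
    rt.learn(Route(ONPREM, "dx-private-vif", local_pref=40, as_path=(65001,)))
    rt.learn(Route(ONPREM, "vpn-tunnel-1", local_pref=20, as_path=(65001,)))
    normal = rt.best(ONPREM).neighbor
    rt.withdraw("dx-private-vif")          # Direct Connect line goes down
    degraded = rt.best(ONPREM).neighbor    # traffic moves to the VPN backup
    rt.restore("dx-private-vif")
    recovered = rt.best(ONPREM).neighbor
    return normal, degraded, recovered


if __name__ == "__main__":
    print("migration:", migration_demo())
    print("failover:", failover_demo())
```

The point of the simulation is the second step of each demo: traffic moves because the preferred path appears or disappears in the routing table, so neither the cutover nor the failover needs anyone to touch the VPN configuration.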

34. Direct Connect Gateway

Hey everyone and welcome back. In today’s video we will be discussing the Direct Connect gateway. Now, a Direct Connect gateway can be used to connect your Direct Connect connection, over a private VIF, to one or more VPCs within the account that are located in the same or multiple regions. Now, in technical terms, it allows us to combine the private VIF with multiple virtual gateways in the same or remote regions. So this can be better understood with a diagram over here, where you have a customer network and you have a Direct Connect connection.

So here you have a Direct Connect gateway. Now, this Direct Connect gateway can be associated with multiple virtual gateways. And what basically happens is that once you make use of a Direct Connect gateway, the on-premises network will be able to communicate with multiple VPCs which are located across multiple regions. So here you see the connection is between the North California region and the North Virginia region. And if they are connected to the Direct Connect gateway, then communication can be established between the VPCs across multiple regions and your on-premises network through a Direct Connect connection.

Now, one important part to remember here is that the Direct Connect gateway is a global resource; it is not a region-specific resource. And this is important because you have a Direct Connect gateway which can be associated with multiple VPCs across multiple regions, and hence it needs to be globally available. So we can understand this with an example. So let’s say that you have a Direct Connect connection in the us-east-1 region. By making use of a Direct Connect gateway, we can connect the VPCs in your account in all the regions except China. So a Direct Connect gateway can be used to connect multiple VPCs across multiple regions, and hence you can have established connectivity. However, as of now, the China region is not supported. Now there are certain considerations that you need to understand if you are planning to use a Direct Connect gateway.

First is that you cannot use a Direct Connect gateway that is in your account to connect to a VPC that is within a different AWS account. So if you’re using a Direct Connect gateway, all the VPCs that you might want to connect it with must be within the same AWS account. The second important consideration is that the VPCs that you might want to connect to a Direct Connect gateway cannot have overlapping CIDR blocks. This is specifically important. So let’s say that you are using a default VPC. Now, within AWS, the default VPC has a CIDR of 172.31.0.0/16.

So you cannot basically make use of two default VPCs in two different regions with the help of a Direct Connect gateway, because then you will have an overlapping CIDR block. And the third point that we already discussed is that you cannot basically use a Direct Connect gateway to connect to a VPC within the China region. So in exams, you might get a question on how you can make use of your Direct Connect connection to connect to multiple VPCs within multiple regions. And the answer to that would be through a Direct Connect gateway.
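The three considerations above (same AWS account, no overlapping VPC CIDRs, no China region) are easy to check before you start associating virtual gateways with a Direct Connect gateway. The following pre-flight check is an added example, not code from the course or from AWS; the VPC inventory, account IDs, VPC IDs and regions are constructed placeholders, and it goes a little beyond the lecture by also catching a CIDR that is nested inside another one, which `ipaddress.ip_network.overlaps` treats as an overlap.

```python
"""Pre-flight check for the Direct Connect gateway considerations from the
lecture: same AWS account, no overlapping VPC CIDRs, and no China region.

Added example, not code from the course or from AWS. The VPC inventory is
constructed: account IDs, VPC IDs and regions are placeholders."""
import ipaddress
from itertools import combinations

DXGW_ACCOUNT = "111111111111"   # constructed owner account of the gateway

# Constructed inventory: (vpc_id, account_id, region, cidr_block).
# Two entries are default VPCs, which AWS creates as 172.31.0.0/16 everywhere.
VPCS = [
    ("vpc-0aaa", "111111111111", "us-east-1",  "172.31.0.0/16"),   # default VPC
    ("vpc-0bbb", "111111111111", "us-west-1",  "172.31.0.0/16"),   # default VPC
    ("vpc-0ccc", "111111111111", "ap-south-1", "10.10.0.0/16"),
    ("vpc-0ddd", "111111111111", "eu-west-1",  "10.10.128.0/20"),  # nested in 10.10.0.0/16
    ("vpc-0eee", "222222222222", "eu-west-2",  "10.20.0.0/16"),    # other account
    ("vpc-0fff", "111111111111", "cn-north-1", "10.30.0.0/16"),    # China region
]


def find_overlaps(vpcs):
    """Every pair whose CIDRs overlap, nesting included (ip_network.overlaps)."""
    conflicts = []
    for a, b in combinations(vpcs, 2):
        net_a = ipaddress.ip_network(a[3], strict=True)
        net_b = ipaddress.ip_network(b[3], strict=True)
        if net_a.overlaps(net_b):
            conflicts.append((a[0], b[0]))
    return conflicts


def foreign_account(vpcs, owner=DXGW_ACCOUNT):
    """VPCs not owned by the account that owns the Direct Connect gateway."""
    return [v[0] for v in vpcs if v[1] != owner]


def china_region(vpcs):
    """VPCs in a China region, which the gateway cannot reach."""
    return [v[0] for v in vpcs if v[2].startswith("cn-")]


def validate_dxgw_plan(vpcs, owner=DXGW_ACCOUNT):
    """Return a list of problems; an empty list means the plan is clean."""
    problems = []
    for a, b in find_overlaps(vpcs):
        problems.append(f"overlapping CIDR: {a} and {b}")
    for v in foreign_account(vpcs, owner):
        problems.append(f"VPC in a different AWS account: {v}")
    for v in china_region(vpcs):
        problems.append(f"China region not supported: {v}")
    return problems


if __name__ == "__main__":
    for problem in validate_dxgw_plan(VPCS) or ["plan is clean"]:
        print(problem)
```

Run against the constructed inventory, the check reports the two default VPCs clashing on 172.31.0.0/16, the nested 10.10.128.0/20, the VPC owned by the other account, and the VPC in cn-north-1; feed it your own `describe-vpcs` output per region and an empty result means the gateway associations will not fail on these three points.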
