1
00:00:06,261 --> 00:00:07,805
- Now let's talk about routing

2
00:00:07,805 --> 00:00:10,520
within Amazon VPC.

3
00:00:10,520 --> 00:00:14,330
Routing is concerned with the flow of traffic,

4
00:00:14,330 --> 00:00:16,910
whether or not any and all traffic is allowed

5
00:00:16,910 --> 00:00:21,790
to move between two different ranges of IP addresses.

6
00:00:21,790 --> 00:00:26,330
Routing is not at all concerned with protocols and ports.

7
00:00:26,330 --> 00:00:29,635
Routing is not concerned with TCP versus UDP,

8
00:00:29,635 --> 00:00:33,280
port 22 versus port 443.

9
00:00:33,280 --> 00:00:35,280
It's only concerned about whether or not

10
00:00:35,280 --> 00:00:38,490
any and all traffic can move, right?

11
00:00:38,490 --> 00:00:42,200
And so, once we have routing in place,

12
00:00:42,200 --> 00:00:44,190
then we can start to filter the traffic

13
00:00:44,190 --> 00:00:47,460
based on protocol and port and so on.

14
00:00:47,460 --> 00:00:51,210
And so looking at this diagram,

15
00:00:51,210 --> 00:00:53,050
we can understand routing by talking

16
00:00:53,050 --> 00:00:57,280
about how do we get traffic from one place to another?

17
00:00:57,280 --> 00:01:02,280
And within AWS, every VPC has an implicit router.

18
00:01:04,880 --> 00:01:09,100
It already exists and it's already fully-managed by AWS.

19
00:01:09,100 --> 00:01:11,860
We don't need to create or manage the router,

20
00:01:11,860 --> 00:01:16,290
but we can configure routing by creating route tables.

21
00:01:16,290 --> 00:01:18,964
So you'll notice here that we have

22
00:01:18,964 --> 00:01:21,570
a couple of different route tables, right?

23
00:01:21,570 --> 00:01:25,250
So here's a route table, and here's a route table.

24
00:01:25,250 --> 00:01:27,540
And we configure the router

25
00:01:27,540 --> 00:01:30,733
by adding routes to those route tables.

26
00:01:32,010 --> 00:01:37,010
You'll see that both route tables have the default route.
27
00:01:37,470 --> 00:01:40,760
So this local route says that for traffic

28
00:01:40,760 --> 00:01:42,050
that is destined for,

29
00:01:42,050 --> 00:01:45,780
you'll notice this range here, 10.2.0.0/16,

30
00:01:45,780 --> 00:01:48,750
for traffic that is destined for that range,

31
00:01:48,750 --> 00:01:51,780
it remains inside the VPC.

32
00:01:51,780 --> 00:01:56,053
So you'll notice that this default range here, 10.2.0.0/16,

33
00:01:56,907 --> 00:02:01,730
matches the range here of the VPC itself.

34
00:02:01,730 --> 00:02:04,201
So all route tables that we create

35
00:02:04,201 --> 00:02:09,201
will ensure that traffic destined for the VPC remains local.

36
00:02:09,930 --> 00:02:14,510
And what that means is that every subnet in that VPC

37
00:02:14,510 --> 00:02:19,510
is inherently allowed to route traffic to other subnets.

38
00:02:20,100 --> 00:02:25,100
Right, so all of these subnets are inherently allowed

39
00:02:25,300 --> 00:02:29,360
to communicate with one another based on that local route.

40
00:02:29,360 --> 00:02:31,780
And without any other routes in place,

41
00:02:31,780 --> 00:02:34,760
that's the only communication that would be allowed.

42
00:02:34,760 --> 00:02:38,420
And so if we wanted to communicate with the internet,

43
00:02:38,420 --> 00:02:42,130
then first we would need an internet gateway.

44
00:02:42,130 --> 00:02:45,060
Again, a gateway is a device that allows two networks

45
00:02:45,060 --> 00:02:46,540
to communicate with one another.

46
00:02:46,540 --> 00:02:51,380
And so by creating and attaching this internet gateway,

47
00:02:51,380 --> 00:02:56,380
and then by creating a route, you'll notice here

48
00:02:56,670 --> 00:02:58,724
that we have a route, we're saying,

49
00:02:58,724 --> 00:03:02,266
with all zeroes, we are essentially saying,

50
00:03:02,266 --> 00:03:07,266
for every other range of IPs, aside from 10.2.0.0/16,

51
00:03:09,200 --> 00:03:13,320
we want to route those packets to the internet gateway.
52
00:03:13,320 --> 00:03:17,880
And so if we then associate this route table

53
00:03:19,410 --> 00:03:24,410
with this subnet, that would then allow devices

54
00:03:24,740 --> 00:03:28,660
in that subnet to communicate to the internet

55
00:03:28,660 --> 00:03:31,530
by going through the internet gateway.

56
00:03:31,530 --> 00:03:34,770
And then the same thing applies to a VPN connection.

57
00:03:34,770 --> 00:03:37,670
Over here, if we wanted to create a VPN

58
00:03:37,670 --> 00:03:41,490
between our VPC and on-premises,

59
00:03:41,490 --> 00:03:43,990
then we would need a VPN gateway.

60
00:03:43,990 --> 00:03:46,030
And we would also need a route.

61
00:03:46,030 --> 00:03:47,870
You'll notice here, what we're saying is that

62
00:03:47,870 --> 00:03:52,870
for any network traffic that is destined for 192.168.0.0/16,

63
00:03:54,570 --> 00:03:56,980
essentially our corporate range,

64
00:03:56,980 --> 00:03:59,180
then we want to route that traffic

65
00:03:59,180 --> 00:04:01,980
from our, say, databases or what have you,

66
00:04:01,980 --> 00:04:06,980
through the VPN gateway and back to on-premises.

67
00:04:07,870 --> 00:04:10,910
And so again, routing is concerned with

68
00:04:10,910 --> 00:04:12,840
whether or not traffic can flow.

69
00:04:12,840 --> 00:04:16,070
And I always liken routing to

70
00:04:16,070 --> 00:04:18,640
the plumbing at your kitchen sink, right?

71
00:04:18,640 --> 00:04:21,210
It's the plumbing at your sink that allows water

72
00:04:21,210 --> 00:04:23,280
to be delivered to your sink.

73
00:04:23,280 --> 00:04:25,470
And it's only once that plumbing is there

74
00:04:25,470 --> 00:04:27,880
that you can then filter the water.

75
00:04:27,880 --> 00:04:29,160
And the same thing applies here.

76
00:04:29,160 --> 00:04:32,810
It's once routing is in place and traffic can flow,

77
00:04:32,810 --> 00:04:36,980
then we start worrying about filtering that traffic

78
00:04:36,980 --> 00:04:38,800
based on ports and protocols.
79
00:04:38,800 --> 00:04:41,800
So routing is the first place that we start,

80
00:04:41,800 --> 00:04:44,250
and then we can start applying firewalls

81
00:04:44,250 --> 00:04:45,743
and different security mechanisms

82
00:04:45,743 --> 00:04:47,763
that we will talk about later.