[00:00:06 --> 00:01:36] Now let's talk about public, private and hybrid subnets within Amazon VPC. So, earlier we talked about routing and how routing allows the flow of traffic between different ranges of IP addresses. And so, within Amazon VPC, earlier we talked about using an internet gateway and a route to the internet gateway to allow communication from a device in a subnet, through the internet gateway, and to the internet. And so by doing that, by creating that route, we then essentially create a subnet here; this particular subnet would then be considered public because the devices in that network have direct access both to and from the internet. Any device within this particular subnet, so long as it has a public IP address, would be reachable from the internet, and so we could then again call this subnet public. And so, generally when we're talking with other folks working with AWS, if we talk with Amazon solution architects and we describe to them that we have a public subnet, we are essentially implying that that subnet has a route to the internet through an internet gateway.

[00:01:36 --> 00:02:24] We also, in many cases, have application servers. Like here, for example, we have this EC2 instance that has an application running on it, and perhaps for some reason that instance needs to reach the internet in order to, perhaps, download code from GitHub, or make calls to a logging service like Loggly, or call out to some third-party configuration management service. Whatever the case may be, it's very often that we have application servers that need to reach out to the internet and get the responses back, but at the same time, we want them to remain private. We don't want someone on the internet reaching in. We kind of want one-way internet access.

[00:02:24 --> 00:03:51] And in order to do that, we can use Network Address Translation, and you'll notice here that we have a second route table. This route table, being associated with this particular subnet, has a route that says for every other IP address, aside from 10.2.0.0/16, we want to route those through the Network Address Translation gateway, or the NAT gateway. And so what that would do is, if this instance were communicating with the database, then the traffic would simply go to the database because of the local route. But if this instance needed to call out to the internet in order to, like I mentioned, download code from GitHub or what have you, the request would first go through the NAT gateway, and the NAT gateway would then translate. The reason we call it Network Address Translation is because it would translate the private IP of this instance into a public IP that would allow the NAT gateway to talk to the internet, and then when those responses come back from the internet, the NAT gateway then forwards those responses back to the instance.

[00:03:51 --> 00:05:06] So that way the instance has the ability to reach out to the internet and get its responses, but it also remains protected from potentially malicious activity on the internet trying to get in. There's no way, in this particular diagram, for someone on the internet to actually get into the instance directly. So for these two networks: this subnet, again, would be public, and then, using these mechanisms that we just talked about, the NAT gateway and the routing table, this particular subnet we could call hybrid. It has some limited access to the internet while also remaining private, right? So, again, if you were talking with an Amazon solutions architect and you described having a hybrid subnet, you would be implying that that subnet communicates to the internet through Network Address Translation. And then, of course, back here we have our database in a private subnet. It is truly private. According to this diagram, this particular subnet over here can only communicate with other subnets in the VPC.

[00:05:06 --> 00:05:55] There's no way, according to this diagram, for this particular subnet to communicate to the internet: not through the gateway directly, not through Network Address Translation; it is truly private. And so, for databases and for perhaps sensitive information, that's exactly what we want. We don't want any way for these particular servers to be compromised, right? And so, when we think about running networks within Amazon VPC, we need to keep in mind that there are ways for us to reach the internet directly. There are ways to reach the internet in a protected kind of way through Network Address Translation, and then, of course, we also have the ability to keep certain subnets and certain parts of our network completely private.