1
00:00:07,582 --> 00:00:08,599
- Alright, so let's take a look

2
00:00:08,599 --> 00:00:11,353
at Amazon Virtual Private Cloud.

3
00:00:11,353 --> 00:00:14,446
Amazon Virtual Private Cloud

4
00:00:14,446 --> 00:00:17,190
is a way to give us essentially

5
00:00:17,190 --> 00:00:20,531
our own private networks within Amazon Web Services.

6
00:00:20,531 --> 00:00:22,090
Typically our applications

7
00:00:22,090 --> 00:00:25,586
need some kind of predictable IP address range.

8
00:00:25,586 --> 00:00:28,572
We need to know where they're gonna fall.

9
00:00:28,572 --> 00:00:29,630
When these machines come up,

10
00:00:29,630 --> 00:00:30,981
we need to know the kinds of ranges

11
00:00:30,981 --> 00:00:33,822
that they're going to get so that we can determine

12
00:00:33,822 --> 00:00:36,162
routing and firewalling rules.

13
00:00:36,162 --> 00:00:39,209
We want to segment our networks,

14
00:00:39,209 --> 00:00:42,454
in terms of: some networks need access to the internet,

15
00:00:42,454 --> 00:00:43,994
meaning they need to be public.

16
00:00:43,994 --> 00:00:46,896
Some networks need to remain private.

17
00:00:46,896 --> 00:00:48,664
We only want them to be available

18
00:00:48,664 --> 00:00:52,870
either internally or via some kind of VPN,

19
00:00:52,870 --> 00:00:55,608
or between different, private networks.

20
00:00:55,608 --> 00:00:59,600
We need the ability to control what ports are open

21
00:00:59,600 --> 00:01:00,497
and what ports are closed.

22
00:01:00,497 --> 00:01:02,674
So in the case of a web server,

23
00:01:02,674 --> 00:01:06,209
let's say that we have some kind of a web application

24
00:01:06,209 --> 00:01:10,674
running on an EC2 instance, then we might want to

25
00:01:10,674 --> 00:01:14,698
allow common http and https ports to be open.

26
00:01:14,698 --> 00:01:18,865
Our database should probably allow port 3306 open,

27
00:01:20,037 --> 00:01:22,006
but we want to block all other ports

28
00:01:22,006 --> 00:01:24,473
from this untrusted network.

29
00:01:24,473 --> 00:01:27,522
So, we need the ability to allow our web application

30
00:01:27,522 --> 00:01:29,362
to receive public traffic.

31
00:01:29,362 --> 00:01:33,504
But we might also want to keep this database private,

32
00:01:33,504 --> 00:01:35,824
and not allow access directly from the internet.

33
00:01:35,824 --> 00:01:38,110
And, we can do that, and more

34
00:01:38,110 --> 00:01:41,564
with Amazon Virtual Private Cloud.

35
00:01:41,564 --> 00:01:43,958
So with Amazon Virtual Private Cloud,

36
00:01:43,958 --> 00:01:45,999
what we would do is we would create

37
00:01:45,999 --> 00:01:48,416
a VPC in a particular region.

38
00:01:49,960 --> 00:01:50,793
We're going to choose--

39
00:01:50,793 --> 00:01:53,231
in this case we're using us-west-2 in Oregon.

40
00:01:53,231 --> 00:01:57,051
And we're going to, at the time we create that VPC,

41
00:01:57,051 --> 00:02:01,134
we're going to choose a particular address range.

42
00:02:02,646 --> 00:02:06,813
Now, in this particular example we're using 10.2.0.0/16.

43
00:02:08,670 --> 00:02:10,782
So that's a pretty large range,

44
00:02:10,782 --> 00:02:12,138
that's the largest range

45
00:02:12,138 --> 00:02:15,964
that we can choose within Amazon Web Services.

46
00:02:15,964 --> 00:02:19,963
We can go as small as a slash 28 as well.

47
00:02:19,963 --> 00:02:23,027
So, it's important to note that,

48
00:02:23,027 --> 00:02:25,870
when we divide this network up into subnets,

49
00:02:25,870 --> 00:02:28,109
you can see here we have three subnets,

50
00:02:28,109 --> 00:02:30,037
one per availability zone,

51
00:02:30,037 --> 00:02:33,999
that subnets are specific to availability zones.

52
00:02:33,999 --> 00:02:37,582
The VPC itself will span the entire region,

53
00:02:38,449 --> 00:02:43,202
but a subnet will be specific to an availability zone.

54
00:02:43,202 --> 00:02:45,538
So when we go to launch virtual machines,

55
00:02:45,538 --> 00:02:49,429
we don't choose the availability zone directly,

56
00:02:49,429 --> 00:02:52,647
we choose the subnet we want that machine to be in.

57
00:02:52,647 --> 00:02:56,008
And through this subnet and the availability zone

58
00:02:56,008 --> 00:02:57,744
association is how we determine

59
00:02:57,744 --> 00:03:01,643
where that machine will actually be launched.

60
00:03:01,643 --> 00:03:04,477
So you can see here, that when we create subnets,

61
00:03:04,477 --> 00:03:07,442
we have to be sure that our subnets don't have

62
00:03:07,442 --> 00:03:10,025
any kind of IP address overlap.

63
00:03:11,228 --> 00:03:14,454
So our first one would be 10.2.0.0/24

64
00:03:14,454 --> 00:03:18,621
that would give us somewhere around 250 usable IP addresses.

65
00:03:20,663 --> 00:03:23,831
The next one is 10.2.1.0/24,

66
00:03:23,831 --> 00:03:25,137
so again we want to make sure here,

67
00:03:25,137 --> 00:03:28,917
that we're not getting an IP address overlap.

68
00:03:28,917 --> 00:03:29,910
And of course the last one,

69
00:03:29,910 --> 00:03:32,883
you can see we chose a slightly different range,

70
00:03:32,883 --> 00:03:34,344
with a slash 28.

71
00:03:34,344 --> 00:03:37,970
Perhaps we want web and application servers up here,

72
00:03:37,970 --> 00:03:39,886
in these subnets.

73
00:03:39,886 --> 00:03:42,877
And we might reserve the last one for databases,

74
00:03:42,877 --> 00:03:46,139
and we don't really need that many IP addresses,

75
00:03:46,139 --> 00:03:48,472
so we chose a smaller range.

76
00:03:49,921 --> 00:03:51,944
So again, Amazon Virtual Private Cloud

77
00:03:51,944 --> 00:03:53,775
is a networking construct.

78
00:03:53,775 --> 00:03:56,008
It allows us to create private networks.

79
00:03:56,008 --> 00:04:00,199
It allows us to divide those networks into subnets,

80
00:04:00,199 --> 00:04:04,366
whereas, each subnet is specific to an availability zone,

81
00:04:05,246 --> 00:04:08,829
and the VPC itself spans the entire region.