1
00:00:06,882 --> 00:00:08,775
- Here we'll talk about routing

2
00:00:08,775 --> 00:00:11,775
within Amazon Virtual Private Cloud.

3
00:00:12,838 --> 00:00:14,800
So, routing is the method

4
00:00:14,800 --> 00:00:17,099
by which we can control the flow of traffic

5
00:00:17,099 --> 00:00:21,453
within our AWS virtual private cloud or our private network.

6
00:00:21,453 --> 00:00:25,536
So, let's take a classic three-tier architecture,

7
00:00:26,741 --> 00:00:29,237
where we might have a load balancer out front

8
00:00:29,237 --> 00:00:32,778
accepting public traffic coming in from the internet.

9
00:00:32,778 --> 00:00:37,160
We might have an application server in the background.

10
00:00:37,160 --> 00:00:41,108
We also would have that communicating to a database.

11
00:00:41,108 --> 00:00:42,501
Now, in that situation,

12
00:00:42,501 --> 00:00:46,170
we would want to keep our application servers

13
00:00:46,170 --> 00:00:47,690
and our database servers private.

14
00:00:47,690 --> 00:00:50,001
We don't want people to be able to come in

15
00:00:50,001 --> 00:00:52,985
from the internet and get access to those directly.

16
00:00:52,985 --> 00:00:56,944
We might also want our database to communicate back

17
00:00:56,944 --> 00:01:01,727
to our on-premises network over a VPN, a secure connection,

18
00:01:01,727 --> 00:01:05,059
so that we can do various administrative tasks.

19
00:01:05,059 --> 00:01:07,520
So, the way that we control that flow of traffic

20
00:01:07,520 --> 00:01:10,028
is by way of route tables.

21
00:01:10,028 --> 00:01:12,327
So, what we want here is this subnet

22
00:01:12,327 --> 00:01:14,649
to have access to the internet,

23
00:01:14,649 --> 00:01:17,490
and we can do that with a route table.

24
00:01:17,490 --> 00:01:20,660
So, we have a route table with, you can see here,

25
00:01:20,660 --> 00:01:23,075
a couple of route entries in there.
26
00:01:23,075 --> 00:01:27,242
The one by default, you'll notice, your 10.2.0.0/16

27
00:01:28,829 --> 00:01:32,498
matches the address range of the VPC.

28
00:01:32,498 --> 00:01:35,366
So, that means that any IP address

29
00:01:35,366 --> 00:01:37,510
in this range as a destination

30
00:01:37,510 --> 00:01:41,246
will be routed locally throughout that VPC.

31
00:01:41,246 --> 00:01:45,321
The next entry, you can see here, we're using all zeros;

32
00:01:45,321 --> 00:01:49,744
it's the widest open range we can possibly use.

33
00:01:49,744 --> 00:01:52,577
That essentially says that all other traffic

34
00:01:52,577 --> 00:01:55,012
will be routed to an internet gateway.

35
00:01:55,012 --> 00:01:59,018
Now, an internet gateway is a separate device

36
00:01:59,018 --> 00:02:01,398
that we create and attach to our VPC,

37
00:02:01,398 --> 00:02:05,635
so that we can get bidirectional internet traffic.

38
00:02:05,635 --> 00:02:07,110
And that's important to know,

39
00:02:07,110 --> 00:02:09,943
that when I say bidirectional,

40
00:02:09,943 --> 00:02:14,215
we mean that resources within this particular subnet

41
00:02:14,215 --> 00:02:17,582
can not only reach out to the internet,

42
00:02:17,582 --> 00:02:22,084
but devices out here on the internet can also reach in.

43
00:02:22,084 --> 00:02:22,978
And that's important to know

44
00:02:22,978 --> 00:02:26,159
because it means that devices here,

45
00:02:26,159 --> 00:02:28,283
in order to communicate to the internet,

46
00:02:28,283 --> 00:02:29,897
will have a public IP address,

47
00:02:29,897 --> 00:02:32,602
and they will be reachable from folks on the internet,

48
00:02:32,602 --> 00:02:35,876
good folks and folks that might be nefarious.

49
00:02:35,876 --> 00:02:37,397
And so, that's why we have routing.
50
00:02:37,397 --> 00:02:39,498
We want to control the flow of traffic,

51
00:02:39,498 --> 00:02:43,678
so that those mal-intended users can't get access directly

52
00:02:43,678 --> 00:02:47,602
to our application servers and database servers.

53
00:02:47,602 --> 00:02:51,245
In this example, we would allow our application servers

54
00:02:51,245 --> 00:02:53,311
to use the default route table

55
00:02:53,311 --> 00:02:55,726
that just maintains local traffic.

56
00:02:55,726 --> 00:03:00,568
We would create a new route table for our databases,

57
00:03:00,568 --> 00:03:03,215
so that we have this additional entry.

58
00:03:03,215 --> 00:03:04,352
You can see here again,

59
00:03:04,352 --> 00:03:06,988
we have local traffic routed locally,

60
00:03:06,988 --> 00:03:11,155
and then we have our on-premises network range 192.168.0.0/16

61
00:03:12,723 --> 00:03:14,581
routed over our VPN.

62
00:03:14,581 --> 00:03:17,460
And again, we'll talk about how to create VPNs later.

63
00:03:17,460 --> 00:03:21,082
So, here our database administrators can,

64
00:03:21,082 --> 00:03:23,578
from the on-premises network over a VPN,

65
00:03:23,578 --> 00:03:27,735
get in and do what they need to do on the database;

66
00:03:27,735 --> 00:03:29,662
our application servers can communicate

67
00:03:29,662 --> 00:03:31,671
to the database locally,

68
00:03:31,671 --> 00:03:34,631
and our load balancers can communicate

69
00:03:34,631 --> 00:03:38,219
to our application servers locally.

70
00:03:38,219 --> 00:03:42,213
So again, routing is how we control the flow of information

71
00:03:42,213 --> 00:03:44,395
and how we control the flow of traffic

72
00:03:44,395 --> 00:03:45,788
between different subnets,

73
00:03:45,788 --> 00:03:48,017
between our network and the internet,

74
00:03:48,017 --> 00:03:51,684
and between our network and VPN connections.