1
00:00:06,427 --> 00:00:08,743
- Now let's talk about what we refer to as

2
00:00:08,743 --> 00:00:12,910
public, private, and hybrid subnets within AWS VPC.

3
00:00:15,455 --> 00:00:19,174
Now, there's nothing necessarily within AWS

4
00:00:19,174 --> 00:00:22,862
that you will find that inherently labels a subnet

5
00:00:22,862 --> 00:00:26,383
as being either public, hybrid, or private.

6
00:00:26,383 --> 00:00:29,503
These are terms that we're adding just to denote

7
00:00:29,503 --> 00:00:32,676
the types of routing that are possible.

8
00:00:32,676 --> 00:00:35,096
What we might call a public subnet

9
00:00:35,096 --> 00:00:38,623
is a subnet that has a route table

10
00:00:38,623 --> 00:00:40,411
that gives us access to the internet.

11
00:00:40,411 --> 00:00:44,228
So, like we've seen before, we have a route table,

12
00:00:44,228 --> 00:00:46,523
and this route table would be attached

13
00:00:46,523 --> 00:00:48,774
to this particular subnet.

14
00:00:48,774 --> 00:00:52,157
And that route table, by way of this open range

15
00:00:52,157 --> 00:00:54,575
and routing to an internet gateway,

16
00:00:54,575 --> 00:00:57,385
would give us bi-directional access

17
00:00:57,385 --> 00:00:59,685
to and from the internet.

18
00:00:59,685 --> 00:01:02,201
So that would be a public subnet, because it has

19
00:01:02,201 --> 00:01:05,509
access to the public internet.

20
00:01:05,509 --> 00:01:08,205
As we've also seen before, we might keep

21
00:01:08,205 --> 00:01:10,464
some of our networks private,

22
00:01:10,464 --> 00:01:12,284
meaning that there are no additional

23
00:01:12,284 --> 00:01:14,150
entries in this route table.

24
00:01:14,150 --> 00:01:17,757
The only thing we have is local traffic.
25
00:01:17,757 --> 00:01:20,819
Now, what might create a hybrid network

26
00:01:20,819 --> 00:01:25,121
is where we might have our application servers here

27
00:01:25,121 --> 00:01:27,862
that need to reach out to the internet

28
00:01:27,862 --> 00:01:32,029
in order to do things like posting to a monitoring service,

29
00:01:32,892 --> 00:01:36,160
posting to some kind of, something like

30
00:01:36,160 --> 00:01:38,719
PagerDuty or Loggly where we're sending logs.

31
00:01:38,719 --> 00:01:41,552
We're sending alarm notifications,

32
00:01:43,392 --> 00:01:45,477
so we need to get out to the internet.

33
00:01:45,477 --> 00:01:48,339
Maybe we wanna do patch updates and software updates,

34
00:01:48,339 --> 00:01:50,018
we want to connect to GitHub.

35
00:01:50,018 --> 00:01:53,469
Whatever it is, our application servers need to

36
00:01:53,469 --> 00:01:57,391
communicate with the internet, but at the same time,

37
00:01:57,391 --> 00:02:00,545
we don't want people coming in from the internet

38
00:02:00,545 --> 00:02:02,628
directly to our application server.

39
00:02:02,628 --> 00:02:04,249
That's just bad security.

40
00:02:04,249 --> 00:02:07,736
So, in this particular example, what we're going to do

41
00:02:07,736 --> 00:02:09,965
is we would have a NAT server,

42
00:02:09,965 --> 00:02:13,340
or a network address translation service.

43
00:02:13,340 --> 00:02:15,506
This is also a resource that we can create

44
00:02:15,506 --> 00:02:18,673
within AWS, here in the public subnet.

45
00:02:20,093 --> 00:02:22,224
And so, the network address translation server

46
00:02:22,224 --> 00:02:25,365
has access directly to and from the internet,

47
00:02:25,365 --> 00:02:26,971
and can send and receive traffic

48
00:02:26,971 --> 00:02:29,509
directly to and from the internet.
49
00:02:29,509 --> 00:02:33,184
And then our application server would essentially route

50
00:02:33,184 --> 00:02:35,316
all of its internet-destined traffic

51
00:02:35,316 --> 00:02:38,200
through the NAT server.

52
00:02:38,200 --> 00:02:40,485
And we can do that by way of this kind of routing.

53
00:02:40,485 --> 00:02:43,564
Notice that we have another route table

54
00:02:43,564 --> 00:02:47,189
that would be attached to this particular subnet.

55
00:02:47,189 --> 00:02:51,806
And so we would say, aside from local traffic,

56
00:02:51,806 --> 00:02:55,889
all other traffic gets routed to the NAT gateway.

57
00:02:57,298 --> 00:03:00,298
So, not only can we route to devices

58
00:03:01,213 --> 00:03:03,511
like an internet gateway, we can also

59
00:03:03,511 --> 00:03:05,949
route to other EC2 instances.

60
00:03:05,949 --> 00:03:09,390
So in this particular case, our NAT server

61
00:03:09,390 --> 00:03:10,658
could be the Amazon service.

62
00:03:10,658 --> 00:03:13,791
It could also be something like a virtual F5.

63
00:03:13,791 --> 00:03:16,383
It could be a virtual Vyatta server.

64
00:03:16,383 --> 00:03:19,531
It could be just software running on an EC2 instance,

65
00:03:19,531 --> 00:03:21,338
if we wanted to do it that way.

66
00:03:21,338 --> 00:03:25,071
And we would route this traffic to the NAT gateway,

67
00:03:25,071 --> 00:03:28,408
and that way our application servers

68
00:03:28,408 --> 00:03:32,075
can reach out to the internet, but are still

69
00:03:33,150 --> 00:03:37,836
protected from malicious users coming in directly.

70
00:03:37,836 --> 00:03:41,581
So again, public subnets would be considered public

71
00:03:41,581 --> 00:03:44,026
because they have access to the internet.

72
00:03:44,026 --> 00:03:46,661
Private subnets are considered private

73
00:03:46,661 --> 00:03:49,733
because they don't have access to and from the internet.
74
00:03:49,733 --> 00:03:53,483
And hybrid subnets are simply private subnets

75
00:03:54,408 --> 00:03:56,730
that have outgoing access to the internet,

76
00:03:56,730 --> 00:04:00,392
by way of a network address translation server.
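The three labels the instructor defines can be recovered mechanically from the route tables themselves, which is the practical consequence of "AWS never labels a subnet". The Python below is an added example written for this page, not code from the course or from AWS; it walks a structure shaped like the `ec2 describe-route-tables` response (the sample tables and subnet list are constructed inline, no AWS calls are made) and applies the transcript's definitions: an active route to an `igw-*` target makes a table public, a non-local route to a NAT gateway, NAT instance or appliance ENI makes it hybrid, and a table with only the local route is private. It also honours the implicit association of un-associated subnets with the VPC's main route table, and flags the case where that main table carries an internet gateway route, since every newly created subnet would then be public by default.

```python
"""Classify VPC subnets as public, private or hybrid from their route tables.

Added example (not part of the course material).  Input is shaped like the
boto3 / AWS CLI response for `ec2 describe-route-tables`; the data below is a
constructed sample for one VPC with CIDR 10.0.0.0/16.
"""

from typing import Dict, List, Optional

# Constructed sample: three route tables, one of them the VPC's main table.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {   # main table, local route only: un-associated subnets inherit this
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main0000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {   # public table: 0.0.0.0/0 to an internet gateway (bi-directional access)
        "RouteTableId": "rtb-public00",
        "Associations": [{"Main": False, "RouteTableId": "rtb-public00", "SubnetId": "subnet-public0"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc0000", "State": "active"},
        ],
    },
    {   # hybrid table: 0.0.0.0/0 to a NAT gateway living in the public subnet
        "RouteTableId": "rtb-hybrid00",
        "Associations": [{"Main": False, "RouteTableId": "rtb-hybrid00", "SubnetId": "subnet-app0000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def0000", "State": "active"},
        ],
    },
]

# Constructed list of every subnet in the VPC (describe-subnets would supply it).
# subnet-db00000 has no explicit association and therefore uses the main table.
SAMPLE_SUBNET_IDS: List[str] = ["subnet-public0", "subnet-app0000", "subnet-db00000"]


def classify_route_table(table: dict) -> str:
    """Return 'public', 'hybrid' or 'private' for one route table."""
    kind = "private"
    for route in table.get("Routes", []):
        if route.get("State") == "blackhole":
            continue  # target was deleted; this route forwards nothing
        if route.get("GatewayId") == "local":
            continue  # intra-VPC route present in every table
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"  # any IGW route means reachable from the internet
        if route.get("NatGatewayId") or route.get("InstanceId") or route.get("NetworkInterfaceId"):
            kind = "hybrid"  # outbound only, via NAT gateway, NAT instance or appliance ENI
        # peering (pcx-), VGW, transit gateway etc. do not change the label
    return kind


def _main_table(route_tables: List[dict]) -> Optional[dict]:
    """The table flagged Main=True; every VPC has exactly one."""
    for table in route_tables:
        if any(assoc.get("Main") for assoc in table.get("Associations", [])):
            return table
    return None


def classify_subnets(route_tables: List[dict], subnet_ids: List[str]) -> Dict[str, str]:
    """Map each subnet ID to its type, honouring the implicit main-table association."""
    main = _main_table(route_tables)
    if main is None:
        raise ValueError("no main route table in input")
    explicit = {
        assoc["SubnetId"]: table
        for table in route_tables
        for assoc in table.get("Associations", [])
        if assoc.get("SubnetId")
    }
    return {subnet: classify_route_table(explicit.get(subnet, main)) for subnet in subnet_ids}


def main_table_is_public(route_tables: List[dict]) -> bool:
    """True when the main table routes to an IGW: new subnets would default to public."""
    main = _main_table(route_tables)
    return main is not None and classify_route_table(main) == "public"


if __name__ == "__main__":
    for subnet, kind in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_IDS).items():
        print(f"{subnet}: {kind}")
    if main_table_is_public(SAMPLE_ROUTE_TABLES):
        print("WARNING: main route table has an internet gateway route")
```

Against the constructed sample this reports `subnet-public0` as public, `subnet-app0000` as hybrid and `subnet-db00000` as private, and the main-table check stays quiet. Run against real `describe-route-tables` and `describe-subnets` output, the same two functions give an inventory of which subnets are exposed bi-directionally and whether the VPC's default for new subnets is the private one.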