AWS Advanced Networking Course | FREE AWS Full Course | AWS Networking Training | AWS BGP
Aug 16, 2023
Welcome to the AWS Advanced Networking Course | FREE AWS Full Course | AWS Networking Training | AWS BGP course. This is Part 1. In this course we will provide a full and FREE AWS advanced networking certification course. This course will have a heavy emphasis on networking for cloud computing, cloud network training, and networking skills training. This is part of our mission to provide free AWS certification training! We will go beyond the basic AWS networking typically provided in certification training programs. We will begin with a cloud networking overview, cover what BGP is, and get into depth on networking and cloud computing. Networking for cloud architects is an essential cloud computing technical skill, and a critical cloud architect skill! We are grateful to have you watching this video on our channel. On our channel we do everything we can to help you with your cloud computing career. We provide cloud architect career tips, cloud architect career guidance, cloud career tips, cloud career training, cloud architect job training, and everything to help you with cloud as a career! We hope you have enjoyed this FREE Training Series - AWS Advanced Networking Course | FREE AWS Full Course | AWS Networking Training | AWS BGP course. If you enjoyed this content, please subscribe to the Go Cloud Architects channel, where we provide content for cloud career tips, cloud architect training videos, cloud networking training videos, cloud architect career tips, and additional content for those interested in the cloud as a career.
Want to get started on your path to being #cloudhired, learn more about our Cloud Architect Career Development program, see the link below, and use our code “cdp20off” at check out for 20% off: https://gocloudcareers.com/cloud-arch … We’ve just announced our new “Get Hired Interview Program” on Pre-Sale now, use the 50% off coupon “gethired” before November 15th, and the link below:https://gocloudcareers.com/interview- … Register for our next Exclusive FREE How to Get Your First Cloud Job Webinar, and learn how to get #cloudhired, click the link below!https://gocloudcareers.com/free-cloud … Are you looking to get AWS Certified? Get your FREE AWS Certified Solutions Architect Associate (SAA-C02) eBook for FREE at the following link below:https://gocloudcareers.com/books/ Are you looking for a FREE AWS Certified Solutions Architect Associate Online Training program, please visit our FREE Full AWS Certified Solutions Architect (SAA-C02) Training program? The link is below! • AWS Certified Solutions Architect Ass… Last month we hosted a AWS Certified Solutions Architect Associate Bootcamp, you can find the recordings here, and follow along with our free eBook. • FREE AWS CSA-A Bootcamp Download a FREE AWS Certified Solutions Architect Professional Practice Exam at the link below: https://www.gocloudcareers.com/free_e … Learn more about us, and what we have to offer for cloud career training here: https://www.gocloudcareers.com Please follow, like, or subscribe to us on our other platforms: Go Cloud Architects Facebook Page: https://www.facebook.com/gocloudarchi … Mike Gibbs LinkedIn Page: https://www.linkedin.com/in/michael-g … Go Cloud Architects LinkedIn page: https://www.linkedin.com/company/go-c … Twitter: https://twitter.com/Gocloudtech Instagram:https://www.instagram.com/gocloudarch … #cloudarchitect #cloudcareer #cloudjob
Content
31.679 -> welcome everyone this is michael gibbs
34.16 -> from go cloud architects i'm so excited
36.32 -> to be here with you today
38.079 -> today to let you know what we're going
39.44 -> to be doing is we're going to be doing
41.6 -> and teaching an aws advanced networking
44.96 -> bootcamp
46.239 -> and it's going to be a wonderful
48 -> wonderful wonderful time now let me tell
50.8 -> you a little bit about the boot camp and
52.559 -> what we do and why we do it and the way
54.64 -> we do it so i can give you some insight
57.28 -> as to what we're going to be doing for
58.719 -> the next week
60.32 -> for those of you that don't know me my
62.48 -> name is michael gibbs and i'm the
63.84 -> founder and ceo of go cloud architects
66.799 -> and we're an organization that's really
68.56 -> dedicated towards building cloud
70.08 -> computing and networking careers
72.4 -> as everybody really knows the cloud is
74.08 -> nothing more than a virtualized network
75.52 -> and a data center and i love the network
77.92 -> in fact i've been working on the network
80.159 -> for so long it's all i really remember
82.88 -> back in the first cloud i worked on was
85.119 -> the frame relay cloud back in 1997 then
88.159 -> i worked on the atm cloud the vpls cloud
90.479 -> the bgp vpn so i've been working with
92.799 -> clouds now for 25 years and i've loved
94.96 -> every last minute of it
97.2 -> so i'm one of the original cisco
98.799 -> certified internet experts i spent a
101.04 -> decade working for cisco and i've been
103.2 -> involved in the design for most of the
104.72 -> world's largest internet service
106.079 -> providers and i am just so excited to be
108.32 -> here with you today i'm going to let you
110.24 -> know the format for the class because
111.92 -> it's going to be a little different
113.6 -> i want to make this as close as possible
116.399 -> to a real live
119.04 -> training classroom experience for you so
121.2 -> what we're going to do as follows we're
122.56 -> basically going to teach for
123.439 -> approximately 20 minutes and then we're
125.36 -> going to give you guys about 10 minutes
126.96 -> to actually ask questions
128.879 -> and by doing it this way um 10 minutes
132.319 -> of presentation and it sounds like
133.84 -> there's some background noise chris in
135.2 -> the background so 20 minutes of
136.959 -> presentation and 10 minutes of actual
139.92 -> question and answer i want you all to
142.16 -> become great now
144.56 -> as many of you know at go cloud
146.16 -> architects we typically focus just
148.879 -> on architecture and as architectures
151.92 -> architects we're system designers but
153.92 -> you know what i've been having a lot of
155.599 -> fun we've been creating a lot of
156.8 -> engineering courses as well i've been
158.72 -> working with some of the linux engineers
160.48 -> that are here i've been working with
161.84 -> some of the cloud engineers that are
163.12 -> making some of our cloud engineering
164.56 -> training and you know what i'm bringing
167.28 -> in an awesome engineer and we're going
169.36 -> to do a bonus round tonight and a few
171.76 -> other days per week i'm super excited to
174 -> say that my good buddy imran kor is
176.48 -> going to come in and not only are we
178 -> going to do the architecture training
180.72 -> from 12 to 3 but some days in the
183.76 -> evenings including tonight we're
185.68 -> actually
186.72 -> going to do some hands-on configuration
189.28 -> we'll build some vpcs we'll do some vpc
191.84 -> peering we'll do all kinds of load
194.08 -> balancer work and maybe some
196.48 -> load balancer sandwiches and we're going
198.159 -> to get really really really heavy so
200.239 -> we're going to give you both the cloud
202.08 -> infrastructure architect perspective
203.599 -> which is my world i'm a ccie my ccie
206.48 -> number 7417 and my good buddy imran the
209.28 -> court who has dual ccies he's got 25
212.56 -> years of networking experience he's an
214.08 -> aviatrix multi-cloud network professional
215.84 -> engineer is going to come in and do some
217.92 -> hands-on stuff with you guys later today
219.84 -> it'll be after this class so we're going
221.28 -> to have some bonus classes going on all
222.959 -> week to make it an incredibly good
225.44 -> experience for you
227.36 -> now when we run this class a little bit
228.879 -> of housekeeping because our class is
230.319 -> going to be run very differently
232.48 -> there's what you need to know for the
234.239 -> exam
235.439 -> which is basically so so easy
238.56 -> and then there's what you need to get
240.159 -> hired
241.2 -> which is so much more
244.08 -> in the context of this week we're going
245.599 -> to balance it out we only have one week
248.4 -> to do this so we don't have the ability
250.239 -> to give you all that you need but i want
252.879 -> to make sure you understand what is the
254.56 -> network i want to make sure you
256.079 -> understand how networking works and i'm
258.32 -> going to make sure you get some of the
259.84 -> other really critical things you need
262.16 -> we're going to go into bgp for example
264.56 -> because you need to know bgp and it's
266.4 -> not covered in this course
268.479 -> so we need to do that and we're going to
269.84 -> give that to you
271.919 -> we're going to explain what routers are
273.919 -> and what switches are and what they do
276.479 -> because you're going to need that so the
278.72 -> way we're going to do this is we're
279.84 -> going to start today and bear with us
281.84 -> we're going to spend about 16 minutes or
283.68 -> so maybe 90 minutes on the foundations
286.72 -> of networking because if i just teach
289.36 -> the advanced networking concepts without
291.12 -> teaching the foundations
292.88 -> i'm worried that a lot of you are going
294.24 -> to miss a lot of critical things
296.72 -> as someone that's been in the network
298.479 -> for decades here's what i can tell you
301.84 -> if the network doesn't work nothing
303.84 -> works if the network is optimal
305.68 -> everything is optimal
308.08 -> and you know
309.6 -> after 25 years of networking being one
312 -> of the original ccies back when it was a
313.919 -> two-day test consulting to everyone i
316.16 -> got to tell you nearly almost all the
318.16 -> problems you'll deal with in your life
319.6 -> are related to the network not being as
322.16 -> great as it needs to be so we're going
323.36 -> to spend a lot of time on the network
325.039 -> and i just wanted to let you know why so
327.199 -> when we talk today it's going to start
328.8 -> off we're going to talk about what is
330 -> networking we're going to talk about
331.52 -> some routers we're going to talk about
333.199 -> some switches we're going to talk about
334.639 -> some vlans then we'll get into the aws
337.52 -> and then when we start approaching
338.8 -> things like direct connections where bgp
340.639 -> is required well then we're going to
342.479 -> cover that as well because i want to
343.68 -> give you more because i want you guys to
345.6 -> be ready to go
347.28 -> i want you guys all getting cloud hired
349.44 -> so if you're excited if you're ready to
351.28 -> start training if you want to learn
352.4 -> career skills and certification skills
355.199 -> put hashtag cloud hired and let's get to
357.36 -> work everyone
360.4 -> so let's begin
362.639 -> what
363.68 -> is
364.84 -> networking
366.4 -> i want to start there and i know it
368 -> sounds very fundamental but i want to
369.84 -> start there what is networking
372.8 -> networking is connecting of computer
375.199 -> systems that's what networking is and
377.039 -> it's really important it's the
378.88 -> connection of the computer systems this
381.68 -> is the most critical tenet of networking
383.6 -> it is the connection of your computer
385.52 -> systems
387.28 -> the network is the plumbing that enables
390.96 -> everything to talk to each other so no
393.919 -> network no website no network you can't
397.039 -> attach to your source
398.56 -> nothing so the network is the plumbing
400.72 -> that connects your computers so now what
403.12 -> is that network
405.12 -> well
406.24 -> it's routers we'll talk about what
407.84 -> routers are
409.759 -> it's switches
411.28 -> we'll talk about what switches do to
412.639 -> some degree
413.84 -> it's cables copper cables fiber optic
417.28 -> cables
418.319 -> lan and wan connections that's
420.24 -> networking networking is not load
422.16 -> balancers networking is router switches
424.88 -> wide area connections local area
426.8 -> connections and that's it that is the
428.96 -> network so let's talk about what those
431.36 -> networking things are
433.199 -> so
434.96 -> let's walk through
437.12 -> an actual network and we're going to
439.12 -> spend a few minutes talking about these
440.72 -> networking fundamentals before we get
442.319 -> here because i want you to understand
444.08 -> how it works it's just so so so
446 -> essential so let's pretend for an
448.56 -> example let me give you a visual
450.479 -> representation of a network of router
452.319 -> full of routers and switches
454.16 -> over here so let's look at what happens
456.479 -> in this environment
458.8 -> which you'll be able to see in about
460.88 -> we're going to actually talking about
463.039 -> this is networking in action so let's
465.28 -> say you've got a user
467.199 -> on pc one
469.44 -> and let's say the user wants to reach
471.599 -> something that's on pc2
473.759 -> so for example
475.68 -> i'm at pc one and when i get to pc1
478.56 -> there's a web server at
481.96 -> 172.16.5.9 you can see it it's a pc2 on
484.479 -> the bottom of my screen here you can see
486.24 -> it it's over here on the bottom
488.08 -> if i am a user over here and i want to
490.879 -> connect to this site down here i've got
492.8 -> to get my traffic there so this is what
495.36 -> occurs from routing i want routing to
497.36 -> make sense to everyone
499.44 -> so what happens i'm a user i'm on my pc1
502.72 -> and i want to hit the website that's pc2
504.72 -> so i enter
506.56 -> well there i have the ip address so i
508.16 -> enter 172 so i enter in my web browser
511.199 -> 172.16.5.9
514.479 -> my web browser pulls it up and now my
516.719 -> host wants to connect to this server so
519.68 -> the first thing that happens is my pc
522 -> looks and says do i have a route to 172
525.92 -> 16.5.9
527.68 -> and guess what
529.12 -> the pc is not a router it doesn't have a
531.279 -> route on its routing table and it has
533.64 -> absolutely no idea how to reach
537.6 -> 172.16.5.9
539.279 -> but what does this one pc have this pc
542.16 -> has a
543.12 -> route that says if you don't know where
544.88 -> to go send your traffic to router one so
548.399 -> what happens is the pc and if you're on
550.64 -> your computer and if you're on a unix
552.88 -> system you do ifconfig and if you're in
555.44 -> a windows system and you go from the
556.8 -> command prompt and you type ipconfig all
559.76 -> what you'll see is something called the
561.12 -> default gateway which is the pc's router
563.839 -> if you don't know where to go send your
566.08 -> traffic to the router so what's going to
567.519 -> happen is when pc1 wants to talk to pc2
571.279 -> it looks in its routing table and it has
573.44 -> a default route that says send your
575.04 -> traffic to router one now router one has
577.839 -> this traffic and router one says do i
580.32 -> have a path to
584.44 -> 172.16.5.0 that's the 24 subnet and
587.519 -> router 1 says guess what i know how to
590.24 -> get there what i have to do is i have to
592.24 -> hot potato and i have to send my traffic
594.64 -> to router 2
596 -> so i send the traffic to router 2.
598 -> router 2 now does a lookup in its
600.48 -> routing table and it says do i know how
602.56 -> to reach
604.839 -> 172.16.5.0 and router 2 says i sure do take
608.64 -> that gigabit ethernet link and go to
610.32 -> router 3
611.519 -> router 3
613.04 -> gets to the routing table and the packet
615.2 -> gets there and the router says do i know
616.88 -> how to reach 172.16.5.0 and the router
620.399 -> says yes i do it is directly connected i
622.88 -> have a directly connected route so the
625.12 -> router does an arp broadcast which says
627.279 -> who has the mac address for 172.16.5.9
631.12 -> 172.16.5.9 says i have that mac address
635.04 -> 172.16.5.9 which is pc2
639.36 -> then says how do i reach pc1 of
641.92 -> 172.168.1.2
645.6 -> so pc2 says i know how to get there i'm
648.72 -> going to take my default gateway to
650.16 -> router 3.
651.839 -> when that packet gets to router 3 it
653.6 -> says wait i know how to get to pc1 i'm
656.32 -> going to go to router 2
657.92 -> and router 2 looks in its routing table
659.839 -> and says wait i know how to get to
661.92 -> router 1 pc1 i'm going to go to router
664.079 -> 1. and when it hits router 1 router 1
666.32 -> is going to say i know how to reach this
668.8 -> i know how to reach this because it's
670.48 -> directly connected it's going to send an
672.079 -> art broadcast it's going to say who has
674.24 -> the mac address the 172 168.1.2
677.519 -> pc1 is going to respond and these two
679.519 -> guys are talking to each other and
681.68 -> that's how networking occurs networking
684.399 -> provides the path
686.64 -> and networking provides the intelligence
689.6 -> to get your traffic from point a to
691.279 -> point b if you just had a wire between
693.839 -> two locations but you didn't have the
695.68 -> route or the path to get there you still
698.48 -> couldn't get there so i want you to
700.959 -> really think about networking and we'll
702.88 -> talk about routing a lot but i just want
704.8 -> you to think of it this way let's say
706.48 -> you wanted to go to a friend's house
707.92 -> that is a thousand miles away
711.6 -> if you have a car but you don't know how
713.76 -> to reach your friend's house it doesn't
715.76 -> matter how many highways there are you
717.44 -> still can't get there so what do routers
719.92 -> do what is the network does the network
721.76 -> build a map
723.519 -> of all the roads just like your gps does
727.2 -> so you can say i want to go to my friend
729.12 -> chris's house or my friend alonzo's
730.8 -> house you get in your car and it says
732.48 -> make a left here make a right that's
735.04 -> what the network does the network
736.32 -> determines how to get your traffic
738.639 -> through the network oh wow eric i'm so
741.279 -> happy to see you there so you know these
743.519 -> are kind of those kind of things that
745.6 -> we're talking about this is what
746.959 -> networking is so i want you to get there
748.959 -> now when we talk about networking i want
750.959 -> to talk about the basics really really
753.519 -> fast
754.88 -> and when i talk about the basics i want
756.72 -> to talk about the osi model
759.44 -> so when you're a networking person you
762.24 -> spend a lot of time with this osi model
765.12 -> and people that know me they're like
766.56 -> mike you hate theoretical frameworks
768.959 -> mike you hate stuff that it's not
771.2 -> concrete but the answer is i love this
773.36 -> model and here's the reason i do
776.48 -> in networking everything we network
778.48 -> people do is between layer one and layer
781.12 -> three
782.24 -> for the networking professionals of the
784 -> world
784.8 -> so let's talk about what these are why
786.88 -> does this osi model matter so much
789.839 -> well it matters because when things
791.519 -> break and i promise you if you work in
793.68 -> tech things will break they're going to
796.24 -> break a lot
798.24 -> you've got to have a troubleshooting
799.839 -> methodology
801.279 -> not only do you have to have a
802.16 -> troubleshooting methodology you have to
804.16 -> have a systematic approach to
805.76 -> communication
807.12 -> when a doctor calls another doctor and
808.959 -> says the patient has a maculopapular
810.8 -> rash the doctor on the other end of the
813.12 -> phone call knows what that means as a
815.519 -> network architect if i tell somebody
817.839 -> we've got a physical problem a physical
820 -> cabling problem
821.76 -> the other person knows what that means
823.92 -> so in order to troubleshoot in order to
825.92 -> debug in order to do things
828.639 -> you've got to have a common language so
830.72 -> the common language is the osi or the
832.639 -> open systems interconnect model and what
834.88 -> happened is this seven layer model that
837.36 -> kind of explains to us what happens so
839.12 -> we know how to work
840.639 -> at networking it's really layers one
842.399 -> through three occasionally we get
844.079 -> involved into layer four but you know i
846.72 -> wanna cover them all because you're
848 -> gonna have to troubleshoot all layers of
849.76 -> the stack we're gonna begin at the
851.92 -> bottom or the wire the physical layer
855.44 -> the physical layer is the cabling
858 -> between your routers
859.76 -> so you have two devices and they don't
862.24 -> have any kind of connection between them
864.079 -> they can't talk to each other so
867.04 -> if you built a house on an island in the
869.68 -> ocean
870.639 -> and there was no road to it you couldn't
872.639 -> reach it without a boat so the physical
874.8 -> layer is going to be layer one and
877.04 -> that's going to be either a copper wire
878.88 -> or a fiber optic connection so when you
881.6 -> get
882.839 -> your direct connection to aws for
885.519 -> example and you stick the lasers
888.24 -> inside of your switch that plug into
890.8 -> your wan provider that's your physical
892.56 -> layer the single mode
894.72 -> fiber optic cable that's layer one that
896.72 -> is the single layer the physical layer
898.959 -> now when we're dealing with networking
900.639 -> we also have a layer two
902.48 -> layer two which is the data link layer
904.959 -> so with the physical layer we're
906.399 -> basically transferring photons if we're
908.48 -> dealing with lasers or electrons if it's
910.639 -> a wire
912.56 -> the data link layer or layer two is
914.72 -> where our network card is
917.199 -> so the ethernet card in your computer
919.76 -> layer two the wireless access point
922.959 -> layer two
924.959 -> the frame relay that we used to use
928.32 -> layer 2 a mac address layer 2 so layer 2
932.88 -> is a hard coded address for
935.6 -> communication so layer 1 wire
938 -> layer 2 card or data link layer
941.12 -> now layer 3
943.199 -> this is where the magic happens with
944.8 -> networking this is where your ip
946.959 -> addressing is this is where your routing
949.199 -> is your path determination is
951.759 -> and what we're actually transmitting at
953.68 -> layer 3 is something called a packet
957.199 -> so layer 3 sort is basically figure out
960.639 -> you know your your ip addressing
963.279 -> layer 4 of this model and i don't want
964.88 -> to stay on it forever layer 4 as we get
967.199 -> related to the transport layer so
969.44 -> realistically speaking here we can send
971.12 -> our data via tcp
973.279 -> udp or icmp we'll briefly talk about it
976.56 -> now but we'll talk about it more in a
977.92 -> minute
978.8 -> you use the protocol transmission
980.32 -> control protocol when you need reliable
982.079 -> transport and we'll talk about that
984.639 -> so if i needed to send a file to one of
986.639 -> you and guarantee that you received the
989.12 -> file i would use the transfer control
990.88 -> protocol but if i'm streaming video to
993.279 -> you right now i'm going to use the udp
996.24 -> because i want real time data so the way
999.44 -> you send your data in networking we'll
1000.959 -> get to that at some point through the
1002.079 -> pro through this course is based upon
1004.32 -> the kind of data that you're sending
1006.72 -> now layer 5 which is not a networking
1009.04 -> thing the session layer is really about
1011.36 -> you know
1013.04 -> controlling the session between uh hosts
1016.16 -> layer six or the presentation layer
1018.079 -> again not a networking thing but this is
1020.079 -> where encryption does occur
1022.24 -> layer seven is what you as the user use
1024.559 -> that's the application layer so think
1026.559 -> application layer level seven so one
1028.319 -> more time physical wire layer one we
1030.88 -> transfer bits um electrons or photons
1035.12 -> layer two the data link layer this is
1036.799 -> the ethernet card
1038.4 -> with a mac address it's a physical
1040 -> address and we're dealing with frames
1042.72 -> layer three we're dealing with the
1044 -> network layer we're dealing with the ip
1046 -> addressing things and we're
1047.28 -> realistically sending packets
1050 -> layer four the transport layer we're
1051.84 -> dealing with tcp for reliable udp for
1054.72 -> real time
1056 -> and we're dealing with icmp for network
1058 -> control and these are called segments
1060.48 -> and then at layer 5 we're actually
1062.24 -> dealing with basically managing the
1064.16 -> session for inner host communication
1066.08 -> we're dealing with sockets layer six is
1068.559 -> the presentation layer think encryption
1070.24 -> and layer seven is what the users use so
1072.72 -> i know we did a little bit of academic
1074.16 -> work there but i just wanted to make
1075.679 -> sure of it so let's get our fundamentals
1078.32 -> down real quick
1081.28 -> let's talk about the difference between
1084.64 -> a lan
1085.919 -> and a wan because we're going to need
1087.76 -> this when we get to the cloud
1089.76 -> a lan is a local area network so think
1093.12 -> inside of a building
1095.28 -> local area network inside of a campus
1098.32 -> local area network an availability zone
1101.679 -> local area network what's the key of a
1104.08 -> local area network
1105.679 -> it's
1107.84 -> it's not a big separation of things so
1110.72 -> local area network is local
1113.84 -> wide area work by comparison is not
1116.88 -> i get a connection to my friend ian's
1118.799 -> house in london that is a wide area
1120.799 -> network connection
1122.72 -> i get a connection between my location
1125.28 -> and the aws availability zone in ohio
1128.4 -> that is a wide area connection because
1130.32 -> palm beach to ohio is like 1500 miles
1133.2 -> 1300 miles whatever it is it's a long
1135.12 -> distance local area connection
1138.08 -> fast
1139.12 -> low latency
1140.64 -> high performance if i want a 100 gig
1143.36 -> connection between two things i buy 100
1145.6 -> gig card on both sides i run my own
1147.36 -> cable and i don't pay for the connection
1149.76 -> wide area connection new york to london
1151.6 -> i got to call a t verizon vodafone
1155.039 -> or somebody or bt and i've got to order
1157.6 -> a connection it's going to take weeks
1158.799 -> and they're going to build me a
1159.44 -> connection and it's going to be slow and
1160.64 -> it's going to be real expensive so that
1162.799 -> is what we're talking about
1165.44 -> so let's look and make it real quick so
1167.76 -> you guys get a better feel for a lan
1170.32 -> a lan is going to be very simple you've
1172.16 -> got two buildings for example and these
1174.64 -> two buildings which you can actually see
1176.72 -> is we've got two sets of switches
1179.679 -> and we've got two sets of switches
1181.12 -> they're connected but everybody's close
1182.559 -> to each other real high performance real
1184.72 -> high speed networking and everybody's
1186.24 -> having all
1188.08 -> all kinds of fun we absolutely love this
1190.559 -> so
1191.28 -> that's what's going on so now
1194.64 -> when we're talking about lans
1196.64 -> and i know we're gonna we're kind of
1198.72 -> hitting you with a lot of network stuff
1200.559 -> right now before we get into the aws
1202.559 -> stuff and i'm doing this for a reason i
1205.84 -> want you guys to have the fundamentals
1207.36 -> so when we talk about an 802.1q tag with
1209.44 -> the direct connections you're going to
1211.039 -> understand because i don't want you
1212.88 -> memorizing stuff i want you knowing it i
1215.84 -> want you when you guys go on your
1217.2 -> interviews for people to know you so
1218.96 -> well they're like i need that person on
1220.72 -> my team and that comes from depth of
1222.88 -> knowledge so let's go build some good
1224.24 -> knowledge so let's look
1227.12 -> at the concept of a virtual lan
1230.4 -> so
1231.28 -> networking as i mentioned is routers
1233.84 -> and switches
1235.12 -> routers direct your traffic through the
1237.039 -> network switches is where your users
1241.6 -> are plugged into if you guys aren't
1243.84 -> familiar with the switch i happen to
1245.679 -> have a couple of them right next to me
1247.52 -> here you can see in this picture you can
1249.36 -> see my actual switch i'm going to keep
1251.039 -> it here until i can actually see it so i
1253.2 -> can explain the concept of a virtual lan
1256.08 -> note when you guys all see the switch
1258 -> which is sitting on top of my head right
1259.679 -> now
1260.96 -> you'll notice there's a whole bunch of
1262.24 -> ethernet ports where you plug your
1264.32 -> servers in
1266.159 -> this is a typical switch
1268.159 -> now
1268.96 -> right now out of the box everybody in
1271.36 -> this single switch can talk to each
1272.96 -> other
1274.08 -> which might be great but what if i
1276.72 -> didn't want that to occur what if for
1279.039 -> example i had some finance users over
1280.88 -> here some accounting users over here and
1282.559 -> some qa users over there and i didn't
1284.72 -> want them to talk to each other could i
1286.72 -> do that could i keep them separate on
1289.36 -> the same switch could i find a way to
1292.159 -> increase my security
1294 -> and the answer is i can and that's
1295.919 -> called a virtual lan so go back to that
1298.64 -> switch that looks like a pizza box with
1300.24 -> a whole bunch of ethernet ports
1302 -> let's say i group 10 ports together and
1304.24 -> called it accounting and another
1305.919 -> ten ports together and called it
1307.36 -> finance and another ten and called it
1309.44 -> dev and another ten and called it test
1311.679 -> dev could talk to dev test could talk to
1314.08 -> test
1314.96 -> accounting could talk to accounting and
1316.4 -> finance to finance but nobody else would
1318.96 -> talk to each other it's called the vlan
1322.64 -> so
1323.44 -> that works
1324.88 -> just basically virtualization of a
1326.799 -> switch
1327.84 -> server virtualization
1329.679 -> vlan virtualization which became a thing
1331.6 -> first
1332.4 -> vlans 30 some years old virtualizing the
1335.2 -> switch
1336.24 -> vmware esxi about 10 15 years later now
1339.6 -> you know where it all comes from so now
1342.4 -> let's look at it so i want to walk you
1344.64 -> through some architectural situations of
1347.039 -> switching real quick so let's go back to
1349.36 -> my diagram and well i'm not sure
1352 -> we'll i'll do what i can to try and make
1354 -> this diagram look a little better if at
1356.08 -> all possible given you know me being in
1358.48 -> the corner but let's try to move this up
1362.72 -> sometimes slides don't necessarily fit
1364.559 -> youtube
1365.52 -> as pretty as you'd like them but okay so
1367.28 -> let's do this so now let's say i've got
1369.679 -> two switches
1371.36 -> just like the previous switch that i had
1373.12 -> on top of my head i chopped up into four
1375.039 -> vlans
1376.32 -> this is really important because we're
1377.76 -> going to be dealing with this when we
1378.88 -> deal with the 802.1q tagging for the
1382.08 -> direct connection so that's why i'm
1383.36 -> spending some time here
1386.4 -> i took my switch and i created four
1388.72 -> vlans in that switch vlan a let's call
1390.799 -> that accounting vlan b let's call it
1392.48 -> finance vlan c let's call it dev and
1394.48 -> vlan d let's call it test
1396.64 -> i've then decided to create four
1400.159 -> additional vlans on another switch
1402.88 -> and the and they're basically accounting
1405.28 -> finance dev and test the same ones
1408.24 -> so now i want to get my switches
1410.24 -> communicating to each other
1412.64 -> i want you to understand what my options
1414.64 -> are because when you stand where these
1415.84 -> options are it'll make lots and lots of
1417.36 -> sense to you so what i could do is as
1419.44 -> follows i could run a cable between vlan
1422.72 -> a and vlan a and then vlan a will be
1424.64 -> able to talk to each other on both sides
1426.4 -> then i could run a cable from vlan b to
1428.48 -> vlan b and then vlan b could talk to
1430.64 -> vlan b over this cable i could run a
1432.799 -> cable from vlan c over to vlan c and then
1435.76 -> c could talk to c through this cable and
1437.84 -> then i could run a cable from vlan d to
1439.919 -> vlan d
1441.76 -> everybody can talk to everybody and i've
1443.919 -> got four cables and everything is
1446.159 -> perfect
1448.159 -> now
1449.36 -> this is perfect
1451.76 -> now if aw if you and and and you could
1455.279 -> conceivably do this imagine doing this
1457.6 -> with aws
1459.039 -> every single person runs a new cable to
1461.52 -> aws
1462.799 -> aws has a million customers a million
1465.279 -> cables would need to be run by aws under
1467.76 -> the ground under the ocean you get the
1469.44 -> concept so
1471.2 -> what is this so now let's talk about
1473.84 -> trunking
1476.08 -> so previously i just told you that we
1477.84 -> could run a cable from vlan a to vlan b
1481.44 -> and we could run a cable from vlan b to
1483.44 -> vlan b and a cable from vlan c to vlan c
1486 -> and a cable from vlan d to vlan d and
1488.08 -> it's all going to work and it's going to
1489.039 -> work awesome
1490.559 -> but what if we only had one cable
1493.2 -> what if we had one fiber optic
1495.2 -> connection between our switches just one
1498 -> cable
1499.36 -> how could we do this how could we get
1502 -> vlan a talking to vlan a and vlan b
1505.039 -> we've got a single cable
1507.36 -> so by the way this is one of the first
1509.2 -> virtual private networks that was out
1511.039 -> there
1512.559 -> what did we do we came up with the
1515.84 -> concept of a trunk port and basically
1518.4 -> what a trunk port is is you run a single
1520.72 -> cable or a group of cables between two
1523.039 -> switches
1524.24 -> then what you do is you add a tag to the
1526.799 -> frame so let's say you've got um you've
1529.52 -> got something from vlan a that wants to
1532.24 -> reach vlan a when vlan a goes on the
1535.76 -> wire
1536.799 -> the switch on the way to the wire puts a
1538.96 -> tag that says vlan a
1541.12 -> and when data leaves b it has a tag that
1543.12 -> says vlan b it's called an 802.1Q tag
1545.919 -> and then vlan c will pop its tag that
1547.919 -> says it's on vlan c and then vlan d will
1550.08 -> pop it will put its tag on it now
1552.72 -> meanwhile these uh frames start going
1555.44 -> over the trunk to the far end switch now
1557.44 -> the far end switch says wait a second
1558.96 -> i've got a frame that's destined for
1560.4 -> vlan a because it's got vlan a's dot1q
1562.48 -> tag strips the tag drops the message
1564.96 -> into vlan a
1566.96 -> then the next frame comes in, vlan b,
1568.799 -> and the switch says wait it's destined
1570 -> for vlan b removes the tag and puts it
1572.559 -> here it does the same thing for c and d
1575.039 -> so what is an 802.1q tag what is the
1578.559 -> thing that makes the direct connection
1580.24 -> possible you basically take your
1582.48 -> ethernet frame you smack a tag on it
1585.039 -> that tag that you smacked on it tells
1587.679 -> this wire to keep your traffic separated
1590.4 -> so when you connect to aws and you send
1593.039 -> them a vlan you know they've got a layer
1595.44 -> two network that they're sending these
1597.279 -> vlans that they're bridging your traffic
1599.44 -> back to your vpc across the aws network
1602.32 -> and this is how and why this works so
1606.96 -> what we'll do is we're going to go for a
1608.159 -> few more minutes i'm sure there's going
1609.919 -> to be some networking questions we'll
1611.919 -> answer your networking questions and
1613.919 -> then after we do this stuff we're going
1615.36 -> to start getting into the aws stuff
1617.36 -> which is really fun and exciting but i
1619.2 -> want you guys to all make sure we level
1621.12 -> set on the network thing so we're going
1622.32 -> to talk about a couple more networking
1623.84 -> things and then we are going to go back
1626 -> to um aws content but i wanted to give
1628.72 -> you something so i want you to actually
1631.44 -> give you some look for some of the
1632.96 -> things and feeling the things going on
1634.48 -> we're going to walk through some logical
1636.64 -> views of some networks
1639.2 -> so when you connect two locations
1642.399 -> realistically speaking what happens is
1644.799 -> let's say i've got a site in new york
1646.72 -> and a site in san francisco what happens
1649.279 -> is you typically buy a link to your
1651.679 -> service provider your
1653.36 -> and verizon
1654.64 -> and what will happen is they will send
1656.399 -> you over their private network to your
1659.36 -> ultimate destination so that's what
1660.96 -> these things typically look like
1664 -> there's going to be switches that the
1665.44 -> service providers use to go from either
1667.44 -> one telco to another telco or there but
1669.84 -> i just wanted to make sure this is
1671.2 -> pretty much there
1672.88 -> so let's look at the other type so it
1674.88 -> used to be when we did WANs we did
1676.399 -> something called serial point-to-point t1 t3
1678.72 -> frame relay atm various cloud services
1681.52 -> but but now we're typically doing
1683.36 -> ethernet so how does this work and by
1686.32 -> the way this is going to look a lot like
1688.64 -> um the way you'd set up a direct
1690.48 -> connection so the way
1692.64 -> typically ethernet WANs work and it's
1694.559 -> going to be very alike to a direct
1696.08 -> connection but we're going to spend a
1697.039 -> lot of time on direct connections like
1698.96 -> possibly a half of a day because they're
1700.48 -> so important
1703.6 -> so
1705.039 -> you've got the customer site
1707.039 -> you connect it to a switch
1709.84 -> service provider
1712.72 -> switches your information over their
1714.64 -> network and then it goes to your end so
1716.96 -> guess what
1718.32 -> nothing's different whether it's
1720.559 -> frame relay atm or ethernet i just want
1723.2 -> to show the point that that's
1724.159 -> realistically what's going on
1726.159 -> so let's look at one last things let's
1728.559 -> look at
1729.84 -> let's uh
1731.36 -> let's uh look at the ip header and then
1734 -> we're going to get into the aws content
1735.84 -> so we'll open up for some questions and
1737.44 -> then we'll have fun with aws content so
1741.52 -> let's look at what's in a header of
1743.12 -> these frames
1744.399 -> when a packet gets to a router and it's
1747.279 -> a packet at layer 3 it's got a
1749.52 -> destination ip address that's what the
1752 -> routers use the routers look at the
1753.52 -> destination ip address and say go out
1755.84 -> this interface is the closest one or go
1757.44 -> out this interface or go out this
1758.799 -> interface or go out this interface so
1760.88 -> there's a destination address there's
1763.12 -> also a source ip address
1765.279 -> by the way guys
1766.399 -> and girl is everyone out there where do
1768.399 -> you think this information that's part
1770.559 -> of a firewall or an access control list
1773.919 -> is able to get this information
1778.399 -> the header of the packet so the
1779.919 -> destination address the source address
1782.799 -> okay let's walk through what is this
1784.399 -> header checksum if the header checksum
1787.2 -> is basically a hash
1789.2 -> that basically runs a one-way
1790.559 -> mathematical hash to show that the
1792.48 -> frame wasn't damaged so basically source
1794.799 -> address destination address the checksum
1796.72 -> just means your data is good
1798.72 -> the protocol
1800.559 -> this is where your tcp is or your udp is
1804.96 -> so
1806.24 -> source destination rest protocol wait
1808.72 -> that's what goes into an access control
1810.32 -> list that's what goes into a security group
1812.159 -> that's what goes into a firewall rule
1815.84 -> then what else do you have in this
1817.6 -> you've got a length that tells you how
1819.36 -> many bytes the packet is you've got this
1821.84 -> thing called the ds field degree of
1824.159 -> service you can set that to red or high
1826.799 -> priority and if the network if you've
1828.559 -> made your network aware to look at the
1830.84 -> prioritization and send higher priority
1833.679 -> data over lower priority data you can
1836.159 -> match that by taking your messages and
1838.159 -> changing them in the ds field
1840.399 -> and then of course the version is which
1842.32 -> version of ip that we're using so
1845.279 -> i hope we've had a little bit of fun
1847.039 -> doing some intro to networking
1849.6 -> concepts that we'll talk about
1852.559 -> before we actually go on and we'll do
1855.2 -> some aws content so i'd like to take a
1857.279 -> break for a few minutes i'd like to
1859.2 -> answer some questions i'm sure you guys
1861.039 -> have some i want to make this the best
1863.12 -> experience i want you guys to be able to
1865.36 -> ask questions
1866.64 -> if there's something you want more of i
1868.24 -> want you to tell us if you guys need
1870.159 -> help with something i want you to tell
1871.6 -> us i just want to know that you guys
1873.6 -> have the absolute best experience and
1875.36 -> learn so much that will get you all
1876.559 -> cloud hired so chris if you want to
1878.24 -> bring in some of the questions that have
1879.36 -> transpired as we're waiting for
1880.96 -> questions to transpire if you can uh hit
1884.159 -> the hit the like button or tell others
1886.32 -> to join us we love educating and
1888.32 -> training others and if you can bring
1889.519 -> others and invite others we'd be more
1890.88 -> than grateful so
1893.6 -> chris if you want to bring in some of
1894.64 -> the questions that popped up
1899.6 -> every big
1901.12 -> every p how big of a perimeter would be
1903.039 -> considered a LAN i don't really think
1905.039 -> there is a perimeter effort p um it's
1907.519 -> really based on how how big so you know
1910.32 -> you could create a lan
1912.24 -> that would have
1913.84 -> data center data center data center data
1916 -> center data center data center and that
1917.6 -> whole data center com building could be
1919.6 -> five miles and it would still be a LAN
1921.279 -> because you're going to be using a
1922.72 -> single mode fiber to connect them all so
1924.96 -> that could still be considered a LAN i
1926.72 -> don't really think there is necessarily
1930.559 -> a definition of 100 meters but it's
1932.88 -> really how how close and densely packed
1935.039 -> you can get it
1936.48 -> chris you want to bring on the next one
1938.159 -> a scene are the frames carrying the
1940.32 -> source as well as the destination tags
1942.159 -> on the cable um okay a seam the only tag
1945.36 -> they're actually carrying is an 802.1Q
1947.6 -> tag or a vlan tag
1950.24 -> so
1951.039 -> the frames themselves always have a
1953.6 -> source mac address and a destination mac
1955.519 -> address and that will definitely be
1957.6 -> there but it's going to add that 802.1Q
1960.399 -> tag so it's going to basically take the
1961.84 -> frame it's called encapsulation it adds
1964 -> something so yes they will have the
1965.2 -> source mac address and the destination
1967.2 -> mac address but they also realistically
1969.12 -> speaking are going to have that 802.1q
1971.36 -> tag that's what the magic is it's that
1972.96 -> 802.1Q tag
1974.64 -> chris want to bring in the next one
1978.399 -> teller made media what if a wants to
1980.399 -> connect to b c or d
1982.32 -> teller made media they cannot without
1984.24 -> going through a router
1985.919 -> so
1987.44 -> in the old days we used to do this thing
1990.399 -> called a router on a stick where
1992 -> basically we would create a trunk port
1993.44 -> between the switch to the router
1995.36 -> and the router would route between vlans
1997.44 -> we haven't done that in about 20 years
1999.36 -> ago for anything other than a
2000.64 -> certification exam but we used to do
2003.44 -> that about 20 years ago what we do now
2005.76 -> is the switches themselves actually have
2007.679 -> router modules that sit inside the
2009.36 -> switches and what we would do is we'd
2011.279 -> create a vlan
2012.64 -> and then we create an ip address for the
2014.559 -> an ip interface for the vlan and then we
2016.88 -> would turn on our routing protocol ospf
2019.12 -> eigrp intermediate system to intermediate
2021.519 -> system and then route between vlans so
2024.24 -> that's what would occur they can't tell
2026.32 -> or made media that's the whole point of
2027.6 -> vlans is they keep people from talking
2029.44 -> to each other and then they use routers
2031.6 -> to connect the vlan so that's what you
2033.12 -> have to do you actually have to set up
2034.399 -> your routing in order to make that
2035.519 -> happen telemate media and that's an
2037.44 -> excellent question by the way
2042.72 -> kachori patrick can i show you a picture
2046.24 -> of a socket tag i don't know what you
2048.8 -> mean by a socket tag a tag that we're
2051.28 -> talking about is it layer 2 of vlan so
2053.839 -> an 802.1Q tag
2056.24 -> and a socket is actually at uh layer 5
2061.04 -> which is TCP/IP which is an ip address
2063.839 -> and a port number so they're not really
2065.2 -> related
2067.599 -> dimple patel
2068.879 -> is wan connection over a different
2070.639 -> country connecting country to country
2072.639 -> would be a WAN connection but connecting
2074.96 -> a state to state would be a WAN
2076.879 -> connection even going from say mysore to
2080.32 -> bangalore figure like 80 to 100
2082.399 -> kilometers that would be a WAN
2083.839 -> connection so it could be patel it could
2086.399 -> be going from india to pakistan that
2087.839 -> would be a wan connection it could be
2089.599 -> going from delhi to bangalore it could
2091.359 -> be going from my sort of bangalore to
2093.839 -> even though that's not that far away so
2095.52 -> a wan connection realistically speaking
2097.359 -> is just over a wide area so anytime
2099.92 -> you're dealing with you know more than a
2101.599 -> couple of miles and even a couple of
2103.359 -> miles could be considered a LAN
2104.72 -> connection
2106.24 -> WAN just means longer distance
2109.76 -> would the connection between aws
2111.44 -> services be a LAN as connected to the
2113.28 -> backbone
2114.839 -> predominantly abdul that predominantly
2117.119 -> most of those services are LAN services
2119.599 -> some of those other services are also
2121.599 -> LAN services but in general the most
2124.079 -> likely LAN because you could call them
2126.32 -> LAN because even if you're using a
2127.92 -> serverless thing like dynamodb chances are
2130.8 -> it's going to be hosted in the same
2131.839 -> availability zone as you or one of the
2134.079 -> local availability zones so that would
2135.76 -> still be considered a LAN and that's
2137.599 -> one of the things that's so good about
2138.64 -> them is you've got high performance
2142.079 -> are there switch to switch cable
2143.599 -> connections that do not run over trunk
2145.119 -> ports
2146.079 -> sure
2147.599 -> you can do a switch to switch and just
2149.599 -> run a single cable like a cable between
2151.28 -> vlan 2 and vlan 2 and vlan 3 and vlan 3.
2154.4 -> lots of reasons that could be done
2156.8 -> generally speaking
2158.72 -> people don't they use trunk ports due to
2160.56 -> the flexibility
2162.079 -> and they tell the trunk ports which
2163.44 -> vlans they'd actually use so you could
2165.68 -> set up multiple trunk ports
2168.16 -> you could send vlans one and two over a
2169.76 -> single trunk and vlans three and four
2171.28 -> over a single trunk and vlans five and
2173.2 -> six it doesn't matter their traffic is
2174.8 -> separated but you might actually want to
2176.88 -> do this for the following reason to
2178.32 -> generate more
2180.079 -> to generate more bandwidth so that is
2181.76 -> something you could do but you typically
2183.119 -> wouldn't for the complexity and for the
2184.88 -> simplicity of the trunk
2188.16 -> chris are there more
2197.28 -> is a vlan the same concept as a vpc
2201.2 -> not exactly
2203.68 -> so a vlan realistically speaking is a
2206.72 -> group of ports on a switch
2209.28 -> a vpc which some of the certification
2212.079 -> providers mistakenly call a virtual
2213.92 -> private network
2215.28 -> is really a virtual private data center
2218 -> so
2219.28 -> a virtual private network for example is
2221.359 -> basically you've got a public network
2222.72 -> like the internet and you secure and
2224.8 -> encrypt your traffic privately over the
2226.88 -> public internet but when you create that
2229.359 -> ipsec tunnel or a virtual private
2231.28 -> network there's no servers there there's
2233.68 -> no load balancers there it's just
2235.52 -> connections
2237.28 -> so
2238.8 -> when you're dealing with a vlan i'm
2240.8 -> going to go back to this tech with mufas
2242.72 -> you're dealing with a grouping of a
2244.079 -> couple ports on a switch whereas a vpc
2247.359 -> is your virtual private data center so
2249.599 -> your virtual private data center will
2251.28 -> have your ip addressing they'll have
2252.96 -> your routing they'll have your load
2255.04 -> balancers they'll have your servers
2256.48 -> they'll have your storage so they're
2257.68 -> they're completely different tech with
2259.119 -> my files um vlan is a switch okay so
2262.079 -> perez the dev what's the difference
2263.52 -> between a frame and a vlan wow that's a
2266.32 -> good one so let's go back to that osi
2269.28 -> model perez the dev because that is a
2271.68 -> really good question let's pull up this
2274.32 -> osi model let me share the screen one
2276.4 -> more time perez the dev
2278.4 -> so
2280.079 -> let's go back to this
2281.92 -> at every layer of the osi model
2285.68 -> we transmit something different
2288.56 -> so at the physical layer let's say
2290.4 -> you've got a wire like this this wire
2292.16 -> just happens to be for my keyboard
2294.48 -> for whatever reason my my keyboard's
2296.4 -> battery i bought this super expensive
2298.079 -> logitech thing not my keyboard and the
2300.24 -> battery dies every three days so i've
2301.92 -> got a physical wire over here to charge
2303.68 -> it in what are we sending a wire
2305.68 -> electrons
2307.119 -> so
2308 -> they're referred to as bits at layer one
2310.079 -> but really it's electrons so
2313.119 -> at layer two of the data link layer we
2316.24 -> send what's called the frame
2318.72 -> and at layer three of the osi layer we
2322.24 -> send what's called a packet
2325.119 -> so that's realistically speaking
2327.76 -> the names so when you're in the vlan
2331.76 -> perez the dev you're communicating using
2333.68 -> layer 2 technologies mac addresses
2336.48 -> so a frame
2338 -> is what's being used to communicate
2339.92 -> inside of the vlan so if server one says
2344.24 -> here's a video of mike's cat cindy and
2346.88 -> that's that's a file that's inside of
2348.48 -> the vlan all the other users inside that
2351.04 -> vlan better see it but when i send the
2353.359 -> message to you perez the dev and the
2355.04 -> same vlan i'm going to send you a frame
2357.359 -> because we're both at layer 2. but if
2359.359 -> you and i were at layer 3 i would send
2360.96 -> you a packet
2362.24 -> i hope that makes sense if not if you
2364.16 -> want to re-ask the question i'll get
2365.28 -> back to it
2368.96 -> vijaya in the case of an aws
2371.52 -> site-to-site vpn
2373.599 -> the on-premise subnet and the aws subnet
2377.119 -> need to be different
2378.56 -> well
2379.68 -> always your on-premise subnets will have
2382.48 -> to be different than the cloud provider
2383.92 -> subnets in fact anything outside of your
2386.24 -> vlan will have to be on a different
2387.76 -> subnet but the connection between the
2390.8 -> two has to be on the same subnet
2393.04 -> so
2393.839 -> if you've got a 192.168.1.1/30
2396.8 -> the opposite side of that WAN
2398.56 -> connection is going to be a 192.168.1.2/30
2401.599 -> so both sides of any connection need
2404.48 -> to be on the same subnet but if you've
2406.4 -> got a router that'll say let's say
2408.48 -> let's say my hands are routers my my the
2411.28 -> the fingers that are pointing to each
2412.8 -> other that's the direct connection they
2414.4 -> need to be on the same subnet but my
2415.76 -> thumbs are each going to be on a
2416.88 -> different subnet so that so
2418.56 -> realistically speaking you're always
2420.079 -> going to have a combination of subnets
2423.04 -> going on
2424.64 -> so
2426.079 -> abigail marks how fast are these packets
2428.48 -> being transferred are we talking the
2430.4 -> speed of light yeah pretty much so
2432.4 -> abigail marks i want to let you know
2433.92 -> that even the speed of light which is
2435.44 -> 186,000 miles per second
2438.4 -> we're not getting that fast but we're
2439.92 -> getting close
2441.28 -> so i send a fiber optic connection to
2444 -> you abigail i think you're in california
2445.44 -> i could be wrong but i'm going to
2446.319 -> pretend you're in california
2448.48 -> i now have uh let's assume we had a very
2452.319 -> long
2453.2 -> fiber optic connection between you and
2454.96 -> me for these 3,000 miles
2457.04 -> it's going to take some time
2460.4 -> for me to send my data to you
2462.96 -> even at the speed of light so when i
2465.76 -> send a laser the laser sends the light
2467.839 -> over the wire now the wire has what's
2469.839 -> called some resistance the wire isn't
2471.839 -> straight air so it's going to add some
2473.359 -> drag so to speak which is going to slow
2475.119 -> it down but when we're dealing with
2476.96 -> cables and electrons we're pretty close
2478.48 -> to the speed of light abigail so it's
2480.079 -> moving very very very fast
2485.359 -> okay chris from my team has notified me
2488 -> that
2489.119 -> we've answered the max amount of
2490.4 -> questions that we can do to keep you
2491.599 -> guys up
2492.8 -> and moving on time so we're going to get
2495.44 -> into some aws stuff
2498.079 -> which is going to be really fun and then
2500.079 -> when we get to some routing inside of
2501.76 -> these things we're going to do some
2504.079 -> really cool things so before we begin
2506.8 -> you guys can let us know you're having a
2508.319 -> good time hit the like button tell
2510 -> others to join us and type hashtag
2512.48 -> cloudhired
2513.92 -> the whole point of doing training is to
2515.68 -> get hired not just to pass the
2517.52 -> certification so we're going to go
2520.079 -> way above and beyond to give you a lot
2522.64 -> more than is necessary to pass the exam
2524.319 -> because i want to get you all cloud
2525.52 -> hired and tonight and chris from my team
2528.319 -> will tell us what time but tonight my
2530.4 -> good buddy imran with the dual ccie and
2532.56 -> i'm also a cca we're going to come in
2534 -> and we're going to have some lab time
2535.2 -> and it's gonna be lots of fun so let us
2537.119 -> know that you're here by hashtag
2538.56 -> cloudhired and hit the like button tell
2541.28 -> others to join us we love when other
2543.04 -> people join us and we're super excited
2545.119 -> to have you here 5 pm eastern we are
2548.16 -> going to have imran decor and we're
2550 -> going to come in and do a
2551.04 -> multi-multi-multi-hour
2553.839 -> hands-on lab and i'm going to get my
2556.079 -> inner geek on with my buddy and it's
2557.52 -> going to be really fun i haven't don't
2558.96 -> get to do it that often so super super
2561.119 -> super excited about it so let's talk
2563.359 -> about the aws cloud and how it's
2565.68 -> organized
2568 -> so when we talk about it we're going to
2569.44 -> break this down into a couple of things
2572.16 -> we're going to talk about regions
2574.24 -> availability zones local zones and edge
2577.76 -> locations
2579.28 -> so let's really bring it in
2582.16 -> so i'm going to talk about the concept
2583.52 -> of a region
2584.88 -> and what is a region it is a huge
2587.68 -> geographic area
2589.76 -> so
2591.76 -> the u.s is a region actually it's two
2594.48 -> regions but it could be a region
2597.119 -> a region think continent or some big
2599.119 -> area
2601.04 -> now we're dealing with these cloud
2602.24 -> providers they have the concept of an
2603.76 -> availability zone
2606.56 -> what's an availability zone it's just a
2608.4 -> data center that's it
2610.4 -> so
2611.359 -> availability zone data center so you're
2613.359 -> going to have these big geographic areas
2615.52 -> and inside of these geographic regions
2617.44 -> you're going to have data centers and
2618.96 -> we're going to walk through each one and
2620.24 -> we're going to get very detailed
2621.359 -> throughout this but we've got to start
2622.4 -> with the foundations get your foundation
2624.4 -> straight ramp up fast don't get the
2626.64 -> foundation right when we ramp up you
2629.119 -> know we carry problems so the next thing
2631.44 -> we're going to talk about are local
2633.28 -> zones
2634.4 -> so
2636.56 -> abigail just asked what is
2639.119 -> a wide area connection
2641.2 -> and let's say for example
2643.28 -> i want to connect to the us east in ohio
2646.16 -> when i'm in florida
2647.68 -> it's not fast it's going to take time
2650.96 -> two three milliseconds to reach that
2653.28 -> data center what if i need to access my
2656.079 -> servers faster what if i need fast
2658.96 -> speedy high performance criticality what
2662.16 -> if i need that so badly
2664.8 -> i can't get it with the cloud because
2666.64 -> i've got to go a thousand miles to get
2668.4 -> to the cloud provider
2670.079 -> but what if
2672.16 -> what if
2673.92 -> on the way
2675.52 -> to the availability zone i had a little
2678.56 -> mini data center where my direct
2680.16 -> connection might be where i can access
2682.24 -> my servers quicker
2684.24 -> that's what the local zone is and we're
2685.76 -> going to talk a lot about that local
2688.319 -> zones and edge computing when we walk
2689.92 -> through it but i want you to understand
2691.2 -> what it is and then we will talk about
2693.2 -> edge locations which are part of the
2695.28 -> content delivery network CloudFront for
2697.68 -> those of you that are writing these nice
2699.119 -> messages i am so grateful to have you
2701.359 -> here and i'm thrilled to do this and i
2703.04 -> really want to help you all so thank you
2704.96 -> all for your nice messages
2707.599 -> so let's walk through this
2709.599 -> let's look at it graphically so when we
2711.76 -> look through this environment here this
2713.52 -> is what it looks like you see you can
2715.359 -> see this nice large geographic region
2717.76 -> and you can see the data centers called
2719.52 -> the availability zones
2721.52 -> you can see this is what it looks like
2726.16 -> so
2727.2 -> let's
2729.2 -> so that's the availability so now let's
2730.88 -> talk about local zones so previously i
2733.68 -> talked about the latency
2736.16 -> of reaching somebody far away
2738.64 -> and what makes the data center in many
2740.96 -> cases so much better performance wise
2743.2 -> than the cloud
2744.48 -> is when you're dealing with the clouds
2746 -> you've got to get to the cloud and if
2748.079 -> that cloud's a thousand miles away that
2749.92 -> can introduce some latency
2752.079 -> now i want you to think about
2753.68 -> applications and latency if i want to
2756.24 -> call my cat cindy over a video
2758.24 -> conference call and she's in i'm in
2760.64 -> california for the week and she's home
2762.319 -> in palm beach and i have a video
2764 -> conference with my cat cindy if it takes
2766.56 -> me an extra three milliseconds to see my
2768.64 -> cat it doesn't matter
2771.68 -> it's meaningless now let's pretend i'm a
2774.56 -> financial organization
2776.72 -> and i want to buy
2778.24 -> 800,000 shares
2780.4 -> of cisco
2782 -> because there's good news
2784 -> or and then after i buy 800,000 shares
2786.4 -> of cisco i want to sell it make because
2788.8 -> i made 3 cents per share and now i want
2791.28 -> to buy 800,000 shares of meta or
2793.76 -> facebook and then i want to trade that
2795.52 -> and after that i want to trade that and
2797.359 -> i want to buy 800,000 shares of amazon
2800 -> and if i can buy it a nanosecond faster
2803.04 -> than my competition i might be able to
2805.04 -> make three or four cents per share but
2806.88 -> i'm doing that for eight hundred
2807.839 -> thousand things i may then sell that
2809.76 -> stock three seconds later and make it
2811.44 -> another three cents on it per share and
2814.16 -> i might do it again a thousand times a
2816.319 -> day and if i can do it better and faster
2818.4 -> and cheaper than my competition that
2819.68 -> could be billions of dollars per year
2822.88 -> so sometimes the latency that it takes
2825.44 -> to go from your data center to the cloud
2827.839 -> is so bad that it can kill an
2830 -> organization's competitive advantage
2832.64 -> that's where the concept of the local
2834.64 -> zone comes from the local zone
2837.2 -> effectively is as follows
2839.599 -> it's a little mini data center that is
2842 -> closer to you than your actual date than
2844.88 -> the actual availability zone and you can
2847.44 -> put some of your stuff in there the way
2850.16 -> it's going to work is you'll opt in to
2851.68 -> create a local zone
2853.68 -> you put your ec2 instances or your
2855.52 -> virtual machines your load balancers
2858.16 -> your containers in there and now let's
2860.96 -> say you connect to the direct connection
2862.319 -> location say this is right by the direct
2863.839 -> connection location it's close to you
2865.68 -> it's fast the performance is good it's
2867.68 -> pretty terrific and that's still
2869.76 -> connected back so you can use the cloud
2871.76 -> for where the cloud's good and you can
2874.24 -> actually do this in a local zone
2877.119 -> now there are a few local zones
2879.52 -> such as the ones in la
2881.599 -> that give you the file systems for
2882.96 -> windows, Elastic MapReduce, ElastiCache,
2885.119 -> rds databases and even dedicated hosts
2887.599 -> so some of these local zones can get
2889.2 -> some pretty darn sophisticated and
2891.04 -> pretty capable
2893.52 -> why do the organizations do local zones
2896.48 -> what's in it for them to create these
2898.079 -> local zones well i'll tell you right now
2901.2 -> if you need guaranteed performance and
2903.2 -> super performance better than you can
2905.359 -> get in the cloud you've got two options
2907.44 -> you stick it in your data center or you
2909.76 -> stick it in a local zone by providing
2911.76 -> the local zone the cloud providers are
2913.599 -> trying to mitigate the need for you to
2915.28 -> do this in your own data center making
2917.119 -> the cloud a more simple and elegant
2918.559 -> solution giving you near data center
2920.96 -> like performance in the cloud remember
2922.72 -> the data center always performs better
2924.64 -> but it's not agile it's not as scalable
2926.8 -> so that's all the good reasons why
2928.4 -> we're using the cloud the cloud is
2929.68 -> amazing but it has that latency problem
2933.119 -> so as architects we can't ignore the
2935.28 -> latency problem we have to understand
2936.88 -> the work arounds to the latency problem
2939.28 -> let's talk a little bit more about local
2940.96 -> zones and look at what they look like
2942.48 -> visually so typically speaking you know
2944.72 -> this would be a good aws representation
2947.2 -> of it you got the concept of local zones
2949.44 -> you enable it you'll extend your vpc
2952.24 -> to it and then you'll run your
2953.119 -> applications but let's look what it
2954.64 -> really looks like you've got your region
2958.72 -> and then you've got your data center
2961.119 -> called an availability zone and then
2963.119 -> you've got your local zone so this is
2964.96 -> realistically what it's working for
2966.88 -> think about it this way think of it
2968.559 -> let's try and make it look
2971.2 -> a little easier so let's pretend over
2973.839 -> here this is your data center let's
2975.92 -> whiteboard our way through this and if
2977.52 -> you guys at any point want us to
2978.88 -> whiteboard anything this week to truly
2980.72 -> help you guys understand it i'm happy to
2982.72 -> do some on the fly whiteboard sessions
2984.559 -> or really anything just let me know what
2986 -> you guys need we're giving you a great
2987.2 -> experience
2988.24 -> so we have our data center
2992 -> and let's say this is a direct
2993.92 -> connect
2995.2 -> facility so like look at it this way we
2997.52 -> connect to the direct connect
2998.88 -> facility and the direct connect
3000.8 -> facility let's say is kind of hosted
3002.559 -> right around the same place as your
3003.76 -> local zones you got some servers in here
3006.64 -> and then the rest of your stuff is here
3008.24 -> so you can access your local performance
3010 -> when you need it and at the same time
3012.079 -> you've got your cloud performance and
3013.92 -> your scalability factors for everything
3015.68 -> else so that's realistically speaking
3017.119 -> what's going on here right organizations
3019.359 -> are using local zones so i wanted to
3020.96 -> make sure that was pretty clear to you
3022.079 -> guys
3024.16 -> now the last part of the cloud's
3026.96 -> architectural layout
3029.119 -> are going to be the following we're
3030.8 -> going to talk about something called
3032.24 -> edge locations so
3034.88 -> love edge locations
3036.72 -> love content delivery networks we are
3039.359 -> going to spend a lot of time talking
3041.52 -> about content delivery networks
3043.76 -> a lot of it but right now
3046.8 -> we're just going to have some fun we're
3048.319 -> going to talk about some edge locations
3050.16 -> because edge locations and local zones
3051.76 -> are very different edge locations are
3054.16 -> for content delivery systems the local
3056.559 -> zones that we just talked about are used
3058.88 -> for edge computing so now let's talk
3061.44 -> about edge locations an edge location is
3064.559 -> where the user is going to access the
3066.16 -> cloudfront content delivery network
3068.48 -> and i'm going to walk you guys through a
3070 -> content delivery network just in case
3071.52 -> you're not sure
3073.52 -> the edge locations provided by
3075.359 -> cloudfront provide a local access point
3078.4 -> for you to access the content delivery
3080.16 -> network
3081.119 -> so edge locations are going to really
3082.88 -> help with performance and they're really
3084.88 -> going to help with latency and i'm going
3086.24 -> to walk you through
3088.24 -> how this works and why it works so this
3090.8 -> is what these look like
3093.44 -> so from an edge location perspective
3095.52 -> you've got your geographic region
3098.96 -> and you've got your data centers within
3100.96 -> these regions and then you've got these
3102.319 -> edge locations
3104.319 -> so now let's walk it through
3107.28 -> so here's a user they're sitting in
3109.44 -> their house
3111.04 -> the user that's sitting in their house
3113.76 -> wants to connect to
3115.44 -> www.gocloudcareers.com
3121.92 -> so the user enters
3124.92 -> www.gocloudcareers.com in their browser
3128 -> the computer then does a dns lookup and
3130.559 -> says please give me the source ip
3132.4 -> address for www.gocloudcareers.com
3137.04 -> an address is given to the user
3139.28 -> and sends the user's traffic to the edge
3141.599 -> location
3142.72 -> so here we've got the user the user's
3145.2 -> traffic is sent to the edge location
3147.839 -> now
3149.68 -> if the edge location has access to my
3152.559 -> traffic
3154.48 -> the edge location will send the data
3156 -> right back to me the user and it'll go
3157.839 -> straight from the edge location to the
3159.359 -> user
3161.04 -> that's optimal
3163.44 -> now
3164.839 -> if i go to request
3167.839 -> www.gocloudcareers.com
3171.04 -> and i go to the edge location in the
3172.48 -> edge location doesn't have it the edge
3174.559 -> location will stop at something that's
3176.24 -> called a regional cache and then if it's
3178.64 -> not at the regional cache it will go to
3180.4 -> the source website if it's static
3182.48 -> content it'll go to that s3 bucket if
3184.16 -> it's dynamic content it'll hit the load
3185.68 -> balancer in front of the ec2 instances
3188 -> which will then
3189.68 -> stop at the regional cache which will
3191.44 -> then stop at the edge location which
3192.96 -> will then send the webpage to me
3195.52 -> now ten minutes later my wife decides
3198.079 -> to go to the
3199.839 -> www.gocloudcareers.com
3203.599 -> place so now she
3205.839 -> sits here in the same place as me she
3208.16 -> goes to the same edge location and is
3210.24 -> immediately
3212.24 -> immediately
3217.04 -> what's the word i'm looking for so she
3218.72 -> immediately
3220.4 -> gets access to her information because
3222.16 -> she requests it from the edge location
3224.48 -> and then it immediately gets sent back
3225.92 -> to her she requests it from the edge
3227.2 -> location and immediately gets sent back
3228.8 -> to her because i already requested it so what
3231.92 -> do these edge locations do they cache
3234.88 -> information so what are the edge
3237.119 -> locations of the content delivery
3238.8 -> network cloudfront they are where you
3241.04 -> the user enter the content delivery
3243.359 -> network and it's where your information
3245.44 -> is cached to improve your speed
3247.119 -> throughput and performance
3249.04 -> so let's talk about this so
3252.4 -> i will go back to these so
3255.68 -> let me just do one thing i want to make
3257.28 -> sure we
3259.04 -> because this kind of
3260.4 -> stuff over here has the
3263.2 -> potential to be a little bit tricky so i
3266.079 -> want to make sure everybody understands
3267.92 -> these zone concepts so i'll spend two
3270.88 -> minutes here any questions on the zones
3272.96 -> before we move on to the next content
3274.8 -> does anybody have any questions about
3276.319 -> you know the availability zones the
3277.68 -> local zones the edge locations or is
3279.76 -> that clear to everyone i want to make
3281.2 -> sure
3282.64 -> okay matthew burke
3284.4 -> are edge locations the same as local
3286.88 -> zones
3288 -> absolutely not
3289.52 -> so
3290.24 -> an edge location
3292.48 -> is where the user comes to access the
3294.4 -> content delivery network you type
3296.559 -> www.cisco.com
3299.68 -> and you get a resolution to the akamai
3301.68 -> content delivery network you hit the
3303.52 -> akamai content delivery network that's
3305.119 -> the equivalent of an edge location
3308.64 -> so we should all go visit brandon
3310.88 -> bowman's website if he pops the link
3313.119 -> he's got it hosted and he's using
3315.119 -> cloudfront as a content delivery network
3316.96 -> so everybody let's show brandon's
3318.88 -> website some love
3320.4 -> let's hit brandon's website brandon is
3322.319 -> an exceptionally good cloud architect um
3324.559 -> so let's hit brandon's website
3327.28 -> that is where we hit the edge location
3330.24 -> through cloudfront now by comparison
3333.359 -> if i wanted to stick a server
3335.92 -> close to me
3338 -> i can't stick my server in somebody
3340.4 -> else's content delivery network because
3342.16 -> that's something everybody else is using but i
3344.24 -> can put my server in another aws owned
3347.359 -> data center that they don't call an
3349.2 -> availability zone that they call a local
3351.2 -> zone so what is a local zone it's an
3353.76 -> availability zone that's close to you
3355.28 -> that's really all it is it's an aws data
3357.2 -> center that's not a thousand miles away
3359.28 -> they call it an edge location
3362.079 -> so
3363.119 -> realistically speaking that's it
3365.44 -> a local zone is another aws data center
3368.96 -> that's close to you
3370.72 -> whereas the cloudfront content delivery
3372.24 -> network is a cache
3374.4 -> for web applications the local zone are
3377.119 -> for your applications does that make
3378.88 -> sense matthew and others um if so great
3381.04 -> if not just let me know in the chat box
3382.4 -> and i'll try it one more time but
3385.2 -> availability zone geographic region
3387.76 -> data center
3389.2 -> availability zone
3391.359 -> data center close to you
3393.119 -> for speed and reduced latency local zone
3395.52 -> content delivery network
3397.44 -> edge locations
3400.24 -> asim asks how does one decide
3402.72 -> what to store in the local zone since it
3404.4 -> may have limited storage in any data
3406 -> center
3407.359 -> asim, the only reason you ever would
3409.44 -> use a local zone is if you have low
3410.96 -> latency requirements
3412.559 -> you would never use it otherwise so if
3414.799 -> you've got extremely local low latency
3417.04 -> requirements you'd use the local
3418.88 -> zone otherwise you can stick it all in
3420.079 -> your data center or stick it on your
3421.599 -> cloud there's no reason to do it the
3422.96 -> whole point of the local zone is to not
3424.48 -> have to wait to go so far away that's
3426.48 -> pretty much it
3429.28 -> so an edge location is not like dns dns
3432.319 -> maps a name to an ip address dns will
3436.079 -> so if i type www.cisco.com
3439.52 -> it gives me an ip address for the
3440.72 -> website that is dns
3442.64 -> but
3443.599 -> a content delivery network speeds
3445.68 -> content to people but here's the good
3447.599 -> news we're going to spend about an hour
3449.359 -> covering content delivery networks
3454.64 -> sm7 asks so when your info is in the cloud
3457.04 -> is it in a local zone or an az or
3459.28 -> both sm7 for 95% of the population it'll
3462.72 -> never be in a local zone
3464.72 -> for 95% of the population they'll just be
3466.559 -> in their availability zones
3468.88 -> for organizations that can't get
3470.88 -> away with the low performance of the
3472.16 -> cloud that needs something faster they
3473.92 -> will use local zones but it's for a
3475.2 -> small number
3480.799 -> local zone is not something you put in
3482.559 -> the hosting data center local zone is
3485.04 -> another aws data center
3488.64 -> that's closer to you
3490.72 -> now azure has the ability to run your
3493.359 -> workloads on the azure software sitting
3496 -> in your data center and that would be
3497.44 -> their version
3498.72 -> of a much improved version of a local
3500.64 -> zone
3504.799 -> which has a higher number local zones or
3506.48 -> edge locations there are going to be more edge
3508 -> locations that are out there
3509.68 -> because
3511.04 -> and is the edge location a physical zone
3513.119 -> like a local zone
3515.119 -> an edge location is where
3518 -> it's a data center it's got routers and
3519.92 -> switches and servers and caching just
3522.319 -> like any other data center
3527.599 -> where's the regional cache located
3529.04 -> there's various regional
3530.48 -> caches throughout the world
3534 -> how do you get access to the local zone
3536.16 -> well exactly what i had told you the
3538.72 -> steps are as follows
3540.4 -> you have to opt in to a local zone then
3543.76 -> you create a subnet in the local zone
3545.68 -> and then you put your ec2 instance load
3547.76 -> balancers in that subnet that's pretty
3549.839 -> much it
3555.359 -> okay well let's go back to coming into
3557.92 -> some content i just wanted to try and
3559.76 -> you know do what we could to clean
3561.2 -> things up so let's do this
3563.52 -> is everyone
3567.119 -> let's let's do some ip addressing stuff
3569.76 -> um and then we're going to get to the
3571.119 -> vpc how much knowledge does everybody
3573.359 -> have about ip addressing are all you
3574.88 -> guys familiar with the private ip
3576.48 -> addresses and subnetting and things like
3578.24 -> that if you've got great ip familiarity
3580.88 -> type familiar in the chat box
3583.76 -> and if you need a little bit if you need
3585.76 -> more
3586.4 -> let us know that you need some
3588.64 -> basic ip in the chat box and then i'll
3590.48 -> give it to you i want to know that we
3591.52 -> give you what you need but don't bore
3592.88 -> you
3597.119 -> always confuse cloud higher refresher
3599.04 -> would be nice let's do a refresher early
3601.76 -> bird gets the worm they're the ones that
3603.359 -> are first to do it so let's get there
3606.88 -> let's talk about ip addressing
3610.72 -> because
3611.599 -> this is kind of
3612.839 -> important everybody
3615.68 -> in the entire world
3617.28 -> every device
3618.559 -> needs a unique address
3621.2 -> we're going to be quick on this but
3622.24 -> everybody needs a unique address so
3625.119 -> i want to send data to pierre in canada if
3628.16 -> let's say i want to send a mail to his
3629.599 -> physical address if i don't have
3631.359 -> pierre's address i can't send it to him
3634.079 -> if pierre and his buddy have the same
3635.92 -> address
3636.88 -> i can't send it to them because i won't
3639.04 -> the mail won't know where to go so every
3641.599 -> computer or every device that's out
3643.28 -> there needs to have an address and it
3645.44 -> must be unique if it's not unique the
3648.16 -> mail will never get to you your data
3649.839 -> will not get to there
3651.52 -> so
3653.76 -> we're going to have the concept of so
3655.44 -> let's talk about it so every device has
3658.319 -> to have a unique address
3660.559 -> now when we're dealing with ip
3661.76 -> addressing
3663.04 -> we have a problem
3665.28 -> a big problem
3667.92 -> the problem that we have is going to be
3669.359 -> as follows
3673.599 -> we don't have enough ip addresses
3676.319 -> so like it all
3677.92 -> like literally speaking we don't have
3679.2 -> enough ip addresses because we don't
3681.359 -> have enough ip addresses
3683.2 -> the internet engineering task force told
3685.599 -> us which ip addresses to use inside of
3688.319 -> our network
3689.359 -> so inside of our systems
3694.079 -> we're going to be using ip addressing
3695.839 -> from the private address space the
3698.319 -> internet engineering task force told us
3700.559 -> to use these addresses so we're going to
3702.72 -> be using the addresses that were given
3704.559 -> to us by the
3705.76 -> engineering task force
3707.44 -> which means that nearly every
3709.68 -> organization in the entire world
3712.48 -> is going to be using
3714.319 -> the same
3716.24 -> ip addressing scheme
3718.4 -> so
3719.359 -> we're going to have some challenges if
3721.92 -> your business is using the 10/8 address
3724.24 -> space
3725.119 -> and another business is using a 10
3727.039 -> address space and the business buys the
3729.28 -> other business they can't talk to each
3731.2 -> other
3732 -> when you're on the cloud and you want to
3734.4 -> do vpc peering to somebody else that's
3736.48 -> using the same ip addresses we have a
3738.799 -> problem so
3740.799 -> we're going to talk about these
3741.76 -> addresses and then later in the course
3743.76 -> we're going to talk about how to fix
3745.039 -> these massive problems caused by the
3747.2 -> internet engineering task force's
3749.52 -> fix to the broken number of ip addresses
3751.92 -> see it's always a matter of something to
3753.52 -> fix something else
3754.88 -> so understand that the private ip
3756.799 -> addresses that we're going to use are
3758.16 -> the 10.0.0.0/8 address space the
3763.24 -> 172.16.0.0/12 address space and the
3765.119 -> 192.168.0.0/16.
3768.319 -> all
3770.16 -> private addresses for the most part will
3771.839 -> be on there
3773.359 -> i'm also going to talk for about 10
3775.359 -> seconds and i don't ever want to talk
3776.799 -> about this again because it's history
3778.72 -> i'm going to talk about ip address
3780.559 -> classes
3782.64 -> when i was a kid and i started moving in
3785.44 -> networking they had been phasing away
3787.92 -> ip address classes and that was a long
3790 -> time ago what happened is we used to
3793.359 -> have these class a addresses that were a
3795.2 -> slash eight with the subnet mask and i
3797.599 -> don't know how
3798.88 -> uh there were class a with the subnet
3801.039 -> mask and then we had a class b which
3802.4 -> were slash 16s and then we had a class c
3804.799 -> and a million and one years ago
3806.48 -> everybody used these addresses
3810.079 -> the problem was
3811.76 -> is and and i'll i'll have other things
3814.48 -> that i'll show it to you later
3817.039 -> if
3818 -> we stuck this ip address on an ethernet
3820.88 -> port
3822 -> and we couldn't put more than 250 hosts
3823.92 -> in a subnet
3826.16 -> just because we'd have 16 million
3827.599 -> addresses we'd literally use them all up
3829.28 -> on a single subnet so we had to break
3831.76 -> these giant things down and that was
3834.64 -> something called subnetting we can
3836.64 -> subnet down we can supernet up we call
3838.88 -> that classless inter-domain routing
3841.44 -> basically what cidr means because
3843.68 -> you'll see cidr on your exams is we no
3846.4 -> longer stick to the class a which you
3848.799 -> can see here class b class c or class d
3851.599 -> which means we subnet or change the
3852.96 -> subnet mask by borrowing host bits and
3854.48 -> network bits that's it all we needed to
3856.799 -> say right then and there in a minute and
3858.079 -> one so just to let you know what that
3865.44 -> so we don't use classful addresses we
3867.68 -> haven't in about two decades so i don't
3869.44 -> think we need to talk about too much
3871.52 -> now let's talk about subnetting for a
3874.4 -> second we're gonna briefly go over it
3876.96 -> now
3877.839 -> if
3878.88 -> you guys are completely unfamiliar with
3880.559 -> subnetting you guys let us know we'll do
3884.079 -> a subnet workshop maybe next week or the
3885.92 -> week after that if you guys desire that
3888.319 -> um i'm going to continue the remaining
3890.799 -> three or four slides from subnetting and
3892.88 -> then we'll ask you if you need it and if
3894.48 -> you need it we'll let you will ask you
3896.24 -> and if you want we will get a subnet
3897.839 -> workshop schedule because i want to make
3899.2 -> sure you're good um but you know there's
3901.28 -> only so many we can do while we're going
3902.88 -> through a course like this so
3905.52 -> why do we subnet basically speaking
3907.92 -> because i told you we're going to lose
3909.359 -> 16 million addresses for a single subnet
3912.319 -> we would chop it into multiple subnets
3915.119 -> so
3917.2 -> what are we doing subnetting is going to
3918.88 -> optimize our ip address space what is
3921.44 -> subnetting really look like from a
3922.88 -> practical perspective
3925.28 -> and it looks like you guys want a subnet
3926.88 -> class i'll go make a subnet class
3928.24 -> anything we can do to give you guys a
3929.44 -> good experience and help you guys learn
3930.799 -> is fine
3932 -> so let's say over here we've got this
3933.599 -> class c address if we want to use it
3935.2 -> this 192.168.1.0/24.
3939.359 -> if i needed to break that down into
3941.68 -> multiple smaller addresses i can create
3944.24 -> a network that has a 192.168.1.0/28 and
3948.319 -> a 192.168.1.16/28 and then a 192.168.
3952.96 -> 1.32/28 and then i could do a 192.168.
3957.039 -> 1.48/28
3958.72 -> etc etc etc so what subnetting is it's
3961.28 -> taking one big network and breaking it
3964.079 -> down so
3965.92 -> basically speaking that's it
3969.28 -> now let's go back over here and i'll i
3972.079 -> made a little chart that i want you to
3973.68 -> know because it changes everything on
3976.079 -> the cloud
3978.88 -> please keep this in mind
3981.28 -> so when you're with aws the smallest
3983.44 -> subnet you can use is a slash 28 which
3986.079 -> typically speaking would give you 14
3988.64 -> usable addresses
3990.96 -> two to the fourth minus two but
3994.96 -> um
3996.4 -> and the reason that happens is
3998.64 -> we get 16 addresses but what happens is
4001.28 -> the 192.168.1.0 is used for the router
4005.2 -> and in this case the broadcast address
4007.2 -> ooh don't know what happened there of
4011.16 -> 192.168.1.15 would be there
4015.359 -> so so now i'm going to ask this you know
4017.599 -> is everybody familiar with this on the
4019.599 -> subnet piece if not it looks like a
4021.359 -> bunch of people we need a subnet
4024.16 -> thing so if uh
4026.96 -> so with aws
4029.44 -> they're gonna use five addresses per
4031.44 -> subnet so keep this in mind aws reserves
4034.64 -> the first four addresses and the last
4037.039 -> address why am i saying this why am i
4039.599 -> really concerned about you knowing that
4041.039 -> aws uses five addresses per subnet
4044.64 -> here's the reason
4046.88 -> if you have a slash 28
4051.039 -> and you lose five addresses which means
4054.16 -> you really only have 11 servers
4056.559 -> and if you've got a couple of web
4058.079 -> servers and you've got a couple of app
4060.559 -> servers and you've got two load
4062.079 -> balancers and something auto scales
4064.64 -> you're going to run out of ip addresses
4066.88 -> and if you run out of ip addresses auto
4069.359 -> scaling stops
4072.64 -> so
4073.359 -> if you run out of ip addresses auto
4076.079 -> scaling stops so i'm gonna give you some
4078.96 -> guidance
4080.079 -> the smallest subnet you should ever use
4082.4 -> for a lan segment is a slash 24
4085.44 -> don't use bigger than a slash 23 and
4087.68 -> don't use smaller than a slash 24. even
4090.559 -> if you think you need 10 servers
4092.88 -> give yourself room for 253 you never
4096.56 -> know when you need them and their
4097.679 -> private ip addresses and they're free
4099.12 -> and they don't cost you anything so
4101.359 -> give yourself a slash 24 for a subnet
4105.279 -> and slash 30 for wans
4107.6 -> but otherwise you know slash 24 for our
4109.44 -> lan slash 30 for wan
4112.159 -> no bigger than a slash 23 for the lan
4114.319 -> ever because you're gonna get too many
4115.92 -> broadcasts
4118.799 -> now
4119.759 -> if subnetting
4122.4 -> subnetting is taking one subnet and
4124.56 -> breaking it down
4128 -> we can also do the exact opposite
4130.96 -> something called super netting so if i
4134.08 -> want to take subnet one subnet two
4136.56 -> subnet three subnet four and subnet five
4139.359 -> and make them look like a single subnet
4141.92 -> i can do that
4143.359 -> so why
4144.719 -> would i want to
4146.4 -> supernet so
4149.759 -> when you're dealing with you know aws
4152.799 -> you can only send them a certain number
4155.199 -> of routes so let's say i connect my
4157.679 -> router to three different internet
4159.04 -> service providers because i want to be i
4161.44 -> want to connect create some really good
4162.96 -> internet connections i run bgp to
4165.279 -> internet service provider one two and
4167.279 -> three my router takes in about eight
4169.52 -> hundred thousand routes from each
4170.799 -> internet service provider got about two
4172.96 -> and a half million routes in the
4174.08 -> routing information base and you know
4176.48 -> eight hundred thousand going to my
4177.6 -> routing table that's a normal internet
4179.199 -> router
4181.12 -> taking in 800 000 routes
4183.279 -> when i send to aws they can't take more
4185.52 -> than 100 routes
4188 -> pretty common to have a have an
4189.679 -> organization with 200 000 employees
4191.359 -> that's got 40 000 subnets 40 000 routes
4194.88 -> aws can't take more than a hundred
4197.679 -> which is nothing a hundred
4199.76 -> so what do you have to do you're going
4201.12 -> to have to be able to take your routes
4203.76 -> and make a bunch of little routes look
4206.4 -> like a couple of big routes to take the
4208.96 -> load to work around the limitations of
4211.12 -> the cloud provider
4213.12 -> look it's not that the cloud providers
4214.64 -> aren't great at what they do
4216.56 -> think about this if i connect to the
4218.64 -> internet service provider i take in 800
4220.56 -> 000 routes no big deal from 100 service
4222.48 -> providers that's 8 million routes look
4224.56 -> at azure look at aws look at google look
4227.36 -> at 5 million customers that all have 40
4229.6 -> 000 routes it's not going to work so
4232.08 -> they have to make these trade-offs to
4234.32 -> make cloud computing possible
4236.32 -> remember they're renting you access to
4238.239 -> their data center so they can't break
4239.76 -> themselves either so supernetting is the
4242.96 -> exact opposite of subnetting
4245.76 -> network architects like me
4248 -> use supernetting every single day
4252.96 -> we take routes we summarize routes and we
4255.6 -> make the routing more elegant and this
4257.84 -> by the way the way you set up your ip
4260.56 -> addresses and if you guys want we can do
4263.679 -> towards the end of the week we can do an
4265.36 -> ip addressing workshop and show you how
4267.44 -> to set up your addressing for the cloud
4269.52 -> it's way way way above what you cover on
4272.159 -> the aws advanced networking but it's
4274.4 -> absolutely essential to actually be a
4276.32 -> cloud infrastructure architect so if
4277.679 -> you guys want that we'll happily do it
4279.36 -> but i want you to understand that super
4280.96 -> netting is you take multiple subnets and
4282.4 -> you aggregate them together
4286.32 -> so let's look at what it normally would
4288 -> look like so this is what route
4289.92 -> summarization is let's say we've got all
4292.4 -> these contiguous subnets 192.168.0.0
4296.4 -> 1.0 2.0 and 3.0 these are all in our
4300.4 -> data center
4303.199 -> now aws only gets us 100 routes which is
4306.56 -> kind of nothing
4308.239 -> one two this is four routes right over
4310.56 -> here but if i take all these and create
4313.84 -> a summary address or an aggregate route
4316.719 -> of 192.168.0.0/22
4321.04 -> all i need is to send that route to aws
4324.96 -> aws can reach that it can hit my router
4327.6 -> and once it gets to my router my router
4329.199 -> knows oh send it over here versus send
4331.12 -> it over here so super netting or route
4334.08 -> summarization is really used
4337.04 -> to influence your traffic traffic
4339.12 -> engineer your traffic and remove routes
4341.12 -> from the routing table
4342.4 -> to promote scalability performance and
4344.8 -> availability i hope that makes sense to
4346.48 -> you guys
4349.04 -> and if you need us we'll do a breakout
4351.199 -> session where we whiteboard it and
4352.48 -> design all this stuff together whatever
4354.159 -> you guys need to be good to get it
4356.56 -> completely because i want you guys all
4357.92 -> rock solid
4362.08 -> so now let's talk about ip addresses for
4364.88 -> a second
4367.6 -> we've been normally using ipv4 addresses
4370 -> ipv4 addresses have been around forever
4375.28 -> and
4376.239 -> it's a 32-bit binary address so if you
4378.88 -> want to know the available addresses you
4380.719 -> can do 2 to the 32nd minus 2. that tells
4383.36 -> us pretty much exactly every possible ip
4385.36 -> address that we have it's a good number
4387.04 -> of addresses a couple billion but it's
4388.64 -> not that many now ipv6 is a newer form
4391.76 -> of ip addressing newer isn't like only
4393.6 -> 30 years old
4394.96 -> um but we don't use it but it's getting
4397.52 -> used by mostly mobile phones at some
4399.12 -> point we'll be adopting it later to
4400.48 -> other things so let's look at this so
4402.88 -> far so
4404.719 -> it's a 128-bit hexadecimal address
4407.76 -> which means one
4409.12 -> two three four five six seven eight nine
4412.88 -> a
4414.239 -> b
4414.96 -> c
4415.679 -> d
4416.32 -> e
4417.12 -> f so 15 or 16 times 1
4420.96 -> 16 to the 128th power that is your
4423.04 -> number of ip addresses a lot so
4425.76 -> infinitely infinitely infinitely more
4428 -> scalable than ipv4
4430.88 -> typically mobile phones
4433.04 -> all interfaces in aws are given an ipv6
4436.64 -> address and there is no concept of
4438.8 -> private addresses because we don't have
4441.04 -> a problem running out of addresses
4448.159 -> so
4449.679 -> here we go i think we've covered this
4451.92 -> now i want to start moving into the
4454.64 -> virtual private cloud
4457.28 -> so before we do
4458.88 -> um just want to make sure we're all
4460.96 -> level set on the addresses um we're all
4463.44 -> going to we're moving on to the vpc
4465.84 -> looks like you guys want a subnet thing
4468.159 -> you guys asked for a subnet thing chris
4470.32 -> from my team heard it he is going to
4472.719 -> find a time to do a subnet workshop in
4474.56 -> the next few weeks everybody will be
4476.719 -> invited
4477.76 -> so
4480.4 -> um
4481.76 -> we got uh one very simple question i
4484 -> think we should answer how do you
4485.6 -> differentiate a public ip address versus
4487.52 -> a private ip address a private ip
4490.239 -> address will always
4492.48 -> be from the from the rfc 1918 address
4495.28 -> space it will always be something in the
4497.44 -> range of the 10.0.0.0/8
4500.8 -> the 172.16.0.0/12
4504.239 -> or the 192.168.0.0/16.
4507.92 -> all private addresses are inside of that
4509.92 -> range if it's not inside of that range
4512.08 -> it's not a private address
4514.239 -> but it's a great question that's their
4515.199 -> definition
4518.32 -> okay everyone let's talk about the vpc
4521.199 -> this is the fun this is the cloud stuff
4523.44 -> this is where we're touching the cloud
4524.719 -> networking and tonight we're going to
4526.64 -> have lots of fun with the vpc we're
4529.04 -> going to be configuring stuff and
4530.4 -> designing stuff and we're going to have
4531.6 -> a big big big party so please join us we
4534 -> love playing
4535.199 -> so
4536.159 -> what is part of the vpc realistically
4538.56 -> speaking we're going to be talking about
4539.84 -> routing and routing tables
4542.4 -> internet gateways
4543.92 -> we'll talk about egress only internet
4545.6 -> gateways we'll talk about nat gateways
4548.88 -> we'll talk about elastic ip addresses
4551.6 -> we'll talk about vpc endpoints
4554.159 -> we'll talk about vpc peering
4556.56 -> network access control lists
4558.96 -> and security groups okay it just hit me
4562.48 -> um
4567.44 -> so it hit me how many of you
4570.239 -> really know bgp
4571.92 -> so
4572.96 -> if you know bgp in the chat box type i
4576.08 -> know bgp
4578.08 -> if you don't know bgp and we're gonna
4580.4 -> need it for all the routing let me know
4582.159 -> and i'll do a quick bgp brief or for a
4584.64 -> quick bgp brief and then we'll go into
4586.96 -> it so i want to know what you need
4588.159 -> because you gotta know bgp there's no
4590.64 -> way to do any of this cloud networking
4592.08 -> without it so if you want me to cover
4594.48 -> bgp before we do this i will if you
4597.28 -> don't want me to let me know so just let
4598.96 -> me know
4602.32 -> it's looking like most people have said
4603.92 -> they don't know bgp and you're here to
4605.52 -> learn
4606.32 -> i will do some bgp realize it's going to
4608.96 -> take us about 45 minutes to get back to
4610.96 -> this stuff but
4612.4 -> um
4613.36 -> i've got one person that knows bgp
4615.84 -> uh two people that know bgp
4619.28 -> three please cover don't know don't know
4621.6 -> cover
4622.4 -> okay we're gonna have some fun with bgp
4624.48 -> let's talk about bgp
4626.64 -> or the border gateway protocol which is
4628.719 -> one of my absolute favorite
4631.84 -> favorite protocols i've got well over
4634.88 -> ten 000 hours of experience in bgp
4638.08 -> and let's talk about it the first thing
4641.12 -> that i want you to all know
4644.239 -> is in your vpc yeah aqua i would assume
4646.96 -> you do with your background
4648.64 -> um fantastic so um inside of your inside
4653.52 -> of your data center you're gonna have a
4655.679 -> routing table the routing table is the
4658.64 -> map that teaches you how to go from
4660.32 -> point a to point b
4663.04 -> that's the map
4664.96 -> so
4666.56 -> if you've not seen this it's going to
4668.96 -> look something like this in your cloud
4671.28 -> provider it's go you're going to have a
4673.199 -> table and it's going to be a funny
4674.56 -> looking table and inside of here i want
4676.8 -> you to see this i've drawn a manual
4678.8 -> routing table i've got a 172.16.1.0
4684.08 -> i've got a 172.16 and the target is
4686.88 -> where you're going to send your traffic
4688.32 -> to reach that
4690.56 -> i've got a 192 168.1.0
4693.6 -> /24 and a
4695.48 -> 0.0.0.0/0 which is a default route that
4697.6 -> points to my internet gateway
4700 -> i want you to look at this
4702.8 -> really really important
4704.56 -> see this 172.16.0.0/16
4709.52 -> and this 190 i'm sorry this
4711.28 -> 192.168.0.0/16
4715.92 -> and the 192.168.1.0/24
4723.56 -> contains the 192.168.1.0/24
4728.56 -> it contains it
4731.44 -> but look very carefully
4733.6 -> you can see that the aggregate or the
4736.159 -> slash 16 points to one interface
4739.12 -> oops
4740.159 -> and you can see that this slash 24
4742.32 -> points to another interface
4745.28 -> the virtual router in the vpc or the
4747.92 -> router in the data center it doesn't
4749.6 -> matter we'll say traffic destined to
4751.84 -> this
4752.8 -> /24 goes here traffic destined for
4756.239 -> anything that doesn't match this in this
4757.92 -> range go here so what routers do is they
4760.64 -> look for the most specific route
4764.48 -> the most specific route that's where
4767.6 -> they go the most specific route so when
4770.96 -> we're tuning things
4773.6 -> we're going to talk about tuning things
4775.28 -> next and we're going to have to put our
4777.199 -> propeller hats on because bgp is the
4778.96 -> most complicated routing protocol of all
4781.12 -> of them it's the one that 99% of all
4783.52 -> network engineers don't even know so
4785.52 -> we're gonna have to put our thinking
4786.48 -> caps on but i want you to understand
4788.239 -> this so
4789.28 -> let's do a brief bgp overview so
4793.679 -> why do organizations use dynamic routing
4796.8 -> protocols i want to make it very clear
4799.84 -> when you connect to the cloud you're
4801.84 -> going to have two options option one is
4804.719 -> you gotta if let's say you have a vpn
4807.12 -> you could put static routes you manually
4808.96 -> put a static route here's what a static
4810.4 -> route is and if you want to go to your
4812.4 -> friend's house that lives two thousand
4814.08 -> miles away you go to your computer your
4816.8 -> computer you print out directions
4819.36 -> and you leave your house
4821.28 -> now somewhere along the line are roads
4823.199 -> blocked you're stuck you don't know how
4825.36 -> to reroute around it you only know how
4827.36 -> to go left here for 100 miles go
4829.76 -> straight and that's your dynamic it's an
4831.6 -> old-fashioned map
4833.679 -> by comparison
4835.12 -> what if
4836.32 -> you had a gps in your car that could see
4838.96 -> the roads closed and recalculating
4840.8 -> recalculating re-routing
4842.719 -> that's what dynamic routing protocols do
4844.88 -> so organizations have two kinds of
4846.96 -> routing protocols that they use
4849.36 -> organizations have what's called
4850.96 -> interior gateway protocols and exterior
4853.84 -> gateway protocols so let's look at it
4856.8 -> inside of the aws network amazon
4859.36 -> themselves
4860.56 -> they're running an interior gateway
4862.239 -> protocol i can tell you it's either ospf
4865.199 -> or its intermediate systems to
4866.639 -> intermediate systems that is their igp
4869.6 -> for their organization for all their
4871.44 -> data centers
4873.52 -> now
4874.96 -> that's what they use internally interior
4877.679 -> gateway protocols are used inside of
4879.52 -> organizations to find the fastest
4881.44 -> routing to get your data from point a to
4883.679 -> point b that's what interior gateway
4885.36 -> protocols do
4888.159 -> now by comparison
4889.84 -> interior gateway protocols are used for
4892.08 -> an entity
4894.08 -> exterior gateway protocols are used to
4896.8 -> connect to entities so if you have aws
4900.08 -> on the right side of the screen and your
4902.159 -> data center on the left
4904 -> you're going to be running an interior
4905.28 -> gateway protocol for all your stuff in
4906.8 -> your data center to talk to each other
4909.92 -> aws inside of their cloud is going to be
4912.08 -> running their ospf to make sure their
4915.199 -> network is up and running
4917.12 -> but you don't connect aws with ospf or
4920.4 -> intermediate system to intermediate
4921.679 -> system you connect to them with
4923.04 -> regards to bgp
4924.719 -> bgp is an exterior gateway protocol
4927.28 -> which is used to connect you to external
4929.12 -> entities so this is what it's going to
4931.04 -> look like you'll have your data center
4933.04 -> they'll have their data center and
4934.4 -> you'll bgp to connect to aws
4937.199 -> that's why we're covering bgp here it is
4939.28 -> the most critical routing protocol
4942.8 -> when it comes to cloud computing and the
4944.719 -> reality is and the saddest part of this
4946.639 -> is there's probably a thousand people in
4948.159 -> the whole world that know bgp and
4949.92 -> they're all network people and for the
4951.76 -> most part almost nobody knows it i want
4953.84 -> you to know it is really important
4955.679 -> things so
4957.12 -> bgp is an exterior gateway protocol
4960.639 -> why do we use it
4962.719 -> to connect to external entities
4965.28 -> as i mentioned routers build the map of
4966.96 -> the network and they use routing
4968.48 -> protocols to build the map of the
4969.76 -> network to get to this destination go
4972.56 -> out the right arm to get to this
4973.76 -> destination go out the left arm to get
4975.76 -> to this destination go downhill uphill
4978.159 -> sideways routers have a bunch of ports
4980.32 -> on them and that's how they know to send
4981.679 -> their stuff based upon the map of the
4983.679 -> network
4984.84 -> so routing protocols inside of
4987.44 -> organizations we use interior gateway
4988.96 -> protocols ospf eigrp intermediate
4991.6 -> systems intermediate systems in between
4993.92 -> organizations we use an exterior gateway
4995.679 -> protocol most notably bgp
4999.04 -> bgp is used for the following reasons
5002.4 -> it scales like you can imagine three
5005.52 -> quarters of a million routes people we
5007.52 -> use bgp bgp allows for extreme tuning
5013.36 -> if you read the book internet routing
5015.04 -> architectures by bassam halabi and i
5016.88 -> encourage everybody to do so
5018.88 -> there's about 400 pages of different
5020.639 -> ways you can tune your training your
5022.88 -> your date your your traffic to go to the
5024.96 -> right place about 400 pages of different
5027.28 -> ways to tune your traffic and that's
5028.56 -> just get it scratching the surface so
5030.639 -> highly scalable highly tunable lots of
5033.76 -> traffic engineering now when you're
5035.84 -> using bgp i need you to remember this
5039.6 -> it's unicast
5041.679 -> every other routing protocol almost for
5043.36 -> the most part identifies each other with
5045.28 -> hellos that are multicast bgp is unicast
5049.199 -> which means sent directly from one user
5051.6 -> to another unicast not one to many one
5054.88 -> to one now test question here
5057.84 -> ding ding ding you're going to see on an
5059.04 -> exam
5060.639 -> tcp
5062 -> our bgp uses tcp port 179
5065.84 -> tcp based port 179
5068.719 -> yes you will see that on an exam why do
5070.88 -> i care
5072.159 -> not for an exam because you're going to
5074.08 -> be dealing with firewalls
5076 -> and you may have to allow tcp port 179
5079.44 -> through your firewall if not your own
5081.92 -> network will break so bgp uses tcp port
5084.96 -> 179 know it know it know it it is
5088.239 -> essential to know this
5093.84 -> so
5094.56 -> let's talk about how it works
5097.76 -> so bgp
5099.199 -> and all these protocols are algorithms
5102.48 -> and let's work through the algorithm
5105.12 -> now this sounds like surgical torture
5107.6 -> algorithm work and you know what
5110 -> it's a little ugly but when you know the
5113.84 -> algorithm
5115.04 -> and you know how to tune the algorithm
5118 -> wow what kind of cool stuff you can do
5120.8 -> when you can tune the algorithm so we're
5123.12 -> going to talk about bgp we have to talk
5124.96 -> about the finite state machine and the
5126.8 -> four messages and then we tune in
5128.56 -> traffic engineer that's where the magic
5130.4 -> happens and
5132.56 -> so let's talk about the four messages
5134.56 -> there's going to be an update an open
5136.4 -> message a keep alive message an update
5138.56 -> message and a notification message so
5141.36 -> let's go talk about the open message and
5143.44 -> what it is
5144.8 -> so let's say you've got two routers
5146.719 -> remember tcp port 179 so what's the best
5150.4 -> thing they do
5151.92 -> tcp port 179
5154.08 -> you send an open message the open
5156.4 -> message says hello neighbor
5158.4 -> i'd like to form a relationship i'd like
5161.04 -> to start exchanging information in that
5164 -> open message they talk about their bgp
5165.84 -> version 3 4 what have you they identify
5168.8 -> your autonomous system number which is what
5170.639 -> identifies you on the network and they
5173.28 -> come up with they exchange their
5174.719 -> parameters such as like their hold
5176.159 -> timers and their bgp identifiers open
5178.48 -> says hello sir hello ma'am please form a
5181.04 -> relationship with me i'd like to start a
5182.719 -> conversation in exchange routes that's
5184.639 -> what the open message is
5186.96 -> then there's something called a keep
5188.4 -> alive i don't know how many of you guys
5190.56 -> are familiar with health checks
5192.96 -> when it comes to dns and load balancers
5195.04 -> if you're not by the end of the week
5196.48 -> you're going to be an expert
5198.32 -> so
5199.12 -> a keep alive is like a health check
5201.44 -> basically you've got one router sending
5202.96 -> a message to another router are you
5204.4 -> there
5205.199 -> are you there
5206.32 -> are you there and this guy says i'm here
5209.199 -> i'm here i'm here this guy says are you
5211.679 -> there this one doesn't respond this guy
5213.92 -> says are you there doesn't respond
5216.4 -> are you there it assumes the bgp
5218.32 -> neighbor is dead it tears it down
5220.88 -> kind of simple
5222.48 -> just like where do we see something like
5224.32 -> this why do we where do we see something
5226.48 -> so simple like this
5228.159 -> we see it with a load balancer we see it
5230.56 -> with dns health checks they're
5232 -> everywhere where do you think these
5233.199 -> health checks came from that we're using
5234.719 -> 50 years of 30 and 40 years later with
5236.719 -> us from the networking so open hello
5239.44 -> let's have a conversation
5241.84 -> keep alive
5243.12 -> i'm here are you there are you there so
5244.88 -> let's keep going on let's work through
5246.48 -> this an update information okay
5250.239 -> i've got my neighbor relationship we
5251.84 -> shook hands we're friends i say i'm
5254.08 -> alive they're alive that's the keep
5256.08 -> alive is not icmp sm7 uh it's part of
5258.639 -> the bgp protocol it is a bgp open
5260.639 -> message which is tcp based i'm saying
5262.88 -> it's an it's a keep alive message which is
5264.159 -> tcp based so now
5267.199 -> i've learned a new route
5269.12 -> hmm
5270.48 -> i want to tell my my bgp neighbor i sent
5273.199 -> an update message or
5274.96 -> a route went away i withdraw the route
5277.44 -> so an update message basically says
5281.28 -> withdraw a route or information
5284 -> about the route
5285.36 -> now the last kind of message is a
5286.96 -> notification message so if an open
5289.199 -> message is hello let's have a
5290.32 -> conversation and a keep alive is things
5292.4 -> are good and an update is when you want
5295.12 -> to remove something or add something all
5297.679 -> those things are good
5299.199 -> and notification message is not a good
5301.28 -> thing a notification message is when
5303.199 -> your wife calls you to yell at you
5304.48 -> because she's mad at you for doing
5305.52 -> something stupid
5306.719 -> so a notification message basically says
5309.36 -> there's a problem here
5311.04 -> this is we're going to tear down the
5312.239 -> connection there hasn't been an error
5313.6 -> that's detected so notification not so
5315.92 -> good open let's let's form a
5317.679 -> relationship keep alive i'm alive you
5319.44 -> alive let's continue our dance
5322 -> update something changed notification we
5324.8 -> got a problem houston we have a problem
5327.04 -> so now let's talk about how these guys
5329.84 -> form their neighbor relationship
5332.639 -> now this and next the attributes are
5336.32 -> going to which i know are a little heavy
5338.08 -> i got my geek hat on i got both
5339.76 -> propellers spinning really fast but we
5341.52 -> got to know this and it's part of the
5342.8 -> architect's job so
5344.719 -> there's going to be a couple phases we
5346.4 -> need to talk about about the neighbor
5347.76 -> relationship so
5349.76 -> talk about the idle phase the connect
5351.84 -> phase the active phase the open sent
5354.239 -> phase the open confirm phase and the
5356.719 -> established phase and for all of you got
5358.32 -> much deeper bgp training on this
5360.96 -> youtube channel if you need and if you
5362.32 -> guys want more i'm always happy to play
5363.679 -> mr bgp
5365.76 -> so
5366.8 -> when you first
5368.48 -> turn bgp on the routers are in what's
5371.36 -> called an idle state they're looking for
5373.36 -> a tcp connection
5376.48 -> and if the two routers form that tcp
5378.4 -> connection like we talked about before
5380.48 -> when the open message is sent
5382.4 -> the bgp speaker transitions to open sent
5385.44 -> this means everything is good
5388.239 -> oh wait what if that doesn't happen what
5391.44 -> happens if we try
5393.04 -> to uh connect and and all of a sudden we
5395.28 -> send that open message and it doesn't go
5397.28 -> through to the neighbor we transition to
5399.28 -> an active place active is a bad place
5401.6 -> active basically means we're going to
5402.88 -> try and re-establish a connection i'm
5404.719 -> going to get out of this as fast as i
5406 -> can everyone but i want you to be you
5407.679 -> guys to be able to get it
5410.88 -> then assuming go from open to open
5413.199 -> sent everything is good
5415.36 -> the
5416.159 -> far and router will say i got your open
5418.4 -> message
5419.44 -> now i'm going to send you a keep alive to
5420.96 -> know that i'm here so you know that i
5422.159 -> exist
5423.199 -> and then once the keep alive gets sent
5425.36 -> it transitions to something called open
5427.199 -> confirm when we hit open confirm
5430.08 -> realistically speaking this means that a
5432.159 -> message was sent and received between
5434.239 -> the bgp neighbors when that occurred
5437.04 -> both bgp speakers come up and they
5438.96 -> reach a state called established
5441.04 -> established means the handshake's been
5442.639 -> completed router one's now a bgp peer
5445.36 -> they're now good buddies they're great
5447.52 -> buddies they're exchanging routes and
5449.36 -> everything is good we want to see
5452 -> established
5454.08 -> so let's briefly briefly talk about
5455.92 -> attributes then we'll get into the fun
5457.44 -> part which is the architectural tuning
5459.04 -> of it and then we'll go back to the aws
5461.28 -> vpc but at least we gave you guys some
5464.56 -> networking fundamentals which i think
5466.56 -> are really really important so let's
5468.4 -> talk about the bgp attributes and what
5470.4 -> they are there's going to be an
5472.08 -> attribute called the origin
5475.12 -> the origin is just how you learned about
5476.56 -> the route
5477.679 -> did you learn about it because it was
5479.199 -> inside of your interior gateway protocol
5481.12 -> which would be the best did you learn
5482.8 -> about it through bgp where did you learn
5484.88 -> about it you don't know how you learned
5486.08 -> about it which is called incomplete
5489.199 -> so the next thing is regards to the path
5491.76 -> i'm going to get out of this really fast
5493.12 -> guys bear with me for five minutes to
5495.12 -> get through the bgp so we can tune it
5498.239 -> so how do we learn the routes every time
5501.04 -> the routes go through an autonomous
5502.48 -> system or a company what happens is they
5504.159 -> get prepended or they add it they add it
5508.4 -> so what will happen is we'll work
5510.159 -> through this the path will show how far
5512.08 -> away it is
5513.44 -> then we'll talk about the next hop which
5515.199 -> is where you go from
5516.88 -> from one router to the next
5518.96 -> and we'll work our way through this then
5520.56 -> there's a parameter called weight
5523.04 -> the higher the weight the more preferred
5525.52 -> the path is
5527.679 -> so let's talk about the path selection
5529.199 -> process then we're done then we're going
5530.719 -> to just talk about how to tune it so i
5533.199 -> need you to all understand this
5535.44 -> this is the perfect interview question i
5537.92 -> ask this to everyone
5540 -> and if somebody doesn't know this i
5541.76 -> can't hire them ever
5543.84 -> everybody i deal with is so the path is
5546.639 -> prefer the path with the highest weight
5549.679 -> next prefer the path with the highest
5552.08 -> local preference if the local
5554.159 -> preferences are the same prefer the path
5556.159 -> that was originated locally on the
5557.84 -> router
5559.28 -> if the r if the origination of the
5561.28 -> routes and the local preferences are the
5563.04 -> same take the path with the shortest as
5564.96 -> path if the as paths are the same take the
5567.6 -> one with the shortest origin code
5570.48 -> then
5571.44 -> if the origin codes are the same prefer
5573.36 -> the path with the lowest med
5575.28 -> and then prefer ebgp routes over ibgp
5578.08 -> routes and then it gets really stupid so
5579.92 -> i don't even want to go there so let's
5581.6 -> walk through a couple of situations and
5584.239 -> let's just kind of walk through so we
5586 -> can look at it and then let's get into
5587.6 -> some of this some of the aws more
5589.679 -> specific stuff
5591.84 -> let's take this particular environment
5594 -> let's see you've got an organization
5596.159 -> and a date on the right and you've got a
5598.4 -> data center i've got to make sure that
5599.92 -> we give you guys
5601.44 -> access to the actual subnets i don't
5603.04 -> know how i'm going to do this so now
5607.199 -> okay let's do this bear with me
5609.199 -> make the make the image smaller
5612 -> make the image smaller excellent idea
5613.52 -> yeah so click yeah
5617.44 -> okay excellent can you guys oh that's
5619.76 -> perfect
5623.04 -> thank you
5624.639 -> so let's go into this environment
5627.199 -> note i have two links between
5632 -> aws
5634.32 -> and the data center
5636.32 -> two connections
5638.48 -> now i've got options
5640.96 -> and the reason we're talking about this
5642.719 -> and we're going to talk about it more
5644.159 -> later but the reason we're talking about
5646.159 -> this is as follows
5648 -> if the if this connection
5650.239 -> and this connection are what's called
5651.92 -> the same cost
5653.52 -> meaning
5654.48 -> in the routing world
5656.719 -> it's the same distance to go from here
5659.36 -> to here as it is to here to here and in
5661.76 -> most cases they're going to be what will
5664.08 -> happen is you could send your data from
5666.56 -> the data center over the top link
5669.52 -> and your data could come back on the
5671.199 -> bottom link so what could happen is you
5673.28 -> could be you could be leaving the top
5675.92 -> going to across the top link for your
5677.92 -> data set and half your data can be
5679.44 -> coming back on the bottom link
5681.52 -> now let's be fair if i send you data to
5684.719 -> your house on the highway and it comes
5686.639 -> back the same highway it's great
5690 -> but if i send you some data and some of
5692.4 -> it takes a turnpike and some of it takes
5694.08 -> i-95
5695.679 -> the problem is your traffic is going to
5697.36 -> get back at two different periods of
5698.96 -> time so
5700.4 -> realistically speaking anytime you're
5702.239 -> going to have two direct connections to
5703.92 -> aws
5705.36 -> or any kind of redundant connections
5707.28 -> you're going to have to do something
5708.639 -> about it if you don't do something about
5711.199 -> it
5713.119 -> you will have a problem so if you just
5715.52 -> get two direct connections from aws
5717.76 -> expect problems unless you deal with the
5720.239 -> bgp side of it which is why i feel like
5722.639 -> you can't ignore bgp in an aws advanced
5724.719 -> network course you will have problems
5726.4 -> what will happen is let's say your
5728.159 -> traffic will go out the top link and
5729.84 -> then come back to bottom line
5732 -> so i want you to understand the nature
5733.84 -> of the problem
5735.119 -> nobody
5736.239 -> buys both of these links the top link in
5738 -> the bottom link from the same service
5739.28 -> provider because it would be crazy if
5741.199 -> you put all your links in the aw in if
5743.6 -> you put all your links in at&t and at&t
5746.56 -> has an outage both links go but if your
5749.119 -> top link is with at&t your bottom
5751.679 -> link is in verizon if one of your
5753.52 -> routers dies or one of your internet
5754.88 -> service providers dies you're still in
5756.48 -> good shape it doesn't matter so what
5758.56 -> organizations are all going to do
5760.719 -> is they're going to have a connection
5762.08 -> and they're going to have a backup
5763.199 -> connection but they can't have their
5765.52 -> data going on one link and coming back
5768 -> so you've got two options for traffic
5770 -> engineering
5771.6 -> option one is to block one of the links
5773.92 -> and the and it'll only come in on backup
5776.32 -> you can do that by making one link look
5778.719 -> ugly
5779.679 -> option two is you can intentionally load
5782.08 -> sure you can intentionally send one
5784.4 -> subnet on the top and one subnet on the
5787.679 -> bottom
5789.28 -> and if either link will go away
5792.08 -> then what you would actually do
5794.719 -> realistically speaking like if the top
5797.04 -> link were to go away you can send the
5799.119 -> traffic on the bottom link
5801.84 -> so what i would do and this is what i've
5803.84 -> done here is if you can see very
5805.199 -> carefully on the top link i've sent a
5807.6 -> specific route to the 172.16.0.0/16
5812.719 -> and on the bottom link i sent a specific
5814.8 -> route to 172.17.0.0/16
5817.239 -> i've pre-programmed that now
5821.679 -> if the bottom link goes away don't worry
5823.76 -> i've got the top link in the top link in
5825.36 -> the bottom link now i also put this
5827.679 -> aggregate route or this summary route of
5829.6 -> the 172.16.0.0/15
5835.119 -> that by the way
5837.36 -> enables me to have reachability should
5839.28 -> one of the links go so the easiest way
5842.08 -> to load share without getting out of
5843.76 -> order packets are to do as follows
5846.239 -> send specific routes on one link more
5849.199 -> specific route another specific route on
5851.04 -> a different link send a summary route
5853.199 -> and that way one you're load sharing
5855.52 -> across both and you don't get out of
5856.96 -> order packets that's the easiest and
5859.36 -> most elegant way to do this but it's not
5861.679 -> the only way to do this
5865.199 -> the next option that you have
5867.52 -> is if you wanted to influence the
5870.639 -> direction that you're sending your
5872 -> traffic and mind you you have to do this
5873.679 -> in both directions in an outbound i'm
5875.679 -> just showing you one direction to make
5877.04 -> it easy so it doesn't look ugly what you
5879.44 -> can see here is on the top link we've
5881.52 -> made 172.16
5884.239 -> more preferred and on the bottom link
5887.04 -> we've made 172.17 more preferred and
5890.48 -> i'll and the way we did it is as follows
5893.76 -> what we did ultimately did over here
5897.6 -> is
5898.4 -> prefer the path with the highest weight
5901.6 -> so note i took 172.16.0.0
5905.52 -> and raised the weight to 35000.
5909.119 -> i then took
5911.32 -> 172.17.0.0 on the bottom link and raised
5914.239 -> that weight to 17000. so then what i
5917.52 -> did is i took those subnets that i
5919.36 -> didn't want to be used and i chan and i
5922.08 -> reduced their weight or gave them the
5923.679 -> default weight so if you can see what i
5925.679 -> did here i made the weight higher from
5927.44 -> one subnet on the top link i made the
5929.84 -> weight higher for a different subnet on
5931.679 -> the bottom link and in the process of
5934.08 -> doing all of this
5936.159 -> i'm load sharing without getting out of
5938.56 -> order packets
5941.92 -> again this is what every internet
5943.84 -> service provider does this is what
5945.84 -> network architects like me do
5947.76 -> all day every day every time we've got
5949.92 -> multiple direct connections to a cloud
5951.52 -> provider this is what we do
5955.199 -> now
5956.32 -> remember we said prefer the path with
5958.48 -> the largest weight prefer the path with
5960.719 -> the largest local preference so option
5963.119 -> here again
5964.48 -> we raise the local preference from 100
5966.56 -> to 200 to our specific route over here
5969.119 -> we then raised the local preference for
5971.28 -> a more specific route over here and then
5973.6 -> we keep the default for something else
5975.52 -> and now we again load sharing without
5977.28 -> out of order packets let's do it another way
5979.679 -> prepending the as path
5982.639 -> if you'll recall i told you every time
5984.96 -> you traverse an autonomous system
5987.199 -> it adds so let's look at this top link
5990.08 -> we've so let's assume
5992.159 -> um this path of this autonomous system
5994.56 -> that we're talking about
5996.32 -> is 64523 so if it
5999.28 -> learns the route 172.16
6001.92 -> it's learning the path via 64523
6004 -> but look what i did to 172.17
6007.28 -> to make it look ugly
6008.96 -> i added an additional 64523
6011.6 -> path that's called prepending or
6013.92 -> as path prepending what did i do there i
6016.8 -> just did it why did i do it
6019.679 -> i want this route to be more attractive
6021.92 -> than this route so that's why i did that
6024.56 -> this route again will be more attractive
6026.159 -> because it's the shortest path and like
6028.159 -> i said we could have tuned the med too
6030.32 -> of course we could have tuned the med
6031.6 -> prefer the path with the lowest med
6034.56 -> i want this route to be preferred i gave
6036.4 -> it a lower med i want this route to be
6037.92 -> preferred i gave it a lower med
6041.04 -> that's why we're using bgp everybody
6045.199 -> that's why we use bgp so we use bgp for
6049.36 -> the following reasons
6051.28 -> it's tunable
6052.96 -> it scales
6055.04 -> so
6056.639 -> when do you use bgp with aws now that
6059.84 -> we're getting into the fun part of the
6062.08 -> vpc
6063.36 -> anytime you have a direct connection
6065.28 -> you're using bgp
6067.36 -> anytime you're using cloud hub you're
6069.28 -> using bgp
6070.96 -> anytime you want to do dynamic routing
6073.679 -> you're using bgp so the real thing is
6075.52 -> when are using bgp in the cloud
6077.04 -> computing environment
6078.4 -> everywhere
6079.92 -> so you know if we have to we'll do more
6081.84 -> bgp training for you guys at some point
6084.08 -> but bgp training is everywhere so
6089.04 -> when you're dealing with aws it's got a
6091.199 -> very limited bgp implementation but it
6093.44 -> does support the key things weight local
6096.48 -> preference as path specificity of
6098.48 -> routing information so you can use it
6100.8 -> exactly like what we talked about
6103.28 -> okay everybody let's talk about some aws
6105.6 -> stuff let's start with an internet
6107.84 -> gateway
6109.52 -> we got into the aws stuff now the fun
6112.08 -> stuff but when did you do those
6113.84 -> fundamentals so let's talk about
6115.92 -> internet gateways everybody type
6118.239 -> internet gateways in the chat box we'll
6120.32 -> talk about internet gateway so what is
6122.719 -> an internet gateway
6125.76 -> an internet
6127.199 -> gateway
6128.48 -> right now is simply a router that
6130.4 -> connects to the internet
6134.32 -> that's it
6135.36 -> an internet gateway is a router that
6137.6 -> connects to the internet
6139.44 -> if
6140.4 -> you want to connect to the internet
6142.96 -> you need an internet gateway that's it
6145.92 -> in a data center when you connect to the
6147.52 -> internet you have a router that you buy
6149.679 -> a wan connection to the internet
6151.679 -> what do you do in the cloud you get an
6153.119 -> internet gateway and it is a virtual
6155.76 -> router with a virtual connection to the
6157.92 -> internet that's it
6159.679 -> now when you're dealing with the aws
6161.44 -> internet gateway they like to say that
6164.08 -> there's no bandwidth or performance
6165.76 -> constraints
6168.48 -> so they're going to tell you that its
6170.08 -> scales it scales it scales
6172.8 -> just remember it this way you get an
6174.8 -> internet gateway it's a router that
6177.52 -> connects your vpc to the internet don't
6180.08 -> make it so complicated so while we're at
6182.639 -> it let's talk a little bit more about
6184 -> internet gateways here's what you do how
6186.4 -> you set it up the internet gateway is
6188.08 -> created in the following manner
6191.679 -> you attach an internet gateway to your
6193.76 -> vpc
6195.119 -> you put a default route on your systems
6198.159 -> that says send all unknown or
6200.84 -> 0.0.0.0/0 traffic to the internet
6203.92 -> gateway
6205.28 -> you put a public address on your
6207.119 -> internet gateway because remember it's
6208.88 -> gonna be on the internet so it must have
6210.639 -> a publicly facing address
6212.88 -> and that's it
6214.08 -> you're on the internet now okay this is
6216.719 -> real internet access
6218.56 -> if i connect to the internet and i'm
6221.119 -> now on the internet i'm here on the
6223.199 -> internet what's gonna happen to me i'm
6225.04 -> gonna get hacked
6226.719 -> so the second your systems are on the
6228.56 -> internet they will be hacked internet
6231.6 -> gateway gets you straight to the
6233.119 -> internet
6234.719 -> now if you're on the internet
6236.639 -> you're gonna need firewalls and ids ips
6239.04 -> systems and the whole gamut
6241.28 -> to protect you
6243.04 -> so please understand that you you know
6245.76 -> that you need that to protect you so
6248.08 -> we're going to have to talk about
6249.28 -> security when we do these kind of things
6253.119 -> so let's realistically look at what this
6254.8 -> concept of an internet gateway really is
6257.679 -> so in this particular environment and
6259.679 -> let's say we've got to move this stuff
6261.119 -> over
6262.48 -> what we have here is we've got an
6263.92 -> internet gateway that's connected to the
6265.36 -> internet
6267.36 -> the internet gateway is really a router
6269.44 -> we're separating the router because
6270.8 -> we're using the logical
6273.04 -> vpc router and what you can see is your
6275.679 -> instances that basically have a network
6277.44 -> load balancer that has an external
6279.679 -> ip address which is on the same subnet
6281.92 -> as the internet gateway so basically
6284.32 -> that's how your systems will be
6285.52 -> reachable from the internet internet
6287.28 -> gateway will be here you'll have a load
6289.36 -> balancer that'll front end your servers
6291.04 -> and the external end of the edge of the
6292.8 -> load balancer will have a public-facing
6295.199 -> ip address
6298 -> that is an internet gateway
6302.639 -> are we ready to keep going or do i need
6304.48 -> to stop take some questions for 10
6306.08 -> minutes before we cover the rest uh you
6307.84 -> guys tell me if you're good to go from
6309.76 -> internet gateways to egress on the
6311.119 -> internet gateways
6312.8 -> let me know if you guys need to ask some
6314.4 -> questions let me know i can't tell um
6316.88 -> because we're on youtube so
6318.96 -> instead of zoom so i can't see your
6320.88 -> faces so i don't know but if you can
6322.239 -> even stop for questions great otherwise
6324.159 -> we'll go for about five or ten minutes
6325.52 -> more
6332.48 -> abigail you got some questions ask some
6334.08 -> qu let's see what everybody says
6339.28 -> i'm going to keep going until uh until
6341.76 -> we get some responses and then chris is
6343.36 -> going to tell me what to do
6344.88 -> so
6347.199 -> let's
6348.32 -> actually we're starting to get some real
6349.6 -> questions
6350.639 -> um
6354.159 -> let's do some questions some of these
6355.36 -> questions are starting to feel pretty
6356.56 -> real
6357.36 -> dimitri
6358.96 -> it is clear how traffic routed inside
6360.8 -> the vpc how to find the
6369.199 -> dimitri
6370.4 -> it is clear how routed traffic and i'm
6372.56 -> not really sure i understand the
6373.84 -> question um how does the traffic find
6376.32 -> your vpc dimitri well ideally traffic
6379.76 -> would not find your vpc
6382 -> at all all the systems on your vpc would
6384.719 -> be private and connected internally to
6386.88 -> you and your systems nobody should find
6388.96 -> it what should happen is on your data
6391.36 -> center side you've got a router that's
6393.28 -> plugged into the
6394.48 -> it's got a direct connection for example
6396 -> to aws and with bgp you exchange routes
6399.04 -> and all the systems inside of your data
6400.8 -> center know exactly how to reach in the
6402.239 -> cloud because you've exchanged bgp with
6404.639 -> the cloud provider the cloud provider
6406.08 -> has routes back to your data center
6407.92 -> that's the way it should work in a
6410.08 -> normal world now
6412.48 -> how will it find your websites for
6414.32 -> example that's easy your dns provider
6417.6 -> will point to your external facing
6420.08 -> website or your load balancer your
6421.6 -> content delivery network so that's how
6423.84 -> traffic outside is going to find you
6426.32 -> inside your vpc your traffic's going to
6428.08 -> know exactly what to do because it has a
6429.84 -> virtual router
6432.48 -> and the virtual router will build a
6434 -> routing table that's how your traffic
6435.44 -> inside your vpc works
6444.719 -> pierre does a network load balancer face
6446.719 -> the internet before the router
6448.96 -> um you've got the router
6451.36 -> behind the router you've got the front
6453.36 -> edge of the network load balancer
6455.52 -> and then behind that you've got the
6457.199 -> servers
6463.76 -> what is the maximum internet bandwidth
6465.36 -> supported by aws you'd have to call them
6467.36 -> it changes constantly and just because
6469.44 -> they have a standard bandwidth that can
6471.6 -> then change after you request specialty
6473.6 -> services above so you got to call them
6480.159 -> okay i didn't see chris pop anymore up
6482.56 -> there so
6483.92 -> let's go back to the egress only
6485.6 -> internet gateway so i had previously
6488.08 -> talked about internet gateways which
6491.04 -> provided real
6493.04 -> internet connectivity and what i mean by
6495.28 -> real is i'm reachable from the internet
6497.44 -> and i can go to the internet reachable
6499.44 -> from the internet go to the internet
6501.44 -> that's real internet access to me
6503.52 -> bi-directional go to the internet come
6506 -> back from the internet go to the
6507.28 -> internet come back in the internet
6510.08 -> so
6512.639 -> but what if
6514.48 -> i wanted egress only so let's talk about
6516.8 -> egress only then
6519.84 -> i'm right now sitting inside of my house
6522 -> behind my firewall
6524.719 -> i don't need anybody to reach anything
6527.04 -> inside of my house for any reason
6528.719 -> whatsoever
6530.08 -> none
6531.04 -> well
6532.639 -> some people have to reach my dmz to get
6534.32 -> into some of my clouds to play around
6535.84 -> but
6537.52 -> nobody
6538.56 -> needs otherwise to get behind my
6540.32 -> firewall in my house no one so i'm
6542.56 -> firewalled off right now but
6545.04 -> inside of my subnet where i'm sitting
6547.679 -> i've got 924 core servers the little
6550.159 -> geek in me comes out every once in a
6551.6 -> while and i like to experiment i've got
6553.76 -> my system which is a 32 core
6555.679 -> threadripper system that i'm using right now
6558.08 -> i don't want anybody accessing my
6559.52 -> systems
6560.639 -> i've got video encoders i've got cameras
6563.28 -> and they're all sitting behind the
6564.8 -> firewall
6566.719 -> many of these devices i'm talking about
6569.36 -> may need to be patched for
6570.56 -> vulnerabilities
6572.4 -> i'm in a thing that's streaming video
6575.679 -> so guess what
6576.96 -> i've got my traffic that comes back from the
6579.119 -> internet i've got to send video to
6581.04 -> youtube i got to be able to see things
6583.199 -> so i need to be able to go to the
6584.639 -> internet let my traffic come back to me
6586.88 -> but i don't want to be reachable
6588.8 -> so that's what's called egress only
6591.04 -> internet access
6592.719 -> meaning i can reach the internet to pull
6594.8 -> stuff and come back to me but i'm not
6596.56 -> reachable from the internet so
6599.44 -> this is really something special so this
6602.4 -> gives you security and internet
6605.119 -> connectivity at the same time the good
6606.719 -> stuff so an egress only internet gateway
6609.28 -> that's what it is now
6611.52 -> in the context of aws
6614 -> an egress only internet gateway only
6615.92 -> works for ipv6
6618 -> a nat gateway which is also an egress only
6620.639 -> internet gateway has a different
6621.92 -> name egress only means out
6625.04 -> and back
6626.4 -> so with aws an egress only internet
6628.56 -> gateway according to their terminology
6630.4 -> is only for ipv6 remember all ipv6
6634.08 -> addresses are public there's no concept
6636.239 -> of private addresses the egress only
6638.4 -> internet gateway lets my ipv6 traffic
6640.4 -> out to the internet and return but it
6642.4 -> does not allow anyone to reach into me
6646.639 -> that is called an egress only internet
6649.119 -> gateway
6651.04 -> now
6652.88 -> let's say we're using ipv4
6656.8 -> we want to go out to the internet to
6658.8 -> update the operating system on our
6660.719 -> systems
6661.76 -> guess what we have a couple ways we can
6663.599 -> do that
6664.719 -> we could use
6666.08 -> a nat gateway which is something we'll
6667.76 -> talk about and we could use something
6669.76 -> else that's not a nat gateway we could
6672 -> use something else that's called a nat
6674.4 -> instance
6675.52 -> so let's talk about the two options
6677.44 -> first we're going to begin with nat
6678.56 -> instances now when i talk about nat
6680.719 -> instances
6685.84 -> what we're really talking about
6688.48 -> is a system in ec2 instance a computer
6692.719 -> that's going to translate one address
6695.76 -> to another address that's what nat does
6698.56 -> it translates one address to another
6700.239 -> address now nat to me could go from one
6702.96 -> company to another company
6704.96 -> that does not have to be to go to the
6707.04 -> internet that is translation of one
6709.04 -> address to another and that's it that's
6710.48 -> what that means
6712.159 -> but
6713.36 -> a nat instance in aws
6716.56 -> is used to give people egress only
6719.36 -> internet access so what happens is you
6721.599 -> set up a nat instance and i'll
6722.88 -> graphically show you what it is
6724.639 -> and then you point the nat instance to
6726.32 -> the internet gateway and what happens is
6728.88 -> that the nat instance enables egress only
6731.199 -> internet access to the hosts that are
6733.119 -> using that instance while the nat
6735.679 -> gateway i'm sorry while the internet
6737.84 -> gateway provides true internet access to
6739.679 -> the nat instance so let's see what this
6741.84 -> looks like architecturally speaking
6744.719 -> you've got the internet
6746.4 -> behind the internet you've got your
6747.599 -> internet gateway which is your internet
6748.96 -> router you've got your nat instance
6751.76 -> and you've got your private subnet so
6754.159 -> all these servers that are behind the
6755.76 -> nat instance they can go to the internet
6757.92 -> to update their operating system but
6759.36 -> they won't be reachable from the
6760.8 -> internet because it's egress only
6765.36 -> let's talk about one more kind of nat
6767.76 -> with aws and we'll call this a nat
6770.639 -> gateway
6772 -> that's a nat gateway well a nat
6774.48 -> gateway is a fully managed nat service
6776.32 -> so we just looked at a nat instance
6778.48 -> where you needed an internet gateway and
6780.159 -> then a nat instance
6782 -> a nat gateway is kind of this
6783.44 -> all-in-one kind of concept it's a fully
6785.76 -> managed nat service it's high
6787.28 -> availability meaning it's not going to
6789.28 -> go fall apart because it's a logical
6791.119 -> device but you need one per az per
6794.239 -> availability zone
6796.159 -> what you do is
6797.44 -> you create a nat gateway
6799.44 -> in a public subnet it has an elastic ip
6801.92 -> address and you give everything a
6803.119 -> default route to the nat gateway and
6804.88 -> then everybody goes to the internet and
6806.4 -> everything works great
6808 -> let's look at this situation over here
6809.679 -> it's really kind of cool
6811.84 -> we've got our servers and a private
6813.44 -> subnet they're not hackable they're not
6815.52 -> reachable from the internet but they can
6816.96 -> go out to the internet update their
6818.48 -> operating system and be done
6822 -> that's what a nat gateway does
6826.48 -> so
6828.08 -> now let's keep well so before we go over
6830.08 -> let's do these nat things one more time
6832.719 -> egress only internet gateway ipv6
6836.32 -> go out
6837.679 -> and return but not reachable
6839.84 -> nat instance plus internet
6842.239 -> gateway
6843.44 -> egress only ipv4 traffic go out allow
6847.28 -> your return traffic back nothing else
6851.28 -> okay so next on the list
6855.599 -> nat gateway
6857.119 -> single device has an internet gateway
6859.52 -> and basically a nat instance on a
6860.96 -> single device allows you traffic out to
6862.56 -> the internet and comes back
6864.32 -> now you know the three so
6866.56 -> let's talk about ethernet cards and
6868.719 -> network interfaces
6870.719 -> every computer that we need has to get
6873.199 -> plugged onto the network if we don't
6874.8 -> plug it on the network you can't use it
6876.719 -> it's not reachable
6878.159 -> so what does every computer need it
6880.239 -> needs a network card or a network
6881.92 -> interface
6883.04 -> so
6884.56 -> when we're dealing
6886.48 -> with um
6890.32 -> networking and we're dealing with
6891.76 -> servers they're going to have a network
6893.36 -> card
6894.239 -> um realistically speaking
6896.639 -> inside of our systems now when we're
6898.4 -> normally dealing we're dealing with a
6899.679 -> physical ethernet card when we're
6901.44 -> dealing with the cloud we're dealing
6902.8 -> with virtualized everything
6905.8 -> virtualized everything which means your
6908.56 -> network cards are going to be
6909.44 -> virtualized and they're going to be
6910.48 -> called an elastic network interface now
6916.239 -> an elastic network interface is a
6918.239 -> virtual interface remember there is no
6920.159 -> such thing as physical in the cloud it's
6922.4 -> not like i can stick a firewall in a
6924 -> rack it's not like i can stick a
6925.199 -> physical router in there it's all
6927.36 -> virtualized stuff at the cloud provider
6930 -> so
6930.8 -> when you start your system it's got one
6932.8 -> it's going to be called eth0 that's
6934.8 -> going to be your default you know
6936.239 -> elastic network interface but there are
6938.96 -> times
6941.199 -> where you need to put multiple network
6942.88 -> cards in the server maybe you want to
6944.56 -> put a server in two different
6946.239 -> environments there's lots of reasons you
6948.56 -> could do it there's some kind of really
6950.32 -> horrible monster scary dangerous
6952.96 -> practice the first thing that you'd never
6954.639 -> want to do a security violation called
6956.239 -> the bastion host or a jump host where
6959.119 -> you leave this widely exposed system on
6961.84 -> the internet and you've got another
6963.199 -> network card and you can use it as a
6964.56 -> back door into your network i would
6966.159 -> strongly recommend against that but
6967.599 -> that's a perfect example of why people
6969.199 -> will do this and if you guys want we can
6971.52 -> have a session one day and talk about
6973.04 -> all the good reasons you would never do
6974.32 -> a bastion host in real life from a
6976.4 -> security perspective because you could
6977.84 -> talk about that for hours why that's
6979.28 -> such a bad idea but a bastion host would
6981.44 -> be a perfect example of a multi-homed
6983.36 -> server
6984.96 -> another example of a dual home server is
6987.52 -> you've got
6988.56 -> finance users that are on it and
6990.48 -> somebody else and you don't want them to
6991.679 -> go through a switch you could put
6992.719 -> multiple network cards so for speed
6994.8 -> sometimes servers have multiple network
6996.32 -> cards aws calls a network card an
6998.4 -> elastic network interface
7002.4 -> now if an elastic network interface is a
7005.44 -> network card we need to put a public ip
7008.719 -> address on anything that needs to be
7010 -> reachable so somehow the people at aws
7012.96 -> love the word elastic so they decided
7015.28 -> that they would call a public ip address
7017.92 -> an elastic ip address so
7020.8 -> what is an elastic ip address it is a
7023.28 -> public ip address
7026.32 -> that you borrow from aws
7029.52 -> a public ip address that you borrow from
7031.679 -> aws
7033.44 -> you keep it
7034.8 -> as long as you need it
7038.56 -> and then
7039.679 -> when you're done with it you return it
7042.239 -> so with aws you get to rent or borrow
7045.599 -> their ip addresses and they're called
7047.199 -> elastic ip addresses elastic network
7049.599 -> interface network card elastic ip
7052.239 -> address public address
7054.48 -> so
7055.199 -> let's look at this
7058.8 -> let's look at this environment one more
7060.32 -> time
7061.199 -> we've got the internet we've got our
7063.04 -> internet gateway we've got our virtual
7065.199 -> router that maintains the routing table
7067.36 -> of your vpc
7069.04 -> we've got your elastic ip address which
7071.28 -> is the front end which is probably
7072.719 -> sitting on a network load balancer in
7074.239 -> front of your web servers and poof
7077.04 -> everything's on the internet everything
7079.36 -> is working awesome everything's working
7082.8 -> awesome so
7084.159 -> the next content that we're going to get
7085.76 -> into are vpc endpoints which are one of
7088.4 -> my coolest things what a great way to
7090.96 -> securely connect to a bunch of endpoint
7093.04 -> services really cool stuff lots lots
7096.56 -> lots and lots of fun so while we're at
7099.28 -> it everybody let's see if there's any
7101.28 -> questions it looked like a bunch of
7102.48 -> questions were coming in some of them
7103.679 -> look like they really needed to be
7104.8 -> addressed some of them may cause me to
7106.719 -> do some additional workshops if you guys
7108.32 -> desire so chris want to bring in some of
7110.639 -> these questions i don't want anybody to
7112.159 -> have anything other than a great
7113.199 -> experience
7116.88 -> she shared azure does not have the
7118.4 -> concept of an internet gateway and a
7119.84 -> route table well there is a concept of a
7121.28 -> route table
7122.48 -> um but not but it's more hidden from you
7125.04 -> you have the traffic open on azure
7127.04 -> virtual network why has microsoft kept it
7128.8 -> like
7129.84 -> it's not exactly open on azure when you
7132.48 -> really look at what you have to do with
7134.08 -> the azure in your vnet what basically
7136.56 -> happens is everything's basically
7138.08 -> connected to the internet if it's got a
7140.239 -> public ip address in it they've done all
7142.719 -> of the work for you to make it a lot a
7145.28 -> lot a lot easier on you
7150.08 -> a lot easier on you so it's just that
7153.84 -> when would you use a nat instance or a
7155.599 -> nat gateway
7156.88 -> i can't think of any use case why you
7158.8 -> would use a nat instance in today's
7160.32 -> world given that the nat gateway does it
7163.44 -> realistically speaking
7165.44 -> anytime you've got systems that need to
7166.96 -> connect to the internet you're going to
7168.08 -> use a nat gateway which is pretty much
7170.56 -> 100 percent of the time okay kit if you've got a
7172.88 -> server that needs to be updated so that
7175.28 -> it doesn't have security vulnerabilities
7176.719 -> you will need a nat gateway so basically
7178.96 -> any use cases every time you ever
7180.719 -> connect to the cloud you're going to
7182.239 -> need to make sure your servers can be
7183.679 -> updated
7184.48 -> and you're going to need a nat gateway
7185.84 -> but a nat instance you're probably
7186.96 -> never going to use
7193.92 -> is a nat gateway a physical device
7195.92 -> like routers and switches no
7198.159 -> these are logical devices like routers
7200.48 -> and switches
7202 -> um so realistically speaking
7204.56 -> these are logical devices so
7207.52 -> think about it this way they built aws
7210 -> built a really cool router that doesn't
7213.199 -> go anywhere
7214.639 -> so
7215.76 -> you know it's not like if it's going to
7217.199 -> crash like a physical router it's a
7219.44 -> logical device so you know when we're
7221.76 -> dealing with some of these cool things
7223.119 -> in the cloud you know having these
7224.8 -> devices being logical isn't necessarily
7227.04 -> a bad thing it's a really great thing so
7229.44 -> high availability logical devices we
7231.44 -> love that
7234.4 -> chris if you want to bring in the next
7235.44 -> question
7240 -> can sherman
7241.92 -> may you turn the tables what questions
7243.44 -> do you have for us you're open for a
7244.88 -> quiz right now to celebrate the cerebral
7246.88 -> juices i can't really ask you guys any
7249.199 -> questions
7250.239 -> um it's not like you it you you can
7252.48 -> respond to the questions i mean i'm more
7254.719 -> than happy to to try and ask some ques
7256.639 -> actually i can try and ask some
7257.92 -> questions and see if you guys get it
7260.08 -> okay the first one
7262 -> where does this subnet start 192.168.1.2/30
7267.28 -> where is the zero where is the
7269.92 -> broadcast address and which two
7271.44 -> addresses are usable somebody can type
7273.28 -> it into the chat box
7285.599 -> yeah actually i don't think this is
7286.639 -> going to work yeah
7288.4 -> wait no people respond i'll bring up the
7290.239 -> next question for you
7294.719 -> apostolic
7297.52 -> i have a feeling you understand what i'm
7298.88 -> saying with that aws has millions of
7301.599 -> users
7302.639 -> absolutely they have millions of users
7304.8 -> and that's why with their excellent
7307.04 -> capabilities they have to be smart about
7309.04 -> how many users they take and how many
7310.8 -> routes they take because it would be
7312.56 -> impractical for anybody to not be smart
7314.88 -> the way they do it so if aws gives
7317.28 -> multiple ip addresses to their users
7319.04 -> wouldn't they run out of public
7320.08 -> addresses they've got a fair number of
7321.92 -> public addresses when you're one of the
7323.36 -> world's largest internet service
7324.719 -> providers you can get a fair number of
7326.88 -> addresses
7328.08 -> and they also have ipv6 addresses but
7330.56 -> you have to be fair
7331.84 -> aws they're extremely smart and they're
7335.4 -> extremely good at knowing how to
7337.44 -> judiciously use their addresses
7339.92 -> extremely capable so i may make jokes
7342.88 -> about you know marketing terms because
7344.56 -> it makes it hard for students to learn
7346.159 -> them every cloud provider one uses
7348.8 -> elastic one sticks cloud in front of
7350.56 -> everything but they're exceptionally
7352.8 -> good at what they use and they have
7354 -> millions of users but they do have
7355.44 -> addresses
7356.639 -> so
7359.44 -> all right here's some answers to the
7361.36 -> question
7365.28 -> okay so
7367.04 -> well
7368.88 -> and kit is right but he missed the uh he
7371.199 -> missed the router one which was the dot
7373.04 -> zero
7374.239 -> um the first and the fourth the first
7377.199 -> address is actually used for this subnet
7380 -> the last address is actually used for
7382 -> the broadcast 100 percent completely
7384.4 -> agree
7385.28 -> and the dot one and dot two would
7386.56 -> actually be used for networking good job
7388 -> genie
7389.84 -> yeah all right i'm going to pop a couple
7392 -> more questions up on here excellent
7398.719 -> what is the main difference between a
7400.4 -> nat gateway and a nat instance
7402.8 -> the nat instance is an older device
7404.639 -> that's typically not used and the nat
7406.48 -> instance requires an internet connection
7409.199 -> where the nat gateway basically does not
7412.239 -> and it's connected to the internet i got
7413.84 -> to give aws a hand on that
7415.92 -> nat gateway it is a very
7418.639 -> simple
7419.599 -> elegant solution just set up a nat
7422.56 -> egress only traffic very intelligent
7425.04 -> very elegant
7426.639 -> very simple to use
7430.88 -> how strong is the ec2 anti-ddos
7434.96 -> well it depends on what your needs are
7437.76 -> when we start getting into these really
7439.679 -> complicated architectures and really
7441.92 -> complicated security environments you
7443.52 -> have to look at whether you're going to
7444.719 -> be using these cloud native services or
7446.96 -> whether you're going to use marketplace
7448.239 -> services
7449.52 -> in many environments we can get away
7451.76 -> with some of the things like the waf
7453.44 -> and the shield they're pretty awesome in
7455.52 -> other environments we're going to have
7456.8 -> to use things like shield advanced and
7458.8 -> then we're going to go to the
7460 -> marketplace and we're going to be using
7461.44 -> gateway load balancers and network load
7463.199 -> balancers just to load balance across next
7464.88 -> generation firewalls maybe some ids ips
7467.76 -> systems so
7469.04 -> it's all based upon what you need delo
7472.32 -> sometimes the cloud native services are
7474.159 -> enough sometimes we need to bring in
7476 -> some enterprise services sometimes we
7478.159 -> can hybridize them
7479.92 -> sometimes we'll use a
7481.52 -> like an elastic load balancer to front
7483.44 -> end some f5 load balancers there's all
7485.52 -> kinds of cool stuff that we're going to
7486.8 -> do and talk about delo all of them are
7489.119 -> appropriate it's just a use case so
7493.04 -> when it comes to me i typically deal
7495.119 -> with in organizations that are dealing
7496.8 -> with big big massive architectures and
7500.159 -> for me typically the ddos prevention
7502.159 -> that i'm dealing with is about six or
7503.92 -> seven layers we're dealing with you know
7506.32 -> something like a a shield on a content
7509.199 -> delivery network which is awesome and
7510.8 -> typically some gateway load balancers
7512.56 -> some enterprise-grade firewalls from the
7514.159 -> marketplace some ids systems some
7516.239 -> network acls some security groups
7518.96 -> then we'll be dealing with some
7520 -> host-based firewalls and
7521.84 -> disabling unnecessary services so it's
7523.76 -> going to be a lot of it so realistically
7526.079 -> speaking it's going to be based upon the
7527.599 -> requirements of the solution the
7529.04 -> technical requirements will determine
7530.48 -> which service we choose
7533.119 -> all right and i'm going to bring a
7534.48 -> couple of more questions in and then
7536 -> we're going to get back to that
7537.92 -> sounds good
7544.96 -> abraham is an internet gateway similar
7547.199 -> to a router
7548.48 -> abraham an internet gateway is exactly
7551.44 -> similar to a virtualized router with a
7553.84 -> connection to the internet that's doing
7555.76 -> nat exactly the same
7558.159 -> great question and that shows some good
7560.239 -> understanding
7561.28 -> and that was actually the last one so
7564.239 -> okay so let's talk about some more aws
7567.04 -> fun stuff
7569.28 -> let's start talking about endpoints
7572.8 -> and you know their work on endpoints is
7574.48 -> really cool stuff so
7576.48 -> you know when we talk about things i
7578.56 -> want to before we get into endpoints i
7580.239 -> want to talk about performance
7582.719 -> and i want to talk about like aws
7584.88 -> network performance or azure network
7586.56 -> performance or google network
7587.92 -> performance compared to internet
7589.44 -> performance
7591.52 -> on the internet you've got a bunch of
7593.92 -> internet service providers that are
7595.28 -> glued to each other with bgp
7598.96 -> glued to each other
7600.56 -> now that's the way the internet works
7603.04 -> but here's the thing
7604.8 -> remember i showed you the routing and i
7606.079 -> said it was like a hot potato you go
7607.36 -> from router to router to router to
7608.8 -> router to router to hot potato you
7610.079 -> understand your data well
7612.159 -> that's the way the internet works there
7613.52 -> are no guarantees
7616.239 -> across the internet now if amazon owned
7619.04 -> the whole internet amazon could control
7621.679 -> the network
7622.88 -> but they control their network traffic
7625.36 -> on the internet is best effort there's
7627.599 -> no guarantees traffic on the aws
7630.079 -> environment by comparison is guaranteed
7632.48 -> they manage the network they run the
7634.32 -> network they optimize the network they
7636 -> need qos they can do it they control
7638.32 -> their network so let's start looking at
7640.639 -> the performance of these kind of cool
7642.32 -> things
7643.199 -> so aws manages the network so let's say
7647.04 -> you want to connect to an external
7648.639 -> service like s3
7651.84 -> if you can do it over the aws network
7654.96 -> you can get there better faster and
7657.36 -> cheaper than if you had to go to the
7659.119 -> internet so we're going to talk about
7661.199 -> endpoints as a means to securely
7664.159 -> connect to another service or
7666.079 -> organization
7667.76 -> in
7668.8 -> um what do you call it in the aws
7671.04 -> environment leveraging the aws high
7673.92 -> performance network instead of using the
7676.719 -> internet which is insecure
7678.719 -> and also has no guarantees
7681.599 -> so
7682.4 -> realistically speaking that's what these
7684.32 -> endpoints are and these endpoints are
7686.56 -> awesome
7687.679 -> so i want to walk you through what it
7688.96 -> looks like let's pretend we do it with
7690.8 -> or without the endpoint
7694.159 -> so over here
7695.599 -> we've got our vpc
7697.679 -> we've got aws s3 great object storage
7700.8 -> environment that we can talk about
7704.239 -> so between our vpc and our object
7706.56 -> storage we have two options
7709.119 -> we could go out the internet over an
7711.92 -> internet gateway send our data across
7714.56 -> the internet and then bring our data
7717.119 -> back into s3
7718.96 -> now that's an option now why isn't this
7721.52 -> a good option first we're now going to
7723.76 -> ride the internet which has got poor
7725.199 -> performance compared to aws's high
7727.04 -> performance network and we got to go pay
7730.4 -> to send our data to the internet across
7733.04 -> only to come back in so now we have less
7735.28 -> security and we have to pay for it and
7737.679 -> we have lower performance because we're
7738.96 -> riding the internet by comparison
7741.679 -> what if we could just take the aws
7743.76 -> private network directly there and
7745.92 -> basically create like a fake wire like a
7748.079 -> logical wire call it an endpoint do it
7750.079 -> securely on the aws network and have all
7753.28 -> the advantages of aws control of the
7756.079 -> network their performance now we're
7758.4 -> dealing with something pretty good
7761.36 -> so look at that
7762.719 -> now we're taking advantage of the aws
7764.88 -> network which they control
7767.599 -> and they've got rock-solid network
7769.199 -> engineers
7770.32 -> and rock-solid connections and they've
7772.079 -> got some of the biggest baddest routers
7774.079 -> and switches in the world some that they
7776.159 -> had a custom build because the service
7777.84 -> providers don't even make on that
7779.199 -> performance so think about the benefit
7781.36 -> of being on one of these networks
7783.52 -> you're not on the public internet you're
7785.199 -> riding a secure network at greater
7787.76 -> performance at a lower cost that's why
7789.599 -> we love endpoints around here
7796.159 -> so when we talk about endpoints we're
7798 -> dealing with two kinds of endpoints the
7800.56 -> gateway endpoint and the interface
7803.04 -> endpoints so let's talk about what these
7804.719 -> endpoints are and when they are used
7808.56 -> gateway endpoints
7810.239 -> are basically speaking
7812.32 -> high speed high security access to aws
7815.76 -> services and i love the way they work
7818.079 -> because they make sense to me they place
7819.44 -> a route on the routing table
7821.52 -> you're a ccie with 25 years networking
7823.28 -> experience you like routes and routing
7824.639 -> tables so that's the way it works so
7826.639 -> let's think about an amazon s3 endpoint
7829.04 -> basically it's going to give you private
7830.639 -> access to s3 from your vpc across the
7833.04 -> high performance network basically
7834.96 -> speaking you're going to create an
7836.32 -> endpoint and from a prefix list
7839.04 -> basically the prefix list we'll have a
7841.28 -> naming convention like a pl dash
7843.119 -> whatever whatever whatever and you'll
7844.88 -> see it in a routing table i'll show you
7846.159 -> in a minute
7847.84 -> so you're going to route in a routing
7849.84 -> table for s3
7852.159 -> and
7853.52 -> what's that going to look like
7856.56 -> you're basically going to have your data
7858 -> center which is going to have a router
7860.719 -> let's say you've got a vpn to aws
7864.239 -> in your aws environment you're going to
7866.32 -> have a shared service you'll have a load
7868.079 -> balancer set up with some proxy farms
7870.56 -> with a vpc endpoint going to your bucket
7873.599 -> so
7874.56 -> realistically speaking let me walk you
7876.159 -> guys through this one more time i may
7878.159 -> not have been sharing my screen when i
7879.599 -> did this
7880.96 -> oops didn't mean to do that so what's
7882.639 -> going to happen over here is you've got
7884.159 -> your data center connected via vpn to
7886.8 -> aws
7889.44 -> oops let me just try to figure out and
7890.88 -> make this smaller
7894 -> so you've got your users you've got your
7896 -> vpn
7898 -> and what you can see is you've got a
7900 -> a i would call it an endpoint that's
7902 -> going to connect to the bucket it's
7903.44 -> going to put it to the routing table
7904.96 -> inside of your vpc
7906.96 -> and that's how your systems are going to
7908.4 -> reach it
7913.44 -> so let's talk a little bit about
7914.88 -> securing it
7916.48 -> now this is one of those situations
7920 -> where
7923.28 -> routing security is kind of the best
7925.04 -> because the gateway endpoint
7928.239 -> uses routing
7930.56 -> we've got a little bit more creativity
7932.88 -> so
7934.079 -> if you limit routing to the subnets that
7936.8 -> need it
7937.92 -> people that don't need it won't be able
7939.44 -> to reach it so you know when we start
7941.679 -> talking about security we've got iam
7944.079 -> which is when somebody knocks on your
7945.599 -> door and says i'd like to come in am i
7948.239 -> allowed
7949.44 -> the answer is yes i authenticate you are
7951.44 -> who you say you are you're allowed and
7952.88 -> you're allowed to sit on the sofa and
7954.48 -> i've tracked you that's your iam but
7957.119 -> with networking if you don't have a
7958.56 -> route to you can't hack it in the first
7960.159 -> place thank you so much ilbra if you
7962.4 -> don't have a route you can't reach it if
7963.92 -> you can't reach it you can't hack it
7966.84 -> so with gateway endpoints you can
7969.679 -> actually limit the routing information
7971.36 -> and by limiting the routing information
7973.36 -> you can do something that's really
7974.96 -> exciting and really cool you can
7976.96 -> literally speaking make it unhackable so
7980.239 -> kind of love that
7984.159 -> so we talked a little bit about gateway
7986 -> endpoints now
7987.52 -> there's another kind of endpoint called
7989.44 -> an interface endpoint
7991.28 -> now the interface endpoint is when you
7993.119 -> use to connect to other aws servers such
7995.84 -> as the systems manager
7998.88 -> kinesis your load balancer apis now
8001.679 -> again this is some pretty cool stuff
8003.84 -> because this enables you to connect to
8005.84 -> external services that are hosted by aws
8008.8 -> partners or customers i kind of love
8011.36 -> this so think about it this way if
8013.36 -> you've got to connect to a large number
8015.119 -> of people the interface endpoints may be
8017.36 -> your best option and we're going to talk
8019.44 -> a lot about vpc pairing i love vpc
8022.4 -> pairing when we talk about vpc peering
8025.599 -> what we're really talking about is
8027.599 -> connecting organizations and there's
8029.36 -> some limitations as to why so these
8032.159 -> interface endpoints and the private link
8033.92 -> service may actually be one of the
8036.639 -> coolest things which we'll talk about
8038.8 -> so
8042.32 -> interface endpoints are going to connect
8044.079 -> to these services so they're going to be
8045.599 -> local to your vpc
8047.36 -> and effectively what's going to happen
8048.96 -> is the interface endpoint is going to
8051.36 -> create an elastic network interface on
8053.44 -> both sides of your connections because
8054.719 -> it's got to be on the same subnet to
8056.079 -> communicate and when you create these
8058.239 -> interface endpoints and these elastic
8060.639 -> network interfaces on the same subnet that
8062.32 -> are created you're in good shape now
8064.239 -> when you create the endpoint aws makes
8066.159 -> it even easier for you they do so much
8067.76 -> of the work for you which is why you
8069.599 -> know the cloud feels so easy compared to
8071.28 -> the network and the data center
8073.199 -> so
8074.639 -> what they actually do is they give the
8076.159 -> endpoint a dns specific name to make it
8078.159 -> even easier to connect to it so let's
8081.04 -> look at it when you're using
8083.679 -> the interface endpoint you're creating
8085.52 -> something called private link which is
8087.76 -> sort of like a private wire between
8089.84 -> these kind of information
8093.44 -> so
8094.56 -> with regards to the virtual so so it's
8096.719 -> kind of like a virtual private line over
8098.4 -> the aws network and it's going to
8100.48 -> restrict traffic between the vpc and the
8102.8 -> aws customer or partner organization
8107.36 -> so let's look at what this actually
8108.8 -> would look like let's say for example
8111.76 -> you've got a vpc that's serving somebody
8114.719 -> else
8115.599 -> you've got uh
8117.04 -> basically your customer over here on the
8118.88 -> left and you created maybe a shared
8121.119 -> services vpc or something like this you
8123.84 -> take some load a network load balancer
8125.84 -> in front of your servers with private
8128 -> link what you've actually done here
8130.4 -> is you created the ability for the two
8132.719 -> entities to talk to each other
8135.04 -> now
8136.639 -> that's what we're talking about now one
8138 -> of the things that's really really cool
8139.92 -> with private link
8142.56 -> and this was really smart on aws to
8144.96 -> think about is because everybody for the
8147.52 -> most part is using the same rfc 1918
8150.4 -> address spaces the 10.0.0/8
8153.84 -> the 172.16/12 the 192.168.0.0/16
8161.119 -> private link automatically uses nat
8165.52 -> private link automatically uses nat
8168.96 -> so
8171.52 -> that's one of the things to keep in mind
8178.239 -> so
8179.04 -> private link is different than vpc
8180.8 -> peering and we're going to talk a lot
8182.159 -> more about vpc peering but vpc peering
8184.32 -> and private link in certain cases do the
8186.159 -> same
8187.92 -> but they're not the same
8190 -> and let's say i've got two entities i've
8192.639 -> got a vpc in new york our company and a
8195.28 -> vpc in san francisco if i do vpc peering
8198.319 -> between new york and san francisco
8200.559 -> all information is exchanged between new
8202.96 -> york and san francisco
8204.639 -> and guess what if it's my company in new
8207.359 -> york and my company in san francisco
8209.2 -> when we peer i want us to exchange
8211.359 -> everything
8212.479 -> but
8213.519 -> what if
8215.599 -> what if i am an auto manufacturer
8218.639 -> and i need spark plugs from somebody and
8221.76 -> i need tires from somebody
8223.84 -> and i need brakes from somebody else and
8225.92 -> i need metal from somebody else and
8227.519 -> paint from somebody else and
8230.08 -> i don't know and well i don't know hoses
8232 -> from somebody else and belts from
8234.24 -> somebody else
8235.599 -> and let's just call them wheels from
8237.76 -> somebody else i don't know
8239.439 -> so
8240.88 -> the wheel manufacturer
8242.88 -> doesn't need to talk to the brake
8244.479 -> manufacturer who doesn't need to talk to
8246.479 -> the spark plug manufacturer
8248.479 -> so and quite frankly
8250.88 -> i they may not need to know anything
8252.639 -> from me whatsoever
8254.8 -> at all i may just need to know the
8256.559 -> status of them so with private link i
8259.359 -> can connect to all these external
8261.04 -> entities in a very very very secure sort
8264.8 -> of environment
8266.24 -> private link is only one service vpc
8269.599 -> peering is everything so
8272.96 -> how do you know what to do and what to
8274.24 -> do i promise you we'll talk about it
8277.84 -> private link is for a specific service
8280.96 -> private link is when you've got a
8282.24 -> million and one connections
8284.16 -> you're not al you can't don't have the
8286.08 -> ability to do too many vpc peering
8288.639 -> connections i mean vpc peering gives you
8291.359 -> 125 connections
8293.519 -> you know there's going to be customers
8294.639 -> that you're going to have a thousand
8295.599 -> plus vpcs for and it's going to be
8297.2 -> nothing so you're going to have to do
8299.04 -> some creativity things in order to get
8300.96 -> these things to work based upon what
8302.319 -> you're working on
8303.439 -> if you're a new cloud architecture
8305.04 -> solution architect you're probably not
8306.479 -> going to run into these limitations but
8308.399 -> if you're someone like me that's been
8309.519 -> around or working on the network you're
8310.8 -> going to run into this 125 vpc peering
8312.88 -> sessions isn't that many
8314.559 -> especially if you have to fully mesh
8316.16 -> your vpc peers so private link is going
8318.479 -> to scale scale scale more
8322.24 -> so much more
8324.479 -> so that's kind of one of those things
8326.16 -> that you that you can use and that's why
8328.719 -> so private link scales better than vpc
8330.88 -> peering private link is for a single
8332.88 -> service vpc peering shares everything
8334.719 -> private links
8335.92 -> vpc peering does not work with
8337.599 -> overlapping ip addresses
8340.479 -> company a buyer's company b chances are
8343.84 -> they're all using overlapping addresses
8345.439 -> so private link works vpc peering does
8347.84 -> not work with overlapping addresses
8349.359 -> you'd have to change the addresses so
8351.28 -> private link scales for the limitation
8353.2 -> of your performance with private link is
8355.2 -> pretty much the match throughput of your
8358.08 -> servers and your load balancer
8361.679 -> private link is unidirectional you set
8363.76 -> it up in one direction and the other if
8365.84 -> you want it in both ways vpc peering is
8368.16 -> communication that's bilateral
8371.439 -> so that's kind of i kind of workshop so
8374.24 -> when we're dealing with
8376.08 -> hub and spoke environments
8378.639 -> and we're dealing with private link it
8380.479 -> brings us to the concept of a shared
8382.8 -> services vpc
8385.12 -> and uh realistically speaking um it
8387.439 -> looks like some people have some
8388.24 -> questions which i promise i'll answer so
8390.479 -> we can make sure we get you the right
8391.76 -> the kind of answers that are going to go
8393.2 -> cloud hired when the time comes so
8396.56 -> shared services vpc let's say for
8398.72 -> example that you're or have an
8400.96 -> organization that needs to provide
8402.56 -> information to a tremendous number of
8405.12 -> people
8406.56 -> you can create this concept of a shared
8408.399 -> services vpc which is kind of like a
8410.88 -> service provider vpc
8413.04 -> i'll show you what it's going to look
8414.24 -> like
8420 -> oops didn't mean to do i'm sorry this is
8421.84 -> not one group so anyway what you can see
8423.92 -> here is we've got a vpc at the top
8427.52 -> this vpc at the top has a service
8430.479 -> that we want other users to use so what
8433.28 -> we can do is we can set up a private
8435.68 -> link service and our shared service we
8438.16 -> create a straight vpc we've got our ver
8440.96 -> some some very fast network load
8443.28 -> balancers for example and we're using
8445.68 -> them to front end a bunch of servers and
8447.439 -> that becomes a service for everyone else
8450.24 -> so this is a shared services vpc this is
8453.04 -> the way you would set it up using the
8454.56 -> private link service
8458.24 -> this is how you get your communications
8459.92 -> now we're going to cover vpc peering and
8462.96 -> then i'm going to answer some of those
8464.08 -> vpc peering questions because it looked
8466.399 -> like a lot of vpc peering questions came
8468.56 -> out it looked like
8470.8 -> there were some people really needed
8471.92 -> some help on some of those answers so i
8473.359 -> want to make sure we answer them really
8474.88 -> good to make sure that you walk away
8476.8 -> from this and truly learn for the day so
8479.359 -> let's talk about some vpc peering
8482.72 -> vpc peering is how you connect multiple
8484.72 -> vpcs again i do not view the vpc as a
8488.08 -> virtual private network i view it as a
8489.6 -> virtual private data center because in
8492.24 -> the vpc you put your servers you put
8494.56 -> your storage you put all kinds of good
8496.319 -> good good stuff
8498 -> so
8499.439 -> vpc peering is a method to connect your
8501.359 -> vpcs over the network
8503.12 -> vpc connect peering is non-transitive
8506.56 -> and i'm going to show you what that
8507.92 -> means non-transitive
8510.479 -> communication uses the private ip
8512.08 -> address space and anytime you're dealing
8513.68 -> with inter-region traffic it's going to
8515.12 -> be encrypted so
8516.88 -> secure way to deal with your traffic so
8519.28 -> how does it work
8521.6 -> what i meant by non-transitive let's
8523.76 -> say my head
8525.28 -> is so let's say my left hand is router a
8528.72 -> i my head is router b and my right hand
8531.52 -> is router c and a transitive environment
8534.72 -> a tells b who tells c and c tells b who
8538.8 -> tells a about each other's or else if c
8541.04 -> knows a's routes they can talk to each
8543.04 -> other life is good
8545.12 -> if a tells b a's routes and c tells b
8550.399 -> c's routes but b doesn't tell a c's
8553.359 -> routes and b doesn't tell c a's routes
8556.56 -> nobody can talk to each other so what
8558.64 -> transitive routing means everybody has
8561.04 -> knowledge to everyone's information
8562.96 -> non-transitive routing you don't pass
8564.479 -> the routing information if you don't
8566 -> have a route to something what do we
8567.28 -> talk about before with the gateway
8568.56 -> interface
8569.6 -> you can't reach it so
8572.319 -> here's non-transitive routing
8575.2 -> left hand tells me about a route i don't
8577.359 -> tell the right hand right hand and left
8579.12 -> hand can talk to each other transitive
8581.04 -> routing left hand tells me about a route
8583.2 -> i tell my right hand about a route right
8585.12 -> hand tells me about a route i tell my
8586.8 -> left hand everybody's out everybody's
8588.319 -> routing information and we're all
8589.68 -> talking to each other
8592.96 -> all talking to each other
8595.439 -> so now you know what is transitive
8597.359 -> versus non-transitive
8599.52 -> so when we start talking about
8601.12 -> transitive routing and non-transitive
8603.359 -> routing
8604.479 -> guess what we start talking about bgp
8607.12 -> route reflectors from about 30 years ago
8608.96 -> because it creates a problem a massive
8611.92 -> problem and i'm going to tell you why
8613.2 -> aws chose to go non-transitive which was
8616.319 -> probably the right decision for 99 percent of
8619.28 -> the customers and that one percent that
8621.68 -> need to go transitive they gave you a
8623.439 -> very good solution that we took from the
8624.96 -> bgp world so let's look at vpc peering a
8628 -> little more carefully
8630.24 -> at the easiest and most essential state
8633.68 -> which you've got going on is simply as
8635.92 -> follows
8637.439 -> you've got a vpc over here you've got a
8639.439 -> vpc over here
8641.12 -> you connect your vpcs
8645.12 -> and then
8646.319 -> they can talk to each other that is it
8649.28 -> simple
8650.399 -> elegant completely functional
8656.399 -> now
8658.319 -> here's where it gets ugly
8660.96 -> vpc
8662.399 -> peering is not transitive
8664.96 -> let's go back here this this is a
8666.96 -> nightmare done for a right reason
8670.16 -> for good reasons aws made this decision
8672.96 -> but it can be a nightmare for you if you
8675.04 -> don't know how to deal with it
8677.12 -> let's go back to non-transitive
8679.84 -> a
8680.56 -> tells b and b doesn't tell c
8683.52 -> which means c can't reach a
8685.92 -> now if a told b and b told c and c told
8688.88 -> b and b told a everything's perfect
8691.6 -> but
8692.479 -> we're not doing that so if we want this
8694.88 -> to work
8696.479 -> and we want everybody to be able to talk
8698 -> to everybody
8699.2 -> we have two options
8702.319 -> if everybody needs to talk to everybody
8704.88 -> just like in internal bgp we're going to
8706.96 -> need to fully mesh our vpc peers
8709.84 -> this is ugly
8712.56 -> ugly
8713.68 -> because the when you have to do full
8715.52 -> mesh or everybody talks to everybody
8717.68 -> there's a formula for this this formula
8719.6 -> is ugly it's called n times n minus 1
8722.319 -> divided by two
8724 -> so if you've got three vpcs that need to
8726.319 -> peer it's elegant three times three
8728.8 -> minus one is two the so three times two
8731.6 -> is six divided by two is three three
8733.68 -> connections three vpc pairs simple right
8737.28 -> 10 connections 10 times 10 minus 1
8741.28 -> divided by 2. 10 routers
8744.08 -> or vpcs
8745.84 -> 45 connections 100 of them 100 times 99
8752 -> minus 1. you get the point it doesn't
8754.08 -> scale so
8756.319 -> but this is what fully mesh is going to
8758 -> look like
8760.479 -> b tells its routes to c c tells us
8762.96 -> routes to a a tells a where else to be
8765.84 -> everybody has a connection to everybody
8767.52 -> and everybody can talk to everybody
8769.84 -> this is how it would work
8772.72 -> if everybody needs to talk to everybody
8774.72 -> you're gonna have to fully mesh them or
8776.24 -> you're gonna have to use one of two
8777.439 -> options which we'll talk about in a
8778.72 -> minute
8780.64 -> now let's go back
8782.24 -> sometimes your vpcs don't need to talk
8784.96 -> to each other sometimes you don't want
8787.2 -> them to talk to each other
8788.88 -> so let's look in this environment let's
8790.56 -> say we're now the car manufacturer
8792.88 -> we're vpc a
8794.96 -> we connect to the tire people vpc b and
8797.84 -> the steering wheel people vpc c and the
8800.24 -> brake pedal people vpc d
8802.399 -> and the tire people vpc e
8804.72 -> and the leather people vpc f and the
8806.72 -> c-pill people vpc g do any of those
8809.28 -> people need to talk to each other no
8812.08 -> do me as a car manufacturer do i need to
8814.319 -> know where i'm getting my steering
8815.52 -> wheels brake pedals and leather i sure
8817.84 -> do so i can do this hub and spoke
8821.359 -> now
8822.56 -> what if
8824.319 -> all these people needed to talk to each
8826.24 -> other
8827.84 -> what if
8829.359 -> how could we fix this
8831.359 -> well
8832.8 -> in bgp
8834.72 -> we've got a solution for this
8836.96 -> and we've got a 30 year old solution for
8838.8 -> this in bgp
8840.319 -> and guess what when we're dealing with
8842.319 -> vpc peering vpc peering bgp peering you
8846.479 -> now know why i wanted to do a little vp
8848.56 -> bgp for you guys because it's bgp
8850.88 -> everywhere and when i say learn the
8853.439 -> network and learn the data center and
8855.2 -> you'll always know what to do because
8857.28 -> everything that we see on the cloud is
8858.8 -> an old network and data center
8860 -> technology
8861.2 -> i'm talking about it right now and this
8863.439 -> is why net learning the network makes
8865.12 -> you better for everything
8867.68 -> so aws has two
8870 -> solutions to this non-transitive routing
8872.16 -> problem one is called transit gateway
8874.72 -> and another is called cloudhub now
8877.359 -> functionally they're nearly identical
8880 -> basically what both of these services do
8882 -> they act like a bgp route reflector and
8884.88 -> they enable me to take in a route and
8887.04 -> then send the route to someone else so
8889.12 -> it basically says we've chosen to allow
8891.6 -> transitive routing
8894.08 -> in bgp we have something called the
8895.6 -> route reflector so aws has a service
8898.24 -> called cloudhub i think this is a very
8900.88 -> elegant service
8902.319 -> it is a route reflector it's not new
8905.04 -> technology and because it's not new
8906.72 -> technology and because it's proven
8908.88 -> technology that we've used for decades
8910.72 -> it actually works so what do we love
8913.04 -> about this so here's what you can see
8914.399 -> what we do
8915.359 -> in this environment is we've got and if
8917.439 -> you're using vpns
8919.439 -> you're using cloud hubs
8921.92 -> vpns you're using cloudhub if you're
8924.08 -> using direct connections you could use
8925.92 -> transit gateway you can use transit
8928.08 -> gateway with just vpns but but cloudhub
8930.319 -> is just for vpns so just keep that in
8932.88 -> mind
8934.64 -> so here we've turned on cloudhub we've
8936.72 -> got a new york a london and a san
8938.319 -> francisco location
8939.92 -> new york sends routes and you know what
8942.16 -> happens after new york sends routes to
8944.08 -> the to the cloud guess who gets to see
8946.319 -> them
8947.2 -> everybody gets to see them london gets
8949.84 -> to see them san francisco gets to see
8951.76 -> them everybody's route so everybody's
8953.359 -> reachable this is non-transitive reality
8956.56 -> san francisco can reach london london
8958.64 -> can reach new york
8960.479 -> the data center can reach everybody this
8962.16 -> is non-transitive routing had it been
8964.319 -> transit gateway it would have been the
8966.319 -> same thing it just wouldn't be vpns so
8969.12 -> we're going to get to some network a
8970.8 -> access list and we're going to get to
8972.24 -> some curated security groups but it
8974.08 -> looked like i saw lots of questions
8975.76 -> popping in there with the vpcs and vpc
8978.16 -> peering and addressing and
8980.399 -> it looked like some of the questions
8981.6 -> needed a little bit of help so chris if
8983.12 -> you can walk through the questions
8987.04 -> jazz can you create an endpoint from
8989.2 -> your on-premise server to s3
8991.76 -> or other service so basically you create
8993.6 -> an endpoint from your vpc to s3 and then
8997.12 -> you can share that information jazz
8999.28 -> going back to your data center over your
9000.88 -> direct connection or your vpn
9008 -> can we connect two internet gateways to
9010.08 -> a single vpc
9011.68 -> i don't know why you would the internet
9014.16 -> gateway is a logical device which means
9016.88 -> that it's not physically there which
9018.319 -> means it's high availability and it
9019.68 -> wouldn't go away
9020.96 -> so no you would not connect two internet
9022.56 -> gateways now there might be a time if
9024.88 -> you run into performance limitations and
9026.72 -> again this is where you're going to work
9028.08 -> with aws
9030.08 -> everything has a limitation
9032.399 -> everything even things that have no
9034.08 -> limitations have limitations
9036.16 -> so this is where if you're
9038.24 -> in an environment with like an aws
9041.12 -> environment if you have an extreme
9042.88 -> customer that might need you know
9044.319 -> terabits of internet connectivity you
9046.56 -> might want to talk to them they may need
9048.479 -> some kind of a creative solution where
9050 -> they use a couple of network load
9051.28 -> balancers to load balance between gate
9053.12 -> internet gateways
9054.72 -> i've not had to do that with a customer
9056.72 -> so
9057.68 -> but you know typically speaking i do a
9059.6 -> lot more hybrid and multi-cloud stuff so
9061.76 -> i'm always using multiple internet
9063.28 -> gateways but you know realistically
9065.12 -> speaking i've not had the need to
9067.2 -> because they're high availability now if
9068.8 -> you ran into a performance limitation
9070.399 -> and again i would consult aws on that
9073.04 -> then i'd walk to them to see if he
9075.04 -> needed to use like a network load
9076.319 -> balance or a gateway load balancer to go
9078.56 -> to multiple internet gateways but i've
9080.24 -> never needed to do so i've had to deal
9082.479 -> with hundreds and hundreds and hundreds
9083.84 -> of vpcs but this is not something that
9085.92 -> i've had to do
9088.479 -> chris you want to bring in the next one
9095.359 -> vpc peering can span region and inter-
9097.28 -> region traffic is encrypted absolutely
9099.12 -> tailor-made media
9104.08 -> all right now some of these uh you came
9106.319 -> in before you got it into your content
9108.56 -> so this one i think you answered uh okay
9111.28 -> i know it came in before you got to this
9113.2 -> but so you may want to spend just a
9114.96 -> second on it sure and that's a great
9116.96 -> question plus bellwinder always has
9118.479 -> super smart questions yeah but
9121.2 -> you answered it right after she posted
9122.96 -> it so without realizing so so
9126.72 -> interesting battle winner here's the
9128 -> thing private link is for a very
9129.84 -> specific service
9131.68 -> so
9132.64 -> you want to host one thing vpc peering
9135.68 -> is for everything plus with vpc peering
9139.439 -> you have to have non-overlapping ip
9141.52 -> address space and aws was really smart
9144.64 -> with the private link service and they
9146.08 -> figured you'd probably run into problems
9148.16 -> so they gave you the private link which
9149.76 -> does nat automatically so you don't have
9151.52 -> a problem with overlapping ip addresses
9156.479 -> of course you can bring the next one
9158.399 -> um can transit gateway work with
9160.399 -> overlapping cidr ranges
9163.359 -> do you mean overlapping ips will transit
9165.359 -> gateway well
9167.28 -> nothing is going to ever work with
9168.72 -> overlapping ip addresses
9170.96 -> so the question is are your cidr
9173.2 -> ranges overlapping but not your ip
9175.76 -> addresses meaning it's quite possible
9177.68 -> that you've got a ten slash eight on one
9179.76 -> side and a ten slash eight on another
9182.08 -> side but inside of your ten slash eight
9184.56 -> you're using a 10.1 and a 10.2 and a
9186.64 -> 10.3 and a 10.4.0 on the left side and
9189.68 -> you're using
9191.16 -> 10.0.1.0 and 10.0.2.0 and
9194.64 -> 10.0.3.0 then you don't have
9196.8 -> over uplay overlapping address space you
9199.359 -> just have overlapping of
9201.2 -> overlapping cidr ranges in which case
9203.6 -> you won't be able to send a single route
9205.76 -> mr joshie you're going to have to send
9208 -> more specific routes you could make it
9209.84 -> work but that would be really bad ip
9211.52 -> addressing really bad ip addressing will
9213.68 -> ultimately mess up your routing long
9215.28 -> term can you make it work the answer is
9217.12 -> yes have i seen it work the answer is
9218.72 -> yes should you make it work the answer
9220.399 -> is absolutely not
9222.08 -> so do a good ip addressing scheme ahead of
9224.64 -> time if you don't nothing will work
9226.56 -> properly
9235.6 -> um
9236.56 -> savini's fun world something in a public
9239.04 -> so that is reachable from the private
9240.479 -> subnet because you have a router a
9242.08 -> router is how you route between subnets
9243.92 -> so realistically speaking when you leave
9245.84 -> your computer and you go to the internet
9247.28 -> it uses a router um when you uh
9251.12 -> you've got your service in a private
9252.479 -> subnet you've got remember the route
9254.24 -> there's a router and a routing table
9255.84 -> that sits inside of your vpc and your vpc
9258.56 -> has a default route that points um your
9261.04 -> unknown traffic to the to the nat
9263.04 -> gateway so it's going to happen because
9264.479 -> you have a route to it the route is the
9266.24 -> key
9270.96 -> i seen how does private link overcome
9273.2 -> the issues of
9274.479 -> overlapping ip addresses private link
9276.64 -> uses nat a seam nat or network address
9279.12 -> translation translates one address into
9281.04 -> another address private link puts a very
9283.28 -> smart they put an elastic network
9284.72 -> interface on both sides they're on the
9286.479 -> same subnet and nat is done between the
9288.399 -> addresses so they use nat and that's
9290.399 -> exactly what nat was used for it seemed
9292.08 -> to translate one set of addresses to
9293.439 -> another set of addresses
9297.12 -> chris you want to bring in the next one
9308.08 -> well
9309.04 -> lion lord we don't have an option to use
9310.88 -> anything other than transit gateway with
9312.64 -> direct connect we can't use cloud hub
9314.479 -> because it's only for vpn so lion alert
9316.72 -> we have two options with it
9318.479 -> with a direct connect if we're trying to
9319.92 -> use vpc peering we can fully mesh them
9323.12 -> or we could use transit gateway
9325.52 -> but the only reason you're using the
9326.72 -> transit gateway is for vpc peering
9329.68 -> now
9331.92 -> and you're only doing it if you're
9333.04 -> running direct connections to your
9334.319 -> various vpcs the direct connect
9336.56 -> typically speaking is just to connect
9338.16 -> your data center to the cloud so i'm not
9340.64 -> sure if i completely answered your
9341.92 -> question if i did great if not let me
9343.76 -> know otherwise
9347.6 -> leonard lash what is the difference
9349.439 -> between an eni and an interface end-
9351.52 -> point gateway endpoint connects you
9354.08 -> to s3 interface endpoint connects you to
9357.2 -> certain aws services
9359.68 -> when you use when you create an inter-
9361.6 -> face endpoint it creates a network
9364.399 -> interface inside of your subnet so that
9367.12 -> you can connect to the interface so the
9368.88 -> interface endpoint creates an elastic
9370.56 -> network interface
9372.56 -> what is an elastic network interface
9375.2 -> um any it's really just a network card
9377.52 -> you will need an elastic network
9378.96 -> interface to connect to a network
9380.399 -> because if you don't have access to the
9381.92 -> network you won't be able to use it
9383.84 -> so hope i answered your question there
9387.359 -> when do you require an elastic network
9388.88 -> interface anytime you want to connect to
9390.64 -> the network so shaving is fun world
9392.64 -> imagine you have a computer in your
9394.08 -> house and you want to get to the
9395.92 -> internet but you don't have wireless and
9397.76 -> you don't have a network card that you
9398.96 -> can plug in
9400.24 -> you couldn't get to the internet what do
9401.84 -> you do on your computer you enable your
9403.359 -> wireless which is a network interface or
9405.2 -> you enable your ethernet card which is a
9407.28 -> network interface so you can't do
9409.52 -> anything without a network interface
9411.52 -> you'll never be able to reach anything
9413.2 -> every server that you have comes with an
9414.96 -> elastic network interface every private
9417.12 -> link service has an elastic network
9418.64 -> interface you can't access anything
9420.24 -> without an elastic network interface so
9422.319 -> that's how you attach the network it's
9424.08 -> like the ethernet card that's sitting
9425.52 -> inside of your systems
9427.6 -> chris you want to bring in the next one
9431.92 -> will private link work across regions i
9433.84 -> believe so
9442.319 -> ronald nozo the reason aws is able to
9444.56 -> provide so many ips is they're one of
9446.08 -> the world's largest internet service
9447.359 -> providers so they've got a pretty good
9449.2 -> block of them
9450.399 -> so they were able to get a whole lot
9453.6 -> and
9455.28 -> realistically speaking we'll be using
9457.12 -> ipv4 addresses for a long time we were
9459.92 -> we were ending ipv4 when i started
9462 -> working in networking in 1996 and we're
9464.24 -> not ending ipv4 anytime soon i assume
9466.88 -> we'll be using them for the next 20
9468.08 -> years or so
9471.84 -> louise
9473.04 -> i know you said the ig is a router what
9475.2 -> can be referred to
9476.399 -> um
9477.84 -> it can't be referred to as a switch
9479.359 -> louise
9480.399 -> a switch is a layer 2 device a router
9483.04 -> is a layer 3 device
9484.96 -> technically a switch can have a router
9486.96 -> module in there be considered a layer 3
9488.72 -> switch
9489.6 -> but when you're dealing with the
9490.64 -> internet gateway it must be a router a
9492.319 -> switch doesn't have routing routing
9493.92 -> abilities a true switch so it is always
9496 -> a router
9499.76 -> yolanda is cloudhub also used to run vpn
9503.04 -> vpn connections to your various vpcs
9507.359 -> um that is why cloudhub is used cloudhub
9509.439 -> is used so you can run
9511.12 -> um vpn connections to your vpcs in a vpc
9514.24 -> peering environment
9515.76 -> and actually have transitive routing
9517.2 -> that's exactly what it's used for
9518.319 -> yolanda
9520.72 -> chris
9525.04 -> damn thanks i didn't know that i have
9527.52 -> asked a lot of people and no one knew
9528.8 -> this question thanks well you're welcome
9530.08 -> i'm so happy we're able to help you
9533.12 -> that was uh in response to the router
9534.96 -> and switch confusion you know so many
9536.96 -> people because when they're
9540.319 -> get confused on that topic
9542.64 -> so yeah that's a really good point i'm
9544.56 -> going to have to do a
9546.56 -> maybe a networking workshop one day
9548.16 -> where we talk about routers and switches
9550.16 -> and vlans and we really spend some time
9551.92 -> on it maybe we can figure some routers
9553.52 -> and switches and vlans i don't know
9555.28 -> maybe i'll even do a free ccna cast
9556.96 -> we'll think about it
9558.16 -> yeah so that was the last question um
9560.56 -> i'm gonna let you uh
9563.52 -> let you do your thing
9565.2 -> okay very cool so
9567.28 -> um if you're having a good time if you
9568.64 -> can please put a like down it really
9570.319 -> really really helps us from the
9571.68 -> algorithm perspective everything's an
9573.84 -> algorithm in today's world and anytime
9576.08 -> anybody is able to basically help us and
9577.84 -> say something nice it really helps us
9579.2 -> from an algorithm perspective so if you
9581.28 -> guys don't mind hitting a like button or
9582.8 -> sharing with others we can appreciate
9584.24 -> that now let's talk about some access
9586.319 -> control lists
9587.76 -> and also if you're having a good time if
9589.359 -> you can put
9590.88 -> cloud cloudhired um
9593.359 -> very good chance we'll do a ccna
9595.76 -> but my team's working on a couple of
9597.439 -> really really cool free classes out
9599.04 -> there that i'm pretty impressed and
9600.16 -> proud of them for so
9603.28 -> i know i got some people on my team
9605.6 -> got somebody i like to call him mr bond
9607.52 -> because he reminds me of james bond he's
9609.2 -> working on something really really great
9610.64 -> for the cloud engineering community so
9612.64 -> we're going to have some other cool fun
9613.84 -> stuff to be coming very very soon so
9616.16 -> let's go back and talk about no oh and
9618.479 -> my i'm being i'm reminded from my from
9621.04 -> from chris
9622.24 -> um
9623.2 -> that at 5 p.m we're going to have imran
9626 -> come imran the dual ccie the aviatrix
9628.8 -> multi-cloud professional network
9630.16 -> engineer finishing a third ccie while
9633.04 -> he's at it just because two isn't enough
9635.359 -> um he's been around and doing everything
9637.279 -> and he's gonna come in and we're gonna
9638.56 -> set up some vpc peering and all kinds of
9641.2 -> cool vpcs and endpoints and we're gonna
9643.6 -> walk you through it and get really hands
9645.2 -> dirty really hands-on so it's gonna be
9646.96 -> great time so
9649.359 -> part of our commitment to making you
9650.72 -> guys the best in the world is giving you
9652.24 -> everything we can so we're going to do
9654 -> so so let's talk about network acls
9657.68 -> i love access control lists been using
9660.319 -> them forever they break everything and
9662.319 -> they lock things down and if you're
9664 -> smart you don't break anything but you
9665.439 -> got to be careful with your your access
9667.12 -> control list
9668.56 -> network access control list they're
9670.8 -> really just an access control list
9673.439 -> in the cloud so on routers for years
9676 -> we've been using
9678.56 -> access control lists on the routers what
9680.8 -> do we put access control lists on the
9682.64 -> routers for we do it to keep unwanted
9685.279 -> traffic out of subnets
9687.84 -> access controllers enable us to allow
9690.24 -> traffic or disallow traffic based upon a
9692.56 -> configured policy
9694.16 -> so
9694.96 -> like a firewall what do you think the
9696.64 -> default policy is deny all traffic
9700.8 -> deny all traffic
9702.88 -> so
9704.96 -> when you create a network acl
9707.92 -> you're going to set up a rule and the
9709.52 -> rule is going to be a whole lot like a
9710.96 -> firewall rule you'll specify the
9713.68 -> source and destination address
9715.76 -> the protocol and the port number do all
9718.399 -> of you remember when we walked through
9719.84 -> the header and we talked about the
9721.68 -> source and destination address the
9723.92 -> protocol tcp udp icmp and the port
9726.8 -> number like port 443 for https or
9730 -> port 80 for web that's where all this
9731.84 -> stuff is coming from it's in the header
9733.52 -> of the packet the access control list
9735.84 -> the firewalls are all looking at the
9737.6 -> header and the packets so this is really
9739.2 -> fun stuff
9740.399 -> so
9742.399 -> that's what we do now i want to talk
9744.72 -> about the concept of stateful and
9747.439 -> stateless before we talk about the
9749.279 -> access control list i got to tell you
9751.76 -> 90% of the people that i interview get
9753.52 -> this wrong
9754.8 -> i ask this to lots of people on
9757.12 -> interviews if someone doesn't know
9758.56 -> stateful i can't hire them because
9760.88 -> they're not going to know how to do a
9762 -> lot of things so let's talk about
9763.52 -> stateful versus stateless
9766.72 -> they are different politic thank you so
9768.64 -> much
9770.72 -> so stateful means as follows i watch
9774.479 -> so i've got a cat cindy she goes outside
9776.96 -> here's what she looks like
9780.08 -> and then she sees a bug and she jumps up
9782.64 -> and she catches it she's on she's
9785.52 -> staring she's paying attention she's
9787.84 -> stateful
9789.84 -> what is a firewall a firewall is as
9793.279 -> follows she's like my cat cindy that's
9795.2 -> paying attention to everything i'm
9797.2 -> behind the firewall let's say this phone
9799.279 -> is my firewall i want to go to the
9801.52 -> internet
9802.479 -> i go from behind the firewall through
9804.72 -> the firewall i go to
9806 -> www.gocloudcareers.com
9809.68 -> i pierce through my iphone firewall my
9812.24 -> traffic goes to the internet
9814.319 -> it hits the
9815.56 -> gocloudcareers.com website and then the
9818.64 -> gocloudcareers website stops and it
9820.56 -> comes to the firewall and it says i'm
9822.399 -> sending mike gibbs back his request to
9824.96 -> the website the firewall says i know
9827.439 -> mike gibbs i watched his traffic
9830 -> traverse the firewall so it's going back
9832.479 -> to mike gibbs because mike gibbs asked
9834.72 -> for it he's allowed i breached my
9837.359 -> firewall and it comes back
9839.2 -> how does the firewall know it watch what
9841.2 -> i did it's like my cat cindy she's out
9843.439 -> there she's staring around for stuff
9845.359 -> that's moving and when she finds it she
9846.88 -> gets it
9848.319 -> that's what a firewall does a firewall
9850.72 -> blocks all incoming traffic it lets my
9853.68 -> traffic go through the firewall and then
9856.96 -> when the traffic comes back to the
9858.24 -> firewall it says that's mike's traffic
9860.56 -> he went to this site let it come back
9862.72 -> now the hacker tries to get into my
9864.479 -> network and he's like hits the firewall
9866.479 -> and it can't get in and the firewall is
9868.8 -> saying you didn't initiate the traffic
9870.56 -> you're not from inside you're not
9871.68 -> allowed in so when we're dealing with
9873.68 -> firewalls we're dealing with stateful
9877.04 -> because the firewall knows it's stateful
9879.6 -> we don't need to create a rule back that
9881.359 -> says allow mike's traffic back because
9883.2 -> the firewall watched my traffic go out
9885.6 -> and it knows to allow it to come back
9889.12 -> so stateful
9891.6 -> that's what that meant so network access
9893.76 -> control lists are stateless
9896.72 -> and because network access control lists
9898.72 -> are stateless meaning they're not
9900.24 -> tracking anything you're going to have
9902.08 -> to pre you're going to have to design
9903.359 -> them bilaterally inbound and outbound so
9906.64 -> just so you know
9908.72 -> now network access control lists
9914.399 -> are processed in order an order matters
9918.24 -> so i'm going to show you a good way to
9920.319 -> do it and i'm going to show you a
9921.76 -> terrible way to do it i'm going to start
9924 -> with the terrible way so that you
9926.399 -> understand the right way now normally i
9928.24 -> would never show you the wrong way but
9929.6 -> i'm going to show you the wrong way
9930.72 -> right now
9931.92 -> so
9933.359 -> let's let's show you the ridiculous way
9935.6 -> let's create a set of rules inbound and
9937.279 -> outbound rule one block everything throw
9939.6 -> it all away rule two allow web traffic
9943.68 -> anybody see a problem with this
9945.52 -> rule one trash
9948 -> rule two allow
9950.88 -> what happened packet came in hit the
9953.52 -> network acl that said deny all traffic
9955.92 -> it's all blocked it's thrown away in the
9957.439 -> trash no more traffic goes
9960.64 -> no more traffic goes
9963.04 -> because it's blocked
9965.279 -> so
9967.04 -> don't do that
9968.56 -> permit what you want and allow the
9971.04 -> implicit deny to take over so let's do
9973.76 -> this the right way let's recreate this
9976.88 -> now we're just going to allow tcp port
9979.76 -> 80
9980.64 -> and that's it
9982.16 -> let the auto deny do it let's just allow
9984.08 -> what we need
9986.399 -> now after 25 years experience i'm going
9988.88 -> to give you some special secret tips
9990.479 -> here to keep you the implicit deny is
9993.04 -> there we don't have to write it it's
9994.88 -> just there all firewalls have an
9996.88 -> implicit deny so all we really need to
9998.319 -> do for the most part is just do our
9999.439 -> permit statements and everything else is
10000.8 -> blocked so let's go think about this so
10003.92 -> let's do this
10005.279 -> that's all we have to do now i'm going
10007.279 -> to give you some real guidance
10009.92 -> don't go rule 110
10011.68 -> don't go rule 111 don't go rule 112 113
10015.359 -> 114 give yourself some space
10018.88 -> i'm saying i mean it really give
10020.56 -> yourself some space because no matter
10022.8 -> what you think you have you're going to
10024.16 -> create new rules so let's say we want to
10026.319 -> allow tcp port 80
10030.479 -> in for a web server
10032.399 -> and then let's say six months later
10034.56 -> we've got one user in china that's
10037.04 -> trying to hack us and what just want to
10038.56 -> do an access control is to block one
10040.24 -> user we can
10042.56 -> but if we have no space we can't so
10044.88 -> maybe 110 120 130 140 note what i wrote
10049.2 -> here is only rule allow in and rule
10052.64 -> allowed out
10055.359 -> so let me show you this um real quickly
10057.92 -> here
10058.8 -> to put it into context
10061.6 -> when it comes to security
10063.84 -> it's not a network access control it's
10065.84 -> not an acl it's not waf it's not
10068.08 -> shield it's all of it
10069.84 -> and then some
10071.2 -> all of it
10073.12 -> so it's not an either or it's all of it
10076.08 -> but let's look at what we're talking
10077.68 -> about
10080.8 -> we're going to have our internet gateway
10082 -> which connects us to the internet
10084.56 -> a virtual router
10086.16 -> and a network acl protecting the subnet
10090.16 -> so that's it network acl protects the
10092.64 -> subnet
10093.92 -> now behind the network acl we're going
10096.16 -> to have like a host-based firewall that
10097.68 -> protects the server and that's going to
10099.52 -> be a security group but everybody say it
10101.279 -> with me even if you're home network
10103.2 -> access list protects the subnet security
10106.479 -> group protects the host everybody with
10108.16 -> me network access list protect the
10110.24 -> subnet security group protects the host
10112.88 -> i don't want anybody to forget this test
10115.2 -> question network access list protects the
10117.12 -> subnet security group
10119.76 -> protects the server or service so keep
10122.8 -> that in your mind so now you know what
10125.12 -> is a network access control list
10129.359 -> so let's talk about security groups
10131.84 -> security group is just like a network
10133.68 -> access control list but instead of being
10135.279 -> applied to the subnet it's applied to
10137.68 -> the server now the good news the cool
10140.64 -> stuff about the security groups is
10142.24 -> they're kind of a stateful firewall
10144.56 -> so that means you've got it here's your
10146.96 -> server you've got your security group on
10148.56 -> the way into the server
10150.319 -> all you have to do is allow in
10152.56 -> your rules because when your traffic
10154.399 -> comes into the server the firewall is
10156.64 -> stateful so it's going to say okay allow
10158.479 -> in and allow out so your security groups
10161.6 -> are stateful
10163.68 -> so
10165.12 -> you only need to allow them in one
10167.04 -> direction stateful doesn't mean you only
10169.52 -> need to allow in one direction stateful
10171.84 -> means track the state of the connection
10174.399 -> but the net effect of tracking the state
10176.479 -> of the connection is you only have to
10178.319 -> allow it in a single connection which
10180.08 -> makes it really really great so that's
10182.56 -> how we're using these things so let's
10184.16 -> walk a little bit
10186.319 -> when it comes to high security
10187.52 -> environments you're going to use it all
10189.52 -> all but all of it all of it so
10191.76 -> security groups allow support allowance
10194 -> only because remember you got an
10195.04 -> implicit deny it's a firewall allow this
10197.359 -> in block everything else
10199.359 -> all not allowed traffic guess what
10200.88 -> denied
10202.319 -> all rules
10203.6 -> are evaluated here so
10206.56 -> when you're dealing for example with the
10209.92 -> the the security group it's going to
10211.6 -> look at all rules when you're looking
10212.8 -> with an acl as soon as you hit that deny
10215.04 -> it was just trashed so you know keep
10217.279 -> these things just keep that in the back
10219.12 -> of your mind let's look at it
10220.72 -> architecturally speaking one time i'm
10222.24 -> going to go back to a picture it's going
10223.279 -> to look a lot like the last picture but
10224.8 -> not exactly and here's the reason
10227.92 -> here we've got our same internet gateway
10229.76 -> we've got our network acls protecting
10231.359 -> the subnet we've got our security groups
10233.359 -> now highlighted in blue
10235.68 -> the server
10238 -> now
10238.96 -> let's talk about
10240.8 -> the
10241.84 -> the dirty little secret of security
10244.24 -> the second you start putting in your
10245.84 -> firewalls your ids ips systems your
10248.96 -> access control lists your security
10251.359 -> groups your host-based firewalls your
10253.52 -> malware protection your you start
10255.92 -> disabling unnecessary services you're
10257.76 -> going to do a lot
10259.04 -> when you start getting into these
10261.12 -> environments
10263.2 -> what ultimately happens you will break
10265.279 -> things
10266.16 -> it's just a matter of when
10267.76 -> now how do you debug these things you're
10270.399 -> using packet sniffers or protocol
10272.399 -> analyzers
10273.84 -> but
10274.64 -> aws gives you some very useful tools
10278.88 -> one of my favorite aws tools to use are
10281.52 -> something called vpc flow logs
10286.319 -> now there's all kinds of great
10287.92 -> cloudwatch things like aws gives you some
10289.52 -> great monitoring things but i'm a
10290.72 -> network person
10292.479 -> what a network people like me look at
10294.08 -> we're used to looking at cisco netflow
10297.439 -> cisco netflow tells us a lot about the
10299.359 -> traffic that's going through our systems
10301.12 -> so many network architects were looking
10302.64 -> at netflow aws created their own version
10305.279 -> of netflow they called it a vpc flow
10307.04 -> logs this is awesome you can find the
10309.279 -> data that's coming into your network
10310.72 -> through your network it's kind of great
10312.56 -> so
10314.16 -> your flow log data can be put in
10315.76 -> cloudwatch you can stick it in s3 this
10318.88 -> is
10319.72 -> incredibly useful when you're diagnosing
10322.08 -> connection problems it can help you find
10324.479 -> overly restrictive security group rules
10327.2 -> it can help you monitor traffic that's
10328.96 -> reaching your systems it can determine
10331.12 -> what's blocking what's allowing this
10332.72 -> just really cool stuff totally totally
10334.72 -> totally love vpc flow logs they feel
10337.359 -> just like netflow
10340.16 -> so
10341.12 -> basically what happens you you create a
10343.279 -> you set up your flow log
10345.439 -> and
10348.8 -> it basically you tell it the type of
10350.479 -> traffic to capture whether it's accepted
10352.24 -> traffic or rejected traffic or all that
10354.72 -> traffic then you tell it where you want
10356.64 -> to push
10357.84 -> your flow log data
10359.84 -> and then you can see it so i'm actually
10362.24 -> going to share with you a picture that i
10364.319 -> took from aws you can see the source
10367.359 -> because it is their photo you can see
10369.439 -> where we got it i recommend you go read
10371.279 -> that article it's a good one and that's
10372.88 -> why i left the article name there and
10375.04 -> that's why i used an aws graphic with
10377.12 -> the name because i wanted everybody to
10378.24 -> be able to go there it's a great thing
10380 -> so if you look on this flow log graphic
10381.84 -> you can see very clearly
10384.319 -> you find the account
10386.16 -> the source destination address the
10388.24 -> protocols and port numbers and we can
10390.56 -> see okay rejected being blocked say for
10392.72 -> example by
10394.08 -> by something being allowed so we can
10395.68 -> find out you know if we've got an overly
10397.2 -> restrictive access control list
10399.52 -> so these are one of the things that i
10401.04 -> like so
10402.16 -> you know next what we have tomorrow
10404.319 -> which is going to be some really neat
10406.16 -> we're going to get into some meat about
10408.399 -> uh vpns and and direct connections and
10411.84 -> we're going to talk about all the
10413.12 -> architectural pieces and the routing
10415.6 -> pieces and we're going to have some real
10417.84 -> depth and we're going to have lots of
10419.6 -> fun
10420.96 -> we will at some point probably do some
10422.56 -> security if you guys want and maybe
10424.479 -> we'll do a whiteboard session where we
10426.24 -> map you through how do you really lock
10428 -> down an enterprise we may do one with
10430.479 -> regards to how do we do it with cloud
10431.84 -> native tools which will work for a good
10433.76 -> number of customers and then maybe we
10435.92 -> talk about how would you secure like a
10437.68 -> high security environment again using
10440 -> some of the tools that we're going to
10441.04 -> get from the marketplace so there'll be
10443.12 -> lots of things that we can do
10444.8 -> so a couple of thoughts
10446.64 -> for those of you that have joined late
10449.52 -> don't worry you're going to be able to
10451.359 -> watch this on youtube you can start the
10453.68 -> beginning of the video
10455.76 -> tomorrow we can again come where you can
10458.72 -> so you can catch up tonight and then go
10460.399 -> tomorrow i'm going to answer some
10461.92 -> questions in a second but i want to
10463.279 -> remind everyone at 5 00 p.m imran takur
10466.399 -> is coming between imran and i will have
10469.04 -> three ccies and we're going to do some
10471.68 -> vpc peering
10473.439 -> we'll set up some vpc endpoints we're
10475.439 -> just going to have some fun we're going
10476.56 -> to demo how to do all this really cool
10478.56 -> stuff so that'll happen at least once
10481.279 -> maybe two or three times this week we're
10482.72 -> going to give you some surprise cloud
10484.479 -> infrastructure engineering work in
10486.08 -> addition to just the cloud architecture
10487.6 -> work because i want you to have it all
10488.96 -> so chris if you want to bring in some
10490.64 -> questions let's finish the day off with
10492 -> some questions
10495.52 -> all right any questions that we didn't
10497.84 -> answer or more questions i'd rather
10500 -> spend 20 minutes answering your
10501.439 -> questions or whatever it takes i want to
10503.12 -> try and do what i can do or even if it's
10505.439 -> to help out
10506.56 -> question how much network traffic flows
10508.56 -> from servers in an auto scaling group to
10510.319 -> an application load balancer
10512.319 -> um how much network traffic
10517.52 -> watch the base that's totally dependent
10518.96 -> upon your servers you can have servers
10521.6 -> with 100 gig network cards that are that
10523.359 -> are running at 100 100 gigs each server
10526 -> and you could have hundreds of those
10527.2 -> servers in a high power environment or
10529.439 -> realistically speaking you could have
10530.88 -> less than a meg of traffic so it's
10533.6 -> totally based upon the application
10535.6 -> traffic that you have
10537.12 -> and uh that that's going to be based
10539.2 -> upon your application there's
10540.479 -> realistically nothing that i can give
10542 -> you to guide you that's the question is
10543.359 -> why you have to ask the customer
10545.84 -> what is your traffic pattern how many
10547.68 -> users do you have where are your users
10549.359 -> how many million hits do you get per day
10551.2 -> per second per week per month only your
10553.92 -> what's the average web page size or your
10556.399 -> what is on your web page is it static is
10558.72 -> it photos is it videos you know
10561.84 -> um it could be anything
10564.399 -> so the next question's not uh
10566.8 -> specifically related to this but i
10568.399 -> thought it was a very important one
10573.04 -> vikram nanda how many years experience
10574.8 -> to become a cloud architect
10576.72 -> you know it's a pretty interesting
10577.92 -> question vikram
10579.279 -> and i'm going to give you the honest
10580.56 -> answer it's not how many years
10582.56 -> experience you have experience doesn't
10584.319 -> matter what matters is competency
10587.04 -> so
10589.2 -> let's say you have two people let's say
10590.96 -> you've got a 14 year old that broke into
10592.64 -> the pentagon or a 50 year old with 25
10595.52 -> years experience in security that can't
10597.6 -> do penetration testing wouldn't know
10599.12 -> what a firewall is
10600.88 -> and doesn't know what an ids is but
10602.64 -> they've been working there and they've
10603.76 -> got five certifications
10605.92 -> vikram you're going to hire the 14 year
10607.359 -> old that broke into the pentagon
10609.279 -> so vikram i've got to tell you in the
10610.96 -> last you know six months i think i've
10612.8 -> gotten about 100 people hired as cloud
10615.52 -> architects and i'd say 30 or 40 of them
10617.68 -> have never worked in tech in their
10619.12 -> entire life
10620.399 -> and it didn't matter so it's not how
10622.72 -> many years of experience are required to
10626 -> to be a cloud architect it's are you
10628.399 -> capable and competent so here's what's
10630.399 -> going to have to happen
10632.08 -> first and foremost you're going to need
10633.76 -> a couple of things
10636 -> you have to be competent what does
10638.16 -> competent mean it means extreme
10639.84 -> knowledge of the network and the data
10641.6 -> center knowledge of routing knowledge of
10643.76 -> switching and i'll give you the full
10645.04 -> answer you need to have about three to
10647.68 -> five thousand pages of routing knowledge
10650.16 -> specifically from the books internet
10651.68 -> routing architectures from bassam
10654.319 -> halabi routing tcp/ip volumes 1 and 2
10656.72 -> from jeff doyle as well as the stevens
10659.279 -> book on tcp/ip i would say you need about
10662 -> 500 pages of that on top of that
10664.64 -> i would also say you need to learn qos
10667.2 -> you need to learn
10669.439 -> vpn technologies ipsec technologies all
10672.24 -> kinds of direct connections all kinds of
10673.84 -> etherchannel port channel link
10675.439 -> aggregation groups to say that that then
10677.52 -> you need to have deep knowledge of
10679.359 -> firewalls ids ips systems vpn
10682.319 -> concentrators load balancers
10684.64 -> all of this stuff you gotta have that
10687.439 -> and i'm gonna tell you we're talking
10689.04 -> about 75 000 pages of reading to have
10691.12 -> the competency when i take people um
10693.76 -> we're dealing with about 500 hours of
10695.52 -> training then what we have to do is as
10697.6 -> follows that's 50% now most of the cloud
10700.479 -> architect job is not so technical
10703.279 -> everybody has it in their head that it's
10704.72 -> technical and all my people that get
10706.24 -> hired i have to make them i have to
10708.16 -> basically tell them not such a technical
10710.24 -> job so the next thing that needs to be
10712.399 -> there is you must have extremely good
10714.8 -> executive presence exceptional
10717.04 -> communication skills high levels of
10719.439 -> executive presence the ability to write
10721.92 -> the ability to sell so when you get
10724.08 -> these interviews here's what you need to
10725.68 -> do next what you need to do
10727.6 -> is you need to have experience that
10729.359 -> matters
10730.72 -> so for example i have my students vpn
10733.68 -> into a data center and i have them build
10736.56 -> everything my students build a cloud
10738.24 -> from scratch every cloud architect
10740.479 -> should know how to build aws from
10742.64 -> scratch and if you don't don't apply for
10744.56 -> a job you don't have the competency you
10747.04 -> should know how to build a firewall you
10748.96 -> should know how to build a vpn
10750.24 -> concentrator you should build an active
10751.92 -> directory server you should know how to
10753.68 -> federate that active directory server
10755.279 -> with that whole cloud that you built
10756.56 -> yourself you should work with server
10758.399 -> virtualization work with containers and
10760.08 -> all that should be on your resume then
10762.16 -> vikram the key is to skip hr now i got
10765.52 -> to tell you a lot of my students get
10766.88 -> hired by aws one was with me for three
10769.12 -> weeks they just got hired and never
10770.399 -> worked in tech in his entire life but he
10772.56 -> took a technical account manager role
10774.56 -> and another one recently was with me for
10776.16 -> three weeks and he was a network person
10777.68 -> who instantly went there but he had good
10779.279 -> networking background
10780.84 -> so regardless of the cloud providers and
10783.359 -> i've got students that are working in
10784.72 -> all of them it's the competency now i
10787.52 -> got to tell you when somebody brings you
10789.2 -> in for an interview
10791.279 -> they assume you can do the job and all
10794 -> these people azure brings people in with
10795.76 -> no experience for an interview google
10797.439 -> brings people in with no experience for
10798.72 -> an interview and aws brings new people
10801.2 -> in for an interview and if the new
10802.88 -> person does a great job on that
10804.479 -> interview they get hired
10806.24 -> now if the new person goes on that
10807.76 -> interview and is terrible doesn't have
10810.399 -> the competency do you know what they say
10812.24 -> i'm sorry you don't have no experience
10814.56 -> experience is a proxy for we don't think
10816.72 -> you're competent that's when people say
10818.72 -> come back when you have more experience
10820.24 -> now hr is another story
10822.88 -> you have to under and then we'll talk
10824.08 -> about how do you skip hr
10825.84 -> you have to understand hr's problem
10829.12 -> hr are good people they're highly
10831.12 -> educated people a low performance
10833.12 -> company like a cable company will get 3
10835.76 -> 000 applications for a single job
10838.72 -> a good company like a google or an aws
10842.56 -> or a cisco they might get five to ten
10844.399 -> thousand applications
10846.08 -> for a single one
10848.56 -> so because of that they put all these
10850.8 -> roadblocks and by the time they
10852.479 -> interview someone they're not
10853.6 -> necessarily the right person it goes to
10856.08 -> the hiring manager the hiring manager
10857.6 -> interviews these people and they're like
10859.84 -> i can't hire these people they're a jack
10861.279 -> of all trades and master of none
10863.6 -> so what most organizations do is they
10865.439 -> hire an executive recruiter vikram nando
10868.08 -> on friday i will have some executive
10870 -> recruiters on my channel we use
10872.16 -> executive recruiters we have now 300
10874.08 -> executive recruiters we use for the
10875.52 -> students in our cloud architecture
10876.88 -> development program the executive
10878.96 -> recruiter will have you meet directly
10880.72 -> with the hiring manager, skip hr, and
10883.279 -> then it's up to the hiring manager and
10885.2 -> when that hiring manager asks you a
10886.8 -> series of questions it's up to you to
10889.279 -> answer those questions properly
10891.439 -> your executive presence your
10892.88 -> communication skills your emotional
10894.399 -> intelligence your competency will work
10896.64 -> and then we've got to talk about the
10897.76 -> competency i'm going to tell you this
10899.04 -> what's covered in the aws certified
10900.72 -> solution architect professional is about
10902.8 -> 8 to 10 percent of what you need that other
10906 -> 90 to 92 percent needs to be taught and
10909.04 -> if you don't have that again so it's not
10911.04 -> the years of experience because someone
10913.2 -> could have been a software developer for
10914.64 -> 20 years and that's not related but
10916.96 -> someone could have been a network a
10918.319 -> network engineer for two years and it's
10920 -> highly related so anybody can do it i've
10922.8 -> got nurses that have done it recently
10924.56 -> i've got people from sales that have
10925.84 -> done it recently
10927.279 -> anybody can do it it's not your
10928.64 -> experience it's how hard you're willing
10930.08 -> to work you got to be willing to do that
10932 -> work it's about 500 hours for me to
10933.84 -> train someone with no experience to get
10935.2 -> them hired as a cloud architect
10937.2 -> and 500 hours a lot
10940.08 -> can you use a network acl for a private
10942.08 -> subnet instead of having to use the
10943.76 -> egress
10946 -> i'm not really sure what you mean now
10947.439 -> you can use network acls on all subnets
10949.76 -> um so you're not you're going to use an
10952 -> access control list on all subnets anywhere
10954.16 -> all the time anytime you want to protect
10955.84 -> your subnet so i'm not necessarily sure
10957.279 -> what you mean it's not just to connect
10959.12 -> out external networks
10964.88 -> do i use the aws network access analyzer
10967.6 -> not at all i use tools that i've been
10969.84 -> familiar with forever and a day we use
10972.24 -> protocol analyzers
10974.399 -> i use routing tables and routers and
10976.16 -> switches and i ask questions but to be
10977.76 -> fair
10978.399 -> i'm not a cloud engineer i'm an architect
10980.64 -> so you know i'm not exactly getting
10982.319 -> hands-on as an architect i do it as an
10984.24 -> engineer but now i there there's very
10986.56 -> good strong industrial tools that i use
10988.319 -> for most of these things um and they uh
10990.72 -> they are things that network architects
10992.24 -> and engineers use they're not coming from
10993.52 -> the cloud provider
11000.56 -> sm7 do you set what traffic to allow in
11003.68 -> and out of the host with the security
11004.96 -> group yes
11007.04 -> if so what's the point of having
11008.96 -> specific traffic
11010.72 -> okay so defense in depth so one is none
11014.96 -> two is one and three is greater than two
11016.72 -> so here's the way you lock down systems
11018.399 -> sm7
11020.319 -> first thing you do let's see
11021.68 -> appropriately let's say you've got a
11023.439 -> content delivery network let's say we're
11024.96 -> using cloudfront to lock our systems
11026.88 -> down we'll use shield for ddos
11028.72 -> protection now behind that sm7 we're
11031.68 -> going to put a firewall around us let's
11033.6 -> pretend we're in the castle
11036.08 -> let's say we put a 300 foot wall up to
11039.04 -> keep people out that's the firewall why
11040.8 -> do we do that because we don't want to
11042 -> get anybody in
11043.52 -> now sm-7 let's say we've got somebody
11045.92 -> that rolls over the firewall
11048.56 -> behind the firewall on the castle they
11050.319 -> have a moat
11051.52 -> and it's filled with alligators and
11053.52 -> sharks and dangerous animals why
11056.479 -> if anybody breaches the firewall they
11058.96 -> fall into the moat and they get eaten by
11061.04 -> sharks and alligators
11062.88 -> and let's say you've got someone they're
11065.2 -> like a navy seal they get over the firewall
11067.76 -> they swim through the moat they
11069.2 -> don't get eaten by the alligators or the
11071.359 -> sharks
11072.8 -> so you put a couple of lions back there
11075.2 -> and the lions you know are there to eat
11077.04 -> them the lions, the moat,
11079.84 -> the sharks: consider them to be
11082.08 -> your intrusion detection and intrusion
11083.6 -> prevention system
11085.2 -> now behind that
11086.88 -> because this guy that got in or a girl
11088.56 -> it's bad they want to harm you
11090.479 -> then you use a network access control
11092.399 -> list
11093.279 -> but guess what this guy beats the
11094.8 -> network access control list so guess what
11096.72 -> now you use a security group and the
11098.72 -> security group is going to block them
11100.88 -> but this person's smart they get past
11102.64 -> your security group so inside of your
11104.399 -> server guess what else you've done
11106.08 -> you've put a second host-based firewall
11108.24 -> in that server you've disabled all the
11110.479 -> unnecessary services and tcp ports you
11113.439 -> put some anti-malware protection and
11115.359 -> it's still not enough somebody's
11116.96 -> knocking at the front door of your
11118.24 -> server so that's where your iam comes in
11120.72 -> sm7 are you allowed in no you're blocked
11123.84 -> so why are we doing this we're doing
11125.52 -> layers layers layers layers
11128.319 -> you know we're going to use a lot more
11129.6 -> layers than that sm7 to lock down the
11131.359 -> system it's going to take us layer after
11133.04 -> layer
11134.56 -> why do you use multiple layers why do
11136.16 -> you use multiple layers to dress when it's
11137.6 -> cold to trap the heat in why do you use
11139.6 -> multiple layers for security because
11141.6 -> people will keep breaching everything
11143.12 -> that you do and you want to make sure
11144.8 -> they can't break in that's why you're
11146.16 -> using multiple layers sm7 and there's a
11148.479 -> lot more layers that i haven't even
11149.84 -> talked about that we would add so think
11151.68 -> it's not just a security group or
11152.88 -> network acl it might be 15 times more
11154.8 -> than that that we need just to create an
11156.64 -> appropriately secure environment
11159.12 -> but great question
11167.68 -> how does the network acl protect the
11169.52 -> subnet well it's basically like a
11171.52 -> firewall rule that says this traffic is
11173.6 -> not allowed in
11177.2 -> so if you've got a subnet and you've got
11179.439 -> and you basically only allow traffic to
11182 -> one server and you only allow a port 443
11185.439 -> um realistically speaking um what's the
11188.16 -> word i'm looking for
11190.56 -> uh
11192.08 -> you would just block it or keep it out
11193.439 -> of there so i hope i answered your
11194.399 -> question
11197.12 -> sm7 thanks mike you've said this time
11198.64 -> and time but you're getting it now
11199.92 -> as long as you got it that's okay i just
11201.52 -> wanted you to get it however that takes
11203.2 -> it doesn't matter
11205.359 -> i'm just thrilled you got it
11207.2 -> okay chris let's see what else we have
11208.8 -> here is there any others because it
11210.56 -> looked like i saw somebody asking
11214 -> the next couple of ones are not so much
11216.08 -> content as a career so okay i saved them
11220.56 -> um
11221.68 -> and not really sure
11224.08 -> exactly on the this one but i'm gonna
11225.76 -> put them up back to back because they're
11226.88 -> from the same person
11228.84 -> sure because i asked for clarification
11231.76 -> and the second one is what i got so
11239.04 -> okay so let me answer both of those
11241.439 -> things
11243.439 -> so you want to go back to the first one
11245.6 -> certification so
11247.68 -> people look at me and my perspective of
11249.52 -> certification i want to make it really
11251.68 -> clear i actually like certifications
11254.88 -> now i want to be really clear
11257.68 -> what i mean by liking certification
11261.439 -> certifications can show
11263.68 -> that you've gone through the effort to
11265.68 -> learn the names of vendor services and
11267.68 -> how to configure them
11269.279 -> and when you lack experience adding some
11271.92 -> certifications to your resume is
11274.439 -> amazing
11276.319 -> amazing
11279.04 -> because it can help get you an interview
11281.359 -> but i want to be really clear what is
11283.279 -> tested on a certification
11285.279 -> the name of the service and how to
11286.96 -> configure that service that is what is
11288.56 -> on certifications
11290.88 -> and if you are a junior cloud engineer
11293.279 -> and what you do is you configure s3
11295.12 -> buckets that certification is really
11297.84 -> helpful
11299.12 -> but here's the problem
11301.439 -> as architects
11303.2 -> we don't configure anything
11305.439 -> we design so knowing the name of the
11307.359 -> service and how to configure it is
11308.72 -> completely worthless for us the
11310.319 -> architects now still the certification
11312.64 -> is good because it helps us get the
11314.08 -> interview but it won't get us hired
11316 -> because it's not relevant to what we
11318.08 -> actually do what we actually do as
11321.6 -> architects is design and there's really
11324.72 -> no design in there
11326.8 -> now the other problem with the
11328.399 -> certification is they don't explain what
11330.88 -> it is so the certifications are
11333.2 -> phenomenal if you've been a network
11334.88 -> engineer for the last 10 years
11338.24 -> and you know what a firewall is and you
11340.56 -> know bgp and you know ospf and
11343.439 -> is-is (intermediate system to intermediate
11344.8 -> system) and software-defined networking
11346.88 -> and rsvp signaling and vlans and 802.1q
11350.16 -> tagging and not
11351.439 -> you don't need any of this
11353.68 -> then you pick up one of these books like
11356.08 -> i love this it's a nice book for the
11357.6 -> azure expert um
11361.12 -> we're always reading everybody's content
11362.8 -> to see what we like what we don't like
11364.239 -> in fact i got to tell you the only
11365.68 -> content i've ever seen that was any good
11367.279 -> was produced by the sybex books or the
11369.12 -> cisco press books the rest of the
11370.72 -> content out there is a little on the
11371.92 -> fluffy side but i do like these kind of
11374 -> kind of books the cisco press book and the
11375.92 -> sybex book i found to be pretty good as
11378 -> well so
11379.84 -> you still need to get certified now
11381.359 -> here's where certification hurts people
11384.16 -> if the certification is in your field it
11386.56 -> makes you look great so mr chatter or
11389.68 -> chattery we've got a certified solution
11391.68 -> architect professional and a cisco
11393.76 -> certified internetwork expert now we've got
11396.08 -> the brand of a cloud network architect
11398.72 -> looks good expert network thing good
11401.6 -> cloud thing we look solid so that
11404.239 -> certifications are worth it
11406.479 -> now you want to be an architect and you
11408.399 -> study sysops which is maintenance
11410.399 -> devops which is automation
11413.279 -> application development alexa you've got
11416.399 -> now 10 of these certifications and
11418.16 -> they're all in 10 other careers now
11420.479 -> these certifications make you look
11422 -> confused and unfocused and unattractive
11425.439 -> to the employer
11426.72 -> so getting the wrong certifications will
11429.04 -> hurt your salary and hurt your job and
11432.479 -> hurt your employability so it's not that
11435.279 -> certifications are worth it are not
11437.439 -> worth it it's getting the certifications
11439.84 -> that build your brand
11442 -> so
11443.2 -> when i do cloud security
11444.96 -> here's what you do
11446.359 -> cissp and the certified solution
11448.479 -> architect professional note i didn't say
11450.56 -> the aws advanced security not that i
11452.72 -> don't love the aws advanced security but
11454.8 -> it's not big enough i need you to get
11457.2 -> the big stuff i need you to know how
11459.359 -> everybody does it and that way when you
11461.359 -> work on aws and azure and google because
11463.6 -> as a cloud architect you're going to
11464.72 -> work on all of them you're going to know
11466.479 -> the underlying so it's not that i don't
11468.96 -> love aws certs i do
11471.12 -> i love google certs i love azure certs
11473.12 -> i love all of them
11474.88 -> but i want you to know what a network
11476.96 -> load balancer is for real
11481.12 -> separate the elastic load balancer from
11484.319 -> the cloud load balancer and really learn
11486.64 -> what a network load balancer is, what
11488.319 -> an application load balancer is, and that
11490.56 -> way when you're in your hybrid cloud and
11492.16 -> you have an f5 load balancer you'll know
11493.92 -> what to do when you're in aws which is
11496.239 -> incredibly good cloud you'll know what
11498.399 -> to do and when you connect to the azure
11500.479 -> cloud as well you'll still know what to
11502.08 -> do because let's face it a single
11504.16 -> service provider is a single point of
11506 -> failure and you're going to use multiple
11507.359 -> service providers so
11509.2 -> it's not that the certification isn't
11510.88 -> great it's that i need you to be
11512.64 -> competent first so get just enough
11515.359 -> certifications now
11517.2 -> here's the last part of this
11520.16 -> here's what i need you to understand
11522.399 -> certification on average can raise your
11524.319 -> salary approximately ten thousand
11525.92 -> dollars a year
11527.439 -> soft skills training for an architect
11529.359 -> can raise their salary about fifty
11530.88 -> thousand a year on average and emotional
11533.359 -> intelligence training can raise
11534.64 -> someone's salary on average thirty
11536.319 -> thousand dollars per year when you look
11537.6 -> at statistics
11539.04 -> so
11539.92 -> if you do the extra certifications and
11541.84 -> you can have a ten thousand dollar
11543.12 -> impact over your career over thirty
11544.88 -> years that's three hundred thousand but
11546.72 -> by focusing on those higher skills those
11549.04 -> more enterprise the architect skills
11550.64 -> that are worth more you can add an
11552.319 -> additional 2.4 million to your career so
11554.96 -> it's not that i don't love
11556.08 -> certifications it's that i want to build
11557.92 -> you the best career and as a career
11560.399 -> coach who's focused on getting people
11562 -> hired and promoted and paid more
11564.16 -> i place my efforts on the things that
11566.08 -> maximize the return on the time that's
11568.16 -> spent by my client so certifications yes
11570.96 -> you should definitely definitely
11572.239 -> definitely have the aws certified
11573.84 -> solution architect professional if
11575.6 -> you're going to work on aws that's kind
11577.04 -> of my kind of my version of the minimum
11578.96 -> certification but then get something
11580.8 -> else
11582.319 -> in the industry you want to become great
11583.76 -> at it so i hope i answered your first
11585.279 -> question now chris was there a second
11586.64 -> question
11590.399 -> it was it was just a clarifier you could
11593.279 -> you got it
11599.92 -> can i explain the ephemeral ports
11603.76 -> not elegantly in the short period of
11605.359 -> time what he's actually referring to is
11608.479 -> you know you may hit a web server at
11610 -> port 80 and it may start answering um at
11613.279 -> a certain number of ports but when
11615.439 -> you're dealing with an access control
11617.04 -> list you don't necessarily have to worry
11618.88 -> about the destination port as much as
11620.399 -> the source port you know what the
11621.6 -> source port is you don't necessarily
11623.04 -> have to worry about too many things with
11624.319 -> ephemeral ports unless you're dealing
11626.16 -> with a poorly designed application
11627.68 -> that's going to use a million and one
11628.8 -> ports and you don't know what they are
11630.319 -> in which case then you're going to have
11631.76 -> to open up a lot more ports on your
11633.279 -> access control lists
11635.359 -> realistically speaking so
11637.84 -> kind of work with that so i guess i'm
11639.6 -> kind of thinking uh
11641.04 -> mind-opening talk wonderful greatly
11642.56 -> appreciated wonderful i want to give you
11644.479 -> guys everything that you need genie it's
11647.2 -> always incredibly good to see you um
11649.52 -> thank you so much
11652.319 -> okay so i want to let everybody know
11653.92 -> that at 5:00 p.m. i know we're we're
11656.479 -> flooding you with free content this week
11658.239 -> but you know we like to give free and we
11659.84 -> like to watch you people get hired we
11661.68 -> like to hear you guys doing great in
11663.04 -> your lives and your careers in every way
11664.64 -> it makes us super excited
11666.319 -> so at 5 pm imran is going to come back
11668.88 -> and we're going to have some fun we're
11670.16 -> going to geek it out we're going to do
11671.76 -> some configuration we're going to have
11673.12 -> some lots and lots and lots of fun so
11675.359 -> it's going to be fun one day we may even
11677.6 -> bring in some cisco routers this week
11679.279 -> and do some bgp configuration i'll see
11681.12 -> what we can do so hit that like button
11683.92 -> tell others to subscribe and i hope to
11685.6 -> see you all back at 5 pm tonight
11687.6 -> everybody i can't wait to see you all
11692 -> see you tomorrow see you tonight
11693.359 -> depending upon which time zone you are
11695.12 -> we're just happy to see you so much
11699.359 -> so if you're having a good time can you
11701.279 -> type aws advanced networking course in
11704.399 -> the window
11706.72 -> and i'll see you all tomorrow
11713.6 -> thank you all so much
11716.56 -> thanks jaws
11721.279 -> david i'm so thankful you joined us
11726.319 -> i'm so happy you were here pal wonder
11728.319 -> i'm always good to see you
11732.399 -> i'm gonna come on screen because they
11734.08 -> keep saying mike and chris so i'm like
11736 -> i'm gonna come get my recognition
11738.08 -> so chris so everybody that's here you
11740.239 -> know chris let's thank you chris is my
11742.239 -> chief operating officer chris works
11744.8 -> really hard to make sure my students are
11746.479 -> successful i wouldn't even know where to
11748.479 -> be if chris didn't even tell me where to
11750 -> be there he had to send me a text
11751.6 -> message hey mike did you actually stop
11753.84 -> your class on time so you can eat before
11755.76 -> you can be here so we got to thank
11758.239 -> no no i didn't send a message i'd sent a
11760.8 -> message to the entire class to make sure
11762.64 -> that you stopped
11764.399 -> so that they could get you started
11766.16 -> that's true a seam obviously that'll
11768.479 -> help you pass the aws advanced
11770.16 -> networking exam it's a relatively easy
11772.16 -> exam but i strongly recommend a practice
11774.319 -> test but it's a pretty simple exam
11777.12 -> yeah
11778.64 -> so yeah so we'll be back at uh five
11780.88 -> o'clock so
11782.56 -> an hour and 43 minutes from now
11785.68 -> aqua great seeing you i see you magda's
11787.84 -> here i've seen some of the names i the
11789.68 -> ones that i've seen i've said hello to
11791.12 -> but uh there's been a lot so wow it's so
11793.76 -> good to see you guys here yeah lots of
11795.92 -> comments i'm trying to make sure i get
11797.439 -> them all on here before we close out
11800.319 -> i like to make sure even if it's just a
11802.64 -> split second that everybody gets up i
11805.04 -> like you know honestly there we go chris
11806.96 -> is the man i like that i like that one
11809.439 -> too i think you did great
11813.92 -> all right
11816.08 -> i just keep i'm wrath i'm happy to see
11817.76 -> you with phil davis that's the name i'm
11819.12 -> happy to see yeah share the glory there
11821.439 -> we go
11823.76 -> elijah oh it's good seeing you there
11826.08 -> aaron your name alonzo i haven't spoken
11828.08 -> to you since yesterday so it's been a
11830.08 -> long time we got to come up with a
11831.76 -> costume for me now chris the superhero i
11834.72 -> think we can do that although i'm
11836.88 -> thinking cindy needs a linkedin page
11838.479 -> we're gonna have to do that someday soon
11840.239 -> yes i i agree
11844.72 -> yeah all right
11847.12 -> all right well uh
11849.04 -> central time pacific time so five
11850.88 -> o'clock eastern time so four o'clock uh
11853.439 -> central three o'clock uh mountain
11856.56 -> two o'clock pacific and whatever time
11858.96 -> arizona decides it wants to use
11861.92 -> yeah i never know what time it is over
11863.439 -> there a couple time zones in mountain
11865.279 -> time some places actually are on pacific
11867.76 -> time somewhere on mountain but it's only
11869.12 -> during daylight savings time
11871.12 -> yeah i don't even know when daylight
11873.12 -> savings time is on or off or what it is
11875.68 -> i just know
11877.2 -> yeah
11878.88 -> i just go where i'm told yep
11881.68 -> all right
11883.359 -> i finally got
11884.88 -> finally got caught up bye everybody see
11888.08 -> you any of those uh see you all tomorrow
11890.16 -> or tonight if you want the bonus round
11892 -> take care everyone it's been such an
11893.439 -> honor
Source: https://www.youtube.com/watch?v=ujPJuF_GZso