In this episode we discussed all-things VPC!
From the very basics of structure and best practices, deep down to wiring the internals, hacks tips and lots of other stuff.
Things we mentioned:
boom oh my ready I am ready and action no pop no pop no pop actually okay hello everyone and welcome to the 18 episode of DevOps topics where we write topics we like this important okay and where we write down topic with a typo well not a time but and no parent betting ever you need to write things with a typo lift yeah and and today's topic for the 18th episode is VPC which stands for the child private cloud and of course you're in the surprise now without the style but you know we need to tell the acronyms you know I love the word acronym so only we should change it into an English lesson rather than a DevOps podcast I might do like a sidekick or audience like a sidekick sidekick you'll be my sidekick in the sidekick I can do that okay so today's topic is VPC so email what is the first thing that comes up to your mind when I say VPC except for the child private cloud okay I have a lot to say so your job is to just stop me from talking I think okay regards to VPC okay I will clap when I want you to stop yeah say the safe work the safe work okay they fall in the clipping okay VPC we both let's give a background we both work on AWS any kind of terminology any kind of concept we talk about can be easily transferable or translateable to other clouds what we're going to say here everyone has especially Azure GCP same like AWS I'm sure that digital ocean and others will probably work the same but I know for a fact that Azure and GCP do so just like a small FYI VPC is your way to encapsulate great word encapsulate network resources what it says on AWS is like you said virtual private cloud back in the old days I used to have a way to deploy stuff that are not part of my network you could for example pick an EC2 which is an instance and just start a server in the cloud without having to mention where it's running that those days are gone it used to be called easy to classic I think and today you don't have easy to classic anymore you just have an easy to that has to sit sit sorry as part of virtual private cloud if you don't configure one AWS will provision one for you that's one thing I think you and I need to discuss whether you're using that or not I'm immediately saying no don't use the default VPC for a reason we'll talk about in a sec create your own two main reasons one you may probably especially if you're building a production robust network you want to segment it in a certain way the other is you need to know what's going on in your VPC and I'll say why why in a sec that's the basics okay why would we need a virtual private network this is a way to create our own network simple as that and define IP ranges define where we want it to sit when I say where we want it to sit a VPC has to sit on a certain region AWS has like whatever 20 plus something regions which are different locations in the world each region is divided into what we call AZs availability zones it can be from one to two three up to six or seven in the big ones maybe Virginia is the biggest one in the world in any case you can decide those so a VPC is segmented into subnets subnets are parts of your network and they're different segmentations you can break them down into different IP ranges and you can define them in certain ways these subnets yes subnet I'll sub network of your network boom just saying you know do something years to discover that okay that's great okay so your subnet works are ways to separate it the main two types of subnets on AWS are private and public very easy what makes a subnet private or public on AWS when you create a subnet you need to route it to somewhere if you don't add anything to a routing table then every request that's coming out of the subnet will be rerouted into the subnet so you can only communicated communicate sorry within things that in your subnet for example I have two servers in a certain subnet there's no connection to anywhere in the world they can speak between them if you try to download something from the internet maybe run peeping stall or NPM install it would not work two ways to make a subnet communicate with the internet one connected to an internet gateway that would allow you to communicate with the internet back and forth back and forth I mean you can route requests starting from your internal servers and you can communicate from the outside world if you have an IP attached to a server I can reach out from the outside world given that the firewall as in security group is open and let's me communicate for example I want to go to HTTP I can talk to the server if it's on the public network if I put my server in a private network I can either not connect it to anything or like we said before maybe I want to run peeping stall I can attach a not gateway not is a do you remember what it is in what it stands for network network other translation I said never know that so not basically is your way to run a protocol that's called DHCP and that's a way to get requests from the other outside world or wherever and translate that into an internal network it does it takes an incoming public request and translate it into internal IP range and what that lets us do is a one way filter that lets us communicate outside if I want to run peeping stall again I'm running outside to the world installing something from the internet but if something wants to communicate with me and initiate a connection it doesn't know who I am because there's one public IP or a few doesn't matter but it doesn't know my specific address under that thing your router in your house serves the same purpose by the way it's also a modern but also a router it takes a public access IP and translate it into many devices that's it was that enough we can go a lot further and deeper as you probably know but that's the basics of whatever pieces okay so I want to even take it like okay I want to take what you just said and lower it to the home level just like you started with the local thingy so for example just to give you examples to the listeners viewers anyone in the crowd you know the crowd so anyone who listens that if you're at home and you are connected to the internet let's say you're viewing us now or listening now so you are connected to the internet so what happens is as almost stated like there is like your home is sort of like a virtual private well not cloud but network you're in your own network and your gateway outside is as I mentioned the router now in some homes you have multiple routers but you only have usually you know in a home a single point of access to the internet which is provided by your internet service provider by your ISP which you pay for each month so every month you pay to ISP in each country it's different let's take I don't know United States for example maybe Timobile or Verizon or AT&T or you know I just said I think mobile companies but I think they also provide in you know Internet services to local homes and do that router there's also a modem right or some component that lets you access the outside network right and this is sort of what's happening in the cloud so as almost said like your computer is like a machine which is in AWS is an EC2 right so if we take if you start compelling so let's say my laptop which is connected to the home network is an EC2 is a virtual machine but it's a read machine and the router is almost said an internet gateway so at home you usually don't have you know network access like not gateway right usually you don't have that component it's only in the cloud for its purposes for going outside with a single IP and to protect private resources blah blah blah but at home the router is enough and you can access the outside though the outside world cannot really access you because you got all of those rules and whatever so in case you're not really aware of what's going on like what's the cloud and now you can know that according to your house you can always compare like think of it like at my house I have my subnet which is you know you can always compare which is you know usually at home you will use a you know 192.168.168 yeah exactly those number or maybe exactly like 10-0 and those private subnet numbers so we also use them in the cloud right so that's the same thing so I want to know what you said exactly and take it to the next level so this is all use yeah in the cloud we more often than not especially in production we want high availability. I said something about having different aces and different subnets a subnet spends across an aces meaning I can put two or three different availability zones. But that gives me especially about what you said at my home I'm paying an ISP right if I fail to pay or the ISP fails or the infrastructure fails and disconnected from the internet. But when I have a backend server in my production account I can't I can't live with the fact that only one connection this kind of everything depends on this one connection I want high availability in order to do that I might want to consider or you should consider spending across multiple aces at least two. And this way I have a load balancer on top of that I think you mentioned that before a load balancer can actually spend across multiple subnets across multiple availability zones and it can have we call it a little legs or foods it can have one foot here and one foot there and it can take requests from the outside and route them between those two. They can have two different instances but they serve the same purpose one sits on one availability zone the other is on the other both are connected independently to the network and then if one fails the other can start taking requests all of the requests instead of this one. There are ways to even leverage that in the DNS level and always send health checks seeing that the actual backend server is valid the load balancer does that on its own so. You work all that hard especially on AWS a will be that's what it does you give a certain type of health check for what is an a will be on a. And they will be is an application load balancer and what is the difference between you say ald what's the difference between ald and our nlb maybe okay and lb is a network load balancer they so why would I use like when do I use this when you use that. Okay let's get into that a load balancer basically what it does is distributing the load that's coming in from the outside across multiple servers that's the the essence of it. In AWS we used to have a classic load balancer I think that's kind of deprecated we have main two others is there are there more main two right. There's only one thing yeah right network more often the not is used for like we said network traffic more on the TCP level that would be layer for in the scheme three okay. So that operates on that on that level and for that reason it's very very fast much more than an application load balancer that's not a slow load balancer but it serves. It's purpose in a it's called it a native a more native network way application load balancer on the other hand works on the seven six so we're higher. Seven seven yeah yeah somewhere. It works on all in seven by the way something like that I think that okay like this one is really that the other one is for seven. So usually the protocols that it works in our HTTP HTTPS and it has features that serve more an application rather than a network traffic that can be SSL termination health checks to HTTP endpoints which is what I said just now you can actually make it sample and HTTP endpoints on the servers and understand where there's something is up or down and then decide where to route. So it has a lot of more features for example if you deploy that on top of a target group on an ECS cluster or wherever you use a target group. You can define rules that tell the load balancer where to route a certain request maybe i'm going to slash application or slash health or slash debug or slash something and based on that it can take the request and route it somewhere else. Or can the sub domain level maybe I'm requesting app one dot my company dot com that would be one endpoint and app to dot my company dot com that would go someplace else and A will be sorry can do all of that for you. Okay, so that can sit on top of the applications listening and serving two availability zones for high availability and route the traffic between them that's it. So I need the cut off like okay so I'm new to a W I heard about the concepts of color balancer because I heard the DevOps topics 18 episode so I heard about it and then I went to AWS you're navigated I went to the EC2 VPC whatever load balancer and then I had the choice of collecting like I have my application I have as almost said I spread my EC2's over two availability zones I'm trying to create a load balancer and then I'm like wait which one I should choose application or balancer or network load balancer and I quit I'm not sure which one should I choose. Well how would you say the cut off maybe what like what's the main reason for to choose this one over the other one so it's a good question it's depend it depends on what you're served if for example like I said you're running on top of. And a fleet of EC2 instances or an ECS cluster that's serving a web application that's working in either port 80 or port 443 but they're accepting HTTP access from the internet you need an application load balancer to be able to work on that level and serve the requests. For another example you are serving VPC endpoint and we'll we didn't talk about VPC endpoints but we will in a second but you're serving something else and network access gate that takes incoming TCP requests and need to route them somewhere on the network. It can be all kinds of packets any type of of TCP access right any kind of port in the world you can think of I can route that through a network load balancer especially if that thing is going to be. A single point of failure that needs to be very available very robust and needs to operate across a lot of more requests and is operating on the TCP level that would be an network load balancer I hope that answers. Okay I'll give my two cents I think they are to sense about it like like a very very simple decision for me okay I think usually I'm like okay I'll take this one but for me it's like okay I need a static IP address so if I need to serve my application with the static IP address because God knows why maybe I need to be whiteness it somewhere maybe my users are hospitals and hospitals only whiteness specific range of IP addresses so maybe application needs to be served as you know with a static IP address so I'll take a network load balancer just to give one example. If my application like if I don't care about static IP address it's for example so I'll probably have more benefits of the application of balance because it also includes the if I need it not sure if I do like if I can use the where application firewall because I'm on the seventh layer so I have what right what. If you use the where application firewall having said that or having that said if you're using maybe cloud file which provides a proxy to your DNS records so maybe you don't need the WAF because everything is already protected in cloud you can add the network I don't know like you can also protect your your network load balancer with that you know right with cloud so it really depends on what you use just saying my would mention WAF and it's worth getting into WAF but in a little bit I want to finish a few topics before but yes definitely should shoot so what else you want to talk about. So before I'm going into VPC and points with some mention I just want to finish the idea of having something in the VPC although it sounds like we are done. So we talked about having the public option the private option with not and the complete private option with no access at all. To think about that first if you need to start locating things things by things I mean easy to instances databases load balancers you need to decide where to deploy them. And application load balancer for example or any type of let's go for application load balancers probably is accepting requests from the internet and it's need it needs to route them within the network to provide that subnets so you would locate your application load balancer it can also be engine X or any type of proxy that needs to be accessible from the world in the public zone. So in public subnets that are connected to an internet gateway your application back in servers regardless of whether that's Kubernetes node or ECS or just EC2 anything that's a backend. Needs to sit in your private subnets more often than not with an at gateway because it needs to be able to access the outside world you don't want things to come into it on their own make sense. And lastly if you have things that don't need any type of access which means they don't need to access the world that you don't want the world to access them the only thing you want accessing them is your backend application any idea for a type of resource that answers to that. Like the VPC you're like you're referring to the VPC endpoint as real something. You're you're thinking like an ups and gender I'm trying to. Yeah, you're going you're going ahead. No, I'm in databases. The only thing they need to communicate with I think like nine out of 10 times that would be your backend application it needs to query something from the database and respond. Really inbound connection. No, exactly that's it only inbound it needs to come in from the VPC stay in the VPC and sort of you know because databases do need updates but if you use a manage database. There are a lot of you definitely there are a lot of caveats if your database is managed on an EC2 and you're running by the way I hope you're not messaging in and trying to update the database. I hope you have some kind of rotation mechanism maybe within auto scaling group something like that and user data that's installing it. But yes, if you need to install the patches and it needs to access the world it needs to be in a nut. If that's not the case please put it in a private subnet with no access to anything other than the backend servers and the way you do that is you locate security groups on top of everything and you can decide for the security group what it allows in and what it allows out. Usually the out we don't we don't care about it all that much although you can and you should. But we care about what comes in the database should only allow the port for the database. For example 637 I wouldn't try to remember parts now but you need to access the specific port for the specific database. Same goes for the application which probably listens on a special port 80 80 5000 4000 doesn't remember what. And your load balancer needs to accept for for three for HTTPS if you wanted to listen for a 80 and then route it to for for three never mind. Just make sure it's protected make sure the traffic is encrypted open the only the ports you need in the security groups and that is a complete answer to a question I ask in interviews and I never get the right answer. So that's all so all you gotta do is tell them listen to this episode and that's it yeah that's why I wanted to do it. But you gave like a full architecture of full blown application you know that's like a big thing correct okay okay so I think so I have a gut feeling that you got like tons of things you want to talk about so I feel like I'm I'm giving you the mic this time to to say what you want to discuss about because I feel you have a lot to say about this topic. Let's you want to start shooting questions like I always know one more thing which we talked I think we mentioned something so it's important we go ahead and talk about do you want to talk about VPC endpoints shoot. All right VPC endpoints that's it let's move on to the game. VPC endpoints important concept on AWS that let's you do basically a main thing and then the other the main thing is that you can route things internally what do I mean by that the most simple example is. Okay so you can provide internal traffic away to go without going okay I want to query something from an S3 bucket my application is working with with an S3 bucket instead of each time I want to access the bucket. I need to access the world through an at gateway for example go to the internet then back to S3 then fetch the thing then go back and download it I can use a VPC endpoint for S3. Doing that I get multiple things first of all I don't have to use a nut not gateway not only it costs money it means you're less secure because your request is re routed through the board. If I'm going through a VPC endpoint everything is going through AWS so it's called the AWS backbone and you're already on AWS so the routing is shorter because it sits already on their infra. I say for because their infra is more isolated protected than what not and it's faster of course. But one caveat VPC endpoint also costs money so you always need to find the sweet spot between what am I doing what am I optimizing for is it's paid is it costs is it security so. Just keep that in mind and what you also can do is create custom VPC endpoints so for example if you're a security company. And you're serving customers a lot of customers wouldn't want the agents or not agents or whatever is scanning their account to bring back and forth requests over the internet even if they're encrypted even if I don't know what. A lot of them will ask you to route it through AWS because maybe your customers are already there you can create a custom VPC endpoint and have the entire communication use the or leverage the AWS network instead of using the internet and that's safer and faster. That's it. Next you mentioned maybe Mongo Atlas is using it you know because I know that Mongo Atlas provide like if you're on AWS and that's provide you like. A lot of these last take all of these yes you have the options so they probably use something like a custom VPC endpoint so you communicate with them maybe just a guess because what you just said. Yes okay so by the way you remember I told you about the VPC endpoint and ECL it can also save you a lot of money instead of going through that gateway as you said because. Night gateway and also VPC endpoint you pay both you pay for two things one till our second for traffic traffic yeah and traffic security cost even more than our depends on the usage. Very much so okay so any other topic you want to talk about Omar. I think that covers it for the most of it we can talk a little bit about stuff that are global okay VPC endpoint is a global thing on a VPC another type of global thing is. Knuckles network access control list I didn't win the competition of acronyms but I got one. So this is correct me if I'm wrong by by describing it but this is kind of your way to have a global security group on top of your entire network so a nickel can actually is more of a firewall so you can put a firewall on your VPC attach it to your VPC and then decide globally what comes in and what not. Well I can block all SSH access everything that comes into port 22 is going to be blocked for now on I can also block it on the IP level or just the IP level I don't remember but can put rules to define that as certain CIDR block will never be able to access your network. Maybe as means to block a DDoS attack maybe as means to block just certain countries that you don't have anything to do with. These are knuckles anything you wanted to add. Let's say so security groups are usually more applicative you can also. Okay so security groups are for allowing usually but not usually but security groups are for allowing because they are blocked by default. And knuckles you need to allow and block on both ends. Thank you told me something about one being stateless and one being state fully. Yeah we had an episode about it. So usually like when I think of security groups I'm like okay this is more applicative like which maybe subnet or maybe which secure the other security group I want to allow. All right I think the last thing that we touched on and just didn't expand and it doesn't really have to do with VPCs but we touched about. And it's funny because I had an interview last week and I didn't mention it but the interviewee brought up the WAF. So we started barking like what? Yeah exactly how'd you know? No that's me I know. Sorry I just I wanted to know and WAF is important but it's also important to understand what it does. So WAF is a web application firewall so it's kind of like a normal firewall that can block an IP or a port but this is more of a rule engine. So I think AWS have their own certain rule set, surely Cloudflare do and that's your way of blocking weird access request let's call them. So what hackers will normally do if they want to attack you specifically or just scan they will try to inject weird request with all kinds of weird characters and null point I forgot null by whatever they'll try to inject stuff and make certain requests to see if you respond to some of them. Maybe just generic requests maybe they're expecting an engine X answer and they want to try and hack this engine X and they'll try send all type of requests from with all types of strings onto your system. And a WAF can just stop that for you with the default set of rules and if you know something's dangerous on your own you know your application you know your API gateway. You can add your own rules and have them blocked on that level and then the requests never gets to your infrastructure. So you don't have to first of all you offload stuff because you don't have to deal with them on the application level and second of all you stay protected. Cool. I want to give a simple example of WAF and then we move to the corner of the week so I'll just give a very very very like very short use case. So assuming your company has a VPN okay so a VPN usually has static IP address so everyone in a company may be in the office has one IP address or from home. So usually you have like a set of IP addresses which you can say okay these these are safe addresses right. And assuming your application is behind a load balancer which is behind the application firewall. Cool. So in the application firewall WAF WAF WAF you can add a rule which says let's say I once only employees to access the path in my application which is a slash by the. Okay, according to path so what I can do is add a rule which says slash private enable access only to the set of IP addresses of the VPN or office or whatever. So this way my application is protected no matter what happens. It's like a very simple use case usually this is the best way I think to realize that WAF can be as simple as that. Pretty stuff you can also use what you said which is I think that you have a cloud formation template for that one. I know that the cloud formation of secure automations you know which is a big thing again. SQL in secret injections and stuff like that. Yeah, so putting that aside if you just want to block access to your application and make it available only to specific things maybe slash back end slash whatever you can do it with the WAF which is very. Even for the poor yes. I mean it's very very simple you create like a set of IP addresses you add it and then you don't think we don't even need to. To redefine the rule if you want to add more IP addresses more remove them you just use the same set. I mean by the way SQL injection is the best example for WAF because if you read any type of manifest for SQL injection all the tests look more or less the same with question mark and and try to use the. The one quote the single quote and then try to add like a hash or something they there's a set of most likely SQL injection strings that would work and WAF will just block them out of the way that it will remove all of them. Yeah, so weird traffic like maybe bursts of traffic from a weird place so it can automatically do stuff. Okay ready for the corner of the week. Let's do that. Okay. Like how it sounds. What is going on. Yeah. Yeah. Okay. So going over the week. Oh man. What was your experience or technology technology to discover or story of task or anything you want to show that happened to you this week last week or last year. Okay. Apparently if you're considering to build a Kubernetes cluster or maybe you're already running one but you are thinking about your ingress ingress controller. If you've researched this filled a little bit you probably know there are tons of them. We can just think of four or five out of the of the top of my hand for sure. There is apparently a docs of public Google sheets. I think document that you can find online. I'll add the description in the show notes and that has pretty much all of them. And they're segmented into all kinds of it measure features like which portal protocols are supported features routing options all types of stuff in this huge huge. A sheets document that's very public and then tons of readers like hundreds of people are connected every second to read it. So I'll add that and it's really cool if you're considering a replacement or a new one. So that's for you. Wow. Cool. So before I move to mine you said you can just shoot just shoot three you know just so we have the audience like what you said in this controller. So just shoot the three ones that you all familiar and I'm sure. Yeah. Those are the exact ones. Yeah. Yeah. And also traffic like to say traffic because I think they're French. Really. I think so. Yeah. That explains a lot of things. Okay. Right. Yeah. I couldn't I you know are you now complicated. I cannot unhear this and now I have to say it like that even in my head. Yeah. Yeah. Exactly. Okay. Okay. I okay moving to me to me moving to me moving to me moving to me moving to me moving to me over to you. Good English. Good English. Okay. So so my experience this week was and I think you like it. I developed something with Nest JS and the front end was V it with V it right. No idea how I said with react which is weird but okay because I like view JS or view if you know it. And the database is MongoDB sometime in the architecture there there for this week. Okay. MongoDB and I also did all the authentication with Cognito like AWS Cognito. So the whole application is Nest JS for backend. Database again with MongoDB front end was very V it with React and authentication with Cognito. Why am I saying that because I was able to develop everything locally. So nothing in the cloud so I got docal compose running local stack which is running AWS locally with Cognito and in that same docal compose file, you know I I got MongoDB. I also I'm also running MongoDB express which is the graphical user interface to see your MongoDB. You have other tools for that you got compass you get many other things and I stopped putting that aside. We also talked about it last week. I'm developing natively on my machine on my like you like. With you know Nest JS and V it and they are running locally on my machine nothing container right. And I'm I still haven't created the infrastructure in the cloud I still haven't created it in for watching it also right now I'm only developing everything locally and testing everything locally and everything locally. Once I start moving to the cloud. Oh you know write a docal file and then I'll do the trick. I wonder if you'll try to deploy compose on to ECS. No no no no I I wanted to do it like one time ago but then I realized. It's so and also I'm using MongoDB Atlas. Yeah you know so so I won't need that I think like right. Yeah so it was very fun and I and I realized that Nest JS and Mongoose if you know Mongoose yeah. Okay so Mongoose that VRM like for those who don't know is the ORM for MongoDB. I think it's in their docs isn't it. Well it isn't it coming with Nest JS but they talk about yeah so they got type all M and and Mongoose which is type. Yeah so they are the ORM that you can talk with a database which is very nice I mean the whole ecosystem that I just talked about the whole. Of course you through everything security with helmet and yeah it's perfect. Yeah it was very very very nice so I'm really enjoying the development process especially because everything is on my machine so everything is like super fast. Okay so this was Max doing this week and it's probably going to be for the next few weeks. Amazing yeah that's it on my end in the real thumbnail. No that's it I think we can wrap up. It's going to be I think the longest episode ever. Okay working right over there. Yeah so see you next week. See you. Bye bye.