
AWS ENI - Query from Viewers -- 005

Hi guys, 

I have got the following doubts from one of our viewers on this video --


So by adding multiple ENIs to AN INSTANCE:
1. Still it's a single point of failure, wherein if the instance fails, all the attached ENIs also fail, right?
ANS: Yes, if the instance fails, all the ENIs attached to that instance would not be of any use. Multiple ENIs do not increase the availability or bandwidth of the machine; rather, they are there for isolation purposes.

2. Normally in ON-PREM INFRA, we used to have multi NIC for the web server so as not to have a single point of failure in case one NIC CARD fails. Whereas in AWS it's a virtual world and I assume it's a managed service, right? We don't have to worry about the primary failing at all?
ANS: On AWS, we handle that scenario via an Auto Scaling Group, so that if a machine becomes unreachable, another instance takes its place.

3. Why should we disable the SOURCE/DESTINATION CHECK FLAG for the ENI? I think we disable the "SOURCE/DESTINATION" check only when we create a NAT INSTANCE, is that right?
ANS: That's correct. Other than for NAT, you do not have to disable it.

4. The primary ENI can't be detached, because that's the one which makes the instance have a public and/or private IP, right?
ANS: Not so. It is more of a restriction from the AWS implementation perspective. In future, they might start allowing it (as you can detach the ROOT EBS volume of a stopped machine).

5. So the best use case for multi ENI would be, wherein a. In a single large instance with multi ENI, that one instance can be part of both private and public subnets. b. Having said that, I can have the web server facing the internet on the public ENI and the database also in the same instance on the private ENI, and configure the security groups accordingly.
ANS: Sorry, incorrect! When you create an ENI, you can see that its scope is a Subnet (the same way the scope of an EC2 instance is also a Subnet). Hence, an EC2 instance and an ENI would be there only in one subnet (not two).
You can use multi ENI to give 2 different IPs to 2 different user groups, e.g. on an EC2 instance open port 8080 on IP1 and port 22 on IP2. Also, attach different security groups to the above ENIs. Hence, the users would never know they are accessing the same machine.

6. So with multi NIC, I can have multiple websites on the same server, with each NIC attached to one website?
ANS: You can have multiple websites on one machine even without multi NIC. Different web servers (like IIS) support the same.

What is VPC? Learn from scratch

VPC (Virtual Private Cloud) is an isolated area carved out on AWS for yourself. You control the size of this area and the Private IP range used in this area. You also control the behavior of different sections of this VPC (which are called Subnets).

If you don't have time to read, just watch this compiled video playlist.

A subnet can be Public or Private in nature. You launch instances (EC2, RDS, Redshift etc.) by choosing a subnet, and this decides the Private IP of the instance. In addition, the network-level behavior is also decided by the subnet (in a Public Subnet the instance would be reachable from the internet, e.g. web servers; in a Private subnet the instance would not be reachable from the internet, e.g. DB servers). All the instances in a VPC can talk to each other using Private IPs.

With a new AWS account, you get a default VPC in every region. Use this only for initial practice and quick instance launches. For any customer POC / implementation do not use the Default VPC; rather, create a new VPC based on customer (or project) requirements. Watch this video to learn VPC creation from scratch --


Based on the above video you can create a new VPC. While creating the VPC and subnets, take care of their sizing as these cannot be modified once created (a VPC / subnet needs to be deleted and re-created; there is no modification/extension). Talk to your customer and understand how many resources need to be placed in Public and Private subnets and size them accordingly.

The instances launched in a Private subnet are not reachable from the Internet directly. In case you need to change something on Private instances, you will have to make use of a Bastion Host (or Jumpbox). A Bastion Host is just a small machine (Windows/Linux) which is launched in a Public subnet (and given a public IP). We first log in (via RDP/SSH) to this machine and then connect to machines in Private Subnets via their Private IP. You can learn the same with a demo video here ---


A VPC exists at region level; a subnet exists at AZ level. The following entities exist within a VPC:

  • Security Group (VPC level, across subnets in that VPC) (learn SG here)
  • NACL (VPC level, across subnets in that VPC)
  • ENI (at a subnet level) (learn ENI here)
At minimum, you should have your subnets in 2 different AZs to ensure high availability. Within a VPC:
  1. A Security Group can be attached to multiple instances
  2. An instance can have multiple Security Groups attached to it
  3. A subnet can have only one NACL attached to it
  4. An NACL can be attached to multiple subnets
Every VPC is an isolated network and 2 VPCs cannot talk to each other (except via the Public network). If you want to enable communication between 2 VPCs over the Amazon private network, use the VPC Peering option ---


Happy Learning AWS. Please do share this post with your friends :) 

AWS Practical Exercises -- 001

The following exercises are given in order to test your skills and understanding. We will try to set up an environment and cover things along the way.

  1. In Oregon, create a VPC with CIDR 10.0.0.0/24
  2. Divide this VPC into 6 subnets across 2 AZs (e.g. a, b)
  3. Make 2 subnets Public (namely 1-a, 1-b)
  4. Make 2 subnets Private with outbound internet (namely 2-a, 2-b)
  5. Make 2 subnets Private with no outbound internet (namely 3-a, 3-b)
  6. Create a Public Classic ELB in 1-a and 1-b. It should accept traffic on port 80 from ANYWHERE. Create health checks for the instances in 2-a and 2-b.
  7. Create 2 Linux/Windows instances in 2-a and 2-b with a web server installed (Apache/IIS). These instances should accept traffic on port 80 only from the ELB. Register these instances with the ELB.
  8. Create a multi-AZ MySQL RDS in 3-a and 3-b. This DB should accept traffic only on port 3306 from the instances in 2-a and 2-b.
  9. Create a Jumpbox / Bastion host in 1-a or 1-b and verify the above connectivity.
  10. Ensure that Security Groups and NACLs are created properly.
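Since subnet sizing cannot be changed after creation (see the VPC post above) and the exercise requires the Security Group chain ELB -> web -> DB, here is an added planning script (my own example, not from the blog or AWS) that carves the exercise's 10.0.0.0/24 into the 6 subnets, validates the layout, and audits the ingress rules for any non-ELB group that is opened to a CIDR instead of to another group. The tier names, the `AWS_RESERVED` count of 5 addresses per subnet, and the SG names are my assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed to match the exercise: /24 VPC, 3 tiers x 2 AZs (a, b).
VPC_CIDR = "10.0.0.0/24"
AZS = ("a", "b")
TIERS = {"1": "igw", "2": "nat", "3": None}   # tier -> default-route target
AWS_RESERVED = 5  # addresses AWS reserves in every subnet (first 4 + broadcast)


def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, tiers=TIERS):
    """Split the VPC CIDR into equal subnets, one per (tier, AZ).

    Returns a list of dicts with the subnet name (e.g. '2-b'), its CIDR,
    its default-route target and the number of usable host addresses.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    needed = len(tiers) * len(azs)
    new_prefix = vpc.prefixlen + (needed - 1).bit_length()  # 6 subnets -> /27
    if new_prefix > 28:
        raise ValueError("AWS subnets must be /28 or larger; enlarge the VPC")
    blocks = iter(vpc.subnets(new_prefix=new_prefix))
    plan = []
    for tier, egress in tiers.items():
        for az in azs:
            block = next(blocks)
            plan.append({"name": f"{tier}-{az}", "az": az, "cidr": str(block),
                         "default_route": egress,
                         "usable_ips": block.num_addresses - AWS_RESERVED})
    return plan


def subnets_valid(plan, vpc_cidr=VPC_CIDR):
    """True if every subnet lies inside the VPC and no two overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    inside = all(n.subnet_of(vpc) for n in nets)
    disjoint = all(not a.overlaps(b) for a, b in combinations(nets, 2))
    return inside and disjoint


# Ingress rules for the exercise; a source is a CIDR or another SG's name.
EXERCISE_SG = {
    "elb-sg": [("tcp", 80, "0.0.0.0/0")],
    "web-sg": [("tcp", 80, "elb-sg")],
    "db-sg":  [("tcp", 3306, "web-sg")],
}


def audit_ingress(sgs, internet_facing=("elb-sg",)):
    """Report rules on non-internet-facing groups whose source is a CIDR
    rather than a security-group reference (a break in the SG chain)."""
    findings = []
    for name, rules in sgs.items():
        for proto, port, src in rules:
            if name not in internet_facing and src not in sgs:
                findings.append(f"{name}: {proto}/{port} open to {src}")
    return findings
```

With a /24 each of the 6 subnets ends up a /27 with only 27 usable addresses, which is why the sizing conversation with the customer has to happen before anything is created.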
RESOURCES for help:
