Before diving deep into AWS networking, it is important to understand the fundamentals of IP networking in general, so in this video I'm going to give you a brief overview of the important concepts of IP networking. It's not going to be very deep, it's more of a refresher; if you're interested in learning more, there are plenty of resources out there that will teach you these concepts in much more detail. All right, let's get started. Okay, so in this example I have client C with an IP address 10.1.1.100 and it wants to communicate with an HTTP server S with an IP address 10.1.2.100, and since this is HTTP we want to send packets on port 80. All right, so let's first understand what an IP address is. An IP address is a 32-bit unique identifier on an IP network. It can be represented in binary form, but we also came up with a human-friendly notation, which is this dotted decimal form, so let's take a look into that a little bit more. We can split the 32-bit address into groups of 8 bits, also called octets, so we split the 32-bit number into four octets of 8 bits. Then we can convert every octet into decimal form and put a dot between them: 10 in decimal can be represented as 00001010 in binary, and we can do the same for the rest of the octets. The number at the top is the binary representation of this IP address. A common thing you will see in IP networks is the netmask represented in slash notation. A netmask is a number from 0 to 32, which can also be represented as a 32-bit binary number with a number of leading ones followed by zeros; the number from 0 to 32 says how many leading ones there are in that binary number. In this case there is a /24, which means 24 leading ones, three octets out of four, and the last octet is all zeros. There is another concept called the network address; this is how different hosts on an IP network can tell whether they are on the same network or not. In order to get the network address we need to apply a logical AND operation. If we do this, we receive this number, and we can convert it back to dotted decimal format; this is what we will receive: if we AND 10.1.1.100 with the netmask 255.255.255.0, we end up with the network address 10.1.1.0. If we take another IP address, in this case our destination 10.1.2.100, and AND it with the same mask, we can calculate a new network address, in this case 10.1.2.0, and we can compare those two: 10.1.1.0 and 10.1.2.0 are different network addresses, and that's how client C knows that HTTP server S is not on the same network as the client.
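If you want to try this binary math yourself, here is a minimal Python sketch using the standard ipaddress module with the two addresses from this example; the manual AND at the end is the same operation done on the raw 32-bit integers.

```python
import ipaddress

# The same bitwise-AND logic from the example: IP address AND netmask = network address.
client = ipaddress.ip_interface("10.1.1.100/24")
server = ipaddress.ip_interface("10.1.2.100/24")

print(client.network)   # 10.1.1.0/24
print(server.network)   # 10.1.2.0/24

# Client C concludes the server is NOT on its local network, so it must use a router.
print(client.network == server.network)  # False

# Doing the AND manually on the raw 32-bit integers gives the same result:
mask = int(ipaddress.ip_address("255.255.255.0"))
print(ipaddress.ip_address(int(client.ip) & mask))  # 10.1.1.0
```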
Why is this important? Let's jump to the next diagram. Usually between two hosts there is a bunch of networking infrastructure: there are switches, there are routers, there are firewalls, and they all perform different functions. For this example I'm going to focus only on routers. Client C is connected to router 1 and server S is connected to router 2, so those two routers are directly connected, and they are also connected through this other router as well. In order for the client, or pretty much any IP host, to make a decision about where to send a packet, we consult what is called a routing table, and the routing table exists even on the client. In this case client C will have an entry for its directly connected network, 10.1.1.0/24, which is on interface eth0, and it will have a default route, 0.0.0.0/0, going to 10.1.1.1, which is the IP address of router 1 over here. How does it know which entry to use? This is where longest prefix match comes into play. If we want to send a packet to, let's say, 10.1.1.200, which would be on the same network as client C, the client can look up and see that the best match, the longest match in the routing table, is the directly connected entry, so it will use that entry on interface eth0. It's important to understand that 0.0.0.0/0 also covers that IP address, but because the connected entry has the longest prefix match, the longest mask, and it covers that IP address, that's the one that gets selected. So to send packets to 10.1.1.200 it will use the connected entry even though the default route also matches. If the destination is on a directly connected interface, we use a protocol called ARP, or Address Resolution Protocol, to get some additional information; we'll cover that in just a second. In this case we want to send traffic to 10.1.2.100, so it will actually match only the default route, because the connected entry doesn't match at all. In order to do these lookups efficiently there are special data structures, for example a trie, such as a Patricia trie, which allows this lookup to be done efficiently.
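As a rough illustration, this is what that longest prefix match lookup could look like in Python for the client's two-entry routing table; the interface name eth0 and the next-hop labels are just placeholders.

```python
import ipaddress

# Client C's toy routing table from the example: (prefix, next hop / interface).
routes = [
    (ipaddress.ip_network("10.1.1.0/24"), "directly connected, eth0"),
    (ipaddress.ip_network("0.0.0.0/0"),   "via 10.1.1.1 (router 1)"),
]

def lookup(destination: str) -> str:
    dst = ipaddress.ip_address(destination)
    # Keep every route whose prefix covers the destination...
    candidates = [(net, hop) for net, hop in routes if dst in net]
    # ...and pick the one with the longest mask (longest prefix match).
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1]

print(lookup("10.1.1.200"))  # directly connected, eth0 (both match, /24 wins over /0)
print(lookup("10.1.2.100"))  # via 10.1.1.1 (router 1)   (only the default route matches)
```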
We know that we will send the packet to router 1, so what happens on router 1, how does it know where to send it next? When router 1 receives this packet, it has its own routing table. If you don't do anything, it will only have entries for its directly connected networks, in this case 10.1.1.0/24, 10.1.20.0/30 and 10.1.20.4/30, and their respective interfaces. Now, every router needs to know about both the source and the destination network, because very often we send packets in one direction, a request for example, and then we send a response back, so we need to understand where to send that response packet; that's why routers need to know about both source and destination. In this case router 1 actually knows about the source network via its connected entry, but it doesn't have an entry for our server, so where do we send this packet? We can see on the diagram that we could send it here or here, so where should we send it? That's where routing protocols come into play, and there are two main methods. One of them is called static routing, which means that we go to every router along the way and statically configure all of these routing details. For example, I can go to router 1 and say: if I want to get to network 10.1.2.0/24, I need to send it to my neighboring router, which is 10.1.20.2. Then I would have to do a very similar thing on router 2 and on pretty much every router. As you can imagine, that's not very scalable, it involves a bunch of manual configuration, and there is another problem: what happens if this link goes down, how do we reroute traffic? We would have to reconfigure the static routes or use some other techniques, so that's not very scalable. In order to solve this there is dynamic routing, and there are a bunch of different protocols. One of the most well-known is called OSPF, which uses the Dijkstra shortest path first algorithm to find the best way towards a destination; the main function of a router is actually to find the best path towards a destination. Using a routing protocol like OSPF, routers can exchange information about the networks they know with each other, and this way they can figure out the best way towards a destination.
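To make the shortest path idea a bit more concrete, here is a tiny sketch of Dijkstra's algorithm over a made-up three-router topology with made-up link costs; OSPF builds a link-state database and runs this kind of computation on it.

```python
import heapq

# Hypothetical link costs between the three routers in the diagram (R1, R2 and the third router RV).
# OSPF floods link-state advertisements so every router can build this same graph,
# then runs Dijkstra's shortest path first algorithm on it.
graph = {
    "R1": {"R2": 10, "RV": 1},
    "R2": {"R1": 10, "RV": 1},
    "RV": {"R1": 1, "R2": 1},
}

def shortest_paths(source):
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for neighbor, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(neighbor, float("inf")):
                dist[neighbor] = nd
                prev[neighbor] = node
                heapq.heappush(heap, (nd, neighbor))
    return dist, prev

dist, prev = shortest_paths("R1")
print(dist)  # R1 reaches R2 with total cost 2 via RV, not over the direct cost-10 link
```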
There are other routing protocols like RIP, EIGRP and even BGP. After we do this, router 2, for example, knows about 10.1.2.0/24 as its directly connected network, and then, using static routing or dynamic routing, it will know about the source network, which will be via 10.1.20.1, let's say, which is its neighboring router. So every router along the way will know how to send this packet. Let's trace it again: the client with IP address 10.1.1.100 wants to send a packet to 10.1.2.100. On every hop we consult a routing table. Our destination is here; this is the longest prefix match entry, so we send it to 10.1.1.1, which is here. Then this router will look up the IP address of the destination again, which is 10.1.2.100; the longest prefix match for it is this entry, so we send it to router 2, so we send it here, and then router 2 knows about that network as directly connected, so it can send this packet directly to the server. The HTTP server on the right will reply with 10.1.1.100 as the destination IP address; it has its own default gateway, so it will send this packet to router 2. Router 2 will look up this destination IP in its routing table, find the longest prefix match here, and send it to 10.1.20.1, which is this one, and then router 1 knows about that IP address as its directly connected network, so the return path will be like this. Okay, cool. Now that we have covered the basics of routing, let's look at the packet. Let's say we want to send an HTTP packet and it is a POST of "don't forget to subscribe".
The client will create this HTTP packet: we have a body here which has the action "subscribe", and we set an HTTP header which says POST to /channel. Then we need to encapsulate this packet. There is this TCP/IP model where different layers provide different capabilities. There is the application layer, which in this case will be the HTTP packet. We add an additional TCP header on top of it; the idea behind the TCP protocol is that it makes sure we have reliable communication between hosts. In this case we know the destination port number, which is 80 for HTTP; the source port the client will choose at random, in this case let's say 45324. TCP is considered to be a layer 4 protocol. On layer 3 we have the IP protocol, or Internet Protocol, which runs pretty much everywhere. The main identifiers on the IP layer are IP addresses, which in this case we already know, so we have the source and destination IP addresses. But then we come to this layer 2 header, which is Ethernet, and the identifiers on the Ethernet layer are actually MAC addresses, and here is where we have a problem. The client knows its own MAC address, it's assigned to the network interface of every device by the vendor, but when we create this packet we need to provide the destination MAC address of the next hop. You can see that in the IP header we have the IP address of the final destination, but the destination MAC address on layer 2 is actually the MAC address of router 1, the MAC address of this GigabitEthernet0 interface of router 1. How do we know this? There is this protocol called ARP, or Address Resolution Protocol. When we are on the same network, and here the IP address of the next hop is 10.1.1.1 and our source is 10.1.1.100, and we know that we are on the same network because we did our binary math, we can use this protocol to find out the MAC address of the destination, and it's pretty simple: we send a broadcast frame to all hosts on the same network saying "who is 10.1.1.1?", and then router 1 will see this ARP packet, recognize that this is its own IP address, and respond back with an ARP reply indicating its MAC address.
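For the curious, here is a rough sketch of what that broadcast ARP request looks like on the wire, built byte by byte with Python's struct module; the client MAC address below is a made-up placeholder.

```python
import struct

def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    broadcast = b"\xff" * 6                       # destination MAC: all Fs (broadcast)
    ethertype = 0x0806                            # EtherType for ARP
    eth_header = broadcast + sender_mac + struct.pack("!H", ethertype)

    ip_to_bytes = lambda ip: bytes(int(octet) for octet in ip.split("."))
    arp_payload = struct.pack(
        "!HHBBH6s4s6s4s",
        1,                       # hardware type: Ethernet
        0x0800,                  # protocol type: IPv4
        6, 4,                    # hardware / protocol address lengths
        1,                       # opcode 1 = request ("who has ...?")
        sender_mac, ip_to_bytes(sender_ip),
        b"\x00" * 6,             # target MAC unknown, that's what we're asking for
        ip_to_bytes(target_ip),
    )
    return eth_header + arp_payload

# "Who has 10.1.1.1? Tell 10.1.1.100" -- the sender MAC below is just a placeholder.
frame = arp_request(b"\xaa\xbb\xcc\xdd\xee\xff", "10.1.1.100", "10.1.1.1")
print(len(frame), frame[:6].hex())  # 42 ffffffffffff
```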
By using this ARP protocol, every device on the same network can learn another device's layer 2 address, and that's how this MAC address gets populated. So we send this full packet here to router 1; what does it do? It knows that it needs to send it to router 2. What routers do is a MAC rewrite: router 1 will change the source MAC address to its own GigabitEthernet1 interface, because it's over here, and then, according to its routing table, it needs to send it to 10.1.20.2, so it will look up that MAC address using ARP and put it into the packet, so the destination will be the MAC of router 2's GigabitEthernet1 interface. Hop by hop, every router keeps replacing this layer 2 information, but it's important to understand that from layer 3 and higher, from this IP header up, the packet stays intact; only the layer 2 information is changed on a hop-by-hop basis. Okay, so then this packet arrives here, and for the response the server will reverse this information: whatever the ports were in the TCP header will be swapped, the IP addresses will be reversed, the server will put its own source MAC, and it will put as the destination MAC the MAC address of GigabitEthernet0 of router 2, and then we repeat the process again step by step. Let's discuss the differences between two transport layer protocols, TCP and UDP. UDP is a very simple and lightweight protocol: it doesn't establish a connection, it barely has any features, there is no guaranteed delivery of packets, there is no congestion control, no sending rate adjustment, and because of the lack of features the header is also very simple, it's only 8 bytes long; it contains only the source and destination ports, the length of the data, and a checksum. In comparison, TCP is a much more advanced protocol: it establishes a connection, it provides features like reliable communication, it has built-in flow control and congestion avoidance, and it's also considered to be fair: if there are multiple TCP connections going through a link, it gives the different connections an equal opportunity to get a portion of it. In comparison, UDP just sends packets, it really doesn't care about anyone else; UDP is one of the most selfish protocols out there.
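That difference shows up directly in the socket API. Here is a minimal sketch; example.com is just a placeholder host and 192.0.2.10 is a documentation address that nothing will answer on.

```python
import socket

# TCP: connect() triggers the three-way handshake and gives us a reliable byte stream.
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp:
    tcp.connect(("example.com", 80))             # SYN, SYN-ACK, ACK happen here
    tcp.sendall(b"HEAD / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    print(tcp.recv(1024).decode(errors="replace").splitlines()[0])

# UDP: no connection, no handshake, no delivery guarantee -- just send a datagram.
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
    udp.sendto(b"hello", ("192.0.2.10", 9999))   # fire and forget
```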
Now, all of these TCP features are actually very complex to implement, and that led to a lot of different optimizations and many different implementations as well. From my perspective, TCP is one of the most complex networking protocols out there, definitely top one on my list, with top two being BGP, and it takes a lot of time and effort to understand it. I also think it's very important to understand it at least at some basic level, regardless of whether you're a network engineer or an application developer, mainly because TCP is the most widely used protocol out there. Now, if you want to learn more, check out Chris Greer's content on YouTube; he has tons of great content about TCP. All right, let's try to deconstruct this beast called TCP. Let's say we have a client and a server, and here you can see an exchange of packets over time. Let's start with the TCP 3-way handshake. When one side wants to communicate with another side via TCP, it sends the first TCP packet with the SYN flag set. The SYN packet contains a lot of negotiated parameters, things like the window and window scale, the TCP maximum segment size or MSS, supported options, etc., so you should think about the SYN packet not only as the first packet that initiates a connection but also as a way to declare what kind of capabilities there are on one side. When the other side sees this packet, it sends its own SYN packet in response containing its own capabilities, but besides setting the SYN flag it also sets the ACK flag, or acknowledgement; both SYN and ACK are set in the flags field of the TCP header. When the initiator receives the packet with both SYN and ACK flags set, it sends an empty packet with the acknowledgement flag set. Those three packets conclude TCP connection initiation and are called the TCP 3-way handshake. Now, we spent one round trip time on this 3-way handshake; we don't necessarily count the final ACK, because right after the initiator sends this ACK it can also start sending data, and in some implementations we can even send data inside of this ACK message itself. It's important to think about TCP in terms of round trip times, because in TCP we very often need to send acknowledgements back to the other side to let them know that we received the data. Let's briefly cover MSS, or maximum segment size. A typical Ethernet frame can carry 1,500 bytes of payload; the IP header takes 20 bytes and the TCP header usually takes another 20 bytes, so we have 1,460 bytes left. This number indicates the maximum number of bytes we can send in a single packet. There could be some encapsulation going on along the way between the two sides, there could be some VPN tunnel and things like that which consume some bytes for additional headers; in those cases the intermediary routers can actually look into the TCP SYN packet and adjust the MSS value. So this MSS value is set in the SYN packet by both the client and the server, but intermediary routers can adjust it, and this often happens if there are things like VPN tunnels which require additional headers, so those routers can decrease this value even further, they can set it to, let's say, 1,440 or 1,420. Now, for this example we will imagine that every packet we send is 1,000 bytes, just for simplicity.
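As a tiny worked example of that arithmetic; the 40-byte tunnel overhead below is just an assumption for illustration.

```python
MTU = 1500                   # typical Ethernet payload size
IP_HEADER = 20
TCP_HEADER = 20

mss = MTU - IP_HEADER - TCP_HEADER
print(mss)                   # 1460 bytes of TCP payload per packet

# If some tunnel along the path eats, say, 40 extra bytes per packet (an assumption
# for illustration), a router doing MSS clamping would advertise a smaller value:
TUNNEL_OVERHEAD = 40
print(mss - TUNNEL_OVERHEAD) # 1420
```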
Okay, let's now try to understand sequence and acknowledgement numbers in TCP; using those numbers, TCP can guarantee reliable delivery of packets. In our example the client is sending a big file towards the server; we can think about it as a stream of bytes. The TCP sequence number is the sequence number of a byte in the TCP stream; it is not reset between different packets, we keep incrementing it. So in this case, if I'm sending a TCP packet and I start with sequence number 1 and it has length 1,000, I'm sending bytes 1 to 1,000, and the next byte that I'm going to send will be 1001. The acknowledgement number is the sequence number of the next byte that is expected. So let's say we received 1,000 bytes: the acknowledgement number says "the next byte that I expect from you should have sequence number 1001"; that's where this acknowledgement number comes from. Let's talk here about the congestion window, also abbreviated as cwnd. For this toy example we set it to one MSS value, 1,000 bytes; in reality most clients right now set it to 10x MSS, so if your MSS is 1,460 it will be set to around 15 kilobytes of data. What is the congestion window? The congestion window is the number of outstanding bytes for which we haven't received an acknowledgement yet, the bytes that can be in flight, not yet acknowledged. The bigger the window, the more bytes we can send before we actually receive an acknowledgement; if the window is small, we will not be able to send data very fast, because for every, let's say, 1,000 bytes we will be waiting for an acknowledgement and will not be able to proceed further. So the congestion window is what actually allows us to adjust the sending rate to the available bandwidth of the link; for this toy example I set it to 1 MSS. The TCP algorithm has two parts: the first one is called slow start, and the second part is called congestion avoidance. The "slow" in slow start is actually misleading, because during slow start there is an exponential increase of the congestion window. The idea is the following: if I sent a packet with sequence number 1, 1,000 bytes in length, and it was successfully received here, the acknowledgement that was sent expects the next byte, which is 1001, and when I receive this acknowledgement I can double my congestion window size.
Our window size is now 2 MSS, or 2,000 bytes; we can send two packets of 1,000 bytes each in rapid succession, in total having 2,000 bytes in flight without acknowledgement. The sequence number of the first one is 1001 and the sequence number of the second one is 2001. When the server receives those two packets, it sends an acknowledgement back with the sequence number of the next expected byte, which is 3001, because the last byte it received had the number 3,000. When the client receives this acknowledgement it can again increase its window size exponentially: from 2 MSS we now jump to four, which is 4,000 bytes. In this example we also had the slow start threshold set to the same value of 4,000 bytes; in real systems this slow start threshold is actually pretty high, to allow a rapid increase of the sending rate. As a result, TCP will now transition to the next phase, which is called congestion avoidance. It is also often referred to as AIMD, additive increase multiplicative decrease, because we will now increase our window size linearly instead of exponentially, but on loss we will decrease it by a factor of two. So now that the window size is 4,000 bytes, we can send four packets of 1,000 bytes each in rapid succession: four packets with sequence numbers 3001, 4001, 5001 and 6001, 4,000 bytes total in flight without acknowledgement yet. Once the server receives all of those packets, it sends an acknowledgement for the next expected byte, which is 7001. When the client receives this acknowledgement it increases its window size linearly instead of exponentially, so it goes to 5 MSS instead of eight. A window size of 5,000 bytes allows us to send five packets in rapid succession; let's say the server again receives all of them successfully and sends an acknowledgement number for the next expected byte, which is 12001. Let's say our client receives this acknowledgement successfully; it again increases its window size linearly, from 5 MSS to 6 MSS, which allows it to send 6,000 bytes without receiving an acknowledgement. So we send the six packets, and one of them experiences loss: the packet with sequence number 15001 will not actually reach the server.
Let's take a step back and actually understand what packet loss is and why it happens. It's actually pretty rare for loss to happen because of a physical problem with the link; more often than not, packet loss occurs because there is congestion somewhere: there is some link somewhere where some router wants to send more packets than that link allows. Those packets get queued on the router, and because queues are not infinite, the excess packets get dropped; that's most often the case. Okay, so what happens if the server does not receive the packet with sequence number 15001, but it does receive the other two, 16001 and 17001? In this case the server sends an acknowledgement for the next expected byte which it didn't receive; the server didn't receive byte 15001, so this is the number that will be sent in the acknowledgement: "hey, I am still expecting the packet 15001 from you". Because it received the other packets, the server might also send this acknowledgement packet several times in a row; in this case it sends four of them, the original one and then three more duplicates. One of the TCP optimizations is that when three duplicate acknowledgements are received, the window size is decreased by a factor of two, so from 6 MSS to 3 MSS; that's why it's a multiplicative decrease. It will also immediately retransmit the lost packet as well as the ones after it, so it resends packets 15001, 16001 and 17001. You might ask why we have to resend 16001 and 17001; there is yet another optimization that appeared later called selective acknowledgement: as part of the acknowledgement, one side of the TCP connection can inform the other that it actually received the bytes from 16001 up to 18000, but in the original spec that wasn't the case, so if a particular packet is lost, we have to retransmit not only the lost packet but the packets after it as well, because TCP guarantees in-order delivery. Okay, so let's say in this case all those three packets were successfully sent; the server sends an acknowledgement with the next expected byte, which is 18001, and in this case the client doesn't have any more data, so it can send a packet with the FIN flag set. The server can reply with an acknowledgement and also a FIN if it wants to close the connection as well, and then the client has to finalize the connection with its own ACK.
There are several variations of this connection termination. One situation is when the connection is half-closed, so only one side closes the connection and then later the other side closes it; another variation is where both sides close it at the same time. That's TCP in a nutshell. There are many different implementations, and those are just a small fraction: the original was Tahoe, Reno was very popular for a really long time, there is Vegas, there is CUBIC, and I think CUBIC is currently the default on most Linux operating systems; there are some other implementations as well. If I remember correctly, one of the optimizations in TCP Reno, for example, was that when three duplicate acknowledgements are received, the window size is halved and the lost packet is immediately retransmitted. There are many, many more optimizations: there are things like sliding windows, there are different window growth functions, which is what happens in CUBIC, and there is adjustment for the expected bandwidth and round trip time, which was done in the Google implementation called BBR; there is much, much more. Okay, so what's the takeaway here? Well, TCP is one of the most popular protocols out there, and you need to know at least some fundamentals about it.
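To make the slow start and AIMD behaviour a bit more concrete, here is a toy, deliberately simplified Reno-style sketch of how the congestion window could evolve round trip by round trip; real implementations differ in many details.

```python
MSS = 1000  # bytes, matching the toy example above

def simulate(rtts_with_loss, cwnd=1, ssthresh=4):
    """Very rough Reno-style cwnd evolution, one step per round trip (units: MSS)."""
    history = []
    for rtt, loss in enumerate(rtts_with_loss, start=1):
        if loss:                           # three duplicate ACKs -> multiplicative decrease
            ssthresh = max(cwnd // 2, 1)
            cwnd = ssthresh
        elif cwnd < ssthresh:              # slow start: roughly doubles every round trip
            cwnd = min(cwnd * 2, ssthresh)
        else:                              # congestion avoidance: additive increase
            cwnd += 1
        history.append((rtt, cwnd, cwnd * MSS))
    return history

# Four clean round trips, then a loss, then two more clean ones.
for rtt, cwnd, in_flight in simulate([False] * 4 + [True] + [False] * 2):
    print(f"RTT {rtt}: cwnd = {cwnd} MSS ({in_flight} bytes allowed in flight)")
```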
If there are a lot of round trips and there is also high latency, this will decrease your maximum throughput: we have to wait for those acknowledgements, and the higher the latency, the longer we have to wait, which means the longer we cannot send more data. Another thing I wanted to mention: even though UDP doesn't have any reliability mechanism built in, you can still build a reliable protocol on top of UDP by implementing it at the application layer. Let's talk very briefly about TCP, TLS and HTTP. It's a very similar picture, but now we actually want to send an HTTP POST, for example, from the client to the server, and we also want to use TLS. How will that look? First we establish our TCP 3-way handshake, which takes one round trip time; we can discard this TCP ACK because right after we send it we can immediately send the next packet. In TLS 1.2 we need to spend two more round trips; there are four packets: client hello, then the server replies with its certificate and server hello, then there is the key exchange, and then the change cipher spec packets. Four packets in total, which together with the TCP handshake means three round trip times; if you have high latency this takes time, and only after all of this can we send our HTTP data. There are a lot of resources wasted on this, so there were many attempts to reduce this number of round trips and do something smarter; if possible you want to avoid as many round trips as you can. One of the optimizations was TLS 1.3, which changed this from a four-packet exchange to a two-packet exchange; we still needed to spend time on the TCP 3-way handshake, though. I want to point out that you really need to think about your round trip times: if you can use things like TLS 1.3, definitely do it; if you can bundle a bunch of operations into one, let's say you are talking to some API or database, please don't send a bunch of individual requests, bundle them together; if it's possible to put stuff into a single request, please do it, because otherwise you will spend a lot of time on round trips; and if you can reuse a connection, also do it, because otherwise you'll spend more round trips unnecessarily.
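As a small illustration of the reuse-the-connection advice, here is a Python sketch that pays for the TCP and TLS handshakes once and then sends several requests over the same connection; example.com is just a placeholder host.

```python
import http.client

# One TCP handshake + one TLS handshake, then several requests over the same connection,
# instead of paying those round trips again for every single request.
conn = http.client.HTTPSConnection("example.com", timeout=10)
for path in ("/", "/", "/"):
    conn.request("GET", path, headers={"Connection": "keep-alive"})
    response = conn.getresponse()
    response.read()                     # must drain the body before reusing the connection
    print(path, response.status)
conn.close()
```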
When your source and destination are very close to each other, let's say on a LAN, a local area network, where your latency will be less than 1 millisecond, a lot of these issues can be masked. If between the two hosts there is a WAN, a wide area network, the latency there can be unpredictable: it might be 5 milliseconds, it might be 60 milliseconds, it might be even higher. If you can put your source and destination very close to each other and there is a lot of exchange going on, you should probably do that. Anyway, let's go back to discussing HTTP. In HTTP 1.0 you couldn't really reuse a TCP connection, so for every new request you had to make a new TCP connection: you want to get your JavaScript, create a new TCP connection; you want to get your CSS, create another TCP connection. At some point what browsers started doing is opening multiple TCP connections in parallel to the same destination, so you would open multiple connections and request data in parallel; it's also important to understand that different connections will fight each other for resources. Then in HTTP 1.1 there was this attempt to have persistent connections, but there wasn't really true multiplexing built in, so you couldn't prioritize some things over others: if, let's say, you requested a big image and it takes a long time to load, while you could request your small GIF at the same time, until that image finishes downloading your small GIF will not get processed. There were a lot of implementation problems with how this protocol should actually work, and those persistent connections didn't really solve anything, so people were still relying on creating multiple connections in parallel, and browsers allowed that, though they limited it to, I think, up to six simultaneous connections or so. Then HTTP/2 came along, which grew out of Google's SPDY protocol, and it came with a lot of different optimizations: data compression, and reusing the same TCP connection while allowing data to be multiplexed, so while you request an image you can say "hey, can you also send me this JavaScript, and it's really important, can you get it to me right now because I need to render my page". So there were a lot of optimizations in HTTP/2, but it still suffered from some problems caused by TCP and TLS.
TCP is implemented in the kernel, and even though you could do this multiplexing, if you experience some packet loss the kernel will not hand the stream to your application, causing head-of-line blocking: if a packet was lost, you couldn't really start processing the bytes received after it. The second big problem was related to TLS: there was head-of-line blocking in TLS as well, due to cipher block chaining, or CBC mode, being used, where in order to decrypt the next block we actually need the previous block to be fully decrypted, and if you again experience packet loss you cannot do that. Another interesting thing is that since HTTP/2 uses a single TCP connection, TCP's AIMD algorithm hurts it even more than if you were using multiple TCP connections. So there was this new protocol, QUIC, invented to eliminate a lot of the problems of TCP and TLS, especially regarding head-of-line blocking. QUIC uses UDP underneath, not TCP; reliability is built into the protocol at the application layer itself. It combines a lot of ideas from HTTP/2 but is also free from the problems created by TCP and TLS, and it has additional optimizations. It still tries to be fair, so a single stream doesn't consume all the bandwidth of the link, and at the same time it has even more optimizations than TCP has. There are also interesting ideas like: if you already presented a certificate to me yesterday, why should I request the certificate again? And many, many other things. I would strongly encourage you to watch the re:Invent talk where the creator of the QUIC protocol explains this in much more detail; it's a really fascinating talk. Let's go back to our packet exchange between client and server and zoom in on the segment between the client and the router.
Now here we have a bunch of clients and our router, and between them we have layer 2 infrastructure. One of the most common protocols used there is called Ethernet, though there are also other layer 2 protocols, for example Wi-Fi, but here we will focus only on Ethernet. On layer 2 we also have the possibility to segment traffic into different broadcast domains using a technology called VLANs, and the standard for it is called 802.1Q. The idea behind it is that clients in one VLAN cannot send frames to clients in another VLAN: if a client sends a broadcast message, only the other clients in the same VLAN receive that broadcast message, and clients in other VLANs do not. In this case I have clients B, D and E in VLAN 20, and client A and client C are in VLAN 10, so if client B were to send a broadcast frame, it would reach client D and it would reach client E, but it would not reach client A or client C. On a switch you generally have two types of interfaces: access or trunk. A port towards a client will be an access port in some VLAN, so in this case we would configure access VLAN 20 here, and between switch 1 and switch 2 we would put a trunk, and maybe between the switch and the router we would also put a trunk. If client B sends any frame, let's say a broadcast frame, it will not carry this number 20; when switch 1 sends this frame towards switch 2, it adds an additional header, called the VLAN header or 802.1Q header, with VLAN 20 in it, so when switch 2 receives it, it knows that the frame belongs to VLAN 20 and it can send it only to clients in the same VLAN, in this case client E, and also to router 1, since it's a broadcast frame.
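Here is a rough sketch of that 4-byte 802.1Q tag insertion using Python's struct module; the MAC addresses and payload are placeholders.

```python
import struct

def add_dot1q_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MAC addresses."""
    dst_src = frame[:12]                              # 6 bytes dst MAC + 6 bytes src MAC
    rest = frame[12:]                                 # original EtherType + payload
    tpid = 0x8100                                     # "this frame carries a VLAN tag"
    tci = (priority << 13) | (vlan_id & 0x0FFF)       # 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
    return dst_src + struct.pack("!HH", tpid, tci) + rest

# A made-up untagged frame from client B; switch 1 tags it with VLAN 20 before the trunk.
untagged = b"\xee" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800) + b"payload"
tagged = add_dot1q_tag(untagged, vlan_id=20)
print(len(untagged), len(tagged))        # the tagged frame is exactly 4 bytes longer
```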
We already discussed the ARP protocol: when we send a broadcast frame, we put all Fs as the destination MAC address. By the way, a MAC address is a 48-bit number, and it's often represented as three groups of four hexadecimal digits. So let's say client B sends an ARP request asking for the IP address of client E: the destination MAC will be all Fs, and in this case the source MAC address of client B will be all Bs. What will switch 1 do with it? The usual behavior of a switch when it sees a broadcast frame is to flood it out of all interfaces in the same VLAN, or trunks allowing that VLAN. So in this case switch 1 will send it out of both trunks, and then switch 2 will also flood it to all ports in the same VLAN, like this. What about the link between switch 2 and switch 3? What would happen if switch 2 also flooded this frame to switch 3 over that trunk, and switch 3 also flooded this frame to switch 2? Well, those switches would again replicate the frame on all interfaces where that VLAN is allowed, so client E would receive the frame multiple times, but then switch 3 would also send it to switch 1, and you can see that the switches would keep replicating these frames, causing what is known as a broadcast storm. So why doesn't this happen? That's where another protocol comes into play, called spanning tree: layer 2 switches participate in the spanning tree protocol when they boot up, with the purpose of creating a spanning tree. Once this algorithm runs, one link in this triangle, for example between switch 2 and switch 3, will be blocked, essentially breaking the loop. This way, when client B sends a broadcast frame to switch 1, switch 1 sends it to switch 2, switch 2 floods it to client E and to router 1 but does not send it to switch 3 because that link is blocked; switch 1 also sends it to switch 3, and then switch 3 floods it to client D. Spanning tree ensures that there are no loops and that a broadcast storm cannot happen.
There are multiple variations of this protocol: there is per-VLAN spanning tree, there is rapid spanning tree, there is multiple spanning tree, but that is outside the scope of this video. What else happens on switch 1 when it receives the frame from client B with the all-Bs MAC address? Well, switches have a MAC address table, which is created on a per-VLAN basis; so, for example, there is a MAC address table for VLAN 20, and it records that the MAC address all Bs is on port GigabitEthernet0/1. There is also a MAC address table for VLAN 20 on switch 2, so when the broadcast frame from client B is received there, it also writes down on which port it saw this MAC address, in this case port GigabitEthernet0/2. Then client E receives this broadcast frame, and it's an ARP request for the IP address 10.1.2.30, so client E responds with its own MAC address, in this case all Es, destined to the all-Bs MAC address. When this happens, switch 2 also writes down client E's MAC address, in this case let's say on port GigabitEthernet0/1, and it looks at the destination MAC address of that frame: it is destined to the all-Bs MAC, and the switch knows which port that lives on, so it sends it out of GigabitEthernet0/2 back to switch 1. Then switch 1 also adds all Es to its MAC address table, on, let's say, port GigabitEthernet0/2 here as well, looks at the destination MAC address of this frame, which is destined for the all-Bs MAC address, finds it in its MAC address table on port GigabitEthernet0/1, and so this frame is sent back to client B.
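The learn-and-flood behaviour described above is easy to sketch in a few lines of Python; the port names are made up.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class ToySwitch:
    def __init__(self, ports):
        self.ports = ports
        # One MAC address table per VLAN: {vlan: {mac: port}}
        self.mac_table = defaultdict(dict)

    def receive(self, in_port, vlan, src_mac, dst_mac):
        # Learn: remember which port this source MAC was seen on, in this VLAN.
        self.mac_table[vlan][src_mac] = in_port
        # Forward: a known unicast goes out one port, unknown/broadcast is flooded
        # out of every other port in the same VLAN.
        out = self.mac_table[vlan].get(dst_mac)
        if dst_mac != BROADCAST and out is not None:
            return [out]
        return [p for p in self.ports if p != in_port]

sw = ToySwitch(["Gi0/1", "Gi0/2", "Gi0/3"])
print(sw.receive("Gi0/1", 20, "bb:bb:bb:bb:bb:bb", BROADCAST))            # flood: Gi0/2, Gi0/3
print(sw.receive("Gi0/2", 20, "ee:ee:ee:ee:ee:ee", "bb:bb:bb:bb:bb:bb"))  # known: Gi0/1 only
```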
Very often between a switch and a router there is a trunk, though it's not obligatory, and when that happens we usually configure subinterfaces on the router so that tagged frames can be sent on the same link. Okay, I hope this gave you some perspective on how layer 2 forwarding works. Let's take a look at this picture where several clients are connected to a switch and there is a router. The question is this: how does a client know its own IP address? Very often on servers we configure IP addresses statically, but on clients we very often use some kind of automatic mechanism to get an IP address, and there is this protocol called Dynamic Host Configuration Protocol, or DHCP, and there is a special exchange called DORA, four packets that allow us to configure an IP address on a client. When the client machine boots up and it has DHCP configured on that interface, it sends a broadcast message that reaches every host on this network, saying "hey, I would like to get an automatic IP address, can I get an IP address?". If there is a DHCP server, and in this case it's a separate device from router 1, it has DHCP configured with a pool, a netmask, a default gateway and a DNS IP address. The DHCP server keeps track of all the clients that requested IP addresses from it, and the client will get an available IP address from this pool range; the server sends this information back to the client in the offer message. So the first message was the discover, "hey, I need an IP address", and the DHCP server replies with this offer, which is actually also sent as a broadcast. Then the client goes "okay, great" and sends a DHCP request, confirming "hey, I would like to use this IP address that you offered", and then the DHCP server can acknowledge it with an acknowledgement message. This finishes the DHCP configuration, and the client now knows its IP address, its default gateway, and the DNS IP address, the address of the domain name server.
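Here is a toy sketch of the bookkeeping half of a DHCP server, tracking leases and handing out free addresses from a pool. It only models the lease table, not the actual DORA packets, and the gateway and DNS addresses are placeholders.

```python
import ipaddress

class ToyDhcpServer:
    """Toy lease bookkeeping only -- real DHCP also does the DORA packet exchange."""
    def __init__(self, pool_cidr, gateway, dns):
        net = ipaddress.ip_network(pool_cidr)
        self.free = [str(ip) for ip in net.hosts()][99:]   # keep low addresses for routers etc.
        self.leases = {}                                   # client MAC -> offered IP
        self.gateway, self.dns, self.netmask = gateway, dns, str(net.netmask)

    def offer(self, client_mac):
        if client_mac not in self.leases:                  # same client keeps the same address
            self.leases[client_mac] = self.free.pop(0)
        return {"ip": self.leases[client_mac], "netmask": self.netmask,
                "gateway": self.gateway, "dns": self.dns}

server = ToyDhcpServer("10.1.1.0/24", gateway="10.1.1.1", dns="10.1.1.53")
print(server.offer("bb:bb:bb:bb:bb:bb"))
# {'ip': '10.1.1.100', 'netmask': '255.255.255.0', 'gateway': '10.1.1.1', 'dns': '10.1.1.53'}
```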
So let's try to understand how DNS works. In this next scenario our client 10.1.1.100 wants to find out the IP address of aws.amazon.com, which is over here, so we need to resolve aws.amazon.com to this IP address, 18.244.129.231. How do we do that? We just learned that the client will have the IP address of a DNS server, either from the DHCP server or statically configured, so it knows the IP address of the DNS server. There are different types of records in DNS; DNS is a database which has mappings of domain names to IP addresses, and vice versa, plus some extra information. One of the main record types is the A record, which contains exactly that, so there will be an A entry mapping aws.amazon.com, let's say, to an IP address. Now, when the client wants to get that IP address, it sends a DNS A record request to the DNS server. When this DNS server receives the query, it tries to get the answer from an authoritative source. The first thing this DNS server does is reach out to a root name server: there are 13 of them, with well-known IP addresses that are usually baked directly into the software; in this case it is a.root-servers.net with this IP address, and the DNS server already knows this address because it is one of those well-known IP addresses. So it asks the root name server "hey, what is the authoritative name server for .com?", and the root name server replies with the domain name of a .com name server, in this case a.gtld-servers.net, also called a TLD name server, a top-level-domain name server. It replies with both the domain name record and the IP address in the additional section; this is what's called a glue record, but let's not go into those details. So it replies with both a.gtld-servers.net and the IP address of that name server. Then the DNS server queries the TLD name server, "hey, give me the authoritative name server for amazon.com", and again the TLD name server replies with both the domain name of the name server for amazon.com, which is ns1.amzndns.com, as well as its IP address in the additional section. And then, lastly, the DNS server queries that authoritative name server, "hey, could you please give me the A record for aws.amazon.com", and the authoritative server gives us the IP address.
Now, once we have this IP address over here, we reply to the original client with it, so now the client, using this process, knows that aws.amazon.com has a mapping to this public IP address. I also have a Linux server here, and using the dig command you can look into these details: if I run dig with +trace, an additional option, for the same name, I will see a number of DNS queries; in this case the whole DNS resolution is done by my own machine. We have an entry for the root servers, then we query for .com and we get the gTLD name servers, and in the additional section we receive their IP addresses; then we query for the name servers for amazon.com, which is this one, and in the additional section we also have an IP address (by the way, with quad-A, or AAAA, records we get IPv6 addresses); and then lastly we query the amazon.com name server to get an IP address for aws.amazon.com. In this case it replies with a CNAME, which you can just think of as an alternative name, and if I, let's say, just run dig on that at the very end, I will receive an IP address.
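From an application's point of view all of this is hidden behind a single call to the stub resolver; a minimal Python sketch:

```python
import socket

# The application just asks the stub resolver; the recursive DNS server learned from DHCP
# does the walk through root, TLD and authoritative name servers shown above.
for family, _, _, _, sockaddr in socket.getaddrinfo("aws.amazon.com", 443,
                                                    proto=socket.IPPROTO_TCP):
    label = "AAAA (IPv6)" if family == socket.AF_INET6 else "A (IPv4)"
    print(label, sockaddr[0])
```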
Okay, cool, so this is DNS. DNS is actually quite a complex topic on its own, and it's really important that you understand DNS regardless of whether you're on premises or on AWS, or even if you're an application developer, because there are many, many problems associated with DNS that can happen in your environment. All right, let's cover the next part. As I already mentioned, two different hosts on an IP network need to have different IP addresses. I also mentioned that an IP address is a 32-bit number, which means the maximum number of IP addresses is around 4 billion. It was very clear from the beginning that we would exhaust all the available IP space, so there were several ideas for how to slow down this IP exhaustion problem: one of them is having some IP space reserved for special use, another one is network address translation, or NAT, which allows converting many IP addresses into one. Now, here I have only a few of those reserved ranges, the ones you will also see on AWS, which is why I wanted to cover them. The most well-known is the RFC 1918 range, IP space reserved for private use: those are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Another range was originally reserved for carrier-grade NAT but can also be used for some other purposes, and it is also not routed on the internet: this is 100.64.0.0/10. And lastly there is the link-local IP range, 169.254.0.0/16, which should only be significant on a link; this range is also used by some services on AWS inside of a VPC. Now, all of these IP ranges are not routed on the public internet, and especially those first three: they are very popular private IP ranges that are used within your own networks and within your own organization.
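A quick way to check which bucket an address falls into, using Python's ipaddress module:

```python
import ipaddress

reserved = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "Carrier-grade NAT": ["100.64.0.0/10"],
    "Link-local":        ["169.254.0.0/16"],
}

def classify(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, ranges in reserved.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "(probably) publicly routable"

print(classify("10.1.1.100"))       # RFC 1918 private
print(classify("169.254.169.254"))  # Link-local -- you will meet this one on AWS
print(classify("18.244.129.231"))   # (probably) publicly routable
```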
It's very likely that if you're watching this at home or at work, your computer or your phone has an IP address from one of these three ranges. Let's first understand how we route on the internet with public IPs, and then we will take a look at network address translation. So first, how does the internet work? The routing protocol that is used on the internet is called BGP, or Border Gateway Protocol. It's a highly scalable routing protocol, and it was invented because the other routing protocols I already mentioned, which are mostly used internally within organizations, like OSPF, couldn't work at internet scale. There are many routers on the internet which exchange public IP prefixes, and unlike your own private organization, the internet is always in flux: there are links going down, there are new prefixes being advertised from new places, and we need a routing protocol which can support this constant churn. BGP does that, and the whole internet runs on this routing protocol. Now, because we are talking about this huge internet scale, with thousands and thousands of routers and public IP ranges, at this scale we needed to think not about the individual routers that our traffic passes through, but about the whole organizations that the traffic goes through; that's where the term autonomous system was invented. I looked up the definition and it didn't really help me explain this term better: you can think of an autonomous system as the network boundary of an organization which has its own set of IP prefixes and its own routing policy. Then there is the autonomous system number, an identifier of your organization's autonomous system on the public internet, which is assigned to you by a central entity. Let's say we have this company Acme, which has ASN 456 assigned to it. Within this organization we use some private IP space, in this case 10.1.0.0/16, to assign IP addresses to all of the IP hosts: to clients, to servers, to routers, etc. Now, this organization also owns the IP space 209.165.200.0/24, which it advertises to its neighboring service providers, ISP1 and ISP2; those ISPs have their own AS numbers assigned to them, in this case 100 and 200.
There is also an Amazon network here, which for this example has ASN 7224. Amazon owns many IP addresses, but for this example let's say it owns the IP range 18.244.128.0/23; inside of this range we have the IP address of that HTTP server, aws.amazon.com, which we resolved using DNS before. Amazon will advertise its own range to its neighbors, to ISP1's router 5 and to ISP2's router 9, and then the Acme organization, since it owns the 209 range, will also advertise it to router 5 and router 9. BGP as a routing protocol has many different attributes that can influence which path we select. After we advertise our BGP prefixes to our neighbors, ISP1 and ISP2 will advertise these prefixes to their own peers, to each other in this case, and to Amazon; eventually these prefixes will propagate from Amazon to Acme and from Acme to Amazon. This is how it will look: there is the BGP routing table, it has this prefix from Amazon, and it can go via router 9 and then via this router, or it can go via this router. One additional attribute here is the AS path. The idea behind the AS path is that every time a BGP advertisement passes through some autonomous system, that AS adds its number to the list. So in this case this advertisement was originated from AS number 7224, then it went through router 9, which is AS 200, and then it arrived at company Acme; through router 5 we see something similar, but it originates from 7224 and then goes through AS number 100. Amazon will see something similar: in its case the BGP advertisement was originated by ASN 456, and then router 5 will add AS number 100 and router 9 will add AS number 200.
router 9 will add as number 200 bgp uses what's called bestp pass selection algorithm to compare different attributes in specific order and select the bestp pass and I will very briefly cover only two so the first one is called local preference now local preference is almost at the top of the bgp P pass selection algorithm and it's a number where the higher number is better and using this higher number we can prefer one root over another and usually we use local preference to select exit point for our own network so from London Edge perspective if
on an incoming bgp advertisement so on this bgp advertisement coming to London Edge this London Edge router will set that local preference coming from router 5 is 200 and the local preference for a route coming from router 9 is 100 then 200 will win so this way we can prefer router five is our exit Point local preference is often used for outbound now what if company amme really wanted to make sure that inbound the traffic prefers coming via router 9 so that's where we can manipulate this ASP pass attribute and in terms of ASP pass
we compare the lengths how many of as is with RSE and what London Edge can do when it does this bgp advertisement if you want to make router 9 preferred as a inbound towards other routers we can increase as pass lengths by putting our number several time by default we will add our ASN number only once but we can add actually add it multiple times and this is called as pass prepending towards router 5 we can append our as number three times and towards router 9 you'll only do it once like a normal way of
operation so this way when Amazon will receive this prefix from router 5 it will have this longer as pass and from router 9 it will have shorter as Pass unless we change something else it should prefer router 9 as an exit point however asass is much lower in the algorithm than let's say local preference so in this case Amazon Network could technically apply local preference to still prefer router 5 regardless of as+ lengths now there is this another technique called Community string some arbitrary number assigned to a bgp advertisement and there are some well-known Community
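A toy comparison of just these two attributes, higher local preference first and then shorter AS path, might look like this; the real best path algorithm has many more steps in a fixed order.

```python
def best_path(candidates):
    # Toy BGP decision: prefer the highest local preference, then the shortest AS path.
    # (The real best-path algorithm compares many more attributes in a fixed order.)
    return max(candidates, key=lambda r: (r["local_pref"], -len(r["as_path"])))

# Acme's 209.165.200.0/24 as seen by the Amazon network, with AS path prepending
# applied towards router 5 (AS path 100 456 456 456):
candidates = [
    {"via": "router 5", "local_pref": 100, "as_path": [100, 456, 456, 456]},
    {"via": "router 9", "local_pref": 100, "as_path": [200, 456]},
]
print(best_path(candidates)["via"])   # router 9 -- shorter AS path wins

# ...unless the operator overrides it with a higher local preference on router 5:
candidates[0]["local_pref"] = 200
print(best_path(candidates)["via"])   # router 5 -- local preference beats AS path length
```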
Now there is this other technique called a community string: an arbitrary number attached to a BGP advertisement. There are some well-known community strings and there are also custom ones, and the idea is very similar to how you use tags in other places; for example, you can have a tag like environment=production or environment=development. In BGP what you can say is: if you send me a community string, let's say 1:1, I can predefine my own set of community values that mean something to me, and then my network will automatically do something. Many service providers have their own set of defined community strings which mean something to them: as a service provider you can say "if you send me the community value 1:1, my router will apply local preference 1,000, and if you send me another value, let's say 1:2, I will apply local preference 500". So this way you can send a tag to me to influence how I send traffic to you; it's a very powerful technique. The reason I mention this much detail about BGP is that if you want to connect to your on-premises network using technologies like AWS Site-to-Site VPN or Direct Connect, these will be the mechanisms you can use to influence outbound and inbound traffic. As the end result of this BGP advertisement, London Edge will install a route towards 18.244.128.0/23 via, let's say, router 5, and the Amazon router will install a route for 209.165.200.0/24 in its routing table via some neighbor as well. Okay, great, so now the border router in the Acme company knows about the Amazon prefixes and the Amazon border router knows about the Acme company prefixes. That's great.
Okay, but how do we actually route from our client, which has the IP address 10.1.1.100, to this Amazon web server, which appears on the internet with this public IP address but actually has some other private IP address that we don't even know about, let's say 10.1.1.1 in this case? We want to communicate from this client to this server over the internet, and on the internet we must communicate with public IP addresses, but both the client and the server have private IP addresses, so what do we do? We want to connect to this public IP address, so we use the local routing table and the default gateway to send this traffic to router 1. Now, using some mechanism, this border router, London Edge, can propagate the route it learned from Amazon through its own network, so router 1 will know that it needs to send the packet to London Edge, and then, as we discussed, London Edge will want to use router 5 as the next destination. Okay, but what do we do about this private IP address? Because this IP address will appear as the source IP in the IP header. That's where many-to-one NAT comes into play, also known as PAT, or port address translation. The idea behind PAT is that you can take many IP addresses and translate them into one: in this case we'll translate all of our private IP range into the single public IP address 209.165.200.100. We also have to keep track of every flow, so that for return packets we can translate them back to our host. So in this case, let's say the source port that was selected by the client was 45234: this border router will take the source IP and source port and translate them to this public IP that it owns and some other port that it has free, and what will happen is that we actually change the source IP address in the IP header of this packet. Now we have a public IP address, so we can send the packet to router 5, then router 5 can send it to this router, and then maybe it can even send it to this other router. Okay, but how do we translate this public destination IP address to this private IP address, 10.1.1.1? That's where another type of NAT comes into play, which is one-to-one NAT, and compared to the previous one, this one is stateless.
In this case we configure, on some router, a translation of 18.244.129.231 to the IP address 10.1.1.1. We don't have to keep track of connections, because this is one-to-one: whenever we see one IP address, we can convert it to the other. We change the destination IP in the header to this private IP, and then the packet arrives at the server. Now the server can reply: the source IP address will be 10.1.1.1 and the destination IP address will be the client's public IP address. When this packet arrives at this router over here, it will again see that it has this one-to-one NAT translation and it will convert the source back to 18.244.129.231, so this packet can now traverse the internet: it can go here, and it can come back to this London Edge device. On this London Edge device we keep track of this connection, so we know that there is some return traffic coming to this IP address and this port, and that we should translate it back to this private IP and this port; that's what that router will do, it changes the destination IP address back to the private IP address, and now the packet can traverse our network. So the things you need to remember are that one-to-one NAT is stateless, but PAT is stateful, and routers need to keep track of connections in order to do that.
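Here is a toy sketch of such a stateful PAT table, keyed by the original source IP and port and reused in reverse for return traffic; the public IP and port numbers are the ones from this example, the code itself is just an illustration.

```python
import itertools

class ToyPat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = itertools.count(20000)      # arbitrary starting public port
        self.outbound = {}                           # (private ip, port) -> public port
        self.inbound = {}                            # public port -> (private ip, port)

    def translate_out(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.outbound:                 # stateful: remember every flow
            public_port = next(self.next_port)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port):
        return self.inbound[dst_port]                # map return traffic back to the host

pat = ToyPat("209.165.200.100")
public = pat.translate_out("10.1.1.100", 45234)
print(public)                                        # ('209.165.200.100', 20000)
print(pat.translate_in(public[1]))                   # ('10.1.1.100', 45234)
```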
Now, in my next video you will see how these concepts translate directly into the abstractions provided by the Amazon VPC. There is one other topic that I want to explain very briefly, and that is VPN, or virtual private network. The idea behind a VPN is to create an overlay network on top of some existing underlay network and extend it to a remote network or host. Now, VPN doesn't implicitly mean that it must be encrypted, but using something like an IPsec VPN we can actually encrypt the traffic on this overlay. There are two main types of encrypted VPN that are commonly used. One of them is called site-to-site VPN: the idea behind a site-to-site VPN is to connect two remote networks to each other. The other common type of encrypted VPN is called remote access VPN: this type of VPN allows a particular host to connect to a network in a secure manner, so for example if you use something like the Cisco AnyConnect or OpenVPN client, you can VPN into some remote network and appear as if you are part of it. Okay, so very briefly, let me show you how this could work. Let's say this company Acme actually has a remote location in Frankfurt over here: the main office in London is connected to the internet, and that remote location is also connected to the internet. On top of the insecure underlay internet infrastructure we establish secure communication between London Edge and Frankfurt Edge; the tunnel can then appear as yet another interface on the router, we can run some routing protocol on top of it, and as a result London Edge will learn about a route to the remote location, let's say this one, and the Frankfurt Edge router will learn about our head office IP space, also via the tunnel. Let's also take a look at the packet exchange for IPsec VPN. In this case I have router 1 and router 2. In order to establish a site-to-site IPsec VPN, a protocol called IKE, or Internet Key Exchange, is usually used, and there are two versions of it, IKEv1 and IKEv2. With IKEv1 you will also sometimes hear the protocol called ISAKMP. IKE version 1 is broken down into two phases, phase 1 and phase 2: phase 1 can be done in main mode, which has six packets, or aggressive mode, which has three packets, and then in phase 2 there is a three-packet exchange which is called quick mode. The idea of phase 1 is to establish a secure management channel first, and then on top of that management channel we establish the phase 2 security associations, or SAs, which are the tunnels allowing us to send encrypted data.
Now, for all of these nine packets, source and destination port UDP 500 will be used; packets 5 and 6 of main mode will already be encrypted, as well as all packets of quick mode. After we are done with all of this, and after the phase 2 SA comes up, we can start encrypting our data, and we will encapsulate our packets into a protocol called ESP; this is not TCP or UDP, this is yet another protocol. So let's say our original packet is this: we have an IP header, a TCP header and then the TCP data, which will be an HTTP header and HTTP data, let's say. We add an ESP header and an ESP trailer, we also have ESP authentication, and then we add a new IP header where the source IP will now be router 1's IP and the destination will be router 2's IP. All of this will be encrypted, so we will actually not be able to see those inner IP addresses or the data at all; this way we can securely send packets even over an insecure communication channel like the internet. Sometimes between router 1 and router 2 there is NAT, or network address translation. This NAT can be detected using a feature called NAT traversal; both sides need to support it, and the fact that NAT is being used is detected in packets 3 and 4. What happens from the MM5 packet onwards is that we transition to using UDP 4500: we use UDP 4500 not only for the MM5 and MM6 messages but also for quick mode and even for the ESP-encrypted packets. So we take the ESP packet and add an additional UDP header, so the ESP packets are encapsulated in UDP, and this is done because NAT devices cannot work with ESP directly. This is actually quite important in the cloud: if you put a virtual router on AWS, public IPs are not assigned directly on the instances and there is NAT being used, so that communication will actually use UDP 500 and UDP 4500. An IPsec VPN without NAT in the middle will use UDP 500 for phase 1 and phase 2, but then plain ESP will be used for the data. So remember: if NAT-T is used, then instead of UDP 500 plus ESP you'll be using UDP 500 and UDP 4500, and you need to make sure that your firewall allows that traffic.
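As a rough byte-layout sketch of that NAT-T encapsulation: the already encrypted ESP packet, which starts with an SPI and a sequence number, simply gets wrapped in a UDP header on port 4500; the SPI and payload below are placeholders.

```python
import struct

def nat_t_encapsulate(esp_packet: bytes, src_port: int = 4500, dst_port: int = 4500) -> bytes:
    """Wrap an ESP packet in a UDP header (NAT traversal), so NAT devices can handle it."""
    length = 8 + len(esp_packet)                      # UDP header is 8 bytes
    checksum = 0                                      # commonly zero for UDP-encapsulated ESP
    udp_header = struct.pack("!HHHH", src_port, dst_port, length, checksum)
    return udp_header + esp_packet

# A fake ESP packet: 4-byte SPI + 4-byte sequence number + encrypted payload (placeholders).
esp = struct.pack("!II", 0xDEADBEEF, 1) + b"<encrypted payload + trailer + auth>"
packet = nat_t_encapsulate(esp)
print(len(packet), packet[:8].hex())                  # UDP 4500 -> 4500 wrapped around the ESP packet
```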
There are many advancements in IKEv2: it's considered to be much more secure, and there is only a four-packet exchange to establish the SAs. There are two messages called IKE_SA_INIT request and response, and then there are the IKE_AUTH request and response, and after that we can send our encrypted data. If possible, always use IKEv2; it's a much more secure protocol with many advancements. All right, that was VPN, and that was quite a lot. I think I covered everything I wanted, but honestly I don't know how I did: was it too long and did I bore you with so many details, or maybe, vice versa, did you really want me to cover these topics in much more detail than I did? Let me know what you think in the comments. Thank you, and until next time.