You're reading from AWS Certified Database – Specialty (DBS-C01) Certification Guide

Product type: Book
Published in: May 2022
Publisher: Packt
ISBN-13: 9781803243108
Edition: 1st Edition
Author: Kate Gawron

Kate Gawron is a full-time senior database consultant and part-time future racing driver. She was a competitor in Formula Woman, and she aspires to become a professional Gran Turismo (GT) racing driver. Away from the racetrack, Kate has worked with Oracle databases for 18 years and AWS for five years. She holds four AWS certifications, including the AWS Certified Database – Specialty certification as well as two professional Oracle qualifications. Kate currently works as a senior database architect, where she works with customers to migrate and refactor their databases to work optimally within the AWS cloud.

Chapter 3: Understanding AWS Infrastructure

After learning about the different types of database engines you need to know for the AWS Certified Database – Specialty exam, it's time to start learning AWS specifics, starting with AWS infrastructure. It's important that you know the basics of how AWS works and the key components involved, as they come up in the exam both as direct questions about how to configure the cloud infrastructure to host a database, and indirectly in troubleshooting or access issues, which are often infrastructure-related.

Infrastructure refers to underlying services that support your database. Even the simplest of database deployments require servers, networking, firewalls, security controls, and storage. In this chapter, we are going to explore how AWS implements these components and how you can configure and build your own. We will have a mixture of theory, explaining...

Technical requirements

You will require an AWS account with root access. Everything we will do in this chapter is available in the Free Tier, which means you can run all the example code without spending any money as long as your account was opened within the last 12 months. You will also require AWS command-line interface (CLI) access. The AWS guide (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) explains the steps required, but we will summarize them here:

  1. Open an AWS account if you have not already done so.
  2. Download the latest version of the AWS CLI from here: https://docs.aws.amazon.com/cli/latest/userguide/welcome-versions.html#welcome-versions-v2.
  3. Create an admin user: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html.
  4. Create an access key for your administration user: https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html#getting-started_create-admin-group...

Virtual private cloud overview

A VPC is a part of the AWS cloud infrastructure that is logically isolated for your sole use. You can think of it as your own virtual data center running in AWS.

Logically means that the underlying servers and networking components that you use may be shared with other customers, similar to how you can run virtual machines on-premises. For example, you will not have your own network connections or physical servers, but you will have complete control over your virtual network configuration and server deployments.

Isolated means a VPC is fully controlled by you, and by only you and those to whom you grant access. Within the VPC, the only objects that exist are the ones that you deploy.

Before we get hands-on with the AWS Console, it's important to understand some of the terms AWS uses to describe its infrastructure. The highest level of AWS infrastructure is called a Region. A region is a collection of data centers that are located geographically...

VPC networking

One of the most critical areas within a VPC is networking. The network settings control which systems can talk to others, whether a server can connect to the internet or not, and greatly enhance the security of your systems by limiting access to only the parts that a user requires. The first area of a VPC network we will learn about is subnets.

Subnets

Subnets are used to logically divide your VPC network into smaller chunks that you can then control separately. When you first create a VPC, you are required to give it a network IP range (a classless inter-domain routing (CIDR) block), such as 192.168.0.1/16 (this would give you 65,536 IP addresses). You can then create subnets to split this very large IP range into different segments. Subnets are typically split into private and public subnets. A private subnet will not allow traffic from the internet to reach it, so it is a useful place to put things such as a database that will only talk to the application and not...
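To make the CIDR arithmetic concrete, here is an added example (not code from the book) that carves a VPC block into one public and one private subnet per Availability Zone and reports how many addresses each subnet really offers. It uses only the Python standard library; the VPC range and AZ names are constructed inputs, and the "5 reserved addresses per subnet" rule is AWS's documented behaviour (the first four and the last address of every subnet cannot be assigned).

```python
"""Subnet planning for a VPC CIDR block, using only the Python standard library.

Added example, not code from the book. The VPC range and AZ names are
constructed inputs; AWS reserves the first four and the last address of
every subnet, which is why usable counts are 5 lower than the block size.
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, reserved, broadcast
LARGEST_AWS_SUBNET = 16       # AWS allows subnet sizes from /16 ...
SMALLEST_AWS_SUBNET = 28      # ... down to /28


def address_count(cidr: str) -> int:
    """Total addresses in a CIDR block, e.g. 65536 for a /16."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def usable_addresses(cidr: str) -> int:
    """Addresses you can actually assign inside an AWS subnet of this size."""
    return max(address_count(cidr) - AWS_RESERVED_PER_SUBNET, 0)


def plan_subnets(vpc_cidr: str, azs, new_prefix: int = 24):
    """Carve one public and one private subnet per AZ out of the VPC block.

    Blocks are handed out in order (all public subnets first, then private),
    so the plan is deterministic and the resulting subnets never overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)  # tolerate host bits set
    if not LARGEST_AWS_SUBNET <= new_prefix <= SMALLEST_AWS_SUBNET:
        raise ValueError("AWS subnets must be between /16 and /28")
    if new_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    blocks = vpc.subnets(new_prefix=new_prefix)
    plan = []
    for tier in ("public", "private"):
        for az in azs:
            try:
                block = next(blocks)
            except StopIteration:
                raise ValueError("VPC block too small for the requested subnets")
            plan.append({
                "name": f"{tier}-{az}",
                "tier": tier,
                "az": az,
                "cidr": str(block),
                "usable": usable_addresses(str(block)),
            })
    return plan


def overlapping_subnets(plan):
    """Return pairs of subnet names whose CIDRs overlap (should be empty)."""
    nets = [(s["name"], ipaddress.ip_network(s["cidr"])) for s in plan]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    # Constructed input: the book's example VPC range across two London AZs.
    for subnet in plan_subnets("192.168.0.1/16", ["eu-west-2a", "eu-west-2b"]):
        print(f"{subnet['name']:<20} {subnet['cidr']:<18} usable={subnet['usable']}")
```

Running it prints four /24 subnets (192.168.0.0/24 through 192.168.3.0/24) with 251 usable addresses each; passing a /29 or a prefix no longer than the VPC's raises a ValueError, which mirrors what the AWS API would reject.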

Introducing AWS identity and access management

Identity and access management (IAM) is a service that controls users, roles, and access mechanisms for all your AWS services. Security groups secure services at the VPC resource or instance level; IAM secures services at the account level.

IAM has three main areas, called identities:

  • Users: A user is a person who needs to access your AWS services. You can grant a user permission to control what they can and cannot access.
  • Groups: A group is a collection of users who will have the same permissions. This is often used to make administration easier.
  • Roles: A role is used to define a set of permissions and who can use it. However, it is not assigned directly to a person or a service; rather, a service or person can assume it when needed. Role credentials are temporary and, therefore, offer greater protection than granting permanent permissions via groups or users.

To define the access controls, which you will then give...
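Whether a permission set is attached to a user, a group, or a role, it is expressed as a JSON policy document, and the most common mistake is granting far more than the database workload needs. The following added example (not code from the book or AWS) is a small least-privilege linter: it takes a policy document and flags the Allow statements that use wildcard actions, `Resource: "*"` with no condition, or unrestricted `iam:PassRole`. Both policy documents are constructed samples; the account id and DB instance name are placeholders.

```python
"""Least-privilege linter for IAM identity policies.

Added example, not from the book. The two policy documents are constructed
samples: the account id 123456789012 and the instance name "example-db"
are placeholders, not real resources.
"""
import json

# A narrowly scoped policy: one read-only action on one named RDS instance.
READ_ONLY_RDS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeOneInstance",
            "Effect": "Allow",
            "Action": ["rds:DescribeDBInstances"],
            "Resource": "arn:aws:rds:eu-west-2:123456789012:db:example-db",
        }
    ],
}

# The kind of policy that gets attached to a user "just to make it work".
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return one human-readable finding per over-broad Allow statement."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything except a list; prefer an explicit Action list")
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"{sid}: wildcard action(s) {wild}; list the specific API calls needed")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' with no Condition; scope to ARNs or add a condition key")
        if any(a.lower() == "iam:passrole" for a in actions) and "*" in resources:
            findings.append(f"{sid}: iam:PassRole on every role; restrict to the role ARNs this principal may pass")
    return findings


def lint_policy_json(document: str) -> list:
    """Convenience wrapper for a policy held as JSON text, as the CLI and Console return it."""
    return lint_policy(json.loads(document))


if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_RDS_POLICY), ("broad", OVERLY_BROAD_POLICY)):
        print(name, "->", lint_policy(policy) or ["no findings"])
```

The read-only policy produces no findings; the broad one produces four (a wildcard action and an unconditioned `*` resource on the first statement, and an unconditioned `*` resource plus unrestricted `iam:PassRole` on the second). The same checks apply to the permissions policy on a role, which is where the "temporary credentials" benefit of roles only helps if the role itself is narrowly scoped.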

Building a VPC

In the Virtual Private Cloud overview section, we learned what a typical VPC looks like with private and public subnets and two AZs. We are now going to build this VPC using both the AWS Console and the AWS Command-Line Interface (awscli). If you have not yet created an AWS Account or configured awscli, please follow the steps in the Technical requirements section of this chapter before continuing.

Using the AWS Console

We are going to deploy a VPC using the AWS Console first. The tasks you will complete are as follows:

  • Creating the VPC
  • Creating the subnets
  • Creating the gateways
  • Editing the route tables

Now navigate to the AWS Console: console.aws.com.

Creating the VPC

Follow the given steps to create the VPC:

  1. Log in to the AWS Console using the account you created earlier (or using an existing one) and check your region at the top right of the console home page. We will be using eu-west-2 during this lab, but you are free...

Summary

In this chapter, we learned about how the AWS infrastructure is organized into regions and availability zones and how a VPC gives you an area of AWS infrastructure that is yours to control and configure. We also learned about the different components of a VPC, such as subnets, gateways, and route tables, and we finished by creating VPCs using the AWS Console and awscli.

VPCs are the starting point for any deployments you make within AWS and knowing how they work is critical to be able to successfully deploy, configure, and maintain databases on AWS. Also, during the AWS Certified Database – Specialty exam, your knowledge of VPCs will be tested with questions about troubleshooting access or security problems caused by placing a database into a public subnet.

In the next chapter, we will learn about AWS RDS, and the knowledge we've gained during this chapter about VPCs will be reused in the rest of this book.

Cheat sheet

  • AWS infrastructure consists of regions and availability zones.
  • A VPC is an area of AWS infrastructure that you can control and configure. You deploy this VPC in a region and across AZs.
  • Within the VPC are subnets, internet gateways, route tables, and security groups that control security, access, and routes to the internet.
  • Subnets can be private, where there is no direct access to them or their contents from outside the VPC, or public, where they can be accessed directly from the internet and their contents have public IP addresses.
  • Security groups are logical groups that help define access routes between different components within a VPC. They can be used to limit access to databases from application servers only, and to limit that access to specific ports.
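The cheat sheet's last two points, and the troubleshooting scenario the summary mentions (a database placed in the wrong subnet, or unable to reach the internet for updates), can be checked mechanically. The following added example, not code from the book, models a VPC's route tables and security groups as plain Python data and answers three questions: where does a packet to a given address go (longest-prefix match, as the VPC router does), is a subnet public by AWS's definition (its route table sends 0.0.0.0/0 to an internet gateway), and does a security group open a database port to the whole internet? All ids, CIDRs and rules are constructed sample data with placeholder names, shaped only loosely like `describe-route-tables` and `describe-security-groups` output.

```python
"""Route table and security group checks for a VPC.

Added example, not from the book. Every id, CIDR and rule below is
constructed sample data with placeholder names; nothing is a real account.
"""
import ipaddress

VPC_CIDR = "192.168.0.0/16"

# One route table per subnet tier. "rtb-no-default" is the situation in the
# chapter's first review question: gateways exist, but no route sends traffic
# to them, so the database cannot reach the internet for updates.
ROUTE_TABLES = {
    "rtb-public": [
        {"destination": VPC_CIDR, "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-example"},
    ],
    "rtb-private": [
        {"destination": VPC_CIDR, "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-example"},
    ],
    "rtb-no-default": [
        {"destination": VPC_CIDR, "target": "local"},
    ],
}

# Ingress rules; "source" is either a CIDR or another security group's id.
SECURITY_GROUPS = {
    "sg-db-good": [
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "sg-app"},
    ],
    "sg-db-bad": [
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "0.0.0.0/0"},
    ],
}

DB_PORTS = {"postgres": 5432, "mysql": 3306, "oracle": 1521, "sqlserver": 1433}
PUBLIC_TEST_IP = "198.51.100.10"  # documentation range, stands in for an update server


def resolve_route(routes, destination_ip: str):
    """Longest-prefix match as the VPC router does; None means no route (dropped)."""
    ip = ipaddress.ip_address(destination_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["target"])
    return best[1] if best else None


def subnet_is_public(routes) -> bool:
    """AWS's definition: the subnet's route table sends 0.0.0.0/0 to an internet gateway."""
    return any(r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-") for r in routes)


def can_reach_internet(routes, ip: str = PUBLIC_TEST_IP) -> bool:
    """True if traffic to a public address leaves via an internet or NAT gateway."""
    target = resolve_route(routes, ip)
    return target is not None and target.startswith(("igw-", "nat-"))


def _is_everyone(source: str) -> bool:
    return source in ("0.0.0.0/0", "::/0")


def exposed_db_ports(ingress_rules) -> list:
    """Database ports that the security group opens to the whole internet."""
    exposed = []
    for name, port in DB_PORTS.items():
        for rule in ingress_rules:
            # protocol "-1" is "all traffic" in AWS and carries no port range
            port_hit = rule["protocol"] == "-1" or (
                rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"])
            if port_hit and _is_everyone(rule["source"]):
                exposed.append((name, port))
                break
    return exposed


def db_placement_findings(routes, ingress_rules) -> list:
    """Findings for a database sitting in a subnet with these routes and this security group."""
    findings = []
    if subnet_is_public(routes):
        findings.append("database subnet is public (default route to an internet gateway)")
    if not can_reach_internet(routes):
        findings.append("no default route via a NAT or internet gateway: outbound updates will fail")
    for name, port in exposed_db_ports(ingress_rules):
        findings.append(f"{name} port {port} is open to 0.0.0.0/0; restrict the source to the app tier's security group")
    return findings


if __name__ == "__main__":
    for rtb, sg in (("rtb-private", "sg-db-good"), ("rtb-public", "sg-db-bad"), ("rtb-no-default", "sg-db-good")):
        print(rtb, sg, "->", db_placement_findings(ROUTE_TABLES[rtb], SECURITY_GROUPS[sg]) or ["ok"])
```

The private subnet with the application-scoped security group yields no findings; the public subnet with a world-open port yields two; the subnet with no default route yields the "outbound updates will fail" finding even though both gateways exist, which is the point of the review question about the route tables.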

Review questions

To check your knowledge from this chapter, here are five questions that you should now be able to answer. Remember the exam techniques from Chapter 1, AWS Certified Database – Specialty Exam Overview, and remove the clearly incorrect answers first to help you:

  1. A user has deployed a database in a private subnet in their VPC. They have created an internet gateway and a NAT gateway. The database is unable to connect to the internet to check for updates. What is the most likely reason?
    1. An internet gateway with a private IP was used.
    2. The user needs to allow outbound traffic in the security group for port 80 to allow internet updates.
    3. A private subnet can never connect to the internet.
    4. The route tables are updated to point all external traffic to the gateways.
  2. A user has created a VPC with a single public subnet. The user has created a security group for that VPC. Which of the following statements is true when a security group is created?
    1. It can connect to...

Further reading

During this chapter, we have covered a wide range of VPC and networking topics. In the AWS Certified Database – Specialty exam, you will only be expected to know the VPC networking and configuration topics covered in this chapter. However, for a deeper understanding of VPCs, security groups, and subnets, the following books and courses are recommended:
