Implementing Interface Endpoints

- The video demonstrates how to create and use an interface endpoint in AWS VPC. It shows the steps to create an interface endpoint for the EC2 service and associate it with subnets. It then shows how traffic is redirected to the private interface endpoint IP when calling the EC2 API from within the VPC, rather than using a public IP. Finally, it demonstrates restricting access to the interface endpoint using security groups.

Uploaded by

shubh240184

-: Hello and welcome back again. So in the last video we were discussing the basics of the interface endpoint. We also looked into it from a demo perspective. So in today's video we'll go ahead and implement an interface endpoint and look into the steps that are involved.

So going to the VPC Management Console, let's go to the endpoints here. Now, in case you have a gateway endpoint still running, you can go ahead and delete it so that unnecessary charges do not come. However, today, for the time being, let's quickly focus on the interface endpoints here. Now, as we were discussing, there are multiple services that are supported by the interface endpoint here. The one that we are interested in is EC2 for today's video, to keep things a little different, because for the gateway endpoint we had made use of the S3 service. So to keep things different, we'll be making use of the EC2 service. And the one that we are looking for is the first one, which is EC2.

Once the service is selected, the next important thing is to select the availability zone where the interface endpoint would be created. So basically, this is a network interface, as we were discussing. So which of the subnets this network interface would be associated with is something that you can look into. Just for simplicity, let's associate it with all of the subnets. Let's go a bit down. And here you have the security group. Let's leave it as before; the policy we'll leave as default. Let's go ahead and create the interface endpoint.

All right, so the interface endpoint is created. Now do note that it takes a little amount of time for the interface endpoint to be created. So till that time, let's do one thing: let's go to the security group. So there should be one security group that should be associated with the network interfaces, and let's go ahead and allow the VPC CIDR. So under the inbound rules here, you currently only have the source of the default list; quickly change this and allow the VPC CIDR here, which is 172.31.0.0/16. All right, let's go ahead and save this.

That's great. So approximately after two to three minutes our interface endpoint is up and running. Now, within the EC2 instance, let's go ahead and try it out. So let me go ahead and connect to the public EC2. Now again, since this interface endpoint is associated with all of the subnets, it will work perfectly well in the public as well as the private EC2 instances. So let me quickly go ahead and connect to the public EC2 instance here, and let's do it from the second tab as well. All right, let's switch to root and just verify that the tcpdump utility is available. If you just run the tcpdump command, you should see the packet capture. Let's do a Control-C. All right, perfect.

So now from the first tab we'll go ahead and do an aws ec2 describe-instances, and the region would be us-east-1, let's call it, just for simplicity. So this is a different region from where the interface endpoint is created. If you press Enter, it is fine if you are getting an unauthorized operation error; that is perfectly fine. But the primary aim for this part is to verify which endpoint this connection is going to. All right, so if you quickly do a tcpdump on the destination port of 443 here, let's run the same command yet again. And you see it is going towards a public endpoint over here.

So now this time, let's run the same command and just change the region to us-west-2, where our EC2 instance and the interface endpoints are, and let's run the TCP packet capture yet again. We are getting an unauthorized operation error; that is fine. And now you see the traffic is now directed to 172.31.33.225, so this is nothing but that interface endpoint. Along with this, you also have the API endpoint, which is ec2.us-west-2.amazonaws.com. So this should be directed towards the interface endpoint.

Now for this, from my workstation, let me go ahead and do an nslookup just to understand how things are working. You see it is directing to a public IP over there, all right? So ec2.us-west-2.amazonaws.com is directing to a public IP. Now, the same thing, if we do it from our EC2 instance, you see it is being directed to our interface endpoint IP. So there are multiple IP addresses, all for interface endpoints, and this is where the traffic is redirected to. So this is a completely private connection within the VPC itself.

Now from the public EC2, let me also go ahead and connect to a private EC2 instance ending with the IP of .30.90. So let's quickly verify. So the private EC2 IP ends in .30.90. Now, since this private EC2 does not have an internet route, if we do an aws ec2 describe-instances and specify a region of us-east-1, for this specific connection you will not see any output. So you will neither see the output nor any access denied message, primarily because the API call is not able to complete here. However, this time, instead of us-east-1, if you just do us-west-2, you will get an access denied message, primarily because the call was successfully made to EC2. But since the instance does not have an appropriate IAM role policy, you are getting a permission denied message.

Great. So I hope with this you understood, at a high-level overview, how the interface endpoint works. Now, as we were discussing, the interface endpoint basically enables us to use the security group to restrict access to the endpoint. So let's also try it out so that there is no confusion that arises at a later stage. So what we'll do is we'll go ahead and allow only the IP address of the public EC2 to connect, in the security group associated with the network interface of the interface endpoint. So let's do one thing: let's go to the security group. Let's modify the security group here. And within the inbound rule, instead of the entire CIDR, we'll only allow the IP address of our public EC2.

All right. So now if you run this specific command, even this specific message that we were seeing should not appear. So let's try it out. And as expected, now you see you are not able to see anything, primarily because the traffic is denied at the security group level. Now, along with this, the interface endpoint supports access control both via the security group as well as the policy. So you can go ahead and create a policy based on which the access decision can also be made.

Great. So I hope that with this you understood the practical aspect of creating an interface endpoint, and with this we'll conclude today's video.
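The nslookup and tcpdump checks in the video show whether the EC2 API name resolves to the endpoint's private IPs or to public ones. The script below is an added example, not from the video, that automates that check: it classifies a set of resolved addresses as private (inside the VPC CIDR 172.31.0.0/16 from the video) or public. The second 172.31.x address and the 203.0.113.10 public address are constructed sample values.

```shell
#!/bin/sh
# Added example: decide whether ec2.us-west-2.amazonaws.com is being answered
# by the interface endpoint (private DNS) or by the public API endpoint.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR (e.g. 172.31.0.0/16)
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_resolution CIDR  (reads "address hostname" lines, as printed by
# `getent hosts NAME`, on stdin). Prints "private" when every address is in
# the VPC CIDR, "public" when none is, "mixed" otherwise; fails on no input.
classify_resolution() {
  cidr=$1; priv=0; pub=0
  while read -r addr _; do
    [ -n "$addr" ] || continue
    if in_cidr "$addr" "$cidr"; then priv=$((priv + 1)); else pub=$((pub + 1)); fi
  done
  [ $((priv + pub)) -gt 0 ] || return 1
  if [ "$pub" -eq 0 ]; then echo private
  elif [ "$priv" -eq 0 ]; then echo public
  else echo mixed; fi
}

VPC_CIDR=172.31.0.0/16
# Constructed samples: 172.31.33.225 is the endpoint ENI address seen in the
# video; 172.31.44.17 and 203.0.113.10 (documentation range) are made up.
FROM_INSTANCE='172.31.33.225 ec2.us-west-2.amazonaws.com
172.31.44.17 ec2.us-west-2.amazonaws.com'
FROM_WORKSTATION='203.0.113.10 ec2.us-west-2.amazonaws.com'

echo "instance:    $(printf '%s\n' "$FROM_INSTANCE" | classify_resolution "$VPC_CIDR")"
echo "workstation: $(printf '%s\n' "$FROM_WORKSTATION" | classify_resolution "$VPC_CIDR")"
# Live check from an instance in the VPC (needs network access, not run here):
#   getent hosts ec2.us-west-2.amazonaws.com | classify_resolution 172.31.0.0/16
```

A "public" result from inside the VPC means private DNS is not in effect for that endpoint (or the subnet is not associated), so API traffic would leave through the public path instead.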
