Network Engineer Certification
I prepare for being certified as Network Engineer. This means you have to digest a lot of complicated topics... or you make it fun by using analogies. I bet I will teach you BGP, Interconnects and VPN in the next 10 minutes so that you won't forget it or you get your money back.
Let's start like this: Imagine the internet is the highway network connecting towns (datacenters). Then, the cars are network packets driving over it.
|If highways are the internet, network|
packets are cars
The cars deliver pizza. There are routes where you can drive fast and there are slow routes. Some have four lanes, others are just narrow alleys. That's latency and bandwidth aka throughput. Now I tell you, if I want a pizza, I want it in 10 minutes. Having 5 pizzas after 50 minutes just isn't the same experience although throughput would be the same.
If your car is longer than 10 meters, then, it will get stuck here. So the pizza will never arrive, neither will an accident message :(
- more cars to travel
- faster and with
- more privacy - neither the police nor gangsters drive on your highway, you can have private car plates (IP addresses)
- more secrecy - you can just build a wall around the highway (encryption)
Cool analogy, right? In the certification exam, when they talk about interconnects, you will know what to say about interconnects.
Now, what is a VPN (virtual private network)? A VPN uses the public highway routes, but uses car transporters with a canopy so you cannot see the cars from the outside:
|Car transporters can hide cars, and the |
number plates do not have to be official
You can have one ore more car transporters. Obviously, the cars don't need to have official number plates (IP addresses) either. They can have private car plates (192.168.0.7 or whatever). For the certification you have to know that a VPN:
- is secure. Transmitted packets cannot be inspected from third parties because they are encrypted. This means privacy. It is analog to the canopy hiding the cars inside the car transporter.
- can use private IP addresses. Analog to the car plates that do not need to be official.
- can use several tunnels (car transporters)
- does not have a lower latency or higher bandwidth than the underlying public highway... err, internet connection
Next topic, every highway system needs signposts:
In our analogy, cities are datacenters, or, more exactly, IP address ranges with names like 10.0.0.1/32. Our cities frequently get deleted or moved or extended or shrinked or they get new suburbs (subnetworks). Or highways get deleted. So we need a service to re-label the signposts. This signpost labelling service is called BGP (border gateway protocol). It says things like "Munich? If your car plate ends in 7, go this way, otherwise, go this way. By doing that, it can load balance the traffic between nodes.
|A "signpost" shown by the command route.|
We can make it more complicated ;)
Now, a VPC (virtual private cloud) is what used to be called a "network" in the on-premise days. Compare it to a town's streetmap. The town has suburbs (subnetworks) which are part of the streetmap. A VPC is a "town" (network) in the cloud.
VPC peering is dynamic routing, that you allow the BGP (signpost labelling service) to extend over two towns ("peered" towns or networks). Typically you have an on-premise datacenter and want to peer it with a VPC in the cloud.
A VPC includes firewall rules like "only red cars are allowed to drive to the house with the address 10.18.7.77". And of course a security concept who is allowed to change what rules. If you want to extend this to another VPC, you create a shared VPC.
Now our pizza bakery has local storage places in every bigger city. They are called proxies and are part of the content delivery network CDN. The pizza stored there is pre-orderable (static) pizza.
What's Cloud NAT
I used to work for BASF, and they have the world's largest chemical compound. 7.11km² of chemical factories. In that compound, you could drive with their own cars. Perfectly normal cars, but... you guessed it, they did not have official car plates. Now imagine your boss gets hungry and wants a pizza. They send you in the internal car to gate. Then, you cannot get outside because of your car plate, so, you get into a taxi (with official car plates) and drive to the restaurant to get the pizza, right? And when you return, someone has noted your internal car's internal car plate and your taxi's external one. And hands you back the key to your internal car, so you can bring the pizza back to the factory where it has been requested. Now that's NAT (network address translation) - you don't have an external IP address, but you can access the internet nevertheless.