# VPC (Virtual Private Cloud)

## 1. VPC Overview

### 1.1 What is a VPC?

A VPC is a logically isolated virtual network within the cloud.

Core concepts:

- Define your own IP address range
- Divide it into subnets
- Control traffic with route tables
- Control access with security groups/firewalls

### 1.2 AWS vs GCP VPC Differences

| Category | AWS VPC | GCP VPC |
|---|---|---|
| Scope | Regional | Global |
| Subnet Scope | Availability Zone (AZ) | Regional |
| Default VPC | 1 per region | 1 per project (default) |
| Peering | Cross-region possible | Global automatic |
| IP Range | Fixed at creation | Subnets can be added |

AWS VPC Structure:

```text
┌──────────────────────────────────────────────────────────┐
│ VPC (Region: ap-northeast-2)                             │
│ CIDR: 10.0.0.0/16                                        │
│  ┌─────────────────────┐   ┌─────────────────────┐       │
│  │ Subnet-a (AZ-a)     │   │ Subnet-b (AZ-b)     │       │
│  │ 10.0.1.0/24         │   │ 10.0.2.0/24         │       │
│  └─────────────────────┘   └─────────────────────┘       │
└──────────────────────────────────────────────────────────┘
```

GCP VPC Structure:

```text
┌──────────────────────────────────────────────────────────┐
│ VPC (Global)                                             │
│  ┌─────────────────────┐   ┌─────────────────────┐       │
│  │ Subnet-asia         │   │ Subnet-us           │       │
│  │ (asia-northeast3)   │   │ (us-central1)       │       │
│  │ 10.0.1.0/24         │   │ 10.0.2.0/24         │       │
│  └─────────────────────┘   └─────────────────────┘       │
└──────────────────────────────────────────────────────────┘
```

## 2. Subnets

### 2.1 Public vs Private Subnets

| Type | Internet Access | Use Case |
|---|---|---|
| Public | Direct access | Web servers, Bastion |
| Private | Only through NAT | Applications, Databases |

### 2.2 AWS Subnet Creation

```bash
# 1. Create the VPC
aws ec2 create-vpc \
    --cidr-block 10.0.0.0/16 \
    --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]'

# 2. Create a public subnet
aws ec2 create-subnet \
    --vpc-id vpc-12345678 \
    --cidr-block 10.0.1.0/24 \
    --availability-zone ap-northeast-2a \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-1}]'

# 3. Create a private subnet
aws ec2 create-subnet \
    --vpc-id vpc-12345678 \
    --cidr-block 10.0.10.0/24 \
    --availability-zone ap-northeast-2a \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-1}]'

# 4. Auto-assign public IPs on launch (public subnet only)
aws ec2 modify-subnet-attribute \
    --subnet-id subnet-public \
    --map-public-ip-on-launch
```

### 2.3 GCP Subnet Creation

```bash
# 1. Create a custom-mode VPC
gcloud compute networks create my-vpc \
    --subnet-mode=custom

# 2. Create a subnet (Seoul)
gcloud compute networks subnets create subnet-asia \
    --network=my-vpc \
    --region=asia-northeast3 \
    --range=10.0.1.0/24

# 3. Create a subnet (US)
gcloud compute networks subnets create subnet-us \
    --network=my-vpc \
    --region=us-central1 \
    --range=10.0.2.0/24

# 4. Enable Private Google Access
gcloud compute networks subnets update subnet-asia \
    --region=asia-northeast3 \
    --enable-private-ip-google-access
```

## 3. Internet Gateway

### 3.1 AWS Internet Gateway

```bash
# 1. Create the IGW
aws ec2 create-internet-gateway \
    --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=MyIGW}]'

# 2. Attach it to the VPC
aws ec2 attach-internet-gateway \
    --internet-gateway-id igw-12345678 \
    --vpc-id vpc-12345678

# 3. Add a default route to the route table
aws ec2 create-route \
    --route-table-id rtb-12345678 \
    --destination-cidr-block 0.0.0.0/0 \
    --gateway-id igw-12345678

# 4. Associate the route table with the public subnet
aws ec2 associate-route-table \
    --route-table-id rtb-12345678 \
    --subnet-id subnet-public
```

### 3.2 GCP Internet Access

GCP has no separate internet gateway resource: an instance can reach the internet as long as it has an external IP.

```bash
# Assign an external IP when creating the instance
gcloud compute instances create my-instance \
    --zone=asia-northeast3-a \
    --network=my-vpc \
    --subnet=subnet-asia \
    --address=EXTERNAL_IP   # omit --address to get an ephemeral IP

# Reserve a static IP
gcloud compute addresses create my-static-ip \
    --region=asia-northeast3
```

## 4. NAT Gateway

A NAT gateway lets instances in private subnets initiate outbound connections to the internet.

### 4.1 AWS NAT Gateway

```bash
# 1. Allocate an Elastic IP
aws ec2 allocate-address --domain vpc

# 2. Create the NAT Gateway (in the public subnet)
aws ec2 create-nat-gateway \
    --subnet-id subnet-public \
    --allocation-id eipalloc-12345678 \
    --tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=MyNAT}]'

# 3. Add a default route to the private route table
aws ec2 create-route \
    --route-table-id rtb-private \
    --destination-cidr-block 0.0.0.0/0 \
    --nat-gateway-id nat-12345678

# 4. Associate the route table with the private subnet
aws ec2 associate-route-table \
    --route-table-id rtb-private \
    --subnet-id subnet-private
```

### 4.2 GCP Cloud NAT

```bash
# 1. Create a Cloud Router
gcloud compute routers create my-router \
    --network=my-vpc \
    --region=asia-northeast3

# 2. Create the Cloud NAT gateway on that router
gcloud compute routers nats create my-nat \
    --router=my-router \
    --region=asia-northeast3 \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges
```

## 5. Security Groups / Firewalls

### 5.1 AWS Security Groups

Security groups are instance-level, stateful firewalls.

```bash
# Create the security group
aws ec2 create-security-group \
    --group-name web-sg \
    --description "Web server security group" \
    --vpc-id vpc-12345678

# Add inbound rules
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 80 \
    --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 22 \
    --cidr 203.0.113.0/24   # allow only a specific source range

# Allow traffic coming from another security group
aws ec2 authorize-security-group-ingress \
    --group-id sg-db \
    --protocol tcp \
    --port 3306 \
    --source-group sg-web

# View the rules
aws ec2 describe-security-groups --group-ids sg-12345678
```
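
The `describe-security-groups` output above is JSON, which makes it easy to audit. The following is an added example (not from the original page or from AWS) that parses that JSON shape and flags rules exposing administrative ports to the whole internet. The sample output is constructed to mirror the groups created in this section, plus one deliberately over-permissive legacy group so the check has something to find.

```python
"""Audit AWS security groups for administrative ports open to the world.

Added example, not part of the original page. Parses the JSON shape printed by
`aws ec2 describe-security-groups` and reports inbound rules that expose admin
ports to 0.0.0.0/0 or ::/0. SAMPLE_OUTPUT is constructed, not captured.
"""
import json

# TCP ports that should never be reachable from the entire internet
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Constructed sample: web-sg and the db group from this section, plus a bad one
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-12345678", "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-bad", "GroupName": "legacy-db-sg", "IpPermissions": [
        {"IpProtocol": "-1",   # all protocols, all ports
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
]})


def rule_covers_port(perm, port):
    """True if an IpPermission entry includes TCP `port` (protocol -1 means everything)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open(perm):
    """True if the rule's source includes the entire IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(describe_output):
    """Return sorted (group_id, port, service) findings for world-open admin ports."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not world_open(perm):
                continue  # narrow CIDRs and source-group rules are fine here
            for port, service in ADMIN_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.append((sg["GroupId"], port, service))
    return sorted(findings)


if __name__ == "__main__":
    for gid, port, svc in audit_security_groups(SAMPLE_OUTPUT):
        print(f"{gid}: {svc} (tcp/{port}) is open to the world")
```

Only the legacy group is reported: web-sg's SSH rule is restricted to 203.0.113.0/24, and db-sg admits MySQL only from `sg-web`, which is the pattern the commands above set up.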

### 5.2 GCP Firewall Rules

GCP firewall rules apply at the VPC level and select their targets by network tag or service account.

```bash
# Allow HTTP/HTTPS traffic (tag-based targets)
gcloud compute firewall-rules create allow-http \
    --network=my-vpc \
    --allow=tcp:80,tcp:443 \
    --target-tags=http-server \
    --source-ranges=0.0.0.0/0

# Allow SSH (specific source range only)
gcloud compute firewall-rules create allow-ssh \
    --network=my-vpc \
    --allow=tcp:22 \
    --target-tags=ssh-server \
    --source-ranges=203.0.113.0/24

# Allow internal traffic
gcloud compute firewall-rules create allow-internal \
    --network=my-vpc \
    --allow=tcp,udp,icmp \
    --source-ranges=10.0.0.0/8

# List rules
gcloud compute firewall-rules list --filter="network:my-vpc"

# Delete a rule
gcloud compute firewall-rules delete allow-http
```

### 5.3 AWS NACL (Network ACL)

A NACL is a subnet-level, stateless firewall.

```bash
# Create the NACL
aws ec2 create-network-acl \
    --vpc-id vpc-12345678 \
    --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=MyNACL}]'

# Add an inbound rule (the rule number sets priority; the lowest number is evaluated first)
aws ec2 create-network-acl-entry \
    --network-acl-id acl-12345678 \
    --ingress \
    --rule-number 100 \
    --protocol tcp \
    --port-range From=80,To=80 \
    --cidr-block 0.0.0.0/0 \
    --rule-action allow

# An outbound rule is also required (stateless): replies go to the client's ephemeral port
aws ec2 create-network-acl-entry \
    --network-acl-id acl-12345678 \
    --egress \
    --rule-number 100 \
    --protocol tcp \
    --port-range From=1024,To=65535 \
    --cidr-block 0.0.0.0/0 \
    --rule-action allow
```
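
To make the stateful/stateless distinction concrete, here is an added example (not from the original page) that models the two rules just created and runs one HTTP request and its reply through a stateful security group and a stateless NACL. The packet addresses and ports are constructed; the rule logic is a simplified model, not the AWS implementation.

```python
"""Stateful security group vs stateless NACL on one HTTP request/reply pair.

Added example, not part of the original page. Models the rules created above
(inbound tcp/80 from anywhere; outbound tcp/1024-65535 to anywhere) and shows
why the NACL drops the server's reply unless the egress rule exists, while the
stateful security group admits the reply as part of an established connection.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected instance/subnet
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    cidr: str       # remote side of the conversation
    port_from: int
    port_to: int
    action: str = "allow"


def rule_matches(rule, pkt):
    """Match on direction, the remote address, and the packet's destination port."""
    remote_ip = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= pkt.dst_port <= rule.port_to)


def nacl_decide(rules, pkt):
    """Stateless: each packet is judged alone; rules are given in rule-number order."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # the implicit final deny of every NACL


class StatefulSecurityGroup:
    """Stateful: an admitted packet opens a flow, and later packets of that flow pass."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def decide(self, pkt):
        # Flow key is (remote address, remote port, local port) in both directions
        if pkt.direction == "in":
            key = (pkt.src, pkt.src_port, pkt.dst_port)
        else:
            key = (pkt.dst, pkt.dst_port, pkt.src_port)
        if key in self.flows:
            return "allow"  # part of a connection already admitted
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "allow":
                    self.flows.add(key)
                return rule.action
        return "deny"


# Rules mirroring the CLI commands above
INGRESS_ONLY = [Rule("in", "0.0.0.0/0", 80, 80)]
INGRESS_AND_EGRESS = INGRESS_ONLY + [Rule("out", "0.0.0.0/0", 1024, 65535)]


def simulate(ingress_only, ingress_and_egress):
    """Run a constructed client request and the server's reply through both filters."""
    request = Packet("in", "198.51.100.7", "10.0.1.10", 50000, 80)
    reply = Packet("out", "10.0.1.10", "198.51.100.7", 80, 50000)
    sg = StatefulSecurityGroup(ingress_only)
    return {
        "sg_request": sg.decide(request),
        "sg_reply": sg.decide(reply),
        "nacl_ingress_only_reply": nacl_decide(ingress_only, reply),
        "nacl_with_egress_reply": nacl_decide(ingress_and_egress, reply),
    }


if __name__ == "__main__":
    for name, decision in simulate(INGRESS_ONLY, INGRESS_AND_EGRESS).items():
        print(f"{name:26} {decision}")
```

With only the inbound rule, the security group still passes the reply because it remembers the request; the NACL denies it because the reply, judged on its own, is an outbound packet to port 50000 with no matching egress rule. Adding the 1024-65535 egress entry is what makes the NACL case work.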

## 6. VPC Peering

### 6.1 AWS VPC Peering

```bash
# 1. Request the peering connection
aws ec2 create-vpc-peering-connection \
    --vpc-id vpc-requester \
    --peer-vpc-id vpc-accepter \
    --peer-region ap-northeast-1   # only when the peer VPC is in another region

# 2. Accept the peering connection
aws ec2 accept-vpc-peering-connection \
    --vpc-peering-connection-id pcx-12345678

# 3. Add routes in the route tables of both VPCs
# Requester VPC
aws ec2 create-route \
    --route-table-id rtb-requester \
    --destination-cidr-block 10.1.0.0/16 \
    --vpc-peering-connection-id pcx-12345678

# Accepter VPC
aws ec2 create-route \
    --route-table-id rtb-accepter \
    --destination-cidr-block 10.0.0.0/16 \
    --vpc-peering-connection-id pcx-12345678
```

### 6.2 GCP VPC Peering

```bash
# 1. Create the peering from the first VPC
gcloud compute networks peerings create peer-vpc1-to-vpc2 \
    --network=vpc1 \
    --peer-network=vpc2

# 2. Create the peering from the second VPC (both sides are required)
gcloud compute networks peerings create peer-vpc2-to-vpc1 \
    --network=vpc2 \
    --peer-network=vpc1

# Routes are exchanged automatically once both sides are active
```

## 7. Private Endpoints

Reach AWS/GCP services over the provider's network without traversing the public internet.

### 7.1 AWS VPC Endpoints

Gateway Endpoint (S3, DynamoDB):

```bash
aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --service-name com.amazonaws.ap-northeast-2.s3 \
    --route-table-ids rtb-12345678
```

Interface Endpoint (other services):

```bash
aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --service-name com.amazonaws.ap-northeast-2.secretsmanager \
    --vpc-endpoint-type Interface \
    --subnet-ids subnet-12345678 \
    --security-group-ids sg-12345678
```

### 7.2 GCP Private Service Connect

```bash
# Enable Private Google Access
gcloud compute networks subnets update subnet-asia \
    --region=asia-northeast3 \
    --enable-private-ip-google-access

# Reserve an address for a Private Service Connect endpoint
# (the endpoint itself is a forwarding rule that points at the producer's service attachment)
gcloud compute addresses create psc-endpoint \
    --region=asia-northeast3 \
    --subnet=subnet-asia \
    --purpose=PRIVATE_SERVICE_CONNECT
```

## 8. Common VPC Architectures

### 8.1 3-Tier Architecture

```text
┌────────────────────────────────────────────────────────────┐
│ VPC (10.0.0.0/16)                                          │
│                                                            │
│  ┌──────────────────────────────────────────────────────┐  │
│  │ Public Subnets (10.0.1.0/24, 10.0.2.0/24)            │  │
│  │   ┌─────────────┐   ┌─────────────┐                  │  │
│  │   │    ALB      │   │   Bastion   │                  │  │
│  │   └─────────────┘   └─────────────┘                  │  │
│  └──────────────────────────────────────────────────────┘  │
│                            │                               │
│  ┌──────────────────────────────────────────────────────┐  │
│  │ Private Subnets - App (10.0.10.0/24, 10.0.11.0/24)   │  │
│  │   ┌─────────────┐   ┌─────────────┐                  │  │
│  │   │   App-1     │   │   App-2     │                  │  │
│  │   └─────────────┘   └─────────────┘                  │  │
│  └──────────────────────────────────────────────────────┘  │
│                            │                               │
│  ┌──────────────────────────────────────────────────────┐  │
│  │ Private Subnets - DB (10.0.20.0/24, 10.0.21.0/24)    │  │
│  │   ┌─────────────┐   ┌─────────────┐                  │  │
│  │   │ DB Primary  │   │ DB Standby  │                  │  │
│  │   └─────────────┘   └─────────────┘                  │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                            │
│  ┌──────────────┐   ┌──────────────┐                       │
│  │     IGW      │   │    NAT GW    │                       │
│  └──────────────┘   └──────────────┘                       │
└────────────────────────────────────────────────────────────┘
```
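
Before any of these subnets are created it pays to check the address plan. The following is an added example (not from the original page) that uses Python's `ipaddress` module to validate the 3-tier plan above: every subnet must fit inside the VPC CIDR, no two may overlap, and a VPC you intend to peer with (10.1.0.0/16 from the peering section) must not overlap either. It also lists the unused /24 blocks left for future tiers; the subnet names are assumptions.

```python
"""Validate a VPC subnet plan with the standard library.

Added example, not part of the original page. Checks that each subnet in the
3-tier layout fits inside the VPC CIDR, that no two subnets overlap, and that a
prospective peer VPC does not overlap this one (VPC peering requires
non-overlapping address ranges).
"""
import ipaddress

# Subnet plan taken from the 3-tier diagram (names are assumed)
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "public-a": "10.0.1.0/24",
    "public-b": "10.0.2.0/24",
    "app-a": "10.0.10.0/24",
    "app-b": "10.0.11.0/24",
    "db-a": "10.0.20.0/24",
    "db-b": "10.0.21.0/24",
}


def validate_plan(vpc_cidr, subnets):
    """Return a list of human-readable problems; an empty list means the plan is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []

    # Every subnet must be carved out of the VPC range
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is outside VPC {vpc}")

    # No two subnets may share addresses
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def can_peer(vpc_a, vpc_b):
    """Peering is only possible when the two VPC CIDRs do not overlap."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


def free_space(vpc_cidr, subnets, prefixlen=24):
    """List unused /prefixlen blocks in the VPC, useful when adding a tier later."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(c) for c in subnets.values()]
    return [str(block) for block in vpc.subnets(new_prefix=prefixlen)
            if not any(block.overlaps(u) for u in used)]


if __name__ == "__main__":
    print("plan problems:", validate_plan(VPC_CIDR, SUBNET_PLAN))
    # A broken plan: one subnet outside the VPC, one colliding with public-a
    bad = dict(SUBNET_PLAN, rogue="192.168.1.0/24", dup="10.0.1.0/25")
    for problem in validate_plan(VPC_CIDR, bad):
        print("PROBLEM:", problem)
    print("can peer with 10.1.0.0/16:", can_peer(VPC_CIDR, "10.1.0.0/16"))
    print("can peer with 10.0.128.0/17:", can_peer(VPC_CIDR, "10.0.128.0/17"))
    print("first free /24s:", free_space(VPC_CIDR, SUBNET_PLAN)[:3])
```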

### 8.2 AWS VPC Example (Terraform)

```hcl
# Availability zones to spread the subnets across
data "aws_availability_zones" "available" {
  state = "available"
}

# VPC
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  tags                 = { Name = "main-vpc" }
}

# Public Subnets (10.0.1.0/24, 10.0.2.0/24)
resource "aws_subnet" "public" {
  count                   = 2
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.${count.index + 1}.0/24"
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
  tags                    = { Name = "public-${count.index + 1}" }
}

# Private Subnets (10.0.10.0/24, 10.0.11.0/24)
resource "aws_subnet" "private" {
  count             = 2
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.${count.index + 10}.0/24"
  availability_zone = data.aws_availability_zones.available.names[count.index]
  tags              = { Name = "private-${count.index + 1}" }
}

# Internet Gateway
resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id
}

# Elastic IP for the NAT Gateway
resource "aws_eip" "nat" {
  domain = "vpc"
}

# NAT Gateway, placed in a public subnet; the IGW must exist before it can route out
resource "aws_nat_gateway" "main" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id
  depends_on    = [aws_internet_gateway.main]
}
```

## 9. Troubleshooting

### 9.1 Connection Issue Checklist

- [ ] Check security group inbound rules
- [ ] Check NACL rules (AWS)
- [ ] Check firewall rules (GCP)
- [ ] Check route tables
- [ ] Verify the internet gateway is attached
- [ ] Check NAT gateway status
- [ ] Verify the instance has a public IP
- [ ] Check VPC peering routes

### 9.2 Debugging Commands

AWS:

```bash
# Enable VPC Flow Logs (delivery to CloudWatch Logs needs an IAM role; placeholder ARN below)
aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-12345678 \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name vpc-flow-logs \
    --deliver-logs-permission-arn arn:aws:iam::ACCOUNT_ID:role/FLOW_LOGS_ROLE

# Reachability Analyzer: define the path, then run an analysis against it
aws ec2 create-network-insights-path \
    --source i-source \
    --destination i-destination \
    --destination-port 80 \
    --protocol tcp

aws ec2 start-network-insights-analysis \
    --network-insights-path-id nip-12345678
```
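
Once flow logs are on, the fastest way through the checklist above is to look at what is being REJECTed. The following is an added example (not from the original page) that parses records in the default version-2 flow log format and summarises rejects by destination and by source. The log lines are constructed for illustration, not captured from a real account.

```python
"""Summarise REJECT records from VPC Flow Logs to locate a blocked connection.

Added example, not part of the original page. The sample records are constructed
in the default (version 2) flow log format produced by `create-flow-logs`:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed sample records (not real traffic); the last line is a NODATA window
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 50000 80 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 52000 22 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 52001 22 6 4 240 1700000010 1700000070 REJECT OK
2 123456789012 eni-0f9e8d7c 10.0.10.21 10.0.20.15 43000 3306 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse space-separated v2 records; skip malformed lines and non-OK windows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a v2 record (or a truncated line)
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA windows carry no flows
        records.append(rec)
    return records


def reject_summary(records):
    """Count REJECTed flows by (dstaddr, protocol, dstport) and by source address."""
    by_target = Counter()
    by_source = Counter()
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        proto = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
        by_target[(rec["dstaddr"], proto, int(rec["dstport"]))] += 1
        by_source[rec["srcaddr"]] += 1
    return by_target, by_source


if __name__ == "__main__":
    targets, sources = reject_summary(parse_flow_log(SAMPLE_LOG))
    for (dst, proto, port), n in targets.most_common():
        print(f"{n:3d} rejects -> {dst} {proto}/{port}")
    for src, n in sources.most_common():
        print(f"{n:3d} rejects from {src}")
```

Reading the constructed output against the checklist: the reject from 203.0.113.5 to tcp/22 falls inside the range the SSH security-group rule above allows, so the security group is not the blocker and the NACL or route table is the next thing to inspect; the app-to-database reject on tcp/3306 points at the `sg-web` source-group rule or the private route table.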

GCP:

```bash
# Enable VPC Flow Logs
gcloud compute networks subnets update subnet-asia \
    --region=asia-northeast3 \
    --enable-flow-logs

# Connectivity Tests
gcloud network-management connectivity-tests create my-test \
    --source-instance=projects/PROJECT/zones/ZONE/instances/source \
    --destination-instance=projects/PROJECT/zones/ZONE/instances/dest \
    --destination-port=80 \
    --protocol=TCP
```

## 10. Next Steps

- 10_Load_Balancing_CDN.md - Load Balancing
- 14_Security_Services.md - Security Details

## References

- AWS VPC Documentation
- GCP VPC Documentation
- AWS VPC Best Practices
- Networking/ - Networking Fundamentals