# VPC (Virtual Private Cloud)
## 1. VPC Overview

### 1.1 What is a VPC?

A VPC is a logically isolated virtual network inside a cloud provider's infrastructure. The isolation is logical, enforced by the provider's network layer rather than by separate hardware: two VPCs in the same account cannot exchange traffic unless you explicitly connect them.

Key concepts:

- Defines its own private IP address range (CIDR)
- Divided into subnets
- Route tables decide where traffic goes
- Security groups / firewall rules decide which traffic is allowed
### 1.2 AWS VPC vs GCP VPC

| Item | AWS VPC | GCP VPC |
|---|---|---|
| Scope | Regional | Global |
| Subnet scope | Availability Zone (AZ) | Region |
| Default VPC | One per region | One per project (`default`) |
| Peering | Within or across regions (and accounts) | Global (the VPCs themselves span regions) |
| IP range | Primary CIDR fixed at creation; secondary CIDRs can be added later | No VPC-level CIDR; each subnet brings its own range and can be added at any time |
AWS VPC structure:

```
+--------------------------------------------------------------+
| VPC (region: ap-northeast-2)                                 |
| CIDR: 10.0.0.0/16                                            |
|  +---------------------+   +---------------------+           |
|  | Subnet-a (AZ-a)     |   | Subnet-b (AZ-b)     |           |
|  | 10.0.1.0/24         |   | 10.0.2.0/24         |           |
|  +---------------------+   +---------------------+           |
+--------------------------------------------------------------+
```

GCP VPC structure:

```
+--------------------------------------------------------------+
| VPC (global)                                                 |
|  +---------------------+   +---------------------+           |
|  | Subnet-asia         |   | Subnet-us           |           |
|  | (asia-northeast3)   |   | (us-central1)       |           |
|  | 10.0.1.0/24         |   | 10.0.2.0/24         |           |
|  +---------------------+   +---------------------+           |
+--------------------------------------------------------------+
```
## 2. Subnets

### 2.1 Public vs private subnets

| Type | Internet access | Typical use |
|---|---|---|
| Public | Direct (route to the internet gateway plus a public IP on the instance) | Web servers / load balancers, bastion hosts |
| Private | Outbound only, through NAT; nothing inbound from the internet | Application servers, databases |

What makes a subnet "public" is not a flag on the subnet but its route table: a subnet whose route table carries a `0.0.0.0/0` route to an internet gateway is public. `map-public-ip-on-launch` only decides whether instances get a public address by default.

### 2.2 Creating AWS subnets

```bash
# 1. Create the VPC
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]'

# 2. Create a public subnet (vpc-12345678 stands for the VpcId returned above)
aws ec2 create-subnet \
  --vpc-id vpc-12345678 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone ap-northeast-2a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-1}]'

# 3. Create a private subnet
aws ec2 create-subnet \
  --vpc-id vpc-12345678 \
  --cidr-block 10.0.10.0/24 \
  --availability-zone ap-northeast-2a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-1}]'

# 4. Auto-assign public IPs at launch (public subnet only; leave this off for private subnets)
aws ec2 modify-subnet-attribute \
  --subnet-id subnet-public \
  --map-public-ip-on-launch
```
### 2.3 Creating GCP subnets

```bash
# 1. Create a custom-mode VPC (auto mode would create a subnet in every region from 10.128.0.0/9)
gcloud compute networks create my-vpc \
  --subnet-mode=custom

# 2. Create a subnet (Seoul)
gcloud compute networks subnets create subnet-asia \
  --network=my-vpc \
  --region=asia-northeast3 \
  --range=10.0.1.0/24

# 3. Create a subnet (US)
gcloud compute networks subnets create subnet-us \
  --network=my-vpc \
  --region=us-central1 \
  --range=10.0.2.0/24

# 4. Enable Private Google Access (instances without an external IP can reach Google APIs)
gcloud compute networks subnets update subnet-asia \
  --region=asia-northeast3 \
  --enable-private-ip-google-access
```

A custom-mode network starts with no firewall rules of its own, only the implied allow-all egress and deny-all ingress, so nothing in it is reachable until you add rules (section 5.2). The `default` network, by contrast, ships with permissive `default-allow-*` rules that are worth deleting or replacing.
## 3. Internet Gateway

### 3.1 AWS Internet Gateway

```bash
# 1. Create the IGW
aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=MyIGW}]'

# 2. Attach it to the VPC
aws ec2 attach-internet-gateway \
  --internet-gateway-id igw-12345678 \
  --vpc-id vpc-12345678

# 3. Add a default route to the route table
aws ec2 create-route \
  --route-table-id rtb-12345678 \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-12345678

# 4. Associate the route table with the public subnet
aws ec2 associate-route-table \
  --route-table-id rtb-12345678 \
  --subnet-id subnet-public
```

Use a dedicated route table for public subnets. If `rtb-12345678` is the VPC's main route table, the `0.0.0.0/0 -> igw` route applies to every subnet without an explicit association, which silently turns "private" subnets public.

### 3.2 GCP internet access

GCP has no internet gateway object to create. A VPC is created with a default route (`0.0.0.0/0` via `default-internet-gateway`); any instance that has an external IP, and a firewall rule allowing the traffic, is reachable from the internet. Delete that default route and nothing in the VPC can reach the internet, Cloud NAT included.

```bash
# Assign an external IP at instance creation
gcloud compute instances create my-instance \
  --zone=asia-northeast3-a \
  --network=my-vpc \
  --subnet=subnet-asia \
  --address=EXTERNAL_IP   # a reserved address; omit the flag for an ephemeral IP, or pass --no-address for none

# Reserve a static IP
gcloud compute addresses create my-static-ip \
  --region=asia-northeast3
```
## 4. NAT Gateway

Lets instances in private subnets reach the internet (package repositories, external APIs) without being reachable from it: the NAT only translates connections that were initiated from inside.

### 4.1 AWS NAT Gateway

```bash
# 1. Allocate an Elastic IP
aws ec2 allocate-address --domain vpc

# 2. Create the NAT Gateway (in a public subnet: it needs the IGW route itself)
aws ec2 create-nat-gateway \
  --subnet-id subnet-public \
  --allocation-id eipalloc-12345678 \
  --tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=MyNAT}]'

# 3. Add a default route to the private route table
aws ec2 create-route \
  --route-table-id rtb-private \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-12345678

# 4. Associate the private route table with the private subnet
aws ec2 associate-route-table \
  --route-table-id rtb-private \
  --subnet-id subnet-private
```

A NAT gateway is zonal. For availability (and to avoid cross-AZ traffic) deploy one per AZ and point each AZ's private route table at its own NAT gateway.

### 4.2 GCP Cloud NAT

```bash
# 1. Create a Cloud Router (Cloud NAT is configured on a router)
gcloud compute routers create my-router \
  --network=my-vpc \
  --region=asia-northeast3

# 2. Create Cloud NAT for all subnets in the region
gcloud compute routers nats create my-nat \
  --router=my-router \
  --region=asia-northeast3 \
  --auto-allocate-nat-external-ips \
  --nat-all-subnet-ip-ranges
```

Cloud NAT is regional and only serves instances that have no external IP. `--auto-allocate-nat-external-ips` hands out addresses Google chooses; if a partner allow-lists your egress IP, reserve static addresses and use `--nat-external-ip-pool` instead.
## 5. Security Groups / Firewall

### 5.1 AWS Security Groups

Security groups are stateful firewalls attached to the instance's network interface: when an inbound request is allowed, its reply is allowed automatically. Rules are allow-only (there is no deny rule); anything not explicitly allowed is dropped. A new group allows all outbound traffic by default.

```bash
# Create the security group
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Web server security group" \
  --vpc-id vpc-12345678

# Add inbound rules
aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 22 \
  --cidr 203.0.113.0/24   # only the admin network, never 0.0.0.0/0

# Allow traffic from another security group (the DB tier accepts only the web tier)
aws ec2 authorize-security-group-ingress \
  --group-id sg-db \
  --protocol tcp \
  --port 3306 \
  --source-group sg-web

# Inspect rules
aws ec2 describe-security-groups --group-ids sg-12345678
```

Referencing a source security group instead of a CIDR ties the rule to group membership rather than to addresses: autoscaled web instances keep DB access, and nothing else in the same subnet gains it.
### 5.2 GCP Firewall Rules

GCP firewall rules are defined at the VPC level and select their targets by network tag or service account. They are stateful and evaluated by priority (lower number wins, default 1000). A rule with no target applies to every instance in the network.

```bash
# Allow HTTP/HTTPS (tag-based)
gcloud compute firewall-rules create allow-http \
  --network=my-vpc \
  --allow=tcp:80,tcp:443 \
  --target-tags=http-server \
  --source-ranges=0.0.0.0/0

# Allow SSH from a specific network only
gcloud compute firewall-rules create allow-ssh \
  --network=my-vpc \
  --allow=tcp:22 \
  --target-tags=ssh-server \
  --source-ranges=203.0.113.0/24

# Allow internal traffic (limit the source to this VPC's subnets rather than all of 10.0.0.0/8)
gcloud compute firewall-rules create allow-internal \
  --network=my-vpc \
  --allow=tcp,udp,icmp \
  --source-ranges=10.0.1.0/24,10.0.2.0/24

# List rules
gcloud compute firewall-rules list --filter="network:my-vpc"

# Delete a rule
gcloud compute firewall-rules delete allow-http
```

Prefer `--target-service-accounts` over tags for anything sensitive: a network tag can be added by anyone holding `compute.instances.setTags` on the instance, whereas a service account binding is an IAM decision. For SSH, the source range `35.235.240.0/20` (Identity-Aware Proxy TCP forwarding) avoids exposing port 22 to any public network at all.
### 5.3 AWS NACL (Network ACL)

NACLs are stateless firewalls at the subnet level: entries are evaluated in ascending rule-number order, the first match wins, and replies are not tracked, so return traffic needs its own entry in the other direction. A newly created NACL denies everything in both directions until entries are added.

```bash
# Create the NACL
aws ec2 create-network-acl \
  --vpc-id vpc-12345678 \
  --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=MyNACL}]'

# Inbound entry (the rule number sets priority; the lowest matching number wins)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-12345678 \
  --ingress \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=80,To=80 \
  --cidr-block 0.0.0.0/0 \
  --rule-action allow

# An outbound entry is also required (stateless): replies go to the client's ephemeral port
aws ec2 create-network-acl-entry \
  --network-acl-id acl-12345678 \
  --egress \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=1024,To=65535 \
  --cidr-block 0.0.0.0/0 \
  --rule-action allow
```

The NACL takes effect only once it is associated with a subnet (`aws ec2 replace-network-acl-association`); until then the subnet keeps the VPC's default NACL, which allows all traffic. Note also that the egress entry above covers replies to inbound HTTP but not connections the instances open themselves (for example HTTPS to a package repository on port 443); those need their own egress entry.
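To make the stateless behaviour concrete, here is an added example (not from the page) that models how a NACL is evaluated: ordered entries, first match, implicit `*` deny, and no connection tracking. It uses the two entries created above plus two constructed variants that show why rule numbering matters; the rule sets and IP addresses are assumptions.

```python
"""Model of AWS network ACL evaluation: ordered, first match, stateless, implicit deny.

Added example; the rule sets and addresses are constructed. ICMP type/code
matching is not modelled.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class NaclEntry:
    rule_number: int   # evaluated in ascending order; the implicit '*' deny comes last
    egress: bool       # False = inbound entry, True = outbound entry
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str          # source CIDR for ingress, destination CIDR for egress
    action: str        # "allow" or "deny"


def evaluate(entries, egress, protocol, port, remote_ip):
    """Return (action, rule_number) for one packet in one direction.

    `port` is the packet's destination port and `remote_ip` the other end
    (source for ingress, destination for egress). The first matching entry
    wins; no match means the implicit '*' deny. No state is kept between
    calls, which is exactly why replies need their own entry.
    """
    ip = ipaddress.ip_address(remote_ip)
    candidates = sorted((e for e in entries if e.egress == egress), key=lambda e: e.rule_number)
    for e in candidates:
        if e.protocol not in ("-1", protocol):
            continue
        if e.protocol != "-1" and not (e.port_from <= port <= e.port_to):
            continue
        if ip not in ipaddress.ip_network(e.cidr):
            continue
        return e.action, e.rule_number
    return "deny", "*"


def http_exchange_allowed(entries, client_ip, client_port=50000):
    """A web request succeeds only if the request passes the ingress list AND the
    reply (destined to the client's ephemeral port) passes the egress list."""
    request, _ = evaluate(entries, False, "tcp", 80, client_ip)
    reply, _ = evaluate(entries, True, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


# The two entries created on this page.
PAGE_NACL = [
    NaclEntry(100, False, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    NaclEntry(100, True, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]
# A deny for one network numbered after the allow: it is never reached.
BLOCKLIST_TOO_LATE = PAGE_NACL + [NaclEntry(200, False, "tcp", 80, 80, "198.51.100.0/24", "deny")]
# The same deny numbered before the allow: it takes effect.
BLOCKLIST_FIRST = PAGE_NACL + [NaclEntry(50, False, "tcp", 80, 80, "198.51.100.0/24", "deny")]

if __name__ == "__main__":
    print("HTTP with both entries:", http_exchange_allowed(PAGE_NACL, "203.0.113.5"))
    print("HTTP with the ingress entry only:", http_exchange_allowed(PAGE_NACL[:1], "203.0.113.5"))
    print("blocked net, deny numbered 200:", evaluate(BLOCKLIST_TOO_LATE, False, "tcp", 80, "198.51.100.7"))
    print("blocked net, deny numbered 50:", evaluate(BLOCKLIST_FIRST, False, "tcp", 80, "198.51.100.7"))
    print("instance-initiated HTTPS out:", evaluate(PAGE_NACL, True, "tcp", 443, "93.184.216.34"))
```

The last line is the failure mode described above: with only the two page entries, an instance's own outbound HTTPS connection is denied by the implicit `*`, even though inbound HTTP and its replies work.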
## 6. VPC Peering

### 6.1 AWS VPC Peering

```bash
# 1. Request the peering connection
aws ec2 create-vpc-peering-connection \
  --vpc-id vpc-requester \
  --peer-vpc-id vpc-accepter \
  --peer-region ap-northeast-1   # only when the peer VPC is in another region

# 2. Accept the peering connection (from the accepter side)
aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-12345678

# 3. Add routes in both VPCs' route tables
# Requester VPC (10.0.0.0/16) -> accepter (10.1.0.0/16)
aws ec2 create-route \
  --route-table-id rtb-requester \
  --destination-cidr-block 10.1.0.0/16 \
  --vpc-peering-connection-id pcx-12345678

# Accepter VPC (10.1.0.0/16) -> requester (10.0.0.0/16)
aws ec2 create-route \
  --route-table-id rtb-accepter \
  --destination-cidr-block 10.0.0.0/16 \
  --vpc-peering-connection-id pcx-12345678
```

Peering is not transitive (A-B plus B-C does not give A-C), the two CIDRs must not overlap, and routes plus security group rules still have to admit the traffic: peering connects networks, it does not grant access.

### 6.2 GCP VPC Peering

```bash
# 1. Create the peering from the first VPC
gcloud compute networks peerings create peer-vpc1-to-vpc2 \
  --network=vpc1 \
  --peer-network=vpc2

# 2. Create the peering from the second VPC (both sides are required before it becomes ACTIVE)
gcloud compute networks peerings create peer-vpc2-to-vpc1 \
  --network=vpc2 \
  --peer-network=vpc1

# Subnet routes are exchanged automatically; firewall rules are not, so each side still
# needs ingress rules that admit the peer's ranges
```
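The non-overlap requirement in both peering sections, and the "IP range" row in section 1.2, are worth checking before anything is created: AWS rejects a peering request between overlapping CIDRs and GCP never brings such a peering to ACTIVE. The following is an added example, not from the page: it validates a subnet plan against the VPC CIDR with Python's standard `ipaddress` module, subtracts the per-subnet addresses each provider reserves (five on AWS: the first four and the last; four on GCP: the first two and the last two), and checks two VPCs for overlap before peering. The plan data is constructed.

```python
"""Subnet plan checker: containment, overlap and usable-host counts; peering overlap check.

Added example with constructed data; uses only the standard library.
"""
import ipaddress

# Addresses each provider reserves in every subnet (AWS: first four + last; GCP: first two + last two).
RESERVED = {"aws": 5, "gcp": 4}


def check_subnet_plan(vpc_cidr, subnets, cloud="aws"):
    """Return (errors, usable) for a list of (name, cidr) subnets meant to live in vpc_cidr.

    errors: problems found (subnet outside the VPC range, overlapping pairs)
    usable: name -> addresses left for instances after the provider's reserved ones
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [(name, ipaddress.ip_network(cidr, strict=True)) for name, cidr in subnets]
    errors = []
    for name, net in nets:
        if not net.subnet_of(vpc):
            errors.append(f"{name} {net} is not inside VPC {vpc}")
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a_name} {a} overlaps {b_name} {b}")
    usable = {name: max(net.num_addresses - RESERVED[cloud], 0) for name, net in nets}
    return errors, usable


def peering_conflicts(cidrs_a, cidrs_b):
    """Pairs of CIDRs that overlap between two VPCs about to be peered; empty means safe to peer."""
    conflicts = []
    for a in map(ipaddress.ip_network, cidrs_a):
        for b in map(ipaddress.ip_network, cidrs_b):
            if a.overlaps(b):
                conflicts.append((str(a), str(b)))
    return conflicts


if __name__ == "__main__":
    # Constructed plan mirroring the page's 3-tier layout, plus one subnet that wrongly
    # carves into the app tier.
    plan = [
        ("public-1", "10.0.1.0/24"), ("public-2", "10.0.2.0/24"),
        ("app-1", "10.0.10.0/24"), ("app-2", "10.0.11.0/24"),
        ("db-1", "10.0.20.0/24"), ("db-2", "10.0.21.0/24"),
        ("oops", "10.0.10.128/25"),
    ]
    errors, usable = check_subnet_plan("10.0.0.0/16", plan)
    for err in errors:
        print("ERROR:", err)
    print("usable addresses per subnet:", usable)
    # The page's requester (10.0.0.0/16) and accepter (10.1.0.0/16) VPCs do not overlap.
    print("peering conflicts:", peering_conflicts(["10.0.0.0/16"], ["10.1.0.0/16"]))
```

`strict=True` makes `ipaddress` reject a CIDR whose host bits are set (for example `10.0.1.5/24`), which is the same validation the cloud APIs apply, so the plan fails here rather than at creation time.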
## 7. Private Endpoints

Access AWS/GCP services from the VPC without traversing the internet: traffic stays on the provider's network, instances need neither a public IP nor NAT to reach the service, and (on AWS) an endpoint policy can restrict which buckets or resources are reachable through it.

### 7.1 AWS VPC Endpoints

Gateway Endpoint (S3 and DynamoDB only; installs a prefix-list route in the given route tables):

```bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345678 \
  --service-name com.amazonaws.ap-northeast-2.s3 \
  --route-table-ids rtb-12345678
```

Interface Endpoint (all other services; an ENI with a private IP in your subnet):

```bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345678 \
  --service-name com.amazonaws.ap-northeast-2.secretsmanager \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-12345678 \
  --security-group-ids sg-12345678 \
  --private-dns-enabled   # the service's public hostname then resolves to the endpoint's private IP
```

The security group on an interface endpoint must allow inbound TCP 443 from the clients (for example the VPC CIDR); without that rule the endpoint exists but every API call times out.
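Route selection is what lets the endpoint, NAT and peering routes coexist in one table: the most specific destination wins. The following added example (not from the page) resolves destinations against a private route table assembled from the routes created in sections 3 to 7. `S3_PREFIXES` is a constructed stand-in for the S3 managed prefix list the gateway endpoint installs (real prefixes differ per region); the route targets reuse the page's placeholder IDs. It shows that, with the endpoint in place, S3 traffic never reaches the NAT gateway.

```python
"""Longest-prefix-match route resolution for the private route table built on this page.

Added example; S3_PREFIXES is a constructed stand-in for the S3 managed prefix
list a gateway endpoint installs (real prefixes differ per region).
"""
import ipaddress

S3_PREFIXES = ["52.219.60.0/23", "3.5.140.0/22"]   # constructed, not this region's real S3 ranges


def build_private_route_table(with_endpoint=True):
    """Routes as (destination CIDR, target), mirroring sections 3 to 7."""
    routes = [
        ("10.0.0.0/16", "local"),           # the VPC CIDR; AWS adds this route itself
        ("10.1.0.0/16", "pcx-12345678"),    # peering route from section 6.1
        ("0.0.0.0/0", "nat-12345678"),      # default route to the NAT gateway (section 4.1)
    ]
    if with_endpoint:
        # A gateway endpoint adds one route per prefix in the service's prefix list.
        routes += [(prefix, "vpce-s3-gateway") for prefix in S3_PREFIXES]
    return routes


def resolve(routes, dst_ip):
    """Target for dst_ip: among matching routes the longest prefix wins, which is how
    AWS route tables (and GCP routes) choose between overlapping destinations."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for dst, target in routes:
        net = ipaddress.ip_network(dst)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def leaves_via_internet(routes, dst_ip):
    """True when the packet exits through the IGW or a NAT gateway, i.e. touches the public internet."""
    target = resolve(routes, dst_ip)
    return target is not None and target.startswith(("igw-", "nat-"))


if __name__ == "__main__":
    table = build_private_route_table()
    for ip in ("10.0.10.5", "10.1.3.4", "52.219.61.9", "93.184.216.34"):
        print(f"{ip:>15} -> {resolve(table, ip):16} internet={leaves_via_internet(table, ip)}")
    # Without the endpoint the same S3 address falls through to the default route.
    print("S3 without endpoint ->", resolve(build_private_route_table(with_endpoint=False), "52.219.61.9"))
```

The same logic explains a common surprise: a `/32` route added for a single host always beats the `/16` peering route and the `/0` default, regardless of the order the routes were created in.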
### 7.2 GCP Private Service Connect

```bash
# Enable Private Google Access (instances with only internal IPs reach Google APIs over the default route)
gcloud compute networks subnets update subnet-asia \
  --region=asia-northeast3 \
  --enable-private-ip-google-access

# Reserve an address for a Private Service Connect endpoint
gcloud compute addresses create psc-endpoint \
  --region=asia-northeast3 \
  --subnet=subnet-asia \
  --purpose=PRIVATE_SERVICE_CONNECT
# The address alone is not an endpoint: a forwarding rule that uses it and targets either a
# producer's service attachment (--target-service-attachment) or the Google APIs bundle
# (--target-google-apis-bundle) completes the endpoint.
```

Private Google Access and Private Service Connect solve different problems: the former keeps traffic to Google's public API addresses on Google's network, the latter gives you a private IP of your own for a Google API bundle or a third-party service, which you can then pin in DNS and firewall rules.
## 8. Common VPC Architectures

### 8.1 3-tier architecture

```
+--------------------------------------------------------------+
| VPC (10.0.0.0/16)                                            |
|                                                              |
|  +--------------------------------------------------------+  |
|  | Public Subnets (10.0.1.0/24, 10.0.2.0/24)              |  |
|  |   +-------------+        +-------------+               |  |
|  |   |    ALB      |        |   Bastion   |               |  |
|  |   +-------------+        +-------------+               |  |
|  +--------------------------------------------------------+  |
|                            |                                 |
|  +--------------------------------------------------------+  |
|  | Private Subnets - App (10.0.10.0/24, 10.0.11.0/24)     |  |
|  |   +-------------+        +-------------+               |  |
|  |   |   App-1     |        |   App-2     |               |  |
|  |   +-------------+        +-------------+               |  |
|  +--------------------------------------------------------+  |
|                            |                                 |
|  +--------------------------------------------------------+  |
|  | Private Subnets - DB (10.0.20.0/24, 10.0.21.0/24)      |  |
|  |   +-------------+        +-------------+               |  |
|  |   | DB Primary  |        | DB Standby  |               |  |
|  |   +-------------+        +-------------+               |  |
|  +--------------------------------------------------------+  |
|                                                              |
|  +--------------+          +--------------+                  |
|  |     IGW      |          |    NAT GW    |                  |
|  +--------------+          +--------------+                  |
+--------------------------------------------------------------+
```

Each tier accepts traffic only from the tier above it (ALB to app, app to DB) through security group references, and the DB subnets get no route to the NAT gateway unless they genuinely need outbound access.
### 8.2 AWS VPC example (Terraform)

```hcl
data "aws_availability_zones" "available" {}
# VPC
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  tags = { Name = "main-vpc" }
}
# Public Subnets
resource "aws_subnet" "public" {
  count                   = 2
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.${count.index + 1}.0/24"
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
  tags = { Name = "public-${count.index + 1}" }
}
# Private Subnets (no public IPs at launch)
resource "aws_subnet" "private" {
  count             = 2
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.${count.index + 10}.0/24"
  availability_zone = data.aws_availability_zones.available.names[count.index]
  tags = { Name = "private-${count.index + 1}" }
}
# Internet Gateway
resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id
}
# Elastic IP for the NAT Gateway
resource "aws_eip" "nat" {
  domain = "vpc"
}
# NAT Gateway (in a public subnet; zonal, so add one per AZ for HA)
resource "aws_nat_gateway" "main" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id
  depends_on    = [aws_internet_gateway.main]
}
# Public route table: default route to the IGW
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }
}
resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}
# Private route table: default route to the NAT Gateway
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.main.id
  }
}
resource "aws_route_table_association" "private" {
  count          = 2
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}
```
## 9. Troubleshooting

### 9.1 Connectivity checklist

- [ ] Security group inbound rules (and outbound rules, if the default allow-all was tightened)
- [ ] NACL entries in both directions, including the ephemeral port range (AWS)
- [ ] Firewall rules, their priorities, and whether the target tag / service account is actually on the instance (GCP)
- [ ] Route table: is there a route for the destination, and is the subnet associated with the table you think it is?
- [ ] Internet gateway attached to the VPC
- [ ] NAT gateway state (`available`) and placed in a public subnet
- [ ] Does the instance have a public IP (AWS) / external IP (GCP), or is it meant to go through NAT?
- [ ] VPC peering: routes present on both sides and the connection active
### 9.2 Debugging commands

AWS:

```bash
# Enable VPC Flow Logs to CloudWatch Logs (ROLE_ARN is a placeholder: an IAM role the
# flow logs service assumes to write to the log group; required for this destination type)
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345678 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name vpc-flow-logs \
  --deliver-logs-permission-arn ROLE_ARN

# Reachability Analyzer: define the path, then run an analysis on it
aws ec2 create-network-insights-path \
  --source i-source \
  --destination i-destination \
  --destination-port 80 \
  --protocol tcp

aws ec2 start-network-insights-analysis \
  --network-insights-path-id nip-12345678   # the NetworkInsightsPathId returned above
```

GCP:

```bash
# Enable VPC Flow Logs on a subnet
gcloud compute networks subnets update subnet-asia \
  --region=asia-northeast3 \
  --enable-flow-logs

# Connectivity Tests (PROJECT and ZONE are placeholders)
gcloud network-management connectivity-tests create my-test \
  --source-instance=projects/PROJECT/zones/ZONE/instances/source \
  --destination-instance=projects/PROJECT/zones/ZONE/instances/dest \
  --destination-port=80 \
  --protocol=TCP
```

Flow logs record whether packets were ACCEPTed or REJECTed at the interface, but the default format does not say which layer (security group or NACL) rejected them. Reachability Analyzer and Connectivity Tests evaluate the configuration statically and name the blocking component, so use them first for "why can't A reach B" and flow logs for "what is actually hitting this interface".
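Flow logs are only useful once you can triage them. The following added example, not from the page, parses the default AWS VPC Flow Log format (version 2, 14 space-separated fields), skips NODATA/SKIPDATA records, and summarises rejected flows by port, sources that probed several ports, and accepted inbound flows from outside the VPC. The log lines are constructed; the VPC CIDR, account ID and interface IDs are assumptions.

```python
"""Triage AWS VPC Flow Log records in the default (version 2) format.

Added example. The log lines below are constructed; the VPC CIDR, account and
interface IDs are assumptions.
"""
from collections import Counter, defaultdict
import ipaddress

# Default flow log format: 14 space-separated fields.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51236 3306 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51237 443 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 40001 80 6 12 8800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 40002 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0d4e5f6a 10.0.10.5 10.0.20.7 38000 5432 6 15 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0d4e5f6a - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return a list of dict records; NODATA/SKIPDATA lines carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record (custom format, header, blank line)
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_by_port(records):
    """Counter of destination ports that were REJECTed (by a security group or a NACL)."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


def port_scanners(records, min_ports=3):
    """Sources rejected on at least min_ports distinct destination ports: probing, not a misconfiguration."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


def accepted_from_outside(records, vpc_cidr="10.0.0.0/16"):
    """(source, dst port) pairs accepted from outside the VPC: what the rules actually let in."""
    vpc = ipaddress.ip_network(vpc_cidr)
    pairs = {(r["srcaddr"], r["dstport"]) for r in records
             if r["action"] == "ACCEPT" and ipaddress.ip_address(r["srcaddr"]) not in vpc}
    return sorted(pairs)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("rejected by port:", dict(rejected_by_port(recs)))
    print("sources probing several ports:", port_scanners(recs))
    print("accepted from outside the VPC:", accepted_from_outside(recs))
```

Each record is an aggregate over the capture window, not a packet, so counts here are flows. A REJECT from an address inside the VPC (rather than from the internet) is usually the interesting case: it points at a security group or NACL gap between tiers rather than at background scanning.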
## 10. Next steps

- 10_Load_Balancing_CDN.md - Load balancing
- 14_Security_Services.md - Security services

## References

- AWS VPC Documentation
- GCP VPC Documentation
- AWS VPC Best Practices
- Networking/ - Networking fundamentals