AWS VPC Infrastructure Integrated Configuration - May 2025
- 1 Disclaimer
- 2 VPC
- 3 Subnets
- 4 RDS Subnet groups
- 5 ElastiCache Subnet groups
- 6 Internet gateways
- 7 NAT gateways
- 8 Route tables
- 9 Security Group
- 10 Identity and Access Management (IAM)
- 11 EC2 Instance
- 12 RDS Instance
- 12.1 MySQL
- 12.2 Aurora MySQL
- 13 Amazon ElastiCache
- 14 Application load balancer
- 15 Network load balancer
- 16 S3 (Optional)
- 16.1 S3 Bucket Creation
- 17 Gateway VPC Endpoint (Optional)
Disclaimer
This document illustrates how to build the Reference Architecture from scratch as an independent environment, including the High Availability settings. The configuration presented here (how the VPC is created, how the Security Groups are defined, and so on) is offered for reference only.
In a real installation it is more likely appropriate to install QueryPie into existing VPCs and Subnets rather than to create new ones.
Configure the system according to the characteristics of your actual environment.
VPC
A VPC is a logically isolated virtual network.
A VPC is scoped to one region (e.g. ap-northeast-2) and can span multiple AZs within that region.
The AZ is not chosen on the VPC itself; it is chosen per Subnet when the Subnets are created.
Creation path: VPC dashboard → Virtual private cloud → Your VPCs → Create VPC
VPC Settings
Resources to create: VPC only
Name tag: an identifiable name for the VPC
IPv4 CIDR block: IPv4 CIDR manual input
IPv4 CIDR: the IP block to assign to the VPC (for example a /16; choose a range that does not overlap any network you may later peer or connect via VPN)
IPv6 CIDR block: No IPv6 CIDR block
Tenancy: Default
Click Create VPC
When the VPC is created, a main route table is created automatically (together with a default Network ACL and a default Security Group).
Subnets
Subnets are created inside the VPC, each in a single AZ, with a CIDR range carved out of the VPC CIDR.
Whether a subnet is Private or Public is decided by its route table, not by the subnet itself: a subnet whose route table has a route to an Internet gateway is Public; one without such a route is Private.
Creation path: VPC dashboard → Virtual private cloud → Subnets → Create subnet
VPC
VPC ID: select the VPC in which to create the Subnets
Subnet settings
Subnet name: an identifiable name for the Subnet
Availability Zone: select an AZ in the region
IPv4 VPC CIDR block: if the VPC has more than one CIDR block, select the block to carve the Subnet from
IPv4 subnet CIDR block: the IP block to assign to the Subnet (a sub-range of the VPC CIDR that does not overlap any other subnet)
Click Add new subnet at the bottom to define as many Subnets as needed.
When the definitions are complete, click Create subnet.
Create a Private subnet and a Public subnet in each AZ you intend to use (at least two AZs for High Availability).
A newly created Subnet is automatically associated with the VPC's default Network ACL,
and with the main route table.
RDS Subnet groups
Create the Subnet group in which the Amazon RDS instance will be placed.
A Subnet group selects, from the Private subnets created earlier, the subnets in which RDS is allowed to place its instances.
If RDS is deployed as a Multi-AZ DB cluster, the group must contain three subnets in three different AZs.
Creation path: Amazon RDS → Subnet groups → Create DB subnet group
Subnet group details
Name: an identifiable name for the Subnet group
Description: a short description of its purpose
VPC: select the VPC created above
Add subnets
Availability Zones: select the AZs that contain the Private subnets
Subnets: select two or more Private subnets (three or more for a Multi-AZ DB cluster); never include a Public subnet
Click Create
ElastiCache Subnet groups
Creation path: Amazon ElastiCache → Configurations → Subnet groups → Create subnet group
Create the Subnet group in which the Amazon ElastiCache cluster will be placed.
A Subnet group selects, from the Private subnets created earlier, the subnets in which ElastiCache is allowed to place its nodes.
Subnet group settings
Name: an identifiable name for the Subnet group
VPC ID: select the VPC created above
Selected subnets: select two or more Private subnets
Click Create
Internet gateways
Create an Internet gateway and attach it to the VPC so that the Public Subnets can communicate bidirectionally with the internet.
Create the Internet gateway
Creation path: VPC dashboard → Virtual private cloud → Internet gateways → Create internet gateway
Internet gateway settings
Name: an identifiable name for the igw
Click Create internet gateway
Attach the Internet gateway to the VPC
Attach path: VPC dashboard → Virtual private cloud → Internet gateways → select the igw just created → Actions → Attach to VPC
VPC
Available VPCs: select the VPC created above
Click Attach internet gateway
NAT gateways
Create a NAT gateway so that instances in the Private Subnets can initiate outbound connections to the internet (for example to fetch updates) while remaining unreachable from it.
A NAT gateway is placed in a Public Subnet and is a single-AZ resource. For High Availability, create one per Public Subnet (one per AZ) so that the loss of one AZ does not cut off egress for the others.
Creation path: VPC dashboard → Virtual private cloud → NAT gateways → Create NAT gateway
NAT gateway settings
Name: an identifiable name for the NAT gateway
Subnet: the Public Subnet in the same AZ as the Private Subnet whose EC2 instances will use this gateway
Connectivity type: Public
Elastic IP allocation ID: click Allocate Elastic IP (an Elastic IP that is allocated but not associated with a running resource incurs a separate charge)
Additional settings: N/A
Click Create NAT gateway
Route tables
Manage the Route tables of the Subnets.
Instead of relying on the main route table, create a Route table for each subnet purpose and associate the Subnets with it explicitly.
Create the Public route table and the Private route table
Creation path: VPC dashboard → Virtual private cloud → Route tables → Create route table
Route table settings
Name: an identifiable name for the Route table
VPC: the VPC in which to create the Route table
Click Create route table
Create one Route table for the Public subnets and one for the Private subnets. If you created one NAT gateway per AZ, create one Private route table per AZ so that each Private subnet routes to the NAT gateway in its own AZ.
Route table μ Subnet ν λΉ
Associate Subnets with the newly created Route tables.
Associate the Private subnets with the Private route table and the Public subnets with the Public route table.
Association path: VPC dashboard → Virtual private cloud → Route tables → select the route table just created → Actions → Edit subnet associations
Available subnets
Available subnets: select the Subnets to associate with this Route table
Click Save associations
Add the default route to the Internet gateway on the Public Route table
So that the Public Route table can reach the internet, add a default route (0.0.0.0/0) whose target is the Internet gateway. This route is what makes the associated subnets Public.
Route path: VPC dashboard → Virtual private cloud → Route tables → select the route table just created → Actions → Edit routes
Click Add route
Destination: 0.0.0.0/0
Target: Internet Gateway → select the igw created above
Click Save changes
Add the default route to the NAT gateway on the Private Route table
So that instances in the Private subnets can perform updates and other outbound calls, add a default route whose target is the NAT gateway. Because this table has no route to the Internet gateway, the associated subnets stay Private.
Route path: VPC dashboard → Virtual private cloud → Route tables → select the route table just created → Actions → Edit routes
Click Add route
Destination: 0.0.0.0/0
Target: NAT Gateway → select the NAT gateway created above (the one in the same AZ as the subnets associated with this table)
Click Save changes
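The VPC, Subnet, Subnet group, Internet gateway, NAT gateway and Route table steps above, expressed as Terraform (HashiCorp AWS provider v5) so that the layout can be reviewed and reproduced. This is an added example, not code from the original page or from QueryPie; the region, AZs, CIDR ranges and `Name` tags are assumptions. It follows the page's High Availability advice of one NAT gateway per AZ and therefore declares one Private route table per AZ, so each Private subnet egresses through the NAT gateway in its own AZ.

```hcl
terraform {
  required_providers { aws = { source = "hashicorp/aws", version = ">= 5.0" } }
}

provider "aws" {
  region = "ap-northeast-2" # assumed region, matching the page's example
}

locals {
  # Two AZs for High Availability. A Multi-AZ DB cluster would need three.
  azs = ["ap-northeast-2a", "ap-northeast-2c"]
}

# VPC: one region, spanning the AZs above. The main route table is created implicitly.
resource "aws_vpc" "querypie" {
  cidr_block           = "10.0.0.0/16" # assumed CIDR; must not overlap peered/VPN networks
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "querypie-vpc" }
}

# One Public and one Private subnet per AZ, carved from the VPC CIDR with cidrsubnet().
resource "aws_subnet" "public" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.querypie.id
  availability_zone = local.azs[count.index]
  cidr_block        = cidrsubnet(aws_vpc.querypie.cidr_block, 8, count.index) # 10.0.0.0/24, 10.0.1.0/24
  tags              = { Name = "querypie-public-${local.azs[count.index]}" }
}

resource "aws_subnet" "private" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.querypie.id
  availability_zone = local.azs[count.index]
  cidr_block        = cidrsubnet(aws_vpc.querypie.cidr_block, 8, 10 + count.index) # 10.0.10.0/24, 10.0.11.0/24
  tags              = { Name = "querypie-private-${local.azs[count.index]}" }
}

# Internet gateway, attached to the VPC.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.querypie.id
  tags   = { Name = "querypie-igw" }
}

# One Elastic IP and one NAT gateway per AZ, each placed in that AZ's Public subnet.
resource "aws_eip" "nat" {
  count  = length(local.azs)
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  count             = length(local.azs)
  subnet_id         = aws_subnet.public[count.index].id
  allocation_id     = aws_eip.nat[count.index].id
  connectivity_type = "public"
  depends_on        = [aws_internet_gateway.igw]
}

# Public route table: default route to the IGW. This route is what makes the subnets Public.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.querypie.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# Private route tables: one per AZ, default route to that AZ's NAT gateway, no route to the IGW.
resource "aws_route_table" "private" {
  count  = length(local.azs)
  vpc_id = aws_vpc.querypie.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat[count.index].id
  }
}

resource "aws_route_table_association" "private" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private[count.index].id
}

# Subnet groups for RDS and ElastiCache, built from the Private subnets only.
resource "aws_db_subnet_group" "querypie" {
  name       = "querypie-rds"
  subnet_ids = aws_subnet.private[*].id
}

resource "aws_elasticache_subnet_group" "querypie" {
  name       = "querypie-redis"
  subnet_ids = aws_subnet.private[*].id
}
```

Two properties worth checking in the `terraform plan` output: no Private route table contains a route whose target is the Internet gateway (that absence is what keeps the subnets Private), and both subnet groups reference only `aws_subnet.private`, so RDS and ElastiCache can never be placed in a Public subnet.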
Security Group
Creation path: VPC dashboard → Security → Security groups → Create security group
Basic details
Security group name: an identifiable name for the Security group
Description: a short description of its purpose
VPC: the VPC in which to create the Security group
Inbound rules
Click Add rule to add the Inbound rules. A Security group with no inbound rules denies all inbound traffic. Take the rule definitions from the per-instance-type details below.
Outbound rules
The default outbound rule allows all traffic, so in general no separate outbound configuration is required. If you want to restrict egress, replace the default rule with the Outbound rules listed below for each instance type.
Click Create security group
Application load balancer
Inbound

| Type | Protocol | Port range | Source | Description |
|---|---|---|---|---|
| HTTPS | TCP | 443 | User access CIDR range | User access to the QueryPie web UI |
| HTTP | TCP | 80 | User access CIDR range | (Optional) User access to the QueryPie web UI |
| HTTPS | TCP | 443 | Windows Server CIDR range | Windows Server Agent health check, API calls |
| HTTP | TCP | 80 | Windows Server CIDR range | (Optional) Windows Server Agent health check, API calls |

Outbound

| Type | Protocol | Port range | Destination | Description |
|---|---|---|---|---|
| HTTP | TCP | 80 | QueryPie EC2 instances | Target Group health check |
Network load balancer
Inbound

| Type | Protocol | Port range | Source | Description |
|---|---|---|---|---|
| Custom TCP | TCP | 9000 | User access CIDR range | (DAC, SAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 6443 | User access CIDR range | (KAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 7447 | User access CIDR range | (WAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 40000-40100 | User access CIDR range | (DAC only) Accessing QueryPie Agent Proxy for SaaS |

Outbound

| Type | Protocol | Port range | Destination | Description |
|---|---|---|---|---|
| HTTP | TCP | 80 | QueryPie EC2 instances | Target Group health check |
| Custom TCP | TCP | 9000 | QueryPie EC2 instances | (DAC, SAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 6443 | QueryPie EC2 instances | (KAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 7447 | QueryPie EC2 instances | (WAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 40000-40100 | QueryPie EC2 instances | (DAC only) Accessing QueryPie Agent Proxy for SaaS |
QueryPie EC2 instances
Inbound

| Type | Protocol | Port range | Source | Description |
|---|---|---|---|---|
| SSH | TCP | 22 | Bastion hosts | (Optional) EC2 administration |
| HTTP | TCP | 80 | Application Load Balancer | QueryPie web access / load balancer health check |
| HTTP | TCP | 80 | Network Load Balancer | Load balancer health check |
| Custom TCP | TCP | 9000 | Network Load Balancer | (DAC, SAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 6443 | Network Load Balancer | (KAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 7447 | Network Load Balancer | (WAC) Accessing QueryPie Agent Proxy for General Users |
| Custom TCP | TCP | 40000-40100 | Network Load Balancer | (DAC only) Accessing QueryPie Agent Proxy for SaaS |

Outbound

| Type | Protocol | Port range | Destination | Description |
|---|---|---|---|---|
| HTTPS | TCP | 443 | 0.0.0.0/0 | External communications (e.g. Okta, Slack, WAC external domains) |
| HTTP | TCP | 80 | 0.0.0.0/0 | External communications (e.g. WAC external domains) |
| MySQL/Aurora | TCP | 3306 | RDS | QueryPie MySQL |
| Custom TCP | TCP | 6379 | ElastiCache | QueryPie Redis |
(Optional) Bastion host instances
Inbound

| Type | Protocol | Port range | Source | Description |
|---|---|---|---|---|
| SSH | TCP | 22 | User access CIDR range | Administration of the EC2 instances in the Private Subnets |

Outbound

| Type | Protocol | Port range | Destination | Description |
|---|---|---|---|---|
| All traffic | ALL | ALL | 0.0.0.0/0 | |
RDS
Inbound

| Type | Protocol | Port range | Source | Description |
|---|---|---|---|---|
| MySQL/Aurora | TCP | 3306 | QueryPie EC2 instances | QueryPie database |

Outbound: N/A
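The Security group rule sets above, expressed as Terraform (HashiCorp AWS provider v5) as an added example; this is not code from the original page or from QueryPie. It assumes a `vpc_id` input and a single user CIDR (`203.0.113.0/24`, a TEST-NET-3 placeholder). Every group-to-group edge is declared once in `local.links` and expands into one egress rule on the source group and one ingress rule on the destination, so the EC2 group only ever accepts traffic from the load balancer groups (never from a CIDR), and the RDS and ElastiCache groups only from the EC2 group. The optional bastion group is omitted.

```hcl
variable "vpc_id" { type = string } # the VPC built earlier on this page

variable "user_cidr" {
  type    = string
  default = "203.0.113.0/24" # assumed office/user range (TEST-NET-3 placeholder); never 0.0.0.0/0
}

locals {
  # Group-to-group edges from the tables: [from_port, to_port] over TCP.
  links = {
    alb_to_ec2_http  = { from = "alb", to = "ec2",   port = [80, 80] }
    nlb_to_ec2_hc    = { from = "nlb", to = "ec2",   port = [80, 80] }
    nlb_to_ec2_dac   = { from = "nlb", to = "ec2",   port = [9000, 9000] }
    nlb_to_ec2_kac   = { from = "nlb", to = "ec2",   port = [6443, 6443] }
    nlb_to_ec2_wac   = { from = "nlb", to = "ec2",   port = [7447, 7447] }
    nlb_to_ec2_saas  = { from = "nlb", to = "ec2",   port = [40000, 40100] }
    ec2_to_rds_mysql = { from = "ec2", to = "rds",   port = [3306, 3306] }
    ec2_to_redis     = { from = "ec2", to = "redis", port = [6379, 6379] }
  }
  # Internet-facing edges: users to the ALB (HTTPS) and to the NLB agent-proxy ports.
  user_ports = {
    alb_https    = { sg = "alb", port = [443, 443] }
    nlb_dac_sac  = { sg = "nlb", port = [9000, 9000] }
    nlb_kac      = { sg = "nlb", port = [6443, 6443] }
    nlb_wac      = { sg = "nlb", port = [7447, 7447] }
    nlb_dac_saas = { sg = "nlb", port = [40000, 40100] }
  }
}

# Empty groups first. Rules are separate resources, so groups can reference each other
# without a dependency cycle. Terraform also removes the console's default allow-all egress
# rule from groups it creates, so the egress below is the complete egress policy.
resource "aws_security_group" "sg" {
  for_each = toset(["alb", "nlb", "ec2", "rds", "redis"])
  name     = "querypie-${each.key}"
  vpc_id   = var.vpc_id
}

# Each link becomes an egress rule on the source group ...
resource "aws_vpc_security_group_egress_rule" "link_out" {
  for_each                     = local.links
  security_group_id            = aws_security_group.sg[each.value.from].id
  referenced_security_group_id = aws_security_group.sg[each.value.to].id
  from_port                    = each.value.port[0]
  to_port                      = each.value.port[1]
  ip_protocol                  = "tcp"
  description                  = each.key
}

# ... and a matching ingress rule on the destination group, keyed on the source group, not a CIDR.
resource "aws_vpc_security_group_ingress_rule" "link_in" {
  for_each                     = local.links
  security_group_id            = aws_security_group.sg[each.value.to].id
  referenced_security_group_id = aws_security_group.sg[each.value.from].id
  from_port                    = each.value.port[0]
  to_port                      = each.value.port[1]
  ip_protocol                  = "tcp"
  description                  = each.key
}

# User-facing ingress on the load balancer groups, restricted to the user CIDR.
resource "aws_vpc_security_group_ingress_rule" "from_users" {
  for_each          = local.user_ports
  security_group_id = aws_security_group.sg[each.value.sg].id
  cidr_ipv4         = var.user_cidr
  from_port         = each.value.port[0]
  to_port           = each.value.port[1]
  ip_protocol       = "tcp"
  description       = each.key
}

# The only egress from EC2 to the internet: HTTPS for external integrations (e.g. Okta, Slack).
resource "aws_vpc_security_group_egress_rule" "ec2_https_out" {
  security_group_id = aws_security_group.sg["ec2"].id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
  description       = "External communications"
}
```

The RDS and Redis groups end up with a single ingress rule each and no egress rule at all, matching the "Outbound: N/A" entry above. One operational caveat: a Security group can be attached to a Network Load Balancer only when the NLB is created, so create `querypie-nlb` before the load balancer itself.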