
by Master Seo Jan 06. 2024

네이버 17탄-2.테라폼-네트워크2

<1> 아키텍처 구성 이해하기 (이론)

<2>  pub1, pri1, server1,natgw 생성되는 코드

<3> pub1, pri1,natgw 생성되는 코드

<4> 이름 game 으로 변경하기

<5> 서비스용 IP 블럭으로 변경하기

<6> cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0) 설정하기

<7> 데이터 센터 이중화를 위한 서브넷과 라우팅테이블

<8> NACL , ASG 는 별도로 추가 작업해야 한다.




<1> 아키텍처 구성 이해하기 (이론)


https://www.ncloud.com/intro/architecture




<2> pub1, pri1, server1,natgw 생성되는 코드


cd /root/terraform-provider-ncloud-main/examples/vpc/scenario02



tf파일 4개

ls

main.tf  security.tf  variables.tf  versions.tf



생성되는 리소스

vpc

pub1

pri1

server1

natgw


more *.tf


[root@sssssss scenario02]# more *.tf

::::::::::::::

main.tf

::::::::::::::

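# VPC > User scenario > Scenario 2. Public and Private Subnet
# https://docs.ncloud.com/ko/networking/vpc/vpc_userscenario2.html
#
# What this file builds (everything in zone KR-2):
#   ncloud_vpc.vpc_scn_02          10.0.0.0/16
#   subnet_scn_02_public           10.0.0.0/24  PUBLIC   -> server_scn_02_public (+ public IP)
#   subnet_scn_02_private          10.0.1.0/24  PRIVATE  -> server_scn_02_private
#   subnet_scn_02_public_natgw     10.0.2.0/24  PUBLIC   -> nat_gateway_scn_02
#   route 0.0.0.0/0 -> NAT GW on the VPC's default private route table
# NACL rules live in security.tf; ACG rules are optional (commented out at the end).

provider "ncloud" {
  support_vpc = true
  region      = "KR"
  # Credentials are read from variables. Give them no default in variables.tf;
  # pass them as TF_VAR_access_key / TF_VAR_secret_key or through the
  # provider's NCLOUD_ACCESS_KEY / NCLOUD_SECRET_KEY environment variables so
  # they never end up in a committed .tf file.
  access_key  = var.access_key
  secret_key  = var.secret_key
}

# Login key used to recover the servers' initial root password (data source
# near the bottom). Its private key is an attribute of this resource, so it is
# written to terraform.tfstate — protect the state file like a secret.
resource "ncloud_login_key" "key_scn_02" {
  key_name = var.name_scn02
}

# VPC
resource "ncloud_vpc" "vpc_scn_02" {
  name            = var.name_scn02
  ipv4_cidr_block = "10.0.0.0/16"
}

# Subnet
# cidrsubnet(<vpc cidr>, 8, n) carves /24 number n out of the /16.
resource "ncloud_subnet" "subnet_scn_02_public" {
  name           = "${var.name_scn02}-public"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 0)
  // "10.0.0.0/24"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  // PUBLIC(Public)
}

resource "ncloud_subnet" "subnet_scn_02_private" {
  name           = "${var.name_scn02}-private"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 1)
  // "10.0.1.0/24"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet_type    = "PRIVATE"
  // PRIVATE(Private)
}

# Dedicated NAT gateway subnet. It is named like its siblings so it can be
# told apart in the console (the original left `name` unset).
resource "ncloud_subnet" "subnet_scn_02_public_natgw" {
  name           = "${var.name_scn02}-natgw"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 2)
  // "10.0.2.0/24"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  usage_type     = "NATGW"
}

# Network ACL
# Two ACLs, one per subnet role; their rules are defined in security.tf.
resource "ncloud_network_acl" "network_acl_02_public" {
  vpc_no = ncloud_vpc.vpc_scn_02.id
  name   = "${var.name_scn02}-public"
}

resource "ncloud_network_acl" "network_acl_02_private" {
  vpc_no = ncloud_vpc.vpc_scn_02.id
  name   = "${var.name_scn02}-private"
}

# Server
# Both servers share one image code. The "CNTOS.0703" segment suggests a
# CentOS 7.3 image — confirm it is still supported and patched before reuse.
# server_product_code is left to the provider default; uncomment to pin a spec.
resource "ncloud_server" "server_scn_02_public" {
  subnet_no                 = ncloud_subnet.subnet_scn_02_public.id
  name                      = "${var.name_scn02}-public"
  server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"
  login_key_name            = ncloud_login_key.key_scn_02.key_name
  //server_product_code       = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}

resource "ncloud_server" "server_scn_02_private" {
  subnet_no                 = ncloud_subnet.subnet_scn_02_private.id
  name                      = "${var.name_scn02}-private"
  server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"
  login_key_name            = ncloud_login_key.key_scn_02.key_name
  //server_product_code       = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}

# Public IP
# Only the public server is reachable from the internet; what reaches it is
# governed by the public NACL (80/443 from anywhere, 22/3389 from client_ip).
resource "ncloud_public_ip" "public_ip_scn_02" {
  server_instance_no = ncloud_server.server_scn_02_public.id
  description        = "for ${var.name_scn02}"
}

# NAT Gateway
# Egress path for the private subnet; it sits in the NATGW-usage subnet above.
resource "ncloud_nat_gateway" "nat_gateway_scn_02" {
  vpc_no    = ncloud_vpc.vpc_scn_02.id
  subnet_no = ncloud_subnet.subnet_scn_02_public_natgw.id
  zone      = "KR-2"
  name      = var.name_scn02
}

# Route Table
# Default route of the VPC's default private route table -> NAT gateway.
# Every subnet on that table (here: the private subnet) gets internet egress.
resource "ncloud_route" "route_scn_02_nat" {
  route_table_no         = ncloud_vpc.vpc_scn_02.default_private_route_table_no
  destination_cidr_block = "0.0.0.0/0"
  target_type            = "NATGW"
  // NATGW (NAT Gateway) | VPCPEERING (VPC Peering) | VGW (Virtual Private Gateway).
  target_name            = ncloud_nat_gateway.nat_gateway_scn_02.name
  target_no              = ncloud_nat_gateway.nat_gateway_scn_02.id
}

# Decrypts the public server's initial root password with the login key.
# The clear-text password becomes part of the state file (see key note above).
data "ncloud_root_password" "scn_02_root_password" {
  server_instance_no = ncloud_server.server_scn_02_public.id
  private_key        = ncloud_login_key.key_scn_02.private_key
}

# Smoke test: SSH to the public server once and run `ls -al`.
# Things to know before using this pattern outside a demo:
#  - it authenticates as root with the password from the data source above;
#  - no `host_key` is set on the connection, so the server's host key is not
#    verified on first contact;
#  - NACL rule 3 in security.tf admits port 22 only from var.client_ip/32, so
#    terraform must run from that address for the provisioner to connect.
resource "null_resource" "ls-al" {
  connection {
    type     = "ssh"
    host     = ncloud_public_ip.public_ip_scn_02.public_ip
    user     = "root"
    port     = "22"
    password = data.ncloud_root_password.scn_02_root_password.root_password
  }

  provisioner "remote-exec" {
    inline = [
      "ls -al",
    ]
  }

  # Explicit ordering on top of the implicit dependency created by `host`.
  depends_on = [
    ncloud_public_ip.public_ip_scn_02,
    ncloud_server.server_scn_02_public
  ]
}

# Optional ACG rules: uncomment to attach them.
# Review before enabling: inbound opens 3389 (RDP) although the servers use a
# Linux image, and outbound allows every TCP/UDP port to 0.0.0.0/0.
/*
locals {
  default_acg_rules_inbound = [
    ["TCP", "0.0.0.0/0", "80"],
    ["TCP", "0.0.0.0/0", "443"],
    ["TCP", "${var.client_ip}/32", "22"],
    ["TCP", "${var.client_ip}/32", "3389"],
  ]

  default_acg_rules_outbound = [
    ["TCP", "0.0.0.0/0", "1-65535"],
    ["UDP", "0.0.0.0/0", "1-65534"],
    ["ICMP", "0.0.0.0/0", null]
  ]
}

resource "ncloud_access_control_group" "acg_scn_02" {
  description = "for acc test"
  vpc_no      = ncloud_vpc.vpc_scn_02.id
}

resource "ncloud_access_control_group_rule" "acg_rule_scn_02" {
  access_control_group_no = ncloud_access_control_group.acg_scn_02.id

  dynamic "inbound" {
    for_each = local.default_acg_rules_inbound
    content {
      protocol    = inbound.value[0]
      ip_block    = inbound.value[1]
      port_range  = inbound.value[2]
    }
  }

  dynamic "outbound" {
    for_each = local.default_acg_rules_outbound
    content {
      protocol    = outbound.value[0]
      ip_block    = outbound.value[1]
      port_range  = outbound.value[2]
    }
  }
}
*/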

::::::::::::::

security.tf

::::::::::::::

# Network ACL Rule
#
# Rows are [priority, protocol, ip_block, port_range, action]. Rules 1..5 are
# the ALLOWs; 197-199 are catch-all DROPs that close everything not listed.
# The explicit high-port ALLOW entries (32768-65535 / 9001-65535) exist because
# reply traffic is not tracked by the NACL — it has to be permitted on its own.
# NOTE(review): var.client_ip defaults to a placeholder in variables.tf;
# "${var.client_ip}/32" is then not a valid CIDR and apply fails on rules 3/4.
locals {
  public_subnet_inbound = [
    [1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
    [2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
    [3, "TCP", "${var.client_ip}/32", "22", "ALLOW"],
    // SSH only from the admin host
    [4, "TCP", "${var.client_ip}/32", "3389", "ALLOW"],
    // RDP; the servers in main.tf use a Linux image, so this rule is a candidate for removal
    [5, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
    // replies to connections the public server opened
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"],
  ]

  public_subnet_outbound = [
    [1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
    [2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
    [3, "TCP", "0.0.0.0/0", "9001-65535", "ALLOW"],
    // replies to inbound 80/443/22/3389 clients on their ephemeral ports
    [4, "TCP", "${ncloud_server.server_scn_02_private.network_interface[0].private_ip}/32", "8080", "ALLOW"],
    // Allow 8080 port to private server
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"]
  ]
}

# Applies the two lists above to the public NACL created in main.tf.
# Each list row is expanded into one inbound/outbound block by position.
resource "ncloud_network_acl_rule" "network_acl_02_rule_public" {
  network_acl_no = ncloud_network_acl.network_acl_02_public.id

  dynamic "inbound" {
    for_each = local.public_subnet_inbound
    content {
      priority    = inbound.value[0]
      protocol    = inbound.value[1]
      ip_block    = inbound.value[2]
      port_range  = inbound.value[3]
      rule_action = inbound.value[4]
    }
  }

  dynamic "outbound" {
    for_each = local.public_subnet_outbound
    content {
      priority    = outbound.value[0]
      protocol    = outbound.value[1]
      ip_block    = outbound.value[2]
      port_range  = outbound.value[3]
      rule_action = outbound.value[4]
    }
  }
}

# Private subnet: only the public server may reach it (8080), plus reply
# traffic. Outbound is limited to replies back to the public server; internet
# egress via the NAT gateway is therefore blocked by this NACL as written
# (no outbound 80/443 ALLOW) — adjust if the private server needs updates.
locals {
  private_subnet_inbound = [
    [1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "8080", "ALLOW"],
    // Allow 8080 port from public server
    [2, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
    // replies to connections the private server opened
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"],
  ]

  private_subnet_outbound = [
    [1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "32768-65535", "ALLOW"],
    // Allow 32768-65535 port to public server
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"]
  ]
}

# Same expansion as above, for the private NACL.
resource "ncloud_network_acl_rule" "network_acl_02_private" {
  network_acl_no = ncloud_network_acl.network_acl_02_private.id

  dynamic "inbound" {
    for_each = local.private_subnet_inbound
    content {
      priority    = inbound.value[0]
      protocol    = inbound.value[1]
      ip_block    = inbound.value[2]
      port_range  = inbound.value[3]
      rule_action = inbound.value[4]
    }
  }

  dynamic "outbound" {
    for_each = local.private_subnet_outbound
    content {
      priority    = outbound.value[0]
      protocol    = outbound.value[1]
      ip_block    = outbound.value[2]
      port_range  = outbound.value[3]
      rule_action = outbound.value[4]
    }
  }
}

::::::::::::::

variables.tf

::::::::::::::

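# Input variables for scenario02.
#
# Only name_scn02 has a usable default. client_ip and the two API credentials
# are required inputs: pass them with -var, a *.tfvars file kept out of version
# control, or TF_VAR_<name> environment variables. The previous placeholder
# defaults ("YOUR_...") invited editing real values into this file.

variable "name_scn02" {
  description = "Name prefix applied to every resource in this scenario."
  type        = string
  default     = "tf-scn02"
}

variable "client_ip" {
  description = "Public IPv4 address of the admin host; NACL rules 3 and 4 in security.tf admit ports 22/3389 only from <client_ip>/32."
  type        = string

  validation {
    # Fail at plan time if the value cannot form a /32, instead of failing
    # later inside the NACL rule resource.
    condition     = can(cidrnetmask("${var.client_ip}/32"))
    error_message = "client_ip must be a single IPv4 address, e.g. 203.0.113.10."
  }
}

variable "access_key" {
  description = "NCP API access key. No default on purpose: never commit this value."
  type        = string
  # Hides the value in plan/apply output; needs Terraform >= 0.14
  # (versions.tf currently allows >= 0.13).
  sensitive   = true
}

variable "secret_key" {
  description = "NCP API secret key. No default on purpose: never commit this value."
  type        = string
  sensitive   = true
}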

::::::::::::::

versions.tf

::::::::::::::

terraform {
  required_providers {
    ncloud = {
      source = "navercloudplatform/ncloud"
      # No version constraint: each `terraform init` may resolve a different
      # (latest) provider release. Add `version = "<PINNED_PROVIDER_VERSION>"`
      # and commit .terraform.lock.hcl so the provider binary is reproducible.
    }
  }

  # Minimum Terraform version. Raise it before using newer language features
  # (e.g. `sensitive` variables, which need 0.14).
  required_version = ">= 0.13"
}

[root@sssssss scenario02]#





# init downloads the provider declared in versions.tf (unpinned there).
terraform init
terraform plan
# -auto-approve skips the interactive confirmation of the plan shown above;
# read the plan output before running apply with it.
terraform apply -auto-approve




<3> pub1, pri1,natgw 생성되는 코드



1

코드에서 서버 부분 삭제



2

nacl , natgw , subnet 을 main에서 분리  #복잡도가 증가할때 관리를 쉽게 하기 위해서.



[root@sssssss scenario02]# ls

1  main.tf  nacl.tf  natgw.tf  security.tf  subnet.tf  terraform.tfstate  terraform.tfstate.backup  variables.tf  versions.tf




terraform init
terraform plan
# Both -auto-approve runs skip the confirmation prompt; destroy removes every
# resource in the state, so check `terraform plan -destroy` first when unsure.
terraform apply -auto-approve
terraform destroy --auto-approve




<4> 이름 game 으로 변경



1

vpc , 서브넷 이름 변경 ?


[root@sssssss scenario02]# more variables.tf

# Only the name prefix changed ("tf-scn02" -> "game2"). Every resource that
# interpolates var.name_scn02 is renamed; depending on the resource this may
# show up in the plan as an in-place update or a replacement — review it.
variable name_scn02 {
  default = "game2"
}



2

natgw 서브넷 이름 변경?


[root@sssssss scenario02]# more subnet.tf

resource "ncloud_subnet" "subnet_scn_02_public_natgw" {

  name           = "${var.name_scn02}-nat1"

  vpc_no         = ncloud_vpc.vpc_scn_02.id




3

natgw 이름 변경 ?


[root@sssssss scenario02]# more natgw.tf

/*# Public IP
resource "ncloud_public_ip" "public_ip_scn_02" {
  server_instance_no = ncloud_server.server_scn_02_public.id
  description        = "for ${var.name_scn02}"
}
*/
# The public IP stays commented out: the server resources were removed in
# step <3>, so it would reference a server that no longer exists.

# NAT Gateway
# Egress for the private subnets via the 0.0.0.0/0 -> NATGW route on the
# default private route table (route_scn_02_nat in the step <2> main.tf).
resource "ncloud_nat_gateway" "nat_gateway_scn_02" {
  vpc_no    = ncloud_vpc.vpc_scn_02.id
  subnet_no = ncloud_subnet.subnet_scn_02_public_natgw.id
  zone      = "KR-2"
  # old name; kept for reference
#  name      = var.name_scn02
  # "<prefix>-nat1", matching the NAT subnet name in subnet.tf
  name           = "${var.name_scn02}-nat1"
}





생성 결과





natgw 서브넷



nat 게이트웨이 생성



프라이빗 라우팅 테이블



퍼블릭 라우팅 테이블 = NAT서브넷 포함




<5> 서비스용 IP 블럭으로 변경하기


실무에서는 private ip 블럭을 주로 사용한다.

실무에 맞게 ip를 변경해보자.


변경전


변경후 (실무용)

vpc도 10.0.0.0/20 으로 변경하자.



[root@sssssss scenario02]# ls

1  2  main.tf  nacl.tf  natgw.tf  subnet.tf  terraform.tfstate  terraform.tfstate.backup  variables.tf  versions.tf




terraform init
# The VPC CIDR and all subnet ranges changed; expect the plan to replace the
# VPC and subnets rather than update them. Read it before applying.
terraform plan





[root@sssssss scenario02]# more subnet.tf

# Subnet
#
# Address plan. The cidrsubnet() arguments and the // comments assume the VPC
# was changed to 10.0.0.0/20 as this step says; with the /16 from step <2> the
# same arguments yield different blocks (e.g. 10.0.0.0/18 for pri1).
#   pri1  10.0.0.0/22    PRIVATE
#   pub1  10.0.8.0/24    PUBLIC
#   db1   10.0.10.0/24   PRIVATE
#   nat1  10.0.12.0/25   PUBLIC   usage NATGW
#   lb1   10.0.14.0/25   PRIVATE  usage LOADB
# None of the five overlap; 10.0.4.0/22, 10.0.9.0/24, 10.0.11.0/24,
# 10.0.12.128/25, 10.0.13.0/24, 10.0.14.128/25 and 10.0.15.0/24 remain free.
# All subnets are in KR-2 and reuse the two NACLs from step <2>; those rule
# sets were written for one public and one private server and are not yet
# adjusted for db1/lb1 (see step <8>).
#pri1
resource "ncloud_subnet" "subnet_scn_02_private" {
  name           = "${var.name_scn02}-pri1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0)
  // "10.0.0.0/22"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet_type    = "PRIVATE"
  // PRIVATE(Private)
}

#pub1
resource "ncloud_subnet" "subnet_scn_02_public" {
  name           = "${var.name_scn02}-pub1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 8)
  // "10.0.8.0/24"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  // PUBLIC(Public)
}

#db1
# Private subnet for the DB tier; attached to the private NACL.
resource "ncloud_subnet" "subnet_scn_02_db1" {
  name           = "${var.name_scn02}-db1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 10)
  // "10.0.10.0/24"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet_type    = "PRIVATE"
  // PRIVATE(Private)
}

#natgw1
# Dedicated NAT gateway subnet (public, NATGW usage) — see natgw.tf.
resource "ncloud_subnet" "subnet_scn_02_public_natgw" {
  name           = "${var.name_scn02}-nat1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5,24)
  // "10.0.12.0/25"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  usage_type     = "NATGW"
}

#lb1
# Load-balancer subnet (private, LOADB usage). It uses the private NACL, whose
# current rules only admit 8080 from the public server — the LB's listener and
# target ports will need their own rules.
resource "ncloud_subnet" "subnet_scn_02_lb1" {
  name           = "${var.name_scn02}-lb1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5,28)
  // "10.0.14.0/25"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet_type    = "PRIVATE"
  usage_type    = "LOADB"
  // PRIVATE(Private)
}

[root@sssssss scenario02]#






# Applies the new /20 address plan without a confirmation prompt.
terraform apply -auto-approve




참고 사이트


cidr subnet

https://developer.hashicorp.com/terraform/language/functions/cidrsubnet



https://registry.terraform.io/providers/NaverCloudPlatform/ncloud/latest/docs/data-sources/subnets#subnet



https://blog.naver.com/n_cloudplatform/222189643849




<6> cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0) 설정하기




1

10.0.0.0/20

원하는것


10.0.0.0/24

서브넷은

/20 + 4 = 24 라 4가 필요!!!

4, 0


IP는

서브넷만 변경되고 IP는 변경되지 않으므로 0이다.



2

10.0.0.0/20


원하는것

10.0.4.0/24


서브넷은

24가 되어야하므로 4

4, 4 


IP는  네트워크 비트에서 얼만큼 가야하는지 계산 그냥 4.

결국 C-Class는 4만 더하면 된다.



3

10.0.0.0/20


원하는것

10.0.4.0/25


서브넷은

5를 더해야 하므로 5

5, ?



IP는 ?

네트워크 서브넷이

255.255.255.128

11111111.11111111.11111111.1000 0000

10.0.4.0을 이진수로 변경한다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

0000 1010.0000 0000.0000 0100.0000 0000


네트워크비트는 1자리 더 있다.


원래IP

10.0.0.0

0000 1010. 0000 0000. 0000 0000.0000 0000

내가 만들 IP

0000 1010.0000 0000.0000 0100.0000 0000

1111 1111.1111 1111.1111 1111.1000 0000

서브넷 마스크

1111111.11111111.11111111.000000000



4

lb1 ?

10.0.0.0/20


원하는것

10.0.14.0/25


서브넷은

5를 더해야 하므로 5

5, ?



IP는 ?

네트워크 서브넷이

255.255.255.128

11111111.11111111.11111111.1000 0000


10.0.14.0을 이진수로 변경한다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

0000 1010.0000 0000.0000 1110.0000 0000


네트워크비트는 1자리 더 있다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

에서 이진수를 11100 으로 하면 


십진수 28이 나온다.


결론

5.28



5

nat1 

10.0.0.0/20


원하는것

10.0.12.0/25


서브넷은

5를 더해야 하므로 5

5, ?



IP는 ?

네트워크 서브넷이

255.255.255.128

11111111.11111111.11111111.1000 0000

10.0.12.0을 이진수로 변경한다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

0000 1010.0000 0000.0000 1100.0000 0000

네트워크비트는 1자리 더 있다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

에서 이진수를 11000 으로 하면 

십진수 24가 나온다.


결론

5.24

cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5, 24)





<7> 데이터 센터 이중화를 위한 서브넷과 라우팅테이블



[root@sssssss scenario02]# more rt.tf

# Route Table
#
# Subnet-to-route-table bindings plus the NAT default route. pri1 and db1 are
# both bound to the VPC's default private route table, so the 0.0.0.0/0 ->
# NATGW route below gives the db1 subnet internet egress as well. If the DB
# tier must not reach the internet, bind it to a separate route table that
# lacks this route. nat1 and lb1 get no explicit association here.
#PRIVATE1
resource "ncloud_route_table_association" "route_scn_02_private1" {
    route_table_no        = ncloud_vpc.vpc_scn_02.default_private_route_table_no
    subnet_no             = ncloud_subnet.subnet_scn_02_private1.id
}

#PUB1
resource "ncloud_route_table_association" "route_scn_02_public1" {
    route_table_no        = ncloud_vpc.vpc_scn_02.default_public_route_table_no
    subnet_no             = ncloud_subnet.subnet_scn_02_public1.id
}

#db1
# Shares the private route table (and therefore the NAT route) with pri1.
resource "ncloud_route_table_association" "route_scn_02_db1" {
    route_table_no        = ncloud_vpc.vpc_scn_02.default_private_route_table_no
    subnet_no             = ncloud_subnet.subnet_scn_02_db1.id
}

#NAT1
# Same route as route_scn_02_nat in step <2>, under a new resource name.
# Terraform treats a renamed address as a new resource unless the state entry
# is moved, so expect a destroy/create of the route on the first apply.
resource "ncloud_route" "route_scn_02_nat1" {
  route_table_no         = ncloud_vpc.vpc_scn_02.default_private_route_table_no
  destination_cidr_block = "0.0.0.0/0"
  target_type            = "NATGW"
  target_name            = ncloud_nat_gateway.nat_gateway_scn_02.name
  target_no              = ncloud_nat_gateway.nat_gateway_scn_02.id
}

[root@sssssss scenario02]# more subnet.tf

# Subnet
#
# Same address plan as step <5> (VPC 10.0.0.0/20):
#   pri1  10.0.0.0/22    PRIVATE
#   pub1  10.0.8.0/24    PUBLIC
#   db1   10.0.10.0/24   PRIVATE
#   nat1  10.0.12.0/25   PUBLIC   usage NATGW
#   lb1   10.0.14.0/25   PRIVATE  usage LOADB
# Changes from step <5>: the resource addresses now carry a "1" suffix
# (subnet_scn_02_private1 / _public1 / _public_natgw1) to match rt.tf.
# A renamed address is a new resource to Terraform unless the state entry is
# moved, so the plan will destroy and recreate those subnets. natgw.tf as shown
# in step <4> still references ncloud_subnet.subnet_scn_02_public_natgw and has
# to be updated to the new address.
# NOTE(review): every subnet is still in KR-2; the data-center redundancy this
# step is named for would need counterparts in a second zone.
#pri1
resource "ncloud_subnet" "subnet_scn_02_private1" {
  name           = "${var.name_scn02}-pri1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0)
  // "10.0.0.0/22"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet_type    = "PRIVATE"
  // PRIVATE(Private)
}

#pub1
resource "ncloud_subnet" "subnet_scn_02_public1" {
  name           = "${var.name_scn02}-pub1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 8)
  // "10.0.8.0/24"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  // PUBLIC(Public)
}

#db1
# Private subnet for the DB tier; bound to the private route table in rt.tf,
# which carries the NAT default route.
resource "ncloud_subnet" "subnet_scn_02_db1" {
  name           = "${var.name_scn02}-db1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 10)
  // "10.0.10.0/24"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet_type    = "PRIVATE"
  // PRIVATE(Private)
}

#natgw1
# Dedicated NAT gateway subnet (public, NATGW usage).
resource "ncloud_subnet" "subnet_scn_02_public_natgw1" {
  name           = "${var.name_scn02}-nat1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5,24)
  // "10.0.12.0/25"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  usage_type     = "NATGW"
}

#lb1
# Load-balancer subnet (private, LOADB usage); no route table association in rt.tf.
resource "ncloud_subnet" "subnet_scn_02_lb1" {
  name           = "${var.name_scn02}-lb1"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5,28)
  // "10.0.14.0/25"
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet_type    = "PRIVATE"
  usage_type    = "LOADB"
  // PRIVATE(Private)
}

[root@sssssss scenario02]#

[root@sssssss scenario02]#





전체 설정 1




<8> NACL , ASG 는 별도로 추가 작업해야 한다.


위 <5>까지는 네트워크 IP 블럭만 정리한 것이다.

NACL, ASG는 별도로 추가 정리해야 한다.


삭제

# Tears down everything in the state without a confirmation prompt.
terraform destroy --auto-approve





다음 

https://brunch.co.kr/@topasvga/3600



감사합니다.
