
네이버 17탄-2.테라폼-네트워크2

by Master Seo

<1> 아키텍터 구성 이해하기 (이론)

<2> pub1, pri1, server1,natgw 생성되는 코드

<3> pub1, pri1,natgw 생성되는 코드

<4> 이름 game 으로 변경하기

<5> 서비스용 IP 블럭으로 변경하기

<6> cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0) 설정하기

<7> 데이터 센터 이중화를 위한 서브넷과 라우팅테이블

<8> NACL , ASG 는 별도로 추가 작업해야 한다.


슬라이드1.JPG



<1> 아키텍터 구성 이해하기 (이론)


https://www.ncloud.com/intro/architecture




<2> pub1, pri1, server1,natgw 생성되는 코드


cd /root/terraform-provider-ncloud-main/examples/vpc/scenario02



tf파일 4개

ls

main.tf security.tf variables.tf versions.tf



생성되는 리소스

vpc

pub1

pri1

server1

natgw


more *.tf


[root@sssssss scenario02]# more *.tf

::::::::::::::

main.tf

::::::::::::::

# VPC > User scenario > Scenario 2. Public and Private Subnet

# https://docs.ncloud.com/ko/networking/vpc/vpc_userscenario2.html

# Provider configuration for Naver Cloud Platform, VPC environment.
# The two credentials come from input variables; supply them at runtime
# (TF_VAR_access_key / TF_VAR_secret_key or a git-ignored *.tfvars file)
# instead of committing literal values.
provider "ncloud" {
  access_key  = var.access_key
  secret_key  = var.secret_key
  region      = "KR"   # every subnet below is placed in zone KR-2 of this region
  support_vpc = true   # select the VPC environment
}

# Login key for the servers. Its private_key attribute is read by the
# ncloud_root_password data source further down, so the key material is
# persisted in terraform.tfstate.
resource "ncloud_login_key" "key_scn_02" {
  key_name = var.name_scn02   # same prefix as every other resource in the scenario
}

# VPC

# VPC: the /16 parent block that every cidrsubnet() call below carves from.
resource "ncloud_vpc" "vpc_scn_02" {
  ipv4_cidr_block = "10.0.0.0/16"
  name            = var.name_scn02
}

# Subnet

# Public subnet: /16 + 8 new bits = /24, network number 0 -> 10.0.0.0/24.
resource "ncloud_subnet" "subnet_scn_02_public" {
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  name           = format("%s-public", var.name_scn02)
  zone           = "KR-2"
  subnet_type    = "PUBLIC"
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 0)
  network_acl_no = ncloud_network_acl.network_acl_02_public.id   # public rule set from security.tf
}

# Private subnet: /16 + 8 new bits = /24, network number 1 -> 10.0.1.0/24.
# Outbound internet access is expected to go through the NAT gateway route.
resource "ncloud_subnet" "subnet_scn_02_private" {
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  name           = format("%s-private", var.name_scn02)
  zone           = "KR-2"
  subnet_type    = "PRIVATE"
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 1)
  network_acl_no = ncloud_network_acl.network_acl_02_private.id   # private rule set from security.tf
}

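# Dedicated NAT gateway subnet: /16 + 8 bits = /24, network number 2 -> 10.0.2.0/24.
resource "ncloud_subnet" "subnet_scn_02_public_natgw" {
  # Named like the sibling subnets so it is identifiable in the console;
  # the original left name unset. Setting name on an already-created subnet
  # may require it to be replaced — check the plan before applying.
  name           = "${var.name_scn02}-natgw"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 2)
  zone           = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  usage_type     = "NATGW"   # reserves the subnet for the NAT gateway
}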

# Network ACL

# Network ACL attached to the public and NAT subnets; its rules live in security.tf.
resource "ncloud_network_acl" "network_acl_02_public" {
  name   = format("%s-public", var.name_scn02)
  vpc_no = ncloud_vpc.vpc_scn_02.id
}

# Network ACL attached to the private subnet; its rules live in security.tf.
resource "ncloud_network_acl" "network_acl_02_private" {
  name   = format("%s-private", var.name_scn02)
  vpc_no = ncloud_vpc.vpc_scn_02.id
}

# Server

# Public server; becomes reachable from the internet once the public IP
# below is attached to it.
resource "ncloud_server" "server_scn_02_public" {
  name           = format("%s-public", var.name_scn02)
  subnet_no      = ncloud_subnet.subnet_scn_02_public.id
  login_key_name = ncloud_login_key.key_scn_02.key_name

  # Linux image product code (looks like a CentOS 7 image — verify against the
  # current product catalog, older images stop receiving updates).
  server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"

  # Instance spec left unset; an explicit choice would look like:
  # server_product_code = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}

# Private server; has no public IP and is only reachable inside the VPC.
resource "ncloud_server" "server_scn_02_private" {
  name           = format("%s-private", var.name_scn02)
  subnet_no      = ncloud_subnet.subnet_scn_02_private.id
  login_key_name = ncloud_login_key.key_scn_02.key_name

  # Same Linux image as the public server.
  server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"

  # Instance spec left unset; an explicit choice would look like:
  # server_product_code = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}

# Public IP

# Public IP bound to the public server; the null_resource below SSHes to it.
resource "ncloud_public_ip" "public_ip_scn_02" {
  description        = format("for %s", var.name_scn02)
  server_instance_no = ncloud_server.server_scn_02_public.id
}

# NAT Gateway

# NAT gateway, placed in the dedicated NATGW subnet. The private route table
# below sends 0.0.0.0/0 to it.
resource "ncloud_nat_gateway" "nat_gateway_scn_02" {
  name      = var.name_scn02
  zone      = "KR-2"
  vpc_no    = ncloud_vpc.vpc_scn_02.id
  subnet_no = ncloud_subnet.subnet_scn_02_public_natgw.id
}

# Route Table

# Default route of the VPC's default private route table -> NAT gateway.
# Whether traffic actually leaves also depends on the private subnet's
# network ACL outbound rules in security.tf.
resource "ncloud_route" "route_scn_02_nat" {
  route_table_no         = ncloud_vpc.vpc_scn_02.default_private_route_table_no
  destination_cidr_block = "0.0.0.0/0"

  # target_type accepts NATGW (NAT Gateway), VPCPEERING (VPC Peering) or VGW (Virtual Private Gateway)
  target_type = "NATGW"
  target_no   = ncloud_nat_gateway.nat_gateway_scn_02.id
  target_name = ncloud_nat_gateway.nat_gateway_scn_02.name
}

# Obtains the public server's root password using the login key's private key.
# Both the private key and the resulting plaintext password are stored in
# terraform.tfstate (kept locally in this example) — treat the state file as
# a credential.
data "ncloud_root_password" "scn_02_root_password" {
  private_key        = ncloud_login_key.key_scn_02.private_key
  server_instance_no = ncloud_server.server_scn_02_public.id
}

# Smoke test: SSH to the public server as root with the retrieved password
# and run `ls -al`. Runs only after the server exists and its public IP is
# attached. Note the password travels through provisioner logs and state.
resource "null_resource" "ls-al" {
  depends_on = [
    ncloud_server.server_scn_02_public,
    ncloud_public_ip.public_ip_scn_02,
  ]

  connection {
    type     = "ssh"
    user     = "root"
    host     = ncloud_public_ip.public_ip_scn_02.public_ip
    port     = "22"
    password = data.ncloud_root_password.scn_02_root_password.root_password
  }

  provisioner "remote-exec" {
    inline = ["ls -al"]
  }
}

# You can add ACG rules remove comment If you want

/*

locals {

default_acg_rules_inbound = [

["TCP", "0.0.0.0/0", "80"],

["TCP", "0.0.0.0/0", "443"],

["TCP", "${var.client_ip}/32", "22"],

["TCP", "${var.client_ip}/32", "3389"],

]

default_acg_rules_outbound = [

["TCP", "0.0.0.0/0", "1-65535"],

["UDP", "0.0.0.0/0", "1-65534"],

["ICMP", "0.0.0.0/0", null]

]

}

resource "ncloud_access_control_group" "acg_scn_02" {

description = "for acc test"

vpc_no = ncloud_vpc.vpc_scn_02.id

}

resource "ncloud_access_control_group_rule" "acg_rule_scn_02" {

access_control_group_no = ncloud_access_control_group.acg_scn_02.id

dynamic "inbound" {

for_each = local.default_acg_rules_inbound

content {

protocol = inbound.value[0]

ip_block = inbound.value[1]

port_range = inbound.value[2]

}

}

dynamic "outbound" {

for_each = local.default_acg_rules_outbound

content {

protocol = outbound.value[0]

ip_block = outbound.value[1]

port_range = outbound.value[2]

}

}

}

*/

::::::::::::::

security.tf

::::::::::::::

# Network ACL Rule

# Network ACL rule tables for the public subnet.
# Row layout: [priority, protocol, ip_block, port_range, rule_action].
# The DROP rows at 197-199 are meant as a default deny behind the ALLOW rows
# (rules are assumed to be evaluated in ascending priority — confirm against
# the NCP network ACL docs).
locals {
  public_subnet_inbound = [
    # Web traffic from anywhere
    [1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
    [2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
    # Admin access only from the operator's address (var.client_ip).
    # 3389 (RDP) is not needed for the Linux image used in main.tf — remove it
    # unless a Windows server is planned.
    [3, "TCP", "${var.client_ip}/32", "22", "ALLOW"],
    [4, "TCP", "${var.client_ip}/32", "3389", "ALLOW"],
    # Presumably return traffic for connections the server opened (ephemeral ports)
    [5, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
    # Default deny
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"],
  ]

  public_subnet_outbound = [
    # Outbound web/updates
    [1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
    [2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
    # Replies to clients' source ports. NOTE(review): if the ACL is stateless,
    # replies to clients that used a source port below 9001 fall through to
    # rule 197 and are dropped — confirm this range is intentional.
    [3, "TCP", "0.0.0.0/0", "9001-65535", "ALLOW"],
    # Application traffic to the private server only
    [4, "TCP", "${ncloud_server.server_scn_02_private.network_interface[0].private_ip}/32", "8080", "ALLOW"],
    // Allow 8080 port to private server
    # Default deny
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"]
  ]
}

# Materialises local.public_subnet_inbound / _outbound as rules on the public ACL.
resource "ncloud_network_acl_rule" "network_acl_02_rule_public" {
  network_acl_no = ncloud_network_acl.network_acl_02_public.id

  # One inbound block per row: [priority, protocol, ip_block, port_range, rule_action]
  dynamic "inbound" {
    for_each = local.public_subnet_inbound
    iterator = rule
    content {
      priority    = rule.value[0]
      protocol    = rule.value[1]
      ip_block    = rule.value[2]
      port_range  = rule.value[3]
      rule_action = rule.value[4]
    }
  }

  # Same layout for the outbound rows
  dynamic "outbound" {
    for_each = local.public_subnet_outbound
    iterator = rule
    content {
      priority    = rule.value[0]
      protocol    = rule.value[1]
      ip_block    = rule.value[2]
      port_range  = rule.value[3]
      rule_action = rule.value[4]
    }
  }
}

# Network ACL rule tables for the private subnet.
# Row layout: [priority, protocol, ip_block, port_range, rule_action].
locals {
  private_subnet_inbound = [
    # Application traffic, only from the public server
    [1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "8080", "ALLOW"],
    // Allow 8080 port from public server
    # Presumably return traffic for connections the private server opened
    [2, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
    # Default deny
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"],
  ]

  # NOTE(review): the only outbound ALLOW is replies to the public server.
  # Connections the private server initiates towards the internet through the
  # NAT gateway route (0.0.0.0/0 -> NATGW in main.tf) match rule 197 and are
  # dropped, so the NAT path is unusable until an outbound ALLOW for the
  # needed destinations/ports is added — confirm this is the intended policy.
  private_subnet_outbound = [
    [1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "32768-65535", "ALLOW"],
    // Allow 32768-65535 port to public server
    # Default deny
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"]
  ]
}

# Materialises local.private_subnet_inbound / _outbound as rules on the private ACL.
resource "ncloud_network_acl_rule" "network_acl_02_private" {
  network_acl_no = ncloud_network_acl.network_acl_02_private.id

  # One inbound block per row: [priority, protocol, ip_block, port_range, rule_action]
  dynamic "inbound" {
    for_each = local.private_subnet_inbound
    iterator = rule
    content {
      priority    = rule.value[0]
      protocol    = rule.value[1]
      ip_block    = rule.value[2]
      port_range  = rule.value[3]
      rule_action = rule.value[4]
    }
  }

  # Same layout for the outbound rows
  dynamic "outbound" {
    for_each = local.private_subnet_outbound
    iterator = rule
    content {
      priority    = rule.value[0]
      protocol    = rule.value[1]
      ip_block    = rule.value[2]
      port_range  = rule.value[3]
      rule_action = rule.value[4]
    }
  }
}

::::::::::::::

variables.tf

::::::::::::::

# Prefix used for every resource name in this scenario.
variable "name_scn02" {
  description = "Name prefix for all scenario-02 resources"
  default     = "tf-scn02"
}

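# Operator's public IPv4 address; security.tf uses it as "<ip>/32" for the
# admin rules (22/3389). No default: the original placeholder "YOUR_CLIENT_IP"
# would be sent to the API as the CIDR "YOUR_CLIENT_IP/32" if left unchanged.
# Terraform now prompts for it (or reads TF_VAR_client_ip / a tfvars file) and
# rejects anything that is not a single address before any API call.
variable "client_ip" {
  type        = string
  description = "Public IPv4 address allowed to reach the admin ports (22/3389)"

  validation {
    condition     = can(cidrhost("${var.client_ip}/32", 0))
    error_message = "client_ip must be a single IPv4 address without a prefix length."
  }
}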

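# NCP API access key. No default so a real value is never committed with the
# code; supply it via TF_VAR_access_key or a git-ignored *.tfvars file.
# sensitive = true (Terraform >= 0.14) keeps it out of plan/apply output.
variable "access_key" {
  type        = string
  description = "Naver Cloud Platform API access key"
  sensitive   = true
}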

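# NCP API secret key. No default so a real value is never committed with the
# code; supply it via TF_VAR_secret_key or a git-ignored *.tfvars file.
# sensitive = true (Terraform >= 0.14) keeps it out of plan/apply output.
variable "secret_key" {
  type        = string
  description = "Naver Cloud Platform API secret key"
  sensitive   = true
}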

::::::::::::::

versions.tf

::::::::::::::

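terraform {
  # Raised from 0.13 so the credential variables can be marked `sensitive`
  # (input-variable `sensitive` was introduced in Terraform 0.14).
  required_version = ">= 0.14"

  required_providers {
    ncloud = {
      source = "navercloudplatform/ncloud"
      # No version constraint is pinned, so `terraform init` picks the latest
      # provider release; add e.g. version = "~> <MAJOR.MINOR>" once chosen.
    }
  }
}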

[root@sssssss scenario02]#





terraform init

terraform plan

terraform apply -auto-approve




<3> pub1, pri1,natgw 생성되는 코드



1

코드에서 서버 부분 삭제



2

nacl , natgw , subnet 을 main에서 분리 #복잡도가 증가할때 관리를 쉽게 하기 위해서.



[root@sssssss scenario02]# ls

1 main.tf nacl.tf natgw.tf security.tf subnet.tf terraform.tfstate terraform.tfstate.backup variables.tf versions.tf




terraform init

terraform plan

terraform apply -auto-approve

terraform destroy --auto-approve




<4> 이름 game 으로 변경



1

vpc , 서브넷 이름 변경 ?


[root@sssssss scenario02]# more variables.tf

# Name prefix; changed from "tf-scn02" so the resources are recreated under "game2".
variable "name_scn02" {
  description = "Name prefix for all scenario-02 resources"
  default     = "game2"
}



2

natgw 서브넷 이름 변경?


[root@sssssss scenario02]# more subnet.tf

resource "ncloud_subnet" "subnet_scn_02_public_natgw" {

name = "${var.name_scn02}-nat1"

vpc_no = ncloud_vpc.vpc_scn_02.id




3

natgw 이름 변경 ?


[root@sssssss scenario02]# more natgw.tf

/*# Public IP

resource "ncloud_public_ip" "public_ip_scn_02" {

server_instance_no = ncloud_server.server_scn_02_public.id

description = "for ${var.name_scn02}"

}

*/

# NAT Gateway

# NAT Gateway, placed in the dedicated NATGW subnet.
resource "ncloud_nat_gateway" "nat_gateway_scn_02" {
  name      = format("%s-nat1", var.name_scn02)   # was: var.name_scn02
  zone      = "KR-2"
  vpc_no    = ncloud_vpc.vpc_scn_02.id
  subnet_no = ncloud_subnet.subnet_scn_02_public_natgw.id
}





3

생성 결과



3000 vpc.png



natgw 서브넷

3100 subnet.png



nat 게이트웨이 생성

3200 natgw.png



프라이빗 라우팅 테이블

3300 route.png



퍼블릭 라우팅 테이블 = NAT서브넷 포함

3400 route2.png




<5> 서비스용 IP 블럭으로 변경하기


실무에서는 private ip 블럭을 주로 사용한다.

실무에 맞게 ip를 변경해보자.


변경전

10 서브넷 변경전.png


변경후 (실무용)

vpc도 10.0.0.0/20 으로 변경하자.

20 변경후.png



[root@sssssss scenario02]# ls

1 2 main.tf nacl.tf natgw.tf subnet.tf terraform.tfstate terraform.tfstate.backup variables.tf versions.tf




terraform init

terraform plan



120 subnet.png



[root@sssssss scenario02]# more subnet.tf

# Subnet

#pri1

# pri1: /20 + 2 new bits = /22, network number 0 -> 10.0.0.0/22
resource "ncloud_subnet" "subnet_scn_02_private" {
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  name           = format("%s-pri1", var.name_scn02)
  zone           = "KR-2"
  subnet_type    = "PRIVATE"
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0)
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
}

#pub1

# pub1: /20 + 4 new bits = /24, network number 8 -> 10.0.8.0/24
resource "ncloud_subnet" "subnet_scn_02_public" {
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  name           = format("%s-pub1", var.name_scn02)
  zone           = "KR-2"
  subnet_type    = "PUBLIC"
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 8)
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
}

#db1

# db1: /20 + 4 new bits = /24, network number 10 -> 10.0.10.0/24
# This is a PRIVATE subnet on the private ACL (the original trailing comment
# said PUBLIC, which did not match subnet_type).
resource "ncloud_subnet" "subnet_scn_02_db1" {
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  name           = format("%s-db1", var.name_scn02)
  zone           = "KR-2"
  subnet_type    = "PRIVATE"
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 10)
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
}

#natgw1

# nat1: /20 + 5 new bits = /25, network number 24 -> 24 * 128 = 3072 -> 10.0.12.0/25
resource "ncloud_subnet" "subnet_scn_02_public_natgw" {
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  name           = format("%s-nat1", var.name_scn02)
  zone           = "KR-2"
  subnet_type    = "PUBLIC"
  usage_type     = "NATGW"   # reserved for the NAT gateway
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5, 24)
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
}

#lb1

# lb1: /20 + 5 new bits = /25, network number 28 -> 28 * 128 = 3584 -> 10.0.14.0/25
# Private load-balancer subnet; it shares the private ACL with pri1/db1.
resource "ncloud_subnet" "subnet_scn_02_lb1" {
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  name           = format("%s-lb1", var.name_scn02)
  zone           = "KR-2"
  subnet_type    = "PRIVATE"
  usage_type     = "LOADB"   # reserved for load balancers
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5, 28)
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
}

[root@sssssss scenario02]#






terraform apply -auto-approve




참고 사이트


cidr subnet

https://developer.hashicorp.com/terraform/language/functions/cidrsubnet



https://registry.terraform.io/providers/NaverCloudPlatform/ncloud/latest/docs/data-sources/subnets#subnet



https://blog.naver.com/n_cloudplatform/222189643849




<6> cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0) 설정하기




1

10.0.0.0/20

원하는것


10.0.0.0/24

서브넷은

/20 + 4 = 24 라 4가 필요!!!

4, 0


IP는

서브넷만 변경되고 IP는 변경되지 않으므로 0이다.



2

10.0.0.0/20


원하는것

10.0.4.0/24


서브넷은

24가 되어야하므로 4

4, 4


IP는 네트워크 비트에서 얼만큼 가야하는지 계산 그냥 4.

결국 C-Class는 4만 더하면 된다.



3

10.0.0.0/20


원하는것

10.0.4.0/25


서브넷은

5를 더해야 하므로 5

5, ?



IP는 ?

네트워크 서브넷이

255.255.255.128

11111111.11111111.11111111.10000000

10.0.4.0을 이진수로 변경한다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

0000 1010.0000 0000.0000 0100.0000 0000


네트워크비트는 1자리 더 있다.


원래IP

10.0.0.0

0000 1010. 0000 0000. 0000 0000.0000 0000

내가 만들 IP

0000 1010.0000 0000.0000 0100.0000 0000

1111 1111.1111 1111.1111 1111.1000 0000

서브넷 마스크

11111111.11111111.11111111.10000000



4

lb1 ?

10.0.0.0/20


원하는것

10.0.14.0/25


서브넷은

5를 더해야 하므로 5

5, ?



IP는 ?

네트워크 서브넷이

255.255.255.128

11111111.11111111.11111111.10000000


10.0.14.0을 이진수로 변경한다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

0000 1010.0000 0000.0000 1110.0000 0000


네트워크비트는 1자리 더 있다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

에서 이진수를 11100 으로 하면


십진수 28이 나온다.


결론

5, 28



5

nat1

10.0.0.0/20


원하는것

10.0.12.0/25


서브넷은

5를 더해야 하므로 5

5, ?



IP는 ?

네트워크 서브넷이

255.255.255.128

11111111.11111111.11111111.10000000

10.0.12.0을 이진수로 변경한다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

0000 1010.0000 0000.0000 1100.0000 0000

네트워크비트는 1자리 더 있다.

https://www.digikey.kr/ko/resources/conversion-calculators/conversion-calculator-number-conversion

에서 이진수를 11000 으로 하면

십진수 24가 나온다.


결론

5, 24

cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5, 24)





<7> 데이터 센터 이중화를 위한 서브넷과 라우팅테이블



[root@sssssss scenario02]# more rt.tf

# Route Table

#PRIVATE1

# pri1 -> VPC default private route table (whose 0.0.0.0/0 points at the NAT gateway)
resource "ncloud_route_table_association" "route_scn_02_private1" {
  subnet_no      = ncloud_subnet.subnet_scn_02_private1.id
  route_table_no = ncloud_vpc.vpc_scn_02.default_private_route_table_no
}

#PUB1

# pub1 -> VPC default public route table
resource "ncloud_route_table_association" "route_scn_02_public1" {
  subnet_no      = ncloud_subnet.subnet_scn_02_public1.id
  route_table_no = ncloud_vpc.vpc_scn_02.default_public_route_table_no
}

#db1

# db1 -> VPC default private route table
resource "ncloud_route_table_association" "route_scn_02_db1" {
  subnet_no      = ncloud_subnet.subnet_scn_02_db1.id
  route_table_no = ncloud_vpc.vpc_scn_02.default_private_route_table_no
}

#NAT1

# Default route of the private route table -> NAT gateway.
# No explicit association is declared for the natgw1 and lb1 subnets here;
# presumably they fall back to the VPC's default tables for their subnet
# type — confirm in the console (see the route-table screenshots above).
resource "ncloud_route" "route_scn_02_nat1" {
  route_table_no         = ncloud_vpc.vpc_scn_02.default_private_route_table_no
  destination_cidr_block = "0.0.0.0/0"
  target_type            = "NATGW"
  target_no              = ncloud_nat_gateway.nat_gateway_scn_02.id
  target_name            = ncloud_nat_gateway.nat_gateway_scn_02.name
}

[root@sssssss scenario02]# more subnet.tf

# Subnet

#pri1

# pri1: /20 + 2 new bits = /22, network number 0 -> 10.0.0.0/22
resource "ncloud_subnet" "subnet_scn_02_private1" {
  name           = "${var.name_scn02}-pri1"
  subnet_type    = "PRIVATE"
  zone           = "KR-2"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 2, 0)
}

#pub1

# pub1: /20 + 4 new bits = /24, network number 8 -> 10.0.8.0/24
resource "ncloud_subnet" "subnet_scn_02_public1" {
  name           = "${var.name_scn02}-pub1"
  subnet_type    = "PUBLIC"
  zone           = "KR-2"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 8)
}

#db1

# db1: /20 + 4 new bits = /24, network number 10 -> 10.0.10.0/24
# PRIVATE subnet on the private ACL (the original trailing comment said
# PUBLIC, which did not match subnet_type).
resource "ncloud_subnet" "subnet_scn_02_db1" {
  name           = "${var.name_scn02}-db1"
  subnet_type    = "PRIVATE"
  zone           = "KR-2"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 4, 10)
}

#natgw1

# nat1: /20 + 5 new bits = /25, network number 24 -> 24 * 128 = 3072 -> 10.0.12.0/25
# NOTE(review): this resource is now named subnet_scn_02_public_natgw1; the
# natgw.tf shown earlier references subnet_scn_02_public_natgw — make sure
# the NAT gateway's subnet_no was updated to match.
resource "ncloud_subnet" "subnet_scn_02_public_natgw1" {
  name           = "${var.name_scn02}-nat1"
  subnet_type    = "PUBLIC"
  usage_type     = "NATGW"
  zone           = "KR-2"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5, 24)
}

#lb1

# lb1: /20 + 5 new bits = /25, network number 28 -> 28 * 128 = 3584 -> 10.0.14.0/25
# Private load-balancer subnet on the private ACL.
resource "ncloud_subnet" "subnet_scn_02_lb1" {
  name           = "${var.name_scn02}-lb1"
  subnet_type    = "PRIVATE"
  usage_type     = "LOADB"
  zone           = "KR-2"
  vpc_no         = ncloud_vpc.vpc_scn_02.id
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  subnet         = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 5, 28)
}

[root@sssssss scenario02]#

[root@sssssss scenario02]#





전체 설정 1




<8> NACL , ASG 는 별도로 추가 작업해야 한다.


위 <5>까지는 네트워크 IP 블럭만 정리한것이다.

NACL,ASG은 별도로 추가 정리해야 한다.


삭제

terraform destroy --auto-approve





다음

https://brunch.co.kr/@topasvga/3600



감사합니다.
