AWS PrivateLink 서비스를 활용하여 해결할 수 있는 네트워크 문제들에 대해 살펴봅니다.
Byungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.Network Architecture using AWS VPC PrivateLinkAWS VPC PrivateLinkܳ ਊೠ ֎ਕ ҳࢿ ۚ߅ ߽ (Byungjin Park) · ۽٘ (Claud) · Site Reliability Engineer @ ӔಕӔ SRE স 1ഥAug 26, 2021
View Slide
speakerߊ ࣗѐByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.߅߽ / @posquit0 / ۽٘ (Claud)(അ) Site Reliability Engineer @ Ӕಕ() Director of Infrastructure Division @ ࢎܻই() Software Architect @ ১פযझ () Co-founder & Software Engineer @ ۖҴઁ೧ఊഥ DEFCON CTF ࠄࢶ 6ഥ ೞद ೠҴ ࢎਊ ݽ ೠҴ য়ࣗझ GitHub 10,000ѐ ࢚ झఋܳ ߉ ۽ં
Byungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.intro
introByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ӔಕӔ݃ ਃ ࢎਊੋ җ ز֎࢚ӂ ࠛಞೣਸ ೧ѾೞҊ ೧ਃ.Ӕ݃ ۖಬ ղ Ӕݠפܳ ഝਊೠ рಞ ࣠Ә ઁҕز֎࢚ӂীࢲ Ӕಕ рಞѾઁ ઁҕӔಕח Ӕ݃җ ߹ب ߨੋਵ۽ Әਲ਼ ۄࣃझ ஂٙ ରܳ ೯ ী যਃ.Әਲ਼ ࢲ࠺झ ী AWS ۄ٘ܳ ࢎਊೞӝਤೠ ୶о ର ೯Әਲ਼хةӏ ߂ Әਲ਼ӂ ۄ٘ ࢲ࠺झ ਊ о٘ ١ ஹۄझ ળࣻ ਃ
introByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.Әਲ਼স ֎ਕ ࠁউݎ ܻ࠙Client VPNMFAIn-transit Encryptionݎ ো҅mTLSSite-to-Site VPNAuditingਊࢶ োѾFirewall৻ࠗ ੋఠ֔ ాઁ
introByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.AWS VPC ࢚ ݎ ো҅ ޙઁݾী ٮۄ ܻ࠙ ػ ৈ۞ VPCܳ যڌѱ োѾೡ ࣻ ਸө?ѐߊо VPC Private ী Ӕೡ ࣻ ب۾ ઁҕೞ۰ݶ?AWS VPCীࢲ ੋఠ֔ਸ ాೞ ঋҊ S3, ECR, KMS ١ ࢲ࠺झܳ ഐೡ ࣻ হਸө?ࢎޖप ֎ਕ৬ AWS VPCܳ উೞѱ োѾೞҊ रؘ?৻ӝҙҗ दझమ ো҅ܳ ೧ঠೞחؘ যڌѱ ೞ?
introByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.AWS VPC ࢚ ݎ ো҅ ޙઁݾী ٮۄ ܻ࠙ ػ ৈ۞ VPCܳ যڌѱ োѾೡ ࣻ ਸө?ѐߊо VPC Private ী Ӕೡ ࣻ ب۾ ઁҕೞ۰ݶ?AWS VPCীࢲ ੋఠ֔ਸ ాೞ ঋҊ S3, ECR, KMS ١ ࢲ࠺झܳ ഐೡ ࣻ হਸө?ࢎޖप ֎ਕ৬ AWS VPCܳ উೞѱ োѾೞҊ रؘ?৻ӝҙҗ दझమ ো҅ܳ ೧ঠೞחؘ যڌѱ ೞ?AWS PrivateLink !!
introByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.৻ӝҙ दझమ ো҅ ߑߨAWS VPC <=> AWS VPC ࢚ടੋ ҃AWS VPC <=> ৡۨझ ࢚ടੋ ҃AWS VPC Peering / AWS PrivateLink / AWS Site-to-Site VPN / AWS Transit GatewaySoftware VPNAWS Direct Connect / AWS Site-to-Site VPN / AWS Transit GatewaySoftware VPN
Byungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.concept
conceptByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.AWS PrivateLinkA highly available, scalable technology that enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services.AWS VPC৬ ࢚ ࢲ࠺झ р উೠ োѾਸ ਤೠ ӝࣿҊоਊࢿ (High Availability) ߂ ഛࢿ (Scalability) ઁҕਗೞח ࢚ ࢲ࠺झ- AWS ࢲ࠺झ (S3, ECR, KMS ١)- ܲ AWS ҅ ࢚ীࢲ ઁҕೞח ࢲ࠺झ (VPC Endpoint Service)- AWS ݃ۨझ ࢚ ց ࢲ࠺झ
conceptByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.PrivateLink ҳࢿਃࣗAWS PrivateLinkEndpointEndpoint ServiceInterface EndpointGateway EndpointGateway Load Balancer Endpoint(ࢲ࠺झ ࣗ࠺)(ࢲ࠺झ ઁҕ)
conceptByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ѱਝ ূ٘ನੋ (Gateway Endpoint)ۄ ӏਸ ాೠ AWS ࢲ࠺झী ࢎࢸ ӔAWS Managed Prefix Listܳ ਊೞৈ ۄ ӏ ҙܻ೧ ۄ ӏ ਊػ ࢲ࠳֔ী݅ PrivateLink ਊAWS S3 / DynamoDB ࢲ࠺झ݅ ਗӒ৻ ࢲ࠺झח ਊࠛоܻࣗझ ଼ਸ ా೧ ࣁೠ Ӕઁয оמূ٘ನੋ ଼ / S3 ߡఉ ଼ ١ ഝਊ оמ
conceptByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ੋఠಕझ ূ٘ನੋ (Interface Endpoint)֎ਕ ੋఠಕझܳ ా೧ ࢎࢸ IP ࠗৈ࢚ ࢲ࠺झী ೠ ENIܳ ਗೞח ࢲ࠳֔ী ࢤࢿ (Multi-AZ ਗ)নೠ ࢚ ࢲ࠺झী ೧ ਊ оמ90ѐ ࢚ AWS ࢲ࠺झ ਗূ٘ನੋ ࢲ࠺झܳ ా೧ ܲ AWS ҅ ࢲ࠺झ োѾ ਗAWS ݃ۨझ ࢲ࠺झ ਗࠁউӒܛҗ NACLਸ ా೧ ࣁೠ Ӕઁয оמENI ࠁউӒܛ ߂ ೧ ࢲ࠳֔ NACLਸ ా೧ IP Ӕઁযূ٘ನੋ ܻࣗझ ଼ ౠ AWS ࢲ࠺झٜ݅ ਗূ٘ನੋ بݫੋ ߂ ࢎࢸ بݫੋ ਗAZ ߹ بݫੋ ߂ ࢲ࠺झ بݫੋ ӝࠄ ઁҕ / ࢎࢸ بݫੋ (ࢶఖ)
conceptByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ূ٘ನੋ ࢲ࠺झ (Endpoint Service)
conceptByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ূ٘ನੋ ࢲ࠺झ (Endpoint Service)ܲ AWS ҅ীѱ ࢲ࠺झ ઁҕ ݾࢲ࠺झ ઁҕ(Service Provider) : ֎ਕ ۽٘ߖ۠ࢲ(NLB) ѱਝ ۽٘ߖ۠ࢲ(GWLB)ী ೞৈ ূ٘ನੋ ࢲ࠺झ ࢤࢿࢲ࠺झ ࣗ࠺(Service Consumer) / Principal : ੋఠಕझ ূ٘ನੋ ѱਝ ۽٘ߖ۠ࢲ ূ٘ನੋ ࢤࢿࢎࢸ بݫੋ ઁҕ оמࢲ࠺झ ࣗ࠺о PrivateDNS ӝמਸ ഝࢿചೡ ҃ ೧ ࢎࢸ بݫੋਸ оמبݫੋ ࣗਬӂ ੋૐ ਃ*.company.com җ э ৬ੌ٘٘ بݫੋ ೲਊ
Byungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.problem solving
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.য়݃ (द)AWSীࢲ EC2 ӝ߈ਵ۽ ࢲ࠺झ ࢲ࠺झ ਕ۽٘ח Private ࢲ࠳֔ীࢲ VPC ৻ࠗ AWS ࢲ࠺झ(KMS, ECR, Secrets Manager) ਊ
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁ“ੋఠ֔ ݎਸ ాೞ ঋҊ AWS ࢲ࠺झ৬ ాन೧ঠ פ.”
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁੋఠಕझ ূ٘ನੋ ࢤࢿ- AWS ࢲ࠺झ৬ ాन NAT GWܳ Ѣ ঋҊ ࢎࢸ IP۽ ాन- ѱਝ ূ٘ನੋח S3, DynamoDBী ೧ࢲ݅ ҳࢿ оמ- ূ٘ನੋ ࢤࢿ द PrivateDNS ӝמ ഝࢿച- PrivateDNSܳ ഝࢿചೞ ঋਵݶ п ࢲ࠺झ(KMS, ECR ١)৬ ాन द ূ٘ನੋ URL ਃ$ aws secretsmanager list-secrets —endpoint-url https://vpce-xx.secretsmanager.us-west-2.vpce.amazonaws.com
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁPrivateLink ਊ PrivateLink ਊ റ
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁ
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.2. AWSܳ ਊೞח ৻ӝҙҗ दझమ ো҅“৻ӝҙ APIܳ ਊೞҊ פ. ೧ APIח хೠ ؘఠо য়оӝ ٸޙী ࠁউ ਃפ. ݅ড Ҕب AWS ࢚ী ࢲ࠺झܳ ۄݶ?”
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.2. AWSܳ ਊೞח ৻ӝҙҗ दझమ ো҅ (VPC Peering)VPC ࠁ ֢ࢲ࠳֔ ױਤ োѾਬز IP ജ҃ীࢲ Ӕઁযо ө۽ ۄ ప࠶ / NACL ҙܻ ग
problem solvingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.2. AWSܳ ਊೞח ৻ӝҙҗ दझమ ো҅ (PrivateLink)VPC ࠁ ֢ೞ ঋࢤࢿػ ENI ࠁউӒܛਸ ా೧ Ӕઁযۄ ప࠶ / NACL ҙܻ ग হ
Byungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.troubleshooting
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.NLB Multi-AZ गࢲ࠺झ ઁҕ AWSaz1 / az2 / az3 оਊ ࢎਊపझਊ ਕ۽٘ܳ ASG۽ 1 ҳࢿೞਵա az3ী ߓನؽࢲ࠺झ ࣗ࠺ AWSaz1 / az2 оਊ ࢎਊPrivateLink ࢲ࠺झ ઁҕо NLB Cross-zone Load Balancing ӝמਸ ࠺ഝࢿചೠ ҃ࢲ࠺झ ઁҕ az3 ਕ۽٘ী ې ׳غ ঋই Empty reply from server য়ܨ ߊࢤ=> নஏ AZܳ ࢎী ੜ Ҋ۰ೞѢա, ۽झ ઓ ӝמ ഝࢿച ਃ
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.NLB Multi-AZ ग
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৈ۞ VPC द ग“ৈ۞ VPCо ೧ ࢲ࠺झী Ӕ೧ঠ ೠݶ?”
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৈ۞ VPC द ग“VPC Peeringਵ۽ ೧Ѿೡ ࣻ ঋਸө?”
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৈ۞ VPC द गVPCী ENIо ࢤࢿغয VPC ࢎࢸ IPܳ ೡ ߉ ࢚కۄ ాन оמBut, ੋఠಕझ ূ٘ನੋо ઁҕೞח ূ٘ನੋ بݫੋҗ ࢎࢸ بݫੋ ࢎਊ ࠛо“VPC Peeringਵ۽ ೧Ѿೡ ࣻ ঋਸө?”
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৈ۞ VPC द ग“Ӓր п VPC݃ ࠂਵ۽ ٜ݅ө?”
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৈ۞ VPC द गӘ ޙઁ ೧Ѿ оמBut, ࢜۽ VPCо ҅ࣘ ٜ݅য ٸ݃ ҙܻ ࠗ / ҙܻನੋо ݆ইઉ ഛࢿ ڄয“Ӓր п VPC݃ ࠂਵ۽ ٜ݅ө?”
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৈ۞ VPC द ग“PrivateDNS بݫੋݺਸ Route53 Private Hosted Zoneਸ ਊ೧ ഐझೠݶ?”
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৡۨझ بݫੋ ग“ৡۨझ ࢚ীࢲب بݫੋ Ӕ ਃೞݶ?”
troubleshootingByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ৡۨझ بݫੋ ग“Route53 Inbound Resolverܳ ా೧ DNS ਃਸ ನਕ٬೧ࠁ!”
summaryࣁ ਃডByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.AWS PrivateLinkܳ ࢎਊೞݶ ݎ ো҅ী য উೞҊ ഛࢿ ח ֎ਕ ҳࢿਸ оઉ т ࣻ যਃ.AWS PrivateLink ࢲ࠺झ ઁҕ AZ ҳࢿҗ NLB Cross-zone Load Balancing ২࣌ਸ ೧ঠ ೧ਃ.PrivateLinkܳ ৈ۞ VPC৬ ৡۨझী ా ਊೞҊ रݶ Route53 ӝמਸ ഝਊೡ ࣻ যਃ.݄݃ਵ۽…
ࣻಣੋ ࣗా — ә X / যܴ / न܉৬ ج / ైݺೠ ࠁ ҕਬਯҗ ଼ — מز সޖ ࣻ೯ / ਯ ౸ױૌѩѱ ࢿ — աࠁ ڪযդ زܐ / ਕ / ૌѢࢎਊ ब ࢎҊ — ࢎਊ о ୭ࢶ / ࢎਊ৬ ࢲ োѾrecruiting ୡӝ ݯߡ۽ ೣԋ ೡ ѐߊܳ ইਃByungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.ࣁೠ ղਊ daangn.teamਸ ߑޙ೧ࣁਃ! :)Ѿઁ/ ࢲߡ ѐߊ (Java, Kotlin)Ӕಕ рಞѾઁ ࢲ࠺झ ѐߊݠפ ࢲߡ ѐߊ (Java, Kotlin)Ӕݠפ ߂ ਬ ҙܻ ࢲ࠺झ ѐߊؘ࠳২झ ূפয(?)4࠙ӝ ਊ য় ܻח ۧѱ ੌ೧ਃഌఖ ߂ ࠂਬ۽ ോо / ਬো ృӔ ߂ ఖӔޖ / धࢎ ߂ নೠ рध ઁҕझగ٬ ؘझ or ೲݢ۞ ઁҕ / بࢲ ҳݒ ߂ Үਭ࠺ ਗ
Byungjin Park · posquit0.com · posquit0Copyright © 2021 All Rights Reserved.End of DocumentVisit my AMA (https://github.com/posquit0/ama) for any question!
posquit0
yuuu
okuramasafumi
y0gi
kubode
.png){kind=avatar}
headwaters
ogijun2018
makomakok
sasakendayo
weddingpark
yuya4
hicka04
mski_iksm
kastner
destraynor
maltzj
aarron
speakerdeck
gr2m
jcasabona
addyosmani
garrettdimon
soudai
geoffreycrofte
shlominoach