AWS VPC PrivateLink를 이용한 네트워크 구성 전략 (Network Architecture using AWS PrivateLink) - 당근 SRE 밋업 1회

Transcript

1. Byungjin Park · posquit0.com · posquit0 Copyright © 2021 All

   Rights Reserved. Network Architecture using AWS VPC PrivateLink AWS VPC PrivateLinkܳ ੉ਊೠ ֎౟ਕ௼ ҳࢿ ੹ۚ ߅ ߽૓ (Byungjin Park) · ௿۽٘ (Claud) · Site Reliability Engineer @ ׼Ӕಕ੉ ׼Ӕ SRE ޿স 1ഥ Aug 26, 2021

2. speaker ߊ಴੗ ࣗѐ Byungjin Park · posquit0.com · posquit0 Copyright

   © 2021 All Rights Reserved. ߅߽૓ / @posquit0 / ௿۽٘ (Claud) (അ) Site Reliability Engineer @ ׼Ӕಕ੉ (੹) Director of Infrastructure Division @ ஠ࢎ௏ܻই (੹) Software Architect @ ১פযझ 
 (੹) Co-founder & Software Engineer @ ஠೒ۖ Ҵઁ೧ఊ؀ഥ DEFCON CTF ࠄࢶ 6ഥ ૓୹ ೞद௏೐ ೠҴ ࢎਊ੗ ݽ੐ ਍৔ ೠҴ੄ য়೑ࣗझ ઺ GitHub 10,000ѐ ੉࢚੄ झఋܳ ߉਷ ೐۽ં౟

3. Byungjin Park · posquit0.com · posquit0 Copyright © 2021 All

   Rights Reserved. intro

4. intro Byungjin Park · posquit0.com · posquit0 Copyright © 2021

   All Rights Reserved. ׼Ӕಕ੉ ׼Ӕ݃௄੄ ઱ਃ ࢎਊ੗ੋ ૑৉઱޹җ ز֎࢚ӂ੄ ࠛಞೣਸ ೧ѾೞҊ੗ ೧ਃ. ׼Ӕ݃௄ ೒ۖಬ ղ ׼Ӕݠפܳ ഝਊೠ рಞ ࣠Ә ઁҕ ز֎࢚ӂীࢲ ׼Ӕಕ੉ рಞѾઁ ઁҕ ׼Ӕಕ੉ח ׼Ӕ݃௄җ ߹ب ߨੋਵ۽ ੹੗Әਲ਼ ۄ੉ࣃझ ஂٙ ੺ରܳ ૓೯ ઺ী ੓যਃ. ੹੗Әਲ਼ ࢲ࠺झ ਍৔ী AWS ௿ۄ਋٘ܳ ࢎਊೞӝਤೠ ୶о ੺ର ૓೯઺ ੹੗Әਲ਼хةӏ੿ ߂ Әਲ਼ӂ ௿ۄ਋٘ ࢲ࠺झ ੉ਊ о੉٘ ١੄ ஹ೒ۄ੉঱झ ળࣻ ೙ਃ

5. intro Byungjin Park · posquit0.com · posquit0 Copyright © 2021

   All Rights Reserved. ੹੗Әਲ਼স੄ ֎౟ਕ௼ ࠁউ ݎ ܻ࠙ Client VPN MFA In-transit Encryption ݎ ো҅ mTLS Site-to-Site VPN Auditing ੹ਊࢶ োѾ Firewall ৻ࠗ ੋఠ֔ ాઁ

6. intro Byungjin Park · posquit0.com · posquit0 Copyright © 2021

   All Rights Reserved. ੹੗Әਲ਼স੄ ֎౟ਕ௼ ࠁউ ݎ ܻ࠙ Client VPN MFA In-transit Encryption ݎ ো҅ mTLS Site-to-Site VPN Auditing ੹ਊࢶ োѾ Firewall ৻ࠗ ੋఠ֔ ాઁ

7. intro Byungjin Park · posquit0.com · posquit0 Copyright © 2021

   All Rights Reserved. AWS VPC ࢚੄ ݎ ো҅ ޙઁ ݾ੸ী ٮۄ ܻ࠙ ػ ৈ۞ VPCܳ যڌѱ োѾೡ ࣻ ੓ਸө? ѐߊ੗о VPC੄ Private ৔৉ী ੽Ӕೡ ࣻ ੓ب۾ ઁҕೞ۰ݶ? AWS VPCীࢲ ੋఠ֔ਸ ాೞ૑ ঋҊ S3, ECR, KMS ١੄ ࢲ࠺झܳ ഐ୹ೡ ࣻ হਸө? ࢎޖप ֎౟ਕ௼৬ AWS VPCܳ উ੹ೞѱ োѾೞҊ र਷ؘ? ؀৻ӝҙҗ दझమ ো҅ܳ ೧ঠೞחؘ যڌѱ ೞ૑?

8. intro Byungjin Park · posquit0.com · posquit0 Copyright © 2021

   All Rights Reserved. AWS VPC ࢚੄ ݎ ো҅ ޙઁ ݾ੸ী ٮۄ ܻ࠙ ػ ৈ۞ VPCܳ যڌѱ োѾೡ ࣻ ੓ਸө? ѐߊ੗о VPC੄ Private ৔৉ী ੽Ӕೡ ࣻ ੓ب۾ ઁҕೞ۰ݶ? AWS VPCীࢲ ੋఠ֔ਸ ాೞ૑ ঋҊ S3, ECR, KMS ١੄ ࢲ࠺झܳ ഐ୹ೡ ࣻ হਸө? ࢎޖप ֎౟ਕ௼৬ AWS VPCܳ উ੹ೞѱ োѾೞҊ र਷ؘ? ؀৻ӝҙҗ दझమ ো҅ܳ ೧ঠೞחؘ যڌѱ ೞ૑? AWS PrivateLink !!

9. intro Byungjin Park · posquit0.com · posquit0 Copyright © 2021

   All Rights Reserved. ؀৻ӝҙ दझమ ো҅ ߑߨ AWS VPC <=> AWS VPC ࢚ടੋ ҃਋ AWS VPC <=> ৡ೐ۨ޷झ ࢚ടੋ ҃਋ AWS VPC Peering / AWS PrivateLink / AWS Site-to-Site VPN / AWS Transit Gateway Software VPN AWS Direct Connect / AWS Site-to-Site VPN / AWS Transit Gateway Software VPN

10. Byungjin Park · posquit0.com · posquit0 Copyright © 2021 All

    Rights Reserved. concept

11. concept Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. AWS PrivateLink A highly available, scalable technology that enables you to privately connect your VPC to 
 supported AWS services, services hosted by other AWS accounts (VPC endpoint services), 
 and supported AWS Marketplace partner services. AWS VPC৬ ؀࢚ ࢲ࠺झ р উ੹ೠ োѾਸ ਤೠ ӝࣿ Ҋоਊࢿ (High Availability) ߂ ഛ੢ࢿ (Scalability) ઁҕ ૑ਗೞח ؀࢚ ࢲ࠺झ - AWS ࢲ࠺झ (S3, ECR, KMS ١) - ׮ܲ AWS ҅੿ ࢚ীࢲ ઁҕೞח ࢲ࠺झ (VPC Endpoint Service) - AWS ݃௄೒ۨ੉झ ࢚੄ ౵౟ց ࢲ࠺झ

12. concept Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. PrivateLink ҳࢿਃࣗ AWS PrivateLink Endpoint Endpoint Service Interface Endpoint Gateway Endpoint Gateway Load Balancer Endpoint (ࢲ࠺झ ࣗ࠺੗) (ࢲ࠺झ ઁҕ੗)

13. concept Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ѱ੉౟ਝ੉ ূ٘ನੋ౟ (Gateway Endpoint) ۄ਋౴ ӏ஗ਸ ాೠ AWS ࢲ࠺झী ࢎࢸ ੽Ӕ AWS Managed Pre fi x Listܳ ੉ਊೞৈ ۄ਋౴ ӏ஗ ҙܻ ೧׼ ۄ਋౴ ӏ஗੉ ੸ਊػ ࢲ࠳֔ী݅ PrivateLink ੸ਊ AWS S3 / DynamoDB ࢲ࠺झ݅ ૑ਗ Ӓ৻ ࢲ࠺झח ੉ਊࠛо ܻࣗझ ੿଼ਸ ా೧ ࣁ޻ೠ ੽Ӕઁয оמ ূ٘ನੋ౟ ੿଼ / S3 ߡఉ ੿଼ ١ ഝਊ оמ

14. concept Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ੋఠಕ੉झ ূ٘ನੋ౟ (Interface Endpoint) ֎౟ਕ௼ ੋఠಕ੉झܳ ా೧ ࢎࢸ IP ࠗৈ ؀࢚ ࢲ࠺झী ؀ೠ ENIܳ ਗೞח ࢲ࠳֔ী ࢤࢿ (Multi-AZ ૑ਗ) ׮নೠ ؀࢚ ࢲ࠺झী ؀೧ ੉ਊ оמ 90ѐ ੉࢚੄ AWS ࢲ࠺झ ૑ਗ ূ٘ನੋ౟ ࢲ࠺झܳ ా೧ ׮ܲ AWS ҅੿ ࢲ࠺झ োѾ ૑ਗ AWS ݃௄೒ۨ੉झ ࢲ࠺झ ૑ਗ ࠁউӒܛҗ NACLਸ ా೧ ࣁ޻ೠ ੽Ӕઁয оמ ENI੄ ࠁউӒܛ ߂ ೧׼ ࢲ࠳֔੄ NACLਸ ా೧ IP ੽Ӕઁয ূ٘ನੋ౟ ܻࣗझ ੿଼਷ ౠ੿ AWS ࢲ࠺झٜ݅ ૑ਗ ূ٘ನੋ౟ بݫੋ ߂ ࢎࢸ بݫੋ ૑ਗ AZ ߹ بݫੋ ߂ ࢲ࠺झ بݫੋ ӝࠄ ઁҕ / ࢎࢸ بݫੋ (ࢶఖ)

15. concept Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ূ٘ನੋ౟ ࢲ࠺झ (Endpoint Service)

16. concept Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ূ٘ನੋ౟ ࢲ࠺झ (Endpoint Service) ׮ܲ AWS ҅੿ীѱ ࢲ࠺झ ઁҕ ݾ੸ ࢲ࠺झ ઁҕ੗(Service Provider) 
 : ֎౟ਕ௼ ۽٘ߖ۠ࢲ(NLB) ഑਷ ѱ੉౟ਝ੉ ۽٘ߖ۠ࢲ(GWLB)ী ؀ೞৈ ূ٘ನੋ౟ ࢲ࠺झ ࢤࢿ ࢲ࠺झ ࣗ࠺੗(Service Consumer) / Principal 
 : ੋఠಕ੉झ ূ٘ನੋ౟ ഑਷ ѱ੉౟ਝ੉ ۽٘ߖ۠ࢲ ূ٘ನੋ౟ ࢤࢿ ࢎࢸ بݫੋ ઁҕ оמ ࢲ࠺झ ࣗ࠺੗о PrivateDNS ӝמਸ ഝࢿചೡ ҃਋ ೧׼ ࢎࢸ بݫੋਸ ૕੄ оמ بݫੋ ࣗਬӂ ੋૐ ೙ਃ *.company.com җ э਷ ৬ੌ٘஠٘ بݫੋ ೲਊ

17. Byungjin Park · posquit0.com · posquit0 Copyright © 2021 All

    Rights Reserved. problem solving

18. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. য়੉݃௄ (৘द) AWSীࢲ EC2 ӝ߈ਵ۽ ࢲ࠺झ ਍৔઺ ࢲ࠺झ ਕ௼۽٘ח Private ࢲ࠳֔ীࢲ ਍৔ VPC ৻ࠗ੄ AWS ࢲ࠺झ(KMS, ECR, Secrets Manager) ੉ਊ઺

19. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. 1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁ “ੋఠ֔ ݎਸ ాೞ૑ ঋҊ AWS ࢲ࠺झ৬ ాन೧ঠ ೤פ׮.”

20. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. 1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁ ੋఠಕ੉झ ূ٘ನੋ౟ ࢤࢿ - AWS ࢲ࠺झ৬੄ ాन੉ NAT GWܳ Ѣ஖૑ ঋҊ ࢎࢸ IP۽ ాन - ѱ੉౟ਝ੉ ূ٘ನੋ౟ח S3, DynamoDBী ؀೧ࢲ݅ ҳࢿ оמ - ূ٘ನੋ౟ ࢤࢿ द PrivateDNS ӝמ ഝࢿച - PrivateDNSܳ ഝࢿചೞ૑ ঋਵݶ п ࢲ࠺झ(KMS, ECR ١)৬ ాन द 
 ূ٘ನੋ౟ URL ૑੿ ೙ਃ $ aws secretsmanager list-secrets —endpoint-url https://vpce-xx.secretsmanager.us-west-2.vpce.amazonaws.com

21. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. 1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁ PrivateLink ੸ਊ ੹ PrivateLink ੸ਊ റ

22. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. 1. VPC ࢚ীࢲ AWS ࢲ࠺झ ాन ޙઁ

23. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. 2. AWSܳ ੉ਊೞח ؀৻ӝҙҗ दझమ ো҅ “؀৻ӝҙ੄ APIܳ ੉ਊೞҊ੗ ೤פ׮. ೧׼ APIח ޹хೠ ؘ੉ఠо য়оӝ ٸޙী ࠁউ੉ ೙ਃ೤פ׮. 
 ݅ড ੉Ҕب AWS ࢚ী ࢲ࠺झܳ ਍৔઺੉ۄݶ?”

24. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. 2. AWSܳ ੉ਊೞח ؀৻ӝҙҗ दझమ ো҅ (VPC Peering) VPC ੿ࠁ ֢୹ ࢲ࠳֔ ױਤ੄ োѾ ਬز IP ജ҃ীࢲ ੽Ӕઁযо ө׮۽਑ 
 ۄ਋౟ ప੉࠶ / NACL ҙܻ ੉ग

25. problem solving Byungjin Park · posquit0.com · posquit0 Copyright ©

    2021 All Rights Reserved. 2. AWSܳ ੉ਊೞח ؀৻ӝҙҗ दझమ ো҅ (PrivateLink) VPC ੿ࠁ ֢୹ೞ૑ ঋ਺ ࢤࢿػ ENI੄ ࠁউӒܛਸ ా೧ ੽Ӕઁয ۄ਋౟ ప੉࠶ / NACL ҙܻ ੉ग হ਺

26. Byungjin Park · posquit0.com · posquit0 Copyright © 2021 All

    Rights Reserved. troubleshooting

27. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. NLB Multi-AZ ੉ग ࢲ࠺झ ઁҕ੗ AWS az1 / az2 / az3 оਊ৔৉ ࢎਊ పझ౟ਊ ਕ௼۽٘ܳ ASG۽ 1؀ ҳࢿೞ৓ਵա az3ী ߓನؽ ࢲ࠺झ ࣗ࠺੗ AWS az1 / az2 оਊ৔৉ ࢎਊ PrivateLink ࢲ࠺झ ઁҕ੗о NLB੄ 
 Cross-zone Load Balancing ӝמਸ ࠺ഝࢿചೠ ҃਋ ࢲ࠺झ ઁҕ੗੄ az3 ਕ௼۽٘ী ౟ې೗੉ ੹׳غ૑ ঋই 
 Empty reply from server য়ܨ ߊࢤ => নஏ੄ AZܳ ࢎ੹ী ੜ Ҋ۰ೞѢա, ௼۽झ ઓ ӝמ ഝࢿച ೙ਃ

28. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. NLB Multi-AZ ੉ग

29. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৈ۞ VPC ਍৔ द ੉ग “ৈ۞ VPCо ೧׼ ࢲ࠺झী ੽Ӕ೧ঠ ೠ׮ݶ?”

30. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৈ۞ VPC ਍৔ द ੉ग “VPC Peeringਵ۽ ೧Ѿೡ ࣻ ੓૑ ঋਸө?”

31. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৈ۞ VPC ਍৔ द ੉ग VPCী ENIо ࢤࢿغয VPC ࢎࢸ IPܳ ೡ׼ ߉਷ ࢚కۄ ాन оמ But, ੋఠಕ੉झ ূ٘ನੋ౟о ઁҕೞח ূ٘ನੋ౟ بݫੋҗ ࢎࢸ بݫੋ਷ ࢎਊ ࠛо “VPC Peeringਵ۽ ೧Ѿೡ ࣻ ੓૑ ঋਸө?”

32. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৈ۞ VPC ਍৔ द ੉ग “Ӓր п VPC݃׮ ઺ࠂਵ۽ ٜ݅ө?”

33. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৈ۞ VPC ਍৔ द ੉ग ૑Ә ׼੢ ޙઁ ೧Ѿ਷ оמ But, ࢜۽਍ VPCо ҅ࣘ ٜ݅য૕ ٸ݃׮ ҙܻ ࠗ׸ / ҙܻನੋ౟о ݆ইઉ ഛ੢ࢿ੉ ڄয૗ “Ӓր п VPC݃׮ ઺ࠂਵ۽ ٜ݅ө?”

34. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৈ۞ VPC ਍৔ द ੉ग “PrivateDNS੄ بݫੋݺਸ Route53 Private Hosted Zoneਸ ੉ਊ೧ ૒੽ ഐझ౴ೠ׮ݶ?”

35. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৈ۞ VPC ਍৔ द ੉ग “PrivateDNS੄ بݫੋݺਸ Route53 Private Hosted Zoneਸ ੉ਊ೧ ૒੽ ഐझ౴ೠ׮ݶ?”

36. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৡ೐ۨ޷झ بݫੋ ૕੄ ੉ग “ৡ೐ۨ޷झ ࢚ীࢲب بݫੋ ੽Ӕ੉ ೙ਃೞ׮ݶ?”

37. troubleshooting Byungjin Park · posquit0.com · posquit0 Copyright © 2021

    All Rights Reserved. ৡ೐ۨ޷झ بݫੋ ૕੄ ੉ग “Route53੄ Inbound Resolverܳ ా೧ DNS ਃ୒ਸ ನਕ٬೧ࠁ੗!”

38. summary ࣁ ઴ ਃড Byungjin Park · posquit0.com · posquit0

    Copyright © 2021 All Rights Reserved. AWS PrivateLinkܳ ࢎਊೞݶ ݎ ো҅ী ੓য উ੹ೞҊ ഛ੢ࢿ ੓ח ֎౟ਕ௼ ҳࢿਸ оઉ т ࣻ ੓যਃ. AWS PrivateLink ࢲ࠺झ ઁҕ੗੄ AZ ҳࢿҗ NLB Cross-zone Load Balancing ২࣌ਸ ઱੄೧ঠ ೧ਃ. PrivateLinkܳ ৈ۞ VPC৬ ৡ೐ۨ޷झী ా೤ ੸ਊೞҊ र׮ݶ Route53 ӝמਸ ഝਊೡ ࣻ ੓যਃ. ݃૑݄ਵ۽…

39. ࣻಣ੸ੋ ࣗా — ૒ә X / ৔য੉ܴ / न܉৬ ୽ج

    / ైݺೠ ੿ࠁ ҕਬ ੗ਯҗ ଼੐ — מز੸ সޖ ࣻ೯ / ੗ਯ੸ ౸ױ ૌѩѱ ࢿ੢ — աࠁ׮ ڪযդ زܐ / ౱ ਕ௼ / ૌѢ਑ ࢎਊ੗ ઺ब ࢎҊ — ࢎਊ੗ о஖ ୭਋ࢶ / ࢎਊ੗৬ ੿ࢲ੸ োѾ recruiting ੄ ୡӝ ੿৘ ݯߡ۽ ೣԋ ೡ ѐߊ੗ܳ ଺ইਃ Byungjin Park · posquit0.com · posquit0 Copyright © 2021 All Rights Reserved. ੗ࣁೠ ղਊ਷ daangn.teamਸ ߑޙ೧઱ࣁਃ! :) Ѿઁ/੿࢑౱ ࢲߡ ѐߊ੗ (Java, Kotlin) ׼Ӕಕ੉ рಞѾઁ ࢲ࠺झ ѐߊ ݠפ౱ ࢲߡ ѐߊ੗ (Java, Kotlin) ׼Ӕݠפ ߂ ਬ੷ ҙܻ ࢲ࠺झ ѐߊ ؘ࠳২झ ূ૑פয(?) 4࠙ӝ ଻ਊ য়೑ ৘੿ ਋ܻח ੉ۧѱ ੌ೧ਃ ഌఖ ߂ ࠂ૑ ੗ਬ۽਍ ോо / ਬো ୹ృӔ ߂ ੤ఖӔޖ / धࢎ ߂ ׮নೠ рध ઁҕ झగ٬ ؘझ௼ or ೲݢ޻۞ ੄੗ ઁҕ / بࢲ ҳݒ ߂ Үਭ࠺ ૑ਗ

40. Byungjin Park · posquit0.com · posquit0 Copyright © 2021 All

    Rights Reserved. End of Document Visit my AMA (https://github.com/posquit0/ama) for any question!