Virtual Private Cloud (VPC) scenario

    You can build Virtual Private Cloud (VPC) on NAVER Cloud Platform in a variety of ways, depending on your network environment. Major usage scenarios are as follows.

    Creation of single public subnet

    The creation of a single public subnet scenario is recommended if you'd like to run public web applications on a single tier, such as blogs or simple websites. The configuration is as follows.

(Figure: vpc-procedure-vpc_scene1_vpc)

    The following is the procedure to implement this scenario.

    1. Create VPC
    2. Create public subnet
    3. Set network ACL
    4. Set route table
    5. Create server

    1. Create VPC

    First of all, create a VPC on the NAVER Cloud Platform console. You can create it on the console's Services > Networking > VPC menu. The IPv4 CIDR block size of a VPC is /16 (e.g., 10.0.0.0/16), and 65,536 IPs can be used.
    You can refer to the following guide:

    2. Create public subnet

Once you've created the VPC, build a subnet within the VPC so the network can actually be used. You can set up a public subnet for internet communication. Up to 256 IPs can be used (/24), and each server placed in this subnet can have one public IP attached (1:1 NAT).
    You can refer to the following guide:

    3. Set network ACL

Once you've created the subnet, set a network Access Control List (ACL) for security; it controls inbound and outbound traffic for the subnet.
    You can refer to the following guide:

    In this scenario, the following settings are recommended for network ACL.

• Inbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 0.0.0.0/0 | 80 | Allow | Inbound HTTP traffic allowed
2 | TCP | 0.0.0.0/0 | 443 | Allow | Inbound HTTPS traffic allowed
3 | TCP | Connector IP | 22 | Allow | Inbound SSH traffic via internet gateway from connector IP allowed
4 | TCP | Connector IP | 3389 | Allow | Inbound RDP traffic via internet gateway from connector IP allowed
5 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Inbound return traffic against requests from subnets allowed (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Outbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 0.0.0.0/0 | 80 | Allow | Outbound HTTP traffic allowed
2 | TCP | 0.0.0.0/0 | 443 | Allow | Outbound HTTPS traffic allowed
3 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Outbound response to client on internet allowed (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above
    Note

It is recommended to apply the same settings as the network ACL to the Access Control Group (ACG), which controls inbound/outbound server traffic. ACG can be configured in the console's Services > Compute > Server > ACG. For more details, refer to the ACG settings guide.

    4. Set route table

    Once you've completed configuring the network ACL, configure a route table which sets the network path. In this scenario, the route table is automatically configured as follows, so the server can communicate with other instances in the VPC or the internet.

Destination | Target type | Target name
0.0.0.0/0 | IGW | INTERNET GATEWAY
10.0.0.0/16 | LOCAL | LOCAL

    You can refer to the following guide:

    5. Create server

Once you've completed setting the route table, create a server in the VPC you created. When creating the server, select the VPC and subnet created earlier, and apply the ACG described above. Once the server has been created, connect to it, set up a web server, and check that HTTP communication works.
    You can refer to the following guide:

    Creation of public subnet and private subnet

    The creation of public subnet and private subnet scenario is recommended if you'd like to run public web applications while blocking public access to private servers (e.g., DB). The configuration is as follows.

(Figure: vpc-procedure-vpc_scene2_vpc)

    The following is the procedure to implement this scenario.

    1. Create VPC
    2. Create public subnet and private subnet
    3. Set network ACL
    4. Set public subnet route table
    5. Create NAT Gateway
    6. Set private subnet route table
    7. Create servers

    1. Create VPC

    First of all, create a VPC on the NAVER Cloud Platform console. You can create it on the console's Services > Networking > VPC menu. The IPv4 CIDR block size of a VPC is /16 (e.g., 10.0.0.0/16), and up to 65,535 IPs can be used.
    You can refer to the following guide:

2. Create public subnet and private subnet

Once you've created the VPC, build subnets within the VPC so the network can actually be used. Subnets fall into two main categories: public subnets and private subnets.

• Public subnet: Up to 256 IPs can be used by setting the subnet's CIDR to 10.0.0/24. Each server placed in this subnet can have one public IP attached (1:1 NAT).
• Private subnet: Up to 256 IPs can be used by setting the subnet's CIDR to 10.0.0/24. Servers placed in this subnet do not receive traffic from the internet. If you add a NAT Gateway to it, sending and receiving traffic via the internet becomes possible.

    You can refer to the following guide:

    3. Set network ACL

Once you've created the subnets, set a network Access Control List (ACL) for security; it controls inbound and outbound traffic for each subnet.
    You can refer to the following guide:

    In this scenario, the following settings are recommended for network ACL.

• Public Subnet: Inbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 0.0.0.0/0 | 80 | Allow | Inbound HTTP traffic allowed
2 | TCP | 0.0.0.0/0 | 443 | Allow | Inbound HTTPS traffic allowed
3 | TCP | Connector IP | 22 | Allow | Inbound SSH traffic via internet gateway from connector IP allowed
4 | TCP | Connector IP | 3389 | Allow | Inbound RDP traffic via internet gateway from connector IP allowed
5 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Inbound return traffic against requests from subnets allowed (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Public Subnet: Outbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 0.0.0.0/0 | 80 | Allow | Outbound HTTP traffic allowed
2 | TCP | 0.0.0.0/0 | 443 | Allow | Outbound HTTPS traffic allowed
3 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Outbound response to client on internet allowed (the input value is an example.)
4 | TCP | Private server's private IP | Private server port (e.g., DB) | Allow | Traffic to communicate with private server allowed
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Private Subnet: Inbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | Public subnet server's private IP | Private server port (e.g., DB) | Allow | Traffic to communicate with public server allowed
2 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Inbound return traffic against requests sent via the internet (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Private Subnet: Outbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | Public subnet server's private IP | 32768-65535 | Allow | Outbound response from public server to private server allowed (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above
    Note

It is recommended to apply the same settings as the network ACL to the Access Control Group (ACG), which controls inbound/outbound server traffic. ACG can be configured in the console's Services > Compute > Server > ACG. For more details, refer to the ACG settings guide.
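The network ACL tables in the single-subnet scenario and in this scenario only say what each rule is meant to do; walking a few concrete packets through them shows what the ordered rule set actually decides. The following Python script is an added example, not code from this guide or from NAVER Cloud Platform. It encodes this scenario's "Public Subnet: Inbound" table (the single-subnet scenario's inbound table is identical) and its "Private Subnet: Inbound" table and evaluates sample packets against them. It assumes rules are checked from the lowest priority number upwards with the first match deciding; the connector IP, the server addresses, the DB port and the internet host are constructed sample values that do not appear in this guide.

```python
"""Walk sample packets through the recommended network ACL tables.

Added example, not code from this guide or from NAVER Cloud Platform.
Assumed: rules are checked from the lowest priority number upwards and the
first match decides; the connector IP, server addresses and DB port below
are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class AclRule:
    priority: int
    protocol: str      # "TCP", "UDP" or "ICMP", as in the table
    source: str        # "Access source" column, as a CIDR
    ports: PortRange   # inclusive (low, high); None for ICMP ("-")
    allow: bool


def parse_ports(spec: str) -> PortRange:
    """Turn a table 'Port' cell ('80', '32768-65535' or '-') into a range."""
    if spec == "-":
        return None
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def rule(priority: int, proto: str, src: str, ports: str, action: str) -> AclRule:
    return AclRule(priority, proto, src, parse_ports(ports), action == "Allow")


# Constructed sample addresses (RFC 5737 documentation ranges), not page values.
CONNECTOR_IP = "203.0.113.10/32"    # the administrator's "Connector IP"
PUBLIC_SERVER = "10.0.0.10/32"      # web server in the public subnet
DB_PORT = "3306"                    # assumed "Private server port (e.g., DB)"

# "Public Subnet: Inbound" (the single-subnet scenario's table is identical).
PUBLIC_INBOUND = [
    rule(1, "TCP", "0.0.0.0/0", "80", "Allow"),
    rule(2, "TCP", "0.0.0.0/0", "443", "Allow"),
    rule(3, "TCP", CONNECTOR_IP, "22", "Allow"),
    rule(4, "TCP", CONNECTOR_IP, "3389", "Allow"),
    rule(5, "TCP", "0.0.0.0/0", "32768-65535", "Allow"),   # return traffic
    rule(197, "TCP", "0.0.0.0/0", "1-65535", "Deny"),
    rule(198, "UDP", "0.0.0.0/0", "1-65535", "Deny"),
    rule(199, "ICMP", "0.0.0.0/0", "-", "Deny"),
]

# "Private Subnet: Inbound".
PRIVATE_INBOUND = [
    rule(1, "TCP", PUBLIC_SERVER, DB_PORT, "Allow"),
    rule(2, "TCP", "0.0.0.0/0", "32768-65535", "Allow"),   # replies via NAT GW
    rule(197, "TCP", "0.0.0.0/0", "1-65535", "Deny"),
    rule(198, "UDP", "0.0.0.0/0", "1-65535", "Deny"),
    rule(199, "ICMP", "0.0.0.0/0", "-", "Deny"),
]

Verdict = Tuple[str, Optional[int]]   # ("Allow"/"Deny", priority of the match)


def evaluate(rules: List[AclRule], proto: str, src_ip: str,
             dst_port: Optional[int]) -> Verdict:
    """First matching rule in ascending priority order decides; a packet that
    no rule matches is denied and reported with priority None."""
    addr = ip_address(src_ip)
    for r in sorted(rules, key=lambda x: x.priority):
        if r.protocol != proto or addr not in ip_network(r.source):
            continue
        if r.ports is not None and (
                dst_port is None or not r.ports[0] <= dst_port <= r.ports[1]):
            continue
        return ("Allow" if r.allow else "Deny"), r.priority
    return "Deny", None


def audit() -> Dict[str, Verdict]:
    """Representative packets a reviewer would check against both tables."""
    internet = "198.51.100.7"              # constructed arbitrary internet host
    no_rule_2 = [r for r in PRIVATE_INBOUND if r.priority != 2]
    return {
        "http_from_internet": evaluate(PUBLIC_INBOUND, "TCP", internet, 80),
        "ssh_from_internet": evaluate(PUBLIC_INBOUND, "TCP", internet, 22),
        "ssh_from_connector": evaluate(PUBLIC_INBOUND, "TCP", "203.0.113.10", 22),
        "udp_reply_from_internet": evaluate(PUBLIC_INBOUND, "UDP", internet, 40000),
        "ping_from_internet": evaluate(PUBLIC_INBOUND, "ICMP", internet, None),
        "db_from_public_server": evaluate(PRIVATE_INBOUND, "TCP", "10.0.0.10", 3306),
        "db_from_internet": evaluate(PRIVATE_INBOUND, "TCP", internet, 3306),
        "ssh_from_public_server": evaluate(PRIVATE_INBOUND, "TCP", "10.0.0.10", 22),
        # Replies to the DB server's own outbound requests (through the NAT
        # Gateway) land on high ports; rule 2 is what lets them back in.
        "nat_reply_with_rule_2": evaluate(PRIVATE_INBOUND, "TCP", internet, 50000),
        "nat_reply_without_rule_2": evaluate(no_rule_2, "TCP", internet, 50000),
    }


if __name__ == "__main__":
    for name, (decision, prio) in audit().items():
        print(f"{name:26s} -> {decision:5s} (rule {prio})")
```

The sweep makes two things visible that the tables only imply. First, the explicit return-traffic rules (priority 5 in the public table, priority 2 in the private table) are what let replies to the servers' own outbound requests back in: the `nat_reply_without_rule_2` case shows that, with rule 2 removed, those replies are caught by the priority 197 deny. Second, the tables as written admit no inbound UDP at all (`udp_reply_from_internet` is denied by rule 198), so if a server needs UDP replies, for example for name resolution, a matching return-traffic rule has to be added alongside the TCP one.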

    4. Set public subnet route table

    Once you've completed configuring the network ACL, configure a route table which sets the network path. In this scenario, the public subnet route table is automatically configured as follows, so the server can communicate with other instances in the VPC or the internet.

Destination | Target type | Target name
0.0.0.0/0 | IGW | INTERNET GATEWAY
10.0.0.0/16 | LOCAL | LOCAL

    You can refer to the following guide:

    5. Create NAT Gateway

    Create a NAT Gateway to connect servers in a private subnet to the internet.
    You can refer to the following guide:

    6. Set private subnet route table

Only the local entry is configured automatically in the private subnet route table, so you have to add the NAT Gateway's network path yourself. If communication with the entire internet is required, enter 0.0.0.0/0 as the destination and configure as follows.

Destination | Target type | Target name
0.0.0.0/0 | NATGW | The NAT Gateway name set
10.0.0.0/16 | LOCAL | LOCAL

    You can refer to the following guide:

    7. Create server

Once you've completed setting the route tables, create the servers in the VPC you created. When creating each server, select the VPC and subnet created earlier, and apply the ACG described above. Once a server has been created, connect to it, set up a web server, and check that HTTP communication works.
    You can refer to the following guide:

    Creation of public subnet and private subnet for on-premise connection

    The creation of public subnet and private subnet for on-premise connection scenario is recommended if you'd like to run public web applications while communicating with the customer's business place. The configuration is as follows.

(Figure: vpc-procedure-vpc_scene3_vpc)

    The following is the procedure to implement this scenario.

    1. Create VPC
    2. Create public subnet and private subnet
    3. Set network ACL
    4. Set public subnet route table
    5. Create Virtual Private Gateway
    6. Create IPsec VPN
    7. Set private subnet route table
    8. Create server

    1. Create VPC

    First of all, create a VPC on the NAVER Cloud Platform console. You can create it on the console's Services > Networking > VPC menu. The IPv4 CIDR block size of a VPC is /16 (e.g., 10.0.0.0/16), and 65,536 IPs can be used.
    You can refer to the following guide:

2. Create public subnet and private subnet

Once you've created the VPC, build subnets within the VPC so the network can actually be used. Subnets fall into two main categories: public subnets and private subnets.

• Public subnet: Up to 256 IPs can be used by setting the subnet's CIDR to 10.0.0/24. Each server placed in this subnet can have one public IP attached (1:1 NAT).
• Private subnet: Up to 256 IPs can be used by setting the subnet's CIDR to 10.0.0/24. Servers placed in this subnet do not receive traffic from the internet. If you add a NAT Gateway to it, sending and receiving traffic via the internet becomes possible.

    You can refer to the following guide:

    3. Set network ACL

Once you've created the subnets, set a network Access Control List (ACL) for security; it controls inbound and outbound traffic for each subnet.
    You can refer to the following guide:

    In this scenario, the following settings are recommended for network ACL.

• Public Subnet: Inbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 0.0.0.0/0 | 80 | Allow | Inbound HTTP traffic allowed
2 | TCP | 0.0.0.0/0 | 443 | Allow | Inbound HTTPS traffic allowed
3 | TCP | Connector IP | 22 | Allow | Inbound SSH traffic via internet gateway from connector IP allowed
4 | TCP | Connector IP | 3389 | Allow | Inbound RDP traffic via internet gateway from connector IP allowed
5 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Inbound return traffic against requests from subnets allowed (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Public Subnet: Outbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 0.0.0.0/0 | 80 | Allow | Outbound HTTP traffic allowed
2 | TCP | 0.0.0.0/0 | 443 | Allow | Outbound HTTPS traffic allowed
3 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Outbound response to client on internet allowed (the input value is an example.)
4 | TCP | Private server's private IP | Private server port (e.g., DB) | Allow | Traffic to communicate with private server allowed
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Private Subnet: Inbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | Public subnet server's private IP | Private server port (e.g., DB) | Allow | Traffic to communicate with public server allowed
2 | TCP | Customer server's private IP | Customer server port | Allow | Traffic to communicate with customer's on-premise server allowed
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Private Subnet: Outbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | Public subnet server's private IP | 32768-65535 | Allow | Outbound response from public server to private server allowed (the input value is an example.)
2 | TCP | Customer server's private IP | Customer server port | Allow | Traffic to communicate with customer's on-premise server allowed
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above
    Note

It is recommended to apply the same settings as the network ACL to the Access Control Group (ACG), which controls inbound/outbound server traffic. ACG can be configured in the console's Services > Compute > Server > ACG. For more details, refer to the ACG settings guide.

    4. Set public subnet route table

    Once you've completed configuring the network ACL, configure a route table which sets the network path. In this scenario, the public subnet route table is automatically configured as follows, so the server can communicate with other instances in the VPC or the internet.

Destination | Target type | Target name
0.0.0.0/0 | IGW | INTERNET GATEWAY
10.0.0.0/16 | LOCAL | LOCAL

    You can refer to the following guide:

    5. Create Virtual Private Gateway

    Create a Virtual Private Gateway to connect servers in a private subnet to customer's on-premise server.
    You can refer to the following guide:

    6. Create IPsec VPN

To create a managed IPsec VPN, fill in a subscription request form and submit it via the sales representative in charge or a customer inquiry.
The subscription request form can be downloaded from the portal's Support > Library.
Proceed with the following steps once you receive confirmation that the subscription has started.
(Currently, the subscription is started manually after the form is received. We plan to launch an automated product soon.)

    7. Set private subnet route table

    Only local items are automatically configured for the private subnet route table, so you have to set the Virtual Private Gateway's network path separately. You can use the customer's on-premise server as the destination and configure as follows.

Destination | Target type | Target name
Customer server's private IP | VGW | The Virtual Private Gateway name set
10.0.0.0/16 | LOCAL | LOCAL

    You can refer to the following guide:

    8. Create server

Once you've completed setting the route tables, create the servers in the VPC you created. When creating each server, select the VPC and subnet created earlier, and apply the ACG described above. Once a server has been created, connect to it, set up a web server, and check that HTTP communication works.
    You can refer to the following guide:

    Inter-VPC private network (peering) configuration

This scenario is recommended if you would like to set up a private communication channel between two different VPCs. Communication between VPCs is possible via public IPs as it is; however, a private network is built for security and stability.
    This scenario is based on a situation where a connection is to be set up between VPC A with Subnets A and B, and VPC B with Subnets C and D. The configuration is as follows.
(Figure: vpc-procedure-vpc_scene4_vpc)

    The following is the procedure to implement this scenario.

    1. Create VPC
    2. Create subnet
    3. Set network ACL
    4. Create VPC peering
    5. Set route table
    6. Create server

    Caution

    When configuring network ACL and route table, the configuration method may slightly vary including how you enter the IP range information for the VPC on the other side.

    1. Create VPC

First of all, create two VPCs on the NAVER Cloud Platform console. You can create them on the console's Services > Networking > VPC menu. The IPv4 CIDR block size of each VPC is /16 (e.g., 10.0.0.0/16), and 65,536 IPs can be used.
    You can refer to the following guide:

    2. Create subnet

Once you've created the VPCs, build subnets within each VPC so the network can actually be used. Subnets fall into two main categories: public subnets and private subnets.

• Public subnet: Up to 256 IPs can be used by setting the subnet's CIDR to 10.0.0/24. Each server placed in this subnet can have one public IP attached (1:1 NAT).

• Private subnet: Up to 256 IPs can be used by setting the subnet's CIDR to 10.0.0/24. Servers placed in this subnet do not receive traffic from the internet. If you add a NAT Gateway to it, sending and receiving traffic via the internet becomes possible.

    • Subnet creation guide

    3. Set network ACL

    Set network Access Control List (ACL) to control inbound and outbound traffic for the subnet. The subnet in the VPC that will request peering needs to set network ACL to allow traffic to the VPC on the other side.
    You can refer to the following guide:

    In this scenario, the following settings are recommended for network ACL.

• Inbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 172.16.0.0/16 | 1-65535 | Allow | Inbound communication for the peering VPC's IP range allowed (the input value is an example.)
2 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Inbound return traffic against requests from subnets allowed (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above

• Outbound
Priority | Protocol | Access source | Port | Allow/Deny | Description
1 | TCP | 172.16.0.0/16 | 1-65535 | Allow | Outbound communication for the peering VPC's IP range allowed (the input value is an example.)
2 | TCP | 0.0.0.0/0 | 32768-65535 | Allow | Outbound response to client on internet allowed (the input value is an example.)
197 | TCP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
198 | UDP | 0.0.0.0/0 | 1-65535 | Deny | Deny all traffic except for the rules above
199 | ICMP | 0.0.0.0/0 | - | Deny | Deny all traffic except for the rules above
    Note

It is recommended to apply the same settings as the network ACL to the Access Control Group (ACG), which controls inbound/outbound server traffic. ACG can be configured in the console's Services > Compute > Server > ACG. For more details, refer to the ACG settings guide.

    4. Create VPC peering

Once you've set up the network ACL, request inter-VPC communication through the VPC peering menu. Peering is a one-way communication, so the requesting VPC and the accepting VPC need to be specified. The accepting VPC can be another VPC in your account, or a VPC in another account. If you'd like the communication to be two-way, create two peerings by specifying the requesting VPC and accepting VPC in reverse.
    You can refer to the following guide:

    5. Set route table

    After creating the VPC peering, configure a route table which sets the network path. The subnet in the VPC that requested peering needs to set routing to the VPC on the other side. If Subnet A (public subnet) in VPC A requested peering to VPC B's Subnet C, then the route table can be configured as follows.

Destination | Target type | Target name
VPC B's IP range | VPCPEERING | The name of VPC peering set
0.0.0.0/0 | IGW | INTERNET GATEWAY
10.0.0.0/16 | LOCAL | LOCAL

    You can refer to the following guide:
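The route tables in the NAT Gateway scenario (step 6 there), the on-premise scenario (step 7 there) and this peering scenario differ only in which entry sits beside the local one, and the effect of each entry is easiest to see by resolving a few destinations against every table. The following Python script is an added example, not code from this guide or from NAVER Cloud Platform; it models the four route tables and performs a longest-prefix lookup over them. It assumes the most specific Destination wins and that a destination no entry covers is unroutable. 172.16.0.0/16 is the example VPC B range used in the network ACL table above; the on-premise range, the gateway and peering names and the internet host are constructed values that do not appear in this guide.

```python
"""Longest-prefix lookup over the scenario route tables.

Added example, not code from this guide or from NAVER Cloud Platform. Assumed:
the most specific matching Destination wins, and a destination covered by no
entry is unroutable. 172.16.0.0/16 is the page's example value for VPC B's IP
range; the on-premise range and the gateway/peering names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # "Destination" column, as a CIDR
    target_type: str   # "Target type": LOCAL, IGW, NATGW, VGW or VPCPEERING
    target_name: str   # "Target name"


VPC_CIDR = "10.0.0.0/16"
PEER_VPC_CIDR = "172.16.0.0/16"        # VPC B's IP range (page example value)
CUSTOMER_CIDR = "192.168.100.0/24"     # constructed on-premise server range

ROUTE_TABLES: Dict[str, List[Route]] = {
    # Public subnet table, configured automatically in every scenario.
    "public": [
        Route("0.0.0.0/0", "IGW", "INTERNET GATEWAY"),
        Route(VPC_CIDR, "LOCAL", "LOCAL"),
    ],
    # NAT Gateway scenario, step 6: private subnet with a NAT Gateway default route.
    "private_natgw": [
        Route("0.0.0.0/0", "NATGW", "natgw-example"),        # constructed name
        Route(VPC_CIDR, "LOCAL", "LOCAL"),
    ],
    # On-premise scenario, step 7: private subnet that reaches on-premise via the VGW.
    "private_vgw": [
        Route(CUSTOMER_CIDR, "VGW", "vgw-example"),          # constructed name
        Route(VPC_CIDR, "LOCAL", "LOCAL"),
    ],
    # Peering scenario, step 5: Subnet A in VPC A after requesting peering to VPC B.
    "peering_public": [
        Route(PEER_VPC_CIDR, "VPCPEERING", "peering-example"),  # constructed
        Route("0.0.0.0/0", "IGW", "INTERNET GATEWAY"),
        Route(VPC_CIDR, "LOCAL", "LOCAL"),
    ],
}


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the entry with the longest prefix that covers dst_ip, or None."""
    addr = ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ip_network(r.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def next_hop(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Target type the packet is handed to, or None if it is unroutable."""
    r = lookup(routes, dst_ip)
    return r.target_type if r else None


def trace() -> Dict[str, Optional[str]]:
    """Where each table sends a few representative destinations."""
    t = ROUTE_TABLES
    internet = "198.51.100.7"      # constructed arbitrary internet host
    # The peering table with its VPCPEERING entry removed: the requesting
    # subnet before step 5 has been carried out.
    no_peering = [r for r in t["peering_public"] if r.target_type != "VPCPEERING"]
    return {
        "public->internet": next_hop(t["public"], internet),
        "public->same_vpc": next_hop(t["public"], "10.0.1.20"),
        "private_natgw->internet": next_hop(t["private_natgw"], internet),
        "private_vgw->on_prem": next_hop(t["private_vgw"], "192.168.100.5"),
        "private_vgw->internet": next_hop(t["private_vgw"], internet),  # no default route
        "peering->vpc_b": next_hop(t["peering_public"], "172.16.5.9"),
        "before_peering->vpc_b": next_hop(no_peering, "172.16.5.9"),    # falls to IGW
    }


if __name__ == "__main__":
    for name, hop in trace().items():
        print(f"{name:26s} -> {hop}")
```

Two of the traced cases are the ones worth re-checking in the console after each scenario: the VGW-only private subnet has no 0.0.0.0/0 entry, so it cannot reach the internet at all (the isolation that scenario intends), and until the VPCPEERING entry exists, traffic for VPC B's range follows the default route to the internet gateway rather than the peering, which is why the requesting subnet's route table has to be set explicitly.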

    6. Create server

Once you've completed setting the route tables, create a server in each of the two VPCs. When creating each server, select the VPC and subnet created earlier, and apply the ACG described above. Once the servers have been created, connect to them, set up a web server, and check that HTTP communication works.
    You can refer to the following guide:

