Service Function Chain (SFC) scenarios


Available in VPC

You can build a Service Function Chain (hereinafter SFC) using Virtual Private Cloud (VPC) on NAVER Cloud Platform in various ways, depending on the customer's requirements.
An SFC configuration uses Transit VPC, Endpoint Route Table, Service Function Chain, Transit VPC Connect, Inline Load Balancer, and Public IP.
The usage scenarios are as follows:

Security layer configuration using SFC and security appliances

The scenario of configuring security layers using SFC and security appliances is recommended when applying security appliances with many functions to a general system.
[Figure: SFC security layer scenario diagram]

The following is the procedure to implement this scenario.

1. Create VPC
2. Create subnet
3. Create server
4. Create Target Group
5. Create Load Balancer
6. Create Transit VPC Connect
7. Create Service Function Chain
8. Create and set Endpoint Route Table
9. Create and set Route Table
10. Set public IP connection

1. Create VPC

First, create a VPC from the NAVER Cloud Platform console. You can create it in the VPC environment console i_menu > Services > Networking > VPC.
Create 1 general VPC and 1 transit VPC.

2. Create subnet

Once you've finished creating a VPC, build a subnet in the VPC so that you can practically use the network. Required subnets are as follows:

  • General VPC
    • Public general subnet: bastion server for security appliance access and general server access
    • Private general subnet: server for services
    • Public LB subnet: Load Balancer for services
  • Transit VPC
    • Private general subnet: security appliance MGMT
    • Public SFC subnet: security appliance service NIC
    • Private LB Subnet: Inline Load Balancer

3. Create server

Create a server to be deployed within the created VPC. When creating servers, select the previously created Transit VPC and general VPC, and enter the ACG.
For more information, see Server creation guide.

General server

  1. On the console, go to Compute > Server > Create Server, and select the desired image to create a server.

Security appliance

  1. On the console, go to Compute > Server > Create Server > Select server image, and select the image from the desired vendor under the [3rd party image] tab.
  2. When setting up network interfaces, create 2 additional network interfaces, external and internal, for the service, and assign the network interfaces added to the SFC subnet.
Note

Only the additional network interface of images operating in Inline mode can be allocated to the SFC Subnet. TMS does not operate in Inline mode.

  1. As the recommended storage capacity varies by vendor, contact your vendor to check it.
  2. When using an Inline Load Balancer, you need to open the port for health checks.
  3. You're required to set up self-routing of the security appliance on the 2 additional network interfaces after creation.

4. Create Target Group

Create a target group to be used by the Inline Load Balancer.
Select Transit VPC server as the target type, and add the 2 additional network interfaces added to the security appliance for the service as targets.
As SFCs operate in one direction only, for two-way communication, create separate target groups for ingress and egress purposes.

For more information about creating target groups, see Target group creation guide.

Target group for Application Load Balancer

  1. On the VPC environment console, go to i_menu > Services > Networking > Load Balancer > Target Group > Create Target Group and select the desired image to create a target group.

Target group for Inline Load Balancer (for ingress)

  1. On the VPC environment console, go to i_menu > Services > Networking > Load Balancer > Target Group > Create Target Group and select Transit VPC Server as the target type and IP as the protocol.
  2. When setting additional targets, set up the external network interface added to the security appliance.

Target group for Inline Load Balancer (for egress)

  1. On the VPC environment console, go to i_menu > Services > Networking > Load Balancer > Target Group > Create Target Group and select Transit VPC Server as the target type and IP as the protocol.
  2. When setting additional targets, set up the internal network interface added to the security appliance.

5. Create Load Balancer

Create an Application Load Balancer to be operated on the general VPC and an Inline Load Balancer to be operated on the transit VPC.
As SFCs operate in one direction, for two-way communication, create separate Inline Load Balancers for ingress and egress purposes. For more information about creating Load Balancers, see Inline Load Balancer guide.

Application Load Balancer

  1. On the VPC environment console, go to i_menu > Services > Networking > Load Balancer > Create Load Balancer and create an Application Load Balancer.

Inline Load Balancer (for ingress)

  1. On the VPC environment console, go to i_menu > Services > Networking > Load Balancer > Create Load Balancer and create an Inline Load Balancer.
  2. Add the target group for the Inline Load Balancer (for ingress).

Inline Load Balancer (for egress)

  1. On the VPC environment console, go to i_menu > Services > Networking > Load Balancer > Create Load Balancer and create an Inline Load Balancer.
  2. Add the target group for the Inline Load Balancer (for egress).

6. Create Transit VPC Connect

Create a Transit VPC Connect to link the general VPC and Transit VPC.
For more information about creating a transit VPC connect, see Transit VPC connect guide.

7. Create Service Function Chain

Create a Service Function Chain to define network flows within the transit VPC. As SFCs operate in one direction, for two-way communication, create separate SFCs for ingress and egress purposes. For more information about creating SFCs, see Service Function Chain (SFC) creation guide.

Service Function Chain for ingress

  1. Select Transit VPC and Zone.

  2. Add the general VPC CIDR range to the destination subnet.

  3. Set the chain as follows:

| Order | Type | Instance | Subnet | Ingress NIC |
|----------|----------|----------|----------|----------|
| 1 | LoadBalancer | Inline LB for ingress | Auto-populated | - |
| 2 | TransitVpcConnect | TransitVpcConnect created | - | - |

Service Function Chain for egress

  1. Select Transit VPC and Zone.

  2. Add the 0.0.0.0/0 range to the destination subnet.

  3. Set the chain as follows:

| Order | Type | Instance | Subnet | Ingress NIC |
|----------|----------|----------|----------|----------|
| 1 | LoadBalancer | Inline LB for egress | Auto-populated | - |
| 2 | InternetGateway | - | - | - |

8. Create and set Endpoint Route Table

Create and set an Endpoint Route Table that allows setting ingress routes for Internet Gateway and Transit VPC connect. For more information about creating and setting up an Endpoint Route Table, see Endpoint Route Table guide.

Endpoint Route Table for Internet Gateway

  1. Select IGW as the related endpoint type and create the Endpoint Route Table.

  2. Set a route table for the Endpoint Route Table created:

| Destination | Target |
|----------|----------|
| General VPC CIDR range | SFC for ingress |

  3. Select IGW as the related endpoint setting.

Endpoint Route Table for transit VPC connect

  1. Select the transit VPC connect as the related endpoint type and create the Endpoint Route Table.

  2. Set a route table for the Endpoint Route Table created:

| Destination | Target |
|----------|----------|
| 0.0.0.0/0 | SFC for egress |

  3. Select the transit VPC connect as the related endpoint setting.

Note

From the next step, the network flow will change to the transit VPC. Check if the service is in normal operation on the general VPC, and continue setting up SFCs.

9. Create and set Route Table

To change the network flow of the general VPC, excluding the bastion server for server access, to the transit VPC, create and set a route table. For more information about creating a route table, see Route table creation guide.

General VPC

  • Public general subnet route table: set all ranges (0.0.0.0/0) to IGW, but set only the transit VPC range to the Transit VPC connect

| Destination | Target type | Target name |
|----------|----------|----------|
| Transit VPC CIDR range | TRANSITVPCCONNECT | TransitVpcConnect created |
| 0.0.0.0/0 | IGW | INTERNET GATEWAY |
| General VPC CIDR range | LOCAL | LOCAL |

  • Private general subnet route table: set all ranges (0.0.0.0/0) to the transit VPC connect

| Destination | Target type | Target name |
|----------|----------|----------|
| 0.0.0.0/0 | TRANSITVPCCONNECT | TransitVpcConnect created |
| General VPC CIDR range | LOCAL | LOCAL |

  • Public LB subnet route table: set all ranges (0.0.0.0/0) to the transit VPC connect in the future

| Destination | Target type | Target name |
|----------|----------|----------|
| 0.0.0.0/0 | TRANSITVPCCONNECT | TransitVpcConnect created |
| General VPC CIDR range | LOCAL | LOCAL |

Transit VPC

  • Private general subnet route table: set only the subnet range for server access on the general VPC to the transit VPC connect

| Destination | Target type | Target name |
|----------|----------|----------|
| Subnet range for server access on the general VPC | TRANSITVPCCONNECT | TransitVpcConnect created |
| Transit VPC CIDR range | LOCAL | LOCAL |

10. Set public IP connection

Connect the public IP that an Application Load Balancer has to the transit VPC by setting a public IP connection. For more information about how to make a connection, see Transit VPC connection setting guide.
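The ingress and egress flows that steps 7 to 9 configure can be checked against a small model of the route tables before traffic is switched over. The following Python script is an added example and not NAVER Cloud Platform code; the CIDRs, subnet names and chain names in it are constructed assumptions, while the table contents mirror the route tables, Endpoint Route Tables and SFC chains given in the steps above. It performs longest-prefix lookups, traces a packet in each direction, and flags any general VPC subnet other than the bastion subnet whose route to the internet bypasses the Inline Load Balancer (and therefore the security appliance).

```python
"""Model of the SFC route tables in the scenario above (added example, not NCP code).

All CIDRs and names are constructed assumptions; the table contents mirror the
subnet route tables (step 9), Endpoint Route Tables (step 8) and SFCs (step 7).
"""
from ipaddress import ip_address, ip_network

# Constructed sample address plan (assumption, not from the page).
GENERAL_VPC_CIDR = ip_network("10.0.0.0/16")
TRANSIT_VPC_CIDR = ip_network("10.1.0.0/16")
BASTION_SUBNET = ip_network("10.0.0.0/24")   # general VPC, public general subnet
ANY = ip_network("0.0.0.0/0")

# Subnet route tables from step 9: (destination, target type).
ROUTE_TABLES = {
    "general/public-general": [(TRANSIT_VPC_CIDR, "TRANSITVPCCONNECT"),
                               (ANY, "IGW"), (GENERAL_VPC_CIDR, "LOCAL")],
    "general/private-general": [(ANY, "TRANSITVPCCONNECT"), (GENERAL_VPC_CIDR, "LOCAL")],
    "general/public-lb": [(ANY, "TRANSITVPCCONNECT"), (GENERAL_VPC_CIDR, "LOCAL")],
    "transit/private-general": [(BASTION_SUBNET, "TRANSITVPCCONNECT"),
                                (TRANSIT_VPC_CIDR, "LOCAL")],
}

# Endpoint Route Tables from step 8: applied to traffic entering the transit VPC
# through the named endpoint, handing it to an SFC.
ENDPOINT_ROUTE_TABLES = {
    "IGW": [(GENERAL_VPC_CIDR, "SFC-ingress")],
    "TRANSITVPCCONNECT": [(ANY, "SFC-egress")],
}

# Service Function Chains from step 7; each chain is one direction only.
SFC_CHAINS = {
    "SFC-ingress": ["InlineLB-ingress", "TRANSITVPCCONNECT"],
    "SFC-egress": ["InlineLB-egress", "IGW"],
}


def lookup(table, dst):
    """Longest-prefix match over (network, target) pairs; None when no route matches."""
    best = None
    for net, target in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace_from_subnet(subnet_name, dst):
    """Hops a packet takes from a general/transit VPC subnet towards dst."""
    dst = ip_address(dst)
    path = []
    target = lookup(ROUTE_TABLES[subnet_name], dst)
    if target is None:
        return path
    path.append(target)
    # Only traffic entering the transit VPC from the general VPC is matched by
    # the Transit VPC Connect's Endpoint Route Table and steered into an SFC.
    if target == "TRANSITVPCCONNECT" and subnet_name.startswith("general/"):
        chain = lookup(ENDPOINT_ROUTE_TABLES["TRANSITVPCCONNECT"], dst)
        if chain:
            path.append(chain)
            path.extend(SFC_CHAINS[chain])
    return path


def trace_from_internet(dst):
    """Hops for a packet arriving at the Internet Gateway of the transit VPC."""
    dst = ip_address(dst)
    path = ["IGW"]
    chain = lookup(ENDPOINT_ROUTE_TABLES["IGW"], dst)
    if chain:
        path.append(chain)
        path.extend(SFC_CHAINS[chain])
    return path


def is_inspected(path):
    """True when the path passes an Inline Load Balancer, i.e. the security appliance."""
    return any(hop.startswith("InlineLB") for hop in path)


def bypass_routes(tables, exempt=("general/public-general",)):
    """Defender's check: general VPC subnets (bastion subnet excepted) with a
    direct IGW route send traffic around the appliance. Returns (subnet, cidr)."""
    findings = []
    for name, table in tables.items():
        if name.startswith("general/") and name not in exempt:
            findings.extend((name, str(net)) for net, target in table if target == "IGW")
    return findings


if __name__ == "__main__":
    print("egress from service server:", trace_from_subnet("general/private-general", "203.0.113.10"))
    print("egress from bastion        :", trace_from_subnet("general/public-general", "203.0.113.10"))
    print("ingress to service server  :", trace_from_internet("10.0.1.20"))
    print("bypass routes              :", bypass_routes(ROUTE_TABLES))
```

Egress from the private general subnet resolves to the transit VPC connect, then the Endpoint Route Table hands it to the egress SFC, so the path passes the egress Inline Load Balancer before the Internet Gateway; the bastion subnet's default route goes straight to IGW, which is the intended exception. Running `bypass_routes` against a route table where the private subnet's 0.0.0.0/0 points at IGW instead of the transit VPC connect reports that subnet as skipping inspection.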