Service Function Chain (SFC) scenarios

    Available in VPC

    You can build a Service Function Chain (hereinafter SFC) with Virtual Private Cloud (VPC) on the NAVER Cloud Platform in several ways, depending on your requirements.
    An SFC configuration uses the following resources: Transit VPC, Endpoint Route Table, Service Function Chain, Transit VPC Connect, Inline Load Balancer, and Public IP.
    The usage scenarios are as follows:

    Security layer configuration using SFC and security appliances

    The security layer configuration scenario using SFC and security appliances is recommended when applying security appliances with multiple functions to a general system.
    (Figure: security layer configuration using SFC and security appliances)

    The procedure to implement this scenario is as follows:

    1. Create VPC
    2. Create subnet
    3. Create Server
    4. Create target group
    5. Create Load Balancer
    6. Create transit VPC connect
    7. Create Service Function Chain
    8. Create and set up Endpoint Route Table
    9. Create and set up route table
    10. Set up public IP connection

    1. Create VPC

    First, create a VPC on the NAVER Cloud Platform console. You can create a VPC in the Services > Networking > VPC menu.
    Create one general VPC and one transit VPC.

    2. Create subnet

    Once you've finished creating a VPC, build a subnet in the VPC so that you can practically use the network. Required subnets are as follows:

    • General VPC
      • Public general subnet: bastion server for security appliance access and general server access
      • Private general subnet: server for services
      • Public LB subnet: Load Balancer for services
    • Transit VPC
      • Private general subnet: security appliance MGMT
      • Public SFC subnet: security appliance service NIC
      • Private LB Subnet: Inline Load Balancer

    3. Create Server

    Create a server to be deployed within the created VPC. When creating a server, select the transit VPC and general VPC previously generated, and enter the ACG.
    For more information, see Server creation guide.

    General server

    1. On the console, in Compute > Server > Create Server, select the desired image, and then create a server.

    Security appliance

    1. On the console, go to Compute > Server > Create Server > Select server image, and select the image from the desired vendor under the [3rd party image] tab.
    2. When setting up network interfaces, create 2 additional network interfaces, external and internal, for the service, and assign the network interfaces added to the SFC subnet.
    3. The recommended storage capacity varies by vendor, so contact your vendor to check it.
    4. When using an Inline Load Balancer, you need to open the port for health checks.
    5. You're required to set up self-routing of the security appliance on the 2 additional network interfaces after creation.

    4. Create target group

    Create a target group to be used in the Inline Load Balancer.
    Select Transit VPC server as the Target type, and add the 2 additional network interfaces created for the service on the security appliance as targets.
    Because an SFC operates in one direction only, two-way communication requires separate target groups for ingress and egress.

    For more information about creating target groups, see Target group creation guide.

    Target group for Application Load Balancer

    1. On the console, in Networking > Load Balancer > Target Group > Create Target Group, enter the desired settings, and then create a target group.

    Target group for Inline Load Balancer (for ingress)

    1. On the console, in Networking > Load Balancer > Target Group > Create Target Group, select Transit VPC Server as the Target type and IP as the protocol.
    2. When setting additional targets, set up the external network interface added to the security appliance.

    Target group for Inline Load Balancer (for egress)

    1. On the console, in Networking > Load Balancer > Target Group > Create Target Group, select Transit VPC Server as the Target type and IP as the protocol.
    2. When setting additional targets, set up the external network interface added to the security appliance.

    5. Create Load Balancer

    Create an Application Load Balancer to be operated on the general VPC and an Inline Load Balancer to be operated on the transit VPC.
    Because SFCs operate in one direction, for two-way communication, create separate Inline Load Balancers for ingress and egress purposes. For more information about creating Load Balancers, see Inline Load Balancer guide.

    Application Load Balancer

    1. On the console, in Networking > Load Balancer > Create Load Balancer, create an Application Load Balancer.

    Inline Load Balancer (for ingress)

    1. On the console, in Networking > Load Balancer > Create Load Balancer, create an Inline Load Balancer.
    2. Add the target group for Inline Load Balancer (for ingress).

    Inline Load Balancer (for egress)

    1. On the console, in Networking > Load Balancer > Create Load Balancer, create an Inline Load Balancer.
    2. Add the target group for Inline Load Balancer (for egress).

    6. Create transit VPC connect

    Create a transit VPC connect to connect the general VPC and the transit VPC.
    For more information about creating a transit VPC connect, see Transit VPC connect guide.

    7. Create Service Function Chain

    Create a Service Function Chain to define network flows within the transit VPC. Because SFCs operate in one direction, for two-way communication, create separate SFCs for ingress and egress purposes. For more information about creating SFCs, see Service Function Chain (SFC) creation guide.

    Service Function Chain for ingress

    1. Select the transit VPC and the zone

    2. Add the general VPC CIDR range to the destination subnet

    3. Set the chain as follows:

      Order | Type              | Instance                  | Subnet         | Ingress NIC
      1     | LoadBalancer      | Inline LB for ingress     | Auto-populated | -
      2     | TransitVpcConnect | TransitVpcConnect created | -              | -

    Service Function Chain for egress

    1. Select the transit VPC and the zone

    2. Add the 0.0.0.0/0 range to the destination subnet

    3. Set the chain as follows:

      Order | Type            | Instance             | Subnet         | Ingress NIC
      1     | LoadBalancer    | Inline LB for egress | Auto-populated | -
      2     | InternetGateway | -                    | -              | -

    8. Create and set Endpoint Route Table

    Create and set an Endpoint Route Table that allows setting ingress routes for Internet Gateway and Transit VPC connect. For more information about creating and setting up an Endpoint Route Table, see Endpoint Route Table guide.

    Endpoint Route Table for Internet Gateway

    1. Select IGW as the related endpoint type and create an Endpoint Route Table

    2. Set a route table for the Endpoint Route Table created

      Destination            | Target
      General VPC CIDR range | SFC for ingress

    3. Select IGW as the related endpoint setting

    Endpoint Route Table for transit VPC connect

    1. Select the transit VPC connect as the related endpoint type and create an Endpoint Route Table

    2. Set a route table for the Endpoint Route Table created

      Destination | Target
      0.0.0.0/0   | SFC for egress

    3. Select the transit VPC connect as the related endpoint setting

    Note

    From the next step, the network flow will change to the transit VPC. Check if the service is in normal operation on the general VPC, and continue setting up SFCs.

    9. Create and set route table

    To change the network flow of the general VPC, excluding the bastion server for server access, to the transit VPC, create and set a route table. For more information about creating a route table, see Route table creation guide.

    General VPC

    • Public general subnet route table: set all ranges (0.0.0.0/0) to the IGW, and set only the transit VPC range to the transit VPC connect

      Destination            | Target type       | Target name
      Transit VPC CIDR range | TRANSITVPCCONNECT | TransitVpcConnect created
      0.0.0.0/0              | IGW               | INTERNET GATEWAY
      General VPC CIDR range | LOCAL             | LOCAL

    • Private general subnet route table: set all ranges (0.0.0.0/0) to the transit VPC connect

      Destination            | Target type       | Target name
      0.0.0.0/0              | TRANSITVPCCONNECT | TransitVpcConnect created
      General VPC CIDR range | LOCAL             | LOCAL

    • Public LB subnet route table: set all ranges (0.0.0.0/0) to the transit VPC connect in the future

      Destination            | Target type       | Target name
      0.0.0.0/0              | TRANSITVPCCONNECT | TransitVpcConnect created
      General VPC CIDR range | LOCAL             | LOCAL

    Transit VPC

    • Private general subnet route table: set only the subnet range for server access on the general VPC to the transit VPC connect

      Destination                                       | Target type       | Target name
      Subnet range for server access on the general VPC | TRANSITVPCCONNECT | TransitVpcConnect created
      Transit VPC CIDR range                            | LOCAL             | LOCAL
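    Before you flip the real route tables (the Note above warns that the network flow moves to the transit VPC from step 9), it helps to model steps 7, 8 and 9 as plain data and walk a packet through them. The following is an added example and not NAVER Cloud Platform code: it stores the SFC chains, the Endpoint Route Tables and the subnet route tables from the three steps, does longest-prefix matching the way a route table does, and checks that every general VPC flow except bastion access is steered through the inline load balancers. The CIDRs, the subnet names, the transit VPC connect name and the SFC and load balancer names are all constructed placeholders.

```python
"""Route-lookup model for the SFC security-layer scenario (added example)."""
import ipaddress

# Constructed address plan and resource names (assumptions, not from the guide).
GENERAL_VPC = "10.0.0.0/16"
TRANSIT_VPC = "10.1.0.0/16"
BASTION_SUBNET = "10.0.1.0/24"   # public general subnet (bastion server)
TVC = "TransitVpcConnect-1"      # placeholder name of the transit VPC connect

# Step 9: per-subnet route tables as (destination, target type, target name).
ROUTE_TABLES = {
    "general/public-general": [
        (TRANSIT_VPC, "TRANSITVPCCONNECT", TVC),
        ("0.0.0.0/0", "IGW", "INTERNET GATEWAY"),
        (GENERAL_VPC, "LOCAL", "LOCAL"),
    ],
    "general/private-general": [
        ("0.0.0.0/0", "TRANSITVPCCONNECT", TVC),
        (GENERAL_VPC, "LOCAL", "LOCAL"),
    ],
    "general/public-lb": [
        ("0.0.0.0/0", "TRANSITVPCCONNECT", TVC),
        (GENERAL_VPC, "LOCAL", "LOCAL"),
    ],
    "transit/private-general": [
        (BASTION_SUBNET, "TRANSITVPCCONNECT", TVC),
        (TRANSIT_VPC, "LOCAL", "LOCAL"),
    ],
}

# Step 8: Endpoint Route Tables, keyed by the endpoint the traffic enters through.
ENDPOINT_ROUTE_TABLES = {
    "IGW": [(GENERAL_VPC, "sfc-ingress")],
    "TRANSITVPCCONNECT": [("0.0.0.0/0", "sfc-egress")],
}

# Step 7: SFC chains as ordered (type, instance) pairs; order 1 is the inline LB.
SFC_CHAINS = {
    "sfc-ingress": [("LoadBalancer", "inline-lb-ingress"), ("TransitVpcConnect", TVC)],
    "sfc-egress": [("LoadBalancer", "inline-lb-egress"), ("InternetGateway", "IGW")],
}


def lookup(routes, dst):
    """Longest-prefix match of dst against (cidr, ...) tuples; None if no route."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def trace(source, dst):
    """Hops a packet takes from a subnet table name (or "INTERNET") to dst.

    A packet that enters through IGW or the transit VPC connect is matched
    against that endpoint's Endpoint Route Table, and the selected SFC is
    expanded in chain order.
    """
    if source == "INTERNET":
        path = ["IGW"]
    else:
        route = lookup(ROUTE_TABLES[source], dst)
        if route is None:
            return ["DROP: no route"]
        path = [route[1]]
    ert = ENDPOINT_ROUTE_TABLES.get(path[-1])
    match = lookup(ert, dst) if ert else None
    if match:
        chain = match[1]
        path.append(chain)
        path.extend(instance for _, instance in SFC_CHAINS[chain])
    return path


def check_design():
    """Return a list of findings; an empty list means the tables match the scenario."""
    findings = []
    probe = "203.0.113.10"  # TEST-NET-3 address, outside both VPCs
    for name, routes in ROUTE_TABLES.items():
        if not name.startswith("general/"):
            continue
        want = "IGW" if name == "general/public-general" else "TRANSITVPCCONNECT"
        default = lookup(routes, probe)
        if default is None or default[1] != want:
            findings.append(f"{name}: default route should target {want}")
    for dst, target_type, _ in ROUTE_TABLES["transit/private-general"]:
        if target_type == "TRANSITVPCCONNECT" and dst != BASTION_SUBNET:
            findings.append("transit/private-general: only the bastion subnet should use the connect")
    for chain, hops in SFC_CHAINS.items():
        if hops[0][0] != "LoadBalancer":
            findings.append(f"{chain}: the Inline Load Balancer must be order 1")
    if SFC_CHAINS["sfc-ingress"][-1][0] != "TransitVpcConnect":
        findings.append("sfc-ingress: must end at the transit VPC connect")
    if SFC_CHAINS["sfc-egress"][-1][0] != "InternetGateway":
        findings.append("sfc-egress: must end at the Internet Gateway")
    return findings


if __name__ == "__main__":
    print("findings:", check_design() or "none")
    print("internet -> service LB:", trace("INTERNET", "10.0.3.10"))
    print("private server -> internet:", trace("general/private-general", "8.8.8.8"))
    print("bastion -> internet:", trace("general/public-general", "8.8.8.8"))
```

    Run it after editing the constants to your own address plan; a non-empty `check_design()` result tells you which table contradicts the scenario before traffic is moved, and `trace()` shows the ordered hops (endpoint, SFC, inline load balancer, connect or gateway) that a given flow will take.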

    10. Set public IP connection

    Connect the public IP that an Application Load Balancer has to the transit VPC by setting a public IP connection. For more information about how to make a connection, see Transit VPC connection setting guide.
