Service Function Chain (SFC) scenarios
Available in VPC
You can build a Service Function Chain (hereinafter SFC) in a Virtual Private Cloud (VPC) on the NAVER Cloud Platform in various ways to suit your requirements.
An SFC configuration uses the following components: Transit VPC, Endpoint Route Table, Service Function Chain, Transit VPC Connect, Inline Load Balancer, and Public IP.
The usage scenarios are as follows:
Security layer configuration using SFC and security appliances
The security layer configuration scenario using SFC and security appliances is recommended when you want to place multi-function security appliances in front of a general service system.
The procedure to implement this scenario is as follows:
1. Create VPC
2. Create subnet
3. Create Server
4. Create target group
5. Create Load Balancer
6. Create transit VPC connect
7. Create Service Function Chain
8. Create and set up Endpoint Route Table
9. Create and set up route table
10. Set up public IP connection
1. Create VPC
First, create a VPC on the NAVER Cloud Platform console. You can create a VPC in the Services > Networking > VPC menu.
Create one general VPC and one transit VPC.
2. Create subnet
Once you've finished creating the VPCs, create subnets in each VPC so that the network can actually be used. The required subnets are as follows:
- General VPC
  - Public general subnet: bastion server used to access the security appliances and the general servers
  - Private general subnet: servers for the service
  - Public LB subnet: Load Balancer for the service
- Transit VPC
  - Private general subnet: security appliance MGMT interface
  - Public SFC subnet: security appliance service NICs
  - Private LB subnet: Inline Load Balancer
3. Create Server
Create the servers to deploy in the VPCs you created. When creating each server, select the transit VPC or the general VPC created earlier, and assign the ACG.
For more information, see Server creation guide.
General server
- On the console, in Compute > Server > Create Server, select the desired image, and then create a server.
Security appliance
- On the console, go to Compute > Server > Create Server > Select server image, and select the image from the desired vendor under the [3rd party image] tab.
- When setting up network interfaces, create 2 additional network interfaces for the service, one external and one internal, and place both of them in the SFC subnet.
- The recommended storage capacity varies by vendor, so check it with your vendor.
- When using an Inline Load Balancer, allow the port the Inline Load Balancer uses for health checks; an appliance that fails its health check receives no traffic from the chain.
- After creating the server, you must configure routing on the security appliance itself (self-routing) for the 2 additional network interfaces.
4. Create target group
Create the target groups used by the Application Load Balancer and the Inline Load Balancers.
For the Inline Load Balancer target groups, select Transit VPC server as the Target type and add the 2 additional network interfaces created for the service on the security appliance as targets.
Because an SFC operates in one direction only, two-way communication requires separate target groups for ingress and egress.
For more information about creating target groups, see Target group creation guide.
Target group for Application Load Balancer
- On the console, in Networking > Load Balancer > Target Group > Create Target Group, add the service servers in the general VPC's private general subnet as targets and create the target group.
Target group for Inline Load Balancer (for ingress)
- On the console, in Networking > Load Balancer > Target Group > Create Target Group, select Transit VPC Server as the Target type and IP as the protocol.
- When setting additional targets, set up the external network interface added to the security appliance.
Target group for Inline Load Balancer (for egress)
- On the console, in Networking > Load Balancer > Target Group > Create Target Group, select Transit VPC Server as the Target type and IP as the protocol.
- When setting additional targets, set up the internal network interface added to the security appliance (egress traffic enters the appliance from the general VPC side, whereas the ingress target group uses the external interface).
5. Create Load Balancer
Create an Application Load Balancer to be operated on the general VPC and an Inline Load Balancer to be operated on the transit VPC.
Because SFCs operate in one direction, for two-way communication, create separate Inline Load Balancers for ingress and egress purposes. For more information about creating Load Balancers, see Inline Load Balancer guide.
Application Load Balancer
- On the console, in Networking > Load Balancer > Create Load Balancer, create an Application Load Balancer in the general VPC's public LB subnet.
Inline Load Balancer (for ingress)
- On the console, in Networking > Load Balancer > Create Load Balancer, create an Inline Load Balancer in the transit VPC's private LB subnet.
- Add the target group for the Inline Load Balancer (for ingress).
Inline Load Balancer (for egress)
- On the console, in Networking > Load Balancer > Create Load Balancer, create an Inline Load Balancer in the transit VPC's private LB subnet.
- Add the target group for the Inline Load Balancer (for egress).
6. Create transit VPC connect
Create a transit VPC connect to connect the general VPC and the transit VPC.
For more information about creating a transit VPC connect, see Transit VPC connect guide.
7. Create Service Function Chain
Create a Service Function Chain to define network flows within the transit VPC. Because SFCs operate in one direction, for two-way communication, create separate SFCs for ingress and egress purposes. For more information about creating SFCs, see Service Function Chain (SFC) creation guide.
Service Function Chain for ingress
Select the transit VPC and the zone
Add the general VPC CIDR range to the destination subnet
Set the chain as follows:

| Order | Type | Instance | Subnet | Ingress NIC |
| --- | --- | --- | --- | --- |
| 1 | LoadBalancer | Inline LB for ingress | Auto-populated | - |
| 2 | TransitVpcConnect | TransitVpcConnect created | - | - |
Service Function Chain for egress
Select the transit VPC and the zone
Add the 0.0.0.0/0 range to the destination subnet
Set the chain as follows:

| Order | Type | Instance | Subnet | Ingress NIC |
| --- | --- | --- | --- | --- |
| 1 | LoadBalancer | Inline LB for egress | Auto-populated | - |
| 2 | InternetGateway | - | - | - |
8. Create and set Endpoint Route Table
Create and set up Endpoint Route Tables, which define the route taken by traffic entering the transit VPC through the Internet Gateway and through the transit VPC connect. For more information about creating and setting up an Endpoint Route Table, see Endpoint Route Table guide.
Endpoint Route Table for Internet Gateway
Select IGW as the related endpoint type and create an Endpoint Route Table
Set a route table for the Endpoint Route Table created

| Destination | Target |
| --- | --- |
| General VPC CIDR range | SFC for ingress |

Select IGW as the related endpoint setting
Endpoint Route Table for transit VPC connect
Select the transit VPC connect as the related endpoint type and create an Endpoint Route Table
Set a route table for the Endpoint Route Table created

| Destination | Target |
| --- | --- |
| 0.0.0.0/0 | SFC for egress |

Select the transit VPC connect as the related endpoint setting
From the next step on, the network flow is switched over to the transit VPC. Before continuing, confirm that the service is operating normally on the general VPC, and then proceed with the SFC setup.
9. Create and set route table
To redirect the network flow of the general VPC, except for the bastion server used for server access, through the transit VPC, create and set up route tables. For more information about creating a route table, see Route table creation guide.
General VPC
Public general subnet route table: route all ranges (0.0.0.0/0) to the IGW, and only the transit VPC range to the transit VPC connect, so the bastion server keeps direct internet access while reaching the security appliance MGMT interface through the transit VPC connect

| Destination | Target type | Target name |
| --- | --- | --- |
| Transit VPC CIDR range | TRANSITVPCCONNECT | TransitVpcConnect created |
| 0.0.0.0/0 | IGW | INTERNET GATEWAY |
| General VPC CIDR range | LOCAL | LOCAL |

Private general subnet route table: route all ranges (0.0.0.0/0) to the transit VPC connect

| Destination | Target type | Target name |
| --- | --- | --- |
| 0.0.0.0/0 | TRANSITVPCCONNECT | TransitVpcConnect created |
| General VPC CIDR range | LOCAL | LOCAL |

Public LB subnet route table: likewise route all ranges (0.0.0.0/0) to the transit VPC connect

| Destination | Target type | Target name |
| --- | --- | --- |
| 0.0.0.0/0 | TRANSITVPCCONNECT | TransitVpcConnect created |
| General VPC CIDR range | LOCAL | LOCAL |
Transit VPC
Private general subnet route table: route only the subnet range used for server access on the general VPC (the bastion subnet) to the transit VPC connect

| Destination | Target type | Target name |
| --- | --- | --- |
| Subnet range for server access on the general VPC | TRANSITVPCCONNECT | TransitVpcConnect created |
| Transit VPC CIDR range | LOCAL | LOCAL |
10. Set public IP connection
Connect the public IP held by the Application Load Balancer to the transit VPC by setting up a public IP connection. For more information about how to make the connection, see Transit VPC connection setting guide.
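The following is an added example and not NAVER Cloud Platform code or API: a small Python model of the route tables from steps 7 to 9 that uses longest-prefix matching, so you can check, before switching the real route tables over at step 9, which flows pass through the transit VPC chain and which bypass it. The CIDR ranges, the table names, the hop labels and the choice of the appliance's internal interface as the egress target are assumptions made for the example.

```python
"""Route-lookup model of the SFC security layer scenario (added example)."""
from ipaddress import ip_address, ip_network

# Constructed address plan for illustration; substitute your own CIDRs.
GENERAL_VPC = ip_network("10.0.0.0/16")
TRANSIT_VPC = ip_network("10.1.0.0/16")
BASTION_SUBNET = ip_network("10.0.0.0/24")   # public general subnet (bastion)
ANY = ip_network("0.0.0.0/0")
TVC = "TRANSITVPCCONNECT"
BASTION_TABLE = "general/public-general"

# Subnet route tables from step 9: (destination, target type), one entry per row.
ROUTE_TABLES = {
    BASTION_TABLE:             [(TRANSIT_VPC, TVC), (ANY, "IGW"), (GENERAL_VPC, "LOCAL")],
    "general/private-general": [(ANY, TVC), (GENERAL_VPC, "LOCAL")],
    "general/public-lb":       [(ANY, TVC), (GENERAL_VPC, "LOCAL")],
    "transit/private-general": [(BASTION_SUBNET, TVC), (TRANSIT_VPC, "LOCAL")],
}

# Endpoint route tables from step 8: the SFC that receives a packet entering
# the transit VPC through the named endpoint.
ENDPOINT_ROUTE_TABLES = {
    "IGW": [(GENERAL_VPC, "SFC for ingress")],
    TVC:   [(ANY, "SFC for egress")],
}

# Chains from step 7, in order; each SFC carries traffic in one direction only.
CHAINS = {
    "SFC for ingress": ["Inline LB for ingress", TVC],
    "SFC for egress":  ["Inline LB for egress", "InternetGateway"],
}

# Inline LB target groups from step 4 (assumed NIC per direction).
INLINE_LB_TARGETS = {
    "Inline LB for ingress": "appliance external NIC",
    "Inline LB for egress":  "appliance internal NIC",
}


def lookup(routes, dst):
    """Longest-prefix match of dst against (network, target) rows.

    Returns the target, or None when no row matches (no route).
    """
    dst = ip_address(dst)
    matches = [(net, target) for net, target in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda row: row[0].prefixlen)[1]


def sfc_path(endpoint, dst):
    """Hops a packet takes after entering the transit VPC via `endpoint`.

    The Endpoint Route Table selects the SFC; each Inline LB hop in the chain
    is expanded into the appliance NIC its target group points at.
    """
    sfc = lookup(ENDPOINT_ROUTE_TABLES[endpoint], dst)
    if sfc is None:
        return []
    path = []
    for hop in CHAINS[sfc]:
        path.append(hop)
        if hop in INLINE_LB_TARGETS:
            path.append(INLINE_LB_TARGETS[hop])
    return path


def inspection_bypasses(tables, bastion_table=BASTION_TABLE):
    """Names of general-VPC subnet tables that could route around the chain.

    Every general-VPC subnet other than the bastion subnet must send its
    default route to the transit VPC connect and must not reference the IGW
    directly; anything else lets traffic skip the security appliance.
    """
    offenders = []
    for name, routes in tables.items():
        if not name.startswith("general/") or name == bastion_table:
            continue
        default = [target for net, target in routes if net.prefixlen == 0]
        direct_igw = any(target == "IGW" for _, target in routes)
        if default != [TVC] or direct_igw:
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    print("private server -> internet:", lookup(ROUTE_TABLES["general/private-general"], "8.8.8.8"))
    print("bastion -> internet:", lookup(ROUTE_TABLES[BASTION_TABLE], "8.8.8.8"))
    print("bastion -> appliance MGMT:", lookup(ROUTE_TABLES[BASTION_TABLE], "10.1.0.10"))
    print("ingress path:", " -> ".join(sfc_path("IGW", "10.0.1.20")))
    print("egress path:", " -> ".join(sfc_path(TVC, "8.8.8.8")))
    print("bypasses:", inspection_bypasses(ROUTE_TABLES))
```

Run `inspection_bypasses` against the tables you intend to apply: the only general-VPC subnet that may hold a direct IGW route is the bastion subnet, and the transit VPC's MGMT subnet deliberately has no route to anything in the general VPC except that bastion subnet, so `lookup` returns `None` for other general-VPC destinations.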