
[AWS] What is VPC Lattice?

dhyuck 2023. 3. 20. 22:56
๋ฐ˜์‘ํ˜•

Why VPC Lattice was introduced

  • Service-oriented architectures, which cut costs and let programs scale quickly, have recently become mainstream,
  • and the most effective way to implement a service-oriented architecture is to use multiple Accounts and multiple VPCs.
  • In a multi-Account, multi-VPC strategy the Account and the VPC can be treated as the boundary between services, but it is hard to build an appropriate boundary while also taking authentication into account.
  • Because of this, a kind of network complexity arises that is distinct from ordinary network complexity.
  • A modernized architecture can be built with VPC peering, TGW, PrivateLink, security groups, NACLs and so on,
  • but these can become single points of failure, and IP-based controls alone make it hard to guarantee, over the medium and long term, that only authenticated and authorized services are connected to each other.
  • In addition, communication this complex is hard to monitor.

VPC Lattice

  • "Lattice" means a grid; the name conveys that it provides a framework for the networking, security and monitoring associated with VPCs.
  • An application-layer networking service that makes service-to-service communication easier to connect and safer to monitor.
  • Provides application-layer load balancing across multiple Accounts and multiple VPCs in a consistent way, regardless of whether workloads run on instances, containers or serverless.

Four main components

  • Service
    • A unit of application running on instances, containers, and serverless and consisting of listeners, rules, and target groups
    • A unit of application running on instances, containers or serverless.
    • Consists of listeners, listener rules and target groups; it resembles an ALB, but it is not an ALB.
    • Listener: the port on which the service listens for requests.
    • Listener rules: application-layer proxying that supports routing based on path, headers and HTTP method.
    • Target group: a grouping of targets; a target can be an IP address in an ASG, a Pod, and so on.
  • Service Network
    • A logical boundary that is used to automatically implement service discovery and connectivity and apply common access and observability policies to a collection of services
    • A logical application-layer network that connects services with VPCs.
    • Implements service discovery and service connectivity automatically, and applies common access policies and observability policies to the services in it.
  • Auth Policy
    • IAM resource policy that can be associated with a Service Network and individual Services to support request level authentication and context specific authorization
    • An IAM policy that can be attached to a service network and to individual services.
  • Service Directory
    • A centralized view of the services that you own or that have been shared with you through AWS Resource Access Manager (AWS RAM)
    • A centralized registry of all services: an account-level view of the services you created and of the services shared with you.
    • The service directory is integrated with RAM.

Lattice characteristics

  • What the Admin has to do
  • What the Service owner has to do
  • Each VPC can be associated with one service network.
  • Each service can be associated with multiple service networks.
  • Target group metrics, service metrics, service access logs and service network access logs can be monitored, and it also integrates with CloudTrail.
  • Security groups can restrict which VPC resources are allowed to use the service network. (Network-layer security)
  • Auth policies can restrict which service networks and services can be accessed. (Application-layer security)

์ฐธ๊ณ  ์ž๋ฃŒ

AWS re:Invent 2022 - [NEW] Introducing Amazon VPC Lattice: Simplifying app networking (NET215)

AWS re:Invent 2022 - Advanced VPC design and new Amazon VPC capabilities (NET302)

๋ฐ˜์‘ํ˜•