VPC Overview

KakaoCloud's Virtual Private Cloud (VPC) provides a logically isolated virtual network space in which you can operate resources flexibly. You can configure your own VPC, create subnets, group resources, and subdivide IP addresses to lay out the network as needed. Additionally, you can use security groups and Access Control Lists (ACLs) to control network traffic and take advantage of further security features.

Purpose and use cases

Replacing on-premises physical network environment

VPC replaces on-premises networks. In on-premises environments, network equipment such as routers and switches, as well as servers, need to be directly configured and installed. This process involves a significant amount of time, from ordering equipment to installation and circuit leasing. Moreover, making changes to the initially configured network requires considerable manpower and time. VPC addresses these inconveniences.

With VPC, you can easily create and control networks based on network virtualization technology. Within seconds, through a few clicks and keystrokes on the console, you can set up an environment equivalent to physically configuring network equipment in an on-premises environment.

Utilizing public and private subnets

Depending on the purpose, the network can be divided into multiple subnets. Typically, it can be divided into a public subnet, where servers that need to be exposed to the outside, such as web servers, are deployed, and a private subnet, where servers that need to have minimal external connections, such as databases, are deployed. This is similar to configuring a Demilitarized Zone (DMZ) and Private Zone in an on-premises environment.

Configuring multi/hybrid cloud environments

You can seamlessly connect your network with external networks as if they were one network. Hybrid configurations with on-premises environments via VPN or dedicated lines, collocation-based hybrid configurations where on-premises environments are relocated to Internet Data Centers (IDCs), and multi-cloud configurations with other clouds are all easily achievable.

Features

Logically isolated environment

  • It allows for the free configuration of the network without external interference, as if owning a private IDC (Internet Data Center).
  • Servers deployed in the network are completely isolated unless they are explicitly exposed by attaching a public IP or by connecting them via dedicated lines, VPN, etc.

Providing environment where virtual servers can be deployed

  • It is used as an environment where virtual servers such as instances of Virtual Machines and worker nodes of Kubernetes Engine can be deployed.
  • Servers deployed in the network are allocated private IP addresses unique to the network, allowing communication with other servers or network components within the network.

Controlling traffic through routing

  • Routing allows traffic control for servers deployed in each subnet.
  • Control traffic within the network, send to the public network, or transmit to on-premises environments via VPN or dedicated lines.

Achieving network security based on security group

  • Enhances the security of servers in the network using Security Groups.
  • Operates as an allow list: only traffic matching the policies you enter is permitted; everything else is denied.
  • Operates statefully: return traffic for an allowed connection is permitted without a separate policy.
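To make the allow-list and stateful behaviour described above concrete, the following is an added example written for this page; it is not KakaoCloud's implementation. The Rule and Packet shapes, the sample policy (SSH from one administrative range, HTTPS from anywhere, all outbound) and the sample packets are constructed for illustration.

```python
"""Stateful allow-list evaluation as described for security groups above.

Added example, not KakaoCloud's implementation: the Rule and Packet shapes,
the rule set and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str    # "ingress" (toward the instance) or "egress" (from the instance)
    protocol: str     # "tcp", "udp" or "any"
    port_from: int    # destination port range on the receiving side
    port_to: int
    remote_cidr: str  # the peer the instance talks to


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulSecurityGroup:
    """Default deny; only listed rules allow traffic, and replies to allowed connections are tracked."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()  # 5-tuples of connections already admitted by a rule

    def _rule_matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.direction != pkt.direction or rule.protocol not in ("any", pkt.protocol):
            return False
        # For ingress the remote side is the source; for egress it is the destination.
        remote = pkt.src_ip if pkt.direction == "ingress" else pkt.dst_ip
        return (rule.port_from <= pkt.dst_port <= rule.port_to
                and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.remote_cidr))

    def evaluate(self, pkt: Packet) -> str:
        flow = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.tracked:
            return "allow (reply to tracked connection)"  # stateful: no rule needed for the reply
        if any(self._rule_matches(r, pkt) for r in self.rules):
            self.tracked.add(flow)
            return "allow (rule match)"
        return "deny (no matching rule)"  # allow list: anything unlisted is dropped


def build_sample_group() -> StatefulSecurityGroup:
    # Constructed policy: SSH only from an admin range, HTTPS from anywhere, all outbound allowed.
    return StatefulSecurityGroup([
        Rule("ingress", "tcp", 22, 22, "203.0.113.0/24"),
        Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),
        Rule("egress", "any", 0, 65535, "0.0.0.0/0"),
    ])


def run_scenario() -> list:
    """Feed constructed packets for an instance at 10.0.1.5 through the group and collect verdicts."""
    sg = build_sample_group()
    packets = [
        Packet("ingress", "tcp", "203.0.113.10", 51000, "10.0.1.5", 22),   # SSH from the admin range
        Packet("egress", "tcp", "10.0.1.5", 22, "203.0.113.10", 51000),    # the instance's reply
        Packet("ingress", "tcp", "198.51.100.7", 51000, "10.0.1.5", 22),   # SSH from elsewhere
        Packet("egress", "tcp", "10.0.1.5", 40000, "198.51.100.7", 80),    # instance fetches a web page
        Packet("ingress", "tcp", "198.51.100.7", 80, "10.0.1.5", 40000),   # the web server's reply
        Packet("ingress", "tcp", "198.51.100.9", 80, "10.0.1.5", 40000),   # unsolicited packet to that port
    ]
    return [sg.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The fifth packet is the point of the stateful bullet: there is no ingress rule for port 40000, yet the reply is admitted because the instance opened the connection. The sixth packet, arriving at the same port from a host the instance never spoke to, is dropped, which is what distinguishes connection tracking from simply opening the port.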

Accessing via external internet network

  • Providing public IPs with unique IP addresses.
  • Providing direct access to resources in use via public IPs from the external internet network.

Utilizing global standard IaC (Infrastructure as Code) tools

  • KakaoCloud's BNS follows global standards, so every resource can be controlled directly through the API.
  • You can define VPC network resources in code using IaC tools such as Terraform.

VPC IP CIDR block

KakaoCloud VPC supports IPv4 addresses. When creating a VPC, you must specify the VPC's IPv4 address range in Classless Inter-Domain Routing (CIDR) block format. Allowed block sizes range from a /16 netmask (65,536 IP addresses) to a /24 netmask (256 IP addresses). Specify a CIDR block within the private IP address ranges defined by RFC 1918. For details on IP addresses, refer to IP address range.

When setting the CIDR block for VPC, the following rules apply:

  • Allowed block sizes are /16 to /24 netmasks.
  • Only one CIDR block can be set for a VPC.
  • You cannot increase or decrease the size of the set CIDR block.

RFC 1918 Range                                 | Example of CIDR Block
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)         | 10.0.0.0/16
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)    | 172.31.0.0/16
192.168.0.0 - 192.168.255.255 (192.168.0.0/16) | 192.168.0.0/24

The following Route Table shows the local path of the VPC:

Destination | Target
10.0.0.0/16 | local

Reserved IP addresses

The first four IP addresses and the last IP address in the VPC's CIDR block are reserved. For example, if the VPC's CIDR block is 10.0.0.0/24, the following five IP addresses are reserved. Reserved addresses cannot be assigned to resources like BCS instances.

Reserved IP Address | Description
10.0.0.0            | Network address
10.0.0.1            | Address reserved by KakaoCloud for default gateway purposes
10.0.0.2            | Address reserved by KakaoCloud for future use
10.0.0.3            | Address reserved by KakaoCloud for future use
10.0.0.255          | Network broadcast address
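The CIDR rules above (IPv4 only, /16 to /24, inside an RFC 1918 range, one fixed block per VPC) and the reserved-address rule (first four addresses and the last) are easy to check before you submit a plan. The following is an added example for this page, not KakaoCloud code: the rules come from the text, while the function names and the sample blocks are this example's own. It also checks subnet plans and CIDR overlap between networks, which is the condition the Default VPC section warns about when connecting VPCs or on-premises networks.

```python
"""Offline checks for a VPC CIDR plan following the rules stated above.

Added example for this page, not KakaoCloud code: the rule set (IPv4 only,
/16 to /24, RFC 1918, first four and last address reserved) is taken from
the text; the function names and sample CIDRs are this example's own.
"""
import ipaddress

# Private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 24  # /16 (65,536 addresses) to /24 (256 addresses)


def validate_vpc_cidr(cidr: str) -> list:
    """Return the rule violations for a proposed VPC block; an empty list means it is acceptable."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/16
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if net.version != 4:
        return ["only IPv4 is supported"]
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} outside allowed /16 to /24")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("block is not inside an RFC 1918 private range")
    return problems


def reserved_addresses(cidr: str) -> dict:
    """Map each reserved address of the block to its purpose (the first four and the last)."""
    net = ipaddress.ip_network(cidr)
    base = net.network_address
    return {
        str(base): "network address",
        str(base + 1): "default gateway (reserved by KakaoCloud)",
        str(base + 2): "reserved by KakaoCloud for future use",
        str(base + 3): "reserved by KakaoCloud for future use",
        str(net.broadcast_address): "network broadcast address",
    }


def usable_address_count(cidr: str) -> int:
    """Addresses left for resources such as instances after the five reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - len(reserved_addresses(cidr))


def overlapping_pairs(cidrs) -> list:
    """Pairs of blocks that overlap; any hit means the networks cannot be connected cleanly."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def validate_subnets(vpc_cidr: str, subnet_cidrs) -> list:
    """Check that every subnet lies inside the VPC block and that no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet_cidrs = list(subnet_cidrs)
    problems = [f"{s} is not inside VPC {vpc}"
                for s in map(ipaddress.ip_network, subnet_cidrs) if not s.subnet_of(vpc)]
    problems += [f"{a} overlaps {b}" for a, b in overlapping_pairs(subnet_cidrs)]
    return problems


if __name__ == "__main__":
    # Constructed sample plan.
    for block in ("10.0.0.0/16", "10.0.0.0/8", "8.8.0.0/16", "10.0.0.1/16"):
        print(block, validate_vpc_cidr(block) or "ok")
    for addr, why in reserved_addresses("10.0.0.0/24").items():
        print(addr, "-", why)
    print(validate_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]))
    print(overlapping_pairs(["10.0.0.0/16", "10.0.128.0/17", "192.168.0.0/24"]))
```

Run the overlap check against every VPC and on-premises range you intend to connect before creating the VPC: the text notes that the block cannot be resized afterwards, so an overlap found later can only be fixed by rebuilding the network.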

Default VPC

All VPCs created in KakaoCloud are initialized in a default VPC state. Upon the creation of a VPC, a primary subnet is established alongside an internet gateway connection. Simultaneously, a main route table is configured to route all traffic through the internet gateway. This ensures that when an instance is deployed within the primary subnet of an Availability Zone and associated with a public IP address, it is immediately capable of accessing the internet.

  • VPC: When connecting to other on-premises environments or VPCs, ensure that the VPC CIDR blocks do not overlap. Communication between overlapping VPC CIDR blocks can be difficult, so carefully set up the IPv4 CIDR blocks.

  • Availability Zone (AZ): Select the AZ where you want to create the subnet. AZs are physically isolated and consist of one or more data centers, offering capabilities for operating production applications and databases with higher availability, fault tolerance, and scalability than a single data center. Splitting applications across different AZs allows for service continuity even in case of power outages, lightning, tornadoes, earthquakes, etc.

  • Public subnet: Refers to a subnet whose associated route table has a route pointing to the internet gateway. This allows BCS instances running in the subnet to access the internet publicly.

  • Private subnet: Refers to a subnet without a route in the connected route table pointing to the internet gateway. Use a private subnet to protect backend resources that do not need public internet access.

  • Subnet CIDR Block: Set the CIDR block for public and private subnets.
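The distinction drawn above, that a subnet is public or private purely because of whether its route table carries a route to the internet gateway, can be checked mechanically, and the same lookup models the routing behaviour described under Features. The following is an added example for this page, not KakaoCloud code: the route tables, the target names ("local", "internet-gateway", "vpn-gateway") and the subnet inventory are constructed for illustration.

```python
"""Route lookup and public/private subnet classification for the default VPC layout above.

Added example, not KakaoCloud code: the route tables, target names such as
"internet-gateway" and the subnet inventory are constructed for illustration.
"""
import ipaddress
from typing import Optional

# Constructed route tables: (destination CIDR, target). The "local" route is the VPC's own block.
MAIN_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "internet-gateway"),   # default route to the internet makes the subnet public
]
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("192.168.0.0/16", "vpn-gateway"),   # on-premises range reached over VPN
]

# Constructed subnet inventory recording the exposure each subnet is intended to have.
SAMPLE_SUBNETS = [
    {"name": "web-a", "cidr": "10.0.1.0/24", "intended": "public", "route_table": MAIN_ROUTE_TABLE},
    {"name": "db-a", "cidr": "10.0.2.0/24", "intended": "private", "route_table": MAIN_ROUTE_TABLE},
    {"name": "db-b", "cidr": "10.0.3.0/24", "intended": "private", "route_table": PRIVATE_ROUTE_TABLE},
]


def lookup_route(route_table, destination: str) -> Optional[str]:
    """Longest-prefix match: return the target for a destination IP, or None if no route covers it."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table) -> bool:
    """A subnet is public when its route table has a route pointing at the internet gateway."""
    return any(target == "internet-gateway" for _, target in route_table)


def audit_subnets(subnets) -> list:
    """Names of subnets meant to be private whose route table nevertheless reaches the internet gateway."""
    return [s["name"] for s in subnets
            if s["intended"] == "private" and is_public_subnet(s["route_table"])]


if __name__ == "__main__":
    for dest in ("10.0.3.7", "203.0.113.5", "192.168.10.4"):
        print(dest, "main ->", lookup_route(MAIN_ROUTE_TABLE, dest),
              "| private ->", lookup_route(PRIVATE_ROUTE_TABLE, dest))
    print("private subnets exposed via IGW:", audit_subnets(SAMPLE_SUBNETS))
```

In the constructed inventory, "db-a" is the case to watch for: it was created in the default state, so it still sits on the main route table with its default route to the internet gateway, and a public IP attached to any instance in it would be reachable from outside. Moving such subnets to a table without the internet gateway route is what turns them into the private subnets the text describes.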

IAM-based role management

VPC's role management follows IAM role-based access control (RBAC).

  • Only the Project Admin can create and manage VPCs, subnets and route tables.
  • Each user role may or may not be granted the create, view, configure and delete functions. If you do not have permission for a feature, the related buttons or screens are not shown.

VPC

Project Admin can create and manage VPCs, while Project Members and Project Readers can only view VPCs.

Permissions by Role | Project Admin | Project Member | Project Reader
Create VPC          | ✓             |                |
View VPC            | ✓             | ✓              | ✓
Configure VPC       | ✓             |                |
Delete VPC          | ✓             |                |

Subnet

Project Admin can create and manage subnets, while Project Members and Project Readers can only view subnets.

Permissions by Role | Project Admin | Project Member | Project Reader
Create subnet       | ✓             |                |
View subnet         | ✓             | ✓              | ✓
Configure subnet    | ✓             |                |
Delete subnet       | ✓             |                |

Route table

Project Admin can create and manage route tables, while Project Members and Project Readers can only view route tables.

Permissions by Role   | Project Admin | Project Member | Project Reader
Create route table    | ✓             |                |
View route table      | ✓             | ✓              | ✓
Configure route table | ✓             |                |
Delete route table    | ✓             |                |

Security group

Project Admin and Members can create and manage security groups.

Permissions by Role          | Project Admin | Project Member | Project Reader
Create security group        | ✓             | ✓              |
View security group          | ✓             | ✓              |
Change security group policy | ✓             | ✓              |
Copy security group          | ✓             | ✓              |
Delete security group        | ✓             | ✓              |

Public IP

Project Members and Project Readers cannot access the public IP list. If they have access rights to a resource connected to a public IP, they can view the connected public IP on the resource's detail page. Only Project Admin has access and control.

Permissions by Role    | Project Admin | Project Member | Project Reader
Create public IP       | ✓             |                |
View public IP         | ✓             |                |
Associate public IP    | ✓             |                |
Disassociate public IP | ✓             |                |
Delete public IP       | ✓             |                |

Managing Members

Access rights to the network and the resources within a project are managed by adding or removing project members or administrators. For details on managing project members, refer to Manage project-level roles.


Getting started

Detailed guides on using the VPC service are provided in the How-to Guides. If you are new to KakaoCloud, refer to Getting started with KakaoCloud.