VPC Overview
KakaoCloud Virtual Private Cloud (VPC) provides a logically isolated virtual network environment. You can operate KakaoCloud resources flexibly within this virtual network. Users can configure their own VPC, create subnets, and group resources, as well as flexibly configure networks by subdividing IP addresses. Additionally, you can control network traffic and enhance security using security groups.
Purpose and Use Cases
Replacing On-premises Physical Network Environment
VPC replaces the network infrastructure of an on-premises environment (on-premises: company-owned data centers or server rooms). Setting up an on-premises network means procuring, installing, and configuring physical network devices such as routers and switches, as well as servers. This process can take a lot of time, from ordering equipment to securing space and leasing lines. Modifying the initially configured network later also requires a significant amount of time and resources. VPC solves these challenges.
With VPC, users can easily create and control networks based on network virtualization technology. You can set up a network environment similar to configuring network equipment on-premises in just a few clicks.
Using Public and Private Subnets
You can divide the network into multiple subnets depending on the use and purpose. For example, web servers that need to be exposed externally can be deployed in a public subnet, while database servers that should be minimally exposed to the outside world can be deployed in a private subnet. This setup is similar to the use of Demilitarized Zones (DMZ) and Private Zones in on-premises environments.
Multi/Hybrid Cloud Setup
You can connect your network with external networks and use them as one unified network. A hybrid setup with an on-premises environment via VPN or dedicated line, co-location-based hybrid setups where on-premises environments are moved to Internet Data Centers (IDCs), and multi-cloud configurations with other clouds are easy to set up.
Features
Logically Isolated Environment
- The virtual network implemented by VPC provides a logically isolated environment.
- It allows users to freely configure the network without external interference, like owning a private IDC (Internet Data Center).
- Servers deployed on the network are fully isolated unless explicitly exposed via public IP or connected via dedicated lines, VPN, etc.
Virtual Server Deployment Environment
- VPC can be used as a deployment environment for virtual servers such as Virtual Machine instances or Kubernetes Engine worker nodes.
- Servers deployed on the network are assigned private IPs within the network and communicate with other servers or network components in the same network.
Traffic Control through Routing Configuration
- Routing settings allow users to control traffic for servers deployed in each subnet.
- It enables users to control traffic within the network, send it to the public network, or route it through VPN and dedicated lines to on-premises environments.
Network Security via Security Groups
- Security groups are used to enhance the security of servers deployed in the network.
- They operate on a whitelist basis, allowing only traffic that matches the configured policies.
- Security groups are stateful: return traffic for a connection permitted by a policy is accepted automatically, without an additional rule.
External Internet Access
- Provides public IP addresses, allowing resources to be reached from the internet via the public IP.
Global Standard-based IaC (Infrastructure as Code) Tools
- KakaoCloud BNS follows global standards that allow users to control all resources via APIs.
- Users can define VPC network resources as code using IaC tools like Terraform.
VPC IP CIDR Block
KakaoCloud VPC supports IPv4 addresses. When creating a VPC, you must specify the IPv4 address range in Classless Inter-Domain Routing (CIDR) block format. The allowed block size ranges from /16 to /24 netmask. When creating a VPC, you must specify a CIDR block that falls within the private IP address range according to the RFC 1918 specification. For detailed explanations on IP addresses, refer to the IP address range documentation.
- The actual number of IP addresses that can be assigned within a created VPC depends on the number of subnets and the CIDR block size of each subnet.
When setting a CIDR block for a VPC, the following rules apply:
- Allowed block sizes range from /16 to /24 netmask.
- A VPC can only have one CIDR block.
- The CIDR information of an already created VPC cannot be modified.
RFC 1918 Range | Example CIDR Block |
---|---|
10.0.0.0 - 10.255.255.255 (10.0.0.0/8) | 10.0.0.0/16 |
172.16.0.0 - 172.31.255.255 (172.16.0.0/12) | 172.31.0.0/16 |
192.168.0.0 - 192.168.255.255 (192.168.0.0/16) | 192.168.0.0/24 |
- It is recommended to specify a CIDR block that falls within the private IP address range according to the RFC 1918 specification when creating a VPC.
The following routing table shows the local route for the VPC:
Destination | Target |
---|---|
10.0.0.0/16 | local |
Default VPC
Every VPC created in KakaoCloud is initially created as a default VPC. When a VPC is created, a default subnet, a connected internet gateway, and a default routing table that sends all traffic to the internet gateway are automatically created. By creating a BCS instance in the default subnet of an availability zone and attaching a public IP, you can access the internet immediately.
- VPC: To connect a VPC to an on-premises environment or other VPCs, the VPC CIDR block must not overlap. Communication between VPCs with overlapping CIDR blocks is not possible, so careful selection of the IPv4 CIDR block is important.
- Availability Zone: You choose the availability zone where the subnet will be created. Availability zones provide higher availability, fault tolerance, and scalability for production applications and databases by being physically isolated in different data centers. By spreading applications across different availability zones, service continuity can be maintained even during power outages, lightning, tornadoes, or earthquakes.
- Public Subnet: A subnet where the routing table is configured to point to the internet gateway. This enables BCS instances in the subnet to publicly access the internet.
- Private Subnet: A subnet where the routing table is not configured to point to the internet gateway. Private subnets protect backend resources that do not need to be publicly accessed over the internet.
- Subnet CIDR Block: The CIDR block for public and private subnets.
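The CIDR rules above (block size /16 to /24, RFC 1918 range, a single unmodifiable block) and the no-overlap requirement for VPCs that must be connected, expressed as a pre-creation check. This is an added example using Python's standard `ipaddress` module, not KakaoCloud code; the function names and messages are the example's own.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the table above.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 24  # allowed VPC block sizes: /16 through /24


def validate_vpc_cidr(cidr, existing=()):
    """Check a proposed VPC CIDR against the rules on this page.

    Returns a list of violations; an empty list means the block is acceptable.
    `existing` holds CIDRs of other VPCs or on-premises networks this VPC must
    later connect to; the page requires that these do not overlap.
    """
    problems = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.1.0/16
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:  # bad syntax, IPv6 input, or host bits set
        return [f"not a valid IPv4 network: {exc}"]

    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not within an RFC 1918 private range")
    for other in existing:
        if net.overlaps(ipaddress.IPv4Network(other)):
            problems.append(f"overlaps {other}, so the two networks could not be connected")
    return problems


def subnet_address_total(vpc_cidr, subnet_cidrs):
    """Total addresses covered by a VPC's subnets.

    The page notes that assignable addresses depend on the subnets, not the
    VPC block. Each subnet must lie inside the VPC and must not overlap another.
    Per-subnet reserved addresses are not stated on the page, so none are deducted.
    """
    vpc = ipaddress.IPv4Network(vpc_cidr)
    nets = [ipaddress.IPv4Network(s) for s in subnet_cidrs]
    for i, s in enumerate(nets):
        if not s.subnet_of(vpc):
            raise ValueError(f"{s} is not inside {vpc}")
        if any(s.overlaps(t) for t in nets[i + 1:]):
            raise ValueError(f"{s} overlaps another subnet")
    return sum(s.num_addresses for s in nets)


if __name__ == "__main__":
    print(validate_vpc_cidr("10.0.1.0/16"))                     # host bits set
    print(validate_vpc_cidr("10.0.0.0/16", ["10.0.128.0/24"]))  # overlap
    print(subnet_address_total("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))  # 512
```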
IAM-based role management
VPC role management follows IAM (Identity and Access Management) role-based access control (RBAC).
- Only project administrators can create/manage VPCs, subnets, and routing tables.
- Permissions are granted or restricted based on user roles, and certain actions like creation, viewing, configuration, and deletion are either available or unavailable depending on the assigned role.
VPC
Project admins (Admin) can create and manage VPCs, while project members (Member) and project leaders (Reader) can only view VPCs.
Item | Project Admin (Admin) | Project Member (Member) | Project Leader (Reader) |
---|---|---|---|
Create VPC | ✓ | | |
View VPC | ✓ | ✓ | ✓ |
Configure VPC | ✓ | | |
Delete VPC | ✓ | | |
Subnet
Project admins (Admin) can create and manage subnets, while project members (Member) and project leaders (Reader) can only view subnets.
Item | Project Admin (Admin) | Project Member (Member) | Project Leader (Reader) |
---|---|---|---|
Create Subnet | ✓ | | |
View Subnet | ✓ | ✓ | ✓ |
Configure Subnet | ✓ | | |
Delete Subnet | ✓ | | |
Share Subnet | ✓ | | |
Routing table
Project admins (Admin) can create and manage routing tables, while project members (Member) and project leaders (Reader) can only view routing tables.
Item | Project Admin (Admin) | Project Member (Member) | Project Leader (Reader) |
---|---|---|---|
Create Routing Table | ✓ | | |
View Routing Table | ✓ | ✓ | ✓ |
Configure Routing Table | ✓ | | |
Delete Routing Table | ✓ | | |
Security group
Project admins (Admin) and project members (Member) can create and manage security groups.
Item | Project Admin (Admin) | Project Member (Member) | Project Leader (Reader) |
---|---|---|---|
Create Security Group | ✓ | ✓ | |
View Security Group | ✓ | ✓ | ✓ |
Modify Security Group | ✓ | ✓ | |
Copy Security Group | ✓ | ✓ | |
Delete Security Group | ✓ | ✓ | |
Public IP
Project members (Member) and project leaders (Reader) cannot access the public IP list but can see the connected public IP in the resource details if they have the necessary permissions.
Item | Project Admin (Admin) | Project Member (Member) | Project Leader (Reader) |
---|---|---|---|
Create Public IP | ✓ | | |
View Public IP | ✓ | | |
Associate Public IP | ✓ | | |
Disassociate Public IP | ✓ | | |
Delete Public IP | ✓ | | |
Network interface
Project admins (Admin) and project members (Member) can create and manage network interfaces.
Item | Project Admin (Admin) | Project Member (Member) | Project Leader (Reader) |
---|---|---|---|
Create Network Interface | ✓ | ✓ | |
View Network Interface | ✓ | ✓ | ✓ |
Delete Network Interface | ✓ | ✓ | |
Modify Network Interface | ✓ | ✓ | |
You can manage access to the network and resources within a project by adding or removing project members or administrators. For more details on managing project roles, refer to Project Role Management.
Getting Started
For detailed usage guides on VPC, refer to How-to Guides. If you're new to KakaoCloud, please refer to Getting Started with KakaoCloud.