
Building network using NAT instances in multi-availability zones

This document introduces how to deploy a NAT (Network Address Translation) instance built from a KakaoCloud VM (Virtual Machine) in each availability zone of a multi-availability-zone environment.

Basic information
  • Estimated time: 40 minutes
  • Recommended operating system: macOS, Ubuntu
  • Region: kr-central-2

About this scenario

In the KakaoCloud VPC environment, you can deploy a NAT instance in each availability zone. Through this configuration, even if a failure occurs in one availability zone, the workloads in other availability zones can continue to communicate with the outside through the NAT instance in their respective zone without interruption. This ensures the smooth operation of the overall cloud system and helps prevent potential service downtime.

This document explains step-by-step how to configure instances in a private subnet to safely communicate with the outside world through a NAT instance in the KakaoCloud VPC environment. The main contents of this scenario are as follows:

  • Creating and configuring NAT instance: Create and set up a NAT instance that supports external communication.
  • Configuring route table: Create a route table for the private subnet and configure it to route requests to the external Internet to the NAT instance in the corresponding availability zone.
  • Setting security group and inbound rules: For security, restrict ports for requests through the NAT instance to ports 80 (HTTP) and 443 (HTTPS).

[Image: Scenario architecture]

Step-by-step process

Let's configure NAT instances so that workloads in the private subnets of a KakaoCloud VPC can reach the Internet.

Step 1. Create VPC and subnet

Create VPC and subnet.

  1. Go to KakaoCloud Console > Beyond Networking Service > VPC.

  2. Click the [Create VPC] button in the VPC menu, and then create VPC and subnet as follows.

    Category            Item                              Settings/Input values
    VPC info            VPC name                          tutorial
                        VPC IP CIDR block                 10.0.0.0/16
    Availability Zone   Number of AZs                     2
                        First availability zone           kr-central-2-a
                        Second availability zone          kr-central-2-b
    Subnet settings     Number of public subnets per AZ   1
                        Number of private subnets per AZ  4
                        kr-central-2-a                    Public Subnet IPv4 CIDR block: 10.0.0.0/20
                                                          Private Subnet IPv4 CIDR blocks: 10.0.16.0/20, 10.0.32.0/20, 10.0.48.0/20, 10.0.64.0/20
                        kr-central-2-b                    Public Subnet IPv4 CIDR block: 10.0.80.0/20
                                                          Private Subnet IPv4 CIDR blocks: 10.0.96.0/20, 10.0.112.0/20, 10.0.128.0/20, 10.0.144.0/20
  3. After checking the diagram generated at the bottom, click the [Create] button.

    • The status of the subnet will change in the order of Pending Create > Pending Update > Active. You can proceed to the next step only when the status is Active.
    • It may take about 5 to 10 minutes to create.

Step 2. Create security group

To strengthen security for VMs running in VPC, create a security group and add inbound and outbound rules as follows.

  1. Go to KakaoCloud Console > Beyond Networking Service > VPC.

  2. Click the [Create security group] button on the Security Group tab.

  3. Enter tutorial-nat-sg in Security group name.

  4. Click the [Add] button at the bottom and set the inbound conditions as follows.

    Policy description     Protocol   Packet Source            Port Number
    inbound http policy    TCP        10.0.0.0/16              80
    inbound https policy   TCP        10.0.0.0/16              443
    ssh policy             TCP        {User's Public IP}/32    22
  5. Set the outbound conditions as follows.

    Policy Description       Protocol   Packet Destination     Port Number
    outbound http policy     TCP        0.0.0.0/0              80
    outbound https policy    TCP        0.0.0.0/0              443
    outbound DNS policy      UDP        169.254.169.253/32     53
    outbound DNS policy 2    UDP        10.0.0.2/32            53
  6. Click the [Create] button.
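To see what the tutorial-nat-sg rules above actually permit, here is an added example (not KakaoCloud code) that evaluates sample packets against the Step 2 allow-list; OPERATOR_IP stands in for {User's Public IP} and the Internet addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str    # "TCP", "UDP" or "ALL"
    cidr: str     # packet source (inbound rules) or destination (outbound rules)
    ports: tuple  # inclusive (low, high); use (0, 65535) for ALL


def allows(rules, proto, ip, port):
    """A security group is an allow-list: the packet passes if any rule matches."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r.proto != "ALL" and r.proto != proto:
            continue
        if addr not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        if r.ports[0] <= port <= r.ports[1]:
            return True
    return False


# tutorial-nat-sg as defined in Step 2. OPERATOR_IP is a constructed stand-in
# for {User's Public IP}; the Internet hosts below are documentation addresses.
OPERATOR_IP = "203.0.113.10"
NAT_INBOUND = [
    Rule("TCP", "10.0.0.0/16", (80, 80)),
    Rule("TCP", "10.0.0.0/16", (443, 443)),
    Rule("TCP", f"{OPERATOR_IP}/32", (22, 22)),
]
NAT_OUTBOUND = [
    Rule("TCP", "0.0.0.0/0", (80, 80)),
    Rule("TCP", "0.0.0.0/0", (443, 443)),
    Rule("UDP", "169.254.169.253/32", (53, 53)),
    Rule("UDP", "10.0.0.2/32", (53, 53)),
]


def check_policy():
    """Evaluate the flows this scenario relies on and the ones it should block."""
    return {
        # a VM in private subnet 10.0.16.0/20 sends an HTTPS request via the NAT instance
        "private vm https in": allows(NAT_INBOUND, "TCP", "10.0.16.25", 443),
        # the NAT instance forwards that request to an Internet host
        "nat https out": allows(NAT_OUTBOUND, "TCP", "198.51.100.20", 443),
        # name resolution through the VPC resolver
        "nat dns out": allows(NAT_OUTBOUND, "UDP", "10.0.0.2", 53),
        # an Internet host tries to reach SSH on the NAT instance: no matching rule
        "internet ssh in": allows(NAT_INBOUND, "TCP", "198.51.100.7", 22),
        # a private VM tries to relay SMTP through the NAT instance: no matching rule
        "private vm smtp in": allows(NAT_INBOUND, "TCP", "10.0.16.25", 25),
        # the NAT instance itself cannot originate traffic on unlisted ports either
        "nat smtp out": allows(NAT_OUTBOUND, "TCP", "198.51.100.20", 25),
    }
```

Because the inbound rules accept only ports 80 and 443 from 10.0.0.0/16, private VMs cannot use the NAT instance for any other protocol (ICMP ping included), which is exactly the restriction this step intends.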

Step 3. Create NAT instance

Creating a NAT instance allows instances in the private subnet to securely communicate with the Internet. A NAT instance allows instances in the private subnet to send traffic to the Internet, but blocks direct access from the Internet. This enhances security and allows instances in the private subnet to receive necessary updates and patches.

  1. Go to KakaoCloud Console > Beyond Compute Service > Virtual Machine.

  2. In the Instance menu, click the [Create instance] button, and then create VM instances in two availability zones as follows.

    Input values by availability zone:

    kr-central-2-a
      - Basic information: Name tutorial-nat-instance-a, Quantity 1
      - Image: Ubuntu 20.04 - 5.4.0-173 (⚠️ select a generic image, not an NVIDIA image)
      - Instance type: t1i.nano
      - Volume: Root Volume 30
      - Key Pair: select a key pair
      - Network: VPC tutorial; Subnet main (the public subnet in availability zone kr-central-2-a); Security Group tutorial-nat-sg

    kr-central-2-b
      - Basic information: Name tutorial-nat-instance-b, Quantity 1
      - Image: Ubuntu 20.04 - 5.4.0-173 (⚠️ select a generic image, not an NVIDIA image)
      - Instance type: t1i.nano
      - Volume: Root Volume 30
      - Key Pair: select a key pair
      - Network: VPC tutorial; Subnet in the tutorial_{VPC_CODE}_sn_1 format (10.0.80.0/20, the public subnet of availability zone kr-central-2-b: select the subnet whose name ends with sn_1); Security Group tutorial-nat-sg
  3. Check all input values and click the [Create] button at the bottom of the console to create the virtual machines.

Step 4. Set NAT instance

Grant public IPs for communication with the Internet to the two NAT instances (tutorial-nat-instance-a and tutorial-nat-instance-b) created in the two availability zones, then proceed with the NAT settings.

① tutorial-nat-instance-a
  1. In the Virtual Machine > Instance tab, select the tutorial-nat-instance-a instance created above, and click the [Connect Public IP] button on the right.

  2. When the Public IP connection settings pop-up window appears, select Create new public IP and assign automatically in Public IP allocation and click the [OK] button. You can check the connected Public IP in the Network tab.

  3. After running the terminal in the local environment, use the cd command to move to the folder where the Key Pair file was downloaded.

    • If you created and used the private key file for the first time, it is saved in the Downloads folder by default. (cd ~/Downloads)
  4. From the folder where the Key Pair file was downloaded, access the instance with SSH.

    SSH access
    chmod 400 {PRIVATE_KEY}.pem # Grant read permission to the owner only
    ssh -i {PRIVATE_KEY}.pem ubuntu@{NAT_INSTANCE_PUBLIC_IP}

    Parameter                  Description
    {PRIVATE_KEY}              Private key file name
    {NAT_INSTANCE_PUBLIC_IP}   Go to Virtual Machine > Instance, click on the tutorial-nat-instance-a instance, and check the details in the Network tab.
  5. Configure the NAT instance with the following command. If you need to agree in the middle, type Yes or press Enter.

    • This command automatically configures the NAT instance. Specifically, it enables IP forwarding, identifies and selects an available network interface, and configures masquerading (source NAT) for traffic leaving that interface.
    Configure NAT instance
    sudo apt-get update -y

    # Enable IP forwarding persistently. Ubuntu ships the setting commented out
    # (#net.ipv4.ip_forward=1): uncomment or replace it, or append it if absent.
    if grep -q '^#\?net.ipv4.ip_forward=' /etc/sysctl.conf; then
        sudo sed -i 's/^#\?net.ipv4.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
    fi
    sudo sysctl -p

    # Pick the first non-loopback, non-virtual, non-wireless interface
    INTERFACE=$(ip link | awk -F: '$0 !~ "lo|vir|wl|^[^0-9]"{print $2;getline}' | head -n 1 | tr -d ' ')
    sudo /sbin/iptables -t nat -A POSTROUTING -o "${INTERFACE}" -j MASQUERADE
    # Persist the rule across reboots (the installer asks whether to save the current rules)
    sudo apt-get install -y iptables-persistent
  6. When the window below pops up, press Enter with Yes selected. [Image]

  7. The result screen is as follows. [Image]

② tutorial-nat-instance-b

Repeat the above steps for tutorial-nat-instance-b, referring to tutorial-nat-instance-a.



Step 5. Change source/destination check setting

By default, an instance checks the source/destination and only receives traffic destined for itself. However, a NAT instance must be able to send and receive traffic even if the source and destination of the traffic are not itself. In this case, you can set the created instance as a NAT instance using the Change source/destination check function of the instance.

  1. Go to KakaoCloud Console > Beyond Compute Service > Virtual Machine.

  2. In the Instance tab, select the [More] icon of the instance tutorial-nat-instance-a > Change source/destination checks.

  3. In the pop-up window, select Stop origin/destination confirmation and click the [Complete] button.

  4. For tutorial-nat-instance-b, repeat steps 1 to 3 above, select Stop origin/destination confirmation and click the [Complete] button.

Step 6. Create and configure route table

A route table defines where requests from a subnet to a given destination are sent. Here, requests leaving each private subnet for the Internet (0.0.0.0/0) are routed through the NAT instance in the availability zone that the subnet belongs to.

  1. Go to KakaoCloud Console > Beyond Networking Service > VPC.

  2. In the Route Table menu, click the [Create route table] button, and then create a route table in two availability zones as follows.

    Settings by availability zone   kr-central-2-a       kr-central-2-b
    Route Table name                tutorial-priv-a-rt   tutorial-priv-b-rt
    VPC                             tutorial             tutorial
  3. Click the name of the created route table to access the route table details page.

  4. Click the [Add Route] button in the Route tab.

  5. Set each availability zone to route requests destined for 0.0.0.0/0 to a NAT instance within the availability zone. You can check the instance ID in the Virtual Machine > Instance tab.

    Settings by route table   tutorial-priv-a-rt             tutorial-priv-b-rt
    Target type               Instance                       Instance
    Target instance           {tutorial-nat-instance-a-id}   {tutorial-nat-instance-b-id}
    Destination               0.0.0.0/0                      0.0.0.0/0
  6. In the Connection tab of each route table, click the [Connection Settings] button, and click the [Connect] button to apply the private subnet corresponding to each availability zone.

    Route Table: tutorial-priv-a-rt

    Establish connection by checking the following information.

    Subnet                    IP CIDR block    Route Table
    tutorial_{VPC_ID}_sn_5    10.0.64.0/20     tutorial_{VPC_ID}_private_rt
    tutorial_{VPC_ID}_sn_4    10.0.48.0/20     tutorial_{VPC_ID}_private_rt
    tutorial_{VPC_ID}_sn_3    10.0.32.0/20     tutorial_{VPC_ID}_private_rt
    tutorial_{VPC_ID}_sn_2    10.0.16.0/20     tutorial_{VPC_ID}_private_rt

    Route Table: tutorial-priv-b-rt

    Establish connection by checking the following information.

    Subnet                    IP CIDR block    Route Table
    tutorial_{VPC_ID}_sn_9    10.0.144.0/20    tutorial_{VPC_ID}_private_rt
    tutorial_{VPC_ID}_sn_8    10.0.128.0/20    tutorial_{VPC_ID}_private_rt
    tutorial_{VPC_ID}_sn_7    10.0.112.0/20    tutorial_{VPC_ID}_private_rt
    tutorial_{VPC_ID}_sn_6    10.0.96.0/20     tutorial_{VPC_ID}_private_rt
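The point of Step 6 is that every private subnet exits through the NAT instance of its own availability zone. The following added example (not KakaoCloud code) checks the Step 1 subnet plan and the Step 6 route tables for that property and for overlapping or unattached subnets; the instance ids are the page's placeholders.

```python
import ipaddress

VPC = ipaddress.ip_network("10.0.0.0/16")
# Subnet layout entered in Step 1: availability zone -> kind -> CIDR blocks.
SUBNETS = {
    "kr-central-2-a": {"public": ["10.0.0.0/20"], "private": [
        "10.0.16.0/20", "10.0.32.0/20", "10.0.48.0/20", "10.0.64.0/20"]},
    "kr-central-2-b": {"public": ["10.0.80.0/20"], "private": [
        "10.0.96.0/20", "10.0.112.0/20", "10.0.128.0/20", "10.0.144.0/20"]},
}
# Zone each NAT instance runs in (ids are the page's placeholders, not real ids).
NAT_AZ = {"{tutorial-nat-instance-a-id}": "kr-central-2-a",
          "{tutorial-nat-instance-b-id}": "kr-central-2-b"}
# Route tables from Step 6: name -> (zone, 0.0.0.0/0 target, attached subnets).
ROUTE_TABLES = {
    "tutorial-priv-a-rt": ("kr-central-2-a", "{tutorial-nat-instance-a-id}",
                           SUBNETS["kr-central-2-a"]["private"]),
    "tutorial-priv-b-rt": ("kr-central-2-b", "{tutorial-nat-instance-b-id}",
                           SUBNETS["kr-central-2-b"]["private"]),
}


def find_problems(subnets=SUBNETS, route_tables=ROUTE_TABLES, nat_az=NAT_AZ):
    """Return a list of findings; an empty list means the plan is consistent."""
    problems = []
    index = {}  # cidr -> (zone, kind)
    for az, kinds in subnets.items():
        for kind, cidrs in kinds.items():
            for cidr in cidrs:
                if not ipaddress.ip_network(cidr).subnet_of(VPC):
                    problems.append(f"{cidr} lies outside {VPC}")
                index[cidr] = (az, kind)
    nets = [ipaddress.ip_network(c) for c in index]
    for i, a in enumerate(nets):  # the /20 blocks must not overlap
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    attached = set()
    for name, (rt_az, target, cidrs) in route_tables.items():
        # The multi-AZ argument: a private subnet must NAT through the instance
        # in its own zone, so a failure in one zone cannot cut off the other.
        if nat_az.get(target) != rt_az:
            problems.append(f"{name}: default route leaves {rt_az} via {target}")
        for cidr in cidrs:
            az, kind = index.get(cidr, (None, None))
            if kind != "private":
                problems.append(f"{name}: {cidr} is not a private subnet")
            elif az != rt_az:
                problems.append(f"{name}: {cidr} belongs to {az}, not {rt_az}")
            attached.add(cidr)
    for cidr, (az, kind) in index.items():
        if kind == "private" and cidr not in attached:
            problems.append(f"{cidr} is not attached; it keeps the VPC default route table")
    return problems
```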

Step 7. Check VPC topology

Check if the VPC is properly configured in the Topology tab of the VPC.

[Image: VPC topology]

Check results

To check the results, create 3 VM instances in KakaoCloud Virtual Machine, including a Bastion host. Then confirm that the public IP seen by a VM in a private subnet matches the public IP of the NAT instance in its availability zone.

  • The Bastion host acts as a gateway to help securely access internal resources from the outside.

Step 1. Create security group for Bastion instance

Create a security group for the Bastion instance as follows and set the inbound policy.

  1. Select the Security Group tab from the VPC.

  2. Click the [Create security group] button.

  3. In the pop-up, enter sg-bastion in the Security Group name.

  4. Add all of the following rules to the Inbound rules tab and click the [Create] button.

    Inbound Policy              Protocol   Packet Source           Port Number
    bastion inbound policy 1    TCP        {Your Public IP}/32     10000-10010
    bastion inbound policy 2    TCP        {Your Public IP}/32     81
    bastion ssh policy          TCP        {Your Public IP}/32     22
  5. Add the following rules to the Outbound rules tab and click the [Create] button.

    Outbound Policy            Protocol   Packet Destination   Port Number
    bastion outbound policy    ALL        0.0.0.0/0            ALL

Step 2. Create Bastion instance

  1. In the Beyond Compute Service > Virtual Machine > Instance tab, click the [Create instance] button and create the necessary Bastion instances from the list below.

    Item                 Description
    Basic information    - Name: tutorial-bastion
                         - Quantity: 1
    Image                Ubuntu 20.04 - 5.4.0-173 (⚠️ select a generic image, not an NVIDIA image)
    Instance type        t1i.nano
    Volume               Root Volume: 30
    Key Pair             Use the existing key pair used in the above task
    Network              - VPC: tutorial
                         - Subnet: main
                         - Security Group: sg-bastion (use the current settings)

Step 3. Create security group for Private instance

  1. Go to VPC > Security Group.

  2. Click the [Create security group] button.

  3. In the pop-up, enter private-vm-sg in the security group name.

  4. Add all of the following rules to the Inbound rules tab and click the [Create] button.

    • Traffic to the internal hosts is forwarded through the Bastion host, so az-a-vm and az-b-vm must accept SSH traffic sent from Bastion. Check in the KakaoCloud Console that the security group's inbound rules include the following rule, and add it if it is missing.
    Inbound Policy               Protocol   Packet Source               Port Number
    private-vm inbound policy    TCP        {BASTION_PRIVATE_IP}/32     22

    {BASTION_PRIVATE_IP}: Private IP of tutorial-bastion; check it in the Virtual Machine > Instance tab.
  5. Add the following policy to the Outbound Policy tab and click the [Create] button.

    Outbound Policy               Protocol   Packet Destination   Port Number
    private-vm outbound policy    ALL        0.0.0.0/0            ALL

Step 4. Create instances by availability zone

Click the [Create instance] button in the Beyond Compute Service > Virtual Machine > Instance tab, and create VM instances to be placed in two availability zones as follows.

Settings by availability zone:

kr-central-2-a
  - Basic information: Name az-a-vm, Quantity 1
  - Image: Ubuntu 20.04 - 5.4.0-173 (⚠️ select a generic image, not an NVIDIA image)
  - Instance type: t1i.nano
  - Volume: Root Volume 30
  - Key Pair: use the existing key pair used in the above task
  - Network: VPC tutorial; Subnet tutorial_{VPC_ID}_sn_2 (10.0.16.0/20); Security Group private-vm-sg

kr-central-2-b
  - Basic information: Name az-b-vm, Quantity 1
  - Image: Ubuntu 20.04 - 5.4.0-173 (⚠️ select a generic image, not an NVIDIA image)
  - Instance type: t1i.nano
  - Volume: Root Volume 30
  - Key Pair: use the existing key pair used in the above task
  - Network: VPC tutorial; Subnet tutorial_{VPC_ID}_sn_6 (10.0.96.0/20); Security Group private-vm-sg

Step 5. Attach public IP to Bastion instance

The Bastion host must be accessible from the outside, so set the public IP as follows.

  1. In the Virtual Machine > Instance tab, select the tutorial-bastion instance you created above, and click the [Associate public IP] button on the right.

  2. When the Public IP Connection Settings pop-up window appears, select Create new public IP and assign automatically in Public IP allocation, and click the [OK] button.

    • You can check the associated public IP in the Network tab.

Step 6. Set up Bastion host

  1. After running the terminal in the local environment, use the cd command to move to the folder where the key pair file was downloaded.

  2. Access SSH by running the following command.

    SSH Access
    chmod 400 ${PRIVATE_KEY}.pem # Grant read permission to the owner only
    ssh -i ${PRIVATE_KEY}.pem ubuntu@${BASTION_PUBLIC_IP}

    Item                   Description
    ${PRIVATE_KEY}         Key file name
    ${BASTION_PUBLIC_IP}   Click the tutorial-bastion instance created in the Virtual Machine > Instance menu, and check it in the Network tab

    Info: If a bad permissions error occurs due to a key pair file permission issue, you can solve the problem by adding the sudo command.

  3. To configure the Bastion host using nginx-proxy-manager, connect to the Bastion host via SSH and run the command below to provision it.

    Bastion host configuration
    sudo curl -o /tmp/init-bastion.sh https://raw.githubusercontent.com/kakaoenterprise/kc-handson-config/vm-3tier/init-bastion.sh
    bash /tmp/init-bastion.sh
  4. When the above task is completed, nginx-proxy-manager will run. Open a browser in your local user environment and enter the address below to access the management page.

    • http://${BASTION_PUBLIC_IP}:81/login

    • ID: admin@example.com
    • Password: changeme
  5. Register streams for each host (az-a-vm, az-b-vm) in Dashboard > Streams. You can check the Private IP of each instance in each availability zone in the Virtual Machine > Instance tab, then click the instance in the Network tab.

    Settings by availability zone   az-a-vm                az-b-vm
    Incoming Port                   10000                  10001
    Forward Host                    az-a-vm's Private IP   az-b-vm's Private IP
    Forward Port                    22                     22
    Forwarding Protocol             TCP                    TCP
  6. After moving to the folder where the Key Pair file was downloaded, check if each host can be accessed in the user's local environment. Based on the forwarding information performed above, connect to the internal host mapped to the port.

    Check access by host
    # az-a-vm (incoming port 10000)
    ssh -i ${PRIVATE_KEY}.pem ubuntu@${BASTION_PUBLIC_IP} -p 10000

    # az-b-vm (incoming port 10001)
    ssh -i ${PRIVATE_KEY}.pem ubuntu@${BASTION_PUBLIC_IP} -p 10001

Step 7. Check if IP matches

By running the command below, you can check the public IP used for external communication. If the IP matches the public IP of the NAT instance, the operation has been successfully completed. You can find the public IP of the NAT instance by going to the Virtual Machine > Instance tab, clicking on tutorial-nat-instance-a / tutorial-nat-instance-b, and checking the Network tab.

Check if IP matches
curl https://ifconfig.me/ip
# Example result: ***.***.***.***