
🚦 LabGuide - AWS Transit Gateway

Author : ongja.cloudnet@


AWS Transit Gateway reference links

AWS Transit Gateway official documentation
AWS Transit Gateway overview
Multicast on AWS Transit Gateway
Centralizing AWS Transit Gateway monitoring
AWS Transit Gateway pricing

💡 For anything related to an AWS service, read the official AWS documentation first.
If the Korean translation reads awkwardly, switch the page to English and read it there.



1. AWS Transit Gateway Theory


1.1 What is AWS Transit Gateway?

  • AWS Transit Gateway is a service that lets you connect networks such as VPCs and on-premises sites to a single gateway.
  • With AWS Transit Gateway you create and manage only one connection from each network to the central gateway.
  • It is a hub-and-spoke model: each connected network attaches only to the Transit Gateway instead of to every other network, which greatly simplifies management and reduces operating cost.

1.2 AWS Transit Gateway key features

  • Routing

    : Supports dynamic and static Layer 3 routing.

  • Edge connectivity

    : A VPN connection can be created between AWS Transit Gateway and an on-premises gateway.

  • VPC feature interoperability

    : An instance in one VPC can reach a NAT gateway, Network Load Balancer, AWS PrivateLink endpoint or Amazon Elastic File System located in another VPC attached to the same Transit Gateway.

  • Monitoring

    : AWS Transit Gateway provides the statistics and logs consumed by services such as Amazon CloudWatch and Amazon VPC Flow Logs.

  • Inter-region VPC peering

    : Transit Gateway inter-region peering routes traffic between AWS Regions over the AWS global network.

  • Multicast

    : Lets customers build multicast applications in the cloud easily and monitor, manage and scale a multicast setup to hundreds of receivers.

  • Security

    : AWS Transit Gateway integrates with Identity and Access Management (IAM), so access to the Transit Gateway can be controlled securely.

  • Metrics

    : The global network is monitored through performance and traffic metrics, including bytes and packets sent and received and packets dropped.


1.3 Non Transit Gateway vs Transit Gateway

Figure 1.1 Diagram comparing the topology without and with Transit Gateway

  • Without Transit Gateway, many VPCs and on-premises environments are connected individually through VPC Peering, VPN and Direct Connect, which produces a complex environment to operate.
  • With Transit Gateway, every network connects only to the Transit Gateway, giving a simple, centralized environment.

💡 Transit Gateway simplifies complex AWS network architectures, so management and operations become more efficient, and improved security and multicast enable useful communication patterns.


1.4 AWS Transit Gateway key words

  • Transit Gateway - the single centralized gateway where VPCs meet; the hub in a hub-and-spoke environment

  • Transit Gateway Attachment - the way a network is connected to the TGW (three types supported in the current version)

    • VPC Attachment : directly connects a VPC in the same Region as the TGW (a VPC created in another account can also be connected)

    • VPN Attachment : connects a VPN to the TGW (Site-to-Site VPN)

    • TGW Peering : connects the TGW to a TGW in another Region (Inter-Region TGW Peering)

  • Transit Gateway Routing Table - the routing table maintained by the TGW

  • Transit Gateway Sharing - the TGW can be shared with other AWS accounts so that they can attach to it (via Resource Access Manager)

  • Transit Gateway Multicast - forwards multicast traffic through the TGW

    • Multicast Domain : designates the TGW that handles the multicast traffic

    • Multicast Associate : designates the TGW Attachments that handle the multicast traffic

    • Multicast Group Source : designates the multicast sender

    • Multicast Group Member : designates the multicast receivers

  • Transit Gateway Network Manager - visualizes the global network on a central dashboard as a logical diagram or a geographic map



2. AWS Transit Gateway Lab Preview


2.1 Lab Topology

Figure 2.1 AWS Transit Gateway Lab Topology

① TGW Intra Region VPC Attachment - build the MAIN SITE in Virginia (create VPCs and a TGW in the same Region and connect them)

② Multicast on TGW - test multicast communication inside the Virginia MAIN SITE

③ TGW Multi Account VPC Attachment - build the SUB SITE in Virginia under another account, share the TGW through Resource Access Manager and attach the other account's VPC

④ TGW Inter Region Peering - build the BRANCH SITE in Ireland and peer the two TGWs

⑤ TGW VPN Attachment - install an Openswan VPN server in Seoul and connect it to the TGW

⑥ NAT GW through TGW - let only the DEV private subnets reach the internet, via the TGW, through the NAT GW in the Virginia MAIN SITE Egress VPC

⑦ TGW Network Manager - visualize the global network with Transit Gateway Network Manager


2.2 AWS basic setup

  • The AWS Regions used in this lab are Virginia, Ireland and Seoul. Create an EC2 Key Pair in each of these Regions.
  • A sub account in addition to the main account is required for the TGW Multi Account VPC Attachment test.
  • The basic infrastructure in every Region is built automatically by CloudFormation (not every resource is built by the templates).
  • Every EC2 instance created is given a fixed IP address of the form X.X.X.10 (for example 10.1.1.10, 10.5.1.10 …).

2.3 CloudFormation (Infrastructure as Code)

⤵ Download Virginia_TransitGW_Lab_CF.yaml

⤵ Download Ireland_TransitGW_Lab_CF.yaml

⤵ Download Seoul_TransitGW_Lab_CF.yaml

  • These are the CloudFormation templates to be deployed in Virginia, Ireland and Seoul.
  • Do not deploy them yet; they are deployed one at a time as the lab steps require, so just download them for now.

💡 Before starting the lab proper, note that a small charge per resource is unavoidable.
See the Transit Gateway pricing link for details.



3. AWS Transit Gateway Intra Region VPC Attachment Test

  • This step tests the connection between VPCs and a TGW in the same Region (Intra Region VPC Attachment).
  • Lab environment: Region - Virginia , Account - main AWS account

3.1 Deploy CloudFormation in Virginia

3.1.1) Deploy CloudFormation

  • Deploy the Virginia_TransitGW_Lab_CF.yaml file provided in section 2.3.

💡 Caution: a CloudFormation Condition builds different infrastructure for the Main Site and the Sub Site. Set the parameter value to Main!

Figure 3.1 Setting the EnvType parameter to Main while creating the Virginia CF stack

Infrastructure created by the Virginia CF stack
- 3 EC2 instances
- 2 VPCs, 1 public subnet, 2 private subnets, 3 routing tables, 1 IGW
- 2 security groups
  • Confirm that the infrastructure above came up correctly.

3.1.2) Connect to MAIN-MGT EC2

  • SSH to MAIN-MGT, the EC2 instance in the public subnet, which is the only one reachable at this point.

cat <<EOT >> list.txt
google.com
10.1.1.10
10.2.1.10
10.2.2.10
10.3.1.10
10.3.2.10
10.4.1.10
10.5.1.10
10.6.1.10
EOT
  • Paste the lines above to create list.txt (every EC2 IP that will be created in this lab, plus google.com).
[root@MAIN-MGT ec2-user]# vi pingall.sh
#!/bin/bash
# Send one ICMP echo request (1 s timeout) to every target in list.txt
# and report whether each node answered.
while read -r target; do
    if ping -c 1 -W 1 "$target" > /dev/null 2>&1; then
        echo "node $target is up"
    else
        echo "node $target is down"
    fi
done < list.txt
[root@MAIN-MGT ec2-user]# chmod +x pingall.sh
  • Open vi pingall.sh and create the script shown above.
  • Make the script executable with chmod +x pingall.sh.
[root@MAIN-MGT ec2-user]# ./pingall.sh
node google.com is up
node 10.1.1.10 is up
node 10.2.1.10 is down
node 10.2.2.10 is down
node 10.3.1.10 is down
node 10.3.2.10 is down
node 10.4.1.10 is down
node 10.5.1.10 is down
node 10.6.1.10 is down
[root@MAIN-MGT ec2-user]#
  • ./pingall.sh pings every target in the list.
  • At this point only the instance itself and the external internet are reachable.

3.2 Create the Transit Gateway

  • VPC -> Transit Gateway -> Create Transit Gateway

Figure 3.2 Create Transit Gateway

  • Enter a Name tag and be sure to tick Multicast support enable! (It is needed for the Multicast on TGW lab in chapter 4 and cannot be changed afterwards, so enable it now.)
  • After about 1 to 2 minutes the state changes to available.

3.3 Create the Transit Gateway Attachments

  • VPC -> Transit Gateway Attachment -> Create Transit Gateway Attachment (😓 the console's Korean translation needlessly renders Attachment as '첨부파일', i.e. "attached file")

    • Transit Gateway ID : select the TGW

    • Attachment Type : VPC

    • Attachment Name Tag : MAIN-VPC01-ATT

    • VPC ID : VPC01 -> select AZ & Subnet


    • Same as above

    • Attachment Name Tag : MAIN-VPC02-ATT

    • VPC ID : VPC02 -> select AZ & Subnet

  • Create the 2 Transit Gateway Attachments (wait about 1 to 2 minutes).

Figure 3.3 Checking the TGW Attachment details

  • The 2 TGW Attachments just created are listed (Resource Type: VPC, State: available).

3.4 Routing Table setup

  • Add a route to each of the 3 routing tables created by CloudFormation.

    • Edit routes -> Add route -> destination 10.0.0.0/8, target tgw-xxxx

Figure 3.4 Editing a routing table (adding the route that forwards 10.0.0.0/8 to the TGW)

  • Add the route to all 3 routing tables.

3.5 Verify

[root@MAIN-MGT ec2-user]# ./pingall.sh
node google.com is up
node 10.1.1.10 is up
node 10.2.1.10 is up
node 10.2.2.10 is up
node 10.3.1.10 is down
node 10.3.2.10 is down
node 10.4.1.10 is down
node 10.5.1.10 is down
node 10.6.1.10 is down
[root@MAIN-MGT ec2-user]#
  • Connect to MAIN-MGT EC2 and run the pingall.sh script.
  • The EC2 instances in the Virginia MAIN site can now reach each other.
Chapter 3: check the diagram of the configuration completed so far



4. Multicast on Transit Gateway Test

  • This step tests multicast communication through the TGW (Multicast on Transit Gateway).
  • The MAIN-MGT instance is the multicast sender; the MAIN-TEST and MAIN-DEV instances are the multicast receivers.
  • The UDP port used by the multicast traffic must be allowed in the Security Group (already configured by CloudFormation).
  • Lab environment: Region - Virginia , Account - main AWS account

Multicast on transit gateways

Reference link : Multicast on transit gateway

Things to consider before the multicast lab

  • Currently, multicast routing is supported only in the Virginia Region.
  • Multicast Support must be enabled when the TGW is created (already enabled).
  • IGMP is not supported, so the TGW itself manages the multicast domain and the sender/receiver membership and routes accordingly.
  • Only Nitro-based EC2 instance types can be senders; non-Nitro types can be receivers, but only if Source/Destination Check is disabled.
  • The EC2 instances created by CloudFormation in this lab use a Nitro instance type.

4.1 Test before configuring multicast routing

4.1.1) Connect to the MAIN-MGT instance (Sender)

[root@MAIN-MGT ec2-user]# omping -m 239.1.1.1 -p 10000 10.1.1.10
10.1.1.10 : waiting for response msg
10.1.1.10 : joined (S,G) = (*, 239.1.1.1), pinging
10.1.1.10 : unicast, seq=1, size=69 bytes, dist=0, time=0.016ms
10.1.1.10 : multicast, seq=1, size=69 bytes, dist=0, time=0.021ms
10.1.1.10 : unicast, seq=2, size=69 bytes, dist=0, time=0.041ms
10.1.1.10 : multicast, seq=2, size=69 bytes, dist=0, time=0.046ms
10.1.1.10 : unicast, seq=3, size=69 bytes, dist=0, time=0.050ms
  • The command omping -m 239.1.1.1 -p 10000 10.1.1.10 generates multicast traffic.
  • Multicast group : 239.1.1.1 , port : UDP 10000

4.1.2) Connect to the MAIN-TEST and MAIN-DEV instances (Receivers)

  • MAIN-TEST and MAIN-DEV sit in private subnets, so they cannot be reached by SSH directly.
  • Log in to MAIN-MGT first, then hop to them with ssh root@10.2.1.10 and ssh root@10.2.2.10.
  • Log in as root without a key pair; the password is qwe123.

[ec2-user@MAIN-MGT ~]$ ssh root@10.2.1.10
:
password:
:
[root@MAIN-TEST ~]#
[root@MAIN-TEST ~]# tcpdump ip dst 239.1.1.1 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  • tcpdump ip dst 239.1.1.1 -nn captures and prints packets whose destination IP is 239.1.1.1.

Figure 4.1 Test before configuring multicast routing

  • The multicast sender on the left is generating traffic to 239.1.1.1, but nothing arrives at the multicast receivers on the right.

4.2 Transit Gateway Multicast setup

4.2.1) Create Transit Gateway Multicast Domain

  • VPC -> Transit Gateway Multicast -> Create Transit Gateway Multicast Domain

    • Transit Gateway ID : select the TGW

Figure 4.2 Checking the Transit Gateway Multicast Domain

4.2.2) Create Association

  • VPC -> Transit Gateway Multicast -> Actions -> Create Association

    • Choose attachment to associate : MAIN-VPC01-ATT

    • Choose Subnets to associate : select the subnet


    • Choose attachment to associate : MAIN-VPC02-ATT

    • Choose Subnets to associate : select the subnet

  • Select the 2 TGW Attachments created in chapter 3 and then specify the subnets (TGW-VPC01-ATT, TGW-VPC02-ATT).

Figure 4.3 Association details of the TGW Multicast Domain & the associated subnets

4.2.3) Add group sources

  • VPC -> Transit Gateway Multicast -> Actions -> Add group sources

    • Group IP Address : 239.1.1.1

    • Choose network interfaces : select MAIN-MGT

  • It is hard to tell which network interface belongs to MAIN-MGT (check the MAIN-MGT interface details before configuring).

Figure 4.4 Checking the Group Source

  • The Groups tab lists the Source and Members of each group (MAIN-MGT is set as the source).

4.2.4) Add group members

  • VPC -> Transit Gateway Multicast -> Actions -> Add group members

    • Group IP Address : 239.1.1.1

    • Choose network interfaces : select MAIN-TEST and MAIN-DEV

  • As before, the interfaces are hard to distinguish, so check them first and then select the 2 targets.

Figure 4.5 Checking the Group Members

  • MAIN-TEST and MAIN-DEV are set as members

4.3 Verify

  • Repeat the test from section 4.1.2.

Figure 4.6 Multicast on Transit Gateway test result

  • The 239.1.1.1 multicast traffic generated by MAIN-MGT (multicast sender) now arrives at MAIN-TEST and MAIN-DEV (multicast receivers).
  • In other words, the TGW manages the multicast group and routes the source's traffic to the members.
  • Multicast settings on the TGW do not take effect immediately; allow about 1 to 2 minutes.

💡 Multicast on Transit Gateway is currently an incomplete service and is limited to the Virginia Region. Further labs will be added once the service works in other Regions or gains features.
Also, the multicast behaviour in this lab is forced traffic injection; when the opportunity arises, the lab will be repeated with a real multicast stream.



5. AWS Transit Gateway Multi Account VPC Attachment Test

  • This step shares the TGW with another account and tests a VPC attachment from that account (Multi Account VPC Attachment).
  • A sub AWS account is required for this step (tested in the Virginia Region; create the Key Pair before deploying the CF template).
  • Logging in to the second account in the same browser logs the first account out. Use a second browser to work with the main and sub accounts at the same time.
  • Lab environment: Region - Virginia , Account - main AWS account + sub AWS account

AWS Transit Gateway launch - simplifying VPC network architectures (Seoul Region included) | Amazon Web Services

Reference link : Multi Account VPC Attachment using Resource Access Manager


5.1 Deploy CloudFormation in Virginia (sub account)

5.1.1) Deploy CloudFormation

  • Deploy the Virginia_TransitGW_Lab_CF.yaml file provided in section 2.3.

💡 Caution: a CloudFormation Condition builds different infrastructure for the Main Site and the Sub Site. Set the parameter value to Sub!

Figure 5.1 Setting the EnvType parameter to Sub while creating the Virginia CF stack in the sub account

  • Log in with the sub account and run the CloudFormation template in Virginia.
  • Set EnvType to Sub!!
Infrastructure created by the Virginia CF stack (sub account)
- 2 EC2 instances
- 1 VPC, 2 private subnets, 2 routing tables
- 1 security group
  • Confirm that the infrastructure above came up correctly.

5.2 Share the TGW with Resource Access Manager (main account & sub account)

5.2.1) Create the Resource Access Manager resource share (main account)

Figure 5.2 Opening Resource Access Manager in the main account

  • Resource Access Manager -> Create resource share

    • Name : CloudNeta-TGW-Sharing

    • Select resource type : Transit Gateways -> select the TGW created in the MAIN SITE

    • Principals, AWS account number -> enter the sub AWS account number

Figure 5.3 Checking the AWS account ID under My Security Credentials in the sub account

Figure 5.4 Resource share settings screen

5.2.2) Accept the Resource Access Manager resource share (sub account)

Figure 5.5 Checking the resource share invitation in RAM from the sub account

  • Select the TGW shared by the main account and accept the resource share.

Figure 5.6 Checking the shared resource in the sub account

  • Open the Shared resources menu and check the details of the shared TGW.

5.2.3) Multi Account VPC Attachment (main account / sub account)

  • VPC -> Transit Gateway now shows the shared TGW (sub account)

  • VPC -> Transit Gateway Attachment (sub account)

    • Transit Gateway ID : select the shared TGW

    • Attachment Type : VPC

    • Attachment Name Tag : SUB-VPC03-ATT

    • VPC ID : MAIN-A -> select AZ & Subnet

  • VPC -> Transit Gateway Attachment -> Actions -> Accept (main account)

Figure 5.7 Checking the TGW Attachment state in the sub account

  • A TGW VPC Attachment created from the sub account does not connect immediately; it stays in the pending acceptance state.
  • Switch to the main account and accept it (it succeeds after 1 to 2 minutes).

5.3 Routing Table setup (sub account)

  • Add a route to each of the 2 routing tables created by CloudFormation.

    • Edit routes -> Add route -> destination 10.0.0.0/8, target tgw-xxxx

5.4 Verify

[root@MAIN-MGT ec2-user]# ./pingall.sh
node google.com is up
node 10.1.1.10 is up
node 10.2.1.10 is up
node 10.2.2.10 is up
node 10.3.1.10 is up
node 10.3.2.10 is up
node 10.4.1.10 is down
node 10.5.1.10 is down
node 10.6.1.10 is down
[root@MAIN-MGT ec2-user]#
  • Connect to MAIN-MGT EC2 and run the pingall.sh script.
  • The EC2 instances in the Virginia MAIN and SUB sites can now reach each other.
Chapter 5: check the diagram of the configuration completed so far



6. AWS Transit Gateway Inter Region Peering Test

  • This step connects the MAIN SITE TGW to the BRANCH SITE TGW in another Region and tests it (Inter Region Peering TGW Attachment).
  • Note that Inter-Regional-Peering is supported only in the Virginia, Ohio, Oregon, Ireland and Frankfurt Regions.
  • Lab environment: Region - Ireland , Account - main AWS account

AWS Transit Gateway Adds Multicast and Inter-Regional Peering | Amazon Web Services

Reference link : AWS Transit Gateway Adds Multicast & Inter Regional Peering


6.1 Deploy CloudFormation in Ireland

6.1.1) Deploy CloudFormation

  • Deploy the Ireland_TransitGW_Lab_CF.yaml file provided in section 2.3.
Infrastructure created by the Ireland CF stack
- 2 EC2 instances
- 2 VPCs, 1 public subnet, 1 private subnet, 2 routing tables, 1 IGW
- 2 security groups
- 1 Transit Gateway, 2 Transit Gateway Attachments
  • Confirm that the infrastructure above came up correctly.
  • All of the infrastructure used in Ireland, including the TGW, is defined in the CloudFormation template.
  • The routing table entries are not defined in the template and are added manually (🤢 the delay while the TGW and its attachments were being created meant the route creation timed out).

6.2 Inter Region Peering setup

6.2.1) TGW Attachment - Inter Region Peering

  • VPC -> Transit Gateway Attachment -> Create Transit Gateway Attachment (Ireland)

    • Transit Gateway ID : select BRC-TGW

    • Attachment Type : Peering

    • Attachment Name Tag : MAIN-TGW-ATT

    • Region : N. Virginia

    • Transit Gateway (accepter) : MAIN-TGW (open the Virginia console, look up the TGW ID and type it in by hand)

Figure 6.1 Inter Region Peering setup in the Ireland Region

Figure 6.2 The Inter Region Peering Transit Gateway Attachment is not applied immediately (it must be accepted in Virginia)

  • VPC -> Transit Gateway Attachment -> select the attachment -> Actions -> Accept (Virginia)

Figure 6.3 Checking the Inter Region Peering Transit Gateway Attachment

  • The Inter Region Peering Attachment is now established (tagged BRC-TGW-ATT on this side to tell it apart).

6.3 Routing Table setup

6.3.1) Routing tables of the BRANCH SITE VPCs

  • Add a route to each of the 2 routing tables created by CloudFormation.

    • Edit routes -> Add route -> destination 10.0.0.0/8, target tgw-xxxx

6.3.2) Routing table of MAIN-TGW

  • VPC -> Transit Gateway Routing Table -> select the table -> Routes tab -> Create Route

    • destination 10.0.0.0/8, target BRANCH-TGW (tgw-xxxx)

6.3.3) Routing table of BRANCH-TGW

  • VPC -> Transit Gateway Routing Table -> select the table -> Routes tab -> Create Route

    • destination 10.0.0.0/8, target MAIN-TGW (tgw-xxxx)

6.4 Verify

[ec2-user@MAIN-MGT ~]$ ./pingall.sh
node google.com is up
node 10.1.1.10 is up
node 10.2.1.10 is up
node 10.2.2.10 is up
node 10.3.1.10 is up
node 10.3.2.10 is up
node 10.4.1.10 is up
node 10.5.1.10 is up
node 10.6.1.10 is down
[ec2-user@MAIN-MGT ~]$
  • Connect to MAIN-MGT EC2 and run the pingall.sh script.
  • The EC2 instances in the Virginia MAIN / SUB / BRANCH sites can now reach each other.
Chapter 6: check the diagram of the configuration completed so far



7. AWS Transit Gateway VPN Attachment

  • This step connects the MAIN SITE TGW to a Site-to-Site VPN in another Region and tests it (AWS Transit Gateway VPN Attachment).
  • A VPC is created in the Seoul Region with a VPN server in it; for the test it is treated as a virtual on-premises environment.
  • Lab environment: Region - Virginia, Seoul , Account - main AWS account

7.1 Deploy CloudFormation in Seoul

7.1.1) Deploy CloudFormation

  • Deploy the Seoul_TransitGW_Lab_CF.yaml file provided in section 2.3.

  • Infrastructure created by the Seoul CF stack

    • 1 EC2 instance

    • 1 VPC, 1 public subnet, 1 routing table, 1 IGW

    • 1 security group

  • Confirm that the infrastructure above came up correctly.


7.2 AWS Site-to-Site VPN setup

7.2.1) Create the Customer Gateway

  • VPC -> VPN -> Customer Gateways -> Create Customer Gateway (Virginia)

    • Name : CloudNeta-CGW

    • Routing : Static

    • IP address : public IP address of the EC2 instance in Seoul

7.2.2) TGW VPN Attachment

  • VPC -> Transit Gateway Attachment -> Site-to-Site VPN Connections -> Create VPN Connection (Virginia)

    • Transit Gateway ID : select MAIN-TGW

    • Attachment Type : VPN


    • Customer Gateway : Existing

    • Customer Gateway ID : select the CGW created above


    • Routing options : Static

7.2.3) Download the VPN configuration

  • Go to VPC -> VPN -> Site-to-Site VPN Connections.
  • After a while the Site-to-Site VPN connection state changes to available.
  • AWS provides a ready-made configuration for the peer VPN device you are about to connect.
  • Download configuration -> Vendor : select Openswan


7.3 Openswan VPN server setup

  • SSH to the EC2 instance created in Seoul.

7.3.1) Create and fill in aws-vpn.conf

[ec2-user@OPM-VPN ~]$ sudo su
[root@OPM-VPN ec2-user]#
[root@OPM-VPN ec2-user]# vi /etc/ipsec.d/aws-vpn.conf
  • Create and open the /etc/ipsec.d/aws-vpn.conf file in vi.
vi /etc/ipsec.d/aws-vpn.conf
--------------------------------------------------------------------------
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=54.180.131.143
    right=34.231.125.200
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    auth=esp                        <- delete this line
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<LOCAL NETWORK>      <- enter 10.6.0.0/16
    rightsubnet=<REMOTE NETWORK>    <- enter 10.0.0.0/8
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
  • This content comes from item 4 of the TXT file downloaded in section 7.2.3. (☢ Do not paste the values above; configure from the TXT file you downloaded yourself.)

  • Changes needed in the configuration

    • LOCAL NETWORK is the VPC-OPM range: enter 10.6.0.0/16.

    • REMOTE NETWORK is the AWS range: enter 10.0.0.0/8.

    • Delete auth=esp

    • Leave everything else as it is
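The edits in 7.3.1 can be applied and checked programmatically, so a mistyped CIDR or a leftover placeholder never reaches /etc/ipsec.d. This is an added example, not part of the lab guide or of the AWS-generated file; the `conn Tunnel1` text below is constructed to match the shape of the downloaded configuration, with documentation-range peer addresses and a placeholder PSK instead of real values, and the secrets file is written with mode 0600 because the PSK is the tunnel's credential.

```python
"""Apply the section 7.3 edits to an Openswan 'conn Tunnel1' block and render the
secrets entry. Added example; all sample values below are constructed placeholders."""
import ipaddress
import os
import stat
import tempfile

# Constructed stand-in for item 4 of the AWS-generated Openswan file.
# Peer addresses are documentation ranges (RFC 5737), not the lab's values.
SAMPLE_DOWNLOADED_CONN = """\
conn Tunnel1
\tauthby=secret
\tauto=start
\tleft=%defaultroute
\tleftid=198.51.100.10
\tright=203.0.113.20
\ttype=tunnel
\tikelifetime=8h
\tkeylife=1h
\tphase2alg=aes128-sha1;modp1024
\tike=aes128-sha1;modp1024
\tauth=esp
\tkeyingtries=%forever
\tkeyexchange=ike
\tleftsubnet=<LOCAL NETWORK>
\trightsubnet=<REMOTE NETWORK>
\tdpddelay=10
\tdpdtimeout=30
\tdpdaction=restart_by_peer
"""


def parse_conn(conn_text):
    """Return the key=value parameters of a conn block as a dict (the 'conn' line is skipped)."""
    params = {}
    for line in conn_text.splitlines():
        stripped = line.strip()
        if "=" in stripped and not stripped.startswith("conn "):
            key, value = stripped.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def apply_lab_edits(conn_text, local_network, remote_network):
    """Drop auth=esp and fill the two placeholders, validating both CIDRs first.

    ipaddress.ip_network raises ValueError for a malformed CIDR (or host bits set),
    so a typo fails here instead of being written into aws-vpn.conf.
    """
    local = ipaddress.ip_network(local_network)
    remote = ipaddress.ip_network(remote_network)
    edited = []
    for line in conn_text.splitlines():
        if line.strip().split("=", 1)[0] == "auth":   # section 7.3.1: delete auth=esp
            continue
        line = line.replace("<LOCAL NETWORK>", str(local))
        line = line.replace("<REMOTE NETWORK>", str(remote))
        edited.append(line)
    result = "\n".join(edited) + "\n"
    if "<" in result or ">" in result:
        raise ValueError("unfilled placeholder left in the conn block")
    return result


def render_secrets(conn_text, psk):
    """Build the aws-vpn.secrets entry: '<leftid> <right>: PSK "<psk>"'.

    Both endpoints are read from the conn block so the secrets line cannot drift
    from the tunnel it authenticates; both must parse as IP addresses.
    """
    params = parse_conn(conn_text)
    left = ipaddress.ip_address(params["leftid"])
    right = ipaddress.ip_address(params["right"])
    return f'{left} {right}: PSK "{psk}"\n'


def write_secrets(path, content):
    """Write the secrets file with mode 0600 and return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(content)
    os.chmod(path, 0o600)  # tighten even if the file already existed with a wider mode
    return stat.S_IMODE(os.stat(path).st_mode)


def write_secrets_to_tempdir(content):
    """Stand-alone demo helper: write under a fresh temporary directory, not /etc/ipsec.d."""
    path = os.path.join(tempfile.mkdtemp(), "aws-vpn.secrets")
    return write_secrets(path, content)


if __name__ == "__main__":
    conf = apply_lab_edits(SAMPLE_DOWNLOADED_CONN, "10.6.0.0/16", "10.0.0.0/8")
    secrets = render_secrets(conf, "PLACEHOLDER-PSK")
    print(conf)
    print(secrets, end="")
    print("secrets file mode: %o" % write_secrets_to_tempdir(secrets))
```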

7.3.2) Create aws-vpn.secrets

[root@OPM-VPN ec2-user]# vi /etc/ipsec.d/aws-vpn.secrets
  • Create and open the /etc/ipsec.d/aws-vpn.secrets file in vi.
vi /etc/ipsec.d/aws-vpn.secrets
--------------------------------------------------------------------------
54.180.131.143 34.231.125.200: PSK "DWJ2n0smRq6gDlMUuIweGa45m8c_RvZ3"
  • This content comes from item 5 of the TXT file downloaded in section 7.2.3. (☢ Do not paste the values above; configure from the TXT file you downloaded yourself.)

7.3.3) Start the Openswan VPN server

[root@OPM-VPN ec2-user]# chkconfig ipsec on
:
[root@OPM-VPN ec2-user]# service ipsec start
:
[root@OPM-VPN ec2-user]# service ipsec status
Redirecting to /bin/systemctl status ipsec.service
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-05-08 07:49:18 UTC; 10s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 4718 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
:
  • Confirm that the Openswan service status is Active.

  • In the Virginia Site-to-Site VPN console, Tunnel 1 has now come up.

7.4 TGW routing table setup

  • A route for the on-premises range must be added to the Transit Gateway routing table.

  • VPC -> Transit Gateway Routing Table -> select the TGW table -> Routes tab -> Create Route

    • CIDR : 10.6.0.0/16

    • Choose Attachment : select the VPN Attachment created above


7.5 Verify

[root@MAIN-MGT ec2-user]# ./pingall.sh
node google.com is up
node 10.1.1.10 is up
node 10.2.1.10 is up
node 10.2.2.10 is up
node 10.3.1.10 is up
node 10.3.2.10 is up
node 10.4.1.10 is up
node 10.5.1.10 is up
node 10.6.1.10 is up
[root@MAIN-MGT ec2-user]#
  • Connect to MAIN-MGT EC2 and run the pingall.sh script.
  • Finally, every segment is reachable.
Chapter 7: check the diagram of the configuration completed so far



8. NAT Gateway through AWS Transit Gateway

  • This step tests internet access from instances in private subnets via the TGW, through the NAT GW in the MAIN SITE Egress VPC.
  • In this lab the private subnets fall into two groups, TEST and DEV. The concept is that only the DEV environment reaches the internet through the NAT GW, while the TEST environment is a closed network with no internet access.
  • Lab environment: Region - Virginia , Account - main AWS account + sub AWS account

8.1 Deploy CloudFormation in Virginia

8.1.1) Deploy CloudFormation

  • Deploy the Virginia_TransitGW_Lab_CF.yaml file provided in section 2.3.

💡 Caution: because of the CloudFormation Condition, set the parameter value to Nat!

Figure 8.1 Creating the CloudFormation stack for NAT (EnvType set to Nat)

Infrastructure created by the Virginia CF stack (NAT)
- 1 NAT Gateway
- 1 VPC, 1 public subnet, 1 private subnet, 2 routing tables, 1 IGW
  • Confirm that the infrastructure above came up correctly.

8.2 TGW Attachment

  • VPC -> Transit Gateway Attachments -> Create Transit Gateway Attachment

    • Specify the Transit Gateway ID

    • Attachment Type : VPC

    • Attachment Name Tag : MAIN-VPCEG-ATT

    • VPC ID : VPC01 -> specify the AZ & Subnet


8.3 Route Table Configuration

8.3.1) Routing configuration for the DEV environment

  • The DEV environment is configured in only two places: MAIN-DEV and SUB-DEV.

  • VPC -> Route Tables -> select the target (configure in both the main account and the sub account)

    • Edit routes -> Add route -> 0.0.0.0/0 range, TGW target (tgw-xxxx)

8.3.2) TGW routing configuration

  • VPC -> Transit Gateway Route Tables -> select the target -> Routes tab -> Create Route

    • 0.0.0.0/0 range, select MAIN-VPCEG-ATT as the attachment

8.3.3) VPCEG Private and Public routing configuration (configure in 2 places)

  • VPC -> Route Tables -> select the target

    • Edit routes -> Add route -> 10.0.0.0/8 range, TGW target (tgw-xxxx)
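The route design of sections 7.4 and 8.3 can be checked offline with a small longest-prefix-match model. The following is an added example, not part of the lab guide or of any AWS tool; the VPC CIDRs (10.1.0.0/16, 10.9.0.0/16) and the attachment names MAIN-VPC-ATT and VPN-ATT are placeholders, while 10.6.0.0/16, MAIN-VPCEG-ATT, 0.0.0.0/0 and 10.0.0.0/8 come from the lab steps. It shows why a TEST subnet has no path to the internet, why a DEV subnet reaches it through the egress VPC's NAT GW, and why the 10.0.0.0/8 route in the egress VPC is what brings return traffic back to the TGW.

```python
import ipaddress

# Constructed model of the route tables built in sections 7.4 and 8.3.
# VPC CIDRs and attachment names other than MAIN-VPCEG-ATT are placeholders.
VPC_RT = {
    # TEST subnets: no default route, so nothing outside 10/8 is reachable
    "MAIN-TEST": {"10.1.0.0/16": "local", "10.0.0.0/8": "tgw"},
    # DEV subnets (8.3.1): the default route is handed to the TGW
    "MAIN-DEV": {"10.1.0.0/16": "local", "10.0.0.0/8": "tgw", "0.0.0.0/0": "tgw"},
    # Egress VPC (8.3.3): both subnets send 10/8 back to the TGW; the TGW
    # attachment sits in the private subnet and the NAT GW in the public one
    "VPCEG-PRIVATE": {"10.9.0.0/16": "local", "10.0.0.0/8": "tgw", "0.0.0.0/0": "nat-gw"},
    "VPCEG-PUBLIC": {"10.9.0.0/16": "local", "10.0.0.0/8": "tgw", "0.0.0.0/0": "igw"},
}
# TGW route table: 7.4 (on-premises via the VPN attachment) and 8.3.2 (default
# route to the egress VPC); propagated routes of the other VPCs are left out
TGW_RT = {
    "10.1.0.0/16": "MAIN-VPC-ATT",
    "10.6.0.0/16": "VPN-ATT",
    "0.0.0.0/0": "MAIN-VPCEG-ATT",
}

def lookup(table, dst):
    """Longest-prefix match, the way VPC and TGW route tables pick a route."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, hop in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(rt_name, dst, vpc_rt=VPC_RT):
    """Follow a packet hop by hop from a subnet route table; returns the hops."""
    path = []
    for _ in range(4):  # three hops suffice for this topology
        hop = lookup(vpc_rt[rt_name], dst)
        path.append(hop or "blackhole")
        if hop in (None, "local"):
            return path
        if hop == "igw":
            return path + ["internet"]
        if hop == "nat-gw":  # translated, then forwarded from the public subnet
            rt_name = "VPCEG-PUBLIC"
            continue
        att = lookup(TGW_RT, dst)  # hop is "tgw": consult the TGW route table
        path.append(att or "blackhole")
        if att != "MAIN-VPCEG-ATT":
            return path + ([] if att is None else ["on-prem" if att == "VPN-ATT" else "delivered"])
        rt_name = "VPCEG-PRIVATE"  # attachment subnet's table decides the next hop
    return path
```

Removing 10.0.0.0/8 from VPCEG-PUBLIC makes trace() send a packet for 10.1.1.10 to the IGW instead of the TGW, which is the misrouting step 8.3.3 prevents.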

8.4 Verify

  • Access MAIN-TEST, MAIN-DEV, SUB-TEST and SUB-DEV over SSH and run pingall.sh (root account password: qwe123)

8.4.1) MAIN-TEST test

    [root@MAIN-TEST ~]# ./pingall.sh
    node google.com is down
    node 10.1.1.10 is up
    node 10.2.1.10 is up
    node 10.2.2.10 is up
    node 10.3.1.10 is up
    node 10.3.2.10 is up
    node 10.4.1.10 is up
    node 10.5.1.10 is up
    node 10.6.1.10 is up
    [root@MAIN-TEST ~]#
    • Communication with the internal infrastructure works, but external internet communication is not possible.

8.4.2) MAIN-DEV test

    [root@MAIN-DEV ~]# ./pingall.sh
    node google.com is up
    node 10.1.1.10 is up
    node 10.2.1.10 is up
    node 10.2.2.10 is up
    node 10.3.1.10 is up
    node 10.3.2.10 is up
    node 10.4.1.10 is up
    node 10.5.1.10 is up
    node 10.6.1.10 is up
    [root@MAIN-DEV ~]#
    • Communication is possible to all areas.

8.4.3) SUB-TEST test

    [root@SUB-TEST ~]# ./pingall.sh
    node google.com is down
    node 10.1.1.10 is up
    node 10.2.1.10 is up
    node 10.2.2.10 is up
    node 10.3.1.10 is up
    node 10.3.2.10 is up
    node 10.4.1.10 is up
    node 10.5.1.10 is up
    node 10.6.1.10 is up
    [root@SUB-TEST ~]#
    • Communication with the internal infrastructure works, but external internet communication is not possible.

8.4.4) SUB-DEV test

    [root@SUB-DEV ~]# ./pingall.sh
    node google.com is up
    node 10.1.1.10 is up
    node 10.2.1.10 is up
    node 10.2.2.10 is up
    node 10.3.1.10 is up
    node 10.3.2.10 is up
    node 10.4.1.10 is up
    node 10.5.1.10 is up
    node 10.6.1.10 is up
    [root@SUB-DEV ~]#
    • Communication is possible to all areas.
Chapter 8: configuration diagram completed so far




9. AWS Transit Gateway Network Manager

  • This step of the lab monitors the Global Network with full visibility through the TGW Network Manager feature.

9.1 Create Global Network

  • VPC -> Transit Gateway -> Network Manager -> Create a Global Network

    • Name : CloudNeta-GN

9.2 Register Transit Gateways

  • Add the transit gateways from the Network Manager dashboard.

    • CloudNeta-MAIN-TGW

    • BRC-TGW

Figure 9.1 Registering Transit Gateways in the Network Manager for the TGW Global Network


9.3 Verify

9.3.1) Geographic information

Figure 9.2 Geographic location of the TGWs

9.3.2) Topology

Figure 9.3 Checking the Global Network connection topology

9.3.3) Monitoring

Figure 9.4 Global Network monitoring information

9.3.4) Route Analyzer

Figure 9.5 Route Analyzer input

Figure 9.6 Route Analyzer result

AWS Transit Gateway Network Manager Route Analyzer announcement

Reference link : AWS TGW Network Manager Route Analyzer announcement



10. Delete Resources

01) Deregister the transit gateways from TGW Network Manager

02) Delete the Global Network

03) Delete the Seoul CloudFormation stack

04) Delete the TGW Peering attachment in the Ireland TGW Attachments

05) Delete the Ireland CloudFormation stack

06) Leave the resource share in the sub account's Resource Access Manager

07) Delete the resource share in the main account's Resource Access Manager

08) Delete the VPC Attachment in the sub account's TGW Attachments

09) Delete the sub account's Virginia CloudFormation stack

10) Delete the Virginia Site-to-Site VPN connection, then delete the Customer Gateway

11) Delete the Virginia TGW Multicast Domain (Delete Association first, then delete the domain)

12) Delete all Virginia TGW Attachments

13) Delete the Virginia Transit Gateway

14) Delete the Virginia NAT CloudFormation stack

15) Delete the Virginia MAIN CloudFormation stack

🔔 Deleting a CloudFormation stack takes some time; if it takes far too long, delete the related infrastructure manually.
Be sure to delete the resources created for the lab.

