개발/AWS
[EKS] 환경 구축하기1 - VPC 생성
피클s
2022. 1. 6. 13:53
EKS에서 사용할 VPC를 구성합니다.
1. 키페어 생성 (EC2 > 키 페어 > 키 페어 생성)
Bastion용 EC2인스턴스에 접속하기 위한 키페어 입니다.
2. Yaml 파일 생성
AWS공식 문서의 Public and Private VPC를 수정하였습니다.
변경사항
- Public / Private Subnet 2개 -> 3개
- Nat Gateway -> Nat Instance
- EKS용 Bastion Instance 추가
생성되는 리소스는 아래와 같습니다.
- VPC
- Public Subnet 2개
- Private Subnet 2개
- NATGateway 2개
- Bastion용 EC2 인스턴스 1개
- eksctl을 위한 권한설정 Role/Policy
- Internet Gateway
- RouteTable
- Security Group
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Amazon EKS VPC - Private and Public subnets'
Parameters:
AmiId:
Description: EC2 AMI ID
Type: String
Default: ami-014009fa4a1467d53
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. Linked to AWS Parameter
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
VpcBlock:
Type: String
Default: 172.32.0.0/16
Description: The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range.
PublicSubnet01Block:
Type: String
Default: 172.32.0.0/18
Description: CidrBlock for public subnet 01 within the VPC
PublicSubnet02Block:
Type: String
Default: 172.32.64.0/18
Description: CidrBlock for public subnet 02 within the VPC
PrivateSubnet01Block:
Type: String
Default: 172.32.64.0/18
Description: CidrBlock for private subnet 01 within the VPC
PrivateSubnet02Block:
Type: String
Default: 172.32.128.0/18
Description: CidrBlock for private subnet 02 within the VPC
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: "Worker Network Configuration"
Parameters:
- VpcBlock
- PublicSubnet01Block
- PublicSubnet02Block
- PrivateSubnet01Block
- PrivateSubnet02Block
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VpcBlock
EnableDnsSupport: true
EnableDnsHostnames: true
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-VPC'
InternetGateway:
Type: "AWS::EC2::InternetGateway"
VPCGatewayAttachment:
Type: "AWS::EC2::VPCGatewayAttachment"
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: Public Subnets
- Key: Network
Value: Public
PrivateRouteTable01:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: Private Subnet AZ1
- Key: Network
Value: Private01
PrivateRouteTable02:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: Private Subnet AZ2
- Key: Network
Value: Private02
PublicRoute:
DependsOn: VPCGatewayAttachment
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
PrivateRoute01:
DependsOn:
- VPCGatewayAttachment
- NatGateway01
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateRouteTable01
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NatGateway01
PrivateRoute02:
DependsOn:
- VPCGatewayAttachment
- NatGateway02
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateRouteTable02
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NatGateway02
NatGatewayEIP1:
DependsOn:
- VPCGatewayAttachment
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
NatGatewayEIP2:
DependsOn:
- VPCGatewayAttachment
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
NatGateway01:
DependsOn:
- NatGatewayEIP1
- PublicSubnet01
- VPCGatewayAttachment
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt 'NatGatewayEIP1.AllocationId'
SubnetId: !Ref PublicSubnet01
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-NatGatewayAZ1'
NatGateway02:
DependsOn:
- NatGatewayEIP2
- PublicSubnet02
- VPCGatewayAttachment
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt 'NatGatewayEIP2.AllocationId'
SubnetId: !Ref PublicSubnet02
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-NatGatewayAZ2'
PublicSubnet01:
Type: AWS::EC2::Subnet
Metadata:
Comment: Subnet 01
Properties:
MapPublicIpOnLaunch: true
AvailabilityZone:
Fn::Select:
- '0'
- Fn::GetAZs:
Ref: AWS::Region
CidrBlock:
Ref: PublicSubnet01Block
VpcId:
Ref: VPC
Tags:
- Key: Name
Value: !Sub "${AWS::StackName}-PublicSubnet01"
- Key: kubernetes.io/role/elb
Value: 1
PublicSubnet02:
Type: AWS::EC2::Subnet
Metadata:
Comment: Subnet 02
Properties:
MapPublicIpOnLaunch: true
AvailabilityZone:
Fn::Select:
- '1'
- Fn::GetAZs:
Ref: AWS::Region
CidrBlock:
Ref: PublicSubnet02Block
VpcId:
Ref: VPC
Tags:
- Key: Name
Value: !Sub "${AWS::StackName}-PublicSubnet02"
- Key: kubernetes.io/role/elb
Value: 1
PrivateSubnet01:
Type: AWS::EC2::Subnet
Metadata:
Comment: Private Subnet 01
Properties:
AvailabilityZone:
Fn::Select:
- '0'
- Fn::GetAZs:
Ref: AWS::Region
CidrBlock:
Ref: PrivateSubnet01Block
VpcId:
Ref: VPC
Tags:
- Key: Name
Value: !Sub "${AWS::StackName}-PrivateSubnet01"
- Key: kubernetes.io/role/internal-elb
Value: 1
PrivateSubnet02:
Type: AWS::EC2::Subnet
Metadata:
Comment: Private Subnet 02
Properties:
AvailabilityZone:
Fn::Select:
- '1'
- Fn::GetAZs:
Ref: AWS::Region
CidrBlock:
Ref: PrivateSubnet02Block
VpcId:
Ref: VPC
Tags:
- Key: Name
Value: !Sub "${AWS::StackName}-PrivateSubnet02"
- Key: kubernetes.io/role/internal-elb
Value: 1
PublicSubnet01RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PublicSubnet01
RouteTableId: !Ref PublicRouteTable
PublicSubnet02RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PublicSubnet02
RouteTableId: !Ref PublicRouteTable
PrivateSubnet01RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PrivateSubnet01
RouteTableId: !Ref PrivateRouteTable01
PrivateSubnet02RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PrivateSubnet02
RouteTableId: !Ref PrivateRouteTable02
ControlPlaneSecurityGroup:
DependsOn:
- EKSWorkerStationSG
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Cluster communication with worker nodes
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
SourceSecurityGroupId: !Ref EKSWorkerStationSG
Tags:
- Key: Name
Value: !Sub ${AWS::StackName} Control Plane Security Group
EKSWorkerStationSG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
ClusterWorkerStation:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.micro
ImageId: !Ref AmiId
KeyName: !Ref KeyName
Tags:
- Key: Name
Value: EKS-Worker-Station
NetworkInterfaces:
- DeviceIndex: 0
SubnetId: !Ref PublicSubnet01
GroupSet:
- !Ref EKSWorkerStationSG
AssociatePublicIpAddress: true
IamInstanceProfile: !Ref EKSWorkerStationInstanceProfile
UserData:
Fn::Base64:
!Sub |
#!/bin/bash
sudo yum update -y
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
curl -o kubectl https://amazon-eks.s3-us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
EKSWorkerStationInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: eks-worker-station-instance-profile
Path: /
Roles:
- !Ref EKSWorkerStationInstanceRole
EKSWorkerStationInstanceRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-worker-station-instance-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: /
EKSWorkerStationInstancePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: EksctlPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- cloudformation:*
Resource:
- "*"
- Effect: Allow
Action:
- ec2:*
Resource:
- "*"
- Effect: Allow
Action:
- elasticloadbalancing:*
Resource:
- "*"
- Effect: Allow
Action:
- cloudwatch:*
Resource:
- "*"
- Effect: Allow
Action:
- autoscaling:*
Resource:
- "*"
- Effect: Allow
Action:
- eks:*
Resource:
- "*"
- Effect: Allow
Action:
- ssm:GetParameter
- ssm:GetParameters
Resource:
- "arn:aws:ssm:*:*:parameter/aws/*"
- "arn:aws:ssm:*::parameter/aws/*"
- Effect: Allow
Action:
- kms:CreateGrant
- kms:DescribeKey
Resource:
- "*"
- Effect: Allow
Action:
- logs:PutRetentionPolicy
Resource:
- "*"
- Effect: Allow
Action:
- "iam:CreateInstanceProfile"
- "iam:DeleteInstanceProfile"
- "iam:GetInstanceProfile"
- "iam:RemoveRoleFromInstanceProfile"
- "iam:GetRole"
- "iam:CreateRole"
- "iam:DeleteRole"
- "iam:AttachRolePolicy"
- "iam:PutRolePolicy"
- "iam:ListInstanceProfiles"
- "iam:AddRoleToInstanceProfile"
- "iam:ListInstanceProfilesForRole"
- "iam:PassRole"
- "iam:DetachRolePolicy"
- "iam:DeleteRolePolicy"
- "iam:GetRolePolicy"
- "iam:GetOpenIDConnectProvider"
- "iam:CreateOpenIDConnectProvider"
- "iam:DeleteOpenIDConnectProvider"
- "iam:ListAttachedRolePolicies"
- "iam:TagRole"
Resource:
- "arn:aws:iam::*:instance-profile/eksctl-*"
- "arn:aws:iam::*:role/eksctl-*"
- "arn:aws:iam::*:oidc-provider/*"
- "arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
- "arn:aws:iam::*:role/eksctl-managed-*"
- "arn:aws:iam::*:role/EKS-*"
- "arn:aws:iam::*:role/eks-*"
- Effect: Allow
Action:
- "iam:GetRole"
Resource:
- "arn:aws:iam::*:role/*"
- Effect: Allow
Action:
- iam:CreateServiceLinkedRole
Resource:
- "*"
Condition:
StringEquals:
iam:AWSServiceName:
- "autoscaling.amazonaws.com"
- "ec2scheduled.amazonaws.com"
- "elasticloadbalancing.amazonaws.com"
- "spot.amazonaws.com"
- "spotfleet.amazonaws.com"
- "transitgateway.amazonaws.com"
- "eks.amazonaws.com"
- "eks-nodegroup.amazonaws.com"
- "eks-fargate.amazonaws.com"
Roles:
- !Ref EKSWorkerStationInstanceRole
3. CloudFormation 등록 ( CloudFormation > 스택 > 스택 생성 )
앞서 준비한 Yaml파일을 업로드하고 다음
스택명과 파라미터를 선택하고 다음을 눌러줍니다.
설정들을 확인하고 스택 생성을 누릅니다.
4. 결과확인
EC2 > 인스턴스
의도한대로 EC2 인스턴스가 생성되었습니다.
VPC > 서브넷
서브넷 또한 잘 생성되었습니다.
