# Cloud Networking: Network Architecture in the Cloud

Cloud networking is the foundation of every cloud infrastructure. A well-designed network architecture provides isolation, security, performance and reliability for your applications. Whether you use AWS, GCP or Azure, the concepts are universal.
## VPC: Virtual Private Cloud

A VPC is an isolated virtual network within a cloud provider. It is your own "data center" in the cloud, with full control over IP addresses, subnets, route tables and network gateways.

### Creating a VPC (Terraform)

```hcl
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name        = "production-vpc"
    Environment = "production"
  }
}
```
### VPC CIDR planning

```
10.0.0.0/16 = 65,536 IP addresses

Breakdown:
├── 10.0.0.0/20  — Public subnets (4,096 IPs)
│   ├── 10.0.0.0/24 — Public AZ-a (256 IPs)
│   ├── 10.0.1.0/24 — Public AZ-b
│   └── 10.0.2.0/24 — Public AZ-c
├── 10.0.16.0/20 — Private subnets (applications)
│   ├── 10.0.16.0/24 — Private AZ-a
│   ├── 10.0.17.0/24 — Private AZ-b
│   └── 10.0.18.0/24 — Private AZ-c
├── 10.0.32.0/20 — Database subnets
│   ├── 10.0.32.0/24 — DB AZ-a
│   ├── 10.0.33.0/24 — DB AZ-b
│   └── 10.0.34.0/24 — DB AZ-c
└── 10.0.48.0/20 — Reserved (future use)
```
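As an added example (not part of the original article), a Python check of the plan above: it verifies that every /24 sits inside its /20 tier and inside the VPC, that no subnet or tier block overlaps another, and counts usable hosts after the five addresses AWS reserves in every subnet. The `PLAN` dictionary is constructed from the tree above; the check works for any plan in the same shape.

```python
import ipaddress
import itertools

# Constructed from the plan above: each tier's /20 block and the per-AZ /24s inside it
VPC_CIDR = "10.0.0.0/16"
PLAN = {
    "public":   ("10.0.0.0/20",  ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]),
    "private":  ("10.0.16.0/20", ["10.0.16.0/24", "10.0.17.0/24", "10.0.18.0/24"]),
    "database": ("10.0.32.0/20", ["10.0.32.0/24", "10.0.33.0/24", "10.0.34.0/24"]),
    "reserved": ("10.0.48.0/20", []),
}

# AWS keeps the first four and the last address of every subnet for itself
AWS_RESERVED_PER_SUBNET = 5


def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, tiers = [], []
    for tier, (block, subnets) in plan.items():
        tier_net = ipaddress.ip_network(block)
        if not tier_net.subnet_of(vpc):
            problems.append(f"{tier}: {block} lies outside the VPC {vpc_cidr}")
        tiers.append((tier, tier_net))
        nets = [ipaddress.ip_network(s) for s in subnets]
        for n in nets:
            if not n.subnet_of(tier_net):
                problems.append(f"{tier}: {n} lies outside its tier block {block}")
        for a, b in itertools.combinations(nets, 2):
            if a.overlaps(b):
                problems.append(f"{tier}: {a} overlaps {b}")
    # The tier blocks themselves must be disjoint as well
    for (ta, a), (tb, b) in itertools.combinations(tiers, 2):
        if a.overlaps(b):
            problems.append(f"{ta} block {a} overlaps {tb} block {b}")
    return problems


def usable_hosts(cidr):
    """Addresses actually assignable to instances in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def unallocated_addresses(vpc_cidr, plan):
    """Addresses of the VPC not covered by any tier block (room for growth)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = sum(ipaddress.ip_network(block).num_addresses for block, _ in plan.values())
    return vpc.num_addresses - used
```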
## Subnets

A subnet is a segmentation of the VPC into smaller networks. Each subnet is bound to one specific Availability Zone (AZ).

### Public vs private subnets

| Aspect | Public subnet | Private subnet |
|---|---|---|
| Internet access | Direct (IGW) | Via NAT Gateway |
| Public IP | Yes (auto-assign) | No |
| Use | Load balancers, bastions | Applications, databases |
| Route table | 0.0.0.0/0 → IGW | 0.0.0.0/0 → NAT GW |
### Terraform configuration

```hcl
# Availability Zones of the current region, used by both subnet resources
data "aws_availability_zones" "available" {
  state = "available"
}

# Public subnets: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, one per AZ
resource "aws_subnet" "public" {
  count                   = 3
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.${count.index}.0/24"
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true

  tags = {
    Name = "public-${data.aws_availability_zones.available.names[count.index]}"
    Type = "public"
  }
}

# Private subnets: 10.0.16.0/24, 10.0.17.0/24, 10.0.18.0/24
resource "aws_subnet" "private" {
  count             = 3
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.${count.index + 16}.0/24"
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name = "private-${data.aws_availability_zones.available.names[count.index]}"
    Type = "private"
  }
}

resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id
}

# Public route table: default route to the IGW, attached to every public subnet
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }
}
resource "aws_route_table_association" "public" {
  count          = 3
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# NAT Gateway (for private subnets): needs an Elastic IP and a working IGW
resource "aws_eip" "nat" {
  domain = "vpc"
}
resource "aws_nat_gateway" "main" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id
  depends_on    = [aws_internet_gateway.main]
}

# Private route table: default route to the NAT GW; without the association
# the private subnets would stay on the VPC's main route table
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.main.id
  }
}
resource "aws_route_table_association" "private" {
  count          = 3
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}
```
## Security Groups

Security groups are virtual firewalls at the instance/ENI level. They work as a stateful firewall: if you allow inbound traffic, the response is allowed automatically.

### Example: multi-tier security groups

```hcl
# ALB Security Group
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Terraform removes AWS's default allow-all egress when none is declared, so
  # the ALB needs an explicit rule to reach the app tier. Scoped to the private
  # /20 rather than app-sg: an inline reference to app-sg here would form a
  # dependency cycle with app-sg's reference to alb-sg below.
  egress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["10.0.16.0/20"]
  }
}

# Application Security Group
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id] # Only from the ALB
  }

  # Outbound to the database tier (by subnet range, for the same cycle reason)
  egress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.32.0/20"]
  }

  # Outbound HTTPS through the NAT Gateway (package updates, external APIs)
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Database Security Group: no egress needed, replies to admitted
# connections are allowed by the stateful tracking
resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id] # Only from the app tier
  }
}
```
### Security groups vs NACLs

| Aspect | Security Group | NACL |
|---|---|---|
| Level | Instance/ENI | Subnet |
| State | Stateful | Stateless |
| Rules | ALLOW only | ALLOW + DENY |
| Ordering | All rules evaluated | By rule number |
| Default | Deny all inbound | Allow all |
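The table above as an added Python model (not from the original article): a security group evaluates every ALLOW rule and tracks connection state, a NACL walks its rules in ascending number and is stateless, so a reply on an ephemeral port needs its own outbound rule. The `Rule` and `Packet` types and the rule sets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int    # NACL evaluation order; security groups ignore it
    action: str    # "allow" or "deny" (security groups only ever have "allow")
    protocol: str
    port_from: int
    port_to: int
    cidr: str      # remote address range the rule applies to

@dataclass(frozen=True)
class Packet:
    peer_ip: str   # remote address: source for inbound, destination for outbound
    port: int      # destination port of the packet
    protocol: str = "tcp"

def _matches(rule, pkt):
    return (rule.protocol == pkt.protocol
            and rule.port_from <= pkt.port <= rule.port_to
            and ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr))

def security_group_allows(rules, pkt):
    """All rules are evaluated and any matching ALLOW admits the packet;
    there is no DENY, anything unmatched is dropped by default."""
    return any(r.action == "allow" and _matches(r, pkt) for r in rules)

def nacl_allows(rules, pkt):
    """Rules are tried in ascending number and the first match decides;
    the implicit final rule '*' denies whatever matched nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action == "allow"
    return False

def connection_works(kind, inbound_rules, outbound_rules, request, reply):
    """Do the request and its reply both get through? A security group ("sg")
    admits the reply on connection state alone; a NACL ("nacl") is stateless,
    so the reply must also match an outbound rule (typically ephemeral ports)."""
    if kind == "sg":
        return security_group_allows(inbound_rules, request)
    return nacl_allows(inbound_rules, request) and nacl_allows(outbound_rules, reply)
```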
## VPC Peering

VPC Peering provides a direct network connection between two VPCs, including across accounts and regions.

```hcl
# VPC peering between production and staging
resource "aws_vpc_peering_connection" "prod_staging" {
  vpc_id      = aws_vpc.production.id
  peer_vpc_id = aws_vpc.staging.id
  auto_accept = true # only works when both VPCs are in the same account and region

  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

# Route in the production VPC pointing at staging
resource "aws_route" "prod_to_staging" {
  route_table_id            = aws_route_table.production.id
  destination_cidr_block    = "10.1.0.0/16" # staging CIDR
  vpc_peering_connection_id = aws_vpc_peering_connection.prod_staging.id
}

# Return route in the staging VPC; without it replies never reach production
resource "aws_route" "staging_to_prod" {
  route_table_id            = aws_route_table.staging.id
  destination_cidr_block    = "10.0.0.0/16" # production CIDR (the VPC from the plan above)
  vpc_peering_connection_id = aws_vpc_peering_connection.prod_staging.id
}
```

### VPC Peering limitations

- Not transitive: A↔B and B↔C does not give you A↔C
- CIDRs must not overlap: both VPCs need unique address ranges
- Full mesh: N VPCs need N×(N-1)/2 peering connections
## Transit Gateway

Transit Gateway solves the full-mesh problem: a central hub that connects VPCs, VPNs and Direct Connect.

```
Without Transit GW:              With Transit GW:

VPC-A ──── VPC-B                 VPC-A ──┐
  │ \    /   │                           │
  │  \  /    │                   VPC-B ──┤
  │   X      │                           ├── Transit GW ── On-prem
  │  / \     │                   VPC-C ──┤
  │ /   \    │                           │
VPC-C ──── VPC-D                 VPC-D ──┘

6 peering connections            4 attachments
```

```hcl
resource "aws_ec2_transit_gateway" "main" {
  description                     = "Central Transit Gateway"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
  dns_support                     = "enable"

  tags = {
    Name = "main-tgw"
  }
}

# One attachment per VPC; subnet_ids must belong to that VPC, one subnet per AZ
resource "aws_ec2_transit_gateway_vpc_attachment" "production" {
  subnet_ids         = aws_subnet.private[*].id
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = aws_vpc.production.id
}
```
## VPN: Site-to-Site

A VPN connects the on-premises network to the cloud over an encrypted tunnel.

```hcl
# Customer Gateway (on-prem router)
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1" # Public IP of the on-prem router
  type       = "ipsec.1"
}

# VPN Connection terminated on the Transit Gateway
resource "aws_vpn_connection" "main" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false # Use BGP

  tags = {
    Name = "onprem-vpn"
  }
}
```
### VPN vs Direct Connect

| Aspect | VPN | Direct Connect |
|---|---|---|
| Connection | Over the internet (IPsec) | Dedicated fibre |
| Latency | Variable | Consistent (< 5 ms) |
| Throughput | Up to 1.25 Gbps | 1-100 Gbps |
| Cost | Low | High |
| Setup time | Minutes | Weeks to months |
| Redundancy | Simple (2 tunnels) | Requires a second connection |
## DNS in the cloud

```hcl
# Private Hosted Zone, resolvable only from the associated VPC
resource "aws_route53_zone" "private" {
  name = "internal.example.com"

  vpc {
    vpc_id = aws_vpc.main.id
  }
}

# Service discovery via DNS: alias record pointing at the internal load balancer
resource "aws_route53_record" "api" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "api.internal.example.com"
  type    = "A"

  alias {
    name                   = aws_lb.api.dns_name
    zone_id                = aws_lb.api.zone_id
    evaluate_target_health = true
  }
}
```
## Network architecture: best practice

```
                    Internet
                        │
                   ┌────┴─────┐
                   │  WAF +   │
                   │CloudFront│
                   └────┬─────┘
                        │
                   ┌────┴─────┐
                   │   ALB    │  ← Public subnet
                   └────┬─────┘
                        │
            ┌───────────┼───────────┐
            ▼           ▼           ▼
         ┌──────┐    ┌──────┐    ┌──────┐
         │App AZ│    │App AZ│    │App AZ│  ← Private subnet
         │  -a  │    │  -b  │    │  -c  │
         └──┬───┘    └──┬───┘    └──┬───┘
            │           │           │
         ┌──┴───┐    ┌──┴───┐    ┌──┴───┐
         │DB AZ │    │DB AZ │    │DB AZ │  ← DB subnet
         │  -a  │    │  -b  │    │  -c  │
         └──────┘    └──────┘    └──────┘
```
## Best Practices

- Multi-AZ: always at least 2 AZs for high availability
- Least privilege: security groups allow only the traffic that is needed
- Private subnets: applications and databases are never directly on the internet
- CIDR planning: design the ranges up front and leave headroom
- Transit Gateway: for 3+ VPCs instead of full-mesh peering
- VPC Flow Logs: enable them for audit and troubleshooting
- Infrastructure as Code: all network configuration in Terraform/Pulumi
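As an added example (not from the original article), a small Python pass over VPC Flow Log records in the default version 2 format: it parses the records and picks out REJECTed connection attempts to the database port on a DB-tier address from sources outside the application subnets, which is what an audit of the multi-tier layout above should surface. The log lines, ENI id and account id are constructed.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records: app tier (10.0.16.0/20) talking to the DB tier
# (10.0.32.0/20), plus attempts from a public-subnet address that the DB
# security group rejects. Protocol 6 is TCP.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.16.12 10.0.32.5 40212 5432 6 12 2460 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.32.5 51000 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.32.5 51001 5432 6 3 180 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.17.8 10.0.32.6 40300 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.15 10.0.32.5 41000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse version-2 records into dicts; NODATA/SKIPDATA lines carry no addresses and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_db_access(records, db_subnets, app_subnets, db_port=5432):
    """Count REJECTed attempts to the DB port on a DB-tier address from sources
    outside the app tier: either a misconfigured security group or something
    that should not be talking to the database at all."""
    db = [ipaddress.ip_network(c) for c in db_subnets]
    app = [ipaddress.ip_network(c) for c in app_subnets]
    hits = Counter()
    for r in records:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if (r["action"] == "REJECT" and r["dstport"] == db_port
                and any(dst in n for n in db) and not any(src in n for n in app)):
            hits[r["srcaddr"]] += 1
    return hits
```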
Cloud networking is the foundation the whole infrastructure stands on. A well-designed VPC architecture with private subnets, security groups and a Transit Gateway gives your applications a secure, scalable and maintainable network layer.