Infrastructure Architecture
Terraform architecture model for MILU2 Stage Infrastructure
Shared vs Stage
Terraform is split into 2 separate configs, each with its own state file:
| | Shared | Stage |
|---|---|---|
| Scope | Global / account-level | Per-region |
| Resources | S3 (4 buckets), IAM role, CloudFront (2) | VPC, Subnets, ALB, NLB, EC2, ECR, ACM, Route53, CloudWatch |
| State file | shared/terraform.tfstate | terraform.tfstate |
| Existing mechanism | Yes: skipped automatically if it already exists | Auto-import of 31 resource types |
Info
Operational flow: (1) shared runs first (once) and creates the global resources. (2) stage runs afterwards (once per region/stage_index).
Network Topology
Overview diagram of the network components and traffic flow:
Network Topology (ASCII)
```text
                     Internet
                        │
              ┌─────────┴─────────┐
              │ ALB internet-facing│ (443 HTTPS)
              └─────────┬─────────┘
                        │
┌───────────────────────┴──────────────────────┐
│ milu2stage-vpc (172.{34+stage_index}.0.0/16) │
│   ┌──────────────┐        ┌──────────────┐   │
│   │ subnet main  │        │ subnet second│   │
│   │ (AZ-1)       │        │ (AZ-2)       │   │
│   └──────┬───────┘        └──────┬───────┘   │
│          │ ALB internal / NLB    │           │
│          │ ASG(API)     EC2(Web/DB/Node)     │
└──────────┼───────────────────────┼───────────┘
           │  VPC Peering (pcx)    │
           ▼                       ▼
      milu2-vpc (build, 172.31.0.0/16), same account
```
CIDR Scheme
All CIDRs (VPC and subnets) are computed automatically from the stage_index variable:
| stage_index | VPC CIDR | Subnet main | Subnet second |
|---|---|---|---|
| 0 | 172.34.0.0/16 | 172.34.0.0/24 | 172.34.1.0/24 |
| 1 | 172.35.0.0/16 | 172.35.0.0/24 | 172.35.1.0/24 |
| 2 | 172.36.0.0/16 | 172.36.0.0/24 | 172.36.1.0/24 |
| ... | ... | ... | ... |
Tip
reserved_offsets automatically skips CIDRs that are already in use (172.30.0.0/16 through 172.33.0.0/16). preflight-check.ps1 suggests an available stage_index when VPC Peering is enabled.
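As an added example (not the project's Terraform or preflight-check.ps1), the following Python reproduces the CIDR scheme above and the kind of overlap check a preflight would run before creating a stage VPC, including against the build VPC 172.31.0.0/16 shown in the topology. The base octet 34, the encoding of the reserved 172.30-33 blocks as a list, and the function names are assumptions made for this example.

```python
import ipaddress
from typing import Iterable, Optional

# Second octet for stage_index 0 (172.34.0.0/16, matching the CIDR table). Assumed.
STAGE_BASE_OCTET = 34
# /16 blocks the page lists as already taken (172.30-33.0.0/16). This list is a
# hypothetical stand-in for the project's reserved_offsets, not its real variable.
RESERVED_VPC_CIDRS = [ipaddress.ip_network(f"172.{o}.0.0/16") for o in range(30, 34)]


def stage_cidrs(stage_index: int) -> dict:
    """Derive the VPC CIDR and the two /24 subnets for a stage_index."""
    if not 0 <= stage_index <= 255 - STAGE_BASE_OCTET:
        raise ValueError("stage_index would leave the 172.x.0.0/16 range")
    vpc = ipaddress.ip_network(f"172.{STAGE_BASE_OCTET + stage_index}.0.0/16")
    # Subnets are the first two /24 blocks of the VPC (AZ-1 and AZ-2).
    subnets = list(vpc.subnets(new_prefix=24))
    return {"vpc": vpc, "main": subnets[0], "second": subnets[1]}


def conflicts(stage_index: int, in_use: Iterable[str],
              peer_cidr: Optional[str] = None) -> list:
    """CIDRs the stage VPC would overlap: reserved blocks, existing VPCs, peer VPC.

    Overlap with the peer VPC matters most: a peering connection between
    overlapping CIDRs cannot route traffic at all.
    """
    vpc = stage_cidrs(stage_index)["vpc"]
    others = list(RESERVED_VPC_CIDRS) + [ipaddress.ip_network(c) for c in in_use]
    if peer_cidr:
        others.append(ipaddress.ip_network(peer_cidr))
    return [str(o) for o in others if vpc.overlaps(o)]


def suggest_stage_index(in_use: Iterable[str], peer_cidr: Optional[str] = None,
                        limit: int = 32) -> Optional[int]:
    """Lowest stage_index whose VPC CIDR collides with nothing (preflight-style hint)."""
    in_use = list(in_use)
    for idx in range(limit):
        if not conflicts(idx, in_use, peer_cidr):
            return idx
    return None


if __name__ == "__main__":
    # Constructed sample: two stage VPCs already exist, peering to the build VPC.
    existing = ["172.34.0.0/16", "172.35.0.0/16"]
    print(stage_cidrs(0))
    print("next free stage_index:", suggest_stage_index(existing, "172.31.0.0/16"))
```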
VPC Peering
Enables communication between the stage VPC and the build VPC:
VPC Peering Configuration
```hcl
# terraform.tfvars
peer_build_vpc_id   = "vpc-xxxxxxxxx"  # VPC ID of the build VPC
peer_build_vpc_cidr = "172.31.0.0/16"  # CIDR of the build VPC
peer_region         = "ap-northeast-1" # Region (leave empty if same region)
```
Security Groups
Seven security groups, split by role:
| Name | Purpose |
|---|---|
| milu2stage-VN-trusted-ip-sg | Office / trusted IPs |
| MILU2stage-sg | General app SG |
| MILU2-stage-node-game-sg | Node game |
| MILU2-stage-node-world-sg | Node world |
| MILU2-stage-node-chat-sg | Node chat |
| MILU2-stage-node-commu-sg | Node commu |
| milu2stage-db | DB / ICMP |