
Virtual Private Cloud

Product Overview

Issue 19

Date 2018-07-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 19 (2018-07-30) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 What Is Virtual Private Cloud?
2 Product Advantages
3 Application Scenarios
4 Accessing the Internet
5 VPC Resource Quotas
6 Related Services
7 User Permissions
8 Basic Concepts
  8.1 Subnet
  8.2 Elastic IP Address
  8.3 Route Table
  8.4 Bandwidth
  8.5 Security Group
  8.6 VPN
  8.7 Remote Gateway
  8.8 Remote Subnet
  8.9 VPC Peering Connection
  8.10 Network ACL
  8.11 Virtual IP Address
  8.12 Region
  8.13 Project


1 What Is Virtual Private Cloud?

The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving the security of resources in the cloud system and simplifying network deployment.

You can create security groups and VPNs, configure IP address ranges, and specify bandwidth sizes in your VPC. A VPC facilitates internal network management and configuration, and allows you to implement secure and quick network changes. You can also customize the ECS access rules within a security group and between security groups to improve ECS security.

Figure 1-1 VPC components

Accessing the VPC

Web-based service management platforms, including the management console and HTTPS-based application programming interface (API), are provided for you to access the VPC service. The detailed methods for accessing the VPC service are as follows:

- API

  If you need to integrate the VPC service provided by the public cloud system into a third-party system for secondary development, you can use the API to access the VPC service. For details, see the Virtual Private Cloud API Reference.

- Management console

  You can log in to the management console to perform other required operations on the VPC service. You can access the VPC service by logging in to the management console and selecting Virtual Private Cloud from the console homepage.


2 Product Advantages

- Flexible configuration

  You can create VPCs, add subnets, specify IP address ranges, and configure DHCP and route tables. You can create ECSs that are in different availability zones (AZs), in the same VPC.

- Secure and reliable

  A VPC is completely and logically isolated from other VPCs using the tunneling technology. By default, different VPCs cannot communicate with each other. Network access control lists (ACLs) are provided to protect subnets, and security groups are provided to protect ECSs. The network ACLs and security groups add additional layers of security to your VPC, making your network more secure.

- Interconnection

  By default, a VPC cannot access the Internet. You can leverage elastic IP addresses (EIPs), Elastic Load Balance (ELB) functions, NAT gateways, Virtual Private Network (VPN) connections, and Direct Connect connections to enable access to the Internet. By default, two VPCs cannot communicate with each other. You can create a VPC peering connection to enable the two VPCs to communicate with each other using private IP addresses. Multiple connectivity options are provided to meet enterprises' diverse service requirements for the cloud, to allow you to deploy enterprise applications with ease, and to lower enterprise IT operation and maintenance (O&M) costs.

- High-speed access

  Dynamic BGP is used to provide access to various carrier networks. For example, dynamic BGP connections to about 21 carrier networks are provided in China. The dynamic BGP connections enable real-time failover based on the preset routing protocols, ensuring high network stability, low network latency, and smooth access to services on the cloud.


3 Application Scenarios

- Hosting universal web applications

  You can host web applications and websites in a VPC and use the VPC as a common network. You can use EIPs to connect ECSs to the Internet for running web applications deployed on the ECSs. The VPN gateway is used to establish a VPN channel between the web applications and the service system on the cloud, ensuring high-speed interconnection between the website and the service system.

- Hosting security-demanding services

  You can create a VPC and security groups to host multi-tier web applications in different security zones. You can associate web servers and database servers with different security groups and configure different access control rules for each security group. You can launch web servers in a publicly accessible subnet and database servers in non-publicly accessible subnets to ensure high security and meet the requirements of security-demanding scenarios.

- Extending your corporate network into the cloud

  You can connect a VPC to your private cloud using a VPN connection. With a VPN connection between the VPC and your traditional data center, you can easily use the ECSs and block storage resources. Applications can be migrated to the cloud and additional web servers can be deployed to increase the computing capacity on a network. In this way, a hybrid cloud is built, which reduces IT O&M costs and protects enterprise core data from being leaked. A VPC can span multiple AZs, thereby ensuring high availability of e-commerce systems.


4 Accessing the Internet

To meet your Internet connectivity requirements in different scenarios, the public cloud system provides EIPs, load balancers, NAT gateways, VPN connections, and Direct Connect connections based on the VPC service to help you quickly move your business to the cloud without requiring complex deployment.

Use EIPs to Enable a Small Number of ECSs to Access the Internet

When only a few ECSs need to access the Internet, you can bind the EIPs to the ECSs. Then, the ECSs can connect to the Internet. You can dynamically unbind the EIPs from the ECSs and bind the EIPs to NAT gateways and load balancers to enable them to access the Internet. EIP management is easy. Different EIPs can use the same shared bandwidth, reducing your bandwidth costs.

Use NAT Gateways to Enable a Large Number of ECSs to Access the Internet

When a large number of ECSs need to access the Internet, the public cloud system provides Network Address Translation (NAT) gateways for the ECSs. With NAT gateways, you do not need to assign an EIP to each ECS, which reduces management costs incurred by an excessive number of EIPs. A NAT gateway offers both the source network address translation (SNAT) and destination network address translation (DNAT) functions. SNAT allows multiple ECSs in the same VPC to share one or more EIPs to access the Internet. The SNAT function reduces management costs and prevents the EIPs of ECSs from being exposed to the Internet. SNAT supports a maximum of 1 million concurrent connections and 30,000 new connections. DNAT can implement port-level data forwarding. It maps EIP ports to ECS ports to enable the ECSs in a VPC to share the same EIP and bandwidth to provide Internet-accessible services.
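The SNAT and DNAT behaviour described above, modelled as an added example (this is not Huawei code and does not describe how the NAT gateway is implemented). It assumes a connection-tracking table keyed by the ECS private address and port, sequential public-port allocation starting at 1024, and DNAT rules of the form (EIP, port) -> (ECS, port); the EIP 203.0.113.10, the private addresses and the ports are constructed sample values:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass
class NatGateway:
    eips: List[str]                     # EIPs the whole VPC shares for SNAT
    max_connections: int = 1_000_000    # SNAT concurrent-connection ceiling quoted on the page
    dnat_rules: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # (EIP, port) -> (ECS, port)
    _snat: Dict[Endpoint, Endpoint] = field(default_factory=dict)        # (ECS, port) -> (EIP, port)
    _reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)     # (EIP, port) -> (ECS, port)
    _next_port: int = 1024              # assumed allocation scheme, not the gateway's

    def add_dnat_rule(self, eip: str, public_port: int, ecs_ip: str, ecs_port: int) -> None:
        """DNAT: expose exactly one ECS port on one EIP port. Nothing else becomes reachable."""
        if eip not in self.eips:
            raise ValueError(f"{eip} is not bound to this NAT gateway")
        self.dnat_rules[(eip, public_port)] = (ecs_ip, ecs_port)

    def outbound(self, src: Endpoint) -> Endpoint:
        """SNAT: rewrite an ECS source to a shared EIP and a gateway-chosen port."""
        if src in self._snat:                      # an existing connection keeps its mapping
            return self._snat[src]
        if len(self._snat) >= self.max_connections:
            raise RuntimeError("SNAT connection table full")
        if self._next_port > 65535:
            raise RuntimeError("no free public ports")   # assumed: ports are never reclaimed here
        eip = self.eips[len(self._snat) % len(self.eips)]   # spread flows across the EIPs
        public = (eip, self._next_port)
        self._next_port += 1
        self._snat[src] = public
        self._reverse[public] = src
        return public

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Where an Internet packet to (EIP, port) goes, or None if the gateway drops it.
        Replies to SNAT flows are matched first; new inbound flows need a DNAT rule."""
        if dst in self._reverse:
            return self._reverse[dst]
        return self.dnat_rules.get(dst)


def demo() -> Dict[str, Optional[Endpoint]]:
    # Constructed sample: two ECSs behind one EIP; only the web ECS has a DNAT rule.
    gw = NatGateway(eips=["203.0.113.10"])
    gw.add_dnat_rule("203.0.113.10", 443, "10.0.1.20", 8443)
    app_out = gw.outbound(("10.0.1.5", 40000))       # app ECS reaches the Internet via SNAT
    other_out = gw.outbound(("10.0.1.6", 40000))     # a second ECS shares the same EIP
    return {
        "app_public": app_out,
        "other_public": other_out,
        "reply_to_app": gw.inbound(app_out),                      # return traffic finds its way back
        "unsolicited_to_app": gw.inbound(("203.0.113.10", 22)),   # no rule, no mapping: dropped
        "web_via_dnat": gw.inbound(("203.0.113.10", 443)),        # only the published port is reachable
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two points the page makes show up directly: an ECS behind SNAT is reachable from the Internet only for replies to flows it opened itself, and DNAT exposes one (EIP, port) pair per rule rather than the whole ECS.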

Use ELB to Connect to the Internet If There Are a Large Number of Highly Concurrent Requests

In high-concurrency scenarios, such as e-commerce, you can use load balancers provided by the ELB service to evenly distribute access traffic across multiple ECSs, allowing a large number of users to concurrently access your business system or application. ELB is deployed in cluster mode and provides fault tolerance for your applications by automatically balancing traffic across multiple availability zones (AZs). You can also take advantage of deep integration with the Auto Scaling (AS) service, which enables automatic scaling based on service traffic and ensures service stability and reliability.


Use VPN or Direct Connect to Extend Your Self-Hosted IDC into the Cloud over the Internet

For customers with self-hosted IDC equipment rooms, not all business will be migrated to the cloud, because these customers want to reuse their legacy devices and require smooth business evolution. In this case, you can use VPN or Direct Connect to interconnect your VPC and on-premises IDC. A VPN connection routes traffic through the Internet, which gives you a private network at the price of the public network. A Direct Connect connection is a dedicated, private network connection that provides more efficient data transmission and a more consistent network experience than Internet-based connections.


5 VPC Resource Quotas

Table 5-1 lists the quotas for VPC resources per region for your public cloud account.

Table 5-1 VPC resource quotas

| Resource                           | Default Quota | How to Increase Quota           |
|------------------------------------|---------------|---------------------------------|
| VPCs per region                    | 5             | Submit a service ticket.        |
| Subnets per region                 | 100           | Submit a service ticket.        |
| EIPs per region                    | 20            | Submit a service ticket.        |
| Security groups per region         | 100           | Submit a service ticket.        |
| Rules per security group           | 50            | Submit a service ticket.        |
| Security group rules per region    | 5000          | Submit a service ticket.        |
| Routes per route table             | 100           | This quota cannot be increased. |
| Routes per VPC                     | 100           | This quota cannot be increased. |
| VPC peering connections per region | 50            | This quota cannot be increased. |
| Network ACLs per region            | 200           | Submit a service ticket.        |
| Rules per network ACL              | 20            | Submit a service ticket.        |

NOTE

For details about how to submit a service ticket, see Submitting a Service Ticket.


6 Related Services

- ECS

  A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. The VPC service provides multiple connectivity options for ECSs to access the Internet. You can also customize the ECS access rules within a security group and between security groups to improve ECS security.

- ELB

  ELB uses the EIP and bandwidth provided by the VPC service.

- Cloud Eye

  After the VPC service becomes available to you, you can use Cloud Eye to view the status of monitored objects of the service without requiring additional plug-ins to be installed.

- CTS

  With Cloud Trace Service (CTS), you can record operations performed on the VPC resources for further query, audit, and backtrack purposes.


7 User Permissions

The public cloud system provides two types of user permissions by default: user management and resource management. User management refers to the management of users, user groups, and user group rights. Resource management refers to the control operations that can be performed by users on cloud service resources.


8 Basic Concepts

8.1 Subnet

A subnet is a network that manages ECS network planes. It supports IP address management and DNS. The IP addresses of all ECSs in a subnet belong to the subnet.

By default, ECSs in all subnets of the same VPC can communicate with one another, while ECSs in different VPCs cannot communicate with one another.

You can create VPC peering connections to enable ECSs in different VPCs to communicate with one another. For details, see section 8.9 VPC Peering Connection.

8.2 Elastic IP Address

A public IP address is an IP address that can be directly accessed over the Internet. A private IP address is an IP address on a local area network (LAN) in the public cloud system and cannot be routed through the Internet.

An EIP is a static, public IP address. You can bind an EIP to an ECS in your subnet to enable the ECS in your VPC to communicate with the Internet through a fixed public IP address.

Each EIP can be used by only one ECS at a time.

8.3 Route Table

A route table contains a set of rules that are used to determine where network traffic is directed. You can add routes to a route table to enable other ECSs in a VPC to access the Internet through the ECS that has a bound EIP.

You can use the route table function configured in standalone or active/standby mode.

- Figure 8-1 shows the route table function configured in standalone mode.

  Figure 8-1 Route table function configured in standalone mode

  In standalone mode, ECSs in a VPC that do not have EIPs bound access the Internet through an ECS that has an EIP bound and has the source network address translation (SNAT) function configured. In standalone mode, you can create a route table for the VPC used by ECSs that do not have EIPs bound to enable these ECSs to access the Internet. The next hop in the route table is the private IP address of the ECS that has an EIP bound (the private IP address of the SNAT server).

- Figure 8-2 shows the route table function configured in active/standby mode.

  Figure 8-2 Route table function configured in active/standby mode

  In active/standby mode, ECSs in a VPC that do not have EIPs bound access the Internet through two ECSs that have EIPs bound and have the SNAT function configured. In active/standby mode, you can add a route table for the VPC used by ECSs that do not have EIPs bound to enable these ECSs to access the Internet. The next hop in the route table is the virtual IP address of the two ECSs that have EIPs bound.
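An added illustration of the two route-table modes above; this is example code, not the page's or Huawei's. It assumes longest-prefix matching, a default route 0.0.0.0/0 whose next hop is either the SNAT ECS's private IP (standalone) or the virtual IP (active/standby), and a virtual IP that is held by whichever of its two members is up; the VPC range, ECS addresses and virtual IP are constructed sample values:

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


class RouteTable:
    """Routes for one VPC; lookup uses longest-prefix match (an assumption, not stated on the page)."""
    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, destination: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(destination), next_hop))

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


class VirtualIp:
    """A virtual IP bound to two SNAT ECSs; whichever member is up holds it (assumed failover model)."""
    def __init__(self, vip: str, members: List[str]) -> None:
        self.vip = vip
        self.members = members
        self.down: Set[str] = set()

    def holder(self) -> Optional[str]:
        return next((m for m in self.members if m not in self.down), None)


def resolve_internet_path(table: RouteTable, vips: Dict[str, VirtualIp],
                          up_hosts: Set[str], dst: str) -> Optional[str]:
    """Which ECS forwards a packet to dst: 'local' inside the VPC, an SNAT ECS, or None if the path is broken."""
    hop = table.lookup(dst)
    if hop is None or hop == "local":
        return hop
    if hop in vips:                                # active/standby: the VIP follows the live member
        return vips[hop].holder()
    return hop if hop in up_hosts else None        # standalone: one ECS, one point of failure


def demo() -> Dict[str, Optional[str]]:
    # Constructed sample: VPC 10.0.0.0/16, SNAT ECSs 10.0.0.11 and 10.0.0.12, virtual IP 10.0.0.100.
    standalone = RouteTable()
    standalone.add("10.0.0.0/16", "local")
    standalone.add("0.0.0.0/0", "10.0.0.11")       # next hop: private IP of the single SNAT ECS

    ha = RouteTable()
    ha.add("10.0.0.0/16", "local")
    ha.add("0.0.0.0/0", "10.0.0.100")              # next hop: the virtual IP shared by both SNAT ECSs
    vip = VirtualIp("10.0.0.100", ["10.0.0.11", "10.0.0.12"])
    vips = {vip.vip: vip}

    up = {"10.0.0.11", "10.0.0.12"}
    result = {
        "in_vpc": resolve_internet_path(ha, vips, up, "10.0.3.4"),
        "standalone_ok": resolve_internet_path(standalone, {}, up, "198.51.100.7"),
        "ha_ok": resolve_internet_path(ha, vips, up, "198.51.100.7"),
    }
    # Simulate the primary SNAT ECS failing.
    up.discard("10.0.0.11")
    vip.down.add("10.0.0.11")
    result["standalone_after_failure"] = resolve_internet_path(standalone, {}, up, "198.51.100.7")
    result["ha_after_failure"] = resolve_internet_path(ha, vips, up, "198.51.100.7")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The difference between the modes is what the route's next hop points at: a concrete ECS address in standalone mode, so losing that ECS silently cuts Internet access for every ECS without an EIP, versus a virtual IP in active/standby mode, where the same route keeps working after the standby takes over.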

8.4 Bandwidth

You can allocate bandwidth when assigning an EIP so that the ECS bound with the EIP can use the bandwidth to access the Internet.

The bandwidth displays network resource usage and can be used for service metering.

8.5 Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules.

8.6 VPN

A VPN establishes an encrypted communication tunnel between a user and a VPC, enabling the user to use resources in the VPC.

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN.

8.7 Remote Gateway

A remote gateway is the public IP address of the physical device on the peer side in an IPsec VPN tunnel. The remote gateway of each IPsec VPN must be unique.

8.8 Remote Subnet

A remote subnet is the destination network reachable through the tunnel. All IP packets sent to the network are transmitted through the IPsec VPN tunnel. You can configure more than one remote subnet. The remote subnet of a VPN connection cannot be a subnet in the VPC where that VPN connection was created.

8.9 VPC Peering Connection

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same VPC. You can create a VPC peering connection between your own VPCs, or between your VPC and another tenant's VPC within the same region. You cannot create a VPC peering connection between VPCs in different regions.
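Two configuration checks for the constraints stated in 8.8 and 8.9, written as an added example (not Huawei's tooling or API). The exact-subnet rule for VPN remote subnets and the same-region rule for peering come from the page; the overlap checks, for VPN remote subnets and for the subnets of peered VPCs, are assumptions added here because overlapping ranges cannot be routed unambiguously, and the VPC names, region names and CIDRs are constructed:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vpc:
    name: str
    region: str
    subnets: List[str]   # subnet CIDRs


def vpn_remote_subnet_errors(vpc: Vpc, remote_subnets: List[str]) -> List[str]:
    """Page rule (8.8): a remote subnet may not be a subnet of the VPC the VPN is created in.
    Assumed extension: a remote subnet that merely overlaps a local subnet is rejected too."""
    errors = []
    local = [ipaddress.ip_network(s) for s in vpc.subnets]
    for remote in remote_subnets:
        net = ipaddress.ip_network(remote)
        for l in local:
            if net == l:
                errors.append(f"{remote} is a subnet of VPC {vpc.name}")
                break
            if net.overlaps(l):
                errors.append(f"{remote} overlaps local subnet {l} of VPC {vpc.name}")
                break
    return errors


def peering_errors(a: Vpc, b: Vpc) -> List[str]:
    """Page rule (8.9): both VPCs must be in the same region.
    Assumed extension: their subnets must not overlap, since peering routes private
    addresses between them as if they were one network."""
    errors = []
    if a.region != b.region:
        errors.append(f"{a.name} is in {a.region} but {b.name} is in {b.region}")
    for sa in a.subnets:
        for sb in b.subnets:
            if ipaddress.ip_network(sa).overlaps(ipaddress.ip_network(sb)):
                errors.append(f"{a.name} subnet {sa} overlaps {b.name} subnet {sb}")
    return errors


def demo() -> Dict[str, List[str]]:
    # Constructed sample VPCs and region names; nothing here comes from a real account.
    prod = Vpc("prod", "region-a", ["10.0.1.0/24", "10.0.2.0/24"])
    analytics = Vpc("analytics", "region-a", ["10.1.0.0/24"])
    dr = Vpc("dr", "region-b", ["10.0.1.0/24"])
    return {
        "vpn_ok": vpn_remote_subnet_errors(prod, ["192.168.10.0/24"]),
        "vpn_local_subnet": vpn_remote_subnet_errors(prod, ["10.0.1.0/24"]),
        "vpn_overlap": vpn_remote_subnet_errors(prod, ["10.0.0.0/16"]),
        "peer_ok": peering_errors(prod, analytics),
        "peer_bad": peering_errors(prod, dr),
    }


if __name__ == "__main__":
    for name, errs in demo().items():
        print(name, "->", errs or "ok")
```

Running the checks before a VPN connection or peering request is submitted catches the two rejections the page describes without a round trip to the console.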


8.10 Network ACL

A network access control list (ACL) is an optional layer of security and provides stateful access control services. Based on inbound and outbound rules, the network ACL determines whether data packets are allowed in or out of any associated subnet.

NOTE

Currently, the network ACL function is available only to the East China, North China, South China, and Hong Kong regions.
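An added model of the two layers the document describes (sections 2, 3, 8.5 and 8.10), applied to the Section 3 layout of web servers in a publicly accessible subnet and database servers in a private one; this is example code, not Huawei's. Assumptions not on the page: security-group rules are allow-only and any matching rule admits a packet; a subnet without a network ACL admits everything; an ACL whose rules do not match denies; and only new connections are evaluated, so the stateful return path is not modelled. The subnet ranges, addresses and ports are constructed:

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A new connection attempt: source, destination, protocol and destination port.
Packet = namedtuple("Packet", "src dst protocol dst_port")

@dataclass
class SgRule:
    direction: str          # "in" or "out"
    protocol: str           # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination-port range
    source: str             # CIDR, or "sg:<name>" to trust every member of that group

@dataclass
class SecurityGroup:
    name: str
    members: List[str] = field(default_factory=list)   # private IPs of member ECSs
    rules: List[SgRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The page's default rule: all outgoing packets are allowed.
        self.rules.append(SgRule("out", "any", (1, 65535), "0.0.0.0/0"))

@dataclass
class AclRule:
    direction: str
    action: str             # "allow" or "deny"
    protocol: str
    ports: Tuple[int, int]
    cidr: str               # address range of the remote side of the packet

def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _matches(protocol: str, ports: Tuple[int, int], pkt: Packet) -> bool:
    return protocol in ("any", pkt.protocol) and ports[0] <= pkt.dst_port <= ports[1]

class Vpc:
    def __init__(self, subnets: Dict[str, Optional[List[AclRule]]], groups: List[SecurityGroup]):
        self.subnets = subnets                      # subnet CIDR -> ordered ACL rules, or None
        self.groups = groups

    def subnet_of(self, ip: str) -> Optional[str]:
        return next((cidr for cidr in self.subnets if _in(ip, cidr)), None)

    def acl_allows(self, subnet: Optional[str], direction: str, remote: str, pkt: Packet) -> bool:
        if subnet is None or self.subnets[subnet] is None:   # outside the VPC, or no ACL attached
            return True
        for r in self.subnets[subnet]:                        # first matching rule wins
            if r.direction == direction and _matches(r.protocol, r.ports, pkt) and _in(remote, r.cidr):
                return r.action == "allow"
        return False                                          # assumed: no match means deny

    def sg_allows(self, ip: str, direction: str, remote: str, pkt: Packet) -> bool:
        if self.subnet_of(ip) is None:              # Internet or peer endpoint: no group applies
            return True
        group = next((g for g in self.groups if ip in g.members), None)
        if group is None:
            return False                            # an ECS without a group: fail closed
        if remote in group.members:
            return True                             # page: members reach each other without rules
        for r in group.rules:                       # allow-only rules: any match admits the packet
            if r.direction != direction or not _matches(r.protocol, r.ports, pkt):
                continue
            if r.source.startswith("sg:"):
                peer = next((g for g in self.groups if g.name == r.source[3:]), None)
                if peer is not None and remote in peer.members:
                    return True
            elif _in(remote, r.source):
                return True
        return False

    def permits(self, pkt: Packet) -> bool:
        """Evaluate a new connection at all four checkpoints along its path."""
        return (self.sg_allows(pkt.src, "out", pkt.dst, pkt)
                and self.acl_allows(self.subnet_of(pkt.src), "out", pkt.dst, pkt)
                and self.acl_allows(self.subnet_of(pkt.dst), "in", pkt.src, pkt)
                and self.sg_allows(pkt.dst, "in", pkt.src, pkt))

def build_demo_vpc() -> Vpc:
    """Constructed sample: web tier in public 10.0.1.0/24, database tier in private 10.0.2.0/24."""
    web = SecurityGroup("web", members=["10.0.1.10", "10.0.1.11"])
    web.rules.append(SgRule("in", "tcp", (443, 443), "0.0.0.0/0"))
    db = SecurityGroup("db", members=["10.0.2.10"])
    db.rules.append(SgRule("in", "tcp", (3306, 3306), "sg:web"))   # only the web tier may connect
    private_acl = [   # subnet-level backstop: MySQL in from the web subnet; db-initiated traffic only toward it
        AclRule("in", "allow", "tcp", (3306, 3306), "10.0.1.0/24"),
        AclRule("out", "allow", "any", (1, 65535), "10.0.1.0/24"),
    ]
    return Vpc({"10.0.1.0/24": None, "10.0.2.0/24": private_acl}, [web, db])
```

With `v = build_demo_vpc()`, `v.permits(Packet("198.51.100.7", "10.0.1.10", "tcp", 443))` is allowed while the same source to the database port is refused by the private subnet's ACL before the database security group is even consulted; the web tier reaches MySQL through the `sg:web` rule, and an outbound connection from the database ECS to the Internet is stopped by the ACL even though the group's default rule allows all egress, which is the "additional layer" the Product Advantages section refers to.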

8.11 Virtual IP Address

A virtual IP address is a private IP address. It can be bound to multiple ECSs deployed in active/standby mode. You can also bind a virtual IP address with an EIP so that you can access the ECSs that have the same virtual IP address bound from the Internet, improving fault tolerance capabilities.

8.12 Region

A region is a geographical area where you can run your VPC service.

Each region comprises one or more AZs and is completely isolated from other regions. AZs in the same region can communicate with one another through an internal network, while those in different regions cannot communicate with one another through an internal network.

The public cloud system is hosted in multiple locations worldwide, such as in North America, Europe, and Asia. The VPC service hence can be provided in different locations. You can create VPCs in locations that meet your requirements. For example, you can create VPCs to design applications in a region that is closer to your customers or that can meet legal or other specific requirements.

8.13 Project

Projects are used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team. Multiple projects can be created for one account.
