
IT2314 Network Cloud Services

Virtual Private Cloud

A Virtual Private Cloud (VPC) is a logically isolated virtual network. Within your own VPC, you can create subnets, configure route tables, assign EIPs and bandwidths, and configure security groups to manage access control. VPC is the basis of HUAWEI CLOUD networks. VPC provides secure and isolated networks based on tunneling technology. You can customize your own VPCs, including dividing subnets, configuring route tables, specifying IP addresses, and configuring network ACLs and security groups.

Advantages of VPC

Flexible configuration: You can customize VPCs, divide subnets as required, and configure DHCP and route tables. ECSs can be deployed across AZs.

Security and reliability: VPCs are logically isolated from each other. By default, different VPCs cannot communicate with each other. Network ACLs protect subnets, and security groups protect ECSs.

Seamless connectivity: By default, a VPC cannot communicate with the Internet. You can use EIP, ELB, NAT Gateway, VPN, and Direct Connect to enable access to or from the Internet. By default, two VPCs in the same region cannot communicate with each other. You can create a VPC peering connection to enable them to communicate with each other using private IP addresses.

High-speed access: Up to 21 dynamic BGP connections are established to multiple carriers. Dynamic BGP provides automatic failover in real time and chooses the optimal path when a network connection fails.

VPC Architecture

04 Handout 1 *Property of STI Page 1 of 9

Each VPC consists of a private CIDR block, route tables, and at least one subnet. When you create a VPC, you need to specify the private CIDR block for the VPC. The VPC service supports CIDR blocks 10.0.0.0/8-24, 172.16.0.0/12-24, and 192.168.0.0/16-24. Cloud resources, such as cloud servers and databases, must be deployed in subnets, so you need to divide your VPC into one or more subnets.
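The CIDR rules above (a VPC block must come from 10.0.0.0/8-24, 172.16.0.0/12-24 or 192.168.0.0/16-24, and every subnet must be carved out of it) are the kind of thing worth checking before a VPC is created, because a subnet's CIDR block cannot be changed afterwards. The following is an added example written for this handout, not Huawei Cloud code or its API; it uses only the Python standard library. The peering check goes slightly beyond the text: it encodes the general routing fact that two VPCs with overlapping address space cannot exchange traffic unambiguously over a peering connection, which the handout does not state.

```python
import ipaddress

# Allowed VPC CIDR families from the handout: 10.0.0.0/8-24, 172.16.0.0/12-24, 192.168.0.0/16-24.
# Each entry is (enclosing private range, smallest allowed prefix, largest allowed prefix).
ALLOWED_VPC_BLOCKS = (
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
)


def vpc_cidr_allowed(cidr: str) -> bool:
    """True if cidr lies inside one of the three private ranges and its prefix length is within the allowed span."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero ("10.0.1.5/24" is rejected)
    for parent, lo, hi in ALLOWED_VPC_BLOCKS:
        if net.subnet_of(parent) and lo <= net.prefixlen <= hi:
            return True
    return False


def plan_subnets(vpc_cidr: str, subnet_cidrs) -> list:
    """Check a proposed subnet layout: every subnet inside the VPC block, no two subnets overlapping.

    Returns a list of human-readable problems; an empty list means the layout is consistent.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, accepted = [], []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: not inside VPC {vpc_cidr}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps {other}")
        accepted.append(net)
    return problems


def peering_possible(vpc_a: str, vpc_b: str) -> bool:
    """Two VPCs can only route to each other over a peering connection if their CIDR blocks do not overlap;
    otherwise a route to the peer would be ambiguous (general routing fact, assumed here)."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


if __name__ == "__main__":
    # Constructed sample layout: a /16 VPC with a public web subnet and a private database subnet.
    print(vpc_cidr_allowed("10.0.0.0/16"))                           # True
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))  # []
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25"]))  # overlap reported
    print(peering_possible("10.0.0.0/16", "10.1.0.0/16"))            # True
```

Run it with a candidate VPC block and subnet list before provisioning; anything reported by `plan_subnets` means the layout would either fail creation or leave two subnets fighting over the same addresses.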
When you create a VPC, the system automatically generates a default route table for the VPC. The route table ensures that all subnets in the VPC can communicate with each other. If the routes in the default route table cannot meet application requirements (for example, a cloud server without an EIP bound needs to access the Internet), you can create a custom route table.

Security groups and network ACLs: Security groups and network ACLs ensure the security of cloud resources deployed in a VPC. A security group acts as a virtual firewall to provide access rules for instances that have the same security requirements and are mutually trusted in a VPC. A network ACL can be associated with subnets that have the same access control requirements. You can add inbound and outbound rules to precisely control inbound and outbound traffic at the subnet level.

HUAWEI CLOUD provides multiple VPC connectivity options to meet diverse requirements. A VPC peering connection allows two VPCs in the same region to communicate with each other using private IP addresses. An EIP or a NAT gateway allows cloud servers in a VPC to communicate with the Internet. VPN, Cloud Connect, Direct Connect, or Layer 2 Connection Gateway (L2CG) can connect your on-premises data center to VPCs.

Application Scenarios

Dedicated Networks on Cloud
Each VPC represents a private network and is logically isolated from other VPCs. You can deploy your service systems in a private network on the cloud. If you have multiple service systems, for example, a production system and a test system, you can keep them isolated by deploying them in two different VPCs. To enable two VPCs in the same region to communicate with each other, you can create a VPC peering connection between them.

Web Application/Website Hosting
You can host web applications and websites in a VPC and use the VPC as a regular network. With EIPs or NAT gateways, you can connect ECSs running your web applications to the Internet.
You can then use load balancers provided by the ELB service to evenly distribute traffic across multiple ECSs.

Web Application Access Control
You can create a VPC and multiple security groups to associate web servers and database servers with different security groups and configure different access control rules for security groups. You can launch web servers in a publicly accessible subnet and also run database servers in subnets that are not publicly accessible. In this way, you can ensure high security.

Hybrid Cloud Deployment
If you have an on-premises data center and you do not want to migrate all of your business to the cloud, you can build a hybrid cloud. That way, you can keep core data in your own data center.

VPC Concepts

An elastic network interface is a virtual network card. You can create and configure network interfaces and attach them to your instances (ECSs and BMSs) to create flexible and high availability network configurations.

An IP address group is a collection of IP addresses that use the same security group rules. You can use an IP address group to manage IP addresses that have the same security requirements or whose security requirements change frequently. An IP address group frees you from repeatedly modifying security group rules and simplifies security group rule management.

A subnet is a unique CIDR block, a range of IP addresses, in your VPC. All resources in a VPC must be deployed on subnets. Once a subnet has been created, its CIDR block cannot be modified. By default, ECSs in all subnets of the same VPC can communicate with one another, but ECSs in different VPCs cannot. You can create VPC peering connections to enable ECSs in different VPCs to communicate with one another.

The Elastic IP (EIP) service enables your cloud resources to communicate with the Internet using static public IP addresses and scalable bandwidths.
EIPs can be bound to or unbound from ECSs, BMSs, virtual IP addresses, load balancers, and NAT gateways. Various billing modes are provided to meet diverse service requirements. Each EIP can be used by only one cloud resource at a time.

A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet in a VPC must be associated with a route table. A route table can be associated with multiple subnets. However, each subnet can only be associated with one route table.

A security group is a collection of access control rules for ECSs that have the same security requirements and are mutually trusted within a VPC. After you create a security group, you can create different access rules for the security group, and the rules will apply to any ECS that the security group contains.

A VPC peering connection is a network connection between two VPCs in the same region. It enables you to route traffic between them using private IP addresses. You can create a VPC peering connection between your own VPCs, or between your VPC and a VPC of another account within the same region. However, you cannot create a VPC peering connection between VPCs in different regions.

A network ACL allows you to create rules to control traffic in and out of one or more subnets. Similar to security groups, network ACLs control access to subnets, but they add an additional layer of security. Security groups only have allow rules, but network ACLs have both allow and deny rules. You can use network ACLs together with security groups to implement fine-grained and comprehensive access control.

A virtual IP address can be shared among multiple ECSs. An ECS can have both private and virtual IP addresses, and you can access the ECS through either IP address. A virtual IP address has the same network access capability as a private IP address.
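The security group and network ACL concepts above describe two filters with different semantics: a security group has only allow rules (anything unmatched is dropped), while a network ACL can also carry explicit deny rules and is applied at the subnet boundary. The added example below, written for this handout and not taken from Huawei Cloud or its API, models both filters against the web/database layout from the Web Application Access Control scenario. The rule-ordering semantics (network ACL rules evaluated in order with first match winning and an implicit deny at the end; network ACL checked before the security group) and the sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    port: int    # destination port, 0 for icmp


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny" (security groups may only use "allow")
    proto: str           # "tcp", "udp", "icmp" or "any"
    port_from: int
    port_to: int
    source: str          # CIDR the traffic must originate from

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.proto != "icmp" and not (self.port_from <= pkt.port <= self.port_to):
            return False
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.source)


def network_acl_verdict(rules, pkt: Packet) -> str:
    """Subnet-level filter: ordered rules, first match wins, implicit deny when nothing matches (assumed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def security_group_verdict(rules, pkt: Packet) -> str:
    """Instance-level filter: allow rules only, so any match allows and no match means the packet is dropped."""
    if any(rule.action != "allow" for rule in rules):
        raise ValueError("security groups cannot contain deny rules")
    return "allow" if any(rule.matches(pkt) for rule in rules) else "deny"


def inbound_verdict(nacl_rules, sg_rules, pkt: Packet) -> tuple:
    """Traffic entering a subnet meets the network ACL first, then the target instance's security group.
    Returns (verdict, layer that produced it)."""
    if network_acl_verdict(nacl_rules, pkt) == "deny":
        return ("deny", "network ACL")
    return (security_group_verdict(sg_rules, pkt), "security group")


# Constructed sample layout: web tier in public subnet 10.0.1.0/24, database tier in private subnet 10.0.2.0/24.
WEB_SG = [Rule("allow", "tcp", 80, 80, "0.0.0.0/0"), Rule("allow", "tcp", 443, 443, "0.0.0.0/0")]
DB_SG = [Rule("allow", "tcp", 3306, 3306, "10.0.1.0/24")]   # only the web subnet may reach the database port
PUBLIC_NACL = [Rule("allow", "any", 0, 65535, "0.0.0.0/0")]
PRIVATE_NACL = [
    Rule("allow", "any", 0, 65535, "10.0.0.0/16"),   # traffic from inside the VPC
    Rule("deny", "any", 0, 65535, "0.0.0.0/0"),      # explicit deny of everything else: a rule a security group cannot express
]

if __name__ == "__main__":
    internet_client = "203.0.113.5"
    print(inbound_verdict(PUBLIC_NACL, WEB_SG, Packet(internet_client, "10.0.1.10", "tcp", 443)))    # allow
    print(inbound_verdict(PUBLIC_NACL, WEB_SG, Packet(internet_client, "10.0.1.10", "tcp", 22)))     # deny by SG
    print(inbound_verdict(PRIVATE_NACL, DB_SG, Packet(internet_client, "10.0.2.20", "tcp", 3306)))   # deny by NACL
    print(inbound_verdict(PRIVATE_NACL, DB_SG, Packet("10.0.1.10", "10.0.2.20", "tcp", 3306)))       # allow
```

The useful observation is the last two cases: an Internet source is stopped at the subnet boundary before any instance rule is consulted, and a host elsewhere in the VPC (outside 10.0.1.0/24) passes the network ACL but is still dropped by the database security group, which is the layered control the handout describes.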
Virtual IP addresses are used for high availability as they make active/standby ECS switchover possible.

An L2CG is a virtual tunnel gateway that works with Direct Connect or VPN to establish network communication between cloud and on-premises networks. The gateway allows you to migrate data center or private cloud services to the cloud without changing subnets and IP addresses.

Elastic Load Balance

Elastic Load Balance (ELB) automatically distributes incoming traffic across multiple backend servers based on the listening rules you configure. ELB expands the service capabilities of your applications and improves their availability by eliminating single points of failure (SPOFs).

Advantages of ELB

Robust performance: ELB can establish up to 100 million concurrent connections so that your applications can handle a massive volume of concurrent requests.

High availability: ELB is deployed in clusters and ensures that your services run uninterrupted. If servers in one AZ are unhealthy, ELB automatically routes traffic to healthy servers in other AZs.

Excellent scalability: ELB automatically scales in line with spikes in incoming traffic to ensure that your applications always stay online. It works with Auto Scaling to flexibly adjust the number of servers and intelligently distribute incoming traffic across them.

Ease-of-use: A diverse set of protocols and algorithms enable you to customize traffic routing policies to your needs while keeping deployments simple.

ELB Architecture

ELB consists of load balancers, listeners, and backend server groups. A load balancer is an instance that distributes incoming traffic across backend servers in one or more availability zones (AZs). A listener uses the protocol and port you specify to check for requests from clients and route the requests to associated backend servers based on the listening rules you define. You can add one or more listeners to a load balancer.
A backend server group uses the protocol and port you specify to receive the requests from the load balancer and route them to one or more backend servers. You need to add at least one backend server to a backend server group. You can set a weight for each backend server so that the load balancer can route requests based on their performance. You can also configure health checks for a backend server group to check the health of backend servers in the group. If a backend server is unhealthy, the load balancer stops routing new requests to this server until it recovers.

Application Scenarios

Heavy-Traffic Applications
For an application with heavy traffic, such as a large web portal or mobile app store, ELB evenly distributes incoming traffic to multiple backend servers, balancing the load while ensuring stable performance. Sticky sessions ensure that requests from one client are always forwarded to the same backend server.

Applications with Different Traffic
For an application that has predictable peaks and troughs in traffic volumes, ELB works with AS to add or remove backend servers to keep up with changing demands. One example is flash sales, during which there are predictable traffic spikes that only last a short while. ELB can work with AS to run only the required number of backend servers needed to handle the load of your application.

Eliminating SPOFs
A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, such as a business system, software application, or other industrial system. ELB routinely performs health checks on backend servers. If any backend server is unhealthy, ELB will not route requests to this server until it recovers. This makes ELB a good choice for running applications that require high reliability.
Cross-AZ Load Balancing
When you choose whether to deploy resources in the same AZ, consider your requirements for disaster recovery and network latency. For high disaster recovery capabilities, deploy resources in different AZs but in the same region. For lower latency, deploy resources in the same AZ. If you deploy resources in different AZs, you can use ELB to distribute traffic across AZs for real-time disaster recovery.

ELB Concepts

A load balancer distributes incoming traffic across multiple backend servers. Load balancers can work on both public and private networks. Each load balancer on a public network has an EIP bound to it and routes requests from clients to backend servers over the Internet. Load balancers on a private network work within a VPC and route requests to backend servers in the same VPC as the clients.

A listener listens to requests from clients and routes the requests to backend servers based on the settings that you configure when you add the listener.

A backend server group contains at least one backend server to process client requests forwarded by a load balancer. When you add a listener to a load balancer, you specify a backend server group to receive requests from the load balancer using the port and protocol you specify for the backend server group and the load balancing algorithm you select. ELB supports the following load balancing algorithms.

Health Check: ELB periodically sends heartbeat messages to associated backend servers to check their health and ensure that traffic is distributed only to healthy servers. This can improve the availability of your applications. If a backend server is unhealthy, the load balancer stops routing traffic to it. The load balancer will resume routing requests to the backend server after it recovers.
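The backend server group, weights, sticky sessions and health checks described in the ELB sections above fit together in one routing loop: requests are spread over healthy servers in proportion to their weights, a client pinned by a sticky session keeps its server while that server passes health checks, and a server that fails enough consecutive checks silently drops out of rotation until it passes again. The following is an added example written to illustrate that behaviour; it is not Huawei Cloud code, and the weighted round-robin algorithm, the failure/recovery thresholds and the server names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class BackendServer:
    name: str
    weight: int = 1          # higher weight = larger share of requests (assumed weighted round-robin)
    healthy: bool = True
    failures: int = 0        # consecutive failed health checks
    successes: int = 0       # consecutive passed health checks


class BackendServerGroup:
    """Routing over a backend server group: weighted round-robin across healthy servers only,
    optional sticky sessions (client id -> server), and health-check driven removal and recovery."""

    def __init__(self, servers, unhealthy_threshold=3, healthy_threshold=2):
        self.servers = {s.name: s for s in servers}
        self.unhealthy_threshold = unhealthy_threshold  # assumed: failed checks before a server leaves rotation
        self.healthy_threshold = healthy_threshold      # assumed: passed checks before it rejoins
        self.sticky = {}                                # client id -> server name
        self._rebuild()

    def _rebuild(self):
        # A server with weight w occupies w slots in the cycle; unhealthy servers get no slots at all.
        self._cycle = [s.name for s in self.servers.values() if s.healthy for _ in range(s.weight)]
        self._pos = 0

    def record_health_check(self, name: str, passed: bool):
        s = self.servers[name]
        if passed:
            s.successes, s.failures = s.successes + 1, 0
            if not s.healthy and s.successes >= self.healthy_threshold:
                s.healthy = True
        else:
            s.failures, s.successes = s.failures + 1, 0
            if s.healthy and s.failures >= self.unhealthy_threshold:
                s.healthy = False
        self._rebuild()

    def route(self, client_id=None):
        """Pick the backend for one request; returns None when no backend is healthy."""
        if client_id is not None and client_id in self.sticky:
            target = self.sticky[client_id]
            if self.servers[target].healthy:
                return target
            del self.sticky[client_id]      # pinned server failed its checks: re-pin to a healthy one
        if not self._cycle:
            return None
        target = self._cycle[self._pos % len(self._cycle)]
        self._pos += 1
        if client_id is not None:
            self.sticky[client_id] = target
        return target


if __name__ == "__main__":
    # Constructed sample group: web-a is twice as powerful as web-b, so it gets twice the requests.
    group = BackendServerGroup([BackendServer("web-a", weight=2), BackendServer("web-b", weight=1)])
    print([group.route() for _ in range(6)])          # ['web-a', 'web-a', 'web-b', 'web-a', 'web-a', 'web-b']
    for _ in range(3):
        group.record_health_check("web-b", passed=False)
    print([group.route() for _ in range(3)])          # ['web-a', 'web-a', 'web-a']  (web-b out of rotation)
```

Note that removal needs several consecutive failures and recovery several consecutive passes; a single missed heartbeat does not flap a server in and out, which is the property that makes health checks safe to run frequently.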
Virtual Private Network

Virtual Private Network (VPN) allows you to establish an encrypted, Internet-based communications tunnel between your on-premises data center and a VPC, so you can access resources in the VPC remotely. VPN tunnels support three protocols: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Protocol Security (IPsec).

VPN Advantages

Data security: Huawei hardware uses IKE and IPsec to encrypt data to provide carrier-class reliability and ensure a stable VPN connection.

Seamless scale-out: With VPN, you can connect your on-premises data center to your VPC and quickly extend services from the data center to the cloud, forming a hybrid cloud.

Low-cost connection: Encrypted IPsec connections over the Internet provide a cost-effective alternative to Direct Connect connections.

Ease-of-use: You can create an easy-to-use VPN connection by specifying parameters on the VPN console and configuring the VPN device in your on-premises data center.

VPN Networking

A VPN consists of a VPN gateway and one or more VPN connections. A VPN gateway provides an Internet egress for a VPC and works together with the gateway in your on-premises data center. A VPN connection is an encrypted connection that links the VPN gateway to the remote gateway to enable communications between a VPC and your on-premises data center, quickly establishing a secure hybrid cloud.

Site-to-Site VPN Connection: You can set up a VPN to connect your on-premises data center to a VPC, effectively creating a hybrid cloud.

Hub-and-Spoke VPN Connection: You can also set up a VPN to connect multiple on-premises data centers to a VPC, also creating a hybrid cloud.

Internet Protocol Security (IPsec) VPN uses a secure network protocol suite that authenticates and encrypts data packets to provide secure encrypted communications between different networks. The VPN service uses an IPsec VPN.
NAT Gateway

The NAT Gateway service provides network address translation (NAT) service for servers in a VPC and enables servers to share an EIP to access the Internet. NAT gateways can be either public or private. NAT Gateway provides both source NAT (SNAT) and destination NAT (DNAT) for your resources in a VPC and allows servers in your VPC to access or provide services accessible from the Internet. A private NAT gateway provides NAT service for servers in a VPC, so that multiple servers can share a private IP address to access or provide services accessible from an on-premises data center or other VPCs.

NAT Gateway Advantages

Flexibility: A NAT gateway can be deployed flexibly across subnets and AZs. A fault in a single AZ does not affect the service continuity of a NAT gateway. The type and EIP of a NAT gateway can be changed at any time.

Ease of use: NAT gateway configuration is simple, the O&M is easy, and they can be provisioned quickly. Once provisioned, they are stable and reliable.

Cost-effectiveness: When you send data through a private IP address or your applications provide services accessible from the Internet using a NAT gateway, the NAT gateway translates the private IP address to a public IP address. NAT Gateway helps you save money on EIPs and bandwidth.

NAT Gateway Architecture (Public NAT Gateway)

Public NAT gateways support SNAT and DNAT. Source Network Address Translation (SNAT) translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way. Destination Network Address Translation (DNAT) enables servers in a VPC to share an EIP to provide services accessible from the Internet through IP address mapping or port mapping.
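The SNAT and DNAT behaviour described for a public NAT gateway can be shown with a small translation table: outbound flows from private addresses are rewritten to the shared EIP with a unique source port, replies are matched back to the originating server through that port, and inbound connections reach a private server only where a DNAT port mapping has been published. The following is an added example written for this handout, not Huawei Cloud code; the port-allocation scheme, addresses and the "drop anything unsolicited" behaviour are assumptions of the example (the handout does not specify the gateway's internal behaviour).

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PublicNatGateway:
    """Simplified public NAT gateway: one EIP shared by every server in the VPC."""

    def __init__(self, eip: str, port_range=(1024, 65535)):
        self.eip = eip
        self._next_port = itertools.count(port_range[0])
        self._port_limit = port_range[1]
        self.snat_table = {}   # (private src ip, src port, dst ip, dst port, proto) -> translated source port
        self.reverse = {}      # (translated port, remote ip, remote port, proto) -> (private ip, private port)
        self.dnat_rules = {}   # EIP port -> (private ip, private port), i.e. a published service

    def add_dnat_rule(self, public_port: int, private_ip: str, private_port: int):
        self.dnat_rules[public_port] = (private_ip, private_port)

    def outbound(self, flow: Flow) -> Flow:
        """SNAT: rewrite the private source to the EIP plus a unique port so replies can be demultiplexed."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        if key not in self.snat_table:
            port = next(self._next_port)
            if port > self._port_limit:
                raise RuntimeError("SNAT port pool exhausted")
            self.snat_table[key] = port
            self.reverse[(port, flow.dst_ip, flow.dst_port, flow.proto)] = (flow.src_ip, flow.src_port)
        return Flow(self.eip, self.snat_table[key], flow.dst_ip, flow.dst_port, flow.proto)

    def inbound(self, flow: Flow):
        """Inbound packet to the EIP: a reply to an SNAT flow is mapped back to its server, a packet to a
        DNAT-published port is mapped to the published server, anything else is dropped (returns None)."""
        if flow.dst_ip != self.eip:
            return None
        reply_key = (flow.dst_port, flow.src_ip, flow.src_port, flow.proto)
        if reply_key in self.reverse:
            ip, port = self.reverse[reply_key]
            return Flow(flow.src_ip, flow.src_port, ip, port, flow.proto)
        if flow.dst_port in self.dnat_rules:
            ip, port = self.dnat_rules[flow.dst_port]
            return Flow(flow.src_ip, flow.src_port, ip, port, flow.proto)
        return None


if __name__ == "__main__":
    # Constructed sample: EIP 203.0.113.10 shared by two private servers; only 10.0.1.20:80 is published.
    gw = PublicNatGateway("203.0.113.10")
    gw.add_dnat_rule(8080, "10.0.1.20", 80)
    out = gw.outbound(Flow("10.0.1.10", 50000, "198.51.100.7", 443))
    print(out)                                                            # src rewritten to EIP:1024
    print(gw.inbound(Flow("198.51.100.7", 443, "203.0.113.10", 1024)))    # reply mapped back to 10.0.1.10:50000
    print(gw.inbound(Flow("198.51.100.9", 4444, "203.0.113.10", 8080)))   # DNAT to 10.0.1.20:80
    print(gw.inbound(Flow("198.51.100.9", 4444, "203.0.113.10", 3389)))   # None: no session, no mapping
```

The last line is the security-relevant part: with SNAT alone, servers behind the gateway can reach the Internet but nothing on the Internet can open a connection to them, and each DNAT rule deliberately punches one well-defined hole in that posture.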
NAT Gateway Architecture (Private NAT Gateway)

A private NAT gateway provides NAT service for servers in a VPC, so that multiple servers can share a private IP address to access or provide services accessible from an on-premises data center or other VPCs.

Transit subnet: A transit subnet functions as a transit network. You can assign a transit IP address in the transit subnet so that servers in a VPC can share the transit IP address to access your on-premises data centers or other VPCs.

Transit VPC: A transit VPC is the VPC to which the transit subnet belongs.

To ensure security compliance, an enterprise may require that all its branches and departments map their IP addresses to the same IP address for internal communications. To accomplish this, the enterprise can use a private NAT gateway to enable these communications without changing the original network after migrating workloads to the cloud.

Other Services

Domain Name Service (DNS) provides highly available and scalable authoritative DNS services that translate domain names (such as www.example.com) into IP addresses (such as 192.1.2.3) required for network connection, reliably directing end users to your applications and allowing users to visit your website or web application using your domain name.

DNS Resolution Services

Public domain name resolution: DNS translates domain names like www.example.com to public IP addresses like 1.2.3.4, so that users can access your website or web application over the Internet by entering your domain name in the address box of their browser.

Private domain name resolution: DNS translates domain names like ecs.com to private IP addresses like 192.168.1.1 that are used in associated VPCs.
With private domain names, your ECSs can communicate with each other within the VPCs without having to connect to the Internet. You can also access cloud services, such as OBS and SMN, over a private network.

Reverse resolution: DNS obtains a domain name based on an IP address. Reverse resolution, or reverse DNS lookup, is typically used to affirm the credibility of email servers. After a recipient server receives an email, it checks whether the IP address and domain name of the sender server are trustworthy and determines whether the email is spam. If the recipient server cannot obtain the domain name mapped to the IP address of the sender server, it concludes that the email was sent by a malicious host and rejects it. It is necessary to configure pointer records (PTR) to point the IP addresses of your email servers to domain names. If no PTR records are configured, the recipient server will treat emails from the email server as spam or malicious and discard them. If you want to build an email server, it is necessary to configure a PTR record to map the email server's IP address to your domain name.

Intelligent resolution: DNS allows you to configure resolution lines. With these resolution lines, you can specify the DNS server that returns different resolution results for the same domain name based on the networks or geographic locations of visitors' IP addresses. For example, if the visitor is a China Unicom user, the DNS server will return an IP address of China Unicom. With this function, you can improve DNS resolution efficiency and speed up cross-network access. You can also create more fine-grained resolution lines based on source IP addresses.

Domain Name Format and DNS Hierarchy

DNS allows you to create next-level subdomains within a zone, for example, abc.example.com in example.com and abc.example.com.cn in example.com.cn.
A valid domain name meets the following requirements:
A domain name is segmented using periods (.) into multiple labels.
A label can contain supported language-specific characters, letters, digits, and hyphens (-) and cannot start or end with a hyphen.
A label cannot exceed 63 characters.
The total length of a domain name, including the period at the end, cannot exceed 254 characters.

A domain name is divided into the following levels based on its structure:
Root domain: . (a dot)
Top-level domain: for example, .com, .net, .org, and .cn
Second-level domain: subdomain names of the top-level domain names, such as example.com, example.net, and example.org
Third-level domain: subdomain names of the second-level domain names, such as abc.example.com, abc.example.net, and abc.example.org

Other Network Services

VPC Endpoint (VPCEP) enables you to access HUAWEI CLOUD services or your own private services securely. It provides flexible networking without having to use EIPs.

Direct Connect allows you to establish a dedicated network connection that features high speed, low latency, stability, and security between your on-premises data center and the cloud. Direct Connect allows you to maximize legacy IT facilities and leverage cloud services to build a flexible, scalable hybrid cloud computing environment.

Cloud Connect allows you to connect the VPCs to build a globally connected cloud network with enterprise-grade scalability and communication capabilities.
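The domain name requirements and hierarchy levels in the Domain Name Format section, together with the PTR records from the Reverse resolution section, can all be checked mechanically before records are created in a zone. The following is an added example written for this handout and is not Huawei Cloud code or its API. It applies the handout's label rules in an ASCII-only form (the "supported language-specific characters" of internationalized labels are deliberately not handled, an assumption of the example), counts hierarchy levels the way the handout does (root = 0, .com = 1, example.com = 2), and derives the owner name a PTR record must be published under for a given IP address.

```python
import ipaddress
import re

# A label: letters, digits and hyphens, not starting or ending with a hyphen (ASCII-only simplification).
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_domain_name(name: str) -> tuple:
    """Apply the handout's rules; returns (ok, reason)."""
    fqdn = name if name.endswith(".") else name + "."   # the trailing period counts toward the total length
    if fqdn == ".":
        return True, "root domain"
    if len(fqdn) > 254:
        return False, "total length exceeds 254 characters including the trailing period"
    for label in fqdn[:-1].split("."):
        if not label:
            return False, "empty label (consecutive periods)"
        if len(label) > 63:
            return False, f"label '{label[:12]}...' exceeds 63 characters"
        if not LABEL_RE.match(label):
            return False, f"label '{label}' contains invalid characters or starts/ends with a hyphen"
    return True, "valid"


def domain_level(name: str) -> int:
    """0 = root, 1 = top-level (.com), 2 = second-level (example.com), 3 = third-level (abc.example.com), ..."""
    return len([label for label in name.rstrip(".").split(".") if label])


def is_subdomain_of(child: str, zone: str) -> bool:
    """True if child is a next-level or deeper name inside zone, e.g. abc.example.com in example.com."""
    c = child.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(c) > len(z) and c[-len(z):] == z


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address (what a mail server's reverse record hangs off)."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    # Constructed sample inputs exercising each rule.
    for candidate in ["abc.example.com", "-abc.example.com", "a" * 64 + ".com", "mail.example.com."]:
        print(candidate[:30], validate_domain_name(candidate))
    print(domain_level("abc.example.com.cn"))                  # 4
    print(is_subdomain_of("abc.example.com", "example.com"))   # True
    print(is_subdomain_of("notexample.com", "example.com"))    # False (suffix match is by whole label)
    print(ptr_name("1.2.3.4"))                                 # 4.3.2.1.in-addr.arpa
```

The `is_subdomain_of` check compares whole labels rather than string suffixes, which matters for access-control decisions: "notexample.com" ends with "example.com" as text but is an unrelated second-level domain.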
