Handout 2.pdf
STI College
IT2314 Network Cloud Services

Virtual Private Cloud

A Virtual Private Cloud (VPC) is a logically isolated virtual network. Within your own VPC, you can create subnets, configure route tables, assign EIPs and bandwidths, and configure security groups to manage access control. VPC is the basis of HUAWEI CLOUD networks. VPC provides secure and isolated networks based on tunneling technology. You can customize your own VPC, including dividing it into subnets, configuring route tables, specifying IP addresses, and configuring network ACLs and security groups.

Advantages of VPC:

- Flexible configuration: You can customize VPCs, divide subnets as required, and configure DHCP and route tables. ECSs can be deployed across AZs.
- Security and reliability: VPCs are logically isolated from each other. By default, different VPCs cannot communicate with each other. Network ACLs protect subnets, and security groups protect ECSs.
- Seamless connectivity: By default, a VPC cannot communicate with the Internet. You can use EIP, ELB, NAT Gateway, VPN, and Direct Connect to enable access to or from the Internet. By default, two VPCs in the same region cannot communicate with each other; you can create a VPC peering connection to let them communicate using private IP addresses.
- High-speed access: Up to 21 dynamic BGP connections are established to multiple carriers. Dynamic BGP provides automatic failover in real time and chooses the optimal path when a network connection fails.

04 Handout 1 *Property of STI Page 1 of 4 [email protected]

VPC Architecture

Each VPC consists of a private CIDR block, route tables, and at least one subnet. When you create a VPC, you must specify its private CIDR block. The VPC service supports CIDR blocks within 10.0.0.0/8 (prefix length /8 to /24), 172.16.0.0/12 (/12 to /24), and 192.168.0.0/16 (/16 to /24). Cloud resources, such as cloud servers and databases, must be deployed in subnets, so you need to divide your VPC into one or more subnets.
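The following is an added example, not code from the handout or from HUAWEI CLOUD itself. It models the architecture just described (one private CIDR block, non-overlapping subnets, one route table per subnet) and the route-table behaviour covered in the next section: a default table whose local routes let every subnet reach every other subnet, and a custom route (here 0.0.0.0/0 via a NAT gateway) for a subnet with no EIP. The 10.10.0.0/16 VPC, its two subnets, and the "nat-gateway" next-hop label are constructed for illustration; the non-overlap check for peering is a general VPC peering requirement that the handout does not state.

```python
import ipaddress
from dataclasses import dataclass, field

# Supported VPC CIDR ranges from the handout: (base block, min prefix length, max prefix length).
SUPPORTED_VPC_RANGES = (
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
)


def vpc_cidr_allowed(cidr: str) -> bool:
    """True if cidr is a proper network address inside one of the supported
    private blocks and its prefix length is within that block's allowed range."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
    except ValueError:
        return False
    return any(net.subnet_of(base) and lo <= net.prefixlen <= hi
               for base, lo, hi in SUPPORTED_VPC_RANGES)


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR
    next_hop: str     # "local" for in-VPC subnets, otherwise a gateway label (hypothetical)


@dataclass
class Vpc:
    """Toy model of the handout's VPC: one private CIDR block, non-overlapping
    subnets, and one route table per subnet (local routes plus custom routes)."""
    cidr: str
    subnets: list[str] = field(default_factory=list)
    custom_routes: dict[str, list[Route]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not vpc_cidr_allowed(self.cidr):
            raise ValueError(f"unsupported VPC CIDR block {self.cidr}")

    def add_subnet(self, subnet_cidr: str) -> None:
        new = ipaddress.ip_network(subnet_cidr)
        if not new.subnet_of(ipaddress.ip_network(self.cidr)):
            raise ValueError(f"{new} is outside VPC {self.cidr}")
        for existing in self.subnets:
            if new.overlaps(ipaddress.ip_network(existing)):
                raise ValueError(f"{new} overlaps existing subnet {existing}")
        self.subnets.append(subnet_cidr)
        self.custom_routes[subnet_cidr] = []

    def add_route(self, subnet_cidr: str, destination: str, next_hop: str) -> None:
        """Custom route for one subnet's table, e.g. 0.0.0.0/0 via a NAT gateway."""
        self.custom_routes[subnet_cidr].append(Route(destination, next_hop))

    def route_table(self, subnet_cidr: str) -> list[Route]:
        """Default table = one local route per subnet (so all subnets reach each
        other), plus whatever custom routes were added for this subnet."""
        local = [Route(s, "local") for s in self.subnets]
        return local + self.custom_routes[subnet_cidr]

    def next_hop(self, subnet_cidr: str, dst_ip: str) -> str:
        """Longest-prefix match over the subnet's route table; 'none' if no route."""
        ip = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for r in self.route_table(subnet_cidr):
            net = ipaddress.ip_network(r.destination)
            if ip in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best.next_hop if best else "none"


def peering_possible(a: Vpc, b: Vpc) -> bool:
    """Peering routes by private IP, so the two CIDR blocks must not overlap
    (a general VPC peering requirement; the handout does not state it)."""
    return not ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr))


if __name__ == "__main__":
    vpc = Vpc("10.10.0.0/16")
    vpc.add_subnet("10.10.1.0/24")  # public web tier (constructed)
    vpc.add_subnet("10.10.2.0/24")  # private database tier (constructed)
    print(vpc.next_hop("10.10.2.0/24", "10.10.1.10"))     # local
    print(vpc.next_hop("10.10.2.0/24", "93.184.216.34"))  # none: no Internet path yet
    vpc.add_route("10.10.2.0/24", "0.0.0.0/0", "nat-gateway")
    print(vpc.next_hop("10.10.2.0/24", "93.184.216.34"))  # nat-gateway
    print(peering_possible(vpc, Vpc("10.10.0.0/16")))     # False: overlapping blocks
```

The lookup shows why a private subnet stays private: until a 0.0.0.0/0 route is added to its table, a server there has no next hop for Internet destinations at all, and even after the NAT route is added the more specific local /24 routes still win for in-VPC traffic.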
When you create a VPC, the system automatically generates a default route table for it. That table ensures that all subnets in the VPC can communicate with each other. If the routes in the default route table cannot meet application requirements (for example, a cloud server without an EIP bound needs to access the Internet), you can create a custom route table.

Security groups and network ACLs: Security groups and network ACLs ensure the security of cloud resources deployed in a VPC. A security group acts as a virtual firewall that provides access rules for instances in a VPC that have the same security requirements and are mutually trusted. A network ACL can be associated with subnets that have the same access control requirements; you add inbound and outbound rules to it to control traffic at the subnet level.

HUAWEI CLOUD provides multiple VPC connectivity options to meet diverse requirements. A VPC peering connection allows two VPCs in the same region to communicate with each other using private IP addresses. An EIP or a NAT gateway allows cloud servers in a VPC to communicate with the Internet. VPN, Cloud Connect, Direct Connect, or Layer 2 Connection Gateway (L2CG) can connect your on-premises data center to VPCs.

Application Scenarios

Dedicated Networks on Cloud
Each VPC represents a private network and is logically isolated from other VPCs. You can deploy your service systems in a private network on the cloud. If you have multiple service systems, for example a production system and a test system, you can keep them isolated by deploying them in two different VPCs. To enable two VPCs in the same region to communicate with each other, create a VPC peering connection between them.

Web Application/Website Hosting
You can host web applications and websites in a VPC and use the VPC as a regular network. With EIPs or NAT gateways, you can connect the ECSs running your web applications to the Internet.
You can then use load balancers provided by the ELB service to distribute traffic evenly across multiple ECSs.

Web Application Access Control
You can create a VPC and multiple security groups, associate web servers and database servers with different security groups, and configure different access control rules for each group. Launch the web servers in a publicly accessible subnet and the database servers in subnets that are not publicly accessible. In this way, no database port is exposed to the Internet, and database access is limited to the sources the database tier's security group rules allow, such as the web servers' security group.

Hybrid Cloud Deployment
If you have an on-premises data center and do not want to migrate all of your business to the cloud, you can build a hybrid cloud and keep core data in your own data center.

VPC Concepts

Elastic network interface: An elastic network interface is a virtual network card. You can create and configure network interfaces and attach them to your instances (ECSs and BMSs) to build flexible, highly available network configurations.

IP address group: An IP address group is a collection of IP addresses that use the same security group rules. You can use an IP address group to manage IP addresses that have the same security requirements or whose security requirements change frequently. An IP address group frees you from repeatedly modifying security group rules and simplifies security group rule management.

Subnet: A subnet is a unique CIDR block (a range of IP addresses) in your VPC. All resources in a VPC must be deployed on subnets. Once a subnet has been created, its CIDR block cannot be modified. By default, ECSs in all subnets of the same VPC can communicate with one another, but ECSs in different VPCs cannot; you can create VPC peering connections to enable ECSs in different VPCs to communicate.

Elastic IP: The Elastic IP (EIP) service enables your cloud resources to communicate with the Internet using static public IP addresses and scalable bandwidths.
EIPs can be bound to or unbound from ECSs, BMSs, virtual IP addresses, load balancers, and NAT gateways. Various billing modes are provided to meet diverse service requirements. Each EIP can be used by only one cloud resource at a time.

Route table: A route table contains a set of routes that determine where network traffic from the subnets in your VPC is directed. Each subnet in a VPC must be associated with a route table. A route table can be associated with multiple subnets, but each subnet can be associated with only one route table.

Security group: A security group is a collection of access control rules for ECSs that have the same security requirements and are mutually trusted within a VPC. After you create a security group, you can create access rules for it, and the rules apply to every ECS the security group contains.

VPC peering connection: A VPC peering connection is a network connection between two VPCs in the same region. It enables you to route traffic between them using private IP addresses. You can create a VPC peering connection between your own VPCs, or between your VPC and a VPC of another account in the same region. You cannot create a VPC peering connection between VPCs in different regions.

Network ACL: A network ACL allows you to create rules to control traffic in and out of one or more subnets. Like security groups, network ACLs control access, but they do so at the subnet level and add an additional layer of security: security groups have only allow rules, whereas network ACLs have both allow and deny rules. Because a security group cannot express a deny, the network ACL is where you block a specific source from a whole subnet even when an instance's security group would otherwise accept the traffic. Use network ACLs together with security groups for fine-grained, comprehensive access control.

Virtual IP address: A virtual IP address can be shared among multiple ECSs. An ECS can have both a private IP address and a virtual IP address, and you can access the ECS through either. A virtual IP address has the same network access capability as a private IP address.
Virtual IP addresses are used for high availability because they make active/standby ECS switchover possible.

L2CG: An L2CG is a virtual tunnel gateway that works with Direct Connect or VPN to establish network communication between cloud and on-premises networks. The gateway allows you to migrate data center or private cloud services to the cloud without changing subnets and IP addresses.
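The following is an added example, not code from the handout or from HUAWEI CLOUD. It models the Web Application Access Control scenario with the security group and network ACL semantics defined above: a network ACL is evaluated at the subnet boundary and may allow or deny, a security group is evaluated per instance and can only allow, and an inbound packet must pass both. The subnets, instance addresses, group IDs "sg-web" and "sg-db", and the rules are constructed; first-match ordering of ACL rules and a default-deny ACL rule are assumptions of this model, as is a security group rule whose source is another security group (matched on the sender's membership).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: web tier in a public subnet, database tier in a private
# subnet, each ECS a member of exactly one security group (instance IP -> group ID).
INSTANCE_SG = {"10.10.1.10": "sg-web", "10.10.2.20": "sg-db"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class SgRule:
    """Security group inbound rule. Security groups only express allows."""
    proto: str
    port: Optional[int]   # None = any port
    source: str           # a CIDR, or another security group's ID


@dataclass(frozen=True)
class AclRule:
    """Network ACL inbound rule: allow or deny, evaluated in order, first match wins (assumption)."""
    action: str           # "allow" | "deny"
    proto: str
    port: Optional[int]
    source: str           # CIDR


SG_INBOUND = {
    "sg-web": [SgRule("tcp", 443, "0.0.0.0/0")],   # HTTPS from anywhere
    "sg-db":  [SgRule("tcp", 3306, "sg-web")],     # MySQL only from members of sg-web
}
ACL_INBOUND = {  # subnet CIDR -> ordered inbound rules
    "10.10.1.0/24": [AclRule("deny", "tcp", None, "203.0.113.0/24"),   # a blocked source range
                     AclRule("allow", "tcp", 443, "0.0.0.0/0")],
    "10.10.2.0/24": [AclRule("allow", "tcp", 3306, "10.10.1.0/24")],
}


def _port_matches(rule_port: Optional[int], port: int) -> bool:
    return rule_port is None or rule_port == port


def _source_matches(source: str, flow: Flow) -> bool:
    if source in SG_INBOUND:  # source is a security group: match on the sender's membership
        return INSTANCE_SG.get(flow.src_ip) == source
    return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(source)


def _subnet_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((s for s in ACL_INBOUND if addr in ipaddress.ip_network(s)), None)


def acl_decision(flow: Flow) -> str:
    """Subnet-level check on the destination subnet's network ACL."""
    for r in ACL_INBOUND.get(_subnet_of(flow.dst_ip), []):
        if r.proto == flow.proto and _port_matches(r.port, flow.dst_port) and _source_matches(r.source, flow):
            return r.action
    return "deny"  # assumption: the ACL's default rule denies anything no explicit rule matched


def sg_decision(flow: Flow) -> str:
    """Instance-level check on the destination ECS's security group; allow rules only."""
    for r in SG_INBOUND.get(INSTANCE_SG.get(flow.dst_ip), []):
        if r.proto == flow.proto and _port_matches(r.port, flow.dst_port) and _source_matches(r.source, flow):
            return "allow"
    return "deny"  # nothing allowed it; a security group has no other way to say so


def admit(flow: Flow) -> bool:
    """An inbound packet must pass the subnet's network ACL and then the instance's security group."""
    return acl_decision(flow) == "allow" and sg_decision(flow) == "allow"


if __name__ == "__main__":
    print(admit(Flow("198.51.100.7", "10.10.1.10", 443)))   # True: Internet -> web HTTPS
    print(admit(Flow("198.51.100.7", "10.10.1.10", 22)))    # False: no rule allows SSH
    print(admit(Flow("203.0.113.9", "10.10.1.10", 443)))    # False: ACL deny beats the SG allow
    print(admit(Flow("10.10.1.10", "10.10.2.20", 3306)))    # True: web member -> database
    print(admit(Flow("198.51.100.7", "10.10.2.20", 3306)))  # False: database not reachable from Internet
    print(admit(Flow("10.10.1.99", "10.10.2.20", 3306)))    # False: in the web subnet but not in sg-web
```

The third and last flows are the ones worth studying: 203.0.113.9 is accepted by the web tier's security group yet never reaches it, because the subnet ACL's deny rule is matched first; and a host in the web subnet that is not a member of sg-web passes the database subnet's ACL (which is written in terms of the CIDR) but fails the database security group (written in terms of group membership).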