Virtual Private Cloud User Guide (Region-Specific), Sep 20, 2018

Virtual Private Cloud

User Guide (Region-Specific)

Issue 1

Date 2018-08-15


Contents

1 Product Introduction ..... 1
1.1 Concepts ..... 1
1.1.1 Virtual Private Cloud ..... 1
1.1.2 Subnet ..... 2
1.1.3 Elastic IP Address ..... 2
1.1.4 Route Table ..... 2
1.1.5 SNAT ..... 4
1.1.6 Security Group ..... 4
1.1.7 VPN ..... 4
1.1.8 Remote Gateway ..... 5
1.1.9 Remote Subnet ..... 5
1.1.10 VPC Peering Connection ..... 5
1.1.11 Virtual IP Address ..... 5
1.1.12 Region ..... 5
1.1.13 Project ..... 5
1.2 Access and Use ..... 5
1.2.1 VPC Functions and Application Scenarios ..... 6
1.2.2 Relationships with Other Services ..... 7
1.2.3 Accessing the VPC ..... 7
1.2.4 User Permissions ..... 8

2 Getting Started ..... 9
2.1 Typical Application Scenarios ..... 9
2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet ..... 9
2.2.1 Overview ..... 9
2.2.2 Creating a VPC ..... 11
2.2.3 Creating a Subnet for the VPC ..... 12
2.2.4 Creating a Security Group ..... 13
2.2.5 Adding a Security Group Rule ..... 14
2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs ..... 17
2.3.1 Overview ..... 17
2.3.2 Creating a VPC ..... 18
2.3.3 Creating a Subnet for the VPC ..... 19
2.3.4 Assigning an EIP and Binding It to an ECS ..... 20


2.3.5 Creating a Security Group ..... 21
2.3.6 Adding a Security Group Rule ..... 22
2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN ..... 25
2.4.1 Overview ..... 25
2.4.2 Creating a VPC ..... 26
2.4.3 Creating a Subnet for the VPC ..... 27
2.4.4 Creating a VPN ..... 28
2.4.5 Creating a Security Group ..... 34
2.4.6 Adding a Security Group Rule ..... 35

3 VPC and Subnet ..... 38
3.1 Creating a VPC ..... 38
3.2 Modifying a VPC ..... 39
3.3 Creating a Subnet for the VPC ..... 39
3.4 Modifying a Subnet ..... 40
3.5 Deleting a VPC ..... 41
3.5.1 Deleting a VPN Connection ..... 41
3.5.2 Deleting a Subnet ..... 41
3.5.3 Deleting a VPC ..... 42

4 Security ..... 43
4.1 Overview ..... 43
4.2 Security Group ..... 43
4.2.1 Security Group Overview ..... 44
4.2.2 Creating a Security Group ..... 46
4.2.3 Adding a Security Group Rule ..... 47
4.2.4 Deleting a Security Group Rule ..... 50
4.2.5 Deleting a Security Group ..... 50
4.2.6 Security Group Configuration Example ..... 50
4.3 Network ACL ..... 53
4.3.1 Creating a Network ACL ..... 53
4.3.2 Enabling or Disabling a Network ACL ..... 54
4.3.3 Associating Subnets with a Network ACL ..... 54
4.3.4 Adding a Network ACL Rule ..... 55
4.3.5 Enabling or Disabling a Network ACL Rule ..... 56
4.3.6 Modifying a Network ACL Rule ..... 57
4.3.7 Changing the Sequence of a Network ACL Rule ..... 59
4.3.8 Deleting a Network ACL Rule ..... 59
4.3.9 Viewing a Network ACL ..... 59
4.3.10 Modifying a Network ACL ..... 60
4.3.11 Deleting a Network ACL ..... 60
4.3.12 Disassociating a Subnet from a Network ACL ..... 61

5 Network Components ..... 62


5.1 Elastic IP Address ..... 62
5.1.1 Assigning an EIP and Binding It to an ECS ..... 62
5.1.2 Unbinding an EIP from an ECS and Releasing the EIP ..... 63
5.2 Custom Route ..... 64
5.2.1 Configuring an SNAT Server ..... 64
5.2.2 Adding a Route ..... 66
5.2.3 Querying a Route ..... 67
5.2.4 Modifying a Route ..... 67
5.2.5 Deleting a Route ..... 67
5.3 VPC Peering Connection ..... 68
5.3.1 VPC Peering Connection Creation Procedure ..... 68
5.3.2 VPC Peering Connection Configuration Plans ..... 69
5.3.3 Creating a VPC Peering Connection with Another VPC of Your Own ..... 71
5.3.4 Creating a VPC Peering Connection with a VPC of Another Tenant ..... 74
5.3.5 Viewing VPC Peering Connections ..... 77
5.3.6 Modifying a VPC Peering Connection ..... 77
5.3.7 Deleting a VPC Peering Connection ..... 78
5.3.8 Viewing Routes Configured for a VPC Peering Connection on the Peering Connection Details Page ..... 78
5.3.9 Viewing Routes Configured for a VPC Peering Connection in the VPC Peering Route Table ..... 78
5.3.10 Deleting a Route on the VPC Peering Connection Details Page ..... 79
5.3.11 Deleting a Route from the VPC Peering Route Table ..... 79
5.4 Virtual IP Address ..... 80
5.4.1 Overview ..... 80
5.4.2 Assigning a Virtual IP Address ..... 82
5.4.3 Binding a Virtual IP Address to an EIP or ECS ..... 83
5.4.4 Accessing a Virtual IP Address Using an EIP ..... 83
5.4.5 Using a VPN to Access the Virtual IP Address ..... 84
5.4.6 Using a Direct Connect Connection to Access the Virtual IP Address ..... 84
5.4.7 Using a VPC Peering Connection to Access the Virtual IP Address ..... 84
5.4.8 Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) ..... 84
5.4.9 Releasing a Virtual IP Address ..... 84

6 FAQs ..... 86
6.1 What Is Virtual Private Cloud? ..... 86
6.2 Which CIDR Blocks Are Available to the VPC Service? ..... 87
6.3 Can Subnets Communicate with Each Other? ..... 87
6.4 What Subnet CIDR Blocks Are Available? ..... 87
6.5 How Many Subnets Can I Create? ..... 87
6.6 What Is the Bandwidth Size Range? ..... 88
6.7 What Are EIPs? ..... 88
6.8 How Does an ECS Use an EIP? ..... 88
6.9 How Many ECSs Can One EIP Be Assigned to? ..... 88
6.10 How Can I Access an ECS from Another Security Group After an EIP Is Bound to the ECS? ..... 88


6.11 What Is a Security Group? ..... 89
6.12 Which Protocols Does a Security Group Support? ..... 89
6.13 What Are the Functions of the Default Security Group Rule? ..... 89
6.14 How Can I Configure Security Group Rules? ..... 89
6.15 Can I Change the Security Group to Which an ECS Belongs? ..... 90
6.16 How Many Security Groups Can Each User Have? ..... 90
6.17 What Is a Resource Quota? ..... 90
6.18 How Do I Configure a Remote Device for a VPN? ..... 90
6.19 Which Remote VPN Devices Are Supported? ..... 92
6.20 What Are the Reference Standards and Protocols for the IPsec VPN? ..... 93
6.21 What Do I Do If VPN Connection Setup Fails? ..... 93
6.22 Does a VPN Allow for Communication Between Two VPCs? ..... 95
6.23 How Can I Configure a Security Group for Multi-Channel Protocols? ..... 95
6.24 Why Cannot I Access Public Websites Through Domain Names or Access Internal Domain Names in the Cloud When My ECS Has Multiple NICs? ..... 96
6.25 What Is a Route Table? ..... 96
6.26 Can a Route Table Span Multiple VPCs? ..... 96
6.27 How Many Routes Can Be Contained in a Route Table? ..... 97
6.28 What Are the Limitations of a Route Table? ..... 97
6.29 Does a Route Table Incur Any Charges? ..... 97
6.30 Do the Direct Connect Connections and Custom Routes in the Same VPC Have Routing Priority Competition? ..... 97
6.31 What Are the Routing Priorities of the VPN and Custom Routes in the Same VPC? ..... 97
6.32 What Are the Limitations of VPC Peering? ..... 97
6.33 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other? ..... 98
6.34 How Many VPC Peering Connections Can I Have? ..... 99
6.35 How Many Routes Can Be Added for a VPC? ..... 99
6.36 What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet? ..... 99
6.37 Does a Security Group Rule Immediately Take Effect for Its Original Traffic After Being Modified? ..... 99
6.38 What Can I Do If a Subnet Cannot Be Deleted Because It Is Used by Other Resources? ..... 99
6.39 Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? ..... 100

A Change History ..... 101


1 Product Introduction

1.1 Concepts

1.1.1 Virtual Private Cloud

The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving the security of resources in the cloud system and simplifying network deployment.

You can create security groups and Virtual Private Networks (VPNs), configure IP address segments, and specify bandwidth sizes in your VPC. With a VPC, you can manage and configure internal networks and change network configurations, simplifying network management. You can also enhance ECS security by customizing access rules within a single security group or across multiple security groups.

Specifically, a VPC enables you to:

- Have full control over your virtual networks, for example, creating your own network.
- Create security groups to improve your network security.
- Assign elastic IP addresses (EIPs) for use in a VPC, and bind them to ECSs in your VPC to connect the ECSs to the Internet.
- Connect a VPC to your data center using a VPN for smooth application migration to the cloud.
- Communicate with other VPCs using VPC peering connections.


Figure 1-1 VPC components

1.1.2 Subnet

A subnet is a network that manages ECS network planes. It supports IP address management and DNS. The IP addresses of all ECSs in a subnet belong to the subnet.

By default, ECSs in all subnets of the same VPC can communicate with one another, while ECSs in different VPCs cannot communicate with one another.

You can create VPC peering connections to enable ECSs in different VPCs to communicate with one another. For details, see section 1.1.10 VPC Peering Connection.

1.1.3 Elastic IP Address

A public IP address is an IP address that can be used to access the Internet. Private IP addresses are all IP addresses on the local area network (LAN) of the public cloud and cannot exist on the Internet.

An EIP is a static, public IP address. You can bind an EIP to and unbind an EIP from an ECS in your subnet. An EIP enables an ECS in your VPC to communicate with the Internet through a fixed public IP address.

Each EIP can be assigned to only one ECS.

1.1.4 Route Table

A route table contains a set of rules that are used to determine where network traffic is directed. You can add routes to a route table to enable other ECSs in a VPC to access the Internet through the ECS that has a bound EIP.

You can use the route table function configured in standalone or active/standby mode.

- Figure 1-2 shows the route table function configured in standalone mode.


Figure 1-2 Route table function configured in standalone mode

In standalone mode, ECSs in a VPC that do not have EIPs bound access the Internet through an ECS that has an EIP bound and has the source network address translation (SNAT) function configured. In standalone mode, you can add a route table for the VPC used by ECSs that do not have EIPs bound to enable these ECSs to access the Internet. The next hop in the route table is the private IP address of the ECS that has an EIP bound (the private IP address of the SNAT server).

- Figure 1-3 shows the route table function configured in active/standby mode.

Figure 1-3 Route table function configured in active/standby mode


In active/standby mode, ECSs in a VPC that do not have EIPs bound access the Internet through two ECSs that have EIPs bound and have the SNAT function configured. In active/standby mode, you can add a route table for the VPC used by ECSs that do not have EIPs bound to enable these ECSs to access the Internet. The next hop in the route table is the virtual IP address of the two ECSs that have EIPs bound.

In both the standalone and active/standby modes, the ECSs that have EIPs bound must have the SNAT function. For details about the SNAT function, see section 1.1.5 SNAT. For details about how to configure an ECS as the SNAT server, see section 5.2.1 Configuring an SNAT Server.

NOTICE

- Before using the route table function, you need to deploy the SNAT server. For details, see section 5.2.1 Configuring an SNAT Server.
- The ECS providing SNAT can have only one network interface card (NIC).
- The ECS providing SNAT must have the source/destination check function disabled.
- In active/standby mode, if the virtual IP address is set to the next hop in a route table, EIPs bound with virtual IP addresses in the VPC will become invalid.
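The following is an added model of the route-table behaviour described above (example code written for this guide, not the platform's own API). It builds the route table for each mode, resolves the next hop by longest-prefix match, and checks the NOTICE preconditions for the SNAT ECS. The VPC CIDR, IP addresses, and server names are constructed sample values.

```python
"""Model of the custom-route lookup from section 1.1.4 (constructed example).
Standalone mode: next hop is the SNAT server's private IP.
Active/standby mode: next hop is the virtual IP shared by two SNAT servers.
The NOTICE preconditions for the SNAT ECS are checked before a table is built."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class SnatServer:
    name: str
    private_ip: str
    eip: Optional[str]        # public IP bound to the ECS, None if unbound
    nic_count: int            # NOTICE: must be exactly 1
    src_dst_check: bool       # NOTICE: must be disabled (False)


@dataclass(frozen=True)
class Route:
    destination: str          # CIDR block matched against the packet destination
    next_hop: str             # "local", a private IP, or a virtual IP


def snat_server_problems(server: SnatServer, vpc_cidr: str) -> list:
    """Return the NOTICE preconditions the SNAT ECS violates (empty if none)."""
    problems = []
    if server.eip is None:
        problems.append(f"{server.name}: no EIP bound, cannot reach the Internet")
    if server.nic_count != 1:
        problems.append(f"{server.name}: SNAT ECS must have exactly one NIC")
    if server.src_dst_check:
        problems.append(f"{server.name}: source/destination check must be disabled")
    if ipaddress.ip_address(server.private_ip) not in ipaddress.ip_network(vpc_cidr):
        problems.append(f"{server.name}: private IP is outside the VPC CIDR")
    return problems


def build_route_table(vpc_cidr: str, mode: str, servers: list,
                      virtual_ip: Optional[str] = None) -> list:
    """Build the VPC route table: a local route for the VPC CIDR plus a default
    route whose next hop depends on the mode (standalone or active/standby)."""
    for server in servers:
        problems = snat_server_problems(server, vpc_cidr)
        if problems:
            raise ValueError("; ".join(problems))
    if mode == "standalone":
        if len(servers) != 1:
            raise ValueError("standalone mode uses exactly one SNAT server")
        next_hop = servers[0].private_ip
    elif mode == "active/standby":
        if len(servers) != 2 or virtual_ip is None:
            raise ValueError("active/standby mode needs two SNAT servers and a virtual IP")
        if ipaddress.ip_address(virtual_ip) not in ipaddress.ip_network(vpc_cidr):
            raise ValueError("virtual IP must be a private IP inside the VPC")
        next_hop = virtual_ip
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [Route(vpc_cidr, "local"), Route("0.0.0.0/0", next_hop)]


def lookup_next_hop(routes: list, dst_ip: str) -> str:
    """Longest-prefix match: the most specific destination wins, so traffic for
    the VPC CIDR stays local and everything else goes to the SNAT next hop."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route.next_hop)
    if best is None:
        raise LookupError(f"no route for {dst_ip}")
    return best[1]


# Constructed sample topology: VPC 10.0.0.0/16 with two candidate SNAT gateways.
VPC_CIDR = "10.0.0.0/16"
GATEWAY_A = SnatServer("snat-a", "10.0.0.5", "203.0.113.10", 1, False)
GATEWAY_B = SnatServer("snat-b", "10.0.0.6", "203.0.113.11", 1, False)

if __name__ == "__main__":
    table = build_route_table(VPC_CIDR, "standalone", [GATEWAY_A])
    print(lookup_next_hop(table, "10.0.3.7"))       # local
    print(lookup_next_hop(table, "198.51.100.20"))  # 10.0.0.5
    ha = build_route_table(VPC_CIDR, "active/standby", [GATEWAY_A, GATEWAY_B], "10.0.0.100")
    print(lookup_next_hop(ha, "198.51.100.20"))     # 10.0.0.100
```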

1.1.5 SNAT

Besides requiring services provided by the system, some ECSs also need to access the Internet to obtain information or download software. The public cloud system allows users to bind EIPs (public IP addresses) to virtual NICs (ports) of ECSs to enable the ECSs to access the Internet. However, assigning a public IP address to each ECS consumes already-limited IPv4 addresses, incurs additional costs, and may increase the attack surface for a virtual environment. Therefore, enabling multiple ECSs to share one public IP address is a preferable and feasible method. This can be done using SNAT.

The public cloud system supports SNAT. A public IP address is assigned to an ECS that serves as the SNAT router or gateway for other ECSs from the same subnet or VPC.

For details about how to configure SNAT, see section 5.2.1 Configuring an SNAT Server.

1.1.6 Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules.
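The following is an added model of the three security-group behaviours stated above (example code written for this guide, not the platform's own API): the default rule allows all outbound traffic, members of the same group reach each other without rules, and any other inbound traffic needs an explicit inbound rule. The group name, member addresses, and ports are constructed sample values.

```python
"""Model of the security-group semantics from section 1.1.6 (constructed example).
Evaluation order: traffic between members of the same group is trusted first;
otherwise an explicit rule for the direction, protocol, port and remote CIDR must
match. New groups start with only the default rule that allows all outbound traffic."""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str                       # "inbound" or "outbound"
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    ports: Optional[Tuple[int, int]]     # inclusive port range, None when not port-based
    remote: str                          # CIDR block the rule applies to


# The default rule every new security group starts with: all outgoing packets.
DEFAULT_RULES = (Rule("outbound", "any", None, "0.0.0.0/0"),)


@dataclass
class SecurityGroup:
    name: str
    members: set                          # private IPs of the ECSs in the group
    rules: list = field(default_factory=lambda: list(DEFAULT_RULES))


def _rule_matches(rule: Rule, direction: str, protocol: str,
                  port: Optional[int], remote_ip: str) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol != "any" and rule.protocol != protocol:
        return False
    if rule.ports is not None:
        if port is None or not (rule.ports[0] <= port <= rule.ports[1]):
            return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote)


def is_allowed(group: SecurityGroup, direction: str, protocol: str,
               port: Optional[int], remote_ip: str) -> bool:
    """Decide whether a packet to/from remote_ip is allowed for a member of the group.
    Mutual trust inside the group comes first; otherwise an explicit rule must match."""
    if remote_ip in group.members:
        return True
    return any(_rule_matches(r, direction, protocol, port, remote_ip) for r in group.rules)


def add_rule(group: SecurityGroup, direction: str, protocol: str,
             ports: Optional[Tuple[int, int]], remote: str) -> Rule:
    """Append a rule; the CIDR is validated so a typo cannot silently widen access."""
    ipaddress.ip_network(remote)  # raises ValueError on a malformed CIDR
    rule = Rule(direction, protocol, ports, remote)
    group.rules.append(rule)
    return rule


# Constructed sample: a web tier of two ECSs in the same group.
WEB = SecurityGroup("sg-web", members={"10.0.1.10", "10.0.1.11"})

if __name__ == "__main__":
    print(is_allowed(WEB, "inbound", "tcp", 3306, "10.0.1.11"))     # True: same group
    print(is_allowed(WEB, "inbound", "tcp", 443, "198.51.100.7"))   # False: no inbound rule yet
    print(is_allowed(WEB, "outbound", "tcp", 443, "198.51.100.7"))  # True: default outbound rule
    add_rule(WEB, "inbound", "tcp", (443, 443), "0.0.0.0/0")
    print(is_allowed(WEB, "inbound", "tcp", 443, "198.51.100.7"))   # True: rule added
    print(is_allowed(WEB, "inbound", "tcp", 22, "198.51.100.7"))    # False: port 22 not opened
```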

1.1.7 VPN

A VPN establishes an encrypted communication tunnel between a remote user and a VPC, enabling the remote user to use service resources in the VPC through the VPN.

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN.

Virtual Private CloudUser Guide (Region-Specific) 1 Product Introduction

Issue 1 (2018-08-15) 4

Page 10: User Guide (Region-Specific)...Sep 20, 2018  · Virtual Private Cloud User Guide (Region-Specific) Issue 1 Date 2018-08-15

1.1.8 Remote Gateway

A remote gateway is the public IP address of the physical device on the peer side in an IPsec VPN tunnel. The remote gateway of each IPsec VPN must be unique.

1.1.9 Remote Subnet

A remote subnet is the destination network reachable through the tunnel. All IP packets sent to the network are transmitted through the IPsec VPN tunnel. You can configure more than one remote subnet. The remote subnet of a VPN cannot be a subnet in the VPC where that VPN was created.

1.1.10 VPC Peering Connection

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same VPC. You can create a VPC peering connection between your own VPCs, or between your VPC and another tenant's VPC within the same region. You cannot create a VPC peering connection between VPCs in different regions.

For details, see section 5.3 VPC Peering Connection.

1.1.11 Virtual IP Address

A virtual IP address is a private IP address. A virtual IP address can be bound to multiple ECSs deployed in active/standby mode. You can bind a virtual IP address with an EIP so that you can access the ECSs that have the same virtual IP address bound from the Internet, improving fault tolerance capabilities.

1.1.12 Region

A region is a geographical area where you can run your VPC service.

Each region comprises one or more AZs and is completely isolated from other regions. AZs in the same region can communicate with one another through an internal network, while those in different regions cannot communicate with one another through an internal network.

The public cloud system is hosted in multiple locations worldwide, such as in North America, Europe, and Asia. The VPC service hence can be provided in different locations. You can create VPCs in locations that meet your requirements. For example, you can create VPCs to design applications in a region that is closer to your customers or that can meet legal or other specific requirements.

1.1.13 Project

Projects are used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team. Multiple projects can be created for one account.

1.2 Access and Use


1.2.1 VPC Functions and Application Scenarios

Functions

A VPC provides the following functions:

- Private network customization
  You can customize private subnets in your VPC and deploy applications and other services in the subnets accordingly.

- Flexible security policy configuration
  You can use security groups to divide ECSs in a VPC into different security zones and then configure different access control rules for each security zone.
  An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external networks. If a security group has no access rules after an ECS is added to the security group, the communication between the ECS and the external network is blocked. The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access external networks. Security groups cannot resolve the problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to the network configuration, they still cannot communicate with each other even if you configure a security group rule to allow the communication between them.

- EIP binding
  You can assign an independent EIP in your VPC. The EIP can be bound to or unbound from an ECS as required. The binding and unbinding operations take effect immediately after the operations are performed.

- VPN access
  By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. A VPN connects your data center or private network to a VPC, enabling you to migrate your applications to the cloud.

Application Scenarios

- Hosting universal web applications
  You can host web applications and websites in a VPC and use the VPC as a common network. You can also create a subnet in the VPC, add ECSs to the subnet, and then assign EIPs to the ECSs to enable the ECSs to communicate with the Internet for running web applications on the ECSs. The VPN gateway is used to establish a VPN channel between the web applications and the service system in the cloud, ensuring high-speed interconnection between the website and the service system.

- Hosting security-demanding services
  You can place multi-tier web applications into different security groups, and configure access control rules for each security group as required. In a VPC, you can add the web servers and database servers to different security groups. The subnet to which the web servers belong allows access from the Internet, but the subnet to which the databases belong allows only internal access. This method ensures database server security, meeting high security requirements.


- Extending your corporate network into the cloud
  You can connect a VPC to your private cloud using a VPN. With the VPN between the VPC and your traditional data center, you can easily use the ECSs and block storage resources. Applications can be migrated to the cloud and additional web servers can be deployed to increase the computing capacity on a network. In this way, a hybrid cloud is built, which reduces IT O&M costs and protects enterprise core data from being leaked. VPCs can be created across AZs, thereby ensuring high availability of e-commerce systems.
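The security group behaviour described in section 1.1.6 and in the "Flexible security policy configuration" and "Hosting security-demanding services" items above can be modelled in a few lines. The Python below is an added example written for this guide, not code from the platform or its API: the group names sg-web and sg-db, the member addresses, the external address 203.0.113.5 and the database port 3306 are constructed assumptions. It encodes the default rules (all outbound traffic allowed; inbound traffic allowed only from members of the same group), user rules whose source is either a CIDR or another security group, and then evaluates the web-tier/database-tier split from the scenario text.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Added example: a minimal model of security-group semantics as this guide
# describes them. Not the platform's own implementation.


@dataclass(frozen=True)
class Rule:
    direction: str                          # "inbound" or "outbound"
    protocol: str                           # "TCP", "UDP", "ICMP" or "All"
    port_range: Optional[Tuple[int, int]]   # (low, high); None for ICMP/All
    peer: str                               # CIDR such as "0.0.0.0/0", or a group name


@dataclass
class SecurityGroup:
    name: str
    members: Set[str] = field(default_factory=set)   # private IPs of member ECSs
    rules: List[Rule] = field(default_factory=list)  # rules added by the user


def _rule_matches(rule: Rule, protocol: str, port: Optional[int],
                  peer_ip: str, groups: Dict[str, SecurityGroup]) -> bool:
    if rule.protocol != "All" and rule.protocol != protocol:
        return False
    if protocol in ("TCP", "UDP") and rule.port_range is not None:
        low, high = rule.port_range
        if port is None or not low <= port <= high:
            return False
    if "/" in rule.peer:                              # CIDR source/destination
        return ip_address(peer_ip) in ip_network(rule.peer, strict=False)
    peer_group = groups.get(rule.peer)                # security-group source/destination
    return peer_group is not None and peer_ip in peer_group.members


def is_allowed(group: SecurityGroup, direction: str, protocol: str,
               port: Optional[int], peer_ip: str,
               groups: Dict[str, SecurityGroup]) -> bool:
    """Decide whether one packet is allowed for a member of `group`.

    Security groups are allow-lists: a packet passes if the default rule or
    any user rule permits it; nothing explicitly denies.
    """
    # Default outbound rule: all outgoing packets are allowed.
    if direction == "outbound":
        return True
    # Default inbound rule: members of the same group can reach each other.
    if peer_ip in group.members:
        return True
    # Otherwise an explicit inbound rule must match; else the packet is discarded.
    return any(_rule_matches(r, protocol, port, peer_ip, groups)
               for r in group.rules if r.direction == "inbound")


def two_tier_example() -> Dict[str, SecurityGroup]:
    """Constructed two-tier layout: web servers reachable from the Internet on
    TCP 80, database servers reachable only from the web tier's group."""
    web = SecurityGroup("sg-web", members={"192.168.0.10", "192.168.0.11"})
    db = SecurityGroup("sg-db", members={"192.168.1.20"})
    web.rules.append(Rule("inbound", "TCP", (80, 80), "0.0.0.0/0"))
    db.rules.append(Rule("inbound", "TCP", (3306, 3306), "sg-web"))  # assumed DB port
    return {"sg-web": web, "sg-db": db}


if __name__ == "__main__":
    groups = two_tier_example()
    internet = "203.0.113.5"          # constructed external address
    checks = [
        ("Internet -> web:80", "sg-web", "TCP", 80, internet),
        ("Internet -> web:22", "sg-web", "TCP", 22, internet),
        ("Internet -> db:3306", "sg-db", "TCP", 3306, internet),
        ("web -> db:3306", "sg-db", "TCP", 3306, "192.168.0.10"),
    ]
    for label, g, proto, port, src in checks:
        verdict = is_allowed(groups[g], "inbound", proto, port, src, groups)
        print(f"{label}: {'allow' if verdict else 'deny'}")
```

The point the model makes explicit is that the database tier never needs an inbound rule with an IP source: referencing the web tier's group as the source keeps the rule valid even when web servers are added or replaced, and an Internet client hitting the database port is discarded by the default inbound rule.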

1.2.2 Relationships with Other Services

- ECS
  EIPs can be bound to required ECSs provided by the ECS service.

- ELB
  ELB uses the EIP and bandwidth provided by the VPC service.

- Cloud Eye
  After the VPC service becomes available to you, you can use Cloud Eye to view the status of monitored objects of the service without requiring additional plug-ins to be installed.

Table 1-1 VPC metrics

Metric                            | Description                                    | Value Range  | Monitored Object
Upstream Bandwidth (Deprecated)   | Outbound network rate of the monitored object  | ≥ 0 bytes/s  | Bandwidth or EIP
Downstream Bandwidth (Deprecated) | Inbound network rate of the monitored object   | ≥ 0 bytes/s  | Bandwidth or EIP
Upstream Bandwidth                | Outbound network rate of the monitored object  | ≥ 0 bits/s   | Bandwidth or EIP
Downstream Bandwidth              | Inbound network rate of the monitored object   | ≥ 0 bits/s   | Bandwidth or EIP

1.2.3 Accessing the VPC

Web-based service management platforms, including the management console and HTTPS-based application programming interface (API), are provided for you to access the VPC service. The detailed methods for accessing the VPC service are as follows:

- API
  If you need to integrate the VPC service provided by the public cloud system into a third-party system for secondary development, you can use the API to access the VPC service. For details, see the Virtual Private Cloud API Reference.

- Management console


  You can log in to the management console to perform other required operations on the VPC service. You can access the VPC service by logging in to the management console and selecting Virtual Private Cloud from the console homepage.

1.2.4 User Permissions

The public cloud system provides two types of user permissions by default: user management and resource management. User management refers to the management of users, user groups, and user group rights. Resource management refers to the control operations that can be performed by users on cloud service resources.


2 Getting Started

2.1 Typical Application Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

- If your ECSs do not need to access the Internet, for example, the ECSs functioning as the database or server nodes for deploying a website, you can configure a VPC for the ECSs by following the instructions described in section 2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet.

- If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. Then, you can configure the VPC of these ECSs by following the instructions provided in section 2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs.

- If you need to access ECSs in a VPC over the Internet to perform maintenance operations, you can configure a VPN. For example, a website administrator needs to use a VPN to access ECSs functioning as service nodes in the VPC over the Internet. Then, you can configure the VPC of these ECSs by following the instructions provided in section 2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN.

2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet

2.2.1 Overview

If your ECSs do not need to access the Internet, for example, the ECSs functioning as the database nodes or server nodes for deploying a website, you can follow the procedure shown in Figure 2-1 to configure a VPC for the ECSs.


Figure 2-1 Configuring the network

Table 2-1 describes the different tasks in the procedure for configuring the network.

Table 2-1 Configuration process description

Task                               | Description
Create a VPC.                      | This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.
Create another subnet for the VPC. | This task is optional. If you need another subnet in addition to the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.


Create a security group.           | This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.
Add a security group rule.         | This task is optional. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

2.2.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Create VPC.

On the Create VPC page, set parameters as prompted.

Table 2-2 Parameter description

Parameter | Description | Example Value
Name      | Specifies the VPC name. | VPC-001


VPC CIDR  | Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, 192.168.0.0/16–24 | 192.168.0.0/16
Name      | Specifies the subnet name. | Subnet-001
CIDR      | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24
Gateway   | Specifies the gateway address of the subnet. | 192.168.0.1

4. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

5. Click Create Now.
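The CIDR constraints in Table 2-2 (supported blocks 10.0.0.0/8–24, 172.16.0.0/12–24 and 192.168.0.0/16–24; subnet CIDR within the VPC CIDR; a gateway address inside the subnet) can be checked offline before clicking Create Now. The Python below is an added example for this guide, not the console's or API's own validation; it uses only the standard ipaddress module, and the choice of the first host address as the proposed gateway is an assumption taken from the table's example pair 192.168.0.0/24 and 192.168.0.1. plan_subnets goes slightly beyond the table by carving several non-overlapping subnets out of one VPC block.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# Added example for this guide: offline checks for the VPC and subnet CIDR
# rules of Table 2-2. Not the console's or API's own validation logic.

# Supported VPC blocks from Table 2-2: (base block, shortest prefix, longest prefix).
SUPPORTED_VPC_BLOCKS = (
    (IPv4Network("10.0.0.0/8"), 8, 24),
    (IPv4Network("172.16.0.0/12"), 12, 24),
    (IPv4Network("192.168.0.0/16"), 16, 24),
)


def validate_vpc_cidr(cidr: str) -> bool:
    """True if `cidr` lies inside one supported block with an allowed prefix length."""
    try:
        net = IPv4Network(cidr)          # strict: host bits must be zero
    except ValueError:
        return False
    return any(lo <= net.prefixlen <= hi and net.subnet_of(base)
               for base, lo, hi in SUPPORTED_VPC_BLOCKS)


def validate_subnet(vpc_cidr: str, subnet_cidr: str, gateway: str) -> List[str]:
    """Return the problems with a subnet definition; an empty list means it is acceptable."""
    problems = []
    if not validate_vpc_cidr(vpc_cidr):
        return ["VPC CIDR is not in a supported block"]
    vpc = IPv4Network(vpc_cidr)
    try:
        subnet = IPv4Network(subnet_cidr)
    except ValueError:
        return ["subnet CIDR is malformed or has host bits set"]
    # The subnet may equal the VPC block (single subnet) or be a subset of it.
    if not subnet.subnet_of(vpc):
        problems.append("subnet CIDR is outside the VPC CIDR")
    try:
        gw = IPv4Address(gateway)
    except ValueError:
        problems.append("gateway is not an IPv4 address")
        return problems
    if gw not in subnet:
        problems.append("gateway is not inside the subnet")
    elif gw in (subnet.network_address, subnet.broadcast_address):
        problems.append("gateway must be a host address, not the network or broadcast address")
    return problems


def plan_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[Tuple[str, str]]:
    """Carve `count` non-overlapping /new_prefix subnets out of the VPC block and
    propose the first host address of each as its gateway (assumed convention,
    matching the guide's example 192.168.0.0/24 -> 192.168.0.1)."""
    vpc = IPv4Network(vpc_cidr)
    carved = vpc.subnets(new_prefix=new_prefix)
    return [(str(s), str(s.network_address + 1)) for _, s in zip(range(count), carved)]


if __name__ == "__main__":
    print(validate_vpc_cidr("192.168.0.0/16"))
    print(validate_subnet("192.168.0.0/16", "192.168.0.0/24", "192.168.0.1"))
    print(plan_subnets("192.168.0.0/16", 24, 3))
```

Strict parsing is deliberate: a value such as 192.168.0.5/16 has host bits set and is rejected rather than silently rounded, which is the behaviour you want for an address plan that security group rules will later reference.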

2.2.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

The created subnet is configured with the DHCP protocol by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.
5. On the displayed Subnet tab, click Create Subnet.
6. In the Create Subnet area, set parameters as prompted.

Table 2-3 Parameter description

Parameter | Description | Example Value
Name      | Specifies the subnet name. | Subnet


CIDR      | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24
Gateway   | Specifies the gateway address of the subnet. | 192.168.0.1

7. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for DNS Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

8. Click OK.

2.2.4 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group.

By default, a tenant can create a maximum of 100 security groups.

After a security group is created, it comes with default security group rules even if you do not specify a rule.

- Outbound rule: allows all outgoing data packets (outbound traffic).
- Inbound rule: allows communication among ECSs within the security group and discards all incoming data packets (inbound traffic).

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. In the Create Security Group area, set the parameters as prompted. Table 2-4 lists the parameters to be configured.


Table 2-4 Parameter description

Parameter   | Description | Example Value
Name        | Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups. | sg-34d6
Description | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A

6. Click OK.

2.2.5 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

By default, a tenant can create a maximum of 500 security group rules. An excessive number of security group rules increases the network latency of the first packet. It is recommended that you add a maximum of 50 rules for each security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.


- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

- Set Source to the IP address segment containing the IP address of the server accommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.

5. On the Inbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.

You can click + to add more inbound rules.

Table 2-5 Inbound rule parameter description

Parameter            | Description | Example Value
Protocol/Application | Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All. | TCP
Port Range/ICMP Type | Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. | 22 or 22-30
Source               | Specifies the source of the security group rule. The value can be an IP address or a security group. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address) | 0.0.0.0/0 (default)


Description          | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A

6. On the Outbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.

   You can click + to add more outbound rules.

Table 2-6 Outbound rule parameter description

Parameter            | Description | Example Value
Protocol/Application | Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All. | TCP
Port Range/ICMP Type | Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. | 22 or 22-30
Destination          | Specifies the destination of the security group rule. The value can be an IP address or a security group. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address) | 0.0.0.0/0 (default)
Description          | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A
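Tables 2-4 to 2-6 and the scenario text of section 2.2.5 give enough constraints to check a rule set offline before it is entered in the console: protocol in TCP/UDP/ICMP/All, a port or low-high range within 1 to 65535, a source or destination that is either a CIDR or a security group name, a description of at most 255 characters without angle brackets, and at most 50 rules per group. The Python below is an added example for this guide, not the platform's own validation or API. Its rule dictionaries, the sample rule set, the network 203.0.113.0/24 and the choice of 22 and 3389 (the two ports the guide itself uses as examples) as administrative ports worth flagging when the source is 0.0.0.0/0 are all assumptions.

```python
import re
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# Added example: offline validation and audit of security group rules against
# the constraints stated in Tables 2-4 to 2-6. Not the platform's own code.

VALID_PROTOCOLS = {"TCP", "UDP", "ICMP", "All"}
SG_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")   # name rules from Table 2-4
MAX_DESCRIPTION = 255                                 # Table 2-5/2-6
RECOMMENDED_MAX_RULES = 50                            # section 2.2.5 recommendation
# Assumption: administrative ports worth flagging when open to any IP are the
# two the guide uses as examples (SSH on 22, MSTSC/RDP on 3389).
ADMIN_PORTS = {22, 3389}


def parse_port_range(value: str) -> Optional[Tuple[int, int]]:
    """'22' -> (22, 22); '22-30' -> (22, 30); anything invalid -> None."""
    parts = value.strip().split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        return None
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        return None
    return low, high


def is_cidr(value: str) -> bool:
    try:
        IPv4Network(value)       # strict: rejects values with host bits set
        return True
    except ValueError:
        return False


def validate_rule(rule: dict) -> List[str]:
    """Return the problems with one inbound or outbound rule (empty list = OK)."""
    errors = []
    proto = rule.get("protocol")
    if proto not in VALID_PROTOCOLS:
        errors.append("protocol must be TCP, UDP, ICMP or All")
    if proto in ("TCP", "UDP") and parse_port_range(str(rule.get("port_range", ""))) is None:
        errors.append("port range must be a port or low-high within 1-65535")
    peer = rule.get("source") or rule.get("destination") or ""
    if not (is_cidr(peer) or SG_NAME_RE.match(peer)):
        errors.append("source/destination must be a CIDR or a security group name")
    desc = rule.get("description", "")
    if len(desc) > MAX_DESCRIPTION or "<" in desc or ">" in desc:
        errors.append("description over 255 characters or contains angle brackets")
    return errors


def audit_inbound_rules(rules: List[dict]) -> List[str]:
    """Flag invalid rules, admin ports exposed to any IP, and oversized rule sets."""
    findings = []
    for idx, rule in enumerate(rules):
        errors = validate_rule(rule)
        if errors:
            findings.append(f"rule {idx}: " + "; ".join(errors))
            continue
        if rule.get("source") != "0.0.0.0/0" or rule["protocol"] not in ("TCP", "All"):
            continue
        if rule["protocol"] == "All":
            exposed = sorted(ADMIN_PORTS)
        else:
            low, high = parse_port_range(str(rule["port_range"]))
            exposed = sorted(p for p in ADMIN_PORTS if low <= p <= high)
        if exposed:
            findings.append(f"rule {idx}: admin port(s) {exposed} open to any IP (0.0.0.0/0)")
    if len(rules) > RECOMMENDED_MAX_RULES:
        findings.append(f"{len(rules)} rules exceed the recommended {RECOMMENDED_MAX_RULES}")
    return findings


# Constructed sample rule set (not taken from the guide).
SAMPLE_RULES = [
    {"protocol": "TCP", "port_range": "3389", "source": "0.0.0.0/0"},
    {"protocol": "TCP", "port_range": "22", "source": "203.0.113.0/24"},
    {"protocol": "TCP", "port_range": "80", "source": "0.0.0.0/0"},
    {"protocol": "ICMP", "port_range": "", "source": "sg-34d6"},
    {"protocol": "TCP", "port_range": "30-22", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for line in audit_inbound_rules(SAMPLE_RULES):
        print(line)
```

Run against SAMPLE_RULES the audit reports two findings: rule 0 exposes 3389 to every address, and rule 4 has an inverted port range. Rule 1 is the shape the guide recommends for administrative access, with Source narrowed to the segment that contains the administrator's host.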


2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs

2.3.1 Overview

If your ECSs need to access the Internet, for example, the ECSs functioning as the service nodes for deploying a website, you can follow the procedure shown in Figure 2-2 to bind EIPs to the ECSs.

Figure 2-2 Configuring the network

Table 2-7 describes the different tasks in the procedure for configuring the network.


Table 2-7 Configuration process description

Task                               | Description
Create a VPC.                      | This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.
Create another subnet for the VPC. | This task is optional. If you need another subnet in addition to the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.
Assign an EIP and bind it to an ECS. | This task is mandatory. You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.
Create a security group.           | This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.
Add a security group rule.         | This task is optional. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

2.3.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.


Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Create VPC.

On the Create VPC page, set parameters as prompted.

Table 2-8 Parameter description

Parameter | Description | Example Value
Name      | Specifies the VPC name. | VPC-001
VPC CIDR  | Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, 192.168.0.0/16–24 | 192.168.0.0/16
Name      | Specifies the subnet name. | Subnet-001
CIDR      | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24
Gateway   | Specifies the gateway address of the subnet. | 192.168.0.1

4. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

5. Click Create Now.

2.3.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

The created subnet is configured with the DHCP protocol by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.


4. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.
5. On the displayed Subnet tab, click Create Subnet.
6. In the Create Subnet area, set parameters as prompted.

Table 2-9 Parameter description

Parameter | Description | Example Value
Name      | Specifies the subnet name. | Subnet
CIDR      | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24
Gateway   | Specifies the gateway address of the subnet. | 192.168.0.1

7. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for DNS Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

8. Click OK.

2.3.4 Assigning an EIP and Binding It to an ECS

Scenarios

You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Procedure

Assign an EIP.

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Elastic IP.

4. On the Elastic IP page, click Assign EIP.

5. Set the parameters as prompted.

Table 2-10 Parameter description

Parameter      | Description | Example Value
Bandwidth Name | Specifies the name of the bandwidth. | bandwidth
Bandwidth Size | Specifies the size of the bandwidth. | 100
Quantity       | Specifies the number of EIPs to be assigned. | 1


NOTE

Only outbound bandwidth is limited.

6. Click Assign Now.
7. Click Submit.

Bind an EIP.

8. On the Elastic IP page, locate the row that contains the target EIP, and click Bind.
9. On the Bind IP Address page, select the required ECS and NIC.
10. Click OK in the displayed dialog box.

2.3.5 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group.

By default, a tenant can create a maximum of 100 security groups.

After a security group is created, it comes with default security group rules even if you do not specify a rule.

- Outbound rule: allows all outgoing data packets (outbound traffic).
- Inbound rule: allows communication among ECSs within the security group and discards all incoming data packets (inbound traffic).

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. In the Create Security Group area, set the parameters as prompted. Table 2-11 lists the parameters to be configured.


Table 2-11 Parameter description

Parameter   | Description | Example Value
Name        | Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups. | sg-34d6
Description | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A

6. Click OK.

2.3.6 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

By default, a tenant can create a maximum of 500 security group rules. An excessive number of security group rules increases the network latency of the first packet. It is recommended that you add a maximum of 50 rules for each security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.


- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

- Set Source to the IP address segment containing the IP address of the server accommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.

5. On the Inbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.

You can click + to add more inbound rules.

Table 2-12 Inbound rule parameter description

Parameter | Description | Example Value

Protocol/Application | Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All. | TCP

Port Range/ICMP Type | Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. | 22 or 22-30

Source | Specifies the source of the security group rule. The value can be an IP address or a security group. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). | 0.0.0.0/0 (default)


Description | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A

6. On the Outbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule. You can click + to add more outbound rules.

Table 2-13 Outbound rule parameter description

Parameter | Description | Example Value

Protocol/Application | Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All. | TCP

Port Range/ICMP Type | Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. | 22 or 22-30

Destination | Specifies the destination of the security group rule. The value can be an IP address or a security group. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). | 0.0.0.0/0 (default)

Description | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A


2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN

2.4.1 Overview

If you need to access ECSs in a VPC over the Internet to perform maintenance operations on the ECSs, you can follow the procedure shown in Figure 2-3 to configure a VPN. For example, you can configure a VPN to enable a website administrator to access ECSs functioning as service nodes in the VPC over the Internet.

Figure 2-3 Configuring the network

Table 2-14 describes the different tasks in the procedure for configuring the network.


Table 2-14 Configuration process description

Task | Description

Create a VPC. | This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Create another subnet for the VPC. | This task is optional. If you need another subnet in addition to the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.

Create a VPN. | This task is mandatory. You can create a VPN to set up a secure and isolated communications tunnel between your data center and cloud services.

Create a security group. | This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Add a security group rule. | This task is optional. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

2.4.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.


To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. On the Dashboard page, click Create VPC.

On the Create VPC page, set parameters as prompted.

Table 2-15 Parameter description

Parameter | Description | Example Value

Name | Specifies the VPC name. | VPC-001

VPC CIDR | Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, 192.168.0.0/16–24. | 192.168.0.0/16

Name | Specifies the subnet name. | Subnet-001

CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24

Gateway | Specifies the gateway address of the subnet. | 192.168.0.1

4. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

5. Click Create Now.

2.4.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

The created subnet is configured with the DHCP protocol by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.


Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Virtual Private Cloud.

4. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.

5. On the displayed Subnet tab, click Create Subnet.

6. In the Create Subnet area, set parameters as prompted.

Table 2-16 Parameter description

Parameter | Description | Example Value

Name | Specifies the subnet name. | Subnet

CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24

Gateway | Specifies the gateway address of the subnet. | 192.168.0.1

7. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for DNS Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

8. Click OK.

2.4.4 Creating a VPN

Overview

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. To use a VPN, you must first create one in your VPC and update the security group rules.

Description of a Simple IPsec VPN Intranet Topology

In the example shown in Figure 2-4, you have created a VPC that has two subnets, 192.168.1.0/24 and 192.168.2.0/24, on the cloud. You also have two subnets, 192.168.3.0/24 and 192.168.4.0/24, on your router deployed in your data center. In this case, you can create a VPN to connect the VPC subnets to the data center subnets.


Figure 2-4 IPsec VPN

Currently, the site-to-site VPN and hub-spoke VPN are supported. In addition to creating a VPN in your VPC, you also need to set up a VPN in your data center to establish the VPN connection.

You must ensure that the VPN in your VPC and that in your data center use the same IKE and IPsec policy configurations. Before creating a VPN, familiarize yourself with the protocols described in Table 2-17 and ensure that your device meets the requirements and configuration constraints of the involved protocols.

Table 2-17 Involved protocols

RFC | Description | Constraint

RFC 2409 | Defines the IKE protocol, which negotiates and verifies key information to safeguard VPN connections. | Use the PSK to reach an IKE peer agreement. Use the main mode and aggressive mode for negotiation.

RFC 4301 | Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components. | Set up a VPN connection using the IPsec tunnel.

Scenarios

Perform the following procedure to create a VPN connection that sets up a secure, isolated communication tunnel between your data center and cloud services. A VPN gateway is an egress gateway in your VPC for establishing an IPsec VPN connection. It is used to establish a secure, reliable, and encrypted communications channel between your VPC and an external data center. A VPN connection is an encrypted communications channel established between the VPN gateway in your VPC and that in an external data center. Currently, only IPsec VPN connections are supported. You must first create a VPN gateway and then a VPN connection. Multiple VPN connections can be created for a VPN gateway.


Apply for a VPN Gateway

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose Virtual Private Network > VPN Gateways.

4. On the VPN Gateway page, click Create VPN Gateway.

5. Set the parameters as prompted and click Apply Now.

Table 2-18 VPN gateway parameter description

Category: Basic information

Parameter | Description | Example Value

Region | A region is a geographical area where you can run your VPC service. Each region comprises one or more AZs and is completely isolated from other regions. AZs in the same region can communicate with one another through an internal network, while those in different regions cannot communicate with one another through an internal network. You can use the region selector in the upper left corner of the current page to change the region. | N/A

VPC | Specifies the name of the VPC to which the VPN has access. | vpc-001

Name | Specifies the name of the VPN gateway. | vpngw-001

Type | Specifies the VPN type. IPsec is selected by default. | IPsec

Bandwidth | Specifies the bandwidth size (in Mbit/s) of the local VPN gateway. When you use a VPN, if the network traffic exceeds the VPN bandwidth, network congestion occurs and the VPN connection is interrupted. Plan sufficient bandwidth in advance to avoid VPN connection interruptions. You can configure alarm rules on Cloud Eye to monitor the bandwidth. | 100

Reliability | In the current environment, only Active-active is supported. | Active-active


6. Confirm the information and click Submit.

NOTE

After a VPN gateway is created, its status in the VPN gateway list is Creating. If a VPN connection uses this VPN gateway, the VPN gateway status changes to Normal.

Apply for a VPN Connection

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose Virtual Private Network > VPN Connections.

4. On the VPN Connection page, click Create VPN Connection.

5. Set the parameters as prompted and click Apply Now.

Table 2-19 VPN connection parameter description

Category: Basic information

Parameter | Description | Example Value

Region | A region is a geographical area where you can run your VPC service. Each region comprises one or more AZs and is completely isolated from other regions. AZs in the same region can communicate with one another through an internal network, while those in different regions cannot communicate with one another through an internal network. You can use the region selector in the upper left corner of the current page to change the region. | N/A

VPN Gateway | Specifies the name of the VPN gateway used by the VPN connection. | vpcgw-001

Name | Specifies the VPN connection name. | vpn-001

PSK | Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPN in the VPC and that in the data center. | Test@123

Confirm PSK | Specifies the confirm pre-shared key. | Test@123


Local Subnets | Specifies the VPC subnets that need to communicate with your data center or private network. You can set the local subnet using either of the following methods: select existing subnets, or manually specify one or more CIDR blocks. | 192.168.1.0/24, 192.168.2.0/24

Remote Gateway | Specifies the public IP address of the VPN in your data center or on the private network. This IP address is used for communicating with the VPN in the VPC. In active-active mode, you can enter two remote gateway addresses. | N/A

Remote Subnets | Specifies the subnets of your data center or private network for communicating with the VPC. The remote and local subnets cannot have overlapping or matching CIDR blocks. The remote subnet CIDR block cannot overlap with CIDR blocks involved in existing VPC peering connections created for the local VPC. | 192.168.3.0/24, 192.168.4.0/24

Category: Advanced Settings

Advanced Settings | Default configuration; Existing configuration: uses existing IKE and IPsec policies; Custom configuration: uses custom IKE and IPsec policies. For details about the policies, see Table 2-20 and Table 2-21. | Custom configuration
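The address-plan rules scattered across Table 2-15 (supported VPC CIDR blocks, subnet within the VPC, gateway address), Table 2-16 and the Local/Remote Subnets rows of Table 2-19 can be checked before anything is clicked in the console. The following is an added example written for this guide, not code from the guide or from the cloud provider; it assumes the gateway is always the first host address of the subnet, as in the guide's example values (192.168.0.0/24 and 192.168.0.1).

```python
"""Validate the address plan the guide asks for in Tables 2-15, 2-16 and 2-19.

Added example, not code from the user guide or the cloud provider. It uses
only the standard-library ipaddress module to check three things:
  * the VPC CIDR lies inside one of the supported blocks with an allowed
    prefix length (10.0.0.0/8-24, 172.16.0.0/12-24, 192.168.0.0/16-24),
  * each subnet CIDR is within the VPC CIDR and its gateway is the first
    host address of the subnet (assumption taken from the example values:
    192.168.0.0/24 -> 192.168.0.1),
  * the VPN local subnets (VPC side) and remote subnets (data center side)
    do not overlap or match, and remote subnets do not overlap peered CIDRs.
"""
import ipaddress

# Supported VPC blocks and prefix-length ranges, from Table 2-15.
SUPPORTED_VPC_BLOCKS = (
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
)


def vpc_cidr_errors(vpc_cidr):
    """Return a list of problems with the VPC CIDR (empty if it is acceptable)."""
    try:
        net = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"{vpc_cidr}: not a valid CIDR block ({exc})"]
    for block, lo, hi in SUPPORTED_VPC_BLOCKS:
        if net.subnet_of(block):
            if lo <= net.prefixlen <= hi:
                return []
            return [f"{vpc_cidr}: prefix length must be /{lo} to /{hi} inside {block}"]
    return [f"{vpc_cidr}: not inside a supported block (10/8, 172.16/12, 192.168/16)"]


def subnet_errors(vpc_cidr, subnet_cidr, gateway):
    """Check that a subnet fits in its VPC and that the gateway is the first host."""
    errors = []
    vpc = ipaddress.ip_network(vpc_cidr)
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    if not sub.subnet_of(vpc):
        errors.append(f"{subnet_cidr}: not within VPC CIDR {vpc_cidr}")
    expected_gw = sub.network_address + 1
    if ipaddress.ip_address(gateway) != expected_gw:
        errors.append(f"{subnet_cidr}: gateway {gateway} should be {expected_gw}")
    return errors


def vpn_subnet_conflicts(local_subnets, remote_subnets, peered_cidrs=()):
    """Return (other_cidr, remote_cidr) pairs that overlap or match.

    Checks remote subnets against the local subnets and against CIDR blocks
    of existing VPC peering connections (the two constraints in Table 2-19).
    overlaps() is also true for identical blocks, so 'matching' is covered.
    """
    conflicts = []
    for r in remote_subnets:
        rn = ipaddress.ip_network(r)
        for other in list(local_subnets) + list(peered_cidrs):
            if rn.overlaps(ipaddress.ip_network(other)):
                conflicts.append((other, r))
    return conflicts


if __name__ == "__main__":
    # Constructed inputs mirroring the guide's example values.
    print(vpc_cidr_errors("192.168.0.0/16"))                                   # []
    print(vpc_cidr_errors("10.0.0.0/25"))                                      # prefix too long
    print(subnet_errors("192.168.0.0/16", "192.168.0.0/24", "192.168.0.1"))    # []
    print(subnet_errors("192.168.0.0/16", "192.168.1.0/24", "192.168.1.254"))  # gateway wrong
    print(vpn_subnet_conflicts(["192.168.1.0/24", "192.168.2.0/24"],
                               ["192.168.3.0/24", "192.168.4.0/24"]))          # []
    print(vpn_subnet_conflicts(["192.168.1.0/24"], ["192.168.0.0/16"]))        # overlap
```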

Table 2-20 IKE policy

Parameter | Description | Example Value

Authentication Algorithm | Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. | sha1


Encryption Algorithm | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128

DH Algorithm | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. | group5

Version | Specifies the version of the IKE protocol. The value can be v1 or v2. | v1

Lifecycle (s) | Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. | 86,400

Negotiation Mode | If the IKE policy version is v1, the negotiation mode can be configured. The value can be main or aggressive. The default value is main. | main

Table 2-21 IPsec policy

Parameter | Description | Example Value

Authentication Algorithm | Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. | sha1

Encryption Algorithm | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128

DH Algorithm | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. | group5

Transfer Protocol | Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be ah, esp, or ah-esp. | esp

Lifecycle (s) | Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. | 3600


NOTE

The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. These parameters must be the same between the VPN connection in your VPC and that in your data center. If they are different, the VPN tunnel cannot be set up.

6. Click Submit.

After the IPsec VPN is created, a public network egress IP address is assigned to the IPsec VPN. The IP address is the local gateway address of a created VPN connection on the network console. When configuring the peer tunnel in your data center, you must set the remote gateway address to this IP address.

7. Due to the symmetry of the tunnel, you also need to configure the IPsec VPN on your router or firewall in the data center.

– For details about the VPN configuration, see section 6.18 How Do I Configure a Remote Device for a VPN?.

– For a list of protocols supported by VPN connections, see section 6.20 What Are the Reference Standards and Protocols for the IPsec VPN?.

– For a list of supported VPN devices, see section 6.19 Which Remote VPN Devices Are Supported?.
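Because the tunnel will not come up unless the IKE and IPsec policies in Tables 2-20 and 2-21 are identical on both ends, a mismatch is easier to find by diffing the two configurations field by field than by reading negotiation logs. The following checker is an added example, not code from the guide or the cloud provider; the weak-algorithm warnings for md5, sha1 and group2 are this example's own assumption (the guide itself only discourages 3des), and the field names are the example's own.

```python
"""Check that the IKE and IPsec policies on both ends of the VPN tunnel agree.

Added example, not code from the user guide or the cloud provider. The NOTE
after Table 2-21 states that the IKE policy (negotiation phase) and the
IPsec policy (data transmission phase) must be identical on the VPC side
and on the data-center device, otherwise the tunnel cannot be set up.
This script diffs both sides field by field, using the value sets from
Tables 2-20 and 2-21 (field names are this example's own), and also warns
about 3des (called risky by the guide) and md5, sha1 and group2 (this
example's own assumption, not a constraint stated in the guide).
"""

# Allowed values per field, from Table 2-20 (IKE) and Table 2-21 (IPsec).
# None means "any positive integer" (SA lifetime in seconds).
IKE_FIELDS = {
    "auth_alg": {"sha1", "sha2-256", "sha2-384", "sha2-512", "md5"},
    "enc_alg": {"aes-128", "aes-192", "aes-256", "3des"},
    "dh_group": {"group2", "group5", "group14"},
    "version": {"v1", "v2"},
    "lifetime_s": None,
    "negotiation_mode": {"main", "aggressive"},  # configurable for v1 only
}
IPSEC_FIELDS = {
    "auth_alg": {"sha1", "sha2-256", "sha2-384", "sha2-512", "md5"},
    "enc_alg": {"aes-128", "aes-192", "aes-256", "3des"},
    "dh_group": {"group2", "group5", "group14"},
    "transfer_protocol": {"ah", "esp", "ah-esp"},
    "lifetime_s": None,
}
WEAK_VALUES = {"3des", "md5", "sha1", "group2"}


def _skip(field, policy):
    """negotiation_mode only exists when the IKE version is v1."""
    return field == "negotiation_mode" and policy.get("version") == "v2"


def invalid_values(fields, policy, label):
    """Return human-readable problems for one side's policy."""
    problems = []
    for field, allowed in fields.items():
        if _skip(field, policy):
            continue
        if field not in policy:
            problems.append(f"{label}: missing {field}")
        elif allowed is None:
            if not (isinstance(policy[field], int) and policy[field] > 0):
                problems.append(f"{label}: {field} must be a positive integer")
        elif policy[field] not in allowed:
            problems.append(f"{label}: {field}={policy[field]!r} not in {sorted(allowed)}")
    return problems


def compare_policies(fields, local, remote, name):
    """Diff one policy type (ike or ipsec) across the VPC side and the remote side.

    Returns {'mismatches': [...], 'invalid': [...], 'weak': [...]}.
    """
    result = {"mismatches": [], "invalid": [], "weak": []}
    result["invalid"] += invalid_values(fields, local, f"local {name}")
    result["invalid"] += invalid_values(fields, remote, f"remote {name}")
    for field in fields:
        if _skip(field, local) and _skip(field, remote):
            continue
        if local.get(field) != remote.get(field):
            result["mismatches"].append(
                f"{name}.{field}: local={local.get(field)!r} remote={remote.get(field)!r}")
    for side, policy in (("local", local), ("remote", remote)):
        for field, value in policy.items():
            if value in WEAK_VALUES:
                result["weak"].append(f"{side} {name}.{field}={value}")
    return result


def tunnel_can_negotiate(local_ike, remote_ike, local_ipsec, remote_ipsec):
    """True only when both policy types match and contain supported values."""
    ike = compare_policies(IKE_FIELDS, local_ike, remote_ike, "ike")
    ipsec = compare_policies(IPSEC_FIELDS, local_ipsec, remote_ipsec, "ipsec")
    return not (ike["mismatches"] or ike["invalid"]
                or ipsec["mismatches"] or ipsec["invalid"])


# Constructed sample: the VPC side uses the guide's example values; the
# data-center side was typed in with a different encryption algorithm.
LOCAL_IKE = {"auth_alg": "sha1", "enc_alg": "aes-128", "dh_group": "group5",
             "version": "v1", "lifetime_s": 86400, "negotiation_mode": "main"}
REMOTE_IKE = dict(LOCAL_IKE, enc_alg="aes-256")
LOCAL_IPSEC = {"auth_alg": "sha1", "enc_alg": "aes-128", "dh_group": "group5",
               "transfer_protocol": "esp", "lifetime_s": 3600}

if __name__ == "__main__":
    report = compare_policies(IKE_FIELDS, LOCAL_IKE, REMOTE_IKE, "ike")
    for key in ("mismatches", "invalid", "weak"):
        for line in report[key]:
            print(f"{key}: {line}")
    print("tunnel can negotiate:",
          tunnel_can_negotiate(LOCAL_IKE, REMOTE_IKE, LOCAL_IPSEC, LOCAL_IPSEC))
```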

2.4.5 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group.

By default, a tenant can create a maximum of 100 security groups.

After a security group is created, it comes with default security group rules even if you do not specify a rule.

- Outbound rule: allows all outgoing data packets (outbound traffic).

- Inbound rule: allows communication among ECSs within the security group and discards all incoming data packets (inbound traffic).

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, click Create Security Group.

5. In the Create Security Group area, set the parameters as prompted. Table 2-22 lists the parameters to be configured.


Table 2-22 Parameter description

Parameter | Description | Example Value

Name | Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups. | sg-34d6

Description | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A

6. Click OK.

2.4.6 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

By default, a tenant can create a maximum of 500 security group rules. An excessive number of security group rules increases the network latency of the first packet. It is recommended that you add a maximum of 50 rules for each security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.


- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

- Set Source to the IP address segment containing the IP address of the server accommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.

5. On the Inbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.

You can click + to add more inbound rules.

Table 2-23 Inbound rule parameter description

Parameter | Description | Example Value

Protocol/Application | Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All. | TCP

Port Range/ICMP Type | Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. | 22 or 22-30

Source | Specifies the source of the security group rule. The value can be an IP address or a security group. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). | 0.0.0.0/0 (default)


Description | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A

6. On the Outbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule. You can click + to add more outbound rules.

Table 2-24 Outbound rule parameter description

Parameter | Description | Example Value

Protocol/Application | Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All. | TCP

Port Range/ICMP Type | Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. | 22 or 22-30

Destination | Specifies the destination of the security group rule. The value can be an IP address or a security group. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). | 0.0.0.0/0 (default)

Description | Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). | N/A
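The rule semantics described in 2.4.5 (allow rules only; outbound open; inbound only from the same group unless a rule permits it) and the parameter constraints of the rule tables in 2.3.6 and 2.4.6 can be expressed as a small evaluator and audit. This is an added example for both sections, not code from the guide or the cloud provider; the Rule fields, the "sg-" prefix convention for group sources and the sample rule set are the example's own assumptions.

```python
"""Model the security group semantics from sections 2.4.5 and 2.4.6.

Added example, not code from the user guide or the cloud provider. A group
holds allow rules only; outbound traffic is allowed; inbound traffic passes
between members of the same group and otherwise only when a rule matches.
The audit checks the stated constraints (protocol set, port range 1-65535,
description limits, recommended 50 rules per group) and the exposure the
NOTE warns about: source 0.0.0.0/0 means every IP address can reach the
port. Field names and the "sg-" prefix are this example's assumptions.
"""
import ipaddress
from dataclasses import dataclass

RECOMMENDED_RULES_PER_GROUP = 50            # recommendation stated in the guide
ADMIN_PORTS = {22: "SSH", 3389: "RDP (MSTSC)"}  # the two remote-access examples
PROTOCOLS = {"TCP", "UDP", "ICMP", "All"}


@dataclass(frozen=True)
class Rule:
    protocol: str        # "TCP", "UDP", "ICMP" or "All"
    port_range: str      # "22" or "22-30"; empty for ICMP or All
    source: str          # CIDR such as "0.0.0.0/0", or a security group id "sg-..."
    description: str = ""

    def ports(self):
        """(low, high) for TCP/UDP rules; None when the rule has no port field."""
        if self.protocol in ("ICMP", "All") or not self.port_range:
            return None
        lo, _, hi = self.port_range.partition("-")
        return int(lo), int(hi or lo)


def rule_errors(rule):
    """Validate one rule against the constraints in Table 2-23."""
    errors = []
    if rule.protocol not in PROTOCOLS:
        errors.append(f"protocol {rule.protocol!r} not one of TCP/UDP/ICMP/All")
    ports = rule.ports()
    if ports and not (1 <= ports[0] <= ports[1] <= 65535):
        errors.append(f"port range {rule.port_range!r} outside 1-65535")
    if not rule.source.startswith("sg-"):
        try:
            ipaddress.ip_network(rule.source, strict=False)
        except ValueError:
            errors.append(f"source {rule.source!r} is neither a CIDR nor a security group")
    if len(rule.description) > 255 or "<" in rule.description or ">" in rule.description:
        errors.append("description exceeds 255 characters or contains < or >")
    return errors


def inbound_allowed(rules, group_id, src_ip, src_group, protocol, port):
    """Inbound decision: same-group traffic passes by default; otherwise the
    packet must match at least one allow rule, since rules cannot deny."""
    if src_group == group_id:
        return True
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.protocol not in ("All", protocol):
            continue
        ports = r.ports()
        if ports and not (ports[0] <= port <= ports[1]):
            continue
        if r.source.startswith("sg-"):
            if src_group == r.source:
                return True
        elif ip in ipaddress.ip_network(r.source, strict=False):
            return True
    return False


def audit(rules):
    """Findings for a rule set: invalid rules, too many rules, admin ports open to any IP."""
    findings = []
    if len(rules) > RECOMMENDED_RULES_PER_GROUP:
        findings.append(f"{len(rules)} rules exceed the recommended {RECOMMENDED_RULES_PER_GROUP}")
    for r in rules:
        findings.extend(rule_errors(r))
        if r.source == "0.0.0.0/0" and r.protocol in ("All", "TCP"):
            ports = r.ports()
            for p, name in ADMIN_PORTS.items():
                if ports is None or ports[0] <= p <= ports[1]:
                    findings.append(f"{name} port {p} reachable from any IP address (source 0.0.0.0/0)")
    return findings


# Constructed rule set for group "sg-34d6" (the guide's example id).
SAMPLE_RULES = [
    Rule("TCP", "22", "203.0.113.0/24", "SSH from the admin subnet"),
    Rule("TCP", "3389", "0.0.0.0/0", "RDP"),                   # open to the world
    Rule("TCP", "80-443", "sg-web-lb", "from the load balancer group"),
]

if __name__ == "__main__":
    print(inbound_allowed(SAMPLE_RULES, "sg-34d6", "203.0.113.10", None, "TCP", 22))  # True
    print(inbound_allowed(SAMPLE_RULES, "sg-34d6", "198.51.100.7", None, "TCP", 22))  # False
    for finding in audit(SAMPLE_RULES):
        print("-", finding)
```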


3 VPC and Subnet

3.1 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. On the Dashboard page, click Create VPC.

On the Create VPC page, set parameters as prompted.

Table 3-1 Parameter description

Parameter | Description | Example Value

Name | Specifies the VPC name. | VPC-001

VPC CIDR | Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, 192.168.0.0/16–24. | 192.168.0.0/16


Name | Specifies the subnet name. | Subnet-001

CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24

Gateway | Specifies the gateway address of the subnet. | 192.168.0.1

4. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

5. Click Create Now.

3.2 Modifying a VPC

Scenarios

If the VPC CIDR conflicts with the subnet of a VPN created in the VPC, you can modify the VPC to change the VPC address range.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Virtual Private Cloud.

4. On the Virtual Private Cloud page, locate the row that contains the VPC to be modified and click Modify in the Operation column.

5. In the displayed dialog box, modify parameters as prompted. You can change the VPC name and VPC CIDR block.

6. Click OK.

3.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

The created subnet is configured with the DHCP protocol by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Virtual Private Cloud.


4. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.

5. On the displayed Subnet tab, click Create Subnet.

6. In the Create Subnet area, set parameters as prompted.

Table 3-2 Parameter description

Parameter | Description | Example Value

Name | Specifies the subnet name. | Subnet

CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | 192.168.0.0/24

Gateway | Specifies the gateway address of the subnet. | 192.168.0.1

7. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for DNS Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

8. Click OK.

3.4 Modifying a Subnet

Scenarios

If the DNS server address configured for a subnet during subnet creation needs to be modified, you can modify the subnet.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Virtual Private Cloud.

4. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be modified and click the VPC name.

5. In the subnet list, locate the target subnet and click Modify. Modify the parameters as prompted.

Table 3-3 Parameter description

Parameter | Description | Example Value

Name | Specifies the subnet name. | Subnet

DNS Server Address 1 | Specifies the IP address of DNS server 1. You can leave it blank. By default, the external DNS server address is used. | N/A


DNS Server Address 2 | Specifies the IP address of DNS server 2. You can leave it blank. By default, the external DNS server address is used. | N/A

6. Click OK.

3.5 Deleting a VPC

3.5.1 Deleting a VPN Connection

Scenarios

You can delete a VPN connection to release network resources if it is no longer required.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose Virtual Private Network > VPN Connections.

4. On the VPN Connection page, locate the target VPN connection and click Delete.

5. Click OK in the displayed dialog box.

3.5.2 Deleting a Subnet

Scenarios

You can delete a subnet to release network resources if the subnet is no longer required.

A subnet cannot be deleted if it is being used by an ECS, VPN, or private IP address. To delete a subnet in these cases, you must first delete the ECS, VPN, or private IP address.

Prerequisites

The following resources using the subnet have been deleted:

- ECS
- BMS
- CCE cluster
- RDS instance
- MRS cluster
- Elastic load balancer
- VPN


- Private IP address
- Custom route

Check and delete related resources on the management console.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Virtual Private Cloud.

4. On the Virtual Private Cloud page, locate the VPC from which a subnet is to be deleted and click the VPC name.

5. On the Subnet page, locate the target subnet and click Delete.

6. Click OK in the displayed dialog box.

3.5.3 Deleting a VPC

Scenarios

You can delete a VPC to release network resources if the VPC is no longer required.

A VPC cannot be deleted if it contains VPNs, VPC peering connections, or subnets. To delete the VPC, you must first delete the resources.

- For details about how to delete a subnet, see section 3.5.2 Deleting a Subnet.
- For details about how to delete a VPN, see section 3.5.1 Deleting a VPN Connection.
- For details about how to delete a VPC peering connection, see section 5.3.7 Deleting a VPC Peering Connection.

Impact on the System

If EIPs exist, the last VPC cannot be deleted.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Virtual Private Cloud.

4. On the Virtual Private Cloud page, locate the row that contains the VPC to be deleted and click Delete in the Operation column.

5. Click OK in the displayed dialog box.


4 Security

4.1 Overview
Network ACLs and security groups are provided to improve VPC security. Table 4-1 describes the differences between network ACLs and security groups.

Table 4-1 Differences between security groups and network ACLs

Scope
  Security group: Operates at the ECS level (first layer of defense).
  Network ACL: Operates at the subnet level (second layer of defense).

Rule types
  Security group: Only supports allow rules.
  Network ACL: Supports allow rules, deny rules, and reject rules.

Overlapping rules
  Security group: Because every rule is an allow rule, overlapping rules do not conflict; their effects add up, and a packet is allowed if any rule matches it.
  Network ACL: If multiple rules match a packet, the rule with the smallest index value takes effect.

How rules take effect
  Security group: You must select a security group when creating an ECS. The selected security group takes effect for that ECS.
  Network ACL: You cannot select a network ACL when creating a subnet. You must create a network ACL, associate subnets with it, add inbound and outbound rules, and enable it. The network ACL then takes effect for the associated subnets and the ECSs in them.

Packet filtering
  Security group: Only supports packet filtering based on the 3-tuple (protocol, port, and peer IP address).
  Network ACL: Supports packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address).

4.2 Security Group


4.2.1 Security Group Overview

Security Group
A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to it. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules.

The system creates a security group for each tenant by default. The tenant can also createcustom security groups by themselves.

By default, a tenant can create a maximum of 100 security groups.

Security Group Rule
You can add rules to a security group to control access from and to the ECSs in it. A rule applies either to inbound or to outbound traffic.

- Inbound rule: allows a specific IP address, CIDR block, or security group to access a specified port or port range used by the ECSs in the security group through a specific network protocol.

- Outbound rule: allows the ECSs in the security group to access a specified port or port range used by a specific IP address, CIDR block, or security group through a specific network protocol.


To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.
- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.
- Set Source to the IP address segment that contains the address of the host that will connect to the ECS, rather than leaving it at the default 0.0.0.0/0.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 means that every IP address can access ECSs in the security group on the rule's port. Narrow the source whenever the set of legitimate clients is known.

By default, a tenant can create a maximum of 500 security group rules. An excessive number of security group rules increases the network latency of the first packet. It is recommended that you add a maximum of 50 rules to each security group.

The protocol of a security group rule can be set to TCP, UDP, ICMP, or ANY. ANY means that the rule takes effect for all protocols. If TCP or UDP is selected, specify the port or port range (1 to 65535) on which the rule allows access. If ICMP is selected, you can set the ICMP type; the default value is ANY.


Default Security Group and Security Group Rule
The system creates a security group for each tenant by default. The tenant can also create custom security groups.

The system automatically adds two security group rules to a default or custom security group:

- Outbound rule: allows all outgoing data packets (outbound traffic).
- Inbound rule: allows communication among ECSs within the security group and discards all other incoming data packets (inbound traffic).

In addition, the default security group allows inbound access only for ICMP and for TCP ports 22 and 3389:

- ICMP: transmits control messages between IP hosts and routers.
- TCP port 22: enables remote access to Linux OSs over SSH.
- TCP port 3389: enables remote access to Windows desktops over RDP.

The default security group and its rules must allow communication among ECSs within the security group while preventing the ECSs from being accessed by unauthorized users or attacked, thereby ensuring the security of the ECSs in the group. Therefore, the default security group rules allow all outbound traffic and restrict inbound traffic.

You can delete the default security group rules and grant ECSs only the minimum permissions they need. However, security group rules work as a whitelist: once the default rules are deleted, ECS access failures may occur. Exercise caution when deleting the default security group rules.

For example, after the default outbound security group rule is deleted, all data packets sent from ECSs in the security group to external destinations are discarded. To restore normal network communication, you need to manually add the following outbound rules:

- Add an outbound rule with the TCP protocol, port 80, and destination IP address 169.254.169.254/32 to allow ECS metadata packets.

- Add further outbound rules with the required protocols and ports and destination IP address segment 100.XX.0.0/16 to allow data packets to the network segments reserved for other public services, such as Relational Database Service (RDS).

- Add another outbound rule with the required protocol, port, and destination to allow data packets to the CIDR block of a specific network segment, for example, data packets for accessing another security group.

Similarly, after the default inbound rule is deleted, you also need to add the required inbound rules based on your service requirements to enable network communication.
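The rule semantics described in this section, in a runnable form. This is an added example written for this page, not code from the guide or from the VPC service: it models security group evaluation as the guide describes it (allow-only rules matched on protocol, port and peer; the combined effect of all rules applies; a peer may be a CIDR block or another security group's ID) and replays the cases above: traffic between members of one group, the effect of deleting the default outbound rule on the 169.254.169.254 metadata path and of adding it back, two overlapping TCP/22 rules, and a check for SSH or RDP opened to 0.0.0.0/0. The security group IDs, addresses and the MEMBERS map are constructed for the example, and connection state is not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

ANY = "ANY"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Membership of each security group, keyed by a hypothetical group ID.
# Constructed for this example; a real deployment would read it from the VPC API.
MEMBERS: Dict[str, Set[str]] = {}

@dataclass(frozen=True)
class Rule:
    direction: str                          # "inbound" or "outbound"
    protocol: str                           # "TCP", "UDP", "ICMP" or "ANY"
    port_range: Optional[Tuple[int, int]]   # None when the rule is not port-specific
    peer: str                               # CIDR block, or a security group ID ("sg-...")

@dataclass
class SecurityGroup:
    sg_id: str
    rules: List[Rule] = field(default_factory=list)

def default_rules(sg_id: str) -> List[Rule]:
    """The two rules the guide says every default or custom security group starts with."""
    return [
        Rule("outbound", ANY, None, "0.0.0.0/0"),  # allow all outgoing packets
        Rule("inbound", ANY, None, sg_id),         # allow ECSs in the same group to talk
    ]

def peer_matches(peer: str, addr: str) -> bool:
    """A peer is either a CIDR block or another security group's ID."""
    if peer.startswith("sg-"):
        return addr in MEMBERS.get(peer, set())
    return ip_address(addr) in ip_network(peer, strict=False)

def rule_matches(rule: Rule, direction: str, protocol: str, port: int, peer_addr: str) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol != ANY and rule.protocol != protocol:
        return False
    if rule.port_range is not None and not rule.port_range[0] <= port <= rule.port_range[1]:
        return False
    return peer_matches(rule.peer, peer_addr)

def is_allowed(sg: SecurityGroup, direction: str, protocol: str, port: int, peer_addr: str) -> bool:
    """Allow-only rules never conflict: a packet passes if ANY rule matches (union semantics)."""
    return any(rule_matches(r, direction, protocol, port, peer_addr) for r in sg.rules)

def world_reachable_admin_ports(sg: SecurityGroup) -> Set[str]:
    """Flags the pattern of Example Three in 4.2.6: SSH or RDP open to source 0.0.0.0/0."""
    found: Set[str] = set()
    for r in sg.rules:
        if r.direction != "inbound" or r.peer.startswith("sg-"):
            continue
        if ip_network(r.peer, strict=False).prefixlen != 0:
            continue
        for port, name in ADMIN_PORTS.items():
            if r.protocol in (ANY, "TCP") and (r.port_range is None or r.port_range[0] <= port <= r.port_range[1]):
                found.add(name)
    return found

def demo() -> Dict[str, object]:
    """Walks through the behaviours the guide describes; all addresses are constructed."""
    MEMBERS.clear()
    MEMBERS["sg-web"] = {"192.168.1.10", "192.168.1.11"}
    MEMBERS["sg-db"] = {"192.168.2.20"}
    web = SecurityGroup("sg-web", default_rules("sg-web"))
    db = SecurityGroup("sg-db", default_rules("sg-db"))
    out: Dict[str, object] = {}
    # Members of one group reach each other with no extra rule.
    out["web_to_web"] = is_allowed(web, "inbound", "TCP", 8080, "192.168.1.11")
    # Different groups are isolated until a rule names the other group (Example One in 4.2.6).
    out["web_to_db_before"] = is_allowed(db, "inbound", "TCP", 3306, "192.168.1.10")
    db.rules.append(Rule("inbound", "TCP", (3306, 3306), "sg-web"))
    out["web_to_db_after"] = is_allowed(db, "inbound", "TCP", 3306, "192.168.1.10")
    # Deleting the default outbound rule silently cuts off the metadata service ...
    web.rules = [r for r in web.rules if r.direction != "outbound"]
    out["metadata_after_delete"] = is_allowed(web, "outbound", "TCP", 80, "169.254.169.254")
    # ... until the explicit rule from the guide is added back.
    web.rules.append(Rule("outbound", "TCP", (80, 80), "169.254.169.254/32"))
    out["metadata_after_readd"] = is_allowed(web, "outbound", "TCP", 80, "169.254.169.254")
    # Two overlapping TCP/22 rules do not conflict; both sources are admitted, nobody else.
    web.rules += [Rule("inbound", "TCP", (22, 22), "10.0.0.0/8"),
                  Rule("inbound", "TCP", (22, 22), "192.168.20.2/32")]
    out["ssh_from_10"] = is_allowed(web, "inbound", "TCP", 22, "10.1.2.3")
    out["ssh_from_mgmt"] = is_allowed(web, "inbound", "TCP", 22, "192.168.20.2")
    out["ssh_from_other"] = is_allowed(web, "inbound", "TCP", 22, "203.0.113.5")
    out["web_exposed"] = sorted(world_reachable_admin_ports(web))
    exposed = SecurityGroup("sg-x", [Rule("inbound", "TCP", (3389, 3389), "0.0.0.0/0")])
    out["rdp_exposed"] = sorted(world_reachable_admin_ports(exposed))
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `world_reachable_admin_ports` check is the kind of lint worth running over every security group before an ECS gets an EIP: a rule with source 0.0.0.0/0 on TCP 22 or 3389 is exactly what Example Two in 4.2.6 tells you to avoid.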

Security Group Constraints
- After a security group is created, IP address verification, MAC address verification, and DHCP snooping are automatically enabled for the ECSs in the security group to prevent spoofing attacks launched by malicious ECSs against other ECSs or the DHCP server. With IP and MAC address verification enabled, the security group allows only outgoing data packets whose source is the ECS private IP address and MAC address automatically assigned in the VPC. Outgoing data packets from other addresses are discarded.

- In some special scenarios, for example, if an ECS functions as the SNAT server or uses IP addresses other than the private IP addresses assigned in the VPC (such as virtual IP addresses), you must configure the Allowed-Address-Pair parameter to allow access from and to these IP and MAC addresses, thereby ensuring normal ECS communication.
  – If an ECS functions as the SNAT server, disable IP and MAC address verification and allow access from and to all IP addresses. Open the details page of the ECS functioning as the SNAT server, click the NIC tab, and disable the source/destination check function. For details about how to configure the SNAT server, see section 5.2.1 Configuring an SNAT Server.
  – When an ECS uses a virtual IP address, you must allow access from and to the virtual IP address by calling the required API to configure the Allowed-Address-Pair parameter. For details, see the allowed_address_pairs parameter in section Port > Creating a Port or Port > Updating a Port in the Virtual Private Cloud API Reference.
    If the CIDR block prefix in the allowed_address_pairs parameter is short, the security group configured on that port loses its anti-spoofing effect. For example, if both 128.0.0.0/1 and 0.0.0.0/1 are configured for the Allowed-Address-Pair parameter, together they cover every IPv4 address, so the ECS may send packets from any source address and the security group no longer constrains it.

- When creating a private network load balancer, you need to select a security group. Do not delete the default security group rules, or else ensure that the following requirements are met:
  – Outbound rule: allows data packets to the selected security group, or data packets to the peer load balancer, to pass.
  – Inbound rule: allows data packets from the selected security group, or data packets from the peer load balancer, to pass.
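A pre-flight check for the allowed_address_pairs caveat above, added here as an example and not taken from the guide or the VPC API: it collapses the requested CIDR blocks to see what they really cover (128.0.0.0/1 plus 0.0.0.0/1 is 0.0.0.0/0), measures how much of the IPv4 space the port would be allowed to use as a source, and refuses to build a pair list that would defeat IP/MAC verification. The `[{"ip_address": ...}]` shape is the OpenStack Neutron port format and is an assumption here; the threshold `MAX_FRACTION` and the sample addresses are constructed for the example.

```python
from ipaddress import collapse_addresses, ip_network
from typing import Dict, List

# Pair sets covering more than this share of IPv4 are treated as effectively disabling the
# source check. 1/2**16 is the size of one /16; the threshold is arbitrary for this example.
MAX_FRACTION = 1 / 2 ** 16

def effective_prefixes(cidrs: List[str]) -> List[str]:
    """Merges the requested blocks into the minimal set of prefixes they actually cover,
    so that 128.0.0.0/1 plus 0.0.0.0/1 shows up as what it is: 0.0.0.0/0."""
    nets = [ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in collapse_addresses(nets)]

def covered_fraction(cidrs: List[str]) -> float:
    """Share of the IPv4 address space the port would be allowed to use as a source."""
    nets = [ip_network(c, strict=False) for c in cidrs]
    return sum(n.num_addresses for n in collapse_addresses(nets)) / 2 ** 32

def pairs_too_broad(cidrs: List[str], max_fraction: float = MAX_FRACTION) -> bool:
    """True when the pairs would let the ECS spoof a large part of the address space."""
    return covered_fraction(cidrs) > max_fraction

def allowed_address_pairs(cidrs: List[str]) -> List[Dict[str, str]]:
    """Builds the allowed_address_pairs value in the OpenStack Neutron port format
    ([{"ip_address": ...}]), assumed here; confirm the exact schema in the VPC API
    Reference. Refuses pair sets broad enough to defeat IP/MAC verification."""
    if pairs_too_broad(cidrs):
        raise ValueError(
            f"allowed_address_pairs {effective_prefixes(cidrs)} would let the port send from "
            f"{covered_fraction(cidrs):.2%} of IPv4 and defeat the security group's source check")
    return [{"ip_address": c} for c in cidrs]

if __name__ == "__main__":
    print(allowed_address_pairs(["192.168.0.100/32"]))      # a single virtual IP: accepted
    for bad in (["128.0.0.0/1", "0.0.0.0/1"], ["10.0.0.0/8"]):
        try:
            allowed_address_pairs(bad)
        except ValueError as err:
            print(err)
```

A virtual IP needs a /32 pair; anything wider should be a deliberate decision (the SNAT server case above), not a side effect of a loose prefix.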

4.2.2 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same securityprotection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC tothe security group.

By default, a tenant can create a maximum of 100 security groups.

After a security group is created, it comes with default security group rules even if you do notspecify a rule.

- Outbound rule: allows all outgoing data packets (outbound traffic).
- Inbound rule: allows communication among ECSs within the security group and discards all other incoming data packets (inbound traffic).

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. In the Create Security Group area, set the parameters as prompted. Table 4-2 lists the parameters to be configured.

Table 4-2 Parameter description

Name
  Description: Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
  NOTE: You can change the security group name after the security group is created. It is recommended that you use different names for different security groups.
  Example value: sg-34d6

Description
  Description: Provides supplementary information about the security group. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

6. Click OK.

4.2.3 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group canaccess each other without the need to add rules. After a security group is created, you cancreate different access rules for the security group to protect the ECSs that are added to thissecurity group.

By default, a tenant can create a maximum of 500 security group rules. An excessive number of security group rules increases the network latency of the first packet. It is recommended that you add a maximum of 50 rules to each security group.


To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.
- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.
- Set Source to the IP address segment that contains the address of the host that will connect to the ECS, rather than leaving it at the default 0.0.0.0/0.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 means that every IP address can access ECSs in the security group on the rule's port. Narrow the source whenever the set of legitimate clients is known.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
5. On the Inbound tab, click Add Rule. In the displayed dialog box, set the required parameters to add an inbound rule. You can click + to add more inbound rules.

Table 4-3 Inbound rule parameter description

Protocol/Application
  Description: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All.
  Example value: TCP

Port Range/ICMP Type
  Description: Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
  Example value: 22 or 22-30

Source
  Description: Specifies the source of the security group rule. The value can be an IP address or a security group. For example:
    xxx.xxx.xxx.xxx/32 (IPv4 address)
    xxx.xxx.xxx.0/24 (subnet)
    0.0.0.0/0 (any IP address)
  Example value: 0.0.0.0/0 (default)

Description
  Description: Provides supplementary information about the security group rule. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

6. On the Outbound tab, click Add Rule. In the displayed dialog box, set the required parameters to add an outbound rule. You can click + to add more outbound rules.

Table 4-4 Outbound rule parameter description

Protocol/Application
  Description: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or All.
  Example value: TCP

Port Range/ICMP Type
  Description: Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
  Example value: 22 or 22-30

Destination
  Description: Specifies the destination of the security group rule. The value can be an IP address or a security group. For example:
    xxx.xxx.xxx.xxx/32 (IPv4 address)
    xxx.xxx.xxx.0/24 (subnet)
    0.0.0.0/0 (any IP address)
  Example value: 0.0.0.0/0 (default)

Description
  Description: Provides supplementary information about the security group rule. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

4.2.4 Deleting a Security Group Rule

Scenarios

If the source IP addresses of an inbound or outbound security group rule need to be changed,you can first delete the security group rule and add a new one.

Procedure
1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, click the security group name.

5. If you do not need a security group rule, locate the row that contains the target rule, andclick Delete.

6. Click OK in the displayed dialog box.

4.2.5 Deleting a Security Group

Scenarios

You can delete a security group to release resources if the security group is no longerrequired.

Procedure
1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, locate the target security group, and click Delete.

5. Click OK in the displayed dialog box.

4.2.6 Security Group Configuration Example
Configure security groups based on the actual requirements of your network environment. This section describes common security group configurations for your reference.


Example One: ECSs in Different Security Groups Need to Communicate with Each Other Through an Internal Network.

- Scenario:
  Resources on an ECS in one security group need to be copied to an ECS in another security group. The two ECSs are under the same account and in the same region. You can enable internal network communication between the two ECSs and then copy the resources.

- Security Group Configuration:
  In the same region and under the same account, ECSs in the same security group can communicate with one another by default, and no configuration is required. However, ECSs in different security groups cannot communicate with each other by default. You must add security group rules to enable the ECSs to communicate through an internal network.
  To enable the communication, add an inbound rule to each security group that allows access from the ECSs in the other security group. The security group rule is as follows.

  Protocol | Transfer Direction | Port Range/ICMP Protocol Type | Source
  Protocol used for internal network communication (TCP, UDP, ICMP, or ANY) | Inbound | Port number range or ICMP protocol type | IPv4 address, IPv4 CIDR block, or the ID of the other security group

NOTE

The source can be an IPv4 address, IPv4 CIDR block, or security group ID. If you want to set the source to a specific IP address, the subnet mask must be 32. Using the other group's ID as the source is preferable to listing addresses, because the rule then follows the group's membership.

Example Two: Only Specified IP Addresses Can Remotely Access ECSs in a Security Group.

- Scenario:
  To reduce the exposure of ECSs to attack, you can change the port number used for remote login and configure security group rules that allow only specified IP addresses to remotely access the ECSs.

- Security Group Configuration:
  To allow only IP address 192.168.20.2 to remotely access the Linux ECSs in a security group over TCP port 22, configure the following security group rule.

  Protocol | Transfer Direction | Port Range | Source
  TCP | Inbound | 22 | IPv4 address, IPv4 CIDR block, or another security group ID, for example, 192.168.20.2/32

Example Three: Any Public IP Address Can Remotely Access ECSs in a Security Group.

- Scenario:
  Any public IP address can remotely access the ECSs in a security group. Opening a remote login port to 0.0.0.0/0 exposes it to password guessing from the whole Internet, so use this only where Example Two is not an option and the login itself is hardened.

- Security Group Configuration:
  To allow any public IP address to access the Linux ECSs in a security group over SSH (TCP port 22), configure the following security group rule.

  Protocol | Transfer Direction | Port Range | Source
  TCP | Inbound | 22 | 0.0.0.0/0

  To allow any public IP address to access the Windows ECSs in a security group over RDP (TCP port 3389), configure the following security group rule.

  Protocol | Transfer Direction | Port Range | Source
  TCP | Inbound | 3389 | 0.0.0.0/0

Example Four: Any Public IP Address Can Access ECSs in a Security Group over HTTP or HTTPS.

- Scenario:
  After websites are deployed on the ECSs in a security group, users with any public IP address must be able to access the ECSs over HTTP or HTTPS.

- Security Group Configuration:
  To enable any public IP address to access the ECSs in a security group over HTTP or HTTPS, configure the following two security group rules.

  Protocol | Transfer Direction | Port Range | Source
  TCP | Inbound | 80 (HTTP) | 0.0.0.0/0
  TCP | Inbound | 443 (HTTPS) | 0.0.0.0/0

4.3 Network ACL

4.3.1 Creating a Network ACL

Scenarios

A network access control list (ACL) is an optional layer of security and provides statefulaccess control services. Based on inbound and outbound rules, the network ACL determineswhether data packets are allowed in or out of any associated subnet. You can create a customnetwork ACL. By default, a newly created network ACL is disabled. It does not have subnetsassociated with it nor does it have any inbound or outbound rules. Each user can create amaximum of 200 network ACLs by default.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. In the right pane displayed, click Create Network ACL.
5. In the displayed Create Network ACL area, enter the network ACL information as prompted. Table 4-5 lists the parameters to be configured.

Table 4-5 Parameter description

Name
  Description: Specifies the network ACL name. This parameter is mandatory. The network ACL name contains a maximum of 64 characters, which may consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces.
  Example value: fw-34d6

Description
  Description: Provides supplementary information about the network ACL. This parameter is optional. The description can contain a maximum of 128 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

6. Click OK.


The network ACL is created.

4.3.2 Enabling or Disabling a Network ACL

Scenarios

After a network ACL is created, enable it based on your network security requirements. You can also disable an enabled network ACL when required. Before enabling or disabling a network ACL, ensure that subnets have been associated with it and that inbound and outbound rules have been added.

A network ACL is in the Inactive state if no subnets are associated with it. If you enable a network ACL in the Inactive state, it does not take effect for any subnet.

A network ACL is in the Normal state if subnets are associated with it. If you enable a network ACL in the Normal state, it has the following default rules:
- Allows broadcast packets with a destination of 255.255.255.255/32.
- Allows multicast packets with a destination of 224.0.0.0/24.
- Allows metadata packets with a destination of 169.254.169.254/32 and TCP port 80.
- Allows packets for the CIDR blocks reserved for public services, for example, packets with a destination of 100.125.0.0/16.
- Denies all other packets by default.

After the network ACL is enabled, its rules are evaluated before the security group rules: a packet that the network ACL denies is dropped before the security group is consulted, and a packet that it permits must still be allowed by the security group of the ECS.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the required network ACL in the right pane, and click Enable or Disable in the Operation column.
5. Click OK in the displayed dialog box.

The network ACL is enabled or disabled.

4.3.3 Associating Subnets with a Network ACL

Scenarios

On the page showing the network ACL details, associate the desired subnets with the network ACL. After a network ACL is associated with a subnet, it denies all traffic to and from the subnet, apart from the default rules listed in section 4.3.2, until you add rules that allow traffic.

Procedure
1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Network ACL.

4. Locate the target network ACL in the right pane, and click the network ACL name toswitch to the page showing details of that particular network ACL.

5. On the displayed page, click the Subnet Association tab.

6. On the Subnet Association page, click Associate.

7. On the displayed page, select the subnets to be associated with the network ACL, andclick OK.

The selected subnets are associated with the network ACL.

NOTE

Subnets that have already been associated with network ACLs will not be displayed on the page for youto select. One-click subnet association and disassociation are not currently supported. Furthermore, asubnet can only be associated with one network ACL. If you want to reassociate a subnet that hasalready been associated with another network ACL, you must first disassociate the subnet from theoriginal network ACL.

4.3.4 Adding a Network ACL Rule

Scenarios

Add an inbound or outbound network ACL rule based on your network security requirements.

Procedure
1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Network ACL.

4. Locate the target network ACL in the right pane, and click the network ACL name toswitch to the page showing details of that particular network ACL.

5. On the displayed page, click the Inbound tab.

6. Click Add Rule. In the displayed dialog box, configure the parameters as prompted. Table 4-6 lists the parameters to be configured.

Table 4-6 Parameter description

Action
  Description: Specifies the action of the network ACL rule. This parameter is mandatory. You can select a value from the drop-down list. The value can be Permit, Deny, or Reject.
  Example value: Permit

Protocol
  Description: Specifies the protocol supported by the network ACL rule. This parameter is mandatory. You can select a value from the drop-down list. The value can be TCP, UDP, ICMP, or ANY. If ICMP or ANY is selected, you do not need to specify port information.
  Example value: ANY

Source
  Description: Specifies the source IP address from which the traffic is permitted. The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is permitted. For example:
    xxx.xxx.xxx.xxx/32 (IP address)
    xxx.xxx.xxx.0/24 (subnet)
    0.0.0.0/0 (any IP address)
  Example value: 0.0.0.0/0

Source Port Range
  Description: Specifies the source port number or port number range. You must specify this parameter if TCP or UDP is selected for Protocol. The value ranges from 0 to 65535. For a port number range, enter two port numbers connected by a hyphen (-), for example, 1-100. The range cannot start with 0.
  Example value: 22 or 22-30

Destination
  Description: Specifies the destination IP address to which the traffic is permitted. The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is permitted. For example:
    xxx.xxx.xxx.xxx/32 (IP address)
    xxx.xxx.xxx.0/24 (subnet)
    0.0.0.0/0 (any IP address)
  Example value: 0.0.0.0/0

Destination Port Range
  Description: Specifies the destination port number or port number range. You must specify this parameter if TCP or UDP is selected for Protocol. The value ranges from 0 to 65535. For a port number range, enter two port numbers connected by a hyphen (-), for example, 1-100. The range cannot start with 0.
  Example value: 22 or 22-30

7. Click OK.

The network ACL rule is added. The procedure for adding an outbound rule is the sameas that for adding an inbound rule.

4.3.5 Enabling or Disabling a Network ACL Rule

Scenarios

Enable or disable an inbound or outbound network ACL rule based on your network securityrequirements.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane, and click the network ACL name to switch to the page showing details of that particular network ACL.
5. On the displayed page, click the Inbound tab.
6. In the displayed Inbound area, locate the target rule and click Enable or Disable in the Operation column.
7. Click OK in the displayed dialog box.

The rule is enabled or disabled. The procedure for enabling or disabling an outboundnetwork ACL rule is the same as that for enabling or disabling an inbound network ACLrule.

4.3.6 Modifying a Network ACL Rule

Scenarios

Modify an inbound or outbound network ACL rule based on your network securityrequirements.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane, and click the network ACL name to switch to the page showing details of that particular network ACL.
5. On the displayed page, click the Inbound tab.
6. On the displayed Inbound page, locate the target network ACL rule and click Modify in the Operation column. In the displayed dialog box, configure the parameters as prompted. Table 4-7 lists the parameters to be configured.

Table 4-7 Parameter description

The parameters are the same as those in Table 4-6: Action (Permit, Deny, or Reject), Protocol (TCP, UDP, ICMP, or ANY; no port information is needed for ICMP or ANY), Source, Source Port Range, Destination, and Destination Port Range. Port ranges take values from 0 to 65535, are written as two port numbers connected by a hyphen (-), for example, 1-100, and cannot start with 0.

7. Click OK.

The network ACL rule is modified. The procedure for modifying an outbound network ACL rule is the same as that for modifying an inbound rule.


4.3.7 Changing the Sequence of a Network ACL Rule

Scenarios

If multiple network ACL rules conflict, the rules in the front take precedence. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane, and click the network ACL name to switch to the page showing details of that particular network ACL.
5. On the displayed page, click the Inbound tab.
6. On the Inbound page, locate the target network ACL rule, click More in the Operation column, and select Insert Above or Insert Below.
7. In the displayed dialog box, configure required parameters and click OK.

The network ACL rule is inserted. The procedure for inserting an outbound network ACL rule is the same as that for inserting an inbound network ACL rule.
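As an added example (not code from the guide or the platform), a Python model of an ordered network ACL built from the Table 4-7 fields: rules are matched from the top and the first match decides, port values follow the constraints stated in the table, and an Insert Above or Insert Below changes the outcome. The sample rules and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


def parse_port_range(text: str) -> PortRange:
    """Parse a Table 4-7 port value: a single port or 'lo-hi' with both ends
    in 0-65535; a range cannot start with 0."""
    if "-" in text:
        lo_text, hi_text = text.split("-", 1)
        lo, hi = int(lo_text), int(hi_text)
        if lo == 0:
            raise ValueError("a port range cannot start with 0")
        if lo > hi:
            raise ValueError("port range start is greater than its end")
    else:
        lo = hi = int(text)
    if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
        raise ValueError("ports must be within 0-65535")
    return lo, hi


def is_valid_port_range(text: str) -> bool:
    try:
        parse_port_range(text)
        return True
    except ValueError:
        return False


@dataclass
class AclRule:
    action: str                              # Permit, Deny or Reject
    protocol: str                            # TCP, UDP, ICMP or ANY
    source: str = "0.0.0.0/0"                # default: any source
    destination: str = "0.0.0.0/0"           # default: any destination
    source_ports: Optional[str] = None       # mandatory for TCP/UDP
    destination_ports: Optional[str] = None  # mandatory for TCP/UDP

    def __post_init__(self) -> None:
        if self.action not in ("Permit", "Deny", "Reject"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.protocol not in ("TCP", "UDP", "ICMP", "ANY"):
            raise ValueError(f"unknown protocol {self.protocol!r}")
        self.src_net = ipaddress.ip_network(self.source, strict=False)
        self.dst_net = ipaddress.ip_network(self.destination, strict=False)
        if self.protocol in ("TCP", "UDP"):
            if self.source_ports is None or self.destination_ports is None:
                raise ValueError("TCP/UDP rules need source and destination port ranges")
            self.src_ports = parse_port_range(self.source_ports)
            self.dst_ports = parse_port_range(self.destination_ports)
        else:
            # ICMP and ANY carry no port information, so ports are not checked
            self.src_ports = self.dst_ports = None

    def matches(self, proto: str, src_ip: str, dst_ip: str,
                src_port: Optional[int] = None, dst_port: Optional[int] = None) -> bool:
        if self.protocol != "ANY" and self.protocol != proto:
            return False
        if ipaddress.ip_address(src_ip) not in self.src_net:
            return False
        if ipaddress.ip_address(dst_ip) not in self.dst_net:
            return False
        if self.src_ports is not None:
            if src_port is None or not self.src_ports[0] <= src_port <= self.src_ports[1]:
                return False
            if dst_port is None or not self.dst_ports[0] <= dst_port <= self.dst_ports[1]:
                return False
        return True


def evaluate(rules: List[AclRule], proto: str, src_ip: str, dst_ip: str,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> str:
    """First match wins: rules nearer the top take precedence (section 4.3.7).
    Returns the matching rule's action, or 'NoMatch' if no rule applies."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, src_port, dst_port):
            return rule.action
    return "NoMatch"


def insert_rule(rules: List[AclRule], index: int, new_rule: AclRule,
                above: bool = True) -> List[AclRule]:
    """Mirror the console's Insert Above / Insert Below relative to the rule at index."""
    pos = index if above else index + 1
    return rules[:pos] + [new_rule] + rules[pos:]


# Constructed sample inbound ACL: SSH only from the admin subnet, everything else open.
INBOUND_RULES = [
    AclRule("Permit", "TCP", source="10.0.0.0/24",
            source_ports="1-65535", destination_ports="22"),
    AclRule("Deny", "TCP", source_ports="1-65535", destination_ports="22"),
    AclRule("Permit", "ANY"),
]
```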

4.3.8 Deleting a Network ACL Rule

Scenarios

Delete an inbound or outbound network ACL rule based on your network security requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane, and click the network ACL name to switch to the page showing details of that particular network ACL.
5. On the displayed page, click the Inbound tab.
6. On the Inbound page, locate the target network ACL rule and click Delete in the Operation column.
7. Click OK in the displayed dialog box.

The network ACL rule is deleted.

4.3.9 Viewing a Network ACL

Scenarios

View details about a network ACL.


Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane, and click the network ACL name to switch to the page showing details of that particular network ACL.
5. On the displayed page, click the Subnet Association, Inbound, and Outbound tabs one by one to view details about subnet associations, inbound network ACL rules, and outbound network ACL rules.

4.3.10 Modifying a Network ACL

Scenarios

Modify the name and description of a network ACL.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane, and click the network ACL name to switch to the page showing details of that particular network ACL.
5. On the displayed page, click the icon on the right of Name and edit the network ACL name.
6. Click √ to save the new network ACL name.
7. Click the icon on the right of Description and edit the network ACL description.
8. Click √ to save the new network ACL description.

4.3.11 Deleting a Network ACL

Scenarios

Delete a network ACL when it is no longer required.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane and click Delete in the Operation column.
5. Click OK in the displayed dialog box.

The network ACL is deleted.

NOTE

After a network ACL is deleted, associated subnets are disassociated and added rules are deleted from the network ACL.


4.3.12 Disassociating a Subnet from a Network ACL

Scenarios

Disassociate a subnet from a network ACL when necessary.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Network ACL.
4. Locate the target network ACL in the right pane, and click the network ACL name to switch to the page showing details of that particular network ACL.
5. On the displayed page, click the Subnet Association tab.
6. On the Subnet Association page, locate the target subnet and click Disassociate in the Operation column.
7. Click OK in the displayed dialog box.

The subnet is disassociated from the network ACL.


5 Network Components

5.1 Elastic IP Address

5.1.1 Assigning an EIP and Binding It to an ECS

Scenarios

You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Procedure

Assign an EIP.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Elastic IP.
4. On the Elastic IP page, click Assign EIP.
5. Set the parameters as prompted.

Table 5-1 Parameter description

Bandwidth Name
  Description: Specifies the name of the bandwidth.
  Example value: bandwidth

Bandwidth Size
  Description: Specifies the size of the bandwidth.
  Example value: 100

Quantity
  Description: Specifies the number of EIPs to be assigned.
  Example value: 1

NOTE

Only outbound bandwidth is limited.


6. Click Assign Now.
7. Click Submit.

Bind an EIP.

8. On the Elastic IP page, locate the row that contains the target EIP, and click Bind.
9. On the Bind IP Address page, select the required ECS and NIC.
10. Click OK in the displayed dialog box.

5.1.2 Unbinding an EIP from an ECS and Releasing the EIP

Scenarios

If you no longer need the EIP, unbind it from the ECS and release the EIP to avoid wasting network resources.

- EIPs assigned and bound to ECSs in the ELB service are displayed in the EIP list of the VPC service, but you cannot unbind these EIPs from ECSs.
- Only unbound EIPs can be released. To release bound EIPs, you must first unbind them.

Procedure

Unbind an EIP.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Elastic IP.
4. On the Elastic IP page, locate the row that contains the target EIP, and click Unbind.
5. Click OK in the displayed dialog box.

Release an EIP.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Elastic IP.
4. On the Elastic IP page, locate the row that contains the target EIP, and click Release.
5. Click OK in the displayed dialog box.

Unbind multiple EIPs at a time.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Elastic IP.
4. On the Elastic IP page, select the EIPs to be unbound.
5. Click Unbind above the EIP list.
6. Click OK in the displayed dialog box.

Release multiple EIPs at a time.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Elastic IP.
4. On the Elastic IP page, select the EIPs to be released.
5. Click Release above the EIP list.
6. Click OK in the displayed dialog box.

5.2 Custom Route

A custom route is a user-defined rule added to a VPC.

The route enables ECSs (without bound EIPs) in a VPC to access the Internet.

5.2.1 Configuring an SNAT Server

Scenarios

To use the route table function provided by the VPC service, you need to configure SNAT on an ECS to enable other ECSs in the VPC that do not have EIPs bound to access the Internet through this ECS.

The configured SNAT function takes effect for all subnets in a VPC.

Prerequisites

- You have obtained the ECS where SNAT is to be deployed.
- The ECS where SNAT is to be deployed runs the Linux OS.
- The ECS where SNAT is to be deployed has only one network interface card (NIC) configured.

Procedure

1. Log in to the management console.
2. On the console homepage, under Computing, click Elastic Cloud Server.
3. On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details.
4. On the displayed ECS details page, click the NICs tab.
5. Click the NIC IP address. In the displayed area showing the NIC details, disable the source/destination check function.

   By default, the source/destination check function is enabled. When this function is enabled, the system checks whether the source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If SNAT is used, the SNAT server needs to forward packets, and this mechanism prevents the packet sender from receiving returned packets. Therefore, you need to disable the source/destination check function for SNAT servers.

6. Follow the procedure provided in section 5.1.1 Assigning an EIP and Binding It to an ECS to bind an EIP to the private IP address of the ECS.


NOTICE

Do not bind a virtual IP address to the EIP.

7. On the ECS console, use the remote login function to log in to the ECS on which SNAT is to be configured.

8. Run the following command and enter the password of user root to switch to user root:

su - root

9. Run the following command to check whether the ECS can successfully connect to the Internet:

NOTE

Before running the command, you must disable the response iptables rule on the ECS where SNAT is deployed and enable the security group rules.

ping www.google.com

The ECS can access the Internet if the following information is displayed:

[root@localhost ~]# ping www.google.com
PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms

10. Run the following command to check whether IP forwarding of the Linux OS is enabled:

cat /proc/sys/net/ipv4/ip_forward

In the command output, 1 indicates enabled, and 0 indicates disabled. The default value is 0.

– If IP forwarding in Linux is enabled, go to step 13.
– If IP forwarding in Linux is disabled, perform step 11 to enable IP forwarding in Linux.

Many OSs support packet routing. Before forwarding a packet, the OS changes the source IP address in the packet to its own IP address. The forwarded packets therefore carry the public IP address of the forwarding host, so that the response packets are sent back along the same path to that host and from there to the initial packet sender. This method is called SNAT. The OS needs to keep track of the packets whose IP addresses have been changed, so that the destination IP addresses in the response packets can be rewritten and the packets can be forwarded to the initial packet sender. To achieve this, you need to enable the IP forwarding function and configure SNAT rules.

11. Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 1, and enter :wq to save the change and exit.

12. Run the following command to make the change take effect:

sysctl -p /etc/sysctl.conf

13. Configure SNAT.

Run the following command to enable all ECSs on the network segment (for example, 192.168.1.0/24) to access the Internet using the SNAT function:

iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip

Figure 5-1 shows the example command.


Figure 5-1 Configuring SNAT

14. Run the following command to check whether the operation is successful:

iptables -t nat --list

The operation is successful if the information shown in Figure 5-2 (for example, 192.168.1.0/24) is displayed.

Figure 5-2 Verifying configuration

15. Add a route. For details, see section 5.2.2 Adding a Route. The destination is 0.0.0.0/0, and the next hop is the private IP address of the ECS where the SNAT function is deployed. For example, the next hop is 192.168.1.4.
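As an added example (not code from the guide, the platform or the kernel), a Python model of what steps 5 and 10 to 14 set up: an SNAT ECS at 192.168.1.4 forwarding for 192.168.1.0/24, the translation state that lets replies reach the original sender, the effect of leaving ip_forward at 0 or the source/destination check enabled, and a parser for the step 14 listing. The remote address 198.51.100.10, the packet values and the iptables output are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


class SnatServer:
    """Constructed model of the SNAT ECS from section 5.2.1. It stands in for
    ip_forward=1 plus the rule
    'iptables -t nat -A POSTROUTING -o eth0 -s <subnet> -j SNAT --to <nat-ip>':
    packets from the subnet leave with the NAT instance IP as source, the
    original sender is remembered, and replies are rewritten back to it."""

    def __init__(self, nic_ip: str, subnet: str, ip_forward: bool = True,
                 src_dst_check: bool = False):
        self.nic_ip = nic_ip
        self.subnet = ipaddress.ip_network(subnet)
        self.ip_forward = ip_forward        # value of /proc/sys/net/ipv4/ip_forward
        self.src_dst_check = src_dst_check  # NIC source/destination check (step 5)
        self._next_port = 40000
        # Translation state: (nat port, remote ip, remote port) -> (sender ip, sender port)
        self._table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def _emit(self, pkt: Packet) -> Optional[Packet]:
        """NIC egress. With the source/destination check enabled, the platform
        only lets this ECS send packets whose source is the NIC's own address."""
        if self.src_dst_check and pkt.src != self.nic_ip:
            return None
        return pkt

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet from another ECS in the subnet, routed here as next hop."""
        if not self.ip_forward:
            return None  # ip_forward=0: the kernel does not forward
        if ipaddress.ip_address(pkt.src) not in self.subnet:
            return None  # not matched by '-s <subnet>', so not translated
        nat_port = self._next_port
        self._next_port += 1
        self._table[(nat_port, pkt.dst, pkt.dst_port)] = (pkt.src, pkt.src_port)
        return self._emit(replace(pkt, src=self.nic_ip, src_port=nat_port))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A reply from the Internet addressed to the NAT instance IP."""
        if pkt.dst != self.nic_ip:
            return None
        state = self._table.get((pkt.dst_port, pkt.src, pkt.src_port))
        if state is None:
            return None  # unsolicited: no translation state, dropped
        sender_ip, sender_port = state
        # De-NATed reply has the Internet host as source, so it fails the
        # source/destination check if that check is still enabled.
        return self._emit(replace(pkt, dst=sender_ip, dst_port=sender_port))


def snat_rule_present(listing: str, subnet: str, nat_ip: str) -> bool:
    """Step 14 check: parse 'iptables -t nat --list' output and confirm a SNAT
    rule for the subnet in the POSTROUTING chain that points to the NAT IP."""
    chain = None
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        if (chain == "POSTROUTING" and fields[0] == "SNAT"
                and fields[3] == subnet and f"to:{nat_ip}" in fields):
            return True
    return False


# Constructed sample of 'iptables -t nat --list' output after step 13.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       anywhere             to:192.168.1.4
"""
```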

5.2.2 Adding a Route

Scenarios

When ECSs in a VPC need to access the Internet, add a route to enable the ECSs to access the Internet through the ECS that has an EIP bound.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC to which a route is to be added and click the VPC name.
5. On the Route Table tab, click Add Route.
6. Set route information on the displayed page.

– Destination: indicates the destination network segment. The value can be a network segment of subnets in the VPC. The default value is 0.0.0.0/0. The destination of each route must be unique.
– Next Hop: indicates the IP address of the next hop. Set it to a private IP address or a virtual IP address in a VPC.


NOTE

If Next Hop is set to a virtual IP address, the virtual IP addresses in the VPC cannot have EIPs bound. Otherwise, the route will not take effect.

7. Click OK.

5.2.3 Querying a Route

Scenarios

Query a route that has been added.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC to which the route to be queried belongs and click the VPC name.
5. View information about a single route or all routes in the route list.

5.2.4 Modifying a Route

Scenarios

Modify a route.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC to which the route to be modified belongs and click the VPC name.
5. Click the Route Table tab. On the displayed page, locate the row that contains the route to be modified, and click Modify in the Operation column. Modify route information in the displayed dialog box.

6. Click OK.

5.2.5 Deleting a Route

Scenarios

Delete a route if it is no longer required.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC to which the route to be deleted belongs and click the VPC name.
5. Click the Route Table tab. On the displayed page, locate the row that contains the route to be deleted, and click Delete in the Operation column.
6. Click OK in the displayed dialog box.

5.3 VPC Peering Connection

5.3.1 VPC Peering Connection Creation Procedure

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same VPC. You can create a VPC peering connection between your own VPCs, or between your VPC and another tenant's VPC within the same region. You cannot create a VPC peering connection between VPCs in different regions.

- Procedure for creating a VPC peering connection with another VPC of your own

  If you create a VPC peering connection between two VPCs of your own, the system automatically accepts the connection by default. You need to create routes for the local and peer VPCs to enable communication between the two VPCs.

- Procedure for creating a VPC peering connection with a VPC of another tenant


  If you create a VPC peering connection between your VPC and another tenant's VPC, the VPC peering connection will be in the Awaiting acceptance state. After the peer tenant accepts the connection, the connection status changes to Accepted. The local and peer tenants must configure the routes required by the VPC peering connection to enable communication between the two VPCs. If the local and peer VPCs have overlapping CIDR blocks, the routes added for the VPC peering connection may be invalid. Before creating a VPC peering connection between two VPCs that have overlapping CIDR blocks, ensure that no subnets in the two VPCs have overlapping CIDR blocks. In this case, the created VPC peering connection enables communication between two subnets in the two VPCs. You can run the ping command to check whether the two VPCs can communicate with each other.

5.3.2 VPC Peering Connection Configuration Plans

To enable two VPCs to communicate with each other, you can create a VPC peering connection between the two VPCs. If the two VPCs have non-overlapping CIDR blocks, you can configure routes that point to entire VPCs for the VPC peering connection. If the two VPCs have overlapping CIDR blocks, you can only configure routes that point to specific subnets of the VPCs for the VPC peering connection.

- Configurations with Routes to Entire VPCs

  – Configurations with routes to entire VPCs include the following situations: two VPCs peered together and multiple VPCs peered together.
  – In either configuration, if you need to configure routes that point to entire VPCs in a VPC peering connection, none of the VPCs involved in the connection can have overlapping CIDR blocks. Otherwise, the VPC peering connection does not take effect because the routes are unreachable.
  – The destination address of the route that points to an entire VPC is the CIDR block of the peer VPC, and the next hop is the VPC peering connection ID.


- Configurations with Routes to Specific Subnets

  If VPCs in a VPC peering connection have overlapping CIDR blocks, the peering connection can only be created to enable communication between subnets in the VPCs. If subnets in the VPCs of a VPC peering connection have overlapping network segments, the peering connection does not take effect. To create a VPC peering connection, ensure that the VPCs involved do not contain overlapping subnets. For example, VPC1 and VPC2 have matching CIDR blocks, but the subnets in the two VPCs do not overlap. Then, a VPC peering connection can be created between two subnets that do not overlap with each other in the two VPCs. The route table is used to control the specific subnets for which the VPC peering connection is created. Figure 5-3 shows a VPC peering connection created between two subnets. Routes are required to enable communication between Subnet A in VPC1 and Subnet X in VPC2 in the figure.

Figure 5-3 VPC peering connection

  Figure 5-4 shows the routes configured for the VPC peering connection between Subnet A and Subnet X. After the routes are configured, Subnet A and Subnet X are peered with each other and can communicate with each other.

Figure 5-4 VPC peering connection route table

  If two VPCs have overlapping subnets, the VPC peering connection created between the two subnets does not take effect, and the subnets cannot communicate with each other.


  As shown in Figure 5-5, Subnet B and Subnet Y have matching network segments. Therefore, a VPC peering connection cannot be created between Subnet A and Subnet Y.

Figure 5-5 Invalid VPC peering connection

  If VPC1 is peered with multiple VPCs, for example, VPC2, VPC3, and VPC4, the subnet CIDR blocks of VPC1 cannot overlap with those of VPC2, VPC3, and VPC4. If VPC2, VPC3, and VPC4 have overlapping subnets, a VPC peering connection can be created between only one of these overlapping subnets and a subnet of VPC1. If a VPC peering connection is created between a subnet and the other N subnets, none of the subnets can have overlapping CIDR blocks.
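As an added example (not code from the guide or the platform), a Python model of the route-table rules in this section: routes to the entire peer VPC when the VPC CIDR blocks do not overlap, routes to specific subnets when they do, and rejection of any route whose destination overlaps an existing one, which reproduces the Subnet A/Subnet Y case of Figure 5-5 and the multi-VPC limit described above. The VPC and subnet CIDR blocks other than those taken from Table 5-2 are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network


class VpcRouteTable:
    """Constructed model of one VPC's route table for peering planning.
    Each subnet of the VPC is a local route. A peering route has the peer
    CIDR block as destination and the peering connection ID as next hop.
    A destination that overlaps an existing route is rejected, which is how
    overlapping CIDR blocks make a peering route unreachable."""

    def __init__(self, name: str, cidr: str, subnets: Dict[str, str]):
        self.name = name
        self.cidr: Network = ipaddress.ip_network(cidr)
        self.subnets: Dict[str, Network] = {}
        self.routes: List[Tuple[Network, str]] = []  # (destination, next hop)
        for subnet_name, subnet_cidr in subnets.items():
            net = ipaddress.ip_network(subnet_cidr)
            if not net.subnet_of(self.cidr):
                raise ValueError(f"{subnet_name} lies outside {name} ({cidr})")
            self.subnets[subnet_name] = net
            self.routes.append((net, f"local:{subnet_name}"))

    def conflicts(self, destination: Network) -> List[str]:
        """Next hops of existing routes whose destination overlaps the new one."""
        return [hop for net, hop in self.routes if net.overlaps(destination)]

    def add_peering_route(self, destination: Network, peering_id: str) -> None:
        if self.conflicts(destination):
            raise ValueError(f"{destination} overlaps an existing route in {self.name}")
        self.routes.append((destination, peering_id))


def plan_peering(local: VpcRouteTable, peer: VpcRouteTable, peering_id: str,
                 local_subnet: Optional[str] = None,
                 peer_subnet: Optional[str] = None) -> dict:
    """Decide the route pair for a peering connection and add it if reachable.

    Non-overlapping VPC CIDR blocks get routes to the entire peer VPC.
    Overlapping VPC CIDR blocks need one subnet named on each side, and the
    routes then point to those specific subnets. Either way, the routes are
    only added when each destination overlaps nothing already in its table."""
    if not local.cidr.overlaps(peer.cidr):
        local_dest, peer_dest = peer.cidr, local.cidr
    else:
        if local_subnet is None or peer_subnet is None:
            raise ValueError("overlapping VPC CIDR blocks: name a subnet on each side")
        local_dest, peer_dest = peer.subnets[peer_subnet], local.subnets[local_subnet]

    local_conflicts = local.conflicts(local_dest)
    peer_conflicts = peer.conflicts(peer_dest)
    if local_conflicts or peer_conflicts:
        return {"effective": False,
                "local_conflicts": local_conflicts,
                "peer_conflicts": peer_conflicts}
    local.add_peering_route(local_dest, peering_id)
    peer.add_peering_route(peer_dest, peering_id)
    return {"effective": True,
            "local_route": (str(local_dest), peering_id),
            "peer_route": (str(peer_dest), peering_id)}


if __name__ == "__main__":
    # Table 5-2 values: non-overlapping VPCs get routes to the entire peer VPC.
    vpc_002 = VpcRouteTable("vpc_002", "192.168.10.0/24", {"subnet-a": "192.168.10.0/25"})
    vpc_fab1 = VpcRouteTable("vpc_fab1", "192.168.2.0/24", {"subnet-b": "192.168.2.0/25"})
    print(plan_peering(vpc_002, vpc_fab1, "65d062b3-40fa-4204-550a"))

    # Figure 5-5 layout (constructed CIDR blocks): VPC1 and VPC2 share a CIDR
    # block, Subnet B and Subnet Y match, so A-X works and A-Y does not.
    vpc1 = VpcRouteTable("VPC1", "10.0.0.0/16",
                         {"Subnet A": "10.0.1.0/24", "Subnet B": "10.0.2.0/24"})
    vpc2 = VpcRouteTable("VPC2", "10.0.0.0/16",
                         {"Subnet X": "10.0.3.0/24", "Subnet Y": "10.0.2.0/24"})
    print(plan_peering(vpc1, vpc2, "peer-1-2", "Subnet A", "Subnet X"))
    print(plan_peering(vpc1, vpc2, "peer-1-2-bad", "Subnet A", "Subnet Y"))
```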

5.3.3 Creating a VPC Peering Connection with Another VPC of Your Own

Scenarios

To create a VPC peering connection, first create a request to peer with another VPC. You can request a VPC peering connection with another VPC of your own in the same region. The system automatically accepts the request.

Prerequisites

Two VPCs in the same region have been created.

Procedure

Create a VPC peering connection.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. In the right pane displayed, click Create VPC Peering Connection.
5. Configure parameters as prompted. You must select Current Tenant for Tenant. Table 5-2 lists the parameters to be configured.


Table 5-2 Parameter description

Name
  Description: Specifies the name of the VPC peering connection. The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_).
  Example value: peering-001

Local VPC
  Description: Specifies the local VPC. You can select one from the drop-down list.
  Example value: vpc_002(0a396cff-8bc1-4509-98b9-267cae5ac460)

Local VPC CIDR Block
  Description: Specifies the CIDR block for the local VPC.
  Example value: 192.168.10.0/24

Tenant
  Description: Specifies the tenant of the VPC to peer with.
  - Current Tenant: The VPC peering connection will be created between your local VPC and a VPC of your own in the same region.
  - Other Tenant: The VPC peering connection will be created between your local VPC and a VPC of another tenant in the same region.
  Example value: Current Tenant

Project Name
  Description: Specifies the project name. The project name of the current project is used by default.
  Example value: aaa

Peer VPC
  Description: Specifies the peer VPC. You can select one from the drop-down list if the VPC peering connection is created between two VPCs of your own.
  Example value: vpc_fab1(65d062b3-40fa-4204-8181-3538f527d2ab)

Peer VPC CIDR Block
  Description: Specifies the CIDR block for the peer VPC. The local and peer VPCs cannot have matching or overlapping CIDR blocks. Otherwise, the routes added for the VPC peering connection may not take effect.
  Example value: 192.168.2.0/24

6. Click OK.

Add routes for a VPC peering connection.

If you request a VPC peering connection with a VPC of your own, the system automatically accepts the request. To enable communication between the two VPCs, you need to add routes for the VPC peering connection.

1. On the console homepage, under Network, click Virtual Private Cloud.
2. In the navigation pane on the left, click VPC Peering.
3. Locate the target VPC peering connection in the connection list.
4. Click the name of the VPC peering connection to switch to the page showing details about the connection.
5. On the displayed page, click the Local Routes tab.
6. In the displayed Local Routes area, click Add Local Route. In the displayed dialog box, add a local route. Table 5-3 lists the parameters to be configured.

Table 5-3 Route parameter description

Destination
  Description: Specifies the destination address. Set it to the peer VPC or subnet CIDR block.
  Example value: 192.168.10.0/24

Next Hop
  Description: Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value.
  Example value: 65d062b3-40fa-4204-550a

7. Click OK to switch to the page showing the VPC peering connection details.
8. On the displayed page, click the Peer Route tab.
9. In the displayed Peer Route area, click Add Peer Route and add a route.
10. Click OK in the displayed dialog box.

After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the ping command to check whether the two VPCs can communicate with each other. If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in section 6.33 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other?

5.3.4 Creating a VPC Peering Connection with a VPC of Another Tenant

Scenarios

The VPC service also allows you to create a VPC peering connection with a VPC of another tenant. The two VPCs must be in the same region. If you request a VPC peering connection with a VPC of another tenant in the same region, the peer tenant must accept the request to activate the connection.

Procedure

Create a VPC peering connection.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. In the right pane displayed, click Create VPC Peering Connection.
5. Configure parameters as prompted. You must select Other Tenant for Tenant. Table 5-4 lists the parameters to be configured.

Table 5-4 Parameter description

Name
  Description: Specifies the name of the VPC peering connection. The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_).
  Example value: peering-001

Local VPC
  Description: Specifies the local VPC. You can select one from the drop-down list.
  Example value: 0a396cff-8bc1-4509-98b9-267cae5ac460

Local VPC CIDR Block
  Description: Specifies the CIDR block for the local VPC.
  Example value: 192.168.10.0/24

Tenant
  Description: Specifies the tenant of the VPC to peer with.
  - Current Tenant: The VPC peering connection will be created between your local VPC and a VPC of your own in the same region.
  - Other Tenant: The VPC peering connection will be created between your local VPC and a VPC of another tenant in the same region.
  Example value: N/A

Peer Domain Name
  Description: This parameter is available only when Other Tenant is selected. For details about how to obtain a domain name, see section How to Obtain a Domain Name.
  Example value: N/A

Peer VPC ID
  Description: This parameter is available only when Other Tenant is selected. Specifies the ID of the peer VPC.
  Example value: 65d062b3-40fa-4204-8181-3538f527d2ab

6. Click OK.

Accept a VPC peering connection.

To request a VPC peering connection with a VPC of another tenant, the peer tenant must accept the request to activate the connection.

1. The peer tenant logs in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. Locate the target VPC peering connection in the connection list.
5. Locate the row that contains the target VPC peering connection in the connection list, and click Accept Request in the Operation column.
6. Click OK in the displayed dialog box.

Refuse a VPC peering connection.

The peer tenant can reject any received VPC peering connection request. After a VPC peering connection request is rejected, the connection will not be established. You must delete the rejected VPC peering connection request before creating a new VPC peering connection between the same VPCs as those in the rejected request.

1. The peer tenant logs in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. In the right pane displayed, locate the target VPC peering connection in the connection list.
5. Click Reject Request in the Operation column.
6. Click OK in the displayed dialog box.

Add routes for a VPC peering connection.

If you request a VPC peering connection with a VPC of another tenant, the peer tenant must accept the request. To enable communication between the two VPCs, you need to add routes for the VPC peering connection. The local tenant can add only the local route because the local tenant does not have the required permission to perform operations on the peer VPC. The peer tenant must add the peer route. The procedure for adding a local route and a peer route is the same.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. Locate the target VPC peering connection in the connection list.
5. Click the name of the VPC peering connection to switch to the page showing details about the connection.
6. On the displayed page, click the Local Routes tab.
7. In the displayed Local Routes area, click Add Local Route. In the displayed dialog box, add a local route. Table 5-5 lists the parameters to be configured.

Table 5-5 Route parameter description

Parameter Description Example Value

Destination: Specifies the destination address. Set it to the peer VPC or subnet CIDR block. Example value: 192.168.10.0/24

Next Hop: Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value. Example value: 65d062b3-40fa-4204-550a

8. Click OK.

The routes are added for the VPC peering connection.

After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the ping command to check whether the two VPCs can communicate with each other. If the two VPCs cannot communicate with each other, check the configuration by following the instructions provided in section 6.33 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other?
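The routes in Table 5-5 are easy to get subtly wrong (a destination that is not the peer CIDR, a prefix that overlaps your own VPC, a next hop that is not the peering connection), and the ping test above also depends on the security groups allowing ICMP, so a route check before testing saves time. The following is an added example, not code from the guide or the VPC service; the CIDR blocks and the connection ID are constructed sample values, and `check_peering_route` and `plan_routes` are hypothetical helper names.

```python
"""Added example (not from the user guide): sanity-check the local and peer
routes that Table 5-5 describes before adding them for a VPC peering
connection. CIDRs and the connection ID below are constructed sample values."""
import ipaddress

# Constructed sample values, not taken from the guide.
LOCAL_VPC_CIDR = "192.168.0.0/24"
PEER_VPC_CIDR = "192.168.10.0/24"
PEERING_ID = "65d062b3-40fa-4204-8181-3538f527d2ab"   # hypothetical connection ID


def check_peering_route(destination, next_hop, local_vpc_cidr, peer_vpc_cidr, peering_id):
    """Return the list of problems found with one route (empty means it is sound).

    local_vpc_cidr / peer_vpc_cidr are seen from the tenant adding the route.
    The destination must be the peer VPC CIDR or one of its subnets, the next hop
    must be the peering connection (the console default), and the destination must
    not overlap the local VPC CIDR: a route to an overlapping prefix competes with
    the local subnet route, so traffic meant for local hosts could be sent over
    the peering link instead.
    """
    problems = []
    try:
        dest = ipaddress.ip_network(destination, strict=True)
    except ValueError as exc:
        return [f"destination is not a valid CIDR block: {exc}"]
    local = ipaddress.ip_network(local_vpc_cidr)
    peer = ipaddress.ip_network(peer_vpc_cidr)
    if dest.version != peer.version:
        return ["destination and peer VPC CIDR are different IP versions"]
    if not dest.subnet_of(peer):
        problems.append("destination is not the peer VPC CIDR or one of its subnets")
    if dest.version == local.version and dest.overlaps(local):
        problems.append("destination overlaps the local VPC CIDR; the route would conflict with local routing")
    if next_hop != peering_id:
        problems.append("next hop must be the VPC peering connection ID; keep the console default")
    return problems


def plan_routes(local_vpc_cidr, peer_vpc_cidr, peering_id):
    """Both sides need a route and the procedure is the same: the local tenant adds
    the route towards the peer CIDR, the peer tenant adds the mirror route towards
    the local CIDR (the local tenant has no permission to add it)."""
    return {
        "local_route": {"destination": peer_vpc_cidr, "next_hop": peering_id},
        "peer_route": {"destination": local_vpc_cidr, "next_hop": peering_id},
    }


if __name__ == "__main__":
    routes = plan_routes(LOCAL_VPC_CIDR, PEER_VPC_CIDR, PEERING_ID)
    local_problems = check_peering_route(routes["local_route"]["destination"],
                                         routes["local_route"]["next_hop"],
                                         LOCAL_VPC_CIDR, PEER_VPC_CIDR, PEERING_ID)
    # The peer route is checked from the peer tenant's point of view (CIDRs swapped).
    peer_problems = check_peering_route(routes["peer_route"]["destination"],
                                        routes["peer_route"]["next_hop"],
                                        PEER_VPC_CIDR, LOCAL_VPC_CIDR, PEERING_ID)
    print("local route:", local_problems or "OK")
    print("peer route:", peer_problems or "OK")
```

The overlap check is the one worth keeping even if you drop the rest: two VPCs with overlapping CIDR blocks cannot be routed to each other over a peering connection no matter which routes are added, and the check reports that at the route stage instead of during the ping test.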

How to Obtain a Domain Name

1. Log in to the management console.

2. Click the username in the upper right corner. In the displayed area, select My Credential.

3. In the Account Information area, obtain the domain name of the user.

5.3.5 Viewing VPC Peering Connections

Scenarios

Both the local and peer tenants can view information about the VPC peering connections in the Awaiting acceptance and Accepted states.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. In the displayed right pane, view the VPC peering connections. You can find the required VPC peering connections by connection status or name.
5. Click the VPC peering connection name. On the displayed page, view detailed information about the VPC peering connection.

5.3.6 Modifying a VPC Peering Connection

Scenarios

Both the local and peer tenants can modify a VPC peering connection in any state. Currently only the name of a VPC peering connection can be changed.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. In the displayed right pane, view the VPC peering connections. You can find the required VPC peering connections by connection status or name.
5. Locate the target VPC peering connection and click More in the Operation column.
6. Click Modify. In the displayed dialog box, modify information about the VPC peering connection.

7. Click OK in the displayed dialog box.


5.3.7 Deleting a VPC Peering Connection

Scenarios

Both the local and peer tenants can delete a VPC peering connection in any state. After a VPC peering connection is deleted, routes configured for the connection will be automatically deleted.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. In the displayed right pane, view the VPC peering connections. You can find the required VPC peering connections by connection status or name.
5. Locate the target VPC peering connection and click More in the Operation column.
6. Click Delete to delete the VPC peering connection.
7. Click OK in the displayed dialog box.

5.3.8 Viewing Routes Configured for a VPC Peering Connection on the Peering Connection Details Page

Scenarios

After routes are added for a VPC peering connection, both the local and peer tenants can view information about the routes on the page showing details about the VPC peering connection.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. Locate the target VPC peering connection in the connection list.
5. Click the name of the VPC peering connection to switch to the page showing details about the connection.
6. On the displayed page, click the Local Route tab and view information about the local route added for the VPC peering connection.
7. On the page showing details about the VPC peering connection, click the Peer Route tab and view information about the peer route added for the VPC peering connection.

5.3.9 Viewing Routes Configured for a VPC Peering Connection in the VPC Peering Route Table

Scenarios

After routes are added for a VPC peering connection, both the local and peer tenants can view information about the routes in the VPC peering route table.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. Locate the target VPC peering connection in the connection list and click the connection name.
5. On the displayed page showing details about the connection, view routes added to the connection.

5.3.10 Deleting a Route on the VPC Peering Connection Details Page

Scenarios

After routes are added for a VPC peering connection, both the local and peer tenants can delete the routes on the page showing details about the peering connection.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. Locate the target VPC peering connection in the connection list.
5. Click the name of the VPC peering connection to switch to the page showing details about the connection.
6. On the displayed page, click the Local Route tab and view information about the local route added for the VPC peering connection.
7. On the Local Route page, locate the target local route, and click Delete in the Operation column.
8. Click OK in the displayed dialog box.
9. On the page showing details about the VPC peering connection, click the Peer Route tab and view information about the peer route added for the VPC peering connection.
10. On the Peer Route page, locate the target peer route, and click Delete in the Operation column.
11. Click OK in the displayed dialog box.

5.3.11 Deleting a Route from the VPC Peering Route Table

Scenarios

After routes are added for a VPC peering connection, both the local and peer tenants can delete the routes from the VPC peering route table.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click VPC Peering.
4. Locate the target VPC peering connection in the connection list and click the connection name.
5. Locate the row that contains the target route, and click Delete in the Operation column.
6. Click OK in the displayed dialog box.

5.4 Virtual IP Address

5.4.1 Overview

What Is a Virtual IP Address?

A virtual IP address is an IP address that is not allocated to an actual NIC of an ECS. An ECS can have both private and virtual IP addresses, and you can access the ECS through either address. A virtual IP address has the same network access capabilities as a private IP address, including layer 2 and layer 3 communication between VPCs, peering connections between VPCs, and Internet access through EIPs, VPN connections, and Direct Connect connections.

Networking

Virtual IP addresses are used for active and standby switchover of ECSs to achieve high availability. If the active ECS is faulty and cannot provide services, the virtual IP address is dynamically switched to the standby ECS to provide services. This section describes two typical networking modes.

- Networking mode 1: HA mode

Scenario example: If you want to improve service high availability and avoid single points of failure, you can use ECSs that are deployed to work in the active/standby mode or in the one-active-multiple-standby mode. These ECSs use the same virtual IP address. If the active ECS is faulty, the standby ECS takes over services from the active ECS and continues to provide services.

Figure 5-6 Networking diagram of the HA mode


– Bind two ECSs in the same subnet to the same virtual IP address.

– Configure Keepalived for the two ECSs to work in the active/standby mode. For details about Keepalived configurations, see the common configuration methods in the industry.

- Networking mode 2: HA load balancing cluster (direct routing mode)

Scenario example: If you want to build a high-availability load balancing cluster, use Keepalived and make LVS nodes work as direct routers.

Figure 5-7 HA load balancing cluster

– Bind two ECSs to the same virtual IP address.

– Configure the two ECSs to be LVS nodes working as direct routers and configure Keepalived for the two LVS nodes to work in the active/standby mode. The two ECSs function as dispatchers to evenly forward requests to backend servers.

– Configure the other two ECSs as backend servers.

– Disable the source/destination check for the two servers.

For details about the configurations, see the common configuration methods in the industry.

Application Scenarios

- Scenario one: Use an EIP to access the virtual IP address.

Binding an EIP to a virtual IP address is recommended to ensure high availability and provide services through the Internet.

- Scenario two: Use VPN, Direct Connect, or peering connections to access the virtual IP address.

To obtain high availability and access to the Internet, VPN ensures security while Direct Connect ensures stable network performance. VPCs in the same region can communicate with each other using peering connections.


Important Notes

- Virtual IP addresses are not recommended when multiple NICs in the same subnet are configured on the ECS. Otherwise, route conflicts occur on the ECS and virtual IP address communication is abnormal.

- The IP forwarding function must be disabled on the standby ECS. Perform the following operations to confirm whether the IP forwarding function is disabled on the standby ECS:

a. Log in to the standby ECS and run the following command to check whether the IP forwarding function is enabled:

cat /proc/sys/net/ipv4/ip_forward

In the command output, 1 indicates enabled, and 0 indicates disabled. The default value is 0.

– If the command output is 1, perform b and c to disable the IP forwarding function.

– If the command output is 0, no further action is required.

b. Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 0, and enter :wq to save the change and exit. You can also run the sed command to modify the configuration. A command example is as follows:

sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf

c. Run the following command to make the change take effect:

sysctl -p /etc/sysctl.conf

- The virtual IP address can use only the default security group, which cannot be changed to a custom security group.
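The sed one-liner in step b only rewrites an existing, uncommented net.ipv4.ip_forward line; if the key is commented out or absent, the file is left untouched and sysctl -p will not disable forwarding. The following is an added example, not from the guide, written in Python rather than as a shell one-liner so that the file handling can be tested offline; the function names `live_ip_forward`, `disable_ip_forward` and `enforce_on_host` are hypothetical, and the sample sysctl.conf text is constructed.

```python
"""Added example (not from the user guide): check and correct net.ipv4.ip_forward
on the standby ECS. The guide's sed one-liner (s/1/0/g on the ip_forward line)
only works when an uncommented 'net.ipv4.ip_forward = 1' line already exists;
this version also handles a commented-out or missing line and reports the live
kernel value. The sample sysctl.conf text is constructed."""
import re
from pathlib import Path

KEY = "net.ipv4.ip_forward"
SYSCTL_CONF = Path("/etc/sysctl.conf")
IP_FORWARD_PROC = Path("/proc/sys/net/ipv4/ip_forward")

# Matches 'net.ipv4.ip_forward = 1', 'net.ipv4.ip_forward=1' and commented-out variants.
_LINE_RE = re.compile(r"^\s*(?P<comment>#)?\s*net\.ipv4\.ip_forward\s*=\s*(?P<value>\S*)")


def live_ip_forward(proc_text):
    """Interpret /proc/sys/net/ipv4/ip_forward: '1' enabled, '0' disabled (the default)."""
    value = proc_text.strip()
    if value not in ("0", "1"):
        raise ValueError(f"unexpected ip_forward value: {value!r}")
    return value == "1"


def disable_ip_forward(conf_text):
    """Return (new_text, changed) with net.ipv4.ip_forward pinned to 0 in sysctl.conf.

    An active 'net.ipv4.ip_forward = 0' line is kept as is; any other definition
    (value 1, commented out, duplicated) collapses into one active '= 0' line;
    if the key is absent it is appended, so 'sysctl -p' always applies it.
    """
    out, settled, changed = [], False, False
    for line in conf_text.splitlines():
        match = _LINE_RE.match(line)
        if match is None:
            out.append(line)
            continue
        if settled:
            changed = True          # drop duplicate definitions of the key
            continue
        settled = True
        if match.group("comment") is None and match.group("value") == "0":
            out.append(line)        # already disabled: keep the existing line
        else:
            out.append(f"{KEY} = 0")
            changed = True
    if not settled:
        out.append(f"{KEY} = 0")    # key missing: append it
        changed = True
    return "\n".join(out) + "\n", changed


def enforce_on_host(conf_path=SYSCTL_CONF, proc_path=IP_FORWARD_PROC):
    """Apply the fix on a real standby ECS (needs root); run 'sysctl -p' afterwards,
    as the guide's step c says. Returns (forwarding_currently_enabled, file_changed)."""
    new_text, changed = disable_ip_forward(conf_path.read_text())
    if changed:
        conf_path.write_text(new_text)
    return live_ip_forward(proc_path.read_text()), changed


# Constructed sample sysctl.conf, not from the guide.
SAMPLE_CONF = (
    "# Kernel sysctl configuration\n"
    "net.ipv4.ip_forward = 1\n"
    "net.ipv4.conf.all.rp_filter = 1\n"
)

if __name__ == "__main__":
    fixed, changed = disable_ip_forward(SAMPLE_CONF)
    print("changed:", changed)
    print(fixed, end="")
```

Writing the file does not change the running kernel; the live value in /proc is what the standby ECS actually uses, which is why `enforce_on_host` returns it separately and the sysctl -p from step c is still required.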

5.4.2 Assigning a Virtual IP Address

Scenarios

When an ECS requires a virtual IP address or a virtual IP address needs to be reserved, you can assign a virtual IP address from the subnet.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC containing the subnet where a virtual IP address is to be assigned, and click the VPC name.
5. On the Subnet tab, click the name of the subnet where a virtual IP address is to be assigned.
6. Click the Virtual IP Address tab and click Assign Virtual IP Address.
7. Select the virtual IP address assignment mode.
   – Automatic Assignment: The system automatically assigns an IP address.
   – Manual Assignment: You can specify an IP address.
8. If you selected Manual Assignment, enter a virtual IP address.


9. Click OK.

You can then query the assigned virtual IP address in the IP address list.

5.4.3 Binding a Virtual IP Address to an EIP or ECS

Scenarios

You can bind a virtual IP address to an EIP so that the ECSs bound to the same virtual IP address can be accessed from the Internet, improving fault tolerance.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC containing the virtual IP address and click the VPC name.
5. On the Subnet tab, click the name of the subnet to which the virtual IP address belongs.
6. Click the Virtual IP Addresses tab, locate the row that contains the virtual IP address to be bound to an EIP or ECS, and click Bind to EIP or Bind to Server in the Operation column.

7. Select the desired EIP, or ECS and its NIC.

NOTE

- If the ECS has multiple NICs, bind the virtual IP address to the primary NIC of the ECS.
- Multiple virtual IP addresses can be bound to an ECS NIC.

8. Click OK.

5.4.4 Accessing a Virtual IP Address using an EIP

Prerequisites

- You have configured the ECS networking based on Networking and ensured that the ECS has been bound with a virtual IP address.
- An EIP has been assigned.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Elastic IP.
4. Locate the row that contains the EIP to be bound to the virtual IP address, and click Bind in the Operation column.

5. Select the target virtual IP address and click OK.


5.4.5 Using a VPN to Access the Virtual IP Address

Procedure

1. Configure the ECS networking based on Networking.

2. Create a VPN.

The created VPN can access the virtual IP address of the ECS.

5.4.6 Using a Direct Connect Connection to Access the Virtual IP Address

Procedure

1. Configure the ECS networking based on Networking.

2. Create a Direct Connect connection.

The created Direct Connect connection can access the virtual IP address of the ECS.

5.4.7 Using a VPC Peering Connection to Access the Virtual IP Address

Procedure

1. Configure the ECS networking based on Networking.

2. Create a VPC peering connection.

The created VPC peering connection can be used to access the virtual IP address of the ECS.

5.4.8 Disabling Source and Destination Check (HA Load Balancing Cluster Scenario)

1. Log in to the management console.

2. Under Computing, click Elastic Cloud Server.

3. In the ECS list, click the name of the target ECS.

4. On the displayed ECS details page, click the NICs tab.

5. Check that Source/Destination Check is disabled.

5.4.9 Releasing a Virtual IP Address

Scenarios

If you no longer need the virtual IP address or reserved virtual IP address, you can release it to avoid wasting resources.

A virtual IP address that has been bound to an ECS cannot be released.


Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the VPC containing the subnet from which a virtual IP address is to be released, and click the VPC name.
5. On the Subnet tab, click the name of the subnet from which a virtual IP address is to be released.
6. Click the Virtual IP Address tab, locate the row that contains the virtual IP address to be released, click More in the Operation column, and select Release.
7. Click OK in the displayed dialog box.


6 FAQs

6.1 What Is Virtual Private Cloud?

The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving the security of resources in the cloud system and simplifying network deployment.

You can create security groups and Virtual Private Networks (VPNs), configure IP address segments, and specify bandwidth sizes in your VPC. With a VPC, you can manage and configure internal networks and change network configurations, simplifying network management. You can also enhance ECS security by customizing access rules within a single security group or across multiple security groups.

- Have full control over your virtual networks, for example, creating your own network.
- Create security groups to improve your network security.
- Assign elastic IP addresses (EIPs) for use in a VPC, and bind them to ECSs in your VPC to connect the ECSs to the Internet.
- Connect a VPC to your data center using a VPN for smooth application migration to the cloud.
- Communicate with other VPCs using VPC peering connections.


Figure 6-1 VPC components

6.2 Which CIDR Blocks Are Available to the VPC Service?

The VPC service supports the following CIDR blocks:

- 10.0.0.0/8–24
- 172.16.0.0/12–24
- 192.168.0.0/16–24

6.3 Can Subnets Communicate with Each Other?

Subnets belong to VPCs. Subnets in the same VPC can communicate with each other. Subnets in different VPCs cannot communicate with each other by default. However, you can create VPC peering connections to enable subnets in different VPCs to communicate with each other.

6.4 What Subnet CIDR Blocks Are Available?

The subnet CIDR blocks must be included in the VPC CIDR blocks. The VPC CIDR blocks are 10.0.0.0/8–24, 172.16.0.0/12–24, and 192.168.0.0/16–24. The subnet CIDR blocks must be within these CIDR blocks, and the subnet masks of the subnets must range from 16 to 28.
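The two constraints in 6.2 and 6.4 (a VPC block inside one of the three private ranges with a prefix between the range's own length and /24; a subnet inside its VPC with a /16 to /28 mask) are easy to encode and check before submitting a console form. The following is an added example, not code from the guide or the VPC service; `validate_vpc_cidr` and `validate_subnet_cidr` are hypothetical names and the CIDR values in the demo are constructed.

```python
"""Added example (not from the user guide): validate VPC and subnet CIDR blocks
against the ranges the FAQ lists: 10.0.0.0/8-24, 172.16.0.0/12-24 and
192.168.0.0/16-24 for a VPC, and a subnet inside the VPC with a /16 to /28 mask."""
import ipaddress

# (base block, smallest allowed prefix length, largest allowed prefix length), from 6.2
VPC_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
]
SUBNET_MIN_PREFIX, SUBNET_MAX_PREFIX = 16, 28   # from 6.4


def _parse(cidr):
    """Strict parse: '192.168.1.5/24' is rejected because host bits are set."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr!r} is not a valid CIDR block: {exc}") from None


def validate_vpc_cidr(cidr):
    """Return (ok, reason) for a VPC CIDR block."""
    net = _parse(cidr)
    if net.version != 4:
        return False, "only IPv4 CIDR blocks are listed for a VPC"
    for base, low, high in VPC_RANGES:
        if net.subnet_of(base):
            if low <= net.prefixlen <= high:
                return True, f"inside {base} with allowed prefix /{net.prefixlen}"
            return False, f"prefix /{net.prefixlen} is outside /{low}-/{high} allowed for {base}"
    return False, "not inside any of the supported private ranges"


def validate_subnet_cidr(subnet_cidr, vpc_cidr):
    """Return (ok, reason) for a subnet CIDR block inside the given VPC CIDR block."""
    ok, reason = validate_vpc_cidr(vpc_cidr)
    if not ok:
        return False, f"VPC CIDR invalid: {reason}"
    subnet, vpc = _parse(subnet_cidr), _parse(vpc_cidr)
    if subnet.version != vpc.version:
        return False, "subnet and VPC CIDR blocks are different IP versions"
    if not subnet.subnet_of(vpc):
        return False, "subnet is not contained in the VPC CIDR block"
    if not SUBNET_MIN_PREFIX <= subnet.prefixlen <= SUBNET_MAX_PREFIX:
        return False, f"subnet mask /{subnet.prefixlen} is outside /{SUBNET_MIN_PREFIX}-/{SUBNET_MAX_PREFIX}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not from the guide.
    for vpc in ("192.168.0.0/16", "172.32.0.0/16", "10.1.0.0/26"):
        print(vpc, validate_vpc_cidr(vpc))
    for subnet in ("192.168.10.0/24", "192.168.10.0/30", "10.1.0.0/24"):
        print(subnet, "in 192.168.0.0/16", validate_subnet_cidr(subnet, "192.168.0.0/16"))
```

The strict parse matters in practice: a value such as 192.168.1.5/24 is accepted by many tools as shorthand for 192.168.1.0/24, but rejecting it here catches a typo in the host part before it reaches a route or security group rule.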

6.5 How Many Subnets Can I Create?

By default, one tenant can create a maximum of 100 subnets. If the number of subnets does not meet your service requirements, submit a work order to increase the quota.


6.6 What Is the Bandwidth Size Range?

The bandwidth size ranges from 1 Mbit/s to 1000 Mbit/s.

6.7 What Are EIPs?

A public IP address is an IP address that can be used to access the Internet. Private IP addresses are all IP addresses on the local area network (LAN) of the public cloud and cannot exist on the Internet.

An EIP is a static, public IP address. You can bind an EIP to and unbind an EIP from an ECS in your subnet. An EIP enables an ECS in your VPC to communicate with the Internet through a fixed public IP address.

Each EIP can be assigned to only one ECS.

6.8 How Does an ECS Use an EIP?

An EIP is a public IP address that can be dynamically bound to the private IP address of any routed network in a VPC. Before starting an ECS, you can assign a private IP address and a public IP address to the ECS. The public IP address is assigned from the public IP address pool of the VPC and is mapped to the private IP address using Network Address Translation (NAT). After the EIP is released, you can no longer use the public IP address.

6.9 How Many ECSs Can One EIP Be Assigned to?

Each EIP can be assigned to only one ECS.

6.10 How Can I Access an ECS from Another Security Group After an EIP Is Bound to the ECS?

Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default. To allow external access to ECSs in the security group, add an inbound rule to the security group.

You can set Protocol to TCP, UDP, ICMP, or ANY as required.

- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has been configured on the ECS, or the ECS does not need to be accessible over the Internet, set Source IP Address to the IP address segment containing the IP address that is allowed to access the ECS over the Internet.
- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has not been configured on the ECS, it is recommended that you retain the default setting 0.0.0.0/0 for Source, and then set Port Range to improve network security.
- Allocate ECSs that have different Internet access policies to different security groups.


NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.

6.11 What Is a Security Group?

A security group implements access control for ECSs within a security group and between different security groups. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

6.12 Which Protocols Does a Security Group Support?

The protocol used by a security group can be set to TCP, UDP, ICMP, or ANY. ANY indicates that the security group takes effect for all protocols. If the TCP or UDP protocol is selected, configure ports 1 to 65535 for the protocols to access the security group. If the ICMP protocol is selected, you can set the ICMP protocol type. The default value is ANY.

6.13 What Are the Functions of the Default Security Group Rule?

An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external networks. If a security group has no access rules after an ECS is added to the security group, the communication between the ECS and the external network is blocked. The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access external networks. Security groups cannot resolve the problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to the network configuration, they still cannot communicate with each other even if you configure a security group rule to allow the communication between them.

6.14 How Can I Configure Security Group Rules?

Security group rules consist of inbound and outbound rules.

When adding an inbound rule, you can set the source to a security group or CIDR block. If you want to set the source to a security group, you can only select a security group from the same VPC as the destination security group.

When adding an outbound rule, you can set the destination to a security group or CIDR block. If you want to set the destination to a security group, you can only select a security group from the same VPC as the source security group.

ECSs in security groups in different VPCs cannot communicate with one another. To allow them to communicate, bind EIPs to them and configure security group rules.
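Sections 6.10 to 6.14 describe the rule model in prose: rules are matched on direction, protocol, port range and a source or destination given as a CIDR block or as a security group; the default rules admit traffic from members of the same group and let everything out; and anything no rule matches is dropped. The following is an added example, not code from the guide or the VPC service, that models that evaluation and adds the audit 6.10 implies (a 0.0.0.0/0 source should be paired with a narrowed port range); the `Rule` and `Packet` types, the group ID and the sample rules are constructed.

```python
"""Added example (not from the user guide): a small model of how security group
rules in sections 6.10 to 6.14 are evaluated. It encodes the default rule set
(inbound only from members of the same group, outbound to anywhere), allow-list
semantics (no matching rule means the packet is dropped) and an audit for the
case 6.10 warns about: source 0.0.0.0/0 without a narrowed port range.
Group IDs, rules and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                 # "inbound" or "outbound"
    protocol: str                  # "TCP", "UDP", "ICMP" or "ANY"
    port_from: int = 1             # the port range applies to TCP/UDP only
    port_to: int = 65535
    cidr: Optional[str] = None     # remote address range, or ...
    group: Optional[str] = None    # ... remote security group ID (same VPC only)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int                             # destination port (inbound) or remote port (outbound)
    remote_ip: str
    remote_group: Optional[str] = None    # group of the remote ECS when it is in this VPC


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "ANY" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("TCP", "UDP") and not rule.port_from <= pkt.port <= rule.port_to:
        return False
    if rule.group is not None:                 # source/destination given as a group
        return pkt.remote_group == rule.group
    if rule.cidr is not None:                  # source/destination given as a CIDR block
        return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr)
    return False


def default_rules(group_id: str) -> List[Rule]:
    """The default rules described in 6.13."""
    return [Rule("inbound", "ANY", group=group_id),
            Rule("outbound", "ANY", cidr="0.0.0.0/0")]


def is_allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Security groups are allow-lists: traffic passes only if some rule matches."""
    return any(rule_matches(r, pkt) for r in rules)


def audit_wide_open(rules: List[Rule]) -> List[Rule]:
    """Inbound rules that admit every source on every port, the combination 6.10 says to avoid."""
    return [r for r in rules
            if r.direction == "inbound" and r.cidr == "0.0.0.0/0"
            and (r.protocol == "ANY"
                 or (r.protocol in ("TCP", "UDP") and (r.port_from, r.port_to) == (1, 65535)))]


# Constructed sample: a web-server group that keeps the defaults and opens only HTTPS to the Internet.
SG_WEB = "sg-web-0001"   # hypothetical group ID
WEB_RULES = default_rules(SG_WEB) + [Rule("inbound", "TCP", 443, 443, cidr="0.0.0.0/0")]

if __name__ == "__main__":
    for pkt in (Packet("inbound", "TCP", 443, "203.0.113.7"),
                Packet("inbound", "TCP", 22, "203.0.113.7"),
                Packet("inbound", "TCP", 22, "192.168.0.5", SG_WEB),
                Packet("outbound", "UDP", 53, "192.0.2.53")):
        print(pkt, "allowed" if is_allowed(WEB_RULES, pkt) else "dropped")
    print("wide-open inbound rules:", audit_wide_open(WEB_RULES))
```

The ICMP ping test used elsewhere in this guide falls out of the same model: a packet with protocol ICMP from an address outside the group is dropped by `WEB_RULES`, so a connectivity failure between two ECSs is a security group question before it is a routing one.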


6.15 Can I Change the Security Group to Which an ECS Belongs?

Yes. Log in to the ECS console, switch to the page showing ECS details, and change the security group to which the ECS belongs.

6.16 How Many Security Groups Can Each User Have?

Each user can have a maximum of 100 security groups and 5000 security group rules.

When creating an ECS, you can select multiple security groups (no more than five is recommended).

6.17 What Is a Resource Quota?

Quotas are used to limit the number of resources available to users. If the existing resource quota cannot meet your service requirements, you can submit a work order to increase your quota. Once your application is approved, your quota will be updated and a notification will be sent to you.

6.18 How Do I Configure a Remote Device for a VPN?

Due to the symmetry of the tunnel, the VPN parameters configured in the cloud must be the same as those configured in your own data center. If they are different, a VPN connection cannot be established.

To set up a VPN connection, you also need to configure the IPsec VPN on the router or firewall in your own data center. The configuration method may vary depending on your network device in use. For details, see the configuration guide of your network device.

This section describes how to configure the IPsec VPN connection on a Huawei USG6600 series V100R001C30SPC300 firewall for your reference.

In this example, the subnets of the data center are 192.168.3.0/24 and 192.168.4.0/24, the subnets of the VPC are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is X.X.X.X, which can be obtained from the local gateway parameters of the IPsec VPN connection in the VPC.

Procedure

1. Log in to the command-line interface (CLI) of the firewall.
2. Check firewall version information.

display version
17:20:50 2017/03/09
Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)
Copyright (C) 2014-2016 Huawei Technologies Co., Ltd.

3. Create an access control list (ACL) and bind it to the target VPN instance.

acl number 3065 vpn-instance vpn64
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
q

4. Create an IKE proposal.

ike proposal 64
dh group5
authentication-algorithm sha1
integrity-algorithm hmac-sha2-256
sa duration 3600
q

5. Create an IKE peer and reference the created IKE proposal. The peer IP address is X.X.X.X.

ike peer vpnikepeer_64
pre-shared-key ******** (******** specifies the pre-shared key.)
ike-proposal 64
undo version 2
remote-address vpn-instance vpn64 X.X.X.X
sa binding vpn-instance vpn64
q

6. Create an IPsec proposal.

ipsec proposal ipsecpro64
encapsulation-mode tunnel
esp authentication-algorithm sha1
q

7. Create an IPsec policy and reference the IKE policy and IPsec proposal.

ipsec policy vpnipsec64 1 isakmp
security acl 3065
pfs dh-group5
ike-peer vpnikepeer_64
proposal ipsecpro64
local-address xx.xx.xx.xx
q

8. Apply the IPsec policy to the subinterface.

interface GigabitEthernet0/0/2.64
ipsec policy vpnipsec64
q

9. Test the connectivity.

After you perform the preceding operations, you can test the connectivity between your ECSs in the cloud and the hosts in your data center. For details, see the following figure.
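Two things in the procedure above are worth checking mechanically: that every IKE and IPsec parameter on the data-center side mirrors the cloud side (the section opens by saying the tunnel will not come up otherwise), and that the ACL in step 3 has one permit rule for every data-center subnet towards every VPC subnet (rules 1 to 4 are exactly that product for two subnets on each side). The following is an added example, not code from the guide or from Huawei; the `CLOUD_SIDE` values are read off the sample commands in steps 4 to 7, the parameter key names and function names are hypothetical, and the data-center dictionary in the demo is constructed.

```python
"""Added example (not from the user guide): two checks for the remote-device
configuration in 6.18. compare_vpn_params verifies that the data-center side
mirrors the cloud side (the guide: both must be the same or the tunnel does not
come up) and weak_algorithms flags 3des, which Table 6-3 in the FAQ marks as not
recommended; render_acl_rules rebuilds the step-3 ACL body from the subnet lists,
one permit rule per (data-center subnet, VPC subnet) pair. CLOUD_SIDE values come
from the guide's sample commands; the key names are hypothetical."""
import ipaddress
import itertools

# Parameters from the guide's sample (ike proposal 64 / ipsec proposal ipsecpro64 / policy).
CLOUD_SIDE = {
    "ike_version": "v1",              # 'undo version 2'
    "ike_dh_group": "group5",
    "ike_auth_alg": "sha1",
    "ike_integrity_alg": "hmac-sha2-256",
    "ike_sa_duration": 3600,
    "ipsec_encap_mode": "tunnel",
    "ipsec_esp_auth_alg": "sha1",
    "pfs": "dh-group5",
}

NOT_RECOMMENDED = {"3des"}   # per Table 6-3 in the FAQ


def compare_vpn_params(cloud, remote):
    """Return {key: (cloud value, remote value)} for every parameter that differs;
    a key missing on one side is reported against None."""
    return {key: (cloud.get(key), remote.get(key))
            for key in sorted(set(cloud) | set(remote))
            if cloud.get(key) != remote.get(key)}


def weak_algorithms(params):
    """Parameter names whose value the FAQ marks as not recommended."""
    return sorted(k for k, v in params.items() if str(v).lower() in NOT_RECOMMENDED)


def acl_wildcard(cidr):
    """'192.168.3.0/24' -> '192.168.3.0 0.0.0.255': address plus wildcard mask, as the ACL syntax expects."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def render_acl_rules(dc_subnets, vpc_subnets):
    """One numbered permit rule for each data-center subnet towards each VPC subnet."""
    pairs = itertools.product(dc_subnets, vpc_subnets)
    return [f"rule {n} permit ip source {acl_wildcard(src)} destination {acl_wildcard(dst)}"
            for n, (src, dst) in enumerate(pairs, start=1)]


def missing_acl_rules(configured_rules, dc_subnets, vpc_subnets):
    """Rule bodies (rule numbers ignored) that the ACL should contain but does not."""
    body = lambda line: line.split(" ", 2)[2]      # strip 'rule N '
    have = {body(line) for line in configured_rules}
    return [body(line) for line in render_acl_rules(dc_subnets, vpc_subnets)
            if body(line) not in have]


if __name__ == "__main__":
    # Constructed data-center side with one deliberate mismatch.
    dc_side = {**CLOUD_SIDE, "ike_dh_group": "group2"}
    print("mismatches:", compare_vpn_params(CLOUD_SIDE, dc_side))
    print("weak:", weak_algorithms({**CLOUD_SIDE, "ike_encryption": "3des"}))
    rules = render_acl_rules(["192.168.3.0/24", "192.168.4.0/24"],
                             ["192.168.1.0/24", "192.168.2.0/24"])
    print("\n".join(rules))
    print("missing if rule 4 is dropped:",
          missing_acl_rules(rules[:3], ["192.168.3.0/24", "192.168.4.0/24"],
                            ["192.168.1.0/24", "192.168.2.0/24"]))
```

The rendered rules reproduce steps 3's four lines exactly for the subnets given in this section; with more subnets on either side the product grows, and a missing pair shows up as a tunnel that is up but carries no traffic for one subnet, which is a common reason the step-9 connectivity test fails only partially.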


6.19 Which Remote VPN Devices Are Supported?

Most devices that meet IPsec VPN standard and reference protocol requirements can be used as the remote VPN devices, for example, Cisco ASA firewalls, Huawei USG6xxxx series firewalls, USG9xxxx series firewalls, Hillstone firewalls, and Cisco ISR routers. Table 6-1 lists the supported Huawei USG6xxxx and USG9xxxx firewalls.

Table 6-1 Huawei VPN devices

Supported Remote VPN Device: Description

Huawei USG6000 series: USG6320/6310/6510-SJJ, USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570: 2048, USG6620/6630/6650/6660/6670/6680

Huawei USG9000 series: USG9520/USG9560/USG9580

Other devices that meet the requirements in the reference protocols described in section 6.20 What Are the Reference Standards and Protocols for the IPsec VPN? can also be deployed. However, some devices may fail to be added because of inconsistent protocol implementation methods of these devices. If the connection setup fails, rectify the fault by following the instructions provided in section 6.21 What Do I Do If VPN Connection Setup Fails? or contact customer service.


6.20 What Are the Reference Standards and Protocols for the IPsec VPN?

The following standards and protocols are associated with the IPsec VPN:

- RFC 4301: Security Architecture for the Internet Protocol
- RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
- RFC 2409: The Internet Key Exchange (IKE)
- RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
- RFC 3566: The AES-XCBC-MAC-96 Algorithm and Its Use with IPsec
- RFC 3625: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC 3664: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
- RFC 3748: Extensible Authentication Protocol (EAP)
- RFC 3947: Negotiation of NAT-Traversal in the IKE
- RFC 4109: Algorithms for Internet Key Exchange version 1 (IKEv1)
- RFC 3948: UDP Encapsulation of IPsec ESP Packets
- RFC 4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
- RFC 4306: Internet Key Exchange (IKEv2) Protocol
- RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
- RFC 4322: Opportunistic Encryption using the Internet Key Exchange (IKE)
- RFC 4359: The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH)
- RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2)
- RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2)

6.21 What Do I Do If VPN Connection Setup Fails?

1. Check whether the parameters are consistent between the cloud VPN and the peer VPN.


Table 6-2 Basic parameters

Parameter | Description | Example Value
PSK | Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPN in the VPC and that in the data center. | Test@123

Table 6-3 IKE policy

Parameter | Description | Example Value
Authentication Algorithm | Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. | sha1
Encryption Algorithm | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128
DH Algorithm | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. | group5
Version | Specifies the version of the IKE protocol. The value can be v1 or v2. | v1
Lifecycle (s) | Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. | 86,400
Negotiation Mode | If the IKE policy version is v1, the negotiation mode can be configured. The value can be main or aggressive. The default value is main. | main

Table 6-4 IPsec policy

Parameter | Description | Example Value
Authentication Algorithm | Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. | sha1
Encryption Algorithm | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128
DH Algorithm | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. | group5
Transfer Protocol | Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be ah, esp, or ah-esp. | esp
Lifecycle (s) | Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. | 3600

2. Check whether the ACL configurations are correct.

If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL rules for each data center subnet to permit communication with the VPC subnets. The following provides an example of the ACL configuration:

rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
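The two checks above (step 1, parameter consistency; step 2, ACL rules) can be scripted before opening a ticket. The following Python is an added example, not part of the Huawei guide: it compares the IKE and IPsec policy dictionaries of the cloud side and the peer side, reports mismatches and values outside the tables above, flags 3des as the guide does (treating md5 and group2 as weak as well is my own addition), and generates the step 2 ACL rules from the subnet lists using wildcard masks. All sample policies and subnets are constructed.

```python
"""Added example (not from the Huawei guide): check the IKE/IPsec parameters of
step 1 for consistency between the cloud VPN and the peer VPN, and generate the
ACL rules of step 2 from the subnet lists.  All sample values are constructed."""
import ipaddress
from itertools import product

# Accepted values per parameter, taken from Tables 6-3 and 6-4 of the guide.
ALLOWED = {
    "auth": {"sha1", "sha2-256", "sha2-384", "sha2-512", "md5"},
    "enc": {"aes-128", "aes-192", "aes-256", "3des"},
    "dh": {"group2", "group5", "group14"},
    "version": {"v1", "v2"},
    "mode": {"main", "aggressive"},
    "proto": {"ah", "esp", "ah-esp"},
}

# The guide itself flags 3des as risky; md5 and group2 are my own additions
# (assumption: the reviewer also wants MD5 and the 1024-bit DH group reported).
WEAK = {
    "3des": "the guide marks 3des as risky",
    "md5": "MD5 is a deprecated hash",
    "group2": "DH group2 is a 1024-bit MODP group",
}


def check_psk(cloud_psk, peer_psk):
    """Table 6-2: the PSK is 6 to 128 characters and identical on both sides."""
    findings = []
    for side, psk in (("cloud", cloud_psk), ("peer", peer_psk)):
        if not 6 <= len(psk) <= 128:
            findings.append(f"PSK: {side} key length {len(psk)} is outside 6..128")
    if cloud_psk != peer_psk:
        findings.append("PSK: cloud and peer keys differ")
    return findings


def check_policy(cloud, peer, name):
    """Compare one policy (IKE or IPsec) given as two dicts; return a list of findings."""
    findings = []
    for key in sorted(set(cloud) | set(peer)):
        c, p = cloud.get(key), peer.get(key)
        if c != p:
            findings.append(f"{name}: {key} mismatch (cloud={c!r}, peer={p!r})")
        for side, val in (("cloud", c), ("peer", p)):
            if key in ALLOWED and val not in ALLOWED[key]:
                findings.append(f"{name}: {side} {key}={val!r} is not an accepted value")
            if val in WEAK:
                findings.append(f"{name}: {side} {key}={val!r} is weak ({WEAK[val]})")
    return findings


def wildcard(cidr):
    """Render a CIDR as 'network wildcard-mask' (e.g. 192.168.3.0 0.0.0.255)."""
    net = ipaddress.IPv4Network(cidr)
    return f"{net.network_address} {net.hostmask}"


def acl_rules(dc_subnets, vpc_subnets):
    """One permit rule per (data-center subnet, VPC subnet) pair, as in step 2."""
    pairs = product(dc_subnets, vpc_subnets)
    return [
        f"rule {n} permit ip source {wildcard(src)} destination {wildcard(dst)}"
        for n, (src, dst) in enumerate(pairs, start=1)
    ]


# Constructed sample: the peer side was configured with 3des and group2.
CLOUD_IKE = {"auth": "sha1", "enc": "aes-128", "dh": "group5", "version": "v1",
             "mode": "main", "lifetime": 86400}
PEER_IKE = {"auth": "sha1", "enc": "3des", "dh": "group2", "version": "v1",
            "mode": "main", "lifetime": 86400}
CLOUD_IPSEC = {"auth": "sha1", "enc": "aes-128", "dh": "group5", "proto": "esp",
               "lifetime": 3600}


def main():
    findings = (check_psk("Test@123", "Test@123")
                + check_policy(CLOUD_IKE, PEER_IKE, "IKE")
                + check_policy(CLOUD_IPSEC, CLOUD_IPSEC, "IPsec"))
    for f in findings:
        print(f)
    for rule in acl_rules(["192.168.3.0/24", "192.168.4.0/24"],
                          ["192.168.1.0/24", "192.168.2.0/24"]):
        print(rule)


if __name__ == "__main__":
    main()
```

With the sample data the IKE comparison reports the encryption and DH mismatches and the weak peer choices, while the ACL generator reproduces the four rules listed above; the `0.0.0.255` wildcard comes from `hostmask`, so a /23 or /25 data-center subnet produces the correct mask without manual arithmetic.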

6.22 Does a VPN Allow for Communication Between Two VPCs?

If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them.

If the two VPCs are in different regions, you can use a VPN to enable communication between the VPCs. The CIDR blocks of the two VPCs are the local and remote subnets, respectively.

6.23 How Can I Configure a Security Group for Multi-Channel Protocols?

ECS Configuration

Whether the data channel port range can be set depends on the TFTP daemon's configuration file. If your TFTP daemon's configuration file allows the data channel ports to be configured, it is a best practice to configure a small range of ports that no other service listens on.


Security Group Configuration

You can configure both port 69 and the data channel ports used by TFTP in the security group. RFC 1350 specifies that the ports available to TFTP data channels range from 0 to 65535. However, not all of these ports are used by the TFTP daemon processes of different applications. Therefore, you can configure a small range of ports for the TFTP daemon.

The following figure provides an example of the security group rule configuration if the ports used by data channels range from 60001 to 60100.

6.24 Why Cannot I Access Public Websites Through Domain Names or Access Internal Domain Names in the Cloud When My ECS Has Multiple NICs?

When an ECS has more than one NIC, if different DNS server addresses are configured for the subnets used by the NICs, the ECS cannot access public websites or internal domain names in the cloud.

You can rectify this fault by configuring the same DNS server address for the subnets used by the same ECS. You can perform the following steps to modify the DNS server addresses of subnets in a VPC:

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Subnet.
4. In the right pane displayed, view the DNS server addresses of each subnet.
5. Click Modify in the right corner of each subnet and modify the DNS server address in the displayed dialog box.
6. Click OK.

6.25 What Is a Route Table?

A route table contains a set of rules that are used to determine where network traffic is directed. You can add routes to a route table to enable other ECSs in a VPC to access the Internet through the ECS that has a bound EIP.

6.26 Can a Route Table Span Multiple VPCs?

No.


6.27 How Many Routes Can Be Contained in a Route Table?

Currently, a route table can contain 100 routes.

6.28 What Are the Limitations of a Route Table?

- The ECS providing SNAT can have only one NIC.
- The ECS providing SNAT must have the Unbind IP from MAC function enabled.
- The destination of each route in a route table must be unique. The next hop must be a private IP address or a virtual IP address in the VPC. Otherwise, the route table will not take effect.
- If a virtual IP address is set as the next hop in a route table, EIPs bound with the virtual IP address in the VPC will become invalid.

6.29 Does a Route Table Incur Any Charges?

The route table function itself is free of charge. However, you are charged for the ECSs and bandwidth used together with the route table function.

6.30 Do the Direct Connect Connections and Custom Routes in the Same VPC Have Routing Priority Competition?

No. Direct Connect connections and custom routes are used in different scenarios. Therefore, there is no routing priority competition between them.

6.31 What Are the Routing Priorities of the VPN and Custom Routes in the Same VPC?

The routing priority of custom routes and that of VPNs are the same.

6.32 What Are the Limitations of VPC Peering?

- VPC peering connections created between VPCs that have overlapping subnet CIDR blocks may not take effect.
- You cannot have more than one VPC peering connection between the same two VPCs at the same time.
- You cannot create a VPC peering connection between VPCs in different regions.
- VPC peering does not support transitive peering relationships. In a VPC peering connection, your VPC does not have access to any other VPCs that the peer VPC may be peered with. For example, if VPC A is peered with VPC B and VPC B is peered with VPC C, but VPC A and VPC C are not peered, you cannot use VPC B as a transit point for peering between VPC A and VPC C.
- You cannot use the EIPs, VPNs, or Direct Connect connections in one VPC of a VPC peering connection to access resources in the other VPC. For example, if VPC A is peered with VPC B and VPC B has EIPs that can be used to access the Internet, you cannot use the EIPs in VPC B to access the Internet from VPC A.
- To request a VPC peering connection with a VPC of another tenant, the peer tenant must accept the request to activate the connection. If you request a VPC peering connection with a VPC of your own, the system automatically accepts the request to activate the connection.
- After a VPC peering connection is established, the local and peer tenants must add routes in the local and peer VPCs to enable communication between the two VPCs.
- If VPC A is peered with both VPC B and VPC C, and VPC B and VPC C have overlapping CIDR blocks, routes with the same destinations cannot be added in VPC A.
- To ensure security, do not accept VPC peering connections from unknown tenants.
- Either owner of a VPC in a peering connection can delete the VPC peering connection at any time. If a VPC peering connection is deleted by one of its owners, all information about this connection will be automatically deleted immediately, including routes added for the VPC peering connection.
- Currently, the route table of a VPC takes effect for all subnets in the VPC. You cannot add a route table dedicated to a specific subnet. The route preference is as follows: direct route > VPC peering connection route > custom route.
- If two VPCs in a VPC peering connection have overlapping CIDR blocks, the peering connection can only enable communication between two subnets in the two VPCs. If subnets in the two VPCs in a VPC peering connection have overlapping CIDR blocks, the peering connection does not take effect. To create a VPC peering connection, ensure that the two VPCs involved do not contain overlapping subnets.
- You cannot delete a VPC for which VPC peering connection routes have been configured.

6.33 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other?

1. Check whether a VPC peering connection has been successfully created for the two VPCs. Confirm the IDs of the VPCs in the VPC peering connection.
2. Check whether routes that point to the CIDR block (or a portion of the CIDR block) of the other VPC have been configured.
3. Check whether the routes configured for the VPC peering connection are correct. If VPCs in a VPC peering connection have overlapping CIDR blocks, you can only add routes to enable communication between two subnets in the two VPCs.
4. Check whether the VPCs in the VPC peering connection contain overlapping subnets.
5. Check whether the required security group rules have been configured for the ECSs that need to communicate with each other, and whether restriction rules have been added to the iptables or firewall used by the ECSs.
6. If a message indicating that this route already exists is displayed when you add routes for a VPC peering connection, check whether the route's destination IP addresses of the VPN and VPC peering connection already exist.
7. If the route's destination IP addresses of a VPC peering connection overlap with those of a VPN, the route may be invalid.
8. If VPCs in a VPC peering connection cannot communicate with each other after all these possible faults have been rectified, contact customer service.
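Steps 2 to 4 above and the overlap rules in section 6.32 can be checked offline before the peering request is sent. The following Python is an added example, not part of the Huawei guide: given each VPC's CIDR and subnet list, it reports overlapping subnets (which make the peering ineffective), works out the route destinations each tenant must add (whole CIDRs when the VPCs are disjoint, one subnet pair when the VPC CIDRs overlap), and checks the planned destinations against existing routes for the "route already exists" case of step 6 and the VPN overlap of step 7. The VPC names, CIDRs and route types are constructed.

```python
"""Added example (not from the Huawei guide): pre-check a planned VPC peering
connection for overlapping subnets, plan the routes both sides must add, and
detect conflicts with existing routes.  All VPC data below is constructed."""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def overlapping_subnets(local_subnets, peer_subnets):
    """(local, peer) subnet pairs that overlap; any hit means the peering will not take effect."""
    return [(a, b) for a in local_subnets for b in peer_subnets
            if _net(a).overlaps(_net(b))]


def plan_peering_routes(local, peer, subnet_pair=None):
    """local/peer: {"cidr": ..., "subnets": [...]}.  Returns the destinations each
    side must add (both tenants add routes, per 6.32).  When the VPC CIDRs overlap
    but the subnets do not, the guide allows communication between one pair of
    subnets only; the caller names it as subnet_pair=(local_subnet, peer_subnet)."""
    if overlapping_subnets(local["subnets"], peer["subnets"]):
        return {"ok": False,
                "reason": "subnets overlap; peering connection will not take effect",
                "local_routes": [], "peer_routes": []}
    if _net(local["cidr"]).overlaps(_net(peer["cidr"])):
        if subnet_pair is None:
            return {"ok": False,
                    "reason": "VPC CIDRs overlap; choose one local/peer subnet pair",
                    "local_routes": [], "peer_routes": []}
        local_subnet, peer_subnet = subnet_pair
        return {"ok": True, "reason": "VPC CIDRs overlap; routing one subnet pair",
                "local_routes": [peer_subnet], "peer_routes": [local_subnet]}
    return {"ok": True, "reason": "VPC CIDRs are disjoint; routing whole CIDRs",
            "local_routes": [peer["cidr"]], "peer_routes": [local["cidr"]]}


def route_conflicts(new_destinations, existing_routes):
    """existing_routes: {destination: route_type}.  An identical destination is
    rejected by the console ('route already exists', step 6); a destination that
    overlaps a VPN route may be invalid (step 7)."""
    findings = []
    for dest in new_destinations:
        for existing, rtype in existing_routes.items():
            if _net(dest) == _net(existing):
                findings.append(f"{dest}: route already exists ({rtype})")
            elif rtype == "vpn" and _net(dest).overlaps(_net(existing)):
                findings.append(f"{dest}: overlaps VPN route {existing}; route may be invalid")
    return findings


# Constructed sample VPCs.
VPC_A = {"cidr": "192.168.0.0/16", "subnets": ["192.168.1.0/24", "192.168.2.0/24"]}
VPC_B = {"cidr": "172.16.0.0/16", "subnets": ["172.16.1.0/24"]}
VPC_C = {"cidr": "192.168.0.0/16", "subnets": ["192.168.10.0/24"]}


def main():
    print(plan_peering_routes(VPC_A, VPC_B))
    print(plan_peering_routes(VPC_A, VPC_C, ("192.168.1.0/24", "192.168.10.0/24")))
    # Existing VPN route in VPC A that the planned peering destination would overlap.
    print(route_conflicts(["172.16.1.0/24"], {"172.16.0.0/16": "vpn"}))


if __name__ == "__main__":
    main()
```

Run the planner on both VPCs before requesting the connection, then feed each side's planned destinations through `route_conflicts` with that VPC's current route table; a non-empty result explains the console error of step 6 or the silently invalid route of step 7 without waiting for the connectivity test to fail.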

6.34 How Many VPC Peering Connections Can I Have?

A tenant can have a maximum of 50 VPC peering connections in one region. Accepted VPC peering connections consume the quota of both owners of a VPC peering connection. A VPC peering connection consumes the quota of only the requester (tenant of the local VPC).

6.35 How Many Routes Can Be Added for a VPC?

By default, a maximum of 100 routes can be added for a VPC. The routes include those added for Direct Connect connections, custom routes, and VPC peering connections.

6.36 What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet?

The priority of an EIP is higher than that of a custom route.

6.37 Does a Security Group Rule Immediately Take Effect for Its Original Traffic After Being Modified?

No. After a security group rule is modified, the new rule may not immediately take effect for its original traffic. Users need to interrupt the original traffic for about 120 seconds for the new rule to take effect for the traffic.

6.38 What Can I Do If a Subnet Cannot Be Deleted Because It Is Used by Other Resources?

The VPC service allows you to create private, isolated virtual network environments. In a VPC, you can manage private IP address segments, subnets, route tables, and network gateways. ECSs, BMSs, databases, and some other applications use secure networks created in VPCs.

Subnets in a VPC cannot be deleted if the subnets are used by the following resources:

- ECS
- BMS
- CCE cluster
- RDS instance
- MRS cluster
- Elastic load balancer
- VPN
- Private IP address
- Custom route

Check whether the subnet is used by the preceding resources. If yes, delete all resources in the subnet and then delete the subnet.

6.39 Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict?

Security group rules use the whitelist mechanism. If multiple security group rules conflict, the union of these rules takes effect.


A Change History

Release Date | What's New
2018-08-15 | This issue is the first official release.
