Service Overview - HUAWEI CLOUD€¦ · solutions, see 3 Application Scenarios. VPC Peering allows two VPCs in the same region to communicate with each other using private IP addresses

Virtual Private Cloud

Service Overview

Issue 39

Date 2020-03-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: https://www.huawei.com

Email: [email protected]

Issue 39 (2020-03-30) Copyright © Huawei Technologies Co., Ltd. i

https://www.huawei.com

mailto:[email protected]

Contents

1 What Is Virtual Private Cloud?.............................................................................................1

2 Product Advantages................................................................................................................ 4

3 Application Scenarios............................................................................................................. 7

4 Functions................................................................................................................................. 13

5 Usage Restrictions.................................................................................................................19

6 VPC and Other Services....................................................................................................... 22

7 Billing....................................................................................................................................... 24

8 Permissions Management................................................................................................... 29

9 Basic Concepts........................................................................................................................339.1 Subnet....................................................................................................................................................................................... 339.2 Elastic IP Address.................................................................................................................................................................. 339.3 Route Table............................................................................................................................................................................. 349.4 Security Group....................................................................................................................................................................... 389.5 VPC Peering Connection..................................................................................................................................................... 399.6 Network ACL.......................................................................................................................................................................... 409.7 Virtual IP Address..................................................................................................................................................................439.8 Layer 2 Connection Gateway............................................................................................................................................ 459.9 Region and AZ....................................................................................................................................................................... 45

Virtual Private CloudService Overview Contents

Issue 39 (2020-03-30) Copyright © Huawei Technologies Co., Ltd. ii

1 What Is Virtual Private Cloud?

OverviewThe Virtual Private Cloud (VPC) service enables you to provision logically isolated,configurable, and manageable virtual networks for cloud servers, cloud containers,and cloud databases, improving cloud service security and simplifying networkdeployment.

You can create security groups and VPNs, configure IP address ranges, and specifybandwidth sizes in your VPC. With a VPC, you can configure and manage thenetworks within the VPC, making changes to these networks as needed, quicklyand securely. You can also define rules for communication between ECSs in thesame security group or in different security groups.

VPC uses network virtualization technologies, such as link redundancy, distributedgateway clusters, and multi-AZ deployment, to ensure network security, stability,and availability.

Product ArchitectureThe product architecture consists of the VPC components, security features, andVPC connectivity options.

Virtual Private CloudService Overview 1 What Is Virtual Private Cloud?

Issue 39 (2020-03-30) Copyright © Huawei Technologies Co., Ltd. 1

Figure 1-1 Architecture

VPC components

Each VPC consists of a private CIDR block, route tables, and at least one subnet.

● Private CIDR block: When creating a VPC, you need to specify the private CIDRblock used by the VPC. The VPC service supports the following CIDR blocks:10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 –192.168.255.255

● Subnet: Cloud resources, such as ECSs and databases, must be deployed insubnets. After a VPC is created, you need to divide the VPC into one or moresubnets. The subnet CIDR block must be within the private CIDR block. Fordetails, see 9.1 Subnet.

● Route table: When you create a VPC, the system automatically generates adefault route table. The route table ensures that all subnets in the VPC cancommunicate with each other. If the routes in the default route table cannotmeet application requirements (for example, an ECS without an EIP boundneeds to access the Internet), you can create a custom route table. For moreinformation, see Example Custom Route in a VPC and Example CustomRoute Outside a VPC.

Secure Features

Security groups and network ACLs are used to ensure the security of cloudresources deployed in a VPC. A security group acts as a virtual firewall to providesaccess rules for cloud resources that have the same security protectionrequirements and are mutually trusted in a VPC. For more information, seeSecurity Group Overview. You can associate subnets that have the same trafficcontrol requirements with the same network ACL. You can add inbound andoutbound rules to precisely control inbound and outbound traffic at the subnetlevel. For more information, see Network ACL Overview.

VPC Connectivity



https://support.huaweicloud.com/en-us/usermanual-vpc/route_0002.html



https://support.huaweicloud.com/en-us/usermanual-vpc/en-us_topic_0073379079.html

https://support.huaweicloud.com/en-us/usermanual-vpc/acl_0001.html

HUAWEI CLOUD provides multiple VPC connectivity options to meet diverserequirements. For details about the application scenarios and connectivitysolutions, see 3 Application Scenarios.

● VPC Peering allows two VPCs in the same region to communicate with eachother using private IP addresses.

● Elastic IP or NAT Gateway allows ECSs in a VPC to communicate with theInternet.

● VPN, Cloud Connect, Direct Connect, or Layer 2 Connection Gateway canconnect a VPC to your data center.

Accessing the VPCYou can access the VPC service through the management console or using HTTPS-based APIs.● Management console

You can use the console to perform operations on VPC resources directly. Toaccess the VPC service, log in to the management console and select VirtualPrivate Cloud from the console homepage.

● APIIf you need to integrate the VPC service provided by the cloud system into athird-party system for secondary development, you can use an API to accessthe VPC service. For details, see the Virtual Private Cloud API Reference.



https://console.huaweicloud.com/console/?region=cn-north-1#/home

https://support.huaweicloud.com/en-us/api-vpc/en-us_topic_0173364201.html

2 Product Advantages

Flexible Configuration

You can create VPCs, add subnets, specify IP address ranges, and configure DHCPand route tables. You can configure the same VPC for ECSs that are in differentavailability zones (AZs).

Secure and Reliable

Each VPC is completely logically isolated from other VPCs using the tunnelingtechnology. By default, different VPCs cannot communicate with each other.Network access control lists (ACLs) are provided to protect subnets, and securitygroups are provided to protect ECSs. The network ACLs and security groups addadditional layers of security to your VPC, making your network very secure.

Figure 2-1 Secure and Reliable

Interconnectivity

By default, instances in a VPC cannot access the Internet. You can leverage elasticIP addresses (EIPs), Elastic Load Balance (ELB) functions, NAT gateways, VirtualPrivate Network (VPN) connections, and Direct Connect connections to enableaccess to or from the Internet.

Virtual Private CloudService Overview 2 Product Advantages


By default, instances in two VPCs cannot communicate with each other. You cancreate a VPC peering connection to enable the instances in the two VPCs tocommunicate with each other using private IP addresses.

To establish network communication between the cloud and on-premisesnetworks, Layer 2 Connection Gateway allows you to migrate data center orprivate cloud services to the cloud without changing subnets.

Multiple connectivity options are provided to meet enterprises' diverse servicerequirements for the cloud, to allow you to deploy enterprise applications withease, and to lower enterprise IT operation and maintenance (O&M) costs.

Figure 2-2 Interconnectivity

High-Speed AccessDynamic BGP is used to provide access to various carrier networks. For example,up to 21 dynamic BGP connections are established to multiple carriers. Thedynamic BGP connections enable real-time failover based on the preset routingprotocols, ensuring high network stability, low network latency, and smooth accessto services on the cloud.

Advantage ComparisonTable 2-1 lists the advantages of a VPC over a traditional IDC.



Table 2-1 Comparison Between a VPC and a Traditional IDC

Item VPC Traditional IDC

Deployment cycle

● You do not need to performcomplex engineeringdeployment, such asengineering planning andcabling.

● You can determine yournetworks, subnets, and routeson HUAWEI CLOUD based onservice requirements.

You need to set up networks andperform tests. The entire processtakes a long time and requiresprofessional technical support.

Totalcost

HUAWEI CLOUD networkservices provide multiple flexiblebilling modes. In addition, youdo not need to pay for upfrontcosts and network O&M costs,lowering TCO.

You need to invest heavily inequipment rooms, power supply,construction, and hardwarematerials. You also needprofessional O&M teams toensure network security. Assetmanagement costs increase withbusiness changes.

Flexibility

HUAWEI CLOUD providesmultiple network services. Youcan select services as required.When more network resources(such as bandwidth) arerequired for servicedevelopment, dynamicexpansion can be performedconveniently and quickly.

Service deployment must strictlycomply with the network plan.When service requirementschange, the network cannot bedynamically adjusted.

Security VPCs are logically isolated fromeach other. Security features andservices, such as network ACLs,security groups, and AdvancedAnti-DDoS (AAD), are used tosecure cloud resources.

The network is difficult tomaintain and has poor security.Therefore, professional networksecurity personnel are required.



3 Application Scenarios

Dedicated Networks on Cloud

Scenario

Each VPC represents a private network and is logically isolated from other VPCs.You can deploy your service system on HUAWEI CLOUD to build a private networkenvironment on the cloud. If you have multiple service systems, for example, theproduction environment and the test environment, you can use VPCs to isolate thesystems. If two VPCs need to communicate with each other, you can create a VPCpeering connection between the them.

Related Services

ECS

Figure 3-1 Dedicated networks on cloud

Web application or website hosting

Scenario

You can host web applications and websites in a VPC and use the VPC as a regularnetwork. With EIPs or NAT gateways, you can connect ECSs to the Internet for

Virtual Private CloudService Overview 3 Application Scenarios


running web applications deployed on the ECSs. With the load balancers providedby the ELB service, you can evenly distribute access traffic across multiple ECSs.

Cloud resources in a VPC can use the following cloud services to connect to theInternet.

Table 3-1 Accessing the Internet

CloudService

ApplicationScenario

Description Related Operations

EIP SingleECSaccessestheInternet.

You can assign an EIP and bind itto an ECS so that the ECS canaccess the Internet or provideservices accessible from theInternet.An EIP can be bound to orunbound from an ECS.Shared bandwidth and shareddata packages can be used tolower costs.

Setting Up an IPv4Network

NATGateway

MultipleECSsshare anEIP toaccesstheInternet.

A NAT gateway offers both sourcenetwork address translation(SNAT) and destination networkaddress translation (DNAT). SNATallows multiple ECSs in the sameVPC to share one or more EIPs toaccess the Internet. It reducesmanagement costs and preventsthe ECS EIPs from being exposedto the Internet. DNAT canimplement port-level dataforwarding. It maps EIP ports toECS ports so that the ECSs in aVPC can share the same EIP andbandwidth and provide Internet-accessible services. But DNAT doesnot balance traffic.

Using SNAT toAccess the InternetUsing DNAT toProvide ServicesAccessible fromthe Internet



https://support.huaweicloud.com/en-us/qs-vpc/en-us_topic_0017816228.html


https://support.huaweicloud.com/en-us/qs-natgateway/en-us_topic_0087895790.html


https://support.huaweicloud.com/en-us/qs-natgateway/nat_qs_0007.html




CloudService

ApplicationScenario


ELB Use loadbalancersprovidedby theELBservice toevenlydistributeaccesstrafficacrossmultipleECSs inhigh-concurrencyscenarios, such ase-commerce.

Load balancers distribute traffic tomultiple backend ECSs, balancingthe load on each ECS (at Layer 4or Layer 7). You can bind EIPs toECSs to allow the access from theInternet.ELB expands the servicecapabilities of your applicationsand improves availability byeliminating single points offailures.

What Is ElasticLoad Balance?

Related Services

ECS, EIP, NAT Gateway, and ELB

Figure 3-2 Web application or website hosting

Web Application Access ControlScenario



https://support.huaweicloud.com/en-us/productdesc-elb/en-us_topic_0015479966.html


You can create a VPC and security groups to host multi-tier web applications indifferent security zones. You can associate web servers and database servers withdifferent security groups and configure different access control rules for securitygroups. You can launch web servers in a publicly accessible subnet, but rundatabase servers in subnets that are not publicly accessible. This arrangementensures high security.

Related Services

ECS

Figure 3-3 Web application access control

VPC Connectivity Options

Scenario

You can use the following cloud products to allow two VPCs to communicate witheach other.

Table 3-2 Connecting VPCs

CloudService

ApplicationScenario


VPCPeering

ConnectVPCs inthe sameregion.

You can request a VPC peeringconnection with another VPC inyour account or in anotheraccount, but the two VPCs mustbe in the same region. VPCpeering connections are free.

Creating a VPCPeering Connectionwith Another VPCin Your AccountCreating a VPCPeering Connectionwith a VPC inAnother Account











CloudService

ApplicationScenario


CloudConnect(CC)

ConnectVPCs indifferentregions.

Cloud Connect allows you toconnect two VPCs in the sameaccount or in different accountseven they are in different regions.

CommunicationBetween VPCsAcross Regions

VPN Use VPNtoconnectVPCsacrossregionsat a lowcost.

VPN uses an encryptedcommunications tunnel toconnect VPCs in different regionsand sends traffic over theInternet. It is inexpensive, easy toconfigure, and easy to use.However, the VPN connection willbe affected by the Internetquality.

Connecting to aVPC Through aVPN

Related Services

ECS, CC, and VPN

Figure 3-4 VPC connectivity options

Hybrid Cloud DeploymentScenario

For a user who has built their own local Internet data center (IDC), the user doesnot need to migrate all of their business to the cloud. It may be more appropriateto connect their VPC to the IDC by constructing a hybrid cloud.



https://support.huaweicloud.com/en-us/qs-cc/cc_02_0201.html



https://support.huaweicloud.com/en-us/bestpractice-vpn/vpn_05_0001.html



Table 3-3 Connecting to an IDC

CloudService

ApplicationScenario

Description RelatedOperations

VPN Use VPNtoconnect aVPC to alocal IDCwith alow cost.

VPN uses an encryptedcommunications tunnel toconnect a VPC on the cloud to alocal IDC and sends traffic overthe Internet. It is inexpensive,easy to configure, and easy touse. However, the VPNconnection will be affected by theInternet quality.

Connecting to aVPC Through aVPNLayer 2ConnectionGateway

DirectConnect

Use aphysicaldedicatedconnection toconnect aVPC to alocal IDC.

Direct Connect provides physicaldedicated connections betweenVPCs and local data centers. Ithas the advantages of lowlatency and is very secure. DirectConnect is appropriate whenthere are strict requirements onnetwork transmission quality.

Accessing MultipleVPCs Using aConnectionLayer 2ConnectionGateway

CloudConnect(CC)

Connect alocal IDCto a VPCindifferentregions.

Cloud Connect allows the loadingof Direct Connect virtualgateways to a created CloudConnect connection,interconnecting a local IDC with aVPC across regions.

CommunicationBetween VPCs ofthe Same AccountCommunicationBetween DataCenters and VPCsin DifferentRegions

Related Services

ECS, Direct Connect, CC, and VPN

Figure 3-5 Hybrid cloud deployment






https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_l2cg_0001.html



https://support.huaweicloud.com/en-us/bestpractice-dc/dc_05_0004.html














4 Functions

Table 4-1 lists the common VPC functions.

Before using the VPC, you are advised to learn basic concepts, such as subnets,route tables, security groups, and EIPs, to better understand the functions providedby the VPC service.

Table 4-1 Common VPC functions

Category Function Description

VPC andSubnet

VPC A VPC provides an isolated virtual network foryour cloud resources. You can configure andmanage the network as required.HUAWEI CLOUD allows you to create VPCs,modify basic information about VPCs, deleteVPCs, and export the VPC list.For details, see Creating a VPC.

Subnet A subnet is a network plane for managingcloud resources in a VPC. All cloud resourcesmust be deployed in a subnet.HUAWEI CLOUD allows you to create subnets,modify subnet information, and delete subnets.For details, see Creating a VPC.

Virtual Private CloudService Overview 4 Functions





Route Table A route table contains routes, which are usedto determine where traffic is directed.When you create a VPC, the systemautomatically creates a default route table. Theroute table ensures that all subnets in the VPCcan communicate with each other. You can alsoadd custom routes to control where traffic isdirected.HUAWEI CLOUD allows you to add, query,modify, and delete routes.For details, see Route Table Overview.In some regions, you can visit the route tablemodule directly from the navigate pane on theleft of the network console. You can associatesubnets with a route table to facilitate flexibleroute management. For details, see RouteTable (Decoupled).

Virtual IPAddress

A virtual IP address is not allocated to anactual ECS NIC. An ECS can have both privateand virtual IP addresses, and you can accessthe ECS through either one. In addition, thevirtual IP address has the same network accesscapability as the private IP address. Virtual IPaddresses are used for high availability as theymake active/standby ECS switchover possible.HUAWEI CLOUD allows you to assign virtual IPaddresses, delete virtual IP addresses, bind anEIP or ECS to a virtual IP address, and access avirtual IP address through an EIP, a VPN, aDirect Connect connection, or a VPC peeringconnection.For details, see Virtual IP Address Overview.

IPv4 andIPv6 Dual-StackNetwork(OBT)

IPv4 and IPv6 dual stack allows your resourcesto use both the IPv4 and IPv6 addresses forprivate and public network communication.HUAWEI CLOUD supports the IPv4/IPv6 dualstack. You can create an IPv4/IPv6 dual-stacknetwork or add an IPv6 subnet to an existingVPC to form a dual-stack network.For details, see IPv4 and IPv6 Dual-StackNetwork (OBT).




https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_route01_0001.html

https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_route01_0001.html

https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_vip_0001.html

https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_0002.html

https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_0002.html


VPC FlowLog

A VPC flow log records information about thetraffic going to and from a VPC. VPC flow logshelp you monitor network traffic, analyzenetwork attacks, and determine whethersecurity group and network ACL rules requiremodification.HUAWEI CLOUD allows you to create, view,enable, disable, and delete VPC flow logs.For details, see VPC Flow Log Overview.

Access Control SecurityGroup

A security group is a collection of accesscontrol rules for ECSs that have the samesecurity protection requirements and aremutually trusted within a VPC. After a securitygroup is created, you can create differentaccess rules for the security group, these ruleswill apply to any ECS that is added to thissecurity group.HUAWEI CLOUD allows you to create, deletesecurity groups, add, quickly add multiplesecurity group rules, replicate security grouprules, modify, delete, import or export securitygroup rules, view the security group of an ECS,change the security group of an ECS, and addcloud resources to or remove them from asecurity group.For details, see Security Group Overview.

Network ACL A network ACL is an optional layer of securityfor your subnets. You associate one or moresubnets with a network ACL. The network ACLcan help you control traffic in and out of thesubnets.HUAWEI CLOUD allows you to create, view,modify, delete, enable, disable network ACLs,associate subnets with or disassociate themfrom network ACLs, add, modify, change thesequence of, enable, disable, and deletenetwork ACL rules.For details, see Network ACL Overview.



https://support.huaweicloud.com/en-us/usermanual-vpc/FlowLog_0002.html


https://support.huaweicloud.com/en-us/usermanual-vpc/acl_0001.html


EIP andBandwidth

EIP An EIP is a public IP address that can beaccessed directly over the Internet. An EIPconsists of a public IP address and someamount of public network egress bandwidth.You can bind EIPs to or unbind them fromcloud resources.HUAWEI CLOUD allows you to assign EIPs,bind EIPs to cloud resources, unbind EIPs fromcloud resources, release EIPs, modify EIPbandwidth, and upgrade static BGP to dynamicBGP.For details, see EIP Overview.

SharedBandwidth

Shared bandwidth allows multiple EIPs to sharethe same bandwidth. All ECSs, BMSs, and loadbalancers that have EIPs bound in a region canuse the same bandwidth.HUAWEI CLOUD allows you to assign, modify,delete a shared bandwidth, add EIPs to ashared bandwidth, and remove EIPs from ashared bandwidth.For details, see Shared Bandwidth Overview.

Shared DataPackage

A shared data package is a traffic package thatis easy to use and cost-effective. A shared datapackage takes effect immediately after youpurchase it. The shared data package offsetsthe traffic fees of the pay-per-use EIPbandwidth billed by traffic until the traffic inthe package is used up or the package expires.For details, see Shared Data PackageOverview.

BandwidthAdd-OnPackage

A bandwidth add-on package is used totemporarily increase the maximum shared ordedicated bandwidth of a yearly/monthly EIP.HUAWEI CLOUD allows you to purchase,modify, and unsubscribe from bandwidth add-on packages.For details, see Bandwidth Add-On PackageOverview.




https://support.huaweicloud.com/en-us/usermanual-vpc/vpc010004.html

https://support.huaweicloud.com/en-us/usermanual-vpc/traffic_0002.html

https://support.huaweicloud.com/en-us/usermanual-vpc/traffic_0002.html

https://support.huaweicloud.com/en-us/usermanual-vpc/bandwidthpk_0002.html

https://support.huaweicloud.com/en-us/usermanual-vpc/bandwidthpk_0002.html


ResourceInterconnection

VPC PeeringConnection

A VPC peering connection is a networkconnection between two VPCs. A VPC peeringconnection allows two VPCs communicate witheach other using private IP addresses as if theywere in the same VPC. You can create a VPCpeering connection between your own VPCs, orbetween your VPC and a VPC of anotheraccount within the same region. A VPC peeringconnection between VPCs in different regionswill not take effect.HUAWEI CLOUD allows you to create a VPCpeering connection with another VPC in youraccount or with a VPC in another account. Youcan also view, modify, and delete VPC peeringconnections.For details, see Creating a VPC PeeringConnection.

Layer 2ConnectionGateway

A Layer 2 connection gateway (L2CG) is avirtual tunnel gateway that works with a DirectConnect or VPN connection to establishnetwork communication between the cloudand on-premises networks. The gateway allowsyou to migrate data center or private cloudservices to the cloud without changing subnetsand IP addresses.HUAWEI CLOUD allows you to buy, query,modify, and delete L2CGs, and create, query,and delete Layer 2 connections.For details, see Layer 2 Connection Gateway.

Monitoring ViewingMetrics

After the VPC service becomes available to you,you can view the bandwidth and EIP usagethrough Cloud Eye, create and set alarm rules,and customize the monitored objects andnotification policies without adding plug-ins.For details, see Supported Metrics.

Auditing ViewingAudit Logs

With CTS, you can record operations performedon the VPC service for further query, audit, andbacktrack purposes.HUAWEI CLOUD allows you to view and exportoperation records of the last seven days on theCTS console.For details, see Supported VPC Operations.

Tag TagManagement

Tags help you identify and manage cloudresources. HUAWEI CLOUD allows you tomanage the tags of VPCs, subnets, and EIPs.









Permissions PermissionsManagement

You can use Identity and Access Management(IAM) to implement fine-grained permissionsmanagement for your VPCs, allowingenterprises to set different access permissionsbased on organizations and responsibilities.HUAWEI CLOUD allows you to create a user,grant permissions to the user, and createcustom VPC policies.For details, see Permissions Management.



https://support.huaweicloud.com/en-us/usermanual-vpc/permission_0003.html

5 Usage Restrictions

VPCTable 5-1 lists the quotas for VPC resources per region for your cloud account.

Table 5-1 VPC resource quotas

Resource DefaultQuota

How to Increase Quota

VPCs per account 5 Submit a service ticket.

Subnets per account 100 Submit a service ticket.

Security groups per account 100 Submit a service ticket.

Security group rules peraccount

5000 Submit a service ticket.

Routes per route table 100 This quota cannot be increased.

Routes per VPC 100 This quota cannot be increased.

VPC peering connections perregion

50 This quota cannot be increased.

Network ACLs per region 200 Submit a service ticket.

Layer 2 connection gatewaysper account

5 Submit a service ticket.

● It is recommended that a network ACL contain no more than 20 rules. Otherwise, theperformance of the network ACL may deteriorate.

● By default, each account can create only one Layer 2 connection gateway during theopen beta test.

Virtual Private CloudService Overview 5 Usage Restrictions


EIP● Each EIP can be used by only one cloud resource at a time. The EIP and the

cloud resource must be in the same region.● A maximum of 20 EIPs can be assigned in each cloud account. If you need

more EIPs, submit a service ticket to request quota increase.● You can only bind an EIP that is not bound to any resource.● If your EIP is billed by bandwidth, the bandwidth upper limit is 2000 Mbit/s. If

you need more bandwidth, submit a service ticket or contact your accountmanager.

● If your EIP is billed by traffic, the bandwidth upper limit is 300 Mbit/s.● You cannot bind or unbind frozen EIPs. (For example, EIPs may be frozen if

unexpected operations are performed or your account balance is insufficient.)● To request quota increase, your account must have valid orders and

continuously used cloud service resources. If your account has releasedresources immediately after subscription for multiple times, your request forquota increase will be rejected.

● If you have increased EIP quota but the quota has not been used for a longtime, HUAWEI CLOUD will reduce the quota to the default value. To increasethe quota, you can submit a service ticket.

● If you use the HUAWEI CLOUD EIP resources in violation of applicable lawsand regulations, HUAWEI CLOUD has the right to reclaim the EIP resourcesand stop providing services for you.

Bandwidth● Only pay-per-use EIPs can be added to a shared bandwidth.● Shared bandwidths can be billed by bandwidth or 95th percentile bandwidth

(enhanced). If the bandwidth billing option is used, the minimum sharedbandwidth that can be purchased is 5 Mbit/s. If the enhanced 95th percentilebandwidth billing option is used, the minimum shared bandwidth that can bepurchased is 300 Mbit/s.

● A maximum of pay-per-use 20 EIPs can be added to a shared bandwidth. Toadd more EIPs to a shared bandwidth, submit a service ticket to request quotaincrease.

● Each account can have a maximum of 5 shared bandwidths. If you need moreshared bandwidths, submit a service ticket to request quota increase.

● For a yearly/monthly bandwidth, you can only increase the bandwidth sizewithin the bandwidth validity period. To decrease the bandwidth size, you canspecify a smaller bandwidth size when renewing the bandwidth (after thecurrent bandwidth expires).

● The public cloud only charges for the bandwidth in the outbound direction. Ifthe bandwidth in the outbound direction is less than 100 Mbit/s, thebandwidth in the inbound direction is 100 Mbit/s. If the bandwidth in theoutbound direction is greater than 100 Mbit/s, the bandwidth in the inbounddirection is the same as that in the outbound direction.



● The inbound direction refers to the traffic from the Internet to the cloud, and theoutbound direction refers to the traffic from the cloud to the Internet.

● If the enhanced 95th percentile bandwidth billing is used, the bandwidth is billed basedon the average bandwidth in the inbound and outbound directions.

Shared Data Package● A shared data package takes effect only for bandwidth billed by traffic. Two

types of shared data packages are available: static BGP (for static BGPbandwidth) and dynamic BGP (for dynamic BGP bandwidth).

● A shared data package cannot be unsubscribed.

Bandwidth Add-On Package● A bandwidth add-on package takes effect only for yearly/monthly bandwidth.● The minimum duration of a bandwidth add-on package is one day. The start

time, end time, and bandwidth size of an obtained bandwidth add-onpackage cannot be changed.

For details about how to submit a service ticket, see Submitting a Service Ticket.



https://support.huaweicloud.com/en-us/usermanual-ticket/en-us_topic_0065264094.html

6 VPC and Other Services

Figure 6-1 shows the relationship between VPC and other services.

Figure 6-1 VPC and other services

Table 6-1 Related services

Interactive Function Service Reference

Provide network security forECSs.

Elastic Cloud Server(ECS)

Adding a SecurityGroup Rule

Connect ECSs in a VPC to theInternet.

Elastic IP (EIP) Configuring theVPC of ECSs ThatAccess theInternet UsingEIPs

NAT Gateway Using SNAT toAccess theInternet

Connect a VPC to a local datacenter.

Virtual Private Network(VPN)

Virtual PrivateNetwork

Virtual Private CloudService Overview 6 VPC and Other Services












https://support.huaweicloud.com/en-us/productdesc-vpn/en-us_topic_0035391393.html

https://support.huaweicloud.com/en-us/productdesc-vpn/en-us_topic_0035391393.html

Interactive Function Service Reference

Direct Connect Direct Connect

Connect VPCs across regions. Cloud Connect CommunicationBetween VPCsAcross Regions

Distribute incoming traffic tomultiple ECSs in a VPC.

Elastic Load Balance(ELB)

Elastic LoadBalance

If you need to assign differentpermissions to employees inyour enterprise to access yourVPC resources, IAM is a goodchoice for fine-grainedpermissions management.

Identity and AccessManagement (IAM)

Identity andAccessManagement

Check the bandwidth andtraffic usage.

Cloud Eye Viewing Metrics

Record VPC-related operationsfor later query, audit, andbacktrack.

Cloud Trace Service(CTS)

Viewing AuditLogs

Tags identify VPC resources forpurposes of easy categorizationand quick search.

Tag ManagementService (TMS)

Managing VPCTags

Virtual Private CloudService Overview 6 VPC and Other Services


https://support.huaweicloud.com/en-us/productdesc-dc/en-us_topic_0032053183.html






https://support.huaweicloud.com/en-us/iam_gls/index.html






https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_vpc_0004.html

https://support.huaweicloud.com/en-us/usermanual-vpc/vpc_vpc_0004.html

7 Billing

Billing ItemThe VPC service is free of charge. However, you will be billed for using EIPbandwidth used together with a VPC based on the billing standards.

EIPs can be billed in the yearly/monthly or pay-per-use mode. You can select abilling mode as required.

The EIP price varies by the EIP billing mode. The following table shows the details.

Table 7-1 EIP billing details

BillingMode

Billed By EIP Retention Price BandwidthPrice

PublicNetworkTrafficPrice

Yearly/Monthly

Bandwidth - √ -

Pay-per-use Bandwidth Free of EIP retentionprice: The EIP is bound toan ECS, BMS, or loadbalancer.EIP retention pricerequired: The EIP isunbound but is notreleased.

√ -

Traffic - √

"-" indicates that the price will not be billed. "√" indicates that the price will be billed.

Virtual Private CloudService Overview 7 Billing


Billing OptionsWhen you use an instance, such as an Elastic Cloud Server (ECS), both outboundbandwidth and inbound bandwidth are used. However, HUAWEI CLOUD onlycharges fees associated with outbound bandwidth usage.

The public network bandwidth can be billed by fixed bandwidth or by trafficusage.

● By fixed bandwidth: You will be billed based on your specified bandwidth.During the usage, the actual outbound bandwidth will not exceed thespecified bandwidth.

● By traffic usage: You will be billed based on your actual traffic usage, which isa post payment method. To avoid high charges caused by sudden trafficspikes, you can set a peak value for the outbound bandwidth.

● You can determine which billing mode is more favorable based on thebandwidth usage. If your required bandwidth is lower than or equal to 5Mbit/s, billing by fixed bandwidth monthly is more favorable than billing bytraffic usage. If your required bandwidth is higher than 5 Mbit/s and thebandwidth usage is greater than 20%, billing by fixed bandwidth is morefavorable.

Table 7-2 EIP billing modes

BillingMode

BilledBy

Billing Characteristics Applicable Scenario

Yearly/Monthly

Bandwidth

Fixed bandwidth,unlimited traffic

For heavy/stable traffic

Pay-per-use

Bandwidth

Fixed bandwidth,unlimited traffic

For heavy/stable traffic

Traffic Specified maximumbandwidth, billing bythe used amount oftraffic hourly

For light/sharply fluctuatingtraffic

SharedBandwidth

Multiple EIPs sharingthe same bandwidth

For staggered traffic

Configuration Changes● Modifying the bandwidth size has the following impacts on the price:



Table 7-3 Impact on the price

CurrentBillingMode

ChangeScenario

Impact on Price

Pay-per-use

Increase ordecreasebandwidthsize.

After the change is successful, the new billingmode takes effect immediately.

Yearly/Monthly

Increasebandwidthby payingfor morebandwidth

The increased bandwidth size takes effectimmediately and the price difference will be billedaccordingly.The following prices are for reference only. Theactual prices are subject to Pricing Details.On November 1, 2018, a customer purchases a 1Mbit/s bandwidth for one month. The price is 18.4RMB per month. The customer pays for thebandwidth with the account balance of 18.4 RMB.On November 24, 2018, the customer increasesthe bandwidth to 5 Mbit/s at the price of 92 RMBper month.In this case, the number of remaining days is 6(30 - 24), and the price for the upgrade is 92/30 x6 - 18.4/30 x 6 = 14.72 RMB.For more information, see Pricing of a ChangedSpecification.

Decreasebandwidthafterrenewal

The decreased bandwidth size takes effect in thesubsequent billing cycle after a successfulrenewal.● Renewals cannot be canceled after the

payment has been made.● After a successful renewal in case of a

decreased bandwidth size, the bandwidthcannot be modified again within the firstbilling cycle.

Buy abandwidthadd-onpackage totemporarilyincrease theavailablebandwidth

A bandwidth add-on package is used totemporarily increase the yearly/monthlybandwidth. The validity period of the add-onpackage can be any number of days (full daysonly) that fall within the bandwidth subscriptionperiod. When the add-on package expires, theavailable bandwidth automatically returns to itsprevious amount.

● The following describes the changes between EIP billing modes and the

impacts on the price.



https://www.huaweicloud.com/en-us/pricing.html#/eip

https://support.huaweicloud.com/en-us/usermanual-billing/en-us_topic_0045348012.html


Figure 7-1 Billing change

Table 7-4 Impact on fees

CurrentBillingMode

ChangeScenario

Impact on Fees

Pay-per-use

Changingthe billingoptionbetween bytraffic andbybandwidth

After the change is successful, the new billingmode takes effect immediately.

Changingthe billingmode toyearly/monthly

You can change the billing mode from pay-per-use to yearly/monthly on the EIP page or in thebilling center. After the change is successful, thenew billing mode takes effect immediately.The billing mode of a pay-per-use EIP billed bytraffic cannot be directly changed to yearly/monthly. You must first change the pay-per-useEIP to be billed by bandwidth and then change itsbilling mode to yearly/monthly.

Yearly/Monthly

Changingthe billingmode topay-per-use

You can change the billing mode from yearly/monthly to pay-per-use in the billing center. Thenew billing mode takes effect only when theyearly/monthly mode expires.The yearly/monthly EIP can only be changed tothe pay-per-use EIP billed by bandwidth. If youwant to change to the pay-per-use EIP billed bytraffic, modify the EIP bandwidth configurationsafter the billing mode is changed to pay-per-usesuccessfully and then change it to be billed bytraffic.

Renewal

If you do not renew an EIP that is billed in yearly/monthly mode upon itsexpiration, a grace period and a retention period will be granted.

Such periods depend on the customer tier. For details, see Grace Period andRetention Period.

You can renew your resources on the Renewals page of the management console.For more details, see Renewal Management.



https://support.huaweicloud.com/en-us/usermanual-period/en-us_topic_0086671074.html

https://support.huaweicloud.com/en-us/usermanual-period/en-us_topic_0086671074.html

https://account.huaweicloud.com/usercenter/?locale=en-us#/userindex/renewalManagement

https://support.huaweicloud.com/en-us/usermanual-billing/renewals_topic_10000000.html

Expiration and Overdue PaymentIf you do not renew a yearly/monthly resource upon its expiration, a grace periodand a retention period will be granted. For details, see Stopping Services andReleasing Resources.

If your account is in arrears, you can view the arrears details in the Billing Center.To prevent related resources from being stopped or released, you need to top upyour account within the specified period. For details, see Repaying Arrears.






8 Permissions Management

If you need to assign different permissions to employees in your enterprise toaccess your VPC resources, IAM is a good choice for fine-grained permissionsmanagement. IAM provides identity authentication, permissions management,and access control, helping you securely manage access to your HUAWEI CLOUDresources.

With IAM, you can use your HUAWEI CLOUD account to create IAM users, andassign permissions to the users to control their access to specific resources. Forexample, some software developers in your enterprise need to use VPC resourcesbut should not be allowed to delete the resources or perform any other high-riskoperations. In this scenario, you can create IAM users for the software developersand grant them only the permissions required for using VPC resources.

If your HUAWEI CLOUD account does not need individual IAM users forpermissions management, you may skip over this section.

IAM can be used free of charge. You pay only for the resources in your account.For more information about IAM, see the IAM Service Overview.

VPC Permissions

By default, new IAM users do not have permissions assigned. You need to add auser to one or more groups, and attach permissions policies or roles to thesegroups. Users inherit permissions from the groups to which they are added andcan perform specified operations on cloud services based on the permissions.

VPC is a project-level service deployed and accessed in specific physical regions. Toassign VPC permissions to a user group, specify the scope as region-specificprojects and select projects for the permissions to take effect. If All projects isselected, the permissions will take effect for the user group in all region-specificprojects. When accessing VPC, the users need to switch to a region where theyhave been authorized to use VPC.

You can grant users permissions by using roles and policies.

● Roles: A type of coarse-grained authorization mechanism that definespermissions related to user responsibilities. This mechanism provides only alimited number of service-level roles for authorization. When using roles togrant permissions, you need to also assign other roles on which the

Virtual Private CloudService Overview 8 Permissions Management


https://support.huaweicloud.com/en-us/productdesc-iam/iam_01_0026.html

permissions depend to take effect. However, roles are not an ideal choice forfine-grained authorization and secure access control.

● Policies: A type of fine-grained authorization mechanism that definespermissions required to perform operations on specific cloud resources undercertain conditions. This mechanism allows for more flexible policy-basedauthorization, meeting requirements for secure access control. For example,you can grant VPC users only the permissions for managing a certain type ofresources. Most policies define permissions based on APIs. For the API actionssupported by VPC, see Permissions Policies and Supported Actions.

Table 8-1 lists all the system-defined roles and policies supported by VPC.

Table 8-1 System-defined roles and policies supported by VPC

Policy Name Description Policy Type Dependencies

VPC FullAccess All operations on VPC. System-definedpolicy

None

VPCReadOnlyAccess

Read-only permissions onVPC.

System-definedpolicy

None

VPCAdministrator

All operations on VPC. To begranted this permission,users must also have theTenant Guest permission.

System-defined role

Dependent onthe TenantGuest policy.

Table 8-2 lists the common operations supported by each system-defined policyor role of VPC. Select the policies or roles as required.

Table 8-2 Common operations supported by each system-defined policy or role ofVPC

Operation VPCReadOnlyAccess

VPC Administrator VPC FullAccess

Creating aVPC

x √ √

Modifying aVPC

x √ √

Deleting aVPC

x √ √

Viewing VPCinformation

√ √ √

Creating asubnet

x √ √



https://support.huaweicloud.com/en-us/api-vpc/permission_0001.html



Viewingsubnetinformation

√ √ √

Modifying asubnet

x √ √

Deleting asubnet

x √ √

Creating asecuritygroup

x x √

Viewingsecuritygroupinformation

√ x √

Modifying asecuritygroup

x x √

Deleting asecuritygroup

x x √

Adding asecuritygroup rule

x x √

Viewing asecuritygroup rule

√ x √

Modifying asecuritygroup rule

x x √

Deleting asecuritygroup rule

x x √

Creating anetwork ACL

x √ √

Viewing anetwork ACL

√ √ √

Modifying anetwork ACL

x √ √

Deleting anetwork ACL

x √ √





Adding anetwork ACLrule

x √ √

Modifying anetwork ACLrule

x √ √

Deleting anetwork ACLrule

x √ √

Creating aVPC peeringconnection

x √ √

Modifying aVPC peeringconnection

x √ √

Deleting aVPC peeringconnection

x √ √

Creating aroute table

x √ √

Deleting aroute table

x √ √

Adding aroute

x √ √

Modifying aroute

x √ √

Deleting aroute

x √ √

Helpful Links● What Is IAM?● Creating a User and Granting VPC Permissions● Permissions Policies and Supported Actions



https://support.huaweicloud.com/en-us/productdesc-iam/iam_01_0026.html

https://support.huaweicloud.com/en-us/usermanual-vpc/permission_0003.html

https://support.huaweicloud.com/en-us/api-vpc/permission_0001.html

9 Basic Concepts

9.1 SubnetA subnet is a range of IP addresses in your VPC and provides IP addressmanagement and DNS resolution functions for ECSs in it. The IP addresses of allECSs in a subnet belong to the subnet.

Figure 9-1 Subnet

By default, ECSs in all subnets of the same VPC can communicate with oneanother, but ECSs in different VPCs cannot.

To enable ECSs in different VPCs to communicate with one another, you can createa VPC peering connection. For details, see 9.5 VPC Peering Connection.

9.2 Elastic IP AddressAn EIP is a public IP address that can be accessed directly over the Internet. An EIPconsists of a public IP address and some amount of public network egressbandwidth. EIPs can be bound to or unbound from ECSs, BMSs, virtual IPaddresses, NAT gateways, or load balancers. Various billing modes are provided tomeet diverse service requirements.

Each EIP can be used by only one cloud resource at a time.

Virtual Private CloudService Overview 9 Basic Concepts


Figure 9-2 Connecting to the Internet using an EIP

9.3 Route TableIn some regions, you can visit the route table module directly from the navigatepane on the left of the network console. You can associate subnets with a routetable to facilitate flexible route management.

For details about the regions that you can visit the route table module directlyfrom the navigate pane, see Route Table (Decoupled), Default Route Table andCustom Route Table, and Route.

For details about the regions that you cannot visit the route table module directlyfrom the navigate pane, see Route Table (Not Decoupled).

Route Table (Decoupled)A route table contains a set of rules, called routes, that are used to control whereinbound and outbound subnet traffic is forwarded within a VPC. Each subnet inyour VPC must be associated with a route table. A subnet can only be associatedwith one route table at a time, but you can associate multiple subnets with thesame route table.



Figure 9-3 Route Table

Default Route Table and Custom Route Table

When you create a VPC, the system automatically generates a default route tablefor the VPC. After a subnet is created, the subnet automatically associates with thedefault route table. You can add routes to, delete routes from, and modify routesin the default route table, but cannot delete the table. When you create a VPNconnection, the default route table automatically delivers a route that cannot bedeleted or modified. You can associate the subnet with the custom route table orreplicate the route to the custom route table, and then add, modify, or delete theroute in the custom route table.

You can use the default route table or create a custom route table for a subnetand then associate the custom route table with the subnet. You can delete thecustom route table if it is no longer required.

To use a custom route table, you need to submit a service ticket. You need to click Increasequota on the Create Route Table page or choose More > Service Tickets > Create ServiceTicket in the upper right corner of the page. For more information, submit a service ticket.

Route

A route, that is a routing rule, is configured with the destination, next hop type,and next hop to determine where the network traffic is directed. Routes areclassified into system routes and custom routes.

● System route: Routes that are automatically added by the system and cannotbe modified or deleted.After a route table is created, the system automatically adds the followingsystem routes to the route table, indicating that instances in a VPC cancommunicate with each other.– Routes whose destination is 100.64.0.0/10 or 198.19.128.0/20.– Routes whose destination is a subnet CIDR block.

In addition to the preceding system routes, the system automatically adds aroute whose destination is 127.0.0.0/8, indicating the local loopback address.



https://support.huaweicloud.com/en-us/usermanual-ticket/en-us_topic_0065264094.html

● Custom route: A route that can be modified and deleted. The destination of acustom route cannot overlap with that of a system route.You can add a custom route and configure the destination, next hop type, andnext hop in the route to determine where the network traffic is directed.Table 9-1 lists the supported types of next hops.

Table 9-1 Next hop type

Next Hop Type Description

ECS Traffic intended for the destination is forwarded toan ECS in the VPC.

Extension NIC Traffic intended for the destination is forwarded tothe extension NIC of an ECS in the VPC.

VPN gateway Traffic intended for the destination is forwarded to aVPN gateway.

Cloud connection Traffic intended for the destination is forwarded to acloud connection.

NAT gateway Traffic intended for the destination is forwarded to aNAT gateway.

VPC peeringconnection

Traffic intended for the destination is forwarded to aVPC peering connection.

Virtual IP address Traffic intended for the destination is forwarded to avirtual IP address and then sent to active andstandby ECSs to which the virtual IP address isbound.

VPC endpoint Traffic intended for the destination is forwarded to aVPC endpoint.

● When you add a custom route to a default route table, the next hop type cannotbe set to VPN gateway.

● If you have to specify the destination when creating a service, a system route isdelivered. If you do not need to specify a destination when creating a service, acustom route that can be modified or deleted is delivered automatically.For example, you do not need to specify a destination when creating a NATgateway, the system automatically delivers a custom route that you can modify ordelete. However, when you create a VPN gateway, you need to specify the remotesubnet, that is, the destination of a route. In this case, the system delivers a systemroute. If the route destination can be modified on the Route Tables page, thedestination will be inconsistent with that configured remote subnet. To modify thedestination, you can go to the specific service page to modify the remote subnet,then the route destination will be changed accordingly.



Route Table (Not Decoupled)A route table contains a set of rules that are used to determine where networktraffic is directed. You can add routes to a route table to enable other ECSs in aVPC to access the Internet through the ECS that has a bound EIP.

You can use a route table configured in standalone or active/standby mode.

● Figure 9-4 shows the route table configured in standalone mode.

Figure 9-4 Route table configured in standalone mode

In standalone mode, ECSs in a VPC that do not have EIPs bound access theInternet through an ECS that has an EIP bound and has SNAT functionconfigured.You can create a route table for the VPC used by ECSs that do not have EIPsbound to enable these ECSs to access the Internet. The next hop in the routetable is the private IP address of the ECS that has an EIP bound (the private IPaddress of the SNAT server).

● Figure 9-5 shows the route table configured in active/standby mode.

Figure 9-5 Route table configured in active/standby mode

In active/standby mode, ECSs in a VPC that do not have EIPs bound access theInternet through two ECSs that have EIPs bound and have the SNAT functionconfigured.In active/standby mode, you can add a route table for the VPC used by ECSsthat do not have EIPs bound to enable these ECSs to access the Internet. The



next hop in the route table is the virtual IP address of the two ECSs that haveEIPs bound.

9.4 Security GroupA security group is a collection of access control rules for ECSs that have the samesecurity protection requirements and are mutually trusted within a VPC. After asecurity group is created, you can create different access rules for the securitygroup, these rules will apply to any ECS that is added to this security group.

Your account automatically comes with a security group by default. The defaultsecurity group allows all outbound traffic, denies all inbound traffic, and allows alltraffic between ECSs in the group. Your ECSs in the security group cancommunicate with each other by default. There is no need to add rules for this.

Figure 9-6 illustrates how the default security group works.

Figure 9-6 Default security group

Table 9-2 describes the default rules for a default security group.

Table 9-2 Default security group rules

Direction

Protocol Port/Range

Source/Destination

Description

Outbound

All All Destination:0.0.0.0/0

Allow all outboundtraffic.

Inbound All All Source: ID of thecurrent securitygroup (forexample, sg-xxxxx)

Allow communicationamong ECSs withinthe security groupand deny all inboundtraffic (incoming datapackets).

Inbound TCP 22 Source: 0.0.0.0/0 Allow all IP addressesto access Linux ECSsover SSH.



Direction

Protocol Port/Range

Source/Destination

Description

Inbound TCP 3389 Source: 0.0.0.0/0 Allow all IP addressesto access WindowsECSs over RDP.

You can use the default security groups and rules or create custom security groupsand rules as required.

If two ECSs are in the same security group but in different VPCs, the security group doesnot take effect. You can use a VPC peering connection to connect the two VPCs first. Fordetails about VPC connections, see Application Scenarios.

9.5 VPC Peering ConnectionA VPC peering connection is a network connection between two VPCs that enablesyou to route traffic between them using private IP addresses. ECSs in either VPCcan communicate with each other just as if they were in the same VPC. You cancreate a VPC peering connection between your own VPCs, or between your VPCand another account's VPC within the same region. A VPC peering connectionbetween VPCs in different regions will not take effect.

● Creating a VPC peering connection between VPCs in your account

Figure 9-7 Creating a VPC peering connection between VPCs in your account

If you create a VPC peering connection between two VPCs in your account,the system automatically accepts the connection by default. You need to add



https://support.huaweicloud.com/en-us/productdesc-vpc/overview_0002.html

routes for the local and peer VPCs to enable communication between the twoVPCs.

● Creating a VPC peering connection with a VPC in another account

Figure 9-8 Creating a VPC peering connection with a VPC in another account

If you create a VPC peering connection between your VPC and a VPC that is inanother account, the VPC peering connection will be in the Awaitingacceptance state. After the owner of the peer account accepts theconnection, the connection status changes to Accepted. The owners of thelocal and peer accounts must configure the routes required by the VPCpeering connection to enable communication between the two VPCs.If the local and peer VPCs have overlapping CIDR blocks, the routes added forthe VPC peering connection may be invalid. Before creating a VPC peeringconnection between two VPCs that have overlapping CIDR blocks, ensure thatno subnets in the two VPCs have overlapping CIDR blocks. In this case, thecreated VPC peering connection enables communication between two subnetsin the two VPCs.You can run the ping command to check whether the two VPCs cancommunicate with each other.

9.6 Network ACLA network ACL is an optional layer of security for your subnets. You associate oneor more subnets with a network ACL. The network ACL can help control traffic inand out of the subnets.



Figure 9-9 Security groups and network ACLs

Similar to security groups, network ACLs control access to the network. They addan additional layer of defense to your VPC. Security groups only have the "allow"rules, but network ACLs have both "allow" and "deny" rules. You can use networkACLs together with security groups to implement access control that is bothcomprehensive and fine-grained.

Network ACL Basics● Your VPC does not come with a default network ACL, but you can create one

and associate it with a subnet if required. By default, each network ACLdenies all inbound traffic to and outbound traffic from the associated subnetuntil you add rules.

● You can associate a network ACL with multiple subnets. However, a subnetcan only be associated with one network ACL at a time.

● Each newly created network ACL is in the Inactive state until you associatesubnets with it.

● Network ACLs are stateful. If you send a request, the response traffic of therequest is allowed to go in regardless of inbound network ACL rules.Responses to the allowed inbound traffic are allowed to go out regardless ofoutbound network ACL rules.The timeout period of connection tracking varies according to the protocol.The timeout period of a TCP connection in the established state is 600s, andthe timeout period of an ICMP connection is 30s. For other protocols, ifpackets are received in both directions, the connection tracking timeoutperiod is 180s. If one or more packets are received in one direction but nopacket is received in the other direction, the connection tracking timeoutperiod is 30s. For protocols other than TCP, UDP, and ICMP, only the IP addressand protocol number are tracked.



Default Network ACL RulesBy default, each network ACL has preset rules that allow the following packets:

● Packets whose source and destination are in the same subnet● Broadcast packets with the destination 255.255.255.255/32, which is used to

configure host startup information.● Multicast packets with the destination 224.0.0.0/24, which is used by routing

protocols.● Metadata packets with the destination 169.254.169.254/32 and TCP port

number 80, which is used to obtain metadata.● Packets from CIDR blocks that are reserved for public services (for example,

packets with the destination 100.125.0.0/16)● A network ACL denies all traffic in and out of a subnet excepting the

preceding ones. Table 9-3 shows the default network ACL rules. The defaultrules cannot be modified or deleted.

Table 9-3 Default network ACL rules

Direction

Priority

Action

Protocol

Source Destination

Description

Inbound

* Deny

All 0.0.0.0/0 0.0.0.0/0

Denies all inbound traffic.

Outbound

* Deny

All 0.0.0.0/0 0.0.0.0/0

Denies all outbound traffic.

Rule Priorities● Each network ACL rule has a priority value where a smaller value corresponds

to a higher priority. Any time two rules conflict, the one with the higherpriority is the one that get applied. The rule whose priority value is an asterisk(*) has the lowest priority.

● If multiple network ACL rules conflict, the rule with the highest priority takeseffect. If you need a rule to take effect before or after a specific rule, you caninsert that rule before or after the specific rule.

Application Scenarios● If the application layer needs to provide services for users, traffic must be

allowed to reach the application layer from all IP addresses. However, youalso need to prevent illegal access from malicious users.Solution: You can add network ACL rules to deny access from suspect IPaddresses.

● How can I isolate ports with identified vulnerabilities? For example, how do Iisolate port 445 that can be exploited by WannaCry worm?Solution: You can add network ACL rules to deny access traffic from specificport and protocol, for example, TCP port 445.



● No defense is required for the communication within a subnet, but accesscontrol is required for communication between subnets.

Solution: You can add network ACL rules to control traffic between subnets.

● For frequently accessed applications, a security rule sequence may need to beadjusted to improve performance.

Solution: A network ACL allows you to adjust the rule sequence so thatfrequently used rules are applied before other rules.

9.7 Virtual IP AddressA virtual IP address (VIP) is an IP address that is not allocated to an actual ECSNIC. An ECS can have both private and virtual IP addresses, and you can accessthe ECS through either one. A virtual IP address has the same network accesscapabilities as a private IP address, including layer 2 and layer 3 communication inVPCs, access between VPCs using peering connections, as well as Internet accessthrough EIPs, VPN connections, and Direct Connect connections.

Multiple ECSs deployed in active/standby mode can be bound to the same virtualIP address. The virtual IP address can then be bound to an EIP. When someoneaccesses that EIP from the Internet, since the virtual IP address has made itpossible to link active/standby mode copies of ECSs, those ECSs are highly faulttolerant.

Networking

Virtual IP addresses are used for high availability as they make active/standby ECSswitchover possible. If the active ECS becomes faulty and cannot provide services,the virtual IP address is dynamically switched to the standby ECS and servicescontinue uninterrupted. ECSs can be configured for HA or as load balancingclusters.

● Networking mode 1: HA

If you want to improve service availability and avoid single points of failure,you can deploy ECSs in the active/standby mode or one active and multiplestandby mode. In this arrangement, the ECSs all use the same virtual IPaddress. If the active ECS becomes faulty, a standby ECS takes over servicesfrom the active ECS and services continue uninterrupted.

Figure 9-10 Networking diagram of the HA mode



– In this configuration, two ECSs in a subnet are bound to a single virtual IPaddress.

– Keepalived is then used to configure the two ECSs to work in the active/standby mode. Follow industry standards for configuring Keepalived. Thedetails are not included here.

● Networking mode 2: HA load balancing clusterIf you want to build a high-availability load balancing cluster, use Keepalivedand configure LVS nodes as direct routers.

Figure 9-11 HA load balancing cluster

– Bind two ECSs to the same virtual IP address.– Configure the two ECSs as LVS nodes working as direct routers and use

Keepalived to configure the nodes in the active/standby mode. The twoECSs will evenly forward requests to different backend servers.

– Configure another two ECSs as backend servers.– Disable the source/destination check for the two servers.Follow industry standards for configuring Keepalived. The details are notincluded here.

Application Scenarios● Using an EIP to access a virtual IP address

If your application has high availability requirements and needs to provideservices through the Internet, it is recommended that you bind an EIP to avirtual IP address.

● Using a VPN, Direct Connect, or peering connection to access a virtual IPaddressTo ensure high availability and access to the Internet, use a VPN for securityand Direct Connect for a stable connection. The VPC peering connection isneeded so that the VPCs in the same region can communicate with eachother.



9.8 Layer 2 Connection GatewayA Layer 2 connection gateway (L2CG) is a virtual tunnel gateway that works witha Direct Connect or VPN connection to establish network communication betweenthe cloud and on-premises networks. The gateway allows you to migrate datacenter or private cloud services to the cloud without changing subnets and IPaddresses.

A Direct Connect or VPN connection establishes a Layer 3 network channelbetween the cloud and on-premises networks and the subnets on the cloud andon-premises networks must not overlap. If the cloud and on-premises networksare on the same subnet and the cloud and on-premises servers need tocommunicate with each other on that subnet, you can use a L2CG to enable thecommunication at a Layer 2 network.

Figure 9-12 shows the networking diagram of a L2CG.

Figure 9-12 L2CG networking

A L2CG is a tunnel gateway in a VPC and corresponds to a tunnel gateway yourdata center. A L2CG works together with a Direct Connect or VPN connection toestablish a Layer 2 network between a VPC and your data center.

A Layer 2 connection connects a VPC subnet to a L2CG and specifies the L2CG toconnect to the tunnel gateway in an enterprise data center so that the VPC subnetcan communicate with the subnet in the enterprise data center at the Layer 2network.

9.9 Region and AZ

Concept

A region and availability zone (AZ) identify the location of a data center. You cancreate resources in a specific region and AZ.

● Regions are divided based on geographical location and network latency.Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service(EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP(EIP), and Image Management Service (IMS), are shared within the sameregion. Regions are classified into universal regions and dedicated regions. Auniversal region provides universal cloud services for common tenants. Adedicated region provides specific services for specific tenants.



● An AZ contains one or more physical data centers. Each AZ has independentcooling, fire extinguishing, moisture-proof, and electricity facilities. Within anAZ, computing, network, storage, and other resources are logically dividedinto multiple clusters. AZs within a region are interconnected using high-speed optical fibers to support cross-AZ high-availability systems.

Figure 9-13 shows the relationship between regions and AZs.

Figure 9-13 Regions and AZs

HUAWEI CLOUD provides services in many regions around the world. Select aregion and AZ based on requirements.

Selecting a Region

When selecting a region, consider the following factors:

● LocationIt is recommended that you select the closest region for low network latencyand quick access. Regions within the Chinese mainland provide the sameinfrastructure, BGP network quality, as well as resource operations andconfigurations. Therefore, if your target users are on the Chinese mainland,you do not need to consider the network latency differences when selecting aregion.– If your target users are in Asia Pacific (excluding the Chinese mainland),

select the AP-Hong Kong, AP-Bangkok, or AP-Singapore region.– If your target users are in Africa, select the AF-Johannesburg region.– If your target users are in Europe, select the EU-Paris region.

● Resource priceResource prices may vary in different regions. For details, see Product PricingDetails.

Selecting an AZ

When deploying resources, consider your applications' requirements on disasterrecovery (DR) and network latency.

● For high DR capability, deploy resources in different AZs within the sameregion.



https://www.huaweicloud.com/en-us/pricing.html

https://www.huaweicloud.com/en-us/pricing.html

● For low network latency, deploy resources in the same AZ.

Regions and EndpointsBefore you use an API to call resources, specify its region and endpoint. For moredetails, see Regions and Endpoints.



https://developer.huaweicloud.com/en-us/endpoint

Documents

Service Overview - HUAWEI CLOUD€¦ · solutions, see 3 Application Scenarios. VPC Peering allows two VPCs in the same region to communicate with each other using private IP addresses