Virtual Private Cloud Quick Start Issue 19 Date 2018-07-30 HUAWEI TECHNOLOGIES CO., LTD.


Virtual Private Cloud

Quick Start

Issue 19

Date 2018-07-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
         Bantian, Longgang
         Shenzhen 518129
         People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 19 (2018-07-30) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Typical Application Scenarios

2 Configuring the VPC of ECSs That Do Not Need to Access the Internet
  2.1 Overview
  2.2 Creating a VPC
  2.3 Creating a Subnet for the VPC
  2.4 Creating a Security Group
  2.5 Adding a Security Group Rule

3 Configuring the VPC of ECSs That Access the Internet Using EIPs
  3.1 Overview
  3.2 Creating a VPC
  3.3 Creating a Subnet for the VPC
  3.4 Assigning an EIP and Binding It to an ECS
  3.5 Creating a Security Group
  3.6 Adding a Security Group Rule

4 Configuring the VPC of ECSs That Access the Internet Through a VPN
  4.1 Overview
  4.2 Creating a VPC
  4.3 Creating a Subnet for the VPC
  4.4 Applying for a VPN
  4.5 Creating a Security Group
  4.6 Adding a Security Group Rule


1 Typical Application Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

- If your ECSs do not need to access the Internet, for example, the ECSs functioning as the database or server nodes for deploying a website, you can configure a VPC for the ECSs by following the instructions described in section 2 Configuring the VPC of ECSs That Do Not Need to Access the Internet.

- If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. Then, you can configure the VPC of these ECSs by following the instructions provided in section 3 Configuring the VPC of ECSs That Access the Internet Using EIPs.

- If you need to access ECSs in a VPC over the Internet to perform maintenance operations, you can configure a VPN. For example, a website administrator needs to use a VPN to access ECSs functioning as service nodes in the VPC over the Internet. Then, you can configure the VPC of these ECSs by following the instructions provided in section 4 Configuring the VPC of ECSs That Access the Internet Through a VPN.


2 Configuring the VPC of ECSs That Do Not Need to Access the Internet

2.1 Overview

If your ECSs do not need to access the Internet, for example, the ECSs functioning as the database nodes or server nodes for deploying a website, you can follow the procedure shown in Figure 2-1 to configure a VPC for the ECSs.

Figure 2-1 Configuring the network

Table 2-1 describes the different tasks in the procedure for configuring the network.


Table 2-1 Configuration process description

Task: Create a VPC.
  This task is mandatory.
  You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified.
  After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Task: Create another subnet for the VPC.
  This task is optional.
  If you need another subnet in addition to the default one, you can create a subnet in the VPC.
  The new subnet is used to assign IP addresses to NICs added to the ECS.

Task: Create a security group.
  This task is mandatory.
  You can create a security group and add ECSs in the VPC to the security group to improve ECS access security.
  After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Task: Add a security group rule.
  This task is optional.
  After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

2.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.


3. On the console homepage, under Network, click Virtual Private Cloud.

4. On the Dashboard page, click Create VPC.

5. On the Create VPC page, set parameters as prompted.

Table 2-2 VPC parameter description

VPC

Region
  Description: Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region.
  Example value: CN North-Beijing1

Name
  Description: Specifies the VPC name.
  Example value: VPC-001

CIDR Block
  Description: Specifies the CIDR block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported:
    10.0.0.0 – 10.255.255.255
    172.16.0.0 – 172.31.255.255
    192.168.0.0 – 192.168.255.255
  Example value: 192.168.0.0/16

Tag
  Description: Specifies the VPC tag, which consists of a key and value pair. You can add a maximum of ten tags to each VPC. The tag key and value must meet the requirements listed in Table 2-3.
  Example value: Key: vpc_key1; Value: vpc-01

Default subnet

Name
  Description: Specifies the subnet name.
  Example value: Subnet

CIDR Block
  Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
  Example value: 192.168.0.0/24

Gateway
  Description: Specifies the gateway address of the subnet.
  Example value: 192.168.0.1

DNS Server Address
  Description: The external DNS server address is used by default. If you need to change the DNS server address, ensure that the configured DNS server address is available.
  Example value: 192.168.1.0

Tag
  Description: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 2-4.
  Example value: Key: subnet_key1; Value: subnet-01

Table 2-3 VPC tag key and value requirements

Key
  Requirements:
  - Cannot be left blank.
  - Must be unique for the same VPC and can be the same for different VPCs.
  - Can contain a maximum of 36 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: vpc_key1

Value
  Requirements:
  - Can contain a maximum of 43 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: vpc-01

Table 2-4 Subnet tag key and value requirements

Key
  Requirements:
  - Cannot be left blank.
  - Must be unique for each subnet.
  - Can contain a maximum of 36 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet_key1

Value
  Requirements:
  - Can contain a maximum of 43 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet-01

6. Confirm the current configuration and click Create Now.
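The Create VPC parameters (Table 2-2) and the tag rules (Tables 2-3 and 2-4) can be checked before anything is entered in the console; catching a subnet that falls outside the VPC CIDR or a tag with a forbidden character at plan time is cheaper than a failed creation. The Python below is an added example written for this page; it is not Huawei code and calls no Huawei API. It encodes the constraints as the tables state them: the VPC CIDR must lie inside one of the three supported private ranges, the subnet CIDR must lie within the VPC CIDR, the gateway must be an address in the subnet, and tag keys and values must respect the length, character, uniqueness and ten-tag limits. The function names and the sample plan are the example's own.

```python
import ipaddress

# The three ranges Table 2-2 lists as supported VPC CIDR blocks, as prefixes.
SUPPORTED_VPC_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]

# Limits from Tables 2-3 and 2-4.
MAX_TAGS_PER_RESOURCE = 10
MAX_KEY_LEN = 36
MAX_VALUE_LEN = 43
FORBIDDEN_TAG_CHARS = set("=*<>\\,|/")


def check_tag(key, value):
    """Return the rule violations for one tag (an empty list means it is acceptable)."""
    problems = []
    if key == "":
        problems.append("key cannot be left blank")
    if len(key) > MAX_KEY_LEN:
        problems.append("key exceeds %d characters" % MAX_KEY_LEN)
    if len(value) > MAX_VALUE_LEN:
        problems.append("value exceeds %d characters" % MAX_VALUE_LEN)
    for label, text in (("key", key), ("value", value)):
        bad = sorted(FORBIDDEN_TAG_CHARS.intersection(text))
        if bad:
            problems.append("%s contains forbidden characters: %s" % (label, "".join(bad)))
        if text and (text[0] == " " or text[-1] == " "):
            problems.append("%s cannot start or end with a space" % label)
    return problems


def check_tags(tags):
    """Check a whole tag set: per-tag rules, the ten-tag limit, and key uniqueness."""
    problems = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        problems.append("more than %d tags" % MAX_TAGS_PER_RESOURCE)
    seen = set()
    for key, value in tags:
        if key in seen:
            problems.append("duplicate key: %r" % key)
        seen.add(key)
        problems.extend("tag %r: %s" % (key, p) for p in check_tag(key, value))
    return problems


def check_vpc_plan(vpc_cidr, subnet_cidr, gateway):
    """Validate the CIDR and gateway fields of a planned VPC and its default subnet."""
    problems = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 192.168.0.1/24.
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return ["malformed address or CIDR: %s" % exc]
    if vpc.version != 4 or subnet.version != 4 or gw.version != 4:
        return ["only IPv4 blocks are covered by this example"]
    if not any(vpc.subnet_of(r) for r in SUPPORTED_VPC_RANGES):
        problems.append("VPC CIDR %s is outside the supported private ranges" % vpc)
    if not subnet.subnet_of(vpc):
        problems.append("subnet CIDR %s is not within VPC CIDR %s" % (subnet, vpc))
    if gw not in subnet:
        problems.append("gateway %s is not an address in subnet %s" % (gw, subnet))
    return problems


if __name__ == "__main__":
    # Constructed plan using the example values from Table 2-2.
    print(check_vpc_plan("192.168.0.0/16", "192.168.0.0/24", "192.168.0.1"))
    print(check_tags([("vpc_key1", "vpc-01")]))
```

A practitioner would run this against a planned configuration and only open the console when both lists come back empty; the same checks belong in any infrastructure-as-code pipeline that creates VPCs.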

2.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created when you create a VPC. If required, you can create another subnet in the VPC.

The created subnet is configured with DHCP by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using DHCP.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Virtual Private Cloud.

5. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.

6. On the displayed Subnets tab, click Create Subnet.

7. In the Create Subnet area, set parameters as prompted.

Table 2-5 Parameter description

Name
  Description: Specifies the subnet name.
  Example value: Subnet

CIDR Block
  Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
  Example value: 192.168.0.0/24

Gateway
  Description: Specifies the gateway address of the subnet.
  Example value: 192.168.0.1

Tag
  Description: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 2-6.
  Example value: Key: subnet_key1; Value: subnet-01

Table 2-6 Subnet tag key and value requirements

Key
  Requirements:
  - Cannot be left blank.
  - Must be unique for each subnet.
  - Can contain a maximum of 36 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet_key1

Value
  Requirements:
  - Can contain a maximum of 43 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet-01

8. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

9. Click OK.

Precautions

After a subnet is created, five IP addresses in the subnet will be reserved and cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following five IP addresses are reserved:

- 192.168.0.0: Network address.
- 192.168.0.1: Gateway address.
- 192.168.0.253: DHCP service address.
- 192.168.0.254: Reserved for the system interface. This IP address is used by the VPC for external communication.
- 192.168.0.255: Network broadcast address.

If you set Advanced Settings to Custom during subnet creation, the reserved IP addresses may be different from the preceding default ones. The system will reserve five IP addresses based on your subnet settings.
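The reserved-address rule matters whenever an ECS is given a static address or a subnet is sized for a fixed number of hosts: the five reserved slots are not assignable, and a static address that collides with the DHCP or system-interface slot will fail or conflict. The Python below is an added example for this page, not Huawei code; it derives the five reserved addresses for any IPv4 subnet under the default layout described in the Precautions above (network, gateway at the first host unless a custom gateway is given, the two addresses below broadcast, and broadcast), reports the usable host count, and checks whether a planned static address is free. The minimum block size of eight addresses and the function names are the example's own assumptions; the page does not state a minimum subnet size.

```python
import ipaddress

# Number of addresses the page says are reserved in every subnet.
RESERVED_COUNT = 5


def reserved_addresses(subnet_cidr, gateway=None):
    """Return the five reserved addresses of a subnet under the default layout in the
    Precautions: network address, gateway (first host unless a custom gateway is
    given), DHCP service, system interface, and broadcast."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != 4 or net.num_addresses < 8:
        # Assumption of this example: a /29 is the smallest block in which the
        # five reserved addresses are all distinct.
        raise ValueError("need an IPv4 block of at least 8 addresses")
    first, last = net.network_address, net.broadcast_address
    gw = ipaddress.ip_address(gateway) if gateway else first + 1
    if gw not in net:
        raise ValueError("gateway %s is not inside %s" % (gw, net))
    return {
        "network": str(first),
        "gateway": str(gw),
        "dhcp": str(last - 2),
        "system_interface": str(last - 1),
        "broadcast": str(last),
    }


def usable_host_count(subnet_cidr):
    """Hosts that can actually receive an address once the reserved five are removed."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_COUNT


def is_assignable(subnet_cidr, candidate, gateway=None):
    """True if a planned static address lies inside the subnet and does not collide
    with one of the reserved addresses."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        return False
    return str(addr) not in reserved_addresses(subnet_cidr, gateway).values()


if __name__ == "__main__":
    # The page's own example block; prints the five addresses listed above.
    for role, address in reserved_addresses("192.168.0.0/24").items():
        print("%-17s %s" % (role, address))
    print("usable hosts:", usable_host_count("192.168.0.0/24"))
```

Run on the page's example block the output lists 192.168.0.0, .1, .253, .254 and .255 and 251 usable hosts. When Advanced Settings is set to Custom the page says the reserved set may differ, so for a custom subnet the function's output is a planning estimate, not a guarantee; confirm against the console.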

2.4 Creating a Security Group

Scenarios

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group. We recommend that you allocate ECSs that have different Internet access policies to different security groups.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Security Group.

5. On the Security Group page, click Create Security Group.

6. In the Create Security Group area shown in Figure 2-2, set the parameters as prompted. Table 2-7 lists the parameters to be configured.

Figure 2-2 Create Security Group


Table 2-7 Parameter description

Name
  Description: Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
  NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups.
  Example value: sg-318b

Description
  Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

7. Click OK.

2.5 Adding a Security Group Rule

Scenarios

After a security group is created, it has default rules. You can add new inbound and outbound rules to the security group.

- Inbound rules control incoming traffic to servers in the security group.
- Outbound rules control outgoing traffic from servers in the security group.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Security Group.

5. On the Security Group page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.

6. On the Inbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule. You can click + to add more inbound rules.


Figure 2-3 Add Inbound Rule

Table 2-8 Inbound rule parameter description

Protocol/Application
  Description: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, All, or others.
  Example value: TCP

Port & Source
  Description:
  Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
  Source: specifies the source of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:
    xxx.xxx.xxx.xxx/32 (IPv4 address)
    xxx.xxx.xxx.0/24 (CIDR block)
    0.0.0.0/0 (any IP address)
  Example value: Port: 22 or 22-30; Source: 0.0.0.0/0 or default

Description
  Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

7. On the Outbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule. You can click + to add more outbound rules.

Figure 2-4 Add Outbound Rule


Table 2-9 Outbound rule parameter description

Protocol/Application
  Description: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, All, or others.
  Example value: TCP

Port & Destination
  Description:
  Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
  Destination: specifies the destination of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:
    xxx.xxx.xxx.xxx/32 (IPv4 address)
    xxx.xxx.xxx.0/24 (CIDR block)
    0.0.0.0/0 (any IP address)
  Example value: Port: 22 or 22-30; Destination: 0.0.0.0/0 or default

Description
  Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A
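Tables 2-8 and 2-9 describe a rule as a direction, a protocol, a port or port range, and a source or destination (another security group, a CIDR block, or a single address). Because a security group only lists what is allowed, the two practical questions are whether a given connection gets through and which rules are wider than the service needs; the page's example source 0.0.0.0/0 is the widest possible value, and the page itself recommends separate groups for ECSs with different Internet access policies. The Python below is an added example for this page, not Huawei code and not the console's rule engine. It models a rule set with the fields of the two tables (rules whose source is another security group are left out), evaluates a connection against it, and audits inbound rules that open administrative ports to any address. Rule, is_allowed, audit_open_admin_ports and the sample rule set are the example's own; treating port 3389 as administrative alongside port 22 is the example's assumption.

```python
import ipaddress
from dataclasses import dataclass

ANY_ADDRESS = "0.0.0.0/0"       # the page's "any IP address" example value
PORTED_PROTOCOLS = ("TCP", "UDP")


@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "TCP", "UDP", "ICMP" or "All", as in Tables 2-8/2-9
    ports: str          # "22", "22-30", or "" when the rule carries no port
    remote: str         # source (inbound) or destination (outbound) CIDR block
    description: str = ""


def parse_port_range(ports):
    """Turn "22" or "22-30" into (low, high); the tables allow 1 to 65535."""
    if ports == "":
        return 1, 65535
    parts = ports.split("-", 1)
    low = int(parts[0])
    high = int(parts[1]) if len(parts) == 2 else low
    if not 1 <= low <= high <= 65535:
        raise ValueError("port range %r is outside 1-65535" % ports)
    return low, high


def rule_matches(rule, direction, protocol, port, remote_ip):
    """Does one rule cover a connection in the given direction?"""
    if rule.direction != direction:
        return False
    if rule.protocol != "All" and rule.protocol != protocol:
        return False
    if protocol in PORTED_PROTOCOLS:
        low, high = parse_port_range(rule.ports)
        if not low <= port <= high:
            return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote, strict=False)


def is_allowed(rules, direction, protocol, port, remote_ip):
    """Security groups are allow-lists: a connection passes only if some rule matches."""
    return any(rule_matches(r, direction, protocol, port, remote_ip) for r in rules)


def audit_open_admin_ports(rules, admin_ports=(22, 3389)):
    """Report inbound rules that expose administrative ports to any address."""
    findings = []
    for rule in rules:
        if rule.direction != "inbound":
            continue
        if ipaddress.ip_network(rule.remote, strict=False).prefixlen != 0:
            continue    # a /32 or /24 is a bounded source; only /0 means "anyone"
        if rule.protocol in PORTED_PROTOCOLS:
            low, high = parse_port_range(rule.ports)
        elif rule.protocol == "All":
            low, high = 1, 65535
        else:
            continue    # ICMP carries no ports
        exposed = [p for p in admin_ports if low <= p <= high]
        if exposed:
            findings.append((rule, exposed))
    return findings


# Constructed rule set: the default outbound rule the page describes, plus two
# inbound rules, one of them using the table's example source 0.0.0.0/0.
SAMPLE_RULES = [
    Rule("outbound", "All", "", ANY_ADDRESS, "default rule: allow all outgoing"),
    Rule("inbound", "TCP", "80", ANY_ADDRESS, "web"),
    Rule("inbound", "TCP", "22", ANY_ADDRESS, "ssh from anywhere (flagged by the audit)"),
]
# The same SSH rule narrowed to a constructed administrator network.
HARDENED_SSH = Rule("inbound", "TCP", "22", "198.51.100.0/24", "ssh from the admin network only")


if __name__ == "__main__":
    for rule, ports in audit_open_admin_ports(SAMPLE_RULES):
        print("open to any address on ports %s: %s" % (ports, rule.description))
    print(is_allowed(SAMPLE_RULES, "inbound", "TCP", 22, "203.0.113.5"))   # True
```

The audit flags only the SSH rule; replacing it with HARDENED_SSH keeps port 22 reachable from 198.51.100.0/24 and nothing else, which is the kind of rule a maintenance scenario (section 4's VPN access) calls for rather than 0.0.0.0/0.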


3 Configuring the VPC of ECSs That Access the Internet Using EIPs

3.1 Overview

If your ECSs need to access the Internet, for example, the ECSs functioning as the service nodes for deploying a website, you can follow the procedure shown in Figure 3-1 to bind EIPs to the ECSs.

Figure 3-1 Configuring the network


Table 3-1 describes the different tasks in the procedure for configuring the network.

Table 3-1 Configuration process description

Task: Create a VPC.
  This task is mandatory.
  You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified.
  After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Task: Create another subnet for the VPC.
  This task is optional.
  If you need another subnet in addition to the default one, you can create a subnet in the VPC.
  The new subnet is used to assign IP addresses to NICs added to the ECS.

Task: Assign an EIP and bind it to an ECS.
  This task is mandatory.
  You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Task: Create a security group.
  This task is mandatory.
  You can create a security group and add ECSs in the VPC to the security group to improve ECS access security.
  After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Task: Add a security group rule.
  This task is optional.
  After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

3.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.


Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. On the Dashboard page, click Create VPC.

5. On the Create VPC page, set parameters as prompted.

Table 3-2 VPC parameter description

VPC

Region
  Description: Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region.
  Example value: CN North-Beijing1

Name
  Description: Specifies the VPC name.
  Example value: VPC-001

CIDR Block
  Description: Specifies the CIDR block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported:
    10.0.0.0 – 10.255.255.255
    172.16.0.0 – 172.31.255.255
    192.168.0.0 – 192.168.255.255
  Example value: 192.168.0.0/16

Tag
  Description: Specifies the VPC tag, which consists of a key and value pair. You can add a maximum of ten tags to each VPC. The tag key and value must meet the requirements listed in Table 3-3.
  Example value: Key: vpc_key1; Value: vpc-01

Default subnet

Name
  Description: Specifies the subnet name.
  Example value: Subnet

CIDR Block
  Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
  Example value: 192.168.0.0/24

Gateway
  Description: Specifies the gateway address of the subnet.
  Example value: 192.168.0.1

DNS Server Address
  Description: The external DNS server address is used by default. If you need to change the DNS server address, ensure that the configured DNS server address is available.
  Example value: 192.168.1.0

Tag
  Description: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 3-4.
  Example value: Key: subnet_key1; Value: subnet-01

Table 3-3 VPC tag key and value requirements

Key
  Requirements:
  - Cannot be left blank.
  - Must be unique for the same VPC and can be the same for different VPCs.
  - Can contain a maximum of 36 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: vpc_key1

Value
  Requirements:
  - Can contain a maximum of 43 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: vpc-01

Table 3-4 Subnet tag key and value requirements

Key
  Requirements:
  - Cannot be left blank.
  - Must be unique for each subnet.
  - Can contain a maximum of 36 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet_key1

Value
  Requirements:
  - Can contain a maximum of 43 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet-01

6. Confirm the current configuration and click Create Now.

3.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created when you create a VPC. If required, you can create another subnet in the VPC.

The created subnet is configured with DHCP by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using DHCP.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Virtual Private Cloud.

5. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.

6. On the displayed Subnets tab, click Create Subnet.

7. In the Create Subnet area, set parameters as prompted.

Table 3-5 Parameter description

Name
  Description: Specifies the subnet name.
  Example value: Subnet

CIDR Block
  Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
  Example value: 192.168.0.0/24

Gateway
  Description: Specifies the gateway address of the subnet.
  Example value: 192.168.0.1

Tag
  Description: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 3-6.
  Example value: Key: subnet_key1; Value: subnet-01

Table 3-6 Subnet tag key and value requirements

Key
  Requirements:
  - Cannot be left blank.
  - Must be unique for each subnet.
  - Can contain a maximum of 36 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet_key1

Value
  Requirements:
  - Can contain a maximum of 43 characters.
  - Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), and slashes (/), and the first and last characters cannot be spaces.
  Example value: subnet-01

8. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

9. Click OK.

Precautions

After a subnet is created, five IP addresses in the subnet will be reserved and cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following five IP addresses are reserved:

- 192.168.0.0: Network address.
- 192.168.0.1: Gateway address.
- 192.168.0.253: DHCP service address.
- 192.168.0.254: Reserved for the system interface. This IP address is used by the VPC for external communication.
- 192.168.0.255: Network broadcast address.

If you set Advanced Settings to Custom during subnet creation, the reserved IP addresses may be different from the preceding default ones. The system will reserve five IP addresses based on your subnet settings.

3.4 Assigning an EIP and Binding It to an ECS

Scenarios

You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Procedure

Assign an EIP.

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Elastic IP.

5. On the Elastic IP page, click Buy EIP.

6. Set the parameters as prompted.

Table 3-7 Parameter description

Region: Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region. Example value: CN North-Beijing1

Type:
- Dynamic BGP: When changes occur on a network using dynamic BGP, routing protocols provide automatic, real-time optimization of network configurations, ensuring network stability and optimal user experience.
- Static BGP: When changes occur on a network using static BGP, carriers cannot adjust network configurations in real time to ensure optimal user experience.
Example value: Dynamic BGP

Billing Mode: The following billing modes are available: Yearly/Monthly and Pay-per-use. Example value: Pay-per-use

Tag: Specifies the EIP tag that consists of a key and value pair. The tag key and value must meet the requirements listed in Table 3-8. Example values: key Ipv4_key1, value 192.168.12.10

Select Bandwidth: Specifies whether you use existing bandwidth or allocate new bandwidth. Example value: Allocate new

Bandwidth Name: Specifies the name of the bandwidth. Example value: bandwidth

Bandwidth Type:
- Dedicated: The bandwidth can be used by only one EIP.
- Shared: The bandwidth can be allocated to multiple EIPs and can be shared among the EIPs.
Example value: Dedicated

Billed By: Specifies whether the bandwidth is charged by bandwidth size or by traffic. Example value: Bandwidth

Bandwidth Size: Specifies the bandwidth size in Mbit/s. Example value: 100

Quantity:
- You must specify the required duration if Billing Mode is set to Yearly/Monthly.
- You can set the number of EIPs to be assigned only when Billing Mode is set to Pay-per-use.
Example value: 1 or 1 month

Enterprise Project: Specifies the enterprise project to which the EIP belongs. By default, an EIP belongs to the Default project. Example value: Default

Table 3-8 EIP tag requirements

Key (example value: Ipv4_key1):
- Cannot be left blank.
- Must be unique for each EIP.
- Can contain a maximum of 36 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.

Value (example value: 192.168.12.10):
- Can contain a maximum of 43 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.

NOTE

Only outbound bandwidth is limited.

To buy a pay-per-use EIP, if you want to use the shared bandwidth, you can only select an existing shared bandwidth from the Bandwidth Name drop-down list. If the Bandwidth Name option is grayed out, there is no available bandwidth for you to choose. Allocate required bandwidth first.

7. Click Next.

8. Click Submit.

If you create a new bandwidth to buy an EIP, you also need to buy the bandwidth.

Bind an EIP.

9. On the Elastic IP page, locate the row that contains the target EIP, and click Bind.

10. On the Bind EIP page, select the desired instances.

11. Click OK in the displayed dialog box.

3.5 Creating a Security Group

Scenarios

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group. We recommend that you allocate ECSs that have different Internet access policies to different security groups.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Security Group.

5. On the Security Group page, click Create Security Group.

6. In the Create Security Group area shown in Figure 3-2, set the parameters as prompted. Table 3-9 lists the parameters to be configured.

Figure 3-2 Create Security Group

Table 3-9 Parameter description

Name: Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups. Example value: sg-318b

Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). Example value: N/A

7. Click OK.

3.6 Adding a Security Group Rule

Scenarios

After a security group is created, it has default rules. You can add new inbound and outbound rules to the security group.

- Inbound rules control incoming traffic to servers in the security group.
- Outbound rules control outgoing traffic from servers in the security group.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Security Group.

5. On the Security Group page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.

6. On the Inbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule. You can click + to add more inbound rules.

Figure 3-3 Add Inbound Rule

Table 3-10 Inbound rule parameter description

Protocol/Application: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, All, or others. Example value: TCP

Port & Source:
- Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. Example value: 22 or 22-30
- Source: specifies the source of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (CIDR block), 0.0.0.0/0 (any IP address). Example value: 0.0.0.0/0 or default

Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). Example value: N/A

7. On the Outbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule. You can click + to add more outbound rules.

Figure 3-4 Add Outbound Rule

Table 3-11 Outbound rule parameter description

Protocol/Application: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, All, or others. Example value: TCP

Port & Destination:
- Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. Example value: 22 or 22-30
- Destination: Specifies the destination of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example: xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (CIDR block), 0.0.0.0/0 (any IP address). Example value: 0.0.0.0/0 or default

Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>). Example value: N/A
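The rule parameters in Tables 3-10 and 3-11 are easier to reason about when the matching is written out. The following Python script is an added example, not part of the Huawei quick start or its console. It models inbound rules with the Table 3-10 fields (protocol, port or port range, source), decides whether a given flow is admitted, and reports administrative ports that a rule exposes to 0.0.0.0/0, the table's own example value. It assumes allow-list semantics (a flow that matches no inbound rule is dropped) and represents "source is another security group" as a source of the form sg:<group name> checked by membership; the rule set, the flows and the ADMIN_PORTS list are constructed for the example.

```python
# Added example: inbound security group rule matching and exposure check.
# Not Huawei code. Assumes allow-list semantics (no matching rule = drop)
# and models "source is another security group" as membership of a named
# group. All rule and flow values below are constructed.
import ipaddress
from dataclasses import dataclass

# Ports a defender usually does not want reachable from any address.
# This list is an assumption of the example, not from the quick start.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 6379: "redis"}


@dataclass(frozen=True)
class Rule:
    protocol: str        # "TCP", "UDP", "ICMP" or "All" (Table 3-10)
    ports: str           # "22", "22-30", or "" for any port
    source: str          # CIDR block, single IP address, or "sg:<group name>"
    description: str = ""


def parse_ports(spec: str) -> tuple:
    """Turn '22' or '22-30' into an inclusive (low, high) pair; '' means any."""
    if not spec:
        return (1, 65535)
    low, _, high = spec.partition("-")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {spec}")
    return (lo, hi)


def rule_matches(rule: Rule, protocol: str, port: int, src_ip: str,
                 src_groups: frozenset = frozenset()) -> bool:
    """True if one inbound rule admits a flow (protocol, destination port, source)."""
    if rule.protocol not in ("All", protocol):
        return False
    if protocol != "ICMP":              # ICMP has no destination port
        lo, hi = parse_ports(rule.ports)
        if not lo <= port <= hi:
            return False
    if rule.source.startswith("sg:"):   # source is another security group
        return rule.source[3:] in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def is_allowed(rules, protocol: str, port: int, src_ip: str,
               src_groups: frozenset = frozenset()) -> bool:
    """Allow-list semantics: the flow is admitted if any inbound rule matches."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups) for r in rules)


def exposed_admin_ports(rules) -> list:
    """(port, service, rule) for every admin port reachable from 0.0.0.0/0."""
    findings = []
    for r in rules:
        if r.source.startswith("sg:") or r.protocol not in ("TCP", "All"):
            continue
        if ipaddress.ip_network(r.source, strict=False).prefixlen != 0:
            continue
        lo, hi = parse_ports(r.ports)
        findings.extend((p, name, r) for p, name in ADMIN_PORTS.items() if lo <= p <= hi)
    return findings


# Constructed rule set in the shape of Table 3-10. The first rule mirrors the
# table's example values (TCP, port 22, source 0.0.0.0/0).
SAMPLE_RULES = [
    Rule("TCP", "22", "0.0.0.0/0", "ssh from anywhere (table example)"),
    Rule("TCP", "443", "0.0.0.0/0", "public https"),
    Rule("All", "", "sg:sg-318b", "traffic from members of the same group"),
]

# The same rule set with the ssh rule narrowed to one constructed office range.
HARDENED_RULES = [Rule("TCP", "22", "203.0.113.0/24", "ssh from the office")] + SAMPLE_RULES[1:]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(name, "ssh from 198.51.100.7:", is_allowed(rules, "TCP", 22, "198.51.100.7"))
        for port, service, rule in exposed_admin_ports(rules):
            print(f"  {service}/{port} open to any address via rule: {rule.description}")
```

Running the script shows the difference between the table's example source and a narrowed one: with SAMPLE_RULES, ssh is reachable from any address and the check reports it; with HARDENED_RULES only the office range can reach port 22 and the report is empty. The group rule still lets members of sg-318b reach each other on every port, which is the behaviour the quick start describes for a security group's default rule.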


4 Configuring the VPC of ECSs That Access the Internet Through a VPN

4.1 Overview

If you need to access ECSs in a VPC over the Internet to perform maintenance operations on the ECSs, you can follow the procedure shown in Figure 4-1 to configure a VPN. For example, you can configure a VPN to enable a website administrator to access ECSs functioning as service nodes in the VPC over the Internet.


Figure 4-1 Configuring the network

Table 4-1 describes the different tasks in the procedure for configuring the network.

Table 4-1 Configuration process description

Create a VPC: This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Create another subnet for the VPC: This task is optional. If you need another subnet in addition to the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.

Create a VPN: This task is mandatory. You can create a VPN to set up a secure and isolated communications tunnel between your data center and cloud services.

Create a security group: This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Add a security group rule: This task is optional. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

4.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. On the Dashboard page, click Create VPC.

5. On the Create VPC page, set parameters as prompted.

Table 4-2 VPC parameter description

Region: Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region. Example value: CN North-Beijing1

Name: Specifies the VPC name. Example value: VPC-001

CIDR Block: Specifies the CIDR block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
Example value: 192.168.0.0/16

Tag: Specifies the VPC tag, which consists of a key and value pair. You can add a maximum of ten tags to each VPC. The tag key and value must meet the requirements listed in Table 4-3. Example values: key vpc_key1, value vpc-01

Name: Specifies the subnet name. Example value: Subnet

CIDR Block: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1

DNS Server Address: The external DNS server address is used by default. If you need to change the DNS server address, ensure that the configured DNS server address is available. Example value: 192.168.1.0

Tag: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 4-4. Example values: key subnet_key1, value subnet-01

Table 4-3 VPC tag key and value requirements

Key (example value: vpc_key1):
- Cannot be left blank.
- Must be unique for the same VPC and can be the same for different VPCs.
- Can contain a maximum of 36 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.

Value (example value: vpc-01):
- Can contain a maximum of 43 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.

Table 4-4 Subnet tag key and value requirements

Key (example value: subnet_key1):
- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.

Value (example value: subnet-01):
- Can contain a maximum of 43 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.

6. Confirm the current configuration and click Create Now.

4.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created when you create a VPC. If required, you can create another subnet in the VPC.

The created subnet is configured with DHCP by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using DHCP.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Virtual Private Cloud.

5. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.

6. On the displayed Subnets tab, click Create Subnet.

7. In the Create Subnet area, set parameters as prompted.

Table 4-5 Parameter description

Name: Specifies the subnet name. Example value: Subnet

CIDR Block: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1

Tag: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 4-6. Example values: key subnet_key1, value subnet-01

Table 4-6 Subnet tag key and value requirements

Key (example value: subnet_key1):
- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.

Value (example value: subnet-01):
- Can contain a maximum of 43 characters.
- Cannot contain equal signs (=), asterisks (*), left angle brackets (<), right angle brackets (>), backslashes (\), commas (,), vertical bars (|), or slashes (/), and the first and last characters cannot be spaces.
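Tables 3-6, 3-8, 4-3, 4-4 and 4-6 all state the same key and value rules, and the Tag rows of Tables 3-5, 4-2 and 4-5 add the limit of ten tags per resource. The following Python script is an added example, not part of the Huawei quick start; it checks a resource's tag set against those rules before the tags are entered in the console, so that a rejected key or value is caught in code rather than in the dialog box. The sample tags are constructed; the first one is the document's own example.

```python
# Added example: tag key/value validation for VPCs, subnets and EIPs.
# Not Huawei code. Encodes the rules the quick start states in its tag
# requirement tables; the sample tags below are constructed.
FORBIDDEN = set('=*<>\\,|/')          # characters neither key nor value may contain
MAX_KEY, MAX_VALUE, MAX_TAGS = 36, 43, 10


def _common_problems(field: str, text: str, limit: int) -> list:
    """Rules shared by keys and values: length, forbidden characters, edge spaces."""
    problems = []
    if len(text) > limit:
        problems.append(f"{field} exceeds {limit} characters")
    bad = sorted(FORBIDDEN & set(text))
    if bad:
        problems.append(f"{field} contains forbidden characters: {''.join(bad)}")
    if text and (text[0] == " " or text[-1] == " "):
        problems.append(f"{field} starts or ends with a space")
    return problems


def validate_tag(key: str, value: str) -> list:
    """Violations for one key/value pair; an empty list means the tag is valid."""
    problems = []
    if not key:
        problems.append("key cannot be left blank")
    problems += _common_problems("key", key, MAX_KEY)
    problems += _common_problems("value", value, MAX_VALUE)
    return problems


def validate_tag_set(tags: list) -> dict:
    """Validate every tag of one resource plus the per-resource rules
    (at most ten tags, keys unique within the resource).

    Returns {label: [problems]} where label is 'tag[i]' or '*' for the
    whole set; an empty dict means the tag set is acceptable."""
    report = {}
    if len(tags) > MAX_TAGS:
        report["*"] = [f"more than {MAX_TAGS} tags on one resource"]
    seen = set()
    for i, (key, value) in enumerate(tags):
        problems = validate_tag(key, value)
        if key in seen:
            problems.append("key is not unique for this resource")
        seen.add(key)
        if problems:
            report[f"tag[{i}]"] = problems
    return report


# Constructed sample: the document's example tag followed by three bad ones.
SAMPLE_TAGS = [
    ("subnet_key1", "subnet-01"),   # document example, valid
    ("env=prod", "web"),            # '=' is forbidden in a key
    ("owner", " security-team"),    # leading space in a value
    ("subnet_key1", "subnet-02"),   # duplicate key on the same subnet
]

if __name__ == "__main__":
    for label, problems in validate_tag_set(SAMPLE_TAGS).items():
        print(label, "->", "; ".join(problems))
```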

8. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

9. Click OK.

Precautions

After a subnet is created, five IP addresses in the subnet will be reserved and cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following five IP addresses are reserved:

- 192.168.0.0: Network address.
- 192.168.0.1: Gateway address.
- 192.168.0.253: DHCP service address.
- 192.168.0.254: Reserved for the system interface. This IP address is used by the VPC for external communication.
- 192.168.0.255: Network broadcast address.

If you set Advanced Settings to Custom during subnet creation, the reserved IP addresses may be different from the preceding default ones. The system will reserve five IP addresses based on your subnet settings.
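The precautions above (identical to those in section 3.3) and the CIDR rules in Tables 4-2 and 4-5 can be checked before a subnet is created. The following Python script is an added example, not Huawei code: it verifies that a VPC CIDR lies inside one of the three supported ranges, that a subnet CIDR equals or lies within the VPC CIDR, and that the subnet is large enough to hold the five reservations, and it lists the reserved addresses by role. The reserved-address layout is taken from the document's 192.168.0.0/24 example (network address, first address as gateway, the two addresses before the broadcast address as DHCP and system interface, and the broadcast address) and applied by position to other prefix lengths, which is an assumption of this example; what the system reserves under Custom settings is not modelled.

```python
# Added example: VPC/subnet CIDR planning and the default reserved addresses.
# Not Huawei code. The reserved-address layout is taken from the document's
# 192.168.0.0/24 example and applied by position to other prefix lengths
# (an assumption); what Custom settings reserve is not modelled.
import ipaddress

# The three ranges Table 4-2 lists as supported for a VPC CIDR block.
SUPPORTED_VPC_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
RESERVED_PER_SUBNET = 5


def vpc_cidr_problems(vpc_cidr: str) -> list:
    """Empty if the VPC CIDR sits inside one of the supported ranges."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if not any(net.subnet_of(r) for r in SUPPORTED_VPC_RANGES):
        return [f"{vpc_cidr} is outside the supported VPC address ranges"]
    return []


def subnet_problems(vpc_cidr: str, subnet_cidr: str) -> list:
    """A subnet may equal the VPC CIDR or be a subset of it (Table 4-2) and
    must have room for the five reserved addresses."""
    problems = vpc_cidr_problems(vpc_cidr)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet_cidr} is not within VPC CIDR {vpc_cidr}")
    if subnet.num_addresses <= RESERVED_PER_SUBNET:
        problems.append(f"subnet {subnet_cidr} is too small for the five reserved addresses")
    return problems


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses reserved under default settings, keyed by role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first, last = int(net.network_address), int(net.broadcast_address)
    return {
        "network": str(net.network_address),
        "gateway": str(ipaddress.ip_address(first + 1)),
        "dhcp": str(ipaddress.ip_address(last - 2)),
        "system_interface": str(ipaddress.ip_address(last - 1)),
        "broadcast": str(net.broadcast_address),
    }


def usable_host_count(subnet_cidr: str) -> int:
    """Addresses left for ECS NICs after the five reservations."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    vpc, subnet = "192.168.0.0/16", "192.168.0.0/24"     # the document's example values
    print("problems:", subnet_problems(vpc, subnet) or "none")
    for role, addr in reserved_addresses(subnet).items():
        print(f"{addr:<16} {role}")
    print("usable addresses:", usable_host_count(subnet))
```

With the document's example values the script reports no problems, lists the same five addresses as the precautions above, and leaves 251 usable addresses in the /24; it is a planning aid for sizing subnets before the console creates them, and a subnet that is too small or falls outside the VPC block is reported instead of being silently accepted.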

4.4 Applying for a VPN

Overview

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. To use a VPN, you must first create one in your VPC and update the security group rules.

Description of a Simple IPsec VPN Intranet Topology

In the example shown in Figure 4-2, you have created a VPC that has two subnets, 192.168.1.0/24 and 192.168.2.0/24, on the cloud. You also have two subnets, 192.168.3.0/24 and 192.168.4.0/24, on your router deployed in your data center. In this case, you can create a VPN connection to connect the VPC subnets to the data center subnets.

Figure 4-2 IPsec VPN connection

Currently, the site-to-site VPN and hub-spoke VPN are supported. In addition to creating a VPN connection in your VPC, you also need to set up a VPN connection in your data center to enable the communication.

You must ensure that the VPN connection in your VPC and that in your data center use the same IKE and IPsec policy configurations. Before creating a VPN connection, familiarize yourself with the protocols described in Table 4-7 and ensure that your device meets the requirements of the involved protocols.

Table 4-7 Involved protocols

RFC 2409: Defines the IKE protocol, which negotiates and verifies key information to safeguard VPN connections. Requirements:
- Use the PSK to reach an IKE peer agreement.
- Use the main mode and aggressive mode for negotiation.

RFC 4301: Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components. Requirement: Set up a VPN connection using the IPsec tunnel.

Scenarios

Perform the following procedure to create a VPN connection that sets up a secure, isolated communication tunnel between your data center and cloud services. A VPN gateway is an egress gateway in your VPC for establishing an IPsec VPN connection. It is used to establish a secure, reliable, and encrypted communications channel between your VPC and external data center. A VPN connection is an encrypted communications channel established between the VPN gateway in your VPC and that in an external data center. Currently, only IPsec VPN connections are supported. You must first create a VPN gateway and then a VPN connection. Multiple VPN connections can be created for a VPN gateway.

NOTE

Currently, the function for you to create a VPN is available only to the East China regions. The function for you to create a VPN gateway and VPN connection is available only to the South China and North China regions.

Apply for a VPN Gateway.

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Network.

4. In the navigation pane on the left, choose Virtual Private Network > VPN Gateways.

5. On the VPN Gateways page, click Buy VPN Gateway.

6. Set the parameters as prompted and click Next.

Table 4-8 VPN gateway parameter description

Category: Basic information

Region: Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region. Example value: CN North-Beijing1

VPC: Specifies the name of the VPC to which the VPN has access. Example value: vpc-001

Name: Specifies the name of the VPN gateway. Example value: vpngw-001

Type: Specifies the VPN type. IPsec is selected by default. Example value: IPsec

Bandwidth: Specifies the bandwidth size (in Mbit/s) of the local VPN gateway. Example value: 100

Reliability: In the current environment, only standalone is supported. Example value: Standalone

Billed By: A VPN gateway can be billed by bandwidth or by traffic. Example value: Traffic

7. Confirm the information and click Submit.

NOTE

After a VPN gateway is created, its status in the VPN gateway list is Creating. If a VPN connection uses this VPN gateway, the VPN gateway status changes to Normal.

Apply for a VPN Connection.

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Network.

4. In the navigation pane on the left, choose Virtual Private Network > VPN Connections.

5. On the VPN Connection page, click Buy VPN Connection.

6. Set the parameters as prompted and click Next.

Table 4-9 VPN connection parameter description

Category: Payment

Billing Mode: VPN connections are pay-per-use. Example value: Pay-per-use

Category: Basic information

Region: Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region. Example value: CN North-Beijing1

VPN Gateway: Specifies the name of the VPN gateway used by the VPN connection. Example value: vpcgw-001

Name: Specifies the VPN connection name. Example value: vpn-001

PSK: Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPN in the VPC and that in the data center. Example value: Test@123

Confirm PSK: Specifies the confirm pre-shared key. Example value: Test@123

Local Subnet: Specifies the VPC subnets that need to communicate with your data center or private network. You can set the local subnet using either of the following methods:
- Select existing subnets.
- Manually specify one or more CIDR blocks.
Example values: 192.168.1.0/24, 192.168.2.0/24

Remote Gateway: Specifies the public IP address of the VPN in your data center or on the private network. This IP address is used for communicating with the VPN in the VPC. In active-active mode, you can enter two remote gateway addresses. Example value: N/A

Remote Subnet: Specifies the subnets of your data center or private network for communicating with the VPC. The remote and local subnets cannot have overlapping or matching CIDR blocks. The remote subnet CIDR block cannot overlap with CIDR blocks involved in existing VPC peering connections created for the local VPC. Example values: 192.168.3.0/24, 192.168.4.0/24

Advanced Settings:
- Default configuration
- Custom configuration: uses custom IKE and IPsec policies. For details about the policies, see Table 4-10 and Table 4-11.
Example value: Custom configuration

Table 4-10 IKE policy

Authentication Algorithm: Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. The default value is sha1. Example value: sha1

Encryption Algorithm: Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. The default value is aes-128. Example value: aes-128

DH Algorithm: Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. The default value is group5. Example value: group5

Version: Specifies the version of the IKE protocol. The value can be v1 or v2. The default value is v1. Example value: v1

Lifecycle (s): Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. The default value is 86400. Example value: 86,400

Negotiation Mode: If the IKE policy version is v1, the negotiation mode can be configured. The value can be main or aggressive. The default value is main. Example value: main

Table 4-11 IPsec policy

Authentication Algorithm: Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. The default value is sha1. Example value: sha1

Encryption Algorithm: Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. The default value is aes-128. Example value: aes-128

DH Algorithm: Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. The default value is group5. Example value: group5

Transfer Protocol: Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be ah, esp, or ah-esp. The default value is esp. Example value: esp

Lifecycle (s): Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. The default value is 3600. Example value: 3600

NOTE

The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. These parameters must be the same between the VPN connection in your VPC and that in your data center. If they are different, the VPN tunnel cannot be set up.

7. Click Submit.After the IPsec VPN is created, a public network egress IP address is assigned to theIPsec VPN. The IP address is the local gateway address of a created VPN connection onthe network console. When configuring the peer tunnel in your data center, you must setthe remote gateway address to this IP address.

Figure 4-3 Gateway egress IP address

8. Due to the symmetry of the tunnel, you also need to configure the IPsec VPN on your router or firewall in the data center.
– For details about the VPN configuration, see section How Do I Configure a Remote Device for a VPN.
– For a list of protocols supported by VPN connections, see section What Are the Reference Standards and Protocols for the IPsec VPN.
– For a list of supported VPN devices, see section Which Remote VPN Devices Are Supported.
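As an added example (not part of the Huawei document), the following Python check compares the IKE/IPsec policy parameters configured on the VPC side with those configured on the data-center device, reporting every mismatch and every use of 3des, which the tables above mark as risky. The allowed values and defaults come from the tables; the dictionary keys and function names are assumptions.

```python
# Added example, not code from the Huawei document: check that the IKE/IPsec
# policy on the VPC side and on the data-center device agree, since the tunnel
# is not set up when they differ. Allowed values and defaults follow the tables
# above; the dict layout and function names are this example's assumptions.
ALLOWED = {
    "authentication_algorithm": {"sha1", "sha2-256", "sha2-384", "sha2-512", "md5"},
    "encryption_algorithm": {"aes-128", "aes-192", "aes-256", "3des"},
    "dh_algorithm": {"group2", "group5", "group14"},
    "transfer_protocol": {"ah", "esp", "ah-esp"},
}
# Defaults from the tables, used for any parameter a side leaves unset.
DEFAULTS = {
    "authentication_algorithm": "sha1",
    "encryption_algorithm": "aes-128",
    "dh_algorithm": "group5",
    "transfer_protocol": "esp",
    "lifecycle": 3600,  # seconds; the SA is renegotiated when it expires
}
# The tables mark 3des as risky; flag it even when both sides agree on it.
DISCOURAGED = {"encryption_algorithm": {"3des"}}


def check_policy(local, remote):
    """Return a list of problems; an empty list means the two sides can negotiate."""
    problems = []
    for name, default in DEFAULTS.items():
        lval = local.get(name, default)
        rval = remote.get(name, default)
        for side, val in (("local", lval), ("remote", rval)):
            if name in ALLOWED and val not in ALLOWED[name]:
                problems.append(f"{side}: {name}={val!r} is not a supported value")
            elif val in DISCOURAGED.get(name, ()):
                problems.append(f"{side}: {name}={val!r} is not recommended (risky)")
        if lval != rval:
            problems.append(f"{name}: local={lval!r} remote={rval!r} must be the same")
    return problems


if __name__ == "__main__":
    # Constructed sample: the data-center side still uses 3des.
    vpc_side = {"encryption_algorithm": "aes-256", "lifecycle": 3600}
    dc_side = {"encryption_algorithm": "3des", "dh_algorithm": "group5"}
    for problem in check_policy(vpc_side, dc_side):
        print(problem)
```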

4.5 Creating a Security Group

Scenarios

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group. We recommend that you allocate ECSs that have different Internet access policies to different security groups.


Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Security Group.

5. On the Security Group page, click Create Security Group.

6. In the Create Security Group area shown in Figure 4-4, set the parameters as prompted. Table 4-12 lists the parameters to be configured.

Figure 4-4 Create Security Group

Table 4-12 Parameter description

Name
Description: Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups.
Example value: sg-318b


Description
Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
Example value: N/A

7. Click OK.

4.6 Adding a Security Group Rule

Scenarios

After a security group is created, it has default rules. You can add new inbound and outbound rules to the security group.

• Inbound rules control incoming traffic to servers in the security group.
• Outbound rules control outgoing traffic from servers in the security group.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, click Security Group.

5. On the Security Group page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.

6. On the Inbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule. You can click + to add more inbound rules.

Figure 4-5 Add Inbound Rule


Table 4-13 Inbound rule parameter description

Protocol/Application
Description: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, All, or others.
Example value: TCP

Port & Source
Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
Example value: 22 or 22-30
Source: specifies the source of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:
xxx.xxx.xxx.xxx/32 (IPv4 address)
xxx.xxx.xxx.0/24 (CIDR block)
0.0.0.0/0 (any IP address)
Example value: 0.0.0.0/0, default

Description
Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
Example value: N/A

7. On the Outbound tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule. You can click + to add more outbound rules.

Figure 4-6 Add Outbound Rule

Table 4-14 Outbound rule parameter description

Protocol/Application
Description: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, All, or others.
Example value: TCP


Port & Destination
Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
Example value: 22 or 22-30
Destination: specifies the destination of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:
xxx.xxx.xxx.xxx/32 (IPv4 address)
xxx.xxx.xxx.0/24 (CIDR block)
0.0.0.0/0 (any IP address)
Example value: 0.0.0.0/0, default

Description
Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (<) or (>).
Example value: N/A
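An added example (not from the Huawei document) that serves both section 4.5 and section 4.6: Python checks for the security group name and description limits in Table 4-12, for the port, source/destination and description fields of an inbound or outbound rule in Tables 4-13 and 4-14, and a check that flags rules whose source or destination is 0.0.0.0/0. The rule dictionary keys and the function names are assumptions.

```python
import ipaddress
import re

# Added example, not code from the Huawei document. The rule dict keys
# ("protocol", "port", "endpoint", "description") are this example's assumptions.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # Table 4-12: letters, digits, _ - .; no spaces

def check_name(name):
    """Security group name: mandatory, at most 64 characters, no spaces."""
    return bool(NAME_RE.match(name))

def check_description(desc):
    """Optional; at most 255 characters and no angle brackets (Tables 4-12 to 4-14)."""
    return len(desc) <= 255 and "<" not in desc and ">" not in desc

def check_port(port):
    """Accept a single port ('22') or a range ('22-30') with both ends in 1..65535."""
    parts = port.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)

def check_endpoint(value, known_groups=()):
    """Source/destination: another security group, a CIDR block or a single IP."""
    if value in known_groups:
        return True
    try:
        ipaddress.ip_network(value)  # accepts x.x.x.x/32, x.x.x.0/24 and 0.0.0.0/0
        return True
    except ValueError:
        return False

def check_rule(rule, known_groups=()):
    """Return the list of problems with one inbound/outbound rule (empty means OK)."""
    problems = []
    # Assumption: a port or port range is only checked for TCP and UDP rules.
    if rule.get("protocol") in ("TCP", "UDP") and not check_port(rule.get("port", "")):
        problems.append("port must be a port or range within 1-65535, e.g. 22 or 22-30")
    if not check_endpoint(rule.get("endpoint", ""), known_groups):
        problems.append("source/destination must be a security group, CIDR block or IP address")
    if not check_description(rule.get("description", "")):
        problems.append("description: at most 255 characters, no < or >")
    return problems

def open_to_any_ip(rule):
    """True when the source/destination is 0.0.0.0/0, i.e. the port is reachable from any IP."""
    return rule.get("endpoint") == "0.0.0.0/0"
```

Rules that pass check_rule but return True from open_to_any_ip are the ones worth reviewing before submitting, especially for administrative ports such as the page's example port 22.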
