
Virtual Private Cloud

User Guide

Issue 05

Date 2017-07-20

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 05 (2017-07-20) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


Contents

1 Overview
  1.1 Concepts
    1.1.1 Virtual Private Cloud
    1.1.2 Subnet
    1.1.3 Elastic IP Address
    1.1.4 Custom Route
      1.1.4.1 Route Table
      1.1.4.2 SNAT
    1.1.5 Bandwidth
    1.1.6 Security Group
    1.1.7 VPN
    1.1.8 Remote Gateway
    1.1.9 Remote Subnet
    1.1.10 VPC Peering Connection
    1.1.11 Firewall
  1.2 Access and Use
    1.2.1 VPC Functions and Application Scenarios
    1.2.2 Relationships with Other Services
    1.2.3 Accessing the VPC
  1.3 Pricing
    1.3.1 Charging Standards

2 Getting Started
  2.1 Typical Application Scenarios
  2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet
    2.2.1 Overview
    2.2.2 Creating a VPC
    2.2.3 Creating a Subnet for the VPC
    2.2.4 Creating a Security Group
    2.2.5 Adding a Security Group Rule
  2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs
    2.3.1 Overview
    2.3.2 Creating a VPC
    2.3.3 Creating a Subnet for the VPC
    2.3.4 Assigning an EIP and Binding It to an ECS
    2.3.5 Creating a Security Group
    2.3.6 Adding a Security Group Rule
  2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN
    2.4.1 Overview
    2.4.2 Creating a VPC
    2.4.3 Creating a Subnet for the VPC
    2.4.4 Applying for VPN Permission and Creating a VPN
    2.4.5 Creating a Security Group
    2.4.6 Adding a Security Group Rule

3 VPC and Subnet
  3.1 Creating a VPC
  3.2 Modifying a VPC
  3.3 Creating a Subnet for the VPC
  3.4 Modifying a Subnet
  3.5 Assigning a Private IP Address to an ECS
  3.6 Releasing an ECS Private IP Address
  3.7 Querying and Modifying Bandwidth
  3.8 Deleting a VPC
    3.8.1 Deleting a VPN
    3.8.2 Deleting a Subnet
    3.8.3 Deleting a VPC

4 Security
  4.1 Security Group
    4.1.1 Creating a Security Group
    4.1.2 Adding a Security Group Rule
    4.1.3 Deleting a Security Group Rule
    4.1.4 Deleting a Security Group
  4.2 Firewall
    4.2.1 Creating a Firewall
    4.2.2 Enabling or Disabling a Firewall
    4.2.3 Associating Subnets with a Firewall
    4.2.4 Performing Operations on a Firewall Rule
      4.2.4.1 Adding a Firewall Rule
      4.2.4.2 Enabling or Disabling a Firewall Rule
      4.2.4.3 Modifying a Firewall Rule
      4.2.4.4 Changing the Sequence of a Firewall Rule
      4.2.4.5 Deleting a Firewall Rule
    4.2.5 Viewing a Firewall
    4.2.6 Modifying a Firewall
    4.2.7 Deleting a Firewall
    4.2.8 Disassociating a Subnet from a Firewall

5 Network Components
  5.1 EIP
    5.1.1 Assigning an EIP and Binding It to an ECS
    5.1.2 Unbinding an EIP from an ECS and Releasing the EIP
  5.2 Custom Route
    5.2.1 Configuring a SNAT Server
    5.2.2 Adding a Route
    5.2.3 Querying a Route
    5.2.4 Modifying a Route
    5.2.5 Deleting a Route
  5.3 VPC Peering Connection
    5.3.1 VPC Peering Connection Creation Procedure
    5.3.2 VPC Peering Connection Configuration Plans
    5.3.3 Creating a VPC Peering Connection with Another VPC of Your Own
    5.3.4 Creating a VPC Peering Connection with a VPC of Another Tenant
    5.3.5 Viewing VPC Peering Connections
    5.3.6 Modifying a VPC Peering Connection
    5.3.7 Deleting a VPC Peering Connection
    5.3.8 Viewing Routes Configured for a VPC Peering Connection on the Peering Connection Details Page
    5.3.9 Viewing Routes Configured for a VPC Peering Connection in the VPC Peering Route Table
    5.3.10 Deleting a Route on the VPC Peering Connection Details Page
    5.3.11 Deleting a Route from the VPC Peering Route Table
  5.4 VPN
  5.5 Direct Connect

6 FAQs
  6.1 What Is Virtual Private Cloud?
  6.2 Is the VPC Service Charged?
  6.3 Which CIDR Blocks Are Available to the VPC Service?
  6.4 How Many VPCs Can I Create?
  6.5 Can Subnets Communicate with Each Other?
  6.6 What Subnet CIDR Blocks Are Available?
  6.7 Can I Change the Network Segments Available to Subnets?
  6.8 How Many Subnets Can I Create?
  6.9 What Is the Bandwidth Size Range?
  6.10 What Bandwidth Types Does the VPC Service Support?
  6.11 Do I Need to Apply for the Shared Bandwidth?
  6.12 How Can I Apply for the Shared Bandwidth?
  6.13 How Many Elastic IP Addresses Can One Shared Bandwidth Service Centrally Control?
  6.14 Can I Use the Shared Bandwidth for an Elastic IP Address That Is Limited by the Exclusive Bandwidth?
  6.15 What Are EIPs?
  6.16 How Does an ECS Use an EIP?
  6.17 How Many ECSs Can One EIP Be Assigned to?
  6.18 How Can I Access an ECS from Another Security Group After an EIP Is Bound to the ECS?
  6.19 How Many IPsec VPNs Can I Create?
  6.20 What Is a Security Group?
  6.21 Which Protocols Does a Security Group Support?
  6.22 What Are the Functions of the Default Security Group Rule?
  6.23 How Can I Configure Security Group Rules?
  6.24 Can I Change the Security Group to Which an ECS Belongs?
  6.25 How Many Security Groups Can Each User Have?
  6.26 Is the Security Group Service Charged?
  6.27 Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict?
  6.28 What Is a Resource Quota?
  6.29 How Do I Configure a Remote Device for a VPN?
  6.30 Which Remote VPN Devices Are Supported?
  6.31 What Are the Reference Standards and Protocols for the IPsec VPN?
  6.32 What Do I Do If VPN Connection Setup Fails?
  6.33 What Do I Do If I Cannot Access the ECSs from My Data Center or LAN After a VPN Connection Has Been Set Up?
  6.34 What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?
  6.35 Does a VPN Allow for Communication Between Two VPCs?
  6.36 How Can I Configure a Security Group for Multi-Channel Protocols?
  6.37 Why Cannot I Access Public Websites Through Domain Names or Access Internal Domain Names in the Cloud When My ECS Has Multiple NICs?
  6.38 What Is a Route Table?
  6.39 Can a Route Table Span Multiple VPCs?
  6.40 How Many Routes Can Be Contained in a Route Table?
  6.41 What Are the Limitations of a Route Table?
  6.42 Does a Route Table Incur Any Charges?
  6.43 Do the Direct Connect Connections and Custom Routes in the Same VPC Have Routing Priority Competition?
  6.44 What Are the Routing Priorities of the VPN and Custom Routes in the Same VPC?
  6.45 What Are the Limitations of VPC Peering?
  6.46 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other?
  6.47 How Many VPC Peering Connections Can I Have?
  6.48 How Many Routes Can Be Added for a VPC?
  6.49 Does a Security Group Rule or Firewall Rule Immediately Take Effect for Its Original Traffic After Being Modified?
  6.50 What Can I Do If a Subnet Cannot Be Deleted Because It Is Used By Other Resources?

A Change History


1 Overview

1.1 Concepts

1.1.1 Virtual Private Cloud

The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving the security of resources in the cloud system and simplifying network deployment.

You can create security groups and VPNs, configure IP address segments, and specify bandwidth sizes in your VPC. With a VPC, you can manage and configure internal networks and change network configurations, simplifying network management. You can also customize access rules to control ECS access within a security group and across different security groups to enhance ECS security.

To be specific, a VPC enables you to:

- Have full control over your virtual networks, for example, creating your own network and configuring the DHCP service.
- Create security groups to improve your network security.
- Assign elastic IP addresses (EIPs) for use in a VPC, and bind them to ECSs in your VPC to connect the ECSs to the Internet.
- Use a VPN to connect a VPC to your physical data center for smooth application migration to the cloud.
- Communicate with other VPCs using VPC peering connections.


Figure 1-1 VPC components

1.1.2 Subnet

A subnet is a network segment inside a VPC that carries the network plane of the ECSs placed in it. It provides IP address management and DNS. The IP addresses of all ECSs in a subnet belong to the subnet's address range.

By default, ECSs in all subnets of the same VPC can communicate with one another, while ECSs in different VPCs cannot. A subnet boundary inside a VPC is therefore not an access-control boundary on its own; to restrict traffic between subnets or between ECSs, use security groups (section 1.1.6) or firewalls associated with the subnets (section 1.1.11).

You can create VPC peering connections to enable ECSs in different VPCs to communicate with one another. For details, see section 1.1.10 VPC Peering Connection.

1.1.3 Elastic IP Address

An EIP is a static, public IP address. You can bind an EIP to an ECS in your subnet and unbind it again later. An EIP enables an ECS in your VPC to communicate with the Internet through a fixed public IP address. Once an EIP is bound, the ECS is also reachable from the Internet, so inbound access to it should be limited by security group rules (section 1.1.6).

1.1.4 Custom Route

1.1.4.1 Route Table

A route table contains a set of rules that are used to determine where network traffic is directed. You can add routes to a route table to enable other ECSs in a VPC to access the Internet through the ECS that has an EIP bound.

You can use the route table function configured in standalone or active/standby mode.

- Figure 1-2 shows the route table function configured in standalone mode.


Figure 1-2 Route table function configured in standalone mode

In standalone mode, ECSs in a VPC that do not have EIPs bound access the Internet through an ECS that has an EIP bound and has the source network address translation (SNAT) function configured.

In standalone mode, you can add a route table for the VPC used by ECSs that do not have EIPs bound to enable these ECSs to access the Internet. The next hop in the route table is set to the private IP address of the ECS that has an EIP bound (the private IP address of the SNAT server).

- Figure 1-3 shows the route table function configured in active/standby mode.

Figure 1-3 Route table function configured in active/standby mode


In active/standby mode, ECSs in a VPC that do not have EIPs bound access the Internet through two ECSs that have EIPs bound and have the SNAT function configured.

In active/standby mode, you can add a route table for the VPC used by ECSs that do not have EIPs bound to enable these ECSs to access the Internet. The next hop in the route table is set to the floating private IP address of the two ECSs that have EIPs bound.

In both the standalone and active/standby modes, the ECSs that have EIPs bound must have the SNAT function. For details about the SNAT function, see section 1.1.4.2 SNAT. For details about how to configure an ECS as the SNAT server, see section 5.2.1 Configuring a SNAT Server.

NOTICE

- Before using the route table function, you need to deploy the SNAT server. For details, see section 5.2.1 Configuring a SNAT Server.

- The ECS providing SNAT can have only one network interface card (NIC).

- The ECS providing SNAT must have the source/destination check function disabled.

- In active/standby mode, if the floating private IP address is set to the next hop in a route table, EIPs bound with all floating private IP addresses in the VPC will become invalid.

1.1.4.2 SNAT

Some ECSs not only require services provided by the system but also need to access the Internet to obtain information or download software. Then, users can bind EIPs to virtual NICs (ports) of ECSs to enable the ECSs to access the Internet. However, assigning a public IP address to each ECS consumes already-limited IPv4 addresses, incurs additional costs, and may increase the attack surface for a virtual environment. Therefore, enabling multiple ECSs to share one public IP address is a preferable and feasible method. This can be done using SNAT.

The public cloud system supports SNAT. A public IP address is assigned to an ECS that serves as the SNAT router or gateway for other ECSs from the same subnet or VPC.

For details about how to configure SNAT, see section 5.2.1 Configuring a SNAT Server.
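The standalone-mode route table and the NOTICE conditions for the SNAT server, modelled in Python as an added example (not code from this guide): a longest-prefix route lookup whose default route points at the SNAT server's private IP, plus a check that the chosen ECS has an EIP, a single NIC and the source/destination check disabled. The addresses and the Ecs/Route/Vpc field names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the objects the guide describes. Field names are assumptions.


@dataclass
class Ecs:
    name: str
    private_ip: str
    has_eip: bool = False
    nic_count: int = 1
    src_dst_check: bool = True     # platform default; must be disabled on the SNAT server
    snat_configured: bool = False  # True once the ECS has been set up as the SNAT server


@dataclass
class Route:
    destination: str   # destination CIDR; 0.0.0.0/0 covers "everything outside the VPC"
    next_hop: str      # private IP of the SNAT server (the floating IP in active/standby mode)


@dataclass
class Vpc:
    cidr: str
    routes: List[Route] = field(default_factory=list)


def snat_server_problems(ecs: Ecs, vpc: Vpc) -> List[str]:
    """Return the NOTICE conditions of 1.1.4.1 that the ECS violates (empty = usable as SNAT server)."""
    problems = []
    if not ecs.has_eip:
        problems.append("no EIP bound")
    if not ecs.snat_configured:
        problems.append("SNAT function not configured")
    if ecs.nic_count != 1:
        problems.append("SNAT ECS must have exactly one NIC")
    if ecs.src_dst_check:
        problems.append("source/destination check must be disabled")
    if ipaddress.ip_address(ecs.private_ip) not in ipaddress.ip_network(vpc.cidr):
        problems.append("private IP is not inside the VPC CIDR")
    return problems


def next_hop_for(vpc: Vpc, dst_ip: str) -> Optional[str]:
    """Longest-prefix match: destinations inside the VPC CIDR stay local; otherwise the most
    specific custom route wins. Returns "local", a next-hop IP, or None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    vpc_net = ipaddress.ip_network(vpc.cidr)
    best: Optional[str] = None
    best_len = -1
    if dst in vpc_net:
        best, best_len = "local", vpc_net.prefixlen
    for route in vpc.routes:
        net = ipaddress.ip_network(route.destination)
        if dst in net and net.prefixlen > best_len:
            best, best_len = route.next_hop, net.prefixlen
    return best


def internet_path(vpc: Vpc, ecs: Ecs, dst_ip: str) -> str:
    """Describe how an ECS reaches dst_ip: locally, directly through its own EIP (assumed),
    through the SNAT server named in the route table, or not at all."""
    hop = next_hop_for(vpc, dst_ip)
    if hop == "local":
        return "local"
    if ecs.has_eip:
        return "direct via EIP"
    if hop is None:
        return "unreachable: no route"
    return f"via SNAT server {hop}"


# Constructed sample: standalone mode with one SNAT server at 192.168.0.10 (assumed addresses).
VPC = Vpc("192.168.0.0/16", [Route("0.0.0.0/0", "192.168.0.10")])
SNAT_ECS = Ecs("snat-01", "192.168.0.10", has_eip=True, src_dst_check=False, snat_configured=True)
APP_ECS = Ecs("app-01", "192.168.1.5")                                 # no EIP, relies on the route
BAD_SNAT = Ecs("snat-02", "192.168.0.11", has_eip=True, nic_count=2)   # violates the NOTICE

if __name__ == "__main__":
    print(snat_server_problems(SNAT_ECS, VPC))          # []
    print(snat_server_problems(BAD_SNAT, VPC))
    print(internet_path(VPC, APP_ECS, "203.0.113.10"))  # via SNAT server 192.168.0.10
    print(internet_path(VPC, APP_ECS, "192.168.2.7"))   # local
```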

1.1.5 Bandwidth

You can allocate bandwidth when assigning an EIP so that the ECS bound with the EIP can use the bandwidth to access the Internet.

The bandwidth displays network resource usage and can be used for service metering.

1.1.6 Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules.


1.1.7 VPN

A virtual private network (VPN) establishes an encrypted communication tunnel between a remote user and a VPC, enabling the remote user to use service resources in the VPC through the VPN.

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To enable communication between them, you can create a VPN.

For more information about VPNs, see the VPN User Guide.

1.1.8 Remote Gateway

A remote gateway is the public IP address of the physical device on the peer side in an IPsec VPN tunnel. The remote gateway of each IPsec VPN must be unique.

1.1.9 Remote Subnet

A remote subnet is the destination network reachable through the tunnel. All IP packets sent to the network are transmitted through the IPsec VPN tunnel. You can configure more than one remote subnet. The remote subnet of a VPN cannot be a subnet in the VPC where the VPN is created.

1.1.10 VPC Peering Connection

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same VPC. You can create a VPC peering connection between your own VPCs, or between your VPC and another tenant's VPC within the same region.

For details, see section 5.3 VPC Peering Connection.

1.1.11 Firewall

A firewall consists of one or more access control lists (ACLs). Based on inbound and outbound network ACLs, the firewall determines whether data packets are allowed in or out of any associated subnet.

1.2 Access and Use

1.2.1 VPC Functions and Application Scenarios

Functions

A VPC provides the following functions:

- Private network customization

You can customize private subnets in your VPC and deploy applications and other services in the subnets accordingly.

- Flexible security policy configuration


You can use security groups to divide ECSs in a VPC into different security zones and then configure different access control rules for each security zone.

An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external networks. If a security group has no access rules after an ECS is added to the security group, the communication between the ECS and the external network is blocked. The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access external networks. The security group function cannot resolve problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to the network configuration, they still cannot communicate with each other even if you configure a security group rule to allow the communication between them.

- EIP binding

You can assign an independent EIP in your VPC. The EIP can be bound to or unbound from an ECS as required. The binding and unbinding operations take effect immediately after the operations are performed.

- VPN access

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To enable communication between them, you can enable the VPN function.

A VPN connects your data center or private network to a VPC, enabling you to migrate your applications to the cloud.

Application Scenarios

- Hosting universal web applications

You can host web applications and websites in a VPC and use the VPC as a common network. You can also create a subnet in the VPC, add ECSs to the subnet, and then assign EIPs to the ECSs to enable the ECSs to communicate with the Internet for running web applications on the ECSs. The VPN gateway is used to establish a VPN channel between the web applications and the service system in the cloud, ensuring high-speed interconnection between the website and the service system.

- Hosting security-demanding services

You can place multi-tier web applications into different security groups, and configure access control rules for each security group as required. In a VPC, you can add the web servers and database servers to different security groups. The subnet to which the web servers belong allows access from the Internet, but the subnet to which the databases belong allows only internal access. This method ensures database server security, meeting high security requirements.

- Extending your corporate network into the cloud

You can connect a VPC to your private cloud using a VPN. With the VPN between the VPC and your traditional data center, you can easily use the ECSs and block storage resources. Applications can be migrated to the cloud and additional web servers can be created to increase the computing capacity on a network. In this way, a hybrid cloud is built, which reduces IT O&M costs and protects enterprise core data from being leaked. VPCs can be created across AZs, thereby ensuring high availability of e-commerce systems.


1.2.2 Relationships with Other Services

- EIPs need to be bound to required ECSs provided by the ECS service.
- Elastic Load Balance (ELB) uses the EIP and bandwidth provided by the VPC service.
- After the VPC service becomes available to you, you can use Cloud Eye (CES) to view the status of monitored objects of the service without requiring additional plug-ins to be installed. Table 1-1 lists the VPC monitoring metrics supported by CES.

Table 1-1 VPC monitoring metrics

Upstream bandwidth: Specifies the outbound network rate of the monitored object. Value range: ≥ 0 bit/s. Monitored object: Bandwidth or EIP.

Downstream bandwidth: Specifies the inbound network rate of the monitored object. Value range: ≥ 0 bit/s. Monitored object: Bandwidth or EIP.

Upstream traffic: Specifies the outbound network traffic of the monitored object. Value range: ≥ 0 byte. Monitored object: Bandwidth or EIP.

Downstream traffic: Specifies the inbound network traffic of the monitored object. Value range: ≥ 0 byte. Monitored object: Bandwidth or EIP.

1.2.3 Accessing the VPC

Web-based service management platforms, including the management console and HTTPS-based application programming interface (API), are provided for you to access the VPC service. The detailed methods for accessing the VPC service are as follows:

- API: If you need to integrate the VPC service in the public cloud system into a third-party system for secondary development, use the API to access the VPC service. For details, see the Virtual Private Cloud API Reference.

- Management console: You can log in to the management console to perform other required operations on the VPC service. You can access the VPC service by logging in to the management console and selecting Virtual Private Cloud from the console homepage.

1.3 Pricing


1.3.1 Charging Standards

Bandwidth

- Charging mode: pay-per-use or monthly/yearly
- Charging factor:
  – Bandwidth size (Mbit/s). You need to pay a higher fee to use a higher bandwidth.
  – Use duration.
  – EIP: The total fees you need to pay for EIPs can be obtained by multiplying the number of EIPs you use by the unit price of an EIP.
  – Traffic

VPN

- Charging mode: pay-per-use
- Charging factor: use duration


2 Getting Started

2.1 Typical Application Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

- If your ECSs do not need to access the Internet, for example, the ECSs functioning as the database or server nodes for deploying a website, you can configure a VPC for the ECSs by following the instructions described in section 2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet.

- If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. Then, you can configure the VPC of these ECSs by following the instructions provided in section 2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs.

- If you need to access ECSs in a VPC over the Internet to perform maintenance operations, you can configure a VPN. For example, a website administrator needs to use a VPN to access ECSs functioning as service nodes in the VPC over the Internet. Then, you can configure the VPC of these ECSs by following the instructions provided in section 2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN.

2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet

2.2.1 Overview

If your ECSs do not need to access the Internet, for example, the ECSs functioning as the database nodes or server nodes for deploying a website, you can follow the procedure shown in Figure 2-1 to configure a VPC for the ECSs.


Figure 2-1 Configuring the network

Table 2-1 describes the different tasks in the procedure for configuring the network.

Table 2-1 Configuration process description

Create a VPC: This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Create another subnet for the VPC: This task is optional. If you need another subnet in addition to the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.


Create a security group: This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Add a security group rule: This task is optional. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

2.2.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Apply for VPC.

On the displayed Apply for VPC page shown in Figure 2-2, set the parameters as prompted.


Figure 2-2 Apply for VPC

Table 2-2 Parameter description

Name: Specifies the VPC name. Example value: VPC-001

VPC CIDR: Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, 192.168.0.0/16–24. Example value: 192.168.0.0/16

AZ: Specifies the AZ to which the VPC subnet belongs. Example value: AZ1

Name: Specifies the subnet name. Example value: Subnet

CIDR: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1


DHCP: Specifies whether to enable the DHCP function for the VPC. Example value: Enabled
- Enabled: enables the DHCP function. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.

4. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

5. Read and agree to the service agreement. Click Create Now.
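The VPC CIDR and subnet constraints from Table 2-2 (supported blocks 10.0.0.0/8–24, 172.16.0.0/12–24 and 192.168.0.0/16–24; a subnet CIDR within the VPC CIDR; a gateway such as 192.168.0.1) as a Python validator you can run before filling in the console form. This is an added example, not code from the guide or the console; the first-host default gateway and the no-overlap check between subnets are assumptions the table does not state.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Supported VPC CIDR blocks from Table 2-2: (base block, smallest prefix, largest prefix).
SUPPORTED_VPC_BLOCKS = (
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
)


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept a VPC CIDR only if it lies inside one of the supported private blocks with a
    prefix length in that block's allowed range. strict=True rejects host bits set in the
    address part (for example 192.168.0.1/16)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 CIDR blocks are listed in Table 2-2")
    for base, lo, hi in SUPPORTED_VPC_BLOCKS:
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return net
    raise ValueError(f"{cidr}: not a supported VPC CIDR block")


def validate_subnet(vpc_cidr: str, subnet_cidr: str, gateway: Optional[str] = None,
                    existing: Iterable[str] = ()) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]:
    """Check a subnet against its VPC: the subnet CIDR must be within the VPC CIDR (it may
    equal it for a single-subnet VPC); the gateway must be a usable host address inside the
    subnet, defaulting to the first host (192.168.0.1 for 192.168.0.0/24, as in the table's
    example); and, as an assumption the guide does not state, it must not overlap an
    existing subnet of the same VPC."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if not isinstance(subnet, ipaddress.IPv4Network) or not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet_cidr}: not within VPC CIDR {vpc_cidr}")
    for other in existing:
        if subnet.overlaps(ipaddress.ip_network(other)):
            raise ValueError(f"{subnet_cidr}: overlaps existing subnet {other}")
    gw = ipaddress.ip_address(gateway) if gateway else subnet.network_address + 1
    if gw not in subnet or gw in (subnet.network_address, subnet.broadcast_address):
        raise ValueError(f"gateway {gw}: not a usable host address in {subnet_cidr}")
    return subnet, gw


if __name__ == "__main__":
    # Constructed inputs matching the example values of Table 2-2.
    print(validate_vpc_cidr("192.168.0.0/16"))
    print(validate_subnet("192.168.0.0/16", "192.168.0.0/24", "192.168.0.1"))
    for bad in ("10.0.0.0/7", "10.1.0.0/25", "203.0.113.0/24"):
        try:
            validate_vpc_cidr(bad)
        except ValueError as err:
            print(err)
```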

2.2.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, select the VPC for which a subnet is to be created.

4. On the Subnet page, click Create Subnet.

5. In the Create Subnet area shown in Figure 2-3, set the parameters as prompted.

Figure 2-3 Create Subnet


Table 2-3 Parameter description

AZ: Specifies the AZ to which the VPC subnet belongs. Example value: AZ1

Name: Specifies the subnet name. Example value: Subnet

CIDR: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1

DHCP: Specifies whether to enable the DHCP function for the VPC. Example value: Enabled
- Enabled: enables the DHCP function. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.

6. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

7. Click OK.

2.2.4 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group.

After a security group is created, it comes with a default security group rule if you do not specify a rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.


5. In the Create Security Group area shown in Figure 2-4, set the parameters as prompted. Table 2-4 lists the parameters to be configured.

Figure 2-4 Create Security Group

Table 2-4 Parameter description

Parameter Description Example Value

Name: Specifies the security group name. This parameter is mandatory. The security group name contains a maximum of 64 characters, which consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces. Example value: sg-34d6
NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups.

Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 128 characters and cannot contain angle brackets (<) or (>). Example value: N/A

6. Click OK.


2.2.5 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.

- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

- The default security group has the preceding two inbound rules by default. Security groups created by users do not have the preceding two inbound rules by default.

- Set Source to the IP address segment containing the IP address of the server accommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, expand the target security group and click Add Rule.
5. On the page shown in Figure 2-5, add a security group rule.


Figure 2-5 Add Rule

Table 2-5 Parameter description

Protocol: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or ANY. Example value: TCP

Transfer Direction: Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Inbound traffic flows to ECSs in a security group, and outbound traffic flows from ECSs in a security group. Example value: Inbound

Port Range: Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. Example value: 22 or 22-30


Source: Specifies either the source IP address and subnet mask or the source security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). Example value: 0.0.0.0/0 (default)

Destination: Specifies either the destination IP address and subnet mask or the destination security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). Example value: 0.0.0.0/0 (default)

Destination can be set to Security Group or IP Address. The details are as follows:
– IP Address: This rule takes effect for the specified IP addresses. 0.0.0.0/0 indicates that this rule takes effect for all IP addresses.
– Security Group: This rule takes effect for all ECSs in the selected security group.

6. Click OK.
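The security group semantics this section describes (the default rule allows all outgoing packets, ECSs in the same group reach each other without rules, inbound traffic is blocked unless an inbound rule matches, Source given as an IP/subnet or as a security group, Port Range written as "22" or "22-30") modelled in Python as an added example that is not code from the guide or the platform. It also includes a review check for the NOTE above: admin ports reachable from 0.0.0.0/0. The group names, addresses and admin-port list are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_MIN, PORT_MAX = 1, 65535


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse the Port Range field of Table 2-5: "22" or "22-30", both ends within 1-65535."""
    parts = text.split("-")
    if len(parts) not in (1, 2) or not all(p.strip().isdigit() for p in parts):
        raise ValueError(f"bad port range {text!r}")
    lo, hi = int(parts[0]), int(parts[-1])
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError(f"port range {text!r} outside {PORT_MIN}-{PORT_MAX}")
    return lo, hi


@dataclass(frozen=True)
class Rule:
    direction: str                      # "Inbound" or "Outbound"
    protocol: str                       # "TCP", "UDP", "ICMP" or "ANY"
    ports: Optional[str] = None         # Port Range text; None for ICMP/ANY
    remote_cidr: Optional[str] = None   # Source (Inbound) or Destination (Outbound) as IP/subnet
    remote_sg: Optional[str] = None     # ... or as a security group name


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    rules: Tuple[Rule, ...] = ()


# The default rule every security group starts with: all outgoing packets are allowed.
DEFAULT_OUTBOUND = Rule("Outbound", "ANY", None, "0.0.0.0/0")


def rule_matches(rule: Rule, direction: str, proto: str, port: Optional[int],
                 remote_ip: str, sg_of: Dict[str, str]) -> bool:
    """sg_of maps an ECS private IP to the name of the security group it belongs to."""
    if rule.direction != direction:
        return False
    if rule.protocol != "ANY" and rule.protocol != proto:
        return False
    if rule.ports is not None:
        lo, hi = parse_port_range(rule.ports)
        if port is None or not lo <= port <= hi:
            return False
    if rule.remote_cidr is not None:
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote_cidr)
    if rule.remote_sg is not None:
        return sg_of.get(remote_ip) == rule.remote_sg
    return False


def is_allowed(sg: SecurityGroup, direction: str, proto: str, port: Optional[int],
               remote_ip: str, sg_of: Dict[str, str]) -> bool:
    """Decide whether traffic between an ECS in `sg` and `remote_ip` is permitted: members of
    the same group reach each other without rules, outbound is covered by the default rule,
    and inbound is blocked unless an inbound rule matches."""
    if sg_of.get(remote_ip) == sg.name:
        return True
    return any(rule_matches(r, direction, proto, port, remote_ip, sg_of)
               for r in (*sg.rules, DEFAULT_OUTBOUND))


ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # the two ports the section uses as examples


def wide_open_admin_rules(sg: SecurityGroup) -> List[str]:
    """Flag inbound rules that expose SSH or RDP to 0.0.0.0/0, which the NOTE says means every
    IP address may connect; the section recommends a Source limited to the address segment
    of the server that needs access."""
    findings = []
    for r in sg.rules:
        if r.direction != "Inbound" or r.remote_cidr is None or r.protocol not in ("TCP", "ANY"):
            continue
        if ipaddress.ip_network(r.remote_cidr).prefixlen != 0:
            continue
        if r.ports is None:
            findings.append(f"{sg.name}: all ports open to 0.0.0.0/0")
            continue
        lo, hi = parse_port_range(r.ports)
        for p, svc in ADMIN_PORTS.items():
            if lo <= p <= hi:
                findings.append(f"{sg.name}: {svc} (TCP {p}) open to 0.0.0.0/0")
    return findings


# Constructed sample (names and addresses are assumptions): a web tier reachable on 80 from
# anywhere and on 22 only from an admin subnet, a database tier reachable on 3306 only from
# members of the web group, and a group with the pattern the NOTE warns about.
WEB = SecurityGroup("sg-web", (
    Rule("Inbound", "TCP", "80", "0.0.0.0/0"),
    Rule("Inbound", "TCP", "22", "203.0.113.0/24"),
))
DB = SecurityGroup("sg-db", (Rule("Inbound", "TCP", "3306", remote_sg="sg-web"),))
RISKY = SecurityGroup("sg-risky", (Rule("Inbound", "TCP", "22-30", "0.0.0.0/0"),))
SG_OF = {"192.168.0.11": "sg-web", "192.168.0.12": "sg-web", "192.168.1.20": "sg-db"}

if __name__ == "__main__":
    print(is_allowed(WEB, "Inbound", "TCP", 22, "198.51.100.7", SG_OF))   # False
    print(is_allowed(DB, "Inbound", "TCP", 3306, "192.168.0.11", SG_OF))  # True
    print(wide_open_admin_rules(RISKY))
```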

2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs

2.3.1 Overview

If your ECSs need to access the Internet, for example, the ECSs functioning as the service nodes for deploying a website, you can follow the procedure shown in Figure 2-6 to bind EIPs to the ECSs.


Figure 2-6 Configuring the network

Table 2-6 describes the different tasks in the procedure for configuring the network.

Table 2-6 Configuration process description

Task Description

Create a VPC: This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet you specified. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Create another subnet for the VPC: This task is optional. If you need another subnet besides the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.

Assign an EIP and bind it to an ECS: This task is mandatory. You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.


Create a security group: This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Add a security group rule: This task is optional. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

2.3.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Apply for VPC.

On the displayed Apply for VPC page shown in Figure 2-7, set the parameters as prompted.


Figure 2-7 Apply for VPC

Table 2-7 Parameter description

Name: Specifies the VPC name. Example value: VPC-001

VPC CIDR: Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, 192.168.0.0/16–24. Example value: 192.168.0.0/16

AZ: Specifies the AZ to which the VPC subnet belongs. Example value: AZ1

Name: Specifies the subnet name. Example value: Subnet

CIDR: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1


DHCP: Specifies whether to enable the DHCP function for the VPC. Example value: Enabled
- Enabled: enables the DHCP function. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.

4. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

5. Read and agree to the service agreement. Click Create Now.

2.3.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, select the VPC for which a subnet is to be created.

4. On the Subnet page, click Create Subnet.

5. In the Create Subnet area shown in Figure 2-8, set the parameters as prompted.

Figure 2-8 Create Subnet

Virtual Private CloudUser Guide 2 Getting Started

Issue 05 (2017-07-20) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

22

Page 29: User Guide · 2019. 7. 18. · 1.1.1 Virtual Private Cloud The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual

Table 2-8 Parameter description

Parameter Description Example Value

AZ Specifies the AZ to which the VPC subnetbelongs.

AZ1

Name Specifies the subnet name. Subnet

CIDR Specifies the CIDR block for the subnet. Thisvalue must be within the VPC CIDR range.

192.168.0.0/24

Gateway Specifies the gateway address of the subnet. 192.168.0.1

DHCP Specifies whether to enable the DHCPfunction for the VPC.l Enabled: enables the DHCP function.

After an ECS using this VPC starts, theECS automatically obtains an IP addressusing the DHCP protocol.

l Disabled: disables the DHCP function.After an ECS using this VPC starts, theECS cannot automatically obtain an IPaddress. You must manually assign an IPaddress to the ECS.

Enabled

6. The external DNS server address is used by default. If you need to change the DNS

server address, click Show Advanced Settings and configure the DNS server addresses.You must ensure that the configured DNS server addresses are available.

7. Click OK.
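The CIDR constraints in Tables 2-7 and 2-8 (a VPC block must come from one of the three supported ranges with a prefix length in the allowed window, every subnet must sit inside the VPC block, and the gateway is the first usable address) are easy to get wrong when you plan several subnets at once. The following Python script is an added example, not code from this guide or from Huawei; it checks an address plan offline with the standard ipaddress module before you type the values into the console. The "no two subnets overlap" check is an assumption this example adds, since the guide only states that each subnet must lie within the VPC range.

```python
"""Added example (not Huawei code): check a VPC/subnet plan offline against the
CIDR constraints in Tables 2-7 and 2-8 before entering it in the console."""
from __future__ import annotations

import ipaddress

# Supported VPC CIDR blocks from Table 2-7: base block -> (min, max) prefix length.
VPC_RANGES = {
    ipaddress.ip_network("10.0.0.0/8"): (8, 24),
    ipaddress.ip_network("172.16.0.0/12"): (12, 24),
    ipaddress.ip_network("192.168.0.0/16"): (16, 24),
}


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the VPC network if it is a supported block, otherwise raise ValueError.

    strict=True makes ipaddress reject host bits set in the network part
    (for example 192.168.1.0/16), which the console would not accept either.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("only IPv4 VPC CIDR blocks are supported")
    for base, (lo, hi) in VPC_RANGES.items():
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return net
    raise ValueError(f"{cidr} is not a supported VPC CIDR block")


def gateway_address(subnet: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """First usable address of the subnet, the convention used in the guide's
    examples (192.168.0.0/24 -> 192.168.0.1)."""
    return subnet.network_address + 1


def plan_subnets(vpc_cidr: str, subnet_cidrs: list[str]) -> dict[str, str]:
    """Validate that every subnet lies inside the VPC and that no two subnets
    overlap (an assumption added by this example), then return a mapping of
    subnet CIDR -> gateway address."""
    vpc = validate_vpc_cidr(vpc_cidr)
    accepted: list[ipaddress.IPv4Network] = []
    plan: dict[str, str] = {}
    for cidr in subnet_cidrs:
        subnet = ipaddress.ip_network(cidr, strict=True)
        if not subnet.subnet_of(vpc):
            raise ValueError(f"subnet {subnet} is outside VPC {vpc}")
        for other in accepted:
            if subnet.overlaps(other):
                raise ValueError(f"subnet {subnet} overlaps {other}")
        accepted.append(subnet)
        plan[str(subnet)] = str(gateway_address(subnet))
    return plan


if __name__ == "__main__":
    # Constructed input mirroring the guide's example values.
    print(plan_subnets("192.168.0.0/16", ["192.168.0.0/24", "192.168.1.0/24"]))
```

Run it with the VPC block and the list of subnets you intend to create; a ValueError names the first subnet that is outside the VPC, overlaps another, or whose VPC block is outside the supported ranges.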

2.3.4 Assigning an EIP and Binding It to an ECS

Scenarios

You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet. Once bound, the ECS is also reachable from the Internet on every port that its security group allows inbound, so review the group's inbound rules before binding.

Procedure

Assign an EIP.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose Elastic IP Address.
4. On the Elastic IP Address page, click Assign EIP.
5. In the displayed Assign EIP area shown in Figure 2-9, set the parameters as prompted.

Figure 2-9 Apply for EIP

Table 2-9 Parameter description

Flavor: Dynamic BGP: When changes occur on a network using dynamic BGP, routing protocols provide automatic, real-time optimization of network configurations, ensuring network stability and optimal user experience. Static BGP: When changes occur on a network using static BGP, carriers cannot adjust network configurations in real time to ensure optimal user experience. Example value: Dynamic BGP

Charge Mode: The following charging modes are available: Yearly/Monthly, Metered. Example value: Metered

Validity Period: You must specify the validity period if Charge Mode is set to Metered. Example value: 1 month

Select Bandwidth: You can allocate bandwidth to the EIP. Example value: Create Bandwidth

Bandwidth Name: Specifies the name of the bandwidth. Example value: bandwidth

Sharing Type: The following bandwidth types are available:
- Exclusive: The bandwidth can be used by only one EIP.
- Shared: The bandwidth can be allocated to multiple EIPs and shared among them.
The bandwidth sharing type cannot be changed after the EIP is obtained. Example value: Exclusive

Measured By: Specifies whether the bandwidth is metered by bandwidth size or by traffic. Example value: By Bandwidth

Bandwidth Size: Specifies the bandwidth size in Mbit/s. Example value: 100

Quantity: Specifies the number of EIPs to be obtained. You can set Quantity only when Sharing Type is set to Exclusive. Example value: 1

If Select Bandwidth is set to Create Bandwidth, Sharing Type of the new bandwidth can be set to Exclusive or Shared. To create a shared bandwidth, you are required to submit a work order. For details, see section How Can I Apply for the Shared Bandwidth?.

NOTE

Only outbound bandwidth is limited.

6. Click Buy Now.
7. Confirm the order, and read and agree to the service agreement. Click Submit.

If you specify the bandwidth size when assigning an EIP, you also need to pay for the bandwidth.

Bind an EIP.

8. On the Elastic IP Address page, locate the row that contains the target EIP, and click Bind.
9. On the Bind IP Address page, select the required cloud server and NIC.
10. Click OK in the displayed dialog box.

2.3.5 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group.

After a security group is created, it comes with a default security group rule if you do not specify a rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group. "Mutually trusted" is meant literally: any ECS in the group can reach any port on any other member, so place ECSs with different exposure (for example, public web front ends and databases) in different groups.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, click Create Security Group.

5. In the Create Security Group area shown in Figure 2-10, set the parameters as prompted. Table 2-10 lists the parameters to be configured.

Figure 2-10 Create Security Group

Table 2-10 Parameter description

Name: Specifies the security group name. This parameter is mandatory. The security group name contains a maximum of 64 characters, which consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces. NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups. Example value: sg-34d6

Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 128 characters and cannot contain angle brackets (<) or (>). Example value: N/A

6. Click OK.

2.3.6 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.
- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.
- The default security group has the preceding two inbound rules by default. Security groups created by users do not have the preceding two inbound rules by default.
- Set Source to the IP address range of the hosts that will connect to the target ECS (for example, your office or bastion host range), not to 0.0.0.0/0.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group. Combined with an EIP, a 0.0.0.0/0 rule on port 22 or 3389 exposes the login service to the whole Internet; narrow the source before binding an EIP.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, expand the target security group and click Add Rule.

5. On the page shown in Figure 2-11, add a security group rule.

Figure 2-11 Add Rule

Table 2-11 Parameter description

Protocol: Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or ANY. Example value: TCP

Transfer Direction: Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Inbound traffic flows to ECSs in a security group, and outbound traffic flows from ECSs in a security group. Example value: Inbound

Port Range: Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. Example value: 22 or 22-30

Source: Specifies either the source IP address and subnet mask or the source security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). Example value: 0.0.0.0/0 (default)

Destination: Specifies either the destination IP address and subnet mask or the destination security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address). Example value: 0.0.0.0/0 (default)

Source and Destination can each be set to Security Group or IP Address. The details are as follows:
– IP Address: This rule takes effect for the specified IP addresses. 0.0.0.0/0 indicates that this rule takes effect for all IP addresses.
– Security Group: This rule takes effect for all ECSs in the selected security group.

6. Click OK.
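The rule semantics spelled out in sections 2.3.5 and 2.3.6 (all outbound traffic allowed by default, members of a group trusted among themselves, inbound access only through explicit rules whose Source is a CIDR or another security group) are simple enough to model, and a model lets you audit a rule set before it is applied. The following Python script is an added example and not code from this guide or from Huawei; the rule set, the office range 203.0.113.0/24 and the flows are constructed for illustration, and the "allow-only, first match wins" evaluation is this example's reading of the guide rather than a documented console behaviour.

```python
"""Added example (not Huawei code): a model of the security-group semantics
described in sections 2.3.5 and 2.3.6, used to check a rule set offline."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_IP = "0.0.0.0/0"
ADMIN_PORTS = (22, 3389)  # SSH and MSTSC/RDP, the two examples in the guide


@dataclass(frozen=True)
class Rule:
    direction: str                          # "Inbound" or "Outbound"
    protocol: str                           # "TCP", "UDP", "ICMP" or "ANY"
    port_range: Optional[Tuple[int, int]]   # None = all ports (ICMP / ANY)
    peer: str                               # Source (inbound) or Destination (outbound):
                                            # a CIDR such as "203.0.113.0/24" or a group name


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    port: Optional[int]
    peer_ip: str
    peer_sg: Optional[str] = None           # security group of the peer ECS, if in the VPC


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if this rule permits the flow."""
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "ANY" and rule.protocol != flow.protocol:
        return False
    if rule.port_range is not None:
        if flow.port is None:
            return False
        lo, hi = rule.port_range
        if not lo <= flow.port <= hi:
            return False
    try:
        net = ipaddress.ip_network(rule.peer, strict=False)
    except ValueError:
        # Not a CIDR, so the peer names a security group.
        return flow.peer_sg == rule.peer
    return ipaddress.ip_address(flow.peer_ip) in net


class SecurityGroup:
    def __init__(self, name: str, rules: Tuple[Rule, ...] = ()):
        self.name = name
        # Defaults from the guide: all outbound traffic is allowed and members
        # of the group can reach each other without extra rules.
        self.rules = [
            Rule("Outbound", "ANY", None, ANY_IP),
            Rule("Inbound", "ANY", None, name),
        ] + list(rules)

    def allows(self, flow: Flow) -> bool:
        """Rules are allow-only: a flow passes if any rule matches it."""
        return any(rule_matches(r, flow) for r in self.rules)

    def admin_ports_open_to_internet(self) -> list[Rule]:
        """Inbound rules that expose port 22 or 3389 to 0.0.0.0/0, the
        configuration the NOTE in section 2.3.6 warns about."""
        exposed = []
        for r in self.rules:
            if r.direction != "Inbound" or r.peer != ANY_IP:
                continue
            if r.protocol not in ("TCP", "ANY"):
                continue
            if r.port_range is None or any(
                r.port_range[0] <= p <= r.port_range[1] for p in ADMIN_PORTS
            ):
                exposed.append(r)
        return exposed


if __name__ == "__main__":
    # Constructed rule set: SSH only from an assumed office range 203.0.113.0/24.
    sg = SecurityGroup("sg-34d6", (Rule("Inbound", "TCP", (22, 22), "203.0.113.0/24"),))
    print(sg.allows(Flow("Inbound", "TCP", 22, "203.0.113.7")))     # True
    print(sg.allows(Flow("Inbound", "TCP", 22, "198.51.100.9")))    # False
    print(sg.admin_ports_open_to_internet())                        # []
```

Feed it the rules you intend to add and the flows you expect (and a few you do not); admin_ports_open_to_internet() is the check worth running on every group that will have an EIP-bound ECS in it.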

2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN

2.4.1 Overview

If you need to access ECSs in a VPC over the Internet to perform maintenance operations on the ECSs, you can follow the procedure shown in Figure 2-12 to configure a VPN. For example, you can configure a VPN to enable a website administrator to access ECSs functioning as service nodes in the VPC over the Internet.

Figure 2-12 Configuring the network

Table 2-12 describes the different tasks in the procedure for configuring the network.

Table 2-12 Configuration process description

Create a VPC: This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with the default subnet you specified. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Create another subnet for the VPC: This task is optional. If you need another subnet besides the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.

Create a VPN: This task is mandatory. You can create an IPsec VPN to set up a secure and isolated communication tunnel between your data center and cloud services.

Create a security group: This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Add a security group rule: This task is optional. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule does not meet your service requirements, you can add a security group rule.

2.4.2 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedures provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Apply for VPC.

On the displayed Apply for VPC page shown in Figure 2-13, set the parameters as prompted.

Figure 2-13 Apply for VPC

Table 2-13 Parameter description

Name: Specifies the VPC name. Example value: VPC-001

VPC CIDR: Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block of the VPC (a single subnet in the VPC) or a subset of it (multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, and 192.168.0.0/16–24 (the range after the slash is the allowed prefix length). Example value: 192.168.0.0/16

The remaining parameters describe the default subnet that is created together with the VPC.

AZ: Specifies the AZ to which the VPC subnet belongs. Example value: AZ1

Name: Specifies the subnet name. Example value: Subnet

CIDR: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1

DHCP: Specifies whether to enable DHCP for the VPC.
- Enabled: After an ECS in this VPC starts, it automatically obtains an IP address over DHCP.
- Disabled: After an ECS in this VPC starts, it cannot obtain an IP address automatically; you must assign one manually.
Example value: Enabled

4. The external DNS server address is used by default. If you need to change it, click Show Advanced Settings and configure the DNS server addresses. Make sure the configured DNS servers are reachable.

5. Read and agree to the service agreement. Click Create Now.

2.4.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, select the VPC for which a subnet is to be created.

4. On the Subnet page, click Create Subnet.

5. In the Create Subnet area shown in Figure 2-14, set the parameters as prompted.

Figure 2-14 Create Subnet

Table 2-14 Parameter description

AZ: Specifies the AZ to which the VPC subnet belongs. Example value: AZ1

Name: Specifies the subnet name. Example value: Subnet

CIDR: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1

DHCP: Specifies whether to enable DHCP for the VPC.
- Enabled: After an ECS in this VPC starts, it automatically obtains an IP address over DHCP.
- Disabled: After an ECS in this VPC starts, it cannot obtain an IP address automatically; you must assign one manually.
Example value: Enabled

6. The external DNS server address is used by default. If you need to change it, click Show Advanced Settings and configure the DNS server addresses. Make sure the configured DNS servers are reachable.

7. Click OK.

2.4.4 Applying for VPN Permission and Creating a VPN

Overview

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To enable communication between them, use a VPN. To use a VPN, you must first create one in your VPC and then update the security group rules so that traffic from the remote subnets is allowed in.

Description of a Simple IPsec VPN Intranet Topology

In the example shown in Figure 2-15, you have created a VPC that has two subnets, 192.168.1.0/24 and 192.168.2.0/24, on the cloud. You also have two subnets, 192.168.3.0/24 and 192.168.4.0/24, on your router deployed in your physical data center. In this case, you can create a VPN to connect the VPC subnets to the data center subnets.

Figure 2-15 IPsec VPN

Currently, the site-to-site VPN and hub-spoke VPN are supported. In addition to creating a VPN in your VPC, you also need to set up a VPN in your physical data center to establish the VPN connection.

You must ensure that the VPN in your VPC and that in your physical data center use the same IKE and IPsec policy configurations. Before creating a VPN, familiarize yourself with the protocols described in Table 2-15 and ensure that your device meets the requirements and configuration constraints of the involved protocols.

Table 2-15 Involved protocols

RFC 2409: Defines the IKE protocol, which negotiates and verifies key information to safeguard VPN connections. Constraints: use a PSK to authenticate the IKE peers, and use main mode for the negotiation (not aggressive mode, which sends the PSK-derived identity hash unencrypted and exposes it to offline guessing).

RFC 4301: Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components. Constraint: set up the VPN connection using an IPsec tunnel.

Provision the VPN Service

Before applying for a VPN, you are required to submit a work order to provision the VPN service.

1. Log in to the management console.

2. On the console homepage, under Network, click VPN.

3. On the VPN page, click Provision Now.

4. In User Center, submit a work order. Figure 2-16 shows the page for submitting a work order.

Figure 2-16 Submitting a work order

– Cloud Service Zone: Select the zone where your resources are located.
– Service Type: Choose VPC.
– Question Template: Choose Enable Network Function.
– Question Description: Include the following information in the question description:
  - Application reason
  - Services to be provisioned, such as the shared bandwidth or VPN.
– Specify other parameters as prompted.

Apply for VPN

Perform the following procedure to create an IPsec VPN that sets up a secure, isolated communication tunnel between your data center and cloud services.

1. Sign up and log in to the management console.
2. On the console homepage, under Network, click VPN.
3. On the VPN page, click Create VPN.
4. Set the parameters as prompted and click Buy Now.

Figure 2-17 Creating a VPN

Table 2-16, Table 2-17, and Table 2-18 list the parameters and their descriptions.

Table 2-16 Basic parameters

VPC: Specifies the name of the VPC. Example value: VPC-001

Name: Specifies the name of the VPN. Example value: VPN-001

PSK: Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPC VPN and the data center VPN. Use a long, randomly generated key: any IKE peer that knows the PSK can impersonate your data center, so a short, guessable value such as the example is acceptable only in a lab. Example value: Test@123

Confirm PSK: Specifies the pre-shared key again for confirmation. Example value: Test@123

Type: Specifies the VPN type. IPsec is selected by default. Example value: IPsec

Local Subnets: Specifies the VPC subnets that need to communicate with your data center or private network. Example value: 192.168.1.0/24, 192.168.2.0/24

Remote Gateway: Specifies the public IP address of the VPN in your data center or on the private network. This IP address is used for communicating with the VPC VPN. Example value: 88.88.88.88

Remote Subnets: Specifies the subnets of your data center or private network for communicating with the VPC. The remote and local subnets cannot have overlapping or identical CIDR blocks. The remote subnet CIDR block also cannot overlap with CIDR blocks involved in existing VPC peering connections created for the local VPC. Example value: 192.168.3.0/24, 192.168.4.0/24

Table 2-17 IKE policy

Authentication Algorithm: Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. Prefer a sha2 variant; md5 and sha1 are deprecated for new deployments. Example value: sha1

Encryption Algorithm: Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. Example value: aes-128

DH Algorithm: Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. Prefer group14 (2048-bit MODP); group2 (1024-bit MODP) is too weak for new deployments. Example value: group5

Version: Specifies the version of the IKE protocol. The value can be v1 or v2. Example value: v1

Lifecycle (s): Specifies the lifetime of the security association (SA), in seconds. The SA is renegotiated when its lifetime expires. Example value: 86400

Table 2-18 IPsec policy

Authentication Algorithm: Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5. Prefer a sha2 variant; md5 and sha1 are deprecated for new deployments. Example value: sha1

Encryption Algorithm: Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. Example value: aes-128

DH Algorithm: Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. Prefer group14; group2 is too weak for new deployments. Example value: group5

Transfer Protocol: Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be ah, esp, or ah-esp. Only esp (or ah-esp) encrypts the payload; ah alone provides integrity without confidentiality. Example value: esp

Lifecycle (s): Specifies the lifetime of the SA, in seconds. The SA is renegotiated when its lifetime expires. Example value: 3600

NOTE

The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. These parameters must be the same between your VPC VPN and your data center VPN. If they are different, the VPN tunnel cannot be set up.

5. Read and agree to the service agreement. Click Submit.

After the IPsec VPN is created, a public network egress IP address is assigned to the IPsec VPN. This IP address is the local gateway address of the created VPN on the VPN page shown in Figure 2-18. When configuring the peer tunnel in your data center, you must set the remote gateway address to this IP address.

Figure 2-18 Gateway ingress IP address

6. Because the tunnel is symmetric, you also need to configure the IPsec VPN on your router or firewall in the data center.
– For details about the VPN configuration, see section How Can I Configure the Remote Device for a VPN?.
– For a list of protocols supported by VPN connections, see section What Are the Reference Standards and Protocols for the IPsec VPN?.
– For a list of supported VPN devices, see section Which Remote VPN Devices Are Supported?.
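The NOTE above and step 6 together describe a symmetric configuration: the PSK and every IKE and IPsec policy field must be identical on the VPC side and on the data center router, and the two sides' subnets (Table 2-16) must not overlap. Mismatches are usually found only when the tunnel fails to come up, so it helps to compare both sides' intended settings first. The following Python script is an added example, not code from this guide or from Huawei: it models an endpoint with the fields from Tables 2-16 to 2-18, reports every mismatch and subnet overlap, and additionally flags the menu choices (md5, sha1, 3des, group2, ah alone) that this example treats as deprecated. The local gateway 203.0.113.10, the PSK and the policy values in the demo are constructed; only 88.88.88.88 and the subnets come from the guide's example.

```python
"""Added example (not Huawei code): compare the two ends of the IPsec VPN from
section 2.4.4 the way the NOTE requires, and flag deprecated algorithm choices
that the menus in Tables 2-17 and 2-18 still allow."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, fields
from typing import Tuple

# Menu values this example treats as deprecated for a new tunnel.
WEAK_CHOICES = {"md5", "sha1", "3des", "group2"}


@dataclass(frozen=True)
class IkePolicy:
    auth: str       # sha1, sha2-256, sha2-384, sha2-512, md5
    enc: str        # aes-128, aes-192, aes-256, 3des
    dh: str         # group2, group5, group14
    version: str    # v1, v2
    lifetime: int   # seconds


@dataclass(frozen=True)
class IpsecPolicy:
    auth: str
    enc: str
    dh: str
    transfer: str   # ah, esp, ah-esp
    lifetime: int


@dataclass(frozen=True)
class VpnEndpoint:
    name: str
    gateway: str                 # public IP of this end (the other end's Remote Gateway)
    subnets: Tuple[str, ...]     # subnets behind this end (the other end's Remote Subnets)
    psk: str
    ike: IkePolicy
    ipsec: IpsecPolicy


def check_vpn_pair(local: VpnEndpoint, remote: VpnEndpoint) -> list[str]:
    """Return a list of problems; an empty list means both ends agree on every
    policy field, share the PSK, use no deprecated choice and have disjoint subnets."""
    problems: list[str] = []
    if local.psk != remote.psk:
        problems.append("PSK differs between the two ends")
    if not 6 <= len(local.psk) <= 128:
        problems.append("PSK length is outside the 6-128 character limit")
    # Every IKE and IPsec field must match (NOTE in section 2.4.4).
    for phase in ("ike", "ipsec"):
        a, b = getattr(local, phase), getattr(remote, phase)
        for f in fields(a):
            va, vb = getattr(a, f.name), getattr(b, f.name)
            if va != vb:
                problems.append(f"{phase}.{f.name} mismatch: {va} vs {vb}")
            for v in {va, vb}:
                if str(v) in WEAK_CHOICES:
                    problems.append(f"{phase}.{f.name} uses weak algorithm {v}")
    if local.ipsec.transfer == "ah":
        problems.append("ipsec.transfer ah gives integrity only, no confidentiality")
    # Table 2-16: local and remote subnets may not overlap or coincide.
    for ls in local.subnets:
        for rs in remote.subnets:
            if ipaddress.ip_network(ls).overlaps(ipaddress.ip_network(rs)):
                problems.append(f"local subnet {ls} overlaps remote subnet {rs}")
    return problems


if __name__ == "__main__":
    # Constructed demo: the VPC side versus a data center router that was left
    # on the guide's example values (sha1, group5, v1, PSK Test@123).
    ike = IkePolicy("sha2-256", "aes-256", "group14", "v2", 86400)
    ipsec = IpsecPolicy("sha2-256", "aes-256", "group14", "esp", 3600)
    vpc = VpnEndpoint("VPN-001", "203.0.113.10", ("192.168.1.0/24", "192.168.2.0/24"),
                      "k7vQ2pX9mL4sR8tW", ike, ipsec)
    dc = VpnEndpoint("dc-router", "88.88.88.88", ("192.168.3.0/24", "192.168.4.0/24"),
                     "Test@123", IkePolicy("sha1", "aes-128", "group5", "v1", 86400), ipsec)
    for problem in check_vpn_pair(vpc, dc):
        print(problem)
```

Fill in both endpoints from the console form and from the router configuration; an empty result means the tunnel will not fail on a policy or PSK mismatch, and each reported line points at the exact field to correct on one side.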

2.4.5 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group.

After a security group is created, it comes with a default security group rule if you do not specify a rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. In the Create Security Group area shown in Figure 2-19, set the parameters as prompted. Table 2-19 lists the parameters to be configured.

Figure 2-19 Create Security Group

Table 2-19 Parameter description

Name: Specifies the security group name. This parameter is mandatory. The security group name contains a maximum of 64 characters, which consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces. NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups. Example value: sg-34d6

Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 128 characters and cannot contain angle brackets (<) or (>). Example value: N/A

6. Click OK.

2.4.6 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group canaccess each other without the need to add rules. After a security group is created, you cancreate different access rules for the security group to protect the ECSs that are added to thissecurity group.

To access ECSs in a security group from external resources, create an inbound rule for thesecurity group, for example:

l To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocolis set to TCP and Port Range is set to 3389.

l To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is setto TCP and Port Range is set to 22.

l The default security group has the preceding two inbound rules by default. Securitygroups created by users do not have the preceding two inbound rules by default.

l Set Source to the IP address segment containing the IP address of the serveraccommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the securitygroup.

Procedure1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, expand the target security group and click Add Rule.

5. On the page shown in Figure 2-20, add a security group rule.

Virtual Private CloudUser Guide 2 Getting Started

Issue 05 (2017-07-20) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

41

Page 48: User Guide · 2019. 7. 18. · 1.1.1 Virtual Private Cloud The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual

Figure 2-20 Add Rule

Table 2-20 Parameter description

Protocol
  Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or ANY.
  Example value: TCP

Transfer Direction
  Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Inbound traffic flows to ECSs in a security group, and outbound traffic flows from ECSs in a security group.
  Example value: Inbound

Port Range
  Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
  Example value: 22 or 22-30

Source
  Specifies either the source IP address and subnet mask or the source security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
  Example value: 0.0.0.0/0 (default)

Destination
  Specifies either the destination IP address and subnet mask or the destination security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
  Example value: 0.0.0.0/0 (default)

Destination can be set to Security Group or IP Address. The details are as follows:

– IP Address: This rule takes effect for the specified IP addresses. 0.0.0.0/0 indicates that this rule takes effect for all IP addresses.

– Security Group: This rule takes effect for all ECSs in the selected security group.

6. Click OK.


3 VPC and Subnet

3.1 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Apply for VPC.

On the displayed Apply for VPC page shown in Figure 3-1, set the parameters as prompted.


Figure 3-1 Apply for VPC

Table 3-1 Parameter description

Name
  Specifies the VPC name.
  Example value: VPC-001

VPC CIDR
  Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0/8–24, 172.16.0.0/12–24, 192.168.0.0/16–24.
  Example value: 192.168.0.0/16

AZ
  Specifies the AZ to which the VPC subnet belongs.
  Example value: AZ1

Name
  Specifies the subnet name.
  Example value: Subnet

CIDR
  Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
  Example value: 192.168.0.0/24

Gateway
  Specifies the gateway address of the subnet.
  Example value: 192.168.0.1

DHCP
  Specifies whether to enable the DHCP function for the VPC.
  - Enabled: enables the DHCP function. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
  - Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
  Example value: Enabled

4. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

5. Read and agree to the service agreement. Click Create Now.
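Added example, not code from the guide: a small checker that applies the Table 3-1 constraints (supported VPC CIDR blocks, subnet CIDR within the VPC CIDR, gateway inside the subnet) to a proposed VPC and subnet before the form is submitted. Function names are mine, and the rule that the gateway must not be the network or broadcast address is standard IPv4 practice rather than something the guide states.

```python
# Added example (not part of the Huawei VPC User Guide). It validates the
# VPC CIDR, subnet CIDR and gateway fields of Table 3-1 using the constraints
# the table states; helper names are my own.
import ipaddress
from typing import List

# Supported VPC blocks from Table 3-1: (base block, smallest prefix, largest prefix).
SUPPORTED_VPC_BLOCKS = (
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
)


def validate_vpc_cidr(cidr: str) -> List[str]:
    """Return the problems found with a VPC CIDR; an empty list means it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"VPC CIDR {cidr!r} is not a valid network: {exc}"]
    if net.version != 4:
        return [f"VPC CIDR {cidr} is not IPv4; Table 3-1 lists IPv4 blocks only"]
    for base, lo, hi in SUPPORTED_VPC_BLOCKS:
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return []
    return [
        f"VPC CIDR {cidr} is outside the supported blocks "
        "10.0.0.0/8-24, 172.16.0.0/12-24, 192.168.0.0/16-24"
    ]


def validate_subnet(vpc_cidr: str, subnet_cidr: str, gateway: str) -> List[str]:
    """Check a subnet against its VPC: CIDR inside the VPC range, gateway usable in the subnet."""
    problems = validate_vpc_cidr(vpc_cidr)
    if problems:
        return problems
    vpc = ipaddress.ip_network(vpc_cidr)
    try:
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    except ValueError as exc:
        return [f"subnet CIDR {subnet_cidr!r} is not a valid network: {exc}"]
    # Table 3-1: the subnet CIDR may equal the VPC CIDR or be a subset of it.
    if subnet.version != vpc.version or not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet_cidr} is not within VPC CIDR {vpc_cidr}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return problems + [f"gateway {gateway!r} is not a valid IP address"]
    # Assumption (standard IPv4 practice, not stated by the guide): the gateway is a
    # host address of the subnet, i.e. neither its network nor its broadcast address.
    if gw not in subnet:
        problems.append(f"gateway {gateway} is not inside subnet {subnet_cidr}")
    elif gw in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"gateway {gateway} is the network or broadcast address of {subnet_cidr}")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the Example Value column of Table 3-1.
    print(validate_subnet("192.168.0.0/16", "192.168.0.0/24", "192.168.0.1"))   # []
    print(validate_subnet("192.168.0.0/16", "10.0.1.0/24", "10.0.1.1"))         # subnet outside VPC
    print(validate_subnet("8.8.0.0/16", "8.8.1.0/24", "8.8.1.1"))               # unsupported VPC block
```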

3.2 Modifying a VPC

Scenarios

If the VPC CIDR conflicts with the subnet of a VPN created in the VPC, you can modify the VPC to change the VPC address range.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Virtual Private Cloud page, locate the VPC to be modified and click .
4. In the Modify dialog box shown in Figure 3-2, set the parameters as prompted.

Figure 3-2 Modifying a VPC

5. Click OK.


3.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select the VPC for which a subnet is to be created.
4. On the Subnet page, click Create Subnet.
5. In the Create Subnet area shown in Figure 3-3, set the parameters as prompted.

Figure 3-3 Create Subnet

Table 3-2 Parameter description

AZ
  Specifies the AZ to which the VPC subnet belongs.
  Example value: AZ1

Name
  Specifies the subnet name.
  Example value: Subnet

CIDR
  Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
  Example value: 192.168.0.0/24

Gateway
  Specifies the gateway address of the subnet.
  Example value: 192.168.0.1

DHCP
  Specifies whether to enable the DHCP function for the VPC.
  - Enabled: enables the DHCP function. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
  - Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
  Example value: Enabled

6. The external DNS server address is used by default. If you need to change the DNS server address, click Show Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.

7. Click OK.

3.4 Modifying a Subnet

Scenarios

If the DHCP policy or DNS server address configured for a subnet during subnet creation needs to be modified, you can modify the subnet.

Impact of the Operation

If you disable the DHCP function for the subnet, ECSs in this VPC cannot automatically obtain IP addresses after they start. You must manually configure IP addresses for the ECSs.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select the VPC for which the subnet is to be modified.
4. On the Subnet page, locate the target subnet, and click Modify. Modify the parameters as prompted in the dialog box shown in Figure 3-4.


Figure 3-4 Modify Subnet

Table 3-3 Parameter description

Name
  Specifies the subnet name.
  Example value: Subnet

DHCP
  Specifies whether to enable the DHCP function for the VPC.
  - Enabled: enables the DHCP function. After an ECS using this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
  - Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
  Example value: Enabled

DNS Server Address 1
  Specifies the IP address of DNS server 1. You can leave it blank. By default, the external DNS server address is used.
  Example value: N/A

DNS Server Address 2
  Specifies the IP address of DNS server 2. You can leave it blank. By default, the external DNS server address is used.
  Example value: N/A

Add DNS Server Address
  Two DNS server addresses are configured for a subnet by default. If you need more DNS servers, you can use this option to add DNS server addresses.
  Example value: N/A

5. Click OK.

3.5 Assigning a Private IP Address to an ECS

Scenarios

When an ECS requires a floating IP address or a reserved IP address, you can assign a private IP address from the subnet to the ECS.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose Virtual Private Cloud.
4. On the Subnet page, locate the target subnet, and click Manage Private IP Address.
5. Click Assign Private IP Address and set the parameters shown in Figure 3-5 as prompted.

6. Click OK.

You can then query the assigned private IP address in the IP address list.

Figure 3-5 Assigning a private IP address

3.6 Releasing an ECS Private IP Address

Scenarios

If you no longer need the private IP address or reserved private IP address, you can release it to avoid wasting resources.

A private IP address that has been bound to an ECS, gateway, or DHCP server cannot be released.


Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose Virtual Private Cloud.
4. On the Subnet page, locate the target subnet, and click Manage Private IP Address.
5. Select the private IP address to be released from the IP address list and click Delete.
6. Click OK in the displayed dialog box.

3.7 Querying and Modifying Bandwidth

You can query and modify the bandwidth of an elastic IP address or an elastic IP address group.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Bandwidth.
4. On the Bandwidth page, locate the row that contains the target bandwidth, and click Modify.
5. On the page shown in Figure 3-6, set the parameters as prompted.

Figure 3-6 Modifying the bandwidth

6. Click Save.

3.8 Deleting a VPC

3.8.1 Deleting a VPN

Scenarios

You can delete a VPN to release network resources if the VPN is no longer required.


Procedure

1. On the console homepage, under Network, click VPN.
2. Log in to the management console.
3. On the console homepage, under Network, click VPN.
4. On the VPN page, locate the target VPN and click Delete.
5. Click OK in the displayed dialog box.

3.8.2 Deleting a Subnet

Scenarios

You can delete a subnet to release network resources if the subnet is no longer required.

A subnet cannot be deleted if it is being used by an ECS, VPN, or private IP address. To delete a subnet in these cases, you must first delete the ECS, VPN, or private IP address.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose Virtual Private Cloud.
4. On the Subnet page, locate the target subnet, and click Delete.
5. Click OK in the displayed dialog box.

3.8.3 Deleting a VPC

Scenarios

You can delete a VPC to release network resources if the VPC is no longer required.

A VPC cannot be deleted if it contains VPNs, Direct Connect connections, or subnets. To delete the VPC, you must first delete these resources.

- For details about how to delete a subnet, see section 3.8.2 Deleting a Subnet.
- For details about how to delete a VPN, see section 3.8.1 Deleting a VPN.
- For details about how to disable a Direct Connect connection, see the Direct Connect User Guide.

Impact on the System

If EIPs exist, the last VPC cannot be deleted.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose Virtual Private Cloud.
4. On the Virtual Private Cloud page, locate the target VPC, and click .


5. Click OK in the displayed dialog box.


4 Security

4.1 Security Group

4.1.1 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC.

To improve ECS access security, you can create a security group and add ECSs in the VPC to the security group.

After a security group is created, it comes with a default security group rule if you do not specify a rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. In the Create Security Group area shown in Figure 4-1, set the parameters as prompted. Table 4-1 lists the parameters to be configured.


Figure 4-1 Create Security Group

Table 4-1 Parameter description

Name
  Specifies the security group name. This parameter is mandatory. The security group name contains a maximum of 64 characters, which consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces.
  NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups.
  Example value: sg-34d6

Description
  Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 128 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

6. Click OK.

4.1.2 Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to 3389.

- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

- The default security group has the preceding two inbound rules by default. Security groups created by users do not have the preceding two inbound rules by default.

- Set Source to the IP address segment containing the IP address of the server accommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, expand the target security group and click Add Rule.
5. On the page shown in Figure 4-2, add a security group rule.

Figure 4-2 Add Rule


Table 4-2 Parameter description

Protocol
  Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, or ANY.
  Example value: TCP

Transfer Direction
  Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Inbound traffic flows to ECSs in a security group, and outbound traffic flows from ECSs in a security group.
  Example value: Inbound

Port Range
  Specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535.
  Example value: 22 or 22-30

Source
  Specifies either the source IP address and subnet mask or the source security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
  Example value: 0.0.0.0/0 (default)

Destination
  Specifies either the destination IP address and subnet mask or the destination security group for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
  Example value: 0.0.0.0/0 (default)

Destination can be set to Security Group or IP Address. The details are as follows:

– IP Address: This rule takes effect for the specified IP addresses. 0.0.0.0/0 indicates that this rule takes effect for all IP addresses.

– Security Group: This rule takes effect for all ECSs in the selected security group.


6. Click OK.
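Added example, not code from the guide, illustrating the Scenarios text of this section and the identical guidance in the Getting Started chapter: it models the Table 4-2 rule fields, answers whether an inbound connection would be admitted, and audits a group for the situation the NOTE warns about, management ports (3389 for MSTSC, 22 for SSH) reachable from 0.0.0.0/0 instead of from the address segment of the accessing host. Class, function and sample-rule names are mine.

```python
# Added example (not part of the Huawei VPC User Guide). Models the security
# group rule fields of Table 4-2 and audits inbound exposure of management
# ports; all names and the sample rules are my own.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MGMT_PORTS = {22: "SSH", 3389: "MSTSC"}  # the two ports the Scenarios text names


@dataclass(frozen=True)
class SecurityGroupRule:
    protocol: str              # TCP, UDP, ICMP or ANY (Table 4-2)
    direction: str             # Inbound or Outbound
    port_range: Optional[str]  # "22" or "22-30"; None when the protocol carries no ports
    peer: str                  # Source (Inbound) or Destination (Outbound): a CIDR or "sg:<name>"

    def ports(self) -> Tuple[int, int]:
        """Parse '22' or '22-30' into an inclusive (low, high) pair; no range means all ports."""
        if self.port_range is None:
            return (1, 65535)
        lo, _, hi = self.port_range.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:  # Table 4-2: the value ranges from 1 to 65535
            raise ValueError(f"port range {self.port_range!r} is outside 1-65535")
        return (lo_i, hi_i)

    def matches(self, protocol: str, port: int, peer_ip: str) -> bool:
        """True if this rule admits traffic of the given protocol and port from/to peer_ip."""
        if self.peer.startswith("sg:"):
            return False  # security-group peers are matched by membership, not by IP; not modelled here
        if self.protocol not in ("ANY", protocol):
            return False
        if self.protocol in ("TCP", "UDP"):
            lo, hi = self.ports()
            if not lo <= port <= hi:
                return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.peer, strict=False)


def inbound_allowed(rules: List[SecurityGroupRule], protocol: str, port: int, source_ip: str) -> bool:
    """Security group semantics: traffic is admitted if any inbound rule matches it."""
    return any(r.direction == "Inbound" and r.matches(protocol, port, source_ip) for r in rules)


def audit_inbound(rules: List[SecurityGroupRule], admin_cidr: str) -> List[str]:
    """Report inbound rules that expose a management port beyond the admin address segment."""
    admin = ipaddress.ip_network(admin_cidr, strict=False)
    findings = []
    for r in rules:
        if r.direction != "Inbound" or r.peer.startswith("sg:") or r.protocol not in ("TCP", "ANY"):
            continue
        lo, hi = r.ports()
        exposed = [f"{p} ({name})" for p, name in MGMT_PORTS.items() if lo <= p <= hi]
        if not exposed:
            continue
        src = ipaddress.ip_network(r.peer, strict=False)
        label = f"{r.protocol} {r.port_range or 'ANY'} from {r.peer}"
        if src.prefixlen == 0:  # the NOTE: 0.0.0.0/0 lets every IP address reach the group
            findings.append(f"{label} exposes {', '.join(exposed)} to all IP addresses")
        elif not src.subnet_of(admin):
            findings.append(f"{label} exposes {', '.join(exposed)} outside admin segment {admin_cidr}")
    return findings


# Constructed sample: the two rules the guide names, one scoped to an admin
# segment (192.168.10.0/24 is my placeholder), and the default outbound rule.
SAMPLE_RULES = [
    SecurityGroupRule("TCP", "Inbound", "3389", "0.0.0.0/0"),
    SecurityGroupRule("TCP", "Inbound", "22", "0.0.0.0/0"),
    SecurityGroupRule("TCP", "Inbound", "22", "192.168.10.0/24"),
    SecurityGroupRule("ANY", "Outbound", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES, "192.168.10.0/24"):
        print("FINDING:", finding)
    print(inbound_allowed(SAMPLE_RULES, "TCP", 22, "203.0.113.7"))  # True: the 0.0.0.0/0 rule admits it
```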

4.1.3 Deleting a Security Group Rule

Scenarios

If the source IP addresses of an inbound or outbound security group rule need to be changed, you can first delete the security group rule and then add a new one.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, expand a security group.
5. If you do not need a security group rule, locate the row that contains the target rule, and click Delete.

6. Click OK in the displayed dialog box.

4.1.4 Deleting a Security Group

Scenarios

You can delete a security group to release resources if the security group is no longer required.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose Virtual Private Cloud.

4. On the Security Group page, locate the target security group, and click Delete.

5. Click OK in the displayed dialog box.

4.2 Firewall

4.2.1 Creating a Firewall

Scenarios

A firewall consists of one or more ACLs. Based on inbound and outbound network ACLs, the firewall determines whether data packets are allowed in or out of any associated subnet. You can create a custom firewall. By default, a newly created firewall is disabled. It does not have subnets associated with it, nor does it have any inbound or outbound rules. Each user can create a maximum of 200 firewalls by default.


Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation tree on the left, click Firewall.
4. In the right pane displayed, click Create Firewall.
5. In the displayed Create Firewall area, enter firewall information as prompted. Table 4-3 lists the parameters to be configured.

Table 4-3 Parameter description

Name
  Specifies the firewall name. This parameter is mandatory. The firewall name contains a maximum of 64 characters, which may consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces.
  Example value: fw-34d6

Description
  Provides supplementary information about the firewall. This parameter is optional. The firewall description can contain a maximum of 128 characters and cannot contain angle brackets (<) or (>).
  Example value: N/A

6. Click OK.

The firewall is created.

4.2.2 Enabling or Disabling a Firewall

Scenarios

After a firewall is created, enable it based on your network security requirements. You can also disable an enabled firewall when required. Before enabling or disabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall.

A firewall is in the Inactive state if no subnets are associated with the firewall. If you enable a firewall in the Inactive state, the firewall does not take effect for any subnet.

A firewall is in the Normal state if subnets are associated with the firewall. If you enable a firewall in the Normal state, the firewall has the following default rules:

- Allows broadcast packets with a destination of 255.255.255.255/32.
- Allows multicast packets with a destination of 224.0.0.0/24.
- Allows metadata packets with a destination of 169.254.169.254/32 and with TCP port 80.
- Allows packets from the CIDR blocks that are reserved for public services. For example, allows packets with a destination of 100.126.0.0/16.
- Denies all other packets by default.

After the firewall is enabled, firewall rules take precedence over security group rules.
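Added example, not code from the guide: a model of the behaviour this section describes for an enabled firewall in the Normal state (the built-in allow rules, deny everything else, no effect while Inactive, precedence over security group rules), used to show why traffic a security group admits is still dropped until a matching firewall Permit rule exists, and why a firewall Deny wins over a security group allow. First-match ordering with user rules checked before the default rules, and "a Permit still requires the security group to allow the traffic", are my assumptions; the guide states neither. All names and the sample addresses are mine.

```python
# Added example (not part of the Huawei VPC User Guide). Models the firewall
# default rules and precedence described in section 4.2.2; rule order and the
# interaction with security groups are assumptions stated in the comments.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str            # TCP, UDP or ICMP
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]  # None for ICMP


@dataclass(frozen=True)
class FirewallRule:
    policy: str                                 # Permit, Deny or Reject (Table 4-4)
    protocol: str                               # TCP, UDP, ICMP or ANY
    source: str                                 # CIDR; 0.0.0.0/0 = any
    destination: str                            # CIDR; 0.0.0.0/0 = any
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range; None when ICMP/ANY (no port info)

    def matches(self, p: Packet) -> bool:
        if self.protocol not in ("ANY", p.protocol):
            return False
        if ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        if self.dst_ports is not None:
            if p.dst_port is None or not self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]:
                return False
        return True


# The default rules the guide lists for an enabled firewall in the Normal state.
DEFAULT_RULES = [
    FirewallRule("Permit", "ANY", "0.0.0.0/0", "255.255.255.255/32"),            # broadcast
    FirewallRule("Permit", "ANY", "0.0.0.0/0", "224.0.0.0/24"),                  # multicast
    FirewallRule("Permit", "TCP", "0.0.0.0/0", "169.254.169.254/32", (80, 80)),  # metadata, TCP 80
    FirewallRule("Permit", "ANY", "0.0.0.0/0", "100.126.0.0/16"),                # public-service block example
]


@dataclass
class Firewall:
    enabled: bool
    associated_subnets: List[str]   # CIDRs; an empty list is the Inactive state
    user_rules: List[FirewallRule]

    def _touches_associated_subnet(self, p: Packet) -> bool:
        nets = [ipaddress.ip_network(s) for s in self.associated_subnets]
        return any(ipaddress.ip_address(ip) in n for n in nets for ip in (p.src_ip, p.dst_ip))

    def decide(self, p: Packet) -> str:
        """Return Permit, Deny, Reject, or 'Not applicable' when the firewall has no say."""
        # Disabled, Inactive (no subnets), or a packet that never crosses an
        # associated subnet: the firewall does not take effect.
        if not self.enabled or not self._touches_associated_subnet(p):
            return "Not applicable"
        # Assumption: first matching rule wins, user rules before the default rules.
        for rule in self.user_rules + DEFAULT_RULES:
            if rule.matches(p):
                return rule.policy
        return "Deny"  # "Denies all other packets by default."


def allowed(fw: Firewall, sg_allows: Callable[[Packet], bool], p: Packet) -> bool:
    """Firewall rules take precedence over security group rules: a firewall Deny or
    Reject ends the decision; otherwise the security group must also admit the packet
    (assumption: both layers must allow)."""
    if fw.decide(p) in ("Deny", "Reject"):
        return False
    return sg_allows(p)


def sg_allows_ssh_from_admin(p: Packet) -> bool:
    """Stand-in for a security group with one inbound rule: TCP 22 from 192.168.10.0/24 (constructed)."""
    return (p.protocol == "TCP" and p.dst_port == 22
            and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network("192.168.10.0/24"))


if __name__ == "__main__":
    ssh_admin = Packet("TCP", "192.168.10.5", "192.168.0.10", 22)   # constructed addresses
    fw_default = Firewall(True, ["192.168.0.0/24"], [])
    print(fw_default.decide(ssh_admin), allowed(fw_default, sg_allows_ssh_from_admin, ssh_admin))  # Deny False
    fw_permit = Firewall(True, ["192.168.0.0/24"],
                         [FirewallRule("Permit", "TCP", "192.168.10.0/24", "192.168.0.0/24", (22, 22))])
    print(fw_permit.decide(ssh_admin), allowed(fw_permit, sg_allows_ssh_from_admin, ssh_admin))    # Permit True
```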

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation tree on the left, click Firewall.
4. Locate the required firewall in the right pane, and click Enable or Disable in the Operation column.

5. Click OK in the displayed dialog box.

The firewall is enabled or disabled.

4.2.3 Associating Subnets with a Firewall

Scenarios

On the page showing firewall details, associate desired subnets with a firewall.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation tree on the left, click Firewall.
4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.

5. On the displayed page, click the Subnet Association tab.

6. On the Subnet Association page, click Add.

7. On the displayed page, select the subnets to be associated with the firewall, and click Save.

The selected subnets are associated with the firewall.

NOTE

Subnets that have already been associated with firewalls will not be displayed on the page for you to select. One-click subnet association and disassociation are not currently supported. Furthermore, a subnet can only be associated with one firewall. If you want to reassociate a subnet that has already been associated with another firewall, you must first disassociate the subnet from the original firewall.

4.2.4 Performing Operations on a Firewall Rule

4.2.4.1 Adding a Firewall Rule

Scenarios

Add an inbound or outbound firewall rule based on your network security requirements.


Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation tree on the left, click Firewall.
4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.
5. On the displayed page, click the Inbound tab.
6. Click Add Rule. In the displayed dialog box, configure the parameters as prompted. Table 4-4 lists the parameters to be configured.

Table 4-4 Parameter description

Policy
  Specifies the action in the firewall rule. This parameter is mandatory. You can select a value from the drop-down list. The value can be Permit, Deny, or Reject.
  Example value: Permit

Protocol
  Specifies the protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be TCP, UDP, ICMP, or ANY. If ICMP or ANY is selected, you do not need to specify port information.
  Example value: ANY

Source
  Specifies the source IP address from which the traffic is permitted. The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is permitted. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
  Example value: 0.0.0.0/0

Source Port Range
  Specifies the source port number or port number range. You must specify this parameter if TCP or UDP is selected for Protocol. The value ranges from 0 to 65535. For a port number range, enter two port numbers connected by a hyphen (-), for example 1-100. The range cannot start with 0.
  Example value: 22 or 22-30

Destination
  Specifies the destination IP address to which the traffic is permitted. The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is permitted. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
  Example value: 0.0.0.0/0

Destination Port Range
  Specifies the destination port number or port number range. You must specify this parameter if TCP or UDP is selected for Protocol. The value ranges from 0 to 65535. For a port number range, enter two port numbers connected by a hyphen (-), for example 1-100. The range cannot start with 0.
  Example value: 22 or 22-30

7. Click OK.

The firewall rule is added. The procedure for adding an outbound rule is the same as that for adding an inbound rule.

4.2.4.2 Enabling or Disabling a Firewall Rule

Scenarios

Enable or disable an inbound or outbound firewall rule based on your network security requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation tree on the left, click Firewall.
4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.
5. On the displayed page, click the Inbound tab.
6. In the displayed Inbound area, locate the target firewall rule, click More in the Operation column, and select Enable or Disable.
7. Click OK in the displayed dialog box.

The rule is enabled or disabled. The procedure for enabling or disabling an outbound firewall rule is the same as that for enabling or disabling an inbound firewall rule.


4.2.4.3 Modifying a Firewall Rule

Scenarios

Modify an inbound or outbound firewall rule based on your network security requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation tree on the left, click Firewall.
4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.
5. On the displayed page, click the Inbound tab.
6. In the displayed Inbound area, locate the target firewall rule and click Modify in the Operation column. In the displayed dialog box, configure the parameters as prompted. Table 4-5 lists the parameters to be configured.

Table 4-5 Parameter description

Parameter: Policy
Description: Specifies the action in the firewall rule. This parameter is mandatory. You can select a value from the drop-down list. The value can be Permit, Deny, or Reject.
Example value: Permit

Parameter: Protocol
Description: Specifies the protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be TCP, UDP, ICMP, or ANY. If ICMP or ANY is selected, you do not need to specify port information.
Example value: ANY

Parameter: Source
Description: Specifies the source IP address from which the traffic is permitted. The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is permitted. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
Example value: 0.0.0.0/0

Parameter: Source Port Range
Description: Specifies the source port number or port number range. You must specify this parameter if TCP or UDP is selected for Protocol. The value ranges from 0 to 65535. For a port number range, enter two port numbers connected by a hyphen (-), for example 1-100. The range cannot start with 0.
Example value: 22 or 22-30


Parameter: Destination
Description: Specifies the destination IP address to which the traffic is permitted. The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is permitted. For example: xxx.xxx.xxx.xxx/32 (IP address), xxx.xxx.xxx.0/24 (subnet), 0.0.0.0/0 (any IP address).
Example value: 0.0.0.0/0

Parameter: Destination Port Range
Description: Specifies the destination port number or port number range. You must specify this parameter if TCP or UDP is selected for Protocol. The value ranges from 0 to 65535. For a port number range, enter two port numbers connected by a hyphen (-), for example 1-100. The range cannot start with 0.
Example value: 22 or 22-30

7. Click OK.

The firewall rule is modified. The procedure for modifying an outbound firewall rule is the same as that for modifying an inbound rule.

4.2.4.4 Changing the Sequence of a Firewall Rule

Scenarios

If multiple firewall rules conflict, the rule that is nearer the front of the list takes precedence. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation tree on the left, click Firewall.

4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.

5. On the displayed page, click the Inbound tab.

6. In the Inbound area, locate the target firewall rule, click More in the Operation column, and select Insert Above or Insert Below.

7. In the displayed dialog box, configure required parameters and click OK.

The firewall rule is inserted. The procedure for inserting an outbound firewall rule is the same as that for inserting an inbound firewall rule.
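The Table 4-5 parameter constraints and the ordering rule in 4.2.4.4 together decide how a rule list is evaluated. The following is an added example, not part of this guide and not Huawei's implementation: it models the Table 4-5 validation (policy, protocol, CIDR, port ranges) and first-match evaluation, and shows how Insert Above changes the outcome; the rule values, sample packets and the assumed default policy when no rule matches are constructed.

```python
"""Added example, not from the Huawei guide: models the Table 4-5 firewall
rule parameters and the first-match ordering described in 4.2.4.4.

Assumptions (not stated by the guide): when no rule matches, a default
policy applies; rule and packet values below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_range(text: Optional[str]) -> Optional[Tuple[int, int]]:
    """Parse '22' or '22-30' into (low, high) under the Table 4-5 constraints:
    values 0-65535, two numbers joined by a hyphen, a range cannot start with 0.
    Returns None for an empty value (ports are not used for ICMP or ANY)."""
    if text is None or text.strip() == "":
        return None
    match = _PORT_RE.match(text.strip())
    if not match:
        raise ValueError(f"malformed port range: {text!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not (0 <= low <= 65535 and 0 <= high <= 65535):
        raise ValueError(f"port outside 0-65535: {text!r}")
    if match.group(2) and low == 0:
        raise ValueError(f"a range cannot start with 0: {text!r}")
    if low > high:
        raise ValueError(f"range start exceeds end: {text!r}")
    return low, high


@dataclass(frozen=True)
class Rule:
    policy: str                       # Permit, Deny or Reject
    protocol: str                     # TCP, UDP, ICMP or ANY
    source: str = "0.0.0.0/0"         # CIDR; default matches any address
    source_ports: Optional[str] = None
    destination: str = "0.0.0.0/0"
    destination_ports: Optional[str] = None

    def __post_init__(self) -> None:
        if self.policy not in ("Permit", "Deny", "Reject"):
            raise ValueError(f"unknown policy: {self.policy}")
        if self.protocol not in ("TCP", "UDP", "ICMP", "ANY"):
            raise ValueError(f"unknown protocol: {self.protocol}")
        ipaddress.ip_network(self.source)          # rejects malformed CIDRs
        ipaddress.ip_network(self.destination)
        src = parse_port_range(self.source_ports)
        dst = parse_port_range(self.destination_ports)
        # Table 4-5: port ranges are mandatory for TCP and UDP only
        if self.protocol in ("TCP", "UDP") and (src is None or dst is None):
            raise ValueError("TCP/UDP rules need source and destination ports")

    def matches(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
        if self.protocol != "ANY" and self.protocol != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        if self.protocol in ("TCP", "UDP"):
            lo, hi = parse_port_range(self.source_ports)
            if not lo <= src_port <= hi:
                return False
            lo, hi = parse_port_range(self.destination_ports)
            if not lo <= dst_port <= hi:
                return False
        return True


def evaluate(rules: List[Rule], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int, default: str = "Deny") -> Tuple[str, int]:
    """Return (policy, index of the deciding rule); index -1 means the default
    applied. Rules nearer the front of the list take precedence (4.2.4.4)."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return rule.policy, index
    return default, -1


def insert_above(rules: List[Rule], index: int, rule: Rule) -> List[Rule]:
    """Equivalent of More > Insert Above on the rule at `index`."""
    return rules[:index] + [rule] + rules[index:]


# Constructed rule set: a broad Permit placed in front of a narrower Deny,
# so the Deny never fires until it is moved above the Permit.
PERMIT_SSH = Rule("Permit", "TCP", "0.0.0.0/0", "1-65535", "0.0.0.0/0", "22-30")
DENY_LAB_SSH = Rule("Deny", "TCP", "10.0.0.0/8", "1-65535", "0.0.0.0/0", "22")
RULES = [PERMIT_SSH, DENY_LAB_SSH]

if __name__ == "__main__":
    print(evaluate(RULES, "TCP", "10.1.2.3", 40000, "192.168.1.10", 22))   # ('Permit', 0)
    reordered = insert_above(RULES, 0, DENY_LAB_SSH)
    print(evaluate(reordered, "TCP", "10.1.2.3", 40000, "192.168.1.10", 22))   # ('Deny', 0)
```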


4.2.4.5 Deleting a Firewall Rule

Scenarios

Delete an inbound or outbound firewall rule based on your network security requirements.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation tree on the left, click Firewall.

4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.

5. On the displayed page, click the Inbound tab.

6. In the Inbound area, locate the target firewall rule, and click Delete in the Operation column.

7. Click OK in the displayed dialog box.

The firewall rule is deleted.

4.2.5 Viewing a Firewall

Scenarios

View details about a firewall.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation tree on the left, click Firewall.

4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.

5. On the displayed page, click the Subnet Association, Inbound, and Outbound tabs, and view details about the associated subnets, inbound rules, and outbound rules.

4.2.6 Modifying a Firewall

Scenarios

Modify the name and description of a firewall.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation tree on the left, click Firewall.

4. In the navigation pane on the left, choose Firewall.


5. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.

6. On the displayed page, click the icon on the right of Name and edit the firewall name.

7. Click √ to save the new firewall name.

8. Click the icon on the right of Description and edit the firewall description.

9. Click √ to save the new firewall description.

4.2.7 Deleting a Firewall

Scenarios

Delete a firewall when it is no longer required.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation tree on the left, click Firewall.

4. Locate the target firewall in the right pane and click Delete in the Operation column.

5. Click OK in the displayed dialog box.

The firewall is deleted.

NOTE

After a firewall is deleted, associated subnets are disassociated and added rules are deleted from the firewall.

4.2.8 Disassociating a Subnet from a Firewall

Scenarios

Disassociate a subnet from a firewall when necessary.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation tree on the left, click Firewall.

4. Locate the target firewall in the right pane, and click the firewall name to switch to the page showing details of that particular firewall.

5. On the displayed page, click the Subnet Association tab.

6. On the Subnet Association page, locate the target firewall and click Disassociate in the Operation column.

7. Click OK in the displayed dialog box.

The subnet is disassociated from the firewall.


5 Network Components

5.1 EIP

5.1.1 Assigning an EIP and Binding It to an ECS

Scenarios

You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Procedure

Assign an EIP.

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose Elastic IP Address.

4. On the Elastic IP Address page, click Assign EIP.

5. In the displayed Assign EIP area shown in Figure 5-1, set the parameters as prompted.

Figure 5-1 Apply for EIP


Table 5-1 Parameter description

Parameter: Flavor
Description: Dynamic BGP: When changes occur on a network using dynamic BGP, routing protocols provide automatic, real-time optimization of network configurations, ensuring network stability and optimal user experience. Static BGP: When changes occur on a network using static BGP, carriers cannot adjust network configurations in real time to ensure optimal user experience.
Example value: Dynamic BGP

Parameter: Charge Mode
Description: The following charging modes are available:
• Yearly/Monthly
• Metered
Example value: Metered

Parameter: Validity Period
Description: You must specify the validity period if Charge Mode is set to Metered.
Example value: 1 month

Parameter: Select Bandwidth
Description: You can allocate bandwidth to the EIP.
Example value: Create Bandwidth

Parameter: Bandwidth Name
Description: Specifies the name of the bandwidth.
Example value: bandwidth

Parameter: Sharing Type
Description: The following bandwidth types are available:
• Exclusive: The bandwidth can be used by only one EIP.
• Shared: The bandwidth can be allocated to multiple EIPs and can be shared among the EIPs.
The bandwidth sharing type cannot be changed after the EIP is obtained.
Example value: Exclusive

Parameter: Measured By
Description: Specifies whether the bandwidth is metered by bandwidth size or by traffic.
Example value: By Bandwidth

Parameter: Bandwidth Size
Description: Specifies the bandwidth size in Mbit/s.
Example value: 100

Parameter: Quantity
Description: Specifies the number of EIPs to be obtained. You can set Quantity only when Sharing Type is set to Exclusive.
Example value: 1


If Select Bandwidth is set to Create Bandwidth, Sharing Type of the new bandwidth can be set to Exclusive or Shared. To create an exclusive bandwidth, you are required to submit a work order. For details, see section How Can I Apply for the Shared Bandwidth?.

NOTE

Only outbound bandwidth is limited.

6. Click Buy Now.

7. Confirm the order, and read and agree to the service agreement. Click Submit.

If you specify the bandwidth size when assigning an EIP, you also need to pay for the bandwidth.

Bind an EIP.

8. On the Elastic IP Address page, locate the row that contains the target EIP, and click Bind.

9. On the Bind IP Address page, select the required cloud server and NIC.

10. Click OK in the displayed dialog box.

5.1.2 Unbinding an EIP from an ECS and Releasing the EIP

Scenarios

If you no longer need the EIP, unbind it from the ECS and release the EIP to avoid wasting network resources.

• EIPs assigned and bound to ECSs in the Elastic Load Balance (ELB) service are displayed in the EIP list of the VPC service, but you cannot unbind these EIPs from ECSs.

• Only EIPs that are not bound to ECSs can be released. To release EIPs that are bound to ECSs, you must first unbind them.

Procedure

Unbind an EIP.

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose Elastic IP Address.

4. On the Elastic IP Address page, locate the row that contains the target EIP, and click Unbind.

Release an EIP.

5. On the Elastic IP Address page, locate the row that contains the target EIP, and click Release.

6. Click OK.

5.2 Custom Route


5.2.1 Configuring a SNAT Server

Scenarios

To use the route table function provided by the VPC service, you need to configure SNAT on an ECS to enable other ECSs in the VPC that do not have EIPs bound to access the Internet through this ECS.

Prerequisites

• You have obtained the ECS where SNAT is to be deployed.

• The ECS where SNAT is to be deployed runs the Linux OS.

• The ECS where SNAT is to be deployed has only one network interface card (NIC) configured.

Procedure

1. Log in to the management console.

2. On the console homepage, under Computing, click Elastic Cloud Server.

3. On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details.

4. Click the NIC tab and disable the source/destination check function.

By default, the source/destination check function is enabled. When this function is enabled, the system checks whether the source IP addresses in the packets sent by an ECS are correct. If the IP addresses are incorrect, the system does not allow the ECS to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If SNAT is used, however, the SNAT server must forward packets on behalf of other ECSs, and those forwarded packets do not carry the SNAT server's own address as their source, so the check would drop them and the original sender would never receive the returned packets. Therefore, you need to disable the source/destination check function for SNAT servers.

5. Follow the procedure provided in section 5.1.1 Assigning an EIP and Binding It to an ECS to associate an EIP with the private IP address of the ECS.

NOTICE

Do not associate the EIP with the floating private IP address.

6. On the ECS console, use the remote login function to log in to the ECS on which SNAT is to be configured.

7. Run the following command and enter the password of user root to switch to user root:

su - root

8. Run the following command to check whether the ECS can access the Internet.

NOTE

Before running the command, you must disable any iptables rule on the ECS where SNAT is deployed that would block the ping response, and make sure the security group rules allow the traffic.

ping www.huawei.com

The ECS can access the Internet if the following information is displayed:


[root@localhost ~]# ping www.huawei.com
PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms

9. Run the following command to check whether IP forwarding in Linux is enabled:

cat /proc/sys/net/ipv4/ip_forward

In the command output, 1 indicates enabled, and 0 indicates disabled. The default value is 0.

– If IP forwarding in Linux is enabled, go to step 11.

– If IP forwarding in Linux is disabled, perform step 10 to enable IP forwarding in Linux.

Many OSs support packet routing. Before forwarding packets, the OS changes the source IP addresses in the packets to its own IP address. The forwarded packets therefore carry the IP address of the forwarding host, so that the response packets come back along the same path to that host and can be delivered to the initial packet sender. This method is called SNAT. The OS needs to keep track of the packets whose IP addresses have been changed, so that the destination IP addresses in the response packets can be rewritten and the packets can be forwarded to the initial packet sender. To achieve this, you need to enable the IP forwarding function and configure SNAT rules.

10. Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 1, and enter :wq to save the change and exit. Run the following command to make the change take effect:

sysctl -p /etc/sysctl.conf

11. Configure SNAT.

Run the following command to enable all ECSs on the network segment (for example, 192.168.1.0/24) to access the Internet using the SNAT function:

iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip

Replace subnet with the network segment (for example, 192.168.1.0/24) and nat-instance-ip with the private IP address of the ECS on which SNAT is configured. Figure 5-2 shows the example command.

Figure 5-2 Configuring SNAT

12. Run the following command to check whether the operation is successful:

iptables -t nat --list

The operation is successful if the information shown in Figure 5-3 (for example, 192.168.1.0/24) is displayed.


Figure 5-3 Verifying configuration

Add a route. For details, see section 5.2.2 Adding a Route.

The destination is 0.0.0.0/0, and the next hop is the private IP address of the ECS where the SNAT function is deployed. For example, the next hop is 192.168.1.4.
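The explanation in step 9 (source rewriting plus connection tracking) and the reason given in step 4 for disabling the source/destination check can be traced packet by packet with the following added example, which is not part of this guide and not a Huawei component. It models the step 11 POSTROUTING rule in Python; the subnet 192.168.1.0/24 and SNAT ECS address 192.168.1.4 are the guide's values, while the client ECS, the Internet host and all class and function names are constructed.

```python
"""Added example, not from the Huawei guide: a small model of what the step 11
rule (iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip)
does to packets, so the step 9 explanation and the step 4 source/destination
check can be followed packet by packet. The subnet 192.168.1.0/24 and the SNAT
ECS address 192.168.1.4 come from the guide; client and Internet addresses,
class and function names are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class SnatServer:
    """The SNAT ECS: IP forwarding switch, the POSTROUTING rule, and the
    connection tracking the OS keeps so that replies can be rewritten back."""

    def __init__(self, subnet: str, nat_ip: str, out_iface: str = "eth0",
                 ip_forward: int = 1) -> None:
        self.subnet = ip_network(subnet)        # -s subnet
        self.nat_ip = nat_ip                    # --to nat-instance-ip
        self.out_iface = out_iface              # -o eth0
        self.ip_forward = ip_forward            # /proc/sys/net/ipv4/ip_forward
        self._next_port = 1024
        # (proto, original src, sport, dst, dport) -> port used after SNAT
        self._forward: Dict[Tuple, int] = {}
        # (proto, SNAT port, remote ip, remote port) -> (original src, sport)
        self._reverse: Dict[Tuple, Tuple[str, int]] = {}

    def forward_out(self, pkt: Packet, iface: str = "eth0") -> Optional[Packet]:
        """Packet from another ECS leaving through `iface` toward the Internet."""
        if not self.ip_forward:
            return None                         # kernel does not route: dropped
        if iface != self.out_iface or ip_address(pkt.src) not in self.subnet:
            return pkt                          # rule does not match: unchanged
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._forward:            # new connection: track it
            port = self._next_port
            self._next_port += 1
            self._forward[key] = port
            self._reverse[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.nat_ip, sport=self._forward[key])

    def forward_back(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the Internet: restore the original destination, if tracked."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if pkt.dst != self.nat_ip or key not in self._reverse:
            return None                         # no tracked connection
        orig_src, orig_sport = self._reverse[key]
        return replace(pkt, dst=orig_src, dport=orig_sport)


def passes_source_check(pkt: Packet, nic_ip: str) -> bool:
    """The NIC source/destination check of step 4, modelled as: a packet the
    ECS emits must carry the ECS's own address as its source."""
    return pkt.src == nic_ip


# Constructed traffic: ECS 192.168.1.5 (no EIP) queries a DNS server on the Internet
NAT = SnatServer("192.168.1.0/24", "192.168.1.4")
QUERY = Packet("UDP", "192.168.1.5", 40000, "203.0.113.10", 53)


def demo() -> Tuple[Packet, Packet]:
    """Outbound translation, then the reply translated back to the sender."""
    out = NAT.forward_out(QUERY)
    reply = Packet("UDP", out.dst, out.dport, out.src, out.sport)   # server answers the SNAT address
    back = NAT.forward_back(reply)
    return out, back


if __name__ == "__main__":
    out, back = demo()
    print(out)                                  # src=192.168.1.4 sport=1024
    print(back)                                 # dst=192.168.1.5 dport=40000
    # The un-translated reply leaves the SNAT ECS with a foreign source address,
    # which is exactly what the source/destination check would block.
    print(passes_source_check(out, NAT.nat_ip), passes_source_check(back, NAT.nat_ip))
```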

5.2.2 Adding a Route

Scenarios

When ECSs in a VPC need to access the Internet, add a route to enable the ECSs to access the Internet through the ECS that has an EIP bound.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, select a VPC to which a route is to be added and click Route Table.

4. On the Route Table page, click Add Route.

5. Set route information on the displayed page.

– Destination: indicates the destination network segment. The default value is 0.0.0.0/0.

– Next Hop: indicates the IP address of the next hop. Set it to a private IP address or a floating private IP address in a VPC.

NOTE

If Next Hop is set to a floating private IP address, the floating private IP addresses in the VPC cannot have EIPs bound. Otherwise, the route will not take effect.

6. Click OK.

5.2.3 Querying a Route

Scenarios

Query a route that has been added.


Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, select the target VPC or ALL VPCs and click Route Table.

4. View information about a single route or all routes in the right pane.

5.2.4 Modifying a Route

Scenarios

Modify a route.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, select the VPC to which the route to be modified belongs and click Route Table.

4. In the right pane, locate the target route and click Modify in the Operation column. In the displayed dialog box, modify the route information as required.

5. Click OK.

5.2.5 Deleting a Route

Scenarios

Delete a route if it is no longer required.

Procedure

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, select the VPC to which the route to be deleted belongs and click Route Table.

4. In the right pane, locate the target route and click Delete.

5. Click OK in the displayed dialog box.

5.3 VPC Peering Connection

5.3.1 VPC Peering Connection Creation Procedure

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same VPC. You can create a VPC peering connection between your own VPCs, or between your VPC and another tenant's VPC within the same region.


• Procedure for creating a VPC peering connection with another VPC of your own

If you create a VPC peering connection between two VPCs of your own, the system automatically accepts the connection by default. You need to create routes for the local and peer VPCs to enable communication between the two VPCs.

• Procedure for creating a VPC peering connection with a VPC of another tenant

If you create a VPC peering connection between your VPC and another tenant's VPC, the VPC peering connection will be in the Awaiting acceptance state. After the peer tenant accepts the connection, the connection status changes to Accepted. The local and peer tenants must configure the routes required by the VPC peering connection to enable communication between the two VPCs.


If the local and peer VPCs have overlapping CIDR blocks, the routes added for the VPC peering connection may be invalid. Before creating a VPC peering connection between two VPCs that have overlapping CIDR blocks, ensure that no subnets in the two VPCs have overlapping CIDR blocks. In this case, the created VPC peering connection enables communication between two subnets in the two VPCs.

5.3.2 VPC Peering Connection Configuration Plans

To enable two VPCs to communicate with each other, you can create a VPC peering connection between the two VPCs. If the two VPCs have non-overlapping CIDR blocks, you can configure routes that point to entire VPCs for the VPC peering connection. If the two VPCs have overlapping CIDR blocks, you can only configure routes that point to specific subnets of the VPCs for the VPC peering connection.

• Configurations with Routes to Entire VPCs

– Configurations with routes to entire VPCs include the following situations: two VPCs peered together and multiple VPCs peered together.

– No matter which configuration is used, if you need to configure routes that point to entire VPCs in a VPC peering connection, none of the VPCs involved in the connection can have overlapping CIDR blocks. Otherwise, the VPC peering connection does not take effect because the routes are unreachable.

– The destination address of the route that points to an entire VPC is the CIDR block of the peer VPC, and the next hop is the VPC peering connection ID.

• Configurations with Routes to Specific Subnets

If VPCs in a VPC peering connection have overlapping CIDR blocks, the peering connection can only be created to enable communication between subnets in the VPCs. If subnets in the VPCs of a VPC peering connection have overlapping network segments, the peering connection does not take effect. To create a VPC peering connection, ensure that the VPCs involved do not contain overlapping subnets. For example, VPC1 and VPC2 have matching CIDR blocks, but the subnets in the two VPCs do not overlap. Then, a VPC peering connection can be created between two subnets that do not overlap with each other in the two VPCs. The route table is used to control the specific subnets for which the VPC peering connection is created. Figure 5-4 shows a VPC peering connection created between two subnets. Routes are required to enable communication between Subnet A in VPC1 and Subnet X in VPC2 in the figure.


Figure 5-4 VPC peering connection

Figure 5-5 shows the routes configured for the VPC peering connection between Subnet A and Subnet X. After the routes are configured, Subnet A and Subnet X are peered with each other and can communicate with each other.

Figure 5-5 VPC peering connection route table

If two VPCs have overlapping subnets, the VPC peering connection created between the two subnets does not take effect, and the subnets cannot communicate with each other. As shown in Figure 5-6, Subnet B and Subnet Y have matching network segments. Therefore, a VPC peering connection cannot be created between Subnet A and Subnet Y.


Figure 5-6 Invalid VPC peering connection

If VPC1 is peered with multiple VPCs, for example, VPC2, VPC3, and VPC4, the subnet CIDR blocks of VPC1 cannot overlap with those of VPC2, VPC3, and VPC4. If VPC2, VPC3, and VPC4 have overlapping subnets, a VPC peering connection can be created between only one of these overlapping subnets and a subnet of VPC1. If a VPC peering connection is created between a subnet and the other N subnets, none of the subnets can have overlapping CIDR blocks.
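The rules of section 5.3.2 (routes to entire VPCs only when the VPC CIDR blocks do not overlap, routes to specific subnets when they do, no connection at all when subnets overlap, and no overlap among N+1 subnets in a multi-VPC setup) can be checked before anything is created in the console. The following is an added example, not part of this guide and not Huawei's own tooling: it classifies a VPC pair and produces the local and peer route entries; the VPC names, CIDR blocks and subnets are constructed to match Figures 5-4 to 5-6, and the peering connection ID is a placeholder.

```python
"""Added example, not from the Huawei guide: checks which of the section 5.3.2
configuration plans a VPC peering connection can use and builds the matching
route entries. VPC names, CIDR blocks and subnets below are constructed and
the peering connection ID is a placeholder (the console assigns the real one)."""
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

PEERING_ID = "<vpc-peering-connection-id>"   # placeholder next hop


def overlaps(a: str, b: str) -> bool:
    """True when two CIDR blocks share at least one address."""
    return ip_network(a).overlaps(ip_network(b))


def subnet_conflicts(local: Dict, peer: Dict) -> List[Tuple[str, str]]:
    """Pairs (local subnet, peer subnet) whose CIDR blocks overlap."""
    return [(s, t) for s in local["subnets"] for t in peer["subnets"]
            if overlaps(s, t)]


def peering_plan(local: Dict, peer: Dict) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (plan, conflicts).

    "vpc": the VPC CIDR blocks do not overlap, so routes may point to entire VPCs.
    "subnet": the VPC CIDR blocks overlap but no subnets do, so routes may only
    point to specific subnets.
    "invalid": some subnets overlap; the connection would not take effect."""
    if not overlaps(local["cidr"], peer["cidr"]):
        return "vpc", []
    conflicts = subnet_conflicts(local, peer)
    if conflicts:
        return "invalid", conflicts
    return "subnet", []


def routes_for(local: Dict, peer: Dict, local_subnet: Optional[str] = None,
               peer_subnet: Optional[str] = None) -> List[Dict[str, str]]:
    """Build the local and peer route entries for the connection.

    Destination is the peer VPC CIDR block (vpc plan) or the chosen peer subnet
    (subnet plan); the next hop is always the VPC peering connection ID."""
    plan, conflicts = peering_plan(local, peer)
    if plan == "invalid":
        raise ValueError(f"overlapping subnets, connection would not work: {conflicts}")
    if plan == "vpc":
        local_dst, peer_dst = peer["cidr"], local["cidr"]
    else:
        if local_subnet not in local["subnets"] or peer_subnet not in peer["subnets"]:
            raise ValueError("overlapping VPCs: choose one subnet on each side")
        local_dst, peer_dst = peer_subnet, local_subnet
    return [
        {"table": local["name"], "destination": local_dst, "next_hop": PEERING_ID},
        {"table": peer["name"], "destination": peer_dst, "next_hop": PEERING_ID},
    ]


def hub_conflicts(hub_subnet: str, spoke_subnets: List[str]) -> List[Tuple[str, str]]:
    """One subnet peered with N others (VPC1 with VPC2, VPC3, VPC4): none of the
    N+1 subnets may overlap. Returns the offending pairs, empty when valid."""
    cidrs = [hub_subnet] + list(spoke_subnets)
    return [(a, b) for i, a in enumerate(cidrs) for b in cidrs[i + 1:]
            if overlaps(a, b)]


# Constructed VPCs. VPC1 and VPC2 share a CIDR block; Subnet B and Subnet Y
# overlap as in Figure 5-6. VPC2_FIXED moves Subnet Y so only the VPCs overlap.
VPC1 = {"name": "VPC1", "cidr": "10.0.0.0/16",
        "subnets": ["10.0.1.0/24", "10.0.2.0/24"]}          # Subnet A, Subnet B
VPC2 = {"name": "VPC2", "cidr": "10.0.0.0/16",
        "subnets": ["10.0.3.0/24", "10.0.2.0/24"]}          # Subnet X, Subnet Y
VPC2_FIXED = {"name": "VPC2", "cidr": "10.0.0.0/16",
              "subnets": ["10.0.3.0/24", "10.0.4.0/24"]}
VPC3 = {"name": "VPC3", "cidr": "192.168.2.0/24",
        "subnets": ["192.168.2.0/25"]}

if __name__ == "__main__":
    print(peering_plan(VPC1, VPC2))        # ('invalid', [('10.0.2.0/24', '10.0.2.0/24')])
    print(routes_for(VPC1, VPC2_FIXED, "10.0.1.0/24", "10.0.3.0/24"))
    print(routes_for(VPC1, VPC3))
```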

5.3.3 Creating a VPC Peering Connection with Another VPC of Your Own

Scenarios

To create a VPC peering connection, first create a request to peer with another VPC. You can request a VPC peering connection with another VPC of your own in the same region. The system automatically accepts the request.

Prerequisites

Two VPCs in the same region have been created.

Procedure

Create a VPC peering connection.

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose VPC Peering.

4. In the right pane displayed, click Create VPC Peering Connection.

5. In the displayed area shown in Figure 5-7, configure parameters as prompted. You must select Current Tenant for Tenant. Table 5-2 lists the parameters to be configured.


Figure 5-7 Creating a VPC peering connection

Table 5-2 Parameter description

Parameter: Name
Description: Specifies the name of the VPC peering connection. The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_).
Example value: peering-001

Parameter: Local VPC
Description: Specifies the local VPC. You can select one from the drop-down list.
Example value: vpc_002(0a396cff-8bc1-4509-98b9-267cae5ac460)

Parameter: Local VPC CIDR Block
Description: Specifies the CIDR block for the local VPC.
Example value: 192.168.10.0/24


Parameter: Tenant
Description: Specifies the tenant of the VPC to peer with.
• Current Tenant: The VPC peering connection will be created between your local VPC and a VPC of your own in the same region.
• Other Tenant: The VPC peering connection will be created between your local VPC and a VPC of another tenant in the same region.
Example value: N/A

Parameter: Project Name
Description: Specifies the project name. The project name of the current project is used by default.
Example value: -

Parameter: Peer VPC
Description: Specifies the peer VPC. You can select one from the drop-down list if the VPC peering connection is created between two VPCs of your own.
Example value: vpc_fab1(65d062b3-40fa-4204-8181-3538f527d2ab)

Parameter: Peer VPC CIDR Block
Description: Specifies the CIDR block for the peer VPC. The local and peer VPCs cannot have matching or overlapping CIDR blocks. Otherwise, the routes added for the VPC peering connection may not take effect.
Example value: 192.168.2.0/24

6. Click OK.

Add routes for a VPC peering connection.

If you request a VPC peering connection with a VPC of your own, the system automatically accepts the request. To enable communication between the two VPCs, you need to add routes for the VPC peering connection.

1. On the console homepage, under Network, click Virtual Private Cloud.

2. In the navigation pane on the left, choose VPC Peering.

3. Locate the target VPC peering connection in the connection list shown in Figure 5-8.


Figure 5-8 VPC peering connection list

4. Click the name of the VPC peering connection to switch to the page showing details about the connection.

5. On the displayed page, click the Local Route tab.

6. In the displayed Local Route area, click Add Local Route. In the displayed dialog box shown in Figure 5-9, add a local route. Table 5-3 lists the parameters to be configured.

Figure 5-9 Add Local Route

Table 5-3 Route parameter description

Parameter: Destination
Description: Specifies the destination address. Set it to the peer VPC or subnet CIDR block.
Example value: 192.168.10.0/24

Parameter: Next Hop
Description: Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value.
Example value: N/A

7. Click OK to switch to the page showing the VPC peering connection details.

8. On the displayed page, click the Peer Route tab.

9. In the displayed Peer Route area, click Add Peer Route and add a route.

10. Click OK in the displayed dialog box.

After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in section 6.46 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other?.


5.3.4 Creating a VPC Peering Connection with a VPC of Another Tenant

Scenarios

The VPC service also allows you to create a VPC peering connection with a VPC of another tenant. The two VPCs must be in the same region. If you request a VPC peering connection with a VPC of another tenant in the same region, the peer tenant must accept the request to activate the connection.

Procedure

Create a VPC peering connection.

1. Log in to the management console.

2. On the console homepage, under Network, click Virtual Private Cloud.

3. In the navigation pane on the left, choose VPC Peering.

4. In the right pane displayed, click Create VPC Peering Connection.

5. In the displayed area shown in Figure 5-10, configure parameters as prompted. You must select Other Tenant for Tenant. Table 5-4 lists the parameters to be configured.

Figure 5-10 Creating a VPC peering connection


Table 5-4 Parameter description

Parameter | Description | Example Value
Name | Specifies the name of the VPC peering connection. The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_). | peering-001
Local VPC | Specifies the local VPC. You can select one from the drop-down list. | 0a396cff-8bc1-4509-98b9-267cae5ac460
Local VPC CIDR Block | Specifies the CIDR block for the local VPC. | 192.168.10.0/24
Tenant | Specifies the tenant of the VPC to peer with. Current Tenant: the VPC peering connection will be created between your local VPC and a VPC of your own in the same region. Other Tenant: the VPC peering connection will be created between your local VPC and a VPC of another tenant in the same region. | N/A
Peer Domain Name | For details about how to obtain a domain name, see section How to Obtain a Domain Name. | N/A
Peer VPC ID | Specifies the ID of the peer VPC. | 65d062b3-40fa-4204-8181-3538f527d2ab

6. Click OK.

Accept a VPC peering connection.

To request a VPC peering connection with a VPC of another tenant, the peer tenant must accept the request to activate the connection.

1. The peer tenant logs in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.


4. Locate the target VPC peering connection in the connection list shown in Figure 5-11.

Figure 5-11 VPC peering connection list

5. Locate the row that contains the target VPC peering connection in the connection list, and click Accept Request in the Operation column.

6. Click OK in the displayed dialog box.

Refuse a VPC peering connection.

The peer tenant can reject any received VPC peering connection request. After a VPC peering connection request is rejected, the connection will not be established. You must delete the rejected VPC peering connection request before creating a new VPC peering connection between the same VPCs as those in the rejected request.

1. The peer tenant logs in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.
4. In the right pane displayed, locate the target VPC peering connection in the connection list.
5. Click Reject Request in the Operation column.
6. Click OK in the displayed dialog box.

Add routes for a VPC peering connection.

If you request a VPC peering connection with a VPC of another tenant, the peer tenant must accept the request. To enable communication between the two VPCs, you need to add routes for the VPC peering connection. The local tenant can add only the local route because the local tenant does not have the required permission to perform operations on the peer VPC. The peer tenant must add the peer route. The procedure for adding a local route and a peer route is the same.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.
4. Locate the target VPC peering connection in the connection list.
5. Click the name of the VPC peering connection to switch to the page showing details about the connection.
6. On the displayed page, click the Local Route tab.
7. In the displayed Local Route area, click Add Local Route. In the displayed dialog box shown in Figure 5-12, add a local route. Table 5-5 lists the parameters to be configured.


Figure 5-12 Add Local Route

Table 5-5 Route parameter description

Parameter | Description | Example Value
Destination | Specifies the destination address. Set it to the peer VPC or subnet CIDR block. | 192.168.10.0/24
Next Hop | Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value. | N/A

8. Click OK.

The routes are added for the VPC peering connection.

After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in section 6.46 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other?.
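The conditions the procedure above establishes (one route per side, destination set to the peer VPC or subnet CIDR block, next hop left at the peering connection ID, and two CIDR blocks that can be told apart) are easy to verify before going back to the console. The following Python is an added example written for this guide, not Huawei code and not an API of the VPC service; the VPC IDs are the example values from Table 5-4, while the peer CIDR block and the peering connection ID are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    """One end of the peering connection: VPC ID and CIDR block (Table 5-4)."""
    vpc_id: str
    cidr: str


@dataclass
class PeeringConnection:
    """A VPC peering connection with the local and the peer route lists.

    Each route is a (destination CIDR, next hop) pair as in Table 5-5; the
    next hop is the peering connection ID, which is the console default.
    """
    connection_id: str
    local: Vpc
    peer: Vpc
    local_routes: list = field(default_factory=list)
    peer_routes: list = field(default_factory=list)


def _has_route_towards(routes, target_cidr, connection_id):
    """True if some route sends traffic for target_cidr (the whole peer VPC or
    a subnet of it, both allowed by Table 5-5) into this peering connection."""
    target = ipaddress.ip_network(target_cidr)
    for destination, next_hop in routes:
        if next_hop == connection_id and ipaddress.ip_network(destination).overlaps(target):
            return True
    return False


def check_peering(conn):
    """Return the problems that would stop the two VPCs from talking over the
    peering connection; an empty list means the routes look complete."""
    problems = []
    local_net = ipaddress.ip_network(conn.local.cidr)
    peer_net = ipaddress.ip_network(conn.peer.cidr)

    # Overlapping blocks make every route towards the peer ambiguous, because
    # part of the peer range would also be a local address.
    if local_net.overlaps(peer_net):
        problems.append(f"CIDR blocks overlap: {local_net} and {peer_net}")

    # The local tenant can only add the local route (Local Route tab) ...
    if not _has_route_towards(conn.local_routes, conn.peer.cidr, conn.connection_id):
        problems.append(f"no local route towards {peer_net} via {conn.connection_id}")

    # ... and the peer tenant has to add the return route (Peer Route tab).
    if not _has_route_towards(conn.peer_routes, conn.local.cidr, conn.connection_id):
        problems.append(f"no peer route towards {local_net} via {conn.connection_id}")

    return problems


# Constructed sample data: the VPC IDs are the Table 5-4 example values, the
# peer CIDR block and the connection ID are placeholders, not real resources.
CONN_ID = "peering-connection-id-placeholder"
LOCAL = Vpc("0a396cff-8bc1-4509-98b9-267cae5ac460", "192.168.10.0/24")
PEER = Vpc("65d062b3-40fa-4204-8181-3538f527d2ab", "192.168.20.0/24")


def example_complete():
    """Both tenants added their route: no problems expected."""
    conn = PeeringConnection(CONN_ID, LOCAL, PEER,
                             local_routes=[("192.168.20.0/24", CONN_ID)],
                             peer_routes=[("192.168.10.0/24", CONN_ID)])
    return check_peering(conn)


def example_missing_peer_route():
    """The peer tenant has not added the peer route yet: one problem expected."""
    conn = PeeringConnection(CONN_ID, LOCAL, PEER,
                             local_routes=[("192.168.20.0/24", CONN_ID)])
    return check_peering(conn)


if __name__ == "__main__":
    print(example_complete())
    print(example_missing_peer_route())
```

The second case is the one the text warns about: the local tenant cannot add the peer route, so a connection that is accepted but has no return route still fails the check.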

How to Obtain a Domain Name
1. Log in to the management console.
2. Click the username in the upper right corner. In the displayed area, select My Credential.
3. In the Account Information area, obtain the domain name of the user.

5.3.5 Viewing VPC Peering Connections

Scenarios

Both the local and peer tenants can view information about the VPC peering connections in the Awaiting acceptance and Accepted states.


Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.
4. In the displayed right pane shown in Figure 5-13, view the VPC peering connections. You can find the required VPC peering connections by connection status or name.

Figure 5-13 VPC peering connection list

5. Click the VPC peering connection name. On the displayed page, view detailed information about the VPC peering connection.

5.3.6 Modifying a VPC Peering Connection

Scenarios

Both the local and peer tenants can modify a VPC peering connection in any state. Currently only the name of a VPC peering connection can be changed.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.
4. In the displayed right pane shown in Figure 5-14, view the VPC peering connections. You can find the required VPC peering connections by connection status or name.

Figure 5-14 VPC peering connection list

5. Locate the target VPC peering connection and click More in the Operation column.
6. Click Modify. In the displayed dialog box, modify information about the VPC peering connection.
7. Click OK in the displayed dialog box.

5.3.7 Deleting a VPC Peering Connection

Scenarios

Both the local and peer tenants can delete a VPC peering connection in any state. After a VPC peering connection is deleted, routes configured for the connection will be automatically deleted.


Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.
4. In the displayed right pane shown in Figure 5-15, view the VPC peering connections. You can find the required VPC peering connections by connection status or name.

Figure 5-15 VPC peering connection list

5. Locate the target VPC peering connection and click More in the Operation column.
6. Click Delete to delete the VPC peering connection.
7. Click OK in the displayed dialog box.

5.3.8 Viewing Routes Configured for a VPC Peering Connection on the Peering Connection Details Page

Scenarios
After routes are added for a VPC peering connection, both the local and peer tenants can view information about the routes on the page showing details about the VPC peering connection.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.
4. Locate the target VPC peering connection in the connection list shown in Figure 5-16.

Figure 5-16 VPC peering connection list

5. Click the name of the VPC peering connection to switch to the page showing details about the connection.
6. On the displayed page, click the Local Route tab and view information about the local route added for the VPC peering connection.
7. On the page showing details about the VPC peering connection, click the Peer Route tab and view information about the peer route added for the VPC peering connection.


5.3.9 Viewing Routes Configured for a VPC Peering Connection in the VPC Peering Route Table

Scenarios
After routes are added for a VPC peering connection, both the local and peer tenants can view information about the routes in the VPC peering route table.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select a VPC from the VPC drop-down list.
4. In the navigation pane on the left, choose Route Table.
5. In the displayed right pane, click the VPC Peering Route Table tab and view route information.

5.3.10 Deleting a Route on the VPC Peering Connection Details Page

Scenarios
After routes are added for a VPC peering connection, both the local and peer tenants can delete the routes on the page showing details about the peering connection.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC Peering.
4. Locate the target VPC peering connection in the connection list shown in Figure 5-17.

Figure 5-17 VPC peering connection list

5. Click the name of the VPC peering connection to switch to the page showing details about the connection.
6. On the displayed page, click the Local Route tab and view information about the local route added for the VPC peering connection.
7. On the Local Route page, locate the target local route, and click Delete in the Operation column.
8. Click OK in the displayed dialog box.
9. On the page showing details about the VPC peering connection, click the Peer Route tab and view information about the peer route added for the VPC peering connection.
10. On the Peer Route page, locate the target peer route, and click Delete in the Operation column.


11. Click OK in the displayed dialog box.

5.3.11 Deleting a Route from the VPC Peering Route Table

Scenarios
After routes are added for a VPC peering connection, both the local and peer tenants can delete the routes from the VPC peering route table.

Procedure
1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select a VPC from the VPC drop-down list.
4. In the navigation pane on the left, choose Route Table.
5. In the right pane displayed, click the VPC Peering Route Table tab and view routes configured for VPC peering connections.
6. Click the icon on the left of the VPC name to display route information about the VPC peering connection.
7. Locate the row that contains the target route, and click Delete in the Operation column.
8. Click OK in the displayed dialog box.

5.4 VPN
For more information about VPNs, see the VPN User Guide.

5.5 Direct Connect
Direct Connect allows you to establish a dedicated network connection between your data center and the public cloud system. With Direct Connect, you can set up a dedicated network connection between the public cloud system and your local data center, office, or collocation environment. This helps reduce network latency and provides a more consistent and reliable network experience than Internet-based connections.

For more information about Direct Connect, see the Direct Connect User Guide.


6 FAQs

6.1 What Is Virtual Private Cloud?
The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving the security of resources in the cloud system and simplifying network deployment.

You can create security groups and VPNs, configure IP address segments, and specify bandwidth sizes in your VPC. With a VPC, you can manage and configure internal networks and change network configurations, simplifying network management. You can also customize access rules to control ECS access within a security group and across different security groups to enhance ECS security.

- Have full control over your virtual networks, for example, creating your own network and configuring the DHCP service.
- Create security groups to improve your network security.
- Assign elastic IP addresses (EIPs) for use in a VPC, and bind them to ECSs in your VPC to connect the ECSs to the Internet.
- Use a VPN to connect a VPC to your physical data center for smooth application migration to the cloud.
- Communicate with other VPCs using VPC peering connections.


Figure 6-1 VPC components

6.2 Is the VPC Service Charged?
The VPC service is free of charge itself. However, you are charged for the bandwidth or VPN used in the VPC.

6.3 Which CIDR Blocks Are Available to the VPC Service?
The VPC service supports the following CIDR blocks:

- 10.0.0.0/8–24
- 172.16.0.0/12–24
- 192.168.0.0/16–24

6.4 How Many VPCs Can I Create?
By default, a user can create a maximum of two VPCs. If your quota cannot fulfill your service requirements, submit a work order for capacity expansion.

6.5 Can Subnets Communicate with Each Other?
Subnets belong to VPCs. Subnets in the same VPC can communicate with each other. Subnets in different VPCs cannot communicate with each other by default. However, you can create VPC peering connections to enable subnets in different VPCs to communicate with each other.


6.6 What Subnet CIDR Blocks Are Available?
The subnet CIDR blocks must be included in the VPC CIDR blocks. The VPC CIDR blocks are 10.0.0.0/8–24, 172.16.0.0/12–24, and 192.168.0.0/16–24. The subnet CIDR blocks must be within these CIDR blocks, and the subnet masks of the subnets must range from 16 to 28.
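The two rules in 6.3 and 6.6 (a VPC block inside one of the three private ranges with the listed prefix lengths, a subnet block inside the VPC block with a /16 to /28 mask) can be checked before a value is typed into the console. The following Python is an added example written for this guide, not Huawei code and not the VPC service's own validation; it also rejects blocks with host bits set, which the CIDR notation in the tables does not allow. The sample inputs at the bottom are constructed.

```python
import ipaddress

# VPC CIDR blocks the service accepts, from FAQ 6.3: the containing private
# block and the allowed prefix length range (10.0.0.0/8-24 and so on).
VPC_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
]
# Subnet mask range from FAQ 6.6.
SUBNET_MIN_PREFIX, SUBNET_MAX_PREFIX = 16, 28


def _parse(cidr):
    """Parse a CIDR string strictly: host bits set (for example 10.0.0.1/8)
    are rejected because the console expects a network address."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return None, f"not a valid CIDR block: {exc}"
    if net.version != 4:
        return None, "only IPv4 blocks are listed in the guide"
    return net, None


def _within(inner, outer):
    """True if every address of inner lies inside outer."""
    return inner.prefixlen >= outer.prefixlen and inner.network_address in outer


def validate_vpc_cidr(cidr):
    """Return None if cidr is an acceptable VPC CIDR block, else the reason."""
    net, err = _parse(cidr)
    if err:
        return err
    for container, lo, hi in VPC_RANGES:
        if _within(net, container):
            if lo <= net.prefixlen <= hi:
                return None
            return f"{net} is inside {container} but the prefix must be /{lo} to /{hi}"
    return f"{net} is not inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16"


def validate_subnet_cidr(subnet_cidr, vpc_cidr):
    """Return None if subnet_cidr is a valid subnet of vpc_cidr, else the reason."""
    vpc_err = validate_vpc_cidr(vpc_cidr)
    if vpc_err:
        return f"VPC CIDR block rejected: {vpc_err}"
    sub, err = _parse(subnet_cidr)
    if err:
        return err
    vpc = ipaddress.ip_network(vpc_cidr)
    if not _within(sub, vpc):
        return f"{sub} is not inside the VPC CIDR block {vpc}"
    if not SUBNET_MIN_PREFIX <= sub.prefixlen <= SUBNET_MAX_PREFIX:
        return (f"{sub} has a /{sub.prefixlen} mask; subnet masks must be "
                f"/{SUBNET_MIN_PREFIX} to /{SUBNET_MAX_PREFIX}")
    return None


if __name__ == "__main__":
    # Constructed inputs: the first two pairs are accepted, the rest rejected.
    for vpc, subnet in [("192.168.0.0/16", "192.168.10.0/24"),
                        ("10.0.0.0/8", "10.1.0.0/16"),
                        ("192.168.1.0/25", "192.168.1.0/28"),
                        ("172.32.0.0/12", "172.32.1.0/24"),
                        ("192.168.0.0/16", "192.168.10.0/29"),
                        ("192.168.0.0/16", "10.0.0.0/24")]:
        print(vpc, subnet, "->", validate_subnet_cidr(subnet, vpc) or "OK")
```

The checks return a reason string rather than raising, so the same functions can be used to explain a rejected value in a form or a pre-deployment lint.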

6.7 Can I Change the Network Segments Available to Subnets?

The network segments cannot be changed after subnets are created.

6.8 How Many Subnets Can I Create?
By default, one tenant can create a maximum of 100 subnets. If the number of subnets does not meet your service requirements, submit a work order to increase the quota.

6.9 What Is the Bandwidth Size Range?
The available bandwidth size ranges from 1 Mbit/s to 300 Mbit/s.

6.10 What Bandwidth Types Does the VPC Service Support?

The VPC service supports the exclusive and shared bandwidth types. The exclusive bandwidth limits the traffic rate of only one elastic IP address, whereas the shared bandwidth centrally limits the traffic rate of multiple elastic IP addresses.

6.11 Do I Need to Apply for the Shared Bandwidth?
To use shared bandwidth, you must first submit a work order. You can use the shared bandwidth only after your work order is approved.

6.12 How Can I Apply for the Shared Bandwidth?
Before applying for the shared bandwidth, submit a work order to provision the shared bandwidth service.

1. Sign up and log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Elastic IP Address page, click Create EIP.
4. On the Apply for EIP page, set Select Bandwidth to Create Bandwidth.
5. In the Create Bandwidth area on the page shown in Figure 6-2, click Apply for Shared Bandwidth OBT Qualification.


Figure 6-2 Apply for shared bandwidth

6. In User Center, submit a work order. Figure 6-3 shows the page for submitting a work order.

Figure 6-3 Submitting a work order

– Cloud Service Zone

Select the zone where your resources are located.

– Service Type

Choose VPC.

– Question Template

Choose Enable Network Function.

– Question Description

Include the following information in the question description:

- Application reason

- Services to be provisioned, such as the shared bandwidth or VPN.

– Specify other parameters as prompted.


6.13 How Many Elastic IP Addresses Can One Shared Bandwidth Service Centrally Control?

One shared bandwidth service can centrally limit the traffic rate for a maximum of 20 elastic IP addresses.

6.14 Can I Use the Shared Bandwidth for an Elastic IP Address That Is Limited by the Exclusive Bandwidth?

After the traffic rate of an elastic IP address is limited by the exclusive bandwidth, you cannot use the shared bandwidth to limit its traffic rate.

Likewise, the elastic IP address that is limited by the shared bandwidth cannot be limited by the exclusive bandwidth.

6.15 What Are EIPs?
EIPs are static IP addresses designed for dynamic cloud computing. An EIP is associated with your account. With an EIP, you can mask the failure of an ECS or software by rapidly remapping the address to another ECS in your account. Before you release the EIP, it is permanently associated with your account.

6.16 How Does an ECS Use an EIP?
An EIP is a public IP address that can be dynamically bound to the internal IP address of any routed network in a VPC. Before starting an ECS, you can assign a private IP address and a public IP address to the ECS. The public IP address is assigned from the public IP address pool of the VPC and is mapped to the private IP address using Network Address Translation (NAT). After the EIP is released, you can no longer use the public IP address.

6.17 How Many ECSs Can One EIP Be Assigned to?
Each EIP can be assigned to only one ECS.

6.18 How Can I Access an ECS from Another Security Group After an EIP Is Bound to the ECS?

Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default (except TCP traffic from port 22 through SSH to the Linux OS and TCP traffic from port 3389 through RDP to the Windows OS). To allow external access to ECSs in the security group, add an inbound rule to the security group.

On the page for adding security group rules, as shown in Figure 6-4, you can set Protocol to TCP, UDP, ICMP, or ANY as required.


- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has been configured on the ECS, or the ECS does not need to be accessible over the Internet, set Source IP Address to the IP address segment containing the IP address that is allowed to access the ECS over the Internet.
- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has not been configured on the ECS, it is recommended that you retain the default setting 0.0.0.0/0 for Source, and then set Port Range to improve network security.
- Allocate ECSs that have different Internet access policies to different security groups.

NOTE
The default value of Source is 0.0.0.0/0, indicating that all IP addresses can access VMs in the security group.

Figure 6-4 Add Rule

6.19 How Many IPsec VPNs Can I Create?
By default, a user can create a maximum of two IPsec VPNs. If your quota cannot fulfill your service requirements, submit a work order to increase the quota.

6.20 What Is a Security Group?
A security group implements access control for ECSs within a security group and between different security groups. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

6.21 Which Protocols Does a Security Group Support?
The protocol used by a security group can be set to TCP, UDP, ICMP, or ANY. ANY indicates that the security group takes effect for all protocols. If the TCP or UDP protocol is selected, configure ports 1 to 65535 for the protocols to access the security group. If the ICMP protocol is selected, you can set the ICMP protocol type. The default value is ANY.

6.22 What Are the Functions of the Default Security Group Rule?

An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external networks.

If no access rule is configured for a security group after an ECS is added to the security group, communication between the ECS and the external network is blocked.

The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access external networks.

Security groups cannot resolve the problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to a network problem, a security group rule will also not allow them to communicate.

6.23 How Can I Configure Security Group Rules?
Security group rules consist of inbound and outbound rules.

When adding an inbound rule, you can set the source address to a security group or CIDR block. If you want to set the source address to a security group, you can only select security groups from the same VPC as the destination security group.

When adding an outbound rule, you can set the destination address to a security group or CIDR block. If you want to set the destination address to a security group, you can only select security groups from the same VPC as the source security group.

ECSs in security groups in different VPCs cannot communicate with one another. To allow them to communicate, bind EIPs to them and configure security group rules.

6.24 Can I Change the Security Group to Which an ECS Belongs?

Yes. Log in to the ECS console, switch to the page showing ECS details, and change the security group to which the ECS belongs.

6.25 How Many Security Groups Can Each User Have?
Each user can have a maximum of 100 security groups and 5000 security group rules.

When creating an ECS, you can select multiple security groups (no more than five is recommended).


6.26 Is the Security Group Service Charged?
The security group service is free of charge.

6.27 Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict?

Security group rules use the whitelist mechanism. If multiple security group rules conflict, the union of these rules takes effect.
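The whitelist semantics of 6.27, the protocol and port fields of 6.21 and the 0.0.0.0/0 advice of 6.18 can be checked offline before a rule is saved. The following Python is an added example written for this guide, not Huawei code and not the VPC service's API: the rule and packet structures, the sg: prefix for a security-group source and the group name "default" are constructed for the example, and the rule set is modelled on the default behaviour that 6.18 and 6.22 describe (members of the same group allowed, only SSH and RDP reachable from the Internet).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class InboundRule:
    """An inbound rule as set on the Add Rule page (Figure 6-4)."""
    protocol: str                 # "TCP", "UDP", "ICMP" or "ANY"
    port_min: int = 1             # port range, used for TCP and UDP only
    port_max: int = 65535
    source: str = "0.0.0.0/0"     # CIDR block, or "sg:<name>" for a security
                                  # group in the same VPC (FAQ 6.23)


@dataclass(frozen=True)
class Packet:
    """The fields of an incoming packet that the rules are matched against."""
    protocol: str
    dst_port: Optional[int]
    src_ip: str
    src_sg: Optional[str] = None  # security group of the sending ECS, if any


def rule_matches(rule: InboundRule, pkt: Packet) -> bool:
    """True if this single rule permits the packet."""
    if rule.protocol != "ANY" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("TCP", "UDP"):
        if pkt.dst_port is None or not rule.port_min <= pkt.dst_port <= rule.port_max:
            return False
    if rule.source.startswith("sg:"):
        return pkt.src_sg == rule.source[len("sg:"):]
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source)


def is_allowed(rules: List[InboundRule], pkt: Packet) -> bool:
    """Whitelist semantics (FAQ 6.27): the union of all rules takes effect, so
    one matching rule is enough to allow the packet and no match means deny."""
    return any(rule_matches(r, pkt) for r in rules)


def lint_rules(rules: List[InboundRule]) -> List[str]:
    """Flag rules that keep the default Source 0.0.0.0/0 without narrowing the
    port range, which is what FAQ 6.18 tells you to avoid."""
    findings = []
    for r in rules:
        wide_ports = r.protocol == "ANY" or (r.port_max - r.port_min) >= 1000
        if r.source == "0.0.0.0/0" and wide_ports:
            findings.append(f"{r.protocol} {r.port_min}-{r.port_max} from 0.0.0.0/0 "
                            "is reachable from every IP address")
    return findings


# Constructed rule set modelled on the default described in FAQ 6.18 and 6.22:
# ECSs in the same group talk freely, only SSH and RDP are open to the
# Internet. The group name "default" is a placeholder.
DEFAULT_LIKE_RULES = [
    InboundRule("ANY", source="sg:default"),
    InboundRule("TCP", 22, 22, "0.0.0.0/0"),
    InboundRule("TCP", 3389, 3389, "0.0.0.0/0"),
]
# The same group after a connectivity problem was "fixed" by opening every TCP port.
OVER_PERMISSIVE_RULES = DEFAULT_LIKE_RULES + [InboundRule("TCP", 1, 65535, "0.0.0.0/0")]


def ssh_from_internet() -> bool:
    return is_allowed(DEFAULT_LIKE_RULES, Packet("TCP", 22, "203.0.113.5"))


def http_from_internet() -> bool:
    return is_allowed(DEFAULT_LIKE_RULES, Packet("TCP", 80, "203.0.113.5"))


def http_from_same_group() -> bool:
    return is_allowed(DEFAULT_LIKE_RULES, Packet("TCP", 80, "192.168.10.7", src_sg="default"))


def ping_from_internet() -> bool:
    return is_allowed(DEFAULT_LIKE_RULES, Packet("ICMP", None, "203.0.113.5"))


def http_from_internet_after_change() -> bool:
    return is_allowed(OVER_PERMISSIVE_RULES, Packet("TCP", 80, "203.0.113.5"))
```

Because the rules are a union, adding the wide rule silently makes the narrow SSH and RDP rules irrelevant; the lint reports exactly that rule. The 1000-port threshold is a choice made for this example, not a service setting.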

6.28 What Is a Resource Quota?
Quotas are used to limit the number of resources available to users. If the existing resource quota cannot meet your service requirements, you can submit a work order to increase your quota. Once your application is approved, your quota will be updated and a notification will be sent to you.

6.29 How Do I Configure a Remote Device for a VPN?
Due to the symmetry of the tunnel, the VPN parameters configured in the cloud must be the same as those configured in your own data center. If they are different, a VPN connection cannot be established.

To set up a VPN connection, you also need to configure the IPsec VPN on the router or firewall in your own data center. The configuration method may vary depending on your network device in use. For details, see the configuration guide of your network device.

This section describes how to configure the IPsec VPN on Huawei USG6600 series V100R001C30SPC300 firewalls for your reference.

In this example, the subnets of the data center are 192.168.3.0/24 and 192.168.4.0/24, the subnets of the VPC are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is 93.188.242.110, which can be obtained from the local gateway parameters of the IPsec VPN in the VPC.

Procedure
1. Log in to the command-line interface (CLI) of the firewall.
2. Check firewall version information.

display version
17:20:50 2017/03/09
Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)
Copyright (C) 2014-2016 Huawei Technologies Co., Ltd..

3. Create an access control list (ACL) and bind it to the target VPN instance.

acl number 3065 vpn-instance vpn64
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 q

4. Create an IKE proposal.

ike proposal 64
 dh group5
 authentication-algorithm sha1
 integrity-algorithm hmac-sha2-256
 sa duration 3600
 q

5. Create an IKE peer and reference the created IKE proposal. The peer IP address is 93.188.242.110.

ike peer vpnikepeer_64
 pre-shared-key ******** (******** specifies the pre-shared key.)
 ike-proposal 64
 undo version 2
 remote-address vpn-instance vpn64 93.188.242.110
 sa binding vpn-instance vpn64
 q

6. Create an IPsec proposal.

ipsec proposal ipsecpro64
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 q

7. Create an IPsec policy and reference the IKE peer and the IPsec proposal.

ipsec policy vpnipsec64 1 isakmp
 security acl 3065
 pfs dh-group5
 ike-peer vpnikepeer_64
 proposal ipsecpro64
 local-address xx.xx.xx.xx
 q

8. Apply the IPsec policy to the subinterface.

interface GigabitEthernet0/0/2.64
 ipsec policy vpnipsec64
 q

9. Test the connectivity. After you perform the preceding operations, you can test the connectivity between your ECSs in the cloud and the hosts in your data center. For details, see the following figure.
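6.29 opens with the requirement that the parameters on both ends be identical, and 6.32 lists the ones to compare (Tables 6-2 and 6-3). The Python below, an added example written for this guide rather than Huawei code, reads the parameter-carrying lines of a USG6600-style configuration such as the one above and compares them with the values entered on the cloud side. The remote snippet is constructed from the commands in this procedure with the Table 6-2 example PSK filled in, the cloud-side values are constructed, the key names are this example's own, and the encryption-algorithm line is assumed to follow the form of the other proposal commands.

```python
# Parameters that 6.32 says must match on both ends (Tables 6-2 and 6-3), plus
# the IKE/IPsec settings that the USG configuration in 6.29 sets explicitly.
COMPARED_KEYS = ("ike_version", "dh_group", "ike_auth_alg", "ike_enc_alg",
                 "ike_integrity_alg", "ike_sa_lifetime", "esp_auth_alg",
                 "encap_mode", "pfs")
# 3des is called risky by Table 6-3; md5 is added from general knowledge.
WEAK_ALGORITHMS = {"3des": "not recommended by the guide",
                   "md5": "not collision resistant (editor's addition)"}


def parse_usg_vpn_config(text):
    """Extract IKE/IPsec parameters from a USG6600-style CLI snippet like the
    one in 6.29. Line based: only the commands used there are understood, plus
    'encryption-algorithm', whose form is assumed to match the others."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if line.startswith("pre-shared-key "):
            params["psk"] = parts[1]
        elif line.startswith("dh group"):
            params["dh_group"] = parts[1]                # e.g. "group5"
        elif line.startswith("authentication-algorithm "):
            params["ike_auth_alg"] = parts[1]
        elif line.startswith("encryption-algorithm "):    # assumed command form
            params["ike_enc_alg"] = parts[1]
        elif line.startswith("integrity-algorithm "):
            params["ike_integrity_alg"] = parts[1]
        elif line.startswith("sa duration "):
            params["ike_sa_lifetime"] = int(parts[2])   # seconds
        elif line == "undo version 2":
            params["ike_version"] = "v1"                # IKEv2 switched off
        elif line.startswith("esp authentication-algorithm "):
            params["esp_auth_alg"] = parts[2]
        elif line.startswith("encapsulation-mode "):
            params["encap_mode"] = parts[1]
        elif line.startswith("pfs "):
            params["pfs"] = parts[1]
    return params


def compare_vpn_parameters(cloud, remote):
    """List the reasons the tunnel would not come up (or would be weak); an
    empty list means both ends agree. The PSK value itself is never echoed."""
    problems = []
    for side, p in (("cloud", cloud), ("remote", remote)):
        n = len(p.get("psk", ""))
        if not 6 <= n <= 128:                           # Table 6-2 length rule
            problems.append(f"{side} PSK length {n} is outside 6 to 128 characters")
        for key in ("ike_auth_alg", "ike_enc_alg", "esp_auth_alg"):
            if p.get(key) in WEAK_ALGORITHMS:
                problems.append(f"{side} {key}={p[key]}: {WEAK_ALGORITHMS[p[key]]}")
    if cloud.get("psk") != remote.get("psk"):
        problems.append("PSK differs between cloud and remote")
    for key in COMPARED_KEYS:
        c, r = cloud.get(key), remote.get(key)
        if (c is not None or r is not None) and c != r:
            problems.append(f"{key}: cloud={c!r} remote={r!r}")
    return problems


# Constructed remote-side snippet: the parameter-carrying commands from 6.29,
# with the Table 6-2 example PSK filled in.
REMOTE_USG_CONFIG = """
ike proposal 64
 dh group5
 authentication-algorithm sha1
 integrity-algorithm hmac-sha2-256
 sa duration 3600
ike peer vpnikepeer_64
 pre-shared-key Test@123
 undo version 2
 remote-address vpn-instance vpn64 93.188.242.110
ipsec proposal ipsecpro64
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
ipsec policy vpnipsec64 1 isakmp
 pfs dh-group5
"""
# Constructed cloud-side values, as read off the VPN console.
CLOUD_VPN = {"psk": "Test@123", "ike_version": "v1", "dh_group": "group5",
             "ike_auth_alg": "sha1", "ike_integrity_alg": "hmac-sha2-256",
             "ike_sa_lifetime": 3600, "esp_auth_alg": "sha1",
             "encap_mode": "tunnel", "pfs": "dh-group5"}


def example_matching():
    return compare_vpn_parameters(CLOUD_VPN, parse_usg_vpn_config(REMOTE_USG_CONFIG))


def example_lifetime_mismatch():
    remote_text = REMOTE_USG_CONFIG.replace("sa duration 3600", "sa duration 86400")
    return compare_vpn_parameters(CLOUD_VPN, parse_usg_vpn_config(remote_text))


def example_weak_cipher():
    cloud = dict(CLOUD_VPN, ike_enc_alg="3des")
    remote = dict(parse_usg_vpn_config(REMOTE_USG_CONFIG), ike_enc_alg="3des")
    return compare_vpn_parameters(cloud, remote)
```

The comparison reports a parameter that is set on only one side as a mismatch too, which is the usual cause when one end inherits a device default that the other end does not. The third example shows that two ends can agree perfectly and still be flagged, because a matching 3des choice is weak on both.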


6.30 Which Remote VPN Devices Are Supported?
Table 6-1 lists the Huawei VPN devices supported by the remote end.

Table 6-1 Huawei VPN devices

Supported Peer Device | Description
Huawei USG6000 series | USG6320/6310/6510-SJJ, USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570:2048, USG6620/6630/6650/6660/6670/6680
Huawei USG9000 series | USG9520/USG9560/USG9580

Other devices that meet the requirements outlined in the reference protocols described in section VPN Reference Standards and Protocols can also be deployed. However, some devices may fail to add because of the inconsistent protocol implementation methods of these devices. If the connection setup fails, rectify the fault by following the procedure provided in section 6.32 What Do I Do If VPN Connection Setup Fails? or contact customer service.

6.31 What Are the Reference Standards and Protocols for the IPsec VPN?

The following standards and protocols are associated with the IPsec VPN:


- RFC 4301: Security Architecture for the Internet Protocol
- RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
- RFC 2409: The Internet Key Exchange (IKE)
- RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
- RFC 3566: The AES-XCBC-MAC-96 Algorithm and its use with IPsec
- RFC 3625: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC 3664: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
- RFC 3748: Extensible Authentication Protocol (EAP)
- RFC 3947: Negotiation of NAT-Traversal in the IKE
- RFC 4109: Algorithms for Internet Key Exchange version 1 (IKEv1)
- RFC 3948: UDP Encapsulation of IPsec ESP Packets
- RFC 4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
- RFC 4306: Internet Key Exchange (IKEv2) Protocol
- RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
- RFC 4322: Opportunistic Encryption using the Internet Key Exchange (IKE)
- RFC 4359: The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH)
- RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2)
- RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2)

6.32 What Do I Do If VPN Connection Setup Fails?

1. Check whether the parameters listed in Table 6-2, Table 6-3, and Table 6-4 are consistent between the cloud VPN and the peer VPN.

Table 6-2 Basic parameters

Parameter | Description                                                                                                                                              | Example Value
----------|----------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
PSK       | Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPC VPN and the data center VPN. | Test@123


Table 6-3 IKE policy

Parameter                | Description                                                                                                                                 | Example Value
-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------
Authentication Algorithm | Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5.                                   | sha1
Encryption Algorithm     | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128
DH Algorithm             | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14.                                           | group5
Version                  | Specifies the version of the IKE protocol. The value can be v1 or v2.                                                                       | v1
Lifecycle (s)            | Specifies the lifetime of the security association (SA), in seconds. The SA will be renegotiated if its lifetime expires.                   | 86,400

Table 6-4 IPsec policy

Parameter                | Description                                                                                                                                 | Example Value
-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------
Authentication Algorithm | Specifies the authentication hash algorithm. The value can be sha1, sha2-256, sha2-384, sha2-512, or md5.                                   | sha1
Encryption Algorithm     | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128
DH Algorithm             | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14.                                           | group5
Transfer Protocol        | Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be ah, esp, or ah-esp.                  | esp
Lifecycle (s)            | Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires.                                          | 3600


2. Check whether the ACL configurations are correct.

If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL rules for each data center subnet to permit the communication with the VPC subnets. The following provides an example of ACL configurations:

    rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
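The two checks in this procedure (parameter consistency in step 1, ACL coverage in step 2) are easy to get wrong by hand when there are several subnets on each side. The following script is an added example, not Huawei's code or a tool from the guide: it compares an IKE or IPsec policy taken from the cloud side with the one configured on the peer, reports every mismatched or risky value, and generates the full set of permit rules for every (data center subnet, VPC subnet) pair, deriving the wildcard mask from the prefix length so it also works for prefixes other than /24. The policy dictionaries, the parameter names, and the decision to flag md5 alongside the 3des the guide itself calls risky are the editor's assumptions.

```python
"""Added example (not Huawei's code): checks for the VPN troubleshooting
procedure above.  Policy field names and all sample values are constructed."""
import ipaddress
from itertools import product

# Step 1: the fields from Table 6-3 (IKE) and Table 6-4 (IPsec) that must
# match on both ends.  Field names are an assumption for this example.
IKE_PARAMS = ("authentication_algorithm", "encryption_algorithm",
              "dh_algorithm", "version", "lifecycle")
IPSEC_PARAMS = ("authentication_algorithm", "encryption_algorithm",
                "dh_algorithm", "transfer_protocol", "lifecycle")

# 3des is the option the guide calls risky; flagging md5 as well is the
# editor's addition (it is a deprecated hash), not a statement from the guide.
WEAK_CHOICES = {"encryption_algorithm": {"3des"},
                "authentication_algorithm": {"md5"}}


def compare_policies(cloud, peer, params):
    """Return findings: one entry per mismatched field and one per weak value.
    An empty list means the two policies agree and contain no flagged choice."""
    findings = []
    for p in params:
        cloud_value, peer_value = cloud.get(p), peer.get(p)
        if cloud_value != peer_value:
            findings.append(f"mismatch: {p}: cloud={cloud_value!r} peer={peer_value!r}")
        for side, value in (("cloud", cloud_value), ("peer", peer_value)):
            if value in WEAK_CHOICES.get(p, set()):
                findings.append(f"weak: {p}={value} on the {side} side")
    return findings


def wildcard(cidr):
    """Convert a CIDR network to the (network address, wildcard mask) pair
    used in the ACL rule syntax shown above.  hostmask is the inverted netmask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def acl_rules(dc_subnets, vpc_subnets):
    """Step 2: one permit rule per (data center subnet, VPC subnet) pair,
    numbered in order, so no pair is forgotten."""
    rules = []
    for n, (src, dst) in enumerate(product(dc_subnets, vpc_subnets), start=1):
        src_addr, src_mask = wildcard(src)
        dst_addr, dst_mask = wildcard(dst)
        rules.append(f"rule {n} permit ip source {src_addr} {src_mask} "
                     f"destination {dst_addr} {dst_mask}")
    return rules


if __name__ == "__main__":
    # Constructed sample: the peer was configured with a different DH group
    # and with 3des, which the guide advises against.
    cloud_ike = {"authentication_algorithm": "sha1", "encryption_algorithm": "aes-128",
                 "dh_algorithm": "group5", "version": "v1", "lifecycle": 86400}
    peer_ike = dict(cloud_ike, encryption_algorithm="3des", dh_algorithm="group14")
    for finding in compare_policies(cloud_ike, peer_ike, IKE_PARAMS):
        print(finding)
    for rule in acl_rules(["192.168.3.0/24", "192.168.4.0/24"],
                          ["192.168.1.0/24", "192.168.2.0/24"]):
        print(rule)
```

Run with the guide's own subnets, `acl_rules` reproduces the four rules listed above exactly; with a /22 on one side it emits `0.0.3.255` as the wildcard, which is the value people most often mistype.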

6.33 What Do I Do If I Cannot Access the ECSs from My Data Center or LAN After a VPN Connection Has Been Set Up?

A security group denies the access from all sources by default. If you want to access your ECSs, modify the security group configuration and allow the access from the peer subnets. For details, see section Creating a Security Group.

6.34 What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?

Check whether you have properly configured the firewall policies for the access from the public IP address of the cloud VPN to the public IP address of your data center or LAN. No policies are configured to limit the access by default.

6.35 Does a VPN Allow for Communication Between Two VPCs?

A VPN does not allow two VPCs to communicate with each other. However, you can create a VPC peering connection to enable two VPCs to communicate with each other.

6.36 How Can I Configure a Security Group for Multi-Channel Protocols?

ECS Configuration

The TFTP daemon determines whether the configuration file specifies the port range. If you use the TFTP configuration file that allows the data channel ports to be configurable, it is a best practice to configure a small range of ports that are not listened on.

Security Group Configuration

You can configure both port 69 and the data channel ports used by TFTP for the security group. In RFC1350, the TFTP protocol specifies that ports available to data channels range from 0 to 65535. However, not all these ports are used by the TFTP daemon processes of different applications. Therefore, you can configure a small range of ports for the TFTP daemon.

The following figure provides an example of the security group rule configuration if the ports used by data channels range from 60001 to 60100.

6.37 Why Cannot I Access Public Websites Through Domain Names or Access Internal Domain Names in the Cloud When My ECS Has Multiple NICs?

When an ECS has more than one NIC, if different DNS server addresses are configured for the subnets used by the NICs, the ECS cannot access public websites or internal domain names in the cloud.

You can rectify this fault by configuring the same DNS server address for the subnets used by the same ECS. You can perform the following steps to modify DNS server addresses of subnets in a VPC:

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose Subnet.
4. In the right pane displayed, view the DNS server addresses of each subnet.
5. Click Modify in the right corner of each subnet and modify the DNS server address in the displayed dialog box.
6. Click OK.

6.38 What Is a Route Table?

A route table contains a set of rules that are used to determine where network traffic is directed. You can add routes to a route table to enable other ECSs in a VPC to access the Internet through the ECS that has an EIP bound.

6.39 Can a Route Table Span Multiple VPCs?

No.

6.40 How Many Routes Can Be Contained in a Route Table?

Currently, a route table can contain only one route.


6.41 What Are the Limitations of a Route Table?

- The ECS providing SNAT can have only one NIC.
- The ECS providing SNAT must have the Unbind IP from MAC function enabled.
- If the destination in a route table is 0.0.0.0/0, the next hop must be a private IP address or a floating private IP address in the VPC. Otherwise, the route table will not take effect.
- If the private floating IP address is set to the next hop in a route table, EIPs bound with all private floating IP addresses in the VPC will become invalid.

6.42 Does a Route Table Incur Any Charges?

The route table function itself is free of charge. However, you are charged for the ECSs and bandwidth used together with the route table function.

6.43 Do the Direct Connect Connections and Custom Routes in the Same VPC Have Routing Priority Competition?

No. Direct Connect connections and custom routes are used in different scenarios. Therefore, there is no routing priority competition between them.

6.44 What Are the Routing Priorities of the VPN and Custom Routes in the Same VPC?

VPNs and custom routes have the same routing priorities.

6.45 What Are the Limitations of VPC Peering?

- VPC peering connections created between VPCs that have overlapping subnet CIDR blocks may not take effect.
- You cannot have more than one VPC peering connection between the same two VPCs at the same time.
- You cannot create a VPC peering connection between VPCs in different regions.
- VPC peering does not support transitive peering relationships. In a VPC peering connection, your VPC does not have access to any other VPCs that the peer VPC may be peered with. For example, if VPC A is peered with VPC B, VPC B is peered with VPC C, but VPC A and VPC C are not peered, you cannot use VPC B as a transit point for peering between VPC A and VPC C.
- You cannot use the EIPs, VPNs, or Direct Connect connections in a VPC of a VPC peering connection to access resources in the other VPC. For example, if VPC A is peered with VPC B and VPC B has EIPs that can be used to access the Internet, you cannot use EIPs in VPC B to access the Internet from VPC A.


- To request a VPC peering connection with a VPC of another tenant, the peer tenant must accept the request to activate the connection. If you request a VPC peering connection with a VPC of your own, the system automatically accepts the request to activate the connection.
- After a VPC peering connection is established, the local and peer tenants must add routes in the local and peer VPCs to enable communication between the two VPCs.
- VPC A is peered with both VPC B and VPC C. If VPC B and VPC C have overlapping CIDR blocks, routes with the same destinations cannot be added in VPC A.
- To ensure security, do not accept VPC peering connections from unknown tenants.
- Either owner of a VPC in a peering connection can delete the VPC peering connection at any time. If a VPC peering connection is deleted by one of its owners, all information about this connection will be automatically deleted immediately, including routes added for the VPC peering connection.
- Currently, the route table of a VPC takes effect for all subnets in the VPC. You cannot add a route table dedicated for a specific subnet. The route preference is as follows: direct route > VPC peering connection route > custom route.
- If two VPCs in a VPC peering connection have overlapping CIDR blocks, the peering connection can only enable communication between two subnets in the two VPCs. If subnets in the two VPCs in a VPC peering connection have overlapping CIDR blocks, the peering connection does not take effect. To create a VPC peering connection, ensure that the two VPCs involved do not contain overlapping subnets.
- You cannot delete a VPC for which VPC peering connection routes have been configured.

6.46 What Can I Do If VPCs in a VPC Peering Connection Cannot Communicate with Each Other?

1. Check whether a VPC peering connection has been successfully created for the two VPCs. Confirm the IDs of the VPCs in the VPC peering connection.

2. Check whether routes that point to the CIDR block (or portion of the CIDR block) of the other VPC have been configured.

3. Check whether routes configured for the VPC peering connection are correct. If VPCs in a VPC peering connection have overlapping CIDR blocks, you can only add routes to enable communication between two subnets in the two VPCs.

4. Check whether the VPCs in the VPC peering connection contain overlapping subnets.

5. Check whether required security group rules have been configured for the ECSs that need to communicate with each other and whether restriction rules have been added to the iptables or firewall used by the ECSs.

6. If a message indicating that this route already exists is displayed when you add routes for a VPC peering connection, check whether the route's destination IP addresses of the VPN, Direct Connect connection, and VPC peering connection already exist.

7. If the route's destination IP addresses of a VPC peering connection overlap with those of a Direct Connect connection or VPN, the route may be invalid.

8. If VPCs in a VPC peering connection cannot communicate with each other after all these possible faults have been rectified, contact customer service.
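Steps 4, 6 and 7 of this procedure, and the overlapping-subnet limitation in section 6.45, are all range comparisons on CIDR blocks, which is exactly what people eyeball wrong. The script below is an added example, not Huawei's code or a console feature: it lists the subnet pairs that overlap between two VPCs (the case where the guide says the peering connection does not take effect), and for each destination you intend to add for the peering connection reports existing VPN, Direct Connect or peering routes that are identical to it (the "route already exists" message) or merely overlap it (the route may be invalid). The subnet lists, the route list with its source labels, and the report layout are the editor's assumptions.

```python
"""Added example (not Huawei's code): pre-checks for the VPC peering
troubleshooting steps above.  All subnets and routes are constructed samples."""
import ipaddress


def overlapping_subnets(vpc_a_subnets, vpc_b_subnets):
    """Step 4 / section 6.45: (subnet in A, subnet in B) pairs whose address
    ranges overlap.  Any hit means the peering connection will not take effect
    between those subnets."""
    hits = []
    for a in vpc_a_subnets:
        net_a = ipaddress.ip_network(a, strict=False)
        for b in vpc_b_subnets:
            if net_a.overlaps(ipaddress.ip_network(b, strict=False)):
                hits.append((a, b))
    return hits


def route_conflicts(existing_routes, peering_destinations):
    """Steps 6 and 7.  existing_routes is a list of (destination_cidr, source)
    where source is a label such as 'vpn', 'direct_connect' or 'peering'
    (labels are an assumption for this example).  For each destination to be
    added, return the existing routes that are equal to it ('exists', the
    console's "route already exists" case) or overlap it ('overlaps', which
    the guide says may make the route invalid)."""
    conflicts = {}
    for dest in peering_destinations:
        net_new = ipaddress.ip_network(dest, strict=False)
        hits = []
        for route_dest, source in existing_routes:
            net_old = ipaddress.ip_network(route_dest, strict=False)
            if net_old == net_new:
                hits.append(("exists", route_dest, source))
            elif net_old.overlaps(net_new):
                hits.append(("overlaps", route_dest, source))
        if hits:
            conflicts[dest] = hits
    return conflicts


def peering_report(vpc_a_subnets, vpc_b_subnets, existing_routes, peering_destinations):
    """Combine both checks; 'ok' is True only when nothing was found."""
    overlaps = overlapping_subnets(vpc_a_subnets, vpc_b_subnets)
    conflicts = route_conflicts(existing_routes, peering_destinations)
    return {"overlapping_subnets": overlaps,
            "route_conflicts": conflicts,
            "ok": not overlaps and not conflicts}


if __name__ == "__main__":
    # Constructed sample: the two VPCs share 10.0.2.0/24, and one of the
    # destinations to be added is already covered by a VPN route.
    vpc_a = ["10.0.1.0/24", "10.0.2.0/24"]
    vpc_b = ["10.0.2.0/24", "10.0.3.0/24"]
    routes = [("172.16.0.0/16", "vpn"), ("10.0.3.0/24", "direct_connect")]
    wanted = ["172.16.8.0/24", "10.0.3.0/24", "10.0.4.0/24"]
    report = peering_report(vpc_a, vpc_b, routes, wanted)
    for pair in report["overlapping_subnets"]:
        print("overlapping subnets:", pair)
    for dest, hits in report["route_conflicts"].items():
        for kind, route_dest, source in hits:
            print(f"{dest}: {kind} {route_dest} ({source})")
    print("ok" if report["ok"] else "fix the findings above before peering")
```

`strict=False` lets an operator paste a host address with its prefix (for example a value copied from an ECS) without the check aborting; the comparison still uses the network address.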


6.47 How Many VPC Peering Connections Can I Have?

A tenant can have a maximum of 50 VPC peering connections in one region. Accepted VPC peering connections consume the quota of both owners of a VPC peering connection. A VPC peering connection consumes the quota of only the requester (tenant of the local VPC).

6.48 How Many Routes Can Be Added for a VPC?

By default, a maximum of 100 routes can be added for a VPC. The routes include those added for Direct Connect connections and VPC peering connections.

6.49 Does a Security Group Rule or Firewall Rule Immediately Take Effect for Its Original Traffic After Being Modified?

No. After a security group rule or firewall rule is modified, the new rule may not immediately take effect for its original traffic. Users need to interrupt the original traffic for about 120 seconds for the new rule to take effect for the traffic.

6.50 What Can I Do If a Subnet Cannot Be Deleted Because It Is Used By Other Resources?

The VPC service allows you to create private, isolated virtual network environments. In a VPC, you can manage private IP address segments, subnets, and network gateways. ECSs, BMSs, databases, and some other applications use secure networks created in VPCs.

Subnets in a VPC cannot be deleted if the subnets are used by the following resources:

- ECS
- BMS
- CCE cluster
- RDS instance
- Workspace
- MRS cluster
- DCS instance
- Elastic load balancer
- VPN
- Private IP address

Check whether the subnet is used by the preceding resources. If yes, delete all resources in the subnet and then delete the subnet.


A Change History

Release Date | What's New
-------------|-----------------------------------------------------------------------------------------------------------------
2017-07-20   | This issue is the fifth official release, which incorporates the following changes: Added description about the following features: VPC peering; Firewall; Custom route.
2017-04-28   | This issue is the fourth official release, which incorporates the following change: Added description about how to add DNS server addresses during subnet information modification.
2016-10-19   | This issue is the third official release, which incorporates the following change: Updated the Help Center URL.
2016-07-15   | This issue is the second official release, which incorporates the following changes: Modified the VPN authentication algorithm; Optimized the traffic metering function.
2016-03-14   | This issue is the first official release.
