Virtual Private Cloud. VPC Product Introduction

Transcription

1

2 Product overview This document contains the following topics: - VPC overview - Basic architecture - VPC benefits VPC overview The Alibaba Cloud Virtual Private Cloud (VPC) is a private network established in Alibaba Cloud. It is logically isolated from other virtual networks in Alibaba Cloud. Alibaba Cloud VPC enables you to launch and use the Alibaba Cloud resources in your own VPC. You have full control over your Alibaba Cloud VPC, for example, you can select its IP address range, further segment your VPC into subnets, as well as configure routing tables and network gateways. Additionally, you can connect your VPC to your on-premises network using a physical connection or a VPN to form an on-demand customizable network environment. This allows you to smoothly migrate your applications to Alibaba Cloud with little effort. 1

3 Basic architecture Based on the mainstream tunneling technology, the virtual private cloud isolates the virtual network. Each VPC has a unique tunnel ID and a tunnel ID corresponds to a virtual network. The data packets transmitted between ECS instances within a VPC are encapsulated with a unique tunnel ID and then sent to the physical network for transmission. The tunnel IDs for ECS instances in different VPCs are different, communication is impossible between the two tunnels, which achieves data isolation between the two networks. The Alibaba Cloud development team developed VSwitch, Software Defined Network (SDN) and hardware gateway independently based on the tunneling technology. It is the support of these software and hardware devices, the Alibaba Cloud Virtual Private Cloud is emerged. VSwitches, gateways, and controllers are three important components of a VPC. VSwitches and gateways are the main path for data transfer. The controller uses self-developed protocol to forward routing tables to VSwitches and gateways. The configuration channel and data channel are separated in the whole architecture. Alibaba Cloud VPC provides you with a separate VRouter and VSwitch for better VPC configuration and gives you more freedom. If you have high demand on intranet security, you can use security groups to manage the VPC access control in a finer granularity. By default, an ECS instance can only communicate with other ECS instances (or other cloud services) within the same VPC. You can use the Elastic IP address and ExpressConnect functions provided by Alibaba Cloud to connect your VPC to the Internet, to other VPCs, and to your own networks. 2

4 VPC benefits Security isolation The cloud servers of different users are located in the different VPCs. Different VPCs are isolated by tunnel IDs. Using VSwitches and VRouters, you can segment your VPC into subnets as you do in the traditional network environment. Different cloud servers in the same subnet use the VSwitch to communicate with each other, while cloud servers in different subnets within a VPC use VRouters to communicate with each other. The intranet between different VPCs are completely isolated and can only be interconnected by external mapping of IP (Elastic IP and NAT IP). Because the IP packets of cloud servers are encapsulated with the tunneling ID, the data link layer (two-layer MAC address) of the cloud server will not transfer to the physical network. Therefore, the two-layer network of different cloud servers are isolated. In another word, the two-layer networks between different VPCs are isolated. The ECS instances within a VPC uses a security group firewall to control the network access. This is the third layer isolation. Access control Security groups provide flexible access control rules. Compliant with security isolation rules of government and financial users. Software Defined Network (SDN) SDN provides customized network configurations. Management operations take effect in real time. Various network connection methods Software VPNs are supported. Lease line connection is supported. VPC and VSwitches This document contains the following topics: - VPC CIDR - VSwitch - Default VPC and VSwitch Note: In Alibaba Cloud VPC, you can segment a VPC into subnets by adding VSwitches. In general, 3

5 VSwitch and subnet are the same. VPC CIDR When creating a VPC, you must specify the IP address range for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block, for example, /16. CIDR is a method for allocating IP addresses and IP routing. For more information about CIDR, refer to RFC Only one CIDR block can be assigned to a VPC. The following are available CIDR blocks: / /12 (The IP address range used by the default VPC.) /16 If you want to use other CIDR blocks, you can submit a ticket. Alternatively, you can use the CreateVpc API to create a VPC, in this situation, you are allowed to use the subnet masks of these CIDR blocks as the IP address range. Note: You cannot change the size of a VPC after you create it. It is recommended that you use a large CIDR block to avoid resizing. The system will not create VRouters based on the CIDR block, therefore, a large CIDR block has no effect on usage. VSwitch A VSwitch is a basic network device of a VPC and used to connect different cloud product instances in a subnet with a VPC. After you create a VPC, you can further segment your VPC into subnets by adding one or more VSwitches. A VPC can have a maximum of 24 VSwitches. In a VPC, a VSwtich must reside in one Availability Zone and cannot span different Availability Zones. You can protect your applications from the failure of a single location by launching instances in separate Availability Zones. When creating a VSwitch, you also need to specify the IP address range for the VSwitch in the form of CIDR block. Adhere to the following rules when specifying a CIDR block: - The CIDR block of a VSwitch must belong to that of its VPC. - The CIDR block of a VSwitch can be same as that of the VPC that it belongs to. However, you can just have only one VSwitch in this situation. - The allowed size of a CIDR block assigned to a VSwitch is between a /16 netmask and /29 netmask. That is, the VSwitch can provide 8 ~ IP addresses. - The first IP address and the last three IP addresses in each VSwitch CIDR block are not available for you to use, and cannot be assigned to an instance. These IP addresses are reserved for system use. For example, in a VSwitch with CIDR block /24, the IP addresses , , and are reserved. - The CIDR block of a VSwitch and the destination CIDR block of the VPC's current route entry 4

6 cannot be the same. - The CIDR block of a VSwitch can be a subset of the destination CIDR block of the VPC's current route entry. - CIDR block cannot be modified after a VSwitch is created. Note: VSwitch does not support multicast and broadcast. Default VPC and VSwitch Alibaba Cloud provides you with a default VPC and VSwitch to use. When you create a cloud product instance, if you choose to use the VPC network type with the default settings as shown in the following figure, a default VPC and VSwitch are created by the system. Default VPC - The default VPC in each region is unique. - The CIDR block for a default VPC is always a /16 netmask ( /16), which provides up to private IP addresses. - The default VPC does not occupy the VPC quota that the Alibaba Cloud allocates to you. - The default VPC is created by the system, all the VPCs created by you are non-default VPCs. - The operations and limits between default and non-default VPCs are the same. Default VSwitch - The default VSwitch in each Availability Zone is unique. - The CIDR block for a default VSwitch is always a /20 netmask ( /20). This provides up to 4096 private IP addresses. - The default VSwitch does not occupy the VSwitch quota that the Alibaba Cloud allocates to you. - The default VSwitch is created by the system, all the VSwitches created by you are nondefault VSwitches. - The operations and limits between default and non-default VSwitches are the same. 5

7 VRouter and routing tables This document contains the following topics: - VRouter - Routing tables - Route entry - Routing rules VRouter A VRouter is a hub in the VPC that connects all VSwitches in the VPC and serves as a gateway device that connects the VPC to other networks. Each VRouter maintains a routing table that forwards network traffic based on the specific route entry settings. The system will automatically create a VRouter when you create a VPC. When a VPC is deleted, the corresponding VRouter is also deleted. Note: - Each VPC can only have one VRouter. - VRouter does not support dynamic routing protocols such as BGP and OSPF. - VRouter supports static routes but does not support the ECMP equal-cost routes. Routing table A routing table is a list of route entries on a VRouter. When creating a VPC, the system will automatically create a routing table. When a VPC is deleted, the corresponding routing table is also deleted. The routing table cannot be directly created or deleted. Note: - Each VRouter can only have one routing table. - Route entries in a routing table affect all the cloud product instances in the VPC. Currently, the source-address policy routing is not supported for routing a VSwitch or cloud product instance. Route entry 6

8 Each entry in a routing table is designated as a routing entry. A route entry defines the next hop address for the network traffic to be routed to the specified CIDR block destination. Route entries are categorized into system routes and custom routes. When a VPC is created, a system route is automatically created for the cloud product instances in the VPC to access cloud services outside the VPC. When a VSwitch is created, another corresponding system route is created. You can create and delete custom route entries. VPC IP addresses VPC IP addresses provide resources in a VPC with the capability to communicate with each other or to communicate with the other resources in the Internet. There are two types of IP addresses in Alibaba Cloud VPC, private IP addresses and Elastic IP addresses. Note: Refer to IP Addresses for Classic Network for information about IP addresses in the classic network. This document contains the following topics: - Private IP addresses - Elastic IP addresses Private IP addresses Private IP addresses are allocated to cloud product instances when they are created in VPC. Private IP address can be used for the intranet access for the VPC cloud product instances but cannot be used for the external Internet access. The VPC private IP addresses are different from the private IP address of the classic network: - The private IP address of an instance created in VPC is allocated from the VSwitch CIDR block that the instance belongs to and the instance's private IP address is unique within the VPC. The private IP address of an instance created in the classic network is uniformly allocated by Alibaba Cloud. 7

9 Elastic IP addresses An Elastic IP address is a NAT IP address. It resides in the public network gateway of the Alibaba Cloud and is mapped to the private network gateway of the bound ECS instance by NAT. Therefore, the ECS instance bound to an Elastic IP address can communicate with the Internet without disclosing its IP address in the network gateway. Elastic IP addresses are public IP address resources that you can buy separately. You can bind an Elastic IP address to any ECS instances in any VPC. With an Elastic IP address, the ECS instances can communicate with the Internet. Note: Currently only ECS instances support binding an Elastic IP address. Refer to Bind an Elastic IP address for more information on how to buy and bind an Elastic IP address. Elastic IP address features Independently purchased and possessed You can purchase an Elastic IP address independently instead of bundling with other computing resources or storage resources. You can possess an Elastic IP address as a separate resource in your account. Binding with computing resources You can bind an Elastic IP address with an ECS instance in any VPC as needed to make the instance accessible to the Internet, and release it when you do not need the communication with the Internet. Configurable network capabilities You can adjust the bandwidth of an Elastic IP address according to your needs. The bandwidth changes take effect immediately. Differences between EIP and ECS public IP The following table lists differences between Elastic IP addresses and ECS public IP addresses. Comparison Content Elastic IP addresses ECS public IP addresses Network environment type VPC Classic network Independently possessed Yes No Dynamically binding and unbinding with ECS Viewed on the network adapter of ECS instances Yes No No Yes 8

10 Limitation - An Elastic IP address can only be bound with an ECS instance in a VPC network. Instances in the classic network are not supported. - The ECS instance to be bound is not allocated with any public IP address. - One ECS instance can be bound with only one Elastic IP address, and conversely one Elastic IP address can be bound with only one ECS instance. - The Elastic IP address and the bound ECS instance must be in the same region. - A single account can possess a maximum of 20 Elastic IP addresses. VPC terminology Term Virtual Private Cloud (VPC) VSwitch VRouter Route table Route entry Description Virtual Private Cloud (VPC) is a private network established in Alibaba Cloud. It is logically isolated from other virtual networks in Alibaba Cloud. Alibaba Cloud VPC enables you to launch and use the Alibaba Cloud resources in your own VPC. A VSwitch is a basic network device of a VPC and used to connect different cloud product instances in a subnet with a VPC. A VRouter is a hub in the VPC that connects all VSwitches in the VPC and serves as a gateway device that connects the VPC to other networks. A route table is a list of route entries on a VRouter. Each entry in a route table is designated as a route entry. A route entry defines the next hop address for the network traffic to be routed to the specified CIDR block destination. Limits of Use VPC Restriction Restrictions on Normal Users Ticket submission permits exemption 9

11 Maximum VPCs for an account 5 Supported CIDR blocks available for VPCs /16, /12, /8, and their subnets Supported Maximum VRouters for a VPC Maximum VSwitches for a VPC Maximum routing tables for a VPC Maximum route entries for a routing table Maximum cloud products for a VPC 1 Unsupported 24 Unsupported 1 Unsupported 48 Supported 5000 Unsupported Note: VPC does not support broadcast or multicast for performance and security reasons. If you want to use broadcast and multicast functions, submit a ticket to Alibaba. Default VPC - The default VPC in each region is unique. - The CIDR block for a default VPC is always a /16 netmask ( /16), which provides up to private IP addresses. - The default VPC does not occupy the VPC quota that the Alibaba Cloud allocates to you. - The default VPC is created by the system, all the VPCs created by you are non-default VPCs. - The operations and limits between default and non-default VPCs are the same. VSwitch - The VSwitch of a VPC is a Layer 3 switch so it does not support Layer 2functions. - A VSwitch does not limit the quantity of cloud product instances. The quantity of instances that can be mounted to a VSwitch depends on the quantity of cloud product instances in the specified VPC. Currently, a maximum of 5000 cloud product instances can be created for a VPC. - VSwitch CIDR blocks cannot be modified. Default VSwitch - The default VSwitch in each Availability Zone is unique. - The CIDR block for a default VSwitch is always a /20 netmask ( /20). This provides up to 4096 private IP addresses. 10

12 - The default VSwitch does not occupy the VSwitch quota that the Alibaba Cloud allocates to you. - The default VSwitch is created by the system, all the VSwitches created by you are nondefault VSwitches. - The operations and limits between default and non-default VSwitches are the same. VRouter and routing table - Each VPC can only have one VRouter. - VRouter does not support dynamic routing protocols such as BGP or OSPF. - Each VRouter only have one routing table. - Route entries in a routing table affect all the cloud product instances in the VPC. Currently, the source-address policy routing is not supported for routing a VSwitch or a cloud product instance. ECS instance migration VPC allows you to migrate an ECS instance from one VSwitch to another through the same VRouter within a VPC. Note: The following operations are not supported: - ECS instance migration across VRouters. - ECS instance migration example from VPC to classic network. Release notes Release Date August 4, 2015 December 28, 2015 March 29, 2016 March 30, 2016 Changes Alibaba Cloud fully launched, providing the Virtual Private Cloud (VPC), VRouter, RouteTable, and VSwitch services. VPC supports Resource Access Management (RAM). Did an overall review. The function default VPC was released. 11

13 Related resources Forum To visit the forum, click here. Contact us Ticket: t/list/ Presales consultation: (5 8) Customer service: Cloud product (such as ECS, RDS and SLB) consultation: HiChina product (such as domain names, mailboxes, virtual machines) consultation: Filing assistance: (ext. 3) 12