Virtual Private Cloud. User Guide. Issue 03 Date


Change History

Release Date | What's New
 | This issue is the third official release. Modified the following content: Help Center URL
 | This issue is the second official release. Modified the following content: VPN authentication algorithm; Traffic metering function
 | This issue is the first official release.

Contents

Change History
1 Overview
  Concepts
    Virtual Private Cloud
    Subnet
    Elastic IP Address
    Security Group
    VPN
    Remote Gateway
    Remote Subnet
    SNAT Service
  Access and Use
    VPC Functions and Application Scenarios
    Relationships with Other Services
    Accessing the VPC
Getting Started
  Typical Application Scenarios
  Configuring the VPC of ECSs That Do Not Need to Access the Internet
    Overview
    Creating a VPC
    Creating a Subnet for the VPC
    Creating a Security Group
    Adding a Security Group Rule
  Configuring the VPC of ECSs That Access the Internet Using EIPs
    Overview
    Creating a VPC
    Creating a Subnet for the VPC
    Assigning an EIP and Binding It to an ECS
    Creating a Security Group
    Adding a Security Group Rule
  Configuring the VPC of ECSs That Access the Internet Through a VPN
    Overview

    Creating a VPC
    Creating a Subnet for the VPC
    Creating a VPN
    Creating a Security Group
    Adding a Security Group Rule
Management
  Creating a VPC
  Modifying a VPC
  Creating a Subnet for the VPC
  Modifying a Subnet
  Assigning a Private IP Address to an ECS
  Releasing an ECS Private IP Address
  Assigning an EIP and Binding It to an ECS
  Unbinding an EIP from an ECS and Releasing the EIP
  Creating a Security Group
  Adding a Security Group Rule
  Deleting a Security Group Rule
  Deleting a Security Group
  Deleting a VPC
  Deleting a VPN
  Deleting a Subnet
  Deleting a VPC
FAQs
  What Is Virtual Private Cloud?
  Which CIDR Blocks Are Available to the VPC Service?
  Can Subnets Communicate with Each Other?
  Which Network Segments Are Available to Subnets?
  How Many Subnets Can I Create?
  What Is the Bandwidth Size Range?
  What Are EIPs?
  How Does an ECS Use an EIP?
  How Many ECSs Can One EIP Be Assigned to?
  How Can I Access an ECS from Another Security Group After an EIP Is Bound to the ECS?
  What Is a Security Group?
  Which Protocols Does a Security Group Support?
  What Are the Functions of the Default Security Group Rules?
  How Can I Configure Security Group Rules?
  Can I Change the Security Group to Which an ECS Belongs?
  How Many Security Groups Can Each User Have?
  What Is the Resource Quota?
  How Can I Configure the Remote Device for a VPN?
  Which Remote VPN Devices Are Supported?

  4.20 What Are the Reference Standards and Protocols for the IPsec VPN?
  How Can I Handle the VPN Connection Setup Failure?
  How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Connection Has Been Set Up?
  How Can I Handle the Failure in Accessing My Data Center or LAN from the ECSs Even If the VPN Connection Has Been Set Up?
  Does a VPN Allow for Communication Between Two VPCs?
  How Can I Configure the Security Group for Multi-Channel Protocols?
  Why Cannot I Access Public Websites Through Domain Names or Access Internal Public Cloud Domain Names When My ECS Has Multiple NICs?
  What Is the Function of Parameter VPC in a Security Group?

1 Overview

1.1 Concepts

Virtual Private Cloud

The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving security of resources in the cloud and simplifying network deployment.

You can create security groups and VPNs, assign IP addresses, and specify bandwidth sizes in your VPC. With a VPC, you can manage and configure internal networks and change network configurations, simplifying network management. You can also customize access rules to control ECS access within a security group and across different security groups to enhance ECS security.

To be specific, a VPC enables you to:

- Have full control over your virtual networks, for example, creating your own network and configuring the DHCP service.
- Create security groups to improve your network security.
- Assign elastic IP addresses (EIPs) for use in a VPC, bind them to ECSs in your VPC to connect the ECSs to the Internet.
- Use a VPN to connect a VPC to your physical data center for smooth application migration to the cloud.

Figure 1-1 VPC components

Subnet

A subnet is a network that manages ECS network planes. It supports IP address management as well as DHCP and DNS services. The IP addresses of all ECSs in a subnet belong to this subnet. ECSs in the same subnet can communicate with one another, while those in different subnets cannot communicate with one another.

Elastic IP Address

An EIP is a static, public IP address. You can bind an EIP to an ECS in your subnet and unbind the EIP from the ECS. The EIP enables the communication between your VPC and the Internet.

Security Group

A security group is a logical group that provides access rules to control inbound traffic to and outbound traffic from ECSs in a VPC. A security group consists of mutually trusted ECSs in a VPC that have the same security and protection requirements. After a security group is created, you can add various access rules for the security group. After an ECS is added to the security group, these rules take effect for the ECS. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules.

VPN

A virtual private network (VPN) establishes an encrypted communication tunnel between a remote user and a VPC, enabling the remote user to use service resources in the VPC through the VPN.

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To enable communication between them, you can create a VPN. For details about the VPN functions, see the VPN.

Remote Gateway

A remote gateway is the public IP address of the physical device on the peer side in an IPsec VPN tunnel. The remote gateway of each IPsec VPN must be unique.

Remote Subnet

A remote subnet is the destination network reachable through the tunnel. All IP packets sent to the network are transmitted through the IPsec VPN tunnel. You can configure more than one remote subnet. The remote subnet of a VPN cannot be a subnet in the VPC where the VPN is created.

SNAT Service

A VPC provides free source network address translation (SNAT) service, which allows ECSs to use limited bandwidth to gain one-way access to the Internet for operations, such as updating software. However, Internet users cannot directly access the ECSs.

Figure 1-2 shows how the SNAT service works. ECSs' Internet access traffic is forwarded by the SNAT device to the Internet, and the response traffic from the Internet is forwarded to the ECSs also by the SNAT device. When forwarding ECS traffic to the Internet, the SNAT device converts the source IP addresses (ECS private IP addresses) in the data packets into the public IP addresses set on the SNAT device. When handing the response packets from the Internet to the ECSs, the SNAT device changes the public IP addresses in the response data packets to the private IP addresses of the ECSs. If an ECS has an EIP bound, the SNAT device forwards the service request of the ECS or the response from the Internet preferentially through this EIP.

Figure 1-2 How SNAT service works

The SNAT service takes effect for all ECSs by default. If you want to prevent an ECS from connecting to the Internet, you can configure an outbound rule for the security group that contains the ECS.

Example: To prevent an ECS from connecting to the Internet but allow the ECS to access the /24 network segment, configure the following rule for the security group containing the ECS:

1. Delete the default outbound rule of the security group that allows all outgoing data packets. After this rule is deleted, ECSs in this security group are not allowed to access any network, including the internal networks in the VPC of the security group.
   Figure 1-3 Delete the default outbound rule of the security group
2. Add the required outbound rule. Figure 1-4 shows the added outbound rule that allows the ECS to access the /24 network segment.
   Figure 1-4 Add an outbound rule for the security group

1.2 Access and Use

VPC Functions and Application Scenarios

Functions

A VPC provides the following functions:

- Private network customization
  You can customize private subnets in your VPC and deploy applications and other services in the subnets accordingly.
- Flexible security policy configuration
  You can use security groups to divide ECSs in a VPC into different security zones and then configure different access control rules for each security zone. An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external

  networks. If a security group has no access rules after an ECS is added to the security group, the communication between the ECS and the external network is blocked. The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access external networks.
  The security group function cannot resolve the problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to the network configuration, they still cannot communicate with each other even if you configure a security group rule to allow the communication between them.
- EIP binding
  You can assign an independent EIP in your VPC. The EIP can be bound to or unbound from an ECS as required. The binding and unbinding operations take effect immediately after the operations are performed.
- VPN access
  By default, ECSs in a VPC cannot communicate with your physical data center or private network. To enable communication between them, you can enable the VPN function. A VPN connects your physical data center or private network to a VPC, enabling you to migrate your applications to the cloud.

Application Scenarios

- Host universal web applications
  You can host web applications and websites in a VPC and use the VPC as a common network. You can also create a subnet in the VPC, add ECSs to the subnet, and then assign EIPs to the ECSs to enable the ECSs to communicate with the Internet for running web applications on the ECSs. The VPN gateway is used to establish a VPN channel between the web applications and the service system in the cloud, ensuring high-speed interconnection between the website and the service system.
- Host security-demanding services
  You can place multi-tier web applications into different security groups, and configure access control rules for each security group as required.
  In a VPC, you can add the web servers and database servers to different security groups. The subnet to which the web servers belong allows access from the Internet, but the subnet to which the databases belong allows only internal access. This method ensures database server security, meeting high security requirements.
- Extend your corporate network into the cloud
  You can connect a VPC to your private cloud using a VPN. With the VPN between the VPC and your traditional data center, you can easily use the ECSs and block storage resources provided by the public cloud system. Applications can be migrated to the cloud and additional web servers can be created to increase the computing capacity on a network. In this way, a hybrid cloud is built, which reduces IT O&M costs and protects enterprise core data from being leaked. VPCs can be created across availability zones (AZs), thereby improving high availability (HA) for e-commerce systems.

Relationships with Other Services

- The EIP can be bound to the ECS in a routed network. Therefore, the VPC service can work with the ECS service.
- Elastic Load Balance (ELB) uses the EIP and bandwidth provided by the VPC service.

- After the VPC service becomes available to you, you can use Cloud Eye (CES) to view monitored object status of the service without requiring additional plug-ins to be installed. Table 1-1 lists the VPC monitoring metrics supported by CES.

Table 1-1 VPC monitoring metrics supported by CES

Metric | Definition | Value Range | Monitored Object
Upstream bandwidth | Specifies the outbound network rate of the monitored object. | 0 byte/s | Bandwidth or EIP
Downstream bandwidth | Specifies the inbound network rate of the monitored object. | 0 byte/s | Bandwidth or EIP

Accessing the VPC

The public cloud system provides web-based service management platforms, including the management console and HTTPS-based application programming interface (API), for you to access the VPC service. The detailed methods for accessing the VPC service are as follows:

- API
  If you need to integrate the VPC service provided by the public cloud system into a third-party system for secondary development, you can use the API to access the VPC service. For details, see the Virtual Private Cloud API Reference.
- Management console
  You can log in to the management console to perform other required operations on the VPC service. If you have signed up for an account in the public cloud system, you can access the VPC service by signing into the management console and selecting Virtual Private Cloud from the console homepage.
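The addressing constraints stated in 1.1 (a remote gateway is a public address and unique per IPsec VPN; a remote subnet cannot be a subnet of the VPC) and the Subnet CIDR rule in the parameter tables later in this guide (a subnet must lie within the VPC CIDR) can be checked before anything is created in the console. The following is an added example, not code from this guide or from the VPC service; the function name, the plan layout and all addresses are constructed for illustration, and treating any overlap between a remote subnet and a VPC subnet as a violation is a stricter reading than the guide's wording.

```python
import ipaddress

# Private ranges; a remote gateway is described as a public IP address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_network_plan(vpc_cidr, subnets, vpns):
    """Return a list of violations; an empty list means the plan is consistent.

    subnets: {name: cidr}
    vpns:    [{"name": str, "remote_gateway": str, "remote_subnets": [cidr, ...]}]
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)      # strict parsing: host bits must be zero
    local = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)
        except ValueError as exc:             # e.g. 192.168.1.5/24 has host bits set
            problems.append(f"subnet {name}: invalid CIDR ({exc})")
            continue
        local[name] = net
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"subnet {name}: {net} is not within VPC CIDR {vpc}")

    gateways = {}
    for vpn in vpns:
        name = vpn["name"]
        gw = ipaddress.ip_address(vpn["remote_gateway"])
        if any(gw in block for block in RFC1918):
            problems.append(f"vpn {name}: remote gateway {gw} is a private address")
        if gw in gateways:
            problems.append(f"vpn {name}: remote gateway {gw} already used by {gateways[gw]}")
        gateways.setdefault(gw, name)
        for cidr in vpn["remote_subnets"]:
            remote = ipaddress.ip_network(cidr)
            for lname, lnet in local.items():
                if remote.overlaps(lnet):     # traffic for lnet would be ambiguous
                    problems.append(
                        f"vpn {name}: remote subnet {remote} overlaps VPC subnet {lname} ({lnet})")
    return problems


# Constructed plans: BAD_PLAN breaks three of the rules, GOOD_PLAN breaks none.
BAD_PLAN = dict(
    vpc_cidr="192.168.0.0/16",
    subnets={"subnet-app": "192.168.1.0/24", "subnet-db": "172.16.5.0/24"},
    vpns=[
        {"name": "vpn-dc1", "remote_gateway": "203.0.113.10", "remote_subnets": ["10.20.0.0/16"]},
        {"name": "vpn-dc2", "remote_gateway": "203.0.113.10", "remote_subnets": ["192.168.1.0/25"]},
    ],
)
GOOD_PLAN = dict(
    vpc_cidr="192.168.0.0/16",
    subnets={"subnet-app": "192.168.1.0/24", "subnet-db": "192.168.2.0/24"},
    vpns=[{"name": "vpn-dc1", "remote_gateway": "203.0.113.10", "remote_subnets": ["10.20.0.0/16"]}],
)

if __name__ == "__main__":
    for line in validate_network_plan(**BAD_PLAN):
        print(line)
```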

2 Getting Started

2.1 Typical Application Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

- If your ECSs do not need to access the Internet or need to access the Internet using a specified IP address with limited bandwidth on default network segment /11, for example, the ECSs functioning as the database or server nodes for deploying a website, you can configure a VPC for the ECSs by following the instructions described in chapter 2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet.
- If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. Then, you can configure the VPC of these ECSs by following the instructions provided in chapter 2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs.
- If you need to access ECSs in a VPC over the Internet to perform maintenance operations on the ECSs, you can configure a VPN. For example, a website administrator needs to use a VPN to access ECSs functioning as service nodes in the VPC over the Internet. Then, you can configure the VPC of the ECSs by following the instructions provided in chapter 2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN.

2.2 Configuring the VPC of ECSs That Do Not Need to Access the Internet

Overview

If your ECSs do not need to access the Internet or need to access the Internet using a specified IP address with limited bandwidth on default network segment /11, for example, the ECSs functioning as the database nodes or server nodes for deploying a website, you can follow the procedure shown in Figure 2-1 to configure a VPC for the ECSs.

Figure 2-1 Configuring the network

Table 2-1 shows the procedure for configuring the network.

Table 2-1 Configuration process description

Task | Description
Create a VPC. | This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.
Create another subnet for the VPC. | This task is optional. If you need another subnet besides the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.

Task | Description
Create a security group. | This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.
Add a security group rule. | This task is optional. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule cannot meet your service requirements, you can add a security group rule.

Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the steps provided in this section. Then, create subnets, security groups, and VPNs and assign EIPs by following the steps provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Create VPC. On the displayed page shown in Figure 2-2, set required parameters as prompted.

Figure 2-2 Create VPC

Table 2-2 Parameter description

Parameter | Description | Example Value
Name | Specifies the VPC name. | VPC-001
VPC CIDR | Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: / / /16 24 | /16
AZ | Specifies the availability zone (AZ) to which the VPC subnet belongs. The following three AZs are supported: eu-de-01 eu-de-02 eu-de | eu-de-01
Name | Specifies the subnet name. |
Subnet CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | /24
Gateway | Specifies the gateway address of the subnet. |

Parameter | Description | Example Value
DHCP | Specifies whether to enable the DHCP function for the VPC. Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol. Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS. | Enabled

4. Click Create Now.

Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select the VPC for which a subnet is to be created.
4. On the Subnet page, click Create Subnet.
5. On the Create Subnet page shown in Figure 2-3, set the parameters as prompted.

Figure 2-3 Create Subnet

Table 2-3 Parameter description

Parameter | Description | Example Value
AZ | Specifies the AZ to which the VPC subnet belongs. The following three AZs are supported: eu-de-01 eu-de-02 eu-de-03 | eu-de-01
Name | Specifies the subnet name. |
Subnet CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | /24
Gateway | Specifies the gateway address of the subnet. |
DHCP | Specifies whether to enable the DHCP function for the VPC. Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol. Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS. | Enabled

6. Click OK.

Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, click Create Security Group.
5. On the Create Security Group page shown in Figure 2-4, set the parameters as prompted.

   Figure 2-4 Create Security Group

   NOTE
   You can change the security group name after a security group is created. It is recommended that you do not use the same name for different security groups.

6. Click OK.

Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to
- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

Set Source to the IP address segment containing the IP address of the server accommodating the target ECS. Allocate ECSs that have different Internet access policies to different security groups.

NOTE
The default value of Source is /0, indicating that all IP addresses can access VMs in the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.

4. On the Security Group page, expand the target security group and click Add Rule.
5. On the page shown in Figure 2-5, add a security group rule.

Figure 2-5 Add Rule

Table 2-4 Parameter description

Parameter | Description | Example Value
Protocol | Specifies the network protocol. The value can be TCP, UDP, ICMP, or ANY. | TCP
Transfer Direction | Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Value Inbound indicates that traffic enters the security group, and value Outbound indicates that traffic leaves the security group. | Inbound
Port Range | Specifies the port or port range for which the security group rule takes effect. The value ranges from 0 to | 22 or

Parameter | Description | Example Value
Source | Specifies the source for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. The value can be an IP address or a security group. | /0 default
Destination | Specifies the destination for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. The value can be an IP address or a security group. | /0 default

Destination can be set to Security Group or IP Address. The details are as follows:

- IP Address: This rule takes effect for the specified IP addresses. /0 indicates that this rule takes effect for all IP addresses.
- Security Group: This rule takes effect for all ECSs in the selected security group.

6. Click OK.

2.3 Configuring the VPC of ECSs That Access the Internet Using EIPs

Overview

If your ECSs need to access the Internet, for example, the ECSs functioning as the service nodes for deploying a website, you can follow the procedure shown in Figure 2-6 to bind EIPs to the ECSs.
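The rule parameters described under Adding a Security Group Rule above (Protocol, Transfer Direction, Port Range, Source or Destination), the default rules, and the outbound lock-down example in 1.1 can be modelled to review a rule set before it is entered in the console. This is an added example, not code from this guide or from the VPC service: the Rule type, the function names and all addresses are constructed, allow-only matching is assumed from the guide's statement that traffic is blocked when no rule applies, and port 3389 is the standard RDP port supplied by the example rather than taken from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ADMIN_PORTS = {22: "SSH", 3389: "RDP (MSTSC)"}   # 3389: standard RDP port, an assumption here


@dataclass(frozen=True)
class Rule:
    direction: str                     # Transfer Direction: "Inbound" or "Outbound"
    protocol: str                      # "TCP", "UDP", "ICMP" or "ANY"
    ports: Optional[Tuple[int, int]]   # inclusive Port Range; None means every port
    peer: str                          # Source/Destination: a CIDR or a security group name


def default_rules(group):
    """Defaults as the guide describes them: members reach each other, all egress allowed."""
    return [Rule("Inbound", "ANY", None, group),
            Rule("Outbound", "ANY", None, "0.0.0.0/0")]


def _as_network(peer):
    try:
        return ipaddress.ip_network(peer)
    except ValueError:
        return None                    # not a CIDR, so it names a security group


def allows(rules, direction, protocol, port, peer_ip, peer_groups=()):
    """True if any rule permits the flow; with no matching rule the flow is blocked."""
    addr = ipaddress.ip_address(peer_ip)
    for r in rules:
        if r.direction != direction or r.protocol not in ("ANY", protocol):
            continue
        if r.ports is not None and (port is None or not r.ports[0] <= port <= r.ports[1]):
            continue
        net = _as_network(r.peer)
        if (net is not None and addr in net) or (net is None and r.peer in peer_groups):
            return True
    return False


def restrict_egress(rules, allowed_cidr):
    """The guide's two steps: delete every outbound rule, then add one narrow allow rule."""
    inbound_only = [r for r in rules if r.direction != "Outbound"]
    return inbound_only + [Rule("Outbound", "ANY", None, allowed_cidr)]


def audit_inbound(rules):
    """Report admin ports that an inbound rule opens to every IP address (prefix length 0)."""
    findings = []
    for r in rules:
        if r.direction != "Inbound" or r.protocol not in ("TCP", "ANY"):
            continue
        net = _as_network(r.peer)
        if net is None or net.prefixlen != 0:
            continue                   # scoped to a security group or a narrowed source
        low, high = r.ports or (0, 65535)
        findings += [(p, ADMIN_PORTS[p], r.peer) for p in sorted(ADMIN_PORTS) if low <= p <= high]
    return findings


# Constructed sample rule sets (documentation and private address ranges).
WEB = default_rules("sg-web") + [
    Rule("Inbound", "TCP", (22, 22), "0.0.0.0/0"),     # Source left at its default
    Rule("Inbound", "TCP", (443, 443), "0.0.0.0/0"),
]
HARDENED = [Rule("Inbound", "TCP", (22, 22), "198.51.100.0/24") if r.ports == (22, 22) else r
            for r in WEB]                              # SSH only from the admin segment
LOCKED = restrict_egress(WEB, "192.168.1.0/24")

if __name__ == "__main__":
    for port, service, source in audit_inbound(WEB):
        print(f"{service} ({port}/TCP) is reachable from {source}")
    print("Internet egress after lock-down:",
          allows(LOCKED, "Outbound", "TCP", 443, "203.0.113.10"))
```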

Figure 2-6 Configuring the network

Table 2-5 shows the procedure for configuring the network.

Table 2-5 Configuration process description

Task | Description
Create a VPC. | This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.
Create another subnet for the VPC. | This task is optional. If you need another subnet besides the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.
Assign an EIP and bind it to an ECS. | This task is mandatory. You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Task | Description
Create a security group. | This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.
Add a security group rule. | This task is optional. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule cannot meet your service requirements, you can add a security group rule.

Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

To use a VPC, first create it by following the steps provided in this section. Then, create subnets, security groups, and VPNs and assign EIPs by following the steps provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Create VPC. On the displayed page shown in Figure 2-7, set required parameters as prompted.

Figure 2-7 Create VPC

Table 2-6 Parameter description

Parameter | Description | Example Value
Name | Specifies the VPC name. | VPC-001
VPC CIDR | Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: / / /16 24 | /16
AZ | Specifies the availability zone (AZ) to which the VPC subnet belongs. The following three AZs are supported: eu-de-01 eu-de-02 eu-de | eu-de-01
Name | Specifies the subnet name. |
Subnet CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | /24
Gateway | Specifies the gateway address of the subnet. |

Parameter | Description | Example Value
DHCP | Specifies whether to enable the DHCP function for the VPC. Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol. Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS. | Enabled

4. Click Create Now.

Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select the VPC for which a subnet is to be created.
4. On the Subnet page, click Create Subnet.
5. On the Create Subnet page shown in Figure 2-8, set the parameters as prompted.

Figure 2-8 Create Subnet

Table 2-7 Parameter description

Parameter | Description | Example Value
AZ | Specifies the AZ to which the VPC subnet belongs. The following three AZs are supported: eu-de-01 eu-de-02 eu-de-03 | eu-de-01
Name | Specifies the subnet name. |
Subnet CIDR | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. | /24
Gateway | Specifies the gateway address of the subnet. |
DHCP | Specifies whether to enable the DHCP function for the VPC. Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol. Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS. | Enabled

6. Click OK.

Assigning an EIP and Binding It to an ECS

Scenarios

You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Procedure

Assign an EIP.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose EIP.
4. On the EIP page, click Assign EIP.
5. On the Assign EIP page shown in Figure 2-9, set parameters as prompted.

Figure 2-9 Create EIP

Table 2-8 Parameter description

Parameter | Description | Example Value
Name | Specifies the name of the bandwidth. | bandwidth
Bandwidth | Specifies the size of the bandwidth. | 100
Quantity | Specifies the number of EIPs to be assigned. | 1

NOTE
Only outbound bandwidth is limited.

6. Click Assign Now.
7. Click Submit.

Bind an EIP.

8. On the EIP page, locate the row that contains the target EIP, and click Bind.
9. On the Bind IP Address page, select the required ECS and NIC.

Figure 2-10 Bind IP Address

10. Click OK.

Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. On the Create Security Group page shown in Figure 2-11, set the parameters as prompted.

   Figure 2-11 Create Security Group

   NOTE
   You can change the security group name after a security group is created. It is recommended that you do not use the same name for different security groups.

6. Click OK.

Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:

- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to
- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

Set Source to the IP address segment containing the IP address of the server accommodating the target ECS. Allocate ECSs that have different Internet access policies to different security groups.

NOTE
The default value of Source is /0, indicating that all IP addresses can access VMs in the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, expand the target security group and click Add Rule.
5. On the page shown in Figure 2-12, add a security group rule.

Figure 2-12 Add Rule

Table 2-9 Parameter description

Parameter: Protocol
Description: Specifies the network protocol. The value can be TCP, UDP, ICMP, or ANY.
Example Value: TCP

Parameter: Transfer Direction
Description: Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Value Inbound indicates that traffic enters the security group, and value Outbound indicates that traffic leaves the security group.
Example Value: Inbound

Parameter: Port Range
Description: Specifies the port or port range for which the security group rule takes effect. The value ranges from 0 to
Example Value: 22 or

Parameter: Source
Description: Specifies the source for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. The value can be an IP address or a security group.
Example Value: /0 default

Parameter: Destination
Description: Specifies the destination for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. The value can be an IP address or a security group.
Example Value: /0 default

Destination can be set to Security Group or IP Address. The details are as follows:
- IP Address: This rule takes effect for the specified IP addresses. /0 indicates that this rule takes effect for all IP addresses.
- Security Group: This rule takes effect for all ECSs in the selected security group.

6. Click OK.

2.4 Configuring the VPC of ECSs That Access the Internet Through a VPN

Overview

If you need to access ECSs in a VPC over the Internet to perform maintenance operations on the ECSs, you can follow the procedure shown in Figure 2-13 to configure a VPN. For example, you can configure a VPN to enable a website administrator to access ECSs functioning as service nodes in the VPC over the Internet.

Figure 2-13 Configuring the network

Table 2-10 shows the procedure for configuring the network.

Table 2-10 Configuration process description

Task: Create a VPC.
Description: This task is mandatory. You must configure required parameters to create a VPC. The created VPC comes with a default subnet. After the VPC is created, you can create other required network resources in the VPC based on your service requirements.

Task: Create another subnet for the VPC.
Description: This task is optional. If you need another subnet besides the default one, you can create a subnet in the VPC. The new subnet is used to assign IP addresses to NICs added to the ECS.

Task: Create a VPN.
Description: This task is mandatory. You can create an IPsec VPN to set up a secure and isolated communication tunnel between your data center and cloud services.

Task: Create a security group.
Description: This task is mandatory. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Task: Add a security group rule.
Description: This task is optional. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule cannot meet your service requirements, you can add a security group rule.

Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. To use a VPC, first create it by following the steps provided in this section. Then, create subnets, security groups, and VPNs and assign EIPs by following the steps provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Create VPC. On the displayed page shown in Figure 2-14, set required parameters as prompted.

Figure 2-14 Create VPC

Table 2-11 Parameter description

Parameter: Name
Description: Specifies the VPC name.
Example Value: VPC-001

Parameter: VPC CIDR
Description: Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: / / /16 24
Example Value: /16

Parameter: AZ
Description: Specifies the availability zone (AZ) to which the VPC subnet belongs. The following three AZs are supported: eu-de-01, eu-de-02, eu-de-03
Example Value: eu-de-01

Parameter: Name
Description: Specifies the subnet name.

Parameter: Subnet CIDR
Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
Example Value: /24

Parameter: Gateway
Description: Specifies the gateway address of the subnet.

Parameter: DHCP
Description: Specifies whether to enable the DHCP function for the VPC.
- Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
Example Value: Enabled

4. Click Create Now.

Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select the VPC for which a subnet is to be created.
4. On the Subnet page, click Create Subnet.
5. On the Create Subnet page shown in Figure 2-15, set the parameters as prompted.

Figure 2-15 Create Subnet

Table 2-12 Parameter description

Parameter: AZ
Description: Specifies the AZ to which the VPC subnet belongs. The following three AZs are supported: eu-de-01, eu-de-02, eu-de-03
Example Value: eu-de-01

Parameter: Name
Description: Specifies the subnet name.

Parameter: Subnet CIDR
Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
Example Value: /24

Parameter: Gateway
Description: Specifies the gateway address of the subnet.

Parameter: DHCP
Description: Specifies whether to enable the DHCP function for the VPC.
- Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
Example Value: Enabled

6. Click OK.

Creating a VPN

Overview

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To enable communication between them, enable the VPN function. To enable the VPN function, you need to create a VPN in your VPC and update the security group rules.

Description of a Simple IPsec VPN Intranet Topology

As shown in Figure 2-16, you have created a VPC that has two subnets, /24 and /24, in the cloud. You also have two subnets, /24 and /24 on your router deployed in your data center. In this case, you can create a VPN to connect the VPC subnets to the data center subnets.

Currently, the site-to-site VPN and hub-spoke VPN are supported. In addition to creating a VPN in your VPC, you also need to set up a VPN in your physical data center to establish the VPN connection.

You must ensure that the VPN in your VPC and that in your physical data center use the same IKE and IPsec policy configurations. Before creating a VPN, familiarize yourself with the protocols described in Table 2-13 and ensure that your device meets the requirements and configuration constraints of the involved protocols.

Table 2-13 Involved protocols

RFC: RFC2409
Description: Defines the IKE protocol, which negotiates and verifies key information to safeguard VPN connections.
Constraint: Use the PSK to reach an IKE peer agreement. Use the main mode to perform the negotiation.

RFC: RFC4301
Description: Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components.
Constraint: Set up a VPN connection using the IPsec tunnel.

Figure 2-16 IPsec VPN

Scenarios

Perform the following steps to create an IPsec VPN that sets up a secure, isolated communication tunnel between your data center and cloud services.

Procedure

1. Sign up and log in to the management console.
2. On the console homepage, under Network, click VPN.
3. On the VPN page, click Create VPN.
4. Set the parameters as prompted and click Create Now.

Figure 2-17 Create VPN

Table 2-14, Table 2-15, and Table 2-16 list the parameters and their descriptions.

Table 2-14 Basic parameters

Parameter: Name
Description: Specifies the name of the VPN.
Example Value: VPN-001

Parameter: Local Subnets
Description: Specifies the VPC subnets that need to communicate with your data center or private network.
Example Value: / /24

Parameter: PSK
Description: Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPC VPN and the data center VPN.
Example Value: Test@

Parameter: Remote Gateway
Description: Specifies the public IP address of the VPN in your data center or on the private network. This IP address is used for communicating with the VPC VPN.

Parameter: Remote Subnets
Description: Specifies the subnet of your data center or private network for communicating with the VPC.
Example Value: / /24

Table 2-15 IKE policy parameters

Parameter: Authentication Algorithm
Description: Specifies the authentication hash algorithm. The value can be sha1.
Example Value: sha1

Parameter: Encryption Algorithm
Description: Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky.
Example Value: aes-128

Parameter: DH Algorithm
Description: Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14.
Example Value: group5

Parameter: Version
Description: Specifies the version of the IKE protocol. The value can be V1 or V2.
Example Value: v1

Parameter: Lifecycle (sec)
Description: Specifies the lifetime of the security association (SA), in seconds. The SA will be renegotiated if its lifetime expires.
Example Value: 86,400

Table 2-16 IPsec policy parameters

Parameter: Authentication Algorithm
Description: Specifies the authentication algorithm. The value can be sha1.
Example Value: sha1

Parameter: Encryption Algorithm
Description: Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky.
Example Value: aes-128

Parameter: DH Algorithm
Description: Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14.
Example Value: group5

Parameter: Transfer Protocol
Description: Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be ah, esp, and ahesp.
Example Value: esp

Parameter: Lifecycle (sec)
Description: Specifies the lifetime of the security association (SA), in seconds. The SA will be renegotiated if its lifetime expires.
Example Value: 3600
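The guide requires the PSK and the IKE and IPsec policy settings to be the same on the VPC VPN and the data center VPN. The following check is an added example, not part of the guide or of the service: it compares two tunnel definitions before either end is configured. The dictionary layout, the key names, the sample values and the mirrored-subnet check are assumptions made for illustration.

```python
import copy
import hmac
import ipaddress

# Values the guide lists as selectable in Table 2-15 (IKE) and Table 2-16 (IPsec).
_ENC = {"aes-128", "aes-192", "aes-256", "3des"}
_DH = {"group2", "group5", "group14"}
ALLOWED = {
    "ike": {"authentication_algorithm": {"sha1"}, "encryption_algorithm": _ENC,
            "dh_algorithm": _DH, "version": {"v1", "v2"}},
    "ipsec": {"authentication_algorithm": {"sha1"}, "encryption_algorithm": _ENC,
              "dh_algorithm": _DH, "transfer_protocol": {"ah", "esp", "ahesp"}},
}
NOT_RECOMMENDED = {"3des"}    # the guide calls 3des risky
PSK_LENGTHS = range(6, 129)   # "a string of 6 to 128 characters"


def _nets(cidrs):
    """Normalise CIDR strings so that textual differences do not matter."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def mirrored(cfg):
    """Copy of cfg as the other tunnel end should hold it (subnets swapped)."""
    other = copy.deepcopy(cfg)
    other["local_subnets"] = list(cfg["remote_subnets"])
    other["remote_subnets"] = list(cfg["local_subnets"])
    return other


def check_vpn_pair(vpc, dc):
    """Return sorted (severity, message) findings for one tunnel definition."""
    findings = []
    sides = (("vpc", vpc), ("datacenter", dc))

    for name, cfg in sides:
        if len(cfg["psk"]) not in PSK_LENGTHS:
            findings.append(("error", f"{name}: PSK length is outside 6-128 characters"))
    # Constant-time comparison; the key itself never appears in a message.
    if not hmac.compare_digest(vpc["psk"].encode(), dc["psk"].encode()):
        findings.append(("error", "psk: the two ends hold different keys"))

    for policy, fields in ALLOWED.items():
        for field, allowed in fields.items():
            value = {name: str(cfg[policy][field]).lower() for name, cfg in sides}
            for name, v in value.items():
                if v not in allowed:
                    findings.append(("error", f"{name}: {policy}.{field}={v} is not a listed value"))
                elif v in NOT_RECOMMENDED:
                    findings.append(("warning", f"{name}: {policy}.{field}={v} is not recommended"))
            if value["vpc"] != value["datacenter"]:
                findings.append(("error", f"{policy}.{field}: vpc={value['vpc']} datacenter={value['datacenter']}"))
        if int(vpc[policy]["lifecycle_sec"]) != int(dc[policy]["lifecycle_sec"]):
            findings.append(("error", f"{policy}.lifecycle_sec: values differ"))

    # Assumption: each end's Remote Subnets describe the other end's Local Subnets.
    if _nets(vpc["local_subnets"]) != _nets(dc["remote_subnets"]):
        findings.append(("error", "subnets: datacenter remote_subnets != vpc local_subnets"))
    if _nets(vpc["remote_subnets"]) != _nets(dc["local_subnets"]):
        findings.append(("error", "subnets: vpc remote_subnets != datacenter local_subnets"))
    return sorted(findings)


# Constructed sample data: made-up key and address ranges.
VPC_SIDE = {
    "psk": "constructed-sample-key",
    "local_subnets": ["192.168.1.0/24", "192.168.2.0/24"],
    "remote_subnets": ["10.10.1.0/24", "10.10.2.0/24"],
    "ike": {"authentication_algorithm": "sha1", "encryption_algorithm": "aes-128",
            "dh_algorithm": "group5", "version": "v1", "lifecycle_sec": 86400},
    "ipsec": {"authentication_algorithm": "sha1", "encryption_algorithm": "aes-128",
              "dh_algorithm": "group5", "transfer_protocol": "esp", "lifecycle_sec": 3600},
}
DC_SIDE = mirrored(VPC_SIDE)
DC_SIDE["remote_subnets"] = ["192.168.1.0/24"]      # second VPC subnet left out
DC_SIDE["ike"]["encryption_algorithm"] = "3des"     # differs, and not recommended
DC_SIDE["ipsec"]["dh_algorithm"] = "group14"        # differs from the VPC side

if __name__ == "__main__":
    for severity, message in check_vpn_pair(VPC_SIDE, DC_SIDE):
        print(f"{severity:8} {message}")
```
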

NOTE
The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel.
The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel.
These parameters must be the same between your VPC VPN and your data center VPN. If they are different, the VPN tunnel cannot be set up.

5. Click Submit.
   After the IPsec VPN is successfully created, the system automatically assigns a public IP address (for example, , indicated in the red box in the following figure) to this VPN. Set the remote gateway to this public IP address when you configure the remote tunnel end in your data center.
6. Due to the symmetry of the tunnel, you also need to configure the IPsec VPN on your router or firewall in the data center.
   For details about the VPN configuration, see section 4.18 How Can I Configure the Remote Device for a VPN?
   For the protocols supported by VPN connections, see section 4.20 What Are the Reference Standards and Protocols for the IPsec VPN?
   For the supported VPN devices, see section 4.19 Which Remote VPN Devices Are Supported?

Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. On the Create Security Group page shown in Figure 2-18, set the parameters as prompted.

Figure 2-18 Create Security Group

6. Click OK.

NOTE
You can change the security group name after a security group is created. It is recommended that you do not use the same name for different security groups.

Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:
- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to
- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

Set Source to the IP address segment containing the IP address of the server accommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE
The default value of Source is /0, indicating that all IP addresses can access VMs in the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, expand the target security group and click Add Rule.
5. On the page shown in Figure 2-19, add a security group rule.

Figure 2-19 Add Rule

Table 2-17 Parameter description

Parameter: Protocol
Description: Specifies the network protocol. The value can be TCP, UDP, ICMP, or ANY.
Example Value: TCP

Parameter: Transfer Direction
Description: Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Value Inbound indicates that traffic enters the security group, and value Outbound indicates that traffic leaves the security group.
Example Value: Inbound

Parameter: Port Range
Description: Specifies the port or port range for which the security group rule takes effect. The value ranges from 0 to
Example Value: 22 or

Parameter: Source
Description: Specifies the source for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. The value can be an IP address or a security group.
Example Value: /0 default

Parameter: Destination
Description: Specifies the destination for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. The value can be an IP address or a security group.
Example Value: /0 default

Destination can be set to Security Group or IP Address. The details are as follows:
- IP Address: This rule takes effect for the specified IP addresses. /0 indicates that this rule takes effect for all IP addresses.
- Security Group: This rule takes effect for all ECSs in the selected security group.

6. Click OK.
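Because Source defaults to all IP addresses, an inbound rule for SSH or MSTSC that is saved without narrowing Source is reachable from anywhere. The audit below is an added example, not part of the guide or of the service: it walks a list of rules and reports the inbound ones that need attention. The rule dictionaries, the `0.0.0.0/0` spelling of the all-address source, the `start-end` port range format, port 3389 for MSTSC and the /24 review threshold are assumptions.

```python
import ipaddress

# Administrative ports behind the guide's two scenarios: SSH and MSTSC.
# 3389 is the standard Remote Desktop port; assumption, not a value from the guide.
ADMIN_PORTS = {22: "SSH", 3389: "MSTSC/RDP"}
WIDE_PREFIX = 24   # assumption: an IPv4 admin source wider than /24 gets reviewed


def parse_port_range(text):
    """'22' -> (22, 22); '8000-8080' -> (8000, 8080); empty -> every port."""
    if not text:
        return (0, 65535)
    low, _, high = str(text).partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return (low, high)


def source_scope(source):
    """Classify a Source value as ('cidr', network) or ('group', name)."""
    try:
        return ("cidr", ipaddress.ip_network(source, strict=False))
    except ValueError:
        return ("group", source)


def audit_rules(rules):
    """Return (rule index, severity, message) for inbound rules worth a look."""
    findings = []
    for index, rule in enumerate(rules):
        if rule["direction"].lower() != "inbound":
            continue                      # Source applies to inbound rules only
        kind, scope = source_scope(rule["source"])
        if kind == "group":
            continue                      # limited to ECSs of that security group
        protocol = rule["protocol"].upper()
        if protocol in ("TCP", "UDP"):
            low, high = parse_port_range(rule.get("port_range"))
        else:
            low, high = 0, 65535          # ANY and ICMP are not narrowed by port
        exposed = [ADMIN_PORTS[p] for p in sorted(ADMIN_PORTS)
                   if protocol in ("TCP", "ANY") and low <= p <= high]
        if scope.prefixlen == 0:
            if exposed:
                findings.append((index, "high", f"{', '.join(exposed)} reachable from every address"))
            else:
                findings.append((index, "medium", f"{protocol} {low}-{high} open to every address"))
        elif exposed and scope.prefixlen < WIDE_PREFIX:
            findings.append((index, "review", f"{', '.join(exposed)} allowed from wide source {scope}"))
    return findings


# Constructed sample rules; addresses are documentation ranges.
SAMPLE_RULES = [
    {"protocol": "TCP", "direction": "Inbound", "port_range": "22", "source": "0.0.0.0/0"},
    {"protocol": "TCP", "direction": "Inbound", "port_range": "3389", "source": "203.0.113.0/24"},
    {"protocol": "TCP", "direction": "Inbound", "port_range": "443", "source": "0.0.0.0/0"},
    {"protocol": "ANY", "direction": "Inbound", "port_range": "", "source": "default"},
    {"protocol": "TCP", "direction": "Inbound", "port_range": "20-30", "source": "198.51.100.0/22"},
    {"protocol": "ANY", "direction": "Outbound", "port_range": "", "destination": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for index, severity, message in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {severity:6} {message}")
```
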

3 Management

3.1 Creating a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. To use a VPC, first create it by following the steps provided in this section. Then, create subnets, security groups, and VPNs and assign EIPs by following the steps provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the Dashboard page, click Create VPC. On the displayed page shown in Figure 3-1, set required parameters as prompted.

Figure 3-1 Create VPC

Table 3-1 Parameter description

Parameter: Name
Description: Specifies the VPC name.
Example Value: VPC-001

Parameter: VPC CIDR
Description: Specifies the Classless Inter-Domain Routing (CIDR) block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: / / /16 24
Example Value: /16

Parameter: AZ
Description: Specifies the availability zone (AZ) to which the VPC subnet belongs. The following three AZs are supported: eu-de-01, eu-de-02, eu-de-03
Example Value: eu-de-01

Parameter: Name
Description: Specifies the subnet name.

Parameter: Subnet CIDR
Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
Example Value: /24

Parameter: Gateway
Description: Specifies the gateway address of the subnet.

Parameter: DHCP
Description: Specifies whether to enable the DHCP function for the VPC.
- Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
Example Value: Enabled

4. Click Create Now.

3.2 Modifying a VPC

Scenarios

If the VPC CIDR conflicts with the subnet of a VPN created in the VPC, you can modify the VPC to change the VPC address range.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the VPC page, locate the VPC to be modified and click.
4. On the Modify page shown in Figure 3-2, modify parameters as prompted.

Figure 3-2 Modifying a VPC

5. Click OK.

3.3 Creating a Subnet for the VPC

Scenarios

A subnet is automatically created by default when you create a VPC. If required, you can create another subnet in the VPC.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select the VPC for which a subnet is to be created.
4. On the Subnet page, click Create Subnet.
5. On the Create Subnet page shown in Figure 3-3, set the parameters as prompted.

Figure 3-3 Create Subnet

Table 3-2 Parameter description

Parameter: AZ
Description: Specifies the AZ to which the VPC subnet belongs. The following three AZs are supported: eu-de-01, eu-de-02, eu-de-03
Example Value: eu-de-01

Parameter: Name
Description: Specifies the subnet name.

Parameter: Subnet CIDR
Description: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.
Example Value: /24

Parameter: Gateway
Description: Specifies the gateway address of the subnet.

Parameter: DHCP
Description: Specifies whether to enable the DHCP function for the VPC.
- Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
Example Value: Enabled

6. Click OK.

3.4 Modifying a Subnet

Scenarios

If the DHCP policy and DNS server address configured for a subnet during subnet creation need to be modified, you can modify the subnet.

Impact of the Operation

If you disable the DHCP function for the subnet, ECSs in this VPC cannot automatically obtain IP addresses after they start. You must manually configure IP addresses for the ECSs.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, select the VPC for which the subnet is to be modified.
4. On the Subnet page, locate the target subnet, and click OK. On the page shown in Figure 3-4, set the parameters as prompted.

Figure 3-4 Modify Subnet

Table 3-3 Parameter description

Parameter: Name
Description: Specifies the subnet name.
Example Value: Subnet

Parameter: DHCP
Description: Specifies whether to enable the DHCP function for the VPC.
- Enabled: enables the DHCP function. After an ECS in this VPC starts, the ECS automatically obtains an IP address using the DHCP protocol.
- Disabled: disables the DHCP function. After an ECS using this VPC starts, the ECS cannot automatically obtain an IP address. You must manually assign an IP address to the ECS.
Example Value: Enabled

Parameter: DNS Server Address 1
Description: Specifies the IP address of DNS server 1. You can leave it blank. By default, the internal DNS server address is used.
Example Value: N/A

Parameter: DNS Server Address 2
Description: Specifies the IP address of DNS server 2. You can leave it blank. By default, the internal DNS server address is used.
Example Value: N/A

5. Click OK.

3.5 Assigning a Private IP Address to an ECS

Scenarios

When an ECS requires a floating IP address or a reserved IP address, you can assign a private IP address from the subnet to the ECS.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC.
4. On the Subnet page, locate the target subnet, and click Manage Private IP Address.
5. Click Assign Private IP Address and set the parameters shown in Figure 3-5 as prompted.
6. Click OK. You can then query the assigned private IP address in the IP address list.

Figure 3-5 Assigning a private IP address

3.6 Releasing an ECS Private IP Address

Scenarios

If you no longer need the private IP address or reserved IP address, you can release it to avoid resource occupation. The private IP address that has been bound to an ECS, gateway, or DHCP server cannot be released.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC.
4. On the Subnet page, locate the target subnet, and click Manage Private IP Address.
5. Select the private IP address to be released from the IP address list and click Delete.
6. Click OK.

3.7 Assigning an EIP and Binding It to an ECS

Scenarios

You can assign an EIP and bind it to an ECS to enable the ECS to access the Internet.

Procedure

Assign an EIP.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose EIP.
4. On the EIP page, click Assign EIP.
5. On the Assign EIP page shown in Figure 3-6, set parameters as prompted.

Figure 3-6 Create EIP

Table 3-4 Parameter description

Parameter: Name
Description: Specifies the name of the bandwidth.
Example Value: bandwidth

Parameter: Bandwidth
Description: Specifies the size of the bandwidth.
Example Value: 100

Parameter: Quantity
Description: Specifies the number of EIPs to be assigned.
Example Value: 1

NOTE
Only outbound bandwidth is limited.

6. Click Assign Now.
7. Click Submit.

Bind an EIP.

8. On the EIP page, locate the row that contains the target EIP, and click Bind.
9. On the Bind IP Address page, select the required ECS and NIC.

Figure 3-7 Bind IP Address

10. Click OK.

3.8 Unbinding an EIP from an ECS and Releasing the EIP

Scenarios

If you no longer need the EIP, unbind it from the ECS and release the EIP to release network resources. EIPs assigned and bound to ECSs in the Elastic Load Balance (ELB) service are displayed in the EIP list of the VPC service, but you cannot unbind these EIPs from ECSs. Only EIPs that are not bound to ECSs can be released. To release EIPs that are bound to ECSs, you must first unbind them.

Procedure

Unbind an EIP.

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose EIP.
4. On the EIP page, locate the row that contains the target EIP, and click Unbind.

Release an EIP.

5. On the EIP page, locate the row that contains the target EIP, and click Release.
6. Click OK.

3.9 Creating a Security Group

Scenarios

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. If the default rule meets your service requirements, you do not need to add rules to the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, click Create Security Group.
5. On the Create Security Group page shown in Figure 3-8, set the parameters as prompted.

Figure 3-8 Create Security Group

6. Click OK.

NOTE
You can change the security group name after a security group is created. It is recommended that you do not use the same name for different security groups.

Adding a Security Group Rule

Scenarios

The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

To access ECSs in a security group from external resources, create an inbound rule for the security group, for example:
- To access a remote Windows ECS using MSTSC, add an inbound rule in which Protocol is set to TCP and Port Range is set to
- To access a remote Linux ECS using SSH, add an inbound rule in which Protocol is set to TCP and Port Range is set to 22.

Set Source to the IP address segment containing the IP address of the server accommodating the target ECS.

Allocate ECSs that have different Internet access policies to different security groups.

NOTE
The default value of Source is /0, indicating that all IP addresses can access VMs in the security group.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, expand the target security group and click Add Rule.
5. On the page shown in Figure 3-9, add a security group rule.

Figure 3-9 Add Rule

Table 3-5 Parameter description

Parameter: Protocol
Description: Specifies the network protocol. The value can be TCP, UDP, ICMP, or ANY.
Example Value: TCP

Parameter: Transfer Direction
Description: Specifies the transfer direction of the traffic for which the security group rule takes effect. The value can be Inbound or Outbound. Value Inbound indicates that traffic enters the security group, and value Outbound indicates that traffic leaves the security group.
Example Value: Inbound

Parameter: Port Range
Description: Specifies the port or port range for which the security group rule takes effect. The value ranges from 0 to
Example Value: 22 or

Parameter: Source
Description: Specifies the source for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. The value can be an IP address or a security group.
Example Value: /0 default

Parameter: Destination
Description: Specifies the destination for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. The value can be an IP address or a security group.
Example Value: /0 default

Destination can be set to Security Group or IP Address. The details are as follows:
- IP Address: This rule takes effect for the specified IP addresses. /0 indicates that this rule takes effect for all IP addresses.
- Security Group: This rule takes effect for all ECSs in the selected security group.

6. Click OK.

Deleting a Security Group Rule

Scenarios

If the source IP addresses of an inbound or outbound security group rule need to be changed, you can first delete the security group rule and add a new one.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, click Security Group.
4. On the Security Group page, expand a security group.
5. If you do not need a security group rule, locate the row that contains the target rule, and click Delete.
6. Click OK.

Deleting a Security Group

Scenarios

You can delete a security group to release resources if the security group is no longer required.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC.
4. On the Security Group page, locate the target security group, and click Delete.
5. Click OK.

Deleting a VPC

Deleting a VPN

Scenarios

You can delete a VPN to release network resources if the VPN is no longer required.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click VPN.
3. On the VPN page, locate the target VPN and click Delete.
4. Click OK.

Deleting a Subnet

Scenarios

You can delete a subnet to release network resources if the subnet is no longer required.

A subnet cannot be deleted if it is used by an ECS, VPN, or a private IP address. To delete the subnet, you must first delete the ECS, VPN, and private IP address.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose VPC.
4. On the Subnet page, locate the target subnet, and click Delete.
5. Click OK.

Deleting a VPC

Scenarios

You can delete a VPC to release network resources if the VPC is no longer required.

Impact on the System

You cannot delete a VPC when the VPC has a subnet or VPN. To delete the VPC, you must first delete the subnet, VPN, and security group. For details about how to delete a subnet, see section Deleting a Subnet. For details about how to delete a VPN, see section Deleting a VPN. If EIPs exist, the last VPC cannot be deleted.

Procedure

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. On the VPC page, locate the row that contains the target VPC, and click.
4. Click OK.

4 FAQs

4.1 What Is Virtual Private Cloud?

The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving security of resources in the cloud and simplifying network deployment.

You can create security groups and VPNs, assign IP addresses, and specify bandwidth sizes in your VPC. With a VPC, you can manage and configure internal networks and change network configurations, simplifying network management. You can also customize access rules to control ECS access within a security group and across different security groups to enhance ECS security.

- Have full control over your virtual networks, for example, creating your own network and configuring the DHCP service.
- Create security groups to improve your network security.
- Assign elastic IP addresses (EIPs) for use in a VPC, bind them to ECSs in your VPC to connect the ECSs to the Internet.
- Use a VPN to connect a VPC to your physical data center for smooth application migration to the cloud.

Figure 4-1 VPC components

4.2 Which CIDR Blocks Are Available to the VPC Service?

The VPC service supports the following CIDR blocks: / / /

Can Subnets Communicate with Each Other?

Subnets are VPC resources. The subnets in one VPC can communicate with each other, but those in different VPCs cannot communicate.

4.4 Which Network Segments Are Available to Subnets?

The network segments available to subnets must be included in the VPC network segments. This means that the network segments available to subnets are the same as the network segments available to the VPC service. They are / / /16 24

4.5 How Many Subnets Can I Create?

By default, one user can create a maximum of 100 subnets. If the number of subnets cannot meet your service requirements, submit a work order to increase the quota.

4.6 What Is the Bandwidth Size Range?

The available bandwidth size ranges from 1 Mbit/s to 300 Mbit/s.

4.7 What Are EIPs?

EIPs are static IP addresses designed for dynamic cloud computing. An EIP is associated with your account. With an EIP, you can mask the failure of an ECS or software by rapidly remapping the address to another ECS in your account. Before you release the EIP, it is permanently associated with your account.

4.8 How Does an ECS Use an EIP?

An EIP is a public IP address that can be dynamically bound to the internal IP address of any routed network in a VPC. Before starting an ECS, you can assign a private IP address and a public IP address to the ECS. The public IP address is assigned from the public IP address pool of the VPC and is mapped to the private IP address using Network Address Translation (NAT). After the EIP is released, you can no longer use the public IP address.

4.9 How Many ECSs Can One EIP Be Assigned to?

One EIP can be assigned to only one ECS.

How Can I Access an ECS from Another Security Group After an EIP Is Bound to the ECS?

Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default. To allow external access to ECSs in the security group, add an inbound rule to the security group. Figure 4-2 shows the page for configuring security group rules. You can set Protocol to TCP, UDP, ICMP, or ANY as required.

- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has been configured on the ECS, or the ECS does not need to be accessible over the Internet, set Source IP Address to the IP address segment containing the IP address that is allowed to access the ECS over the Internet.
- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has not been configured on the ECS, it is recommended that you retain the default setting /0 for Source, and then set Port Range to improve network security.
- Allocate ECSs that have different Internet access policies to different security groups.

NOTE
The default value of source is /0, which indicates that all IP addresses can access VMs in the security group.

Figure 4-2 Add Rule

4.11 What Is a Security Group?

A security group implements access control for ECSs within a security group and between different security groups. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

Which Protocols Does a Security Group Support?

The protocol used by a security group can be set to TCP, UDP, ICMP, or ANY. ANY indicates that the security group takes effect for all protocols. If the TCP or UDP protocol is selected, configure ports 0 to for the protocols to access the security group. If the ICMP protocol is selected, you can set the ICMP protocol type. The default value is ANY.

What Are the Functions of the Default Security Group Rules?

An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external networks.

If no access rule is configured for a security group after an ECS is added to the security group, communication between the ECS and the external network is blocked.

The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access the external network.

The security group function cannot resolve the problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to a network problem, a security group rule will also not allow them to communicate.

How Can I Configure Security Group Rules?

Security group rules consist of inbound and outbound rules.

- When adding an inbound rule, you can set the source address to a security group or CIDR network segment. If you want to set the source address to a security group, you can only select security groups from the same VPC as the destination security group.
- When adding an outbound rule, you can set the destination address to a security group or CIDR network segment. If you want to set the destination address to a security group, you can only select security groups from the same VPC as the source security group.

ECSs in security groups in different VPCs cannot communicate with one another. To allow them to communicate, bind EIPs to them and configure security group rules.

Can I Change the Security Group to Which an ECS Belongs?

Yes. You can change the security group to which an ECS belongs.

How Many Security Groups Can Each User Have?

Each user can have a maximum of 100 security groups and 5000 security group rules.

What Is the Resource Quota?

Quotas are used to limit the number of resources available to users. If the existing resource quota cannot meet your service requirements, you can submit a work order to increase your quota. Once your application is approved, your quota will be updated and a notification will be sent to you.

How Can I Configure the Remote Device for a VPN?

Due to the symmetry of the tunnel, the VPN parameters configured in the cloud must be the same as those configured in your own data center. If they are different, the VPN connection cannot be established.

To set up a VPN connection, you also need to configure the IPsec VPN on the router or firewall in your own data center. The configuration method may vary depending on your network device in use. For details, see the configuration guide of the network device.

This section describes how to configure the IPsec VPN on Huawei USG6600 series firewalls. In this example, the subnets of the data center are /24 and /24, the subnets of the VPC are /24 and /24, and the public IP address of the IPsec tunnel egress in the VPC is , which can be obtained from the remote gateway parameters of the IPsec VPN in the VPC.

Procedure

1. Log in to the command-line interface (CLI) of the firewall.

2. Create an ACL and bind it to the target VPN instance.

   acl number 3065 vpn-instance vpn64
   rule 1 permit ip source destination
   rule 2 permit ip source destination
   rule 3 permit ip source destination
   rule 4 permit ip source destination
   q

3. Create an IKE proposal.

   ike proposal 64
   dh group5
   authentication-algorithm sha1
   integrity-algorithm hmac-sha2-256
   sa duration 3600
   q

4. Create an IKE peer and reference the created IKE proposal. The peer IP address is

   ike peer vpnikepeer_64
   pre-shared-key ******** (******** specifies the pre-shared key.)
   ike-proposal 64
   undo version 2
   remote-address vpn-instance vpn
   sa binding vpn-instance vpn64
   q

5. Create an IPsec protocol.

   ipsec proposal ipsecpro64
   encapsulation-mode tunnel
   esp authentication-algorithm sha1
   q

6. Create an IPsec policy and reference the IKE policy and IPsec proposal.

   ipsec policy vpnipsec64 1 isakmp
   security acl 3065
   pfs dh-group5
   ike-peer vpnikepeer_64
   proposal ipsecpro64
   local-address xx.xx.xx.xx
   q

7. Apply the IPsec policy to the subinterface.

   interface GigabitEthernet0/0/2.64
   ipsec policy vpnipsec64
   q

8. Test the connectivity.

   After you perform the preceding operations, you can test the connectivity between your ECSs in the cloud and the hosts in your data center. For details, see the following figure.
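The Python example below is added here and is not part of the original guide or of any Huawei tooling. It parses firewall commands of the kind shown in the procedure, compares them with the cloud-side VPN settings (which must be the same on both ends), and lists the data center/VPC subnet pairs that no ACL rule permits. The sample configuration, its addresses, the address/wildcard form of the ACL rules, and the names parse_firewall, compare and missing_acl_pairs are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the USG6600 procedure above: placeholder addresses,
# an assumed "address wildcard" ACL form, and the fourth ACL rule left out on purpose.
FIREWALL_CONFIG = """\
acl number 3065 vpn-instance vpn64
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike proposal 64
 dh group5
 authentication-algorithm sha1
 sa duration 3600
ike peer vpnikepeer_64
 undo version 2
ipsec proposal ipsecpro64
 esp authentication-algorithm sha1
ipsec policy vpnipsec64 1 isakmp
 pfs dh-group5
"""
DC_SUBNETS = ["192.168.3.0/24", "192.168.4.0/24"]   # constructed
VPC_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]  # constructed
# Cloud-side settings: example values of Tables 4-3 and 4-4 ("pfs" = IPsec DH algorithm).
CLOUD_VPN = {
    "ike": {"authentication": "sha1", "encryption": "aes-128", "dh": "group5",
            "version": "v1", "lifetime": "86400"},
    "ipsec": {"authentication": "sha1", "encryption": "aes-128", "pfs": "group5",
              "protocol": "esp", "lifetime": "3600"},
}

NET = ipaddress.ip_network
SECTION = re.compile(r"(acl number|ike proposal|ike peer|ipsec proposal|ipsec policy)\b")
ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
# (section, command pattern, phase, setting). The encryption-algorithm commands
# are not in the page's procedure; their patterns are assumed by analogy.
FIELDS = [
    ("ike proposal", r"dh (\S+)", "ike", "dh"),
    ("ike proposal", r"sa duration (\d+)", "ike", "lifetime"),
    ("ike proposal", r"authentication-algorithm (\S+)", "ike", "authentication"),
    ("ike proposal", r"encryption-algorithm (\S+)", "ike", "encryption"),
    ("ipsec proposal", r"(?:esp|ah) authentication-algorithm (\S+)", "ipsec", "authentication"),
    ("ipsec proposal", r"esp encryption-algorithm (\S+)", "ipsec", "encryption"),
    ("ipsec policy", r"pfs dh-(\S+)", "ipsec", "pfs"),
]


def parse_firewall(text):
    """Extract ACL networks and IKE/IPsec settings from firewall commands."""
    peer = {"ike": {}, "ipsec": {}, "acl": []}
    section, protocols = None, set()
    for line in map(str.strip, text.splitlines()):
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        for sec, pattern, phase, key in FIELDS:
            found = re.fullmatch(pattern, line)
            if sec == section and found:
                peer[phase][key] = found.group(1)
        rule = ACL_RULE.fullmatch(line)
        if section == "acl number" and rule:
            src, swild, dst, dwild = rule.groups()
            # ipaddress reads a contiguous wildcard such as 0.0.0.255 as a host mask.
            peer["acl"].append((NET(f"{src}/{swild}"), NET(f"{dst}/{dwild}")))
        elif section == "ike peer" and line.startswith("undo version "):
            # Disabling one IKE version leaves the other one in use.
            peer["ike"]["version"] = "v1" if line.split()[2] == "2" else "v2"
        elif section == "ipsec proposal" and line.startswith(("esp ", "ah ")):
            protocols.add(line.split()[0])
    if protocols:
        peer["ipsec"]["protocol"] = "-".join(sorted(protocols))  # esp or ah-esp
    return peer


def compare(cloud, peer):
    """List settings that differ, are unset on the firewall, or use 3des."""
    findings = []
    for phase, settings in cloud.items():
        for key, want in settings.items():
            got = peer[phase].get(key)
            if got != want:
                findings.append(f"{phase}.{key}: cloud={want} firewall={got or 'not set'}")
            if "3des" in (want, got):
                findings.append(f"{phase}.{key}: 3des is not recommended")
    return findings


def missing_acl_pairs(acl, dc_subnets, vpc_subnets):
    """Return (data center, VPC) subnet pairs that no ACL rule permits."""
    return [(dc, vpc) for dc in dc_subnets for vpc in vpc_subnets
            if not any(NET(dc).subnet_of(s) and NET(vpc).subnet_of(d) for s, d in acl)]


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_CONFIG)
    print(*compare(CLOUD_VPN, fw), sep="\n")
    print("No ACL rule for:", missing_acl_pairs(fw["acl"], DC_SUBNETS, VPC_SUBNETS))
```

With the sample input it reports the IKE lifetime difference, the settings the firewall commands leave unset, and the missing rule for the second data center subnet.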

4.19 Which Remote VPN Devices Are Supported?

Table 4-1 lists the Huawei VPN devices supported by the remote end.

Table 4-1 Huawei VPN devices

| Supported Peer Device | Description |
|---|---|
| Huawei USG6000 series | USG6320/6310/6510-SJJ; USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570:2048; USG6620/6630/6650/6660/6670/6680 |
| Huawei USG9000 series | USG9520/USG9560/USG9580 |

Other devices that meet the requirements in the reference protocols described in section 4.20 What Are the Reference Standards and Protocols for the IPsec VPN? can also be deployed. However, some devices may fail to be added because of inconsistent protocol implementation methods of these devices. If the connection setup fails, rectify the fault by following the instructions provided in section 4.21 How Can I Handle the VPN Connection Setup Failure? or contact customer service.

What Are the Reference Standards and Protocols for the IPsec VPN?

The following standards and protocols are associated with the IPsec VPN:

- RFC 4301: Security Architecture for the Internet Protocol
- RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
- RFC 2409: The Internet Key Exchange (IKE)
- RFC 2857: The Use of HMAC-RIPEMD within ESP and AH
- RFC 3566: The AES-XCBC-MAC-96 Algorithm and its use with IPsec
- RFC 3625: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC 3664: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
- RFC 3748: Extensible Authentication Protocol (EAP)
- RFC 3947: Negotiation of NAT-Traversal in the IKE
- RFC 4109: Algorithms for Internet Key Exchange version 1 (IKEv1)
- RFC 3948: UDP Encapsulation of IPsec ESP Packets
- RFC 4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
- RFC 4306: Internet Key Exchange (IKEv2) Protocol
- RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
- RFC 4322: Opportunistic Encryption using the Internet Key Exchange (IKE)
- RFC 4359: The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH)
- RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2)
- RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2)

4.21 How Can I Handle the VPN Connection Setup Failure?

1. Check whether the parameters listed in Table 4-2, Table 4-3, and Table 4-4 are consistent between the cloud VPN and the peer VPN.

Table 4-2 Basic parameters

| Parameter | Description | Example Value |
|---|---|---|
| PSK | Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPC VPN and the data center VPN. | Test@123 |

Table 4-3 IKE policy parameters

| Parameter | Description | Example Value |
|---|---|---|
| Authentication Algorithm | Specifies the authentication hash algorithm. The value can be sha1. | sha1 |
| Encryption Algorithm | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128 |
| DH Algorithm | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. | group5 |
| Version | Specifies the version of the IKE protocol. The value can be V1 or V2. | v1 |
| Lifecycle (sec) | Specifies the lifetime of the security association (SA), in seconds. The SA will be renegotiated if its lifetime expires. | 86,400 |

Table 4-4 IPsec policy parameters

| Parameter | Description | Example Value |
|---|---|---|
| Authentication Algorithm | Specifies the authentication algorithm. The value can be sha1. | sha1 |
| Encryption Algorithm | Specifies the encryption algorithm. The value can be aes-128, aes-192, aes-256, or 3des. The 3des algorithm is not recommended because it is risky. | aes-128 |
| DH Algorithm | Specifies the Diffie-Hellman key exchange algorithm. The value can be group2, group5, or group14. | group5 |
| Transfer Protocol | Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be ah, esp, or ah-esp. | esp |
| Lifecycle (sec) | Specifies the lifetime of the security association (SA), in seconds. The SA will be renegotiated if its lifetime expires. | 3600 |

2. Check whether the ACL configurations are correct.

   If the subnets of your data center are /24 and /24, and the VPC subnets are /24 and /24, configure the ACL rules for each data center subnet to permit the communication with the VPC subnets. The following provides an example of ACL configurations:

   rule 1 permit ip source destination
   rule 2 permit ip source destination
   rule 3 permit ip source destination
   rule 4 permit ip source destination

How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Connection Has Been Set Up?

The security group denies the access from all sources by default. If you want to access your ECSs, modify the security group configuration and allow the access from the peer subnets. For details, see section 3.9 Creating a Security Group.

How Can I Handle the Failure in Accessing My Data Center or LAN from the ECSs Even If the VPN Connection Has Been Set Up?

Check whether you have properly configured the firewall policies for the access from the public IP address of the cloud VPN to the public IP address of your data center or LAN. No policies are configured to limit the access by default.

Does a VPN Allow for Communication Between Two VPCs?

No. A VPN cannot be used to connect two VPCs.

How Can I Configure the Security Group for Multi-Channel Protocols?

ECS Configuration

The TFTP daemon determines whether the configuration file specifies the port range. If you use the TFTP configuration file that allows the data channel ports to be configurable, it is a best practice to configure a small range of ports that are not listened on.

Security Group Configuration

You can configure both port 69 and the data channel ports used by TFTP for the security group. In RFC1350, the TFTP protocol specifies that ports available to data channels range from 0 to. However, not all these ports are used by the TFTP daemon processes of different applications. Therefore, you can configure a small range of ports for the TFTP daemon.

The following figure provides an example of the security group rule configuration if the ports used by data channels range from to

Why Cannot I Access Public Websites Through Domain Names or Access Internal Public Cloud Domain Names When My ECS Has Multiple NICs?

When an ECS has more than one NIC, if different DNS server addresses are configured for the subnets used by the NICs, the ECS cannot access public websites through internal domain names.

You can rectify this fault by configuring the same DNS server address for the subnets used by the same ECS. You can perform the following steps to modify DNS server addresses of subnets in a VPC:

1. Log in to the management console.
2. On the console homepage, under Network, click Virtual Private Cloud.
3. In the navigation pane on the left, choose Subnet.
4. In the displayed right pane shown in Figure 4-3, view the DNS server address of each subnet.

   Figure 4-3 Subnets

5. Click Modify in the right corner of each subnet and modify the DNS server address in the displayed dialog box shown in Figure 4-4.

   Figure 4-4 Modifying the DNS server address

6. Click OK.

What Is the Function of Parameter VPC in a Security Group?

ECSs can now use any security group in the system. The VPC for the security group is only an identifier for management purposes.
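The security group answers in this FAQ (inbound traffic denied by default, narrowing Port Range when the source is left open to all addresses, allowing the peer subnets once a VPN is set up, and opening the TFTP data channel ports as well as port 69) can be checked together. The Python example below is added here and is not taken from the guide; the rules, subnets, port numbers and function names are constructed for illustration.

```python
import ipaddress

# Constructed inbound rules of one security group: (protocol, port range, source).
# ICMP and ANY rules carry no port range in this model.
INBOUND_RULES = [
    ("TCP", (443, 443), "0.0.0.0/0"),      # open to all sources, port range narrowed
    ("TCP", (0, 65535), "0.0.0.0/0"),      # open to all sources on every port
    ("UDP", (69, 69), "192.168.3.0/24"),   # TFTP requests from a data center subnet
    ("ICMP", None, "192.168.3.0/24"),
]
# Constructed access the deployment needs: (source subnet, protocol, port range).
REQUIRED_ACCESS = [
    ("192.168.3.0/24", "UDP", (69, 69)),        # TFTP requests
    ("192.168.3.0/24", "UDP", (60001, 60100)),  # data channel ports set in the TFTP daemon
    ("192.168.4.0/24", "ICMP", None),           # ping from the second peer subnet
]


def rule_matches(rule, source, protocol, ports):
    """True if one inbound rule admits this source, protocol and whole port range."""
    rule_proto, rule_ports, rule_source = rule
    if not ipaddress.ip_network(source).subnet_of(ipaddress.ip_network(rule_source)):
        return False
    if rule_proto == "ANY":
        return True
    if rule_proto != protocol:
        return False
    if ports is None or rule_ports is None:
        return True
    return rule_ports[0] <= ports[0] and ports[1] <= rule_ports[1]


def unreachable(rules, required):
    """Required flows that no single rule admits; inbound traffic is denied by default."""
    return [need for need in required
            if not any(rule_matches(rule, *need) for rule in rules)]


def overexposed(rules):
    """Rules open to every source address without a narrowed port range."""
    return [rule for rule in rules
            if ipaddress.ip_network(rule[2]).prefixlen == 0
            and (rule[0] == "ANY" or rule[1] == (0, 65535))]


if __name__ == "__main__":
    print("Open to all sources on every port:", overexposed(INBOUND_RULES))
    print("Required but still denied:", unreachable(INBOUND_RULES, REQUIRED_ACCESS))
```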


25 Best Practice Tips for architecting Amazon VPC 25 Best Practice Tips for architecting Amazon VPC 25 Best Practice Tips for architecting Amazon VPC Amazon VPC is one of the most important feature introduced by AWS. We have been using AWS from 2008 and

More information

CloudEdge SG6000-VM Installation Guide

CloudEdge SG6000-VM Installation Guide Hillstone Networks, Inc. CloudEdge SG6000-VM Installation Guide Version 5.5R1 Copyright 2015Hillstone Networks, Inc.. All rights reserved. Information in this document is subject to change without notice.

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.6 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

CloudEdge Deployment Guide

CloudEdge Deployment Guide Hillstone Networks, Inc. CloudEdge Deployment Guide Version 5.5R3P1 Copyright 2016Hillstone Networks, Inc.. All rights reserved. Information in this document is subject to change without notice. The software

More information

SD-WAN Deployment Guide (CVD)

SD-WAN Deployment Guide (CVD) SD-WAN Deployment Guide (CVD) All Cisco Meraki security appliances are equipped with SD-WAN capabilities that enable administrators to maximize network resiliency and bandwidth efficiency. This guide introduces

More information

Sample excerpt. Virtual Private Networks. Contents

Sample excerpt. Virtual Private Networks. Contents Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................

More information

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT Avaya CAD-SV Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0 Issue 1.0 30th October 2009 ABSTRACT These Application Notes describe the steps to configure the Cisco VPN 3000 Concentrator

More information

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS Cisco CSR1000V Overview The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based

More information

FAQ about Communication

FAQ about Communication FAQ about Communication Establishing a VPN Tunnel between PC Station and SCALANCE S 61x via the Internet Using the Microsoft Management Console FAQ Entry ID: 26098354 Table of Contents Table of Contents...

More information

How to configure IPSec VPN between a CradlePoint router and a Fortinet router

How to configure IPSec VPN between a CradlePoint router and a Fortinet router How to configure IPSec VPN between a CradlePoint router and a Fortinet router Summary This article presents an example configuration of a Policy-Based site-to-site IPSec VPN tunnel between a Series 3 CradlePoint

More information

Workspace. User Guide (Administrators) Date

Workspace. User Guide (Administrators) Date Date 2018-11-12 Contents Contents 1 Introduction... 1 1.1 Concepts... 1 1.1.1...1 1.1.2 Software Client... 2 1.1.3 Mobile Terminal... 2 1.1.4 Infrastructure Server... 2 1.1.5 AD Management Server... 2

More information

Deploy the Firepower Management Center Virtual On the AWS Cloud

Deploy the Firepower Management Center Virtual On the AWS Cloud Deploy the Firepower Management Center Virtual On the AWS Cloud Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you define.

More information

Integration Guide. Oracle Bare Metal BOVPN

Integration Guide. Oracle Bare Metal BOVPN Integration Guide Oracle Bare Metal BOVPN Revised: 17 November 2017 About This Guide Guide Type Documented Integration WatchGuard or a Technology Partner has provided documentation demonstrating integration

More information

EMC Symmetrix VMAX Cloud Edition

EMC Symmetrix VMAX Cloud Edition EMC Symmetrix VMAX Cloud Edition VERSION 2.2 Pre-installation Customer Questionnaire REV 02 Copyright 2013-2013 EMC Corporation. All rights reserved. Published in the USA. Published November, 2013 EMC

More information

VPN Overview. VPN Types

VPN Overview. VPN Types VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat

More information

IPSec Site-to-Site VPN (SVTI)

IPSec Site-to-Site VPN (SVTI) 13 CHAPTER Resource Summary for IPSec VPN IKE Crypto Key Ring Resource IKE Keyring Collection Resource IKE Policy Resource IKE Policy Collection Resource IPSec Policy Resource IPSec Policy Collection Resource

More information

Efficient SpeedStream 5861

Efficient SpeedStream 5861 TheGreenBow IPSec VPN Client Configuration Guide Efficient SpeedStream 5861 WebSite: Contact: http://www.thegreenbow.com support@thegreenbow.com IPSec VPN Router Configuration Property of TheGreenBow Sistech

More information

Pexip Infinity and Amazon Web Services Deployment Guide

Pexip Infinity and Amazon Web Services Deployment Guide Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 8.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway To connect to the Google Cloud VPN gateway, create an IPsec IKEv2 site-to-site VPN tunnel on your F-Series Firewall

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall Overview This document describes how to implement IPsec with pre-shared secrets establishing

More information

25 Best Practice Tips for architecting Amazon VPC. 25 Best Practice Tips for architecting Amazon VPC. Harish Ganesan- CTO- 8KMiles

25 Best Practice Tips for architecting Amazon VPC. 25 Best Practice Tips for architecting Amazon VPC. Harish Ganesan- CTO- 8KMiles 25 Best Practice Tips for architecting Amazon VPC 25 Best Practice Tips for architecting Amazon VPC Amazon VPC is one of the most important feature introduced by AWS. We have been using AWS from 2008 and

More information

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4

More information

Configuring a Hub & Spoke VPN in AOS

Configuring a Hub & Spoke VPN in AOS June 2008 Quick Configuration Guide Configuring a Hub & Spoke VPN in AOS Configuring a Hub & Spoke VPN in AOS Introduction The traditional VPN connection is used to connect two private subnets using a

More information

Google Cloud VPN Interop Guide

Google Cloud VPN Interop Guide Google Cloud VPN Interop Guide Using Cloud VPN With VyOS Disclaimer: This interoperability guide is intended to be informational in nature and contains examples only. Customers should verify this information

More information

Defining IPsec Networks and Customers

Defining IPsec Networks and Customers CHAPTER 4 Defining the IPsec Network Elements In this product, a VPN network is a unique group of targets; a target can be a member of only one network. Thus, a VPN network allows a provider to partition

More information

How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router

How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router Summary This article presents an example configuration of a Policy-Based site-to-site IPSec VPN tunnel between

More information

Creating your Virtual Data Centre

Creating your Virtual Data Centre Creating your Virtual Data Centre VPC Fundamentals and Connectivity Options Paul Burne, Senior Technical Account Manager, Enterprise Support - 28 th June 2017 2016, Amazon Web Services, Inc. or its Affiliates.

More information

Anti-DDoS. User Guide. Issue 05 Date

Anti-DDoS. User Guide. Issue 05 Date Issue 05 Date 2017-02-08 Contents Contents 1 Introduction... 1 1.1 Functions... 1 1.2 Application Scenarios...1 1.3 Accessing and Using Anti-DDoS... 2 1.3.1 How to Access Anti-DDoS...2 1.3.2 How to Use

More information

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools

More information

FortiMail AWS Deployment Guide

FortiMail AWS Deployment Guide FortiMail AWS Deployment Guide FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com

More information

Remote Connectivity for SAP Solutions over the Internet Technical Specification

Remote Connectivity for SAP Solutions over the Internet Technical Specification Remote Connectivity for SAP Solutions over the Technical Specification June 2006 Remote Connectivity for SAP Solutions over the page 2 1 Introduction SAP offers secure connections over the for support

More information

Configuring VPN Policies

Configuring VPN Policies VPN Configuring VPN Policies Configuring Advanced VPN Settings Configuring DHCP Over VPN Configuring L2TP Server Configuring VPN Policies VPN > Settings VPN Overview Configuring VPNs in SonicOS Configuring

More information

Service Managed Gateway TM. Configuring IPSec VPN

Service Managed Gateway TM. Configuring IPSec VPN Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling

More information

Example - Configuring a Site-to-Site IPsec VPN Tunnel

Example - Configuring a Site-to-Site IPsec VPN Tunnel Example - Configuring a Site-to-Site IPsec VPN Tunnel To configure a Site-to-Site VPN connection between two Barracuda NextGen X-Series Firewalls, in which one unit (Location 1) has a dynamic Internet

More information

How to Configure a Client-to-Site L2TP/IPsec VPN

How to Configure a Client-to-Site L2TP/IPsec VPN Follow the instructions in this article to configure a client-to-site L2TP/IPsec VPN. With this configuration, IPsec encrypts the payload data of the VPN because L2TP does not provide encryption. In this

More information

Exam Name: VMware Certified Associate Network Virtualization

Exam Name: VMware Certified Associate Network Virtualization Vendor: VMware Exam Code: VCAN610 Exam Name: VMware Certified Associate Network Virtualization Version: DEMO QUESTION 1 What is determined when an NSX Administrator creates a Segment ID Pool? A. The range

More information

Amazon Virtual Private Cloud. Network Administrator Guide

Amazon Virtual Private Cloud. Network Administrator Guide Amazon Virtual Private Cloud Network Administrator Guide Amazon Virtual Private Cloud: Network Administrator Guide Table of Contents Welcome... 1 Your Customer Gateway... 2 What Is a Customer Gateway?...

More information

Cisco ASA 5500 LAB Guide

Cisco ASA 5500 LAB Guide INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series

More information

SAP Business One. User Guide. Issue 04 Date HUAWEI TECHNOLOGIES CO., LTD.

SAP Business One. User Guide. Issue 04 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 04 Date 2018-12-31 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2 VNS3 IPsec Configuration VNS3 to Cisco ASA ASDM 9.2 Site-to-Site IPsec Tunnel IPsec protocol allows you to securely connect two sites together over the public internet using cryptographically secured services.

More information

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017 Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017 Table of Contents APPLICATION ARCHITECTURE OVERVIEW 2 CONNECTING

More information

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Objective A Virtual Private Network (VPN) is a private network that is used to virtually

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme LHC2103BU NSX and VMware Cloud on AWS: Deep Dive Ray Budavari, Senior Staff Technical Product Manager NSX @rbudavari #VMworld #LHC2103BU Disclaimer This presentation may contain product features that are

More information

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview Configuration Guide How to connect to an IPSec VPN using an iphone in ios Overview Currently, users can conveniently use the built-in IPSec client on an iphone to connect to a VPN server. IPSec VPN can

More information

Silver Peak EC-V and Microsoft Azure Deployment Guide

Silver Peak EC-V and Microsoft Azure Deployment Guide Silver Peak EC-V and Microsoft Azure Deployment Guide How to deploy an EC-V in Microsoft Azure 201422-001 Rev. A September 2018 2 Table of Contents Table of Contents 3 Copyright and Trademarks 5 Support

More information

Integrating Riverbed SD-WAN with Palo Alto Networks GlobalProtect Cloud Service

Integrating Riverbed SD-WAN with Palo Alto Networks GlobalProtect Cloud Service Solution Guide Integrating Riverbed SD-WAN with Palo Alto Networks GlobalProtect Cloud Service Introduction Customers today desire the use of cloud-based security solutions in tandem with their onsite

More information

Manual Key Configuration for Two SonicWALLs

Manual Key Configuration for Two SonicWALLs Manual Key Configuration for Two SonicWALLs VPN between two SonicWALLs allows users to securely access files and applications at remote locations. The first step to set up a VPN between two SonicWALLs

More information