Virtual Private Cloud. VPC Product Introduction


Product overview

This document contains the following topics:
- VPC overview
- Basic architecture
- VPC benefits

VPC overview

Alibaba Cloud Virtual Private Cloud (VPC) is a private network established in Alibaba Cloud. It is logically isolated from other virtual networks in Alibaba Cloud, and you launch and use your Alibaba Cloud resources inside your own VPC. You have full control over your VPC: you select its IP address range, segment it into subnets, and configure its routing tables and network gateways. You can also connect the VPC to your on-premises network over a physical (leased-line) connection or a VPN, which gives you an on-demand, customizable network environment into which applications can be migrated with little effort.

Basic architecture

A VPC isolates its virtual network with mainstream tunneling technology. Each VPC has a unique tunnel ID, and each tunnel ID corresponds to one virtual network. Data packets transmitted between ECS instances in a VPC are encapsulated with that VPC's tunnel ID before they are sent onto the physical network. ECS instances in different VPCs carry different tunnel IDs, and no communication is possible between two tunnels, which isolates the data of the two networks from each other.

On top of this tunneling technology, the Alibaba Cloud development team built its own VSwitch, Software Defined Network (SDN) controller and hardware gateway; these software and hardware components are what make the Alibaba Cloud VPC possible. VSwitches, gateways and controllers are the three main components of a VPC. VSwitches and gateways form the data path, while the controller distributes routing tables to the VSwitches and gateways over a self-developed protocol. The configuration (control) channel and the data channel are separated throughout the architecture.

Alibaba Cloud VPC gives you a dedicated VRouter and VSwitches so that you can configure the VPC freely. If you have stricter intranet security requirements, you can use security groups to control access within the VPC at a finer granularity. By default, an ECS instance can communicate only with other ECS instances (or other cloud services) in the same VPC. You can use the Elastic IP address and Express Connect services to connect your VPC to the Internet, to other VPCs and to your own networks.
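To make the tunnel-ID isolation concrete, the following toy model is an added example; it is not Alibaba Cloud code and does not reproduce Alibaba's real wire format. It encapsulates a Layer 2 frame with a tunnel ID, floods it over a "physical network" that reads nothing but the outer header, and shows that a VSwitch accepts only frames carrying its own VPC's tunnel ID. The two VPCs deliberately use the same MAC and private IP addresses, which is exactly the case the tunnel ID has to keep apart. The header layout, the tunnel IDs 1001 and 2002 and the addresses are assumptions made for this example.

```python
import struct

# Toy wire format (an assumption for this example, not Alibaba Cloud's real one):
# outer header = 4-byte tunnel ID, followed by the tenant's unmodified Layer 2 frame.
OUTER = struct.Struct("!I")
# inner frame = dst MAC (6) + src MAC (6) + src IPv4 (4) + dst IPv4 (4) + payload
INNER = struct.Struct("!6s6s4s4s")


def dotted(ip_bytes):
    return ".".join(str(b) for b in ip_bytes)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload):
    """Pack a tenant frame; addresses are raw bytes, e.g. bytes.fromhex('02aabbccdd01')."""
    return INNER.pack(dst_mac, src_mac, src_ip, dst_ip) + payload


def encapsulate(tunnel_id, inner_frame):
    """What the sending VSwitch does: prepend the VPC's tunnel ID to the frame."""
    return OUTER.pack(tunnel_id) + inner_frame


class VSwitch:
    """Keeps frames of its own tunnel; drops everything else before parsing MAC or IP."""

    def __init__(self, name, tunnel_id):
        self.name = name
        self.tunnel_id = tunnel_id
        self.delivered = []      # (destination IP, payload) pairs accepted
        self.dropped = 0

    def receive(self, packet):
        (tunnel_id,) = OUTER.unpack_from(packet)
        if tunnel_id != self.tunnel_id:
            self.dropped += 1    # foreign tunnel: isolated at Layer 2 and Layer 3
            return False
        inner = packet[OUTER.size:]
        dst_mac, src_mac, src_ip, dst_ip = INNER.unpack_from(inner)
        self.delivered.append((dotted(dst_ip), inner[INNER.size:]))
        return True


class PhysicalNetwork:
    """Floods every packet to all attached VSwitches; it never looks past the tunnel ID."""

    def __init__(self):
        self.vswitches = []

    def attach(self, vswitch):
        self.vswitches.append(vswitch)

    def forward(self, packet):
        (tunnel_id,) = OUTER.unpack_from(packet)   # the only field the fabric reads
        return [vsw.name for vsw in self.vswitches if vsw.receive(packet)]


def demo():
    """Two VPCs with identical private addressing; only the tunnel IDs tell them apart."""
    net = PhysicalNetwork()
    vsw_a = VSwitch("vsw-in-vpc-a", tunnel_id=1001)    # hypothetical tunnel IDs
    vsw_b = VSwitch("vsw-in-vpc-b", tunnel_id=2002)
    net.attach(vsw_a)
    net.attach(vsw_b)
    mac1 = bytes.fromhex("02aabbccdd01")
    mac2 = bytes.fromhex("02aabbccdd02")
    src_ip = bytes([10, 0, 1, 10])     # 10.0.1.10 exists in both VPCs
    dst_ip = bytes([10, 0, 1, 20])     # 10.0.1.20 exists in both VPCs
    frame = build_frame(mac2, mac1, src_ip, dst_ip, b"hello")
    net.forward(encapsulate(1001, frame))   # sent by an instance in VPC A
    net.forward(encapsulate(2002, frame))   # the very same frame sent in VPC B
    return {
        "a_delivered": len(vsw_a.delivered), "a_dropped": vsw_a.dropped,
        "b_delivered": len(vsw_b.delivered), "b_dropped": vsw_b.dropped,
        "a_dst": vsw_a.delivered[0][0], "b_dst": vsw_b.delivered[0][0],
    }
```

Each VSwitch ends up with exactly one delivered frame, addressed to 10.0.1.20 in its own VPC, and one drop for the other VPC's copy; the fabric itself never parsed a MAC or IP address, which is why the inner Layer 2 addresses of different VPCs can never collide or leak.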

VPC benefits

Security isolation
The cloud servers of different users are located in different VPCs, and different VPCs are isolated by their tunnel IDs. Using VSwitches and VRouters, you can segment your VPC into subnets as you would in a traditional network. Cloud servers in the same subnet communicate through the VSwitch, while cloud servers in different subnets of the same VPC communicate through the VRouter. The intranets of different VPCs are completely isolated and can be interconnected only through externally mapped IP addresses (Elastic IP addresses and NAT IP addresses). Because the IP packets of cloud servers are encapsulated with the tunnel ID, the data link layer (the Layer 2 MAC addresses) of a cloud server is never carried onto the physical network, so the Layer 2 networks of cloud servers in different VPCs are isolated from each other. Within a VPC, ECS instances use the security group firewall to control network access; this is the third layer of isolation.

Access control
Security groups provide flexible access control rules that satisfy the security isolation requirements of government and financial customers.

Software Defined Network (SDN)
SDN provides customized network configuration. Management operations take effect in real time.

Various network connection methods
Software VPNs and leased-line connections are supported.

VPC and VSwitches

This document contains the following topics:
- VPC CIDR
- VSwitch
- Default VPC and VSwitch

Note: In Alibaba Cloud VPC, you segment a VPC into subnets by adding VSwitches. In general, a VSwitch and a subnet are the same thing.

VPC CIDR

When creating a VPC, you must specify its IP address range as a Classless Inter-Domain Routing (CIDR) block, for example 10.0.0.0/16. CIDR is a method for allocating IP addresses and routing IP traffic; see RFC 4632 for details. Only one CIDR block can be assigned to a VPC. The following CIDR blocks are available:
- 10.0.0.0/8
- 172.16.0.0/12 (the range used by the default VPC)
- 192.168.0.0/16
If you want to use other CIDR blocks, submit a ticket. Alternatively, use the CreateVpc API to create the VPC; in that case you may use any subnet of these CIDR blocks as the VPC's address range.

Note: You cannot change the size of a VPC after it is created, so use a large CIDR block to avoid having to resize. VRouters are not provisioned according to the size of the CIDR block, so a large CIDR block has no effect on usage.

VSwitch

A VSwitch is a basic network device of a VPC; it connects the cloud product instances in one subnet of the VPC. After you create a VPC, you segment it into subnets by adding one or more VSwitches. A VPC can have a maximum of 24 VSwitches. A VSwitch must reside in one Availability Zone and cannot span Availability Zones; you can protect your applications from the failure of a single location by launching instances in separate Availability Zones.

When creating a VSwitch, you also specify its IP address range as a CIDR block. The following rules apply:
- The CIDR block of a VSwitch must lie within that of its VPC.
- The CIDR block of a VSwitch can be the same as that of its VPC, but then the VPC can have only that one VSwitch.
- The size of a VSwitch CIDR block is between a /16 netmask and a /29 netmask; that is, a VSwitch spans 8 to 65536 IP addresses (four of which are reserved, see the next rule).
- The first IP address and the last three IP addresses of each VSwitch CIDR block are reserved for system use and cannot be assigned to an instance. For example, in a VSwitch with CIDR block 192.168.1.0/24, the addresses 192.168.1.0, 192.168.1.253, 192.168.1.254 and 192.168.1.255 are reserved.
- The CIDR block of a VSwitch cannot be the same as the destination CIDR block of an existing route entry in the VPC's routing table.
- The CIDR block of a VSwitch can be a subset of the destination CIDR block of an existing route entry.
- The CIDR block cannot be modified after the VSwitch is created.
Note: VSwitches do not support multicast or broadcast.

Default VPC and VSwitch

Alibaba Cloud provides a default VPC and a default VSwitch. When you create a cloud product instance and choose the VPC network type with the default settings, as shown in the following figure, the system creates the default VPC and VSwitch for you.

Default VPC
- There is exactly one default VPC per region.
- The CIDR block of a default VPC is always a /16 netmask (172.31.0.0/16), which provides up to 65536 private IP addresses.
- The default VPC does not count against the VPC quota that Alibaba Cloud allocates to you.
- The default VPC is created by the system; all VPCs created by you are non-default VPCs.
- The operations and limits are the same for default and non-default VPCs.

Default VSwitch
- There is exactly one default VSwitch per Availability Zone.
- The CIDR block of a default VSwitch is always a /20 netmask (for example 172.31.0.0/20), which provides up to 4096 private IP addresses.
- The default VSwitch does not count against the VSwitch quota that Alibaba Cloud allocates to you.
- The default VSwitch is created by the system; all VSwitches created by you are non-default VSwitches.
- The operations and limits are the same for default and non-default VSwitches.
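The CIDR rules above are easy to get wrong by hand, so here is an added example (not Alibaba Cloud's own code, and it calls no Alibaba API) that checks a proposed VSwitch CIDR against them with Python's standard ipaddress module and lists the reserved addresses. The VPC CIDR, existing VSwitches and route destinations passed to the checks are hypothetical inputs. One check, that VSwitches of the same VPC must not overlap, is not stated on this page; it follows from private IP addresses being unique within a VPC and is marked as an inference in the code.

```python
import ipaddress

# Added example (not Alibaba Cloud code): the VPC/VSwitch CIDR rules from this
# guide, checked with the standard library. All inputs are hypothetical.

SELF_SERVICE_VPC_BLOCKS = [ipaddress.ip_network(b)
                           for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_VSWITCHES_PER_VPC = 24
VSWITCH_PREFIX_RANGE = (16, 29)      # /16 = 65536 addresses ... /29 = 8 addresses
RESERVED_PER_VSWITCH = 4             # the first address plus the last three


def vpc_cidr_is_self_service(cidr):
    """True if the VPC CIDR lies inside 10/8, 172.16/12 or 192.168/16 (no ticket needed)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in SELF_SERVICE_VPC_BLOCKS)


def reserved_addresses(vswitch_cidr):
    """The system-reserved addresses of a VSwitch: the first and the last three."""
    net = ipaddress.ip_network(vswitch_cidr, strict=True)
    last = net.broadcast_address
    return [str(net.network_address), str(last - 2), str(last - 1), str(last)]


def usable_addresses(vswitch_cidr):
    """Addresses that can actually be assigned to instances in the VSwitch."""
    return ipaddress.ip_network(vswitch_cidr, strict=True).num_addresses - RESERVED_PER_VSWITCH


def vswitch_problems(vpc_cidr, new_cidr, existing_vswitches=(), route_destinations=()):
    """Rules a proposed VSwitch CIDR would violate; an empty list means it is acceptable."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    new = ipaddress.ip_network(new_cidr, strict=True)
    existing = [ipaddress.ip_network(c, strict=True) for c in existing_vswitches]
    routes = [ipaddress.ip_network(c, strict=True) for c in route_destinations]
    problems = []
    lo, hi = VSWITCH_PREFIX_RANGE
    if not lo <= new.prefixlen <= hi:
        problems.append("prefix /%d is outside /%d../%d" % (new.prefixlen, lo, hi))
    if not new.subnet_of(vpc):
        problems.append("%s is not inside the VPC CIDR %s" % (new, vpc))
    if new == vpc and existing:
        problems.append("a VSwitch equal to the VPC CIDR must be the only VSwitch")
    if any(e == vpc for e in existing):
        problems.append("an existing VSwitch already covers the whole VPC CIDR")
    if len(existing) >= MAX_VSWITCHES_PER_VPC:
        problems.append("the VPC already has %d VSwitches" % MAX_VSWITCHES_PER_VPC)
    # Inference, not stated on the page: VSwitches of one VPC cannot overlap,
    # otherwise private IP addresses could not be unique within the VPC.
    for e in existing:
        if new.overlaps(e):
            problems.append("%s overlaps the existing VSwitch %s" % (new, e))
    # Equal to a route destination is forbidden; a strict subset of one is allowed.
    if any(new == r for r in routes):
        problems.append("%s equals the destination of an existing route entry" % new)
    return problems
```

Because every VSwitch that is created also gets its own system route entry, proposing a CIDR that equals an existing VSwitch trips both the overlap inference and the route-destination rule, while a /25 inside an existing /24 route destination passes.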

VRouter and routing tables

This document contains the following topics:
- VRouter
- Routing tables
- Route entry
- Routing rules

VRouter

A VRouter is the hub of the VPC: it connects all VSwitches in the VPC and serves as the gateway device that connects the VPC to other networks. Each VRouter maintains a routing table and forwards network traffic according to its route entries. The system automatically creates a VRouter when you create a VPC, and deletes it when the VPC is deleted.
Note:
- Each VPC has exactly one VRouter.
- The VRouter does not support dynamic routing protocols such as BGP and OSPF.
- The VRouter supports static routes but not ECMP (equal-cost multipath) routes.

Routing table

A routing table is the list of route entries on a VRouter. The system automatically creates the routing table when the VPC is created and deletes it when the VPC is deleted; routing tables cannot be created or deleted directly.
Note:
- Each VRouter has exactly one routing table.
- Route entries in the routing table apply to all cloud product instances in the VPC. Source-address policy routing, per VSwitch or per cloud product instance, is currently not supported.

Route entry

Each entry in a routing table is called a route entry. A route entry defines the next hop for network traffic destined for a specified CIDR block. Route entries are categorized into system routes and custom routes. When a VPC is created, a system route is automatically created so that cloud product instances in the VPC can access cloud services outside the VPC; when a VSwitch is created, a corresponding system route is created as well. You can create and delete custom route entries.

VPC IP addresses

VPC IP addresses allow resources in a VPC to communicate with each other and with resources on the Internet. There are two types of IP addresses in Alibaba Cloud VPC: private IP addresses and Elastic IP addresses.
Note: Refer to IP Addresses for Classic Network for information about IP addresses in the classic network.

This document contains the following topics:
- Private IP addresses
- Elastic IP addresses

Private IP addresses

Private IP addresses are allocated to cloud product instances when they are created in a VPC. A private IP address can be used for intranet access between the cloud product instances of the VPC, but not for access to the Internet. VPC private IP addresses differ from classic-network private IP addresses:
- The private IP address of an instance created in a VPC is allocated from the CIDR block of the VSwitch the instance belongs to, and it is unique within the VPC. The private IP address of an instance created in the classic network is allocated uniformly by Alibaba Cloud.
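As an added example (not Alibaba Cloud code, and using no Alibaba API), the model below builds the routing table of a hypothetical VPC with two VSwitches and two custom routes, resolves next hops, and enforces the single-table limits stated in this guide. It assumes longest-prefix matching, which the guide does not spell out, and it leaves out the system route for cloud services outside the VPC because the page gives no destination for it. All VSwitch and instance identifiers are made up.

```python
import ipaddress

# Added example (not Alibaba Cloud code): a static routing table as described in
# this guide. Identifiers such as "vsw-a" and "i-nat-instance" are hypothetical.

MAX_ROUTE_ENTRIES = 48     # per routing table, from the "Limits of Use" section


class RouteTable:
    """The single static routing table of a VRouter; lookups use the destination only."""

    def __init__(self):
        self.entries = {}      # destination network -> (next_hop, "system" | "custom")

    def _add(self, destination, next_hop, kind):
        dst = ipaddress.ip_network(destination, strict=True)
        if dst in self.entries:
            return False                   # one entry per destination CIDR
        if len(self.entries) >= MAX_ROUTE_ENTRIES:
            return False                   # table quota exhausted
        self.entries[dst] = (next_hop, kind)
        return True

    def add_system_route(self, destination, next_hop):
        return self._add(destination, next_hop, "system")

    def add_custom_route(self, destination, next_hop):
        return self._add(destination, next_hop, "custom")

    def delete_custom_route(self, destination):
        dst = ipaddress.ip_network(destination, strict=True)
        entry = self.entries.get(dst)
        if entry is None or entry[1] != "custom":
            return False                   # system routes are not user-deletable
        del self.entries[dst]
        return True

    def lookup(self, ip):
        """Next hop for a destination IP by longest-prefix match (an assumption here).
        There is no source argument: the same answer applies to every instance in the VPC."""
        addr = ipaddress.ip_address(ip)
        best = None
        for dst, (next_hop, _) in self.entries.items():
            if addr in dst and (best is None or dst.prefixlen > best[0].prefixlen):
                best = (dst, next_hop)
        return None if best is None else best[1]


def build_example_table():
    """Hypothetical VPC 10.0.0.0/16 with two VSwitches and two custom routes."""
    rt = RouteTable()
    # system routes: one per VSwitch, created together with the VSwitch
    rt.add_system_route("10.0.1.0/24", "vsw-a")
    rt.add_system_route("10.0.2.0/24", "vsw-b")
    # custom routes an administrator adds: a default route through a NAT instance
    # and the on-premises range through a VPN gateway instance (both made up)
    rt.add_custom_route("0.0.0.0/0", "i-nat-instance")
    rt.add_custom_route("192.168.0.0/16", "i-vpn-gateway")
    return rt


def quota_demo():
    """How many of 49 custom routes a fresh table accepts (the limit is 48)."""
    rt = RouteTable()
    return sum(rt.add_custom_route("10.%d.0.0/16" % i, "i-hypothetical") for i in range(49))
```

In this model a destination inside the VPC CIDR but outside every VSwitch (10.0.3.7 in the example) has no system route and therefore falls through to the custom default route, which is worth checking before adding a 0.0.0.0/0 entry pointing at a NAT instance: every instance in the VPC, in every VSwitch, is affected by that single entry.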

Elastic IP addresses

An Elastic IP address is a NAT IP address. It resides on the public network gateway of Alibaba Cloud and is mapped by NAT to the private network gateway of the ECS instance it is bound to. The bound ECS instance can therefore communicate with the Internet without exposing its own private IP address. Elastic IP addresses are public IP address resources that you can purchase separately and bind to any ECS instance in any VPC; an ECS instance with an Elastic IP address can communicate with the Internet.
Note: Currently only ECS instances support binding an Elastic IP address. Refer to Bind an Elastic IP address for information on how to purchase and bind one.

Elastic IP address features

Independently purchased and possessed
You can purchase an Elastic IP address on its own, without bundling it with computing or storage resources, and hold it as a separate resource in your account.

Binding with computing resources
You can bind an Elastic IP address to an ECS instance in any VPC to make the instance reachable from the Internet, and unbind it when Internet communication is no longer needed.

Configurable network capabilities
You can adjust the bandwidth of an Elastic IP address as needed; bandwidth changes take effect immediately.

Differences between EIP and ECS public IP

The following table lists the differences between Elastic IP addresses and ECS public IP addresses.

Comparison item                                    | Elastic IP address | ECS public IP address
Network environment type                           | VPC                | Classic network
Independently possessed                            | Yes                | No
Dynamically bound to and unbound from ECS          | Yes                | No
Visible on the network adapter of the ECS instance | No                 | Yes

Limitations
- An Elastic IP address can only be bound to an ECS instance in a VPC. Instances in the classic network are not supported.
- The ECS instance to be bound must not already have a public IP address.
- One ECS instance can be bound to only one Elastic IP address, and one Elastic IP address can be bound to only one ECS instance.
- The Elastic IP address and the bound ECS instance must be in the same region.
- A single account can hold a maximum of 20 Elastic IP addresses.

VPC terminology

Term                        | Description
Virtual Private Cloud (VPC) | A private network established in Alibaba Cloud. It is logically isolated from other virtual networks in Alibaba Cloud. Alibaba Cloud VPC enables you to launch and use Alibaba Cloud resources in your own VPC.
VSwitch                     | A basic network device of a VPC, used to connect the cloud product instances in one subnet of the VPC.
VRouter                     | The hub of the VPC; it connects all VSwitches in the VPC and serves as the gateway device connecting the VPC to other networks.
Route table                 | A list of route entries on a VRouter.
Route entry                 | Each entry in a route table. A route entry defines the next hop for network traffic destined for a specified CIDR block.

Limits of Use

VPC

Restriction                              | Limit for normal users                                          | Exemption by ticket
Maximum VPCs per account                 | 5                                                               | Supported
Supported CIDR blocks for VPCs           | 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 and their subnets     | Supported
Maximum VRouters per VPC                 | 1                                                               | Unsupported
Maximum VSwitches per VPC                | 24                                                              | Unsupported
Maximum routing tables per VPC           | 1                                                               | Unsupported
Maximum route entries per routing table  | 48                                                              | Supported
Maximum cloud product instances per VPC  | 5000                                                            | Unsupported

Note: VPC does not support broadcast or multicast, for performance and security reasons. If you need broadcast or multicast, submit a ticket to Alibaba Cloud.

Default VPC
- There is exactly one default VPC per region.
- The CIDR block of a default VPC is always a /16 netmask (172.31.0.0/16), which provides up to 65536 private IP addresses.
- The default VPC does not count against the VPC quota that Alibaba Cloud allocates to you.
- The default VPC is created by the system; all VPCs created by you are non-default VPCs.
- The operations and limits are the same for default and non-default VPCs.

VSwitch
- A VSwitch is a Layer 3 switch, so it does not support Layer 2 functions.
- A VSwitch itself does not limit the number of cloud product instances. The number of instances that can be attached to a VSwitch depends on the number of cloud product instances in the VPC; currently a maximum of 5000 cloud product instances can be created in a VPC.
- VSwitch CIDR blocks cannot be modified.

Default VSwitch
- There is exactly one default VSwitch per Availability Zone.
- The CIDR block of a default VSwitch is always a /20 netmask (for example 172.31.0.0/20), which provides up to 4096 private IP addresses.
- The default VSwitch does not count against the VSwitch quota that Alibaba Cloud allocates to you.
- The default VSwitch is created by the system; all VSwitches created by you are non-default VSwitches.
- The operations and limits are the same for default and non-default VSwitches.

VRouter and routing table
- Each VPC has exactly one VRouter.
- The VRouter does not support dynamic routing protocols such as BGP or OSPF.
- Each VRouter has exactly one routing table.
- Route entries in the routing table apply to all cloud product instances in the VPC. Source-address policy routing, per VSwitch or per cloud product instance, is currently not supported.

ECS instance migration

VPC allows you to migrate an ECS instance from one VSwitch to another VSwitch under the same VRouter within a VPC.
Note: The following operations are not supported:
- Migrating an ECS instance across VRouters.
- Migrating an ECS instance from a VPC to the classic network.

Release notes

Release date      | Changes
August 4, 2015    | Alibaba Cloud VPC fully launched, providing the Virtual Private Cloud (VPC), VRouter, RouteTable and VSwitch services.
December 28, 2015 | VPC supports Resource Access Management (RAM).
March 29, 2016    | Overall review of the documentation.
March 30, 2016    | The default VPC function was released.

Related resources

Forum: To visit the forum, click here.

Contact us
Ticket: https://workorder.console.aliyun.com/console.htm?spm=5176.1879446.1001.2.j4nqcg#/ticket/list/
Presales consultation: 400-118-3456 (5 8)
Customer service:
- Cloud product (such as ECS, RDS and SLB) consultation: 0571-85025885
- HiChina product (such as domain names, mailboxes, virtual machines) consultation: 400 600 8500
- Filing assistance: 400 600 8500 (ext. 3)