Best Practices
Issue 01
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
Contents
1 Connecting Two VPCs in Different Regions
2 Connecting Multiple VPCs Across Regions
3 Communication Between an On-premises Data Center and Multiple VPCs in Different Cloud Regions
4 Working with SNAT to Access the Internet Outside China from the Private Network
5 Working with DNAT to Allow Access to the Private Network from the Internet Outside China
6 Accelerating Access to a Website Across Regions
7 Accessing OBS Across Regions by Using Cloud Connect and VPCEP
1 Connecting Two VPCs in Different Regions
Scenarios
Suppose your company has two branches, one in Beijing and the other in Hong Kong, and the two branches require private network communication and data transmission. What you need is a cloud connection that links the VPC in the CN North-Beijing region to the VPC in the AP-Hong Kong region, so that a network is built between the two VPCs and the two branches can communicate with each other through this network. The following figure shows the scenario.
Figure 1-1 Communications between VPCs in different cloud regions
Solution Design
Configuration Procedure
1. Complete the cross-border application.
2. Create a cloud connection.
3. Load the two VPCs.
4. Buy a bandwidth package.
5. Configure an inter-region bandwidth.
Table 1-1 Resource information
Region | VPC | Subnet | Other CIDR Block
CN North-Beijing1 | VPC-01 | subnet-1 (192.168.1.0/24) | 192.168.44.0/24
AP-Hong Kong | VPC-e725 | subnet-e730 (192.168.0.0/24) | 192.168.11.0/24
Prerequisites
Complete the cross-border application.
Step 1 Offline material preparation
1. Log in to the management console.
2. Under Network, click Cloud Connect.
3. In the navigation pane on the left, choose Cloud Connect > Cross-Border Application.
4. Click Download Materials.
5. Print and sign the Cloud Connect Cross-Border Circuit Service Agreement and China Unicom Letter of Commitment to Information Security of the Cross-Border Circuit Service, and stamp your company's official seal.
6. Prepare a scanned copy of the business license, Cloud Connect Cross-Border Circuit Service Agreement, and China Unicom Letter of Commitment to Information Security of the Cross-Border Circuit Service, respectively. Ensure that all materials are stamped with your company's official seal.
Step 2 Online cross-border application
1. Log in to the management console.
2. Under Network, click Cloud Connect.
3. In the navigation pane on the left, choose Cloud Connect > Cross-Border Application.
4. Click Submit Application.
5. Fill in the enterprise and representative information, and upload the prepared materials.
6. Click Submit.
After the application is submitted, the status of the cross-border application is Pending approval. The review takes about one working day. When the status becomes Approved, the cross-border application is completed.
----End
Procedure
1. Create a cloud connection.
b. Under Network, click Cloud Connect.
c. Click Create Cloud Connection. On the displayed page, set the parameters and click OK.
Figure 1-2 Creating a cloud connection
2. Load network instances.
a. Locate cloud connection cloudconnect-001 and click its name.
b. Click Load Network Instance.
c. Set other parameters based on Table 1-2 and then click OK.
Table 1-2 Parameter description
Parameter | Description | Example Value
Account | Specifies whether a network instance will be loaded across accounts. | Current account
Region | Specifies the region where the VPC to be connected is located. | CN North-Beijing1; AP-Hong Kong
Instance Type | Specifies the type of the network instance to be loaded to the cloud connection. Two options are available: VPC and Virtual gateway. |
VPC | Specifies the name of the VPC that needs to be loaded to the cloud connection for communication. This parameter is mandatory when Instance Type is set to VPC. | CN North-Beijing1: VPC-01; AP-Hong Kong: VPC-e725
VPC CIDR Block | Specifies the subnets of the VPC to be loaded and custom CIDR blocks. If Instance Type is set to VPC, configure the following two parameters: Subnet: select one or all subnets of the VPC. Other CIDR Block: add one or more custom CIDR blocks as needed. | Subnet: CN North-Beijing1: subnet-1 (192.168.1.0/24); AP-Hong Kong: subnet-e730 (192.168.0.0/24). Other CIDR block: CN North-Beijing1: 192.168.44.0/24; AP-Hong Kong: 192.168.11.0/24
Figure 1-3 Loading network instances
3. Buy a bandwidth package.
By default, the cross-region communication bandwidth of a cloud connection is 10 Kbit/s, which is used only for connectivity tests. To enable communication between different cloud regions that are in the same geographic region or in different geographic regions, you need to purchase a bandwidth package, bind it to a cloud connection, and configure the inter-region bandwidth.
a. Under Network, click Cloud Connect.
b. In the navigation pane on the left, choose Cloud Connect > Bandwidth Packages.
c. Click Buy Bandwidth Package.
d. Set the parameters based on Table 1-3 and click Buy Now.
Figure 1-4 Buying a bandwidth package
Table 1-3 Parameter description
Parameter | Description | Example Value
Billing Mode | Specifies how a bandwidth package is billed. You can purchase it by year or month as desired. | Yearly/Monthly
Name | Specifies the bandwidth package name. The name contains 1 to 64 characters, including digits, letters, hyphens (-), underscores (_), and periods (.). |
Billed By | Specifies by what a bandwidth package is billed. | Bandwidth
Bandwidth Package Applicability | Specifies whether the bandwidth package is used for communication within a geographic region or between geographic regions. Two options are available: Intra-geographic region indicates that the cloud regions for which inter-region bandwidths are to be configured are in the same geographic region; Inter-geographic region indicates that the cloud regions for which inter-region bandwidths are to be configured are in different geographic regions. | Inter-geographic region
Geographic Region | Specifies the geographic region where the regions for which inter-region bandwidths are to be configured are located. | Chinese mainland; Asia-Pacific
Bandwidth | Specifies the bandwidth in the unit of Mbit/s. It is the sum of all inter-region bandwidths configured based on the bandwidth package. Plan the bandwidth based on network conditions. | 5
Required Duration | Specifies how long the bandwidth package is used. Automatic renewal is supported. | 1 month
Cloud Connection | Specifies the cloud connection to which you want to bind the bandwidth package. Two options are available: Bind now and Bind later. | Bind now
Go back to the bandwidth package in the bandwidth package list. If Status becomes Normal, the bandwidth package has been purchased.
4. Configure an inter-region bandwidth.
a. Log in to the management console.
b. Click in the upper left corner to select a region and a project.
c. Under Network, click Cloud Connect.
d. In the cloud connection list, click the name of the created cloud connection.
e. Click Inter-Region Bandwidths.
f. Click Configure Inter-Region Bandwidth and set the parameters based on Table 1-4.
Table 1-4 Parameter description
Parameter | Description | Example Value
Regions | Specifies the two regions between which network communication is required. | CN North-Beijing1; AP-Hong Kong
Bandwidth Package | Specifies the bandwidth package bound to the cloud connection. | bandwidthPackge-8047 (Chinese mainland – Asia Pacific)
Bandwidth | Specifies the bandwidth required for communication between the two regions in the unit of Mbit/s. The sum of all inter-region bandwidths configured based on the bandwidth package must not exceed the bandwidth of the bandwidth package. Plan the bandwidth in advance. | 5 Mbit/s
g. Click OK.
2 Connecting Multiple VPCs Across Regions
Background
Generally, resources in VPCs in different cloud regions can use EIPs or VPN connections to communicate with each other. However, both EIPs and VPN connections work over the Internet. EIPs are unstable, and data cannot be encrypted, which may cause data leakage. VPN connections use IPsec to encrypt data, so security is guaranteed, but communication may become unstable. In this case, you can use CC to provide a secure, stable, reliable, and high-performance network for communications among VPCs. You need to create a cloud connection, load VPCs in each region to the cloud connection, purchase different types of bandwidth packages, and configure inter-region bandwidths.
Scenarios
Figure 2-1 Cross-region multi-VPC communication (logic diagram)
When configuring CC, pay attention to the following:
● Subnet CIDR blocks of the VPCs cannot overlap or conflict with each other.
● Existing route entries, including those added for VPC Peering, Direct Connect, or the VPN service, cannot conflict with the routes of subnets loaded to the cloud connection.
Prerequisites
● VPCs and subnets that need to communicate with each other across regions have been created.
● Your account has sufficient balance to purchase bandwidth packages.
● In this practice, since two VPCs reside outside the Chinese mainland, a cross-border application must be submitted. Before purchasing bandwidth packages, you need to prepare materials for the cross-border application to China Unicom according to the regulations of the Ministry of Industry and Information Technology. Skip this step if your business does not cross the border of the Chinese mainland (for example, communication across regions within the Chinese mainland or across regions outside the Chinese mainland).
Procedure
Step 1 Create a cloud connection.
A cloud connection works as a private network for VPCs or virtual gateways loaded to it for communications with each other. To create a cloud connection, perform the following steps:
1. Log in to the management console.
Figure 2-2 Accessing the CC console
3. On the Cloud Connect page, click Create Cloud Connection.
Figure 2-3 Create Cloud Connection
4. (Optional) In the Create Cloud Connection dialog box, enter the name and description of the cloud connection.
Figure 2-4 Configuring the parameters
Table 2-1 Parameter description
Parameter | Description | Example Value
Name | Specifies the cloud connection name. The value can contain only letters, digits, underscores (_), and hyphens (-). | CloudConnect
Description | Provides supplementary information about the cloud connection. Generally, the value contains a maximum of 255 characters. | A Cloud Connect instance for Demo
5. Click OK.
Step 2 Load network instances.
Load the network instances that need to communicate with each other to the created cloud connection. To load network instances to a cloud connection, perform the following steps:
1. Locate the newly created cloud connection from the cloud connection list and then click its name CloudConnect.
Figure 2-5 Locating the cloud connection
NOTE
You can view information about the cloud connection, such as its name, ID, status, creation time, and description. The following four tabs are displayed: Network Instances, Bandwidth Packages, Inter-Region Bandwidths, and Route Information.
Figure 2-6 Cloud connection details
3. In the Load Network Instance dialog box, select CN East-Shanghai1 for Region and VPC for Instance Type, select the VPC and its subnets in East China, and click OK.
Figure 2-8 Loading a network instance
4. Repeat the preceding operations to load the other VPC in the CN East-Shanghai2 region, the VPC in the AP-Hong Kong region, and the VPC in the AF-Johannesburg region to the cloud connection.
NOTE
After the loading is complete, the VPCs in the three regions are on the same network. You can view VPC route entries in each region on the Route Information tab page. For connectivity tests, CC allocates 10 kbit/s bandwidth between two regions by default. You can ping an ECS in one VPC to an ECS in another VPC to check the network connectivity between the two VPCs. VPCs in the same cloud region can communicate with each other by default after they are loaded to one cloud connection. You do not need to buy a bandwidth package.
Step 3 Submit an application.
Figure 2-9 Cross-border application
2. View the three steps required for completing a cross-border application. Click Download Materials to download the document templates and examples.
Figure 2-10 Downloading material templates
3. After all materials are ready, click Cross-Border Application to complete the information and upload the prepared materials.
4. Click Submit and wait for the approval from the provider, which requires one working day.
Step 4 Buy bandwidth packages.
The default inter-region bandwidth of a cloud connection is 10 kbit/s, which is used for testing connectivity only.
To enable cross-region communication, you need to purchase bandwidth packages and bind the purchased packages to the cloud connection.
1. Locate the created cloud connection and click its name to go to the details page. Under Bandwidth Packages, click Buy Bandwidth Package.
Figure 2-12 Buying a bandwidth package (1)
2. On the Buy Bandwidth Package page, set the name, billing mode, bandwidth package applicability, geographic region, bandwidth size, and required duration, determine whether to enable automatic renewal, and determine whether to bind the purchased bandwidth package to the cloud connection right now. When setting the bandwidth package applicability, select Inter-geographic region because two of the VPCs are outside the Chinese mainland.
a. To enable network communication between the CN East-Shanghai2 region and the AP-Hong Kong region, select Chinese mainland and Asia Pacific as geographic regions, and set the bandwidth to 30 Mbit/s.
b. To enable network communication between the CN East-Shanghai2 region and the AF-Johannesburg region, select Chinese mainland and South Africa as geographic regions, and set the bandwidth to 2 Mbit/s.
Figure 2-13 Buying a bandwidth package (2)
3. On the Bandwidth Packages page, view the purchased bandwidth package and its details, including the billing mode, order information, bound cloud connection, used bandwidth, and remaining bandwidth. You can also modify, unbind, renew, and unsubscribe from the bandwidth package.
Figure 2-14 Bandwidth packages
Step 5 Configure inter-region bandwidths.
After you purchase the bandwidth packages, configure the bandwidths for communication between regions on the cloud connection details page.
Figure 2-15 Configuring inter-region bandwidths (1)
2. Select CN East-Shanghai1 and AP-Hong Kong for Regions. The bandwidth package that you have purchased is displayed. Set the bandwidth to 30 Mbit/s. Repeat the preceding steps to configure 2 Mbit/s bandwidth for communication between CN East-Shanghai1 and AF-Johannesburg.
3. View the configured inter-region bandwidths on the Inter-Region Bandwidths tab page.
Now, network communications between the Chinese mainland and Hong Kong, and between the Chinese mainland and South Africa, are established.
3 Communication Between an On-premises Data Center and Multiple VPCs in Different Cloud Regions
Scenarios
You have a VPC in CN East-Shanghai1, CN North-Beijing, and CN South-Guangzhou regions, respectively. The VPC in CN East-Shanghai1 communicates with the on-premises data center through Direct Connect, and on-premises servers need to access resources in other regions.
To achieve this, you can use CC to connect the VPCs in the three regions so that the on-premises data center can access the VPCs in CN South-Guangzhou and CN North-Beijing.
NOTE
When configuring CC, pay attention to the following:
● Subnet CIDR blocks of the VPCs cannot overlap or conflict with each other.
● Existing route entries, including those added for VPC Peering, Direct Connect, or the VPN service, cannot conflict with the routes of subnets loaded to the cloud connection.
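The two CIDR rules in this note (and the identical rules in the multi-VPC scenario of the previous chapter) can be checked before anything is loaded. The following is an added example, not code from this document or from Huawei: the plan uses the subnets and custom CIDR blocks from Table 1-1, the existing-route entry is a constructed Direct Connect/VPN destination, and the check relies only on Python's standard ipaddress module.

```python
"""Pre-flight check for loading VPCs to a cloud connection: blocks loaded
from different VPCs must not overlap, and routes a VPC already has (VPC
Peering, Direct Connect, VPN) must not conflict with the routes the cloud
connection will inject for the other VPCs' blocks. Added example, not
Huawei code."""
from ipaddress import ip_network
from itertools import combinations

# Constructed plan: (region, VPC) -> subnets and custom CIDR blocks to load.
# The values are the ones in Table 1-1 of this document.
PLAN = {
    ("CN North-Beijing1", "VPC-01"): ["192.168.1.0/24", "192.168.44.0/24"],
    ("AP-Hong Kong", "VPC-e725"): ["192.168.0.0/24", "192.168.11.0/24"],
}

# Constructed: destinations a VPC already routes through another service.
# Here the Beijing VPC is assumed to reach 192.168.11.0/24 over an existing
# VPN, which collides with the custom block Hong Kong will load.
EXISTING_ROUTES = {
    ("CN North-Beijing1", "VPC-01"): ["192.168.11.0/24"],
}


def _name(inst):
    region, vpc = inst
    return f"{vpc} in {region}"


def parse_blocks(blocks):
    """Parse CIDR strings strictly: '192.168.1.5/24' (host bits set) raises
    ValueError, so a mistyped block is caught instead of silently normalised."""
    return [ip_network(b, strict=True) for b in blocks]


def find_overlaps(plan):
    """Pairs of blocks from *different* network instances that overlap.
    Each finding: (instance_a, block_a, instance_b, block_b)."""
    found = []
    for (inst_a, blocks_a), (inst_b, blocks_b) in combinations(plan.items(), 2):
        for a in parse_blocks(blocks_a):
            for b in parse_blocks(blocks_b):
                if a.overlaps(b):
                    found.append((inst_a, str(a), inst_b, str(b)))
    return found


def find_route_conflicts(plan, existing_routes):
    """An existing destination in one VPC that overlaps a block another VPC
    will load: after loading, the injected route and the existing route
    compete for the same destination."""
    found = []
    for inst, routes in existing_routes.items():
        for route in parse_blocks(routes):
            for other, blocks in plan.items():
                if other == inst:
                    continue
                for blk in parse_blocks(blocks):
                    if route.overlaps(blk):
                        found.append((inst, str(route), other, str(blk)))
    return found


def check_plan(plan, existing_routes=None):
    """Human-readable findings; an empty list means the plan may be loaded."""
    msgs = [f"{_name(a)} {ba} overlaps {_name(b)} {bb}"
            for a, ba, b, bb in find_overlaps(plan)]
    for inst, route, other, blk in find_route_conflicts(plan, existing_routes or {}):
        msgs.append(f"{_name(inst)} already routes {route} elsewhere; "
                    f"it conflicts with {blk} loaded from {_name(other)}")
    return msgs


if __name__ == "__main__":
    for line in check_plan(PLAN, EXISTING_ROUTES) or ["plan is clean"]:
        print(line)
```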
Prerequisites
● VPCs and subnets that need to communicate with each other across regions have been created.
● All VPC subnets have been configured in the equipment room of your data center.
● Your account has sufficient balance to purchase bandwidth packages.
Procedure
Step 1 Configure Direct Connect.
1. Create a Direct Connect connection.
a. Log in to Direct Connect console. In the upper right corner of the Connections page, click Create Connection.
b. On the Create Connection page, enter information about the equipment room, location, and port based on Table 3-1.
Table 3-1 Parameter description
Parameter | Description | Example Value
Your Equipment Room Address | Specifies the address of your equipment room. The address must be specific to the floor on which your equipment room is located, for example, Equipment Room XX, Building XX, No. XX, Huajing Road, Fengdong District, Shanghai. | N/A
Region | Specifies the region where the connection resides. You can change the region here, or use the region selector in the upper left corner of the console. | CN South-Guangzhou
Location | Specifies the location where your leased line can access. | Guangzhou1-Huaxinyuan
Carrier | Specifies the carrier that provides the leased line. | China Telecom
Name | Specifies the connection name. Enter |
Port Type | Specifies the type of the port used by the connection. There are two types of ports: 1GE single-mode optical port and 10GE single-mode optical port. | 1GE single-mode optical port
Billing Mode | Specifies the billing mode of the connection. Currently, only Yearly/Monthly is supported. | Yearly/Monthly
Required Duration | Specifies how long the connection is used. | 5 months
Auto-renew | Specifies whether to automatically renew the connection to ensure service continuity. It is recommended that the renewal duration be the same as the subscription duration. If the required duration is three months, the system automatically renews the subscription for three months. | 5 months
Contact Person Name/Contact Number/Contact Email | Specifies information about the person who is responsible for your connection. If the contact information is not provided, your account information will be queried, which increases the review period. | Tom; +852 92345789 (Hong Kong); [email protected]
Leased Line Bandwidth | Specifies the bandwidth of the connection in the unit of Mbit/s. Select a value from the drop-down list. This is the bandwidth of the leased line you bought from the carrier. | 1,000
Description | Provides supplementary information about the connection. | N/A
c. Click Next and complete the payment.
2. Connect your environment to the location.
a. After the payment is complete, switch back to the connection list. Locate the newly created connection, click Apply for LOA in the Operation column, and then enter information about the construction plan and equipment room LOA as prompted.
c. After the LOA is approved, arrange the carrier for construction. Click Download LOA, save and print the LOA, and contact your carrier. The carrier and construction personnel must carry the LOA when entering the construction site.
d. After the cabling is complete, obtain the line code and in-building cable label from your carrier and click Report Completion of Construction. Before reporting the project completion, you need to obtain the line code and cable label from the carrier.
e. Wait for HUAWEI CLOUD's construction to complete. HUAWEI CLOUD engineers connect the leased line to the HUAWEI CLOUD gateway port.
f. After the construction is completed, click Confirm Completion in the Operation column.
g. Click Confirm. The connection status changes to Normal.
NOTE
LOA application, cabling by the carrier, and HUAWEI CLOUD construction involve coordination with the equipment room operator, and the time required may be affected by special situations such as holidays and policies.
3. Create a virtual gateway.
After creating a connection, you need to create a virtual gateway to associate it with the VPC to be accessed (that is, the one in South China).
a. Log in to the management console.
b. Under Network, click Direct Connect.
c. In the navigation pane on the left, choose Virtual Gateways.
d. Click Create Virtual Gateway.
Figure 3-2 Create Virtual Gateway
Table 3-2 Parameter description
Parameter | Description | Example Value
Name | Specifies the virtual gateway name. The value contains 1 to 64 characters. | vgw-dc-cc
VPC | Specifies the VPC associated with the virtual gateway. | VPC-GuangZhou
Subnet CIDR Block | Specifies CIDR blocks of the subnets in the VPC to be accessed using Direct Connect. | 192.168.1.0/24, 192.168.3.0/24, 192.168.5.0/24
Description | Provides supplementary information about the virtual gateway. The value contains 0 to 128 characters. |
NOTE
Add all VPC subnets.
f. Click OK.
When the virtual gateway status becomes Normal, the virtual gateway has been created.
4. Create a virtual interface.
After the connection and the virtual gateway are ready, you need to create a virtual interface so that your network can access the VPC in South China.
a. Log in to the management console.
b. Under Network, click Direct Connect.
c. In the navigation pane on the left, choose Virtual Interfaces.
d. Click Create Virtual Interface in the upper right corner.
e. Set the parameters based on Table 3-3.
Figure 3-3 Create Virtual Interface
Table 3-3 Parameter description
Parameter | Description | Example Value
Region | Specifies the region where the connection resides. You can change the region here, or use the region selector in the upper left corner of the console. |
Name | Specifies the virtual interface name. The value contains 1 to 64 characters. | vif-dc-cc
Connection | Specifies the connection you can use to connect your environment to HUAWEI CLOUD. | dc-cc
Virtual Gateway | Specifies the virtual gateway to which the virtual interface connects. | vgw-dc-cc
VLAN | Specifies the VLAN in which the virtual interface works. You need to configure the VLAN if you buy a connection through self-service. The VLAN for a hosted connection is allocated by the carrier or partner, and you do not need to configure it. | 25
Bandwidth | Specifies the bandwidth that can be used by the virtual interface in the unit of Mbit/s. The bandwidth cannot exceed that of the connection. | 500
Local Gateway | Specifies the IP address of the network interface on the HUAWEI CLOUD side. | 192.168.4.2/30
Remote Gateway | Specifies the network IP address for connecting to your environment. The IP address of the remote gateway must be in the same network segment as that of the local gateway, and it is recommended that both IP addresses use a 30-bit mask. | 192.168.4.1/30
Remote Subnet | Specifies the subnets and masks of your network. If there are multiple subnets, use commas (,) to separate them. |
Routing Mode | Specifies the routing mode. Two options are available: static routing and BGP routing. If there are two or more connections, select BGP routing. | BGP
BGP ASN | Specifies the ASN of the BGP peer. The value ranges from 1 to 65535, with the exception of 64512, which is reserved by HUAWEI CLOUD. This parameter is required when BGP routing is selected. | 12345
BGP MD5 Authentication Key | Specifies the password used to authenticate the BGP peer using MD5. The value is case sensitive and cannot contain spaces or Chinese characters. This parameter is mandatory when BGP routing is selected, and the parameter values on both gateways must be the same. | 12345678
Description | Provides supplementary information about the virtual interface. The value contains 0 to 128 characters. | N/A
f. Click Submit. When the status of the virtual interface becomes Normal, the virtual interface has been created.
g. Ping the IP address of a server in the VPC from your environment to test network connectivity. Now your environment can connect to HUAWEI CLOUD and access the desired VPC.
Step 2 Configure CC.
1. Create a cloud connection.
A cloud connection works as a private network for VPCs or virtual gateways loaded to it for communications with each other.
a. Log in to the management console.
Figure 3-4 Cloud Connect
d. On the Cloud Connect page, click Create Cloud Connection.
Figure 3-5 Create Cloud Connection
e. Set the parameters based on Table 3-4.
Table 3-4 Parameter description
Parameter | Description | Example Value
Name | Specifies the cloud connection name. The value contains 1 to 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). | CloudConnect
Description | Provides supplementary information about the cloud connection. The value contains 0 to 255 characters. | A cloud connection for demo
f. Click OK.
2. Load network instances.
Load the network instances that need to communicate with each other to the created cloud connection. A network instance can be a VPC or a virtual gateway.
NOTE
On the displayed page, you can view information about the cloud connection, such as its name, ID, status, creation time, and description. The following four tabs are displayed: Network Instances, Bandwidth Packages, Inter-Region Bandwidths, and Route Information.
Figure 3-6 Cloud connection details
b. Under Network Instances, click Load Network Instance.
Figure 3-7 Load Network Instance
c. In the Load Network Instance dialog box, select CN South-Guangzhou for Region and VPC for Instance Type, select the VPC and its subnets in South China, and click OK.
NOTE
To communicate with the equipment room of the data center, you need to add a custom subnet.
d. Repeat the preceding operations to load the VPCs in North China and East China to the cloud connection.
NOTE
After the loading is complete, the VPCs in the three regions are on the same network. You can view VPC route entries in each region on the Route Information tab page.
Figure 3-10 Route Information
For connectivity tests, CC allocates 10 kbit/s bandwidth between two regions by default. You can ping an ECS in one VPC to an ECS in another VPC to check the network connectivity between the two VPCs. VPCs in the same cloud region can communicate with each other by default after they are loaded to one cloud connection. You do not need to buy a bandwidth package.
3. Buy a bandwidth package.
The default inter-region bandwidth of a cloud connection is 10 kbit/s, which is used for testing connectivity only.
To enable cross-region communication, you need to purchase bandwidth packages and bind the purchased packages to the cloud connection.
a. On the CC console, click the name of the newly created cloud connection. On the details page of the cloud connection, choose Bandwidth Packages > Buy Bandwidth Package.
Figure 3-11 Buy Bandwidth Package
b. When setting the bandwidth package applicability, select Intra-geographic region because all three VPCs are in the Chinese mainland, and set the bandwidth to 3 Mbit/s.
● 1 Mbit/s bandwidth is required for network communication between the VPCs in East China and North China.
After you have purchased the bandwidth package, bind it to the created cloud connection. Confirm the configuration and click Buy Now.
Figure 3-12 Buying a bandwidth package
NOTE
On the Buy Bandwidth Package page, you can set the bandwidth package name, billing mode, applicability, geographic region, bandwidth size, and required duration, determine whether to enable automatic renewal, and determine whether to bind the purchased bandwidth package to the cloud connection right now.
c. On the Bandwidth Packages page, view the purchased bandwidth package and its details, including the billing mode, order information, bound cloud connection, used bandwidth, and remaining bandwidth. You can also modify, unbind, renew, and unsubscribe from the bandwidth package.
4. Configure inter-region bandwidths.
The default inter-region bandwidth of a cloud connection is 10 kbit/s, which is used for testing connectivity only.
After you purchase the bandwidth package, configure the bandwidths for communications among VPCs.
Figure 3-13 Inter-Region Bandwidths
b. Select CN East-Shanghai1 and CN North-Beijing1 for Regions. The bandwidth package that you have purchased is displayed. Set the bandwidth to 1 Mbit/s.
Repeat the preceding operations to allocate 1 Mbit/s bandwidth for communication between CN East-Shanghai1 and CN South-Guangzhou, and 1 Mbit/s bandwidth for communication between CN North-Beijing1 and CN South-Guangzhou.
c. View the configured inter-region bandwidths on the Inter-Region Bandwidths tab page.
----End
Verification
2. Ping one ECS in the other two VPCs and an ECS in your data center from an ECS in the CN North-Beijing1 region.
4. View the route information.
4 Working with SNAT to Access the Internet Outside China from the Private Network
Scenarios
This practice provides detailed operations for accessing the Internet outside China by using CC, VPN, and NAT Gateway.
Figure 4-1 shows the networking diagram.
Figure 4-1 Networking
NOTE
● In this practice, you can consider the VPC in CN East-Shanghai1 as the on-premises network.
● The network outside China is 8.8.8.0/24, and 8.8.8.8 is the only IP address for test.
● Your account must have permissions for cross-border network communication. If you do not have the permissions, you can authorize others to load the VPCs to a cloud connection.
Procedure
Step 1 Create VPCs.
For details, see Creating a VPC.
● VPC in CN East-Shanghai1: 172.18.0.0/24
● VPC in CN North-Beijing4: 172.16.0.0/24
● VPC in AP-Hong Kong: 172.17.0.0/24
Step 2 Configure the VPN service.
Buy a VPN gateway and a VPN connection to connect networks in CN North-Beijing4 and CN East-Shanghai1.
For details, see Buying a VPN Gateway and Buying a VPN Connection.
● Gateway and subnet configuration for CN North-Beijing4:
– Local subnets: 172.16.0.0/24, 172.17.0.0/24, and 8.8.8.0/24
– Remote gateway: 223.223.223.223
– Remote subnet: 172.18.0.0/24
● Gateway and subnet configuration for CN East-Shanghai1:
– Local subnet: 172.18.0.0/24
– Remote gateway: 49.49.49.49
– Remote subnets: 172.16.0.0/24, 172.17.0.0/24, and 8.8.8.0/24
NOTE
When configuring the VPN connection between CN North-Beijing4 and CN East-Shanghai1, ensure that the local subnets in CN North-Beijing4 and the remote subnets in CN East-Shanghai1 contain the network outside China (8.8.8.0/24) so that this network can be pinged.
Step 3 Configure CC.
1. Create a cloud connection.
For details, see Creating a Cloud Connection.
2. Load the VPCs.
For details, see Loading a Network Instance.
3. Add custom CIDR blocks.
For details, see Adding a Custom CIDR block.
– Custom CIDR blocks for CN North-Beijing4: 172.18.0.0/24 and 172.16.0.0/24
– Custom CIDR blocks for AP-Hong Kong: 172.17.0.0/24 and 8.8.8.0/24
NOTE
To enable communications among all nodes, you need to add all local subnets.
4. Buy a bandwidth package.
The default inter-region bandwidth of a cloud connection is 10 kbit/s, which is used for testing connectivity only.
For details, see Buying a Bandwidth Package.
5. Configure an inter-region bandwidth.
For details, see Configuring an Inter-Region Bandwidth.
Step 4 Buy an ECS in CN North-Beijing4, CN East-Shanghai1, and AP-Hong Kong, respectively.
● Private IP address of the ECS in CN North-Beijing4: 172.16.0.3
● Private IP address of the ECS in CN East-Shanghai1: 172.18.0.3
● Private IP address of the ECS in AP-Hong Kong: 172.17.0.3
Step 5 Buy an EIP and configure a NAT gateway.
Buy an EIP in the AP-Hong Kong region, buy a NAT gateway, and create SNAT rules for the following CIDR blocks:
For details, see Assigning an EIP and Binding It to an ECS and Adding an SNAT Rule.
● VPC CIDR block: 172.17.0.0/24
● Direct Connect/CC CIDR block: 172.18.0.0/24
● Direct Connect/CC CIDR block: 172.16.0.0/24
NOTE
The SNAT rules give the ECSs in all three VPCs Internet access through the Hong Kong EIP, which is what lets them ping the network outside China (8.8.8.0/24). Each Direct Connect/CC rule makes the Hong Kong NAT gateway the Internet egress for a remote VPC, so list only the CIDR blocks that actually need this path.
----End
Verification
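Before testing connectivity, it is worth checking that the address plan above is internally consistent, because a VPN subnet that is not mirrored on the peer, a VPC without a custom CIDR block, or a VPC missing from the SNAT rules all fail silently as "ping does not work". The following script is an added example, not part of the Huawei documentation or of any Huawei tool; it encodes the CIDR blocks from Steps 1 to 5 as data (the region names and values are copied from the text) and checks the properties the procedure relies on. The checks generalise to any plan of the same shape, so you can paste your own blocks into the dictionaries.

```python
"""Consistency check of the cross-region address plan in Steps 1 to 5.

Added example, not Huawei code. Verifies that VPC CIDRs do not overlap, that
the two VPN gateways mirror each other's subnets, that every VPC CIDR appears
among the custom CIDR blocks of exactly one region (the note in Step 3 says
to add all local subnets), and that the SNAT rules in Hong Kong cover every
VPC that must reach 8.8.8.0/24.
"""
import ipaddress
from itertools import combinations

Net = ipaddress.IPv4Network

# Step 1: VPC CIDR blocks.
VPCS = {
    "CN East-Shanghai1": Net("172.18.0.0/24"),
    "CN North-Beijing4": Net("172.16.0.0/24"),
    "AP-Hong Kong": Net("172.17.0.0/24"),
}
# The public range this practice uses as its "network outside China" test target.
OUTSIDE_CHINA = Net("8.8.8.0/24")

# Step 2: local/remote subnets of the two VPN gateways.
VPN = {
    "CN North-Beijing4": {
        "local": [Net("172.16.0.0/24"), Net("172.17.0.0/24"), OUTSIDE_CHINA],
        "remote": [Net("172.18.0.0/24")],
    },
    "CN East-Shanghai1": {
        "local": [Net("172.18.0.0/24")],
        "remote": [Net("172.16.0.0/24"), Net("172.17.0.0/24"), OUTSIDE_CHINA],
    },
}

# Step 3: custom CIDR blocks loaded into the cloud connection, per region.
CC_CUSTOM_CIDRS = {
    "CN North-Beijing4": [Net("172.18.0.0/24"), Net("172.16.0.0/24")],
    "AP-Hong Kong": [Net("172.17.0.0/24"), OUTSIDE_CHINA],
}

# Step 5: source CIDR blocks of the SNAT rules on the Hong Kong NAT gateway.
SNAT_SOURCES = [Net("172.17.0.0/24"), Net("172.18.0.0/24"), Net("172.16.0.0/24")]


def overlapping_vpcs(vpcs):
    """Return pairs of region names whose VPC CIDR blocks overlap."""
    return [(a, b) for (a, na), (b, nb) in combinations(vpcs.items(), 2)
            if na.overlaps(nb)]


def vpn_mismatches(vpn):
    """Return (side, subnet) pairs that are local on one gateway but not remote on the peer.

    An IPsec connection only carries traffic whose source and destination fall
    within a negotiated local/remote subnet pair, so the gateways must mirror
    each other.
    """
    problems = []
    for side, cfg in vpn.items():
        peer = next(name for name in vpn if name != side)
        problems += [(side, s) for s in cfg["local"] if s not in vpn[peer]["remote"]]
    return problems


def uncovered(targets, covering):
    """Return the networks in `targets` that no network in `covering` contains."""
    return [t for t in targets if not any(t.subnet_of(c) for c in covering)]


def ambiguous_cc_routes(custom_cidrs):
    """Return custom CIDR blocks announced from more than one region (a route conflict)."""
    seen = {}
    for region, nets in custom_cidrs.items():
        for net in nets:
            seen.setdefault(net, []).append(region)
    return {net: regions for net, regions in seen.items() if len(regions) > 1}


def check_plan(vpcs=VPCS, vpn=VPN, custom_cidrs=CC_CUSTOM_CIDRS, snat_sources=SNAT_SOURCES):
    """Run every check; an empty list of findings means the plan is consistent."""
    findings = []
    for a, b in overlapping_vpcs(vpcs):
        findings.append(f"VPC CIDR overlap: {a} and {b}")
    for side, subnet in vpn_mismatches(vpn):
        findings.append(f"VPN: {subnet} is local on {side} but not remote on its peer")
    all_custom = [n for nets in custom_cidrs.values() for n in nets]
    for net in uncovered(vpcs.values(), all_custom):
        findings.append(f"CC: no custom CIDR block routes to VPC {net}")
    for net, regions in ambiguous_cc_routes(custom_cidrs).items():
        findings.append(f"CC: {net} is announced from {', '.join(regions)}")
    # Every VPC reaches 8.8.8.0/24 through the Hong Kong NAT gateway (Step 5),
    # so each VPC CIDR must be the source of some SNAT rule.
    for net in uncovered(vpcs.values(), snat_sources):
        findings.append(f"SNAT: source {net} is not covered by any SNAT rule")
    return findings


if __name__ == "__main__":
    for line in check_plan() or ["address plan is consistent"]:
        print(line)
```

Run it with the plan as given and it reports nothing; add a fourth VPC without a matching custom CIDR block or SNAT rule and it names the missing entries, which is the same mistake the notes in Steps 3 and 5 warn about.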
5 Working with DNAT to Allow Access to the Private Network from the Internet Outside China
Scenarios
● This practice provides detailed operations for allowing access from the network outside China.
● A DNAT rule is required so that ECSs in the VPCs in China can provide services accessible from the Internet.
Figure 5-1 shows the networking diagram.
Figure 5-1 Networking
NOTE
In this practice, you can consider the VPC in CN East-Shanghai1 as the on-premises network.
The network outside China is 0.0.0.0/0.
Procedure
Step 1 Create VPCs.
For details, see Creating a VPC.
Ensure that the VPC CIDR blocks do not conflict with each other.
● VPC in CN East-Shanghai1: 172.16.36.0/24
● VPC in AP-Hong Kong: 192.168.120.0/24
Step 2 Configure CC.
1. Create a cloud connection.
For details, see Creating a Cloud Connection.
2. Load the VPCs.
For details, see Loading a Network Instance.
3. Add a custom CIDR block.
For details, see Adding a Custom CIDR block.
Custom CIDR block for AP-Hong Kong: 0.0.0.0/0
NOTE
Adding 0.0.0.0/0 as the custom CIDR block for AP-Hong Kong installs a default route in the cloud connection that points at the VPC hosting the NAT gateway, so traffic to and from the Internet outside China is carried to the Hong Kong VPC.
4. Buy a bandwidth package.
The default inter-region bandwidth of a cloud connection is 10 kbit/s, which is used for testing connectivity only.
For details, see Buying a Bandwidth Package.
5. Configure an inter-region bandwidth.
For details, see Configuring an Inter-Region Bandwidth.
Step 3 Buy an ECS in CN East-Shanghai1.
For details, see Purchasing an ECS.
Private IP address of the ECS in CN East-Shanghai1: 172.16.36.220
Step 4 Buy an EIP and configure a NAT gateway.
Purchase an EIP in AP-Hong Kong, purchase a NAT gateway, and add a DNAT rule. (Select Direct Connect/Cloud Connect when you add the DNAT rule.)
For details, see Assigning an EIP and Binding It to an ECS and Adding a DNAT Rule.
Set the private IP address to 172.16.36.220 when you add the DNAT rule.
NOTE
A DNAT rule publishes the mapped port of 172.16.36.220 to the whole Internet (0.0.0.0/0 in this practice). Map only the ports the service must expose, and use the security group of the ECS (and, if needed, the network ACL of its subnet) to limit inbound sources to the addresses that are expected to connect.
Verification
After the configuration is complete, test the network connectivity and access the corresponding port.
6 Accelerating Access to a Website Across Regions
Scenarios
This practice provides detailed operations for accelerating access to a website across regions.
NOTE
Components required in this scenario include a NAT gateway, a cloud connection, and a web proxy server.
Figure 6-1 shows the networking diagram.
Figure 6-1 Networking
NOTE
In this practice, an HTTP proxy is used for browser-based web access.
Proxy-Client: Prepare a Windows host, configure its proxy settings, and set the proxy address to the EIP in CN East-Shanghai1.
Prerequisites
● Your cross-border application has been approved.
● You have deployed a proxy server based on your network conditions.
NOTE
In this practice, Squid provides the proxy service, and the steps below deploy a Squid proxy server.
Procedure
Step 1 Create VPCs.
For details, see Creating a VPC.
Ensure that the VPC CIDR blocks do not conflict with each other. Add two subnets to the VPC in CN East-Shanghai1.
● Subnet 1: 172.16.100.0/24
● Subnet 2: 172.16.101.0/24
Step 2 Configure CC.
Create a cloud connection, load the VPCs, and add a custom CIDR block.
1. Create a cloud connection.
For details, see Creating a Cloud Connection.
2. Load the VPCs.
When you load the VPC in CN East-Shanghai1, select only subnet 2. For details, see Loading a Network Instance.
3. Add a custom CIDR block.
Add the custom CIDR block 0.0.0.0/0 for the VPC in CN East-Shanghai1. For details, see Adding a Custom CIDR block.
NOTE
The 0.0.0.0/0 custom CIDR block adds a default route from the cloud connection to the NAT gateway, so that Internet traffic arriving through the DNAT rule in Step 5 can reach subnet 2, where Eth 1 of the proxy server sits, and be answered from there.
4. Buy a bandwidth package.
The default inter-region bandwidth of a cloud connection is 10 kbit/s, which is used for testing connectivity only.
For details, see Buying a Bandwidth Package.
5. Configure an inter-region bandwidth.
For details, see Configuring an Inter-Region Bandwidth.
Step 3 Buy an ECS with two NICs in CN East-Shanghai1.
● Eth 0: 172.16.100.100
● Eth 1: 172.16.101.100
NOTE
An EIP is bound to Eth 0 so that the ECS can access the Internet.
Step 4 Configure the Squid proxy server.
Deploy the Squid proxy service on the ECS in CN East-Shanghai1.
Set up the proxy server based on your network conditions in the actual deployment.
NOTE
To ensure correct route forwarding, add a policy-based route on the Squid proxy server so that packets sourced from Eth 1 (172.16.101.100, the address the DNAT rule maps to) leave through the subnet 2 gateway (172.16.101.1 in this practice) instead of the default route on Eth 0. Without it, replies to DNAT traffic that arrived on Eth 1 would exit through Eth 0 and be dropped:
ip rule add from 172.16.101.100 table 100
ip route add default via 172.16.101.1 table 100
These two commands do not survive a reboot; make them persistent through your distribution's network configuration.
In this solution, Squid is installed on the ECS to work as the proxy. The following steps deploy Squid on the server:
1. Install Squid on the server.
yum -y install squid
2. Enable the Squid service to start automatically upon ECS startup, then start it.
systemctl enable squid
systemctl start squid
3. Configure /etc/squid/squid.conf on the server. (Only the items modified in the test environment are shown; adjust other configuration items based on site requirements.)
vi /etc/squid/squid.conf
http_port 31280
acl localnet src 0.0.0.0/0
http_access allow all
http_port sets the listening port, acl localnet src defines the client CIDR block, and the last line replaces the http_access deny all that ends the default file.
NOTE
With acl localnet src 0.0.0.0/0 and http_access allow all, Squid accepts requests from any source. Once the DNAT rule in Step 5 publishes port 31280 on an EIP, this is an open proxy that anyone on the Internet can relay traffic through, and open proxies on public addresses are routinely scanned for and abused. Use this setting only for a short-lived test. Otherwise, set acl localnet src to the public IP address of Proxy-Client (for example 114.119.XX.XX/32), keep http_access allow localnet, and keep http_access deny all as the last rule.
4. Save the modification and restart Squid.
Step 5 Buy two EIPs and configure a NAT gateway.
1. Buy an EIP in CN East-Shanghai1 and bind it to Eth 0 (172.16.100.100). For details, see Assigning an EIP and Binding It to an ECS.
2. Buy a second EIP in CN East-Shanghai1, purchase a NAT gateway, and add a DNAT rule. (Select Direct Connect/Cloud Connect when you add the DNAT rule.) For details, see Assigning an EIP and Binding It to an ECS and Adding a DNAT Rule.
NOTE
Private IP address: the address of Eth 1 on the proxy server (172.16.101.100)
EIP: the EIP (114.119.XX.XX) used by Proxy-Client
Proxy server: an ECS with two NICs in CN East-Shanghai1. Eth 0 is used for Internet access, and Eth 1 is used for the DNAT mapping.
Configuring the DNAT rule enables the proxy server in the VPC to provide services accessible from the Internet. Map only the proxy port (31280), and keep the client restriction in squid.conf, because the DNAT rule itself exposes that port to every Internet address.
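The squid.conf of Step 4 and the DNAT rule of Step 5 together decide who can relay traffic through the proxy, and the safe answer is "only Proxy-Client". The script below is an added example (not Huawei's documentation and not Squid's code) that reads the acl ... src and http_access lines of a squid.conf and emulates Squid's first-match decision for a given client address, so you can check the configuration before the EIP goes live. Two constructed configurations are embedded: the one the text gives, and a restricted variant in which 114.119.0.0 is a placeholder for the page's 114.119.XX.XX. Only src ACLs in CIDR or dotted-mask form and the built-in all are modelled; any other ACL type is assumed to match, which errs toward reporting a proxy as open.

```python
"""Open-proxy check for squid.conf (added example, not Huawei or Squid code).

Squid evaluates http_access lines top to bottom; the first line whose ACLs all
match decides. If no line matches, the opposite of the last line's action
applies, and a file with no http_access lines denies everything.
"""
import ipaddress

# The configuration the text gives in Step 4 (test environment, open to everyone).
SQUID_CONF_OPEN = """\
http_port 31280
acl localnet src 0.0.0.0/0
http_access allow localnet
http_access allow all
"""

# Hardened variant: only Proxy-Client may use the proxy. 114.119.0.0 is a
# placeholder for the page's 114.119.XX.XX, not a real client address.
SQUID_CONF_RESTRICTED = """\
http_port 31280
acl localnet src 114.119.0.0/32
http_access allow localnet
http_access deny all
"""

# RFC 5737 documentation addresses standing in for "anyone on the Internet".
PROBE_CLIENTS = ("192.0.2.1", "198.51.100.77", "203.0.113.250")


def parse(conf):
    """Return (acls, rules).

    acls maps an ACL name to a list of networks, or None for ACL types that are
    not modelled; rules is the ordered list of (action, [acl references]).
    """
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            if parts[2] == "src":
                nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
                acls[parts[1]] = (acls.get(parts[1]) or []) + nets
            else:
                acls.setdefault(parts[1], None)   # dstdomain, port, ...: not modelled
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def client_allowed(conf, client_ip):
    """Emulate the http_access decision for a request from client_ip."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, refs in rules:
        for ref in refs:
            negated = ref.startswith("!")
            nets = acls.get(ref.lstrip("!"))
            # Unknown or non-src ACL: assume it matches (conservative for this check).
            hit = True if nets is None else any(ip in net for net in nets)
            if hit == negated:          # this ACL fails, so the line does not match
                break
        else:
            return action == "allow"    # every ACL on the line matched
    if not rules:
        return False
    return rules[-1][0] != "allow"      # no line matched: opposite of the last action


def open_proxy_sources(conf, probes=PROBE_CLIENTS):
    """Return the probe addresses the configuration accepts; non-empty means open proxy."""
    return [p for p in probes if client_allowed(conf, p)]


if __name__ == "__main__":
    for name, conf in (("as written", SQUID_CONF_OPEN), ("restricted", SQUID_CONF_RESTRICTED)):
        accepted = open_proxy_sources(conf)
        verdict = "OPEN PROXY, accepts " + ", ".join(accepted) if accepted else "closed to unknown clients"
        print(f"{name}: {verdict}")
```

Run it against the file you actually deploy: if any probe address is accepted, the proxy is open and the DNAT rule will expose it as such. Note that the check is only as good as its model; a real deployment should also be probed from an outside host after the EIP is bound.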
Step 6 Configure Proxy-Client.
Prepare a Windows host and configure the proxy on it.
1. Select Settings.
4. Set Address and Port.
Figure 6-2 Proxy configuration
NOTE
Address: Enter the EIP (114.119.XX.XX) bound to the DNAT rule.
Port: Enter the Squid listening port configured in Step 4 (31280).
5. Click Save.
----End
Verification
7 Accessing OBS Across Regions by Using Cloud Connect and VPCEP
Scenarios
By integrating CC and VPCEP, your ECSs can access Object Storage Service (OBS) across regions through a stable cloud connection.
NOTE
Cloud services required in this practice include OBS, VPCEP, CC, and ECS.
Figure 7-1 shows the networking diagram.
Figure 7-1 Networking
NOTE
OBS: provides object storage and is deployed in CN East-Shanghai1.
VPCEP: a VPC endpoint deployed in CN East-Shanghai1 that connects the VPC in CN East-Shanghai1 to OBS.
CC: connects the VPC in CN East-Shanghai1 and the VPC in AP-Singapore.
ECS: is deployed in AP-Singapore and accesses OBS in CN East-Shanghai1 over the cloud connection.
Prerequisites
Procedure
Step 1 Deploy OBS.
You need to create an OBS bucket in CN East-Shanghai1. For details, see Creating a Bucket.
NOTE
You can obtain the domain name of the OBS bucket on the page displaying the OBS bucket details.
Step 2 Create two VPCs.
For details, see Creating a VPC.
Ensure that the VPC CIDR blocks do not conflict with each other.
● VPC in CN East-Shanghai1: 172.16.15.0/24
● VPC in AP-Singapore: 172.16.99.0/24
Step 3 Configure CC.
1. Create a cloud connection.
For details, see Creating a Cloud Connection.
2. Load the VPCs.
Load the VPC in CN East-Shanghai1 and the VPC in AP-Singapore to the cloud connection.
For details, see Loading a Network Instance.
3. Resolve the OBS bucket domain name to its public IP address.
You can use the dig command (for example, dig +short followed by the bucket domain name) to obtain the address the domain name maps to.
4. Add a custom CIDR block.
Add a custom CIDR block (the resolved IP address with a 32-bit mask) for the VPC in CN East-Shanghai1.
For details, see Adding a Custom CIDR block.
NOTE
If the domain name resolves to more than one address, add a /32 custom CIDR block for each of them; requests that go to an address without a route in the cloud connection will not take the cloud connection path. DNS answers for a service endpoint can change over time, so re-check the resolution if cross-region access to the bucket stops working.
5. Buy a bandwidth package.
The default inter-region bandwidth of a cloud connection is 10 kbit/s, which is used for testing connectivity only.
For details, see Buying a Bandwidth Package.
6. Configure an inter-region bandwidth.
For details, see Configuring an Inter-Region Bandwidth.
Step 4 Configure VPCEP.
Buy a VPC endpoint in CN East-Shanghai1. For details, see Buying a VPC Endpoint.
When you create the VPC endpoint, select the cloud service with the suffix obs-internet, and select the VPC created for CN East-Shanghai1 in Step 2.
NOTE
If the cloud service you want to select does not exist, contact customer service to solve this problem.
Step 5 Buy an ECS in AP-Singapore.
For details, see Purchasing an ECS.
Private IP address of the ECS: 172.16.99.38
----End
Verification
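Step 3 turns a DNS answer into /32 custom CIDR blocks by hand. The following added example (not Huawei's code) does the same from the text of a dig +short answer: it keeps every A record, rejects addresses that cannot be a public OBS endpoint (routing a private range over the cloud connection would black-hole the VPC that owns it), and reports which /32 blocks are missing from, or stale in, the cloud connection. The dig output and the currently configured blocks are constructed for the example using RFC 5737 documentation addresses; the real bucket domain name and its addresses are not reproduced here.

```python
"""dig +short answer -> /32 custom CIDR blocks (added example, not Huawei code)."""
import ipaddress

# Constructed sample of what `dig +short <bucket domain name>` prints:
# a CNAME chain (names end with a dot) followed by the A records, one repeated.
SAMPLE_DIG_OUTPUT = """\
obs.cn-east-3.example.invalid.
198.51.100.10
198.51.100.11
198.51.100.10
"""

# Ranges that can never be a public OBS endpoint; a custom CIDR block pointing
# at one of them would divert the traffic of whichever VPC uses that range.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def custom_cidrs_from_dig(output):
    """Return sorted, de-duplicated /32 networks for the A records in a dig +short answer."""
    blocks = set()
    for line in output.splitlines():
        token = line.strip()
        if not token or token.endswith("."):
            continue                      # blank line or CNAME target
        addr = ipaddress.ip_address(token)
        if addr.version != 4:
            raise ValueError(f"{addr}: the custom CIDR blocks in this practice are IPv4")
        if any(addr in net for net in NON_PUBLIC):
            raise ValueError(f"{addr} is not a public address; refusing to route it")
        blocks.add(ipaddress.ip_network(f"{addr}/32"))
    if not blocks:
        raise ValueError("no A records in dig output; the name did not resolve")
    return sorted(blocks)


def route_drift(configured, resolved):
    """Return (to_add, to_remove) between the configured /32 blocks and a fresh resolution."""
    configured, resolved = set(configured), set(resolved)
    return sorted(resolved - configured), sorted(configured - resolved)


if __name__ == "__main__":
    wanted = custom_cidrs_from_dig(SAMPLE_DIG_OUTPUT)
    # Suppose only the first /32 was added when the cloud connection was set up.
    add, remove = route_drift([wanted[0]], wanted)
    print("custom CIDR blocks to add:", [str(n) for n in add])
    print("stale custom CIDR blocks:", [str(n) for n in remove])
```

Feed it the real dig output and the list of blocks shown on the cloud connection's route page; anything in the "to add" list explains an ECS in AP-Singapore that intermittently cannot reach the bucket.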
8 Authorizing Network Instances Across Accounts
Scenarios
CC enables you to load the VPCs of other accounts to your own cloud connection so that your VPCs can communicate with them.
NOTE
● Account A: This is your account. You create a cloud connection, ask account B to authorize VPC 2 to you, and load it to your cloud connection.
● Account B: authorizes VPC 2 to you.
If multiple VPCs in different cloud regions under account B need to communicate with each other, you can ask account B to authorize these VPCs to you as needed.
● After account B authorizes VPC 2, you can load VPC 1 and VPC 2 to your cloud connection so that the two VPCs can communicate with each other. Account B does not need to create a cloud connection, purchase a bandwidth package, or configure an inter-region bandwidth.
Prerequisites
You must have the permissions of Tenant Guest, VPC Administrator, and Cross Connect Administrator in the region where the authorized VPC resides.
In this scenario, account A must have the permissions of the preceding roles in the CN South-Guangzhou region where VPC 2 of account B resides.
For details, see Permission Management.
Procedure
Step 1 Create VPCs.
For details, see Creating a VPC.
Account A: 172.16.100.0/24
Account B: 172.16.200.0/24
The CIDR blocks of the two VPCs cannot conflict with each other.
Step 2 Create a cloud connection.
Create a cloud connection using your account. For details, see Creating a Cloud Connection.
Step 3 Ask account B to authorize the VPC.
Ask account B to authorize VPC 2 to your account. For details, see Authorizing a Network Instance.
Step 4 Load the network instances.
Load the VPCs to your cloud connection.
Load VPC 2 of account B. For details, see Loading Network Instances of Others.
Load VPC 1. For details, see Loading a Network Instance.
Step 5 Buy a bandwidth package and bind it to your cloud connection.
Use your account to purchase the bandwidth package.
Step 6 Configure an inter-region bandwidth.
Use your account to configure the inter-region bandwidth. For details, see Configuring an Inter-Region Bandwidth.
----End
Verification
After the configuration is complete, you can view the route information of the cloud connection to verify that the network communication between the two VPCs is normal.