Introduction to cloud basic knowledge and cloud component deployment

Preface

As business grows, all kinds of workloads are moving to the cloud, and most of us run into public cloud scenarios at work. The public cloud offerings of the major vendors differ quite a bit, and many people ask the same question: how do I deploy cloud components and security products on a public cloud? In the spirit of learning together, I spent half a month putting this article together, and I hope more colleagues can use it to learn the basic operations and component deployment on Alibaba Cloud.

This article is divided into two chapters, a basic knowledge chapter and a creation and deployment chapter, each explained in detail.

Basic knowledge

  • Introduction to Alibaba Cloud:

Alibaba Cloud, Alibaba's cloud computing brand, was founded in 2009. In 2010 Alibaba Cloud opened its cloud computing technical services to outside users. Through Alibaba Cloud, users can obtain large-scale computing, storage and big data processing capacity remotely over the Internet.

  • What are the Alibaba Cloud products?

Alibaba Cloud's product system is divided into six categories: storage and content delivery services, elastic computing services, data storage and computing services, large-scale computing services, application services, and security and management services.

The products we work with most closely are the elastic computing services, above all the cloud server (Elastic Compute Service), referred to as ECS below.

  • What is ECS?

ECS is a highly available, high-performance, elastically scalable computing service. It is built on Apsara (Feitian), the distributed computing system developed in-house by Alibaba Cloud, and uses virtualization, distributed storage and other cloud computing technologies to pool basic computing and storage resources and deliver computing capacity to users over the Web. Compared with physical servers, a computing service whose capacity scales elastically is simpler and more efficient to manage: there is no up-front hardware purchase, and users can create and release any number of cloud server instances at any time according to business needs.

  • The concept of region:

A region is the physical location where an ECS instance is deployed.

img

Note: ECS instances in the same region can communicate with each other over the internal network; ECS instances in different regions cannot communicate over the internal network. (For VPC instances, internal connectivity is further scoped to the VPC: instances in different VPCs are isolated from each other by default.)

  • The concept of availability zone:

An availability zone is a physical area within the same region whose power supply and network are independent of those of the other zones.

ECS instances in the same zone have lower network latency between them; the internal network is interconnected between zones of the same region, and zones are fault-isolated from one another.

img

  • What does Alibaba Cloud's network look like?

Alibaba Cloud's network comes in two types: the classic network and the Virtual Private Cloud (VPC).

Classic network: IP addresses are assigned uniformly by Alibaba Cloud. It is easy to configure and use, and suits users who value ease of operation and need to bring up ECS quickly.

VPC (the one to understand well): Virtual Private Cloud, VPC for short, is a logically isolated private network. Users define their own network topology and IP address ranges, and the VPC can be connected to an on-premises network over a dedicated leased line. It suits users who are familiar with network management.

img

Notes:

1. SSL-cloud can run on either the classic network or a VPC, while AF-cloud and WOC-cloud can only run in a VPC.

2. The network type is purely a functional distinction of the ECS product and has nothing to do with the quality of the carrier's public network access; instances of either network type are served by BGP multi-carrier public network lines.

A comparison of the classic network and the VPC follows:

img

  • How is IP addressing planned on Alibaba Cloud?

Classic network IP addresses, both private and public, are assigned uniformly by Alibaba Cloud. The private IP is used for traffic between instances; the public IP is used for traffic between instances and the Internet, and also between instances and other cloud services. Outbound traffic on the public IP is billed by bandwidth.

Internal IP addresses inside a VPC are planned by the user. Instances in a VPC are not assigned a public IP by default; if an instance needs one, apply for an Elastic IP (EIP) and bind it to the instance.
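Since the VPC address plan is the user's responsibility, it is worth checking before anything is created. The following is an added example (not from the original article): a small Python check that confirms the VPC block is a private range, that every VSwitch block (one per zone) lies inside the VPC block, that no two VSwitch blocks overlap, and that two addresses belong to the same VPC. The CIDRs and VSwitch names are constructed for the example; the point about security groups in `same_vpc` is the general Alibaba Cloud behaviour, not something the article states here.

```python
import ipaddress

# Constructed address plan for this example: one VPC with one VSwitch per zone.
# The CIDRs and names are assumptions, not values from the original article.
VPC_CIDR = "192.168.0.0/16"
VSWITCHES = {
    "vsw-zone-a": "192.168.1.0/24",
    "vsw-zone-b": "192.168.2.0/24",
}


def validate_plan(vpc_cidr, vswitches):
    """Return a list of problems with a VPC/VSwitch plan (empty list means OK).

    Checks: the VPC block is a private (RFC 1918) range, every VSwitch block
    lies inside the VPC block, and no two VSwitch blocks overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not vpc.is_private:
        problems.append(f"VPC block {vpc} is not a private address range")
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vswitches.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC block {vpc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def locate(ip, vswitches):
    """Name of the VSwitch whose block contains ip, or None if no VSwitch does."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in vswitches.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def same_vpc(ip_a, ip_b, vpc_cidr):
    """True when both addresses fall inside the VPC block, i.e. they can reach
    each other over the internal network (still subject to security group rules)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return ipaddress.ip_address(ip_a) in vpc and ipaddress.ip_address(ip_b) in vpc


if __name__ == "__main__":
    print("plan problems:", validate_plan(VPC_CIDR, VSWITCHES))
    print("192.168.2.1 lives in", locate("192.168.2.1", VSWITCHES))
    print("same VPC:", same_vpc("192.168.1.1", "192.168.2.1", VPC_CIDR))
```

Run it before filling in the "network segment" field of the VPC creation form; an overlapping or out-of-range VSwitch is rejected by the console anyway, but catching it in the plan avoids re-creating resources.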

Can the Elastic IP (EIP) be explained in more depth?

An Elastic IP is a public IP address that can be applied for on its own. It can only be bound to an ECS instance of the VPC network type in the same region, and binding it gives that instance the ability to communicate with the public network.

With an EIP, users can further build the following scenarios as needed:

1. Use this ECS instance as an SNAT gateway that provides outbound public network access for other instances in the same VPC;

2. Use this ECS instance as a DNAT gateway so that other instances in the same VPC can expose services to the public network;

Characteristics of an EIP:

1. An ECS instance can be bound to only one EIP, and an EIP can be bound to only one ECS instance;

2. An EIP supports dynamic binding and unbinding: after it is unbound from one instance it can be bound to another;

3. An EIP is a NAT IP. It actually sits on Alibaba Cloud's public network gateway and is mapped by NAT onto the private network interface of the ECS instance it is bound to. The NIC of an instance bound to an EIP therefore does not show the EIP (the guest OS sees only the private address), but the instance can still use the EIP directly for public network communication. Keep this in mind when a service has to be bound to an address: listen on the private address or on all interfaces, never on the EIP itself.

4. After an EIP is bound, the default route of the ECS instance takes precedence over all static routes.

To learn more about VPC and Elastic IP, see the links below:

VPC Private Network-FAQ

http://help.aliyun.com/knowledge_detail/6716642.html?spm=5176.788315067.2.2.aW0d6H

Elastic public network IP-FAQ

http://help.aliyun.com/knowledge_detail/6716650.html?spm=5176.product8315065_vpc.3.1.Fzav3T

Creation and deployment chapter

Let's go step by step through how to deploy log audit, database audit, baseline verification, bastion host and similar products on Alibaba Cloud.

(1) Creating the VPC

First we create a VPC.

img

Fill in the basic information: name, network segment (CIDR block), description and so on.

img

The creation is successful, as shown in the following figure:

img

At this point the VPC has been created on Alibaba Cloud. Next we explain how to import images.

(2) Image upload and import

Alibaba Cloud has four kinds of images: public images, custom images, shared images and Marketplace images. Three of our products are available in the Marketplace: SSL/IPSec VPN, the virtualized next-generation firewall, and WAN optimization (WOC-Cloud / accelerated IPSec VPN) can be bought there; the other images have to be brought in through image sharing or imported as custom images.

img

This time I mainly explain custom images and shared images.

Custom image:

The image file is normally uploaded to Object Storage Service (OSS) in the target region, turned into a custom (private) image, and then selected as the image when the ECS cloud server is created. The steps of the whole process are as follows:

Create storage: log in to the Alibaba Cloud console, move the mouse to the left-hand menu and click "Object Storage OSS".

img

Create a bucket to hold the image object.

img

Upload the image:

Method 1: upload through the web console

Advantages: simple and convenient

Disadvantages: slow and unstable upload; files of at most 5 GB

img

Method 2: upload via the ossbrowser desktop tool

Advantages: fast and stable upload; supports large files over 5 GB

Disadvantages: more information has to be obtained first (endpoint and AccessKey), so it is slightly more work

Tool download link:

https://help.aliyun.com/document_detail/61872.html?spm=a2c4g.11186623.2.18.64ef3554ph5ssK#concept-xmg-h33-wdb

img

Endpoint: Default (public cloud)

How to obtain the AccessKey ID and AccessKey Secret (create a RAM user that has only the OSS permissions needed for this bucket and use its AccessKey rather than the primary account's; the secret is shown only once when the key is created, so store it securely and do not paste it into tickets or chat):

img

img

Fill in the AccessKey ID and AccessKey Secret.

Access path: can be left blank; fill it in only to restrict the tool to a single bucket or a path within it.

Upload the image: select the bucket by name, open Files, and add the file to upload.

Next, copy the URL of the uploaded image object.

img

Create a custom image: choose Images, then Import Image.

img

Fill in the basic information.

img

OSS Object Address: the URL of the image object copied above. If the OS platform is not among the options, select "Others Linux"; fill in the remaining fields according to the image's operating system and specifications. Wait for the custom image to finish being created; when you create the ECS instance later you can select this custom image.

Shared image:

If the Alibaba Cloud Marketplace does not have the product image (for example Sangfor LAS), contact a Sangfor engineer to provide it through image sharing (Sangfor shares it with the customer).

So how do we normally share an image with others?

Here is how sharing works.

There are two scenarios: different accounts in the same region, and different accounts in different regions.

Different accounts in the same region:

Applicable scenario: image sharing between different accounts in the same region. The identifier required for sharing differs between cloud platforms:

Alibaba Cloud: account ID

HUAWEI CLOUD: account name

Tencent Cloud: account ID

How to obtain the account ID (the method for the other cloud platforms is similar):

img

img

Image sharing steps:

Images, select the region, Custom Images, select the image to share, More, Share Image

img

Enter the ID of the account to share with, click Share Image, and confirm.

img

Different accounts in different regions:

First copy the image to the region where the customer plans to create the cloud server, then share it with the customer through image sharing.

img

Select Images, Custom Images, Copy Image, choose the destination region, enter a name for the custom image, confirm

img

After the image has been copied to the destination region, share it with the customer following the same-region sharing steps above.

This completes image upload and import. Next we explain how to create an ECS instance.

(3) Create an ECS instance

In the Alibaba Cloud console, click Elastic Compute Service, Instances, Create Instance.

img

Basic configuration, billing method and instance type are set according to the customer's actual situation.

img

After selecting the image, choose an ultra cloud disk or an SSD cloud disk for storage as needed.

img

Configure the VPC and the public address of the ECS instance being created.

img

Next, select the security group. Before any rules are configured, a security group denies inbound traffic by default and allows outbound traffic, so if no rules are added the cloud host cannot be reached after it is created. The security group therefore needs to allow inbound TCP 443 (HTTPS access), TCP 8443 (console management), TCP 8082 (management console), TCP 22 (SSH), TCP 161 (SNMP) and TCP 514 (log reception). So we create a new security group and define these rules:

img

img

Note: rule direction is Inbound; action is Allow; authorization object is 0.0.0.0/0 (any IP; fill in something narrower if required). Be aware that 0.0.0.0/0 exposes the management ports (22, 8443, 8082, 161) to the whole Internet. In practice restrict those to the administrators' or bastion host's IP ranges, limit 514 to the hosts that forward logs, and leave only the port end users must reach (443) open to any source.

After filling in the rules, return to the cloud server configuration page, click Reselect Security Group, and select the security group just created.

img
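To make the security group step concrete, here is an added example (not from the original article) in Python: it builds the inbound rule set for the six ports listed above and audits a rule set for management ports that are allowed from 0.0.0.0/0. Which ports count as management ports, the admin and log-source CIDRs, and the dictionary field names are assumptions of this example; the console form uses its own labels.

```python
import ipaddress

# Inbound ports the article says the log audit host needs, with the purpose it gives.
REQUIRED_PORTS = {
    443: "HTTPS access",
    8443: "console management",
    8082: "management console",
    22: "SSH",
    161: "SNMP",
    514: "log reception",
}

# Ports that only administrators (or monitoring) should reach.
# Which ports count as management ports is an assumption of this example.
MANAGEMENT_PORTS = {22, 8443, 8082, 161}
ANY_SOURCE = "0.0.0.0/0"


def make_rule(port, source_cidr, protocol="tcp"):
    """One inbound allow rule, in the fields the console form asks for."""
    ipaddress.ip_network(source_cidr)  # raises ValueError on a malformed CIDR
    return {
        "direction": "ingress",
        "policy": "accept",
        "protocol": protocol,
        "port_range": f"{port}/{port}",
        "source_cidr": source_cidr,
    }


def build_rules(admin_cidrs, log_source_cidrs):
    """Build the rule set: 443 from anywhere, management ports only from
    admin_cidrs, and 514 only from the hosts that forward logs."""
    rules = []
    for port in REQUIRED_PORTS:
        if port in MANAGEMENT_PORTS:
            sources = admin_cidrs
        elif port == 514:
            sources = log_source_cidrs
        else:
            sources = [ANY_SOURCE]
        rules.extend(make_rule(port, cidr) for cidr in sources)
    return rules


def audit_rules(rules):
    """Return (port_range, source, exposed_ports) for every inbound allow rule
    that opens a management port to every source address (prefix length 0)."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or rule["policy"] != "accept":
            continue
        low, high = (int(p) for p in rule["port_range"].split("/"))
        source = ipaddress.ip_network(rule["source_cidr"])
        exposed = sorted(p for p in MANAGEMENT_PORTS if low <= p <= high)
        if source.prefixlen == 0 and exposed:
            findings.append((rule["port_range"], rule["source_cidr"], exposed))
    return findings


if __name__ == "__main__":
    # The naive rule set from the note above: every port from 0.0.0.0/0.
    naive = [make_rule(p, ANY_SOURCE) for p in REQUIRED_PORTS]
    for finding in audit_rules(naive):
        print("exposed to the Internet:", finding)
    # Constructed admin and log-source ranges (assumptions for this example).
    hardened = build_rules(["203.0.113.0/24"], ["192.168.0.0/16"])
    print("hardened findings:", audit_rules(hardened))
```

The audit also catches broad ranges such as 1/65535 from 0.0.0.0/0, which is the other common way management ports end up public.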

The remaining settings can be chosen according to the actual situation; in general keep the defaults.

img

Finally, confirm the order and pay to complete creation of the cloud host. Once it is created, the new log audit host appears in the instance list with its running status, internal IP address, EIP address, configuration and so on.

After the instance is created, log in through the public IP address and configure the software.

(Deployment of the bastion host, baseline verification, database audit and so on works the same way.)

Points to note to avoid pitfalls:

1. The image formats supported by Alibaba Cloud are RAW, VHD and QCOW2.

2. Alibaba Cloud requires the component's system disk to be between 20 GB and 500 GB.

3. Database audit version 202 does not support MongoDB, but version 203 does; redeploy with that version and apply the corresponding patches (on demand: the single-disk expansion patch) and the MongoDB patch.

4. If OSM needs an application publishing server, explain this to the customer in advance and reserve the resources on Alibaba Cloud.

5. Networks inside the same VPC on Alibaba Cloud are interconnected. For example, 192.168.1.1 and 192.168.2.1 in two VSwitches of the same VPC can reach each other, provided the security groups of both instances allow the traffic.
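Pitfalls 1 and 2 can be checked before the image ever reaches OSS. The following is an added example (not from the original article) in Python: it reads the JSON that `qemu-img info --output=json <file>` prints and reports a format outside RAW/VHD/QCOW2 or a virtual disk size outside 20-500 GiB. The sample outputs are constructed, the GiB interpretation of the article's "G" is an assumption, and the `vpc` alias reflects qemu-img's name for the VHD driver.

```python
import json

# Constraints from the article's pitfalls list.
SUPPORTED_FORMATS = {"raw", "vhd", "qcow2"}
MIN_GIB, MAX_GIB = 20, 500  # assumed to be binary gigabytes

# qemu-img reports the VHD format under its driver name "vpc".
QEMU_FORMAT_ALIASES = {"vpc": "vhd"}


def check_image(info_json):
    """Check the JSON from `qemu-img info --output=json <file>` against the
    format and system-disk size limits; return a list of problems (empty = OK)."""
    info = json.loads(info_json)
    problems = []
    fmt = str(info.get("format", "")).lower()
    fmt = QEMU_FORMAT_ALIASES.get(fmt, fmt)
    if fmt not in SUPPORTED_FORMATS:
        problems.append(f"format {fmt!r} is not one of {sorted(SUPPORTED_FORMATS)}")
    size_gib = info.get("virtual-size", 0) / 2**30
    if not MIN_GIB <= size_gib <= MAX_GIB:
        problems.append(f"virtual size {size_gib:g} GiB is outside {MIN_GIB}-{MAX_GIB} GiB")
    return problems


# Constructed sample outputs for this example (not real qemu-img runs).
GOOD = json.dumps({"virtual-size": 40 * 2**30, "filename": "las.qcow2",
                   "format": "qcow2", "actual-size": 3 * 2**30})
VHD = json.dumps({"virtual-size": 100 * 2**30, "filename": "bastion.vhd", "format": "vpc"})
TOO_SMALL = json.dumps({"virtual-size": 10 * 2**30, "filename": "small.raw", "format": "raw"})
WRONG_FMT = json.dumps({"virtual-size": 40 * 2**30, "filename": "dbaudit.vmdk", "format": "vmdk"})


if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("VHD", VHD), ("TOO_SMALL", TOO_SMALL), ("WRONG_FMT", WRONG_FMT)]:
        print(name, check_image(sample) or "OK")
```

A VMDK that fails the format check can be converted first with `qemu-img convert -O qcow2`, and a too-small system disk is easier to grow in the image than after import.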

Closing: this concludes the introduction to Alibaba Cloud and the deployment of cloud components. "Among any three people walking together, there is one I can learn from." I hope you will share plenty of advice!

Source: blog.csdn.net/KH_FC/article/details/109842979