1. Environment introduction
There are three cloud hosts on Huawei Cloud whose intranet CIDR is 192.168.0.0/24, and three cloud hosts on Alibaba Cloud whose intranet CIDR is 172.26.32.0/24. The goal is to connect the two intranets so that hosts on Huawei Cloud can reach Alibaba Cloud intranet addresses and hosts on Alibaba Cloud can reach Huawei Cloud intranet addresses. This article walks through connecting the Huawei Cloud host 192.168.0.200 and the Alibaba Cloud host 172.26.32.235 over a GRE tunnel. Once the tunnel is up, 192.168.0.200 and 172.26.32.235 can reach each other on their intranet IPs, but other hosts, such as 192.168.0.201 and 172.26.32.103, still cannot. Connecting every host in both intranets requires additional configuration on top of the GRE tunnel, which is not covered here and will be described separately later.
2. GRE tunnel construction
2.1 HUAWEI CLOUD GRE Tunnel Installation
We choose a cloud host with an intranet IP address of 192.168.0.200 to deploy a GRE tunnel.
- First modify the kernel configuration and enable ip_forward.
cat > /etc/sysctl.d/gre.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -p /etc/sysctl.d/gre.conf
- Load the ip_gre module
modprobe ip_gre
- Check whether the ip_gre module is loaded successfully
lsmod | grep ip_gre
- Create the tunnel. The remote IP is the public IP address of the Alibaba Cloud host; the local IP is the intranet address of the Huawei Cloud host. On cloud instances the public address is an elastic IP that the provider NATs to the instance, so it never appears on the instance's own NIC and cannot be used as local.
ip tunnel add tunnel999 mode gre remote 114.116.84.123 local 192.168.0.200
- Bring the tunnel up. An MTU of 1476 leaves room for the 20-byte outer IPv4 header and the 4-byte GRE header on a 1500-byte link, so inner packets are not fragmented.
ip link set tunnel999 up mtu 1476
- Set the tunnel IP. The tunnel addresses (here 192.168.100.1 and 192.168.100.2) can be chosen freely, but must not overlap either intranet CIDR.
ip addr add 192.168.100.1 peer 192.168.100.2/32 dev tunnel999
- Add the tunnel route, sending the Alibaba Cloud intranet CIDR through the tunnel.
ip route add 172.26.32.0/24 dev tunnel999
- View the routing table
route -n
The HUAWEI CLOUD end of the GRE tunnel is now configured, but the tunnel cannot carry traffic yet. Only after the Alibaba Cloud end is set up as well will the two intranets be able to communicate through it.
2.2 Alibaba Cloud GRE Tunnel Installation
We choose a cloud host with an intranet IP address of 172.26.32.235 to deploy a GRE tunnel.
- First modify the kernel configuration and enable ip_forward.
cat > /etc/sysctl.d/gre.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -p /etc/sysctl.d/gre.conf
- Load the ip_gre module
modprobe ip_gre
- Check whether the ip_gre module is loaded successfully
lsmod | grep ip_gre
- Create the tunnel. The remote IP is the public IP address of the HUAWEI CLOUD host; the local IP is the intranet address of the Alibaba Cloud host (again the instance's private address, not its elastic IP).
ip tunnel add tunnel999 mode gre remote 112.124.59.21 local 172.26.32.235
- Bring the tunnel up with the same MTU as the HUAWEI CLOUD end (1476).
ip link set tunnel999 up mtu 1476
- Set the tunnel IP, mirroring the HUAWEI CLOUD end: the local and peer addresses are swapped, and they must not overlap either intranet CIDR.
ip addr add 192.168.100.2 peer 192.168.100.1/32 dev tunnel999
- Add the tunnel route, sending the HUAWEI CLOUD intranet CIDR through the tunnel.
ip route add 192.168.0.0/24 dev tunnel999
- View the routing table
route -n
As shown in the figure above, the tunnel999 virtual interface has two entries in the routing table: the tunnel peer address 192.168.100.1 and the HUAWEI CLOUD intranet CIDR 192.168.0.0/24.
3. Set up a security group
Different cloud providers have different menus for configuring security groups, but the requirement is the same: the security group on each host must allow GRE, which is IP protocol 47 (not a TCP or UDP port), in both directions. On HUAWEI CLOUD, add an inbound rule permitting the GRE protocol; if no such rule exists, the GRE tunnel will not pass traffic. Since GRE carries no authentication of its own, restrict the rule's source to the peer's public IP address rather than opening protocol 47 to 0.0.0.0/0.
For Alibaba Cloud, refer to the Alibaba Cloud Operation Manual for the security group settings. If a host firewall policy blocks the GRE protocol, adjust it so that GRE from the peer's public IP is allowed.
4. Verify GRE Tunnel
4.1 Ping the intranet IP of the Alibaba Cloud host on HUAWEI CLOUD
ping 172.26.32.235
4.2 Ping the intranet IP of the HUAWEI CLOUD host on Alibaba Cloud
ping 192.168.0.200
5. Summary
By building a GRE tunnel, cloud hosts at two different providers are connected at the intranet level, so nodes in the two clouds can talk to each other on their private addresses. This resembles the VPC peering service that cloud providers offer, but that service generally only connects VPCs within the same provider; a self-built GRE tunnel extends intranet connectivity across providers. The approach has security and stability drawbacks, because the GRE tunnel still runs over the public Internet: GRE itself provides neither encryption nor authentication (its optional key field is only a demultiplexing tag), so anyone on the path can read the traffic and anyone who can spoof the peer's source address can inject packets into the intranet. For a more secure tunnel, protect the traffic with IPsec or a VPN so that communication is encrypted and authenticated. Alternatively, the business application can handle encryption itself (for example with TLS) while the GRE tunnel only provides the network channel, but that depends on every application supporting encrypted transport.
GRE tunnel configuration added with the ip command line tool does not survive a server restart, so the method above is suited to testing or to temporarily setting up a tunnel for debugging. To make the GRE tunnel persistent, put the commands above in a shell script and have systemd (systemctl) run that script at boot to create the tunnel.
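The script below gathers the steps of sections 2.1 and 2.2 into one file that can be run from a systemd unit so the tunnel comes back after a reboot, as the paragraph above suggests. It is an added example, not the article's own script. The defaults are the article's HUAWEI CLOUD values; every name (gre-tunnel.sh, the TUN_*/LOCAL_IP/REMOTE_IP/REMOTE_CIDR variables, DRY_RUN) is this example's own choice. The iptables rule that drops GRE not sent from the peer's public address is a host-level addition for defense in depth and is not part of the article.

```shell
#!/bin/sh
# gre-tunnel.sh: bring up, tear down or check one end of a point-to-point GRE
# tunnel between two cloud hosts. Added example, not the article's own script.
# Defaults are the article's Huawei Cloud side; override them through the
# environment for the Alibaba Cloud side (or any other pair of hosts).
# "up" and "down" need root; set DRY_RUN=1 to print the commands instead.
set -eu

TUN_DEV="${TUN_DEV:-tunnel999}"
LOCAL_IP="${LOCAL_IP:-192.168.0.200}"        # this host's instance (private) IP
REMOTE_IP="${REMOTE_IP:-114.116.84.123}"     # the peer's public IP
TUN_LOCAL="${TUN_LOCAL:-192.168.100.1}"      # inner tunnel address, this end
TUN_PEER="${TUN_PEER:-192.168.100.2}"        # inner tunnel address, far end
REMOTE_CIDR="${REMOTE_CIDR:-172.26.32.0/24}" # peer intranet routed into the tunnel
UNDERLAY_MTU="${UNDERLAY_MTU:-1500}"         # MTU of the interface carrying the tunnel
DRY_RUN="${DRY_RUN:-0}"

# GRE over IPv4 adds a 20-byte outer IP header plus a 4-byte GRE header,
# so a 1500-byte underlay gives the 1476 used in the article.
gre_mtu() { echo $(( $1 - 20 - 4 )); }

# Accept only a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Commands that build this end; the same steps as sections 2.1/2.2.
gre_up_cmds() {
    mtu=$(gre_mtu "$UNDERLAY_MTU")
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
modprobe ip_gre
ip tunnel add $TUN_DEV mode gre remote $REMOTE_IP local $LOCAL_IP
ip link set $TUN_DEV up mtu $mtu
ip addr add $TUN_LOCAL peer $TUN_PEER/32 dev $TUN_DEV
ip route replace $REMOTE_CIDR dev $TUN_DEV
EOF
}

# GRE has no authentication: anything that reaches the host as IP protocol 47
# is decapsulated. Drop GRE that does not come from the peer's public address
# (host-level defense in depth beside the cloud security group; not in the article).
gre_firewall_cmds() {
    echo "iptables -I INPUT 1 -p 47 ! -s $REMOTE_IP -j DROP"
}

# Reverse of "up"; tolerate pieces that are already gone.
gre_down_cmds() {
    cat <<EOF
iptables -D INPUT -p 47 ! -s $REMOTE_IP -j DROP 2>/dev/null || true
ip route del $REMOTE_CIDR dev $TUN_DEV 2>/dev/null || true
ip tunnel del $TUN_DEV
EOF
}

# Execute the command list read from stdin, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then cat; else sh -e; fi
}

# Show tunnel state and probe the far end through the tunnel itself.
gre_status() {
    ip -d link show "$TUN_DEV"
    ip route show dev "$TUN_DEV"
    ping -c 3 -W 2 -I "$TUN_DEV" "$TUN_PEER"
}

main() {
    for a in "$LOCAL_IP" "$REMOTE_IP" "$TUN_LOCAL" "$TUN_PEER"; do
        valid_ipv4 "$a" || { echo "invalid IPv4 address: $a" >&2; return 2; }
    done
    case "${1:-}" in
        up)     { gre_up_cmds; gre_firewall_cmds; } | run ;;
        down)   gre_down_cmds | run ;;
        status) gre_status ;;
        *)      echo "usage: $0 {up|down|status}" >&2; return 64 ;;
    esac
}

# Dispatch only when given a verb, so the file can also be sourced for its functions.
[ "$#" -eq 0 ] || main "$@"
```

On the Alibaba Cloud host the same file is run with the sides swapped, for example `LOCAL_IP=172.26.32.235 REMOTE_IP=112.124.59.21 TUN_LOCAL=192.168.100.2 TUN_PEER=192.168.100.1 REMOTE_CIDR=192.168.0.0/24 ./gre-tunnel.sh up`; `DRY_RUN=1` first shows exactly which ip and iptables commands would run. To persist it, install the script under /usr/local/sbin and create a oneshot systemd service (Type=oneshot, RemainAfterExit=yes, ExecStart=/usr/local/sbin/gre-tunnel.sh up, ExecStop=/usr/local/sbin/gre-tunnel.sh down, ordered After=network-online.target with Wants=network-online.target, the environment overrides supplied with Environment= lines), then enable it with systemctl enable --now. `gre-tunnel.sh status` replaces the manual ping check in section 4 and pings the peer's inner address through the tunnel interface, which only succeeds once both ends and both security groups are in place.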