HCIP Study Notes-Network Service Planning-3

1. Overview of network services

1.1. What is Cloud Network

image.png

  • Network functions and resources are hosted in public or private cloud platforms, managed on-premises or by service providers and provided on-demand.
  • Today's highly mobile users and applications demand the performance, security, and management provided by the flexibility and scale of networking on the cloud.
  • Networking on the cloud can also provide IT efficiencies and cost savings for office spaces, schools, home office environments, and healthcare and public spaces.

1.2. Comparison between cloud network and local network

image.png

1.3. HUAWEI CLOUD network panorama

image.png

  • According to how the networks interconnect, the network service panorama can be classified as follows:
  • Cloud network
    • General networking on the cloud: VPC, security group, network ACL;
    • Interconnection within a region on the cloud: VPCEP, VPC Peering;
    • Cross-region interconnection on the cloud: cloud private line, cloud connection, and VPN.
  • Network access on the cloud: EIP, NAT gateway, ELB, cloud resolution service (DNS)

2. Principles of network planning on the cloud

2.1 VPC network planning

image.png

2.1.1 Principles of network planning and design

image.png

2.1.2 VPC network planning

image.png

  • Principles of address planning:
    • Make sure that the VPC address range does not overlap with the enterprise's private network; in a multi-region scenario, it is recommended that the networks of different regions do not overlap either.
    • The size of the VPC address range must allow for future business growth.
    • Do not allocate all subnets and IP addresses at once; reserve space for future expansion.
  • It is recommended to choose a private network segment:
    • Resources in a VPC/subnet obtain IP addresses for internal communication within the VPC. If a public network segment is used instead, address conflicts may occur when these resources later access the public network.
    • 10.0.0.0-10.255.255.255 (10/8 prefix)
    • 172.16.0.0-172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0-192.168.255.255 (192.168/16 prefix)

2.1.3 Case

  • Single VPC

image.png

  • Multiple VPCs

image.png

2.2 Cloud Network Security Planning

2.2.1 Security Group and Network ACL

image.png

  • Like a security group, a network ACL controls inbound and outbound rules, but at the level of each subnet; its rules decide whether a packet may flow into or out of the subnet.

2.2.2 Differences between security groups and network ACLs

image.png

2.2.3 Security Group and Network ACL Design Principles

image.png

2.2.4 Case

  • Configure security groups and network ACLs

image.png

  • Security group 1 (Web1): rule 1 allows the Web1 servers to communicate with each other, so that later capacity expansion works; rule 2 allows any public network address to access the Web1 website; rule 3 places no restriction on the outbound direction.
  • Security group 2 (App): rule 1 allows the App servers to communicate with each other for later expansion; rule 2 allows the Web1 servers to access the App servers; rule 3 places no restriction on the outbound direction.
  • ACL 1: rule 1 prohibits access to the test subnet; rule 2 allows access not covered by the rule above; rule 3 places no restriction on the outbound direction.
  • ACL 2: rule 1 prohibits access to the production subnet; rule 2 allows access not covered by the rule above; rule 3 places no restriction on the outbound direction.
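The layering in this case, as an added example that is not part of the course notes: an inbound packet must first pass the network ACL of the destination subnet (rules evaluated in priority order, first match wins) and then the security group of the destination instance (allow-list, anything unmatched is dropped). Subnet ranges, instance addresses and ports are constructed; ACL 1 is read as the production subnet's ACL and "prohibits access to the test subnet" as denying traffic from the test subnet.

```python
"""Inbound evaluation for the security group / network ACL case.
Constructed addresses and ports; rule semantics as stated in the lead-in."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
PROD = ipaddress.ip_network("10.0.1.0/24")      # constructed production subnet
TEST = ipaddress.ip_network("10.0.2.0/24")      # constructed test subnet
WEB1 = {ipaddress.ip_address(a) for a in ("10.0.1.10", "10.0.1.11")}
APP = {ipaddress.ip_address(a) for a in ("10.0.1.20", "10.0.1.21")}

# Network ACL inbound rules: (action, source network), in priority order.
ACL1_IN = [("deny", TEST), ("allow", ANY)]       # production subnet
ACL2_IN = [("deny", PROD), ("allow", ANY)]       # test subnet

# Security group inbound rules: (source, allowed ports or None for any).
# A source is either a network or the set of addresses of a group's own members.
SG1_IN = [(WEB1, None), (ANY, {80, 443})]       # Web1 servers: website open to all
SG2_IN = [(APP, None), (WEB1, {8080})]          # App servers: only Web1 may call


def acl_allows(rules, src):
    """First matching ACL rule decides; no match means the packet is dropped."""
    for action, source in rules:
        if src in source:
            return action == "allow"
    return False


def sg_allows(rules, src, port):
    """Any matching rule admits the packet; these security groups carry no deny rules."""
    return any(src in source and (ports is None or port in ports)
               for source, ports in rules)


def inbound_allowed(acl_rules, sg_rules, src, port):
    """A packet must pass both the subnet ACL and the instance security group."""
    src = ipaddress.ip_address(src)
    return acl_allows(acl_rules, src) and sg_allows(sg_rules, src, port)


if __name__ == "__main__":
    cases = [
        ("Internet to Web1 website", ACL1_IN, SG1_IN, "203.0.113.5", 443),
        ("Internet to App", ACL1_IN, SG2_IN, "203.0.113.5", 8080),
        ("Web1 to App", ACL1_IN, SG2_IN, "10.0.1.10", 8080),
        ("test subnet to Web1", ACL1_IN, SG1_IN, "10.0.2.5", 443),
    ]
    for name, acl, sg, src, port in cases:
        verdict = "allowed" if inbound_allowed(acl, sg, src, port) else "denied"
        print(f"{name}: {verdict}")
```

The last case shows why both layers matter: security group 1 would admit the test host on port 443, but the subnet ACL drops it first.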

2.3 Network connectivity planning on the cloud

2.3.1 Peer-to-peer connection VPC Peering

image.png

  • When configuring a peering connection, it is not recommended that the CIDRs of the two VPCs overlap, as this may cause routing conflicts and the configuration will not take effect.
  • If the CIDRs of the two VPCs overlap, a peering relationship can only be established at subnet level; if the subnets of the two VPCs also overlap, the peering relationship may not take effect. When establishing a peering connection, make sure that the two ends contain no overlapping subnets.
  • If VPC A establishes peering connections with VPC B and VPC C respectively, and the network segments of VPC B and VPC C overlap, routes with the same destination network segment cannot be added to VPC A.
  • Multiple peering connections cannot be established between the same two VPCs at the same time.
  • VPC peering connections are not transitive. For example, if peering connections exist between VPC A and VPC B and between VPC A and VPC C, VPC B and VPC C cannot communicate through VPC A; the user must establish a peering connection directly between VPC B and VPC C.
  • VPCs in different regions cannot create peering connections.
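The address-planning rules of 2.1.2 and the peering constraints above, checked over a planned layout, as an added example that is not part of the course notes. The IDC and VPC CIDRs are constructed; the checks use only the standard `ipaddress` module.

```python
"""Check a planned VPC address layout against the planning rules.
Added example; the IDC and VPC CIDRs below are constructed for illustration."""
import ipaddress

# Private network segments recommended for VPC address planning.
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(cidr):
    """True if the CIDR lies entirely inside one of the private ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in PRIVATE_RANGES)


def overlapping_pairs(named_cidrs):
    """Return (name_a, name_b) for every pair of networks that overlap."""
    items = [(n, ipaddress.ip_network(c)) for n, c in named_cidrs.items()]
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def check_plan(idc_cidr, vpcs):
    """vpcs: {name: cidr}. Returns a list of planning violations."""
    problems = []
    idc = ipaddress.ip_network(idc_cidr)
    for name, cidr in vpcs.items():
        if not is_private(cidr):
            problems.append(f"{name} {cidr} is not a private network segment")
        if idc.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{name} {cidr} overlaps the enterprise network {idc_cidr}")
    # Non-overlapping VPCs keep later peering and cross-region interconnection possible.
    for a, b in overlapping_pairs(vpcs):
        problems.append(f"{a} and {b} overlap")
    return problems


def check_peering(hub, spokes):
    """hub: (name, cidr); spokes: {name: cidr} each peered with the hub.
    A spoke overlapping the hub cannot peer; two spokes overlapping each
    other cannot both get a route with the same destination in the hub."""
    problems = []
    hub_name, hub_cidr = hub
    hub_net = ipaddress.ip_network(hub_cidr)
    for name, cidr in spokes.items():
        if hub_net.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"peering {hub_name}-{name}: CIDRs overlap, will not take effect")
    for a, b in overlapping_pairs(spokes):
        problems.append(f"{hub_name}: routes to {a} and {b} share a destination segment")
    return problems


if __name__ == "__main__":
    # Constructed plan: IDC 10.0.0.0/16, three VPCs, VPC-C mis-planned inside VPC-B.
    vpcs = {"VPC-A": "10.1.0.0/16", "VPC-B": "10.2.0.0/16", "VPC-C": "10.2.0.0/17"}
    for line in check_plan("10.0.0.0/16", vpcs):
        print("plan:", line)
    spokes = {"VPC-B": "10.2.0.0/16", "VPC-C": "10.2.0.0/17"}
    for line in check_peering(("VPC-A", "10.1.0.0/16"), spokes):
        print("peering:", line)
```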

2.3.2 Create a peer-to-peer connection with the same account

image.png

2.3.3 Create a peer-to-peer connection across accounts

image.png

  • A cross-tenant VPC peering request takes effect only after the peer tenant accepts it. A peering request within the same tenant is accepted by default.

2.3.4 VPC terminal node VPCEP

image.png

  • VPC endpoints provide two types of resources, "endpoint service" and "endpoint":
  • Endpoint service: a cloud service or a user's private service that is configured to be provided through VPC endpoints. Users can create their own applications in a VPC and configure them as services supported by VPC endpoints, that is, endpoint services. (Cloud service: the operation and maintenance personnel configure certain cloud platform services as endpoint services. User private service: users configure service resources in their own VPC as endpoint services; these resources are enhanced load balancers or cloud servers.)
  • Endpoint: provides a connection channel between a VPC and an endpoint service. Users can create their own applications in a VPC and configure them as endpoint services; other VPCs in the same region can then communicate with the endpoint service by creating endpoints in their own VPCs.

2.3.5 The difference between peer connection and VPC terminal node

image.png

  • Functional differences:
    • A peering connection mainly opens traffic between two VPCs, so that instances in the subnets of both VPCs can communicate with each other as if they were in the same network.
    • A VPC endpoint exposes an instance in one VPC and maps the ports of that instance to other VPCs through a dedicated gateway.
  • Access scenarios:
    • A peering connection is mainly used in network planning; it is mostly used by a single tenant to plan its own network and connect the subnets of two VPCs.
    • A VPC endpoint mainly opens a service on the cloud platform, which can be provided to the same tenant or to other tenants.
    • VPC endpoints and peering connections also differ in security, communication direction, routing configuration, and other aspects.

2.3.5 Applicable scenarios

image.png

  • Through the cloud private line, the off-cloud IDC and VPC1 on the cloud communicate with each other.
  • Through endpoint 1, the IDC can access the cloud resource ELB in VPC1.
  • Through endpoint 2, the IDC can access the cloud resource ECS in VPC2 across VPCs.
  • Through endpoint 3, the IDC can access the cloud service DNS over the intranet.
  • Through endpoint 4, the IDC can access the cloud service OBS over the intranet.

2.3.6 Virtual Private Network (VPN)

image.png

  • High security
    • Huawei professional equipment encrypts transmitted data based on IKE and IPsec, provides a carrier-grade high-reliability mechanism, and ensures stable operation of the VPN service at three levels: hardware, software, and links.
  • Seamless resource expansion
    • Connect the user's local data center to the VPC on the cloud, quickly expand the business to the cloud, and realize a hybrid cloud deployment.

Applicable scene

image.png

2.3.7 Cloud private line DC

image.png

  • Physical connection: the dedicated line between the user's local data center and the carrier's physical network at the access point. Two dedicated line access methods are provided:
    • Standard leased line access is a physical connection in which the user exclusively occupies the port resources. This type of physical connection is created by the user and supports the creation of multiple virtual interfaces by the user.
    • Managed leased line access is a physical connection in which multiple users share the port resources. This type of physical connection is created by the partner, and only one virtual connection is allowed per user. Users apply to the partner to create a managed physical connection, and the partner allocates VLAN and bandwidth resources for the user.
  • Virtual gateway: a logical access gateway through which a physical connection reaches a VPC. The virtual gateway is associated with the VPC the user accesses. A VPC can be associated with only one virtual gateway, while multiple physical connections can access the same VPC over the dedicated line through the same virtual gateway.
  • Virtual interface: the entrance through which the user's local data center accesses the VPC over the dedicated line. The user creates a virtual interface to associate the physical connection with the virtual gateway, connecting the user gateway and the virtual gateway so that the off-cloud data center and the VPC on the cloud can access each other.

2.3.8 Comparison between VPN and Cloud Private Line

image.png

  • VPN:
    • IPsec VPN technology protects data in transit. Easy to operate, ready to use.
  • Cloud private line:
    • Uses private channels to connect sites, with high privacy, stable latency between sites, small jitter, and strong performance.

Applicable scene

image.png

  • Prerequisites:
    • Single-mode 1GE, 10GE, 40GE, or 100GE optical modules must be used to interconnect with the HUAWEI CLOUD access device.
    • Auto-negotiation must be disabled on the port, and the port speed and full-duplex mode must be configured manually.
    • The user-side network must support 802.1Q VLAN encapsulation end to end.
    • The user-side device must support BGP and must not use AS number 64512 (this AS number is already used by Huawei).

2.3.9 Cloud Connection CC

image.png

  • Applicable constraints:
    • Within one cloud connection instance, the addresses of all network instances must not overlap and the subnet addresses must not conflict; otherwise interconnection problems may occur.
    • When loading a VPC network instance into a cloud connection instance and importing subnets through the advanced configuration, loopback, multicast, or broadcast addresses cannot be imported.
    • Among all VPC network instances loaded into the same cloud connection instance, if a NAT gateway is also created in a VPC, the default route 0.0.0.0/0 can be imported as a custom subnet through the advanced configuration for only one VPC network instance at a time.

Applicable scene one

image.png

Applicable scene two

image.png

3. Cloud network access planning

3.1 Elastic public network IP service EIP

3.1.1 Elastic public IP

image.png

  • Shared bandwidth:
    • Shared bandwidth allows multiple EIPs to share one bandwidth, providing region-level bandwidth sharing and multiplexing. All ECS, BMS, ELB, and other instances bound to EIPs in the same region share one bandwidth resource.
    • When a customer runs a large amount of business on the cloud, giving each elastic cloud server its own bandwidth requires more bandwidth instances and raises the total bandwidth cost. If all instances share one bandwidth, the enterprise saves network operating costs and simplifies operation and maintenance statistics.

3.1.2 Principle of EIP Implementation

image.png

3.1.3 Line type

image.png

  • Full dynamic BGP:
    • BGP is used to access multiple carriers at the same time; the network path is optimized automatically and in real time according to the configured routing policy, keeping the customer's network stable and efficient.
  • Static BGP:
    • Routing information is configured manually by the carrier. When the network topology or link status changes, the carrier must manually modify the relevant static routes in the routing table.
  • Security comparison:
  • Full dynamic BGP:
    • Multi-line BGP access can sense the status of the access line and of the carrier's internal network. When a failure occurs inside a carrier, traffic quickly switches to another carrier's access link, so users keep access without interruption.
    • Currently supported carrier lines include China Telecom, China Mobile, China Unicom, the education network, radio and television, Dr. Peng, and others.
  • Static BGP:
    • When the network structure changes, static BGP cannot adjust the network settings automatically and immediately; it switches through other techniques, so static BGP latency is generally slightly longer.

3.1.3 ECS instances access the public network

image.png

3.1.4 Accessing ECS in the cloud from the public network

image.png

Applicable scene

image.png

3.2 Load Balancing Service ELB

3.2.1 Elastic Load Balancing ELB

image.png

  • Dedicated (exclusive) load balancing: instance resources are dedicated, so the performance of an instance is not affected by other instances. Users can choose instances of different specifications according to business needs.
  • Shared load balancing: instances are deployed as a cluster with shared resources, so the performance of an instance can be affected by other instances. Instance specifications cannot be selected.

3.2.2 ELB related components

image.png

  • Health check: the health check function checks the status of the servers in the back-end server group, ensuring that traffic distributed to a back-end server can be served normally and thereby improving business reliability.

3.2.3 Session persistence

image.png

  • Layer 7 session persistence lasts up to 24 hours
  • Layer 4 session persistence lasts up to 1 hour

3.2.4 Protocol

image.png

3.2.5 Policy

image.png

Applicable scene one

image.png

  • Elastic distribution of traffic for tidal business
    • For business with tidal traffic, ELB combined with the Auto Scaling service lets the ECS instances that Auto Scaling adds or removes as the business volume grows and shrinks be added to or removed from the ELB back-end server group automatically. The load balancer uses the ECS instance resources flexibly according to policies such as traffic distribution and health checks, greatly improving resource availability on top of resource elasticity. For example, during large e-commerce promotions such as "Double 11", "Double 12", and "618", the number of visits rises sharply in a short time and lasts only a few days or even a few hours; using load balancing together with auto scaling saves IT costs to the greatest extent.

Applicable scene two

image.png

  • Use the ELB cross-availability-zone feature to implement business disaster recovery deployment
    • For business with high reliability and disaster recovery requirements, ELB can distribute traffic across availability zones to establish a real-time disaster recovery deployment. Even if one availability zone suffers a network failure, the load balancer can still forward traffic to the back-end cloud servers in other availability zones for processing.
    • Examples: banking business, police business, large-scale application systems, etc.

3.3 Gateway service NAT

3.3.1 Public network NAT gateway (1)

image.png

  • Flexible deployment:
    • The public NAT gateway supports cross-availability-zone deployment and is highly available; a failure in a single availability zone does not affect the business continuity of the public NAT gateway. The specifications of the public NAT gateway and its EIP can be adjusted at any time.
  • Versatile and easy to use:
    • The public NAT gateway can be used after simple configuration. Operation and maintenance are simple, provisioning is fast, and operation is stable and reliable.
  • Cost reduction:
    • When traffic from the user's private IP addresses goes out through the public NAT gateway, or the user's applications provide services to the Internet, the public NAT gateway translates between private and public addresses. Users do not need to purchase extra EIPs and bandwidth for each cloud host to access the Internet; multiple cloud hosts share EIPs, which effectively reduces costs.

3.3.2 Public network NAT gateway (2)

image.png

3.3.3 Private Network NAT Gateway

image.png

  • Transit subnet: the transit subnet is equivalent to a transit network. Users create a private IP address in the transit subnet, the transit IP, so that cloud hosts in the local VPC can share this private IP to access the user's IDC or other remote VPCs.
  • Transit VPC: the VPC where the transit subnet is located.
  • Simple planning:
    • Supports communication between overlapping network segments: customers can keep their original network when moving to the cloud without re-planning, which greatly simplifies network planning between the IDC and the cloud.
  • High security:
    • Meets industry regulatory requirements by mapping private IP addresses to designated IP addresses for access.
  • Easy operation and maintenance management:
    • Supports private IP address mapping: the network segments of each department can be mapped to a unified large VPC network address for unified management, making complex networks easier to manage.
  • Zero conflict:
    • Based on the large-to-small network mapping capability of the private NAT gateway, overlapping network segments can communicate on the cloud, helping customers avoid network conflicts after moving to the cloud.

3.3.4 Applicable Scenarios of Public Network NAT

image.png

  • Number of SNAT connections: a five-tuple of source IP address, source port, destination IP address, destination port, and transport-layer protocol is regarded as one connection. The source IP address and source port are the EIP and its port after SNAT translation. Connections distinguish different sessions, and each session is unique.
  • Throughput: the sum of the EIP bandwidths of the DNAT rules. For example, if a public NAT gateway has two DNAT rules, and the EIP bound to the first rule has a bandwidth of 10 Mbit/s while the EIP bound to the second rule has 5 Mbit/s, then the throughput of the public NAT gateway is 15 Mbit/s.
  • The maximum forwarding bandwidth supported by each public NAT gateway is 20 Gbit/s.
  • Common business models and specification options:
    • Scenarios with few access destination addresses and connections, such as uploading, downloading, and web browsing: Small/Medium recommended.
    • Scenarios with many access destination addresses or ports and a large number of connections, such as crawlers and client push: Large/Extra Large recommended.
    • Small: maximum 10,000 SNAT connections.
    • Medium: maximum 50,000 SNAT connections.
    • Large: maximum 200,000 SNAT connections.
    • Extra Large: maximum 1,000,000 SNAT connections.

3.3.5 Applicable scenarios of private network NAT

image.png

3.4 Cloud resolution service DNS

image.png

  • Smooth switching without user perception:
    • Supports migrating the domain name of a website in use to the HUAWEI CLOUD Cloud Resolution Service. Before transferring the domain name, the user can create the domain name and set its resolution records in advance, so that the website's DNS service switches smoothly and user access is not interrupted.

3.4.1 Types of resolution services provided by DNS

image.png

  • Public domain name resolution: associates public domain names with IP addresses, provides Internet-based domain name resolution, and allows direct access to websites or web applications through domain names. Public domain name resolution is a resolution process based on the Internet, converting common domain names (such as www.example.com) into IP addresses (such as 1.2.3.4) for computers to connect to.
  • Intranet domain name resolution: associates an intranet domain name valid within a VPC with a private IP address, providing domain name resolution within the VPC for the user's HUAWEI CLOUD resources. Intranet domain name resolution is a resolution process based on the VPC network, converting domain names (such as ecs.com) into private IP addresses (such as 192.168.1.1) through the HUAWEI CLOUD intranet DNS. It lets cloud servers in a VPC access each other directly through intranet domain names, and it also supports direct access to cloud services such as OBS and SMN through the intranet DNS without going through the public network.
  • Reverse resolution: supports obtaining the domain name that an IP address points to from that IP address. It is usually used for self-built mail servers and is a necessary setting to improve the reputation of the mail server's IP address and domain name.
  • Intelligent line resolution: distinguishes the source and type of the visitor's IP address by carrier, region, and other dimensions, and returns different resolution results for requests for the same domain name, pointing to the IP addresses of different servers. When a China Unicom user visits, the DNS server returns the IP address of the China Unicom server; when a China Telecom user visits, it returns the IP address of the China Telecom server, which solves slow cross-carrier access and achieves efficient resolution. It also supports custom resolution lines that divide visitors by IP network segment, so resolution lines can be configured at a finer granularity to route visitors to different web servers.

3.4.2 Public domain name resolution

image.png

3.4.3 Intranet domain name resolution

image.png

Thinking questions

image.png
image.png

Origin blog.csdn.net/GoNewWay/article/details/130761188