Huawei Cloud Service Certification Training

HCIP-Cloud Service Solutions

Architect

Lab Guide
ISSUE: 3.0

HUAWEI TECHNOLOGIES CO., LTD.

1
Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any
means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of
their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made
between Huawei and the customer. All or part of the products, services and features
described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and
recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com

Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd
 HCIP-Cloud Service Solutions Architect Lab Guide Page 1

Huawei Certification System

Huawei Certification is an integral part of the company's "Platform + Ecosystem"
strategy, and it supports the ICT infrastructure featuring "Cloud-Pipe-Device". It evolves
to reflect the latest trends of ICT development. Huawei Certification consists of two
categories: ICT Infrastructure Certification, and Cloud Service & Platform Certification,
making it the most extensive technical certification program in the industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Huawei Certification covers all ICT fields and adapts to the industry trend of ICT
convergence. With its leading talent development system and certification standards, it
is committed to fostering new ICT talent in the digital era, and building a sound ICT
talent ecosystem.
The courses of the HCIP-Cloud Service Solutions Architect V3.0 describe the
evolution of enterprise IT, cloud-based architecture of traditional applications, cloud
native application architecture, and Huawei Cloud innovations and solutions, etc.
Huawei certification helps you unlock opportunities to advance your career and
take one more step towards the top of the industry.
HCIP-Cloud Service Solutions Architect Lab Guide Page 2
 HCIP-Cloud Service Solutions Architect Lab Guide Page 3

About This Document

Introduction
This document is intended for readers who are preparing for the HCIP-Cloud Service
Solutions Architect exam or interested in the basics of the HCIP-Cloud Service Solutions
Architect courses, including the evolution of enterprise IT, cloud-based architecture of
traditional applications, solution design of cloud-based compute, storage, network,
database, and security, containers and cloud native, and Huawei Cloud O&M.

About the Exercises

This document includes eight exercises: compute architecture design, network
architecture design, storage architecture design, database architecture design, security
architecture design, containerized application deployment, microservice application
deployment, and cloud O&M.
 Exercise 1 is about compute architecture design. This exercise will guide you through
creating a WordPress website and configuring high availability (HA). This experiment
also provides guidance on configuring text injection in AS to facilitate resource
configuration management.
 Exercise 2 is about network architecture design. This exercise uses Huawei Cloud
resources in different regions to represent on-premises and cloud resources,
describes how on-premises resources can communicate with cloud resources and
manage cloud resources for O&M, and how cloud resources can communicate with
each other and access the internet. This exercise helps you deeply understand the
Huawei Cloud network architecture and usage principles.
 Exercise 3 is about storage architecture design. This exercise aims to help you
understand the architecture and principles of Huawei Cloud storage services by
setting up an environment to run video streaming services.
 Exercise 4 is about database architecture design. This exercise describes how to set
up a website using ECSs and cloud database instances and to configure a Redis
instance for it, helping you understand architectures and usage of Huawei cloud
databases.
 Exercise 5 is about security architecture design. This exercise describes host security,
two-factor authentication (2FA), address group, and key hosting on Data Encryption
Workshop (DEW). It helps you deeply understand the security architecture of Huawei
Cloud and how it works.
 Exercise 6 is about containerized application deployment. In this exercise, image is
created and pushed to Huawei SoftWare Repository for Container (SWR) for
deploying a container on Cloud Container Engine (CCE). In this way, you will
understand how to use the Dockerfile to build images and CCE, retain the latest
 HCIP-Cloud Service Solutions Architect Lab Guide Page 4

three object versions in the OBS bucket using FunctionGraph, and use and configure
FunctionGraph.
 Exercise 7 is about microservice application deployment, including microservice
deployment and weathermap microservice building through ServiceStage, helping
you understand the methods and principles of building ServiceStage microservices.
 Exercise 8 is about cloud O&M, including Cloud Eye and Application Operations
Management (AOM), helping you understand their architectures, principles, and
usage.

Knowledge Background
This document is part of the Huawei certification courses. Before reading this document,
readers should understand:
 Basics of the HCIA-Cloud Service courses and cloud computing
 Basics of Linux

Lab Environment
The lab environment of these exercises is Huawei Cloud
(https://www.huaweicloud.com/intl/en-us/). You do not need to purchase any equipment
and all the operations described in this document are performed in this environment. Log
in to Huawei Cloud Help Center (https://support.huaweicloud.com/intl/en-us/) if you
need technical help.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 5

Contents

About This Document .......................................................................................................................... 3

Introduction ....................................................................................................................................................................................... 3
About the Exercises ......................................................................................................................................................................... 3
Knowledge Background ................................................................................................................................................................ 4
Lab Environment .............................................................................................................................................................................. 4
1 Compute Architecture Design ........................................................................................................ 9
1.1 Introduction ................................................................................................................................................................................ 9
1.1.1 About This Exercise .............................................................................................................................................................. 9
1.1.2 Objectives ................................................................................................................................................................................ 9
1.1.3 Related Software ................................................................................................................................................................... 9
1.1.4 Networking............................................................................................................................................................................10
1.2 Procedure ..................................................................................................................................................................................10
1.2.1 Creating VPCs and Security Groups .............................................................................................................................10
1.2.2 Creating an RDS Instance ................................................................................................................................................14
1.2.3 Creating an ECS ...................................................................................................................................................................18
1.2.4 Installing WordPress ..........................................................................................................................................................21
1.2.5 Creating an Image and Applying for an ECS ............................................................................................................26
1.2.6 Buying Load Balancers ......................................................................................................................................................29
1.2.7 Creating an AS Group .......................................................................................................................................................35
1.3 Clearing Resources .................................................................................................................................................................44
1.4 Quiz .............................................................................................................................................................................................47
2 Network Architecture Design ....................................................................................................... 48
2.1 Introduction ..............................................................................................................................................................................48
2.1.1 About This Exercise ............................................................................................................................................................48
2.1.2 Objectives ..............................................................................................................................................................................48
2.1.3 Networking............................................................................................................................................................................49
2.2 Procedure ..................................................................................................................................................................................49
2.2.1 Creating VPCs .......................................................................................................................................................................49
2.2.2 Creating Security Groups .................................................................................................................................................52
2.2.3 Buying ECSs ...........................................................................................................................................................................54
2.2.4 Creating a VPC Peering Connection .............................................................................................................................59
2.2.5 Configuring a VPN ..............................................................................................................................................................64
2.2.6 Configuring ECS01 to Manage ECS03 .........................................................................................................................71
2.2.7 Creating a NAT Gateway .................................................................................................................................................73
 HCIP-Cloud Service Solutions Architect Lab Guide Page 6

2.3 Verifying the Result ...............................................................................................................................................................78

2.3.1 Logging In to a Remote Resource from an O&M Host ........................................................................................78
2.3.2 Cloud Resources Accessing the Internet Through a Public NAT Gateway.....................................................79
2.4 Clearing Resources .................................................................................................................................................................79
2.5 Quiz .............................................................................................................................................................................................80
3 Storage Architecture Design ......................................................................................................... 81
3.1 Introduction ..............................................................................................................................................................................81
3.1.1 About This Exercise ............................................................................................................................................................81
3.1.2 Objectives ..............................................................................................................................................................................81
3.1.3 Networking............................................................................................................................................................................81
3.1.4 Related Software .................................................................................................................................................................81
3.2 Procedure ..................................................................................................................................................................................82
3.2.1 Preparations ..........................................................................................................................................................................82
3.2.2 Creating a VPC .....................................................................................................................................................................82
3.2.3 Creating a Security Group ...............................................................................................................................................83
3.2.4 Creating an SFS File System ...........................................................................................................................................84
3.2.5 Creating an OBS Bucket ...................................................................................................................................................86
3.2.6 Creating an ECS ...................................................................................................................................................................89
3.2.7 Mounting the SFS File System .......................................................................................................................................91
3.2.8 Downloading the Object File ..........................................................................................................................................94
3.2.9 Attaching an EVS Disk.......................................................................................................................................................96
3.2.10 Compiling and Installing Nginx ................................................................................................................................ 100
3.2.11 Configuring HA............................................................................................................................................................... 101
3.3 Verifying the Result ............................................................................................................................................................ 110
3.4 Clearing Resources .............................................................................................................................................................. 111
3.5 Quiz .......................................................................................................................................................................................... 113
4 Database Architecture Design ................................................................................................... 114
4.1 Introduction ........................................................................................................................................................................... 114
4.1.1 About This Exercise ......................................................................................................................................................... 114
4.1.2 Objectives ........................................................................................................................................................................... 114
4.1.3 Networking......................................................................................................................................................................... 114
4.1.4 Related Software .............................................................................................................................................................. 114
4.2 Procedure ............................................................................................................................................................................... 115
4.2.1 Creating a Security Group ............................................................................................................................................ 115
4.2.2 Creating a VPC .................................................................................................................................................................. 116
4.2.3 Buying a Cloud Database Instance ............................................................................................................................ 117
4.2.4 Creating a Database for WordPress .......................................................................................................................... 120
4.2.5 Deploying WordPress ..................................................................................................................................................... 122
4.2.6 Creating a DCS Instance ................................................................................................................................................ 131
 HCIP-Cloud Service Solutions Architect Lab Guide Page 7

4.2.7 Enabling Redis Object Cache ....................................................................................................................................... 134

4.3 Verifying the Result ............................................................................................................................................................ 135
4.4 Clearing Resources .............................................................................................................................................................. 136
4.5 Quiz .......................................................................................................................................................................................... 137
5 Security Architecture Design ...................................................................................................... 138
5.1 Introduction ........................................................................................................................................................................... 138
5.1.1 About This Exercise ......................................................................................................................................................... 138
5.1.2 Objectives ........................................................................................................................................................................... 138
5.1.3 Networking......................................................................................................................................................................... 139
5.1.4 Related Software .............................................................................................................................................................. 139
5.2 Procedure ............................................................................................................................................................................... 140
5.2.1 Deploying DVWA ............................................................................................................................................................. 140
5.2.2 Enabling HSS ..................................................................................................................................................................... 151
5.2.3 Configuring Two-Factor Authentication .................................................................................................................. 156
5.2.4 Configuring a Security Group ...................................................................................................................................... 160
5.2.5 Configuring an IP Address Group .............................................................................................................................. 163
5.2.6 Hosting a Key on DEW .................................................................................................................................................. 167
5.3 Clearing Resources .............................................................................................................................................................. 175
5.4 Quiz .......................................................................................................................................................................................... 177
6 Containerized Application Deployment .................................................................................. 178
6.1 Introduction ........................................................................................................................................................................... 178
6.1.1 About This Exercise ......................................................................................................................................................... 178
6.1.2 Objectives ........................................................................................................................................................................... 178
6.1.3 Networking......................................................................................................................................................................... 178
6.1.4 Related Software .............................................................................................................................................................. 179
6.2 Procedure ............................................................................................................................................................................... 179
6.2.1 Deploying Containers & CCE........................................................................................................................................ 179
6.2.2 FunctionGraph .................................................................................................................................................................. 201
6.3 Clearing Resources .............................................................................................................................................................. 217
6.4 Quiz .......................................................................................................................................................................................... 221
7 Microservice Application Deployment..................................................................................... 222
7.1 Introduction ........................................................................................................................................................................... 222
7.1.1 About This Exercise ......................................................................................................................................................... 222
7.1.2 Objectives ........................................................................................................................................................................... 222
7.1.3 Related Software .............................................................................................................................................................. 222
7.2 Procedure ............................................................................................................................................................................... 223
7.2.1 Preparations ....................................................................................................................................................................... 223
7.2.2 Building a Microservice .................................................................................................................................................. 241
 HCIP-Cloud Service Solutions Architect Lab Guide Page 8

7.2.3 Deploying a Microservice .............................................................................................................................................. 251

7.3 Verifying the Result ............................................................................................................................................................ 272
7.4 Clearing Resources .............................................................................................................................................................. 274
7.5 Quiz .......................................................................................................................................................................................... 275
8 Cloud O&M Design ....................................................................................................................... 276
8.1 Introduction ........................................................................................................................................................................... 276
8.1.1 About This Exercise ......................................................................................................................................................... 276
8.1.2 Objectives ........................................................................................................................................................................... 276
8.1.3 Related Software .............................................................................................................................................................. 276
8.2 Procedure ............................................................................................................................................................................... 276
8.2.1 Preparations ....................................................................................................................................................................... 276
8.2.2 Cloud Eye ............................................................................................................................................................................ 281
8.2.3 AOM...................................................................................................................................................................................... 288
8.3 Clearing Resources .............................................................................................................................................................. 299
8.4 Quiz .......................................................................................................................................................................................... 300
 HCIP-Cloud Service Solutions Architect Lab Guide Page 9

1 Compute Architecture Design

1.1 Introduction
1.1.1 About This Exercise
In this exercise, you will be guided on how to create a WordPress website using Elastic Cloud
Server (ECS) and Relational Database Service (RDS) in Virtual Private Cloud (VPC) on Huawei
Cloud. In the cloud architecture, Elastic Load Balance (ELB) will be used to distribute traffic
and improve fault tolerance of the website. Auto Scaling (AS) will be used to ensure high
service quality and compute resource utilization. Text injection will be used to keep the
address of the backend database connected to ECSs created by AS unchanged during resource
scaling. After completing this exercise, you will understand how to use Huawei Cloud compute
services.

1.1.2 Objectives
Understand how to use cloud services in the cloud computing architecture design.
Master the methods for designing the availability, scalability, and performance of cloud
resources.

1.1.3 Related Software

WordPress is a free open-source project and a blog software. You can use WordPress to
set up your own websites on servers that support PHP and MySQL databases.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 10

1.1.4 Networking

Figure 1-1

1.2 Procedure
1.2.1 Creating VPCs and Security Groups
Step 1 Visit https://intl.huaweicloud.com/en-us/ and log in using your Huawei Cloud
account. Select CN-Hong Kong region (The CN-Hong Kong region is used as an
example in this exercise), and choose Networking > Virtual Private Cloud in the
service list.

Figure 1-2
Step 2 Click Create VPC. (Resources in this exercise will be created in this VPC.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 11

Figure 1-3
Step 3 Configure the following parameters and click Create Now.

Basic Information
 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 Name: vpc-1
 IPv4 CIDR Block: 192.168.0.0/16
Default Subnet
 AZ: AZ3 (AZ3 is used as an example in this exercise.)
 Name: vpc-1-subnet
 IPv4 CIDR Block: 192.168.1.0/24

Figure 1-4
Step 4 On the Network Console, choose Access Control > Security Groups, and click Create
Security Group in the upper right corner.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 12

Figure 1-5
Step 5 Create a security group. (This security group is used by the RDS service and traffic
should be allowed on port 3306.)
 Name: sg-rds
 Template: Select a required one.

Figure 1-6
Step 6 In the dialog box displayed, click Manage Rule.

Figure 1-7
Step 7 Click the Inbound Rules tab, and then click Add Rule.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 13

Figure 1-8
Step 8 Add a rule as follows:
 Priority: 1
 Action: Allow
 Protocol: TCP
 Port: 3306
 Source: IP address and 0.0.0.0

Figure 1-9
Step 9 Click OK.

Figure 1-10
Step 10 Create the security group sg-web and select General-purpose web server as its
template. (This security group is used by the ECS in this exercise.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 14

Figure 1-11

1.2.2 Creating an RDS Instance

Step 1 In the service list, choose Relational Database Service.

Figure 1-12
Step 2 Click Buy DB Instance in the upper right corner.

Note: In this DB instance, a database will be created to interconnect with WordPress.

Figure 1-13
Step 3 Configure parameters as follows:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 15

 DB Instance Name: rds-wordpress

 DB Engine: MySQL
 DB Engine Version: 8.0
 DB Instance Type: Single
 AZ: az2 (az2 is used as an example in this exercise.)
 Instance Class: 2 vCPUs | 4 GB
 Storage Space (GB): 40
 Disk Encryption: Disable

Figure 1-14

Figure 1-15
 VPC: vpc-1
 Subnet: vpc-1-subnet
 Security Group: sg-rds
 Administrator Password: User-defined
 HCIP-Cloud Service Solutions Architect Lab Guide Page 16

 Retain the default values for other parameters.

Figure 1-16
Step 4 Click Next. Confirm the configurations and click Submit.

Step 5 On the Instances page, locate the instance and choose More > Log In in the
Operation column.

Figure 1-17
Step 6 Enter the username and password, click Test Connection, and then click Log In.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 17

Figure 1-18
Step 7 On the displayed page, click Create Database. The created database will be used to
interconnect with WordPress.

Figure 1-19
Step 8 Enter wordpress for Name, retain the default character set, and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 18

Figure 1-20
Step 9 Switch back to the RDS console. On the Instances page, click the instance name to
go to the Basic Information page.

Figure 1-21
Step 10 Record the floating IP address and port number of the instance for future use.

Note: When configuring WordPress, you need to enter such information in the
configuration file.

Figure 1-22

1.2.3 Creating an ECS

Step 1 In the service list, choose Compute > Elastic Cloud Server, and click Buy ECS in the
upper right corner.

Figure 1-23
Step 2 Configure settings for the ECS.

The following uses ecs-wordpress as an example.

 Billing Mode: Pay-per-use
 HCIP-Cloud Service Solutions Architect Lab Guide Page 19

 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 AZ: AZ 2 (AZ 2 is used as an example in this exercise.)
 CPU Architecture: x86
 Specifications: 2 vCPUs | 4 GiB
 Image: Public image | CentOS 7.6 64bit(40GB)
 Host Security: Enable (Basic)
 Network: vpc-1 | vpc-1-subnet | Automatically assign IP address
 Security Group: sg-web
 EIP: Auto assign
 EIP Type: Premium BGP
 Billed By: Traffic
 Bandwidth Size: 10 Mbit/s
 System Disk: High I/O | 40 GiB
 ECS Name: ecs-wordpress
 Password: User-defined (with the username of root)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 20

Figure 1-24
Step 3 Confirm the configurations and click Submit.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 21

1.2.4 Installing WordPress

Step 1 Locate the newly purchased ECS in the ECS list and click Remote Login in the
Operation column.

Figure 1-25
Step 2 Install Linux, Apache, MySQL, PHP/Perl/Python (LAMP) and start related services.

[root@ecs-wordpress ~]# yum install -y httpd php php-fpm php-server php-mysql mysql

Figure 1-26
Step 3 Configure httpd.

[root@ecs-wordpress ~]# vim /etc/httpd/conf/httpd.conf

Step 4 In the configuration file, press Shift+G to go to the last line of the configuration file,
press I to enter the editing mode, move the cursor to the end of the configuration
file, and press Enter. Then copy and paste the following code.

Note: This step is used to set the host name and port number for the server. To enhance
reliability and predictability, use the host name and port number specified by
ServerName.

ServerName localhost:80
 HCIP-Cloud Service Solutions Architect Lab Guide Page 22

Figure 1-27
Step 5 Press Esc to exit the editing mode, enter :wq, and press Enter to save and exit the
configuration file.

Figure 1-28
Step 6 Download the WordPress installation package.

[root@ecs-wordpress ~]# wget -c https://cloudservice-v3.obs.cn-east-

3.myhuaweicloud.com/wordpress-4.9.10_en.tar.gz
 HCIP-Cloud Service Solutions Architect Lab Guide Page 23

Figure 1-29
Step 7 Decompress the WordPress installation package to /var/www/html.

[root@ecs-wordpress ~]# tar -zxvf wordpress-4.9.10_en.tar.gz -C /var/www/html/

The decompression is complete when wordpress/readme.html is displayed.

Figure 1-30
Step 8 Create a wp-config.php file.

[root@ecs-wordpress ~]# cd /var/www/html/wordpress

[root@ecs-wordpress wordpress]# cp wp-config-sample.php wp-config.php

Figure 1-31
Step 9 Configure database parameters in the wp-config.php file to interconnect with the
wordpress database.

[root@ecs-wordpress wordpress]# vi wp-config.php

Configure database parameters as follows:

 DB_NAME: wordpress
 DB_USER: root
 DB_PASSWORD: user-defined
 DB_HOST: Private IP address of the RDS instance:Port number (3306 by default)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 24

Figure 1-32
Step 10 Grant read and write permissions to the directory where the package is
decompressed.

[root@ecs-wordpress wordpress]# chmod -R 777 /var/www/html

Figure 1-33
Step 11 Enable httpd and php-fpm.

[root@ecs-wordpress wordpress]# systemctl start httpd.service

[root@ecs-wordpress wordpress]# systemctl start php-fpm.service

Step 12 Check the httpd service status. The status active (running) indicates that the httpd
service has been enabled.

[root@ecs-wordpress wordpress]# systemctl status httpd

Figure 1-34
Step 13 Check the php-fpm service status. The status active (running) indicates that the
php-fpm service has been enabled.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 25

[root@ecs-wordpress wordpress]# systemctl status php-fpm

Figure 1-35
Step 14 Set httpd and php-fpm to automatically start upon system startup.

[root@ecs-wordpress wordpress]# systemctl enable httpd

[root@ecs-wordpress wordpress]# systemctl enable php-fpm

Figure 1-36
Step 15 Open a browser and enter http://External IP address of ECS-
WordPress/wordpress/index.php in the address bar (in this exercise, enter
http://119.3.199.107/wordpress/index.php). If the information shown in the
following figure is displayed, the ECS is successfully interconnected with the
database.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 26

Figure 1-37

1.2.5 Creating an Image and Applying for an ECS

Step 1 Select Image Management Service from the service list.

Figure 1-38
Step 2 In the upper right corner, click Create Image.

This image will be used by Auto Scaling to provision ECSs.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 27

Figure 1-39
Step 3 Configure the following parameters and click Next.
 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 Type: System Disk Image
 Source: ECS (Select ecs-wordpress you created.)
 Name: wordpress

Figure 1-40
Step 4 Locate wordpress in the image list and click Apply for Server in the Operation
column.

The ECSs created here and ecs-wordpress created previously will be added to a backend
server group of Elastic Load Balance (ELB).
 HCIP-Cloud Service Solutions Architect Lab Guide Page 28

Step 5 Configure the following parameters to apply for ECSs.

 Billing Mode: Pay-per-use
 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 AZ: AZ 2 (AZ 2 is used as an example in this exercise.)
 CPU Architecture: x86
 Specifications: 2 vCPUs | 4 GiB
 Image: Private image | wordpress
 Network: vpc-1 | vpc-1-subnet | Automatically assign IP address
 Security Group: sg-web
 EIP: Not required
 System Disk: High I/O | 40 GiB
 ECS Name: ecs-awordpress
 Password: Set a password (or use the image password).
 HCIP-Cloud Service Solutions Architect Lab Guide Page 29

Figure 1-41

1.2.6 Buying Load Balancers

Step 1 Unbind the EIP from the ECS ecs-wordpress.

Note: The EIP will be bound to the load balancer in the follow-up exercise.

Figure 1-42
Step 2 In the service list, choose Networking > Elastic Load Balance.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 30

Figure 1-43
Step 3 Click Buy Elastic Load Balancer in the upper right corner.

Figure 1-44
Step 4 Configure the parameters as follows:
 Type: Shared
 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 Network Type: Public network
 VPC: vpc-1
 Subnet: vpc-1-subnet
 Private IP Address: Automatically-assigned IP address
 HCIP-Cloud Service Solutions Architect Lab Guide Page 31

Figure 1-45
 EIP: Use existing (Assign the above unbound EIP to this load balancer.)
 Name: elb-wordpress

Figure 1-46
Step 5 Locate the elb-wordpress in the load balancer list and click Add listener.

Figure 1-47
Step 6 Configure the parameters as follows:
 Name: listener-wordpress
 Frontend Protocol: TCP
 Frontend Port: 80 (Used by this load balancer to receive requests from clients.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 32

Figure 1-48
 Enable Sticky Session to ensure that requests from a client always are routed to the
same server before a session ends. Use the default values for other parameters and
click Next: Add Backend Server.

Figure 1-49
 Click Add.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 33

 Select ECS ecs-wordpress and the ECS ecs-wordpress-0001 created using the image.

Figure 1-50
 Set Batch Add Ports to 80 (used by backend servers to receive requests from this
load balancer). Use the default values for other parameters, and click Finish.

Figure 1-51
 HCIP-Cloud Service Solutions Architect Lab Guide Page 34

 After the load balancer is created, choose Listeners > Backend Server Groups to
ensure the health check result is Healthy.

Figure 1-52
 View the created load balancer on the load balancer page.

Figure 1-53
Step 7 Log in to http://119.3.199.107 (EIP bound to this load balancer)
/wordpress/index.php again. If the following information is displayed, the load
balancer is successfully deployed.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 35

Figure 1-54
1.2.7 Creating an AS Group
Step 1 In the service list, choose Data Encryption Workshop under Security & Compliance.

Figure 1-55
Step 2 Choose Key Pair Service in the left navigation pane and click Create Key Pair.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 36

Figure 1-56
Set Key Pair Name to KeyPair-wordpress and click OK.
Note: In this exercise, the key pair is used to create an AS group only.

Figure 1-57
Step 3 In the service list, choose Auto Scaling under Compute.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 37

Figure 1-58
Step 4 Click Create AS Configuration in the upper right corner.

Figure 1-59
Step 5 Configure the parameters as follows:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 Name: as-config-wordpress
 Configuration Template: Create new template
 HCIP-Cloud Service Solutions Architect Lab Guide Page 38

Figure 1-60
 Specifications: 2 vCPUs | 4 GiB
 Image: Private image | wordpress
 Disk: EVS | High I/O | 40 GB
 Security Group: sg-web
 EIP: Do not use

Figure 1-61
 Select Key Pair for Login Mode and select the key pair you created from the drop-
down list. Select Configure now for Advanced Settings, leave User Data to As text,
and copy the following content to the box to modify the database address in the wp-
config.php file in the selected image. (In this exercise, the IP address following
DB_HOST is changed from 192.168.1.137 to 192.168.1.207.)

#!/bin/bash
sed -i -E "s/'DB_HOST',\s*'.*?'/'DB_HOST', '192.168.1.207'/" /var/www/html/wordpress/wp-config.php
 HCIP-Cloud Service Solutions Architect Lab Guide Page 39

Note: 192.168.1.207 is the private IP address of the backend database in this lab. Replace
it with the actual IP address.

Figure 1-62
Step 6 After the AS configuration is created, click Create AS Group in the upper right
corner.

Figure 1-63
Step 7 Configure the parameters as follows:
 Region: CN-Hong Kong (The CN-Hong Kong region is used as an example in this
exercise.)
 AZ: Retain the default setting.
 Multi-AZ Scaling Policy: Balanced
 Name: as-config-wordpress
 Max. Instances: 4
 Expected Instances: 2 (Considering the lab environment capacity, you are advised to
set the expected number of instances to 2 in this exercise.)
 Min. Instances: 1
 AS Configuration: as-config-wordpress
 VPC: vpc-1
 Subnet: vpc-1-subnet
 Load Balancing: Elastic load balancer
 HCIP-Cloud Service Solutions Architect Lab Guide Page 40

 Load Balancer: elb-wordpress (Select the balancer you created previously.)

 Backend ECS Group: Select a backend ECS group bound with load balancer elb-
wordpress.

Figure 1-64
 Retain the default settings for other parameters and click Create Now.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 41

Figure 1-65
Step 8 In the AS group list, check that the created AS group is enabled.

Figure 1-66
Step 9 Click Elastic Cloud Server in the left navigation pane. Check that two ECSs are
created by AS and displayed in the ECS list.

Figure 1-67
Step 10 Locate an ECS and click Remote Login to log in to the ECS. Then run the following
command to view the wp-config.php file on the ECS. Check that the value of
DB_HOST has been changed from 192.168.1.137 to 192.168.1.207. (This step is
performed to verify the text injection is successful and does not affect login.)

[root@ecs-wordpress ~]# cat /var/www/html/wordpress/wp-config.php

Note: You can use text injection to easily modify the backend database address. In this
way, you can keep services run during resource scaling without the need to create
images.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 42

Figure 1-68
Step 11 Delete the two ECSs named ecs-wordpress you created manually in previous
sections.

Note: This step is to check whether the ECSs scaled out by AS can provide services
properly.

Figure 1-69
Step 12 Open a browser and enter http://(EIP of the load balancer)/wordpress/index.php.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 43

Figure 1-70
Step 13 Enter the registration information as follows and click Install WordPress. After the
installation is complete, log in to WordPress. If the login is successful, the ECS
created by AS can provide services properly.
 Site Title: HCIP
 Username: huawei (user-defined)
 Password: User-defined
 Your Email: User-defined
 HCIP-Cloud Service Solutions Architect Lab Guide Page 44

Figure 1-71

Figure 1-72

1.3 Clearing Resources

Step 1 Delete the AS group. In the service list, choose Auto Scaling under Compute. In the
navigation pane on the left, choose Instance Scaling.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 45

 On the AS Groups tab, locate the row containing the AS group to be deleted and
choose More > Delete in the Operation column.
 Click the AS Configurations tab, locate the row containing the AS configuration to be
deleted, and click Delete in the Operation column.

Step 2 Delete the key pair.

 In the service list, choose Data Encryption Workshop under Security & Compliance. In
the navigation pane on the left, choose Key Pair Service.
 On the Private Key Pairs tab, locate the row containing the key pair to be deleted
and click Delete in the Operation column.

Step 3 Deleting the load balancer

 In the service list, choose Elastic Load Balance under Networking. In the load
balancer list, click the load balancer purchased in this exercise. On the Backend
Server Groups tab, in the Basic Information area, select all backend servers and click
Remove above the server list.

Figure 1-73
 On the Listeners tab, delete the listener purchased in this exercise.

Figure 1-74
 Back to the load balancer list and click Delete in the Operation column to delete the
load balancer.
 In the displayed dialog box, select Release the EIP and click Yes.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 46

Figure 1-75
Step 4 Delete the image created in this exercise.
 In the service list, choose Image Management Service under Compute. In the private
image list, locate the image created in this exercise and choose More > Delete in the
Operation column.

Step 5 Delete the RDS instance.

 In the service list, choose Relational Database Service under Database. In the
instance list, locate the instance purchased in this exercise and click Delete in the
Operation column.

Step 6 Delete the ECS.

 In the service list, choose Elastic Cloud Server under Compute. In the ECS list, locate
the ECS purchased in this exercise and choose More > Delete in the Operation
column.
 In the displayed dialog box, select the check boxes displayed in the following picture
and click Yes.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 47

Figure 1-76
Step 7 Delete the security group.
 In the service list, choose Virtual Private Cloud under Networking. In the security
group list, locate the security group created in this exercise and click Delete in the
Operation column.

Step 8 Delete the subnet and VPC.

 Choose Subnets in the navigation pane on the left. Locate the subnet created in this
exercise and click Delete in the Operation column.
 Choose My VPCs in the navigation pane on the left. In the VPC list, locate the VPC
created in this exercise and click Delete in the Operation column.

1.4 Quiz
Question: If health check is enabled without specifying a health check port, how will the
health check be performed?
Answer: If you do not specify a health check port, a port of the backend server will be
used for health checks by default. If you specify a port, the port will be used for health
checks.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 48

2 Network Architecture Design

2.1 Introduction
2.1.1 About This Exercise
This exercise uses Huawei Cloud resources in different regions to represent on-premises
and cloud resources, describes how on-premises resources can communicate with cloud
resources and manage cloud resources for O&M, and how cloud resources can
communicate with each other and access the internet.
VPC 1 in the CN-Hong Kong region represents an on-premises network, and its ECS
represents an on-premises server used for O&M. VPC 2, VPC 3, and their ECSs in the AP-
Singapore region represent cloud resources.
To enable ECSs in VPC 2 and VPC 3 in the AP-Singapore region to communicate with
each other, a VPC peering connection is required. To enable the on-premises ECS used for
O&M in the CN-Hong Kong region to manage cloud resources in AP-Singapore region,
Virtual Private Network (VPN) and VPC peering connections are required. To enable
internet access, a NAT gateway is deployed in VPC 2 in the AP-Singapore region so that
ECSs in VPC 3 and VPC 2 can access the internet through the NAT gateway.
This exercise uses regions CN-Hong Kong and AP-Singapore as an example. Trainees can
select regions based on their own needs.

2.1.2 Objectives
Understand how to use the cloud services involved in the cloud network architecture.
Understand how to design cloud networks with scalability, manage cloud and on-
premises resources in unified manner, and allow cloud and on-premises communications.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 49

2.1.3 Networking

Figure 2-1

2.2 Procedure
2.2.1 Creating VPCs
Step 1 Visit https://intl.huaweicloud.com/en-us/ and log in using your Huawei Cloud
account. If you are an IAM user, log in as an IAM user.

Figure 2-2
 HCIP-Cloud Service Solutions Architect Lab Guide Page 50

Figure 2-3
Step 2 Click Console and select CN-Hong Kong.

Step 3 In the service list, choose Networking > Virtual Private Cloud.

Step 4 Click Create VPC in the upper right corner.

Figure 2-4
Step 5 Configure the following parameters and click Create Now.

Note: In this exercise, this VPC represents an on-premises network.

Basic Information
 Region: CN-Hong Kong
 Name: vpc-1
 IPv4 CIDR Block: 192.168.0.0/16
Default Subnet
 Name: vpc-1-subnet
 IPv4 CIDR Block: 192.168.1.0/24

Figure 2-5
Step 6 Repeat the preceding steps to create VPC 2 and VPC 3 as follows.

Note: VPC 2 and VPC 3 represent cloud networks.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 51

Basic Information
 Region: AP-Singapore
 Name: vpc-2
 IPv4 CIDR Block: 192.168.0.0/16
Default Subnet
 AZ: AZ1
 Name: vpc-2-subnet
 IPv4 CIDR Block: 192.168.2.0/24
Basic Information
 Region: AP-Singapore
 Name: vpc-3
 IPv4 CIDR Block: 192.168.0.0/16
Default Subnet
 AZ: AZ1
 Name: vpc-3-subnet
 IPv4 CIDR Block: 192.168.3.0/24
 HCIP-Cloud Service Solutions Architect Lab Guide Page 52

Figure 2-6

2.2.2 Creating Security Groups

Step 1 In the CN-Hong Kong region, choose Access Control > Security Groups on the
network console, and click Create Security Group in the upper right corner.

Figure 2-7
Step 2 Configure the parameters as follows and click OK.

Note: This security group is used by ECSs in VPC 1. You need to allow all ICMP traffic and
traffic on port 22. ICMP is used for connectivity tests, and port 22 is used for SSH login
tests.
 Name: sg-1
 Template: Select a required one.

Figure 2-8
Step 3 In the dialog box displayed, click Manage Rule.

Figure 2-9
Step 4 Add the first inbound rule as follows:
 HCIP-Cloud Service Solutions Architect Lab Guide Page 53

 Priority: 1
 Action: Allow
 Protocol: ICMP
 Port: All
 Source: IP address and 0.0.0.0/0

Figure 2-10
Step 5 Add the second inbound rule as follows:
 Priority: 1
 Action: Allow
 Protocol: TCP
 Port: 22
 Source: IP address and 0.0.0.0/0

Figure 2-11
Step 6 Repeat the preceding steps to create security group sg-4 in the AP-Singapore
region.

Note: Security group sg-4 is used by ECSs in the AP-Singapore region. You also need to
allow all ICMP traffic and traffic on port 22.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 54

2.2.3 Buying ECSs

Step 1 In the CN-Hong Kong region, click Buy ECS in the upper right corner.

Figure 2-12
Step 2 Configure the parameters as follows.

Note: ecs-01 represents an on-premises server used for O&M.

ecs-01 configuration:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: Random
 CPU Architecture: x86
 Specifications: 1 vCPUs | 2 GiB
 Image: Public image | CentOS 7.6 64bit(40GB)
 Host Security: Enable | Basic (free)
 Network: vpc-1 | vpc-1-subnet | Automatically assign IP address
 Security Group: sg-1
 EIP: Not required
 System Disk: High I/O | 40 GiB
 ECS Name: ecs-01
 Password: User-defined (with the username of root)
HCIP-Cloud Service Solutions Architect Lab Guide Page 55
 HCIP-Cloud Service Solutions Architect Lab Guide Page 56

Figure 2-13
Step 3 Repeat the preceding steps to purchase ecs-02 and ecs-03 in the AP-Singapore
region.

Note: ecs-02 and ecs-03 represent cloud resources.

ecs-02 configuration:
 Billing Mode: Pay-per-use
 Region: AP-Singapore
 AZ: Random
 CPU Architecture: x86
 Specifications: 1 vCPUs | 2 GiB
 Image: Public image | CentOS 7.6 64bit(40GB)
 Host Security: Enable | Basic (free)
 Network: vpc-2 | vpc-2-subnet | Automatically assign IP address
 Security Group: sg-4
 EIP: Not required
 System Disk: High I/O | 40 GiB
 ECS Name: ecs-02
 Password: User-defined (with the username of root)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 57

Figure 2-14
ecs-03 configuration:
 Billing Mode: Pay-per-use
 Region: AP-Singapore
 AZ: Random
 CPU Architecture: x86
 Specifications: 1 vCPUs | 2 GiB
 HCIP-Cloud Service Solutions Architect Lab Guide Page 58

 Image: Public image | CentOS 7.6 64bit(40GB)

 Host Security: Enable | Basic (free)
 Network: vpc-3 | vpc-3-subnet | Automatically assign IP address
 Security Group: sg-4
 EIP: Not required
 System Disk: High I/O | 40 GiB
 ECS Name: ecs-03
 Password: User-defined (with the username of root)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 59

Figure 2-15

2.2.4 Creating a VPC Peering Connection

Step 1 In the AP-Singapore region, choose VPC Peering on the Network Console, and click
Create VPC Peering Connection in the upper right corner.

Note: This VPC peering connection is used to enable cloud resources in VPC 2 and VPC 3
to communicate.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 60

Figure 2-16
Step 2 Configure the parameters as follows:
 Name: vpc2-vpc3
 Local VPC: vpc-2
 Account: My account
 Peer Project: ap-southeast-3
 Peer VPC: vpc-3

Figure 2-17
Step 3 Return to the VPC peering connection list, view the created VPC peering connection
vpc2-vpc3, and click the connection name vpc2-vpc3.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 61

Figure 2-18
Step 4 Click Route Tables on the Local Routes tab to go to the details page of the rtb-vpc-
2 route table.

Figure 2-19
Step 5 Click Add Route.

Figure 2-20
Step 6 Configure the parameters as follows and click OK.

Note: This route is added to the route table of VPC 2 to forward traffic to the subnet in
VPC 3.
 Destination: 192.168.3.0/24
 Next Hop Type: VPC peering connection
 Next Hop: vpc2-vpc3
 HCIP-Cloud Service Solutions Architect Lab Guide Page 62

Figure 2-21
Step 7 In the route table list, click the name of the rtb-vpc-3 route table to add a peer
route.

Figure 2-22
Step 8 Click Add Route.

Figure 2-23
Step 9 Configure the parameters as follows and click OK.

Note: This route is added to the route table of VPC 3 to forward traffic to the subnet in
VPC 2.
 Destination: 192.168.2.0/24
 Next Hop Type: VPC peering connection
 Next Hop: vpc2-vpc3
 HCIP-Cloud Service Solutions Architect Lab Guide Page 63

Figure 2-24
Step 10 Log in to ecs-03 and verify the communication between ecs-02 and ecs-03.
 Locate the row that contains ecs-03 and click Remote Login in the Operation
column.

Figure 2-25
 Enter the password to log in to ecs-03.

Figure 2-26
 Ping ecs-02 from ecs-03 to test the communication between them.
Note: 192.168.2.23 is the private IP address of ecs-02 in the VPC.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 64

Figure 2-27

2.2.5 Configuring a VPN

Step 1 In the CN-Hong Kong region, click Console, choose Virtual Private Network > VPN
Gateway, and click Buy VPN Gateway.

Figure 2-28
Step 2 Set the following parameters to create a VPN gateway.

Note: This VPN gateway connects the on-premises site in the CN-Hong Kong region to
cloud resources in the AP-Singapore region.
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 HCIP-Cloud Service Solutions Architect Lab Guide Page 65

Figure 2-29
VPN gateway configuration:
 Name: vpngw-vpc1
 VPC: vpc-1
 Type: IPsec
 Billed By: Bandwidth
 Bandwidth (Mbit/s): 5 Mbit/s

Figure 2-30
VPN connection configuration:
 Name: vpn-1
 Local Subnet: Select subnet | vpc-1-subnet
 Remote Gateway: 100.100.100.100 (Change this IP address to the actual IP address
of the remote gateway after you create the remote gateway.)
 Remote Subnet: 192.168.2.0/24,192.168.3.0/24
Note: Enter the subnets of both VPC 2 and VPC 3. This configuration specifies the
traffic of interest in IPsec on the local end. IPsec encapsulation will be performed on
the specified traffic.
 PSK: User-defined
 HCIP-Cloud Service Solutions Architect Lab Guide Page 66

Figure 2-31
Step 3 Confirm the configuration and click Submit.

Step 4 View the created VPN gateway, and record its IP address (159.138.15.141 in this
example).

Note: You need to enter this VPN gateway IP address when creating a remote VPN
gateway.

Figure 2-32
Step 5 In the AP-Singapore region, click Console, choose Virtual Private Network > VPN
Gateway, and click Buy VPN Gateway. Set parameters as follows to create a VPN
gateway:

Note: This VPN gateway is created on the cloud (AP-Singapore region) to connect to the
VPN gateway at the on-premises site (CN-Hong Kong region).
 Region: AP-Singapore
 Name: vpngw-vpc2
 VPC: vpc-2
 Type: IPsec
 Billed By: Bandwidth
 Bandwidth (Mbit/s): 5
 HCIP-Cloud Service Solutions Architect Lab Guide Page 67

Figure 2-33
Step 6 Set the following parameters to create a VPN connection.
 Name: vpn-1-2
 Local Subnet: Select subnet | vpc-2-subnet
 Remote Gateway: 159.138.15.141 (IP address of the VPN gateway created in Step 2)
 Remote Subnet: 192.168.1.0/24
Note: Enter the subnet of VPC 1. This configuration specifies the traffic of interest in
IPsec on the local end. IPsec encapsulation will be performed on the specified traffic.
 PSK: User-defined
 Advanced Settings: Default
 HCIP-Cloud Service Solutions Architect Lab Guide Page 68

Figure 2-34
Step 7 View the created VPN gateway, and record its IP address (159.138.81.15 in this
example).

Note: You need to change the value of Remote Gateway to this gateway IP address for
the VPN gateway in the CN-Hong Kong region.

Figure 2-35
Step 8 Switch to the CN-Hong Kong region, and choose Virtual Private Network > VPN
Connections.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 69

Figure 2-36
Step 9 Choose More > Modify in the Operation column.

Figure 2-37
Step 10 Change the value of Remote Gateway to 159.138.81.15, and click OK.
 Before change

Figure 2-38
 After change
 HCIP-Cloud Service Solutions Architect Lab Guide Page 70

Figure 2-39
Step 11 Check that the VPN connection status is Updating.

Note: When no traffic triggers IPsec SA negotiation, the VPN connection remains in the
Updating state.

Figure 2-40
Step 12 Log in to ECS01, and run the ping command to test connectivity with ECS02. Then,
traffic of interest in IPsec is sent, which triggers IPsec SA negotiation.

Figure 2-41
Step 13 Refresh the VPN connection page. The VPN connection status is changed to
Normal.

This means that the VPN connection is successfully established, IPsec SA negotiation is
successful, and packets can be properly transmitted.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 71

Figure 2-42

2.2.6 Configuring ECS01 to Manage ECS03

When the VPN connection is in normal state, ECS01 and ECS02 can communicate with
each other. To use ECS01 to log in to ECS03 for management, perform the following
operations:
 Add a route to 192.168.1.0/24 (subnet in VPC 1) to the route table of VPC 3, with the
next hop set to the VPC peering connection with VPC 2.
 Change the value of Local Subnet to Specify CIDR block for the VPN connection of
VPC 2, and add the CIDR block 192.168.3.0/24.

Step 1 Go to the route table management page of the AP-Singapore region, and select the
rtb-vpc-3 route table of VPC 3.

Figure 2-43
Step 2 Click Add Route.

Figure 2-44
Step 3 Add a route to 192.168.1.0/24, with the next hop set to a VPC peering connection.
Then, click Confirm.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 72

Note: This configuration adds a route destined for VPC 1 to the route table of VPC 3.
 Destination: 192.168.1.0/24
 Next Hop Type: VPC peering connection
 Next Hop: vpc2-vpc3

Figure 2-45
Step 4 In the AP-Singapore region, click Console, and choose Virtual Private Network >
VPN Connections. Change the value of Local Subnet to Specify CIDR block for the
VPN connection vpn-1-2, and add the CIDR block 192.168.3.0/24.
 Before change

Figure 2-46
 After change
 HCIP-Cloud Service Solutions Architect Lab Guide Page 73

Figure 2-47
Note: After the modification, VPC 3 has a route to 192.168.1.0/24, and the local subnet of
the VPN connection in the AP-Singapore region contains the CIDR block 192.168.3.0/24.
When packets on 192.168.3.0/24 reach VPC 2, IPsec encapsulation is triggered for the
packets.

2.2.7 Creating a NAT Gateway

Step 1 In the AP-Singapore region, choose Virtual Private Cloud under Networking. In the
navigation pane on the left, choose Elastic IP and Bandwidth > EIPs, click Buy EIP in
the upper right corner, set the following parameters, and click Next.

This NAT gateway is created in vpc-2 to enable Internet access for resources in vpc-2 and
vpc-3.
 Billing Mode: Pay-per-use
 Region: AP-Singapore
 EIP Type: Dynamic BGP
 Billed By: Traffic
 Bandwidth (Mbit/s): 5
 Bandwidth Name: NAT-IP
Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 74

Figure 2-48
Step 2 In the AP-Singapore region, choose NAT Gateway under Networking. On the
displayed Public NAT Gateway page, and click Buy Public NAT Gateway in the
upper right corner.

Figure 2-49
Step 3 Configure required parameters.
 Billing Mode: Pay-per-use
 Region: AP-Singapore
 Name: nat-vpc2
 VPC: vpc-2
 Subnet: vpc-2-subnet
 Specifications : Small
 HCIP-Cloud Service Solutions Architect Lab Guide Page 75

Figure 2-50
Step 4 In the displayed dialog box, click Add Rule.

Figure 2-51
Step 5 Add the first SNAT rule to enable servers in 192.168.2.0/24 of vpc-2 to access the
Internet.
 Scenario: VPC
 Subnet: Existing | vpc-2-subnet
 EIP: 121.36.79.241 (Select the newly created EIP.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 76

Figure 2-52
Step 6 Add the second SNAT rule to enable servers in 192.168.3.0/24 of vpc-3 to access the
Internet.
 Scenario: Direct Connect/Cloud Connect | 192.168.3.0/24
 EIP: 121.36.79.241 (Select the newly created EIP.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 77

Figure 2-53
Step 7 View the SNAT rule list. Check whether the SNAT rules you added are displayed in
the SNAT rule list.

Figure 2-54
Step 8 In route table rtb-vpc-3 of vpc-3, click Add Route.

Figure 2-55
Step 9 Add a default route pointing to the VPC peering connection and click OK.

The default route is used to divert Internet access traffic generated from vpc-3 to vpc-2
through a VPC peering connection. Then servers in vpc-3 can use the SNAT rule added in
vpc-2 to access the Internet.
 Destination: 0.0.0.0/0
 Next Hop Type: VPC peering connection
 Next Hop: vpc2-vpc3
 HCIP-Cloud Service Solutions Architect Lab Guide Page 78

Figure 2-56

2.3 Verifying the Result

2.3.1 Logging In to a Remote Resource from an O&M Host
Step 1 Log in to ECS01 in the CN-Hong Kong region and log in to ECS02 and ECS03 in SSH
mode from ECS01, respectively.

[root@ecs-01 ~]# ssh 192.168.2.23

[root@ecs-02 ~]# exit
[root@ecs-01 ~]# ssh 192.168.3.190
[root@ecs-03 ~]

Figure 2-57
The preceding information indicates that you can log in to ECS02 and ECS03 using SSH
from ECS01, and the on-premises O&M host (ECS01) can perform remote O&M on cloud
resources.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 79

2.3.2 Cloud Resources Accessing the Internet Through a Public

NAT Gateway
Step 1 In the AP-Singapore region, Log in to ECS03 and ping a public IP address.

Figure 2-58
Step 2 In the AP-Singapore region, Log in to ECS02 and ping a public IP address.

Figure 2-59
The preceding command output indicates that servers in vpc-2 and vpc-3 can access the
Internet through the public NAT gateway in vpc-2.

2.4 Clearing Resources

Step 1 Delete the public NAT gateway.

Choose NAT Gateway from the service list. Locate the public NAT gateway created in this
experiment and choose More > Delete in the Operation column.

Step 2 Delete the VPN gateway.

 Choose Virtual Private Network from the service list. On the displayed page, locate
the VPN connection created in this experiment in the list, and choose More > Delete
in the Operation column.
 In the navigation pane on the left, choose VPN Gateways, locate the VPN gateway
created in this experiment in the list, and choose More > Delete in the Operation
column.

Step 3 Delete the ECSs.

 In the service list, choose Elastic Cloud Server under Compute. In the ECS list, locate
the ECSs created in this exercise and choose More > Delete in the Operation column
to delete them one by one.
 In the displayed dialog box, select the check boxes displayed in the following picture
and click Yes.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 80

Figure 2-60
Step 4 Delete the VPC peering connection.

In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose VPC Peering, locate the VPC peering connection created in this
experiment and click Delete in the Operation column.

Step 5 Delete the security group.

In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Access Control > Security Groups. In the security group list, locate the
security group created in this exercise and choose More > Delete in the Operation
column.

Step 6 Delete the VPCs.

 In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Subnets. In the subnet list, locate the subnet created in this exercise
and click Delete in the Operation column.
 Choose Virtual Private Cloud in the navigation pane on the left. In the VPC list, locate
the VPCs created in this exercise and click Delete in the Operation column to delete
them one by one.

2.5 Quiz
Question: In the VPN connection configuration, how do I configure Local Subnet and
Remote Subnet?
Answer: Set Local Subnet to a VPC subnet that needs to access an on-premises network
through VPN. Set Remote Subnet to an on-premises subnet that needs to access a VPC
through VPN.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 81

3 Storage Architecture Design

3.1 Introduction
3.1.1 About This Exercise
In this exercise, you will establish an environment on Huawei Cloud to run video
streaming services. Initially, Huawei Cloud ECS, Elastic Volume Service (EVS), Scalable File
Service (SFS), and Object Storage Service (OBS) will be used to set up a video website.
Then, ELB will be used for distributing requests to different AZs for HA deployment.
This exercise uses region CN-Hong Kong as an example. You can use any region they
want.

3.1.2 Objectives
Acquire the operation principles and configuration methods of storage services.
Understand the service scenarios of cloud data management and configuration.

3.1.3 Networking

Figure 3-1

3.1.4 Related Software

Nginx is a lightweight web server that can act as a reverse proxy or mail (IMAP/POP3)
proxy, and released under the BSD-like protocol. It provides high concurrency with a low
memory footprint.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 82

3.2 Procedure
3.2.1 Preparations
Step 1 Download video files.
 Open a browser on the local PC, enter https://cloudservice-v3.obs.cn-east-
3.myhuaweicloud.com/video_en.zip in the address box, and press Enter to download
the exercise files.
 Obtain the exercise files shown in the following figure:
huawei-cloud.jpg, index.html, nginx-1.15.9.tar.gz, SampleVideo_1280x720_5mb.mp4,
video.js, and more

Figure 3-2

3.2.2 Creating a VPC

Step 1 In the CN-Hong Kong region, configure the parameters as follows to create a VPC:
(Resources in this exercise will be created in this VPC.)

Basic Information
 Region: CN-Hong Kong
 Name: vpc-video
 IPv4 CIDR Block: 10.1.0.0/16
Default Subnet
 Name: subnet-video
 IPv4 CIDR Block: 10.1.10.0/24
 HCIP-Cloud Service Solutions Architect Lab Guide Page 83

Figure 3-3

3.2.3 Creating a Security Group

Step 1 In the CN-Hong Kong region, configure the parameters as follows to create a
security group: (Servers running the video streaming service in this exercise will use
this security group.)
 Name: sg-video
 Template: General-purpose web server
 HCIP-Cloud Service Solutions Architect Lab Guide Page 84

Figure 3-4
Step 2 View the security group rules. You can see that there is an inbound rule that allows
traffic on port 80.

Figure 3-5

3.2.4 Creating an SFS File System

Step 1 In the CN-Hong Kong region, choose Scalable File Service > SFS Turbo and click
Create File System in the upper right corner.

Note: The file system created in this step will be mounted to the ECSs.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 85

Figure 3-6
Step 2 Configure the parameters as follows, confirm the configuration, and click Create
Now.
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: AZ1
 Storage Class: Standard
 Capacity (GB): 500
 Protocol Type: NFS

Figure 3-7
 VPC: vpc-video | subnet-video
 Security Group: sg-video
 Name: sfs-video
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 86

Figure 3-8
Step 3 View the created SFS file system.

Step 4 The file system status is Available.

Figure 3-9

3.2.5 Creating an OBS Bucket

Step 1 In the CN-Hong Kong region, choose Object Storage Service > Object Storage and
click Create Bucket in the upper right corner.

Note: The video.zip file downloaded during preparations needs to be uploaded to the
bucket created in this step.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 87

Figure 3-10
Step 2 Configure the parameters as follows, confirm the configuration, and click Create
Now.
 Region: CN-Hong Kong
 Bucket Name: video-hcip
 Default Storage Class: Standard
 Bucket Policy: Public Read
 Direct Reading: Disable

Figure 3-11
Step 3 Click the name of the created OBS bucket to go to the bucket management page.

Figure 3-12
Step 4 Choose Objects > Upload Object.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 88

Figure 3-13
Step 5 Click add file, find the video_en.zip file in the local directory, and click Upload.

Figure 3-14
Step 6 In the object list, view the uploaded file.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 89

Figure 3-15

3.2.6 Creating an ECS

Step 1 In the CN-Hong Kong region, configure the parameters as follows to create an ECS.
Confirm the configuration and click Next.

Note: This ECS will be used to deploy the video streaming service.
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: Random
 Specifications: 2 vCPUs | 4 GiB
 Image: Public image | CentOS 7.6 64 bit(40 GB)
 Host Security: Basic (free)
 System Disk: High I/O | 40 GiB
 Network: vpc-video | subnet-video | Automatically assign IP address
 Security Group: sg-video
 EIP: Auto assign
 EIP Type: Premium BGP
 Billed By: Traffic
 Bandwidth Size: 10 Mbit/s
 ECS Name: ecs-video
 Password: User-defined (with the username of root)
HCIP-Cloud Service Solutions Architect Lab Guide Page 90
 HCIP-Cloud Service Solutions Architect Lab Guide Page 91

Figure 3-16

3.2.7 Mounting the SFS File System

Step 1 In the ECS list, locate the created ECS and click Remote Login to log in to ecs-video
using CloudShell.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 92

Figure 3-17
Step 2 Run the following commands to create the video folder and install the NFS client:

[root@ecs-video ~]# mkdir /video

[root@ecs-video ~]# yum -y install nfs-utils

Figure 3-18
If Complete is displayed, the NFS client has been installed:

Figure 3-19
Step 3 Go back to the Huawei Cloud console, choose Scalable File Service > SFS Turbo, and
click the name of the created SFS file system to go to the details page.

Step 4 Take note of the mount command.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 93

Figure 3-20
Step 5 Log in to esc-video and run the following command to mount the SFS file system:

[root@ecs-video ~]# mount -t nfs -o vers=3,nolock 10.1.10.25:/ /video

Note: Replace the "mount -t nfs -o vers=3,nolock 10.1.10.25:/" part in the preceding
command with what you have taken note of in the last step.

Figure 3-21
Step 6 Run the following command to verify the mounting:

[root@ecs-video ~]# mount|grep video

If the following information is displayed, the file system has been mounted.

Figure 3-22
Step 7 Run the following command to configure automatic mounting at system start:

[root@ecs-video ~]#echo "10.1.10.25:/ /video nfs

vers=3,timeo=600,nolock,rsize=1048576,wsize=1048576,hard,retrans=2,noresvport,async,noatime,nodi
ratime 0 0" >>/etc/fstab

Note: The IP address in the command varies with the file system. Use the actual IP
address of the file system.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 94

Figure 3-23
Step 8 Run the following commands to verify automatic mounting:

[root@ecs-video ~]# umount /video

[root@ecs-video ~]# mount -a
[root@ecs-video ~]# mount |grep video

If the following information is displayed, the configuration is successful.

Figure 3-24

3.2.8 Downloading the Object File

Step 1 In the CN-Hong Kong region, choose Object Storage Service > Object Storage. In
the bucket list, click the name of the created bucket video-hcip to go to the
configuration page.

Figure 3-25
Step 2 On the Objects page, click the name of video.zip in the object list.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 95

Figure 3-26
Step 3 View and take note of the object link.

Figure 3-27
Step 4 Log in to esc-video and run the following commands to download the object file:

[root@ecs-video ~]# cd /video

[root@ecs-video video]# wget https://video-hcip.obs.ap-southeast-1.myhuaweicloud.com/video.zip

Note: The object link in the command varies with the object. Use the one you have taken
note of in the last step.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 96

Figure 3-28

3.2.9 Attaching an EVS Disk

Step 1 In the CN-Hong Kong region, choose Elastic Volume Service > Disks and click Buy
Disk in the upper right corner.

Note: This disk will be attached to ecs-video, and Nginx will be installed on this disk.

Figure 3-29
Step 2 Configure the parameters as follows, confirm the configuration, and click Next.
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: AZ2
 Disk Type: Ultra-high I/O
 Disk Size: 10 GB
 Automatic Backup: Do not use
 Disk Name: volume-video
 HCIP-Cloud Service Solutions Architect Lab Guide Page 97

Figure 3-30
Step 3 In the EVS disk list, view the created ecs-video disk and click Attach.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 98

Figure 3-31
Step 4 In the displayed dialog box, select ECSs, select ecs-video, and click OK.

Figure 3-32
Step 5 Log in to ecs-video and run the following command to view the disk information:

[root@ecs-video video]# fdisk -l

Figure 3-33
Step 6 Run the following command to create a file system for the disk: (Use the device
name you have obtained in the last step.

[root@ecs-video video]# mkfs -t ext4 /dev/vdb

 HCIP-Cloud Service Solutions Architect Lab Guide Page 99

Figure 3-34
Step 7 Run the following commands to mount the disk on /opt and check whether the
mounting is successful:

[root@ecs-video /]# mount /dev/vdb /opt

[root@ecs-video /]# mount |grep opt

Figure 3-35
Step 8 Run the following command to configure automatic mounting at system start:

[root@ecs-video /]# echo -e "/dev/vdb/\t/opt\text4\tdefaults\t1 1" >>/etc/fstab

Figure 3-36
Step 9 Run the following commands to verify automatic mounting:

[root@ecs-video ~]# umount /opt

[root@ecs-video ~]# mount -a
[root@ecs-video ~]# mount |grep opt
 HCIP-Cloud Service Solutions Architect Lab Guide Page 100

Figure 3-37

3.2.10 Compiling and Installing Nginx

Step 1 Log in to ecs-video and run the following commands to compile and install Nginx
on the attached disk:

cd /video
yum install -y unzip
unzip -o video_en.zip
cd video
cp nginx-1.15.9.tar.gz /opt/
cd /opt
yum install -y pcre*
yum install -y zlib*
tar -xvf nginx-1.15.9.tar.gz
cd nginx-1.15.9
./configure --prefix=/opt/nginx
make && make install

Step 2 Run the following commands to edit the nginx.conf file:

[root@ecs-video nginx-1.15.9]# cd /opt/nginx/conf

[root@ecs-video conf]# sed -i "0,/root html/s/root html/root \/video\/video/" nginx.conf

Figure 3-38
Step 3 # Run the following commands to start Nginx:

[root@ecs-video conf]# cd /opt/nginx/sbin/

[root@ecs-video sbin]# ./nginx

Figure 3-39
Step 4 Run the following commands to configure automatic startup:

[root@ecs-video sbin]# echo -e "\n#start nginx\nsleep 10\ncd /opt/nginx/sbin\n./nginx" >>

/etc/rc.local
[root@ecs-video sbin]# chmod +x /etc/rc.d/rc.local
 HCIP-Cloud Service Solutions Architect Lab Guide Page 101

Figure 3-40
Step 5 Use a browser on the local PC to log in to ecs-video using the public IP address and
verify that the video can be played. If the following figure shows up, the video can
be played, indicating that the video streaming service has been set up.

Figure 3-41

3.2.11 Configuring HA
Step 1 In the CN-Hong Kong region, choose Storage > Cloud Backup and Recovery > Cloud
Backup Backups and click Buy Server Backup Vault in the upper right corner.
Configure the parameters as follows to create a server backup vault.

Note: A full-ECS image will be created in this exercise, so a cloud server backup vault
needs to be purchased in the first place.
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 Protection Type: Backup
 Associated Server: Skip
 Vault Capacity: 100 GB
 Auto Backup: Skip
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 102

Figure 3-42
Step 2 View the server backup vault you have created.

Figure 3-43
Step 3 In the CN-Hong Kong region, choose Image Management Service and click Create
Image in the upper right corner.

Note: An ECS will be provisioned using the full-ECS image. The new ECS and ecs-video
will then be used as the ELB backend servers.

Figure 3-44
Step 4 Configure the parameters as follows, confirm the configuration, and click Next.
 Region: CN-Hong Kong
 Type: Full-ECS image
 Source: ECS | ecs-video
 HCIP-Cloud Service Solutions Architect Lab Guide Page 103

 Server Backup Vault: vault-video

 Name: ecs-video

Figure 3-45
Step 5 Click Apply for Server to create ecs-video2 in AZ1 using the created image. (ecs-
video resides in AZ2.)

Note: To ensure HA, ecs-video and ecs-video2 are deployed in different AZs. You can
select the AZs based on site requirements.

Figure 3-46
Step 6 Configure the parameters as follows:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: AZ1
 Specifications: 2 vCPUs | 4 GiB
 Image: Private image | ecs-video
 System Disk: High I/O | 40 GiB
 Data Disk: Extreme SSD | 10 GB
 Network: vpc-video | subnet-video
 HCIP-Cloud Service Solutions Architect Lab Guide Page 104

 Security Group: sg-video

 EIP: Not required
 ECS Name: ecs-video2
 Password: User-defined (with the username of root)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 105

Figure 3-47
Step 7 In the ECS list, locate the created esc-video2 and click Remote Login to log in to the
ECS using CloudShell.

Figure 3-48
Step 8 Run the following command to check the service status:

[root@ecs-video2 ~]# netstat -ntpule

If the following information is displayed, the Nginx service has been enabled.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 106

Figure 3-49
Step 9 In the service list, choose Elastic IP. In the EIP list, locate the EIP bound to ecs-video
and click Unbind to unbind the EIP from ecs-video.

Note: This EIP will then be bound to the load balancer.

Figure 3-50
Step 10 In the CN-Hong Kong region, choose Elastic Load Balance and click Buy Elastic Load
Balancer in the upper right corner.

Figure 3-51
Step 11 Configure the parameters as follows:
 Type: Shared
 Region: CN-Hong Kong
 Network Type: Public network
 VPC: vpc-video
 Subnet: subnet-video
 Private IP Address: Automatically-assigned IP address
 EIP: Use existing | 114.115.155.72 (select the EIP unbound from the ECS in step 9).
 Name: elb-video
 HCIP-Cloud Service Solutions Architect Lab Guide Page 107

Figure 3-52
Step 12 View the purchased load balancer and click Add listener.

Figure 3-53
Step 13 Configure the parameters as follows to create a listener:
 Name: listener-video (can be customized)
 Frontend Protocol: TCP
 Frontend Port: 80 (Used by this load balancer to receive requests from clients.)
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 108

Figure 3-54
Step 14 Configure a backend routing policy:
 Name: server-group-video (can be customized)
 Backend Protocol: TCP
 Load Balancing Algorithm: Weighted round robin
 Retain the default settings for other parameters.

Figure 3-55
Step 15 Click Add. On the displayed page, select the two video servers and click Next.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 109

Figure 3-56
Step 16 Set Batch Add Ports to 80. (This port is used by backend servers to provide network
services.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 110

Figure 3-57
Step 17 Confirm the configuration and click Submit.

Step 18 View the created load balancer and take note of the EIP for future use.

Figure 3-58

3.3 Verifying the Result

Step 1 Use the browser on the local PC to log in to elb-video using the EIP recorded in the
last step and verify that the video can be played. If the following figure shows up,
the video can be played, indicating that the video streaming service has been set up
and ELB is working properly.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 111

Figure 3-59

3.4 Clearing Resources

Step 1 Delete the load balancer.
 In the service list, choose Networking > Elastic Load Balance. In the load balancer
list, click the load balancer purchased in this exercise. On the Backend Server Groups
tab, in the Basic Information area, select all backend servers and click Remove above
the server list.

Figure 3-60
 On the Listeners tab, delete the listener purchased in this exercise.

Figure 3-61
 Back to the load balancer list and click Delete in the Operation column to delete the
load balancer.
 In the displayed dialog box, select Release the EIP and click Yes.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 112

Figure 3-62
Step 2 Delete the ECSs.
 In the service list, choose Elastic Cloud Server. In the ECS list, locate the ECS
purchased in this exercise and choose More > Delete in the Operation column.
 In the displayed dialog box, select the check boxes displayed in the following picture
and click Yes.

Figure 3-63
Step 3 Delete the SFS file system.

In the service list, choose Scalable File Service. In the file system list, locate the file
system purchased in this exercise and choose More > Delete in the Operation column.

Step 4 Delete the OBS bucket.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 113

In the service list, choose Object Storage Service. In the bucket list, locate the bucket
purchased in this exercise and click Delete in the Operation column.

Step 5 Delete the security group.

In the service list, choose Virtual Private Cloud. On the network console, choose Access
Control > Security Groups. In the security group list, locate the security group created in
this exercise and click Delete in the Operation column.

Step 6 Delete the subnet and VPC.

 In the service list, choose Virtual Private Cloud. On the network console, choose
Subnets. In the subnet list, locate the subnet created in this exercise and click Delete
in the Operation column.
 Choose Virtual Private Cloud in the navigation pane on the left. In the VPC list, locate
the VPC created in this exercise and click Delete in the Operation column.

3.5 Quiz
Question: In this exercise, when HA is configured, a full-ECS image is used to provision an
ECS. Why a system disk image is not used instead?
Answer: In this exercise, an EVS disk was attached to ecs-video. So a full-ECS image is
required to create the image, in which the OS data, application data, and service data are
all included.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 114

4 Database Architecture Design

4.1 Introduction
4.1.1 About This Exercise
This exercise describes how to set up a WordPress website using an ECS and RDS for
MySQL instance on Huawei Cloud and how to deploy a DCS instance to speed up access
to the WordPress website.
This exercise uses region CN-Hong Kong as an example. Trainees can select regions
based on their own needs.

4.1.2 Objectives
Understand how to use the cloud services involved in the cloud database architecture.
Understand how to manage cloud databases and keep them available.

4.1.3 Networking

Figure 4-1

4.1.4 Related Software

Redis, which stands for Remote Dictionary Server, is an open source log-based, key-value
database written in ANSI C language. Redis supports both in-memory and persistent
storage, network connections, and APIs in multiple different languages.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 115

4.2 Procedure
4.2.1 Creating a Security Group
Step 1 Log in to the Huawei Cloud console and select region CN-Hong Kong. Then choose
Networking > Virtual Private Cloud. On the network console, choose Access
Control > Security Groups, click Create Security Group, and configure parameters as
follows to create security group sg-rds.

Note: This security group is for a RDS database instance, so port 3306 has to be enabled.
 Name: sg-rds
 Template: Custom

Figure 4-2
Step 2 Add an inbound rule to allow access to database port 3306.
 Priority: 1
 Action: Allow
 Protocol & Port: TCP and 3306
 Type: IPv4
 Source: IP address and 0.0.0.0/0
 HCIP-Cloud Service Solutions Architect Lab Guide Page 116

Figure 4-3
Step 3 Create security group sg-wordpress.

Note: This security group is for the ECSs used to set up WordPress. A general-purpose
web server template is required.
 Name: sg-wordpress
 Template: General-purpose web server

Figure 4-4

4.2.2 Creating a VPC

Step 1 In the service list, choose Virtual Private Cloud. On the displayed page, click Create
VPC.

Note: Resources required in this exercise will be created in this VPC.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 117

Figure 4-5
Step 2 Configure the required parameters to create VPC vpc-2.

Basic Information
 Region: CN-Hong Kong
 Name: vpc-2
 IPv4 CIDR Block: 192.168.0.0/16
Default Subnet
 AZ: AZ1 (This exercise uses AZ1 as an example. Trainees can select AZs based on
their needs. This note is valid for all similar resources and will not be described
later.)
 Name: vpc-2-subnet
 IPv4 CIDR Block: 192.168.2.0/24

Figure 4-6

4.2.3 Buying a Cloud Database Instance

Step 1 On the management console, select region CN-Hong Kong, click Service List, and
choose RDS under Databases.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 118

Figure 4-7
Step 2 Click Buy DB Instance in the upper right corner.

Note: In this DB instance, a database will be created to interconnect with WordPress.

Figure 4-8
Step 3 Configure the following parameters and click Next.
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 DB Instance Name: rds-wordpress
 DB Engine: RDS for MySQL
 DB Engine Version: MySQL 8.0
 DB Instance Primary/Standby
 AZ: AZ1
 Time Zone: (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
 Instance Class: Dedicated Edition | 4 vCPUs | 16 GB
 VPC: vpc-2 | vpc-2-subnet | Automatically-assigned IP
 Security Group: sg-rds
 Administrator Password: User-defined
 Parameter Template: Default-MySQL-8.0
 Quantity: 1
HCIP-Cloud Service Solutions Architect Lab Guide Page 119
 HCIP-Cloud Service Solutions Architect Lab Guide Page 120

Figure 4-9
Step 4 Confirm configurations, click Submit, and wait for 5 to 10 minutes until the instance
is created.

4.2.4 Creating a Database for WordPress

Step 1 On the Instances page, locate the created instance, record its private IP address,
and click Log In in the Operation column.

Figure 4-10
Step 2 In the displayed window, enter the instance login username and password and click
Test Connection. After a successful connection message is displayed, click Log In.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 121

Figure 4-11
Step 3 On the home page, click Create Database. The created database will be used to
interconnect with WordPress.

Figure 4-12
Step 4 In the displayed dialog box, enter a database name and specify a character set as
follows and click OK.
 Name: wordpress
 Character Set: utf8 (default setting)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 122

Step 5 View the created database in the database list.

Figure 4-13

4.2.5 Deploying WordPress

Step 1 In the service list, choose Compute > Elastic Cloud Server, and click Buy ECS in the
upper right corner.

Note: The created ECS will be used to deploy WordPress.

Figure 4-14
Step 2 Configure parameters as follows to create an ECS:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: AZ1
 Specifications: 2 vCPUs | 4 GiB
 HCIP-Cloud Service Solutions Architect Lab Guide Page 123

 Image: Public image|CentOS 7.6 64bit(40GB)

 Host Security: Basic (free)
 System Disk: High I/O | 40 GiB
 Network: vpc-2 | vpc-2-subnet | Automatically-assigned IP
 Security Group: sg-wordpress
 EIP: Auto assign
 EIP Type: Dynamic BGP
 Billed By: Traffic
 Bandwidth Size: 10 Mbit/s
 ECS Name: ecs-wordpress
 Password: User-defined (for username root)
HCIP-Cloud Service Solutions Architect Lab Guide Page 124
 HCIP-Cloud Service Solutions Architect Lab Guide Page 125

Figure 4-15
Step 3 In the ECS list, locate the created ECS and click Remote Login to log in to ECS esc-
wordpress using Remote Login.

Figure 4-16
Step 4 Run the following command to install Apache:

[root@ecs-wordpress ~]# yum install httpd -y

Figure 4-17
Step 5 Run the following command to install PHP:

[root@ecs-wordpress ~]# rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

[root@ecs-wordpress ~]# yum install --enablerepo=remi --enablerepo=remi-php72 php php-opcache
php-devel php-mysqlnd php-gd php-redis
 HCIP-Cloud Service Solutions Architect Lab Guide Page 126

Figure 4-18
Step 6 Enter y twice for confirmation.

Figure 4-19
Step 7 Run the following commands to download the WordPress installation package,
decompress the package, and copy the obtained files to Apache directory
/var/www/html:

[root@ecs-wordpress ~]# wget -c https://wordpress.org/wordpress-5.2.3.tar.gz

[root@ecs-wordpress ~]# tar -zxvf wordpress-5.2.3.tar.gz -C /var/www/html

Figure 4-20
Step 8 Run the following commands to switch to the httpd working directory and copy the
configuration file:

[root@ecs-wordpress ~]# cd /var/www/html/wordpress

[root@ecs-wordpress wordpress]# cp wp-config-sample.php wp-config.php
 HCIP-Cloud Service Solutions Architect Lab Guide Page 127

Figure 4-21
Step 9 Run the following command to configure database parameters in the wp-
config.php file to interconnect with the wordpress database:

[root@ecs-wordpress wordpress]# vi wp-config.php

Configure the parameters as follows:

 DB_NAME: wordpress
 DB_USER: root
 DB_PASSWORD: Huawei123!@# (user-defined)
 DB_HOST: 192.168.2.40:3306 (private IP address:port number of the DB instance)

Figure 4-22
Step 10 Run the following commands to configure permissions for the WordPress directory:

[root@ecs-wordpress ~]# cd /var/www/html/wordpress

[root@ecs-wordpress wordpress]# echo -e "define(\"FS_METHOD\",
\"direct\");\ndefine(\"FS_CHMOD_DIR\", 0777);\ndefine(\"FS_CHMOD_FILE\", 0777);" >> wp-
config.php
[root@ecs-wordpress wordpress]# tail -n 10 wp-config.php
[root@ecs-wordpress wordpress]# chmod -R 777 wp-content/
 HCIP-Cloud Service Solutions Architect Lab Guide Page 128

Figure 4-23
Step 11 Run the following commands to enable Apache. If information similar to the
following is displayed, Apache is running normally:

[root@ecs-wordpress ~]# systemctl start httpd

[root@ecs-wordpress ~]# ps -ef |grep httpd

Figure 4-24
Step 12 Open a browser on your local PC and enter EIP of ECS-WordPress/wordpress, for
example, enter 121.36.79.241/wordpress/index.php. After you log in to WordPress,
configure parameters as follows and click Install WordPress:
 Site Title: HCIP
 Username: huawei (user-defined)
 Password: User-defined
 Your Email: User-defined
 HCIP-Cloud Service Solutions Architect Lab Guide Page 129

Figure 4-25
Step 13 Click Log in.

Figure 4-26
Step 14 Enter the username and password configured in the previous step to log in to
WordPress. If the following page is displayed, WordPress is set up:
 HCIP-Cloud Service Solutions Architect Lab Guide Page 130

Figure 4-27
Step 15 In the navigation pane on the left, choose Plugins and then click Add New.

Figure 4-28
Step 16 Enter redis in the search box on the right, locate Redis Object Cache, and click
Install Now.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 131

Figure 4-29

4.2.6 Creating a DCS Instance

Step 1 Select region CN-Hong Kong, choose Service List > DCS, click Buy DCS Instance, and
configure parameters as follows to buy a DCS instance:

Note: This exercise uses the DCS instance to provide Redis services for WordPress.
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 Project: CN-Hong Kong (default)
 Cache Engine: Redis
 Version: 5.0
 Instance Type: Single-node
 Replicas: 2
 AZ: AZ1
 Instance Specifications: redis.single.xu1.large.2
 VPC: vpc-2
 Subnet: vpc-2-subnet
 Administrator Password: user-defined
 Quantity: 1
 Name: redis-wordpress
 HCIP-Cloud Service Solutions Architect Lab Guide Page 132

Figure 4-30
Step 2 In the instance list, locate the instance that you bought and click its name.

Figure 4-31
Step 3 On the Connection page, view and write down the administrator, IP address, port
number.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 133

Figure 4-32
Step 4 Log in to ECS ecs-wordpress and run the following commands to modify its
configuration file:

[root@ecs-wordpress ~]# cd /var/www/html/wordpress/

[root@ecs-wordpress wordpress]# vi wp-config.php

Add the following information to the file to interconnect with the DCS instance:

/*redis config*/
define('WP_REDIS_HOST', '192.168.2.IP');
define('WP_REDIS_PORT', '6379');
define('WP_REDIS_PASSWORD', 'DCS PASSWORD');

Note: 192.168.2.IP is the IP address of the DCS instance recorded in step 3. Configure the
IP address based on service requirements. DCS PASSWORD is the password of the DCS
instance set in step 1. Enter the required password.

Figure 4-33
Step 5 Run the following command to exit:

:wq
 HCIP-Cloud Service Solutions Architect Lab Guide Page 134

4.2.7 Enabling Redis Object Cache

Step 1 Before enabling Redis Object Cache, Please post a blog with text and pictures, then
open a browser, press F12, select Disable cache, and view the time required for
loading. Refresh the WordPress page and find that the time for loading content is
430ms.

Figure 4-34
Step 2 Log in to WordPress on your local PC, choose Plugins > Installed Plugins, locate
Redis Object Cache, and click Activate.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 135

Figure 4-35
Step 3 On the displayed page, click the Overview tab and click Enable Object Cache.

Figure 4-36
Step 4 Check whether the status is Connected. If yes, Redis Object Cache is enabled.

Figure 4-37

4.3 Verifying the Result

Step 1 Open a browser, press F12, select Disable cache, and view the time required for
page loading. Refresh the page. If the time for loading is 370ms, less than 430ms
required before Redis Object Cache is enabled, the website response is speed up.
This exercise is successful.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 136

Figure 4-38

4.4 Clearing Resources

Step 1 Delete the DCS instance.

Choose Service List > DCS. In the instance list, locate the DB instance that you bought in
this exercise and click Delete in the Operation column.

Step 2 Delete the RDS for MySQL instance.

Choose Service List > RDS. In the instance list, locate the DB instance that you bought in
this exercise and click Delete in the Operation column.

Step 3 Delete the ECS.

 Choose Service List > Elastic Cloud Server. In the ECS list, locate the ECS that you
created in this exercise and click Delete in the Operation column.
 In the displayed dialog box, select the options displayed in the following picture and
click Yes.

Figure 4-39 Deleting the ECS

Step 4 Delete the security groups.

Choose Service List > Virtual Private Cloud > Access Control > Security Groups. In the
security group list, locate the security group that you created in this exercise and click
Delete in the Operation column.

Step 5 Delete the subnet and VPC.

 Choose Service List > Virtual Private Cloud > Subnets. In the subnet list, locate the
subnet that you created in this exercise and click Delete in the Operation column.
 Choose My VPCs in the navigation pane on the left. In the VPC list, locate the VPC
that you created in this exercise and click Delete in the Operation column.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 137

4.5 Quiz
Question: What Service Can I Use If I Want to Improve Database Storage and
Performance by Configuring Multiple Database Instances?
Answer: You can use Huawei Cloud Distributed Database Middleware (DDM). It can scale
out your compute and storage resources linearly, helping you handle high concurrency
and real-time interactions
 HCIP-Cloud Service Solutions Architect Lab Guide Page 138

5 Security Architecture Design

5.1 Introduction
5.1.1 About This Exercise
This exercise involves the following operations:
 Damn Vulnerable Web Application (DVWA) server deployment: Deploy a DVWA
server on ECS to provide an exercise environment, and perform subsequent security
operations on the server.
 Host Security Service (HSS): Purchase HSS for the DVWA server. Obtain server status
and check server risks on the HSS console. Improve server security management
capabilities.
 Two-factor authentication: Configure two-factor authentication for the DVWA server,
and log in to the server through two-factor authentication. Learn the basic functions
of two-factor authentication.
 Host security group: Verify the access control function of the host security group by
deleting and adding port 8080 to the security group.
 IP address group: Verify how to configure the address group and security group and
learn how they work. Add a test cloud server address to an address group, and add
the address group to the deny rule of a security group.
 Data Encryption Workshop (DEW): In this exercise, create a key on the DEW console,
create an agency on the IAM page, and install the KooCLI client on the ECS. With
these configurations, the KooCLI client can obtain information about the keys
managed in DEW.

5.1.2 Objectives
To understand how HSS works.
To learn how to configure and use two-factor authentication, security groups, and
address groups.
To learn how to configure and use Web Application Firewall (WAF).
To learn how to use ECS to obtain the keys managed in DEW.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 139

5.1.3 Networking

Figure 5-1

5.1.4 Related Software

 Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is
highly vulnerable. Its main goal is to be an aid for security professionals to test their
skills and tools in a legal environment, help web developers better understand the
processes of securing web applications and to aid both students & teachers to learn
about web application security in a controlled class room environment. DVWA
contains common vulnerabilities that can be exploited by SQL injection, XSS, and
blind injection.
 XAMPP is a completely free, easy to install Apache distribution containing MySQL,
PHP, and Perl. The XAMPP open source package has been set up to be incredibly
easy to install and to use. It can help you easily set up a web server.
 Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts
are injected into otherwise benign and trusted websites. XSS attacks occur when an
attacker uses a web application to send malicious code, generally in the form of a
browser side script, to a different end user. The end user's browser has no way to
know that the script should not be trusted, and will execute the script. Because it
thinks the script came from a trusted source, the malicious script can access any
cookies, session tokens, or other sensitive information retained by the browser and
used with that site. These scripts can even rewrite the content of the HTML page.
 KooCLI is a Huawei Cloud Command Line Interface, a tool for managing cloud
service APIs released on API Explorer. With this tool, you can call open APIs of cloud
services to manage and use your cloud resources.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 140

5.2 Procedure
5.2.1 Deploying DVWA
Step 1 In the CN-Hong Kong region, choose Networking > Virtual Private Cloud in the
service list.

Figure 5-2
Step 2 Click Create VPC in the upper right corner. (Resources in this exercise will be
created in this VPC.)

Figure 5-3
Step 3 Configure the following parameters and click Create Now.

Basic Information
 Region: CN-Hong Kong
 Name: vpc-1
 IPv4 CIDR Block: 192.168.0.0/16
Default Subnet
 AZ: AZ1
 Name: subnet-20
 IPv4 CIDR Block: 192.168.20.0/24
 HCIP-Cloud Service Solutions Architect Lab Guide Page 141

Figure 5-4
Step 4 In the navigation pane on the left, choose Access Control > Security Groups, and
click Create Security Group in the upper right corner.

Note: This security group is used by DVWA ECSs and should allow all ICMP traffic and
traffic on ports 22, 443, 80, and 8080.

Figure 5-5
Step 5 Configure the parameters as follows and click OK.
 Name: sg-dvwa
 Template: Select a required one.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 142

Figure 5-6
Step 6 In the dialog box displayed, click Manage Rule.

Figure 5-7
Step 7 On the Inbound Rules tab, add the following inbound rules.
 Priority: 1
 Action: Allow
 Protocol & Port: TCP | 22
 Type: IPv4
 Source: IP address | 0.0.0.0/0
 HCIP-Cloud Service Solutions Architect Lab Guide Page 143

Figure 5-8
 Priority: 1
 Action: Allow
 Protocol & Port: TCP | 8080
 Type: IPv4
 Source: IP address | 0.0.0.0/0

Figure 5-9
 Priority: 1
 Action: Allow
 Protocol & Port: TCP | 443
 Type: IPv4
 Source: IP address | 0.0.0.0/0
 HCIP-Cloud Service Solutions Architect Lab Guide Page 144

Figure 5-10
 Priority: 1
 Action: Allow
 Protocol & Port: TCP | 80
 Type: IPv4
 Source: IP address | 0.0.0.0/0

Figure 5-11
 Priority: 1
 Action: Allow
 Protocol & Port: ICMP | All
 Type: IPv4
 Source: IP address | 0.0.0.0/0
 HCIP-Cloud Service Solutions Architect Lab Guide Page 145

Figure 5-12
Step 8 Check the added inbound rules. There are inbound rules that allow ICMP traffic and
traffic on ports 80, 22, 8080, and 443.

Figure 5-13
Step 9 In the service list, choose Elastic Cloud Server under Compute. On the displayed
page, click Buy ECS in the upper right corner.

Figure 5-14
Step 10 Configure settings for the ECS.

Note: This ECS will be used to deploy DVWA.

The following uses ecs-dvwa as an example.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 146

 Billing Mode: Pay-per-use

 Region: CN-Hong Kong
 AZ: Random
 CPU Architecture: x86
 Specifications: 1 vCPUs | 2 GiB
 Image: Public image | CentOS 7.6 64bit(40GB)
 Host Security: Enable (Basic)
 Network: vpc-1 | subnet-20 | Automatically assign IP address
 Security Group: sg-dvwa
 EIP: Auto assign
 EIP Type: Premium BGP
 Billed By: Traffic
 Bandwidth Size: 10 Mbit/s
 System Disk: High I/O | 40 GiB
 ECS Name: ecs-dvwa
 Password: User-defined (with the username of root)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 147

Figure 5-15
Step 11 Log in to the ECS and install Docker.

[root@ecs-dvwa ~]# yum install docker

[root@ecs-dvwa ~]# systemctl enable docker
[root@ecs-dvwa ~]# systemctl start docker
 HCIP-Cloud Service Solutions Architect Lab Guide Page 148

Figure 5-16
Step 12 Download the DVWA container image.

[root@ecs-dvwa ~]# docker pull docker.io/citizenstig/dvwa

Figure 5-17
Step 13 View the current image.

[root@ecs-dvwa ~]# docker images

Figure 5-18
Step 14 Run the image as a container and map the container service port 80 to port 8080.

[root@ecs-dvwa ~]# docker run -dit -p 8080:80 docker.io/citizenstig/dvwa

3b3f5da35aadd8223818bdbab650e50d305ffaf7fb262c1f82eff63c5dc6190c
[root@ecs-dvwa ~]# docker ps
 HCIP-Cloud Service Solutions Architect Lab Guide Page 149

Figure 5-19
Step 15 Open a local browser, enter http://182.160.6.0:8080 in the address bar to open the
DVWA web page and click Create/Reset Database. (182.160.6.0 is the EIP bound to
the ECS ecs-dvwa.)

Figure 5-20
Step 16 After the initialization is complete, the login page is displayed. Enter the username
and password for logging in to DVWA. If the following information is displayed, the
DVWA host is successfully deployed.

Note: The user name is admin and the password is password.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 150

Figure 5-21
Step 17 Log in to the ECS and download XAMPP.

[root@ecs-dvwa ~]# wget https://cloudservice-v3.obs.cn-east-3.myhuaweicloud.com/xampp-linux-

x64-7.3.6-2-installer.run

Figure 5-22
Modify permissions and install XAMPP.

[root@ecs-dvwa ~]# chmod 755 xampp-linux-*-installer.run

[root@ecs-dvwa ~]# ./xampp-linux-*-installer.run

Note: After running the command, perform operations as instructed in the following
figure to complete the installation.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 151

Figure 5-23
Step 18 In the local browser, enter http://182.160.6.0 in the address bar. If you can access
XAMPP, the installation is successful.

Note: In this exercise, 182.160.6.0 is the EIP bound to the ECS ecs-dvwa. Replace it with
the actual value.

Figure 5-24

5.2.2 Enabling HSS

Step 1 On the Service List page, select Host Security Service under Security & Compliance.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 152

Figure 5-25
Step 2 Click Buy HSS in the upper right corner.

Notes: HSS provides asset management, vulnerability management, baseline check,

intrusion detection, application recognition service (ARS), file integrity check, secure
operations, and web tamper protection functions, helping you identify and manage data
assets on your servers, scan for risks in real time, and block intrusions.

Figure 5-26
Step 3 Configure HSS parameters, as shown in the following figure. Click Pay Now.
 Billing mode: Pay-per-use
 Region: Hong Kong
 Edition: Enterprise
 HCIP-Cloud Service Solutions Architect Lab Guide Page 153

Figure 5-27
Step 4 After you are directed to the server list, click Switch Edition.

Figure 5-28
Step 5 Configure edition parameters, as shown in the following figure. Read the disclaimer,
select I have read and agree to the Host Security Service Disclaimer, and click OK.

Note: The basic edition is free of charge and provides only part of HSS functions. It does
not provide protection capabilities or support for DJCP MLPS compliance.
The enterprise edition supports DJCP MLPS L2 compliance, virus and Trojan scan and
removal, one-click vulnerability fix, and intrusion detection.
 Billing Mode: On-demand
 Edition: Enterprise
 HCIP-Cloud Service Solutions Architect Lab Guide Page 154

Figure 5-29
Step 6 Return to the Host Security Service home page. Click Dashboard to check the server
risk and protection statistics.

Figure 5-30
Step 7 Click the Asset Management > Servers & Quota tab, click the server’s name.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 155

Figure 5-31
Step 8 Click the Intrusions tab and check intrusions.

Note: The HSS the enterprise edition provides the intrusion detection function. It can
identify and block intrusions in real time, detect internal risks, and detect and remove
malicious programs.
You can log in to the ECS by tools like PUTTY but keep entering incorrect passwords to
simulate brute force attack.Then Haddle it by Add to Login Whitelist.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 156

Figure 5-32
Step 9 Click the Detection > Alarms to view blocked IP addresses and click cancel
interception.

Figure 5-33

5.2.3 Configuring Two-Factor Authentication

In practice, some service hosts or O&M hosts have high requirements on access security.
Authentication based only on usernames and passwords is considered insecure. In this
case, you can configure two-factor authentication to meet multi-dimensional
authentication requirements for host login.

Step 1 Create topics and add subscriptions on the Simple Message Notification (SMN)
console.

Note: The SMN configuration is used for subsequent two-factor authentication.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 157

 On the Service List page, select Simple Message Notification under Management &
Governance.

Figure 5-34
 On the Dashboard page, click Topics under My Resources.

Figure 5-35
 In the upper right corner, click Create Topic.

Figure 5-36
 Set Topic Name to Auth and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 158

Figure 5-37
 In the Operation column of the topic, click Add Subscription.

Figure 5-38
 Configure the following parameters:
Protocol: SMS
Endpoint: personal mobile number (customized by trainees)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 159

Figure 5-39
 Confirm the subscription on your mobile phone (SMS message) to make the
subscription take effect.

Step 2 Create two-factor authentication.

 On the Service List page, select Host Security Service under Security & Compliance.

Figure 5-40
 On the displayed page, in the navigation pane on the left, choose Installation &
Configuration. Choose the Two-Factor Authentication tab, locate the protected
server, and click Enable 2FA in the Operation column.

Figure 5-41
 Select the newly created SMN topic Auth and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 160

Figure 5-42
 Use PUTTY to Log in to the DVWA host.
Enter the username and password, enter the mobile number in the subscription, and
enter the received SMS verification code to log in to the host. If the login is successful,
the two-factor authentication configuration is successful. This section describes how to
verify the basic functions and usage of two-factor authentication.

Figure 5-43

5.2.4 Configuring a Security Group

Step 1 In the service list, choose Networking > Virtual Private Cloud. On the network
console, choose Access Control > Security Groups. In the security group list, click the
security group name sg-dvwa.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 161

Figure 5-44
Step 2 Click the Inbound Rules tab and delete the rule whose Protocol & Port is TCP: 8080.

Note: This rule is deleted to reject traffic on port 8080 and then we can verify the access
control function of the security group.

Figure 5-45
Step 3 In the displayed dialog box, click Yes.

Figure 5-46
Step 4 Check the inbound rule list. The rule that allows traffic on port 8080 does not exist.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 162

Figure 5-47
Step 5 Visit http://119.3.196.178 (EIP address of the DVWA ECS):8080. Refresh the page
and find that the login fails. This indicates that the security group sg-dvwa blocks
traffic on port 8080.

Figure 5-48
Step 6 Add an inbound rule to allow traffic on port 8080 again.

Figure 5-49
Step 7 Refresh the page. The login is successful. This indicates that the security group sg-
dvwa allows traffic on port 8080. The above operations exercise the basic functions
of security groups.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 163

Figure 5-50

5.2.5 Configuring an IP Address Group

If multiple IP addresses can use the same security group, you can add these IP addresses
to an IP address group.

Step 1 Create a test ECS in the VPC subnet created in "DVWA Deployment".

Note: This ECS is used only for connectivity test and verification and is not used for
application deployment.
Configure the ECS test as follows:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: Random
 CPU Architecture: x86
 Specifications: 1 vCPUs | 2 GiB
 Image: Public image | CentOS 7.6 64bit(40GB)
 Host Security: Enable | Basic (free)
 Network: vpc-1 | subnet-20 | Automatically assign IP address (Same network
configuration as ecs-dvwa)
 Security Group: default (Select a security group different from that of ecs-dvwa.)
 EIP: Not required
 System Disk: High I/O | 40 GiB
 ECS Name: test
 Password: User-defined (with the username of root)
HCIP-Cloud Service Solutions Architect Lab Guide Page 164
 HCIP-Cloud Service Solutions Architect Lab Guide Page 165

Figure 5-51
Step 2 Log in to the test ECS.

Figure 5-52
Step 3 Ping the DVWA ECS from the test ECS to verify the connectivity between them.

Note: Before configuring an IP address group, ensure that the two ECSs can communicate
with each other.

Figure 5-53
Step 4 Use the ifconfig command to query the IP address of the test ECS and make a note
of the IP address.

Note: The IP address will be added to the IP address group later.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 166

Figure 5-54
Step 5 On the Network Console, choose Access Control > IP Address Groups and click
Create IP Address Group in the upper right corner.

Note: This IP address group will be configured in the security group for traffic blocking
tests.

Figure 5-55
Step 6 Configure the parameters as follows and click OK.
 Name: test
 IP Address: Enter the private IP address of the test ECS.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 167

Figure 5-56
Step 7 In the security group list, locate the row that contains the security group sg-dvwa
and click Manage Rule in the Operation column.

Figure 5-57
Step 8 Click the Inbound Rules tab and then click Add Rule.
 Priority: 1
 Action: Deny
 Protocol & Port: ICMP | All
 Source: IP address group | test

Figure 5-58
Step 9 Log in to the test ECS again and check the connectivity between the test ECS and
the DVWA ECS. The communication fails. The security group with the IP address
group configured takes effect and blocks the corresponding traffic. This indicates
that IP address groups can work together with security groups.

5.2.6 Hosting a Key on DEW

5.2.6.1 Obtaining an AK/SK
Note: The AK/SK obtained in this section will be used in subsequent KooCLI initialization.

Step 1 Click the username in the upper right corner and choose My Credentials.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 168

Figure 5-59
Step 2 On the Access Keys page, click Create Access Key.

Figure 5-60
Step 3 Enter a description as needed and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 169

Figure 5-61
Step 4 Wait until the creation is successful, and click Download.

Figure 5-62
Step 5 Properly save the AK/SK on your local PC for later use.

Figure 5-63

5.2.6.2 Creating a Secret

Note: The secret is hosted in DEW and will be obtained by ECS through the KooCLI client.

Step 1 In the service list, choose Data Encryption Workshop under Security & Compliance.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 170

Figure 5-64
Step 2 On the Cloud Secret Management Service page, click Create Secret.

Figure 5-65
Step 3 Configure secret parameters, as shown in the following figure.
 Secret Name: test
 Secret Value: Set a value as needed. Example: HCIP@123
Retain the default settings for other parameters.

Figure 5-66
Step 4 Click the secret name to view details. The current version is v1.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 171

Figure 5-67

5.2.6.3 Creating an Agency

Note: The agency is used to delegate permissions to the ECS so that the ECS can obtain
DEW-managed keys through KooCLI.

Step 1 In the upper right corner of the page, hover the mouse over the username and
select Identity and Access Management.

Figure 5-68
Step 2 Choose Agencies in the navigation pane on the left and click Create Agency.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 172

Figure 5-69
Step 3 Configure the agency and click Next.
 Agency Name: ECS-password
 Agency Type: Cloud service
 Cloud Service: Elastic Cloud Server (ECS) and Bare Metal Server (BMS)
 Validity Period: Unlimited

Figure 5-70
Step 4 Select CSMS FullAccess and KMS CMKFullAccess.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 173

Figure 5-71
Step 5 Retain the default authorization scope and click OK.

Figure 5-72
Step 6 After the agency is created, view the assigned permissions on the Permissions page.

Figure 5-73

5.2.6.4 Installing KooCLI

Step 1 Create an ECS named ecs-test by referring to steps 3 to 4 in DVWA Deployment.

Note: This ECS is used only for installing KooCLI and obtaining keys.
Configure the ECS ecs-test as follows:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: Random
 CPU Architecture: x86
 Specifications: 1 vCPUs | 2 GiB
 Image: Public image | CentOS 7.6 64bit(40GB)
 Host Security: Enable (Basic)
 Network: vpc-1 | subnet-20 | Automatically assign IP address
 Security Group: default
 EIP: Auto assign
 EIP Type: Premium BGP
 HCIP-Cloud Service Solutions Architect Lab Guide Page 174

 Billed By: Traffic

 Bandwidth Size: 10 Mbit/s
 System disk: General-purpose SSD | 40 GiB
 ECS Name: ecs-test
 Password: User-defined (with the username of root)

Step 2 Log in to ecs-test and install the KooCLI client.

[root@ecs-test ~]# curl -sSL https://ap-southeast-3-hwcloudcli.obs.ap-southeast-

3.myhuaweicloud.com/cli/latest/hcloud_install.sh -o ./hcloud_install.sh && bash ./hcloud_install.sh -y

Step 3 Initialize the ECS. Enter “Y” to agree Privacy Statement at

https://www.huaweicloud.com/intl/zh-cn/declaration/sa_prp.html.

The AK/SK obtained in section 5.2.6.1 is required here.

[root@ecs-test ~]# hcloud configure init

Access Key ID [required]: Enter the AK.
Secret Access Key [required]: Enter the SK.
Region Name: Enter a region name, for example, ap-southeast-1.

Figure 5-74
If your current environment language is Chinese. To switch the language, run the hcloud
configure set --cli-lang=en command.

[root@ecs-test ~]# hcloud configure set --cli-lang=en

5.2.6.5 Using KooCLI to Obtain the Key

Step 1 Enter the KooCLI interaction mode:

[root@ecs-test ~]# hcloud --interactive

 HCIP-Cloud Service Solutions Architect Lab Guide Page 175

Step 2 View information about the key created in DEW. As shown in the following figure,
key HCIP@123 has been obtained, indicating that ECS can obtain the DEW-
managed key through the KooCLI client.

> hcloud csms ShowSecretVersion --secret_name=test --version_id=v1 --cli-region="ap-southeast-1"

# --secret_name=Key name
# --version_id=Key version
# --cli-region="Current region"

Figure 5-75

5.3 Clearing Resources

Step 1 Delete the agency.
 In the upper right corner of the page, hover the mouse over the username and select
Identity and Access Management.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 176

Figure 5-76
 Choose Agencies in the left navigation pane. Locate the row containing the agency
created in this exercise click Delete in the Operation column.

Step 2 Delete the secret.

 In the service list, choose Data Encryption Workshop under Security & Compliance. In
the navigation pane on the left, choose Cloud Secret Management Service, locate the
row containing the secret created in this exercise and click Delete in the Operation
column.
 In the displayed dialog box, select Delete now and click OK.

Step 3 Delete the ECS.

 In the service list, choose Elastic Cloud Server under Compute. In the ECS list, locate
the ECS purchased in this exercise and choose More > Delete in the Operation
column.
 In the displayed dialog box, select the check boxes displayed in the following picture
and click Yes.

Figure 5-77
Step 4 Delete two-factor authentication.

On the Service List page, select Host Security Service under Security & Compliance.
Choose Installation & Configuration, click the Two-Factor Authentication tab, and click
Delete in the Operation column of a record.

Step 5 Delete the SMN topic.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 177

In the service list, choose Simple Message Notification. In the navigation pane on the left,
choose Topic Management > Topics. In the right pane, locate the topic created in this
exercise, choose More > Delete in the Operation column, and click OK.

Step 6 Delete the IP address group.

In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Access Control > IP Address Groups. In the IP address group list, locate
the IP address group created in this exercise and click Delete in the Operation column.

Step 7 Delete the security group.

In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Access Control > Security Groups. In the security group list, locate the
security group created in this exercise and click Delete in the Operation column.

Step 8 Delete the subnet and VPC.

 In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Subnets. In the subnet list, locate the subnet created in this exercise
and click Delete in the Operation column.
 Choose Virtual Private Cloud in the navigation pane on the left. In the VPC list, locate
the VPC created in this exercise and click Delete in the Operation column.

5.4 Quiz
Question: Besides real-time intrusion detection, what functions does the HSS enterprise
edition provide?
Answer: Virus and Trojan detection and removal, baseline check, one-click vulnerability
fix, and security configuration
 HCIP-Cloud Service Solutions Architect Lab Guide Page 178

6 Containerized Application Deployment

6.1 Introduction
6.1.1 About This Exercise
This exercise consists of two parts:
1. Deploy Docker engine and containers on ECSs to provide web services. Use
Dockerfiles to build and push images to SoftWare Repository for Container (SWR).
To test whether the pushed image is available, use Cloud Container Engine (CCE) to
pull and deploy the image. Use a local browser to access the EIP of the CCE node to
check whether the web page is normal.
2. Use FunctionGraph to update object versions in an OBS bucket and retain only the
latest three versions.
This exercise uses the Hong Kong or Singapore region as an example.

6.1.2 Objectives
Understand how to use and configure Docker engine.
Understand how to use and configure SoftWare Repository for Container (SWR).
Understand how to use and configure Cloud Container Engine (CCE).
Understand how to use and configure FunctionGraph.

6.1.3 Networking
 HCIP-Cloud Service Solutions Architect Lab Guide Page 179

Figure 6-1 Container networking

6.1.4 Related Software

Docker is an open source container engine that allows developers to package
applications and dependency packages into a portable image and release the image to
any popular Linux or Windows operating system.
httpd is the main program of the Apache Hypertext Transfer Protocol (HTTP) server. It is
a backend process that runs independently and creates a pool of subprocesses or threads
that process requests.

6.2 Procedure
6.2.1 Deploying Containers & CCE
6.2.1.1 Creating a VPC
Step 1 On the upper area of the console, select CN-Hong Kong.

Step 2 In the service list, choose Networking > Virtual Private Cloud.

Step 3 Click Create VPC in the upper right corner. (Subsequent resources will be created in
the VPC.)

Figure 6-2
Step 4 Configure the following parameters and click Create Now.
 Region: CN-Hong Kong
 Name: vpc-1
 IPv4 CIDR Block: 192.168.0.0/16
Default Subnet
 Name: vpc-1-subnet
 IPv4 CIDR Block: 192.168.1.0/24

6.2.1.2 Creating a Security Group

Step 1 Create security group sg-docker in CN-Hong Kong based on the following
configurations:

Note: This security group is used by the ECS where the Docker engine will be deployed.
 Name: sg-docker
 General-purpose web server
 HCIP-Cloud Service Solutions Architect Lab Guide Page 180

Figure 6-3

6.2.1.3 Creating an ECS

Step 1 Create an ECS ecs-docker based on the following configurations:

Note: This ECS is used to deploy the Docker engine.

Configure the ECS ecs-docker as follows:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: Random
 CPU Architecture: x86
 Specifications: 2 vCPUs | 4 GiB
 Image: Public image | CentOS 7.6 64bit(40GB)
 Host Security: Enable | Basic (free)
 Network: vpc-1 | vpc-1-subnet | Automatically assign IP address
 Security Group: sg-docker
 EIP: Auto assign
 EIP Type: Dynamic BGP
 Billed By: Traffic
 Bandwidth Size: 10 Mbit/s
 System Disk: High I/O | 40 GiB
 ECS Name: ecs-docker
 Login Mode ：Password(User-defined )
HCIP-Cloud Service Solutions Architect Lab Guide Page 181
 HCIP-Cloud Service Solutions Architect Lab Guide Page 182

Figure 6-4

6.2.1.4 Installing and Deploying Docker

Step 1 Use Huawei Cloud CloudShell to log in to ecs-docker.

Figure 6-5
Step 2 Run the following command to install the yum unit:

Note: If a non-root user is used, sudo needs to be added to some commands.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 183

[root@ecs-docker ~]# yum install -y yum-utils

Figure 6-6
Step 3 Run the following command to add the yum source:

[root@ecs-docker ~]# yum-config-manager --add-repo

https://download.docker.com/linux/centos/docker-ce.repo

Figure 6-7
Step 4 Run the following command to install Docker:

[root@ecs-docker ~]# yum install docker-ce docker-ce-cli containerd.io

Figure 6-8
Step 5 Enter y twice.

Figure 6-9
Step 6 If Complete! is displayed, the installation is complete.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 184

Figure 6-10
Step 7 Run the following command to start Docker:

[root@ecs-docker ~]# systemctl start docker

Figure 6-11
Step 8 Run the following command to check whether the Docker engine works properly: If
Hello from Docker is displayed, the Docker engine is working properly.

[root@ecs-docker ~]# docker run hello-world

Figure 6-12

6.2.1.5 Pulling and Viewing the Image

Step 1 Run the following command to pull the Nginx image:

[root@ecs-docker ~]# docker pull nginx

 HCIP-Cloud Service Solutions Architect Lab Guide Page 185

Figure 6-13
Step 2 Run the following command to view the local image:

[root@ecs-docker ~]# docker images

Figure 6-14

6.2.1.6 Deploying Containers to Provide Web Services

Step 1 Run the following command to pull the httpd image to the local host:

[root@ecs-docker ~]# docker pull httpd

Figure 6-15
Step 2 Run the following command to run the image as a container in the background and
map port 80 of the container to port 80 of the host:

[root@ecs-docker ~]# docker run -d -p 80:80 httpd

 HCIP-Cloud Service Solutions Architect Lab Guide Page 186

Figure 6-16
Step 3 Log in to the public network address of ecs-docker.

Figure 6-17

6.2.1.7 Building an Image Using a Dockerfile

Step 1 Run the following commands to access the container (the CLI becomes the
interactive terminal) and view the HTML file path:

[root@ecs-docker ~]# docker container ls

[root@ecs-docker ~]# docker exec -it 511b4079be09 bash

Note: 511b4079be09 indicates the container ID.

Figure 6-18
Step 2 Run cat to view the index.html file in the htdocs directory. It works is displayed on
the web page. Record file directory: /usr/local/apache2/htdocs.

root@511b4079be09:/usr/local/apache2# cd htdocs/
root@511b4079be09:/usr/local/apache2/htdocs# cat index.html
 HCIP-Cloud Service Solutions Architect Lab Guide Page 187

Figure 6-19
Step 3 Run exit to exit the container and run the following commands to create an HTML
file in the new path:

[root@ecs-docker ~]# mkdir -p /root/httpd

[root@ecs-docker ~]# cd /root/httpd

Figure 6-20
Step 4 Run the following commands to create and edit the HTML file and write HCIP-
Cloud Service to the file:

[root@ecs-docker httpd]# vi index.html # Create an HTML file.

HCIP-Cloud Service # Fill in the HTML file.

Figure 6-21
Step 5 Run the following commands to create and edit the Dockerfile:

[root@ecs-docker httpd]# vi Dockerfile # Create a Dockerfile

FROM httpd
MAINTAINER huawei
COPY index.html /usr/local/apache2/htdocs
 HCIP-Cloud Service Solutions Architect Lab Guide Page 188

Figure 6-22
Step 6 Run the following commands to build a new image httpd2 using the Dockerfile:

[root@ecs-docker httpd]# docker build -t httpd2:v1 .

[root@ecs-docker httpd]# docker images

Figure 6-23
Step 7 Run the following commands to stop the httpd container:

[root@ecs-docker ~]# docker ps -a # View the container list and find the ID of the
httpd container.
[root@ecs-docker ~]# docker stop e1 # Stop the httpd container. e1 is the ID of the
httpd container.

Figure 6-24
Step 8 Run the following command to run the image as a container:

[root@ecs-docker ~]# docker run -d -p 80:80 httpd2:v1

Step 9 Log in to the public network address of ecs-docker again and view the content. If
the following information is displayed, the Dockerfile image is successfully built.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 189

Figure 6-25

6.2.1.8 Pushing an Image to SWR

Step 1 In the service list, choose SoftWare Repository for Container > Create Organization.

Note: You need to push the created image to the organization.

Figure 6-26
Step 2 Enter the organization name hcip (which is user-defined) and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 190

Figure 6-27
Step 3 Click Generate Login Command in the upper right corner to obtain the command.

Figure 6-28
Step 4 Copy the login command.

Figure 6-29
Step 5 Use Huawei Cloud CloudShell to log in to ecs-docker and run the recorded login
command.

Figure 6-30
Step 6 After the login is successful, run the following command on the node to view the ID
of the httpd2:v1 container:

[root@ecs-docker ~]# docker container ls

 HCIP-Cloud Service Solutions Architect Lab Guide Page 191

Figure 6-31
Step 7 Pack the httpd2:v1 container into an image and change the image tag.

[root@ecs-docker ~]# docker commit f56106f9c554 swr.ap-southeast-

1.myhuaweicloud.com/hcip/hcip-cloudservice:v1
#f56106f9c554: container ID
#swr.cn-north-1.myhuaweicloud.com: SWR address, which can be confirmed by viewing the last part
of the login command.
#hcip: organization name
#hcip-cloudservice:v1: Image name: Tag
[root@ecs-docker ~]# docker images

Figure 6-32
Step 8 Run the following command to push the image to SWR:

[root@ecs-docker ~]# docker push swr.ap-southeast-1.myhuaweicloud.com/hcip/hcip-cloudservice:v1

Figure 6-33
Step 9 Log in to SWR and view the image. If the following information is displayed, the
image is successfully pushed. Click the image name to view image details.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 192

Figure 6-34
Step 10 On the details page, the current image tag is v1.

Figure 6-35

6.2.1.9 Creating a CCE and Deploying a Container

Step 1 Log in to Huawei Cloud, click Cloud Container Engine in the service list.

Step 2 On the CCE console, click Create.

Note: You need to use this cluster to pull the image and use it to deploy the container.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 193

Figure 6-36
Step 3 Set CCE cluster parameters as follows:

CCE cluster:
 Billing Mode: Pay-per-use
 Cluster Name: cluster-hcip (user-defined)
 Version: v1.19
 Management Scale: 50 nodes
 Number of master nodes: 1
 Network Model: VPC network
 VPC: vpc-1
 Subnet: vpc-1-subnet
 Container Network Segment: 10.10.0.0/16
 Service Network Segment: Default
 HCIP-Cloud Service Solutions Architect Lab Guide Page 194

Figure 6-37
Step 4 After the preceding configurations are complete, click Next: Create Node.
 Create Node: create now
 Billing Mode: Pay-per-use
 Current Region: ap-southeast-1
 AZ: default
 Node Type: VM node
 Node Name: default
 Specifications: 4 cores | 8 GB
 OS: EulerOS 2.5
 HCIP-Cloud Service Solutions Architect Lab Guide Page 195

 System Disk: High I/O

 Data Disk: High I/O
 Subnet: default
 EIP: Do not use
 Login Mode: Password
 HCIP-Cloud Service Solutions Architect Lab Guide Page 196

Figure 6-38
Step 5 After the preceding configuration is complete, click Next: Install Add-on. Retain the
default settings for the add-on.

Step 6 After the preceding configuration is complete, click Next. Click Next: Confirm.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 197

Step 7 On the Resource Management page, select Clusters to view the created CCE cluster.
If the cluster status is Available, the cluster has been created.

Figure 6-39
Step 8 Click Nodes on the left to check the status of the new node.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 198

Figure 6-40
Step 9 Choose Workloads > Deployments on the left, click Create Deployment in the upper
right corner, and set the following parameters to create a workload.
 Workload Name: hcip-httpd (user-defined)
 Namespace: default
 Set Instances to 1.
 Select Container Image: My Images | hcip-cloud service
 Image Version：v1
 Container Name: container-httpd (user-defined)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 199

Figure 6-41
Step 10 After the workload is created, click Next: Set Application Access. Skip the service
configuration.

Figure 6-42
Step 11 Retain the default settings and click Create.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 200

Figure 6-43
Step 12 Return to the ECS page, purchase an EIP for the node in the CCE cluster, and bind
the EIP to the node. For details, see Compute Service Planning or Network Service
Planning.
Note: You need to use this EIP to implement external network access for the newly
deployed workload.
 Billing Mode: Pay-per-use
 Billed By: Traffic
 Bandwidth Size: 10 Mbit/s
 Quantity: 1

Figure 6-44
Step 13 Return to the CCE Clusters page, choose Workloads > Deployments. Click the target
workload, for example, hcip-httpd. Select Services, and click Create Service. Set
Access Type to NodePort, Container Port to 80, and Access Port to 30080. (Port
30080 is used as an example. You can select a port based on the site requirements.)
After the configuration is complete, click Create. The Resource Management >
Network page is displayed. Use a browser to access the EIP.
 Service Name: hcip-httpd
 HCIP-Cloud Service Solutions Architect Lab Guide Page 201

 Access Type: NodePort

 Service Affinity: Node level
 Protocol: TCP
 Container Port: 80
 Access Port: Specified port | 30080

Figure 6-45
Step 14 Log in to the IP address through http://EIP:30080. (http://49.0.231.46:30080 in this
experiment). If the following information is displayed, the image pushed to SWR is
successfully deployed on CCE.

Figure 6-46

6.2.2 FunctionGraph
FunctionGraph hosts and computes event-driven functions in a serverless context while
ensuring high availability, high scalability, and zero maintenance. All you need to do is
write your code and set conditions.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 202

In actual service scenarios, there are too many unnecessary historical object versions
stored in OBS, involving manual deletion and complex maintenance. In this case, you can
retain the latest three versions in the bucket by using FunctionGraph.

6.2.2.1 Preparing Resources

Step 1 Use https://cloudservice-v3.obs.cn-east-3.myhuaweicloud.com/DeleteOldVersions.zip
to download the code file.

6.2.2.2 Creating an Object Storage Bucket

Step 1 In the service list, choose Object Storage Service.

Description: Target bucket for executing functions.

Figure 6-47
Step 2 Click Create Bucket in the upper right corner.

Figure 6-48
Step 3 Create an OBS bucket:
 Region: AP - Singapore (user-defined)
 Bucket Name: obs-flash
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 203

Figure 6-49

6.2.2.3 Creating an Agency

Step 1 Select Identity and Access Management from the username drop-down list.

Figure 6-50
Step 2 In the navigation pane on the left, choose Agencies and then click Create Agency in
the upper right corner.

Note: You need to use this agency to grant FunctionGraph permissions.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 204

Figure 6-51
Step 3 Configure the agency name and type, and cloud service as follows:
 Agency Name: fgh-commission
 Agency Type: Cloud service
 Cloud Service: Select FunctionGraph.
 Validity Period: Unlimited

Figure 6-52
 Select OBS Administrator and LTS FullAccess, as shown in the following figure.
Note: FunctionGraph needs to call OBS and LTS.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 205

Figure 6-53
 Retain the default values for other parameters and click OK.

Figure 6-54
Step 4 If you can view the agency in the agency list, as shown in the following figure, the
agency is created successfully.

Figure 6-55

6.2.2.4 Creating a Function

Step 1 In the service list, choose FunctionGraph.

Figure 6-56
Step 2 On the FunctionGraph console, click Create Function in the upper right corner.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 206

Figure 6-57
Step 3 Create a function as follows:
 Function Type: Event Function
 Region: AP-Singapore
 Function Name: obs-flash
 Agency: fgh-commission
 Runtime: Python 3.9

Figure 6-58

6.2.2.5 Configuring Simple Message Notification (SMN)

Step 1 On the Service List page, select Simple Message Notification under Management &
Governance.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 207

Figure 6-59
Step 2 In the navigation pane, choose Topic Management > Topics. Then, click Create
Topic in the upper right corner.

Note: In subsequent exercises, you need to use this SMN topic to trigger FunctionGraph.

Figure 6-60
Step 3 Set Topic Name to obs-flash and click OK.

Figure 6-61
Step 4 Click Add Subscription corresponding to obs-flash and add a subscription as follows:
 HCIP-Cloud Service Solutions Architect Lab Guide Page 208

Figure 6-62
 Select FunctionGraph (function) for Protocol and obs-flash for Endpoint.
Note: Select the created FunctionGraph function as the endpoint. When SMN is triggered,
FunctionGraph will be notified.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 209

Figure 6-63
 After the preceding configuration is complete (the version does not need to be
selected), click OK.

Figure 6-64
Step 5 Locate the obs-flash topic, click More in the Operation column, and select Configure
Topic Policy.

Figure 6-65
 Select OBS for Services that can publish messages to this topic and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 210

Figure 6-66

6.2.2.6 Configuring a Function Workflow

Step 1 Choose FunctionGraph > Functions > Function List, click the created function, for
example, obs-flash, and check whether a trigger is generated. The SMN trigger in
the following figure is the newly generated trigger.

Figure 6-67
Step 2 On the function page, click the Code tab.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 211

Figure 6-68
Step 3 Copy the content in the code file downloaded in 6.2.2.1 to the index.py file
(overwrite the original content).

Figure 6-69
Step 4 Click Deploy.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 212

Figure 6-70

6.2.2.7 Configuring the Object Storage Bucket

Step 1 In the service list, choose Object Storage Service.

Step 2 Click the new bucket obs-flash.

Figure 6-71
Step 3 On the navigation pane on the left, choose Basic Configurations > Event
Notification and click Create on the right.

Figure 6-72
Step 4 Create an event notification as follows:

Note: When an object is created in the bucket, this event notification will trigger an SMN
message and be forwarded to FunctionGraph.
 Name: event-xxx(user-defined)
 Events: ObjectCreated
 HCIP-Cloud Service Solutions Architect Lab Guide Page 213

 Notification Method: SMN topic | AP-Singapore | obs-flash

Figure 6-73
Step 5 On the navigation pane on the left, choose Overview > Objects. Click Edit next to
Versioning.

Note: You need to upload multiple versions of an object to test the execution of a
function.

Figure 6-74
Step 6 In the displayed dialog box, select Enable and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 214

Figure 6-75

6.2.2.8 Uploading an Object to the Object Storage Bucket

Step 1 Choose Overview > Objects. Click the Objects tab. Click Upload Object.

Figure 6-76
Step 2 Click add file.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 215

Figure 6-77
Step 3 Select a small test file from the local PC and click Upload.

Figure 6-78
Step 4 Repeat this operation twice and click the object name.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 216

Figure 6-79
Step 5 Click the Versions tab to view the saved version files. You can determine the version
by viewing the revision time of the files.

Figure 6-80
Step 6 Perform the upload operation again and check the historical versions again. It is
found that only the latest three version files are retained and the earliest uploaded
version is updated. The earlier version has been updated, indicating that the
function workflow has been triggered and taken effect.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 217

Figure 6-81

6.2.2.9 Viewing FunctionGraph Execution Logs

Step 1 On the Monitoring tab page of the created obs-flash function, click the Logs tab,
and click Enable LTS.

Figure 6-82
Step 2 Go back to the OBS page and upload the same file again (the file can be uploaded
for multiple times) to trigger FunctionGraph to delete the historical version.

Step 3 Return to the obs-flash function page and choose Monitoring > Logs to view the
calling status of the current function. Note: After the OBS file is uploaded, it may
take several minutes to view the log information.

Figure 6-83

6.3 Clearing Resources

Step 1 Delete workloads.

Choose Service List > Cloud Container Engine. In the navigation pane, choose
Workloads > Deployments, locate the Deployment created in this exercise and choose
More > Delete in the Operation column.

Step 2 Delete the CCE node.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 218

Choose Service List > Cloud Container Engine. In the navigation pane, choose Resource
Management > Nodes. In the node list, locate the node created in this exercise and
choose More > Delete in the Operation column.

Step 3 Delete the SWR organization.

 Choose Service List > SoftWare Repository for Container. In the navigation pane, click
Organization Management. Locate the organization created in this exercise and click
the organization name to go to the details page.

Figure 6-84
 Click Images and click the name of the image created in this exercise.

Figure 6-85
 On the displayed page, select all image versions and click Delete.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 219

Figure 6-86
 In the navigation pane, click Organization Management. Locate the organization
created in this exercise, click the organization name to go to the details page, and
click Delete in the upper right corner.

Figure 6-87
Step 4 Delete the ECS.
 In the service list, choose Elastic Cloud Server under Compute. In the ECS list, locate
the ECS created in this exercise and choose More > Delete in the Operation column.
 In the displayed dialog box, select the check boxes shown in the following figure and
click Yes.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 220

Figure 6-88
Step 5 Delete the security groups.

In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Access Control > Security Groups. In the security group list, locate the
security group created in this exercise and click Delete in the Operation column.

Step 6 Delete the subnet and VPC.

 In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Subnets. In the subnet list, locate the subnet created in this exercise
and click Delete in the Operation column.
 Choose Virtual Private Cloud in the navigation pane on the left. In the VPC list, locate
the VPC created in this exercise and click Delete in the Operation column.

Step 7 Delete the FunctionGraph function.

Choose Service List > FunctionGraph. On the Functions page on the left, locate the
function created in this exercise and click Delete in the Operation column.

Step 8 Delete the SMN topic.

In the service list, choose Simple Message Notification. In the navigation pane, choose
Topic Management > Topics. In the right pane, locate the topic created in this exercise
and choose More > Delete in the Operation column.

Step 9 Delete the agency.

 In the upper right corner of the page, hover the mouse over the username and select
Identity and Access Management.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 221

Figure 6-89
 In the navigation pane on the left, choose Agencies. In the agency list, locate the
agency created in this exercise and click Delete in the Operation column.

Step 10 Delete the OBS bucket.

In the service list, choose Object Storage Service. In the bucket list, locate the bucket
purchased in this exercise and click Delete in the Operation column.

6.4 Quiz
Question: What are the advantages of Huawei Cloud CCE?
Answer: Huawei Cloud CCE supports Deployments, StatefulSets, DaemonSets, jobs, and
cron jobs. It supports application upgrade and scaling of nodes and workloads,
streamlines deployment and upgrade, and allows hitless upgrade and automated O&M.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 222

7 Microservice Application Deployment

7.1 Introduction
7.1.1 About This Exercise
A weather forecast microservice application provides weather forecasts as well as displays
ultraviolet (UV) and humidity indexes. This exercise uses a weather forecast application
to demonstrate the application scenarios of the microservice architecture and best
practices of managing the runtime environment and setting up pipelines on ServiceStage.
A weather forecast service consists of a frontend application and a backend application.
The frontend application weathermapweb is developed using Node.js and connected to a
microservice engine using Mesher to discover the backend application. The backend
application is implemented using the Java microservice development framework and
includes microservices fusionweather, forecast, weather-beta, and weather.
This exercise uses the CN-Hong Kong region as an example. Trainees can select regions
as required. Multiple microservice components are deployed in the environment. You are
advised to configure related names based on this manual.

7.1.2 Objectives
Understand the concepts and application scenarios of the microservice architecture.
Understand methods of using ServiceStage to manage the runtime environment and
build pipelines.
Understand methods and design principles for building and deploying microservices using
ServiceStage.

7.1.3 Related Software

The fusionweather aggregation microservice provides comprehensive weather forecast
functions by accessing the weather and forecast services. The forecast microservice allows
you to query the weather in the next few days. The weather microservice allows you to
query weather and humidity. The weather-beta microservice is a new version of the
weather microservice and supports the function of querying the UA rays of a specified
city. (This microservice is used for dark launch and does not need to be deployed in this
exercise.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 223

Figure 7-1
GitHub is a platform for hosting open-source and private software projects. It supports
only Git as the version library format.

7.2 Procedure
7.2.1 Preparations
7.2.1.1 Preparing Resources
Step 1 Log in to Huawei Cloud and choose My Credentials.

Figure 7-2
Step 2 Choose Access Keys and click Create Access Key on the right.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 224

This access key will be used to create a key in ServiceStage.

Figure 7-3
Step 3 In the dialog box that is displayed, click Download and record the information.

Figure 7-4
Step 4 Create a VPC and subnet. For details, see the previous content.

CCE clusters will be created in this VPC.

Basic settings:
 Region: CN-Hong Kong
 Name: vpc-servicestage
 IPv4 CIDR Block: 192.168.0.0/16
Default subnet
 AZ: AZ2(user-defined)
 Name: subnet-servicestage
 IPv4 CIDR Block: 192.168.20.0/24

Step 5 Create a CCE cluster.

This CCE cluster will be used for container-based deployment of microservices.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 225

Figure 7-5
 Region: CN-Hong Kong
 Billing Mode: Pay-per-use
 Cluster Name: cluster-cce
 Version: v1.19
 Management Scale: 50 nodes
 Number of master nodes: 1 （This experiment is a test environment. Therefore, one
node is selected. Three nodes are recommended in the production environment）
 HCIP-Cloud Service Solutions Architect Lab Guide Page 226

Figure 7-6
 Network Model: VPC network
 VPC: vpc-servicestage
 Subnet: subnet-servicestage
 Container Network Segment: Retain the default value.
 Create Node: Create later
 HCIP-Cloud Service Solutions Architect Lab Guide Page 227

Figure 7-7
Step 6 After the cluster is created, click Buy Node to create a node for the CCE cluster.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 228

Figure 7-8
Step 7 Set the parameters as follows, confirm the configuration, and click Submit.
 Billing Mode: Pay-per-use
 AZ: Random
 Node Type: VM node
 Node Name: Use the default name or customize one.
 Specifications: 8 cores | 16 GB

Figure 7-9
 OS: EulerOS 2.5
 System Disk: Use the default setting.
 Data Disk: Use the default setting.
 Subnet: subnet-servicestage
 EIP: Automatically assign
 Billed By: Traffic
 Bandwidth: 10 Mbit/s
 Login Mode: Password
 Password: Customize one.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 229

Figure 7-10
Step 8 Confirm the configuration and click Finish.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 230

Figure 7-11
Step 9 On the Nodes page that is displayed, view the information about the created node.

Figure 7-12

7.2.1.2 Creating an Environment

Step 1 Log in to ServiceStage, choose Environment Management, and click Create
Environment.

Figure 7-13
Step 2 Set the following parameters and click Add Basic Resource.

This environment will be selected for subsequent microservice deployment.

 Environment: test-env
 HCIP-Cloud Service Solutions Architect Lab Guide Page 231

 VPC: vpc-1

Figure 7-14
Step 3 On the Cloud Container Engine (CCE) tab page, select the created CCE cluster and
click OK.

Figure 7-15
Step 4 Click Add Optional Resource.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 232

Figure 7-16
Step 5 On the Cloud Service Engine (CSE) tab page, select Cloud Service Engine, click OK,
and click Create Now.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 233

Figure 7-17
Step 6 Choose ServiceStage from Service List. In the Application List, click Create
Application in the upper right corner.

Figure 7-18
Step 7 Set Name to weathermap and click OK.

Figure 7-19

7.2.1.3 Creating a Secret

Step 1 Encode the AK/SK obtained using Base64. In the local Linux environment, run the
echo -n 'Content to be encoded' | base64 command.

Note：You can also create an ECS and run related commands in the ECS.

echo -n 'BM8QX6MNXVGIGXXXXXXX' | base64 #AK

echo -n 'FxRkLAJExA2lxnogHOMy7xYSr2McVEoXXXXXXXXXX' | base64 #SK
 HCIP-Cloud Service Solutions Architect Lab Guide Page 234

Figure 7-20
Step 2 Log in to ServiceStage and choose Application Management > Application
Configuration > Secret > Create.

You can create a secret for the frontend application component weathermapweb that is
based on the Mesher framework. After the component is deployed and running, Mesher
automatically reads the secret information.

Figure 7-21
Step 3 Set the parameters as follows:
 Creation Mode: Visualization
 Name: mesher-secret
 Cluster: cluster-cce
 Namespace: default
 Secret Type: Opaque
 Secret Data: cse_credentials_accessKey | encoded AK; cse_credentials_secretKey |
encoded SK
 HCIP-Cloud Service Solutions Architect Lab Guide Page 235

Figure 7-22
Step 4 If the created secret is displayed in the secret list, the secret is created.

Figure 7-23

7.2.1.4 Preparing the Weather Forecast Source Code

If you do not have a GitHub account, log in to the GitHub official website and register an
account.

Step 1 Log in to the GitHub account and click the Repositories tab on the personal
homepage.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 236

Figure 7-24
Step 2 Click New to create an organization.

Figure 7-25
Step 3 Create a repository based on the following configurations and click Create
repository.
 Repository name: hcip
 Retain the default settings for other parameters.

Figure 7-26
Step 4 On the page that is displayed, click Import code to import the source code.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 237

Figure 7-27
Step 5 On the page that is displayed, enter the source code address
https://github.com/servicestage-demo/weathermap.git and click Begin import.

Figure 7-28
Step 6 Check whether the source code file of the weather forecast service has been
imported to the hcip repository.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 238

Figure 7-29

7.2.1.5 Setting GitHub Repository Authorization

Step 1 Log in to ServiceStage, choose Continuous Delivery > Repository Authorization, and
click Create Authorization.

You will use this repository for authorization to build and deploy microservices.

Figure 7-30
Step 2 Set authorization parameters as follows:
 Name: auth-github
 Repository Type: GitHub
 Method: OAuth
 HCIP-Cloud Service Solutions Architect Lab Guide Page 239

Figure 7-31
Step 3 In the displayed dialog box, click Authorize CPE-OAuth.

Figure 7-32
Step 4 In the dialog box that is displayed, enter the password for confirmation.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 240

Figure 7-33
Step 5 View the created authorization. If the status is Normal, the repository authorization
is successfully created.

Figure 7-34

7.2.1.6 Creating an Organization

Step 1 Log in to ServiceStage and choose Software Center > Organization.

Resources in subsequent exercise will be associated with this organization.

Figure 7-35
Step 2 Click Create Organization. On the displayed page, enter the organization name hcip
and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 241

Figure 7-36

7.2.2 Building a Microservice

ServiceStage provides one-click application delivery pipelines and supports flexible
customization. You can pack and build applications based on the source code and
software packages. Project pipelines automatically implement the entire process of code
obtaining, compilation, packaging, archiving, and deployment. It helps you shorten the
service rollout duration and quickly seize the market in practice.
ServiceStage pulls source code from source code repositories, such as DevCloud, GitHub,
Gitee, Bitbucket, and GitLab.
In this exercise, you can create a build job on ServiceStage based on the source code to
obtain the weathermap source code from GitHub, compile and pack the source code into
an image, and archive the image to the image repository.

7.2.2.1 Creating a Build Job of Backend Applications

Step 1 Log in to ServiceStage, choose Continuous Delivery > Build, and click Create Source
Code Job.

Figure 7-37
Step 2 Set build project parameters as follows and click Next to set the environment.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 242

 Name: weathermap
 Code Source: GitHub
 Authorization: auth-github (Select the repository authorization created.)
 Username/Organization: Retain the default value (username/organization of your
GitHub account).
 Repository: hcip (name of the repository created in GitHub)
 Branch: master
 Cluster: cluster-servicestage (Select the CCE cluster created.)

Figure 7-38
Step 3 Select Custom and click Advanced Settings.

Figure 7-39
Step 4 Select Compile and click Add Plug-in. In the displayed right area, select Build
Common Cmd. Then, select Java for Language, and set parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 243

Figure 7-40
 Job Name: CommonCmd
 Language: Java
 Version: java-8

Figure 7-41
Step 5 In the Compile area, click Add Plug-in, select Docker, and add four build jobs with
parameters setting as follows:
 HCIP-Cloud Service Solutions Architect Lab Guide Page 244

Figure 7-42
Step 6 Create the first build job:
 Job Name: Docker (Retain the default value. You can set this parameter as required.
The same applies to the following.)
 Dockerfile Path: ./weather/
 Image Name: weather
 Image Tag: v1.0.${index}

Figure 7-43
Step 7 Repeat the preceding steps to create the second build job.
 Job Name: Docker-4xsb8p
 Dockerfile Path: ./weather-beta/
 Image Name: weather-beta
 Image Tag: v1.0.${index}
 HCIP-Cloud Service Solutions Architect Lab Guide Page 245

Figure 7-44
Step 8 Repeat the preceding steps to create the third build job.
 Job Name: Docker-5e40k3
 Dockerfile Path: ./forecast/
 Image Name: forecast
 Image Tag: v1.0.${index}

Figure 7-45
Step 9 Repeat the preceding steps to create the fourth build job.
 Job Name: Docker-aom49h
 Dockerfile Path: ./fusionweather/
 Image Name: fusionweather
 Image Tag: v1.0.${index}
 HCIP-Cloud Service Solutions Architect Lab Guide Page 246

Figure 7-46
Step 10 Select Archive and click Add Plug-in. In the displayed right area, select Publish Build
Image.

Figure 7-47
Step 11 In Archive, select the four created images (weather, weather-beta, forecast, and
fusionweather), retain the default values for Job Name, and select the created
repository organization hcip for Repository Organization.

After jobs are added, the image package is automatically archived to the image
repository for subsequent operations.
HCIP-Cloud Service Solutions Architect Lab Guide Page 247
 HCIP-Cloud Service Solutions Architect Lab Guide Page 248

Figure 7-48
Step 12 Click Build to start a build job. If the information shown in the following figure is
displayed, the background application weathermap is successfully built.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 249

Figure 7-49

7.2.2.2 Creating a Build Job of Frontend Applications

Step 1 Log in to ServiceStage, choose Continuous Delivery > Build, and click Create Source
Code Job.

Figure 7-50
Step 2 Set basic configurations as follows and click Next.
 Name: weathermapweb
 Code Source: GitHub
 Authorization: auth-github
 Username/Organization: Retain the default value (username/organization of your
GitHub account).
 Repository: hcip
 Branch: master
 Cluster: cluster-cce (Select the CCE cluster created.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 250

Figure 7-51
Step 3 Select a Docker build template.

Compile Docker to add a build job, and specify the job parameters as follows.
 Dockerfile Path: ./weathermapweb/
 Image Name: weathermapweb
 Repository Organization: hcip
 Branch: master
 Retain the default values for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 251

Figure 7-52
Step 4 Click Build. If the following information is displayed, the frontend application
weathermapweb is successfully built.

Figure 7-53

7.2.3 Deploying a Microservice

ServiceStage allows you to quickly deploy microservices in containers (such as CCE) or
VMs (such as ECS), or in serverless mode (such as CCI), and supports deployment using
source code, JAR/WAR packages, or Docker images. In addition, ServiceStage allows you
to deploy, upgrade, roll back, start, stop, and delete applications developed in different
programming languages, such as Java, PHP, Node.js, Go, and Python.
In this exercise, backend components developed in Java and frontend components
developed in Node.js are used.

7.2.3.1 Creating and Deploying Backend Application Components

You need to deploy applications in container-based mode and register microservice
instances with CSE.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 252

Step 1 Log in to ServiceStage and choose Application Management > Application List.

Step 2 Click Create Component in the Operation column.

Figure 7-54
Step 3 Select Custom in Configuration Method and Microservice for Select Component
Type, and click Next.

Figure 7-55
Step 4 Select Docker in Select Runtime System and click Next.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 253

Figure 7-56
Step 5 Select Java Chassis in Select Framework/Service Mesh and set Name to weather.
Click Create and Deploy to deploy the component.

Figure 7-57
Step 6 Set the parameters as follows and click Next.

After an application component is deployed, the microservice is registered with the

configured microservice engine. All applications must be registered with the same
microservice engine.
 Environment: test-env (Select the environment created.)
 Version: default
 Deployment System: Cloud Container Engine
 Instances: 1
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 254

Figure 7-58
Step 7 Click Select Image.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 255

Figure 7-59
Step 8 In the displayed dialog box, select the weather image. Click OK.

Figure 7-60
Step 9 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 256

Figure 7-61
Step 10 In the Advanced Settings pane, add the following environment variables:
 MOCK_ENABLED: false
If an EIP has been bound to the ECS node in the CCE cluster created and the node can
access the public network, set this parameter to false or do not set this parameter. The
weather data used by the application is real-time data.
 servicecomb_credentials_accessKey: AK obtained in section 7.2.1.1.
 servicecomb_credentials_secretKey: SK obtained in section 7.2.1.1.
If the professional microservice engine is used, you need to configure an AK/SK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 257

Figure 7-62
Step 11 Click Next to confirm the specifications. Click Deploy to deploy the component.

Figure 7-63
Step 12 Check the status of the deployed component. If the weather service is in the
Running state, the component has been deployed.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 258

Figure 7-64
Step 13 Repeat the preceding steps to create and deploy the forecast and fusionweather
components.

Deploy the forecast component.

 Framework/Service Mesh: Java Chassis
 Name: forecast
 HCIP-Cloud Service Solutions Architect Lab Guide Page 259

Figure 7-65
 Environment: test-env
 Version: default
 Deployment System: Cloud Container Engine
 Instances: 1
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 260

Figure 7-66
 Select the forecast image.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 261

Figure 7-67
In the Advanced Settings pane, add the following environment variables:
 MOCK_ENABLED: false
 servicecomb_credentials_accessKey: AK obtained in section 7.2.1.1.
 servicecomb_credentials_secretKey: SK obtained in section 7.2.1.1.

Figure 7-68
Deploy the fusionweather component.
 Framework/Service Mesh: Java Chassis
 Name: fusionweather
 HCIP-Cloud Service Solutions Architect Lab Guide Page 262

Figure 7-69
 Environment: test-env
 Version: default
 Deployment System: Cloud Container Engine
 Instances: 1
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 263

Figure 7-70
 Select the fusionweather image.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 264

Figure 7-71
In the Advanced Settings pane, add the following environment variables:
 servicecomb_credentials_accessKey: AK obtained in section 7.2.1.1.
 servicecomb_credentials_secretKey: SK obtained in section 7.2.1.1.

Figure 7-72
Step 14 On ServiceStage, click the created application weathermap to view the microservice
deployment status. As shown in the following figure, the three services are Normal,
indicating that the backend application components fusionweather, forecast, and
weather have been deployed.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 265

Figure 7-73

7.2.3.2 Creating and Deploying Frontend Application Components

Step 1 Log in to ServiceStage and choose Application Management > Application List.

Step 2 Click an application. On the Overview tab page, click Create Component.

Figure 7-74
Step 3 Select Custom for Configuration Method. On the page that is displayed, select
Microservice and click Next.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 266

Figure 7-75
Step 4 Select Docker for Runtime System and click Next.

Figure 7-76
Step 5 Create a service component as follows and click Next.
 Framework/Service Mesh: Mesher
 Name: weathermapweb

Figure 7-77
Step 6 Set the parameters as follows: Click Next to configure the component.
 Environment: test-env
 HCIP-Cloud Service Solutions Architect Lab Guide Page 267

 Version: default
 Deployment System: Cloud Container Engine
 Instances: 1
 Retain the default settings for other parameters.

Figure 7-78
Step 7 Click Select Container Image.

Figure 7-79
Step 8 In the displayed dialog box, select the weathermapweb image. Click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 268

Figure 7-80
Step 9 Retain the default settings for other parameters，Click Next.

Figure 7-81
Step 10 Click Deploy to deploy the component.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 269

Figure 7-82
Step 11 View the deployed microservices. If the weathermapweb service is Running, the
service component has been deployed.

Figure 7-83
Step 12 Log in to ServiceStage and choose Infrastructure > Cloud Service Engines.

Step 13 Select the microservice engine created and click Console.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 270

Figure 7-84
Step 14 On the Microservice List page, if the following microservices are displayed and the
number of microservice instances is not 0, the deployment is successful:

Figure 7-85

7.2.3.3 Setting the Access Mode

Step 1 Log in to ServiceStage and choose Application Management > Application List.

Step 2 Click weathermap to go to the Overview page.

Step 3 Click weathermapweb. The Overview page is displayed.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 271

Figure 7-86
Step 4 Choose Access Mode > Add Service.

Figure 7-87
Step 5 Set the parameters as follows:
 Service Name: weathermapweb
 Access Mode: Public network access
 Access Type: Elastic IP address
 Service Affinity: Cluster level
 Port Mapping: TCP | 3000 | Automatically generated
 HCIP-Cloud Service Solutions Architect Lab Guide Page 272

Figure 7-88

7.3 Verifying the Result

Step 1 Log in to ServiceStage and choose Application Management > Application List.

Step 2 Click the application created (for example, weathermap). The Overview page is
displayed.

Step 3 Click the link next to External Access Address of the weathermapweb application
component.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 273

Figure 7-89
Step 4 If the information shown in the following figure is displayed, the weather forecast
application is successfully deployed.

When you access the application for the first time, it takes some time for the weather
system to be ready. If the preceding page is not displayed, refresh the page.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 274

Figure 7-90

7.4 Clearing Resources

Step 1 Delete a microservice.
 Log in to ServiceStage, choose Application Management > Application List, and click
application weathermap. The Overview page is displayed.
 On the Environment View tab page, select the component and choose Operation >
Delete.
 Back to the Application List and click Delete in the Operation column of application
weathermap.

Step 2 Delete the build job.

Log in to ServiceStage, choose Continuous Delivery > Build, select a build job, and choose
More > Delete.

Step 3 Delete repository authorization.

Log in to ServiceStage, choose Continuous Delivery > Repository Authorization, select an

authorization, and choose More > Delete.

Step 4 Deletes an organization.

Log in to ServiceStage, choose Software Center > Organization, select an organization,

and click Delete.

Step 5 Delete an environment.

Log in to ServiceStage, choose Environment Management, select an environment, and

click Delete.

Step 6 Delete a CCE node.

Choose Cloud Container Engine from Service List. In the navigation pane on the left,
choose Nodes. In the node list, select the node and choose More > Delete.

Step 7 Delete the subnet and VPC.

 In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Subnets. In the subnet list, locate the subnet created in this exercise
and click Delete in the Operation column.
 Choose Virtual Private Cloud in the navigation pane on the left. In the VPC list, locate
the VPC created in this exercise and click Delete in the Operation column.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 275

7.5 Quiz
Question: After an application component is deployed, the status is Not ready, indicating
that the application component fails to be deployed. How do I check the cause of this
failure?
Answer: Log in to ServiceStage, choose Application Management > Application List, and
click the application. On the Overview page that is displayed, select and click the
abnormal component. Then, choose Instance List, click the arrow button before the
instance name, and click Event. In the event list, view the event description to determine
the cause of the application component deployment failure.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 276

8 Cloud O&M Design

8.1 Introduction
8.1.1 About This Exercise
This exercise consists of three parts:
1. Cloud Eye: View metrics on Cloud Eye and configure server, site, and event
monitoring.
2. AOM: Connect an ECS to AOM and configure threshold rules, log dump, and log
analysis.
This exercise uses the CN-Hong Kong region as an example. Trainees can select other
regions as required.

8.1.2 Objectives
Understand the configuration and usage principles of Cloud Eye.
Master the methods and principles of alarm monitoring and log collection/analysis using
AOM.

8.1.3 Related Software

Tomcat is an open-source web application server. It is lightweight and commonly used in
small- or medium-sized systems or in scenarios with a small number of concurrent users.
It is preferred for Java Server Pages (JSP) program development and commissioning.
Java Development Kit (JDK) is a Java development tool package. It is the core of Java,
including the Java runtime environment, Java tools (JAVAC/JAVA/JDB), and basic Java
class libraries.

8.2 Procedure
8.2.1 Preparations
8.2.1.1 Creating a VPC by Referring to the Preceding Exercise
Basic settings:
 Region: CN-Hong Kong
 Name: vpc-1
 IPv4 CIDR Block: 192.168.0.0/16
Default subnet:
 HCIP-Cloud Service Solutions Architect Lab Guide Page 277

 Name: vpc-1-subnet
 IPv4 CIDR Block: 192.168.1.0/24

8.2.1.2 Creating an ECS by Referring to the Preceding Exercise

Note: This ECS is used only for O&M tests.
Configure the test ECS as follows:
 Billing Mode: Pay-per-use
 Region: CN-Hong Kong
 AZ: Random
 CPU Architecture: x86
 Specifications: 1 vCPUs | 2 GiB
 Image: Public image | CentOS 7.6 64 bit
 Host Security: Enable | Basic (free)
 System Disk: 40 GiB
 Network: vpc-1 | vpc-1-subnet | Automatically assign IP address
 Security Group: default
 EIP: Auto assign
 EIP Type: Dynamic BGP
 Billed By: Traffic
 Bandwidth Size: 10 Mbit/s
 ECS Name: test
 Password: custom password of the root user

8.2.1.3 Creating an SMN Topic

Step 1 In the service list, select Simple Message Notification.

Step 2 In the navigation pane, choose Topic Management > Topics. Then, click Create
Topic in the upper right corner.

Figure 8-1
Step 3 Set a topic name and click OK.

Note: This topic is shared by multiple services. Trainees can customize their own topic
name. abc is used as an example here.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 278

Figure 8-2
Step 4 Add a subscription.
 In the navigation pane, choose Subscriptions. Then, click Add Subscription in the
upper right corner.

Figure 8-3
 Set Topic Name to abc, set Protocol to Email or SMS (Email is used as an example
here), specify Endpoint, and click OK.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 279

Figure 8-4
Step 5 In the subscription list, view the created subscription and click Request
Confirmation.

Figure 8-5
Step 6 In the displayed dialog box, click OK.

Figure 8-6
Step 7 Check the subscription email and confirm the subscription.

Step 8 Return to the subscription list and check whether the subscription status changes to
Confirmed. If yes, the subscription is successfully added.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 280

Figure 8-7

8.2.1.4 Creating an OBS Bucket

Step 1 In the service list, choose Object Storage Service.

Note: This bucket is used for dumping AOM logs.

Figure 8-8
Step 2 Click Create Bucket in the upper right corner.

Figure 8-9
Step 3 Create an OBS bucket:
 Region: CN-Hong Kong
 Bucket Name: test-aom-hcip (user-defined)
 Default Storage Class: Standard
 Bucket Policy: Public Read and Write
 Retain the default settings for other parameters.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 281

Figure 8-10

8.2.2 Cloud Eye

Cloud Eye is a multi-dimensional monitoring service. With Cloud Eye, you can view the
resource usage and service running status in the cloud, and respond to exceptions in a
timely manner to ensure smooth service running.
After enabling a cloud service supported by Cloud Eye, you can view the running status of
the cloud service and the usage of each metric, and create alarm rules for metrics on the
Cloud Eye console.
You can monitor cloud service metrics (such as CPU/memory/disk usage) to ensure
smooth service running and prevent service interruption caused by overuse of resources.
You can query system events and custom events reported to Cloud Eye through APIs. You
can also create alarm rules for both system events and custom events. When specific
events occur, Cloud Eye generates alarms for them.

8.2.2.1 Metric Monitoring

Step 1 Log in to the Huawei Cloud console and choose Cloud Eye from the service list.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 282

Figure 8-11
Step 2 In the navigation pane, choose Cloud Service Monitoring > Elastic Volume Service,
locate the target resource, and click View Metric in the Operation column. The
metric monitoring page is displayed.

Wait for 7 to 8 minutes to view metrics after an ECS is deployed.

Figure 8-12
You can view graphs based on raw data collected in the last 1h, 3h, 12h, 1d, and 7d. In
the upper right corner of the graph, the maximum and minimum values of the metric in
the corresponding time period are dynamically displayed. You can also enable Auto
Refresh to view the data refreshed every minute.

Figure 8-13
Step 3 Click Select Metric in the upper right corner of the page.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 283

On the displayed page, select target metrics, and drag and drop them at desired locations
for monitoring.

Step 4 Hover over a metric and click in the upper right corner of the metric graph.
The monitoring details page is displayed.

Figure 8-14
You can view the metric monitoring details in a longer time range. In the upper left
corner, you can select 1h, 3h, 12h, 1d, 7d, or 30d to view monitoring data. You can also
customize a time range (up to six months).

Figure 8-15
To export data, click Export Data on the Cloud Service Monitoring page, set parameters
as prompted, and click Export.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 284

Figure 8-16

8.2.2.2 Server Monitoring

Step 1 Log in to the Huawei Cloud console and choose Cloud Eye from the service list.

Figure 8-17
Step 2 In the navigation pane, choose Server Monitoring.

Figure 8-18
Step 3 (Optional) On the displayed page, select the ECS where the agent is to be installed.
(If there are ECSs on which the agent is not installed) 1. Install the agent in one
click. If the agent has been installed, skip this step.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 285

Figure 8-19
Step 4 Locate the target ECS and click View Metric in the Operation column to view its
monitoring data.

Figure 8-20
OS Monitoring, Basic Monitoring, and Process Monitoring are available.

Figure 8-21

8.2.2.3 Event Monitoring

Step 1 In the navigation pane, choose Event Monitoring. All system events and custom
events generated in the last 24 hours are displayed by default. Locate the target
event and click View Graph in the Operation column to view its graph.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 286

Figure 8-22
Step 2 On the Event Monitoring page, click Create Alarm Rule in the upper right corner.

Figure 8-23
Step 3 Configure the alarm rule name, policy, notification, and other parameters as
prompted.
 Name: alarm-test
 Event Type: System event
 Event Source: Elastic Cloud Server
 HCIP-Cloud Service Solutions Architect Lab Guide Page 287

 Monitoring Scope: All resources

 Method: Configure manually
 Alarm Policy: Retain the default setting.

Figure 8-24
 Notification Object: abc (created during preparation)
 Retain the default settings for other parameters.

Figure 8-25
After you create the alarm rule, if the metric data triggers the present alarm policy, Cloud
Eye will immediately send SMN notifications.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 288

Step 4 Check whether the status of the alarm rule is Enabled. If yes, the alarm rule is
successfully created.

Figure 8-26

8.2.3 AOM
AOM is a one-stop, multidimensional O&M management platform for cloud applications.
It monitors applications and related cloud resources in real time, analyzes application
health status, and provides flexible data visualization functions. It helps you detect faults
in a timely manner and monitor running status of applications, services, and other
resources in real time.
By setting alarm rules, you can learn about the resource usage, trend, and alarms of
hosts in a timely manner. Administrators can quickly respond to exceptions to ensure
smooth host running.
AOM also provides powerful log management capabilities. You can quickly search for
required logs among a large quantity of logs, and dump logs to buckets for long-term
storage. You can also set statistical rules so that AOM periodically counts keywords and
generates metric data for real-time system performance and service monitoring.

8.2.3.1 Alarm Monitoring

Step 1 In the service list, choose Application Operations Management.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 289

Figure 8-27
Step 2 In the navigation pane, choose Configuration Management > Agent Management.
On the displayed page, click Install ICAgent.

Note: ICAgents collect metrics, logs, and application performance data. For hosts
purchased on the ECS or BMS console, manually install ICAgents.

Figure 8-28
Step 3 On the displayed page, enter the AK/SK downloaded in section 7.2.1.1 and copy the
installation command.

Figure 8-29
Step 4 Log in to the test ECS and run the copied command to install the ICAgent. If
ICAgent install success is displayed, the installation is complete.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 290

Figure 8-30
Step 5 Return to the Agent Management page and refresh the page. If the ICAgent status
of the test ECS is Running, the ICAgent is successfully installed.

Figure 8-31
Step 6 In the navigation pane, choose Alarm Center > Alarm Rules. Then, click Add Alarm
in the upper right corner.

Figure 8-32
Step 7 Add an alarm rule:
 Rule Name: cpu-usage
 HCIP-Cloud Service Solutions Architect Lab Guide Page 291

Figure 8-33
 Rule Type: Threshold Rule
 Monitored Object: Select resource objects
 Click Select resource objects.

Figure 8-34
 Add By: Resource
 Metric Name: Host/Host/CPU usage (This metric is used as an example. Trainees can
select a metric based on site requirements. It may take a while to discover a newly
deployed ECS.)
 Select indicator dimensions: test

Figure 8-35
 Alarm Condition: Custom
 Trigger conditions: 2 | 2 | Avg. | >= | 80 | Major (This condition is used as an example.
Trainees can configure trigger conditions based on site requirements.)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 292

Figure 8-36
Step 8 Check whether the status of the created rule is Started. If yes, the alarm rule is
successfully created.

Figure 8-37
Step 9 In the navigation pane, choose Overview > O&M. On the displayed page, view the
monitoring information of the connected resource.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 293

Figure 8-38

8.2.3.2 Log Collection

When a host system is abnormal, its logs will contain many errors. To identify an
exception in a timely manner, you can use AOM to count the number of errors in logs
and set alarm rules.

Step 1 In the navigation pane, choose Log > Log Dumps. Then, click Add Log Dump in the
upper right corner.

Figure 8-39
Step 2 Add a log dump:
 Dump File Format: Custom file
 Dump Mode: Periodic dump
 Log Type: System
 Cluster Name: Custom Cluster
 Host: 192.168.3.219 (private IP address of the test ECS)
 Log Group: syslog
 Target OBS Bucket: test-aom-hcip (created during preparation)
 HCIP-Cloud Service Solutions Architect Lab Guide Page 294

Figure 8-40
Step 3 View the creation time and last dump time on the log dump page.

Figure 8-41
Step 4 In the navigation pane, choose Log > Log Buckets. Then, click Add Log Bucket.

Note: This log bucket will be used when you create a statistical rule.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 295

Figure 8-42
Step 5 Add a log bucket:
 Log Bucket: syslog
 Log File: System | Custom Cluster | 192.168.3.219 | syslog
Note: 192.168.3.219 is the private IP address of the test ECS.

Figure 8-43
Step 6 In the navigation pane, choose Log > Statistical Rules. Then, click Create Statistical
Rule in the upper right corner.

Figure 8-44
Step 7 Create a statistical rule:
 Rule Type: Keyword
 Rule Name: count-error
 Keyword: error
 Log Bucket: syslog
 HCIP-Cloud Service Solutions Architect Lab Guide Page 296

Figure 8-45
Step 8 Locate the created statistical rule and click Adding a threshold rule in the Operation
column.

Figure 8-46
Step 9 Create a threshold rule:
 Alarm Name: count-error
 Statistic Method: Average
 Statistical Cycle: 1 minute
 Threshold Condition: >= | 3
 Consecutive Period (s): 1
 Alarm Severity: Minor
 Send Notification: Yes
 Topic: abc
 Trigger Condition: Threshold crossing
 HCIP-Cloud Service Solutions Architect Lab Guide Page 297

Figure 8-47

Figure 8-48
After the threshold rule is created, if the statistical result exceeds the threshold, an SMS
message or email notification will be sent immediately. O&M personnel can then locate
and rectify the fault at the earliest time.

8.2.3.3 CCE Cluster Monitoring

Step 1 Create a CCE cluster. For more information, see CCE-related sections.

Note: This CCE cluster will be monitored by AOM.

 HCIP-Cloud Service Solutions Architect Lab Guide Page 298

Figure 8-49
Create a cluster:
 Region: CN-Hong Kong
 Billing Mode: Pay-per-use
 Cluster Name: cluster-cce (user-defined)
 Version: v1.19
 Management Scale: 50 nodes
 Number of master nodes: 1
 Network Model: VPC network
 VPC: vpc-1 (Reuse the created VPC or customize one.)
 Subnet: vpc-1-subnet (Reuse the created subnet or customize one.)
Create a node:
 Billing Mode: Pay-per-use
 AZ: Random
 Node Type: VM node
 Specifications: 4cores | 8GB
 System Disk: Use the default setting.
 Data Disk: Use the default setting.
 OS: Default
 Node Name: Use the default name or customize one.
 Password: Customize one.
 Subnet: vpc-1-subnet (Reuse the created subnet.)
 EIP: Do not use
 Login Mode: Password
 HCIP-Cloud Service Solutions Architect Lab Guide Page 299

Step 2 In the service list, choose Application Operations Management. In the navigation
pane, choose Overview > O&M to view monitoring information. You can monitor
resources, applications, and application user experience on this page. You can also
monitor the running status of the CCE cluster.

Figure 8-50
Step 3 In the navigation pane, choose Monitoring > Host Monitoring. You can monitor
host resource usage and health status of the CCE cluster, as well as the usage of
common system devices such as disks and CPUs.

Figure 8-51
Step 4 In the navigation pane, choose Monitoring > Container Monitoring to view
information about plug-ins and containers in the CCE cluster.

Figure 8-52

8.3 Clearing Resources

Step 1 Delete the SMN topic.
 HCIP-Cloud Service Solutions Architect Lab Guide Page 300

In the service list, choose Simple Message Notification. In the navigation pane, choose
Topic Management > Topics. In the right pane, locate the topic created in this exercise
and choose More > Delete in the Operation column.

Step 2 Delete the alarm rule.

On the AOM console, choose Alarm Center > Alarm Rules in the navigation pane, locate
the alarm rule created in this exercise, and click Delete in the Operation column.

Step 3 Delete the statistical rule.

On the AOM console, choose Log > Statistical Rules in the navigation pane, locate the
statistical rule created in this exercise, and click Delete in the Operation column.

Step 4 Delete the log bucket.

On the AOM console, choose Log > Log Buckets in the navigation pane, locate the log
bucket created in this exercise, and click Delete in the Operation column.

Step 5 Delete the log dump.

On the AOM console, choose Log > Log Dumps in the navigation pane, locate the log
dump created in this exercise, and click Delete in the Operation column.

Step 6 Delete the ECS.

 In the service list, choose Elastic Cloud Server under Compute. In the ECS list, locate
the ECS created in this exercise and choose More > Delete in the Operation column.
 In the displayed dialog box, select the check boxes shown in the following figure and
click Yes.

Step 7 Delete the security group.

In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Access Control > Security Groups. In the security group list, locate the
security group created in this exercise and click Delete in the Operation column.

Step 8 Delete the subnet and VPC.

 In the service list, choose Virtual Private Cloud under Networking. On the network
console, choose Subnets. In the subnet list, locate the subnet created in this exercise
and click Delete in the Operation column.
 On the network console, choose My VPCs. In the VPC list, locate the VPC created in
this exercise, and click Delete in the Operation column.

8.4 Quiz
Question: How does AOM obtain a custom host IP address on the Agent management
page?
Answer: By default, AOM traverses all NICs on a VM and obtains the IP addresses of the
Ethernet, bond, and wireless NICs based on priorities in descending order. To ensure that
 HCIP-Cloud Service Solutions Architect Lab Guide Page 301

AOM obtains the IP address of a specific NIC, set the IC_NET_CARD=Desired NIC name
environment variable when starting the ICAgent.