Cloud Network Solution Design

Foreword
⚫ This lesson covers network cloud services on Huawei Cloud and describes
how to use these services to interconnect various resources, including
communications within a VPC in a single region, across VPCs in a single
region, between cloud and on-premises networks, across regions, and
between a cloud and the Internet.

2
Objectives
⚫ Upon completion of this course, you will:
 Know Huawei Cloud network services.
 Get familiar with the functions, architectures, and use cases of VPCs,
security groups, network ACLs, EIPs, NAT gateways, and enterprise routers.
 Know what network services should be used in different scenarios.

3
Contents
1. Huawei Cloud Network Service Overview

2. Cloud Network Solution Design

3. Five Principles of Network Architecture

4. High-Performance Network Solution Design Cases and Practices

4
Huawei Cloud Network Service Overview
[Diagram: the Internet reached through the cloud access network (IPv4/IPv6, DNS, ELB, EIP, NAT Gateway); the cloud network (VPC, VPCEP, Cloud Connect); and the hybrid cloud network (VPN, Direct Connect) linking on-premises data centers]
5
Huawei Cloud Network Service Overview
[Diagram: a region with three VPCs, each holding subnets, security groups, network ACLs and ECSs; EIP and ELB toward the Internet; SNAT, VPC Peering, VPC Endpoint and Cloud Connect between VPCs; VPN and Direct Connect to an on-premises data center]

6
Cloud Network Solution Design

Communications Within a VPC in a Single Region • VPC and Subnet
Communications Between Cloud and On-Premises Networks • Direct Connect and VPN
Communications Across VPCs in a Single Region • VPC Peering, Enterprise Router, and VPC Endpoint
Communications Across Regions • Cloud Connect
Communications Between a Cloud and the Internet • EIP, NAT Gateway, and DNS
8
VPC Network Planning and Design (1)

What is a VPC? Definition: a private virtual cloud.

How many VPCs are required?
• Single VPC: limited applications, small service volume, small team scale, low latency, high-performance computing, and simplified management
• Multiple VPCs: there are different services that need to be isolated from each other for a team or organization.

How do I select a region for a VPC? Region: select the region that is nearest to your users.

How do I select a VPC CIDR block? CIDR block:
• Reserve sufficient IP addresses for workload expansion.
• If you need to connect a VPC to an on-premises data center or connect two VPCs, take care to avoid IP address conflicts.
9
What Is VPC?
⚫ Virtual Private Cloud (VPC) enables you to provision logically isolated, configurable, and manageable
virtual networks for cloud servers, containers, and databases, improving cloud service compliance and
simplifying network deployment.

• A software-defined network.
• Allows you to configure IP address ranges, subnets, routes, and firewalls in a VPC.
• Provides an isolated and intra-connected network on Huawei Cloud.
• Can use an EIP to connect to the Internet.

10
Single VPC
⚫ Use a single VPC if your workloads need connectivity rather than isolation.
⚫ Suitable for:
 Limited applications, small service volume, and small teams
 Low-latency services, such as high-performance computing
 Simplified management, such as security and O&M management

For other scenarios, use:
 Multiple VPCs
 Multiple projects or enterprise projects
 Multiple accounts

11
Multiple VPCs
⚫ In most cases, you can use multiple VPCs for isolation.
⚫ Suitable for:
 Different services that need to be isolated from each other.
 Different VPCs that are used for different purposes, for example, production zone and test zone.
 A single team or organization
⚫ Not suitable for:
➢ Resource isolation within an account
➢ Permission division within an account

[Diagram: region cn-east-3 with VPC 1 running Service A and VPC 2 running Service B]

12
Multiple VPCs: Multiple IAM Projects or Enterprise
Projects
⚫ Suitable for:
 Managed Service Provider (MSP)
 Resource grouping and isolation required by medium- and large-sized teams or organizations
 More precise cost management based on projects
⚫ Not suitable for:
➢ Services and workloads that need to be isolated.
➢ Large organizations that have high requirements on management standards and complexity.

[Diagram: IAM project 1 and IAM project 2, and enterprise project 1 and enterprise project 2, each holding VPC 1 and VPC 2 in regions such as cn-east-1, cn-east-3, cn-north-2 and cn-north-4]
13
Multiple VPCs: Multiple Accounts
⚫ Suitable for:
 Large teams or organizations with multiple services and independent IT teams
 Independent services, permissions, and cost settlement

[Diagram: Account 1 and Account 2, each with VPC 1 in cn-east-3 and VPC 2 in cn-north-4]

14
What Do I Need to Pay Attention to When Creating
a VPC?
⚫ Each VPC can be used for a dedicated purpose, for example, development, testing, quasi-production, and production
environments. When creating a VPC, consider the region where the VPC is to be created, whether VPCs need to be
isolated from each other, resource allocation, and VPC quota.

Region selection
• Select the region nearest to your users. VPCs are region-specific. By default, VPCs cannot communicate with each other over a private network even if they are in the same region.

VPC isolation
• Create a dedicated VPC for a service that needs to be isolated.

Resource allocation
• Not all resources depend on VPCs.

VPC quota
• Request for a VPC quota increase in advance if necessary.

15
How Do I Select a VPC CIDR Block?
⚫ Select an IP address range for a VPC. A subnet is a range of IP addresses in
your VPC. All of the resources in a VPC must be deployed in subnets.
⚫ The IP address range for a VPC is defined using Classless Inter-Domain
Routing (CIDR) notation.
⚫ Recommended VPC CIDR blocks:
 10.0.0.0/8-24
 172.16.0.0/12-24
 192.168.0.0/16-24
 For example, 172.16.0.0/16 contains the IP addresses from 172.16.0.0 to 172.16.255.255.

16
How Do I Select a Size for a VPC CIDR Block?
⚫ Consider the following when selecting an appropriate VPC CIDR block:

Estimated servers
• Estimate the number of servers in a VPC and ensure that the VPC has enough IP addresses for them.

Subnet allocation in different AZs
• Allocate subnets in different AZs from a VPC CIDR block. Allocate an IP address range to each subnet based on the expected number of subnets and servers.

Future requirements
• Select an IP address range that leaves room for future service growth so that you can add more subnets and servers when needed without having to redesign your network.

IP address usage
• Select an IP address range based on the actual requirements and the number of servers. Do not select an excessively large IP address range, which will waste IP addresses, or a range so small that there are not enough IP addresses.

17
Subnet Planning and Design (1)
⚫ A subnet should have enough IP addresses to meet service requirements.
⚫ For example, the VPC CIDR 192.168.0.0/22 has 1,024 IP addresses and you can create four
subnets in the VPC.

Notes:
➢ Five IP addresses are reserved for each subnet. This has no adverse impact on a well-designed network.
➢ A subnet does not need to contain all IP addresses of its VPC.

Five reserved IP addresses:
➢ 192.168.0.0: network address. This address is the beginning of the private IP address range and will not be assigned to any device.
➢ 192.168.0.1: gateway address
➢ 192.168.0.253: system interface. This IP address is used by the VPC for external communications.
➢ 192.168.0.254: DHCP service address
➢ 192.168.0.255: broadcast address

[Diagram: Subnet 1 to Subnet 4, each with 251 usable IP addresses]
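The reservation rule above, worked in Python as an added example (not part of the Huawei slides): it carves the slide's 192.168.0.0/22 VPC into four subnets, names the five reserved addresses of each, and checks the usage principles (subnets inside the VPC, no overlap). It assumes the reserved positions generalise to other prefix lengths as first, first+1, last-2, last-1 and last.

```python
import ipaddress

# The slide reserves five addresses per subnet: network address, gateway (.1),
# system interface (.253), DHCP service address (.254) and broadcast address.
# Assumption: for prefixes other than /24 the same positions apply, i.e.
# first, first+1, last-2, last-1, last.
RESERVED_PER_SUBNET = 5


def reserved_addresses(subnet):
    """Return the five reserved addresses of a subnet, labelled as on the slide."""
    net = ipaddress.ip_network(subnet, strict=True)
    first = net.network_address
    last = net.broadcast_address
    return {
        "network": str(first),
        "gateway": str(first + 1),
        "system interface": str(last - 2),
        "dhcp": str(last - 1),
        "broadcast": str(last),
    }


def usable_addresses(subnet):
    """Number of addresses a subnet can actually hand out to ECSs."""
    return ipaddress.ip_network(subnet, strict=True).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, new_prefix):
    """Carve a VPC CIDR into equal subnets of the given prefix length.

    Returns a list of (subnet, usable_count) tuples in address order, so a
    planner can see at once whether each subnet holds enough servers.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    return [(str(s), usable_addresses(s)) for s in vpc.subnets(new_prefix=new_prefix)]


def validate_subnets(vpc_cidr, subnets):
    """Apply the usage principles: every subnet lies inside the VPC CIDR and
    no two subnets overlap. Returns a list of human-readable problems."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # The slide's example: 192.168.0.0/22 holds 1,024 addresses and four /24 subnets.
    for subnet, usable in plan_subnets("192.168.0.0/22", 24):
        print(subnet, "usable:", usable, reserved_addresses(subnet))
    # Constructed bad plan: one subnet outside the VPC, two that overlap.
    print(validate_subnets("192.168.0.0/22", ["192.168.0.0/24", "192.168.0.0/25", "10.0.0.0/24"]))
```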

18
Subnet Planning and Design (2)

Usage Principles
➢ Use a subnet that has enough IP addresses.
➢ IP addresses of the subnet must belong to its VPC, but do not need to cover all IP addresses of its VPC.
➢ The CIDR blocks of subnets in a VPC cannot overlap.
➢ IP addresses provided by a subnet can be used by resources from a different AZ.

Planning and Design Principles
One-to-one mapping between subnets and node types
➢ Deploy only one type of node in a given subnet.
➢ Deploy nodes with the same function in the same subnet.
➢ Subnets are logical concepts and are not restricted by traditional physical limitations.

[Diagram: a VPC in region cn-east-X spanning AZ a and AZ b, with a subnet for external access (ECSs), a front-end subnet (ECSs) and a data subnet (RDS), each subnet spanning both AZs]

19
Subnet Planning and Design (3)

➢ Each subnet needs a route table and can only have one route table associated.
➢ A route table can be associated with different subnets.
➢ A route table contains a set of routes that are used to determine where network traffic from your subnets is directed.
➢ You can create multiple custom route tables within a certain limit.

Route planning
➢ Each VPC has a default route table, which is associated with its subnets that have no route table.
➢ Each route table controls traffic across VPCs.
➢ Default routes in a route table cannot be modified or deleted.

20
Virtual Private Network
⚫ Virtual Private Network (VPN) provides end-to-end private communications channels. Internet Protocol Security
(IPsec) VPN establishes encrypted communications tunnels between remote users and VPCs over a public network, so
that the remote users can access resources in the VPCs.
Application Scenarios
➢ Site-to-cloud interconnection: connecting an on-premises data center
to a VPC over a private network
➢ Interconnection between VPCs in different regions

Key Technologies

➢ VPN gateway: an egress gateway created in a VPC. A VPN gateway can be bound to a VPC. One VPN gateway connects to one remote gateway.
➢ Remote gateway: a transit device for exchanging data between a
local network and a remote network over VPN connections. It
provides a range of functions such as communications data
transmission, data encryption, authentication, and traffic
management.
➢ VPN connection: a confidential and secure IPsec-encrypted
communications tunnel established over the Internet. It secures data
transmission between different networks.
22
VPN Constraints and Limitations
⚫ A local subnet is a subnet of the local network from which a VPN connection originates. A remote
subnet is a subnet on the remote network, which is the destination of a VPN connection. The local
subnet and remote subnet cannot overlap.
 A VPN gateway can be used to access multiple subnets of the associated VPC.
 The remote subnets for all VPN connections of the same VPN gateway cannot overlap.
 The remote subnets for the same VPN connection cannot overlap.
 The local subnets for all VPN connections of the same VPN gateway cannot overlap.

⚫ A VPN gateway can be associated with only one VPC.

23
VPN Application Scenario: Hybrid Cloud Deployment
for a Single Site
⚫ VPN connects an on-premises data center to a VPC. In this scenario, you can easily access ECSs and
block storage resources on the cloud from the on-premises data center. You can also migrate
applications to the cloud, deploy additional web servers, and expand the computing capacity on the
network, thereby creating a hybrid cloud architecture and reducing IT O&M costs.

[Diagram: an on-premises data center connected over IPsec VPN to a VPC subnet containing ECSs]

24
VPN Application Scenario: Hybrid Cloud Deployment
for Multiple Sites
⚫ VPN connects multiple on-premises data centers to a VPC. In this scenario, you can easily
access ECSs and block storage resources on the cloud from the on-premises data centers.

[Diagram: on-premises data centers in City 1 and City 2, each connected over its own IPsec VPN to the same VPC subnet containing ECSs]

25
VPN Application Scenario: Cross-Region VPC
Interconnection
⚫ VPN establishes communication tunnels between two VPCs in different
regions, so that these VPCs can communicate with each other.

[Diagram: a VPC in Region 1 and a VPC in Region 2, each with a subnet and ECSs, connected over IPsec VPN]

26
Direct Connect
⚫ Direct Connect enables you to set up a stable, reliable dedicated connection between your on-premises data center and Huawei Cloud. Direct Connect connections are fast, secure, and low-latency.

Application Scenario
An on-premises data center needs to access VPCs over a private network. Generally, a dedicated network connection set up over an optical fiber is used. Direct Connect is a good choice if you have strict requirements on network transmission quality and security compliance.

Key Technologies
➢ A connection is a leased physical connection of a carrier used to
connect your on-premises data center to a Direct Connect access
point. This type of connection enables you to create multiple
virtual interfaces to connect to your VPCs.
➢ A virtual gateway is a logical gateway for accessing a VPC
through a Direct Connect connection. Multiple VPCs can share
one virtual gateway. If you have multiple connections, you can
use one virtual gateway to access the same VPC.
➢ A virtual interface links a connection with one or more virtual
gateways, each of which is associated with a VPC, so that your
on-premises network can access all these VPCs.

27
Benefits of Direct Connect

Local compliance
• Direct Connect makes it possible for industries or enterprises to comply with specific standards and regulations.

Stable performance
• Direct Connect provides a dedicated connection, which is more stable than Internet-based connections. This makes Direct Connect suitable for large-scale data transmission, high-capacity network traffic, and real-time applications.

Lower traffic costs
• Less bandwidth is used than with EIPs, so enterprises keep traffic costs down.

28
Differences Between VPN and Direct Connect
⚫ VPN
 The service is easy to use and can be used out of the box.
 Encrypted tunnels are used to transmit data over the Internet.
⚫ Direct Connect
 Dedicated connections are used for communication, and the on-premises network is isolated from the cloud network, which meets user requirements for high network quality and data compliance.
 Excellent performance, and low latency and jitter

Item | VPN | Direct Connect
Accessing VPCs | Supported | Supported
Compliance | VPN is not as good as Direct Connect.
Access channel | Public network | Private network
Bandwidth capability | Depends on the public network | Depends on the Direct Connect connection
Latency | In common scenarios, the latency of VPN is higher than that of Direct Connect.
Time required for provisioning | VPN can be used out of the box. | Depends on the construction speed of the carrier.

29
Direct Connect Application Scenario: Connecting an
On-Premises Data Center to a VPC
⚫ Direct Connect enables an on-premises data center to access a VPC over a
high-performance, low-latency, compliant dedicated network connection.

[Diagram: an on-premises data center connected over Direct Connect to a VPC on Huawei Cloud]

Connecting on-premises servers to cloud servers in a VPC

30
Direct Connect Application Scenario: Connecting an On-
Premises Data Center to Multiple VPCs Across Regions
⚫ Direct Connect enables an on-premises data center to access more than one VPC across
regions, so the on-premises data center can leverage the compute resources in different
VPCs for hybrid computing.

Connecting on-premises servers to cloud servers in multiple VPCs


31
VPC Peering
⚫ A VPC peering connection is a network connection that connects two VPCs so they can
communicate using private IP addresses.

Characteristics
➢ After a VPC peering connection is created, you need to
add routes for the local and peer VPCs to enable
communications between them.
➢ VPC peering connections are free and easy to configure.
➢ VPCs connected by VPC peering connections
communicate with each other over a private network
instead of the Internet.

Add routes to subnet route tables to enable communications between the two VPCs.

33
VPC Peering Connection Constraints
⚫ A VPC peering connection enables two VPCs in the same region to communicate over a private
network. The two VPCs can be from different accounts.
 Private IP addresses are used for communications.
 A VPC peering connection request sent to a peer account needs to be accepted by the account.
 To enable communications between different subnets in two VPCs, you just need to add more routes. There is
no need to create more VPC peering connections.
 You can only have one VPC peering connection between the same two VPCs at any time.
 VPCs connected by a VPC peering connection can be from different accounts and projects but not from different
regions.
 The CIDR blocks connected by a VPC peering connection cannot overlap.
 Both ECSs in VPCs connected by a VPC peering connection can access resources, such as cloud servers,
databases, and load balancers, at the peer end.
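An added example (not from the slides) that encodes the overlap rules stated on the VPN Constraints slide and on this VPC peering slide, and produces the two routes a peering connection needs before traffic flows; connection names, regions and CIDR blocks are constructed sample values.

```python
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def overlapping_pairs(cidrs):
    """Return every pair of CIDR blocks in the list that overlap."""
    nets = _nets(cidrs)
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def check_vpn_gateway(connections):
    """Check the VPN constraints from the slide for one VPN gateway.

    connections: list of {"name", "local": [cidr, ...], "remote": [cidr, ...]}.
    Rules: local and remote subnets cannot overlap; the remote subnets of all
    connections on the gateway cannot overlap (this also covers the remote
    subnets within a single connection); the local subnets of all connections
    on the gateway cannot overlap.
    """
    problems = []
    all_local = [s for c in connections for s in c["local"]]
    all_remote = [s for c in connections for s in c["remote"]]
    for a, b in overlapping_pairs(all_local):
        problems.append(f"local subnets overlap: {a} and {b}")
    for a, b in overlapping_pairs(all_remote):
        problems.append(f"remote subnets overlap: {a} and {b}")
    for loc in _nets(all_local):
        for rem in _nets(all_remote):
            if loc.overlaps(rem):
                problems.append(f"local subnet {loc} overlaps remote subnet {rem}")
    return problems


def check_vpc_peering(local_vpc_cidr, peer_vpc_cidr, local_region, peer_region):
    """Check the VPC peering constraints: same region, non-overlapping CIDR blocks."""
    problems = []
    if local_region != peer_region:
        problems.append("VPC peering cannot span regions")
    if overlapping_pairs([local_vpc_cidr, peer_vpc_cidr]):
        problems.append(f"VPC CIDR blocks overlap: {local_vpc_cidr} and {peer_vpc_cidr}")
    return problems


def peering_routes(local_vpc_cidr, peer_vpc_cidr, peering_name):
    """Routes to add on each side once the peering connection is accepted.

    Each VPC's route table needs a route whose destination is the other VPC's
    CIDR block and whose next hop is the peering connection.
    """
    return {
        "local": {"destination": peer_vpc_cidr, "next_hop": peering_name},
        "peer": {"destination": local_vpc_cidr, "next_hop": peering_name},
    }


# Constructed sample: two VPN connections on one gateway. The second site's
# remote subnet (/23) swallows the first site's (/24), which the rules forbid.
SAMPLE_VPN = [
    {"name": "dc-city1", "local": ["10.0.1.0/24"], "remote": ["192.168.10.0/24"]},
    {"name": "dc-city2", "local": ["10.0.2.0/24"], "remote": ["192.168.10.0/23"]},
]

if __name__ == "__main__":
    print(check_vpn_gateway(SAMPLE_VPN))
    print(check_vpc_peering("10.0.0.0/16", "10.1.0.0/16", "cn-east-3", "cn-east-3"))
    print(peering_routes("10.0.0.0/16", "10.1.0.0/16", "peer-a-b"))
```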

34
Enterprise Router
⚫ An enterprise router is a cloud router that connects your VPCs and on-premises networks. It uses BGP to learn routes and dynamically select or switch between connections. This improves network scalability, O&M efficiency, and service continuity.

Application Scenario
Enterprise Router can connect on-premises networks to cloud networks and connect networks across clouds.
➢ Multiple VPCs can communicate with an on-premises data center over one Direct Connect connection no matter whether these VPCs are connected.
➢ Multiple links share loads or work in active/standby pairs for enhanced reliability.
➢ Multiple accounts share one enterprise router for internetworking.

Key Technologies and Specifications


➢ High performance: Cluster deployment and exclusive resources ensure high
performance and meet the requirements of large-scale networks.
➢ High availability: Multiple links share loads or work in active/standby pairs
for enhanced reliability. If one link fails, the other one can take over
automatically to ensure service continuity.
➢ Easier connectivity: You can attach all your resources (such as VPCs, VPN
gateways, Direct Connect virtual gateways) to an enterprise router, which
simplifies network topology and network management and improves
network O&M efficiency.
➢ High reliability: BGP enables flexible switchover between active and
standby connections. Load is balanced among Direct Connect connections,
and VPN connections can back up Direct Connect connections.

35
Network Topology Comparison
⚫ The network topology built using enterprise routers is simpler, more scalable, and easier to maintain.

Communication between VPCs in the same region
• Networking without enterprise routers: If there are four VPCs, six VPC peering connections are required. In the route table of each VPC, you need to configure three routes to point to the other VPCs. A total of 12 routes need to be configured.
• Networking with enterprise routers: Connect the four VPCs to an enterprise router for forwarding traffic among the VPCs. The enterprise router can automatically learn VPC CIDR blocks and add them to its own route table. You only need to configure routes to the enterprise router in the route table of each VPC.
• Benefits of Enterprise Router: Eliminate the need to configure a large number of VPC peering connections. Reduce the workload for configuring and maintaining routes.

Communication between VPCs across regions
• Networking without enterprise routers: All the VPCs that need to communicate with each other are connected over a cloud connection.
• Networking with enterprise routers: You only need to connect the enterprise routers in each region over a cloud connection.
• Benefits of Enterprise Router: There is no need to connect all network instances like using Cloud Connect, simplifying the network topology. Route learning eliminates the need for manual route configuration and lets you set up a network faster.

Interworking between on-premises data centers and multiple VPCs
• Networking without enterprise routers: A Direct Connect or VPN connection is required between an on-premises data center and a VPC.
• Networking with enterprise routers: Integrate Direct Connect or VPN with Enterprise Router so multiple VPCs can share a Direct Connect or VPN connection.
• Benefits of Enterprise Router: Route learning eliminates complex configurations and simplifies maintenance. Multiple links share loads or work in active/standby pairs for enhanced reliability.

36
VPC Endpoint
⚫ VPC Endpoint (VPCEP) is a cloud service that extends VPC capabilities. It provides secure and private channels to connect VPCs to endpoint services, providing powerful, flexible, compliant, and stable networking without having to use EIPs.
⚫ VPCEP provides two types of resources: VPC endpoint services that are created by service providers, and VPC endpoints that are created by service users.

Application scenarios
You do not want to connect to the Internet or expose all network resources, but you need at least one access point to the Internet.
➢ Cross-VPC connection
➢ Accessing certain Huawei Cloud services over the intranet
➢ An on-premises data center in a hybrid cloud accessing certain Huawei Cloud services over the intranet

Advantages
➢ Excellent performance: Each gateway node can handle millions
of concurrent connections.
➢ Ready to use: VPC endpoints can be used within just a few
seconds of when they were created.
➢ High compliance: No EIP is required. You can privately connect
to a VPC endpoint service through a VPC endpoint.

37
Differences Between VPC Peering Connections and
VPC Endpoints
⚫ Similar to Enterprise Router, VPC peering connections enable network-wide communications. VPCEP exposes ports.

Dimension | VPC Peering Connection | VPC Endpoint
Security | All resources in a VPC, such as ECSs and load balancers, can be accessed. | Allows access to a specific service or application. Only the ECSs and load balancers in the VPC for which VPC endpoint services are created can be accessed.
CIDR block overlapping | Not supported | Supported
Communications mode | VPCs connected through a peering connection can communicate with each other. | Requests can only be initiated from a VPC endpoint to a VPC endpoint service, but not the other way around.
Route configuration | If a peering connection is established between two VPCs, add routes to the VPCs so that they can communicate with each other. | Using a VPC endpoint is like accessing an internal IP address of a local VPC. You do not need to configure routes for applications.
Access using VPN/Direct Connect | Supported | Supported
Scenario | Network-wide communications are available. | Only the access ports are exposed. The intranet is not exposed.

38
Cloud Connect
⚫ Cloud Connect enables you to quickly build stable, high-speed, high-quality networks between VPCs in different
regions.
⚫ With Cloud Connect you can use a cloud connection to enable communications between network instances in the
same or different regions over a private network. The network instances can be those in your account or those that
other accounts allow you to use.
Application Scenario
➢ Cross-region multi-VPC communication: VPCs in different regions communicate with
each other over a compliant private network, which improves network topology
flexibility.
➢ Interworking between data centers and VPCs: Multiple on-premises data centers
communicate with VPCs in different regions. Direct Connect enables on-premises data
centers to access the VPCs, and Cloud Connect connects all the VPCs.

Key Technologies
➢ Full connectivity: Any two network nodes can be connected, and network packets can be
transmitted between them without passing through any other nodes.
➢ Ease of use: In just a few simple steps, you can establish cross-region network connectivity
that provides secure access to your cloud resources.
➢ Excellent performance: Cloud Connect leverages Huawei's global network infrastructure to
securely transmit data through the shortest network path for ultra-low latency. You can
flexibly adjust bandwidth to meet different service requirements.
➢ Global compliance: Cloud Connect complies with local laws and regulations worldwide,
allowing you to focus better on your company and create business success.
➢ Multi-account support: Network instances in other accounts can be added to a cloud
connection in your account once the other accounts authorize the network instances to you.

40
Cloud Connect Constraints
⚫ By default, a cloud connection can connect a maximum of six network instances in each region.
⚫ By default, a cloud connection can connect network instances in a maximum of six regions.
⚫ A VPC can only be loaded to one cloud connection.
⚫ One or more subnets in a VPC to be connected over a cloud connection must be specified. A maximum of 50 CIDR
blocks can be specified for each network instance.

41
Elastic IP
⚫ EIPs are public IPv4 addresses.

➢ An EIP can be bound to or unbound from an ECS.
➢ An EIP needs to use public network bandwidth for Internet access.

Billing options:
➢ Pay-per-use
➢ By bandwidth
➢ By traffic
➢ Yearly/Monthly
➢ Shared data package and bandwidth add-on package

43
EIP Functions

EIP binding
• You can assign an EIP and bind it to an ECS to allow the ECS to communicate with the Internet.
• Binding or unbinding an EIP takes effect immediately.

Custom and automatic EIP assignment
• You can assign a specific EIP if the EIP is not allocated to another resource.
• The system can assign an EIP randomly.

Bandwidth limit
• You can set the bandwidth size for an EIP.

Required duration
• You can specify a required duration when assigning an EIP. The required duration can be from days to an unlimited period.

Individual EIP purchase
• You can purchase EIPs separately. They are not locked to other cloud resources.

44
EIP Application Scenarios
⚫ Any connection to the Internet requires EIPs.
Scenario 1: Binding an EIP to an ECS
You can allow cloud servers to communicate with the Internet.

Scenario 2: Binding an EIP to a load balancer
The load balancer can distribute requests from the Internet to backend servers.

Scenario 3: Binding an EIP to a NAT gateway
Multiple cloud servers (such as ECSs, BMSs, and desktops) can share an EIP to access the Internet or provide services accessible from the Internet.

[Diagrams: an EIP bound to an ECS in a VPC; an EIP bound to an ELB in front of ECSs in a VPC; an EIP bound to a NAT gateway in front of ECSs, BMSs and cloud servers in a VPC subnet]
45
NAT Gateway
⚫ NAT Gateway provides the network address translation (NAT) service for servers in a VPC so
that multiple servers can share an EIP to access the Internet or provide services accessible
from the Internet.
 To provide services accessible from the Internet, you can bind an EIP to your server. To access the Internet, you
are not advised to bind an EIP to your server.
 To access the Internet and ensure that your servers cannot be directly accessed, use NAT Gateway.

Using a NAT gateway

[Diagram: intranet 192.168.1.0/24 reaching the Internet through a NAT gateway]

46
Public NAT Gateway: SNAT
⚫ If your servers need to access the Internet, you can use a
public NAT gateway and add a Source Network Address
Translation (SNAT) rule. In the route table associated
with the subnet where your servers are deployed, add a
rule to route outbound traffic to the gateway.
⚫ Public NAT gateways have the following advantages:
 Security: Private IP addresses of your servers are not
exposed when they access the Internet.
 Ease-of-use: NAT Gateway is hosted and maintained
by Huawei Cloud, so high availability and throughput
are ensured.

47
Public NAT Gateway: DNAT
⚫ Destination Network Address Translation
(DNAT) enables servers within an AZ or
across AZs in a VPC to use the same EIP to
provide services accessible from the Internet.
⚫ NAT Gateway supports IP address mapping and
port mapping. An SNAT rule can use the same EIP
with a DNAT rule except for the DNAT rule with
Port Type set to All ports.
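The SNAT and DNAT behaviour described on the last two slides, as an added Python example (not Huawei's code): it applies SNAT to outbound traffic, DNAT (IP and port mapping, or all ports) to inbound traffic, and flags the one combination the slide rules out, an SNAT rule and an all-ports DNAT rule sharing an EIP. The rule tables are constructed sample data, and the extra check for two DNAT rules claiming the same EIP/protocol/port is an assumption about what the gateway could not disambiguate.

```python
import ipaddress

# Constructed sample rules for one public NAT gateway (not from the slides).
# An SNAT rule gives a whole subnet one EIP for outbound access; a DNAT rule
# maps EIP:port (or every port) to one private server.
SNAT_RULES = [
    {"subnet": "192.168.1.0/24", "eip": "203.0.113.10"},
]
DNAT_RULES = [
    # IP and port mapping: public 443 lands on a web server's 8443.
    {"eip": "203.0.113.10", "protocol": "tcp", "external_port": 443,
     "private_ip": "192.168.1.20", "private_port": 8443},
    # Port Type "All ports": every port of a second EIP goes to one server.
    {"eip": "203.0.113.11", "protocol": "all", "external_port": "all",
     "private_ip": "192.168.1.30", "private_port": "all"},
]


def nat_rule_conflicts(snat_rules, dnat_rules):
    """Flag the combination the slide rules out (an SNAT rule and an all-ports
    DNAT rule on the same EIP) and, as an assumption, duplicate DNAT mappings."""
    problems = []
    snat_eips = {r["eip"] for r in snat_rules}
    for d in dnat_rules:
        if d["external_port"] == "all" and d["eip"] in snat_eips:
            problems.append(f"EIP {d['eip']} used by SNAT and an all-ports DNAT rule")
    seen = set()
    for d in dnat_rules:
        key = (d["eip"], d["protocol"], d["external_port"])
        if key in seen:
            problems.append(f"duplicate DNAT mapping for {key}")
        seen.add(key)
    return problems


def translate_inbound(dnat_rules, eip, protocol, port):
    """Apply DNAT to a packet arriving at EIP:port.

    Returns (private_ip, private_port) or None when nothing is published on
    that port, which is the point of DNAT: unmapped ports are never reachable.
    A port-specific rule is checked before an all-ports rule on the same EIP.
    """
    for d in dnat_rules:
        if d["eip"] == eip and d["protocol"] == protocol and d["external_port"] == port:
            return d["private_ip"], d["private_port"]
    for d in dnat_rules:
        if d["eip"] == eip and d["external_port"] == "all":
            return d["private_ip"], port
    return None


def translate_outbound(snat_rules, private_ip):
    """Apply SNAT: the EIP a server's outbound traffic is sourced from, or None
    when its subnet has no SNAT rule (and therefore no Internet access)."""
    addr = ipaddress.ip_address(private_ip)
    for s in snat_rules:
        if addr in ipaddress.ip_network(s["subnet"], strict=True):
            return s["eip"]
    return None


if __name__ == "__main__":
    print(nat_rule_conflicts(SNAT_RULES, DNAT_RULES))
    print(translate_inbound(DNAT_RULES, "203.0.113.10", "tcp", 443))
    print(translate_inbound(DNAT_RULES, "203.0.113.10", "tcp", 22))
    print(translate_outbound(SNAT_RULES, "192.168.1.77"))
```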

48
NAT Gateway Application Scenarios
To ensure architecture security, do not directly bind an EIP to a VM. Use NAT Gateway to improve network security.

DNAT enables you to make full use of EIP ports. Otherwise, in most cases, DNAT can be replaced by ELB.

49
Using an EIP to Allow an ECS to Be Accessed from
the Internet

[Diagram: an EIP between the Internet and a VPC containing an ELB and ECSs]

To allow an ECS in a VPC to be accessed from the Internet, bind an EIP to the ECS.

50
Using an EIP and a NAT Gateway to Enable Multiple
ECSs to Access the Internet
Using an EIP and a NAT gateway together

To enable multiple cloud servers in a VPC to access the Internet, use an EIP and a NAT gateway together.
After you create a NAT gateway, add an SNAT rule and select the target EIP and subnet to enable cloud
servers in the subnet to access the Internet over the EIP.
51
Elastic Network Interfaces
⚫ A network interface is attached to an ECS for network communications.
⚫ Network interfaces can be transferred across ECSs in the same VPC and do not need to be in the same subnet as
the ECSs.
⚫ The primary network interface of an ECS cannot be detached from its instance.
⚫ A network interface is associated with the following:
 Private IP address
 EIP
 Security group
 MAC address
⚫ Extended network interfaces:
➢ Security isolation
➢ Failover
➢ Authorization (license) transfer

52
Virtual IP Addresses
⚫ A virtual IP address:
 Can be bound to or unbound from ECSs.
 Is assigned from a subnet and can only be bound to resources in the same subnet.

⚫ Typical application scenarios: Active/standby ECS switchovers and virtual IP address changes
 A virtual IP address is bound to the primary network interface of an ECS.
 If an active ECS is faulty and the communication between the active and standby ECSs is abnormal, the virtual IP address is unbound from the active ECS and bound to the standby ECS. In this case, the standby ECS takes over services from the active one and the active/standby ECS switchover and virtual IP address change are complete.

[Diagram: virtual IP address 10.10.1.10 shared by ECS (active) 10.10.1.11 and ECS (standby) 10.10.1.12]

53
Domain Name Service
⚫ Domain Name Service (DNS) is a highly available, scalable authoritative Domain Name System web service that translates domain names into the IP addresses required for network connection, reliably directing end users to your applications.

[Figure: the end user enters a domain name and the client sends a request to the public DNS server]

High performance
A single DNS node can handle millions of concurrent queries, allowing end users to access your website or application more quickly.

Robust security
DNS offers built-in DDoS mitigation and works with Anti-DDoS to ensure that requests from legitimate end users are not affected.

Private DNS resolution
DNS provides secure private domain name resolution. You can have your own authoritative DNS servers in VPCs and avoid exposing your DNS records to the Internet. Private domain names improve resolution efficiency, reduce latency, and, because queries and answers stay inside the VPC, reduce the exposure to DNS spoofing.

Reverse resolution
Reverse resolution lets you use pointer (PTR) records to map IP addresses back to domain names. Receiving mail servers check PTR records, so a correct PTR record for your mail server's EIP helps keep the mail you send from being treated as spam.
54
DNS Application Scenarios
⚫ DNS provides private domain name resolution within VPCs to reduce service coupling. It can be used in scenarios such as cloud server hostname management, cloud server switchover, access to cloud resources, DR, and nearby access.
 Cloud server hostname management: separate names for enterprise development, testing, and production
 Cloud server switchover: web application deployment, where the record is repointed instead of clients being reconfigured
 Access to cloud resources: cloud servers accessing cloud services, such as SMN and OBS
 DR: domain names are used for active/standby switchover.
 Nearby access: private zone resolution takes precedence over public resolution for the same name, so ECSs reach the nearby private address.
55
Public DNS Resolution
⚫ Public DNS resolution translates a domain name (for example, www.example.com) and its subdomains into IP addresses like 1.2.3.4 for routing traffic over the Internet.

How DNS routes Internet traffic to a website:
Phase 1 (resolution)
1. The end user enters a domain name.
2. The client queries the domain name from the public DNS server.
3. The DNS server returns the IP address of the website server to the client.
Phase 2 (access)
4. The client accesses the website server (an ECS) at the returned IP address.
5. The web server returns the web page.
6. The web page is returned to the end user.

➢ Phase 1 shows how DNS resolves your domain name.
➢ In phase 2, the client accesses the web server using the returned IP address, and the web server returns the requested content. If real-name authentication has not been completed for the domain name and the website is not licensed, the website cannot be accessed.
56
Private DNS Resolution
⚫ Private DNS resolution maps a domain name (such as ecs.com) and its subdomains used within one or more VPCs to private IP addresses (such as 192.168.1.1), so your ECSs can communicate with each other within the VPCs without having to connect to the Internet.
⚫ Private domain names are used for access instead of IP addresses, which makes it easier for you to change the IP addresses or replace a single server with a cluster.

How DNS routes traffic within a VPC:
1. ECS 1 requests a private domain name.
2. The private DNS server returns a private IP address.
3. ECS 1 accesses ECS 2 using the private IP address.
4. ECS 2 returns the requested resources.

➢ When an ECS in the VPC requests a private domain name, the private DNS server returns the private IP address mapped to the domain name.
➢ If private domain names are configured, cloud servers in the VPCs can be accessed using domain names instead of IP addresses. If IP addresses change, you only need to modify the DNS record sets.
57
Contents
1. Huawei Cloud Network Service Overview

2. Cloud Network Solution Design

3. Five Principles of Network Architecture

4. High-Performance Network Solution Design Cases and Practices

58
Five Principles of Network Architecture
Architecture: Security, Reliability, Performance, Cost-effectiveness, Maintainability
59
Huawei Network Architecture
[Figure: a region with several VPCs and subnets; each subnet has a security group around its ECSs and a network ACL at the subnet boundary; VPCs are linked by VPC peering, Cloud Connect and a VPC endpoint; Internet traffic enters and leaves through EIP, ELB and SNAT; the on-premises data center connects over VPN and Direct Connect]
60
Security
Data security
➢ Data at rest: data is encrypted with keys, and the keys are handled by key management rather than by the application.
➢ Data in transit: a VPC does not encrypt traffic on your behalf. Each link takes care of its own transport encryption with the appropriate technology or protocol, such as TLS/HTTPS for application traffic and IPsec tunnels or VPN for site-to-site links.

Network and application security
➢ VPC connectivity is address-based, not identity-based. VPCs are used for internal communications and isolation.
➢ Access permissions are minimized, resources are isolated by default, and minimal network openness is kept.
➢ OS firewalls are enabled on ECSs. Network ACLs control cross-subnet traffic. EIPs control where Internet traffic enters and leaves. Route tables control cross-VPC access.
➢ Security groups, which follow the instance rather than the subnet and can reference another security group as the source, serve as a partial substitute for identity-based control at the network layer.

Event response
➢ Security event identification: system architecture, applications, tools, and the security team together identify risks on the existing network, automatically where possible.
➢ Security event response: events are handled according to contingency plans or automated responses, and the plans are revised based on what actually happened.
➢ Security event drills: once a contingency plan is designed, its effectiveness is proven through drills.

Auditing and logging
➢ LTS centrally collects VPC flow logs.
➢ CTS logs VPC configuration changes.
61
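What the "auditing and logging" point looks like in practice, as an added example that is not part of the course material: a triage pass over VPC flow log records of the kind LTS collects. The sample records are constructed, and the field layout assumed (version, project ID, interface ID, source and destination address and port, protocol, packets, bytes, start, end, action, log status) should be checked against the current VPC flow log documentation. The pass separates rejected attempts on management ports, which show what the security groups and network ACLs are already stopping, from accepted Internet-sourced connections to those ports, which are the records that need a human.

```python
"""Triage of VPC flow log records.

Added example, not from the course material. SAMPLE is constructed; the
field layout in FIELDS is an assumption to verify against the product
documentation for your region.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

MGMT_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql"}
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
FIELDS = ("version project_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records, one per line, space separated.
SAMPLE = """\
1 5f679449 eni-aa 192.168.1.20 192.168.1.10 40122 22 6 8 600 1700000000 1700000060 ACCEPT OK
1 5f679449 eni-aa 203.0.113.7 192.168.1.10 51000 22 6 3 180 1700000000 1700000060 REJECT OK
1 5f679449 eni-aa 203.0.113.7 192.168.1.10 51001 3389 6 3 180 1700000000 1700000060 REJECT OK
1 5f679449 eni-bb 198.51.100.9 192.168.2.15 44000 22 6 12 900 1700000060 1700000120 ACCEPT OK
1 5f679449 eni-bb 192.168.2.16 192.168.2.15 50000 443 6 40 30000 1700000060 1700000120 ACCEPT OK
1 5f679449 eni-bb - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse(lines):
    """Yield one dict per record; rows without a flow tuple (NODATA, SKIPDATA) are dropped."""
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or truncated row
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # no addresses or ports to look at
        for k in ("srcport", "dstport", "packets"):
            rec[k] = int(rec[k])
        yield rec


def is_internal(addr):
    """True if the address is RFC 1918, i.e. came from inside the VPCs."""
    a = ip_address(addr)
    return any(a in n for n in PRIVATE)


def triage(text):
    """Return (rejected: Counter[(src, service)], external_accepted: list).

    rejected counts REJECT records per source and management service.
    external_accepted lists ACCEPT records to a management port whose source
    is not a private address, i.e. a management port reached from the Internet.
    """
    rejected = Counter()
    external_accepted = []
    for r in parse(text.splitlines()):
        if r["dstport"] not in MGMT_PORTS:
            continue
        service = MGMT_PORTS[r["dstport"]]
        if r["action"] == "REJECT":
            rejected[(r["srcaddr"], service)] += 1
        elif not is_internal(r["srcaddr"]):
            external_accepted.append((r["srcaddr"], r["dstaddr"], service))
    return rejected, external_accepted


if __name__ == "__main__":
    rej, ext = triage(SAMPLE)
    for (src, svc), n in rej.most_common():
        print(f"blocked  {src:>15} -> {svc}: {n}")
    for src, dst, svc in ext:
        print(f"REVIEW   {src:>15} -> {dst} {svc} accepted from the Internet")
```

In the sample, the SSH and RDP probes from 203.0.113.7 are confirmation that the ingress rules work, while the accepted SSH session from 198.51.100.9 to 192.168.2.15 is the one line that should lead straight back to the security group audit.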
Reliability
⚫ The main VPC components are distributed software and do not introduce single points of failure.
⚫ Some components correspond to real devices, which either provide built-in high availability or require a high availability design.
 High availability is built into VPN gateways.
 A NAT gateway can be deployed across multiple AZs for high availability. Multiple NAT gateways can also be used for high availability.
⚫ BGP can be used for transparent switchover of links when a fault occurs.
⚫ You can combine VPN and Direct Connect for high availability, provided that this complies with the applicable standards. If an Internet-based VPN backup is not compliant, two Direct Connect connections are required.
⚫ Availability and cost have to be balanced, and the priority between them decided, for each workload.
62
Performance
⚫ Monitoring is key to understanding network performance.
⚫ Understanding application performance is critical to selecting the right components for the network architecture.
⚫ Latency and bandwidth are the two factors to watch in cloud network performance.
⚫ A VPC is a software-defined network; the VPC itself is not the bottleneck.
⚫ VPN gateways, NAT gateways, and VPC endpoints do have performance limits. Check the specifications of each before sizing the design.
63
Cost-effectiveness
⚫ Understand the cost composition of a VPC to reduce unnecessary network costs.
 The main VPC components are free of charge.
 Some VPC components are charged, including VPN gateways, NAT gateways, and VPC endpoints.
⚫ NAT gateways are billed on a daily basis, so stopping and restarting one within a day saves nothing.
⚫ Bandwidth expenditure needs to be carefully evaluated and optimized.
 Understand the service traffic model and use CDN and application-level data exchange optimization to reduce traffic costs.
 Make good use of traffic packages, bandwidth packages, and enhanced 95th percentile billing for services with fluctuating traffic.
⚫ Tips for using Direct Connect:
 Plan Direct Connect bandwidth carefully. If 1 Gbit/s of bandwidth is not required at the start, you can select shared bandwidth.
 Make the most of the Direct Connect bandwidth you pay for.
64
Maintainability
⚫ Network address planning needs careful thought.
 IP address conflicts create connectivity challenges.
 The product line, production environment, and test environment should be identifiable from the IP address alone.
 If there are not enough IP addresses, add a secondary CIDR block to a VPC, or use multiple subnets to manage nodes that provide the same service.
⚫ Connectivity and openness depend on application requirements.
 Connectivity increases costs and makes maintenance more complicated. Confirm the necessity in advance.
 Open ports based on service requirements and keep the principle of minimum network openness in mind.
⚫ Consider the following during maintenance:
 Because the network is fully software-defined, both convenient operations on the console and automated O&M through scripts are supported.
 A bastion host login script can open port 22 in the security group for the duration of the session and close it again once access is no longer needed.
 Using automatic deployment tools reduces errors.
 Use scripts to scan configurations, and CTS logs and other methods to check whether configurations have changed.
 VPC flow logs help you track who accessed what.
65
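The "minimal network openness" point on the Security slide and the configuration scan and time-boxed port 22 points above, as one added example that is not part of the course material. Rule dicts use the field names of the VPC security group rule API (direction, ethertype, protocol, port_range_min, port_range_max, remote_ip_prefix, remote_group_id); the rule set itself is constructed, and the add and remove here edit a list rather than calling the API, which is what a real bastion login script would do in their place.

```python
"""Security group audit plus a time-boxed rule for bastion access.

Added example, not from the course material. RULES is a constructed rule set
using the field names of the VPC security group rule API (assumption).
open_temporarily/expire only mutate the list; in production the same two
steps are API calls.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANY = ("0.0.0.0/0", "::/0")          # "from anywhere" remote prefixes

# Constructed rule set for one security group. None means "all" for
# protocol and port range, as in the API.
RULES = [
    {"id": "r1", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r2", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r3", "direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": "sg-web"},
    {"id": "r4", "direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
]


def covers(rule, port):
    """True if the rule's port range includes port (None = all ports)."""
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    return lo is None or lo <= port <= hi


def audit(rules):
    """Return (rule id, reason) for ingress rules open to the whole Internet
    on an admin port or on every port. Rules whose source is another
    security group (r3) are not flagged: that is the identity-like control."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or r["remote_ip_prefix"] not in ANY:
            continue
        if r["protocol"] not in (None, "tcp"):
            continue
        if r["port_range_min"] is None:
            findings.append((r["id"], "all ports open to the Internet"))
            continue
        for port, name in ADMIN_PORTS.items():
            if covers(r, port):
                findings.append((r["id"], f"{name} ({port}) open to the Internet"))
    return findings


def open_temporarily(rules, src_cidr, port, now, ttl_s):
    """Bastion-login pattern: allow one source prefix on one port, with a deadline."""
    ip_network(src_cidr)              # reject a malformed prefix before it is applied
    rule = {"id": f"tmp-{port}-{int(now)}", "direction": "ingress",
            "ethertype": "IPv4", "protocol": "tcp",
            "port_range_min": port, "port_range_max": port,
            "remote_ip_prefix": src_cidr, "remote_group_id": None,
            "expires": now + ttl_s}   # local bookkeeping, not an API field
    rules.append(rule)
    return rule["id"]


def expire(rules, now):
    """Remove temporary rules whose deadline has passed; return the removed ids."""
    gone = [r["id"] for r in rules if r.get("expires", float("inf")) <= now]
    rules[:] = [r for r in rules if r["id"] not in gone]
    return gone


if __name__ == "__main__":
    for rid, why in audit(RULES):
        print(f"{rid}: {why}")
    live = [dict(r) for r in RULES]
    rid = open_temporarily(live, "198.51.100.4/32", 22, now=1000, ttl_s=900)
    print("opened", rid, "-> expired:", expire(live, 1900))
```

The constructed set deliberately contains the common mistake, r2, a permanent SSH rule from 0.0.0.0/0; the temporary rule shows the replacement: a single /32 on port 22 that the login script removes when the session ends, so that a forgotten window closes on its own.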
Contents
1. Huawei Cloud Network Service Overview

2. Cloud Network Solution Design

3. Five Principles of Network Architecture

4. High-Performance Network Solution Design Cases and Practices

66
Discussion: How Can Multiple VPCs Communicate with Each Other?
⚫ In a complex network environment, each VPC corresponds to an independent service application system, so that different services are isolated from each other.
⚫ Question: As an architect, how would you design the following service systems with VPCs?
 A: Which method can be used for communications across VPCs in a single region?
 B: The public VPC is regarded as the O&M security safeguard. Which of the following VPCs do you think need to be connected to the public VPC? How would you design this from the perspective of security and isolation?
 C: Is it necessary to connect all VPCs, not just the public VPC? Which of the following VPCs do you think need to be connected?

IoV VPC: commercial vehicles subnet, carrier access subnet, customer retail access subnet, ...
Public VPC: bastion host subnet, DNS/NTP subnet
VPC for financial services: credit system subnet
Test VPC: management zone subnet, mobile app subnet
R&D VPC: R&D subnet, R&D DB management subnet
Production VPC: database subnet, OTA services subnet, secondhand car business subnet
67
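Whatever the answers to A, B and C, the address plan has to be checked first, because the Maintainability slide's "IP address conflicts create connectivity challenges" is concrete here: two VPCs with overlapping CIDR blocks cannot exchange routes cleanly over a peering connection or an enterprise router, and a hub VPC such as the public VPC cannot hold unambiguous routes to two spokes that overlap each other. The following is an added example, not part of the course material; the VPC names come from the discussion slide, the CIDR blocks and the connection list are constructed, and the convention of putting production and test in different /12s is an assumption about the plan, not a platform rule.

```python
"""Address-plan check for VPCs that are to be interconnected.

Added example, not from the course material. PLAN and CONNECTIONS are
constructed to match the discussion slide; the test VPC's second block is a
deliberate planning mistake.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# One or more CIDR blocks per VPC (a second entry is a secondary CIDR block).
PLAN = {
    "public":     ["10.0.0.0/16"],
    "iov":        ["10.1.0.0/16"],
    "finance":    ["10.2.0.0/16"],
    "production": ["10.3.0.0/16", "10.4.0.0/16"],
    "r&d":        ["10.16.0.0/16"],
    "test":       ["10.17.0.0/16", "10.3.128.0/17"],   # mistake: inside production
}

# Requested connectivity: public is the O&M hub; finance stays isolated.
CONNECTIONS = [("public", "iov"), ("public", "production"), ("public", "r&d"),
               ("public", "test"), ("r&d", "test"), ("production", "iov")]


def overlaps(plan):
    """Return (vpc_a, cidr_a, vpc_b, cidr_b) for every overlapping pair of blocks."""
    hits = []
    for (a, blocks_a), (b, blocks_b) in combinations(plan.items(), 2):
        for x in blocks_a:
            for y in blocks_b:
                if ip_network(x).overlaps(ip_network(y)):
                    hits.append((a, x, b, y))
    return hits


def check_connections(plan, connections):
    """Report the overlaps that matter for the requested connections.

    "direct": the two overlapping VPCs are to be connected to each other.
    "via <hub>": both are connected to the same hub, which would then hold
    two routes for the same address space (longest prefix decides, silently).
    """
    neigh = {}
    for a, b in connections:
        neigh.setdefault(a, set()).add(b)
        neigh.setdefault(b, set()).add(a)
    problems = []
    for a, _, b, _ in overlaps(plan):
        if b in neigh.get(a, set()):
            problems.append((a, b, "direct"))
        for hub in sorted(neigh.get(a, set()) & neigh.get(b, set())):
            problems.append((a, b, f"via {hub}"))
    return problems


def vpcs_of(addr, plan):
    """Every VPC whose plan contains addr. More than one entry means the
    address cannot be attributed to an environment, the maintainability
    problem the slide warns about."""
    a = ip_address(addr)
    return [name for name, blocks in plan.items()
            if any(a in ip_network(c) for c in blocks)]


if __name__ == "__main__":
    for a, x, b, y in overlaps(PLAN):
        print(f"overlap: {a} {x} <-> {b} {y}")
    for a, b, how in check_connections(PLAN, CONNECTIONS):
        print(f"blocked: {a} <-> {b} ({how})")
    print("10.3.200.1 belongs to:", vpcs_of("10.3.200.1", PLAN))
```

In the constructed plan the production and test VPCs are never connected directly, so a check that only looked at requested pairs would pass; the hub check catches that the public VPC would be peered to both and could not route 10.3.128.0/17 unambiguously. Removing the stray block from the test VPC clears both findings.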
Summary
⚫ This lesson described the technological features of common
network service products, analyzed the five cloud network
solutions, and discussed five principles of network architectures.

68
Quiz
(Single-choice question) Which of the following network services allows
resources in different VPCs to communicate with each other over a private
network and allows a cloud service to access the specified port when accessing
backend resources in the peer VPC?
A. VPC Peering
B. VPCEP
C. Cloud Connect
D. ELB

69
Acronyms and Abbreviations
⚫ BMS: Bare Metal Server
⚫ ECS: Elastic Cloud Server
⚫ EIP: Elastic IP
⚫ ELB: Elastic Load Balance

70
Acronyms and Abbreviations
⚫ EVS: Elastic Volume Service
⚫ OBS: Object Storage Service
⚫ VPC: Virtual Private Cloud
⚫ VPN: Virtual Private Network
⚫ VPCEP: VPC Endpoint

71
Recommendations
⚫ Huawei Cloud official website
 Huawei Cloud product help document:
https://support.huaweicloud.com/intl/en-us/index.html

72
Thank You.
Copyright © 2024 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating results,
future product portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially from those
expressed or implied in the predictive statements. Therefore, such information is
provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.
