Network Cloud Services -

Virtual Private Cloud


Foreword

 With ever-increasing online service requirements, enterprise networks require a long time to market, have high O&M costs, and face high security risks. An increasing number of enterprises are using HUAWEI CLOUD VPC to quickly set up networks for their online services.
 VPC is a network infrastructure service. It uses secure tunneling technology to provide isolated network environments. This chapter introduces the VPC service of HUAWEI CLOUD.

1 Huawei Confidential
Objectives

On completion of this course, you will be able to:


 Become familiar with the VPC service.
 Understand the VPC concepts, functions, and application scenarios.
 Create and manage VPCs.

Contents

1. VPC Overview

2. VPC Concepts

3. VPC Application Scenarios

4. VPC Usage and Management

VPC Concepts
 A Virtual Private Cloud (VPC) is a logically isolated virtual network. Within your own
VPC, you can create subnets, configure route tables, assign elastic IP addresses (EIPs)
and bandwidths, and implement access control through security groups and network
ACLs.

VPC and Classic Network
 Classic network: All users on the public cloud share one network resource pool, and their
networks are not logically isolated. Private IP addresses are allocated by the system in a unified
manner. Each private IP address can only be allocated to one user.
 VPC: A VPC is a logically isolated virtual network on the public cloud. Within your own VPC, you
can assign more than one private IP address, define subnets and routes, and implement access
control through security groups and network ACLs.
[Figure: classic network versus VPC. In the classic network, user A and user B share one resource pool. In the VPC, each user has subnets A and B protected by network ACLs A and B, a route table, and connections to the outside through a connection between VPCs, a VPN gateway, a Direct Connect gateway, a NAT gateway, a custom gateway, and an O&M VPN.]
VPC Product Architecture
 You can configure security groups, VPNs, subnets, and bandwidth in VPCs. With VPC, you can easily manage and configure private networks and change network configurations flexibly and securely. You can also customize the ECS access rules within a security group or between security groups to improve ECS security.

VPC Product Advantages

 Secure and reliable: Private networks on the cloud are completely isolated. ECSs in the same VPC can exist in different availability zones.
 Flexible configuration: You can define and manage your networks in an easy and flexible manner.
 High-speed access: Dynamic BGP network connections enable high-speed access to cloud services.
 Interconnection: VPC Peering enables seamless interconnection between VPCs.

VPC Concepts - Subnet
 A subnet is a network plane for managing cloud resources in a VPC. All cloud resources
must be deployed in subnets. By default, ECSs in all subnets of the same VPC can
communicate with one another, whereas ECSs in the subnets of different VPCs cannot
communicate with each other.

VPC Concepts - Route Table
 A route table contains routes that determine where traffic is directed.
 When you create a VPC, the system automatically creates a default route table. The
route table ensures that all subnets in the VPC can communicate with each other. You
can also add custom routes to control where traffic is directed.

VPC Concepts - Virtual IP Address
 A virtual IP address can be shared among multiple ECSs. An ECS can have both private
and virtual IP addresses. You can access the ECS through either IP address. A virtual IP
address has the same network access capability as a private IP address. Virtual IP
addresses are used for high availability because they facilitate active/standby ECS
switchover.

VPC Concepts - Security Group
 A security group is a collection of access control rules for ECSs that have the same
security protection requirements and are mutually trusted in a VPC. After you create a
security group, you can create different access rules for the security group to protect the
ECSs that it contains.

VPC Concepts - Network ACL
 A network ACL is an optional layer of
security for your subnets. After you
associate one or more subnets with a
network ACL, the network ACL can help
you control traffic in and out of the
subnets.

VPC Concepts - EIP
 The Elastic IP (EIP) service enables you to use static public IP addresses and scalable bandwidths to connect your cloud resources to the Internet. You can easily bind EIPs to, or unbind them from, cloud resources to keep up with changes in demand.

VPC Concepts - Shared Bandwidth
 Shared bandwidth allows multiple EIPs to share the same bandwidth. The ECSs, BMSs,
and load balancers that are bound with EIPs in the same region can use the same
shared bandwidth.
[Figure: bandwidth over a day (00:00 to 24:00). Left: three EIPs with dedicated bandwidths of 50, 40, and 30 Mbit/s, a total of 120 Mbit/s. Right: the same three EIPs using one shared bandwidth of 75 Mbit/s.]
VPC Concepts - Shared Data Package
 A shared data package provides a quota for data usage. Such packages are cost-effective and
easy to use. Shared data packages take effect immediately after you purchase them. If you have
subscribed to pay-per-use EIPs billed by traffic in a region and buy a shared data package in the
same region, all your EIPs in that region will use the shared data package. After the package
quota is used up or the package expires, the EIPs will continue to be billed on a pay-per-use basis.

[Figure: several EIPs billed by traffic draw on the quota of one shared data package. Pay-per-use EIPs billed by traffic automatically use the quota of the shared data package.]
VPC Concepts - Bandwidth Add-On Package
 A bandwidth add-on package can be used to temporarily increase the maximum shared
or dedicated bandwidth of a yearly/monthly EIP.

[Figure: bandwidth over a day (00:00 to 24:00). A yearly/monthly bandwidth of 30 Mbit/s rises to 100 Mbit/s for the validity period of a 70 Mbit/s bandwidth add-on package, then returns to 30 Mbit/s.]
VPC Concepts - VPC Peering
 A VPC peering connection is a network connection between two VPCs in the same region that allows them to communicate with each other using private IP addresses. You can create a VPC peering connection between your own VPCs, or between your VPC and a VPC of another account in the same region. A VPC peering connection cannot be created between VPCs in different regions.

[Figure: VPC 10.10.0.0/16 (subnets 10.10.1.0/24 and 10.10.2.0/24 behind their subnet gateways) and VPC 10.20.0.0/16 (subnets 10.20.1.0/24 and 10.20.2.0/24) joined by a VPC peering connection between the two VPC routers.]
Dedicated Networks on Cloud
 Each VPC represents a private network and is logically isolated from other VPCs. By deploying
your application system in a VPC, you have given it a private network environment on the cloud.
If you have multiple service systems, for example, a production system and a test system, you can
deploy them in two different VPCs to isolate them. If you want to establish communication
between these two VPCs, you can create a VPC peering connection between them.

Web Application or Website Hosting
 You can host web applications and websites in a VPC and use the VPC as a regular network. With
EIPs or NAT gateways, you can connect ECSs running web applications to the Internet. With the
load balancers provided by the ELB service, you can evenly distribute access traffic across these
ECSs.

Web Application Access Control
 You can create a VPC and security groups to host multi-tier web applications in different security zones. You can associate web servers and database servers with different security groups and configure different access control rules for each group. You can launch web servers in a publicly accessible subnet, but run database servers in subnets that are not publicly accessible. This arrangement improves security by keeping the database tier off the Internet and reachable only through the rules you define between the two groups.

VPC Connectivity Options
 You can use VPC Peering, Cloud Connect, or VPN to allow different VPCs to
communicate with each other.

Hybrid Cloud Deployment
 If you have an on-premises data center and you do not want to migrate all of your
business to the cloud, you can build a hybrid cloud, so that you can retain core data in
your data center.

VPC Configuration Procedure (1)
 If any of your ECSs, for example, ECSs that function as the database or server nodes for
website deployment, do not need to be accessible from the Internet, you can configure
a VPC for the ECSs by performing the following procedure.

VPC Configuration Procedure (2)
Task | Description | Optional or Mandatory

01 Create a VPC. | A created VPC comes with a default subnet you specify. After the VPC is created, you can create other required network resources in the VPC based on your service requirements. | Mandatory

02 Create another subnet for the VPC. | If you need another subnet in addition to the default one, you can create a subnet in the VPC. The new subnet will be used to assign IP addresses to NICs added to the ECS. | Optional

03 Create a security group. | You can create a security group and add ECSs in the VPC to the security group to enhance security for the ECSs. | Mandatory

04 Add a security group rule. | After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other by default. If the default rule meets your service requirements, you do not need to add rules to the security group. | Optional
VPC and Default Subnet Configuration Parameters
VPC parameters:

Parameter | Description | Example Value
Region | Specifies the desired region. Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the nearest region. | CN North-Beijing4
Name | Specifies the VPC name. | VPC-001
CIDR Block | Specifies the CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). Supported CIDR blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255. | 192.168.0.0/16
Enterprise Project | Specifies the enterprise project to which the VPC belongs. By default, the VPC belongs to the Default project. | Default
Tag | Specifies the VPC tag, which consists of a key and value. You can add a maximum of ten tags to each VPC. | Key: vpc_key1; Value: vpc-01

Default subnet parameters:

Parameter | Description | Example Value
Name | Specifies the subnet name. | Subnet
CIDR Block | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24
Gateway | Specifies the gateway address of the subnet. | 192.168.0.1
DNS Server Address | External DNS server addresses are used by default. If you change the DNS server address, ensure that the DNS server addresses you specify are available. | 192.168.1.0
Tag | Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. | Key: subnet_key1; Value: subnet-01
Subnet Configuration Parameters

Parameter | Description | Example Value
Name | Specifies the subnet name. | Subnet
CIDR Block | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24
Gateway | Specifies the gateway address of the subnet. | 192.168.0.1
DNS Server Address | External DNS server addresses are used by default. If you change the DNS server address, ensure that the DNS server addresses you specify are available. | 192.168.1.0
Tag | Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. | Key: subnet_key1; Value: subnet-01

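The CIDR rules in the VPC and subnet parameter tables above (the VPC block must fall within one of the three supported private ranges; a subnet block must lie within the VPC block, equal to it for a single subnet or a subset for several) can be checked before anything is created. The following is an added example written for this page, not code from Huawei or from the course; it uses only Python's standard ipaddress module. The non-overlap check between subnets of one VPC and the "first usable address is the gateway" rule are assumptions taken from the deck's example values (192.168.0.0/24 with gateway 192.168.0.1), not statements the deck makes.

```python
# Added example (not from the Huawei deck): checks the VPC and subnet CIDR rules
# from the parameter tables above with Python's standard ipaddress module.
import ipaddress

# Supported VPC CIDR ranges as listed in the deck (the RFC 1918 private blocks).
SUPPORTED_VPC_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def vpc_problems(vpc_cidr):
    """Return the problems with a VPC CIDR block (empty list if it is acceptable)."""
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/16
    except ValueError as exc:
        return [f"VPC CIDR {vpc_cidr!r} is malformed: {exc}"]
    if vpc.version != 4:
        return [f"VPC CIDR {vpc} is not IPv4"]
    if not any(vpc.subnet_of(block) for block in SUPPORTED_VPC_BLOCKS):
        return [f"VPC CIDR {vpc} is outside the supported private ranges"]
    return []


def subnet_problems(vpc_cidr, subnet_cidr, existing_subnets=()):
    """Return the problems with a subnet relative to its VPC (empty list if acceptable).

    Rules from the deck: the subnet CIDR must be within the VPC CIDR (equal to it for
    a single-subnet VPC, or a subset when the VPC has several subnets). The check that
    the new subnet does not overlap subnets already in the VPC is an assumption added
    here: overlapping subnets could not be routed unambiguously by the VPC route table.
    """
    problems = vpc_problems(vpc_cidr)
    if problems:
        return problems
    vpc = ipaddress.ip_network(vpc_cidr)
    try:
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    except ValueError as exc:
        return [f"subnet CIDR {subnet_cidr!r} is malformed: {exc}"]
    if subnet.version != vpc.version:
        return [f"subnet {subnet} and VPC {vpc} are not the same IP version"]
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet} is not within VPC {vpc}")
    for other in existing_subnets:
        if subnet.overlaps(ipaddress.ip_network(other)):
            problems.append(f"subnet {subnet} overlaps existing subnet {other}")
    return problems


def plan_subnet(vpc_cidr, subnet_cidr, existing_subnets=()):
    """Validate the subnet and derive the values the console fills in for it.

    The deck's example pairs 192.168.0.0/24 with gateway 192.168.0.1, i.e. the first
    usable address; the same convention is applied here (assumption).
    """
    problems = subnet_problems(vpc_cidr, subnet_cidr, existing_subnets)
    if problems:
        raise ValueError("; ".join(problems))
    subnet = ipaddress.ip_network(subnet_cidr)
    return {
        "subnet": str(subnet),
        "gateway": str(subnet.network_address + 1),
        "usable_hosts": subnet.num_addresses - 2,  # minus network and broadcast addresses
    }


if __name__ == "__main__":
    # Constructed input matching the deck's example values.
    print(plan_subnet("192.168.0.0/16", "192.168.0.0/24"))
    print(plan_subnet("192.168.0.0/16", "192.168.1.0/24", existing_subnets=("192.168.0.0/24",)))
    print(subnet_problems("192.168.0.0/16", "10.0.1.0/24"))
```

Because strict=True is used, a value such as 10.0.0.1/16 is rejected rather than silently normalized to 10.0.0.0/16, which is the behaviour you want when the value comes from a form or an automation template.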
Security Group Rules
 Scenarios
Security groups have default rules configured for them. You can add new inbound and outbound rules to the
security group.
Inbound rules control incoming traffic to ECSs associated with the security group.
Outbound rules control outgoing traffic from ECSs associated with the security group.
 Default security group rules

Direction | Protocol | Port Range | Source/Destination | Description
Outbound | All | All | Destination: 0.0.0.0/0 | Allows all outbound traffic.
Inbound | All | All | Source: current security group (for example, sg-xxxxx) | Allows communication among ECSs within the security group and denies all other inbound traffic (incoming data packets).
Inbound | TCP | 22 | Source: 0.0.0.0/0 | Allows all IP addresses to access Linux ECSs over SSH.
Inbound | TCP | 3389 | Source: 0.0.0.0/0 | Allows all IP addresses to access Windows ECSs over RDP.

Note that the last two default rules open SSH and RDP to every IPv4 source. Before you bind an EIP to an ECS in such a group, restrict the source of these rules to your management addresses or to a security group.
Security Group Rule Configuration Parameters
Parameter | Description | Example Value
Protocol | Specifies the network protocol. | TCP
Port & Source (Inbound) | Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. Source: specifies the source of the security group rule. The value can be a security group or an IP address, for example xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), or 0.0.0.0/0 (any IP address). | Port: 22 or 22-30; Source: 0.0.0.0/0 (default)
Port & Destination (Outbound) | Port: specifies the port or port range for which the security group rule takes effect. The value ranges from 1 to 65535. Destination: specifies the destination of the security group rule. The value can be a security group or an IP address, for example xxx.xxx.xxx.xxx/32 (IPv4 address), xxx.xxx.xxx.0/24 (subnet), or 0.0.0.0/0 (any IP address). | Port: 22 or 22-30; Destination: 0.0.0.0/0 (default)
Description | Provides supplementary information about the security group rule. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | -

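The parameter constraints in the table above (protocol, port range 1-65535, source as CIDR or security group, description limits) and the default rules listed on the previous slide can be turned into a check that runs before a security group is attached to anything with an EIP. The following is an added example for this page, not Huawei code and not the VPC API; it validates each rule against the table's constraints and then flags inbound rules that admit any IPv4 source to the SSH and RDP ports the defaults expose. The rule data is constructed from the deck's default-rule table (sg-xxxxx is the deck's own placeholder), and 203.0.113.0/24 is a documentation prefix standing in for your management network.

```python
# Added example (not from the Huawei deck): validates security group rules against
# the parameter constraints in the table above and flags the two default inbound
# rules that open SSH and RDP to every source. Rule data below is constructed from
# the deck's "Default security group rules" table; sg-xxxxx is the deck's placeholder.
import ipaddress
import re
from dataclasses import dataclass

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # the ports the default rules expose


@dataclass
class SgRule:
    direction: str        # "inbound" or "outbound"
    protocol: str         # "tcp", "udp", "icmp" or "all"
    port_range: str       # "all", a single port "22" or a range "22-30"
    remote: str           # source (inbound) / destination (outbound): CIDR or security group id
    description: str = ""


def parse_ports(port_range):
    """Return (low, high) for 'all', '22' or '22-30'; ports must be within 1-65535."""
    if port_range.lower() == "all":
        return 1, 65535
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", port_range)
    if not m:
        raise ValueError(f"port range {port_range!r} is malformed")
    low = int(m.group(1))
    high = int(m.group(2) or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {port_range!r} is outside 1-65535")
    return low, high


def validate_rule(rule):
    """Return the parameter violations of one rule (empty list when it is well formed)."""
    problems = []
    if rule.direction not in ("inbound", "outbound"):
        problems.append(f"unknown direction {rule.direction!r}")
    if rule.protocol.lower() not in ("tcp", "udp", "icmp", "all"):
        problems.append(f"unknown protocol {rule.protocol!r}")
    try:
        parse_ports(rule.port_range)
    except ValueError as exc:
        problems.append(str(exc))
    if not rule.remote.startswith("sg-"):
        try:
            ipaddress.ip_network(rule.remote, strict=True)
        except ValueError:
            problems.append(f"remote {rule.remote!r} is neither a CIDR block nor a security group")
    if len(rule.description) > 255 or "<" in rule.description or ">" in rule.description:
        problems.append("description exceeds 255 characters or contains angle brackets")
    return problems


def audit_rules(rules):
    """Flag malformed rules and inbound rules that admit any IPv4 source to admin ports."""
    findings = []
    for rule in rules:
        problems = validate_rule(rule)
        if problems:
            findings.extend(f"invalid rule: {p}" for p in problems)
            continue
        if rule.direction != "inbound" or rule.remote.startswith("sg-"):
            continue   # outbound and security-group-scoped rules are not world-open
        if ipaddress.ip_network(rule.remote).prefixlen != 0:
            continue   # a /32 host or a /24 subnet is a scoped source
        low, high = parse_ports(rule.port_range)
        if rule.protocol.lower() == "all":
            findings.append("all protocols and ports open to 0.0.0.0/0")
        elif rule.protocol.lower() == "tcp":
            for port, name in ADMIN_PORTS.items():
                if low <= port <= high:
                    findings.append(f"{name} (TCP {port}) open to 0.0.0.0/0")
    return findings


# The deck's default rules, as constructed sample input.
DEFAULT_RULES = [
    SgRule("outbound", "all", "all", "0.0.0.0/0", "Allows all outbound traffic."),
    SgRule("inbound", "all", "all", "sg-xxxxx", "Allows communication within the security group."),
    SgRule("inbound", "tcp", "22", "0.0.0.0/0", "Allows all IP addresses to access Linux ECSs over SSH."),
    SgRule("inbound", "tcp", "3389", "0.0.0.0/0", "Allows all IP addresses to access Windows ECSs over RDP."),
]

# The same rules with SSH/RDP restricted to a management subnet (203.0.113.0/24 is a
# documentation range used here as a stand-in for your own bastion or office prefix).
HARDENED_RULES = [
    rule if rule.remote != "0.0.0.0/0" or rule.direction == "outbound"
    else SgRule(rule.direction, rule.protocol, rule.port_range, "203.0.113.0/24", rule.description)
    for rule in DEFAULT_RULES
]

if __name__ == "__main__":
    print("default :", audit_rules(DEFAULT_RULES))
    print("hardened:", audit_rules(HARDENED_RULES))
```

Run as written, the default rule set produces two findings (SSH and RDP open to 0.0.0.0/0) and the hardened set produces none; the validation step also rejects values the console would refuse, such as a port of 0 or a source of 10.0.0.5/24 with host bits set.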
VPC Billing
 The VPC service is free of charge. However, EIPs and bandwidths you use with a VPC
will be billed based on standard pricing.
 EIPs can be billed on a yearly/monthly or pay-per-use basis.

Billing Mode | Billed By | EIP Retention Fee | Bandwidth Price | Public Network Traffic Price
Yearly/Monthly | Bandwidth | - | √ | -
Pay-per-Use | Bandwidth | Not included if the EIP is bound to an ECS, BMS, or load balancer; included if the EIP is unbound but not released. | √ | -
Pay-per-Use | Traffic | Not included if the EIP is bound to an ECS, BMS, or load balancer; included if the EIP is unbound but not released. | - | √
Quiz

1. Which of the following are supported by HUAWEI CLOUD VPC?


A. Customizing CIDR blocks

B. Customizing access control policies

C. Accessing the Internet using EIPs

D. Connecting to an on-premises data center using VPN or Direct Connect

More Information

Abbreviation | Full Name
AZ | Availability Zone
BGP | Border Gateway Protocol
DNS | Domain Name System
EIP | Elastic IP
IPsec | Internet Protocol Security
VPN | Virtual Private Network
IGW | Integration Gateway
NAT | Network Address Translation

Summary

 Introduction to the VPC service.


 Introduction to the concepts, functions, and application scenarios of the
VPC service.
 Introduction to VPC creation, management, and billing modes.

Recommendations

 Huawei learning website


 https://e.huawei.com/en/talent
 HUAWEI CLOUD official website
 https://www.huaweicloud.com/intl/en-us/

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2020 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Network Cloud Services - Elastic Load
Balance

Foreword

 Elastic Load Balance (ELB) automatically distributes incoming traffic across multiple servers to balance their workloads. It enables you to achieve higher fault tolerance for your applications and expand their service capabilities.

Objectives

On completion of this course, you will be able to:


 Know what ELB is.
 Know the concepts, functions, and scenarios of ELB.
 Create and manage load balancers.

Contents

1. ELB Overview

2. Application Scenarios

3. ELB Management

4. Related Services

Product Concepts
 Elastic Load Balance (ELB) automatically distributes incoming traffic across multiple
backend servers based on the rules you configure. ELB expands service capabilities of
applications and eliminates single points of failure (SPOFs), improving application
availability.

Product Architecture

Load Balancer Types (1)
 ELB provides two types of load balancers:
 Classic load balancers: ideal for web services with low traffic and simple applications
 Shared load balancers: ideal for web services with high access traffic. Requests are forwarded
based on domain names or URLs, making request routing more flexible. (Shared load
balancers were previously called enhanced load balancers.)

 ELB supports both public and private network load balancing.


 Public network load balancers each have a public IP address bound and route requests from
clients to backend servers over the Internet.
 Private network load balancers work in a VPC and route requests from clients to backend
servers that are in the same VPC.

Load Balancer Types (2)
 Load balancing at Layer 4 (TCP/UDP) and at Layer 7 (HTTP/HTTPS)
 Load balancing at Layer 4: supports TCP and UDP. After a load balancer receives requests
from clients, it directly routes the requests to backend servers. Load balancing at Layer 4
features high routing efficiency and fast data transmission.
 Load balancing at Layer 7: supports HTTP and HTTPS. After a load balancer receives a request
from a client, it identifies the fields in the HTTP/HTTPS packet header and routes the request
based on these fields. Though the routing efficiency is lower than that at Layer 4, load
balancing at Layer 7 provides some advanced functions such as encrypted transmission and
cookie-based sticky sessions.

Load Balancing Algorithms
 What load balancing algorithms does ELB use to distribute traffic?
Algorithm | Weight | Description
Round robin | Supported | Requests are distributed across backend servers in sequence based on their weights. The weight indicates the processing performance of the server. Servers with the same weights process an equal number of connections. This algorithm is often used for short connections, such as HTTP connections.
Least connections | Supported | The least connections algorithm routes requests based on the number of active connections processed by each backend server. In addition to the number of connections, each server is assigned a weight based on its processing capability. Requests are routed to the server that has the lowest connections-to-weight ratio. This algorithm is often used for persistent connections, such as connections to a database.
Source IP hash | N/A | The source IP address of each client is calculated using the consistent hashing algorithm to obtain a unique hash key, and all backend servers are numbered. The generated key allocates the client to a particular server. This enables requests from different clients to be routed and ensures that a client is allocated to the same server it was allocated to before. This algorithm applies to TCP connections without cookies.

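The three algorithms in the table behave quite differently on the same pool, and the difference is easier to see in code than in prose. The following is an added example written for this page in plain Python; it is not ELB's implementation and makes no claim about how ELB internally schedules. It shows weighted round robin in its "smooth" form (picks spread out in proportion to weight), weighted least connections using the connections-to-weight ratio, and source IP hash built on a consistent-hashing ring, including the property the table relies on: a client keeps its server unless that server is removed. Backend names, weights, and client addresses are constructed sample data.

```python
# Added example (not from the Huawei deck): the three ELB algorithms from the table
# above implemented in plain Python, so their behaviour can be compared on the same
# backends. The weights and client addresses below are constructed sample data.
import bisect
import hashlib


class Backend:
    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight          # relative processing capability
        self.active_connections = 0   # maintained by the least-connections balancer


class WeightedRoundRobin:
    """Smooth weighted round robin: over one cycle each backend is chosen a number
    of times proportional to its weight, and the picks are spread out rather than
    clumped (A A A B becomes A A B A for weights 3:1)."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._current = {b.name: 0 for b in backends}
        self._total = sum(b.weight for b in backends)

    def pick(self, client_ip=None):
        for b in self.backends:
            self._current[b.name] += b.weight
        best = max(self.backends, key=lambda b: self._current[b.name])
        self._current[best.name] -= self._total
        return best


class WeightedLeastConnections:
    """Route to the backend with the lowest active-connections-to-weight ratio.
    Suited to long-lived connections, where connection counts diverge over time."""

    def __init__(self, backends):
        self.backends = list(backends)

    def pick(self, client_ip=None):
        best = min(self.backends, key=lambda b: b.active_connections / b.weight)
        best.active_connections += 1
        return best

    def release(self, backend):
        backend.active_connections -= 1


class SourceIpHash:
    """Consistent hashing: every backend owns `replicas` points on a ring; a client
    IP is hashed onto the ring and served by the next point clockwise. Removing one
    backend only remaps the clients that were on its points, so other clients keep
    their server even though no cookie is involved."""

    def __init__(self, backends, replicas=100):
        self._ring = []
        self._owner = {}
        for b in backends:
            for i in range(replicas):
                point = self._hash(f"{b.name}#{i}")
                self._ring.append(point)
                self._owner[point] = b
        self._ring.sort()

    @staticmethod
    def _hash(key):
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

    def pick(self, client_ip):
        idx = bisect.bisect(self._ring, self._hash(client_ip)) % len(self._ring)
        return self._owner[self._ring[idx]]


def distribution(balancer, requests):
    """Count how many of `requests` (client IPs) each backend receives."""
    counts = {}
    for ip in requests:
        name = balancer.pick(ip).name
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    pool = [Backend("web-a", 3), Backend("web-b", 1)]
    clients = [f"198.51.100.{i}" for i in range(1, 41)]   # constructed client addresses
    print("round robin :", distribution(WeightedRoundRobin(pool), clients))
    print("least conns :", distribution(WeightedLeastConnections(pool), clients))
    ring = SourceIpHash(pool)
    print("source hash :", distribution(ring, clients))
    print("sticky      :", ring.pick("198.51.100.7") is ring.pick("198.51.100.7"))
```

Two points worth noticing when you run it: weighted round robin and least connections honour the 3:1 weights exactly, while source IP hash distributes by address rather than by weight (which is why the table lists weight as N/A for it); and for source IP hash, a client behind a NAT shares its hash with everyone behind the same address, so stickiness holds per source address, not per user.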
Product Advantages

High Performance: ELB can simultaneously establish hundreds of millions of connections and meet your requirements for handling huge numbers of concurrent requests.

High Availability: ELB is deployed in cluster mode and ensures that your services are uninterrupted. If servers in an AZ are unhealthy, ELB automatically routes traffic to healthy servers in other AZs.

Flexible Scalability: ELB makes sure that your applications always have enough capacity for varying levels of workloads. It works with Auto Scaling to flexibly adjust the number of servers and intelligently distribute incoming traffic across servers.

Easy to Use: A diverse set of protocols and algorithms enables you to configure traffic routing policies to suit your needs while keeping deployments simple.
Application Scenarios - High Traffic Business
 For businesses with high volume of traffic,
such as large portals and mobile app
stores, ELB evenly distributes incoming
traffic to multiple backend servers.
 Sticky sessions ensure that requests from
a client are forwarded to the same
backend server, improving access
efficiency.

Application Scenario - Businesses with Significant
Traffic Peaks
 For businesses that have significant
traffic peaks, integration with AS
allows backend servers to be added or
removed to meet changing
requirements, improving resource
utilization.

Application Scenario - SPOF Elimination
 ELB routinely performs health checks on backend servers to monitor their health state. If a backend server is detected as unhealthy, ELB stops routing requests to it until it becomes healthy again, which ensures service continuity.

Application Scenario - Cross-AZ Load Balancing
 ELB can distribute traffic across AZs. When an AZ becomes faulty, ELB
distributes traffic to backend servers in other AZs.

ELB Management

 Load balancers: creating a load balancer, deleting a load balancer
 Listeners: adding a listener, modifying a listener, deleting a listener
 Backend server groups: adding a backend server group, deleting a backend server group
 Certificates: adding a certificate, modifying a certificate, deleting a certificate
Load Balancer Management
[Figure: load balancer lifecycle, shown as a cycle of six tasks: creating a load balancer, viewing details of a load balancer, enabling a load balancer, disabling a load balancer, deleting a load balancer, and (optional) adjusting the bandwidth.]
Creating a Load Balancer - Parameter Settings (1)
Parameter | Description | Example Value
Name | Specifies the load balancer name. | elb_01
Network Type | Specifies the network type of a load balancer. There are two options. Public network: the load balancer can receive requests over the Internet. Private network: the load balancer receives and routes requests in a VPC. | Private network
VPC | Specifies the VPC where the load balancer works. | VPC_01
Subnet | Specifies the subnet of the VPC where the load balancer works. | subnet01
Private IP Address | Specifies the private IP address that will be bound to the load balancer. You can select Automatically-assigned IP address or Manually-specified IP address. | Manually-specified IP address
EIP | Specifies the public IP address that will be bound to the load balancer when you select Public network for Network Type. The following options are available. New EIP: the system will assign an EIP. Use existing: select an existing EIP. | Use existing
Creating a Load Balancer - Parameter Settings (2)
Parameter | Description | Example Value
EIP Type | Specifies the link type (BGP) when a new EIP is used. Static BGP: offers more routing control and protects against route flapping, but an optimal path cannot be selected in real time when a network connection fails. Dynamic BGP: when changes occur on a network using dynamic BGP, routing protocols provide automatic, real-time optimization of network configurations, ensuring network stability and optimal user experience. | Dynamic BGP
Billed By | Specifies how the new EIP is billed. Select Bandwidth or Traffic. | Bandwidth
Bandwidth | Specifies the bandwidth when a new EIP is used. | 100
Description | Provides supplementary information about the load balancer. | -
Tag | Identifies load balancers so that they can be easily categorized and quickly searched. A tag consists of a tag key and a tag value. The tag key marks a tag, and the tag value specifies the tag content. | -
Listener Management
 Adding a Listener
 Modifying a Listener
 Deleting a Listener

Adding a Listener - Parameter Settings
Item | Parameter | Description | Example Value
Listener | Name | Specifies the listener name. | Listener01
Listener | Frontend Protocol/Port | Specifies the protocol and port used by the load balancer to receive requests. The following protocols are available. TCP: load balancing at Layer 4. UDP: load balancing at Layer 4. HTTP/HTTPS: load balancing at Layer 7. | TCP/22, HTTP/80
Listener | Mutual Authentication | Specifies whether to enable mutual authentication between the server and client. To enable mutual authentication, both a server certificate and a CA certificate are required. This feature can be enabled when the frontend protocol is HTTPS. | -
Listener | CA Certificate | Specifies the certificate the server uses to authenticate the client. This parameter is mandatory when the frontend protocol is HTTPS and mutual authentication is enabled. | -
Listener | Server Certificate | Specifies the certificate that the HTTPS load balancer uses. This parameter is available only when the frontend protocol is HTTPS. | certmiij/9125267e1b1a4526b346cdfb9b9f856a
Listener | Description | Provides supplementary information about the listener. | -
Backend Server Group Management
 Adding a Backend Server Group
 Deleting a Backend Server Group

Adding a Backend Server Group - Parameter Settings (1)

Item | Parameter | Description | Example Value
Backend server group | Backend Server Group | Specifies a group of backend servers that have the same features. Two options are available: Create new, Use existing. | Create new
Backend server group | Name | Specifies the backend server group name. | pool-i28r
Backend server group | Load Balancing Algorithm | Specifies the algorithm the load balancer uses to distribute traffic. The algorithms include weighted round robin, weighted least connections, and source IP hash. | Weighted round robin
Backend server group | Sticky Session | Specifies whether all requests from the same client during one session will be sent to the same backend server. | N/A
Backend server group | Sticky Session Type | Specifies the sticky session type. The following options are available: Source IP address, Load balancer cookie, and Application cookie. | Source IP address
Backend server group | Cookie Name | Specifies the cookie name. When you select Application cookie, you need to enter a cookie name. | cookie1223
Backend server group | Description | Provides supplementary information about the backend server group. | -
Adding a Backend Server Group - Parameter Settings (2)
Item | Parameter | Description | Example Value
Health check | Enable Health Check | Specifies whether to enable the health check function. | N/A
Health check | Protocol | Specifies the protocol the load balancer uses to perform health checks on backend servers. You can use either TCP or HTTP. The protocol you select cannot be modified after the listener is added to the load balancer. If the frontend protocol is UDP, the health check protocol is UDP by default. | TCP
Health check | Domain Name | Specifies the domain name in the health check request. The domain name can contain digits, letters, hyphens (-), and periods (.), and must start with a digit or letter. The field is left blank by default and is available only when the health check protocol is HTTP. | www.elb.com
Health check | Port | Specifies the port the load balancer uses to perform health checks on backend servers. The port numbers range from 1 to 65535. | 80
Health check | Interval (s) | Specifies the maximum time between health checks, in seconds. The value ranges from 1 to 50. | 5
Health check | Timeout Duration (s) | Specifies the maximum time to wait for a response to a health check, in seconds. The value ranges from 1 to 50. | 10
Health check | Check Path | Specifies the health check URL, which is the destination on backend servers for health checks. This parameter is available only when the health check protocol is set to HTTP. The value can contain 1 to 80 characters. | /test.html
Health check | Maximum Retries | Specifies the maximum number of health check retries. The value ranges from 1 to 10. | 3

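The health check parameters above (Protocol, Domain Name, Port, Interval, Timeout Duration, Check Path, Maximum Retries) together with the SPOF-elimination scenario earlier in this course ("ELB stops routing requests to an unhealthy server until it becomes healthy again") describe a small state machine. The following is an added example for this page, not ELB's code: it validates the parameter ranges from the table, runs TCP or HTTP probes with the configured timeout and Host header, and keeps a per-backend health state that a listener can consult. The deck does not say exactly how ELB applies the retry counter, so the rule used here (unhealthy after Maximum Retries consecutive failures, healthy again after the same number of consecutive successes) is an assumption. The probe results in the demo are constructed rather than obtained from real servers.

```python
# Added example (not from the Huawei deck): a backend health tracker driven by the
# Interval, Timeout Duration and Maximum Retries parameters from the table above.
# The deck does not spell out how ELB applies the retry counter, so this code
# assumes a backend becomes unhealthy after `max_retries` consecutive failed probes
# and healthy again after the same number of consecutive successful probes.
import http.client
import socket


class HealthChecker:
    def __init__(self, interval_s=5, timeout_s=10, max_retries=3):
        # Value ranges from the deck: interval 1-50 s, timeout 1-50 s, retries 1-10.
        if not (1 <= interval_s <= 50 and 1 <= timeout_s <= 50 and 1 <= max_retries <= 10):
            raise ValueError("health check parameter out of range")
        self.interval_s = interval_s
        self.timeout_s = timeout_s
        self.max_retries = max_retries
        # backend name -> [healthy, consecutive failures, consecutive successes]
        self._state = {}

    def record(self, backend, ok):
        """Feed one probe result and return the backend's health afterwards."""
        healthy, fails, succ = self._state.setdefault(backend, [True, 0, 0])
        if ok:
            fails, succ = 0, succ + 1
            if not healthy and succ >= self.max_retries:
                healthy = True
        else:
            succ, fails = 0, fails + 1
            if healthy and fails >= self.max_retries:
                healthy = False
        self._state[backend] = [healthy, fails, succ]
        return healthy

    def is_healthy(self, backend):
        return self._state.get(backend, [True, 0, 0])[0]

    def healthy_backends(self, backends):
        """The set a listener may route to: unhealthy backends receive no requests."""
        return [b for b in backends if self.is_healthy(b)]

    def tcp_probe(self, host, port):
        """Layer 4 check: a completed TCP handshake within the timeout counts as healthy."""
        try:
            with socket.create_connection((host, port), timeout=self.timeout_s):
                return True
        except OSError:
            return False

    def http_probe(self, host, port, path="/", domain=None):
        """Layer 7 check: GET `path` with the configured Domain Name as the Host header;
        any status below 400 received within the timeout counts as healthy."""
        conn = http.client.HTTPConnection(host, port, timeout=self.timeout_s)
        try:
            conn.request("GET", path, headers={"Host": domain or host})
            return conn.getresponse().status < 400
        except (OSError, http.client.HTTPException):
            return False
        finally:
            conn.close()


if __name__ == "__main__":
    hc = HealthChecker(interval_s=5, timeout_s=10, max_retries=3)
    # Constructed probe results for two backends, one probe per interval.
    results = {"web-1": [True, False, False, False, True, True, True],
               "web-2": [True, True, True, True, True, True, True]}
    for tick in range(7):
        for name, outcome in results.items():
            hc.record(name, outcome[tick])
        print(f"t={tick * hc.interval_s:2d}s routable: {hc.healthy_backends(list(results))}")
```

With the deck's example values (interval 5 s, retries 3) a backend that stops answering is taken out of rotation about 15 s after its first failed probe and stays out until three probes in a row succeed; a single transient failure never removes it, because the failure counter resets on the next success.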
ELB Relationships with Other Services

Service Name | Function | Reference
Elastic Cloud Server (ECS) | Has applications deployed to provide services to users and receives the traffic distributed by ELB. | Buying an ECS
Bare Metal Server (BMS) | Has applications deployed to provide services to users and receives the traffic distributed by ELB. | Buying a BMS
Cloud Container Engine (CCE) | Has applications deployed to provide services to users and receives the traffic distributed by ELB. | LoadBalancer
Virtual Private Cloud (VPC) | Provides IP addresses and bandwidth for load balancers. | Assigning an EIP and Binding It to an ECS
Auto Scaling (AS) | Works with ELB to automatically scale the number of backend servers for better traffic distribution. | Creating an AS Group
Identity and Access Management (IAM) | Provides authentication for ELB. | Creating a User Group and Assigning Permissions
ELB Relationships with Other Services

Service Name | Function | Reference
Cloud Trace Service (CTS) | Records the operations performed on ELB resources. | Viewing Traces
Cloud Eye | Monitors the status of load balancers and listeners, without any additional plug-in. | Viewing Metrics
Anti-DDoS | Protects public network load balancers against DDoS attacks, ensuring stability and business continuity. | Enabling Anti-DDoS
Log Tank Service (LTS) | Allows you to view and analyze access logs of HTTP and HTTPS requests for Layer 7 load balancing. | Access Logging
Quiz

1. Which of the following algorithms are supported by ELB? ( )
A. Weighted round robin
B. Weighted least connections
C. Source IP hash
D. Encryption algorithm
2. Which of the following protocols are supported by ELB? ( )
A. TCP
B. UDP
C. HTTP
D. HTTPS
Summary

 This course introduces the concepts and functions of ELB.
 This course also describes how to create load balancers and how to modify load balancers and related resources, such as listeners and certificates.
Recommendations

 Online learning website
 https://e.huawei.com/en/talent
 Huawei Knowledge Base
 https://support.huawei.com/enterprise/en/knowledge?lang=en

Thank you.

Network Cloud Services - Virtual Private Network
Foreword

 A Virtual Private Network (VPN) connection is a secure, encrypted communications tunnel between your local data center and your VPC on HUAWEI CLOUD. A VPN lets you build a flexible, scalable hybrid cloud environment.

Objectives

On completion of this course, you will be able to:
 Understand VPN concepts.
 Understand VPN application scenarios.
 Use a VPN.

Contents

1. Overview
2. Getting Started
3. Usage and Management
4. FAQs

Concepts
 VPN establishes a secure and encrypted communication tunnel between your data center and VPC. With VPN, you can connect to a VPC and access the resources deployed there.
VPN Types
 There are three basic types of VPNs, each designed for different uses:
 An Access VPN allows offsite workers to easily and securely connect to their company's network while working remotely.
 An Intranet VPN connects different branches or sites of an enterprise and enables private communications between them over the Internet.
 An Extranet VPN connects enterprise internal networks with networks of partners or authorized agencies.

IPsec VPN
 An Internet Protocol Security VPN (IPsec VPN) is a VPN that uses IPsec for secure remote access. Defined by the Internet Engineering Task Force (IETF), IPsec is a framework of open standards for ensuring secure, private, and encrypted communications over the Internet.
IPsec VPN Topology

(Figure) Private network 1 (192.168.1.0/24) sits behind Firewall 1 (100.1.1.1/24), and Private network 2 (192.168.2.0/24) sits behind Firewall 2 (200.2.2.2/24). The two firewalls are connected across the Internet by an IPsec tunnel.
Packet format on the tunnel, as shown in the figure:
 Outer IP header: SA: 100.1.1.1, DA: 200.2.2.2 (the firewall addresses)
 Security header
 Inner IP header: SA: 192.168.1.1, DA: 192.168.2.1 (the private hosts)
 Encrypted data (the original DATA)
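The encapsulation in the figure, worked through as an added example (this code is not from the slides or from HUAWEI CLOUD's VPN implementation). It builds a packet from 192.168.1.1 to 192.168.2.1, wraps it in ESP tunnel mode between the firewall addresses 100.1.1.1 and 200.2.2.2, and shows that an observer on the Internet path sees only the gateway addresses and the protocol number of ESP, while the receiving side rejects tampered and replayed packets. The SA keys are constructed constants (a real gateway derives them through IKE), and the HMAC-SHA256 counter-mode keystream is a stand-in for the AES cipher an IPsec SA actually negotiates, chosen so the example runs with the Python standard library only; the IPv4 and ESP layouts follow the real formats.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed addresses taken from the topology on this slide (hypothetical lab values).
GW1, GW2 = "100.1.1.1", "200.2.2.2"          # public addresses of Firewall 1 / Firewall 2
HOST1, HOST2 = "192.168.1.1", "192.168.2.1"  # hosts in private network 1 / 2
ESP_PROTO = 50   # IP protocol number of ESP
NEXT_IPV4 = 4    # ESP "next header" value for a tunnelled IPv4 packet
UDP_PROTO = 17


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> tuple:
    """Return (src, dst, proto, payload); a corrupted header is rejected."""
    fields = struct.unpack(">BBHHHBBH4s4s", packet[:20])
    if fields[0] != 0x45 or ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header")
    return (str(ipaddress.IPv4Address(fields[8])), str(ipaddress.IPv4Address(fields[9])),
            fields[6], packet[20:fields[2]])


def make_sa(spi: int, enc_key: bytes, auth_key: bytes, local_gw: str, remote_gw: str) -> dict:
    """One direction of an IPsec SA; "seq" is the last sequence number sent or accepted."""
    return {"spi": spi, "enc_key": enc_key, "auth_key": auth_key,
            "local_gw": local_gw, "remote_gw": remote_gw, "seq": 0}


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the AES cipher a real SA negotiates."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(sa: dict, inner_packet: bytes, iv: bytes = None) -> bytes:
    """Tunnel mode: the whole inner packet becomes the ESP payload behind a new outer header."""
    sa["seq"] += 1
    iv = os.urandom(8) if iv is None else iv
    pad_len = (-(len(inner_packet) + 2)) % 4      # ESP trailer must be 4-byte aligned
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_IPV4])
    header = struct.pack(">II", sa["spi"], sa["seq"]) + iv
    ciphertext = xor(plaintext, keystream(sa["enc_key"], iv, len(plaintext)))
    icv = hmac.new(sa["auth_key"], header + ciphertext, hashlib.sha256).digest()[:16]
    return build_ipv4(sa["local_gw"], sa["remote_gw"], ESP_PROTO, header + ciphertext + icv)


def esp_decapsulate(sa: dict, outer_packet: bytes) -> bytes:
    """Check the ICV first (encrypt-then-MAC, as ESP does), reject replays, then decrypt."""
    src, dst, proto, esp = parse_ipv4(outer_packet)
    if (src, dst, proto) != (sa["remote_gw"], sa["local_gw"], ESP_PROTO):
        raise ValueError("not an ESP packet for this SA")
    header, ciphertext, icv = esp[:16], esp[16:-16], esp[-16:]
    spi, seq = struct.unpack(">II", header[:8])
    if spi != sa["spi"]:
        raise ValueError("unknown SPI")
    expected = hmac.new(sa["auth_key"], header + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")
    if seq <= sa["seq"]:
        raise ValueError("replayed sequence number")
    sa["seq"] = seq
    plaintext = xor(ciphertext, keystream(sa["enc_key"], header[8:], len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_IPV4:
        raise ValueError("unexpected next header")
    return plaintext[:len(plaintext) - 2 - pad_len]


def observer_view(outer_packet: bytes) -> tuple:
    """What a device on the Internet path can read: gateway addresses and the protocol number only."""
    src, dst, proto, _ = parse_ipv4(outer_packet)
    return src, dst, proto


def demo() -> dict:
    enc_key, auth_key = bytes(range(32)), bytes(range(32, 64))   # constructed keys for the demo only
    fw1_out = make_sa(0x1001, enc_key, auth_key, GW1, GW2)
    fw2_in = make_sa(0x1001, enc_key, auth_key, GW2, GW1)
    inner = build_ipv4(HOST1, HOST2, UDP_PROTO, b"constructed payload")
    outer = esp_encapsulate(fw1_out, inner)
    result = {"observer": observer_view(outer), "roundtrip_ok": esp_decapsulate(fw2_in, outer) == inner}
    tampered = bytearray(outer)
    tampered[-20] ^= 0x01                                          # flip one ciphertext bit
    try:
        esp_decapsulate(fw2_in, bytes(tampered))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    try:
        esp_decapsulate(fw2_in, outer)                             # same packet a second time
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The order of checks in `esp_decapsulate` is the point to keep: the ICV is verified before anything is decrypted or any state is updated, so a forged or modified packet costs the receiver one HMAC and changes nothing.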
HUAWEI CLOUD VPN Components
 A VPN consists of a VPN gateway and one or more VPN connections. A VPN gateway provides an Internet egress for a VPC and works together with the remote gateway in an on-premises data center. A VPN connection uses an encrypted connection to link the VPN gateway to a remote gateway to enable communication between a data center and a VPC. The VPN connection allows you to quickly build a secure hybrid cloud environment.

VPN Gateway
 A VPN gateway is an egress gateway of a VPC. With a VPN gateway, you can create a secure, reliable, and encrypted connection between a VPC and your data center or between two VPCs in different regions.
 A VPN gateway works together with the gateway in an on-premises data center. Each data center must have a gateway, and each VPC must have a VPN gateway. The VPN service allows you to set up site-to-site and hub-and-spoke VPN connections. A VPN gateway can connect to one or more remote gateways.

VPN Connection
 A VPN connection uses IPsec encryption to establish a secure and reliable communications tunnel between a VPN gateway and the gateway in an on-premises data center. Currently, only IPsec encryption is supported.
 VPN connections use IKE and IPsec to cost-effectively and securely encrypt data transmitted over the Internet.
Application Scenarios: Site-to-Site VPN Connection
 You use a VPN to establish a hybrid cloud by connecting an on-premises data center to a VPC.

Application Scenarios: Hub-and-Spoke VPN Connection
 You can also establish a hybrid cloud by using a VPN to connect multiple data centers to a VPC.

Product Advantages
 Data security: Huawei-proprietary hardware encrypts data based on IKE and IPsec with carrier-class reliability and ensures a stable VPN connection.
 Seamless scale-out: With VPN, you can connect your local data center to your VPC and quickly extend services from the data center to the cloud, forming a hybrid cloud.
 Low-cost connection: Encrypted IPsec VPN connections over the Internet provide a cost-effective alternative to Direct Connect connections.
 Ease-of-use: You can create an easy-to-use VPN connection by specifying parameters on the console and configuring it in your data center.
Billing
Pay-per-use
 If billing by bandwidth is selected, the billing cycle is one hour. The generated fee depends on the bandwidth size. The total price includes the VPN gateway bandwidth price and the price of the VPN connection created together with the gateway. If you create another connection for the gateway, you will be charged for the additional connection.
Total price = VPN gateway bandwidth price + VPN connection price
 If billing by traffic is selected, the traffic for each hour will be recorded, and the billing unit is 1 GB. If less than 1 GB is used, the proportion of 1 GB used is calculated and billed accordingly. In this case, modifying the bandwidth size does not change the public network traffic price per GB. Only traffic in the outbound direction is billed.
Total price = Public network traffic price + VPN connection price
Contents

1. Overview
2. Getting Started
3. Usage and Management
4. FAQs

Getting Started
 Procedure
 Buying a VPN Gateway
 Buying a VPN Connection

Buying a VPN Gateway (1/4)
 Procedure
 Register an account and log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Gateways.
 On the VPN Gateways page, click Buy VPN Gateway.
 Set the parameters as prompted and click Buy Now.
 Review the VPN gateway details and click Submit.

Buying a VPN Gateway (2/4)
(Figure)
Buying a VPN Gateway (3/4)
 Parameter descriptions
 Billing Mode: Specifies the billing mode for your VPN gateway. VPN gateways are billed on a pay-per-use basis. The price of a pay-per-use VPN gateway consists of the gateway price and bandwidth price. Example value: Pay-per-use
 Region: Specifies the region where your VPN gateway is located. Example value: CN East-Shanghai2
 VPC: Specifies the name of the VPC that the VPN connects to. Example value: vpc-001
 Name: Specifies the VPN gateway name. Example value: vpngw-001
 Type: Specifies the VPN type. IPsec is selected by default. Example value: IPsec

Buying a VPN Gateway (4/4)
 Parameter descriptions
 Billed By: A VPN gateway can be billed by bandwidth or by traffic. Bandwidth: you specify a maximum bandwidth and pay for the amount of time you use the bandwidth. Traffic: you specify a maximum bandwidth and pay for the total traffic you use. Example value: Traffic
 Bandwidth (Mbit/s): Specifies the bandwidth allowed (Mbit/s) for the VPN gateway. The bandwidth will be shared by all VPN connections created for the VPN gateway. The total bandwidth used by all VPN connections created for a VPN gateway cannot exceed the bandwidth configured for the VPN gateway. Example value: 100
 Description: Provides supplementary information about the VPN gateway. Example value: -
Buying a VPN Connection (1)
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Connections.
 On the VPN Connections page, click Buy VPN Connection.
 Set the parameters as prompted and click Buy Now.
 Confirm the VPN connection information and click Submit.
 Because the tunnel is symmetric, you also need to configure the IPsec VPN tunnel on the router or firewall in your data center.

Buying a VPN Connection (2)
(Figure)
VPN Connection Parameters (1)
 Parameter descriptions
 Billing Mode: Specifies the billing mode of a VPN connection. VPN connections are billed on a pay-per-use basis. Example value: Pay-per-use
 Region: Specifies the region where the VPN connection is located. Each region comprises one or more AZs and is isolated from other regions. Example value: CN East-Shanghai2
 Name: Specifies the VPN connection name. Example value: vpn-001
 VPN Gateway: Specifies the VPN gateway used by the VPN connection. Example value: vpcgw-001
 Local Subnet: Specifies the VPC subnets that need to communicate with your data center or private network. You can set the local subnet using either of the following methods: Select subnet, or Specify CIDR block. Example value: 192.168.1.0/24, 192.168.2.0/24
 Remote Gateway: Specifies the public IP address of the gateway in your data center or on the private network. This IP address is used for communication with the VPN gateway of a VPC. Example value: -

VPN Connection Parameters (2)
 Parameter descriptions
 Remote Subnet: Specifies the subnets of your data center or private network for communication with a VPC. The remote and local subnets cannot have overlapping or matching CIDR blocks. The remote subnet CIDR block cannot overlap with CIDR blocks involved in existing VPC peering connections created for the local VPC. Example value: 192.168.3.0/24, 192.168.4.0/24
 PSK: Specifies the pre-shared key. The value is a string of 6 to 128 characters. This parameter value must be the same for the VPN connection at both ends. Example value: Test@123
 Confirm PSK: Enter the pre-shared key again. Example value: Test@123
 Advanced Settings: Default, or Custom (including IKE and IPsec policies). Example value: Custom
VPN Connection Parameters (3)
 IKE policy
 Authentication Algorithm: Specifies the hash algorithm used for authentication. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5. The default value is SHA1. Example value: SHA1
 Encryption Algorithm: Specifies the encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is not strong enough to protect data. The default value is AES-128. Example value: AES-128
 DH Algorithm: Specifies the Diffie-Hellman key exchange algorithm. The value can be Group 2, Group 5, or Group 14. The default value is Group 5. The DH algorithms used at both ends of a VPN connection must be the same. Otherwise, the negotiation will fail. Example value: Group 5
 Version: Specifies the version of the IKE protocol. The value can be v1 or v2. The default value is v1. Example value: v1

VPN Connection Parameters (4)
 IKE policy
 Lifecycle (s): Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. The default value is 86400. Example value: 86400
 Negotiation Mode: This parameter is available only if the IKE policy version is v1. The value can be Main or Aggressive. The default value is Main. Example value: Main
VPN Connection Parameters (5)
 IPsec policy
 Authentication Algorithm: Specifies the hash algorithm used for authentication. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5. The default value is SHA1. Example value: SHA1
 Encryption Algorithm: Specifies the encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is not strong enough to protect data. The default value is AES-128. Example value: AES-128
 DH Algorithm: Specifies the Diffie-Hellman key exchange algorithm. This function enables DH key exchange during the phase-two negotiation, improving key security. The value can be Group 2, Group 5, or Group 14. The DH algorithms used at both ends of a VPN connection must be the same. Otherwise, the negotiation will fail. The default value is Group 5. Example value: Group 5

VPN Connection Parameters (6)
 IPsec policy
 Transfer Protocol: Specifies the security protocol used by IPsec to transmit and encapsulate data. The value can be AH, ESP, or AH-ESP. The default value is ESP. Example value: ESP
 Lifecycle (s): Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. The default value is 3600. Example value: 3600
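A pre-flight check for the connection parameters in the tables above, as an added example rather than console or HUAWEI CLOUD code: it applies the rules the tables state (PSK of 6 to 128 characters and identical at both ends; local and remote subnets that overlap neither each other nor existing peering CIDRs; IKE and IPsec policies whose algorithms, DH group and IKE version match at both ends, since otherwise negotiation fails) and flags 3DES, which the slides advise against, together with MD5 as an added weak-algorithm warning. The dictionary layout, the function names and the CLOUD_END sample values (taken from the example column of the tables) are this example's own assumptions.

```python
import ipaddress

# 3DES is the algorithm the slides advise against; MD5 is added here as a second
# weak choice to warn about (an added check, not a rule stated on the slides).
NOT_RECOMMENDED = {"3DES", "MD5"}
# Policy fields that must be identical at both ends or IKE/IPsec negotiation fails.
POLICY_FIELDS = ("auth", "enc", "dh", "version")


def check_psk(psk: str) -> list:
    """Slide rule: the pre-shared key is a string of 6 to 128 characters."""
    return [] if 6 <= len(psk) <= 128 else [f"PSK length {len(psk)} is outside 6 to 128"]


def check_subnets(local: list, remote: list, peering: list = ()) -> list:
    """Local and remote CIDR blocks must not overlap; remote blocks must also avoid peering CIDRs."""
    try:
        loc = [ipaddress.ip_network(c, strict=True) for c in local]
        rem = [ipaddress.ip_network(c, strict=True) for c in remote]
        peer = [ipaddress.ip_network(c, strict=True) for c in peering]
    except ValueError as err:
        return [f"invalid CIDR block: {err}"]
    problems = [f"local {a} overlaps remote {b}" for a in loc for b in rem if a.overlaps(b)]
    problems += [f"remote {b} overlaps peering {p}" for b in rem for p in peer if b.overlaps(p)]
    return problems


def negotiate(phase: str, local: dict, remote: dict) -> tuple:
    """Compare one policy (IKE or IPsec) end to end: mismatches are errors, weak algorithms warnings."""
    errors, warnings = [], []
    for field in POLICY_FIELDS:
        if (field in local or field in remote) and local.get(field) != remote.get(field):
            errors.append(f"{phase} {field} mismatch: local {local.get(field)} vs remote {remote.get(field)}")
    for field in ("auth", "enc"):
        if local.get(field) in NOT_RECOMMENDED:
            warnings.append(f"{phase} uses {local[field]}, which is not strong enough to protect data")
    return errors, warnings


def validate_connection(cloud_end: dict, dc_end: dict) -> dict:
    """Run every check against the two ends' settings and return a verdict with errors and warnings."""
    errors = check_psk(cloud_end["psk"])
    if cloud_end["psk"] != dc_end["psk"]:
        errors.append("PSK differs between the two ends")
    errors += check_subnets(cloud_end["local_subnets"], cloud_end["remote_subnets"],
                            cloud_end.get("peering_cidrs", ()))
    warnings = []
    for phase in ("ike", "ipsec"):
        phase_errors, phase_warnings = negotiate(phase, cloud_end[phase], dc_end[phase])
        errors += phase_errors
        warnings += phase_warnings
    return {"ok": not errors, "errors": errors, "warnings": warnings}


# Constructed cloud-side settings using the example values from the parameter tables above.
CLOUD_END = {
    "psk": "Test@123",
    "local_subnets": ["192.168.1.0/24", "192.168.2.0/24"],
    "remote_subnets": ["192.168.3.0/24", "192.168.4.0/24"],
    "ike": {"auth": "SHA1", "enc": "AES-128", "dh": "Group 5", "version": "v1", "lifetime": 86400},
    "ipsec": {"auth": "SHA1", "enc": "AES-128", "dh": "Group 5", "lifetime": 3600},
}


def make_dc_end(**ike_overrides) -> dict:
    """Data-center side with the same policy; IKE fields can be overridden to simulate a mismatch."""
    end = {"psk": CLOUD_END["psk"], "ike": dict(CLOUD_END["ike"]), "ipsec": dict(CLOUD_END["ipsec"])}
    end["ike"].update(ike_overrides)
    return end


if __name__ == "__main__":
    print(validate_connection(CLOUD_END, make_dc_end()))
    print(validate_connection(CLOUD_END, make_dc_end(dh="Group 14")))
```

Running the second call reproduces the failure mode the DH Algorithm row warns about: the only difference between the two ends is the DH group, and that alone is reported as an error.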
Contents

1. Overview
2. Getting Started
3. Usage and Management
4. FAQs

Usage and Management
 Viewing a VPN Gateway
 Modifying a VPN Gateway
 Deleting a VPN Gateway
 Viewing a VPN Connection
 Modifying a VPN Connection
 Deleting a VPN Connection
Viewing a VPN Gateway
 Scenario
 After creating a VPN gateway, you wish to view your VPN gateway details.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Gateways.
 On the VPN Gateways page, view your VPN gateway details.

Modifying a VPN Gateway
 Scenario
 VPN gateway details need to be updated to keep up with the latest network configuration.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Gateways.
 On the VPN Gateways page, locate the row that contains the target VPN gateway and click Modify in the Operation column.
 Set the required parameters and click OK.

Deleting a VPN Gateway
 Scenario
 You wish to delete a VPN gateway because it is no longer required.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Gateways.
 On the VPN Gateways page, locate the row that contains the VPN gateway you wish to delete and, in the Operation column, click Delete.

Viewing a VPN Connection
 Scenario
 After creating a VPN connection, you want to review your VPN connection details.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Connections.
 On the VPN Connections page, view information about your VPN connection.

Modifying a VPN Connection
 Scenario
 The VPN connection needs to be modified to keep up with a change in the network configuration.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Connections.
 On the VPN Connections page, locate the row that contains the target VPN connection and, in the Operation column, click Modify.
 Set the required parameters and click OK.

Deleting a VPN Connection
 Scenario
 You wish to delete a VPN connection that is no longer required.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Network.
 In the navigation pane on the left, choose Virtual Private Network > VPN Connections.
 On the VPN Connections page, locate the row that contains the VPN connection you wish to delete and, in the Operation column, click Delete.
Related Services

 VPC: After a VPC is created, services in an on-premises data center can be migrated to the cloud through a VPN. Reference: Creating a VPC
 VPC: With a VPC, you can create security groups, define security group rules, and add ECSs in the VPC to different security groups, improving ECS security. Reference: Creating a Security Group
 Cloud Connect: Cloud Connect works together with VPN to enable stable network communication between an on-premises data center and cross-border VPCs. Reference: Setting Up a Cross-Border Network Connection Through VPN
 NAT Gateway: A NAT gateway enables servers in an on-premises data center to access the Internet or provide services that are accessible from the Internet. Reference: Using SNAT and DNAT Rules to Enable Inter-Cloud High-Speed Internet Access
Contents

1. Overview
2. Getting Started
3. Usage and Management
4. FAQs

FAQs (1/3)
 What types of VPNs are supported?
 Currently, only IPsec VPNs are supported.
 How many VPN connections can I have?
 A maximum of two VPN gateways can be created in each account by default.
 A maximum of two VPN connections can be created in each account by default. You can request to increase the VPN connection quota to up to 20. If you still need more VPN connections, contact the customer service.
 Does IPsec VPN support automatic negotiation?
 Yes. IPsec VPNs support automatic negotiation.
FAQs (2/3)
 Why is Not Connected displayed as the status for the VPN I created?
 After a VPN is created, its status only changes to Normal if the servers on both ends of the VPN can communicate with each other.
 IKE v1: If no traffic goes through the VPN connection for a certain length of time, the VPN will automatically disconnect and need to be renegotiated. The delay before a VPN disconnects depends on Lifecycle (s) in the IPsec policy. Generally, the value of Lifecycle (s) is 3600 (1 hour), which means a renegotiation will be initiated in the fifty-fourth minute. If the negotiation succeeds, the connection remains connected until the next round of negotiation. If the negotiation fails, its status will be Not Connected for the next hour. To restore the connection, both ends of the VPN connection must be able to communicate with each other. Disconnections can be avoided by using a network monitoring tool, such as IP SLA, to generate packets, which will keep the connection active.
 IKE v2: If no traffic goes through the VPN connection for a period of time, the VPN remains in the connected status.

FAQs (3/3)
 Does a VPN allow for communication between two VPCs?
 If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them.
 If the two VPCs are in different regions, you can use a VPN to enable communication between the VPCs. The CIDR blocks of the two VPCs are the local and remote subnets.
More Information

Abbreviations
 GRE: Generic Routing Encapsulation
 L2TP: Layer 2 Tunneling Protocol
 PPTP: Point-to-Point Tunneling Protocol
 IKE: Internet Key Exchange
 SA: Security Association
 AH: Authentication Header
 ESP: Encapsulating Security Payload
Quiz

1. Which of the following are the advantages of the VPN service?
A. Data security
B. Seamless scale-out
C. Low-cost connection
D. Ease-of-use

Recommendations

 Huawei learning website
 http://support.huawei.com/learning/Index!toTrainIndex
 Huawei knowledge base
 https://support.huawei.com/enterprise/en/knowledge?lang=en

Thank you.

Network Cloud Services - Direct Connect
Foreword

 This chapter describes the Direct Connect service of HUAWEI CLOUD.

Objectives

On completion of this course, you will be able to:
 Know the basic concepts of Direct Connect.
 Create Direct Connect connections.
 Manage Direct Connect connections.

Contents

1. Overview
2. Management
3. FAQs
Direct Connect Overview
 Direct Connect allows you to establish a dedicated network connection between your on-premises data center and the public cloud. With Direct Connect, you can easily build a secure and reliable hybrid cloud.

Product Architecture
 Key components for Direct Connect are a connection, virtual gateway, and virtual interface.
 A connection links your on-premises data center to the public cloud. A virtual gateway is associated with the VPC that you want to access. A virtual interface connects your gateway to the virtual gateway to enable your on-premises data center to access the VPC.
VPN vs Direct Connect

VPN:
• VPN establishes an Internet connection between your on-premises data center and the public cloud, and the network quality of this connection is not as good as that of a Direct Connect connection.
• VPN is easy to provision, and its cost is much lower than Direct Connect.
• VPN can be used immediately after you enable the service and complete the configuration.

Direct Connect:
• Direct Connect allows you to establish a dedicated network connection from your on-premises data center to the public cloud. Direct Connect enables you to take full advantage of the public cloud while retaining legacy IT facilities to establish a scalable hybrid cloud computing environment.
• Direct Connect features low latency and stable network quality, but is more expensive.
• A longer time is required to deploy the leased line.
Direct Connect Network Planning - Standard Connection
 A standard connection provides a dedicated port for your exclusive use. You can create standard connections on the management console. You can have more than one connection terminated at different Direct Connect locations. These connections work as a backup for each other, improving the reliability of connections. If you select only one carrier due to special requirements, you must configure different routes.

Direct Connect Network Planning - Hosted Connection
 The partner has deployed the leased line between your data center and the Direct Connect location you selected and provisions a hosted connection for you.
Direct Connect Advantages

 High Security: You can use Direct Connect to connect to one or more VPCs. With Direct Connect, a dedicated channel that is isolated from other networks is used for communication, ensuring high security.
 Low Latency: A dedicated network is used for data transmission, which brings high network performance, low latency, and excellent user experience.
 High Bandwidth: A connection supports a maximum of 10 Gbit/s bandwidth, meeting your current and future connectivity needs.
 Great Scalability: By connecting on-premises systems to HUAWEI CLOUD, you gain access to cloud resources for flexible, scalable hybrid deployment.
Contents

1. Direct Connect Overview
2. Direct Connect Management
3. FAQs

Process for Establishing Network Connectivity
 To establish network connectivity using Direct Connect, do as follows:
Make preparations -> Create a connection -> Create a virtual gateway -> Create a virtual interface -> Configure local routes -> End
Procedure for Establishing Network Connectivity
1. Before you request a standard connection, confirm the detailed address of the Direct Connect location and the port availability, contact the carrier for a site survey, and confirm the cost.
2. Create a connection to reserve a port for the connection and work with the carrier and HUAWEI CLOUD to connect your on-premises network to the public cloud. The entire process involves the customer, carrier, and HUAWEI CLOUD. The Direct Connect console details the instructions for each phase of the process.
3. Create a virtual gateway and a virtual interface to connect your on-premises network to HUAWEI CLOUD.
Preparations - Selecting a Direct Connect Location
 When selecting a Direct Connect location, you need to consider the region, carrier, and port.
 Select a location closest to your data center to reduce network latency. The carriers and bandwidth capabilities vary at different locations.
 Select a carrier that can best meet your service requirements. You can choose one from carriers such as China Unicom, China Telecom, and China Mobile.
 Decide the type of port you want to use: an optical port or electrical port.
Direct Connect locations: https://support.huaweicloud.com/intl/en-us/productdesc-dc/dc_01_0004.html

Preparations - Site Survey by Carrier
 After you select a location, contact the carrier for a site survey.
 Consult the carrier about the way to access the cloud.
 Submit an application to HUAWEI CLOUD for a site survey in the equipment room. The application must include the name, ID card number, and contact information of the personnel who will go to the equipment room for the site survey.
 After the application is approved, HUAWEI CLOUD will assist in completing the site survey within two working days.
 Contact the carrier to perform a site survey and confirm the costs, including the cost of:
 Port (paid to HUAWEI CLOUD) and one-time setup (free for now)
 Leased line (paid to the carrier)
 In-building cabling
Connection - Self-service Connection
 A connection consists of a line that you leased from a carrier and a port provided by HUAWEI CLOUD. Create a connection and use it to connect your on-premises data center to the Direct Connect location you selected. After you have created a connection on the console, HUAWEI CLOUD provides you with a port for exclusive use. To establish network connectivity, you need to connect the leased line to the Direct Connect location you selected.

Connection - Full-service Connection
 HUAWEI CLOUD completes all operations required for connecting your data center to the cloud, including integrating the network resources and ports.
Parameters for Purchasing a Self-service Connection
 Billing Mode: Specifies the billing mode of the connection. Currently, only Yearly/Monthly is supported. Example value: -
 Region: Specifies the region where the connection will be used. Example value: CN South-Guangzhou
 Location: Specifies the equipment room from which the on-premises data center is connected to the cloud. Example value: Beijing-Centrin
 Name: Specifies the connection name. Example value: dc-123
 Port Type: Specifies the type of the port used for the connection. The value can be 1GE or 10GE. Example value: 1GE
 Bandwidth: Specifies the bandwidth of the connection in the unit of Mbit/s. Example value: 100 Mbit/s
 Carrier: Specifies the provider of the leased line. Example value: China Mobile
 Your Equipment Room Address: Specifies the specific location of your equipment room. Example value: Shenzhen
 Description: Provides supplementary information about the connection. Example value: -
 Required Duration: Specifies how long the connection will be used. Example value: 5 months
Parameters for Creating a Hosted Connection
 Name: Specifies the connection name. The value can contain 1 to 64 characters. Example value: client-dc-123
 Project ID: Specifies the ID of the project for the hosted connection. Example value: cn-north-1
 Operations Connection: Specifies the operations connection on which the hosted connection depends. Example value: direconnect-1
 Bandwidth: Specifies the bandwidth of the hosted connection in the unit of Mbit/s. The value cannot exceed the remaining bandwidth value of the operations connection. Example value: 100 Mbit/s
 VLAN: Specifies the VLAN of the hosted connection. Example value: 30
 Your Equipment Room Address: Specifies the specific location of your equipment room. Example value: XXX company, XXX Street, XXX City
 Description: Provides supplementary information about the hosted connection. The description can contain a maximum of 128 characters. Example value: -
Creating a Virtual Gateway and a Virtual Interface
 After creating a connection, you need to create a virtual gateway and a virtual interface to access the desired VPC.
1. Log in to the management console.
2. Under Network, click Direct Connect.
3. In the left navigation pane, choose Virtual Gateways.
4. Click Create Virtual Gateway.
5. In the Create Virtual Gateway dialog box, set the parameters.
6. Click OK. Ensure that the status of the virtual gateway is Normal.
7. Switch back to the left navigation pane and choose Virtual Interfaces.
8. Click Create Virtual Interface.
9. In the Create Virtual Interface dialog box, set the parameters.
10. Click Create Now. Ensure that the status of the virtual gateway is Normal.
11. Ping the IP address of a server in the VPC from your on-premises data center to test network connectivity. If the test is successful, your on-premises data center can connect to the cloud and access the desired VPC.
Parameters for Creating a Virtual Gateway
 Name: Specifies the virtual gateway name. The value can contain 1 to 64 characters. Example value: vgw-123
 VPC: Specifies the VPC to be associated with the virtual gateway. Example value: VPC-001
 Subnet CIDR Block: Specifies the CIDR blocks of the VPC to be accessed. You can add one or more CIDR blocks. Separate multiple CIDR blocks with commas. Example value: 192.168.0.0/16
 Description: Provides supplementary information about the virtual gateway. The description can contain a maximum of 128 characters. Example value: -
Parameters for Creating a Virtual Interface (1)
 Region: Specifies the region in which the services will be handled. If you already selected a region and a project on the management console, you do not need to select the region here. Example value: CN South-Guangzhou
 Name: Specifies the virtual interface name. The value can contain 1 to 64 characters. Example value: vif-123
 Connection: Specifies the connection to be associated. Example value: dc-123
 Virtual Gateway: Specifies the virtual gateway to which the virtual interface connects. Example value: vgw-123
 VLAN: Specifies the ID of the VLAN in which the virtual interface works. The system automatically allocates a VLAN ID. Example value: 30
 Local Gateway: Specifies the IP address for connecting to the cloud. Example value: 10.0.0.1/24
 Remote Gateway: Specifies the IP address for connecting to your network. The remote gateway must be in the same IP address range as the local gateway. It is recommended that both IP addresses use a 30-bit mask. Example value: 10.0.0.2/24

Parameters for Creating a Virtual Interface (2)
 Routing Mode: Specifies the routing mode. Two options are available: static routing and BGP routing.
 Remote Subnet: Specifies the subnets and masks of your network. Separate multiple subnets with commas (,). Example value: 192.168.51.0/24
 BGP ASN: Specifies the autonomous system number (ASN) of the BGP peer. This parameter is required when BGP routing is selected. Example value: -
 BGP MD5 Authentication Key: Specifies the MD5 value of the BGP peer. This parameter is required when BGP routing is selected. Example value: -
 Description: Provides supplementary information about the virtual interface. The description can contain a maximum of 128 characters. Example value: -
Configuring Local Routes - Static Routes
 Wait for route advertisement on the cloud.
 The Direct Connect device automatically advertises the routes.
 Advertise the routes on your device.
Configuration example:
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.1

Configuring Local Routes - BGP Routes
 Wait for route advertisement on the cloud.
 The Direct Connect device automatically advertises the routes.
 Advertise the routes on your device.
Configuration example:
 bgp 64510
 peer 10.0.0.1 as-number 64512
 peer 10.0.0.1 password simple 1234567
 network 10.1.123.0 255.255.255.0
Direct Connect Resource Quotas

 Number of connections that can be created for an account in each region: 10. This quota cannot be increased.
 Number of virtual interfaces that can be created for an account in each region: 50. This quota cannot be increased.
 Number of virtual gateways that can be created for an account in each region: 5. Submit a service ticket to increase the quota.
 Number of routes for BGP sessions on a virtual interface: 100. This quota cannot be increased.
 Number of static routes on a virtual interface: 50. This quota cannot be increased.
Restrictions on Using Direct Connect

• There may be more than one Direct Connect location in a region. In this case, network latency from each location to different AZs in the region should be less than 5 ms.
• If your services have high requirements on network latency, you can submit a service ticket to consult the location that is the nearest to the AZ where your cloud servers reside.
• 100.64.0.0/10 is used in VPCs. Plan the CIDR blocks in your on-premises data center and on the cloud in advance to ensure that IP addresses of the HUAWEI CLOUD gateway and your on-premises gateway do not overlap.
• Currently, 1GE and 10GE single-mode optical ports can transmit data up to 10 km. If you need an optical port that can transmit data for more than 10 km, or you need a 40GE or 100GE port, you need to purchase optical modules by yourself.

(Figure: Direct Connect location and connection)


Direct Connect Billing
 You can create a standard connection for exclusive use of the port, or request a hosted
connection from a partner to share a port with others.
 Billing Mode
 Prepayment (yearly/monthly subscription)



Contents

1. Direct Connect Overview

2. Direct Connection Management

3. FAQs



FAQs (1/3)
 Can I access one VPC using multiple connections?
 Yes. To do so, you need to create multiple virtual interfaces, and select the same
virtual gateway but different connections for each virtual interface.
 What port types does Direct Connect provide?
 Direct Connect provides 1GE and 10GE optical ports. The maximum bandwidth
supported by a standard or operations connection is 10 Gbit/s.
 What are the requirements for IP addresses used by a connection?
 Servers at the two ends of a connection must use different private IP addresses. If
you use public IP addresses on your on-premises network, you need to map them to
private IP addresses using network address translation (NAT).


FAQs (2/3)
 How is Direct Connect billed?
 Currently, only the yearly/monthly billing mode is available.
 How can I unsubscribe from Direct Connect?
 For a connection requested through email or call, contact customer service to
unsubscribe from it.
 For a connection created on the console, you need to delete its virtual gateway and
virtual interface before the unsubscription.



FAQs (3/3)
 Is a connection still available after it is frozen?
 After a connection expires, it will be frozen and become unavailable. If you renew
the subscription within the period for which the connection is frozen, the connection
will become available again.
 If you do not renew your subscription within this period, your connection will be
deleted and you can no longer renew the subscription. Contact customer service for
more information about the period for which a connection is frozen.



Quiz

Which of the following are characteristics of Direct Connect when compared with
VPN? ( )
A. Out-of-the-box

B. Lower latency, stabler service quality, but higher costs

C. Longer provisioning time due to line deployment

D. Based on the Internet



Recommendations

 Online learning website


 https://e.huawei.com/en/talent/#/
 Huawei Knowledge Base
 https://support.huawei.com/enterprise/en/knowledge?lang=en



Thank you.



Network Cloud Services - VPC Peering



Foreword

 This chapter introduces the HUAWEI CLOUD VPC Peering function.



Objectives

On completion of this course, you will be able to:


 Understand the concept of VPC peering connections.
 Understand the application scenarios of VPC peering connections.
 Use VPC peering connections.



Contents

1. Overview

2. Getting Started

3. Usage and Management

4. FAQs



Concepts - VPC Peering Connection
 A VPC peering connection is a network connection that allows two VPCs to communicate with
each other using private IP addresses if they are in the same region. You can create a VPC peering
connection between your own VPCs, or between your VPC and a VPC of another account within
the same region. A VPC peering connection cannot be created between VPCs in different regions.

(Figure: two VPCs, 10.10.0.0/16 with subnets 10.10.1.0/24 and 10.10.2.0/24, and 10.20.0.0/16 with subnets 10.20.1.0/24 and 10.20.2.0/24. Each VPC has a router and a subnet gateway per subnet; the two routers are linked by a VPC peering connection.)


Concepts - Subnet
 A subnet is a network plane for managing cloud resources in a VPC. All cloud resources
are deployed in subnets.

(Figure: a VPC router with three subnets, 10.10.1.0/24, 10.10.2.0/24, and 10.10.3.0/24, whose subnet gateway IP addresses are 10.10.1.1, 10.10.2.1, and 10.10.3.1.)


Concepts - Route Table
 A route table contains routes, which determine where traffic is directed.

(Figure: in a VPC subnet, ECSs with no EIP bound reach the Internet through an ECS deployed with the SNAT service at 10.10.1.124, which has an EIP. Route table entry: destination 0.0.0.0/0, next hop 10.10.1.124.)


Concepts - CIDR Block
 You need to specify a CIDR block when creating a VPC or subnet.
 There are five classes of IPv4 addresses: Class A, Class B, Class C, Class D, and Class E. However,
only IP addresses of Class A, Class B, and Class C can be assigned.

Class A (0.0.0.0-127.255.255.255): leading bit 0, network part 8 bits, host part 24 bits
Class B (128.0.0.0-191.255.255.255): leading bits 10, network part 16 bits, host part 16 bits
Class C (192.0.0.0-223.255.255.255): leading bits 110, network part 24 bits, host part 8 bits


Concepts - CIDR Block
 Generally, an IP address range is represented in CIDR notation.
 Take 192.168.1.0/24 as an example. The part 192.168.1.0 is the address, made up of the network
part followed by the host part, and the /24 part is the number of one-bits in the subnet mask.

Network part: 192.168.1 (11000000.10101000.00000001)
Host part: .0 (.00000000)
Subnet mask: 255.255.255.0 (11111111.11111111.11111111.00000000)


Concepts - CIDR Block
 You can calculate the number of IP addresses in a CIDR block from the number of host bits left by
its subnet mask (n = 32 minus the mask length).

IP address: 192.168.1.7 (11000000 10101000 00000001 00000111)
Subnet mask: 255.255.255.0 (11111111 11111111 11111111 00000000)
Network address (IP address AND subnet mask): 192.168.1.0 (11000000 10101000 00000001 00000000)

Hosts: 2^n = 256 (n = 8)
Available hosts: 2^n - 2 = 254 (the network and broadcast addresses are not assignable)
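The calculation on this slide, carried out in code, as an added example that is not part of the course material: the mask is built from the prefix length, the network address is the bitwise AND of the address and the mask, and the host counts follow from the number of host bits. The function also covers /31 and /32 blocks, where there is no network or broadcast address to subtract.

```python
import ipaddress

# Added example (not from the course). It reproduces the slide's method:
# AND the address with the mask to get the network address, then derive
# the host counts from the number of host bits.


def to_binary_dotted(value: int) -> str:
    """Render a 32-bit integer as dotted binary, e.g. 11000000.10101000.00000001.00000111."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def cidr_summary(cidr: str) -> dict:
    """Return network address, mask, broadcast and host counts for an IPv4 address in CIDR notation."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    ip_int = int(ipaddress.IPv4Address(ip_str))
    # A /n mask is n one-bits followed by (32 - n) zero-bits.
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network_int = ip_int & mask_int                 # network address = IP AND mask
    broadcast_int = network_int | (~mask_int & 0xFFFFFFFF)
    host_bits = 32 - prefix
    hosts = 2 ** host_bits                          # 2^n addresses in the block
    # The network and broadcast addresses are not assignable, except in
    # /31 and /32 blocks, which have no room to reserve them.
    available = hosts - 2 if host_bits >= 2 else hosts
    return {
        "network": str(ipaddress.IPv4Address(network_int)),
        "network_binary": to_binary_dotted(network_int),
        "mask": str(ipaddress.IPv4Address(mask_int)),
        "mask_binary": to_binary_dotted(mask_int),
        "broadcast": str(ipaddress.IPv4Address(broadcast_int)),
        "hosts": hosts,
        "available_hosts": available,
    }


if __name__ == "__main__":
    # 192.168.1.7/24 is the slide's example; the other two come from the subnet-planning slide.
    for cidr in ("192.168.1.7/24", "10.0.48.0/21", "10.0.0.0/16"):
        s = cidr_summary(cidr)
        print(f"{cidr}: network {s['network']} ({s['network_binary']}), mask {s['mask']}, "
              f"{s['hosts']} addresses, {s['available_hosts']} assignable")
```

For 192.168.1.7/24 the function returns network 192.168.1.0, 256 addresses and 254 assignable hosts, matching the slide; for 10.0.48.0/21 it returns 2048 addresses and 2046 assignable hosts.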



Subnet Planning
 Determine the size of a subnet CIDR block based on your service requirements.

VPC 10.0.0.0/16
AZ1 10.0.0.0/18
Subnet A 10.0.0.0/19
Subnet B 10.0.32.0/20
Subnet C 10.0.48.0/21
AZ2 10.0.64.0/18
Subnet X 10.0.64.0/19
Subnet Y 10.0.96.0/20
Subnet Z 10.0.112.0/21



Restrictions on Subnets When Creating a VPC Peering
Connection
 If VPCs connected by a VPC peering connection have overlapping CIDR blocks, the
connection can only enable communication between specific (non-overlapping) subnets
in the VPCs. If two subnets have overlapping CIDR blocks, a VPC peering connection
cannot be created between them. When creating a VPC peering connection, ensure that
the VPCs involved do not contain overlapping subnets.
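An added example (not part of the course) that checks the two planning rules from the slides above before a peering connection is created: the subnet plan from the Subnet Planning slide must fit inside the VPC CIDR block without overlapping subnets or touching 100.64.0.0/10 (which the Direct Connect restrictions slide says is used in VPCs), and subnet pairs across two VPCs are classified into those a peering connection can join and those that overlap and therefore cannot. The VPC and subnet values are taken from the slides; the conflicting pair of VPCs is constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Added example, not from the course. The Direct Connect restrictions slide
# states that 100.64.0.0/10 is used in VPCs, so planned blocks must avoid it.
RESERVED_BLOCKS = [ipaddress.IPv4Network("100.64.0.0/10")]


def validate_subnet_plan(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Return a list of problems with a VPC subnet plan; an empty list means the plan is sound."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    subnets = [ipaddress.IPv4Network(s) for s in subnet_cidrs]
    problems = []
    for reserved in RESERVED_BLOCKS:
        if vpc.overlaps(reserved):
            problems.append(f"VPC {vpc} overlaps reserved block {reserved}")
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} is not inside VPC {vpc}")
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            problems.append(f"subnets {a} and {b} overlap")
    return problems


def peering_check(vpc_a: str, subnets_a: list, vpc_b: str, subnets_b: list) -> dict:
    """Classify cross-VPC subnet pairs: reachable over a peering connection, or blocked by overlap."""
    net_a, net_b = ipaddress.IPv4Network(vpc_a), ipaddress.IPv4Network(vpc_b)
    reachable, blocked = [], []
    for sa in subnets_a:
        for sb in subnets_b:
            if ipaddress.IPv4Network(sa).overlaps(ipaddress.IPv4Network(sb)):
                blocked.append((sa, sb))      # overlapping subnets cannot be peered
            else:
                reachable.append((sa, sb))
    return {
        "vpc_cidrs_overlap": net_a.overlaps(net_b),
        "reachable_pairs": reachable,
        "blocked_pairs": blocked,
    }


# Values from the Subnet Planning slide (VPC 10.0.0.0/16 split across two AZs).
AZ_PLAN = ["10.0.0.0/19", "10.0.32.0/20", "10.0.48.0/21",
           "10.0.64.0/19", "10.0.96.0/20", "10.0.112.0/21"]

if __name__ == "__main__":
    print("plan problems:", validate_subnet_plan("10.0.0.0/16", AZ_PLAN))
    # VPC 1 / VPC 2 from the CIDR Block Planning slide: nothing overlaps.
    print(peering_check("192.168.0.0/16", ["192.168.1.0/24", "192.168.2.0/24"],
                        "10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    # Constructed conflict: both VPCs use 10.0.0.0/16 and share the subnet 10.0.1.0/24.
    print(peering_check("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"],
                        "10.0.0.0/16", ["10.0.1.0/24", "10.0.3.0/24"]))
```

In the constructed conflict case the VPC CIDR blocks overlap, the pair (10.0.1.0/24, 10.0.1.0/24) is blocked, and only the three non-overlapping subnet pairs could communicate, which is exactly the limitation the slide describes.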



Contents

1. Overview

2. Getting Started

3. Usage and Management

4. FAQs



Process for Configuring a VPC Peering Connection
 Configuration process

Confirm the network plan. -> Determine the VPC CIDR block and subnet CIDR block. -> Create a VPC. -> Create a subnet. -> Create a VPC peering connection. -> Configure a route table. -> Test the connectivity.


Connection Design
You can use VPC Peering to
 Connect two VPCs.
 Connect multiple VPCs.

(Figure: VPC 1, CIDR block 192.168.0.0/16, with Subnet-A 192.168.1.0/24 and Subnet-B 192.168.2.0/24, linked by a VPC peering connection to VPC 2, CIDR block 10.0.0.0/16, with Subnet-X 10.0.1.0/24 and Subnet-Y 10.0.2.0/24.)


CIDR Block Planning
Plan CIDR blocks and ensure that the CIDR blocks of different VPCs do not
overlap.

VPC 1 | CIDR Block
VPC | 192.168.0.0/16
Subnet-A | 192.168.1.0/24
Subnet-B | 192.168.2.0/24

VPC 2 | CIDR Block
VPC | 10.0.0.0/16
Subnet-X | 10.0.1.0/24
Subnet-Y | 10.0.2.0/24


Route Configuration
 Routes are required to enable communication between VPC 1 and VPC 2. The following
shows the routes required for the VPC peering connection to establish communication
between VPC 1 and VPC 2.

VPC 1 VPC Peering Route Table
Destination | Next Hop
10.0.0.0/16 | vpc-peering

VPC 2 VPC Peering Route Table
Destination | Next Hop
192.168.0.0/16 | vpc-peering
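The two route tables above only work as a pair: if the route is added in VPC 1 but forgotten in VPC 2, packets leave VPC 1 but the replies have no path back, and the connectivity test fails with what looks like a timeout. The following added example (not from the course) models each VPC's route table as a list of (destination, next hop) entries, resolves a destination by longest-prefix match the way a router does, and checks both the forward and the return route of a flow. The "local" entry stands for the system route for the VPC's own CIDR block, and the incomplete VPC 2 table is constructed to show the failure mode.

```python
import ipaddress

# Added example, not part of the course material. Route tables are modelled as
# lists of (destination CIDR, next hop). "local" is the system route for the
# VPC's own CIDR block; "vpc-peering" is the connection name used on the slides.
VPC1_ROUTES = [("192.168.0.0/16", "local"), ("10.0.0.0/16", "vpc-peering")]
VPC2_ROUTES = [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vpc-peering")]
VPC2_ROUTES_INCOMPLETE = [("10.0.0.0/16", "local")]   # constructed: peering route missing


def lookup_route(routes, dst_ip):
    """Longest-prefix match: return the (destination, next_hop) entry that wins for dst_ip, or None."""
    addr = ipaddress.IPv4Address(dst_ip)
    best, best_len = None, -1
    for dst, next_hop in routes:
        net = ipaddress.IPv4Network(dst)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (dst, next_hop), net.prefixlen
    return best


def check_peering_path(src_routes, dst_routes, src_ip, dst_ip, peering="vpc-peering"):
    """Check the forward and return routes for a flow across a peering connection.

    Returns a list of problems; an empty list means both directions resolve to
    the peering connection. A route present in only one table lets packets out
    but leaves the reply with no path back.
    """
    problems = []
    fwd = lookup_route(src_routes, dst_ip)
    if fwd is None or fwd[1] != peering:
        problems.append(f"forward: {dst_ip} resolves to {fwd}, expected next hop {peering}")
    rev = lookup_route(dst_routes, src_ip)
    if rev is None or rev[1] != peering:
        problems.append(f"return: {src_ip} resolves to {rev}, expected next hop {peering}")
    return problems


if __name__ == "__main__":
    # Subnet-A host talking to Subnet-X host, with complete and incomplete VPC 2 tables.
    print(check_peering_path(VPC1_ROUTES, VPC2_ROUTES, "192.168.1.10", "10.0.1.10"))
    print(check_peering_path(VPC1_ROUTES, VPC2_ROUTES_INCOMPLETE, "192.168.1.10", "10.0.1.10"))
```

With both tables configured as on the slide the check returns no problems; with the incomplete VPC 2 table it reports the missing return route, which is the first thing to verify when a connectivity test across a peering connection fails.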


Creating a VPC and Subnet (1)
 Create VPC 1.



Creating a VPC and Subnet (2)
 Create Subnet-A and Subnet-B.



Creating a VPC and Subnet (3)
 Create VPC 2.



Creating a VPC and Subnet (4)
 Create Subnet-X and Subnet-Y.



Configuring a VPC Peering Connection (1)
 Create a VPC peering connection.



Configuring a VPC Peering Connection (2)
 Configuration parameters

Parameter | Description | Example Value
Name | Specifies the name of the VPC peering connection. The name can contain a maximum of 64 characters. Only letters, digits, hyphens (-), and underscores (_) are allowed. | vpc-peering
Local VPC | Specifies the local VPC. Select a local VPC from the drop-down list. | VPC1
Local VPC CIDR Block | Specifies the CIDR block for the local VPC. | 192.168.0.0/16
Account | Specifies the account to which the peer VPC belongs. My account: the VPC peering connection will be created between two VPCs, in the same region, in your account. Another account: the VPC peering connection will be created between your VPC and a VPC in another account, in the same region. | My account
Peer Project | Specifies the peer project name. The name of the current project is used by default. | XXX
Peer VPC | Specifies the peer VPC. You can select one from the drop-down list if the VPC peering connection is created between two VPCs in your own account. | VPC2
Peer VPC CIDR Block | Specifies the CIDR block for the peer VPC. The local and peer VPCs cannot have overlapping CIDR blocks. Otherwise, the routes added for the VPC peering connection may not take effect. | 10.0.0.0/16


Configuring a VPC Peering Connection (3)
 Add a route to the route table of VPC 1.



Configuring a VPC Peering Connection (4)
 Add a route to the route table of VPC 2.



Configuring a VPC Peering Connection (5)
 Route parameter descriptions

Parameter | Description | Example Value
Destination | Specifies the destination address. Set it to the peer VPC or subnet CIDR block. | 192.168.0.0/16
Next Hop Type | Specifies the next hop type, which can be ECS, VPN gateway, cloud connection, or VPC peering connection. | VPC peering connection
Next Hop | Specifies the next hop. The default value is the VPC peering connection ID. Retain the default value. | vpc-peering (ID: d1a7863b-9d5e-4d27-8eaf-ab14d2a9148b)


Contents

1. Overview

2. Getting Started

3. Usage and Management

4. FAQs



Usage and Management
 Viewing a VPC Peering Connection
 Viewing Routes Added to Local and Peer Route Tables
 Modifying Local and Peer Route Tables
 Deleting Routes from Local and Peer Route Tables
 Deleting a VPC Peering Connection



Viewing a VPC Peering Connection
 Scenarios
 After creating a VPC peering connection, you can view details about your connection.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Cloud. In the
navigation pane on the left, click VPC Peering.
 On the displayed page, you can view the VPC peering connection, including its local
VPC and peer VPC.



Viewing Routes Added to Local and Peer Route Tables
 Scenarios
 You can view information about the routes added to local and peer route tables.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Cloud. In the
navigation pane on the left, click Route Tables.
 On the Route Tables page, you can view the route tables. Click the name of a route
table to view added routes.



Modifying Local and Peer Route Tables
 Scenarios
 You can modify the routes added to the local and peer route tables.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Cloud. In the
navigation pane on the left, click Route Tables.
 On the Route Tables page, locate the route table you want to modify and click its
name. On the displayed page, add or modify routes.



Deleting Routes from Local and Peer Route Tables
 Scenarios
 You can delete the added routes from a route table. However, the system route
cannot be deleted.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Cloud. In the
navigation pane on the left, click Route Tables.
 On the Route Tables page, locate the route table and click its name. On the
displayed page, delete the routes that you no longer require.



Deleting a VPC Peering Connection
 Scenarios
 You can delete a VPC peering connection if you no longer require it.
 Procedure
 Log in to the management console.
 On the console homepage, under Network, click Virtual Private Cloud. In the
navigation pane on the left, click VPC Peering.
 On the displayed page, locate the row that contains the VPC peering connection you
want to delete and click Delete in the Operation column.



Contents

1. Overview

2. Getting Started

3. Usage and Management

4. FAQs



FAQs
 Can I create a VPC peering connection to enable communication between two
VPCs that have overlapping subnet CIDR blocks?
 No. If VPCs connected by a VPC peering connection have overlapping CIDR blocks,
the connection can only enable communication between specific (non-overlapping)
subnets in the VPCs. If two subnets have overlapping CIDR blocks, a VPC peering
connection cannot be created between them.
 Can I create more than one VPC peering connection between two VPCs at the
same time?
 No.



FAQs
 Can I create a VPC peering connection to enable communications between two
VPCs in different regions?
 No. You can use Cloud Connect to connect VPCs in different regions.
 If VPC A is peered with VPC B, and VPC B has EIPs that can be used to access
the Internet, can resources in VPC A access the Internet using EIPs in VPC B?
 No.



Quiz

1. What is the function of a VPC peering connection?

2. Why do I need to configure route tables after creating a VPC peering connection?



Summary

 This chapter describes the basic concepts and application scenarios of VPC
peering connections, as well as the procedure and restrictions for
configuring VPC peering connections, to help you better use the
connections.



Recommendations

 Huawei learning website


 https://e.huawei.com/en/talent
 Huawei knowledge base
 https://support.huawei.com/enterprise/en/knowledge?lang=en



Thank you.



Revision Record (Do Not Print this Page)

Course Code | Product | Product Version | Course Version
- | HUAWEI CLOUD products | Product version | V2.2

Author/ID | Date | Reviewer/ID | New/Update
Wei Huanjie/WX577304 | 2020.07 | Wang Jiale/WX280978 | New
