HCIA-Cloud Service V3.5 Training Material

The document discusses the basics of cloud computing including its definition, key features, technologies, and the challenges of traditional IT architecture. It describes how enterprises are migrating to cloud architecture for benefits like on-demand access, scalability, and lower costs.

Uploaded by Azat Nurgaliuly

Cloud Basics

Foreword

⚫ This chapter describes the trend toward cloud for enterprise IT facilities, an overview and the features of cloud computing, the background, definition, and technical features of public cloud development, and the basic architecture, basic concepts, delivery modes, and ecosystem construction of HUAWEI CLOUD.

2 Huawei Confidential
Objectives

⚫ On completion of this course, you will be able to:
 Understand the background of cloud computing and the trend of enterprise IT cloudification.
 Understand the definition and technical features of public cloud.
 Understand the basic architecture, basic concepts, and ecosystem construction of HUAWEI CLOUD.
Contents

1. Cloud Computing Basics

2. Public Cloud Overview

3. HUAWEI CLOUD Overview

Network era transformation, information and data growth
⚫ With the prevalence of the mobile Internet and the fully connected era, more terminal devices are in use and data volumes are exploding every day, posing unprecedented challenges to conventional ICT infrastructure.

Figure: three eras of terminal devices.
PC era: computers of the x86 architecture running Windows/Linux.
Mobile Internet era: mobile phones of the ARM architecture running Android/iOS.
IoT era: devices on x86, ARM, DSP, MIPS, FPGA, etc., running IoT OSs.

• The PC era is essentially the era in which computers are networked: personal computers are connected through servers. Now, in the mobile era, we access the Internet through mobile phones. With the advent of 5G, all computers, mobile phones, and intelligent terminals can be connected, and we enter the era of the Internet of Everything (IoE).

• In the IoE era, the entire industry will compete over ecosystems. From the PC era to the mobile era and on to the IoE era, an ecosystem changes fast at the beginning, then tends toward stability, and rarely changes once it is stable. In the PC era, a large number of applications ran on Windows, Intel chips, and the x86 architecture. Then browsers arrived with the Internet. In the mobile era, applications run on iOS and Android systems that use the ARM architecture.

• Compared with the previous generation, the number of devices and the market scale of each generation increase greatly, presenting future opportunities. Like Intel and Microsoft in the PC era and ARM and Google in the mobile era, each Internet generation has leading enterprises that master the industry chain. In the future, those who have a good command of core chips and operating systems will dominate the industry.
Challenges Faced by Conventional IT Architecture
⚫ The Internet era has brought a large amount of traffic, users, and data to enterprises, but conventional
IT architecture cannot meet the requirements for rapid enterprise development.

Slow service rollout

Difficult expansion

Low reliability

Complex lifecycle management

Latency caused by I/O bottlenecks

High TCO


• The Internet brings a large amount of traffic, users, and data, so enterprises need to continually purchase traditional IT devices to keep pace with their rapid development. As a result, the disadvantages of traditional IT devices gradually emerge.

▫ Long procurement periods cause slow rollout of new business systems.

▫ The centralized architecture has poor scalability and can only increase the processing performance of a single node.

▫ Traditional hardware devices exist independently, and their reliability depends only on software.

▫ Devices and vendors are heterogeneous and hard to manage.

▫ The performance of a single device is limited.

▫ The utilization of devices is low, while the total cost remains high.
Enterprises Are Migrating To the Cloud Architecture

Figure: in the conventional IT architecture, each application (App 1, App 2) runs on its own OS on dedicated hardware; in the virtualized architecture, the OSs of App 1 and App 2 run on a virtualization layer over shared hardware; in the cloud architecture, the OSs of App 1 and App 2 run on a Cloud OS.

• The traditional IT architecture consists of hardware and software, including infrastructure, data centers, servers, network hardware, desktop computers, and enterprise application software solutions. This architecture requires more power, physical space, and capital, and is usually installed on premises for enterprise or private use.

• With virtualization technology, computer components run in a virtualization environment rather than directly on the physical environment. Virtualization enables maximum utilization of the physical hardware and simplifies software reconfiguration.

• With cloud transformation, enterprise data centers move from resource silos to resource pooling, from a centralized architecture to a distributed architecture, from dedicated hardware to software-defined storage (SDS), from manual handling to self-service and automatic service, and from distributed statistics to unified metering.
Definition and Features of Cloud Computing
⚫ Definition
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service provider interaction.

--National Institute of Standards and Technology (NIST)

⚫ Features
- On-demand self-service
- Broad network access
- Resource pooling
- Quick deployment and auto scaling
- Measured service


• On-demand self-service: Customers can provision processing capabilities such as server time, network, and storage based on actual requirements, without needing to interact with each service provider.

• Broad network access: Capabilities are available over the Internet and can be accessed in standard ways from various clients, such as mobile phones, laptops, and tablets.

• Resource pooling: The service provider's computing resources are pooled so that customers can rent services. Different physical and virtual resources can be dynamically allocated and reallocated according to customer demand. Customers generally cannot control or know the exact location of the resources. The resources include storage devices, processors, memory, network bandwidth, and virtual machines.

• Quick deployment and auto scaling: Cloud computing can rapidly and elastically provide computing capabilities. To the customer, the resources available for rent often appear unlimited, and required resources can be purchased at any time.

• Measured service: Cloud services are billed based on actual resource usage, such as the CPU, memory, storage capacity, and bandwidth consumed by cloud servers. Cloud services provide two billing modes: pay-per-use and yearly/monthly.
Key Cloud Computing Technologies
⚫ Virtualization technology
 Server virtualization is an important cornerstone of the underlying architecture of cloud computing. In server virtualization, virtualization software abstracts the hardware and allocates, schedules, and manages resources.

⚫ Data storage technology
 The cloud computing system must meet the requirements of a large number of users and serve them in parallel. Therefore, the data storage technology of cloud computing must be distributed and offer high throughput and high transfer rates.

⚫ Massive data management technology
 Cloud computing is characterized by storing massive data and analyzing it after it is read. How to improve the data update rate and further improve the random read rate is a problem that future data management technology must solve.

• In addition to the preceding key technologies, there are two other important technologies:

▫ Programming model: Cloud computing provides a distributed computing mode, which objectively requires a distributed programming model. Cloud computing adopts a simple distributed parallel programming model, MapReduce. MapReduce is both a programming model and a task scheduling model. It is mainly used for parallel computing over data sets and for scheduling parallel tasks. In this model, users only need to write Map and Reduce functions to perform parallel computing.

▫ Cloud computing platform management technology: Cloud computing resources are huge, servers are numerous and distributed across different places, and hundreds of applications run at the same time. How to effectively manage these servers and ensure that the entire system provides uninterrupted services is a huge challenge.

• Virtualization technology

▫ A virtual machine (VM) consists of disk files and description files, which are encapsulated in the same folder.

▫ Multiple VMs running on a server are encapsulated and isolated from each other; that is, multiple folders exist.

▫ The essence of virtualization is to logically convert a physical device into a folder or file, decoupling software from hardware.
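The MapReduce model described in the notes above, as an added example that is not part of Huawei's training material: a minimal single-process runner that implements the map, shuffle, and reduce phases and applies them to constructed sample cloud audit log lines to count failed console logins per source address. Only map_failed_logins and reduce_sum are the user-supplied parts; SAMPLE_LOG and every other name are constructed for this example.

```python
"""Minimal MapReduce runner: the user writes only a Map and a Reduce function.

Added example (not Huawei's code). The runner splits the input, schedules map
tasks, groups intermediate pairs by key (the shuffle), and schedules reduce tasks.
"""
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterator, List, Tuple

# Constructed sample input, one audit record per line:
# "<timestamp> <user> <source-ip> <action> <result>" (one deliberately malformed line)
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice 203.0.113.10 console.login SUCCESS
2024-05-01T08:00:05Z bob 198.51.100.7 console.login FAILURE
2024-05-01T08:00:09Z bob 198.51.100.7 console.login FAILURE
2024-05-01T08:00:14Z bob 198.51.100.7 console.login FAILURE
2024-05-01T08:01:02Z carol 203.0.113.10 ecs.createServer SUCCESS
2024-05-01T08:01:30Z dave 192.0.2.44 console.login FAILURE
2024-05-01T08:01:45Z corrupted-record
2024-05-01T08:02:00Z bob 198.51.100.7 console.login SUCCESS
""".splitlines()

KV = Tuple[str, int]


def map_failed_logins(line: str) -> Iterator[KV]:
    """Map function: emit (source_ip, 1) for every failed console login."""
    fields = line.split()
    if len(fields) != 5:
        return  # skip malformed records instead of crashing the map task
    _ts, _user, src_ip, action, result = fields
    if action == "console.login" and result == "FAILURE":
        yield src_ip, 1


def reduce_sum(key: str, values: List[int]) -> KV:
    """Reduce function: total the counts the shuffle grouped under one key."""
    return key, sum(values)


def split_input(records: List[str], n_splits: int) -> List[List[str]]:
    """Divide the input into roughly equal splits, one per map task."""
    if not records:
        return []
    n_splits = max(1, min(n_splits, len(records)))
    size = -(-len(records) // n_splits)  # ceiling division
    return [records[i:i + size] for i in range(0, len(records), size)]


def run_mapreduce(records: List[str],
                  mapper: Callable[[str], Iterator[KV]],
                  reducer: Callable[[str, List[int]], KV],
                  workers: int = 4) -> dict:
    # Map phase: each split is an independent task producing intermediate pairs.
    def map_task(split: List[str]) -> List[KV]:
        out: List[KV] = []
        for rec in split:
            out.extend(mapper(rec))
        return out

    with ThreadPoolExecutor(max_workers=workers) as pool:
        map_outputs = list(pool.map(map_task, split_input(records, workers)))

    # Shuffle phase: group every intermediate value under its key.
    grouped = defaultdict(list)
    for pairs in map_outputs:
        for key, value in pairs:
            grouped[key].append(value)

    # Reduce phase: one task per key, again scheduled in parallel.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        result = dict(pool.map(lambda kv: reducer(kv[0], kv[1]), grouped.items()))
    return result


def failed_logins_per_source(lines: List[str] = SAMPLE_LOG, workers: int = 4) -> dict:
    """Count failed console logins per source IP over the given log lines."""
    return run_mapreduce(lines, map_failed_logins, reduce_sum, workers)


if __name__ == "__main__":
    for ip, count in sorted(failed_logins_per_source().items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{count}")
```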
Eight Common Characteristics of Cloud Computing
⚫ Massive scale
⚫ Homogeneity
⚫ Virtualization
⚫ Resilient computing
⚫ Low-cost software
⚫ Advanced security technologies
⚫ Geographical distribution
⚫ Service orientation


• Massive scale: Cloud computing services operate at large scale because they centralize the supply of IT resources. This distinguishes cloud computing from conventional IT.
• Homogeneity: Homogeneity can also be understood as standardization, similar to power utilities: the voltage and socket interface should be the same for all electrical appliances and devices.
• Virtualization: Virtualization has two meanings. One is finer-grained computing units. If a cake is too large for one person, it is better to divide it into small pieces to share; likewise, with smaller computing units, IT resources can be fully used. The other meaning is the separation of software and hardware. Before virtualization, software was bound to specific hardware; after virtualization, software can be freely migrated across all hardware, which is like renting a house instead of buying one.
• Elastic computing: Elastic computing means that IT resources can be provided elastically.
• Low-cost software: Low-cost software is provided to meet market competition and requirements. Cloud computing, with its low demands on individual technical skill and finances, makes IT easy to use. Small and micro startups are always willing to use more IT services at the lowest cost. In this situation, low-cost software is required to earn money through small margins on high volume.
• Geographic distribution: As with the broad network access mentioned above, IT services can be provided anytime and anywhere. From the users' perspective, cloud computing data centers are geographically distributed, and network bandwidth performance varies by region. Large public cloud service providers have dozens or even hundreds of data centers or service nodes to provide cloud computing services to global customers.
• Service orientation: Cloud computing is a service model, and its overall design is service-oriented.
• Advanced security technology: A public cloud has a large number of users with different requirements. Therefore, advanced security technologies must be adopted to protect cloud computing.
Deployment Models for Cloud Computing

Figure: a private cloud sits behind the enterprise firewall, a public cloud sits outside it, and a hybrid cloud spans both.

Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization.
Public cloud: The cloud infrastructure is owned and managed by a third-party provider and shared with multiple
organizations using the public Internet.
Hybrid cloud: This is a combination of public and private clouds, viewed as a single cloud externally.


• A private cloud is a cloud infrastructure operated solely for a single organization. All data of the private cloud is kept within the organization's data center. Attempts to access such data are controlled by ingress firewalls deployed for the data center, offering maximum data protection.

• A public cloud service provider owns and operates the cloud infrastructure and provides cloud services open to the public or enterprise customers. This model gives users access to convenient, on-demand IT services, comparable to how they would access utilities like water and electricity.

• A hybrid cloud is a combination of a public cloud and a private cloud or on-premises resources that remain distinct entities but are bound together, offering the benefits of multiple deployment models. Users can migrate workloads across these cloud environments as needed.
Contents

1. Cloud Computing Basics

2. Public Cloud Overview

3. HUAWEI CLOUD Overview

What is Public Cloud?
⚫ Concepts
 Public cloud refers to cloud services provided by third-party providers over the public Internet. Users can access
the cloud and enjoy various services, including but not limited to computing, storage, and network services.
Public cloud services can be free or pay-per-use.

⚫ Features and values
 The core attribute of the public cloud is shared resource service. Third-party providers provide shared computing, storage, and network resources to users on demand. Users can enjoy IT services on a pay-per-use basis without initial IT infrastructure investment, greatly reducing digital barriers and IT costs.
 For most SMBs or startups, public cloud is the best choice:
◼ From the perspective of operation, the public cloud provides users with the required resources on demand and charges only for them, reducing TCO and costs.
◼ From the perspective of O&M, traditional enterprises build their own data centers to support their services. The workload brought by self-construction covers the infrastructure (HVAC, fire protection, water and power supply, servers, storage, switches, firewalls, etc.), systems, middleware, services, and so on. Maintenance is complex and costly.
◼ From the perspective of services, the public cloud provides a wide variety of services, enabling users to enjoy the convenience brought by the cloud.
◼ From the perspective of security, the security level of mainstream public cloud service providers is beyond the reach of most enterprises.

• From the perspective of operation, especially for small- and medium-sized enterprises, the public cloud meets the needs of organizations that lack the budget to purchase devices, that need to use and release devices within a short period (for testing and verification), or that require ultra-large computing capabilities.

• From the perspective of O&M: By using the public cloud, users only need to focus on their own services. This greatly reduces maintenance complexity and costs and lets them focus on continuous service innovation.

• From the perspective of security: Mainstream public cloud providers offer services that have passed most security and privacy certifications, effectively ensuring the security of user data and privacy.
Public Cloud Architecture
⚫ The following figure shows the common public cloud architecture, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), O&M, operation, and security.

Figure: public cloud architecture. Portal layer: IaaS console, PaaS console, SaaS console, marketplace, and other O&M consoles. SaaS layer: Workspace, DevCloud, and third-party applications. PaaS layer: RDS, CAE, and Docker. IaaS layer: computing, storage, and network virtualization over servers, storage devices, network devices, and firewalls. Alongside the layers: the business operation platform, the O&M platform, and security protection.

• The IaaS layer abstracts computing, storage, and network resources for users to
use and provides corresponding services based on actual application
requirements.

• The PaaS layer provides container services and microservice development services
for users based on the IaaS layer. That is, an open platform is provided for users.

• The SaaS layer mainly provides scenario-based applications, that is, provides
applications as services for users.

• At the O&M layer, the public cloud provides user- and platform-oriented O&M capabilities. For users of cloud services, it provides O&M capabilities such as permission control, performance monitoring, status monitoring, and fault alarm reporting. On the platform side, the public cloud assurance team performs O&M to ensure high reliability, high availability, and security of the platform.

• At the operation layer, the public cloud provides user- and platform-oriented operation capabilities. Users have operation capabilities such as submitting work orders, placing orders, and viewing charges, which help them understand operation costs and analyze service trends. The public cloud operation team processes and manages users' work orders and investments, and performs visualized management of the overall revenue of the public cloud.

• At the security level, the public cloud needs to meet requirements on system security, platform security, O&M security, and network security to ensure the data and property security of users and cloud service providers.
• RDS: Relational Database Service.

• CAE: Cloud Application Engine is a serverless hosting service oriented to web and microservice applications. It provides a one-stop application hosting solution that features fast deployment, low cost, and simplified O&M.

• DevCloud is a one-stop cloud DevSecOps platform for developers. It can be used out of the box and delivers the entire software lifecycle on the cloud anytime and anywhere, covering requirement delivery, code submission, code check, code compilation, verification, deployment, and release. It streamlines the complete software delivery path and provides end-to-end support for the software R&D process.
Three Service Modes of the Public Cloud
⚫ The public cloud service mode is still being developed and improved. In the industry, public cloud service modes are classified into the following three types:
 IaaS: Infrastructure as a Service
 PaaS: Platform as a Service
 SaaS: Software as a Service

Figure: the three service modes.
SaaS
• Target: enterprise users/individual users
• Examples: enterprise application services, email, IM, and microblogging
PaaS
• Target: developers
• Provides database middleware, MySQL, MongoDB, and Java
• Examples: Cloud Foundry and OpenShift
IaaS
• Target: enterprises (or a few individual users)
• Provides basic equipment services such as computers, storage devices, and networks
• Examples: AWS, Google Cloud, Azure, OpenStack
Features of the Three Service Modes
⚫ IaaS is Infrastructure as a Service: IT infrastructure is provided as a service over the network.
 Users do not need to build data centers. Instead, they rent infrastructure services, including servers, storage devices, and networks.
 In terms of usage, IaaS is similar to traditional server hosting, but IaaS has strong advantages in service flexibility, scalability, and cost.
⚫ PaaS is Platform as a Service: a software platform has been built on the cloud, and the customer rents the required software platform.
 When users use the cloud, the operating system, database, middleware, and runtime library have already been set up.
 Compared with IaaS, PaaS offers less freedom and flexibility and is less suitable for highly skilled IT professionals.
⚫ SaaS is Software as a Service: the operating system, middleware, database, runtime library, and software applications required by the customer have been deployed on the cloud. Most SaaS applications run directly in the browser without the need for client installation.
⚫ Summary: For users, the three service models are independent of each other because their user groups differ. Technically, the three are not a simple inheritance chain, although SaaS is based on PaaS and PaaS is based on IaaS.

• A simple example gives a more intuitive understanding of the three modes. Suppose a user wants to develop a mini-program shopping mall system.

• The first solution is to buy servers, buy databases, buy domain names, and develop the mini-program mall. This is the IaaS model.

• The second solution is that the mini-program platform provides cloud development services, eliminating the need for servers, storage, and domain names. The user only develops the program. This is the PaaS model.

• The third solution is that Huawei provides the mall mini-program, and the user only needs to enable it. This is the SaaS model.
Advantages of the Public Cloud over Traditional IT Systems
Item: Resource utilization
 • Traditional IT: Low resource utilization. The resource usage of traditional servers is unbalanced, ranging from 30% to 40% in some cases to 10% in most cases. The IT resources put into production are not effectively used.
 • Public cloud: High resource utilization. Select cloud services of different specifications and models as required to make full use of resources.

Item: Cost
 • Traditional IT: Expensive. It is expensive to prepare network, computing, and storage resources. As the business grows, the cost increases.
 • Public cloud: Savings. With the elastic computing capabilities of the public cloud, resources can be added or released at any time as services grow or shrink. Various billing modes are available, including yearly/monthly and pay-per-use.

Item: Scalability
 • Traditional IT: Poor scalability. Architectures typically require a long time and a lot of resources to upgrade or downgrade.
 • Public cloud: Good scalability. Scalability allows organizations to better control costs and resources. Businesses can upgrade or downgrade their computing and storage capacity as needed.

Item: Service rollout duration
 • Traditional IT: Long service rollout time. Deploying new services takes months to years.
 • Public cloud: Quick service rollout. Users can quickly purchase, start, and update resources on the GUI. Services can be deployed by using various applications, high-availability templates, and solutions.

Item: Maintenance interval
 • Traditional IT: Long maintenance period. The fault rectification period is long. The maintenance labor cost is high.
 • Public cloud: Short maintenance time. Select resource specifications and perform quick upgrades in one-click mode. Multi-channel after-sales support ensures continuous and efficient business operation.
Advantages and Concerns of Public Cloud
• Advantages
 Security: Cloud computing provides the most reliable and secure data storage center. Users do not need to worry about data loss and virus intrusion.
 Convenience: Cloud computing has the lowest requirements on user devices and is the most convenient to use.
 Data sharing: Cloud computing makes it easy to share data and applications between different devices.
 Infinite possibilities: Cloud computing offers almost infinite possibilities for us to use the network.

• Worries about
 Security
 Performance
 Data ownership
 Reliability
 Consistency
 ...

• Security: Who is allowed to view the enterprise's proprietary data?

• Performance: Will the application system perform as expected at peak processing times?

• Data ownership: Does ownership of the "cloud" imply ownership of the data on the system platform?

• Reliability: An enterprise can deploy many data centers and redundant systems to meet its uptime needs. Will companies that offer "cloud" services offer the same?

• Consistency: A growing number of companies in the public sector, financial services, and health care face strict regulations. They need to be able to prove who accessed the data, when and where it was processed, and what software and hardware were involved in processing it. Even in an enterprise's internal database this is very difficult to do. Can they achieve the same in the cloud? More likely, for important applications, the enterprise will deploy web-based access mechanisms that allow those applications to run in their current host location. As for application updates, the enterprise may create an on-premises cloud.

• Think about other concerns: if you were a user, what other concerns would you have?
Cloud customers are generally concerned about cloud security
⚫ As with many emerging technologies, the security of cloud services has attracted much attention, and the emerging
security and compliance issues will challenge the widespread deployment and development of cloud services.
 Security vendor Ermetic surveyed more than 300 information security executives. Nearly 80% of the enterprises had experienced at least one cloud data breach in the past 18 months, and 43% reported more than 10 breaches.

 According to a survey conducted by security vendor Barracuda, 70 percent of respondents said security concerns were limiting their organization's
adoption of public cloud. These security concerns include the security of the public cloud infrastructure, the impact of cyber attacks, and the security
of applications deployed in the public cloud.

⚫ When providing services, cloud service providers may face both internal and external security threats. For example:
 In terms of internal threats, there may be unknown or uncontrolled assets and devices. Data centers may be damaged by extreme natural disasters.
Cloud service products may have security vulnerabilities caused by design defects. Ineffective access control may cause data leakage, malicious use of
data, and abuse of access rights.

 In terms of external threats, organizations may face hacker attacks, third-party vendors' products may have defects, and business processes may
have vulnerabilities and be exploited for fraud.


• According to a cloud security report released in 2021, up to 96% of enterprises are worried about public cloud security. By anxiety level, the security concerns break down as 23% (moderate), 41% (very), and 32% (extremely).

• In September 2020, the Cloud Security Alliance (CSA) released its list of 11 top cloud computing threats. Compared with the 12 threats in the previous 2016 release, CSA noted a decline in the ranking of traditional cloud security issues thanks to the efforts of cloud service providers. Concerns such as denial of service, shared technology vulnerabilities, cloud service provider data loss, and system vulnerabilities (all among the previous top 12 risks) are now rated so low that they no longer appear on the list of top threats. This suggests that the traditional security problems that are the responsibility of cloud service providers appear to have been effectively mitigated.
Cloud Service Providers Improve Security Management Capabilities
⚫ How to solve the cloud service security problems and challenges faced by cloud service providers and reduce customers' concerns is a key issue for every cloud service provider that wants to keep providing services. To better address the potential security risks posed by public cloud services, internal and external security threats, and cloud security compliance risks, and to improve stakeholders' understanding of the shared security responsibility model, cloud service providers must adopt appropriate management and technical means and gradually improve their cloud security and privacy management capabilities. For example:
 Integrate security services from third-party security vendors to quickly bring more, and more up-to-date, security products and capabilities into the cloud platform.

 Strengthen measures such as access management, log review, and security training for internal personnel to mitigate internal security risks.

 Strengthen vulnerability management and defense-in-depth measures to defend against external threats.

 Deeply understand compliance requirements and improve compliance capabilities, avoiding the fines, lawsuits, and reputational damage caused by violations of laws and regulations.
Cloud service customers can leverage security services and
products provided by cloud service providers
⚫ Because the responsibility for cloud service security is shared between the cloud service provider and the cloud service customer, the cloud
service customer also needs to think about how to manage security in the cloud computing environment. To meet the increasing cloud security
management requirements, cloud service customers can use the service products provided by cloud service providers to improve their cloud
security management capabilities.
 Visible advanced security capabilities. Cloud service providers can provide visualized security monitoring and protection capabilities for cloud computing environments to help cloud service customers discover and block security vulnerabilities, detect suspicious behaviors, and respond to possible intrusion attacks in a timely manner.
 Security solutions applicable to multiple scenarios. Cloud service providers use their innovation capabilities to integrate multiple mature products and the latest technologies into network security solutions for cloud service customers in various business scenarios, safeguarding customers' digital transformation and enabling them to invest in new technology changes with confidence. For example, the Content Moderation service automatically detects content violations, helping customers reduce service violation risks.
 Rich cloud security ecosystem. A rich cloud security ecosystem greatly expands the variety of cloud security services, gives cloud service customers more autonomy in product selection, and helps them flexibly select services and products based on different scenario requirements, improving the security of their IT systems.
 Other cloud security services. Cloud service providers can also provide security and compliance consulting and managed security services to customers, so that cloud service customers can quickly obtain high-level security management capabilities by leveraging the capabilities and experience of cloud service providers.
Contents

1. Cloud Computing Basics

2. Public Cloud Overview

3. HUAWEI CLOUD Overview

HUAWEI CLOUD Everything is a Service

Figure: HUAWEI CLOUD headline figures. The numbers 800+, 300+, 90%, 90%, 85%, 75%, 300+, and 120+ are shown, in the figure's own order, for e-Government cloud customers, financial customers, top 50 Chinese e-commerce companies, top 30 Chinese automakers, top 50 Chinese game enterprises, top 50 Chinese audio and video enterprises, SAP cloudification customers, and carriers.
Technology as a Service: put innovation at customers' fingertips and accelerate application modernization.
Experience as a Service: replicate excellent products and enable industry cloudification.
Infrastructure as a Service: build a single network for global storage and computing, enabling services to be accessible globally.
Bottom row: 240+ cloud services, 4+ million developers, 10,000+ items, 41,000+ partners.

• In 2017, Huawei officially launched the HUAWEI CLOUD brand, which opens Huawei's 30 years of technology accumulation and product solutions in the ICT field to customers. Through infrastructure as a service, technology as a service, and experience as a service, we realize "everything is a service", providing stable, reliable, secure, and sustainable cloud services for customers, partners, and developers.

• According to Gartner's Market Share: IT Services, Worldwide 2021 research report released in April 2022, HUAWEI CLOUD ranks among the top 5 in the global IaaS market, second in China, third in Thailand, and fourth in emerging Asia Pacific.

• HUAWEI CLOUD has launched 248 cloud services and more than 78,000 APIs, has brought together more than 40 million partners around the world, and has developed more than 4 million developers. More than 10,000 applications have been released to the market.

• In China, HUAWEI CLOUD has served more than 700 government cloud projects and has worked with more than 150 cities to build "one city, one cloud". It serves the six major banks, 12 joint-stock commercial banks, the top 5 insurance institutions, and 7 of the top 10 traditional securities firms in China. It serves more than 30 smart airports, more than 30 urban rail operators, and 29 provincial highways, as well as 14 provincial companies of State Grid Group, more than 30 automobile manufacturing enterprises, more than 20 top building materials and mining enterprises, and more than 15 top household appliance enterprises.
• HUAWEI CLOUD Enablement Cloud has deployed more than 160 innovation
centers and built more than 60 industrial Internet innovation centers across the
country, helping 23,000 manufacturing enterprises with digital transformation.
80% of the top 50 Internet enterprises have chosen HUAWEI CLOUD. 90% of
China's top 30 automobile enterprises have chosen HUAWEI CLOUD. HUAWEI
CLOUD opens the autonomous driving ecosystem, and 80% of the enterprises in
the autonomous driving industry chain conduct R&D on HUAWEI CLOUD.

• In the Asia-Pacific region, HUAWEI CLOUD is the fastest growing mainstream public cloud provider. It ranks top 3 in Thailand and top 4 in emerging markets. HUAWEI CLOUD has served more than 20 financial customers, more than 100 government customers, and more than 170 Internet and cloud-native valued customers in the Asia-Pacific region. In 2021, the number of valued customers increased by more than 150%, and partner revenue increased by more than 150%. HUAWEI CLOUD has become one of the best partners for enterprise digital transformation.
Everything as a Service - Infrastructure as a Service
⚫ HUAWEI CLOUD is deployed globally.
 83 AZs are operated in 29 regions (self-operated and jointly operated), covering Asia Pacific, Latin America, Africa, Europe, and the Middle East. More than 220 cloud services and 210 solutions have been launched, meeting the service requirements of various users.

⚫ Huawei Cloud Global Infrastructure
 Product categories cover infrastructure such as computing, containers, storage, networking, CDN and intelligent edge, databases, AI, big data, IoT, application middleware, development and O&M, enterprise applications, video, security and compliance, management and supervision, migration, and blockchain.

• The regions, AZs, cloud services, and solutions deployed by HUAWEI CLOUD are adjusted according to actual operation status.
Everything as a Service - Technology as a Service
⚫ Technology-as-a-Service, bringing innovation within reach
 Huawei's more than 30 years of ICT technology accumulation is translated into cloud services on HUAWEI CLOUD that more enterprises can apply. Instead of reinventing the wheel, enterprises can focus on their own service innovation.

⚫ 100,000 R&D engineers invest tens of billions of dollars in R&D every year, covering four tPaaS development production lines.
 MetaStudio, the digital content production line, helps thousands of industries seamlessly integrate the virtual world and the real world.
 DataArts Studio, the data governance production line, helps enterprises quickly build data operation capabilities and implement integrated governance of batch, stream, and interactive data.
 CodeArts, the software development production line, is a one-stop, end-to-end, secure, and reliable software development production line that is ready to use out of the box and has years of Huawei's best R&D practices built in, doubling efficiency and facilitating digital transformation.
 ModelArts, the AI development production line and AI platform, helps users quickly create and deploy models and manage full-cycle AI workflows.

• MetaStudio, a digital content production line, provides platform capabilities such as 3D model creation (Creator), asset management (Store), content editing (Editor), and cloud rendering (Rendering) based on two media engines: a graphics engine and a space engine. Together with partners, it builds production lines such as digital human production, virtual live broadcast, enterprise 3D space, and virtual-real integration to help thousands of industries seamlessly integrate the virtual world and the real world.
Everything as a Service - Experience as a Service aPaaS
⚫ HUAWEI CLOUD aPaaS integrates industry capabilities and industry experience, provides a one-stop open platform
for unified application distribution and operation, improves application construction, development, and use
experience, and supports rapid innovation of applications in various industries.
[Slide figure: aPaaS stack. Industries served: industry, government affairs, education, coal mine, Internet, ...
Industry aPaaS: Industrial aPaaS (industrial data management, data model-driven engine); e-Government aPaaS (license and event requests, check task generation); Power aPaaS (intelligent power generation scheduling, digital power transmission); Coal Mine aPaaS (probing and support inspection, belt foreign matter identification); Highway aPaaS (charge audit, smart construction site); Airport and Orbital aPaaS (active operation control, fault image AI detection, TFDS); ...
Basic aPaaS: KooMessage, KooMap, KooPhone, KooSearch, EDS, ...; Integrated Workbench, Enterprise API Center, Workbench.]
Basic aPaaS, accelerating enterprise digital upgrade
Basic aPaaS Definition and Function
Cloud Message Service (KooMessage)
• Integrates multiple customer access channels, including intelligent information, service numbers, PUSH messages, and 5G messages, provides one-stop industry services and user growth services for industry customers, reaches customers across all scenarios and all devices, and improves end-consumer service satisfaction and marketing conversion rates.
• This feature is available only to enterprise-certified customers.
Cloud Map Service (KooMap)
• The KooMap satellite image processing service converges high-quality satellite sources and provides global satellite image processing, supporting application transformation and innovation for government and enterprise customers.
• Accumulates industry assets, builds an open platform, and provides one-stop, out-of-the-box spatio-temporal information services such as spatio-temporal processing, analysis, and visualization.
Cloud Phone Service (KooPhone)
• KooPhone is a cloud mobile phone service that features excellent experience and high security. It is based on Huawei Kunpeng ARM servers, introduces Huawei core technologies such as audio and video codecs and real-time transmission, and draws on the rich application ecosystem of HUAWEI CLOUD. It provides new application scenarios for customers in industries such as government, enterprise, and Internet.
• Breaks through physical resource restrictions and enables on-demand scaling and flexible conversion of mobile phone instance specifications. Based on cloudification advantages, tens of thousands of mobile phones can be provisioned in minutes, and massive resources are centrally managed and controlled.
Enterprise Search Service (KooSearch)
• KooSearch is a fully managed search service. It provides search services for Huawei internal office use and for customers.
• With built-in capabilities such as industry word segmentation, semantic understanding, and industry sorting algorithms, Huawei provides customers with simpler, more accurate, and faster search services.
• Huawei Cloud provides enterprise-level data security, permission control, and global deployment capabilities to meet enterprise-level application requirements.
Exchange Data Space (EDS)
• The Exchange Data Space (EDS) is an exchange and sharing platform designed to protect enterprise data sovereignty, promote efficient data circulation, and maximize data value.
• The platform provides 21 usage-control policies that apply during data use (e.g. validity period, number of viewing times, downloading) to ensure that data is used in compliance with rules and regulations on the basis of data sovereignty and control.
HUAWEI CLOUD Basic Concepts – Account
⚫ The HUAWEI CLOUD account system consists of two types of
accounts:
 Accounts: registered or created on HUAWEI CLOUD. An account has the highest
permissions on HUAWEI CLOUD. It can access all of its resources and pays for the
use of these resources. Accounts include HUAWEI IDs and HUAWEI CLOUD accounts.

 IAM users: created and managed using an account in IAM. The account
administrator grants permissions to IAM users and makes payment for the resources
they use. IAM users use resources as specified by the permissions.

⚫ Users can log in to HUAWEI CLOUD using a HUAWEI ID, Huawei website
account, Huawei enterprise partner account, or HUAWEI CLOUD account,
and use their resources and cloud services.

⚫ If you are an IAM user created by an account, or a user of a third-party system that has established a trust relationship with HUAWEI CLOUD, log in to HUAWEI CLOUD through the corresponding page and then use resources and cloud services as specified by the permissions granted by the account.
Huawei ID and HUAWEI CLOUD Account
⚫ You can register a HUAWEI ID to access all Huawei services, such as HUAWEI
CLOUD and Vmall.
 Registration: Register a HUAWEI ID on any Huawei service website, such as the HUAWEI
ID website.

 HUAWEI CLOUD login: Log in to HUAWEI CLOUD by clicking HUAWEI ID. If this is the first
time you log in to HUAWEI CLOUD with a HUAWEI ID, enable HUAWEI CLOUD services or
bind the HUAWEI ID to your HUAWEI CLOUD account by following the on-screen prompts.

⚫ HUAWEI CLOUD accounts can only be used to log in to HUAWEI CLOUD.


 Registration: To improve login experience, we have unified our account system. You can
only register HUAWEI IDs on HUAWEI CLOUD from October 30, 2021.

 HUAWEI CLOUD login: Log in to HUAWEI CLOUD by clicking HUAWEI ID or HUAWEI CLOUD Account.
IAM User
⚫ Huawei Cloud Identity and Access Management (IAM) provides permissions management to help you securely
control access to your cloud services and resources. If you want to share resources with others but do not want to
share your own account and password, you can create an IAM user.
 You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity
credentials (passwords or access keys) and uses cloud resources based on assigned permissions. IAM users cannot make
payments themselves.
 IAM users do not own resources and cannot make payments. Any activities performed by IAM users in your account are billed to
your account.


• Identity and Access Management (IAM) is a unified identity authentication service that helps users more securely control access to cloud services and resources. IAM users prevent multiple people from having to share the account's password. IAM is described in detail in the following sections.
Relationship between accounts and IAM users
⚫ An account and its IAM users share a parent-child relationship. The account owns the resources and makes
payments for the resources used by IAM users. It has full permissions for these resources.
 IAM users are created by the account administrator, and only have the permissions granted by the administrator. The
administrator can modify or revoke the IAM users' permissions at any time.
 Fees generated by IAM users' use of resources are paid by the account.

User Group
⚫ You can use user groups to assign permissions to IAM users.
 After an IAM user is added to a user group, the user has the permissions of the group and can perform operations on cloud
services as specified by the permissions.
 If a user is added to multiple user groups, the user inherits the permissions assigned to all these groups.
 The default user group admin has all permissions required to use all of the cloud resources. Users in this group can perform
operations on all the resources, including but not limited to creating user groups and users, modifying permissions, and
managing resources.

Permission
⚫ You can grant permissions by using roles and policies.
 Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a
limited number of service-level roles are available for authorization.
 Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud
resources under certain conditions. IAM supports both system-defined and custom policies.
◼ A system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups and cannot be modified.
◼ Custom policies function as a supplement to system-defined policies. You can create custom policies using the actions supported by cloud
services for more refined access control. You can create custom policies in the visual editor or in JSON view.

[Slide figure: a user group is authorized with a policy on a project.]

• A policy is a fine-grained authorization strategy that defines the permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least-privilege access. For example, you can grant users permission to manage only ECSs of a certain type.

• If you need to assign permissions for a specific service to a user group or agency
on the IAM console but cannot find corresponding policies, it indicates that the
service does not support permissions management through IAM. You can submit
a service ticket to request that permissions for the service be made available in
IAM.
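As an added example (not Huawei code) tying together the User Group and Permission concepts above, the following Python script models how an IAM user's effective permissions are the union of the policies attached to all of the groups they belong to, and how a custom policy with an explicit Deny keeps a user at least privilege even when another group grants a wildcard. The policy JSON shape (Version 1.1, Statement, Effect, Action) follows the JSON view mentioned on the slide; the action names such as ecs:cloudServers:list, the group and user names, and the deny-overrides-allow evaluation rule are my assumptions for illustration, not verified HUAWEI CLOUD identifiers or documented behaviour.

```python
"""Toy model of IAM authorization with user groups and policies.

Added example, not Huawei code. Assumptions (mine, not from the course):
- Policy JSON follows the "Version": "1.1" / Statement / Effect / Action
  shape shown in the IAM console's JSON view. The action names below
  (e.g. "ecs:cloudServers:list") are illustrative, not verified identifiers.
- Evaluation rule: a user holds the union of all policies attached to every
  group they belong to; an explicit Deny overrides any Allow; an action that
  no statement allows is denied (least privilege by default).
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed sample policies in the JSON-view shape
ECS_READONLY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:cloudServers:list", "ecs:cloudServers:get"]},
    ],
}

# Custom policy: an operator may start/stop servers but is explicitly
# forbidden from deleting them, whatever other groups grant.
ECS_OPERATOR = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:cloudServers:start", "ecs:cloudServers:stop"]},
        {"Effect": "Deny", "Action": ["ecs:cloudServers:delete"]},
    ],
}

# Coarse policy using a wildcard over the whole (hypothetical) ECS service
ECS_FULL = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["ecs:*"]}],
}

# Group -> policies attached to the group (constructed)
GROUP_POLICIES: Dict[str, List[dict]] = {
    "ecs-readers": [ECS_READONLY],
    "ecs-operators": [ECS_OPERATOR],
    "ecs-admins": [ECS_FULL],
}

# IAM user -> groups the user belongs to (constructed)
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["ecs-readers"],
    "bob": ["ecs-readers", "ecs-operators"],
    "carol": ["ecs-operators", "ecs-admins"],
}


def action_matches(pattern: str, action: str) -> bool:
    """Match one Action entry, allowing the '*' wildcard (e.g. 'ecs:*')."""
    return fnmatchcase(action, pattern)


def is_allowed(user: str, action: str) -> bool:
    """Decide whether `user` may perform `action`.

    Walks every statement of every policy of every group the user is in.
    A matching Deny wins immediately; otherwise the result is True only if
    at least one matching Allow was seen (default deny).
    """
    allowed = False
    for group in USER_GROUPS.get(user, []):
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in policy["Statement"]:
                if not any(action_matches(p, action) for p in stmt["Action"]):
                    continue
                if stmt["Effect"] == "Deny":
                    return False
                if stmt["Effect"] == "Allow":
                    allowed = True
    return allowed


def effective_actions(user: str, candidates: List[str]) -> List[str]:
    """Return the subset of `candidates` the user may actually perform."""
    return [a for a in candidates if is_allowed(user, a)]


if __name__ == "__main__":
    actions = ["ecs:cloudServers:list", "ecs:cloudServers:start",
               "ecs:cloudServers:delete"]
    for u in USER_GROUPS:
        print(u, effective_actions(u, actions))
```

The point of the `carol` case is the one practitioners most often get wrong: membership in `ecs-admins` grants `ecs:*`, yet the explicit Deny carried by the `ecs-operators` custom policy still blocks `ecs:cloudServers:delete`. When you design custom policies, put the actions you never want a group to perform in Deny statements rather than relying on their absence from Allow lists, since a later group membership can silently widen the Allow set.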
Agency
⚫ A trust relationship that you can establish between your account and another account or a cloud service to delegate
resource access.
 Account delegation: You can delegate another account to implement O&M on your resources based on assigned permissions.
 Cloud service delegation: Huawei Cloud services interwork with each other, and some cloud services are dependent on other
services. You can create an agency to delegate a cloud service to access other services.


• The IAM agency function is used to create agencies on IAM, specify delegated accounts, and grant permissions. After an administrator assigns agent operator permissions to a user of the delegated account, that user can manage the corresponding resources.
Advantages of IAM
⚫ Fine-grained access control for Huawei Cloud resources
 If you purchase multiple Huawei Cloud resources for different teams or applications in your enterprise, you can use your account to create IAM users
for the team members or applications and grant them permissions required to complete specific tasks.

 The IAM users use their own usernames and passwords to log in to Huawei Cloud and access resources in your account.

⚫ Cross-account resource access delegation
 If you purchase multiple Huawei Cloud resources, you can delegate another account to manage some of your resources for efficient O&M.

⚫ Federated access to Huawei Cloud with existing enterprise accounts (identity federation)
 If your enterprise has an identity system, you can create an identity provider (IdP) in IAM to provide single sign-on (SSO) access to Huawei Cloud for
employees in your enterprise. The identity provider establishes a trust relationship between your enterprise and Huawei Cloud, allowing the
employees to access Huawei Cloud using their existing accounts.


• In addition to IAM, you can use Enterprise Management to control access to cloud resources. Enterprise Management supports more fine-grained permissions management and enterprise project management. You can choose either IAM or Enterprise Management to suit your requirements.

• For example, you can create an agency for a professional O&M company to
enable the company to manage specific resources with the company's own
account. If the delegation changes, you can modify or revoke the delegated
permissions at any time. In the following figure, account A is the delegating party,
and account B is the delegated party.
Huawei Cloud-Security Cloud Platform
⚫ 100+ global security compliance certifications
 Currently, HUAWEI CLOUD has passed various international authoritative certifications and practice standards. The following are
some examples:
◼ Security-related certifications include ISO 27001, ISO 27017, CSA STAR Gold Certification, China Ministry of Public Security Information Security Level 3/Level 4 Certification, PCI DSS for the payment card industry, and the NIST CSF Cyber Security Framework.
◼ Privacy-related specifications include ISO 27018, ISO 27701, BS 10012, ISO 29151, and ISO 27799.

 "3CS" is a new security governance system for the entire process of cloud services.
◼ HUAWEI CLOUD has developed a governance system that covers mainstream cloud security standards in the industry and security management
requirements of HUAWEI CLOUD. It is called Cloud Service Cybersecurity & Compliance Standard (3CS for short).
◼ This governance system provides valuable reference solutions for enterprises or partners who are willing to learn from Huawei's practical
experience.

 DevSecOps, covering the entire lifecycle of services from development, deployment, to operation.
◼ HUAWEI CLOUD seamlessly embeds the security development lifecycle (SDL) into the fast-iterating DevOps process, combining security R&D and O&M to carry out cloud service security activities without affecting rapid continuous integration, release, and deployment.
Enterprise Solutions
⚫ HUAWEI CLOUD provides comprehensive cloud solutions to help you accelerate growth, from startup to management and expansion.

Website Building Solution ⚫ Build your enterprise website with ease, flexibility, speed, and low cost.
Enterprise Cloud Box ⚫ Content management powered by AI and cloud computing for efficiency, security, and ease of use.
Marketing Automation ⚫ Marketing Automation helps you streamline data, manage leads, and identify and incubate quality potential customers.
Cross-border Enterprise Business ⚫ HUAWEI CLOUD helps you expand your business internationally and helps you enter and thrive in the Chinese market.
On-premises to On-cloud ⚫ Free cloud resources and professional migration services.
Solutions by Use Case
⚫ HUAWEI CLOUD pre-integrates products and capabilities to meet the requirements of running ICT
businesses on the cloud.

[Slide figure: solutions by use case: Backup and Restore; Business Applications; Enterprise Office; Hybrid Cloud Solution; Infrastructure for Media; Internet of Things; IPv6; Web & Mobile; SAP on Cloud; HPC on Cloud; Haydn Solution Digital Platform.]

• Huawei Cloud general solutions are as follows (for the latest classification, see the HUAWEI CLOUD official website):
▫ Backup and Restore: Obtain first-class disaster recovery and backup without huge capital and operational investments.
▫ Business Applications: Ensure maximum performance, resilience, and security for your mission-critical applications.
▫ Enterprise Office: Work whenever, wherever, on any device, with secure access to applications, data, and IT tools.
▫ Hybrid Cloud Solution: Get the flexibility, scalability, and cost efficiency of cloud while retaining mission-critical data on-premises.
▫ Infrastructure for Media: Supercharge the transmission of high-quality video to a massive number of mobile terminals.
▫ Internet of Things: Benefit from the enormous potential of IoT without building the infrastructure from scratch.
▫ IPv6: Provide dual-stack (IPv4/IPv6) Internet connectivity for your applications.
▫ Web & Mobile: Build scalable applications and use big-data insights to drive scale.
▫ SAP on Cloud: Get enterprise-grade security, performance, and availability for your SAP workloads.
▫ HPC on Cloud: Quickly build HPC clusters to run the most compute-intensive HPC workloads.
▫ Haydn Solution Digital Platform: A one-stop, full-lifecycle digital platform for partners and customers on Huawei Cloud.
Solutions by Industry
⚫ HUAWEI CLOUD provides solutions for a wide range of industries, so you can always find the cloud services you
need.

[Slide figure: solutions by industry: Smart City; Telecom; Automotive; Campus; E-Commerce; Education; Financial Services; Gaming; Healthcare and Life Sciences; Manufacturing; Media & Entertainment; Retail.]

• Huawei cloud industry solutions are as follows (for the latest classification, see
the HUAWEI CLOUD official website):
▫ Smart City: Facilitating the upgrade of city infrastructure, management, and
services. Serves the needs of four types of users — residents, legal persons,
government employees, and decision-makers, and helps refactor or
optimize public service processes for better user experience, improving
people's livelihoods, satisfaction, and sense of security.
▫ Telecom: Enable carriers/operators to achieve network monetization,
innovate services, and improve operation efficiency. Huawei Cloud provides
powerful solutions representing accumulation of more than 30 years of ICT
expertise, solutions that help you go cloud and help your customers go
digital.
▫ Automotive: Cut operations costs, improve quality and efficiency, and enhance sales support. The global automotive industry is witnessing a CASE (connected, autonomous, shared, and electric) transformation. Automotive enterprises are going digital with intelligent upgrades. Huawei Cloud offers these enterprises tailored solutions that leverage cloud computing, big data, AI, IoT, and 5G.
▫ Campus: Empowers your industrial park and campus with innovative AI, IoT,
big data, and cloud computing. Campuses contain a large number of
facilities that must all be monitored to ensure security. There were more
than 1.2 million campuses spread across China in 2017. Seeing the great
potential, HUAWEI CLOUD geared up its solution so partners can build
smart campuses with higher safety standards at lower cost.
▫ E-Commerce: Build and host your e-commerce websites on your highly
scalable and available cloud infrastructure.
▫ Education: Cost-effectively upgrade communications and learning systems.
This solution ensures stable and efficient resource allocation. It provides
quality services for customers in the education sector. Designed for
scenarios such as talent cultivation, scientific research and innovation, smart
campus, and online education, this solution uses cloud computing, big data,
IoT, and artificial intelligence to accelerate education modernization,
promoting education equity and improving the quality of education
available to all.
▫ Financial Services: Get the agility while maintaining your FSI safe, stable,
and secure. By combining industrial features and Huawei's cloud services,
this solution provides end-to-end cloud services for financial customers such
as banks, insurance agents, security companies, or Internet finance
enterprises. It helps customers quickly migrate their services to the cloud,
promoting fast growth and improving their competitiveness.
▫ Gaming: Deliver a flawless, lag-free gaming experience. Cloud, AI, and 5G technologies are transforming the industry with a brand new gaming experience. With its powerful cloud infrastructure capabilities and innovative technical advantages, HUAWEI CLOUD provides professional, fast, stable, and secure one-stop cloud service solutions for gaming enterprises to build high-quality, comprehensive cloud gaming platforms.
▫ Manufacturing: Increase production, perform preventive maintenance, and
accurately predict customer demands.
▫ Healthcare and Life Sciences: Accelerate research, scale telemedicine
services, and improve health outcomes. Leveraging core cloud services such
as cloud-network synergy, Big Data, and artificial intelligence of HUAWEI
CLOUD and its partners, the Healthcare and Life Sciences solution provides
high-performance, reliable, and secure resources and technologies and a
full portfolio of applications and services for the medical and healthcare
industry.
Practical Application of Huawei Cloud Solutions
⚫ The Practical Application of Huawei Cloud Solutions describes the architecture and deployment of Huawei Cloud solutions in specific scenarios. The source code has been technically verified by experts for one-click deployment. Technical support is also available to help you resolve problems that arise during deployment.

[Slide figure: practical applications: Source Code Compilation with Jenkins; CDN for Download Acceleration; CSS-based SQL Acceleration; Application Containerization on the Cloud; Quickly Deploying a High-Availability RabbitMQ Cluster; Quick Deployment of an MHY MySQL Cluster; Serverless Real-Time Log Analysis; Website O&M Analysis Based on LTS; Scheduled ECS Specification Modification; Scheduled ECS Startup/Shutdown.]

• Source Code Compilation with Jenkins: Quickly deploy source code compilation
environments on ECS.
• CDN for Download Acceleration: Use CDN and OBS to provide turnkey download
acceleration for static resources.
• CSS-based SQL Acceleration: Use CSS to quickly build SQL acceleration solutions.
• Application Containerization on the Cloud: Quickly deploy a cross-AZ HZ
container cluster environment and containerize service systems.
• Quickly Deploying a High-Availability RabbitMQ Cluster: Set up a high-
availability RabbitMQ cluster.
• Quick Deployment of an MHY MySQL Cluster: Use MHA to deploy highly
available MySQL clusters on ECSs.
• Serverless Real-Time Log Analysis: Collect, analyze, and archive ECS logs with a
serverless architecture.
• Website O&M Analysis Based on LTS: Quickly interconnect LTS with ELB for
routine website O&M analysis.
• Scheduled ECS Specification Modification: Use a FunctionGraph timer trigger to periodically modify ECS specifications.
• Scheduled ECS Startup/Shutdown: Use a FunctionGraph timer trigger to
periodically start and stop ECSs.
Create, share, and win-win results to build a new industry
ecosystem

[Slide figure: three ecosystem pillars.
Co-creation: application enablement, data enablement, and AI enablement help enterprises explore and practice innovative solutions.
Sharing: public cloud + hybrid cloud + edge cloud share innovation capabilities and a multi-cloud application ecosystem.
Win-win: Marketplace and reseller channel enable excellent software to serve more enterprises.]

Build a Black Land for Ecosystem Development with HUAWEI CLOUD as the Foundation

• HUAWEI CLOUD adheres to the concept of joint creation, sharing, and win-win
ecosystem. With HUAWEI CLOUD as the foundation, we build a black land for
ecosystem development. Our colleagues and partners work together to facilitate
digital transformation and intelligent upgrade of industries.

• Co-creation: Continuous technological innovation enables industry innovation. HUAWEI CLOUD builds three enablement platforms, application enablement, data enablement, and AI enablement, to help ecosystem partners realize cloudification, SaaS, and intelligence of applications.

• Sharing: Industry applications are evolving towards cloud-edge-device synergy. HUAWEI CLOUD uses the Optimus architecture to streamline the public cloud, hybrid cloud, and edge cloud to build a unified application ecosystem and share innovation capabilities across multiple industries, application scenarios, and deployment forms.

• Win-win: HUAWEI CLOUD works with partners to create value for customers, enable excellent software to serve more enterprises, and achieve win-win results with customers and partners in the digital era.

• Currently, we have brought together 1,800,000 developers, more than 13,000 consulting partners, more than 7,000 technical partners, and more than 100,000 paid users. We have released more than 4,000 applications on the cloud market. The annual transaction amount exceeds 1 billion RMB, and the number of paid users exceeds 100,000. We sincerely invite more excellent enterprises to join the HUAWEI CLOUD ecosystem.
Continuously deepen the new partner system
[Slide figure: new partner system. 1 identity: one Partner ID in the HUAWEI CLOUD partner network; join the partner program. Two cooperation frameworks: GoCloud (technology symbiosis: create an offering, enablement points and cards, HUAWEI CLOUD certification (28 certifications), 10 categories, 4 partner-supported platforms, coupons, product capabilities, industry capabilities, ability assessment, success stories) and GrowCloud (win-win business: transaction incentives, learning and enablement, commercial incentive policy). 6 roles: software partners, digital transformation consulting and system integration partners, service partners, hardware appliance partners, cloud solution provider partners, sole distributor partners.]

• HUAWEI CLOUD will focus on building partner capabilities and carry out
comprehensive partner system transformation.

• In 2022, a new partner system was released, including GoCloud and GrowCloud
cooperation frameworks. GoCloud aims to cultivate and develop partners'
capabilities, help partners build rich solutions and services on HUAWEI CLOUD,
and create more value for customers. The goal of GrowCloud is to help partners
expand customer coverage, accelerate sales growth, and achieve business win-
win results.

• HUAWEI CLOUD provides six growth paths for different types of partners, such as:
▫ For service partners: Provide training for service professionals, subsidies for dedicated teams, and migration incentives to enable partners to build delivery centers of competence and help customers migrate services to HUAWEI CLOUD.
▫ For software partners: Huawei provides experts, tools, cloud resources, and cash incentives to help partners build SaaS applications and solutions based on HUAWEI CLOUD. At the same time, the cloud application store connects customers and partners to help partners monetize their business.
▫ For digital transformation consulting and system integration partners: Through business opportunity sharing and enablement training, help partners build HUAWEI CLOUD-based consulting and service capabilities and enable partners to provide customers with one-stop digital transformation services, such as digital transformation consulting, migration, and managed services.

• Through development in 2022, more and more partners have recognized and joined our partner system. Currently, more than 2,000 partners have joined the
GoCloud cooperation framework and jointly built solutions with us. In addition,
we provided a special fund of US$120 million to provide enablement and
incentives for software, service, and training partners. In the GrowCloud
cooperation framework, more than 41,000 partners have chosen to cooperate
with HUAWEI CLOUD and jointly serve more than 110,000 customers. Our
partners' revenue has increased by more than 55% year-on-year.
HUAWEI CLOUD Grows Together with Global Developers

[Slide figure: developer growth. Simplified tools: DevCloud, ModelArts, IoT Studio, AppCube, ... Enablement services: application enablement, data enablement, AI enablement, SaaS. Business incubation: HUAWEI CLOUD Marketplace and Huawei Application Market (HMS), with application ecosystem support programs. 4,000,000+ developers; 41,000+ partners; 10,000+ Marketplace offerings; 130+ partners with sales volume exceeding 10 million.]

Two Application Distribution Platforms, Accelerating Business Value Transformation: Cloud Marketplace and Application Market

• Specifically, HUAWEI CLOUD provides a series of simplified tools and templates to improve development efficiency. In addition, Huawei provides application, data, and AI enabling services, and builds multiple industry knowledge and asset models to flexibly respond to market requirements.
• More importantly, HUAWEI CLOUD should help developers monetize their business. HUAWEI CLOUD provides powerful application distribution capabilities and a business support program with great potential. Developers can obtain rich cloud resources and traffic support and have the opportunity to communicate and cooperate with top enterprise accelerators and incubators. We hope that developers can grow and succeed on HUAWEI CLOUD.
• HUAWEI CLOUD Marketplace is an application distribution platform for
government and enterprise users. Over the past two years, we have developed
rapidly. Currently, the annual transaction volume of HUAWEI CLOUD
Marketplace has exceeded 1 billion, and the number of orders has exceeded
100,000. The sales volume of 30 partners has exceeded 10 million.
• AppGallery, the familiar Huawei terminal application distribution platform, is the
third largest application market in the world. It has 530 million active users
worldwide, and the total number of distributed applications has exceeded 384.4
billion. HUAWEI CLOUD cooperates with AppGallery Connect to build a one-stop
solution for mobile applications, providing more technical and resource support
for innovative applications that integrate HMS Core.
• HUAWEI CLOUD hopes that the two application distribution platforms can help
developers accelerate business value transformation.
Quiz
1. In one cloud computing deployment mode, the infrastructure is owned by a single organization and runs only for that organization. Which of the following is this deployment mode?
A. Private cloud
B. Public cloud
C. Hybrid cloud

2. (True or false) Huawei Cloud uses Identity and Access Management (IAM) projects to group and isolate resources in different regions.
A. True
B. False

• Answer:
 ▫ 1. A
 ▫ 2. B (False). IAM can restrict the permissions of IAM users and user groups to use resources in different regions, but cannot isolate resources and groups in different regions.
Summary

After reviewing this chapter, we have a preliminary understanding of cloud computing and public cloud, including their development background, future trends, and technical characteristics. This chapter also described the basic architecture, basic concepts, technical features, ecosystem construction, and future market trends of HUAWEI CLOUD, giving a preliminary impression of HUAWEI CLOUD.
Recommendations

⚫ Huawei Talent
 https://e.huawei.com/en/talent/cert/#/careerCert
⚫ Huawei Technical Support Website
 https://support.huaweicloud.com/intl/en-us/help-novicedocument.html
⚫ HUAWEI CLOUD Academy
 https://edu.huaweicloud.com/intl/en-us/

Acronyms and Abbreviations

AI: Artificial intelligence
AS: Auto Scaling
APM: Application Performance Management
AOM: Application Operations Management
AZ: Availability Zone
API: Application Programming Interface
BMS: Bare Metal Server
BCS: Hyperledger Fabric
CCE: Cloud Container Engine
CDN: Content Delivery Network
CBH: Cloud Bastion Host
CPTS: Cloud Performance Test Service
CAE: Computer Aided Engineering
CES: Cloud Eye Service
CTS: Cloud Trace Service
CCS: Cloud Catalog Service
CRS: Cloud Record Service
CDM: Cloud Data Migration
CMC: Cloud Migration Center
DES: Data Express Service
DNS: Domain Name Service
DDS: Document Database Service
DDM: Distributed Database Middleware
DAS: Data Admin Service
DBSS: Database Security Service
DMS: Distributed Message Service
DWS: Data Warehouse Service
DevOps: Development and Operations
ECS: Elastic Cloud Server
EVS: Elastic Volume Service
ELB: Elastic Load Balance
EI: enterprise intelligence
ERP: Enterprise Resource Planning
GES: Graph Engine Service
HMS: Huawei Mobile Service
HSS: Host Security Service
ICT: Information and Communications Technology
IMS: Image Management Service
IAM: Identity and Access Management
IOPS: Input/Output Operations Per Second
I/O: Input/Output
LTS: Log Tank Service
MVP: Most Valuable Player
MRS: MapReduce Service
NIC: Network Interface Controller
OBS: Object Storage Service
OCR: Optical Character Recognition
OMS: Object Storage Migration Service
OVS: Open Virtual Switch
QoS: Quality of Service
RoCE: RDMA over Converged Ethernet, a network protocol that allows remote direct memory access (RDMA) over Ethernet
RDS: Relational Database Service
SDK: Software Development Kit
SFS: Scalable File Service
SA: Situation Awareness
SMN: Simple Message Notification
SWR: SoftWare Repository for Container
SMS: Server Migration Service
SSD: Solid State Disk
SAP: System Applications and Products
TMS: Tag Management Service
TTS: Text-To-Speech
VBS: Volume Backup Service
VPC: Virtual Private Cloud
VPN: Virtual Private Network
VXLAN: Virtual Extensible Local Area Network
WAF: web application firewall
Thank You.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2023 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Compute Cloud Services
Foreword

⚫ Computing resources have always been the main artery of an enterprise's service system. Without computing resources, enterprise services cannot run properly. In the cloud computing era, computing services were also the first type of cloud service, which shows how important computing resources are.
⚫ This chapter describes the computing services on HUAWEI CLOUD.
Objectives

⚫ On completion of this course, you will be able to:
 Understand common computing services on HUAWEI CLOUD.
 Understand the basic concepts, features, usage methods, and application scenarios of ECSs.
 Have a good command of the basic concepts, features, usage methods, and application scenarios of IMS.
 Understand the basic concepts, features, usage methods, and application scenarios of the AS service.
 Have a good command of the basic concepts and features of the BMS service.
 Learn about CCE and other computing cloud services.
Computing Cloud Services
⚫ A compute resource is a measurable amount of computing power that can be requested, allocated, and used for a compute activity. Common computing resources include the CPU and memory.
⚫ A computing cloud service is a service or product that provides computing resources on the cloud.

[Figure: HUAWEI CLOUD compute services: Elastic Cloud Server (ECS), Bare Metal Server (BMS), Auto Scaling (AS), Image Management Service (IMS), Cloud Container Engine (CCE), Cloud Phone (CPH), FunctionGraph, and Dedicated Host (DeH).]
Contents

1. Elastic Cloud Server (ECS)

2. Image Management Service (IMS)

3. Auto Scaling (AS)

4. Bare Metal Server (BMS)

5. Cloud Container Engine (CCE)

6. Other Compute Services

What Is Elastic Cloud Server (ECS)?
⚫ An ECS is a basic computing unit that consists of vCPUs, memory, an OS, and Elastic Volume
Service (EVS) disks. After an ECS is created, you can use it on the cloud similarly to how you
would use your local computer or physical server.

[Figure: an ECS consists of vCPUs, memory, a disk, a NIC, and an image, and is attached to a network.]

• An ECS is a computer system that has complete hardware, operating system, and
network functions and runs in a completely isolated environment.

• ECS has the following advantages:
 ▫ A variety of specifications to choose from: Different ECS types are available for different applications. There are multiple, customizable specifications for each type.
▫ A wide range of available images: Public, private, and shared images can be
selected.
▫ Different types of EVS disks: Common I/O, high I/O, general-purpose SSD,
and ultra-high I/O EVS disks are available for different service requirements.
▫ Flexible billing: Yearly/monthly and pay-per-use billing modes are available
for different applications. You can purchase and release resources as service
levels fluctuate.
▫ Reliable data: Virtual block storage based on a distributed architecture
provides robust throughput that is scalable and reliable.
▫ Security: The network is isolated from viruses and Trojans by security group
rules. Security services, such as Anti-DDoS, Web Application Firewall and
Vulnerability Scan Service are also available to protect your ECSs.
▫ Flexible, easy-to-use: Elastic computing resources are automatically
adjusted based on service requirements and policies to efficiently meet
service requirements.
▫ Highly efficient O&M: Multi-choice management via the management
console, remote access, and APIs with full management permissions.
▫ Cloud monitoring: Cloud Eye monitors your ECSs in real time, generating
alarms and sending notifications when it detects abnormal metrics.
▫ Load balancing: Elastic Load Balance automatically distributes traffic to
multiple ECSs to keep the loads on the servers balanced. It improves the
fault tolerance of your applications and enhances application capabilities.
ECS Advantages

[Figure: four advantage areas of ECS.]
Scalability
⚫ Automatic adjustment of compute resources
⚫ Flexible adjustment of ECS configurations
⚫ Flexible billing modes
Hardware and Software
⚫ Professional hardware devices
⚫ Virtual resources accessible anytime, anywhere
Reliability
⚫ A variety of EVS disk types
⚫ Reliable data
⚫ Backup and restoration of ECSs and EVS disks
Security
⚫ A range of security services available for multi-dimensional protection
⚫ Security evaluation
⚫ Intelligent process management
⚫ Vulnerability scans

• Reliability
 ▫ A variety of EVS disk types: Common I/O, high I/O, ultra-high I/O, general purpose SSD, and extreme SSD disks are available for different service requirements.
 ▫ Reliable data: Scalable, reliable, high-throughput virtual block storage is based on a distributed architecture. This architecture ensures that data can be quickly migrated or restored, if necessary, which means you will not lose your data as the result of a single hardware fault.
 ▫ Backup and restoration of ECSs and EVS disks: You can configure backup policies on the management console or use an API to back up ECSs and EVS disks periodically or at a specified time.
• Security Protection
 ▫ A range of security services provide multi-dimensional protection: Security services, such as Web Application Firewall and Vulnerability Scan Service, are available to protect your ECSs.
 ▫ Security evaluation: The security of cloud environments is evaluated to help you quickly detect security vulnerabilities and threats. Security configurations are reviewed and suggestions are provided on how to improve system security. Actions are recommended to reduce or avoid altogether potential losses resulting from viruses or other malicious attacks.
• Hardware and Software
 ▫ Professional hardware devices: ECSs are equipped with professional hardware devices and can be optimized for virtualization. Users do not need to build their own equipment rooms.
 ▫ Virtual resources can be obtained at any time from the virtual resource pool and used exclusively. ECSs can be used on the cloud like local PCs, ensuring reliable, secure, flexible, and efficient application environments.
• Scalability
 ▫ Automatic scaling of computing resources: Based on the monitoring data of the scaling group, ECSs are dynamically added or deleted according to the running status of applications.
 ▫ Scheduled scaling: Based on service expectations and operation plans, you can customize scheduled and periodic policies to automatically add or delete ECS instances on time.
 ▫ ECS configuration specifications and bandwidth can be flexibly adjusted based on service requirements.
 ▫ Flexible billing modes: yearly/monthly, pay-per-use, and spot price ECSs can be purchased and released at any time based on service fluctuation.
ECS Architecture


• ECS works with other products and services to provide computing, storage,
network, and image installation functions.

▫ ECSs are deployed in multiple Availability Zones (AZs) connected with each
other through an intranet. If an AZ becomes faulty, other AZs in the same
region will not be affected.

▫ With the Virtual Private Cloud (VPC) service, you can build a dedicated
network, configure subnets and security groups, and allow the VPC to
communicate with the external network through an EIP with bandwidth
assigned.

▫ With the Image Management Service (IMS), you can create images for ECSs,
or create ECSs using private images for rapid service deployment.

▫ EVS provides storage and Volume Backup Service (VBS) provides data
backup and recovery functions.

▫ Cloud Eye is a key service to help ensure ECS performance, reliability, and
availability. You can use Cloud Eye to monitor ECS resource usage.

▫ Cloud Backup and Recovery (CBR) backs up data for EVS disks and ECSs
and creates snapshots in case you need to restore them.
Purchasing an ECS

[Figure: purchase workflow] Start → Configure basic settings → Configure network → Configure advanced settings → Confirm the configurations and buy the ECS → End
⚫ Basic settings: Billing Mode, Region, AZ, CPU Architecture, Specifications, Image, Host security, System Disk
⚫ Network: Network, Security Group, EIP
⚫ Advanced settings: ECS Name, Login Mode, Cloud Backup and Recovery, ECS Group, Advanced Options
⚫ Confirmation: Confirm the configurations and buy the ECS.

• Select a billing mode, yearly/monthly or pay-per-use.
 ▫ You can purchase a yearly/monthly ECS subscription and enter your required duration. Yearly/monthly subscriptions are pre-paid, using a single, lump sum payment.
 ▫ If you choose pay-per-use billing, you do not need to choose a required duration. Pay-per-use usage is postpaid.

• Select required specifications: HUAWEI CLOUD provides various ECS types for you
to select based on different applications. You can view the available ECS types
and specifications in the list. Alternatively, you can enter a flavor (such as c3) or
search for a flavor by vCPU and memory.

• Set Network by selecting an available VPC and subnet from the drop-down list,
and specifying a private IP address assignment mode. You can also create a VPC
if needed. VPC provides a network, including subnets and security groups, for an
ECS.

• Set EIP. If you want the ECS to connect to the Internet, it needs to have an EIP
bound.

• Set Login Mode. Key pair is recommended because key pair authentication is
more secure than using a password.
Configuring Basic Settings
⚫ Set Billing Mode, Region, AZ, CPU Architecture, and Specifications.


• Configure basic settings
 ▫ Billing Mode: An ECS can be billed on a pay-per-use, yearly/monthly, or spot price basis. For yearly/monthly subscriptions, the longer the subscription, the more you save.
 ▫ Region and AZ: ECSs in different regions cannot communicate with each other over an intranet. Select a region closest to your target users to ensure low network latency and quick access.
 ▫ CPU Architecture: x86-based CPUs use Complex Instruction Set Computing (CISC). Kunpeng CPUs use Reduced Instruction Set Computing (RISC).
 ▫ Specifications: Select a flavor and image based on service requirements.
• The central processing unit (CPU) is mainly composed of three parts: the arithmetic unit, the controller, and the registers. The arithmetic unit performs the operations. The controller issues the control information required by each instruction the CPU executes. The registers store temporary data for operations or instructions, which allows higher speed.
• The CPU architecture is a specification defined by the CPU vendor for CPU products of the same series. Its main purpose is to distinguish different types of CPUs.
• Complex instruction set computer (CISC) CPUs: Intel, AMD
• Reduced instruction set computer (RISC) CPUs: IBM, ARM
• CISC has strong compatibility and a large variety of instructions of variable length, and is implemented by microprogramming. RISC, on the other hand, has few instructions that are used with similar frequency, and is mainly implemented in hardware (general-purpose registers, hard-wired logic control).
Billing Mode
⚫ Yearly/Monthly
 A prepaid billing mode that is cost-effective for long-term use.
⚫ Pay-per-Use
 A postpaid billing mode in which an ECS is billed based on usage frequency and duration.
⚫ Spot Price
 Spot price ECSs are billed based on the market price, which varies according to changes in supply and demand.

• Yearly/Monthly: The ECS will be billed based on the service duration. This cost-
effective mode is ideal when the duration of ECS usage is predictable.

• Pay-per-use: The ECS will be billed based on usage frequency and duration. This
mode is ideal when you want more flexibility and control on ECS usage.

• Spot price: The ECS will be billed based on the price that is effective for the time
it is being used. This mode is more cost-effective than pay-per-use, and the spot
price will be adjusted based on supply-and-demand changes.
Region
⚫ Regions are divided based on geographical location and network latency. Public services,
such as ECS, EVS, OBS, VPC, EIP, IMS, are shared within the same region.
⚫ It is recommended that you select the closest region for lower network latency and quick
access.

• A region can be regarded as a large independent data center, which is divided by geographical location. Intranets in different regions are not connected.
• Huawei Cloud provides services in many regions around the world. You can select a region and an AZ based on requirements. For more information, see https://www.huaweicloud.com/intl/en-us/global/.
• Regions are classified into universal regions and dedicated regions. A universal region provides universal cloud services for common tenants. A dedicated region provides specific services for specific tenants.
• If your target users are in Asia Pacific (excluding the Chinese mainland), select the CN-Hong Kong, AP-Bangkok, or AP-Singapore region.
• If your target users are in Africa, select the AF-Johannesburg region.
• If your target users are in Latin America, select the LA-Santiago region. The LA-Santiago region is located in Chile.
• Resource prices may vary in different regions.
• https://www.huaweicloud.com/intl/en-us/
Availability Zone
⚫ An AZ contains one or more physical data centers. Each AZ has independent cooling,
fire extinguishing, moisture-proof, and electricity facilities. Within an AZ, computing,
network, storage, and other resources are logically divided into multiple clusters.

[Figure: HUAWEI CLOUD has multiple regions (Region 1, Region 2), and each region contains multiple AZs (AZ 1, AZ 2, AZ 3).]

• AZs within a region are interconnected using high-speed optical fibers, to support cross-AZ high-availability systems.
• When deploying resources, consider your applications' requirements on disaster recovery (DR) and network latency.
 ▫ For high DR capability, deploy resources in different AZs within the same region.
 ▫ For lower network latency, deploy resources in the same AZ.
• A region has multiple equipment rooms, and each equipment room is an AZ. A region can have multiple AZs, and an AZ can belong to only one region. AZs are independent of each other; for example, each has an independent network and a separate power supply system.
• In addition, AZs in each region can communicate with each other. Although each AZ has its own independent network (in the HA layer), they can communicate with each other at the network layer.
Relationship Between Regions and AZs

[Figure: tenant view: public cloud → region → AZ → VM. Physical view: public cloud → region → AZ → DC → pod. AZs within a region are connected by a low-latency, high-speed network; regions are connected by a high-latency, low-speed network.]

Region
 Definition: Users can select low-latency cloud data centers nearby, avoiding long-distance physical transmission delay.
 Network characteristics: The network latency to the nearest region is less than or equal to 100 ms. Inter-region network latency is greater than 10 ms, and intra-region network latency is 1–10 ms.

AZ
 Definition: Physically isolated resource areas. Different AZs have independent wind, fire, and water resources.
 Network characteristics: The network latency in an AZ is less than 1 ms. Storage in an AZ can be shared. The distance between AZs ranges from 30 km to 200 km.

DC
 Definition: A data center with the concept of a physical location. A single DC can carry one or more sites. A single DC can have one or more Layer 2 networks.
 Network characteristics: Not visible to tenants. Currently, an AZ has only one DC and supports multiple DCs. The Layer 2 network latency in a DC is equivalent to that in an AZ. The Layer 3 network latency in a DC is equivalent to the latency in a region.

• A DC is the infrastructure of the public cloud domain.
• A pod is a virtualization platform management resource pool, that is, an independent cloud platform software instance. Pods are invisible to tenants. A pod contains 512 servers, which will be expanded to 1024 servers in the future. If a pod is located on a Layer 2 network, the network latency is equivalent to that of the AZ.
Specifications
⚫ ECS specifications refer to ECS configurations, including the CPU, memory, bandwidth, disk, and OS.
⚫ Flavor names follow the format AB.C.D, for example s2.medium.4 (type s, generation 2, size medium, memory/vCPU ratio 4).
⚫ AB indicates the ECS type and type ID.
 A specifies the ECS type.
 ◼ Kunpeng flavor names start with letter k. For example, kc indicates Kunpeng general computing-plus.
 B specifies the type ID (generation).
⚫ C specifies the flavor size (the number of vCPUs), such as small, medium, large, xlarge, 2xlarge, 4xlarge, and 8xlarge.
⚫ D specifies the ratio of memory to vCPUs and is expressed as a digit. For example, value 4 indicates that the ratio of memory to vCPUs is 4.

• A: For example, s indicates a general-computing ECS, c indicates a general computing-plus ECS, and m indicates a memory-optimized ECS.
• B: For example, 1 in s1 indicates the first-generation general-computing ECS, and 2 in s2 indicates the second-generation general-computing ECS. Generally, a larger number indicates a newer generation, which is more cost-effective. For example, compared with s1 and s2, s6 is more cost-effective.
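As an added example (not code from the training material), the following Python parses an AB.C.D flavor name into its fields and derives the vCPU count and memory size. The size-to-vCPU mapping (medium = 1, large = 2, xlarge = 4, Nxlarge = 4N) and the letter meanings beyond s, c, and m are this example's assumptions, not something the slide states.

```python
import re
from dataclasses import dataclass

# Meaning of the type letter (A) as given on the slide; other letters exist.
TYPE_NAMES = {
    "s": "general computing",
    "c": "general computing-plus",
    "m": "memory-optimized",
}

# Assumed vCPU count per flavor size name (C). The slide only says that C
# encodes the size; these numbers are an assumption of this example.
BASE_VCPUS = {"small": 1, "medium": 1, "large": 2, "xlarge": 4}

FLAVOR_RE = re.compile(
    r"^(?P<kunpeng>k?)(?P<type>[a-z]+?)(?P<gen>\d+)"   # AB: type letter(s) + generation
    r"\.(?P<size>(?:\d+)?x?large|small|medium)"        # C: flavor size
    r"\.(?P<ratio>\d+)$"                               # D: memory/vCPU ratio
)


@dataclass(frozen=True)
class Flavor:
    name: str
    kunpeng: bool
    type_letter: str
    type_name: str
    generation: int
    size: str
    vcpus: int
    ratio: int

    @property
    def memory_gib(self) -> int:
        # D is the memory-to-vCPU ratio, so memory = vCPUs x ratio.
        return self.vcpus * self.ratio


def size_to_vcpus(size: str) -> int:
    """Map a size name to a vCPU count (assumed mapping, see BASE_VCPUS)."""
    if size in BASE_VCPUS:
        return BASE_VCPUS[size]
    m = re.fullmatch(r"(\d+)xlarge", size)
    if not m:
        raise ValueError(f"unknown flavor size: {size}")
    return BASE_VCPUS["xlarge"] * int(m.group(1))  # 2xlarge -> 8, 4xlarge -> 16


def parse_flavor(name: str) -> Flavor:
    """Split an AB.C.D flavor name such as s2.medium.4 or kc1.2xlarge.2."""
    norm = name.strip().lower()
    m = FLAVOR_RE.match(norm)
    if not m:
        raise ValueError(f"not an AB.C.D flavor name: {name!r}")
    t = m.group("type")
    return Flavor(
        name=norm,
        kunpeng=m.group("kunpeng") == "k",
        type_letter=t,
        type_name=TYPE_NAMES.get(t, "unknown type"),
        generation=int(m.group("gen")),
        size=m.group("size"),
        vcpus=size_to_vcpus(m.group("size")),
        ratio=int(m.group("ratio")),
    )


def describe(name: str) -> str:
    """Human-readable summary of a flavor name."""
    f = parse_flavor(name)
    arch = "Kunpeng" if f.kunpeng else "x86"
    return (f"{f.name}: {arch} {f.type_name}, generation {f.generation}, "
            f"{f.vcpus} vCPU(s), {f.memory_gib} GiB memory (ratio {f.ratio})")


if __name__ == "__main__":
    for n in ("s2.medium.4", "c3.large.2", "kc1.2xlarge.2"):
        print(describe(n))
```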
Configuring Network
⚫ Select a VPC, subnet, and security groups for the ECS.


• VPC: A Virtual Private Cloud (VPC) is a logically isolated virtual network. You can
create subnets, configure route tables, assign EIPs, and implement access control
through security groups and network ACLs.

• Subnet: Subnets are logical subdivisions in your VPC. Each subnet is a unique
CIDR block with a range of IP addresses.

• Network Interfaces: A network interface is a virtual network card. You can create
network interfaces and attach them to your ECSs for flexible and highly available
network configurations.

• Source/destination check ensures that the ECS processes only traffic that is destined specifically for it. This function is enabled by default but should be disabled if the ECS functions as an SNAT server or has a virtual IP address bound to it. Source/destination check is not applied to existing NICs; it is only applied to NICs created together with the ECS.

• Create a security group with inbound and outbound rules to control traffic to and
from the ECSs in the security group.

• An EIP bound to an ECS enables the ECS to access the Internet. EIP bandwidth
can be modified at any time.
Configuring Advanced Settings
⚫ Set ECS Name, Login Mode, Cloud Backup and Recovery, ECS Group, and Advanced
Options.


• The advanced configurations of the ECS include:

▫ ECS Name: It can be customized but must comply with the naming rules. If
multiple ECSs are purchased at a time, the system automatically sequences
these ECSs.

▫ Login Mode:

▪ Key pair: You use a key pair for login authentication.

▪ Password: You use a username and its initial password for ECS
authentication. For Linux ECSs, the initial password is the root
password. For Windows ECSs, it is the Administrator password.

▫ Cloud Backup and Recovery: With CBR, you can back up data for EVS disks
and ECSs, and use backups to restore the EVS disks and ECSs if something
happens.

▫ ECS Group (Optional): An ECS group applies the anti-affinity policy to the
ECSs in it so that the ECSs are automatically allocated to different hosts.

▫ Advanced Options is optional.


ECS Group
⚫ An ECS group allows ECSs within the group to be automatically allocated to different hosts.

[Figure: anti-affinity. The members of ECS group 1, ECS group 2, and ECS group 3 are each spread across Physical host 1, Physical host 2, and Physical host 3.]

• An ECS group logically groups ECSs. ECSs in an ECS group comply with the same
policy associated with the ECS group.

• If an ECS is associated with an anti-affinity policy, ECSs added to the ECS group
are deployed on different hosts for higher reliability.
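The following Python is an added example, not HUAWEI CLOUD's own scheduler: it places the members of each ECS group on distinct hosts (the anti-affinity policy described above) and audits an existing placement, for instance one exported from an inventory, for violations. Group, ECS, and host names are constructed sample data.

```python
from collections import defaultdict


def place_with_anti_affinity(ecs_groups, hosts):
    """Assign every ECS to a host so that no two ECSs of the same ECS group
    share a host.

    ecs_groups: {group name: [ECS names]}; hosts: list of physical hosts.
    Returns {ecs: host}. Raises ValueError when a group has more members than
    there are hosts, because anti-affinity cannot be satisfied then.
    """
    if not hosts:
        raise ValueError("no hosts available")
    load = {h: 0 for h in hosts}          # ECSs already placed on each host
    placement = {}
    for group, members in ecs_groups.items():
        if len(members) > len(hosts):
            raise ValueError(
                f"ECS group {group!r} has {len(members)} ECSs "
                f"but only {len(hosts)} hosts are available")
        used = set()                      # hosts already taken by this group
        for ecs in members:
            # Least-loaded host not yet used by this group (ties: host order).
            host = min((h for h in hosts if h not in used),
                       key=lambda h: (load[h], hosts.index(h)))
            placement[ecs] = host
            used.add(host)
            load[host] += 1
    return placement


def anti_affinity_violations(placement, ecs_groups):
    """Audit an existing {ecs: host} placement and return a list of
    (group, host, [ecs, ...]) tuples where two or more ECSs of one group
    sit on the same host, i.e. a single host failure would take down
    several members of the group."""
    violations = []
    for group, members in ecs_groups.items():
        by_host = defaultdict(list)
        for ecs in members:
            if ecs in placement:          # unplaced ECSs are skipped
                by_host[placement[ecs]].append(ecs)
        for host, ecss in sorted(by_host.items()):
            if len(ecss) > 1:
                violations.append((group, host, ecss))
    return violations


if __name__ == "__main__":
    # Constructed sample data.
    groups = {"web-group": ["web-1", "web-2", "web-3"],
              "db-group": ["db-1", "db-2"]}
    hosts = ["host1", "host2", "host3"]
    placement = place_with_anti_affinity(groups, hosts)
    print(placement)
    print("violations:", anti_affinity_violations(placement, groups))
```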
Access Methods
⚫ HUAWEI CLOUD provides a web-based management platform. You can access ECSs through the management console or HTTPS-based REST APIs.
 API: Use an API if you need to integrate the ECSs into a third-party system for secondary development.
 Management Console: After registering on HUAWEI CLOUD, log in to the management console and click Elastic Cloud Server under Compute on the homepage.

• You can also access your ECSs using SDKs.


Logging In to a Windows ECS
⚫ Select a login method and log in to the ECS.

[Figure: login paths. Password-authenticated ECS → VNC, RDP, MSTSC, mobile terminal, or Mac. Key-pair-authenticated ECS → decrypt the key file to obtain a password, then use the same methods.]

• Select a login method and log in to the Windows ECS.
 ▫ Through the management console (VNC): The login username is Administrator.
 ▫ Using the RDP file provided on the management console: The login username is Administrator, and the ECS must have an EIP bound.
 ▫ Using MSTSC: The login username is Administrator, and the ECS must have an EIP bound.
 ▫ From a mobile terminal: The login username is Administrator, and the ECS must have an EIP bound.
 ▫ From a Mac: The login username is Administrator, and the ECS must have an EIP bound.
• For more login methods, visit https://support.huaweicloud.com/intl/en-us/usermanual-ecs/en-us_topic_0092494943.html.
Logging In to a Linux ECS
⚫ The method of logging in to an ECS varies depending on the login authentication configured when you purchased the ECS.

[Figure: login paths. Password-authenticated ECS → VNC + password, SSH password + EIP, or mobile terminal. Key-pair-authenticated ECS → SSH key + EIP.]

• To log in to Linux ECS using a password for the first time, you can log in as root:

▫ Through the management console (VNC).

▫ Using an SSH password, as long as the ECS has an EIP bound.

▫ From a mobile terminal, as long as the ECS has an EIP bound.


Reinstalling/Changing an ECS OS
⚫ Scenarios: If the OS of an ECS fails to start, requires optimization, or cannot meet
service requirements, reinstall or change the OS.

Notes
• Only the original image of the ECS can be used to reinstall the OS.
• Changing the OS will change the system disk of the ECS. After the
change, there will be a new system disk ID, and the original system
disk will be gone.


• Procedure

▫ Log in to the management console.

▫ Click the map icon in the upper left corner and select the desired region
and project.

▫ Under Compute, select Elastic Cloud Server.

▫ Locate the row containing the target ECS. Click More in the Operation
column and select Manage Image/Disk > Reinstall OS. Before reinstalling
the OS, stop the ECS or select Automatically stop the ECSs and then
reinstall OSs.

▫ Configure the login mode. If the target ECS used key pair authentication,
you can replace the original key pair.
Modifying ECS Specifications
⚫ If the specifications of an existing ECS cannot meet service requirements, modify the
ECS specifications as needed, for example, by increasing the number of vCPUs or
adding memory.
⚫ Notes
 To modify the specifications of a yearly/monthly ECS, select the target specification, pay
the difference in price or claim the refund, and restart the ECS.
 There is no need to make an additional up front payment and there are no refunds if you
modify the specifications of a pay-per-use ECS.


• When changing the ECS Specification, you cannot select the CPU and memory
resources that have been sold out.

• If the ECS specification (CPU or memory) decreases, the ECS performance will be
affected.

• If the EVS disk status is Expanding, the ECS specifications cannot be modified.
Resetting the ECS Login Password
⚫ Scenarios: The ECS password is lost or has expired.
⚫ Prerequisites: One-click password reset plug-ins have been installed on the ECS.
⚫ Notes: ECSs created using a public image have the one-click password reset plug-in installed
by default.


• Plug-in name: CloudResetPwdAgent and CloudResetPwdUpdateAgent.

• After installing the one-click password reset plug-ins, do not delete the
CloudResetPwdAgent or CloudResetPwdUpdateAgent process, or one-click
password reset will not be supported.
Scenarios – Internet
⚫ Application Scenarios: Website R&D and testing, and small-scale databases
⚫ Recommended ECS: General-computing ECSs and general computing-plus ECSs
⚫ Recommendation Reasons
 Requirements: To minimize upfront deployment and O&M costs, applications need to be deployed on only one or just a few servers. There are no special requirements for CPU performance, memory, disk capacity, or bandwidth, but strong security and reliability are required.
 Solution: General-computing ECSs provide a balance of compute, memory, and network resources. They are appropriate for medium-workload applications and meet the cloud service needs of both enterprises and individuals.

[Figure: an ELB distributing traffic to several ECSs inside a VPC.]

• General-computing ECSs provide a balance of compute, memory, and network resources and a baseline level of vCPU performance with the ability to burst above the baseline. These ECSs are suitable for many applications, such as web servers, enterprise development, and small databases.
• General computing-plus ECSs use dedicated vCPUs to deliver powerful performance. In addition, the ECSs use latest-generation network acceleration engines and Data Plane Development Kit (DPDK) to provide high network performance.
Scenarios – E-Commerce
Application Scenarios
Precision marketing, e-commerce, and mobile apps
Recommended ECS
Memory-optimized ECSs
Recommendation Reasons
⚫ Requirements: a large amount of memory, rapid processing of large volumes of data, and fast network access
⚫ Solution: memory-optimized ECSs, which feature a large amount of memory, ultra-high I/O EVS disks, and appropriate bandwidths
(Figure: an ELB in front of a VPC containing several ECSs.)
• Memory-optimized ECSs have a large memory size and provide high memory performance. They are designed for memory-intensive applications that involve a large amount of data, such as precision advertising, e-commerce big data analysis, and IoV big data analysis.
• E-commerce presents special challenges.
▫ Sudden Traffic Surges: Access traffic can surge to hundreds of times normal levels during promotions, flash sales, and sweepstakes. Servers become overloaded and e-commerce platforms may even crash.
▫ Poor User Experience: Massive amounts of static content, such as product pictures and videos, are usually stored on the application servers themselves, which makes page loading slow and serving that content time-consuming and costly. Users in different network environments may experience delayed access to such data, resulting in poor user experience.
▫ Lack of Proper Analytics: Without big data platforms and analysis tools, existing customer, financial product, and transaction data cannot be effectively analyzed. As a result, promotion spending stays high while the repeat-order rate stays low.
▫ Security: E-commerce enterprises have to deal with risks at every stage of the customer journey: traffic diversion, registration and login, browsing and comparison, preference collection, ordering, payment, delivery, and review. Typical threats include credential stuffing, scalper bots, web page tampering, DDoS attacks, data breaches, and Trojans.
Contents

1. Elastic Cloud Server (ECS)

2. Image Management Service (IMS)

3. Auto Scaling (AS)

4. Bare Metal Server (BMS)

5. Cloud Container Engine (CCE)

6. Other Compute Services

What Is IMS?
⚫ Image Management Service (IMS) allows you to manage the entire lifecycle of your images. You can create ECSs or BMSs from public, private, or shared images. You can also create a private image from a cloud server or an external image file, which makes it easier to migrate workloads to the cloud or between resources within the cloud.

• An image is a server or disk template that contains an operating system (OS), service data, and necessary application software, such as database software. IMS provides public, private, Marketplace, and shared images.
Why IMS?
Secure
⚫ Multiple copies of our images ensure high data reliability.
Saving Time and Effort
⚫ You can create a private image from an ECS or an external image file, and use an existing image to create ECSs.
Unified
⚫ Images can be used to uniformly deploy or upgrade applications, ensuring consistency of your application environments.
Flexible
⚫ Images can be easily managed through the management console or APIs.

• Saving Time and Effort
▫ Deploying services on cloud servers is much faster and easier when you use images.
▫ A private image can be created from an ECS, a BMS, or an external image file. It can be a system disk, data disk, or full-ECS image, whichever suits your needs.
▫ Private images can be transferred between accounts, regions, or cloud platforms through image sharing, replication, and export.

• Secure
▫ Public images use Huawei EulerOS and mainstream OSs such as Ubuntu, Windows Server, and CentOS. These OSs have been thoroughly tested to provide secure and stable services.
▫ Multiple copies of image files are stored on Object Storage Service (OBS), which provides excellent data reliability and durability.
▫ Private images can be encrypted for data security using the envelope encryption provided by Key Management Service (KMS): the image is encrypted with a data encryption key, and that key is in turn encrypted with a KMS master key, so the master key is never exposed alongside the image data.

• Flexible
▫ You can manage images through the management console or using APIs.
▫ You can use a public image to deploy a general-purpose environment, or use a private image or Marketplace image to deploy a custom environment.
▫ You can use IMS to migrate servers to the cloud or within the cloud, and to back up server running environments.

• Unified
▫ IMS provides a self-service platform to simplify image management and maintenance.
▫ IMS allows you to batch deploy and upgrade application systems, improving O&M efficiency and ensuring consistency.
▫ Public images comply with industry standards. Preinstalled components are limited to clean installs, and only kernels from well-known vendors are used, which makes it easier to transfer images to or from other cloud platforms.
Image Types
⚫ A public image is a standard image provided by
the cloud platform. It contains an OS and various
preinstalled applications, and is available to all
users.
⚫ A private image is created by users and is visible
only to the user who created it.
⚫ A shared image is a private image another user
has shared with you.
⚫ A Marketplace image is a third-party image
published in the Marketplace. It has an OS,
various applications, and custom software
preinstalled.


• Public image: A public image is a standard image provided by the cloud platform
and is available to all users. It contains an OS and various preinstalled public
applications. If a public image does not contain the application environment or
software you need, you can use a public image to create an ECS and then install
the software you need. Public images include the following OSs to choose from:
Windows, CentOS, Debian, openSUSE, Fedora, Ubuntu, EulerOS, and CoreOS.
When you use certain public images, the system recommends the Host Security
Service (HSS) and server monitoring. HSS supports two-factor authentication for
logins, defense against account cracking, and weak password detection to protect
your ECSs against brute force attacks.

• Private image: A private image is only available to the user who created it. It contains an OS, service data, preinstalled public applications, and custom applications that the image creator added. A private image can be a system disk image, data disk image, or full-ECS image.
▫ A system disk image contains an OS and pre-installed software for various services. You can use a system disk image to create ECSs and migrate your services to the cloud.
▫ A data disk image contains only service data. You can use a data disk image to create EVS disks and use them to migrate your service data to the cloud.
▫ An ISO image is created from an external ISO image file. It is a special image that is not available on the ECS console.
▫ A full-ECS image contains an OS, pre-installed software, and service data.

• Shared image: A shared image is a private image another user has shared with you.

• Marketplace image: A Marketplace image is a third-party image published in the Marketplace. It has an OS, application environment, and software pre-installed. You can use these images to deploy websites and application development environments in just a few clicks. No additional configuration is required. Marketplace images are provided by service providers who have extensive experience configuring and maintaining cloud servers. All the images are thoroughly tested and have been approved by HUAWEI CLOUD before being published.
Creating a Private Image
⚫ Creating a system disk image from a Windows ECS
⚫ Creating a system disk image from a Linux ECS
⚫ Creating a full-ECS image from an ECS
⚫ Creating a full-ECS image from a CSBS backup
⚫ Creating a data disk image from an ECS
⚫ Creating a Windows system disk image from an external image file
⚫ Creating a Linux system disk image from an external image file
⚫ Creating a data disk image from an external image file
⚫ ...

• You can use an ECS or an external image file to create an ECS private image.
• You can also:
▫ Use an ISO file to create an ECS system disk image.
▫ Use a CBR backup to create a full-ECS image.
▫ Use a BMS to create a system disk image.


Common IMS Operations
⚫ Modifying an Image
 You can modify the following information of an image: name, description, minimum memory, maximum memory, NIC multi-queue, and SR-IOV driver.
⚫ Sharing Images
 You can share your images with other tenants. The tenants can use the shared images to quickly create identical ECSs or EVS disks.
⚫ Exporting Images
 You can export private images to your OBS bucket and download them to your local PC for backup.
 By exporting an image of a cloud server from the cloud platform, you can reproduce the cloud server and its running environment in on-premises clusters or private clouds. The following figure shows the process of exporting an image.
⚫ Image Replication
 In-region replication: This is used for conversion between encrypted and unencrypted images or for enabling advanced features (such as fast ECS creation) for images.
 Cross-region replication: This is used for replicating a private image in the current region to the same account in another region. You can use this private image to deploy the same application environment in the two regions.

• You can modify the following attributes of a private image: Name, Description, Minimum Memory, Maximum Memory, NIC Multi-Queue (NIC multi-queue lets multiple vCPUs process NIC interrupts, balancing the load), Boot Mode, and SR-IOV Driver (after the SR-IOV driver is installed on an image, the network processing performance of the ECS is greatly improved).
Encrypting an Image
⚫ You can create an encrypted image to securely store data.
⚫ Encrypted images cannot be shared with other users or published in the Marketplace.
⚫ The system disk of an ECS created from an encrypted image is also encrypted, and its key is the same as the image key.
⚫ If an ECS has an encrypted system disk, private images created from the ECS are also encrypted.
Scenarios - Migrating Servers to the Cloud or in the Cloud
Recommendation Reasons
You can import local images to the cloud platform and use the images to quickly create cloud servers for service migration to the cloud. You can also share or replicate images across regions to migrate ECSs between accounts and regions.

• A variety of image formats can be imported, including VMDK, VHD, QCOW2, RAW, VHDX, QED, VDI, QCOW, ZVHD2, and ZVHD. Image files in other formats need to be converted to one of these formats before being imported. You can use the open-source tool qemu-img or the Huawei tool qemu-img-hw to convert the image.

• https://support.huaweicloud.com/intl/en-us/productdesc-ims/ims_01_0001.html
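The conversion step above assumes you already know what format a file really is. The script below is an added example written for this page (it is not part of the training material and not a Huawei tool): it sniffs the magic bytes of the formats IMS accepts and builds an explicit qemu-img command line with the source format pinned by -f, so a mislabelled or deliberately crafted upload is rejected before it is converted or imported. The function names, the IMS_FORMATS set and the sample byte strings are the example's own. RAW carries no signature and must be declared by the operator; ZVHD and ZVHD2 are Huawei formats handled by qemu-img-hw and are not detected here.

```python
"""Sniff a VM image's on-disk format before importing it into IMS.

Added example for this page (not from the training material, not a Huawei
tool). It reads the magic bytes of the formats IMS accepts (QCOW/QCOW2, VMDK,
VHD, VHDX, QED, VDI) and builds an explicit qemu-img command line, so a
mislabelled or crafted upload is caught before it is converted or imported.
RAW has no signature and must be declared by the operator; ZVHD/ZVHD2 are
Huawei formats handled by qemu-img-hw and are not sniffed here.
"""
from __future__ import annotations

import struct
from typing import List, Optional

# qemu-img driver names of the IMS-importable formats (qemu calls VHD "vpc").
IMS_FORMATS = {"vmdk", "vpc", "qcow2", "raw", "vhdx", "qed", "vdi", "qcow"}

# (signature at offset 0, qemu-img driver name)
_MAGIC_AT_START = (
    (b"QFI\xfb", "qcow"),                 # QCOW family; version is a big-endian u32 at offset 4
    (b"KDMV", "vmdk"),                    # VMDK sparse extent header
    (b"# Disk DescriptorFile", "vmdk"),   # VMDK plain-text descriptor
    (b"vhdxfile", "vhdx"),
    (b"QED\x00", "qed"),
    (b"conectix", "vpc"),                 # dynamic VHDs mirror the footer cookie at offset 0
)
_VDI_SIGNATURE = 0xBEDA107F               # little-endian u32 at offset 0x40


def sniff_format(head: bytes, tail: bytes = b"") -> Optional[str]:
    """Return the qemu-img driver name for the image, or None if unrecognised.

    head: the first 68 or more bytes of the file; tail: its last 512 bytes
    (a fixed-size VHD carries its "conectix" cookie only in that footer).
    """
    for magic, fmt in _MAGIC_AT_START:
        if head.startswith(magic):
            if fmt == "qcow":
                version = struct.unpack(">I", head[4:8])[0] if len(head) >= 8 else 0
                return "qcow" if version == 1 else "qcow2"
            return fmt
    if len(head) >= 0x44 and struct.unpack_from("<I", head, 0x40)[0] == _VDI_SIGNATURE:
        return "vdi"
    if tail[:8] == b"conectix":
        return "vpc"
    return None


def sniff_file(path: str) -> Optional[str]:
    """Read only the bytes sniff_format needs, never the whole image."""
    with open(path, "rb") as f:
        head = f.read(4096)
        f.seek(0, 2)
        f.seek(max(0, f.tell() - 512))
        tail = f.read(512)
    return sniff_format(head, tail)


def formats_ok(src_fmt: Optional[str], dst_fmt: str) -> bool:
    """True only when the source was positively identified and the target is importable."""
    return src_fmt is not None and dst_fmt in IMS_FORMATS


def qemu_img_convert_cmd(src: str, dst: str, src_fmt: Optional[str],
                         dst_fmt: str = "qcow2") -> List[str]:
    """Build the qemu-img argv (no shell) for converting src into an importable format.

    -f is always passed. Without it qemu-img probes the format itself, and a
    raw disk whose first sector has been rewritten by its guest to look like a
    qcow2 header would be opened as qcow2, backing-file reference and all.
    """
    if not formats_ok(src_fmt, dst_fmt):
        raise ValueError(f"refusing conversion {src_fmt!r} -> {dst_fmt!r}")
    return ["qemu-img", "convert", "-f", src_fmt, "-O", dst_fmt, src, dst]
```

Run sniff_file() on the uploaded file and pass its result as src_fmt; if it returns None and the operator has not explicitly declared the file as raw, refuse the import instead of letting qemu-img guess. The argv list is meant for subprocess.run() without a shell, so file names containing shell metacharacters cannot alter the command.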
Scenarios - Deploying a Specific Software Environment
Application Scenarios
Deploying a specific software environment
Recommendation Reasons
You can use shared or Marketplace images to quickly build custom software environments without having to manually configure environments or install any software. This is especially useful for Internet startups.
(Figure: an image in IMS carrying an OS, middleware, and an application is used to create ECSs with the same stack.)

• In traditional batch service deployment, you need to evaluate different service scenarios, select an OS, database, and software, and install them. The deployment quality depends on the skills of R&D and O&M personnel.

• On the cloud platform, you can quickly create ECSs by using public, private, Marketplace, or shared images. Public, private, and Marketplace images have been thoroughly tested to ensure security and stability; for a shared image, the one check left to you is to confirm that the account sharing it is one you trust before using it.
Scenarios - Backing Up Server Environments
Application Scenarios
Backing up server environments
Recommendation Reasons
You can create an image from an ECS to back up the ECS. If the ECS breaks down for some reason, you can use the image to restore it.
(Figure: the OS, middleware, application, and data of an ECS are backed up to an image in IMS and restored from it.)

• This is similar to system restoration with Ghost. You can create a Ghost recovery point for your PC. If the PC is infected with a virus or the system breaks down for some reason, you can restore it to the recovery point you created.

• On the public cloud, you can create a private image to back up an ECS. If periodic backup is required, you are advised to use cloud services such as Cloud Server Backup Service (CSBS) and Volume Backup Service (VBS) for the backup.
Contents

1. Elastic Cloud Server (ECS)

2. Image Management Service (IMS)

3. Auto Scaling (AS)

4. Bare Metal Server (BMS)

5. Cloud Container Engine (CCE)

6. Other Compute Services

What Is AS?
⚫ Auto Scaling (AS) automatically adjusts resources to keep up with changes in demand based on pre-configured AS policies. You can specify AS configurations and policies based on service requirements. These configurations and policies free you from having to repeatedly adjust resources to keep up with service changes and spikes in demand, helping you reduce the resources and manpower required.
(Figure: define AS policies and configurations (the ECS specifications, such as vCPUs, memory, and disk), create an AS group, and AS automatically scales the ECSs.)

• Auto Scaling (AS) helps you automatically scale Elastic Cloud Server (ECS) and bandwidth resources to keep up with changes in demand based on pre-configured AS policies. It allows you to add ECS instances or increase bandwidths to handle load increases and also save money by removing resources that are sitting idle.
Why AS?
Automatic resource adjustment
AS automatically adjusts resources on demand for applications.
Enhanced cost management
AS adjusts ECS instances and bandwidths on demand, enabling you to pay for only what you need.
High fault tolerance
AS checks the ECSs powering applications and replaces faulty instances with new ones.
Improved availability
AS ensures that the proper resources are deployed for applications.

• AS advantages:
▫ Automatic resource scaling: AS adds ECS instances and increases bandwidths for your applications when the access volume increases and removes unneeded resources when the access volume drops, ensuring system stability and availability.
▫ Enhanced cost management: AS enables you to use ECS instances and bandwidths on demand by automatically scaling resources for your applications, eliminating waste of resources and reducing costs.
▫ Higher availability: AS ensures that you always have the right amount of resources available to handle the fluctuating load of your applications. When working with ELB, AS automatically associates a load balancing listener with any instances newly added to the AS group. Then, ELB automatically distributes access traffic to all instances in the AS group through the listener, which improves system availability.
▫ High fault tolerance: AS monitors instances in an AS group, and replaces any unhealthy instances it detects with new ones.
AS Architecture
⚫ AS automatically adjusts compute resources based on service demands and configured AS policies. The number of ECS instances changes to match service demands, ensuring service availability.
(Figure: an alarm-based policy fed by Cloud Eye adds ECSs when visits rise from 300 to 1000 and removes them when visits fall back to 300, and raises the bandwidth from 10 Mbit/s to 20 Mbit/s and lowers it again; a scheduled or periodic policy triggers the same scaling at configured times. Scaling is triggered either by alarms on metrics such as vCPUs, memory, disk, or incoming traffic, or by a scheduled or periodic policy.)

• AS allows you to adjust the number of ECSs in an AS group and the bandwidths of the EIPs bound to the ECSs.
▫ Scaling control: You can specify thresholds and schedule when different scaling actions are taken. AS will trigger scaling actions on a repeating schedule, at a specific time, or when configured thresholds are reached.
▫ Policy configuration: You can configure alarm-based, scheduled, and periodic policies as needed.
▫ Alarm-based: You can configure alarm metrics such as vCPU usage, memory usage, disk usage, and inbound traffic.
▫ Scheduled: You can schedule actions to be taken at a specific time.
▫ Periodic: You can configure scaling actions to be taken at scheduled intervals, at a specific time, or within a particular time range.
▫ When Cloud Eye generates an alarm for a monitoring metric, for example, CPU usage, AS automatically increases or decreases the number of instances in the AS group or the EIP bandwidth.
▫ When the configured triggering time arrives, a scaling action is triggered to increase or decrease the number of ECS instances or the bandwidth.
Process of Setting Up AS
1 AS configuration: An AS configuration is a template for the ECS instances in an AS group. It defines the specifications of the instances to be added to the AS group, including the ECS type, vCPUs, memory, image, disk, and login mode.
2 AS group: An AS group is a collection of instances that have the same application scenario. It is the basic unit for starting and stopping AS policies and performing scaling actions.
3 AS policy: AS policies can trigger scaling actions and adjust the number of instances in an AS group. A scaling policy specifies the conditions for triggering a scaling action and the operations to be performed. When the scaling conditions are met, the system automatically triggers a scaling action.
 Alarm policy: when the value of a metric exceeds a threshold, add or remove instances.
 Scheduled policy: at a specified date and time, add or remove instances.
 Periodic policy: daily, weekly, or monthly, add or remove instances.
Scaling action: instances (ecs-as01, ecs-as02, ..., ecs-asN) are added to or removed from the AS group based on the AS policy and the AS configuration.

• AS basic concepts
▫ AS group: An AS group consists of a collection of instances and AS policies that have similar attributes and apply to the same scenario. It is the basis for enabling or disabling AS policies and performing scaling actions.
▫ AS configuration: An AS configuration is a template specifying the specifications of the instances to be added to an AS group. The specifications include the ECS type, vCPUs, memory, image, disk, and login mode.
▫ AS policy: An AS policy can trigger scaling actions to adjust the number of instances in an AS group. An AS policy defines the condition that triggers a scaling action and the operations to be performed. When the triggering condition is met, the system automatically triggers a scaling action.
▫ Scaling action: A scaling action adds instances to or removes instances from an AS group. It keeps the number of instances in an application system equal to the expected number by adding or removing instances when the triggering condition is met, which improves system stability.
▫ Cooldown period: To prevent an alarm policy from being repeatedly triggered for the same event, a cooldown period is used. The cooldown period specifies how long any alarm-triggered scaling action is disallowed after a previous scaling action is complete. The cooldown period does not apply to scheduled or periodic scaling actions.
▫ Bandwidth scaling: AS automatically adjusts a bandwidth based on the configured bandwidth scaling policy. AS can only adjust the bandwidth of pay-per-use EIPs and shared bandwidths. It cannot adjust the bandwidth of yearly/monthly EIPs.
Creating an AS Configuration
⚫ Configuration template options
 Create a specifications template: If you have special requirements on the specifications of the ECSs used for capacity expansion, specify the specifications in a template and use it to create an AS configuration. Then, the specifications will be applied to the ECSs added to the AS group in scaling actions.
 Use specifications of an existing ECS: You can use an existing ECS to quickly create an AS configuration. Then, the specifications of this ECS, such as the vCPUs, memory, image, disk, and ECS type, will be applied to the ECSs added to the AS group in scaling actions.
Creating an AS Group
⚫ An AS group consists of a collection of instances and AS policies that have similar attributes and apply to the same scenario. It is the basis for enabling or disabling AS policies and performing scaling actions.
⚫ AS automatically scales in or out instances or maintains a fixed number of instances in an AS group through scaling actions triggered by configured AS policies.
⚫ When creating an AS group, you need to configure parameters such as Max. Instances, Min. Instances, Expected Instances, and Load Balancing.

• Main parameters for creating an AS group
▫ Multi-AZ Expansion Policy: This parameter is required only when two or more AZs are selected.
▫ Max./Min. Instances: Specify the maximum and minimum numbers of ECS instances in the AS group.
▫ Expected Instances: Specifies the number of ECSs that are expected to run in the AS group. It must lie between the minimum and maximum numbers of instances. Typically, when a service peak is about to arrive, raising Expected Instances lets you quickly provision a large number of ECS instances.
▫ Instance Removal Policy: When instances are automatically removed from your AS group, instances that are not in the currently used AZs are removed first. AS then checks whether instances are evenly distributed across the currently used AZs. If they are not, AS removes instances so as to rebalance the AZs. If they are, AS removes instances following the instance removal policy you configure here.
Creating an AS Policy
⚫ Main parameters: Policy Type and Cooldown Period

• If the service workloads are unpredictable, you can configure alarm-based AS policies. These policies trigger scaling actions based on real-time monitoring data (such as CPU usage) to dynamically adjust the number of instances in the AS group. AS restarts the cooldown period after a scaling action is complete. During the cooldown period, scaling actions triggered by alarms are denied. Scheduled and periodic scaling actions are not affected.
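To make the AS group parameters, the cooldown rule and the AZ-balanced removal policy described above concrete, here is an added Python model of an AS group. It is example code written for this page, not Huawei's AS implementation; the class and function names, the CPU thresholds and the timeline in demo() are the example's own. It keeps the instance count within [min, max], refuses alarm-triggered actions while the cooldown is running but lets scheduled and periodic actions through, restarts the cooldown after every completed action, and drains the AZ holding the most instances first when scaling in.

```python
"""Model of an AS group's scaling decisions.

Added example for this page, not Huawei's AS service code. It encodes the rules
stated in the training material: the instance count stays within [min, max],
an alarm-triggered action is denied while the cooldown period is running,
scheduled and periodic actions are not subject to the cooldown, and scale-in
removes from the AZ holding the most instances so the AZs stay balanced.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AsGroup:
    min_instances: int
    max_instances: int
    cooldown_seconds: int
    azs: List[str]
    instances: Dict[str, str] = field(default_factory=dict)  # instance id -> AZ
    last_action_done_at: float = float("-inf")              # when the cooldown started
    next_id: int = 0

    def count(self) -> int:
        return len(self.instances)

    def per_az(self) -> Dict[str, int]:
        counts = {az: 0 for az in self.azs}
        for az in self.instances.values():
            counts[az] = counts.get(az, 0) + 1
        return counts

    def scale(self, delta: int, now: float, trigger: str) -> int:
        """Apply a scaling action and return the number of instances changed.

        trigger is "alarm", "scheduled" or "periodic"; only alarm-triggered
        actions are refused during the cooldown period.
        """
        if trigger == "alarm" and now < self.last_action_done_at + self.cooldown_seconds:
            return 0
        target = max(self.min_instances, min(self.max_instances, self.count() + delta))
        changed = target - self.count()
        if changed > 0:
            self._add(changed)
        elif changed < 0:
            self._remove(-changed)
        if changed:
            self.last_action_done_at = now   # every completed action restarts the cooldown
        return changed

    def _add(self, n: int) -> None:
        # Place each new instance in the AZ that currently has the fewest.
        for _ in range(n):
            counts = self.per_az()
            az = min(self.azs, key=counts.__getitem__)
            self.instances[f"ecs-as{self.next_id:02d}"] = az
            self.next_id += 1

    def _remove(self, n: int) -> None:
        # Drain the AZ with the most instances first (AZ balancing), oldest first.
        for _ in range(n):
            counts = self.per_az()
            az = max(self.azs, key=counts.__getitem__)
            victim = next(i for i, a in self.instances.items() if a == az)
            del self.instances[victim]


def alarm_policy(group: AsGroup, cpu_usage: float, now: float,
                 high: float = 70.0, low: float = 30.0, step: int = 1) -> int:
    """Alarm-based policy: add `step` instances above `high`, remove `step` below `low`."""
    if cpu_usage > high:
        return group.scale(step, now, "alarm")
    if cpu_usage < low:
        return group.scale(-step, now, "alarm")
    return 0


def demo() -> dict:
    """Walk a group through a timeline (seconds) and report what happened."""
    g = AsGroup(min_instances=2, max_instances=6, cooldown_seconds=300, azs=["az1", "az2"])
    actions = [
        g.scale(2, now=0, trigger="scheduled"),       # bring the group up to 2 instances
        alarm_policy(g, cpu_usage=90, now=400),       # cooldown over: +1 -> 3
        alarm_policy(g, cpu_usage=90, now=500),       # denied: cooldown runs until 700
        g.scale(2, now=500, trigger="scheduled"),     # scheduled ignores the cooldown -> 5
        alarm_policy(g, cpu_usage=10, now=900),       # cooldown over: -1 -> 4
        g.scale(-10, now=2000, trigger="periodic"),   # clamped at the minimum -> 2
    ]
    return {"actions": actions, "count": g.count(), "per_az": g.per_az()}
```

The timeline in demo() shows the two behaviours operators most often trip over: a scheduled action also restarts the cooldown, so an alarm that fires right after it is dropped, and a policy that asks for a change larger than the group can absorb is silently clamped to the min/max bounds rather than rejected.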
Scenarios – Web Applications
Application Scenarios
⚫ E-commerce websites
⚫ Heavy-traffic web portals
Recommendation Reasons
⚫ E-commerce: During big promotions, e-commerce websites need more resources. AS automatically scales out ECS instances and bandwidth within minutes to ensure that promotions go smoothly.
⚫ Heavy-traffic portals: Service load changes are difficult to predict for heavy-traffic web portals. AS dynamically scales in or out ECS instances based on monitored ECS metrics, such as vCPU usage and memory usage.
(Figure: an e-commerce website behind ELB, with AS managing the ECSs; website data (images, static web pages, large files, and videos) is stored in OBS and updated independently of the ECSs.)

• Using ELB with AS
▫ Working with ELB, AS automatically increases or decreases resources based on changes in demand while ensuring that the load of all the ECS instances in the AS group stays balanced.
▫ After ELB is enabled in an AS group, AS automatically associates a load balancing listener with instances newly added to the AS group. Then, ELB automatically distributes access traffic to all instances in the AS group through the listener, which improves system availability. If the instances in the AS group are running a range of different types of applications, you can bind multiple load balancing listeners to the AS group to listen to each of these applications, improving scalability.
Contents

1. Elastic Cloud Server (ECS)

2. Image Management Service (IMS)

3. Auto Scaling (AS)

4. Bare Metal Server (BMS)

5. Cloud Container Engine (CCE)

6. Other Compute Services

What Is BMS?
⚫ Bare Metal Server (BMS) provides tenants with dedicated servers featuring computing performance equivalent to physical servers as well as high security and reliability. You can obtain BMSs as easily and quickly as ECSs and use the service together with IMS, EVS, and VPC. BMS offers both the stability of traditional hosted servers and the high scalability of cloud-based services.
(Figure: BMSs in a VPC behind a security group; IMS provides and exports images; EVS, Dedicated Distributed Storage Service (DSS), and Dedicated Enterprise Storage Service (DESS) provide storage; Cloud Server Backup Service (CSBS) provides backup; Cloud Eye monitors; Cloud Trace Service (CTS) audits.)

• Essentially, a BMS is a physical server. The difference is that BMSs can be easily configured and purchased on the cloud platform, whereas traditional physical servers can only be configured and purchased in person.

• BMSs support automatic provisioning, automatic O&M, VPC connection, and interconnection with shared storage. You can provision and use BMSs as easily as ECSs and enjoy the excellent computing, storage, and network performance of physical servers.

• A Bare Metal Server (BMS) features both the scalability of Elastic Cloud Servers (ECSs) and the high performance of physical servers. It provides dedicated servers on the cloud, delivering the performance and security required by core databases, critical applications, high-performance computing (HPC), and big data.
Why BMS?
High security and reliability
⚫ Dedicated servers, VPC network, and security group
⚫ Server security protection
⚫ Disk backup and restoration
⚫ Dedicated storage
High performance
⚫ No virtualization overhead or performance loss
⚫ Cloud-based storage and network access
⚫ Deployment density and performance for mission-critical services
Quick provisioning and unified O&M
⚫ Quick provisioning (can be booted from EVS disks)
⚫ Self-service lifecycle management and O&M
Quick integration
⚫ Quick integration with cloud services and cloud solutions for accelerated cloud transformation

• Advantages of BMS:
▫ High security and reliability: BMS allows you to use dedicated compute resources, add servers to VPCs and security groups for network isolation, and integrate related components for server security. BMSs running on the QingTian architecture can use EVS disks, which can be backed up for restoration. BMS interconnects with Dedicated Storage Service (DSS) to ensure the data security and reliability required by enterprise services.
▫ High performance: BMS has no virtualization overhead, allowing compute resources to be dedicated to running services. Running on QingTian, an architecture from Huawei that is designed with hardware-software synergy in mind, BMS supports high-bandwidth, low-latency storage and networks on the cloud, meeting the deployment density and performance requirements of mission-critical services such as enterprise databases, big data, containers, HPC, and AI.
▫ Quick provisioning and unified O&M: Hardware-based acceleration provided by the QingTian architecture enables EVS disks to be used as system disks. The required BMSs can be provisioned within minutes after you submit an order. You can manage your BMSs through their lifecycle from the management console or using open APIs with SDKs.
▫ Quick integration of cloud services and solutions: Based on the unified VPC model, cloud services and cloud solutions (such as database, big data, container, HPC, and AI solutions) can be quickly integrated to run on BMSs. This accelerates cloud transformation.
BMS Architecture

• BMS works together with other cloud services to provide compute, storage, network, and imaging.
▫ BMSs are deployed in multiple availability zones (AZs) connected with each other through an internal network. If an AZ becomes faulty, other AZs in the same region will not be affected.
▫ With the Virtual Private Cloud (VPC) service, you can build a dedicated network for BMS, configure subnets and security groups, and allow resources deployed in the VPC to communicate with the Internet through an EIP (with bandwidth assigned).
▫ With the Image Management Service (IMS), you can install OSs on BMSs or create BMSs using private images for rapid service deployment.
▫ The Elastic Volume Service (EVS) provides storage, and Volume Backup Service (VBS) provides data backup and restoration.
▫ Cloud Eye is a key tool to monitor BMS performance, reliability, and availability. Using Cloud Eye, you can monitor BMS resource usage in real time.
▫ Cloud Backup and Recovery (CBR) backs up data for EVS disks and BMSs, and uses snapshot backups to restore the EVS disks and BMSs when necessary.
Comparisons Between a BMS, ECS, and Physical Server

Item                  | BMS                                        | ECS                                        | Physical Server
----------------------|--------------------------------------------|--------------------------------------------|----------------------
Physical resources    | Exclusive                                  | Shared                                     | Exclusive
Application scenarios | Mission-critical applications or services  | General-purpose and specific services      | Traditional services
                      | that require high performance              |                                            |
Provisioning          | Flexible                                   | Flexible                                   | Inflexible
Advanced features     | Automatic provisioning, automatic O&M, VPC | Automatic provisioning, automatic O&M, VPC | Traditional features
                      | interconnection, and interconnection with  | interconnection, and interconnection with  |
                      | shared storage                             | shared storage                             |

• A lack of flexibility is the main problem with physical servers. Even with cloud computing widely adopted, some enterprises still choose physical servers for the best possible performance: with no virtualization layer there is no virtualization overhead, and therefore no performance loss.

• However, it takes a long time to deploy physical servers, their O&M is complex, and the architecture cannot be reconstructed easily. When physical servers break down, it takes a lot of time, effort, and money to fix them.

• When enterprises choose to avoid VMs (ECSs), it is typically because VMs cannot provide the performance required by their core databases, and they do not want to adapt their core applications to VM deployment. These enterprises face a dilemma.

• BMS is designed to address this dilemma. It provides physical servers exclusive to a particular enterprise's use, so the enterprise does not have to compromise on performance or resource isolation.

• Meanwhile, it delivers cloud capabilities such as online delivery, automatic O&M, VPC interconnection, and interconnection with shared storage. You can provision and use BMSs as easily as ECSs and enjoy the excellent computing, storage, and network performance of physical servers.

• BMS can also host workloads that ECSs cannot because of architecture restrictions, such as virtualization services, high-performance computing services, services with stringent I/O performance requirements, and services with stringent requirements on control of core data and resource isolation. In addition, HUAWEI CLOUD provides O&M for BMSs, which helps keep your costs down.
Scenarios - Core Database
Application Scenarios
Core database. Multiple BMS flavors are available and shared EVS disks can be attached to BMSs, providing the performance and security required by core databases.
Recommendation Reasons
⚫ Requirements: Some critical database services cannot be deployed on VMs and must be deployed on physical servers that have dedicated resources, isolated networks, and assured performance.
⚫ Solution: BMS meets these database service requirements by providing high-performance servers dedicated to individual users.
(Figure: Internet traffic reaches an ECS cluster that fronts a BMS database cluster; the BMSs share EVS disks, which VBS backs up to OBS.)

• Cluster deployment: An EVS disk can be attached to multiple BMSs, enabling cluster-based application deployment.

• Large capacity: A BMS can have multiple EVS disks attached, each as large as 32 TB. EVS disk capacity can be expanded as needed and you only pay for what you use.

• High reliability: Three-copy redundancy of the stored data ensures high data durability.
Scenarios - High Performance Computing (HPC)

Application Scenarios
⚫ Supercomputing centers and DNA sequencing. For high performance and high
throughput scenarios, BMSs with the latest CPUs, coupled with a 100 Gbit/s
network, provide low latency and high performance services.

Recommendation Reasons
⚫ Requirements: In HPC scenarios, such as supercomputer centers and DNA
sequencing, massive volumes of data need to be processed and the computing
performance, stability, and real-time responsiveness need to be stellar.
⚫ Solution: HPC node (BMS)
 • Low latency: 100 Gbit/s, isolated, microsecond-level latency InfiniBand
network
 • High performance: the latest Intel CPUs
 • Convenient scale-up: open APIs for easy ecosystem integration

[Figure: an enterprise user reaches a VPC through Direct Connect; inside the VPC,
BMS HPC nodes are linked by an InfiniBand network and use EVS, OBS, GPU
Accelerated Cloud Server (GACS), and big data services. Application areas shown:
Intelligent Connected Vehicles (ICV) and smart manufacturing.]

56 Huawei Confidential

• High-performance ECS: Compute-intensive ECSs, such as general computing-plus
(C6) and memory-optimized (M6) ECSs, use 2nd Gen Intel® Xeon® Scalable
processors to provide robust, stable computing performance, and Huawei-
developed intelligent high-speed NICs to provide networks with ultra-high
bandwidth and ultra-low latency.

• High-performance BMS: High-performance computing (H2) BMSs with 100 Gbit/s
EDR InfiniBand NICs provide excellent computing performance with no
virtualization overhead. You can apply for BMSs on demand through the
management console.

• Excellent network performance: Secure, isolated virtual networks are provided for
HPC users on the public cloud. The networks communicate with each other
through intelligent high-speed NICs that deliver excellent bandwidth.

• Other application scenarios:

▫ Database scenario: Key database services for government, enterprise, and
financial services must be carried on physical servers with dedicated
resources, isolated networks, and guaranteed performance. The bare metal
server provides dedicated high-performance physical servers to meet service
requirements.

▫ Container scenario: Internet elastic service load. Compared with VMs, BMS
containers provide higher deployment density, lower resource overhead,
and more agile deployment efficiency. Cloud native technologies help
customers achieve the goal of reducing cloudification costs.
Contents

1. Elastic Cloud Server (ECS)

2. Image Management Service (IMS)

3. Auto Scaling (AS)

4. Bare Metal Server (BMS)

5. Cloud Container Engine (CCE)

6. Other Compute Services

57 Huawei Confidential
Container
⚫ A container is a lightweight virtualization technology. It packages an application and its dependencies together to
form an independent running environment, enabling quick deployment and migration of applications.
⚫ The core of container technology is the namespace and CGroups functions of the Linux kernel. Namespaces and
CGroups isolate processes, file systems, networks, and resources, thereby implementing application isolation and
secure running.

Feature               Container                           VM
Start Time            Second-level                        Minute-level
Virtualization Type   Operating system virtualization     Hardware-based virtualization
OS Dependency         All containers share the host OS.   Each VM runs in its own OS.
Isolation Policy      Namespace, CGroups                  Hypervisor
Image Size            KB - MB                             GB - TB

58 Huawei Confidential

• Containers are a kernel virtualization technology originating with Linux. They
provide lightweight virtualization to isolate processes and resources.
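The namespace isolation described above can be observed from outside a process: on Linux, every process has one symlink per namespace type under /proc/<pid>/ns/, and two processes that resolve to the same inode number share that namespace. The following Python example is added here and is not part of the course material; it parses those link targets, compares a process with PID 1 when /proc is available, and otherwise uses constructed inode values (the SAMPLE_* dictionaries are made up for the illustration, modelled on a container whose user namespace is still shared with the host).

```python
"""Added example: checking which Linux namespaces separate two processes.

/proc/<pid>/ns/<type> is a symlink whose target looks like "net:[4026531840]".
The number is the namespace inode: equal inodes mean the two processes share
that namespace and are not isolated from each other for that resource.
"""
import os
import re
from typing import Dict, Optional, Tuple

NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")

# Namespace types compared here: processes, file system mounts, network,
# IPC, hostname, and user/UID mapping.
NS_TYPES = ("pid", "mnt", "net", "ipc", "uts", "user")


def parse_ns_link(target: str) -> Tuple[str, int]:
    """Turn a /proc/<pid>/ns/<type> link target into (type, inode)."""
    m = NS_LINK.match(target.strip())
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return m.group("kind"), int(m.group("inode"))


def namespaces_of(pid) -> Optional[Dict[str, int]]:
    """Read a live process's namespace inodes (Linux only).

    Returns None when /proc/<pid>/ns does not exist (non-Linux host), so the
    comparison logic can still be exercised with constructed data.
    """
    base = f"/proc/{pid}/ns"
    if not os.path.isdir(base):
        return None
    result: Dict[str, int] = {}
    for kind in NS_TYPES:
        try:
            _, inode = parse_ns_link(os.readlink(os.path.join(base, kind)))
        except OSError:
            continue  # e.g. permission denied on another user's process
        result[kind] = inode
    return result


def isolation_report(proc: Dict[str, int], host: Dict[str, int]) -> Dict[str, bool]:
    """For each namespace type, True when `proc` does not share it with `host`.

    A type is only reported as isolated when both inodes are known and differ;
    an unknown value counts as not isolated, the conservative reading.
    """
    return {kind: (kind in proc and kind in host and proc[kind] != host[kind])
            for kind in NS_TYPES}


# Constructed sample (not real inodes): a container process versus the host's
# PID 1. Everything differs except the user namespace, which is shared.
SAMPLE_HOST = {
    "pid": 4026531836, "mnt": 4026531840, "net": 4026531992,
    "ipc": 4026531839, "uts": 4026531838, "user": 4026531837,
}
SAMPLE_CONTAINER = {
    "pid": 4026532452, "mnt": 4026532450, "net": 4026532455,
    "ipc": 4026532453, "uts": 4026532451, "user": 4026531837,
}

if __name__ == "__main__":
    # On Linux compare this process with PID 1; elsewhere use the sample.
    me, init = namespaces_of("self"), namespaces_of(1)
    if not me or not init:
        me, init = SAMPLE_CONTAINER, SAMPLE_HOST
    for kind, isolated in isolation_report(me, init).items():
        print(f"{kind:5s} isolated={isolated}")
```

Run inside a container and on its host to see the difference: inside, pid, mnt, net, ipc and uts normally report isolated=True, while a shared user namespace (the default when no UID remapping is configured) reports False, which is the one to look at when reviewing how much the kernel really separates the workload from the host.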
Docker and Kubernetes
⚫ Docker is the first system that allows containers to be portable in different machines. It simplifies both the
application packaging and the application library and dependency packaging.
⚫ Kubernetes is a containerized application software system that can be easily deployed and managed. It facilitates
container scheduling and orchestration.
[Figure: Docker architecture and Kubernetes architecture diagrams.]

59 Huawei Confidential

• Containers have become popular since the emergence of Docker.

• Even the OS file system can be packaged into a simple portable package, which
can be used on any other machine that runs Docker.
• Docker is developed and implemented by using the Go language launched by
Google. Docker encapsulates and isolates processes based on technologies such
as cgroup and namespace of the Linux kernel and Union FS of the AUFS type.
Docker is an operating system virtualization technology. Because an isolated
process is independent of the host and other isolated processes, it is also called a
container.
• Docker further encapsulates the file system, network interconnection, and process
isolation based on containers, greatly simplifying container creation and
maintenance.
• The "8" in the Kubernetes abbreviation K8S represents the eight letters of the
word "ubernete".
• For application developers, Kubernetes can be regarded as a cluster operating
system. Kubernetes provides functions such as service discovery, scaling, load
balancing, self-healing, and even leader election, freeing developers from
infrastructure-related configurations. When using Kubernetes, it is as if you run
a large number of servers as one machine on which your applications run.
Regardless of the number of servers in a Kubernetes cluster, the method for
deploying applications in Kubernetes is always the same.
• A Kubernetes cluster consists of master nodes (Masters) and worker nodes
(Nodes). Applications are deployed on worker nodes, and you can specify the
nodes for deployment.
What Is CCE?
⚫ Cloud Container Engine (CCE) is a highly scalable, high-performance, enterprise-
class Kubernetes service for you to run containers and applications. With CCE, you
can easily deploy, manage, and scale containerized applications on HUAWEI CLOUD.

60 Huawei Confidential

• CCE is a one-stop platform integrating compute, networking, storage, and many
other services. It supports heterogeneous computing architectures such as GPU,
NPU, and Arm. Supporting multi-AZ and multi-region disaster recovery, CCE
ensures high availability of Kubernetes clusters.
Why CCE?

Easy to Use
⚫ Create Kubernetes clusters in a few clicks on the console.
⚫ Scale clusters and workloads on the console.
⚫ Upgrade Kubernetes clusters on the console.
⚫ Experience out-of-the-box usability.
⚫ Enjoy auto deployment and O&M of containerized applications.

Open and compatible
⚫ Fully compatible with Kubernetes APIs and kubectl
⚫ Easy management of large-scale container clusters

High-performance
⚫ Bare-metal servers with NUMA and high-speed InfiniBand NICs
⚫ Industry-leading container engine

Highly Available and Secure
⚫ You can deploy 3 master nodes on the cluster control plane for high availability
(HA).
⚫ Users have complete control of clusters they create.

61 Huawei Confidential

• Easy to Use:
▫ Creating a Kubernetes cluster is as easy as a few clicks on the console. You
can create either VM nodes or bare-metal nodes, or both, in a cluster.
▫ From auto deployment to O&M, you can manage your containerized
applications all in one place throughout their lifecycle.
▫ You can also scale your clusters and workloads in just a few clicks on the
console. Auto scaling policies can be flexibly combined to deal with in-the-
moment load spikes.
▫ The console enables you to easily upgrade your clusters.
▫ Application Service Mesh (ASM) and Helm charts are pre-integrated,
delivering out-of-the-box usability.
• High-performance:
▫ CCE draws on Huawei's years of field experience in computing, network,
storage, and heterogeneous infrastructure. You can concurrently launch
containers at scale.
▫ The bare-metal NUMA architecture and high-speed InfiniBand network
cards yield a three- to five-fold improvement in computing performance.
• Highly Available and Secure:
▫ You can create 3 master nodes for your cluster control plane to avoid single
points of failure. Faults in one or two of the master nodes do not interrupt
the whole cluster. CCE allows you to deploy nodes and workloads in a
cluster across AZs. Such a multi-active architecture ensures service
continuity against host faults, data center outages, and natural disasters.
▫ Clusters are private and completely controlled by users. With deeply
integrated Kubernetes RBAC capabilities, CCE allows you to set different
RBAC permissions for sub-users on the console.
• Open and compatible
▫ CCE streamlines deployment, resource scheduling, service discovery, and
dynamic scaling of applications that run in Docker containers.
▫ CCE is built on Kubernetes and compatible with Kubernetes native APIs and
kubectl (a command line tool). CCE provides full support for the most
recent Kubernetes and Docker releases.
CCE Architecture

63 Huawei Confidential

• Huawei Cloud is one of the world's first Kubernetes Certified Service Providers
(KCSPs). It was the first in China to engage in the Kubernetes community. As a
constant contributor, Huawei Cloud marks its presence in the container
ecosystem. It is also a founder and platinum member of the Cloud Native
Computing Foundation (CNCF). CCE is one of the first Certified Kubernetes
offerings in the world.
• CCE provides highly scalable and high-performance enterprise-level Kubernetes
clusters and supports Docker containers. It provides full-stack container
capabilities, including Kubernetes cluster management, containerized application
lifecycle management, application service mesh, Helm application templates,
plug-in management, application scheduling, monitoring, and O&M, giving users
a one-stop container platform. Cloud Container Engine makes it easy to deploy,
manage, and scale containerized applications.
• CCE can use various heterogeneous infrastructures, such as high-performance
ECSs, bare metal server, and GPU-accelerated ECSs. You can quickly create hybrid
clusters, Kunpeng clusters, and CCE Turbo clusters in CCE based on service
requirements and manage the created clusters in a unified manner.
• CCE deeply integrates with the ASM and provides out-of-the-box ASM traffic
governance capabilities. Users can implement gray release, traffic governance,
and traffic monitoring without modifying code.
• Kubernetes supports automatic scaling of pods and cluster nodes. You can set
scaling rules to automatically scale pods and cluster nodes when external
conditions (such as CPU usage) meet certain conditions.
Basic Concepts

Cluster   ⚫ A cluster is a collection of cloud resources required for running
containers, such as cloud servers and load balancers.

Pod       ⚫ A pod consists of one or more related containers that share the same
storage and network space.

Node      ⚫ A node is a server (a VM or PM) on which containerized applications run.

Service   ⚫ A Service is an abstract method that exposes a group of applications
running on a pod as network services.

Container ⚫ A container is a running instance of a Docker image. Multiple containers
can run on the same node.

Image     ⚫ An image is a binary that includes all of the requirements for running a
container.

64 Huawei Confidential

• A cluster is a group of one or more cloud servers (also known as nodes) in the
same subnet. It has all the cloud resources (including VPCs and compute
resources) required for running containers.
• A pod is the smallest and simplest unit in the Kubernetes object model that you
create or deploy. A pod encapsulates an application container (or, in some cases,
multiple containers), storage resources, a unique network IP address, and options
that govern how the containers should run.
• A node is a cloud server (virtual or physical machine) running an instance of the
Docker Engine. Containers are deployed, run, and managed on nodes. The node
agent (kubelet) runs on each node to manage container instances on the node.
The number of nodes in a cluster can be scaled.
• A Service is an abstract method that exposes a group of applications running on
a pod as network services.
• A container is a running instance of a Docker image. Multiple containers can run
on one node. Containers are actually software processes. Unlike traditional
software processes, containers have separate namespaces and do not run directly
on a host.
• Images become containers at runtime, that is, containers are created from
images. Containers can be created, started, stopped, deleted, and suspended.
• In addition to these basic concepts, there are many other concepts. For details,
see https://support.huaweicloud.com/intl/en-us/productdesc-
cce/cce_productdesc_0011.html.
Workload
⚫ A workload is an application running on Kubernetes.
 Deployment: Pods are completely independent of each other and functionally identical. They feature auto
scaling and rolling upgrade. Typical examples include Nginx and WordPress.
 StatefulSet: Pods are not completely independent of each other. They have stable persistent storage, and
feature orderly deployment and deletion. Typical examples include MySQL-HA and etcd.
 DaemonSet: A DaemonSet ensures that all or some nodes run a pod. It is applicable to pods running on every
node. Typical examples include Ceph, Fluentd, and Prometheus Node Exporter.
 Job: It is a one-time task that runs to completion. It can be executed immediately after being created. Before
creating a workload, you can execute a job to upload an image to the image repository.
 Cron job: It runs a job periodically on a given schedule. You can perform time synchronization for all active
nodes at a fixed time point.

65 Huawei Confidential

• No matter how many components are there in your workload, you can run it in a
group of Kubernetes pods. A workload is an abstract model of a group of pods in
Kubernetes. Workloads classified in Kubernetes include Deployments, StatefulSets,
DaemonSets, jobs, and cron jobs.
Service
⚫ A Service is an abstract method that exposes a group of applications running on a pod as network
services.

 ClusterIP: ClusterIP Service, as the default Service type, is exposed through the internal IP
address of the cluster. If this mode is selected, Services can be accessed only within the cluster.
 NodePort: NodePort Services are exposed through the IP address and static port of each node. A ClusterIP
Service, to which a NodePort Service will route, is automatically created. By sending a request to
<NodeIP>:<NodePort>, you can access a NodePort Service from outside of a cluster.
 LoadBalancer (ELB): LoadBalancer (ELB) Services are exposed by using load balancers of the cloud provider.
External load balancers can route to NodePort and ClusterIP Services.
 DNAT: A DNAT gateway translates addresses for cluster nodes and allows multiple cluster nodes to share an EIP.
DNAT Services provide higher reliability than EIP-based NodePort Services in which the EIP is bound to a single
node and once the node is down, all inbound requests to the workload will be distributed.

66 Huawei Confidential
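The Workload and Service slides above describe two objects that Kubernetes links only by labels: a Service's spec.selector has to match the labels on the Deployment's pod template, and nothing warns you when it does not (the Service simply gets no endpoints). The Service type then decides whether the pods are reachable from outside the cluster. The Python example below is added here and is not part of the course material or of CCE; it builds the two manifests as plain dictionaries (the standard apps/v1 and v1 fields), applies the same equality-selector rule Kubernetes uses, and flags NodePort and LoadBalancer Services as externally reachable. Names, labels, ports and the example.invalid image references are constructed for the illustration.

```python
"""Added example: checking that Services actually select a Deployment's pods,
and which of them expose the pods outside the cluster."""
import json
from typing import Dict, List

EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}   # reachable from outside the cluster


def deployment(name: str, image: str, labels: Dict[str, str],
               replicas: int = 2, port: int = 8080) -> dict:
    """Build a minimal apps/v1 Deployment manifest as a dict."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name, "labels": labels},
        "spec": {
            "replicas": replicas,
            "selector": {"matchLabels": labels},
            "template": {
                "metadata": {"labels": labels},   # what Services match on
                "spec": {"containers": [{
                    "name": name,
                    "image": image,
                    "ports": [{"containerPort": port}],
                    # Keep the kernel isolation the slides describe intact:
                    # no root inside the container, no privilege escalation.
                    "securityContext": {"runAsNonRoot": True,
                                        "allowPrivilegeEscalation": False},
                }]},
            },
        },
    }


def service(name: str, selector: Dict[str, str], port: int,
            target_port: int, svc_type: str = "ClusterIP") -> dict:
    """Build a v1 Service manifest of the given type."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name},
        "spec": {"type": svc_type, "selector": selector,
                 "ports": [{"port": port, "targetPort": target_port}]},
    }


def selector_matches(selector: Dict[str, str], pod_labels: Dict[str, str]) -> bool:
    """Equality selector semantics: every selector key must be on the pod with
    the same value; extra pod labels do not matter."""
    return all(pod_labels.get(k) == v for k, v in selector.items())


def review(deployments: List[dict], services: List[dict]) -> Dict[str, dict]:
    """Per Service: the Deployments it routes to, whether it is externally
    reachable, and whether its selector matches nothing ("dangling")."""
    report = {}
    for svc in services:
        sel = svc["spec"]["selector"]
        backends = [d["metadata"]["name"] for d in deployments
                    if selector_matches(sel, d["spec"]["template"]["metadata"]["labels"])]
        report[svc["metadata"]["name"]] = {
            "type": svc["spec"]["type"],
            "backends": backends,
            "external": svc["spec"]["type"] in EXTERNAL_TYPES,
            "dangling": not backends,
        }
    return report


# Constructed manifests: a web tier behind a LoadBalancer, an API reachable
# only inside the cluster, and a NodePort Service whose selector has a typo.
WEB = deployment("web", "example.invalid/web:1.0", {"app": "web", "tier": "front"})
API = deployment("api", "example.invalid/api:1.0", {"app": "api", "tier": "back"})
SERVICES = [
    service("web-lb", {"app": "web"}, 80, 8080, "LoadBalancer"),
    service("api-internal", {"app": "api", "tier": "back"}, 8080, 8080),
    service("api-broken", {"app": "apis"}, 8080, 8080, "NodePort"),
]

if __name__ == "__main__":
    print(json.dumps(review([WEB, API], SERVICES), indent=2))
```

Running the review lists web-lb as external with backend web, api-internal as internal with backend api, and api-broken as dangling: a NodePort that is open on every node but serves nothing, which is the kind of leftover worth removing before it is reused.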
Scenario - Auto Scaling in Seconds

Function Description
CCE adjusts compute resources based on auto scaling policies to handle
fluctuating service loads. Specifically, CCE automatically adds or reduces cloud
servers for your cluster or containers for your workload.

Benefits
⚫ Flexible: Multiple scaling policies are supported and containers can be
provisioned within seconds when specific conditions are met.
⚫ Highly available: Pods are automatically monitored and unhealthy pods will be
replaced with new ones to ensure high service availability.
⚫ Low cost: You are billed only for the cloud servers you use.

[Figure: users reach a Kubernetes cluster (Node 1 to Node N, each running an
agent) through ELB; Application Operations Management (AOM) feeds cluster
management, which adds or removes nodes.]

67 Huawei Confidential

• Application scenarios:

▫ Shopping apps and websites, especially during promotions and flash sales

▫ Live streaming, where service loads often fluctuate

▫ Games, where many players may go online in certain time periods
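The pod-level half of the scaling described above is the Kubernetes HorizontalPodAutoscaler rule: the next replica count is ceil(current x metric_now / metric_target), no change is made while the ratio stays within a tolerance band (0.1 by default), and the result is clamped to the configured minimum and maximum. The Python example below is added here and is not course or CCE code; it implements that rule and feeds a constructed CPU utilization sequence through it (the SPIKE values are made up). CCE's node-level scaling is a separate policy layer and is not modelled.

```python
"""Added example: the replica calculation behind CPU-based pod auto scaling."""
import math
from typing import List, Sequence

TOLERANCE = 0.10   # default HPA tolerance: ratios within 10 % of 1.0 are ignored


def desired_replicas(current: int, metric_now: float, metric_target: float,
                     min_replicas: int, max_replicas: int) -> int:
    """Return the replica count the autoscaler would set on the next cycle."""
    if current < 1 or metric_target <= 0:
        raise ValueError("current replicas must be >= 1 and target > 0")
    ratio = metric_now / metric_target
    if abs(ratio - 1.0) <= TOLERANCE:
        desired = current                      # within tolerance: no event
    else:
        desired = math.ceil(current * ratio)   # scale in proportion to load
    return max(min_replicas, min(max_replicas, desired))   # clamp to [min, max]


def simulate(samples: Sequence[float], start: int, target: float,
             lo: int, hi: int) -> List[int]:
    """Feed a sequence of average CPU utilizations through the rule and
    return the replica count after each sample."""
    history, current = [], start
    for util in samples:
        current = desired_replicas(current, util, target, lo, hi)
        history.append(current)
    return history


# Constructed load pattern (percent CPU): a flash-sale spike, then a quiet period.
SPIKE = [50, 90, 95, 40, 20, 20]

if __name__ == "__main__":
    for util, n in zip(SPIKE, simulate(SPIKE, start=3, target=50, lo=2, hi=10)):
        print(f"cpu={util:3d}%  replicas={n}")
```

Two things the trace shows that the slide's summary does not: the maximum replica count caps the response to the 95 % sample (the rule wants 12 replicas, the policy allows 10), and scale-in happens in steps rather than at once, so a quiet period takes several cycles to return to the minimum.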


Scenario - DevOps and CI/CD

Function Description
CCE automatically completes code compilation, image build, grayscale release,
and container-based deployment based on code sources. CCE can interconnect with
your CI/CD systems. You can containerize traditional applications and deploy
them in the cloud.

Benefits
⚫ Efficient CI/CD management: Reduces scripting workload by more than 80%
through streamlined process interaction.
⚫ Flexible integration: Provides various APIs to integrate with existing CI/CD
systems, facilitating customization.
⚫ High performance: Allows for flexible task scheduling with a fully
containerized architecture.

[Figure: a user pushes code to a code library; the CI/CD pipeline (optionally a
third-party tool) builds images into Software Repository for Container (SWR),
and CCE deploys them to the development, testing, and production environments.]

68 Huawei Confidential

• Development and Operations (DevOps) is a set of processes, approaches, and
systems for collaboration between software development, O&M, and quality
assurance (QA) teams.

• Scenario description: You may receive a lot of feedback and requirements for
your apps or services. You may want to boost user experience with new features.
Continuous integration (CI) and delivery (CD) can help. CI/CD automates builds,
tests, and merges, making app delivery faster.

• Continuous integration (CI), continuous delivery (CD), and continuous
deployment
Contents

1. Elastic Cloud Server (ECS)

2. Image Management Service (IMS)

3. Auto Scaling (AS)

4. Bare Metal Server (BMS)

5. Cloud Container Engine (CCE)

6. Other Compute Services

69 Huawei Confidential
Cloud Phone Service (CPH)
⚫ Cloud Phone Host (CPH) provides you with cloud servers virtualized from Huawei Cloud BMSs and running native
Android. Just one of these cloud servers can virtualize up to 60 cloud phones with the functions of virtual phones.
You can remotely control cloud phones in real time and run Android applications on the cloud. Cloud phone
compute lets you build and test phone applications more efficiently.

70 Huawei Confidential

• Scenarios
▫ Cloud gaming is a popular trend in the game industry. It provides players
with a download-free game service that is independent of mobile phone
performance. The video streaming modes it uses include PC game
streaming and mobile game streaming. As a cloud-based emulated phone,
a cloud phone server can take advantage of the instruction isomorphism of
mobile games and carry game applications on the cloud.
▫ With the popularization of mobile apps, more and more enterprises are
starting to allow work from mobile terminals. However, they are faced with
the challenge of data security. Although purchasing customized secure
mobile phones can enhance security, leakage of sensitive data cannot be
prevented. As an alternative solution, cloud phones store core enterprise
data on the cloud and control access to mobile phone screens only within
authorized employees.
▫ Generally, mobile phones provide services for individuals. As the type and
number of mobile applications increase, enterprises may need to run a
large number of mobile applications on mobile phones in specific scenarios
to implement automation or intelligence functions. To run these
applications, a large number of simulation mobile phones are needed.
▫ Streaming interaction is another CPH scenario. It allows the host to stream
the mobile phone screen to audiences and interact with them to bring an
enjoyable interaction experience.
What Is DeH?
⚫ Dedicated Host (DeH) provides dedicated physical hosts to ensure isolation,
security, and performance for your ECSs. You can bring your own license (BYOL)
to DeH to reduce the costs on software licenses and facilitate the independent
management of ECSs.

71 Huawei Confidential

• Application scenarios:

▫ Industries that have high requirements for regulation compliance and
security: You can exclusively use a physically isolated host to meet
compliance and security requirements.

▫ Tenants that need to use their existing licenses (BYOL): If you have a
licensed OS or software (licensed based on the number of physical sockets
or cores), you can bring your own license and migrate your services to the
cloud platform.

▫ Industries that are extremely sensitive to performance and stability: DeH is
ideal for service scenarios with higher requirements on server performance
and stability such as finance, securities and gaming applications. DeH
guarantees the stability of CPUs and network I/O, ensuring smooth running
of applications.

▫ Independent resource deployment and flexible management: You can
create ECSs on a specified DeH and specify your ECS specifications based on
the type of DeH. You can also migrate ECSs between DeHs or migrate ECSs
from the public resource pool to a specified DeH.
What Is FunctionGraph?
⚫ FunctionGraph allows you to run your
code without provisioning or managing
servers, while ensuring high availability
and scalability. All you need to do is
upload your code and set execution
conditions, and FunctionGraph will take
care of the rest. You pay only for what
you use and you are not charged when
your code is not running.

72 Huawei Confidential

• FunctionGraph is designed for real-time file and data stream processing, web and
mobile app backends, and artificial intelligence (AI) applications.
▫ FunctionGraph processes files in real time by triggering a function once a
client uploads a file to OBS. Functions can generate image thumbnails,
convert video formats, and aggregate and filter data files.
▫ FunctionGraph also works with Data Ingestion Service (DIS) to process data
streams in real time. It supports application activity tracking, sequential
transaction processing, data stream analysis, data sorting, metric
generation, log filtering, indexing, social media analysis, and IoT device data
telemetry and metering.
▫ FunctionGraph also interconnects with your VMs or other services to build
highly available and scalable web and mobile app backends.
▫ Finally, FunctionGraph also works with Enterprise Intelligence (EI) services
for text recognition and illicit image identification. For example, you can build
a function to identify pornographic and terrorism-related images.
Quiz

1. (True or False) There is a hypervisor layer in containerization, just like the
traditional virtualization featuring VMs.
A. True

B. False


2. (True or False) The functions of an IMS image are the same as those of an ISO
image.
A. True

B. False

73 Huawei Confidential

• 1.B False. Containerization has no virtualization layer.

• 2.B False. An ISO image is used to install an OS. An IMS image is more like a
template that is generated after an ISO image is modified. It is mainly used to
batch create cloud servers instead of just installing cloud server OSs.
Summary

After reviewing this chapter, we have learned about the features, usage methods,
and application scenarios of Elastic Cloud Server (ECS), Auto Scaling (AS), Image
Management (IMS), bare metal server, and Cloud Container Engine (CCE). Based
on the knowledge in this chapter and the lab manual, you can use HUAWEI
CLOUD to deploy your own compute instances and services.

74 Huawei Confidential
Recommendations

⚫ Huawei Talent
 https://e.huawei.com/en/talent/cert/#/careerCert
⚫ Huawei Technical Support Website
 https://support.huaweicloud.com/intl/en-us/help-novicedocument.html
⚫ HUAWEI CLOUD Academy
 https://edu.huaweicloud.com/intl/en-us/

75 Huawei Confidential
Acronyms and Abbreviations
⚫ AI: Artificial intelligence
⚫ API: Application Programming Interface
⚫ AS: Auto Scaling
⚫ BMS: Bare Metal Server
⚫ CCE: Cloud Container Engine
⚫ CI/CD: Continuous Integration/Continuous Delivery
⚫ CISC: Complex Instruction Set Computer
⚫ CPH: Cloud Phone
⚫ CPU: Central Processing Unit
⚫ DeH: Dedicated Host

76 Huawei Confidential
Acronyms and Abbreviations
⚫ DevOps: Development and Operations
⚫ DHCP: Dynamic Host Configuration Protocol
⚫ ECS: Elastic Cloud Server
⚫ EI: Enterprise Intelligence
⚫ GPU: Graphics Processing Unit
⚫ HPC: High Performance Computing
⚫ HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer
⚫ IB: InfiniBand
⚫ IMS: Image Management Service
⚫ K8s: Kubernetes

77 Huawei Confidential
Acronyms and Abbreviations
⚫ IPoIB: Internet Protocol over Infiniband
⚫ NUMA: Non-Uniform Memory Access
⚫ RDMA: Remote Direct Memory Access
⚫ RISC: Reduced Instruction Set Computer
⚫ SR-IOV: Single Root Input/Output Virtualization
⚫ VLAN: Virtual Local Area Network
⚫ VPC: Virtual Private Cloud

78 Huawei Confidential
Thank you.

Bring digital to every person, home, and organization for a fully connected,
intelligent world.

Copyright© 2023 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating
results, future product portfolio, new technology, etc. There are a number of
factors that could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements. Therefore, such
information is provided for reference purpose only and constitutes neither an
offer nor an acceptance. Huawei may change the information at any time without
notice.
Compute Cloud Services
Foreword

⚫ Network resources are essential to the development of the ICT
infrastructure. With network resources, devices and systems can
communicate with each other so that enterprises can provide better
services to their end users.
⚫ This chapter describes the network services provided by HUAWEI CLOUD.

2 Huawei Confidential
Objectives

⚫ On completion of this course, you will be able to:
 Understand what network services are and the application scenarios of different services.
 Understand the concepts and usage of VPC.
 Understand the concepts and usage of EIP.
 Understand the concepts and usage of VPN and NAT gateway.
 Learn about other Huawei cloud network services.

3 Huawei Confidential
Network Services
⚫ A network is a system that connects multiple computers or other devices together so that they can communicate
and share resources with each other. Networks come in different types, such as a local area network (LAN), a wide
area network (WAN), or the Internet.
⚫ Huawei Cloud provides various network services to help you build secure and scalable networks on the cloud,
connect cloud and on-premises networks in a high-speed and reliable way, and connect your on-premises data
center to the Internet.

4 Huawei Confidential

• VPC provides an isolated network environment on HUAWEI CLOUD.

• VPCEP provides secure access to cloud services and private services hosted on
HUAWEI CLOUD.

• ELB automatically distributes incoming traffic across multiple backend servers.

• NAT Gateway provides network address translation (NAT) for cloud servers.

• EIP provides independent public IP addresses for accessing the Internet.

• Direct Connect establishes a dedicated channel between an on-premises data
center and the cloud.

• VPN establishes an IPsec encrypted channel between an on-premises data center
and the cloud.

• CC connects VPCs in multiple regions and allows one or more on-premises data
centers to access multiple VPCs.

• DNS provides authoritative DNS services and domain name management services.
Contents

1. Virtual Private Cloud (VPC)

2. Elastic IP (EIP)

3. Elastic Load Balance (ELB)

4. Virtual Private Network (VPN)

5. NAT Gateway

6. Other Services

5 Huawei Confidential
What Is a VPC?
⚫ The Virtual Private Cloud (VPC) service enables you to provision logically isolated,
configurable, and manageable virtual networks for cloud servers, cloud containers,
and cloud databases, improving cloud service security and simplifying network
deployment.
[Figure: VPC 1 and VPC 2, each containing several ECSs, kept apart from each
other by tunneling technology.]

6 Huawei Confidential

• A Virtual Private Cloud (VPC) is a logically isolated virtual network. Within your
own VPC, you can create subnets, configure route tables, assign EIPs and
bandwidths, and configure security groups to manage access control.

• VPC is the basis of HUAWEI CLOUD networks. VPC provides secure and isolated
networks based on tunneling technology. You can customize your own VPCs,
including dividing subnets, configuring route tables, specifying IP addresses, and
configuring network ACLs and security groups.
VPC Advantages

Seamless Interconnectivity
⚫ Multiple methods for connecting to the Internet
⚫ A VPC peering connection enables two VPCs to communicate with each other using
private IP addresses.

High-Speed Access
⚫ Dynamic BGP access to multiple carriers
⚫ Automatic failover in real time

Secure and Reliable
⚫ 100% logical isolation
⚫ Comprehensive security

Flexible Configuration
⚫ User-defined network
⚫ ECSs can be deployed across AZs.

7 Huawei Confidential

• A VPC has many advantages.

▫ Flexible Configuration: You can create VPCs, add subnets, specify IP address
ranges, and configure DHCP and route tables. You can configure the same VPC
for ECSs that are in different availability zones (AZs).

▫ Secure and Reliable: VPCs are logically isolated from each other. By default,
different VPCs cannot communicate with each other. Network ACLs protect
subnets, and security groups protect ECSs.

▫ Seamless Interconnectivity: By default, a VPC cannot communicate with the
Internet. You can use EIP, ELB, NAT Gateway, VPN, and Direct Connect to
enable access to or from the Internet. By default, two VPCs in the same
region cannot communicate with each other. You can create a VPC peering
connection to enable them to communicate with each other using private
IP addresses.

▫ High-speed access: Up to 21 dynamic BGP connections are established to
multiple carriers. Dynamic BGP provides automatic failover in real time and
chooses the optimal path when a network connection fails.
VPC Architecture

8 Huawei Confidential
VPC Components
⚫ Each VPC consists of a private CIDR block, route tables, and at least one subnet.

[Figure: a VPC with private CIDR block 192.168.0.0/16 and a route table, divided
into Subnet 1 (192.168.1.0/24) holding ECSs and an RDS instance in security
groups A and B, and Subnet 2 (192.168.2.0/24) holding an ECS and a BMS in
security group A.]

9 Huawei Confidential

• Private CIDR blocks: When creating a VPC, you need to specify the private CIDR
block used by the VPC. The VPC service supports the following CIDR blocks:
10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 –
192.168.255.255

• Subnets: Cloud resources, such as cloud servers and databases, must be deployed
in subnets. After you create a VPC, you can divide the VPC into one or more
subnets. Each subnet must be within the VPC.

• Route tables: When you create a VPC, the system automatically generates a
default route table. The route table ensures that all subnets in the VPC can
communicate with each other. If the routes in the default route table cannot
meet application requirements (for example, if there is an ECS without an elastic
IP address (EIP) bound that needs to access the Internet), you can create a
custom route table.
VPC Concepts

Subnet EIP

Virtual IP
Security address
group

VPC
IP address VPC peering
group connection

Elastic NIC
Routing Table

Network ACL

10 Huawei Confidential

• An elastic network interface (NIC) is a virtual network card. You can create and
configure network interfaces and attach them to your instances (ECSs and BMSs)
to create flexible and high availability network configurations.

• An IP address group is a collection of IP addresses that use the same security
group rules. You can use an IP address group to manage IP addresses that have
the same security requirements or whose security requirements change
frequently. An IP address group frees you from repeatedly modifying security
group rules and simplifies security group rule management.
Subnet
⚫ A subnet is a unique CIDR block, a range of IP addresses, in your VPC.
⚫ All resources in a VPC must be deployed on subnets.
⚫ Once a subnet has been created, its CIDR block cannot be modified.


• By default, ECSs in all subnets of the same VPC can communicate with one
another, but ECSs in different VPCs cannot.

• You can create VPC peering connections to enable ECSs in different VPCs to
communicate with one another.

• The subnets used to deploy your resources must reside within your VPC, and the
subnet masks used to define them can be anywhere between the netmask of the
VPC CIDR block and /28.

▫ 10.0.0.0 – 10.255.255.255

▫ 172.16.0.0 – 172.31.255.255

▫ 192.168.0.0 – 192.168.255.255

• https://support.huaweicloud.com/intl/en-us/productdesc-vpc/en-us_topic_0030969424.html
Elastic IP
⚫ The Elastic IP (EIP) service enables your cloud resources to communicate with the Internet using static
public IP addresses and scalable bandwidths. EIPs can be bound to or unbound from ECSs, BMSs,
virtual IP addresses, NAT gateways, or load balancers.


• Each EIP can be used by only one cloud resource at a time.


Route Table
⚫ A route table contains a set of routes that are used to determine where network traffic from your
subnets in a VPC is directed. Each subnet must be associated with a route table. You can associate a
subnet with only one route table at a time, but you can associate multiple subnets with the same route
table.


• You can add, query, modify, and delete routes.

• When you create a VPC, the system automatically generates a default route table
for the VPC. If you create a subnet in the VPC, the subnet automatically
associates with the default route table. You can add, delete, and modify routes in
the default route table, but you cannot delete the route table. When you create a
VPN connection, the default route table automatically delivers a route that
cannot be deleted or modified. If you want to modify or delete the route, you can
associate your subnet with a custom route table and replicate the route to the
custom route table to modify or delete it.

• You can also create a custom route table and associate subnets that have the
same routing requirements with this table. Custom route tables can be deleted if
they are no longer required.

• The way you can access the route table module varies by region.

▫ If the route table module is not decoupled from the VPC module in your
selected region, access the route table module by clicking the Route Tables
tab on the VPC details page.

▫ If the route table module is decoupled from the VPC module in your
selected region, access the route table module by clicking Route Tables in
the left navigation pane of the VPC console.
Security Group
⚫ A security group is a collection of access control rules for ECSs that have the same
security requirements and are mutually trusted within a VPC. After you create a
security group, you can create different access rules for the security group, and the
rules will apply to any ECS that the security group contains.


• Your account automatically comes with a security group by default. The default
security group allows all outbound traffic and denies all inbound traffic. Your
ECSs in this security group can communicate with each other without the need to
add rules.
VPC Peering Connection
⚫ A VPC peering connection is a network connection between two VPCs in the same region. It
enables you to route traffic between them using private IP addresses. You can create a VPC
peering connection between your own VPCs, or between your VPC and a VPC of another
account within the same region. However, you cannot create a VPC peering connection
between VPCs in different regions.


• The VPCs to be peered can be in the same account or different accounts, but
must be in the same region.

• If you create a VPC peering connection between two VPCs in your account, the
system accepts the connection by default. To enable communication between the
two VPCs, you need to add routes for the local and peer VPCs.

• If you request a VPC peering connection with a VPC in another account in the
same region, the VPC peering connection will be in the Awaiting acceptance
state. After the owner of the peer account accepts the connection, the connection
status changes to Accepted. The owners of both the local and peer accounts
must configure the routes required by the VPC peering connection to enable
communication between the two VPCs.
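The routing requirement described in the notes above (a peering connection carries traffic only when both the local and the peer VPC have a route pointing at it) and the route table behaviour from the earlier "Route Table" notes (local routes for the VPC block, custom routes such as a default route for an ECS without an EIP) can be modelled with a small longest-prefix-match table. The following Python is an added example written for this material, not Huawei Cloud code; the CIDR blocks, the next-hop names such as "peer-AB" and "nat-gw", and the function names are constructed for illustration.

```python
from __future__ import annotations
import ipaddress


class RouteTable:
    """Longest-prefix-match route table for one VPC. The route covering the
    VPC's own CIDR block is present from the start, as in the default
    route table, so all subnets of the VPC can reach each other."""

    def __init__(self, vpc_cidr: str):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        self.routes: dict[ipaddress.IPv4Network, str] = {self.vpc: "local"}

    def add_route(self, destination: str, next_hop: str) -> None:
        # next_hop is a label such as a peering connection or NAT gateway id
        self.routes[ipaddress.ip_network(destination)] = next_hop

    def lookup(self, dst_ip: str) -> str | None:
        """Return the next hop for dst_ip, or None when no route matches."""
        ip = ipaddress.ip_address(dst_ip)
        candidates = [net for net in self.routes if ip in net]
        if not candidates:
            return None
        best = max(candidates, key=lambda net: net.prefixlen)  # most specific wins
        return self.routes[best]


def peering_reachable(rt_a: RouteTable, rt_b: RouteTable,
                      ip_a: str, ip_b: str, peering_id: str) -> tuple[bool, list[str]]:
    """Check that ip_a (in VPC A) and ip_b (in VPC B) can talk over the peering
    connection: each side needs a route to the other via the connection."""
    reasons = []
    if rt_a.lookup(ip_b) != peering_id:
        reasons.append(f"VPC A has no route to {ip_b} via {peering_id}")
    if rt_b.lookup(ip_a) != peering_id:
        reasons.append(f"VPC B has no return route to {ip_a} via {peering_id}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: two VPCs peered by "peer-AB"
    rt_a, rt_b = RouteTable("192.168.0.0/16"), RouteTable("10.0.0.0/16")
    rt_a.add_route("10.0.0.0/16", "peer-AB")   # only one side configured so far
    print(peering_reachable(rt_a, rt_b, "192.168.1.10", "10.0.1.10", "peer-AB"))
    rt_b.add_route("192.168.0.0/16", "peer-AB")
    print(peering_reachable(rt_a, rt_b, "192.168.1.10", "10.0.1.10", "peer-AB"))
```

A missing return route is the usual reason a freshly accepted peering connection appears "up" but carries no traffic: the check reports which side still lacks its route rather than a single yes/no.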
Network ACL
⚫ A network ACL is an optional layer of security for your subnets. After you associate
one or more subnets with a network ACL, you can control traffic in and out of the
subnets.


• Similar to security groups, network ACLs control access to subnets and add an
additional layer of defense to your subnets. Security groups only have the "allow"
rules, but network ACLs have both "allow" and "deny" rules. You can use network
ACLs together with security groups to implement comprehensive and fine-
grained access control.

• You can associate a network ACL with multiple subnets. However, a subnet can
only be associated with one network ACL at a time.

• Each newly created network ACL is in the Inactive state until you associate
subnets with it.

• Network ACLs are stateful. If the network ACL allows outbound traffic and you
send a request from your instance, the response traffic for that request is allowed
to flow in regardless of inbound network ACL rules. Similarly, if inbound traffic is
allowed, responses to allowed inbound traffic are allowed to flow out, regardless
of outbound rules.
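The two layers described in the "Security Group" and "Network ACL" notes (an instance-level security group with allow rules only and a default-deny inbound posture, a subnet-level network ACL with ordered allow and deny rules, and stateful handling of replies) can be expressed as a small packet filter. The following Python is an added example written for this material, not Huawei Cloud code; the rule set, the documentation-range addresses such as 198.51.100.0/24 and 203.0.113.0/24, and the ECS address 192.168.1.10 are constructed, while the 100.125.0.0/16 health-check range comes from the ELB notes later in this chapter.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"; a security group only ever holds "allow"
    cidr: str          # remote address range the rule covers
    ports: range       # destination port range
    proto: str = "tcp"

    def matches(self, remote_ip: str, dport: int, proto: str) -> bool:
        return (proto == self.proto and dport in self.ports
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


class StatefulFilter:
    """Ordered rule list, first match wins, implicit deny. Once a request is
    allowed in one direction, its reply is allowed back regardless of rules."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._conversations: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])  # same key for request and reply
        return (ends[0], ends[1], p.proto)

    @staticmethod
    def _first_match(rules, remote_ip, dport, proto) -> bool:
        for r in rules:
            if r.matches(remote_ip, dport, proto):
                return r.action == "allow"
        return False

    def allows_inbound(self, p: Packet) -> bool:
        if self._key(p) in self._conversations:
            return True
        ok = self._first_match(self.inbound, p.src, p.dport, p.proto)
        if ok:
            self._conversations.add(self._key(p))
        return ok

    def allows_outbound(self, p: Packet) -> bool:
        if self._key(p) in self._conversations:
            return True
        ok = self._first_match(self.outbound, p.dst, p.dport, p.proto)
        if ok:
            self._conversations.add(self._key(p))
        return ok


class SecurityGroup(StatefulFilter):
    """Instance-level filter modelled on the default group: allow rules only,
    all outbound traffic allowed, inbound denied unless a rule allows it."""

    def __init__(self, inbound=()):
        if any(r.action != "allow" for r in inbound):
            raise ValueError("security groups only support allow rules")
        super().__init__(inbound, [])

    def allows_outbound(self, p: Packet) -> bool:
        self._conversations.add(self._key(p))  # remember it so the reply can come back
        return True


class NetworkAcl(StatefulFilter):
    """Subnet-level filter; unlike a security group it may hold deny rules."""


ALL_PORTS = range(0, 65536)


def inbound_allowed(acl: NetworkAcl, sg: SecurityGroup, p: Packet) -> bool:
    return acl.allows_inbound(p) and sg.allows_inbound(p)   # subnet layer first, then instance


def outbound_allowed(acl: NetworkAcl, sg: SecurityGroup, p: Packet) -> bool:
    return acl.allows_outbound(p) and sg.allows_outbound(p)


def run_demo() -> dict[str, bool]:
    """Constructed scenario: an ECS at 192.168.1.10 behind a network ACL and a security group."""
    acl = NetworkAcl(
        inbound=[Rule("deny", "203.0.113.0/24", range(22, 23)),   # explicit block, evaluated first
                 Rule("allow", "0.0.0.0/0", range(22, 23)),
                 Rule("allow", "0.0.0.0/0", range(443, 444)),
                 Rule("allow", "100.125.0.0/16", range(80, 81))],  # ELB health-check source range
        outbound=[Rule("allow", "0.0.0.0/0", ALL_PORTS)])
    sg = SecurityGroup(
        inbound=[Rule("allow", "0.0.0.0/0", range(443, 444)),
                 Rule("allow", "198.51.100.0/24", range(22, 23)),  # SSH only from one trusted range
                 Rule("allow", "100.125.0.0/16", range(80, 81))])
    me = "192.168.1.10"
    request = Packet(me, 51000, "192.0.2.50", 80)   # ECS calls an external service
    reply = Packet("192.0.2.50", 80, me, 51000)     # the service answers on the same conversation
    return {
        "https_from_internet": inbound_allowed(acl, sg, Packet("198.51.100.7", 40000, me, 443)),
        "ssh_from_trusted_range": inbound_allowed(acl, sg, Packet("198.51.100.7", 40001, me, 22)),
        "ssh_from_internet": inbound_allowed(acl, sg, Packet("192.0.2.5", 40002, me, 22)),
        "ssh_from_blocked_range": inbound_allowed(acl, sg, Packet("203.0.113.9", 40003, me, 22)),
        "health_check": inbound_allowed(acl, sg, Packet("100.125.3.4", 40004, me, 80)),
        "unlisted_port": inbound_allowed(acl, sg, Packet("198.51.100.7", 40005, me, 8080)),
        "outbound_request": outbound_allowed(acl, sg, request),
        "reply_to_request": inbound_allowed(acl, sg, reply),
    }
```

The scenario shows the division of labour the notes describe: the network ACL's deny rule stops SSH from one range before the security group is consulted, the security group's default-deny stops SSH from everywhere except the trusted range, and the reply to the ECS's own outbound request is admitted by conversation state even though no inbound rule covers the ephemeral port.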
Virtual IP Address
⚫ A virtual IP address can be shared among multiple ECSs. An ECS can have both
private and virtual IP addresses, and you can access the ECS through either IP
address. A virtual IP address has the same network access capability as a private IP
address. Virtual IP addresses are used for high availability as they make
active/standby ECS switchover possible.


• Networking mode 1: high availability of ECSs

▫ If you want to improve service availability and avoid single points of failure,
you can deploy ECSs in the active/standby mode or deploy one active ECS
and multiple standby ECSs. In this arrangement, the ECSs all use the same
virtual IP address. If the active ECS becomes faulty, a standby ECS takes
over services from the active ECS and services continue uninterrupted.

• Networking mode 2: high availability of a load balancing cluster

▫ If you want to build a high-availability load balancing cluster, use
Keepalived and configure LVS nodes as direct routers.
Elastic Network Interface
⚫ An elastic network interface (Elastic NIC) is a virtual network card. You can create and configure
network interfaces and attach them to your instances (ECSs and BMSs) to obtain flexible and highly
available network configurations.
 A primary network interface is created together with an instance by default, which cannot be detached from its instance.
 You can create extension network interfaces, attach them to an instance, and detach them from the instance. The number of
extension network interfaces that you can attach to an ECS varies by ECS flavor.


• A primary network interface cannot be detached from its instance.

• The number of extension network interfaces that you can attach to an instance
varies by instance flavor.

• Elastic network interfaces and extension NICs cannot be used to directly access
Huawei Cloud services, such as DNS. You can use VPCEP to access these services.
IP address group
⚫ An IP address group is a collection of IP addresses. It can be associated with security groups and
network ACLs to simplify IP address configuration and management.


• You can add IP address ranges and IP addresses that need to be managed in a
unified manner to an IP address group. An IP address group can work together
with different cloud resources.
VPC Configuration Process

[Flowchart] Start → Create a VPC (the created VPC has a default subnet) → (Optional) Create another subnet for the VPC → Create a security group → (Optional) Add a security group rule → End

• Before creating your VPCs, determine how many VPCs and subnets you need and
what IP address ranges they will use. Ensure that the subnets do not overlap
with the networks at the remote end of any VPN or Direct Connect connections.

• For network security, define access control policies based on specific services and
minimize the access permissions. For example, a security group allows access
from only certain source IP addresses on certain ports.
VPC Configuration - Subnet
⚫ Each VPC comes with a default subnet. If the default subnet cannot meet your requirements, create
one.
⚫ The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS
automatically obtains an IP address using DHCP.
⚫ An AZ is a physical location where resources use independent power supplies and networks within a
given region.


• The CIDR block of a subnet must be within the CIDR block of the VPC. The
supported CIDR blocks are 10.0.0.0/8-24, 172.16.0.0/12-24, and 192.168.0.0/16-
24.

• An external DNS server address is used by default. If you need to change the DNS
server address, ensure that the configured DNS server address is available.

• Dynamic Host Configuration Protocol (DHCP) is a network protocol for local area
networks. A DHCP server manages a pool of IP addresses, and a client that joins
the network automatically obtains an IP address and subnet mask assigned by
the server.
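The address-planning rules spread across the "Subnet" notes earlier in this chapter (subnets must sit inside the VPC block, with masks between the VPC netmask and /28) and the notes on this slide (the supported private ranges, no overlap with the far end of a VPN or Direct Connect link) are easy to check before anything is created. The following Python is an added example written for this material, not Huawei Cloud code: the three private ranges and the /28 bound are taken from the notes, and the CIDR blocks in the `__main__` section are constructed inputs.

```python
from __future__ import annotations
import ipaddress
from typing import Iterable

# Private ranges the VPC service accepts for a VPC CIDR block (from the notes).
ALLOWED_VPC_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MAX_SUBNET_PREFIX = 28   # smallest subnet allowed, per the Subnet notes


def check_vpc_cidr(cidr: str) -> list[str]:
    """Return the problems with a proposed VPC CIDR block (empty list = OK)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: not a valid CIDR block ({exc})"]
    if not any(net.subnet_of(rng) for rng in ALLOWED_VPC_RANGES):
        return [f"{cidr}: not inside an allowed private range"]
    return []


def check_subnets(vpc_cidr: str, subnets: Iterable[str],
                  remote_cidrs: Iterable[str] = ()) -> list[str]:
    """Validate subnets against the VPC block, the /28 bound, each other, and
    the remote networks (VPN / Direct Connect) they must not overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems: list[str] = []
    nets: list[ipaddress.IPv4Network] = []
    for s in subnets:
        try:
            n = ipaddress.ip_network(s, strict=True)
        except ValueError as exc:
            problems.append(f"{s}: invalid ({exc})")
            continue
        if not n.subnet_of(vpc):
            problems.append(f"{s}: outside VPC {vpc_cidr}")
        if not (vpc.prefixlen <= n.prefixlen <= MAX_SUBNET_PREFIX):
            problems.append(f"{s}: prefix must be between /{vpc.prefixlen} and /{MAX_SUBNET_PREFIX}")
        nets.append(n)
    # subnets inside one VPC may not overlap each other
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    # nor the networks reachable over VPN or Direct Connect
    for n in nets:
        for r in (ipaddress.ip_network(r) for r in remote_cidrs):
            if n.overlaps(r):
                problems.append(f"{n} overlaps remote network {r}")
    return problems


if __name__ == "__main__":
    # Constructed plan: one VPC, four candidate subnets, one on-premises network
    print(check_vpc_cidr("192.168.0.0/16"))
    print(check_subnets("192.168.0.0/16",
                        ["192.168.1.0/24", "192.168.1.128/25", "10.0.0.0/24", "192.168.3.0/30"],
                        remote_cidrs=["192.168.2.0/24"]))
```

Running the check with the whole plan at once is what makes it useful: an overlap between a cloud subnet and the on-premises side of a VPN is easy to miss when each subnet is created separately, and the subnet CIDR cannot be changed afterwards.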
VPC Configuration - Security Group
⚫ Your account automatically comes with a default security group. You can add inbound and
outbound rules to the default security group or create a new security group.
⚫ Inbound rules control incoming traffic to ECSs in the security group.
⚫ Outbound rules control outgoing traffic from ECSs in the security group.
⚫ Default security group rules


• The default security group cannot be deleted, but you can modify the rules in the
default security group.

• If two ECSs are in the same security group but in different VPCs, the ECSs cannot
communicate with each other. To enable communications between the ECSs, use
a VPC peering connection to connect the two VPCs.

• In a VPC, if you want to copy resources from an ECS in a security group to
another ECS in another security group, you can add rules to enable internal
network communication between the ECSs and then copy resources. Within a
given VPC, ECSs in the same security group can communicate with one another
by default. However, ECSs in different security groups cannot communicate with
each other by default. To enable these ECSs to communicate with each other,
you need to add certain security group rules.
VPC vs. Traditional IDC
⚫ Deployment cycle
 ▫ Virtual private cloud: You do not need to perform complex engineering deployment, including engineering planning and cabling. You can determine your networks, subnets, and routes on Huawei Cloud based on service requirements.
 ▫ Traditional IDC: You need to set up networks and perform tests. The entire process takes a long time and requires professional technical support.
⚫ Total cost
 ▫ Virtual private cloud: Huawei Cloud provides flexible billing modes for network services. You can select whichever one best fits your business needs. There are no upfront costs and network O&M costs, reducing the total cost of ownership (TCO).
 ▫ Traditional IDC: You need to invest heavily in equipment rooms, power supply, construction, and hardware materials. You also need professional O&M teams to ensure network security. Asset management costs increase with any change in business requirements.
⚫ Flexibility
 ▫ Virtual private cloud: Huawei Cloud provides a variety of network services for you to choose from. If you need more network resources (for instance, if you need more bandwidth), you can expand resources on the fly.
 ▫ Traditional IDC: You have to strictly comply with the network plan to complete the service deployment. If there are changes in your service requirements, it is difficult to dynamically adjust the network.
⚫ Security
 ▫ Virtual private cloud: VPCs are logically isolated from each other. You can use security features such as network ACLs and security groups, and even security services like Advanced Anti-DDoS (AAD) to protect your cloud resources.
 ▫ Traditional IDC: The network is insecure and difficult to maintain. You need professional technical personnel to ensure network security.
Application Scenario - Dedicated Networks on Cloud
⚫ Each VPC represents a private network and is logically isolated from other VPCs. You can deploy your
service systems in a private network on the cloud. If you have multiple service systems, for example, a
production system and a test system, you can keep them isolated by deploying them in two different
VPCs.


• To enable two VPCs in the same region to communicate with each other, you can
create a VPC peering connection between them.
Application Scenario - Web Application/Website Hosting
⚫ You can host web applications and websites in a VPC and use the VPC as a regular network. With EIPs
or NAT gateways, you can connect ECSs running your web applications to the Internet. You can then
use load balancers provided by the ELB service to evenly distribute traffic across multiple ECSs.

Contents

1. Virtual Private Cloud (VPC)

2. Elastic IP (EIP)

3. Elastic Load Balance (ELB)

4. Virtual Private Network (VPN)

5. NAT Gateway

6. Other Services

What Is Elastic IP
⚫ An EIP is a public IP address that can be accessed directly over the Internet. An EIP consists of a public
IP address and some amount of public network egress bandwidth. EIPs can be bound to or unbound
from ECSs, BMSs, virtual IP addresses, NAT gateways, and load balancers.

EIP Types
⚫ Static BGP
 ▫ Definition: Static routes are manually configured and must be manually reconfigured anytime the network topology or link status changes.
 ▫ Assurance: When changes occur on a network that uses static BGP, the manual configuration takes some time and high availability cannot be guaranteed.
 ▫ Service availability: 99%
⚫ Dynamic BGP
 ▫ Definition: Dynamic BGP provides automatic failover and chooses the optimal path based on the real-time network conditions as well as preset policies.
 ▫ Assurance: When a fault occurs on a carrier's link, dynamic BGP will quickly select another optimal path to take over services, ensuring service availability.
 ▫ Service availability: 99.95%
⚫ Preferred BGP
 ▫ Definition: Premium BGP chooses the optimal path and ensures low-latency and high-quality networks. BGP is used to interconnect with lines of multiple mainstream carriers. Public network connections that feature low latency and high quality are directly established between Chinese mainland and Hong Kong (China).
 ▫ Assurance: Premium BGP has the same assurance capability as that of dynamic BGP. In addition, premium BGP ensures higher network quality and lower latency.
 ▫ Service availability: 99.95%

• If you select static BGP, your application system must have disaster recovery
setups in place.

• Currently, mainstream Dynamic BGP carriers in Hong Kong (China) are
supported.

• Premium BGP is now available only in the CN-Hong Kong region.


Application Scenario - Binding an EIP to an ECS
⚫ You can bind an EIP to an ECS to enable the ECS to access the Internet.

Application Scenario - Binding an EIP to a NAT Gateway
⚫ After an EIP is bound to a NAT gateway and SNAT and DNAT rules are added, multiple servers (such as
ECSs and BMSs) can use the same EIP to access the Internet and provide services accessible from the
Internet.


• An SNAT rule allows servers in a specific VPC subnet to use the same EIP to
access the Internet.

• A DNAT rule enables servers in a VPC to provide services accessible from the
Internet.
Application Scenario - Binding an EIP to a Load Balancer
⚫ After you attach an EIP to a load balancer, the load balancer can distribute requests
from the Internet to backend servers.

What Is ELB?
⚫ Elastic Load Balance (ELB) automatically distributes incoming traffic across multiple backend servers
based on the listening rules you configure. ELB expands the service capabilities of your applications and
improves their availability by eliminating single points of failure (SPOFs).


• ELB provides shared load balancers and dedicated load balancers.

▫ Dedicated load balancers have exclusive use of underlying resources, so
that the performance of a dedicated load balancer is not affected by other
load balancers. In addition, there is a wide range of specifications
available for selection.

▫ Shared load balancers are deployed in clusters and share underlying
resources, so that the performance of a load balancer is affected by other
load balancers. Shared load balancers were previously named enhanced
load balancers.
ELB Advantages
[Figure: six ELB advantages arranged around the service]
⚫ High availability: cluster-based deployment, intra-city active-active DR for multiple AZs, and seamless real-time switchover.
⚫ Flexible forwarding: supports multiple allocation policies and forwarding policies, and forwards traffic in multiple modes to meet different forwarding requirements.
⚫ Easy to use: deploy the ELB quickly and take effect in real time. Multiple scheduling algorithms are available.
⚫ Robust performance: a cluster supports 100 million concurrent connections, meeting users' massive service access requirements.
⚫ Flexible scalability: automatic distribution based on application traffic, seamless integration with the AS service, and flexible expansion of the external service capabilities of user applications.
⚫ Boundless load balancing: exclusive ELB provides the hybrid load balancing capability (cross-VPC backend) to uniformly load resources between on- and off-cloud clouds.

• ELB has the following advantages:


▫ Robust performance: Each load balancer has exclusive use of isolated
resources, meeting your requirements for handling a massive number of
requests. A single load balancer deployed in one AZ can handle up to 20
million concurrent connections.
▫ High availability: ELB can route traffic uninterruptedly. If your servers in one
AZ are unhealthy, it automatically routes traffic to healthy servers in other
AZs. ELB provides a comprehensive health check system to ensure that
incoming traffic is routed only to healthy backend servers, improving the
availability of your applications.
▫ Flexible Scalability: ELB ensures that your applications are always ready for
any size of workload. It works with Auto Scaling (AS) to flexibly adjust the
number of backend servers and intelligently distribute incoming traffic
across them.
▫ Flexible Forwarding: ELB allows you to create custom forwarding policies to
meet your requirements in different scenarios.
▫ Boundless Load Balancing: Dedicated load balancers can route traffic to
both cloud and on-premises servers, improving the scalability of your hybrid
cloud network.
▫ Ease-of-use: A diverse set of protocols and algorithms enable you to
customize traffic routing policies to your needs while keeping deployments
simple.
ELB Architecture
⚫ ELB consists of three components: load balancers, listeners, and backend server groups.

[Figure: a load balancer with three listeners: HTTPS on port 443, HTTP on port 81, and TCP on port 80. Each listener has a forwarding policy and sends requests to its own backend server group, which runs a health check with the same protocol and port (HTTPS 443, HTTP 81, TCP 80) against several backend servers.]

• ELB consists of load balancers, listeners, and backend server groups.

▫ A load balancer is an instance that distributes incoming traffic across
backend servers in one or more availability zones (AZs).

▫ A listener uses the protocol and port you specify to check for requests from
clients and route the requests to associated backend servers based on the
listening rules you define. You can add one or more listeners to a load
balancer.

▫ A backend server group uses the protocol and port you specify to receive
the requests from the load balancer and route them to one or more
backend servers. You need to add at least one backend server to a backend
server group. You can set a weight for each backend server so that the load
balancer can route requests based on their performance. You can also
configure health checks for a backend server group to check the health of
backend servers in the group. If a backend server is unhealthy, the load
balancer stops routing new requests to this server until it recovers.
ELB - Load Balancer
⚫ A load balancer distributes incoming traffic across multiple backend servers. Load
balancers can work on both public and private networks.

[Figure: a load balancer on a public network and a load balancer on a private network.]

• Each load balancer on a public network has an EIP bound to it and routes
requests from clients to backend servers over the Internet.

• Load balancers on a private network work within a VPC and route requests to
backend servers in the same VPC as the clients.
ELB - Listener
⚫ A listener listens on requests from clients and routes the requests to backend servers
based on the settings that you configure when you add the listener.

⚫ Listening protocols
 ▫ Load balancing at Layer 4: TCP or UDP
 ▫ Load balancing at Layer 7: HTTP or HTTPS
⚫ Load balancing algorithms: weighted round robin, weighted least connections, source IP hash, and connection ID (connection ID is supported only by dedicated load balancers)

• A listener specifies the protocol and port used to receive requests from the clients,
and the protocol, the port, and the load balancing algorithm to forward the
requests to one or more backend servers. A listener also defines the health check
configuration, which the load balancer uses to continually check the statuses of
backend servers. If a backend server is unhealthy, the load balancer routes traffic
to the healthy ones. Traffic routing to this server resumes after it recovers.

• The OSI model consists of the application layer, presentation layer, session layer,
transport layer, network layer, data link layer, and physical layer.

▫ Protocols at the application layer: HTTP, SNMP, FTP, NFS, Telnet, and SMTP

▫ Protocols at the presentation layer: none

▫ Protocols at the session layer: none

▫ Protocols at the transport layer: TCP and UDP

▫ Protocols at the network layer: IP and ICMP

▫ Protocols at the data link layer: FDDI, Ethernet, ARPANET, PDN, SLIP, and
PPP

▫ Protocols at the physical layer: IEEE 802.1A, IEEE 802.2 to IEEE 802.11
ELB-Backend Server Group
⚫ A backend server group is a group of cloud servers that have the same features. When you add a listener, you select a load balancing
algorithm and create or select a backend server group. Incoming traffic is routed to the corresponding backend server group based
on the listener's configuration.

[Figure: a load balancer with two listeners; each listener routes to its own backend server group, and each group has a health check and several backend servers.]
ELB - Health Check
⚫ ELB periodically sends heartbeat messages to associated backend servers to check
their health and ensure that traffic is distributed only to healthy servers. This can
improve the availability of your applications. If a backend server is unhealthy, the
load balancer stops routing traffic to it. The load balancer will resume routing
requests to the backend server after it recovers.

[Figure: the load balancer runs a TCP health check against each backend server.]

• How does a health check work?

▫ UDP listeners: UDP is used for health checks by default, and UDP probe
packets are sent to backend servers to obtain their health results.

▫ TCP, HTTP, or HTTPS listeners: HTTP can be used for health checks. ELB
sends HTTP GET requests to backend servers to check their health.

• If the health check result of a backend server is Unhealthy, you need to check its
configuration.

• The security group that contains the backend servers must allow access from
100.125.0.0/16. Otherwise, health checks cannot be performed.

• If UDP is used for health checks, the backend server group's protocol must be
UDP.
ELB - Load Balancing Algorithms
⚫ The load balancer forwards the request from the client to the backend server for processing. You can add an ECS
instance as the backend server of the load balancer. The listener uses the configured protocol and port to check
connection requests from clients and forwards the requests to backend ECSs in the backend server group based on
the user-defined allocation policy. The specific policies are as follows:

 Weighted round robin
 Weighted least connections
 Source IP hash
 Connection ID

• Each backend server can be given a numeral value from 0 to 100 to indicate the
proportion of requests the backend server can receive. The higher the weight, the
more requests the backend server receives. You can set a weight for each
backend server when you select one of the following algorithms:
▫ Weighted round robin: Requests will not be routed to a backend server
whose weight is 0, even if the backend server is considered healthy. If none
of the servers have a weight of 0, the load balancer routes requests to
these servers using the round robin algorithm based on their weights. If two
backend servers have the same weights, they receive the same number of
requests.
▫ Weighted least connections: Requests will not be routed to a backend
server whose weight is 0. If none of the servers have a weight of 0, the load
balancer calculates each server's overhead using the formula: Overhead =
Number of current connections/Server weight. The load balancer routes
requests to the backend server with the lowest overhead.
▫ Source IP hash: If a backend server's weight is 0, requests will not be routed
to this server. If the server weights are not 0, they will not take effect, and
requests from the same IP address will be routed to the same backend
server.
▫ Connection ID: If a backend server's weight is 0, requests will not be routed
to this server. If the server weights are not 0, they will not take effect, and
requests from the same client and with the same connection ID will be
routed to the same backend server.
• Currently, only dedicated load balancers support the Connection ID algorithm.

• Assume that there are two backend servers with the same weight (not zero), the
weighted least connections algorithm is selected, sticky sessions are not enabled,
and 100 connections have been established with backend server 01, and 50
connections with backend server 02.

• When client A wants to access backend server 01, the load balancer establishes a
persistent connection with backend server 01 and continuously routes requests
from client A to backend server 01 before the persistent connection is
disconnected. When other clients access backend servers, the load balancer
routes the requests to backend server 02 using the weighted least connections
algorithm.

• In addition to the load balancing algorithm, factors that affect load balancing
generally include connection type, session stickiness, and server weights.
ELB Configuration Process
1. Creating a Load Balancer
 Click Buy Elastic Load Balancer.
 Select the load balancer type.
 Configure the network.
2. Adding a Listener
 Locate the created load balancer.
 Configure the protocol and port.
3. Adding a Backend Server Group
 Select a load balancing algorithm.
 Configure a health check.

[Figure: step 1 creates the load balancer, step 2 adds its listeners, and step 3 adds the backend server groups, each with a health check and its backend servers.]

• A listener specifies the protocol and port used to receive requests from the clients,
and the protocol, the port, and the load balancing algorithm to forward the
requests to one or more backend servers. A listener also defines the health check
configuration, which the load balancer uses to continually check the statuses of
backend servers. If a backend server is unhealthy, the load balancer routes traffic
to the healthy ones. Traffic routing to this server resumes after it recovers.
ELB Configuration - Creating a Load Balancer
⚫ Before creating a load balancer, you need to plan its region, network, protocol, and
backend servers.


• Click the icon in the upper left corner to select a region and a project.

• Hover on the upper left to display Service List. Under Networking, click Elastic
Load Balance.

• Click Buy Elastic Load Balancer and then configure the parameters.

• Click Next.

• Confirm the configuration and submit your request.

• View the newly created load balancer in the load balancer list.
ELB Configuration - Adding a Listener
⚫ After you have created a load balancer, you need to add at least one listener. A
listener listens on requests from clients and routes the requests to backend servers
based on the settings that you configure when you add the listener.


• Frontend Protocol/Port: The load balancer uses the protocol and port to receive
requests from clients and forward the requests to backend servers.

• Obtain Client IP Address:

▫ Enable this option if you want to pass source IP addresses of the clients to
backend servers.

▫ It is enabled for dedicated load balancers by default and cannot be
disabled.
ELB Configuration - Adding a Backend Server Group
⚫ A backend server group is a collection of cloud servers that have the same features
and receive the requests routed by the load balancer.


• The load balancer uses one of the following algorithms to distribute traffic:

▫ Weighted round robin: Requests are distributed across backend servers in
sequence based on their weights. Backend servers with higher weights
receive proportionately more requests, whereas equally-weighted servers
receive the same number of requests.

▫ Weighted least connections: In addition to the number of active connections
established with each backend server, each server is assigned a weight
based on its capacity. Requests are routed to the server with the lowest
connections-to-weight ratio.

▫ Source IP hash: Requests from the same source IP address are routed to the
same backend server.

▫ Connection ID (only for dedicated load balancers): Requests from the same
client and with the same connection ID are routed to the same backend
server.
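The four algorithms listed here and in the earlier "ELB - Load Balancing Algorithms" notes (weight 0 removes a server from rotation, weighted least connections picks the lowest connections-to-weight ratio, the two hash algorithms ignore weights except for that exclusion) can be implemented in a few dozen lines, together with the health-check exclusion from the "Health Check" notes. The following Python is an added example written for this material, not ELB's own scheduler: the rotation order of weighted round robin is not specified on these slides, so the smooth weighted round robin scheme used here is an assumption, and the `Backend` and `Balancer` names, the SHA-256 hash, and the two-server scenario with 100 and 50 connections (taken from the notes) are constructed inputs.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    weight: int            # 0 to 100; weight 0 takes the server out of rotation
    connections: int = 0   # active connections, used by weighted least connections
    healthy: bool = True   # result of the last health check


class Balancer:
    def __init__(self, backends: list[Backend]):
        self.backends = backends
        self._credit = {b.name: 0 for b in backends}   # state for smooth weighted round robin

    def _eligible(self) -> list[Backend]:
        # An unhealthy server and a weight-0 server are skipped by every algorithm.
        return [b for b in self.backends if b.healthy and b.weight > 0]

    def weighted_round_robin(self) -> Backend | None:
        """Smooth weighted round robin (assumed scheme): over one cycle a server
        with weight w is picked w times, so equal weights get equal shares."""
        elig = self._eligible()
        if not elig:
            return None
        total = sum(b.weight for b in elig)
        for b in elig:
            self._credit[b.name] += b.weight
        best = max(elig, key=lambda b: self._credit[b.name])
        self._credit[best.name] -= total
        return best

    def weighted_least_connections(self) -> Backend | None:
        """Overhead = current connections / weight; the lowest overhead wins."""
        elig = self._eligible()
        if not elig:
            return None
        return min(elig, key=lambda b: b.connections / b.weight)

    @staticmethod
    def _pick_by_hash(elig: list[Backend], key: str) -> Backend:
        # Weights play no part beyond the weight-0 exclusion in _eligible().
        digest = hashlib.sha256(key.encode()).hexdigest()
        return elig[int(digest, 16) % len(elig)]

    def source_ip_hash(self, client_ip: str) -> Backend | None:
        """Requests from the same client IP address land on the same server."""
        elig = self._eligible()
        return self._pick_by_hash(elig, client_ip) if elig else None

    def connection_id(self, client_ip: str, conn_id: str) -> Backend | None:
        """Requests from the same client with the same connection ID stick together."""
        elig = self._eligible()
        return self._pick_by_hash(elig, f"{client_ip}:{conn_id}") if elig else None


if __name__ == "__main__":
    # Scenario from the notes: equal weights, 100 connections on server 01 and 50 on server 02
    lb = Balancer([Backend("server01", 10, connections=100), Backend("server02", 10, connections=50)])
    print(lb.weighted_least_connections().name)   # server02 has the lower overhead
```

One property worth noticing in this simple modulo-based hash: when the eligible set changes (a server fails its health check or its weight is set to 0), clients are remapped across the remaining servers, so hash-based stickiness is only stable while the pool is stable.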
Application Scenario: Heavy-Traffic Applications
⚫ For an application with heavy traffic, such as a large web portal or mobile app store,
ELB evenly distributes incoming traffic to multiple backend servers, balancing the
load while ensuring stable performance. Sticky sessions ensure that requests from
one client are always forwarded to the same backend server.

Application Scenario: Applications with Fluctuating Traffic
⚫ For an application that has predictable peaks and troughs in traffic volumes, ELB works with AS to add
or remove backend servers to keep up with changing demands. One example is flash sales, during
which there are predictable traffic spikes that only last a short while. ELB can work with AS to run only
the required number of backend servers needed to handle the load of your application.

• Traffic to some applications may fluctuate significantly at different time periods.


Application Scenario: Zero SPOFs
⚫ ELB routinely performs health checks on backend servers. If any backend server is
unhealthy, ELB will not route requests to this server until it recovers. This makes ELB
a good choice for running applications that require high reliability.

• A single point of failure (SPOF) is a part of a system that, if it fails, will stop the
entire system from working. SPOFs are undesirable in any system with a goal of
high availability or reliability, such as a business system, software application, or
other industrial system.
Virtual Private Network
⚫ Virtual Private Network (VPN) allows you to establish an encrypted, Internet-based
communications tunnel between your on-premises data center and a VPC, so you
can access resources in the VPC remotely.

• VPN tunnels support three protocols: PPTP, L2TP, and IPsec.

• Virtual Private Network (VPN) establishes a secure, encrypted communications
tunnel between your local data center and your VPC on HUAWEI CLOUD. With
VPN, you can build a flexible and scalable hybrid cloud environment.
VPN Advantages

High security:
• IKE and IPsec encryption
• A stable VPN connection

High availability:
• Dual Connectivity
• Active-Active Gateway

Cost-effectiveness:
• Encrypted IPsec connections over the Internet

Easy to use:
• Support for multiple link modes
• Branches can access each other.
• Out of the box
• Affiliate Enterprise Router
• Direct Connect mutual backup

• VPN advantages:

• High security

▫ Data is encrypted using IKE and IPsec, ensuring high data security.

▫ A VPN gateway is exclusive to a tenant, isolating tenants from each other.

▫ VPN gateways of the GM specification are supported, in compliance with
GB/T 36968-2018 Information security technology — Technical
specification for IPSec VPN.

• High availability

▫ A VPN gateway provides two elastic IP addresses (EIPs) to establish dual
independent VPN connections with a customer gateway. If one VPN
connection fails, traffic can be quickly switched to the other VPN
connection.

▫ Active-active gateways are deployed in different availability zones (AZs) to
ensure AZ-level high availability.

▫ Active/Standby mode: In normal cases, a VPN gateway communicates with
a customer gateway through the active connection. If the active connection
fails, traffic is automatically switched to the standby VPN connection. After
the fault is rectified, traffic is switched back to the active VPN connection.
• Cost-effectiveness
▫ IPsec connections over the Internet provide a cost-effective alternative to
Direct Connect.
▫ A VPN gateway can be bound to EIPs that share bandwidth, reducing
bandwidth costs.
▫ The bandwidth can be adjusted when an EIP instance is created.
• Easy to use
▫ A VPN gateway supports multiple connection modes, including policy-based,
static routing, and BGP routing, to meet different access requirements of
customer gateways.
▫ A VPN gateway on the cloud can function as a VPN hub, enabling on-
premises branch sites to access each other.
▫ A VPN connection can be created in a few simple steps on the VPN device
in an on-premises data center and on the VPN console, and is ready to use
immediately after being created.
▫ VPN can be used together with the enterprise router service, allowing
enterprises to build more flexible cloud-based networks.
▫ Backup between VPN and Direct Connect is supported, and automatic
failover is supported.
▫ Private VPN gateways are supported to encrypt traffic transmitted over
Direct Connect connections, improving data transmission security.
VPN Networking
⚫ A VPN consists of a VPN gateway and one or more VPN connections.
 A VPN gateway provides an Internet egress for a VPC and works together with the gateway in your on-premises
data center.
 A VPN connection connects a VPN gateway to a customer gateway through encrypted tunnels, enabling
communication between a VPC and your on-premises data center. This helps quickly establish a secure hybrid
cloud environment.

• VPN components:

▫ A VPN gateway is an egress gateway for a VPC. With a VPN gateway, you
can create a secure, reliable, and encrypted connection between a VPC and
your on-premises data center or between two VPCs in different regions.
Each data center must have a gateway, which works as the remote
gateway. Each VPC must have a VPN gateway. A VPN gateway needs to be
paired with a remote gateway. Each VPN gateway can connect to one or
more remote gateways, so you can set up point-to-point or hub-and-spoke
VPN connections.

▫ Customer gateway: a resource that provides information to Huawei
Cloud about your customer gateway device, which can be a physical device
or software application in your on-premises data center.

▫ A VPN connection is a secure and reliable communications tunnel
established between a VPN gateway and a gateway in your on-premises
data center. Only IPsec VPNs are supported. VPN connections use IKE and
IPsec protocols to cost-effectively and securely encrypt data transmitted
over the Internet.
IPSec VPN
⚫ Internet Protocol Security (IPsec) VPN uses a secure network protocol suite that authenticates and
encrypts the packets of data to provide secure encrypted communication between different networks.

• Assume that you have created a VPC with two subnets (192.168.1.0/24 and
192.168.2.0/24) on the cloud, and the router in your on-premises data center also
has two subnets (192.168.3.0/24 and 192.168.4.0/24). In this case, you can create
a VPN to connect the VPC subnets and the data center subnets.
VPN Configuration Process (Classic)
⚫ You can create a VPN gateway and a VPN connection on the management console.

[Figure: VPN gateway 1 in VPC 1 (Region 1, with subnets 1 and 2 hosting ECS 1 and
ECS 2) and VPN gateway 2 in VPC 2 (Region 2, with subnet 3 hosting ECS 3), linked
by VPN connection 1 and VPN connection 2.]

• A VPN enables communications between VPCs in different regions.

• In this example, ECS 2 in region 1 needs to communicate with ECS 3 in region 2.
A VPN connection linking region 1 and region 2 can make this possible.

• Step 1: Create a VPN gateway in region 1 and configure parameters such as
Billing Mode, Region (Region 1), VPC (VPC 1), Billed by, Bandwidth, and
encryption policies.

• Step 2: Create a VPN connection in region 1. Select subnet 2 for Local Subnet and
subnet 3 for Remote Subnet. Configure the remote gateway. (VPN gateway 2 has
not been created yet. Just enter a placeholder address; you can change it later.)

• Step 3: Create a VPN gateway in region 2 and configure parameters such as
Billing Mode, Region (Region 2), VPC (VPC 2), Billed by, Bandwidth, and
encryption policies.

• Step 4: Create a VPN connection in region 2. Select subnet 3 for Local Subnet and
subnet 2 for Remote Subnet. Configure the remote gateway by entering the IP
address of VPN gateway 1.

• Step 5: Change the remote gateway address of VPN connection 1 to the address
of VPN gateway 2.

• Step 6: Test the connectivity between ECS 2 and ECS 3 and check the VPN
connection status.
VPN Configuration: VPN Gateway
⚫ To allow your ECSs in a VPC to access your on-premises network, you must first
create a VPN gateway.

• VPN Gateway
▫ You can modify the name and description of a VPN gateway if needed. If
the bandwidth of a VPN gateway cannot meet your requirements, you can
modify the bandwidth, too. If the number of VPN connections associated
with a VPN gateway cannot meet your requirements, you can modify the
VPN gateway specifications. You can change the billing mode of a VPN
gateway billed by bandwidth from pay-per-use to yearly/monthly.
▫ If a VPN gateway is no longer required, you can delete it to release network
resources as long as it has no VPN connections configured. If it has any
connections configured, they have to be deleted before you can delete the
gateway.
• VPC: the name of the VPC that the VPN connects to
• Type: the VPN type. IPsec is selected by default.
• Billed By: There are two options available: bandwidth and traffic.
▫ Bandwidth: You specify a bandwidth and pay the bill based on the amount
of time you use the bandwidth.
▫ Traffic: You specify a bandwidth and pay for the total traffic you generate.
• Bandwidth (Mbit/s):
▫ The bandwidth (Mbit/s) of the VPN gateway. The bandwidth size is shared
by all VPN connections created for the VPN gateway. The total bandwidth
size used by all VPN connections created for a VPN gateway cannot exceed
the VPN gateway bandwidth size.
▫ If the network traffic exceeds the VPN gateway bandwidth, the network
may get congested and VPN connections may be interrupted. Make sure
you configure enough bandwidth.
▫ You can configure alarm rules on Cloud Eye to monitor the bandwidth.
VPN Configuration: VPN Connection
⚫ To connect your ECSs in a VPC to your private network, after the VPN gateway is
obtained, you also have to create a VPN connection.

• VPN Connection:

▫ A VPN connection is an encrypted communications channel established
between the VPN gateway in your VPC and that in your on-premises data
center. The VPN connection can be modified later.

▫ You can delete a VPN connection to release network resources if it is no
longer required. When you delete the last VPN connection for a pay-per-use
VPN gateway, the associated gateway will be deleted along with it.

• VPN Gateway: the name of the VPN gateway used by the VPN connection

• Local Subnet: the VPC subnets that will access your on-premises network
through VPN. Possible values are Select subnet and Specify CIDR block.

• Remote Gateway: the public IP address of the VPN device translated by the VPN
gateway in your on-premises private network. This IP address is used for
communications with your VPC.

• Remote Subnet: the subnets of your on-premises network that will access the
VPC through a VPN. The local subnet cannot include the CIDR block of the
remote subnet.

• PSK: Enter 6 to 128 characters. The PSK at both ends of a VPN connection must
be the same.
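As an added example, not taken from the training material or the VPN console, this Python check validates a VPN connection's parameters as the slides describe them (PSK length, local subnet not overlapping the remote subnet) and confirms that the two connections of the cross-region setup mirror each other, including the placeholder remote gateway that Step 5 corrects; gateway EIPs use the 203.0.113.0/24 documentation range and all subnets are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VpnGateway:
    name: str
    region: str
    vpc: str
    eip: str                 # public address the peer dials (constructed values below)


@dataclass(frozen=True)
class VpnConnection:
    gateway: VpnGateway
    local_subnets: tuple     # VPC subnets that reach the peer through the tunnel
    remote_gateway: str      # public IP of the peer gateway
    remote_subnets: tuple    # peer subnets reachable through the tunnel
    psk: str                 # must be identical on both ends


def validate_connection(conn):
    """Problems with one VPN connection, per the parameter notes above (empty = OK)."""
    problems = []
    if not 6 <= len(conn.psk) <= 128:
        problems.append("PSK must be 6 to 128 characters")
    try:
        ipaddress.ip_address(conn.remote_gateway)
    except ValueError:
        problems.append(f"remote gateway {conn.remote_gateway!r} is not an IP address")
    local = [ipaddress.ip_network(c) for c in conn.local_subnets]
    remote = [ipaddress.ip_network(c) for c in conn.remote_subnets]
    for lnet in local:
        for rnet in remote:
            if lnet.overlaps(rnet):   # the local subnet must not include the remote CIDR
                problems.append(f"local subnet {lnet} overlaps remote subnet {rnet}")
    return problems


def validate_pair(a, b):
    """Check that two connections, one per region, form one consistent tunnel."""
    problems = validate_connection(a) + validate_connection(b)
    if a.remote_gateway != b.gateway.eip:
        problems.append(f"{a.gateway.name}: remote gateway should be {b.gateway.eip}")
    if b.remote_gateway != a.gateway.eip:
        problems.append(f"{b.gateway.name}: remote gateway should be {a.gateway.eip}")
    if (set(a.local_subnets) != set(b.remote_subnets)
            or set(a.remote_subnets) != set(b.local_subnets)):
        problems.append("local/remote subnets of the two connections do not mirror each other")
    if a.psk != b.psk:
        problems.append("PSKs differ")
    return problems


def set_remote_gateway(conn, ip):
    """Step 5 of the process: point the first connection at the gateway created later."""
    return replace(conn, remote_gateway=ip)


def build_example():
    """Constructed two-region setup following Steps 1 to 4 of the slide."""
    gw1 = VpnGateway("VPN gateway 1", "Region 1", "VPC 1", "203.0.113.10")
    gw2 = VpnGateway("VPN gateway 2", "Region 2", "VPC 2", "203.0.113.20")
    psk = "constructed-psk-42"
    # Step 2: gateway 2 does not exist yet, so a placeholder remote address is entered.
    conn1 = VpnConnection(gw1, ("192.168.2.0/24",), "203.0.113.99", ("192.168.3.0/24",), psk)
    # Step 4: the second connection already knows gateway 1's address.
    conn2 = VpnConnection(gw2, ("192.168.3.0/24",), gw1.eip, ("192.168.2.0/24",), psk)
    return conn1, conn2


if __name__ == "__main__":
    conn1, conn2 = build_example()
    print(validate_pair(conn1, conn2))                 # placeholder still in place
    print(validate_pair(set_remote_gateway(conn1, conn2.gateway.eip), conn2))
```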
Application Scenario – Hybrid Cloud Deployment
⚫ You can use a VPN to connect your on-premises data center to a VPC on the cloud and use
the elastic and fast scaling capabilities of the cloud to expand application computing
capabilities.

Application Scenario – Cross-Region Interconnection Between VPCs
⚫ With VPNs, you can connect VPCs in different regions to enable connectivity
between user services in these regions.

• Enterprise Branch Interconnection

▫ A VPN gateway functions as a VPN hub to connect enterprise branches. This
eliminates the need to configure VPN connections between every two
branches.

• Backup Between VPN and Direct Connect

▫ For high reliability purposes, you can connect your on-premises data center
to a VPC on the cloud through Direct Connect and VPN that back up each
other.
NAT Gateway
⚫ The NAT Gateway service provides network address translation (NAT) service for servers in a
VPC and enables servers to share an EIP to access the Internet. NAT gateways can be either
public or private.
[Figure: a public NAT gateway bound to an EIP performs SNAT and DNAT between
the Internet and the ECSs in subnets 1 and 2 of VPC 1; a private NAT gateway
performs SNAT/DNAT between VPC 1 and the ECSs in subnet 3 of VPC 2.]

• With the increase of network applications, the problem of IPv4 address
exhaustion becomes more and more serious. Although IPv6 can solve the
problem of insufficient IPv4 address space, many network devices and network
applications are based on IPv4. Therefore, before IPv6 is widely used, some
transition technologies (such as CIDR and private network addresses) are the
main solutions to this problem. NAT is one of these transition technologies.

• If the NAT function is enabled on the gateway, the device translates the IP
address and port number in the header of the received packet to another IP
address and port number, and then forwards the packet to the public network. In
this process, the device can use the same public IP address to translate the
packets sent by multiple private network users and distinguish different private
network users by port number. In this way, the address reuse is achieved.

• A public NAT gateway enables cloud and on-premises servers in a private subnet
to share an EIP to access the Internet or provide services accessible from the
Internet.

• A private NAT gateway provides NAT service for servers in a VPC, so that multiple
servers can share a private IP address to access or provide services accessible
from an on-premises data center or other VPCs.
NAT Gateway Advantages

High performance: An extra-large NAT gateway can handle millions of concurrent
connections to a single destination address and port.

Security: Instead of exposing the EIP of each server on the public network, multiple
servers share the same EIP.

Flexible deployment: Instances in different subnets or AZs can share the same public
NAT gateway for Internet access or the same private NAT gateway for communication
with an on-premises data center or a remote VPC.

Ease of use: Private NAT gateways allow for communications between your VPCs
without the need to change existing networks or IP addresses.

Reduced costs: Multiple instances can share the same EIP and the associated
bandwidth resources for Internet access.

• Advantages of Public NAT Gateways

▫ Flexible deployment: A NAT gateway can be shared across subnets and
AZs, so that even if an AZ fails, the public NAT gateway can still run
normally in another AZ. The specifications and EIP of a public NAT gateway
can be changed at any time.

▫ Ease of use: Multiple NAT gateway specifications are available. Public NAT
gateway configuration is simple, the operation & maintenance is easy, and
they can be provisioned quickly. Once provisioned, they can run stably.

▫ Cost-effectiveness: Servers can share one EIP to connect to the Internet.
You no longer need to configure one EIP for each server, which saves
money on EIPs and bandwidth.

• Advantages of Private NAT Gateways

▫ Easier network planning: Different departments in a large enterprise may
have overlapping CIDR blocks, so the enterprise has to replan its network
before migrating their workloads to the cloud. The replanning is
time-consuming and stressful. The private NAT gateway eliminates the need to
replan the network so that customers can retain their original network
while migrating to the cloud.

▫ Easy operation & maintenance: Departments of a large enterprise usually
have hierarchical networks for hierarchical organizations, rights- and
domain-based management, and security isolation. Such hierarchical
networks need to be mapped to a large-scale network for enabling
communication between them. A private NAT gateway can map the CIDR
block of each department to the same VPC CIDR block, which simplifies the
management of complex networks.

▫ Strong security: Departments of an enterprise may need different levels of
security. Private NAT gateways can expose the IP addresses and ports of
only specified CIDR blocks to meet high security requirements. An industry
regulation agency may require other organizations to use a specified IP
address to access their regulation system. Private NAT gateways can help
meet this requirement by mapping private IP addresses to that specified IP
address.

▫ Zero IP conflicts: Isolated services of multiple departments usually use IP
addresses from the same private CIDR block. After the enterprise migrates
workloads to the cloud, IP address conflicts occur. Thanks to IP address
mapping, the private NAT gateways allow for communication between
overlapping CIDR blocks.
SNAT and DNAT
⚫ Source network address translation (SNAT): During NAT, only the source address in packets is
translated. This NAT mode applies to the scenario where private network users access the public
network.
⚫ Destination network address translation (DNAT): During NAT, only the destination address and port
number in packets are translated. DNAT applies to the scenario where public network users access
private network services.

[Figure: a client at 116.63.39.73 on the Internet, a NAT device with a public
interface eth1 (122.9.73.203) and a private interface eth0 (192.168.1.1), and
private hosts 192.168.1.11 and 192.168.1.12; the left half illustrates SNAT and
the right half DNAT.]

• NAT Gateway provides both source NAT (SNAT) and destination NAT (DNAT) for
your resources in a VPC and allows servers in your VPC to access or provide
services accessible from the Internet.
NAT Gateway Architecture (Public NAT Gateway)
⚫ A public NAT gateway enables cloud and on-premises servers in a private subnet to share an EIP to access
the Internet or provide services accessible from the Internet. Cloud servers are ECSs and BMSs in a VPC. On-
premises servers are servers in on-premises data centers that connect to a VPC through Direct Connect or
Virtual Private Network (VPN). A public NAT gateway supports up to 20 Gbit/s of bandwidth.

• Public NAT gateways support SNAT and DNAT.

▫ SNAT translates private IP addresses into EIPs, allowing servers in a VPC to
share an EIP to access the Internet in a secure and efficient way.

▫ DNAT enables servers in a VPC to share an EIP to provide services accessible
from the Internet through IP address mapping or port mapping.
NAT Gateway Architecture (Private NAT Gateway)
⚫ A private NAT gateway provides NAT service for servers in a VPC, so that multiple
servers can share a private IP address to access or provide services accessible from
an on-premises data center or other VPCs.

• You can configure SNAT and DNAT rules for a NAT gateway to translate the
source and destination IP addresses of originating packets into a transit IP
address.

▫ SNAT enables servers within one AZ or across AZs in a VPC to share a
transit IP address to access on-premises data centers or other VPCs.

▫ DNAT enables servers that share the same transit IP address in a VPC to
provide services accessible from on-premises data centers or other VPCs.

• Transit subnet: A transit subnet is a transit network and is the subnet to which
the transit IP address belongs.

• Transit IP Address: A transit IP address is a private IP address that can be
assigned from a transit subnet. Cloud servers in your VPC can share a transit IP
address to access on-premises networks or other VPCs.

• Transit VPC: A transit VPC is the VPC to which the transit subnet belongs.
Process for Buying a NAT Gateway
Public NAT gateway:

• Before you use a public NAT gateway, buy an EIP.

• SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share
an EIP to access the Internet in a secure and efficient way.

• DNAT enables servers in a VPC to share an EIP to provide services accessible from
the Internet through IP address mapping or port mapping.

• SNAT and DNAT rules are designed for different functions. If an SNAT rule and a
DNAT rule use the same EIP, there may be service conflicts.

• An SNAT rule cannot share an EIP with a DNAT rule with Port Type set to All
ports.
Buying a NAT Gateway
⚫ When you buy a public NAT gateway, you must specify its VPC, subnet, and type.
⚫ Check whether the default route (0.0.0.0/0) of the VPC is in use by any other
gateways. If yes, add another route for the gateway you purchased or add the
default route to a new route table that you will associate with the gateway.

• Subnet:

▫ This is the subnet where the public NAT gateway is deployed.

▫ The subnet must have at least one available IP address.

▫ The selected subnet cannot be changed after the public NAT gateway is
created.

• Type:

▫ The type can be Small, Medium, Large, or Extra-large. You can click
Learn more on the page to view details about each type.
SNAT Rule Configuration
⚫ If your servers are in a VPC and need to access the Internet, select VPC.
⚫ If your on-premises servers that reach a VPC over a Direct Connect or VPN
connection need to access the Internet, select Direct Connect/Cloud Connect.

• Scenario:

▫ After the public NAT gateway is created, add SNAT rules to enable your
cloud or on-premises servers to access the Internet by sharing an EIP.

▫ Each SNAT rule is configured for one subnet. If there are multiple subnets
in a VPC, you can create several SNAT rules to allow them to share EIPs.

• Elastic IP:

▫ This is the EIP used for accessing the Internet.

▫ You can select only an EIP that is not bound to any resource, an EIP that is
bound to a DNAT rule whose Port Type is not set to All ports, or an EIP
that is bound to an SNAT rule of the current NAT gateway.

▫ You can select multiple EIPs at once. Up to 20 EIPs can be selected for each
SNAT rule. If you have selected multiple EIPs for an SNAT rule, an EIP will
be chosen from your selection at random.
DNAT Rule Configuration
⚫ VPC: A DNAT rule allows servers in a VPC to share an EIP and provide services
accessible from the Internet.
⚫ Direct Connect/Cloud Connect: A DNAT rule allows servers in an on-premises data
center connected to a VPC through Direct Connect or Cloud Connect to provide
services accessible from the Internet.

• Scenario:
▫ After a public NAT gateway is created, you can add DNAT rules to allow
servers in your VPC to provide services accessible from the Internet.
▫ You can configure a DNAT rule for each port on a server. If multiple servers
need to provide services accessible from the Internet, create multiple DNAT
rules.
• Outside Port:
▫ This is the port bound to the EIP. This parameter is available if you select
Specific port for Port Type. Ports 1 to 65535 can all be selected.
• Inside Port:
▫ This is the port of the server that provides services accessible from the
Internet using the DNAT rule. This parameter is available if you select
Specific port for Port Type. The value ranges from 1 to 65535.
• Port Type:
▫ Specific port: The NAT gateway forwards requests to your servers only
from the outside port and to the inside port configured here, and only if
they use the right protocol.
▫ All ports: This is effectively like having a regular EIP bound to your servers.
Any requests received by the gateway will be forwarded to your servers,
regardless of what port or protocol was used.
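As an added example (not the NAT Gateway service's own code), the following Python simulation applies SNAT and DNAT rules as these slides describe them: one SNAT rule per subnet with 1 to 20 EIPs, DNAT rules with a specific port or all ports, the restriction that an SNAT EIP cannot be shared with an all-ports DNAT rule, and a session table so that the translated port tells private hosts apart on return traffic. Addresses come from the SNAT/DNAT figure plus a second constructed EIP, 122.9.73.204; the port pool and session handling are simplifications.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class SnatRule:
    subnet: str        # one VPC subnet per SNAT rule
    eips: tuple        # 1 to 20 EIPs; one is chosen at random per session


@dataclass(frozen=True)
class DnatRule:
    eip: str
    inside_ip: str
    port_type: str = "specific"       # "specific" or "all"
    outside_port: Optional[int] = None
    inside_port: Optional[int] = None
    protocol: str = "tcp"


class PublicNatGateway:
    """Simulated public NAT gateway: SNAT for outbound, DNAT for inbound traffic."""

    def __init__(self, rng=None):
        self.snat_rules = []
        self.dnat_rules = []
        self.sessions = {}          # (EIP, translated port) -> (private IP, private port)
        self._next_port = 1024      # constructed port pool; a real gateway manages this
        self._rng = rng or random.Random()

    def add_snat_rule(self, rule):
        ipaddress.ip_network(rule.subnet)          # rejects a malformed CIDR block
        if not 1 <= len(rule.eips) <= 20:
            raise ValueError("an SNAT rule takes 1 to 20 EIPs")
        # An SNAT rule cannot share an EIP with a DNAT rule whose Port Type is All ports.
        for d in self.dnat_rules:
            if d.port_type == "all" and d.eip in rule.eips:
                raise ValueError(f"{d.eip} is already used by an all-ports DNAT rule")
        self.snat_rules.append(rule)

    def add_dnat_rule(self, rule):
        if rule.port_type == "specific":
            for port in (rule.outside_port, rule.inside_port):
                if port is None or not 1 <= port <= 65535:
                    raise ValueError("outside and inside ports must be in 1-65535")
        elif any(rule.eip in s.eips for s in self.snat_rules):
            raise ValueError(f"{rule.eip} is already used by an SNAT rule")
        self.dnat_rules.append(rule)

    def outbound(self, pkt):
        """SNAT: replace the private source with a shared EIP; the translated
        port is what tells the private hosts apart on the return path."""
        src = ipaddress.ip_address(pkt.src_ip)
        for rule in self.snat_rules:
            if src in ipaddress.ip_network(rule.subnet):
                eip = self._rng.choice(rule.eips)
                port = self._next_port
                self._next_port += 1
                self.sessions[(eip, port)] = (pkt.src_ip, pkt.src_port)
                return Packet(eip, port, pkt.dst_ip, pkt.dst_port, pkt.protocol)
        return None   # no SNAT rule covers the subnet: no Internet access

    def inbound(self, pkt):
        """Return traffic is mapped back through the session table; anything
        else is admitted only if a DNAT rule explicitly exposes it."""
        session = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if session:
            ip, port = session
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.protocol)
        for rule in self.dnat_rules:
            if rule.eip != pkt.dst_ip:
                continue
            if rule.port_type == "all":   # behaves like an EIP bound directly to the server
                return Packet(pkt.src_ip, pkt.src_port, rule.inside_ip, pkt.dst_port, pkt.protocol)
            if rule.protocol == pkt.protocol and rule.outside_port == pkt.dst_port:
                return Packet(pkt.src_ip, pkt.src_port, rule.inside_ip, rule.inside_port, pkt.protocol)
        return None   # dropped: private servers are not reachable by default


if __name__ == "__main__":
    gw = PublicNatGateway()
    gw.add_snat_rule(SnatRule("192.168.1.0/24", ("122.9.73.203",)))
    gw.add_dnat_rule(DnatRule("122.9.73.204", "192.168.1.11", outside_port=8080, inside_port=80))
    print(gw.outbound(Packet("192.168.1.11", 40000, "116.63.39.73", 443)))
    print(gw.inbound(Packet("116.63.39.73", 5000, "122.9.73.204", 8080)))
```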
Application Scenario - Using SNAT to Access the Public Network
(Public Network NAT)
⚫ When the ECSs in a VPC need to access the public network and a large number of requests are sent, the NAT
gateway can provide different numbers of connections to save EIP resources and prevent the ECS IP addresses from
being exposed to the public network. Based on the service plan, you can create multiple SNAT rules to share EIP
resources.

• Application scenarios of other public network NAT:

▫ If a large number of servers need to access the Internet securely, reliably,
and at a high speed, or provide services for the Internet, the SNAT or DNAT
function of the public network NAT gateway can be used.

▫ In the IT system, the bound EIP may be blocked by attacks. To improve
system reliability, you can add multiple EIPs when configuring an SNAT
rule. When one EIP is blocked by an attack, services using other EIPs can
keep running properly. If multiple EIPs are bound to the SNAT rule, the system
randomly selects an EIP to access the public network.

▫ When the performance of a single gateway reaches the bottleneck, for
example, the maximum number of connections supported by SNAT is 1
million or the maximum bandwidth conversion capability of 20 Gbit/s
cannot meet service requirements, you are advised to use multiple
gateways to expand the capacity horizontally. If you want to expand the
capacity of multiple gateways, you only need to associate the routing table
associated with the VPC subnet with the public network NAT gateway
instance.
Application Scenario - Using DNAT to Provide Services for Cloud
Hosts to the Public Network (Public Network NAT)
⚫ When the cloud hosts in a VPC need to provide services for the public network, the DNAT function of
the NAT gateway can be used.

• If the DNAT function is bound to an EIP, the NAT gateway forwards the requests
for accessing the EIP using the specified protocol and port to the specified port of
the target ECS instance. You can also configure an EIP for the ECS through IP
address mapping. Any request for accessing the EIP will be forwarded to the
target ECS instance. This feature enables multiple ECSs to share EIPs and
bandwidth, precisely controlling bandwidth resources.

• One DNAT rule is configured for a cloud host. If multiple cloud hosts need to
provide services for the public network, you can configure multiple DNAT rules to
share one or more EIP resources.
What Is DNS?
⚫ Domain Name Service (DNS) provides highly available and scalable authoritative
DNS services that translate domain names into IP addresses required for network
connection, reliably directing end users to your applications.

• DNS provides highly available and scalable authoritative DNS services that
translate domain names (such as www.example.com) into IP addresses (such as
192.1.2.3) required for network connection, allowing users to visit your website or
web application using your domain name.
DNS Resolution Services

[Figure: four resolution services: public domain name resolution, private domain
name resolution, reverse resolution, and intelligent resolution, in which China
Unicom users are directed to the China Unicom server and China Telecom users to
the China Telecom server.]

• Public domain name resolution: DNS translates domain names like
www.example.com to public IP addresses like 1.2.3.4, so that users can access
your website or web application over the Internet by entering your domain name
in the address box of their browser.
• Private domain name resolution: DNS translates domain names like ecs.com to
private IP addresses like 192.168.1.1 that are used in associated VPCs. With
private domain names, your ECSs can communicate with each other within the
VPCs without having to connect to the Internet. You can also access cloud
services, such as OBS and SMN, over a private network.
• Reverse resolution: DNS obtains a domain name based on an IP address. Reverse
resolution, or reverse DNS lookup, is typically used to affirm the credibility of
email servers. After a recipient server receives an email, it checks whether the IP
address and domain name of the sender server are trustworthy and determines
whether the email is spam. If the recipient server cannot obtain the domain
name mapped to the IP address of the sender server, it concludes that the email
was sent by a malicious host and rejects it. It is necessary to configure pointer
records (PTR) to point the IP addresses of your email servers to domain names. If
no PTR records are configured, the recipient server will treat emails from the
email server as spam or malicious and discard them. If you want to build an
email server, it is necessary to configure a PTR record to map the email server's
IP address to your domain name.
• Intelligent resolution: DNS allows you to configure resolution lines. With these
resolution lines, you can specify the DNS server that returns different resolution
results for the same domain name based on the networks or geographic
locations of visitors' IP addresses. For example, if the visitor is a China Unicom
user, the DNS server will return an IP address of China Unicom. With this function,
you can improve DNS resolution efficiency and speed up cross-network access.
You can also create more fine-grained resolution lines based on source IP
addresses.
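To make the four resolution services concrete, here is an added Python example (not Huawei's DNS implementation) with constructed zones: a public zone with a line-specific answer for China Unicom visitors, a private zone visible only from an associated VPC, and a reverse zone whose PTR records drive the mail-server check described above. The forward-confirmation step in that check is common practice added here, not stated on the slide; hosts use the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RecordSet:
    name: str               # fully qualified name without the trailing dot
    rtype: str              # "A" or "PTR"
    values: tuple
    line: str = "default"   # resolution line: "default", "unicom", "telecom", ...


class Zone:
    def __init__(self, name, private=False, vpcs=()):
        self.name = name
        self.private = private    # a private zone answers only its associated VPCs
        self.vpcs = set(vpcs)
        self.records = []

    def add(self, *record_sets):
        self.records.extend(record_sets)
        return self

    def covers(self, name):
        return name == self.name or name.endswith("." + self.name)


class Resolver:
    def __init__(self, zones):
        self.zones = zones

    def resolve(self, name, rtype="A", line="default", vpc=None):
        """Return the values for name/rtype, or () if nothing answers."""
        for zone in self.zones:
            if not zone.covers(name) or (zone.private and vpc not in zone.vpcs):
                continue
            matches = [r for r in zone.records if r.name == name and r.rtype == rtype]
            # Intelligent resolution: answer from the visitor's line when one is
            # configured, otherwise fall back to the default line.
            for wanted in (line, "default"):
                hits = [r for r in matches if r.line == wanted]
                if hits:
                    return hits[0].values
        return ()

    def reverse(self, ip):
        """Reverse resolution: IP address -> domain names via a PTR record."""
        return self.resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR")


def sender_is_trusted(resolver, ip):
    """Receiving-mail-server check: the sender IP needs a PTR record, and the
    returned name is forward-confirmed to map back to the same IP (the forward
    confirmation is an added step, not spelled out on the slide)."""
    names = resolver.reverse(ip)
    return any(ip in resolver.resolve(name) for name in names)


def build_sample_resolver():
    """Constructed zones using documentation address ranges (not real hosts)."""
    public = Zone("example.com").add(
        RecordSet("www.example.com", "A", ("198.51.100.10",)),
        RecordSet("www.example.com", "A", ("203.0.113.10",), line="unicom"),
        RecordSet("mail.example.com", "A", ("198.51.100.20",)),
    )
    private = Zone("ecs.com", private=True, vpcs=("vpc-1",)).add(
        RecordSet("db.ecs.com", "A", ("192.168.1.1",)),
    )
    reverse = Zone("100.51.198.in-addr.arpa").add(
        RecordSet("20.100.51.198.in-addr.arpa", "PTR", ("mail.example.com",)),
        # 198.51.100.30 has a PTR record, but its name does not point back to it
        RecordSet("30.100.51.198.in-addr.arpa", "PTR", ("www.example.com",)),
    )
    return Resolver([public, private, reverse])


if __name__ == "__main__":
    r = build_sample_resolver()
    print(r.resolve("www.example.com", line="unicom"), r.resolve("www.example.com", line="telecom"))
    print(r.resolve("db.ecs.com", vpc="vpc-1"), r.resolve("db.ecs.com", vpc="vpc-2"))
    print(sender_is_trusted(r, "198.51.100.20"), sender_is_trusted(r, "198.51.100.30"))
```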
What Are DC and CC?
⚫ Direct Connect allows you to establish a stable, high-speed, low-latency, secure
dedicated network connection that connects your on-premises data center to Huawei
Cloud. Direct Connect allows you to maximize legacy IT facilities and leverage cloud
services to build a flexible, scalable hybrid cloud computing environment.
⚫ Cloud Connect allows you to connect Virtual Private Clouds (VPCs) in different regions
to allow instances in these VPCs to communicate over a private network as if they
were within the same network.

• In Direct Connect, a connection is an abstraction between a user's local data
center and a VPC on the cloud. A virtual interface is the entry for the local data
center to access the VPC. After the VGW associates the virtual interface with the
VPC, the local data center can access the VPC. VGW is the access router of Direct
Connect.

• Differences Between Direct Connect and VPN

▫ Cost: VPN costs less than private lines and is easy to provision.

▫ Public network quality: VPN has higher latency, lower security than cloud
private lines, and lower service stability.

▫ Provisioning period: Direct Connect requires a longer deployment period than
VPN because it is limited by the deployment of Direct Connect and the line
resources of the carrier; the difference is about an order of magnitude. If both
parties have Internet resources, the VPN is basically ready to use: after
configuration and negotiation, the two parties can communicate with each
other.
• Application scenarios of the cloud connection:

▫ Cross-region VPC private network communication: When VPCs in multiple
regions on the cloud need to communicate with each other over a private
network, Cloud Connect can easily connect multiple VPCs across regions
based on your network plan, improving network topology flexibility. It also
provides secure and reliable private network communication for users.

▫ Interconnection between multiple data centers and VPCs in multiple
regions: When multiple local data centers need to communicate with VPCs
in multiple regions on the cloud, you can connect the local data centers to
the VPCs on the cloud through Direct Connect. Then, the cloud connection
is used to load the VPCs that need to communicate with each other and the
VGWs connected to the data center to implement private network
communication between the local data center and VPCs in multiple regions,
implementing multi-point full-frequency communication.
What's an Enterprise Router?
⚫ An enterprise router (ER) connects virtual private clouds (VPCs) and on-premises networks to build a
central hub network. It has high specifications, provides high bandwidth, and delivers high
performance. Enterprise routers use the Border Gateway Protocol (BGP) to learn, dynamically select, or
switch between routes, thereby ensuring the service continuity and significantly improving network
scalability and O&M efficiency.

• Enterprise routers have the following advantages:

• High Performance: Enterprise routers use exclusive resources and are deployed
in clusters to deliver the highest possible performance for workloads on large-
scale networks.
• High Availability: Enterprise routers can be deployed in multiple availability
zones to work in active-active or multi-active mode, thereby ensuring service
continuity and real-time seamless switchovers.
• Simplified Management: Enterprise routers can connect to multiple VPCs, Direct
Connect connections, or enterprise routers in different regions and route traffic
among them. The network topology is simpler and the network is easier to
manage and maintain. For cross-VPC communications, you only need to maintain
the route tables on the VPCs without requiring so many VPC peering connections.
For communications between VPCs and an on-premises data center, multiple
VPCs can connect to an enterprise router and then communicate with the data
center over a shared Direct Connect or VPN connection. You do not need to
establish Direct Connect or VPN connections between the data center and each
of the VPCs. Enterprise routers can automatically learn, update, and synchronize
routes, eliminating the need to manually configure or update routes whenever
the network topology changes.
• Seamless Failover Between Lines: Enterprise routers use the Border Gateway
Protocol (BGP) to select the best path from multiple lines working in load-
sharing or active/standby mode. If a single line fails, services can be failed over to
another functioning line within seconds to ensure service continuity.
Quiz
1. (Single choice) Which of the following is not a component of ELB?
A. Backend server group
B. Listener
C. Load balancer
D. NAT Gateway
2. (Single choice) Can resources in a subnet of one VPC communicate with those in
a subnet of another VPC in the same region?
A. Yes
B. No
C. Yes, they can communicate with each other by default
D. Yes, but VPN is required

Answers:
• 1. D
• 2. A
Summary

⚫ This chapter described basic network knowledge and common network
cloud services. After completing this course, you will be able to understand
the functions of networks as well as how network cloud services work and
where you can use these services. For example, a VPC is like the internal
network used by an enterprise, and applications can provide
Internet-accessible services using EIPs. Mastering these concepts can help you
better prepare for cloud migration of legacy systems.
Recommendations

⚫ Huawei Talent
 https://e.huawei.com/en/talent/cert/#/careerCert
⚫ Huawei Technical Support Website
 https://support.huaweicloud.com/intl/en-us/help-novicedocument.html
⚫ HUAWEI CLOUD Academy
 https://edu.huaweicloud.com/intl/en-us/

Acronyms and Abbreviations
⚫ ACL: access control list
⚫ AS: autonomous system
⚫ BGP: Border Gateway Protocol
⚫ CC: Cloud Connect
⚫ DHCP: Dynamic Host Configuration Protocol
⚫ DNAT: destination network address translation
⚫ DNS: Domain Name System/Domain Name Service
⚫ ECS: Elastic Cloud Server
⚫ EIP: Elastic IP
⚫ ELB: Elastic Load Balance
⚫ HTTP: Hypertext Transfer Protocol
⚫ HTTPS: Hypertext Transfer Protocol Secure
⚫ ICT: information and communications technology
⚫ IDC: Internet data center
⚫ IPsec: IP security
⚫ NAT: network address translation
⚫ SNAT: source network address translation
⚫ TCP: Transmission Control Protocol
⚫ UDP: User Datagram Protocol
⚫ VPC: Virtual Private Cloud
⚫ VPCEP: VPC Endpoint
⚫ VPN: Virtual Private Network
⚫ Web: World Wide Web (WWW)
Thank you.

Bring digital to every person, home, and organization for a fully connected,
intelligent world.

Copyright © 2023 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating
results, future product portfolio, new technology, etc. There are a number of
factors that could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements. Therefore, such
information is provided for reference purposes only and constitutes neither an
offer nor an acceptance. Huawei may change the information at any time without
notice.
Storage Cloud Services
Foreword

⚫ Data is everywhere. We use USB flash drives and cloud disks to store data,
and these devices are called storage devices. That is enough for most of us,
but what do you use if you are an enterprise? In today's age of cloud
computing, what are the most common storage cloud services?
⚫ In this section, we will cover some common storage services on HUAWEI
CLOUD.

Objectives

⚫ On completion of this course, you will be able to:
 Acquire a basic understanding of cloud storage.
 Understand the principles behind and uses of common storage services on
HUAWEI CLOUD.
What is a storage cloud service?
• Storage refers to the process of storing data or information in a computer or other electronic device.
Storage can be temporary or long-term, such as keeping files on hard drives or cloud storage.
• A storage cloud service is a service that stores data on the Internet. It allows users to upload data to
remote servers over the Internet, and to access and manage that data anytime, anywhere. Cloud storage
is usually provided by cloud service providers and is used through a subscription. The benefits of cloud
storage include data backup and recovery, data sharing, data security, and reliability.

[Figure: evolution of storage media, from slate and clay slabs, sheepskin rolls, paper and papyrus to
hard disks, floppy disks, USB flash drives, and storage cloud services]

• Storage is an important part of a computer system. It not only stores data, but
also enables disaster recovery.
Contents

1. Elastic Volume Service
2. Object Storage Service
3. Scalable File Service
4. Cloud Backup and Recovery Service
Enterprise requirements for block storage

Requirements: high performance, high reliability, and high security.

Rich enterprise value-added features: shared disks, snapshots, disk backup, storage APIs, disaster
recovery service, disk encryption, capacity expansion, changing disk type, disk monitoring, and more.
What Is EVS?
⚫ Elastic Volume Service (EVS) offers scalable block storage for cloud servers. With high reliability, high
performance, and a variety of specifications, EVS disks can be used for distributed file systems,
development and test environments, data warehouses, and high-performance computing (HPC)
applications. Cloud servers that EVS supports include Elastic Cloud Servers (ECSs) and Bare Metal
Servers (BMSs).

• An EVS disk is similar to a hard disk on a PC. It must be attached to an ECS and
cannot be used independently. You can initialize attached EVS disks, create file
systems, and store data persistently on EVS disks.
EVS Features and Benefits

• A Variety of Specifications: EVS disks of various specifications are provided to meet the requirements
of different service scenarios. EVS provides various disk types to meet the service requirements of
different scenarios.
• Elastic Scalability: Supports on-demand, smooth capacity expansion without interrupting services.
The capacity of an EVS disk ranges from 10 GiB to 32 TiB.
• High Security and Reliability: Three copies of data ensure high data durability. Multiple protection
mechanisms such as encryption, backup, and snapshot are supported, and security protection can
prevent loss caused by application exceptions and data deletion by mistake.
• Real-Time Monitoring: On Cloud Eye, you can monitor the disk health and operating status at any
time, including the performance and health status of EVS disks.
Disk Types and Performance

Max. capacity (GiB), all disk types: system disk 1,024; data disk 32,768.

• Extreme SSD
  Max. IOPS (reference): 128,000
  Max. throughput (reference): 1,000 MiB/s
  Single-queue access latency (reference): sub-millisecond
  Typical workloads: database workloads (Oracle, SQL Server, ClickHouse), AI workloads
• General Purpose SSD V2
  Max. IOPS (reference): 128,000
  Max. throughput (reference): 1,000 MiB/s
  Single-queue access latency (reference): 1 ms
  Typical workloads: enterprise OA and virtual desktops, large-scale development and testing,
  transcoding services, system disks
• Ultra-high I/O
  Max. IOPS (reference): 50,000
  Max. throughput (reference): 350 MiB/s
  Single-queue access latency (reference): 1 ms
  Typical workloads: transcoding services, I/O-intensive workloads (NoSQL, Oracle, SQL Server,
  PostgreSQL)
• General Purpose SSD
  Max. IOPS (reference): 20,000
  Max. throughput (reference): 250 MiB/s
  Single-queue access latency (reference): 1 ms
  Typical workloads: enterprise OA, medium-scale development and test environments, small- and
  medium-sized databases, web applications, system disks
• High I/O
  Max. IOPS (reference): 5,000
  Max. throughput (reference): 150 MiB/s
  Single-queue access latency (reference): 1 ms to 3 ms
  Typical workloads: common development and test environments

Definitions:
• IOPS: number of read/write operations performed by an EVS disk per second.
• Throughput: amount of data read from and written into an EVS disk per second.
• Read/write I/O latency: minimum interval between two consecutive read/write operations on an EVS disk.
EVS Device Types
⚫ There are two EVS device types: Virtual Block Device (VBD) and Small Computer
System Interface (SCSI).
 VBD (Virtual Block Device): VBD is the default EVS device type. VBD EVS disks support only
basic read/write SCSI commands.
 SCSI (Small Computer System Interface): SCSI EVS disks support transparent SCSI command
transmission, and the cloud server OS can directly access the underlying storage media. Besides
basic read/write SCSI commands, SCSI EVS disks also support more advanced SCSI commands.

• The disk mode (device type) is configured when a disk is purchased and cannot be
changed after the disk is purchased.
Shared EVS Disks
⚫ Shared EVS disks are block storage devices that support
concurrent read/write operations and can be attached to
multiple servers. Shared EVS disks feature multiple
attachments, high concurrency, high performance, and
high reliability. They are usually used for enterprise
business-critical applications that require cluster
deployment for high availability (HA). Multiple servers
can access the same shared EVS disk at the same time.
⚫ You can create shared EVS disks with device type VBD
or SCSI.

• You must set up a shared file system or cluster management system before using
shared EVS disks. If you directly attach a disk to multiple servers, the sharing
function will not work and data may be overwritten.

• A shared EVS disk can be attached to a maximum of 16 servers. Servers that EVS
supports include ECSs and BMSs. To share files, you need to deploy a shared file
system or a cluster management system, such as Windows MSCS, Veritas VCS, or
CFS.
EVS Encryption
⚫ In case your services require encryption for the data stored on EVS disks, EVS provides you
with the encryption function. You can encrypt newly created EVS disks.
⚫ EVS uses the industry-standard XTS-AES-256 encryption algorithm and keys to encrypt EVS
disks.

• A security administrator (with the Security Administrator permission) can directly
authorize EVS to access Key Management Service (KMS) and use the encryption
function.

• When an encrypted disk is attached, EVS accesses KMS, and KMS sends the data
key (DK) to the memory of the host machine. EVS encrypted disks use the DK
plaintext in host memory to encrypt and decrypt disk I/Os. The DK plaintext is
used only in the memory of the host machine where the ECS instance is located
and is never stored in plaintext on the storage media.

• For a tenant, common users in the same region can directly use the encryption
function as long as the security administrator has successfully authorized EVS to
access KMS.

• When a common user (without the Security Administrator permission) uses the
encryption function, two cases are distinguished, depending on whether the
common user is the first user in the current region or project to use it:

▫ Yes: the common user is the first user in the current region or project to use
the encryption function, and must contact the security administrator for
authorization before using it.

▫ No: other users in the region or project have already used the encryption
function, and the common user can use it directly.
EVS Backup
⚫ If the data in an EVS disk is important, you can use the VBS backup function to back up the
existing data.
⚫ Cloud disk backup supports online backup without stopping the ECS. In addition, data can
be restored from a backup copy at any time to ensure data correctness and security.

• Configure a backup policy to automatically back up EVS disk data based on the
backup policy. Periodic backups are used as baseline data for creating EVS disks
or restoring data to EVS disks.

• VBS backup data can be shared between users. You can use the shared backup
data to create EVS disks.
EVS Snapshot
⚫ An EVS snapshot is a complete copy or image of the disk data taken at a specific point in time.
Snapshots are used for disaster recovery. If anything happens, you can completely restore the disk data
to the state from when the snapshot was taken.
⚫ You can create snapshots to rapidly save the disk data at specified time points. In addition, you can use
snapshots to create new disks so that the created disks will contain the snapshot data in the beginning.

• The snapshot function helps address the following needs:

▫ Routine data backup: You can create snapshots for disks on a timely basis
and use snapshots to recover your data in case data loss or data
inconsistency occurs due to unintended operations, viruses, or attacks.

▫ Rapid data restoration: You can create one or more snapshots before an
application software upgrade or a service data migration. If an exception
occurs during the upgrade or migration, service data can be rapidly restored
to the time point when the snapshot was created.
Differences Between EVS Backups and EVS Snapshots
⚫ Both EVS backups and EVS snapshots provide redundancies for improved disk data reliability.

Backup
• Storage solution: Backups are stored in OBS, instead of disks. This ensures data restoration upon
disk damage or corruption.
• Data synchronization: A backup is a copy of a disk taken at a given point of time and is stored in a
different location. Automatic backup can be performed based on backup policies. Deleting a disk
will not delete its backups.
• DR range: A backup and its source disk reside in different AZs.
• Service recovery: To restore data and recover services, you can restore the backups to their original
disks or create new disks from the backups.

Snapshot
• Storage solution: Snapshots are stored on the same disk as the original data.
• Data synchronization: A snapshot is the state of a disk at a specific point in time and is stored on
the same disk. If the disk is deleted, all its snapshots will also be deleted.
• DR range: A snapshot and its source disk reside in the same AZ.
• Service recovery: You can use a snapshot to roll back its original disk or create a disk from the
snapshot.
EVS Three-Copy Redundancy
⚫ The backend storage system of EVS employs three-copy redundancy to guarantee data reliability. With
this mechanism, one piece of data is by default divided into multiple 1 MiB data blocks. Each data
block is saved in three copies, and these copies are stored on different nodes in the system according to
the distributed algorithms.
⚫ Three-copy redundancy has the following characteristics:
 The storage system saves the data copies on different disks of different servers across cabinets, ensuring that services
are not interrupted if a physical device fails.
 The storage system guarantees strong consistency between the data copies.

• The storage system ensures strong data consistency between the three copies of
data. For example, for block P1 on physical disk A of server A, the system backs
up its data as P1' on physical disk B of server B and as P1'' on physical disk C of
server C. P1, P1', and P1'' form three copies of the same data block. If the physical
disk where P1 is located is faulty, P1' and P1'' continue to provide storage
services, so services are not affected.

• When the storage system detects a hardware (server or physical disk) fault, it
automatically starts data repair. Because copies of data blocks are stored on
different nodes, data reconstruction starts on different nodes at the same time
during recovery. Only a small part of the data needs to be reconstructed on each
node, and multiple nodes work concurrently, which avoids the performance
bottleneck that arises when a single node rebuilds a large amount of data and
minimizes the impact on upper-layer services.
EVS Application Scenario
⚫ EVS disk encryption is used to improve Huawei's business security compliance.
 The VM cluster runs development and testing, OA, and database services. A bare metal cluster runs
a critical enterprise database.

[Figure: hybrid networking of a VM (ECS) cluster running DB, OA, and development workloads and a
BMS cluster running an enterprise-critical database; both use encrypted EVS disks with a dedicated
key from KMS]
Contents

1. Elastic Volume Service
2. Object Storage Service
3. Scalable File Service
4. Cloud Backup and Recovery Service
What Is Object Storage?
⚫ OBS is an object-based massive storage service. It provides data storage capabilities that are
easy to expand, secure, reliable, and cost-effective.
⚫ OBS is a service oriented to Internet access. It provides HTTP/HTTPS-based web service
interfaces that users can access over the Internet anytime and anywhere.

[Figure: clients reach OBS through HTTP, S3 and Swift REST APIs; the system holds buckets, each
containing objects]

Features:
• Flattened structure and data isolation between tenants.
• Users can create buckets (like folders), upload or download objects, and share data by forwarding
links.

• OBS is suitable for storing files of any type. It is generally used in large-scale data
storage scenarios, such as massive Internet content (videos, pictures, photos, books,
audio and video, magazines, etc.), web disks, digital media, backup, and archiving.
Object Storage Service
⚫ Object Storage Service (OBS) is a scalable service that provides secure, reliable, and cost-effective cloud
storage for massive amounts of data.
⚫ OBS basically consists of buckets and objects.
 Buckets are containers for storing objects. OBS provides flat storage in the form of buckets and objects. Unlike
the conventional multi-layer directory structure of file systems, all objects in a bucket are stored at the same
logical layer.
 Objects are basic units stored in OBS. An object contains both data and the metadata that describes data
attributes. Data uploaded to OBS is stored in buckets as objects.

• An object consists of the following:

▫ A key that specifies the name of an object. An object key is a UTF-8 string
up to 1,024 characters long. Each object is uniquely identified by a key
within a bucket.

▫ Metadata that describes an object. The metadata is a set of key-value pairs
that are assigned to objects stored in OBS. There are two types of metadata:
system-defined metadata and custom metadata.

▪ System-defined metadata is automatically assigned by OBS for
processing objects. Such metadata includes Date, Content-Length,
Last-Modified, ETag, and more.

▪ You can specify custom metadata to describe the object when you
upload an object to OBS.

▫ Data that refers to the content of an object.

OBS Advantages

• Data durability and service continuity: five-level reliability architecture. OBS has passed the Trusted
Cloud Service (TRUCS) certification.
• Multi-level protection and authorization management.
• 100-billion level objects, 10-million level concurrency: intelligent scheduling and response, optimized
data access paths.
• Easy use and management: OBS provides standard REST APIs, SDKs in different programming
languages, and data migration tools for OBS.
• Tiered storage and on-demand use: both pay-per-use and yearly/monthly billing are available.

• Five-level reliability: Level 5, region (cross-region replication); Level 4, data center (multi-AZ);
Level 3, cabinets (cabinet redundancy); Level 2, servers (erasure code); Level 1, storage media
(detection of slow disks and bad sectors).

• Measures, including versioning, server-side encryption, URL validation, virtual
private cloud (VPC)-based network isolation, access log audit, and fine-grained
access control are provided to keep data secure and trusted.

• Online upgrade, online capacity expansion, and upgrade capacity expansion are
supported without customer perception.

• Independent metering and billing of the Standard, Infrequent Access, and Archive
storage classes are supported, reducing storage costs.
OBS Access Modes

• OBS Console: a web-based GUI for you to easily manage OBS resources. How to use: access the cloud
service console using a web page.
• OBS Browser+: a Windows client that lets you easily manage OBS resources from your desktop. How to
use: download OBS Browser+ and log in using the access key (AK/SK) or account and password.
• API: OBS offers the REST API for you to access it from web applications with ease. By making API calls,
you can upload and download data anytime, anywhere over the Internet. How to use: use the access
key (AK/SK) to perform operations.
• SDK: OBS SDKs encapsulate the REST API provided by OBS to simplify development. You can call API
functions provided by the OBS SDKs to enjoy OBS capabilities. How to use: set the access key (AK/SK)
and directly invoke the API functions provided by the SDK.
• obsutil: a command line tool for you to perform common configuration and management operations
on OBS. If you are comfortable using the command line interface (CLI), obsutil is recommended for
batch processing and automated tasks. How to use: download the obsutil tool, configure the server
address, and use the access key (AK/SK) for identity authentication.
• obsfs: an OBS tool based on Filesystem in Userspace (FUSE). It helps you mount parallel file systems to
Linux, so that you can easily access virtually unlimited storage space of OBS the same way as you would
use a regular local file system. How to use: download the obsfs tool, configure the server address, and
use the access key (AK/SK) for identity authentication.
Storage Classes
⚫ OBS offers the storage classes below to meet your requirements for storage performance and cost:
 Standard: The Standard storage class features low latency and high throughput. It is therefore good for storing
frequently (multiple times per month) accessed files or small files (less than 1 MB). Its application scenarios include big
data analytics, mobile apps, hot videos, and social apps.
 Infrequent Access: The Infrequent Access storage class is for storing data that is infrequently (less than 12 times per
year) accessed, but when needed, the access has to be fast. It can be used for file synchronization, file sharing and many
other scenarios. This storage class has the same durability, low latency, and high throughput as the Standard storage
class, with a lower cost, but its availability is slightly lower than the Standard storage class.
 Archive: The Archive storage class is ideal for storing data that is rarely (once per year) accessed. Its application
scenarios include data archive and long-term backups. This storage class is secure, durable, and inexpensive, so it can be
used to replace tape libraries. To keep cost low, it may take hours to restore data from the Archive storage class.

Hot data: Standard (accessed multiple times per month). Warm data: Infrequent Access (accessed less
than 12 times per year). Cold data: Archive (accessed once per year).
Versioning
⚫ OBS can store multiple versions of an object. You can quickly search for and restore different
versions or restore data in the event of accidental deletions or application faults.
⚫ By default, versioning is disabled for new OBS buckets. New objects will overwrite existing
objects in case they have the same names.
⚫ With versioning enabled, OBS automatically allocates a unique version ID to a newly uploaded
object. When an object with the same name as an existing object is uploaded again, both
objects are stored in OBS with the same name but different version IDs.
Cross-Region Replication
⚫ Cross-region replication provides the capability for disaster recovery across regions, allowing
you to set up a remote backup solution.
⚫ Cross-region replication refers to the process of automatically and asynchronously replicating
data from a bucket (source bucket) to another bucket (destination bucket) across regions by
creating a cross-region replication rule. The source bucket and destination bucket must
belong to the same account. Replication across accounts is not supported.

Encryption
⚫ OBS allows you to configure default encryption for a bucket. After the configuration, objects
uploaded to this bucket are automatically encrypted using the specified key, making data
storage more secure.
⚫ You can choose SSE-KMS or SSE-OBS for encryption when creating a bucket (see Creating a
Bucket). You can also enable or disable encryption for a bucket after it is created.

Server-side encryption flow between the user, OBS, and KMS:
① Files uploaded to OBS 3.0 must be stored in server-side encryption mode and contain key information.
② OBS 3.0 requests the key from KMS.
③ OBS uses the keys to encrypt the data.
URL Validation
⚫ Some rogue sites may steal links from other sites to enrich their content without any costs.
Link stealing hurts the interests of the original websites and it is also a strain on their servers.
OBS provides URL validation to solve this problem.
⚫ Such authorization is controlled using a whitelist and a blacklist. For example, web1.site.com
can be whitelisted while web2.site.com is blacklisted.

• In HTTP, the Referer field allows websites and web servers to identify where
people are visiting them from. URL validation of OBS utilizes this Referer field.
The idea is that once you find that a request to your resource is not originated
from an authorized source (for example, a URL), you can have the request
blocked or redirected to a specific web page. This way, OBS prevents
unauthorized access to data stored in buckets.
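The Referer check described above, as an added example that is not OBS code: it parses the Referer header into a host (rather than substring-matching the raw header), applies a blacklist and a wildcard whitelist, and treats a missing or unparsable Referer as a separate configurable case. The hostnames, log lines and the precedence rule (blacklist checked before whitelist) are constructed assumptions, not OBS documentation.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed bucket settings: hostnames are illustrative, not real sites.
WHITELIST = ["web1.site.com", "*.cdn.site.com"]
BLACKLIST = ["web2.site.com"]
ALLOW_EMPTY_REFERER = False  # requests carrying no Referer (e.g. typed-in URLs) are blocked


def referer_host(referer):
    """Lower-cased host named by a Referer header, or None if absent or unparsable.
    Parsing with urlsplit means userinfo before '@', port, path and letter case cannot
    make a request look like it came from an authorized site."""
    if not referer:
        return None
    try:
        return urlsplit(referer.strip()).hostname  # .hostname is already lower-case
    except ValueError:
        return None


def decide(referer, whitelist=WHITELIST, blacklist=BLACKLIST, allow_empty=ALLOW_EMPTY_REFERER):
    """Return 'allow' or 'deny' for one request.
    Assumed precedence (a modelling choice): blacklist first, then whitelist;
    an empty whitelist means 'any host not blacklisted'."""
    host = referer_host(referer)
    if host is None:
        return "allow" if allow_empty else "deny"
    if any(fnmatch.fnmatchcase(host, pat) for pat in blacklist):
        return "deny"
    if whitelist and not any(fnmatch.fnmatchcase(host, pat) for pat in whitelist):
        return "deny"
    return "allow"


def audit(log_lines):
    """Apply the policy to constructed access-log lines ('<object> <referer or ->')
    and return per-object decisions plus the number of blocked requests."""
    decisions = {}
    for line in log_lines:
        obj, referer = line.split(" ", 1)
        decisions[obj] = decide(None if referer == "-" else referer)
    return decisions, sum(1 for d in decisions.values() if d == "deny")


# Constructed sample requests against the bucket: object key, then the Referer header.
SAMPLE_LOG = [
    "img/1.png https://web1.site.com/gallery",              # whitelisted origin -> allow
    "img/2.png https://web2.site.com/",                     # blacklisted origin -> deny
    "img/3.png https://WEB1.site.com:443/x",                # case and port do not matter -> allow
    "img/4.png https://static.cdn.site.com/",               # wildcard whitelist entry -> allow
    "img/5.png https://web1.site.com@web2.site.com/page",   # real host is after '@' -> deny
    "img/6.png https://web1.site.com.other.example/",       # look-alike suffix, not whitelisted -> deny
    "img/7.png -",                                          # no Referer at all -> deny
    "img/8.png not a url",                                  # unparsable Referer -> deny
]
```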
Permissions Control
⚫ By default, OBS resources (buckets and objects) are private. Only resource owners can access
their OBS resources. Without authorization, other users cannot access your OBS resources.
⚫ OBS provides multiple permission control mechanisms, including IAM permissions and
bucket policies.
 IAM permissions: IAM permissions define the actions that can be performed on your cloud
resources, and specify what actions are allowed or denied.
 Bucket policies: A bucket policy is attached to a bucket and the objects in the bucket. Bucket
owners can use bucket policies to grant IAM users or other accounts the permissions to operate
buckets and objects in the buckets.

• OBS permission control means to grant permissions to other accounts or IAM
users by editing access policies. For example, if you have a bucket, you can
authorize another IAM user to upload objects to your bucket. You can also open
buckets to the public, so that anyone can access your buckets over the Internet.
OBS offers multiple methods to help you to assign resource permissions to others.
Resource owners can formulate different permissions control policies based on
service requirements to ensure data security.

• Scenario:

▫ IAM permissions: controlling access to cloud resources as a whole under an
account; controlling access to all OBS buckets and objects under an
account.

▫ Bucket policies: granting other Huawei Cloud accounts the permissions to
access OBS resources; configuring bucket policies to grant IAM users
various access permissions to different buckets.
Bucket policies
⚫ A bucket owner can configure a bucket policy to manage access to the bucket.
⚫ Bucket policies centrally control access to buckets and objects based on a variety of request
elements, such as actions, principals, resources, and others (like IP addresses).

Bucket policy templates: Bucket read-only, Bucket read and write, Public Read, Public Read and
Write, Directory read-only, and Directory read and write.

• If the resource is set to *, the permission applies to all objects in a bucket. For
example, an account can create a policy to:

▫ Grant users the write permission for a specific bucket.

▫ Grant users in a specific network the write permission.
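How a policy built from those request elements is evaluated, as an added example that is not OBS code and does not reproduce the OBS policy grammar: resources are private by default, an Allow is scoped by principal, action, resource pattern and a source-IP condition, and an explicit Deny overrides any Allow. The bucket name, user ID, statement IDs and CIDRs are constructed.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy for a hypothetical bucket "example-bucket". The statement fields
# mirror the request elements named on the slide: effect, principal, action, resource,
# and a condition on the requester's IP address.
POLICY = {
    "Statement": [
        {   # grant one IAM user write access, but only from the corporate network
            "Sid": "WriteFromOfficeNet",
            "Effect": "Allow",
            "Principal": ["domain1:user-a"],
            "Action": ["PutObject", "DeleteObject"],
            "Resource": ["example-bucket/*"],
            "Condition": {"SourceIp": ["10.0.0.0/8"]},
        },
        {   # "Directory read-only" for everyone: anonymous reads under public/
            "Sid": "PublicReadDir",
            "Effect": "Allow",
            "Principal": ["*"],
            "Action": ["GetObject"],
            "Resource": ["example-bucket/public/*"],
        },
        {   # explicit deny wins over the broad Allow above, whoever the caller is
            "Sid": "ProtectSecrets",
            "Effect": "Deny",
            "Principal": ["*"],
            "Action": ["*"],
            "Resource": ["example-bucket/secret/*"],
        },
    ]
}


def _match_any(value, patterns):
    """Glob match; '*' covers every value, 'example-bucket/*' covers all its objects."""
    return any(fnmatchcase(value, p) for p in patterns)


def _ip_in(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def statement_applies(stmt, principal, action, resource, source_ip):
    """True only if every request element of the statement matches this request."""
    if not _match_any(principal, stmt["Principal"]):
        return False
    if not _match_any(action, stmt["Action"]):
        return False
    if not _match_any(resource, stmt["Resource"]):
        return False
    cidrs = stmt.get("Condition", {}).get("SourceIp")
    return _ip_in(source_ip, cidrs) if cidrs else True


def evaluate(policy, principal, action, resource, source_ip):
    """Return (allowed, reason). Default deny; an explicit Deny overrides any Allow."""
    allowed_by = None
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, principal, action, resource, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False, f"explicit deny by {stmt['Sid']}"
        allowed_by = allowed_by or stmt["Sid"]
    if allowed_by:
        return True, f"allowed by {allowed_by}"
    return False, "no matching Allow statement (resources are private by default)"
```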


Scenario: Backup and Archiving
⚫ OBS offers a highly reliable, inexpensive storage system featuring high concurrency and low latency. It
can hold massive amounts of data, meeting the archive needs for unstructured data of applications
and databases.

You can use the synchronization clients (such as OBS Browser+ and obsutil), Cloud Storage Gateway
(CSG), DES, or mainstream backup software to back up your on-premises data to OBS. OBS also
provides lifecycle rules to automatically transition objects between storage classes to save your money
on storage. You can restore data from OBS to a DR or test host on the cloud.
Scenario: Big Data Analytics
⚫ OBS enables inexpensive big data solutions that feature high performance with zero service
interruptions. It eliminates the need for capacity expansion. Such solutions are designed for scenarios
that involve mass data storage and analysis, query of historical data details, analysis of numerous
behavior logs, and statistical analysis of public transactions.

• You can migrate data to OBS with Data Express Service (DES), and then use
Huawei Cloud big data services like MapReduce Service (MRS) or open-source
computing frameworks such as Hadoop and Spark to analyze data stored in OBS.
Such analysis results will be returned to your programs or applications on Elastic
Cloud Servers (ECSs).
Contents

1. Elastic Volume Service
2. Object Storage Service
3. Scalable File Service
4. Cloud Backup and Recovery Service
What Is SFS
⚫ Scalable File Service (SFS) provides scalable, high-performance (NAS) file storage. With SFS,
you can enjoy shared file access spanning multiple Elastic Cloud Servers (ECSs), Bare Metal
Servers (BMSs), and containers created on Cloud Container Engine (CCE).
⚫ You can access SFS on the management console or via APIs by sending HTTPS requests.

SFS Basic Concepts

Common Internet File System Portable Operating System Interface

File
NFS CIFS POSIX
System

Network File System A file system provides users


with shared file storage service
through NFS

34 Huawei Confidential

• NFS: Network File System (NFS) is a distributed file system protocol that allows
different computers and operating systems to share data over a network. After
the NFS client is installed on multiple ECSs, mount the file system to implement
file sharing between ECSs. The NFS protocol is recommended for Linux clients.

• CIFS: Common Internet File System (CIFS) is a protocol used for network file
access. Using the CIFS protocol, network files can be shared between hosts
running Windows. The CIFS protocol is recommended for Windows clients.

• File System: A file system provides users with shared file storage service through
NFS. It is used for accessing network files remotely. After a user creates a mount
point on the management console, the file system can be mounted to multiple
servers and is accessible through the standard POSIX.

• POSIX: Portable Operating System Interface (POSIX) is a set of interrelated
standards specified by the Institute of Electrical and Electronics Engineers (IEEE) to
define the application programming interface (API) for software compatible with
variants of the UNIX operating system. POSIX is intended to achieve software
portability at the source code level.
SFS functions

• Compatible with NFSv3, SFS meets your demands in various system environments.
• Storage can be scaled up or down on demand to dynamically adapt to service changes without
interrupting application services.
• ECS instances can access file shares among AZs within the same region.
• A file system can be exclusively shared by ECSs within a designated VPC.
SFS advantages
⚫ Compared with traditional file sharing storage, SFS has the following advantages:
 File sharing: Servers in multiple availability zones (AZs) of the same region can access the same
file system concurrently and share files.
 Elastic scaling: Storage can be scaled up or down on demand to dynamically adapt to service
changes without interrupting applications.
 Superior performance and reliability: The service enables file system performance to increase as
capacity grows, and delivers high data durability to support rapid service growth.
 Seamless integration: SFS supports Network File System (NFS). With this standard protocol, a
broad range of mainstream applications can read and write data in the file system.
 Easy operation and low costs: In an intuitive graphical user interface (GUI), you can create and
manage file systems with ease. SFS slashes the cost as it is charged on a pay-per-use basis.
File System Types
⚫ SFS provides two types of file systems: SFS Capacity-Oriented and SFS Turbo. SFS Turbo is
classified into SFS Turbo Standard and SFS Turbo Performance.
⚫ SFS Capacity-Oriented
 Description: Powerful support for massive data and high-bandwidth applications.
 Highlights: Large capacity, high bandwidth, and low cost.
 Application scenarios: Cost-sensitive workloads that require large-capacity scalability, such as
media processing, file sharing, HPC, and data backup.
 Remarks: Not applicable to latency-sensitive services, such as massive small files and random
small I/Os. Only internal network access is supported; public network access is not supported.
SFS Capacity-Oriented file systems do not support CBR.
⚫ SFS Turbo
 Description: Supports massive small files, low latency, and high IOPS applications.
 Highlights: Low latency and tenant exclusive; large capacity and low cost.
 Application scenarios: Workloads dealing with massive small files, such as code storage, log
storage, web services, and virtual desktop; autonomous driving, AI generated content, and EDA in
chip design.
 Remarks: SFS Turbo file systems can be backed up using CBR. Off-cloud access is supported (via
VPN, Direct Connect, or other methods).
SFS configuration process

1. Create an SFS file system.
2. Mount the file system to a Linux or Windows host (ECS or BMS) in the same VPC as the file system.
Mounting an NFS File System to ECSs
⚫ After creating a file system, you need to mount the file system to servers so that they can
share the file system. CentOS mounting is used as an example:
 Log in to the ECS as user root and run the following command to install the NFS software package:
sudo yum -y install nfs-utils
 (Optional) Run the following command to check whether the domain name in the file system mount point can
be resolved. SFS Turbo file systems do not require domain name resolution:
nslookup <file system domain name>
 Run the following command to create a local path for mounting the file system:
mkdir <local path>
 Run the following command to mount the file system to an ECS that belongs to the same VPC as the file
system:
mount -t nfs -o vers=3,timeo=600,noresvport,nolock <mount point> <local path>
 Run the following command to view the mounted file system:
mount -l

• CIFS file systems cannot be mounted to Linux servers.

• An SFS Capacity-Oriented file system can use either NFS or CIFS. It cannot use
both protocols.

• In this section, ECSs are used as example servers. Operations on BMSs and
containers (CCE) are the same as those on ECSs.
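The mount procedure above is normally typed in by hand. The script below is an added example for this page (not Huawei tooling or SDK code): it builds the documented mount command, writes the matching /etc/fstab entry, and parses the output of mount -l to confirm the mount. The host:/export shape of the mount point, the extra nosuid,nodev options, and the sample mount -l output are assumptions of this example, not taken from the page. The hardening matters because NFSv3 with AUTH_SYS trusts the client's UID, so every server allowed through the VPC and security groups is effectively trusted by the share; nolock also means applications must coordinate concurrent writes themselves.

```python
"""Build, persist, and verify the SFS NFS mount from the steps above.

Added example for this training page, not Huawei tooling. Assumptions not
taken from the page: the mount point has the shape host:/export, the extra
options nosuid,nodev are a hardening choice of this example, and the
``mount -l`` sample used for offline checks is constructed.
"""
import re
import shlex
import subprocess
from typing import Dict, List

# Options given in the procedure: NFSv3, 60 s RPC timeout (timeo is in tenths
# of a second), no reserved source port, and no NLM lock daemon. nolock means
# applications sharing the file system must coordinate concurrent writes.
DOCUMENTED_OPTS = ["vers=3", "timeo=600", "noresvport", "nolock"]
# Assumed hardening: NFSv3 AUTH_SYS trusts the client's UID, so any server in
# the VPC can plant setuid binaries or device nodes on the share. Mounting
# nosuid,nodev stops this host from honouring them.
HARDENING_OPTS = ["nosuid", "nodev"]

MOUNT_POINT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<export>/[^\s,]*)$")


def parse_mount_point(mount_point: str) -> Dict[str, str]:
    """Accept only host:/export so a typo cannot turn into a mount of some
    other server's export."""
    m = MOUNT_POINT_RE.match(mount_point.strip())
    if not m:
        raise ValueError(f"not an NFS mount point: {mount_point!r}")
    return m.groupdict()


def build_mount_argv(mount_point: str, local_path: str, harden: bool = True) -> List[str]:
    """argv for the mount command in the procedure, with optional hardening."""
    parse_mount_point(mount_point)
    if not local_path.startswith("/"):
        raise ValueError("local path must be absolute")
    opts = DOCUMENTED_OPTS + (HARDENING_OPTS if harden else [])
    return ["mount", "-t", "nfs", "-o", ",".join(opts), mount_point.strip(), local_path]


def fstab_line(mount_point: str, local_path: str, harden: bool = True) -> str:
    """Matching /etc/fstab entry so the share is mounted again after a reboot.
    _netdev defers the mount until the network is up; 0 0 disables dump/fsck."""
    argv = build_mount_argv(mount_point, local_path, harden)
    return f"{argv[5]} {argv[6]} nfs {argv[4]},_netdev 0 0"


def is_mounted(mount_l_output: str, local_path: str) -> bool:
    """Parse ``mount -l`` output (``<src> on <dir> type <fstype> (<opts>)``) and
    report whether an NFS file system is mounted at local_path."""
    for line in mount_l_output.splitlines():
        parts = line.split()
        if (len(parts) >= 5 and parts[1] == "on" and parts[2] == local_path
                and parts[3] == "type" and parts[4].startswith("nfs")):
            return True
    return False


if __name__ == "__main__":
    mp, path = "sfs-nas1.example.com:/share-1234", "/mnt/sfs"   # constructed values
    print(" ".join(shlex.quote(a) for a in build_mount_argv(mp, path)))
    print(fstab_line(mp, path))
    try:   # only meaningful on an ECS inside the file system's VPC
        out = subprocess.run(["mount", "-l"], capture_output=True, text=True, check=False).stdout
        print("mounted:", is_mounted(out, path))
    except OSError as exc:
        print("mount -l not available here:", exc)
```

Run it on the ECS after the yum step; the printed command is the one from the procedure plus the two hardening options, and the fstab line keeps the share mounted across reboots. Pass harden=False to reproduce the page's command exactly.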
Mounting a CIFS File System to ECSs
⚫ After creating a file system, you need to mount the file system to ECSs so that they can share the file
system.
⚫ This section uses Windows Server 2012 as an example to
describe how to mount a CIFS file system.
 You have created a file system and have obtained the mount point
of the file system.
 At least one ECS that belongs to the same VPC as the file system
exists.
 The IP address of the DNS server for resolving the domain names of
the file systems has been configured on the ECSs. For details, see
Configuring DNS.
 You need to mount the file system as user Administrator. You cannot
switch to another user to mount the file system.

Data Protection
⚫ Encryption:
 SFS supports server-side encryption, which allows you to encrypt the data stored in SFS file systems.
When data is accessed, SFS automatically decrypts the data and then returns it to you.
 You can create a file system that is encrypted or not, but you cannot change the encryption settings
of an existing file system.

⚫ Backup:
 A backup is a complete copy of an SFS Turbo file system at a specific time. It records all
configuration data and service data at that time. For example, if a file system is faulty or encounters
a logical error (accidental deletion, hacker attacks, and virus infection), you can use data backups to
restore data quickly.

SFS vs OBS vs EVS
⚫ Concept
 SFS: on-demand, high-performance file storage that can be shared by multiple ECSs to store data.
 OBS: massive, secure, reliable, and cost-effective data storage for users of any type and size.
 EVS: scalable block storage with high reliability and high performance to meet various service
requirements.
⚫ Data storage logic
 SFS: stores files. Data is sorted and displayed in files and folders.
 OBS: stores objects. Files can be stored directly to OBS, and the files automatically generate
corresponding system metadata.
 EVS: stores binary data and cannot directly store files. To store files, you need to format the file
system first.
⚫ Access method
 SFS: file systems can be accessed only after being mounted to ECSs or BMSs through NFS or CIFS.
 OBS: buckets can be accessed through the Internet or Direct Connect; HTTP and HTTPS are used for
transmission.
 EVS: disks can be used and accessed from applications only after being attached to ECSs or BMSs
and initialized.
⚫ Capacity: SFS PB-scale; OBS EB-scale; EVS TB-scale.
⚫ Latency: SFS 3 to 10 ms; OBS 10 ms; EVS sub-millisecond.
⚫ Bandwidth: SFS GB/s; OBS TB/s; EVS MB/s.
⚫ Application scenarios
 SFS: gene sequencing, image rendering, media processing, file sharing, content management, and
web services.
 OBS: big data analysis, static website hosting, online video on demand (VoD), gene sequencing, and
intelligent video surveillance.
 EVS: industrial design, energy exploration, critical clustered applications, enterprise application
systems, and development and testing.
Scenario - File Sharing
⚫ SFS applies to scenarios where an enterprise has a large number of departments or employees that
need to share and access the same documents. The enterprise file storage hosted by SFS features high
reliability, low latency, and high bandwidth. Users do not need to care about the underlying hardware
infrastructure, avoiding the complexity of hardware deployment and maintenance.
[Figure: workspaces and ECSs in AZ-1, AZ-2, and AZ-3 of VPC-1 all access the same SFS file system.]
Scenario - video rendering
⚫ The high-bandwidth, large-capacity SFS file service meets the shared file storage requirements of
video editing, transcoding, synthesis, HD video, and 4K video on demand scenarios. It supports multi-
layer HD video editing and 4K video editing.
• Shared storage performance: The rendering cluster reads and writes rendering materials on the
shared storage at the same time. This is a high-bandwidth scenario, and the bandwidth of the shared
storage must be greater than 10 GB/s.
• Stable rendering performance of cloud hosts: Customers are charged based on the rendering
duration, so rendering performance must be stable and fluctuate only slightly between hosts so that
customers can trust the cloud host.
• Short batch operation time: The time for batch operations (for example, powering on 50 hosts,
creating 100 hosts, shutting down 50 hosts, or deleting 100 hosts) must be as short as possible to
reduce waiting time.
[Figure: an administration host delivers configuration to a rendering cluster of ECSs serving
customers A and B (a design agency); the cluster reads and writes materials on shared SFS storage.]
Contents

1. Elastic Volume Service

2. Object Storage Service

3. Scalable File Service

4. Cloud Backup and Recovery Service

What Is CBR
⚫ Cloud Backup and Recovery (CBR) enables you to easily back up Elastic Cloud Servers (ECSs),
Bare Metal Servers (BMSs), Elastic Volume Service (EVS) disks, SFS Turbo file systems, local
files and directories, and on-premises VMware virtual environments.
⚫ In case of a virus attack, accidental deletion, or software or hardware fault, you can use a
backup to restore data to any point at which a backup was taken.
CBR Architecture
⚫ A backup is a copy of a specific block of data.
⚫ CBR stores backups in vaults. Before creating a backup, you need to create at least one vault and associate the
resources you want to back up with the vault. Then the resources can be backed up to the associated vault.
⚫ There are backup policies and replication policies.
 A backup policy defines when you want to take a backup and for how long you would retain each backup.
 A replication policy defines when you want to replicate from backup vaults and for how long you would retain each replica.
Backup replicas are stored in replication vaults.
⚫ CBR involves backups, vaults, and policies.
Backup Options
⚫ CBR supports one-off backup and periodic backup.
 A one-off backup task is manually created and is executed only once.
 Periodic backup tasks are automatically executed based on a user-defined backup policy.


• You can also use the two backup options together if needed. For example, you
can associate resources with a vault and apply a backup policy to the vault to
execute periodic backup for all the resources in the vault. Additionally, you can
perform a one-off backup for the most important resources to enhance data
security.
Advantages

⚫ Reliable: CBR offers crash-consistent backup for multiple disks on a server and application-
consistent backup for database servers.
⚫ Efficient: Incremental forever backups shorten the time required for backup by 95%. With Instant
Restore, CBR offers an RPO of as low as 1 hour and an RTO of only several minutes.
⚫ Easy to Use: CBR is easier to use than conventional backup systems. You can complete backup in just
three steps, and no professional backup skills are required.
⚫ Secure: If the disks are encrypted, their backups are also encrypted to ensure data security. You can
also replicate backups across regions to implement remote disaster recovery.

• Recovery Point Objective (RPO) specifies the maximum acceptable period in which data might be
lost.

• Recovery Time Objective (RTO) specifies the maximum acceptable amount of time for restoring the
entire system after a disaster occurs.
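To make the policy and RPO definitions above concrete, the following added example (this page's author's material does not include it, and it is not CBR code) models a periodic backup policy and a replication policy, expires copies outside their retention window, and measures how much data an incident at a given time would lose when restoring from the local vault versus from the cross-region replica. The vault names, schedules, and incident time are constructed for the example.

```python
"""Retention and recovery-point arithmetic for backup and replication policies.

Added example for the CBR policy and RPO/RTO notes above; it is not CBR's own
logic. The vault names, schedules, and the incident time are constructed.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class Policy(NamedTuple):
    every: timedelta   # backup (or replication) interval
    retain: timedelta  # how long each copy is kept


class Backup(NamedTuple):
    vault: str
    taken: datetime


def schedule(policy: Policy, vault: str, start: datetime, end: datetime) -> List[Backup]:
    """Every copy a periodic policy produces from start to end inclusive."""
    copies, t = [], start
    while t <= end:
        copies.append(Backup(vault, t))
        t += policy.every
    return copies


def retained(copies: List[Backup], policy: Policy, now: datetime) -> List[Backup]:
    """Copies still inside the retention window; older ones have expired."""
    return [b for b in copies if now - b.taken <= policy.retain]


def worst_case_rpo(policy: Policy) -> timedelta:
    """Changes made right after one backup are lost if the resource fails right
    before the next, so the RPO a periodic policy can promise is its interval."""
    return policy.every


def restore_point(copies: List[Backup], incident: datetime) -> Optional[Backup]:
    """Most recent copy taken at or before the incident (the one you restore)."""
    candidates = [b for b in copies if b.taken <= incident]
    return max(candidates, key=lambda b: b.taken) if candidates else None


def demo() -> Tuple[int, int, int]:
    """Return (seconds of data lost restoring locally, seconds lost restoring
    from the replica vault, number of local copies still retained)."""
    backup_pol = Policy(every=timedelta(hours=1), retain=timedelta(days=7))
    repl_pol = Policy(every=timedelta(days=1), retain=timedelta(days=30))
    start, now = datetime(2023, 3, 1), datetime(2023, 3, 31)
    local = retained(schedule(backup_pol, "vault-region-a", start, now), backup_pol, now)
    remote = retained(schedule(repl_pol, "vault-region-b-replica", start, now), repl_pol, now)

    incident = datetime(2023, 3, 30, 14, 37)   # constructed deletion/ransomware event
    rp_local = restore_point(local, incident)
    # If region A is lost entirely, only the replica vault remains and the data
    # loss grows to the replication interval rather than the backup interval.
    rp_remote = restore_point(remote, incident)
    assert rp_local is not None and rp_remote is not None
    return (int((incident - rp_local.taken).total_seconds()),
            int((incident - rp_remote.taken).total_seconds()),
            len(local))


if __name__ == "__main__":
    print(demo())
```

The point the numbers make is that a replication policy has its own RPO: an hourly backup policy bounds local loss to an hour, but a daily replication policy means a region-wide failure can cost most of a day, so the replication interval has to be chosen against the disaster-recovery requirement, not only the backup interval.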
Scenarios: Data Backup and Restoration
⚫ You can use CBR to quickly restore data to the latest backup point if any of the following
incidents occur:
 Hacker or virus attacks
 Accidental deletion
 Application update errors
 System breakdown

Quiz

1. (True or false) Before attaching an EVS disk to an ECS, you must stop the ECS.
True

False

2. (Multiple-choice) Which of the following is not an OBS function?


A. Cross-region replication

B. Versioning

C. URL validation

D. Mounting in block storage mode


• False. You do not need to stop the ECS when attaching an EVS disk.

• D. Mounting in block storage mode is not an OBS function; block storage is provided by EVS
disks, which are attached to ECSs for use.
Summary

⚫ Where there is data, there is a need for data storage. After studying the
content presented here, you should have a clearer understanding of storage
types and of HUAWEI CLOUD storage services. As more and more enterprises
migrate to the cloud, understanding the positioning, principles, and usage of
the various storage services, for example, which storage services suit video
cloud and which are best for databases, helps you meet their storage
requirements.
More Information

Huawei iLearning
 https://e.huawei.com/cn/talent/cert/#/careerCert

HUAWEI CLOUD Help Center


 https://support.huaweicloud.com/help-novice.html

HUAWEI CLOUD Academy


 https://edu.huaweicloud.com/

Acronyms and Abbreviations
⚫ AK/SK: Access Key ID/Secret Access Key
⚫ API: Application Programming Interface
⚫ AZ: Availability Zone
⚫ BMS: Bare Metal Server
⚫ CAD/CAE: Computer Aided Design/Computer Aided Engineering
⚫ CIFS: Common Internet File System
⚫ DES: Data Express Service
⚫ DHCP: Dynamic Host Configuration Protocol
⚫ ECS: Elastic Cloud Server
⚫ EVS: Elastic Volume Service
⚫ HA: High Availability

Acronyms and Abbreviations
⚫ HPC: High Performance Computing
⚫ HTTP: Hypertext Transfer Protocol
⚫ HTTPS: Hypertext Transfer Protocol Secure (HTTP over TLS; SSL is its deprecated predecessor)
⚫ IAM: Identity and Access Management
⚫ IOPS: Input/Output Operations per Second
⚫ NAS: Network Attached Storage
⚫ NFS: Network File System
⚫ OBS: Object Storage Service
⚫ POSIX: Portable Operating System Interface
⚫ SCSI: Small Computer System Interface
⚫ SDK: Software Development Kit

Acronyms and Abbreviations
⚫ SFS: Scalable File Service
⚫ SSD: Solid-State Drive
⚫ VBD: Virtual Block Device
⚫ VPC: Virtual Private Cloud

Thank you. Bring digital to every person, home, and organization for a fully connected,
intelligent world.

Copyright© 2023 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without
limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results
and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes
neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI CLOUD O&M Basics
Foreword

⚫ HUAWEI CLOUD not only provides resource services to meet enterprise
needs to migrate their service systems to the cloud, but also ensures the
normal running of the service systems on the cloud to meet enterprise
governance requirements.
⚫ This section will help you understand HUAWEI CLOUD O&M.
Objectives

⚫ On completion of this course, you will be able to:
 Gain basic knowledge about O&M, monitoring, and auditing.
 Understand the positioning, principles, and usage of common governance
services on HUAWEI CLOUD.
Contents

1. O&M Basic Concepts and Principles

2. Identity and Access Management (IAM)

3. Simple Message Notification (SMN)

4. Cloud Eye Service (CES)

5. Log Tank Service (LTS)

6. Cloud Trace Service (CTS)

What Is O&M?
⚫ O&M refers to operations and maintenance. It includes monitoring and managing devices and service
systems to ensure services run normally. O&M also includes handling various problems and
summarizing maintenance experience to improve O&M efficiency and quality.
⚫ O&M is essentially the operations and maintenance of devices and services such as servers and
networks in each phase of their lifecycles, to achieve an optimum level of cost, stability, and efficiency.

• O&M focuses on various environments where the service system runs. It does not
focus on programming, but on the use and management of these system
platforms.

• In the ICT industry, those who perform O&M operations are typically referred to
as O&M engineers.
Responsibilities of O&M Personnel
⚫ O&M personnel are responsible for planning information, networks, and services based on
service requirements and ensuring the long-term stability and availability of services by using
various means, including but not limited to the following:
 Network monitoring
 System alarms
 Service scheduling
 Troubleshooting and upgrade

• O&M personnel stabilize the infrastructure, basic services, and online services that
the enterprise Internet services rely on, perform routine inspection to detect
potential risks, optimize the overall architecture to prevent common operation
failures, and connect multiple data centers to improve the DR capability of
services. By using technical means such as monitoring and log analysis, O&M
personnel can detect and respond to service faults in a timely manner to
minimize service interruption and meet enterprise availability requirements for
Internet services.

• To be an excellent O&M engineer, one needs to have comprehensive technical
knowledge and troubleshooting experience, and have a strong sense of
responsibility for their work.

• In the common organizational structure of the Internet industry, O&M,
development, and testing are basic technical positions. In terms of the phase,
development and testing personnel are engaged in the work before software or
services are launched, while O&M (except O&M development) personnel are
engaged in the work after the software or services are launched. O&M can be
further classified into IT operations, network O&M, service O&M, and O&M
development.
Era of Automated O&M
⚫ Traditional manual O&M is being gradually replaced by automated O&M platforms. Responsibilities of
O&M personnel and development personnel are converging. The concept of integrated O&M and
development (DevOps) is becoming more and more popular and is being used by most enterprises.

Traditional O&M
• Traditional O&M requires manual operations or processing.
• Because each problem needs to be handled manually, it takes some time to respond to and solve
the problem.
• Traditional O&M can be performed flexibly based on actual conditions, but human errors are prone
to occur.
• It takes a lot of manpower.

Automated O&M
• Manual operations are changed to automatic operations (by running scripts or using automatic
tools). When a fault occurs, it can be automatically detected and quickly responded to, reducing
the troubleshooting time and error rate and improving O&M efficiency.
• This ensures the consistency of operations and reduces the occurrence of human errors.
• It requires certain technical costs, but it can reduce labor costs and improve efficiency.

• After more than a decade of development, IT operations is now facing a new
direction: automation, which is an inevitable result of IT technology development.
Nowadays, the complexity of IT systems requires digital and automated O&M.
Automated O&M refers to the automation of daily and repeated work in IT
operations and the transformation from manual work to automation.
Automation is the sublimation of IT operations. IT operations automation is not
only a maintenance process, but also a management improvement process. It is
the highest level of IT operations and also the development trend in the future.

• DevOps is a group of processes, methods, and systems that are used to promote
communication, collaboration, and integration between development, technical
operation (O&M), and quality assurance (QA) departments. DevOps greatly
reduces the gap between O&M and development and the delivery time.
O&M Changes in the Cloud Era
⚫ The layers of the stack, from top to bottom: data, application, running environment, middleware,
OS, virtualization, server, storage, network, and data center.
⚫ Traditional O&M: every layer is managed by users.
⚫ IaaS: users manage the data, application, running environment, middleware, and OS; the cloud
service provider manages virtualization, servers, storage, network, and the data center.
⚫ PaaS: users manage the data and application; the cloud service provider manages the running
environment and every layer below it.
⚫ SaaS: every layer is managed by the cloud service provider.

• Compared with traditional O&M, cloud O&M greatly reduces the enterprise O&M
costs. The O&M management services provided on the public cloud enable users
to complete routine O&M at little or no cost. All these services are based on
automatic O&M technologies.
Common O&M Services on HUAWEI CLOUD
• Huawei Cloud shared security responsibility model.
[Figure: the shared security responsibility model, split between Huawei Cloud and the tenant as
described in the notes below.]

• Huawei Cloud: Ensure the security of cloud services and provide secure clouds.
Huawei Cloud's security responsibilities include ensuring the security of our IaaS,
PaaS, and SaaS services, as well as the physical environments of the Huawei
Cloud data centers where our IaaS, PaaS, and SaaS services operate. Huawei
Cloud is responsible for not only the security functions and performance of our
infrastructure, cloud services, and technologies, but also for the overall cloud
O&M security and, in the broader sense, the security and compliance of our
infrastructure and services.

• Tenant: Use the cloud securely. Tenants of Huawei Cloud are responsible for the
secure and effective management of the tenant-customized configurations of
cloud services including IaaS, PaaS, and SaaS. This includes but is not limited to
virtual networks, the OS of virtual machine hosts and guests, virtual firewalls, API
Gateway, advanced security services, all types of cloud services, tenant data,
identity accounts, and key management.
Contents

1. O&M Basic Concepts and Principles

2. Identity and Access Management (IAM)

3. Simple Message Notification (SMN)

4. Cloud Eye Service (CES)

5. Log Tank Service (LTS)

6. Cloud Trace Service (CTS)

What Is IAM?
⚫ Identity and Access Management (IAM) helps you manage your users and control
their access to HUAWEI CLOUD services and resources.
⚫ If you want to share resources with others but do not want to share your account
and password, you can create an IAM user.


• A typical enterprise has multiple IT administrators, each responsible for
managing different resources. It's more secure to not give every administrator
super administrator permissions. Thanks to HUAWEI CLOUD IAM, an enterprise
administrator can create multiple users with separate permissions.

• Credentials authenticate a user on the HUAWEI CLOUD console or APIs.
Credentials include a password and access keys. The enterprise administrator
manages both their own credentials and the credentials of IAM users they create.
IAM Permissions
⚫ IAM is a global service deployed for all regions. When you set the authorization scope to Global
services, users have permission to access IAM in all regions.
⚫ You can grant permissions by using roles and policies.
 Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job
responsibilities. Only a limited number of service-level roles are available for authorization. Cloud services
depend on each other. When you grant permissions using roles, you also need to attach any existing role
dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
 Policies: A fine-grained authorization strategy that defines permissions required to perform operations on
specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least
privilege access. For example, you can grant users only permission to manage ECSs of a certain type. A majority
of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions.
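The following added example (not part of the training material and not the IAM policy engine) shows what a least-privilege policy looks like in the Version 1.1 JSON layout that fine-grained policies use, evaluates single API actions against it, and lints it for wildcards that silently widen a role. The action names are illustrative, the matching rule follows the documented behaviour that an explicit Deny takes precedence over Allow and that unmatched actions are denied, and the Resource and Condition elements that real policies may carry are deliberately left out.

```python
"""Evaluate and lint a fine-grained IAM policy for least privilege.

Added example for the roles vs. policies discussion above; it is not the IAM
policy engine. The policy is constructed in the documented Version 1.1 JSON
layout; the action names are illustrative, the matching rule (explicit Deny
beats Allow, anything unmatched is denied) follows the IAM documentation, and
Resource and Condition elements are deliberately not evaluated here.
"""
import fnmatch
import json
from typing import Dict, List

# Constructed policy: an operator may view and start/stop ECSs. The explicit
# Deny keeps deletion off the table even if someone later adds a broader Allow.
POLICY_JSON = """
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:cloudServers:list", "ecs:cloudServers:get",
                "ecs:cloudServers:start", "ecs:cloudServers:stop"]},
    {"Effect": "Deny",
     "Action": ["ecs:cloudServers:delete"]}
  ]
}
"""


def load_policy(text: str) -> Dict:
    policy = json.loads(text)
    if policy.get("Version") != "1.1":
        raise ValueError("expected a Version 1.1 fine-grained policy")
    return policy


def _matches(pattern: str, action: str) -> bool:
    """Actions are service:resource:verb; '*' in a pattern matches any text."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: Dict, action: str) -> str:
    """Decision for one API action: 'Deny', 'Allow', or 'DefaultDeny'."""
    decision = "DefaultDeny"
    for stmt in policy.get("Statement", []):
        if any(_matches(p, action) for p in stmt.get("Action", [])):
            if stmt.get("Effect") == "Deny":
                return "Deny"          # an explicit Deny is final
            decision = "Allow"
    return decision


def lint(policy: Dict) -> List[str]:
    """Flag Allow statements that hand out more than a job needs."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in stmt.get("Action", []):
            service, _, rest = pattern.partition(":")
            if service == "*":
                findings.append(f"statement {i}: {pattern!r} grants every action on every service")
            elif rest.endswith("*"):
                findings.append(f"statement {i}: {pattern!r} uses a wildcard; list the verbs the job actually needs")
    return findings


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for action in ("ecs:cloudServers:list", "ecs:cloudServers:delete", "vpc:vpcs:create"):
        print(f"{action:26} -> {evaluate(policy, action)}")
    print("findings:", lint(policy) or "none")
    wide = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["ecs:*:*"]}]}
    print("findings (wide):", lint(wide))
```

Running the linter over the policies attached to each group before they are granted is a cheap way to catch the pattern the slide warns about: a role-style "*:*:*" or "ecs:*:*" grant that a fine-grained policy was supposed to replace.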

Agency
⚫ A trust relationship that you can establish between your account and another account or a cloud
service to delegate resource access.
 Account delegation: You can delegate another account to implement O&M on your resources based on
assigned permissions.
 Cloud service delegation: Huawei Cloud services interwork with each other, and some cloud services are
dependent on other services. You can create an agency to delegate a cloud service to access other services.


• You can delegate more professional, efficient accounts or other cloud services to
manage specific resources in your account.
Differences Between IAM Projects and Enterprise Projects
⚫ IAM projects group and physically isolate resources in the same region. Resources cannot be
transferred between IAM projects. They can only be deleted and then provisioned again.
⚫ Enterprise projects group and logically isolate resources. An enterprise project can contain resources
from multiple regions, and resources can be added to or removed from enterprise projects. Enterprise
projects can be used to grant permissions to use specific cloud resources.
[Figure: Region A holds IAM projects A-1 and A-2 under default project A, and Region B holds IAM
projects B-1 and B-2 under default project B; enterprise projects A and B span both regions, and
resources can be moved into and out of them.]

• Project: A region corresponds to a project. Default projects are defined to group
and physically isolate resources (including computing, storage, and network
resources) across regions. You can grant users permissions in a default project to
access all resources in the region associated with the project.

• Enterprise Project: Enterprise projects allow you to group and manage resources
across regions. Resources in enterprise projects are logically isolated from each
other. An enterprise project can contain resources of multiple regions, and you
can easily add resources to or remove resources from enterprise projects.
Refined Permissions Management
⚫ You can grant IAM users permissions to manage different resources in your account. As
shown in the following figure, you can grant Charlie permission to manage Virtual Private
Cloud (VPC) resources in project B, and only grant James permission to view VPC resources
in project B.

Federated Identity Authentication
⚫ Enterprises with their own identity authentication systems can access Huawei Cloud through single
sign-on (SSO), eliminating the need to create users on Huawei Cloud.
⚫ To do so, you create an identity provider (IdP) in IAM. The identity provider establishes a trust
relationship between your enterprise and Huawei Cloud, allowing employees to access Huawei Cloud
using their existing enterprise accounts.
Application Scenario - IAM
⚫ Assume that company A has purchased different resources on HUAWEI CLOUD, and has multiple
functional teams that need to use one or more types of resources. Company A can use IAM to
assign the permissions required for the O&M personnel to use resources.

Team / Policy / Functional permissions
 Resource O&M team / Tenant Administrator / Full permissions for all cloud services
 Accounting management team / BSS Administrator / Full permissions for Billing Center, Resource
Center, and My Account
 Resource monitoring team / Tenant Guest / Read-only permissions
 Computing O&M team / ECS FullAccess, CCE FullAccess, AutoScaling FullAccess / Full permissions for
ECS, CCE, AS
 Network O&M team / VPC FullAccess, EIP FullAccess, ELB FullAccess / Full permissions for VPC, EIP,
ELB
 Database O&M team / RDS FullAccess, DDS FullAccess / Full permissions for RDS, DDS
 Security O&M team / Anti-DDoS Administrator, CAD Administrator, KMS Administrator / Full
permissions for Anti-DDoS, DDoS, DEW
Contents

1. O&M Basic Concepts and Principles

2. Identity and Access Management (IAM)

3. Simple Message Notification (SMN)

4. Cloud Eye Service (CES)

5. Log Tank Service (LTS)

6. Cloud Trace Service (CTS)

What Is SMN?
⚫ Simple Message Notification (SMN) is a reliable and flexible large-scale message notification
service. It enables you to efficiently send messages to various endpoints, such as phone
numbers and email addresses.
⚫ SMN offers a publish/subscribe model to achieve one-to-multiple message subscriptions and
notifications in a variety of message types.
⚫ Multiple services can be integrated to meet service integration and automation requirements.
⚫ SMN pushes messages to different types of terminals and supports multiple protocols (SMS, email,
and HTTP/HTTPS).
[Figure: users and cloud services publish to SMN, which pushes messages to mobile and other
terminals.]
SMN Basic Concepts

⚫ Topic Management: A topic is a specified event to publish messages and subscribe to
notifications. It serves as a message sending channel, where publishers and subscribers can
interact with each other.
⚫ Subscriptions Management: To deliver messages published to a topic to endpoints, you must add
the subscription endpoints to the topic. Endpoints can be email addresses, phone numbers, and
HTTP/HTTPS URLs. After you add endpoints to the topic and the subscribers confirm the
subscription, they are able to receive messages published to the topic.
⚫ Message Template Management: Message templates contain fixed and changeable content and
can be used to create and send messages more quickly. When you use a template to publish a
message, you can specify values for different variables in the template.

• Topic Management: After a topic is created, the system generates a topic URN,
which uniquely identifies the topic and cannot be changed. The topic you created
is displayed in the topic list.

• Subscriptions Management: You can add multiple subscriptions to each topic.
After you add a subscription, SMN sends a confirmation message to the
subscription endpoint. The message contains a link for confirming the
subscription. The subscription confirmation link is valid within 48 hours. Confirm
the subscription on your mobile phone, mailbox, or other endpoints in time.

• Message Template Management: Message templates are identified by name, but
you can create different templates with the same name as long as they are
configured for different protocols. All template messages must include a Default
template or they cannot be sent out. The Default template is used anytime a
template has not been configured for a given protocol, but as long as there is a
template for the protocol, then any subscriber who selected that protocol when
they subscribed will receive a message using the corresponding template.
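The topic, subscription, and template concepts above fit in a small model. The code below is an added example for this page, not the SMN service or its SDK: it shows why an unconfirmed subscription receives nothing (otherwise anyone could point a topic at a third party's phone or mailbox), enforces the 48-hour validity of the confirmation link from the notes, and renders a message through the per-protocol template with the mandatory Default template as fallback. The token format, URN shape, endpoints, and alarm text are constructed here.

```python
"""Topic, subscription, and template model behind the SMN concepts above.

Added example for this page; it is not the SMN service or its SDK. The
48-hour confirmation window comes from the notes; the token format, URN
shape, and the sample topic and endpoints are constructed here.
"""
import secrets
from datetime import datetime, timedelta
from string import Template
from typing import Dict, List, Tuple

CONFIRM_VALIDITY = timedelta(hours=48)


class Topic:
    def __init__(self, name: str) -> None:
        self.name = name
        self.urn = f"urn:smn:example:{name}"            # assumed URN shape
        self.subs: Dict[str, dict] = {}                  # token -> subscription
        self.templates: Dict[str, Dict[str, str]] = {}   # name -> protocol -> body
        self.delivered: List[Tuple[str, str, str]] = []  # (protocol, endpoint, body)

    def subscribe(self, protocol: str, endpoint: str, now: datetime) -> str:
        """Register an endpoint. It receives nothing until whoever controls the
        endpoint confirms with the token; the token is unguessable so nobody else
        can confirm on its behalf and turn the topic into a spam source."""
        token = secrets.token_urlsafe(24)
        self.subs[token] = {"protocol": protocol, "endpoint": endpoint,
                            "confirmed": False, "issued": now}
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Honour a confirmation link only if it is known and not older than 48 h."""
        sub = self.subs.get(token)
        if sub is None or now - sub["issued"] > CONFIRM_VALIDITY:
            return False
        sub["confirmed"] = True
        return True

    def add_template(self, name: str, protocol: str, body: str) -> None:
        self.templates.setdefault(name, {})[protocol] = body

    def render(self, template: str, protocol: str, variables: Dict[str, str]) -> str:
        """Use the protocol-specific body if present, else the Default body, which
        every template must have. safe_substitute leaves unknown $vars in place."""
        bodies = self.templates[template]
        if "Default" not in bodies:
            raise ValueError(f"template {template!r} has no Default version")
        return Template(bodies.get(protocol, bodies["Default"])).safe_substitute(variables)

    def publish(self, template: str, variables: Dict[str, str]) -> int:
        """Deliver one published message to every confirmed subscriber."""
        count = 0
        for sub in self.subs.values():
            if not sub["confirmed"]:
                continue
            body = self.render(template, sub["protocol"], variables)
            self.delivered.append((sub["protocol"], sub["endpoint"], body))
            count += 1
        return count


def demo() -> Tuple[int, int, bool, List[Tuple[str, str, str]]]:
    """Walk through subscribe -> confirm -> publish with constructed endpoints."""
    t0 = datetime(2023, 1, 1, 9, 0)
    topic = Topic("ecs-alarms")
    topic.add_template("cpu", "Default", "Alarm on $server: CPU at $cpu%")
    topic.add_template("cpu", "sms", "$server CPU $cpu%")
    tok_mail = topic.subscribe("email", "ops@example.com", t0)
    tok_sms = topic.subscribe("sms", "+10000000000", t0)
    before = topic.publish("cpu", {"server": "ecs-01", "cpu": "97"})   # nobody confirmed yet
    topic.confirm(tok_mail, t0 + timedelta(hours=1))
    late = topic.confirm(tok_sms, t0 + timedelta(hours=49))             # link expired
    after = topic.publish("cpu", {"server": "ecs-01", "cpu": "97"})
    return before, after, late, topic.delivered


if __name__ == "__main__":
    print(demo())
```

The first publish delivers to nobody, the SMS subscriber who confirms after the window stays unconfirmed, and the single delivery uses the Default body because no email-specific template was defined.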
SMN Architecture
⚫ SMN involves two roles: publisher and subscriber.
 A publisher publishes messages to a topic, and SMN then delivers the messages to subscribers in
the topic.
 The subscribers can be email addresses, phone numbers, and URLs.
[Figure: cloud services such as CES, OBS, AS, and FunctionGraph publish to an SMN topic, which
delivers over email, SMS, HTTP(S), and FunctionGraph to subscribers such as email addresses,
phones, and URLs.]

• A topic is a collection of messages and a logical access point, through which the
publisher and the subscriber can interact with each other. Each topic has a
unique name. The topic creator can configure topic policies to grant other users
or cloud services permissions to perform certain operations to a topic, for
example, querying subscriptions or publishing messages.
SMN Advantages

⚫ Simplicity: SMN provides three basic APIs to create topics, add subscriptions, and publish messages, and can be quickly integrated with your services.
⚫ Stability and reliability: SMN stores messages in multiple data centers and supports transparent topic migration. If a message fails to deliver, SMN saves it in a message queue and tries to deliver it again. If one service node is faulty, your requests are automatically processed by another available node.
⚫ Multiple message types: You publish a message once, and SMN delivers it to endpoints in various message types.
⚫ Security: SMN isolates data based on topics and does not allow unauthorized users to access message queues, thereby protecting your service data.
Application Scenario - SMN
⚫ System notifications
 After events or alarms are triggered, SMN can send notifications to specified users by
email, SMS message, or HTTP/HTTPS message. For example, Cloud Trace Service (CTS)
detects key cloud service operations and uses SMN to notify you and other users.

⚫ Integrating with cloud services
 SMN can function as message middleware to directly connect cloud services, improving service efficiency. For example, Cloud Eye does not have to be integrated with Object Storage Service (OBS) for the two to interact. Instead, they can be connected through SMN, so faults in one service will not affect the other.

⚫ Off-peak traffic control
 If there is a discrepancy between the processing capabilities of the upstream and downstream systems, SMN can cache data to reduce downstream pressure, reduce breakdowns, enhance availability, and mitigate complexity in the system.
Contents

1. O&M Basic Concepts and Principles

2. Identity and Access Management (IAM)

3. Simple Message Notification (SMN)

4. Cloud Eye Service (CES)

5. Log Tank Service (LTS)

6. Cloud Trace Service (CTS)

What Is Cloud Eye
⚫ Cloud Eye is a multi-dimensional resource monitoring service. You can use Cloud Eye to
monitor resources, set alarm rules, identify resource exceptions, and quickly respond to
resource changes.

[Figure: Cloud Eye alarm states. A monitored resource moves between "insufficient data", "alarm generated", and "return to normal"; Cloud Eye notifies the user through SMN.]
Cloud Eye Architecture
⚫ Cloud Eye is a multi-dimensional resource monitoring service.
⚫ Cloud Eye monitors compute, storage, network, database, and security services, such as Elastic Cloud Server (ECS), cloud databases, cloud storage, cloud networking, and cloud security services, to meet enterprise requirements in different scenarios.

• Cloud Eye provides the following functions:

• Automatic monitoring: Monitoring starts automatically after you create
resources such as Elastic Cloud Servers (ECSs). On the Cloud Eye console, you can
view the service status and set alarm rules for these resources.

• Server monitoring: After you install the Agent (Telescope) on an ECS or Bare
Metal Server (BMS), you can collect ECS and BMS monitoring data at 60-second
granularity in real time. Cloud Eye provides 40 metrics, such as CPU,
memory, and disk metrics.

• Flexible alarm rule configuration: You can create alarm rules for multiple
resources at the same time. After you create an alarm rule, you can modify,
enable, disable, or delete it at any time.

• Real-time notification: You can enable Alarm Notification when creating alarm
rules. When the cloud service status changes and metrics reach the thresholds
specified in alarm rules, Cloud Eye notifies you by emails, or by sending messages
to server addresses, allowing you to monitor the cloud resource status and
changes in real time.

• Monitoring panel: The panel enables you to view cross-service and cross-
dimension monitoring data. It displays key metrics, providing an overview of the
service status and monitoring details that you can use for troubleshooting.

• Resource group: A resource group allows you to add and monitor correlated
resources and provides a collective health status for all resources that it contains.
Cloud Eye Advantages
⚫ Cloud Eye provides the following advantages: automatic provisioning, real-time monitoring, visualized monitoring, multiple notification types, batch creation of alarm rules, and free use.

• Automatic Provisioning: Cloud Eye is automatically provisioned for all users. You
can use the Cloud Eye console or APIs to view cloud service statuses and set
alarm rules.

• Reliable Real-time Monitoring: Raw data is reported to Cloud Eye in real time for
monitoring of cloud services. Alarms are generated and notifications are sent to
you in real time.

• Visualized Monitoring: You can create monitoring panels and graphs to compare
multiple metrics. The graphs automatically refresh to display the latest data.

• Multiple Notification Types: You can enable Alarm Notification when creating
alarm rules. When the metric reaches the threshold specified in an alarm rule,
Cloud Eye notifies you by emails, or by sending HTTP/HTTPS messages to an IP
address of your choice, allowing you to keep track of the statuses of cloud
services and enabling you to build smart alarm handling programs.

• Batch Creation of Alarm Rules: Alarm templates allow you to create alarm rules
in batches for multiple cloud services.
Monitoring Panels
⚫ Panels serve as custom monitoring platforms and allow you to view core metrics and
compare the performance data of different services.
⚫ After you create a panel, you can add graphs to the panel to monitor cloud services.


• Each panel supports up to 24 graphs. You can add up to 50 metrics to one graph.
Monitoring comparison between different services, dimensions, and metrics is
supported.
Server Monitoring
⚫ Server monitoring includes basic monitoring, process monitoring, and OS monitoring for servers.
 Basic monitoring covers metrics automatically reported by ECSs.
 OS monitoring provides proactive and fine-grained OS monitoring for ECSs or BMSs, and it requires the Agent
to be installed on all servers that will be monitored. OS monitoring supports metrics such as CPU usage and
memory usage (Linux).
 Process monitoring provides monitoring of active processes on hosts. By default, Cloud Eye collects CPU usage,
memory usage, and number of opened files of active processes.

Event Monitoring
⚫ In event monitoring, you can query system events that are automatically reported to Cloud
Eye and custom events reported to Cloud Eye through the API.
⚫ Events are key operations on cloud service resources that are stored and monitored by Cloud
Eye. You can view events to see operations performed by specific users on specific resources,
such as deleting or rebooting an ECS.

Cloud Service Monitoring
⚫ Cloud Eye provides multiple built-in metrics based on the attributes of each service.
After you enable a cloud service on the cloud platform, the system automatically
associates its metrics based on the service type. Monitoring these metrics helps
you accurately track the service running status.
Custom Monitoring
⚫ The Custom Monitoring page displays all custom metrics reported by you. You can use
simple API requests to report collected monitoring data of those metrics to Cloud Eye for
processing and display.

Alarm Function
⚫ Alarm rules allow you to monitor the performance of resources and their running status. You
can set alarm rules for key metrics of cloud services.
⚫ When the conditions in an alarm rule are met, Cloud Eye sends emails or SMS messages, or
sends HTTP/HTTPS messages, enabling you to quickly respond to resource changes.
⚫ Cloud Eye invokes SMN APIs to send notifications. This requires you to create a topic and
add subscriptions to this topic on the SMN console.


• If no alarm notification topic is created, alarm notifications will be sent to the
default email address of the login account.
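To make the alarm behaviour concrete (a threshold breached for several consecutive periods, a missing sample reported as insufficient data, one notification per state change rather than one per period), here is an added Python example. It is not Cloud Eye's implementation: the consecutive-period rule, the 60-second sample series and the notify callback standing in for an SMN publish are assumptions made for this example.

```python
"""Alarm-rule evaluation in the style of Cloud Eye (added example, not Huawei code).

Assumptions not stated on the page: one sample per monitoring period, a rule
fires after N consecutive breaching periods, a missing sample means
"insufficient data", and notifications go out only on state transitions.
"""
from dataclasses import dataclass
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass
class AlarmRule:
    metric: str
    threshold: float
    comparison: str = ">"     # "value <comparison> threshold" breaches the rule
    periods: int = 3          # consecutive breaching periods before ALARM

    def breached(self, value):
        return OPS[self.comparison](value, self.threshold)


class AlarmEvaluator:
    INSUFFICIENT, OK, ALARM = "INSUFFICIENT_DATA", "OK", "ALARM"

    def __init__(self, rule, notify):
        self.rule = rule
        self.notify = notify      # callable(metric, old_state, new_state, value); e.g. an SMN publish
        self.state = self.INSUFFICIENT
        self.streak = 0           # consecutive breaching periods seen so far

    def evaluate(self, value):
        """Feed one period's sample (None = no data) and return the resulting state."""
        if value is None:
            self.streak = 0
            new = self.INSUFFICIENT
        elif self.rule.breached(value):
            self.streak += 1
            already_alarming = self.state == self.ALARM
            new = self.ALARM if (already_alarming or self.streak >= self.rule.periods) else self.OK
        else:
            self.streak = 0
            new = self.OK
        if new != self.state:     # notify on transitions only, so a long outage is one message
            self.notify(self.rule.metric, self.state, new, value)
            self.state = new
        return self.state


def run(samples, rule=AlarmRule("cpu_util", 90.0, ">", 3)):
    """Evaluate a sample series; return (state per period, transitions that were notified)."""
    sent = []
    evaluator = AlarmEvaluator(rule, lambda m, old, new, v: sent.append((m, old, new, v)))
    states = [evaluator.evaluate(s) for s in samples]
    return states, sent


# Constructed CPU samples for one ECS, one value per 60-second period; None = agent silent.
SAMPLES = [30.0, 95.0, 96.0, 97.0, 98.0, 40.0, None, 50.0]

if __name__ == "__main__":
    for period, (sample, state) in enumerate(zip(SAMPLES, run(SAMPLES)[0])):
        print(period, sample, state)
```

Three periods above 90% are needed before the ALARM state is entered, so the short spike pattern 95, 96 on its own would not page anyone; the single missing sample is reported as insufficient data rather than silently treated as OK.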
Application Scenario – Cloud Eye
⚫ Crowdsourcing platforms, as knowledge worker sharing platforms, use the
Internet to allocate jobs and connect employers with service providers. Many
service providers provide customized solutions for enterprises, public
institutions, and individuals to transform ideas, wisdom, and skills into
business value and social value.
⚫ The core databases are deployed as database clusters on BMS clusters. Web servers
and API servers are deployed on ECSs. The web servers provide website search,
category, store, and transaction services, and the API servers are the basic
interfaces connecting services with the databases. The running status of the
BMSs and ECSs is critical to the entire service: CPU, memory, and disk usage
affect the overall service status. Therefore, use server monitoring and event
monitoring to monitor the running status of the ECSs and BMSs at all times.

• Services like VPC, NAT Gateway, and ELB provide basic network support. The
network status affects the connectivity between services. Therefore, you need to
use the cloud service monitoring function to monitor the running status of each
service system at any time.
What Is Log Tank Service?
⚫ Log Tank Service (LTS) enables you to collect logs from hosts and cloud services for
centralized management, and analyze large volumes of logs efficiently, securely, and in real
time.
⚫ LTS provides you with insights for optimizing the availability and performance of cloud
services and applications. It allows you to make faster data-driven decisions, perform device
O&M with ease, and analyze service trends.

• Real-time log ingestion: You can ingest logs from hosts and cloud services using
ICAgent, APIs, or SDKs.

• Log transfer: Log transfer is to create log copies in destination cloud services. You
can transfer logs to Object Storage Service (OBS), or Data Ingestion Service (DIS)
for long-term storage.
LTS Architecture
⚫ LTS collects logs from hosts and cloud services, and displays them on the LTS console in an
intuitive and orderly manner. You can transfer logs for long-term storage. Collected logs can be
quickly queried by keyword or fuzzy match. You can analyze real-time logs for security diagnosis
and analysis, or obtain operations statistics, such as cloud service visits and clicks.

LTS Basic Concepts

⚫ Log groups: A log group is the basic unit in LTS for log management. You can set the log retention duration for a log group.
⚫ Log streams: A log stream is the basic unit for reading and writing logs. You can create log streams in a log group for finer log management.
⚫ ICAgent: ICAgent is the log collection tool of LTS. Install ICAgent on a host from which you want to collect logs.

• Log groups: A log group is the basic unit for managing the logs that LTS collects
from hosts and cloud services. Log groups can be created in two ways: they are
created automatically when other services are connected to LTS, or you can
create one manually.

• Log streams: A log stream is the basic unit for reading and writing logs. You can
separate different types of logs (such as operation logs and access logs) into
different log streams for easier management. Sorting logs into different log
streams makes it easier to find specific logs when you need them. Up to 100 log
streams can be created in a log group.

• ICAgent: Before installing ICAgent, ensure that the time and time zone of your
local browser are consistent with those of the host.
Log Ingestion
⚫ LTS enables you to ingest logs from cloud services in real time using multiple means such as ICAgent,
APIs, or SDKs. Ingested logs are displayed on the LTS console in an intuitive and orderly manner. You
can query logs that you need quickly and with ease.
 Cloud service: LTS supports log ingestion from cloud services. Click a cloud service to configure access to it.
 Self-built software: Configure the paths of the host logs to be collected in a log stream.
 API: You can use LTS APIs to report logs to LTS.
 Other: You can use an agency to map the log stream of a delegator account to that of a delegated account.


• Self-built software: ICAgent will collect logs based on the ingestion configurations
and send the logs to LTS.
Host Management and Host Groups
⚫ Host groups allow you to configure host log ingestion efficiently. You can sort multiple hosts
to a host group and associate the host group with log ingestion configurations. The ingestion
configurations will be applied to all the hosts in the host group, saving you the trouble of
configuring the hosts individually.


• When there is a new host, simply add it to a host group and the host will
automatically inherit the log ingestion configurations associated with the host
group.

• You can also use host groups to modify the log collection paths for multiple
hosts at one go.
Log Search and View
⚫ Collected logs go through background processing and can then be viewed as raw logs or real-time logs, visualized, and searched with quick search.
⚫ You can view log groups on the log page and download logs.
⚫ With quick analysis, you can easily calculate the percentage of occurrences for specific fields in logs.
Log Structuring
⚫ Log data can be structured or unstructured. Structured data is quantitative data or can be defined by
unified data models. It has a fixed length and format. Unstructured data has no pre-defined data
models and cannot be fit into two-dimensional tables of databases.


• During log structuring, logs with fixed or similar formats are extracted from a log
stream based on your defined structuring method and irrelevant logs are filtered
out. You can then use SQL syntax to query and analyze the structured logs.
Log Alarms
⚫ LTS allows you to collect statistics on log keywords and set alarm rules to monitor them. By
checking the number of keyword occurrences in a specified period, you can have a real-time
view of the service running.
⚫ You can configure keyword alarm rules to query and monitor log data. When alarm rules are
met, alarms will be triggered. You can view the alarms on the LTS console.
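Log structuring (above) and keyword alarms can be shown together on constructed input. The Python below is an added example, not LTS code: the access-log format, the sample lines, the field names and the alarm windows are made up for it, and the predicate plays the part of the keyword in an LTS alarm rule. It also shows the quick-analysis percentage from the Log Search and View page.

```python
"""Log structuring, quick analysis and keyword alarms as LTS describes them.

Added example, not Huawei code or the LTS structuring engine. The log format,
the sample lines and the field names are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed web access log, not captured data. One line deliberately does not fit the model.
RAW_LOGS = """\
2024-03-01T10:00:01Z 203.0.113.7 POST /login 401 8ms
2024-03-01T10:00:02Z 203.0.113.7 POST /login 401 9ms
2024-03-01T10:00:03Z 198.51.100.4 GET /api/orders 500 120ms
2024-03-01T10:00:05Z 198.51.100.4 GET /api/orders 500 130ms
kernel: eth0 link up
2024-03-01T10:00:40Z 203.0.113.7 POST /login 401 7ms
2024-03-01T10:03:10Z 192.0.2.9 GET /health 200 1ms
"""

# Structuring method: a regex naming the fields we want in each record.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<latency_ms>\d+)ms$"
)


def structure(raw):
    """Turn matching lines into typed records; return (records, dropped_line_count)."""
    records, dropped = [], 0
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            dropped += 1          # irrelevant log line: filtered out, as LTS does
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["status"] = int(rec["status"])
        rec["latency_ms"] = int(rec["latency_ms"])
        records.append(rec)
    return records, dropped


def quick_analysis(records, fieldname):
    """Percentage of records per distinct value of a field (LTS 'quick analysis')."""
    counts = Counter(str(r[fieldname]) for r in records)
    total = sum(counts.values())
    return {value: round(100.0 * n / total, 1) for value, n in counts.items()}


def keyword_alarm(records, predicate, window_seconds, threshold):
    """Count matching records per fixed window; return (window_start_iso, count) where count >= threshold."""
    buckets = Counter()
    for r in records:
        if predicate(r):
            epoch = int(r["ts"].timestamp())
            buckets[epoch - epoch % window_seconds] += 1
    return [
        (datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), n)
        for start, n in sorted(buckets.items())
        if n >= threshold
    ]


def demo():
    records, dropped = structure(RAW_LOGS)
    return {
        "records": len(records),
        "dropped": dropped,
        "status_pct": quick_analysis(records, "status"),
        # two or more server errors inside one minute: something downstream is broken
        "server_errors": keyword_alarm(records, lambda r: r["status"] >= 500, 60, 2),
        # three or more failed logins inside one minute: brute-force indicator
        "login_failures": keyword_alarm(
            records, lambda r: r["path"] == "/login" and r["status"] == 401, 60, 3),
    }


if __name__ == "__main__":
    print(demo())
```

The unstructured kernel line is dropped instead of poisoning the statistics, and both alarm conditions fire for the 10:00 window because the thresholds are counted per fixed window, which is the "number of keyword occurrences in a specified period" the page describes.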

Log Transfer
⚫ Logs reported from hosts and cloud services are
retained in LTS for seven days by default. You
can set the retention period to be 1 to 365 days.
Retained logs are deleted once the retention
period is over. For long-term storage, you can
transfer logs to other cloud services.
⚫ You can transfer logs to OBS, DIS, or DMS
based on your service scenario.


• Log transfer refers to when logs are replicated to other cloud services. Retained
logs are deleted once the retention period is over, but the logs that have been
transferred to other services are not affected.

• Transferring Logs to OBS: OBS is suitable for long-term storage.

• Transferring Logs to DIS: DIS provides both log storage and big data analysis. DIS
can perform offline analysis and transmit large numbers of log files to the
cloud for backup, query, and machine learning. You can also use it for data
recovery and fault analysis after data loss or exceptions. In addition, many
small text files can be combined into large files before transfer to
improve data processing performance.

• Transferring Logs to DMS: You can use DMS APIs to process logs in real time.
Application Scenario – LTS
⚫ O&M logs of enterprise applications are distributed across different VMs, including application
run logs and middleware logs. The logs are scattered and large in scale, so a
centralized management platform for enterprise logs is needed.
⚫ Advantages:
◼ Fully managed: provides log collection, storage,
search, and dumping for multiple cloud services.
◼ Massive log management: 100 TB logs can be
accessed every day, and billions of logs can be
searched in seconds.
◼ High cost-effectiveness: Low maintenance costs
and on-demand charging, easily coping with
peak log traffic.

What Is Audit?
⚫ The log audit module is a core component of information security auditing and an important
part of the security risk management and control of the information systems of enterprises and
public institutions.
⚫ Auditing an enterprise's financial statements and actual operation ensures the authenticity,
legality, and efficiency of its financial revenue and expenditure, which keeps the enterprise
running healthily and promotes its long-term development. In the ICT industry, audits likewise
ensure the healthy operation of the entire information system.
⚫ Generally speaking, the audit of institutions, organizations, and enterprises is based on two
things: enterprise financial statements and actual operation.
What Is Cloud Trace Service?
⚫ Cloud Trace Service (CTS) is a log audit service for Huawei Cloud security. It allows
you to collect, store, and query resource operation records. You can use these
records to perform security analysis, track resource changes, audit compliance, and
locate faults.


• CTS provides the following functions:

▫ Trace recording: CTS records operations performed on the management
console or by calling APIs, as well as operations triggered by each
interconnected service.

▫ Trace query: Operation records of the last seven days can be queried on the
management console from multiple dimensions, such as the trace type,
trace source, resource type, filter, operator, and trace status.

▫ Trace transfer: Traces are transferred to Object Storage Service (OBS)
buckets on a regular basis for long-term storage. In this process, traces are
compressed into trace files by service.

▫ Trace file encryption: Trace files are encrypted using keys provided by Data
Encryption Workshop (DEW) during transfer.
CTS Advantages

Traditional audit:
• Traditional IT environments cannot systematically record operations and API calls in real time, such as server, database, and operating system violations.
• System configuration changes need to be manually collected by IT personnel.
• Traditional audit content is manually recorded and stored without multiple copies, so it is not suitable for long-term storage.

CTS:
• Real-time recording: quickly collects operation events, which can be viewed on the management console as soon as resource changes are complete.
• Entire records: records operations performed through the management console and open APIs, and internal operations triggered by the system.
• Reliable and low-cost: event files are periodically generated and stored for a long time (for example, dumped to OBS).
CTS Basic Concepts
⚫ Trackers: When you enable CTS for the first time, a management tracker named system is created automatically. You can also manually create multiple data trackers on the Tracker List page. The management tracker identifies and associates with all cloud services your tenant account is using, and records all operations of your tenant account.
⚫ Traces: Traces are operation logs of cloud service resources and are captured and stored by CTS. You can view traces to learn the details of operations performed on specific resources. There are two types of traces:
 Management traces: traces reported by cloud services.
 Data traces: traces of read and write operations reported by OBS.
⚫ Trace list: The trace list displays traces generated in the last seven days. These traces record operations on cloud service resources, including creation, modification, and deletion, but query operations are not recorded. There are two types of traces:
 Management traces: record details about creating, configuring, and deleting cloud service resources in your tenant account.
 Data traces: record operations on data in OBS buckets, such as data upload and download.
CTS security analysis
⚫ Each trace generated by CTS records the user, time, and IP address of an operation request.
You can perform security analysis and detect users' behavior patterns to determine whether
to configure Key Event Notification.

[Figure: security analysis flow. A user enables CTS in a region, configures an OBS bucket to store the traces, and configures Key Event Notifications; the logs in the bucket are analyzed (including analysis for malicious damage) and the result is sent as a message notification through SMN.]

• How security analysis works:

▫ Log in to the system as a user and enable CTS. CTS records all operation
logs of the account.

▫ Operation logs are stored in OBS buckets.

▫ An analysis system can download the logs from the buckets for analysis.

▫ The final result can be reported to the SMN service.


Resource Change
⚫ Each trace generated by CTS records a resource change and change results. You can
collect statistics on resource usage and perform backtracking operations based on
these records.
Flow: Enable CTS → Configure key event notification → Configure an OBS bucket → View trace details.
1. All change operations are recorded by CTS.
2. Configure key event notification for key operations.
3. All operations in your account are stored permanently.
4. Query resource change details by viewing traces.

• The working principle of resource change is as follows:

▫ All change operations performed by users on cloud services have been


recorded by the audit service.

▫ You can also configure key operation message notifications to obtain the
latest service status in a timely manner.

▫ All changes under the account will be stored for a long time.

▫ Users can query detailed information about resource changes based on logs.
Fault Locating
⚫ Traces generated by CTS record the cause of a fault. You can easily rectify the fault
based on the cause. For example, you may delete a system disk when expanding an
ECS, causing an expansion failure.

1. Changes or operations in your account cause a fault.
2. All operations are recorded by CTS.
3. Query the impact results by resource name.
4. Obtain detailed information, including who performed the operation and at what time.
5. Rectify the fault.

• Working principle of fault locating:

▫ Users perform changes or misoperations under their own accounts that


may cause related faults.

▫ The audit service records all these operations.

▫ In this case, you can search for the resource name to query the impact
result.

▫ Users can obtain detailed information, including the operator and specific
time.

▫ Users can correct the incorrect operation based on the information.


Application Scenario - Using CTS to Monitor Resources
⚫ With CTS, you can record operations performed by public cloud accounts on cloud service
resources and their results in real time.
 You can create a CTS trigger in FunctionGraph to obtain subscribed resource operation information,
use user-defined functions to analyze and process the resource operation information, and generate
alarm logs.
 SMN sends alarms to service personnel through SMS messages and emails.

⚫ Case:
 With CTS, you can quickly analyze logs and filter logs based on specified IP addresses.
 FunctionGraph, based on a serverless architecture, provides data processing, analysis, event
triggering, and elastic scaling, with no O&M and pay-per-use billing.
 Provides log and alarm functions together with SMN.

• CTS mines data in audit logs for service health analysis, risk analysis, resource
tracing, and cost analysis. It also opens audit data to customers so that they can
explore data value.

• CTS allows you to set search criteria to accurately search for operations and
details when an issue occurs, reducing the time and labor costs for detecting,
locating, and resolving the issue.
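The security-analysis and fault-locating flows above, and the FunctionGraph case in this scenario, come down to reading trace records and asking two questions: which operations deserve a notification, and what happened to a resource just before an operation on it failed. The Python below is an added example, not CTS or FunctionGraph code: the trace records are constructed, and the field names (user, source_ip, trace_name, resource_name, status) and the list of key operations are assumptions made for this example; the real CTS trace schema may differ.

```python
"""Security analysis and fault locating over CTS-style traces.

Added example, not Huawei code. The trace records are constructed and the
field names are assumed for this example; CTS's real trace schema may differ.
"""
from collections import Counter

# Constructed traces: what a CTS trigger, or a download from the OBS bucket, would hand us.
TRACES = [
    {"time": "2024-03-01T09:00:00Z", "user": "alice", "source_ip": "203.0.113.10", "service": "ECS",
     "trace_name": "createServer", "resource_name": "web-01", "status": "normal"},
    {"time": "2024-03-01T09:05:00Z", "user": "alice", "source_ip": "203.0.113.10", "service": "ECS",
     "trace_name": "resizeServer", "resource_name": "web-01", "status": "normal"},
    {"time": "2024-03-01T09:06:00Z", "user": "alice", "source_ip": "203.0.113.10", "service": "EVS",
     "trace_name": "deleteVolume", "resource_name": "web-01-sys", "status": "normal"},
    {"time": "2024-03-01T09:07:00Z", "user": "alice", "source_ip": "203.0.113.10", "service": "ECS",
     "trace_name": "resizeServer", "resource_name": "web-01", "status": "error"},
    {"time": "2024-03-01T23:40:00Z", "user": "bob", "source_ip": "198.51.100.77", "service": "IAM",
     "trace_name": "createAccessKey", "resource_name": "bob", "status": "normal"},
    {"time": "2024-03-01T23:41:00Z", "user": "bob", "source_ip": "198.51.100.77", "service": "OBS",
     "trace_name": "deleteBucket", "resource_name": "audit-logs", "status": "normal"},
]

# Operations treated as key events worth a notification (assumed list for this example).
KEY_OPERATIONS = {"deleteVolume", "deleteBucket", "deleteServer", "createAccessKey"}


def baseline_ips(traces):
    """Source IP each user normally works from: the most common IP per user in the history."""
    per_user = {}
    for t in traces:
        per_user.setdefault(t["user"], Counter())[t["source_ip"]] += 1
    return {user: c.most_common(1)[0][0] for user, c in per_user.items()}


def security_findings(traces, known_ips, key_ops=KEY_OPERATIONS):
    """Flag key operations and operations from an IP the user has not been seen on before."""
    findings = []
    for t in traces:
        reasons = []
        if t["trace_name"] in key_ops:
            reasons.append("key operation")
        if t["source_ip"] != known_ips.get(t["user"]):
            reasons.append("unusual source IP")
        if reasons:
            findings.append((t["time"], t["user"], t["source_ip"], t["trace_name"], reasons))
    return findings


def locate_fault(traces, resource_name):
    """Fault locating: failed operations on a resource plus what happened to it right before."""
    history = [t for t in traces if t["resource_name"].startswith(resource_name)]
    report = []
    for i, t in enumerate(history):
        if t["status"] == "error":
            prior = history[i - 1] if i else None
            report.append({
                "failed": t["trace_name"], "at": t["time"], "by": t["user"],
                "preceded_by": (prior["trace_name"], prior["resource_name"]) if prior else None,
            })
    return report


def demo():
    # The baseline must come from traces you trust; here the first four serve as history.
    known = baseline_ips(TRACES[:4])          # alice -> 203.0.113.10; bob has no baseline
    return {"findings": security_findings(TRACES, known),
            "fault": locate_fault(TRACES, "web-01")}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print("finding:", f)
    print(result["fault"])
```

The fault report reproduces the page's own example: the failed resize of web-01 is preceded by the deletion of its system disk, with the operator and time attached. The findings list is what a FunctionGraph handler would hand to SMN; note that a user with no baseline (bob) is flagged on every operation, which is the conservative choice for an audit pipeline.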
Quiz

1. (True or false) Cloud Eye is a free cloud service.
True
False

2. (Multiple-choice) Which of the following are scenarios of CTS?
A. Resource tracking
B. Compliance auditing
C. Fault locating
D. Security analysis

• True. Cloud Eye is free. You can use Cloud Eye to monitor and manage your
purchased cloud services.

• ABCD
Summary

⚫ O&M services play an important role in ensuring that platforms are secure
and operate normally. We can use CTS to better manage platforms, and
use Cloud Eye to monitor platforms in real time. With LTS, we can obtain
logs in real time and evaluate and eliminate potential risks.

More Information

Huawei iLearning
 https://e.huawei.com/cn/talent/cert/#/careerCert

HUAWEI CLOUD Help Center
 https://support.huaweicloud.com/help-novice.html

HUAWEI CLOUD Academy
 https://edu.huaweicloud.com/
Acronyms and Abbreviations
⚫ API: Application Programming Interface
⚫ AZ: Availability Zone
⚫ AS: Auto Scaling
⚫ BMS: Bare Metal Server
⚫ BSS: Business Support System
⚫ CBR: Cloud Backup and Recovery
⚫ CTS: Cloud Trace Service
⚫ CES: Cloud Eye Service
⚫ CAD: Cloud Anti-DDoS
⚫ DES: Data Express Service
⚫ DSS: Dedicated Distributed Storage Service
Acronyms and Abbreviations
⚫ DHCP: Dynamic Host Configuration Protocol
⚫ ECS: Elastic Cloud Server
⚫ EVS: Elastic Volume Service
⚫ HA: High Availability
⚫ HTTP: Hypertext Transfer Protocol
⚫ HTTPS: Hypertext Transfer Protocol Secure (HTTP over TLS, originally SSL)
⚫ IAM: Identity and Access Management
⚫ IDP: Identity Provider
⚫ IOPS: Input/Output Operations Per Second
⚫ KMS: Key Management Service
⚫ LTS: Log Tank Service
Acronyms and Abbreviations
⚫ OBS: Object Storage Service
⚫ O&M: Operations and Maintenance
⚫ POSIX: Portable Operating System Interface
⚫ RTO: Recovery Time Objective
⚫ RPO: Recovery Point Objective
⚫ SDK: Software Development Kit
⚫ SFS: Scalable File Service
⚫ SSD: Solid-State Drive
⚫ SDRS: Storage Disaster Recovery Service
⚫ SP: Service Provider
⚫ SAML: Security Assertion Markup Language
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2023 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Database, Security, and other Services
Foreword

⚫ In addition to compute, storage, and networking services, enterprises need
database services, security services, Content Delivery Network (CDN), API
services, and EI services. These services help users quickly deploy services on
the cloud to meet the requirements of various service scenarios, simplify
service deployment, and facilitate O&M.
⚫ This chapter describes the database service, security service, CDN, API, and
EI services.
Objectives

⚫ On completion of this course, you will be able to:
 Understand the basic concepts.
 Understand the service positioning, principles, and functions.
Contents

1. Database Services
◼ Database Basics
 RDS for MySQL
 RDS for PostgreSQL
 GaussDB

2. Security Services

3. Content Delivery Network (CDN)

4. API Services

5. EI Services
Databases and Instances

⚫ Database: A database is a collection of files that contain data organized using a given model.
⚫ Instance: An instance contains a set of background processes and memory structures. It is the data management software that connects users and the operating system (OS).

[Figure: a "Level 2023 Student Information Database" holding student, teacher, and family head records.]

• We all know that data can be stored in multiple media formats, such as in
memory or saved to disks. In fact, a database is also a medium for storing data.

• To be more specific, a database stores electronic documents, and you can add,
intercept, update, and delete data in these documents.

• All operations on the data of databases, such as defining data, querying data,
maintaining data, and managing database operations, are performed through
database instances. Your applications interact with the databases only
through the instances.

• The smallest management unit of RDS is a database instance. A database
instance is an isolated database environment running in the cloud. You can use
RDS to create and manage database instances running various DB engines.
Database Types

⚫ Relational database: A relational database organizes data using a relational model and complies with the ACID characteristics. Data is stored in rows and columns. A user retrieves data from a database through a query, which is a type of command that qualifies certain areas of the database. A relational model can be simply understood as a two-dimensional table model, and a relational database is a way of organizing data consisting of two-dimensional tables and their relationships.
⚫ Non-relational database: A non-relational database is a data storage system that does not use the relational model and typically does not guarantee all of the ACID properties.

• ACID stands for atomicity, consistency, isolation, and durability.

▫ Atomicity: Atomicity is the guarantee that the series of database operations in
an atomic transaction will either all occur or none will occur. If an error
occurs during transaction execution, the transaction will be rolled back to
the state from before it was started.

▫ Consistency: A consistent transaction will not violate integrity constraints
placed on the data by the database rules. That is, executing a transaction
cannot destroy the integrity or consistency of database data.

▫ Isolation: Isolation means that concurrent transactions behave as if they were executed
sequentially. It guarantees the individuality of each transaction and
prevents them from being affected by other transactions.

▫ Durability: Once a transaction is committed, it will remain in the system
even in the event of a system failure.
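Atomicity and consistency are easiest to see on a real database engine. The following Python uses the standard-library SQLite module and is an added example, not part of the page or of any Huawei service; the accounts table, the CHECK constraint and the transfer are constructed for it. The credit is deliberately applied before the debit so that the rollback has something to undo.

```python
"""Atomicity and consistency of a transaction, shown with SQLite (stdlib).

Added example, not from the page or any Huawei product. The accounts table and
the transfers are constructed for this example.
"""
import sqlite3


def open_db():
    conn = sqlite3.connect(":memory:")
    # Consistency: the CHECK constraint is an integrity rule no committed state may violate.
    conn.execute(
        "CREATE TABLE accounts (name TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 20)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move money in one transaction; return True on commit, False if rolled back."""
    try:
        with conn:   # BEGIN; COMMIT when the block ends; ROLLBACK if it raises
            # Credit first on purpose: if the debit then fails, the credit must vanish too.
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        # Atomicity: the CHECK failure on the debit rolled back the already-applied credit.
        return False


def balances(conn):
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def demo():
    conn = open_db()
    outcomes = [
        transfer(conn, "alice", "bob", 30),    # fits: commits
        transfer(conn, "bob", "alice", 500),   # bob would go negative: rolled back as a whole
    ]
    return outcomes, balances(conn)


if __name__ == "__main__":
    print(demo())   # ([True, False], {'alice': 70, 'bob': 50})
```

After the second transfer alice does not keep the 500 that was credited before the debit failed; that is the difference between a transaction and two independent statements. Isolation and durability are not shown here: an in-memory database has no second connection to race against and nothing survives the process.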
Differences Between Cloud and Other Database Solutions
⚫ On-premises databases: server procurement, hardware and operating system deployment; equipment room hosting fees; high DBA costs.
⚫ Databases built on ECSs: purchase and installation of database software; ECS rental fees; high DBA costs.
⚫ Cloud databases: no need to purchase or install any software or hardware; just pay for the databases; focus on architecture design and performance optimization.

• If customers want to build their own databases, they need to purchase hardware
such as database servers and switches. If the hardware is damaged or replaced,
the cost of repairing or replacing it is typically at least 30% of the project
budget. It costs at least 3,000 CNY per year to host 1U of cabinet space. If two
1U servers and a 1U intranet switch are required for the databases, the total
hosting fee would be 9,000 CNY (3,000 x 3) a year. The monthly salary of a
junior DBA engineer is at least 5,000 CNY. If building the databases occupies
30% of the engineer's workload, the yearly labor cost is 18,000 CNY (5,000 x 12
x 30%). The sunk cost of such a project is considerable. Open-source databases
come without vendor kernel optimization. To ensure database reliability,
customers also have to prepare backup resources, which means more money. Public
network traffic and domain name transfer are not free either.
• If customers want to deploy databases on ECSs, they need to purchase
primary/standby ECS instances. The physical devices are provided by the service
provider, so customers do not need to pay for an equipment room. They only need
to hire DBA engineers to operate and maintain the database services. Elastic
resources are provided, but open-source databases still come without vendor
kernel optimization, and backup is a separate cost, as is traffic over the
public network.
• Using cloud databases, customers only need to pay for the DB instances. The
service provider supplies the physical devices and maintains the databases at
its own cost. Resources are elastic and there is no charge for public network
traffic. Even the domain name generated for the DB instance is free, and regular
updates keep your instances on a current MySQL version.
HUAWEI CLOUD Database Portfolio
⚫ The open-source database services (RDS) are designed for small and medium
enterprises that want the ultimate in cost-effectiveness. GaussDB is a Huawei-
developed database that meets the high reliability and performance requirements
of governments and enterprises.

Relational database services:
• OLTP: GaussDB(for openGauss) and GaussDB(for MySQL) (Huawei-developed); RDS for
MySQL and RDS for PostgreSQL (open-source)
• OLAP: GaussDB(DWS)

Non-relational database services: GaussDB(for Mongo), DDS Community Edition,
GaussDB(for Cassandra), GaussDB(for Redis), and GaussDB(for Influx)

Database tools: Distributed Database Middleware (DDM), Data Replication Service
(DRS), Data Admin Service (DAS), and Database and Application Migration (UGO)

• Introduction to HUAWEI CLOUD database services:

▫ PostgreSQL is an object-relational database management system (ORDBMS)
derived from the POSTGRES package, version 4.2, written at the University of
California, Berkeley. Many of the leading POSTGRES concepts appeared in
commercial databases only much later.
▫ NoSQL refers to non-relational databases. Traditional relational databases are
unable to keep up with the ultra-large-scale processing and massive concurrent
SNS website requests involved with Internet Web 2.0 websites. NoSQL databases
are designed to address the challenges of handling the multiple data types
involved in large-scale data collections, especially where big data
applications are concerned. NoSQL databases come in a variety of types based on
different data models. The main types are key-value pair, wide column,
document, and graph.
▫ Distributed Database Middleware (DDM) works with the RDS service to remove a
single node's dependency on hardware, facilitate capacity expansion to address
data growth challenges, and ensure fast response to query requests. DDM
eliminates the bottlenecks in capacity and performance and ensures that
concurrent access is possible for a massive amount of data.
▫ Data Replication Service (DRS) is a stable, secure, and efficient cloud
service for online database migration and real-time database synchronization.
DRS simplifies data transmission between databases and reduces data transfer
costs.
▫ Data Admin Service (DAS) enables you to manage DB instances on a web-based
console, simplifying database management and improving efficiency and
security.
Architecture and Advantages of RDS
• RDS is a reliable and scalable cloud database service that is easy to manage.

Advantages
• Relax with High Availability and Durability
• More Flexibility and Lower Upfront Costs
• Optimized for Performance and Security
• Simple Deployment and Maintenance

9 Huawei Confidential

• Relax with High Availability and Durability:
▫ Ensure business continuity with quick failover to a standby instance and
automated data backups to a different availability zone.

• Simple Deployment and Maintenance:
▫ Launch a production-ready MySQL database in minutes. Eliminate time-consuming
operational tasks with automated patch updates, backups, monitoring, and
scaling.

• More Flexibility and Lower Upfront Costs:
▫ Cost-effective pricing, with no hardware investment needed. Fully utilize
storage with pay-per-use pricing, or save money with pre-allocated packages.

• Optimized for Performance and Security:
▫ Scale quickly to handle increasing concurrency and demand. Protect data with
end-to-end server security and data encryption.
Contents

1. Database Services
 Database Basics
◼ RDS for MySQL
 RDS for PostgreSQL
 GaussDB

2. Security Services

3. Content Delivery Network (CDN)

4. API Services

5. EI Services
RDS for MySQL
⚫ MySQL is one of the world's most popular open-source relational databases.
Together with Linux, Apache, and Perl/PHP/Python it forms the LAMP stack for
efficient web solutions.
⚫ RDS for MySQL is reliable, secure, scalable, inexpensive, and easy to manage.

[Figure: immediately ready for use, reliable, secure, open source, scalable,
easy to manage, inexpensive]

• RDS for MySQL includes a comprehensive performance monitoring system,
multi-level security protection measures, and a professional database
management platform that allow you to easily set up and scale up databases. On
the RDS for MySQL console, you can perform necessary tasks and no programming
is required. The console simplifies operations and reduces routine O&M
workloads, so you can stay focused on application and service development.

▫ It uses a stable architecture and supports a range of web applications. It is
also a cost-effective solution for small and medium enterprises.
▫ A web-based console is available for you to monitor a comprehensive range of
performance metrics.
▫ You can flexibly scale resources based on your service requirements but you
still pay only for what you use.
Advantages of RDS for MySQL

⚫ Performance: The Huawei enhanced MySQL kernel (HWSQL) provides 3 times higher
performance in high-concurrency scenarios.
⚫ Security: First in China to earn ISO/IEC 27034 and CSA STAR V4 certifications.
⚫ Availability: When a fault occurs, primary/standby switchover completes within
seconds for a lower RTO; automated backup and restoration; backups saved for up
to 2 years; no data lost.
⚫ Scaling: Scale instance specifications and storage in just minutes and view
monitoring metrics in real time.

• Huawei Cloud RDS presents a significant edge over traditional databases. With
RDS, you can deploy enterprise-grade MySQL databases without any worries
about setup, configuration, maintenance, backups, or uptime.
RDS for MySQL Features - Cross-AZ HA

[Figure: primary and standby instances deployed across AZs, with up to five read
replicas (Replica 1 to Replica 5)]

HA Functions
⚫ Cross-AZ HA supports switchover in seconds.
⚫ Up to 5 read replicas can be created for offloading read traffic.
⚫ Standby DB instances are invisible to users. Users access DB instances through
virtual IP addresses.
⚫ Read replicas cannot exist alone and must come with single or primary/standby
DB instances.

• Cross-AZ HA is an effective disaster recovery mechanism. When your database


services have high reliability requirements, you can deploy the primary and
standby databases across AZs to achieve AZ-level DR and ensure system
reliability.
RDS for MySQL Features - Read/Write Splitting

[Figure: applications send write and read requests to a unified read/write
splitting address (proxy); write requests go to the primary instance (with an HA
standby), read requests are distributed to the read replicas]

Functions
⚫ A single read/write splitting address is provided, transparent to applications.
⚫ Read-only permissions can be configured for each node.
⚫ Instance health checks are performed. If a DB instance breaks down or its
latency exceeds what is supported, read requests are no longer allocated to it.

Advantages
⚫ A single read/write splitting address is provided, and read/write splitting
does not require application reconstruction.
⚫ The read weight assigned to each read replica is configurable.

• Read/write splitting enables read and write requests to be automatically
routed through a read/write splitting address. You can enable read/write
splitting after read replicas are created. Write requests are automatically
routed to the primary DB instance and read requests are routed to read replicas
by user-defined weights.
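The routing decision the proxy makes, as an added example that is not Huawei's proxy implementation: writes go to the primary, reads are spread over replicas by weight, and replicas that fail the health check (down or lagging beyond a limit) drop out of the pool. The replica names, weights, the lag limit and the sample statements are constructed for illustration; the treatment of locking reads and of statements inside an explicit transaction is a common proxy convention, not something the page states about RDS.

```python
"""Read/write splitting as a proxy does it: writes go to the primary, reads are
spread over read replicas by weight, and replicas that are down or lagging are
skipped by the health check.

Added example, not Huawei's proxy implementation. Replica names, weights, the
lag limit and the sample statements are constructed for illustration.
"""
import random
import re
from collections import Counter
from dataclasses import dataclass, field

# Statements that are safe to serve from a replica.
READ_ONLY = re.compile(r"^\s*(SELECT|SHOW|EXPLAIN)\b", re.IGNORECASE)
# Reads that take row locks must see the primary, not a possibly stale replica.
LOCKING_READ = re.compile(r"\bFOR\s+(UPDATE|SHARE)\b|\bLOCK\s+IN\s+SHARE\s+MODE\b",
                          re.IGNORECASE)


@dataclass
class Replica:
    name: str
    weight: int               # read weight as configured on the console
    healthy: bool = True      # result of the last health check
    lag_seconds: float = 0.0  # replication delay behind the primary


@dataclass
class Router:
    primary: str
    replicas: list
    max_lag_seconds: float = 5.0  # assumed latency limit for the health check
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    def eligible(self) -> list:
        """Health check: drop replicas that are down, weightless or too far behind."""
        return [r for r in self.replicas
                if r.healthy and r.weight > 0 and r.lag_seconds <= self.max_lag_seconds]

    def route(self, sql: str, in_transaction: bool = False) -> str:
        """Name of the node the statement is forwarded to."""
        # Anything inside an explicit transaction stays on the primary so the
        # client sees its own writes; so do writes and locking reads.
        if in_transaction or not READ_ONLY.match(sql) or LOCKING_READ.search(sql):
            return self.primary
        pool = self.eligible()
        if not pool:
            return self.primary  # every replica unusable: degrade, do not fail
        # Weighted random pick: weight 3 receives about 3x the reads of weight 1.
        return self.rng.choices(pool, weights=[r.weight for r in pool], k=1)[0].name


def distribution(router: Router, sql: str, n: int) -> Counter:
    """Route the same statement n times and count where it went."""
    return Counter(router.route(sql) for _ in range(n))


if __name__ == "__main__":
    router = Router("primary", [Replica("replica-1", 3),
                                Replica("replica-2", 1),
                                Replica("replica-3", 1, lag_seconds=12.0)])  # lagging
    print(router.route("INSERT INTO orders VALUES (1)"))       # primary
    print(router.route("SELECT * FROM orders FOR UPDATE"))     # primary
    print(distribution(router, "SELECT * FROM orders", 1000))  # ~750 / ~250, none to replica-3
```

Note the degrade path: when no replica passes the health check the proxy sends reads to the primary rather than failing them, which matches the page's point that a broken-down or high-latency instance simply stops receiving read traffic.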
RDS for MySQL Feature - Point-In-Time Recovery (PITR)

[Figure: full data backup + binlog backup. Automated backups are taken
periodically and the binlog is uploaded to OBS every 5 minutes; the latest
restorable time lies after the latest automated backup, at the latest binlog
backup]

Functions
⚫ Instance-level restoration in seconds is supported.
⚫ Automated backups can be configured to be saved for up to 732 days
(approximately 2 years).
⚫ You can restore data to any point in time at least 5 minutes ago, either to a
new DB instance or to the original DB instance.

Advantages
⚫ The backup retention period is up to 732 days.
⚫ RDS provides free backup space approximately equal to your purchased storage
space.

• You can use backups to restore data to any point in time. Binlog is a binary log
used to record MySQL DB table structure changes and table data changes.
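The mechanism in one picture: take the latest full backup at or before the target time, then replay the archived binlog up to that time; anything newer than the last archived binlog chunk is not yet restorable, which is where the "at least 5 minutes ago" limit comes from. The following is an added example on constructed in-memory data, not RDS code; the "database" is a dict, the binlog is a list of set/delete events, and times are integer minutes.

```python
"""Point-in-time recovery as "latest full backup at or before the target time,
then replay the archived binlog up to the target time".

Added example with constructed in-memory data, not RDS code. Times are integer
minutes; the "database" is a dict; binlog events are set/delete operations.
"""
import copy
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Backup:
    time: int
    snapshot: dict  # full copy of the data at that time


@dataclass(frozen=True)
class BinlogEvent:
    time: int
    op: str                       # "set" or "delete"
    key: str
    value: Optional[int] = None


def apply_event(state: dict, event: BinlogEvent) -> None:
    """Replay one logged change onto the state."""
    if event.op == "set":
        state[event.key] = event.value
    elif event.op == "delete":
        state.pop(event.key, None)
    else:
        raise ValueError(f"unknown binlog op {event.op!r}")


def restore_to(backups, binlog, target_time, archived_until) -> dict:
    """Rebuild the database as it was at target_time.

    archived_until: time up to which the binlog has been uploaded to the backup
    store (the page says every 5 minutes, so the newest minutes are not yet
    restorable). Raises ValueError when the target is outside the restorable range.
    """
    if target_time > archived_until:
        raise ValueError("target time is newer than the archived binlog")
    candidates = [b for b in backups if b.time <= target_time]
    if not candidates:
        raise ValueError("no full backup at or before the target time")
    base = max(candidates, key=lambda b: b.time)
    state = copy.deepcopy(base.snapshot)
    # Replay only the changes made after the base backup and not after the target.
    for event in sorted(binlog, key=lambda e: e.time):
        if base.time < event.time <= target_time:
            apply_event(state, event)
    return state


# Constructed backup chain and binlog: an accidental delete happens at t=70.
BACKUPS = [Backup(0, {"a": 1, "b": 2}),
           Backup(60, {"a": 5, "b": 2, "c": 7})]
BINLOG = [BinlogEvent(10, "set", "a", 5),
          BinlogEvent(20, "set", "c", 7),
          BinlogEvent(70, "delete", "b"),
          BinlogEvent(80, "set", "a", 9)]
ARCHIVED_UNTIL = 85  # assumed: binlog archived up to t=85


if __name__ == "__main__":
    print(restore_to(BACKUPS, BINLOG, 30, ARCHIVED_UNTIL))  # {'a': 5, 'b': 2, 'c': 7}
    print(restore_to(BACKUPS, BINLOG, 65, ARCHIVED_UNTIL))  # same: just before the delete
    print(restore_to(BACKUPS, BINLOG, 75, ARCHIVED_UNTIL))  # {'a': 5, 'c': 7}
```

Restoring to t=65 is the recovery case that matters: it lands on the backup taken at t=60 and replays nothing, so the delete at t=70 is undone while the writes before the backup are kept.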
Application Scenarios of RDS for MySQL

[Figure: RDS for MySQL (high performance, high throughput, high availability)
serving users of other cloud vendors, fast-growing start-ups, Internet,
e-commerce and game enterprises, and IoT enterprises]

• RDS for MySQL is mainly used in the following scenarios:

▫ Users of public cloud platforms other than HUAWEI CLOUD generally use RDS for
MySQL.
▫ Start-ups choose RDS for MySQL in the early stages because they need a way to
support fast growth on a limited budget.
▫ MySQL is widely used by Internet, e-commerce, and game enterprises. When
migrating databases to the cloud, these enterprises choose RDS for MySQL.
▫ IoT applications tend to be very large scale and need to be extremely
reliable. RDS for MySQL is the first choice for IoT enterprises because it
allows a large number of concurrent connections and does not require customers
to reconstruct their applications.
Contents

1. Database Services
 Database Basics
 RDS for MySQL
◼ RDS for PostgreSQL
 GaussDB

2. Security Services

3. Content Delivery Network (CDN)

4. API Services

5. EI Services
What Is RDS for PostgreSQL?
⚫ RDS for PostgreSQL is a typical open-source relational database that excels in data reliability
and integrity. It supports Internet e-commerce, geographic location application systems,
financial insurance systems, complex data object processing, and other applications.


• PostgreSQL is based on Postgres, which was developed at the University of
California, Berkeley. After more than 30 years of development, PostgreSQL has
become one of the most powerful open-source databases in the world. It has
earned a reputation for reliability, stability, and data consistency, and has
become the preferred open-source relational database for many enterprises.

• PostgreSQL is an open-source object-relational database management system
focused on extensibility and standards compliance. It is known as the most
advanced open-source database. RDS for PostgreSQL is designed for
enterprise-oriented OLTP scenarios and supports NoSQL (JSON, XML, or hstore)
and GIS data types. It has earned a reputation for reliability and data
integrity, and is suitable for websites, location-based applications, and
complex data object processing.

• RDS for PostgreSQL supports the PostGIS plugin, which provides excellent
spatial performance.

• RDS for PostgreSQL is a cost-effective solution for a range of different
scenarios. You can flexibly scale resources based on service requirements and
you only pay for what you use.
RDS for PostgreSQL Features

1. Reliability, stability, data consistency, and integrity: always the most
important features for database products.
2. Diversified data types: Support for not only traditional data types, but also
binary large objects, arrays, spatial data types, network data types, JSON, and
XML, all of which can be customized.
3. Various third-party plugins: Geographic information, space, heterogeneous
database access, machine learning, text retrieval, image, time series,
multi-dimension, word segmentation, blockchain, column storage, and similarity
algorithms, all of which can be customized.
4. Open architecture: Support for functions, operators, indexes, and languages,
extending functions while maintaining kernel stability.
5. High security: Field encryption; permission control based on databases,
schemas, tables, and columns; identity authentication and certificates.
6. Excellent performance and abundant indexes: Query optimizers, parallel
computing, complex query optimization, hash aggregation, hash JOIN, subquery,
analysis query, function processing, and other analysis functions. Indexes:
B-tree, GiST, GIN, SP-GiST, Hash, BRIN, RUM, bloom, and bitmap.
7. Powerful concurrency control: Support for the four transaction isolation
levels defined in ANSI SQL-92.
RDS for PostgreSQL Features - High Availability

[Figure: App 1 and App 2 access a primary instance in AZ 1 with a standby in
AZ 2; on failover the standby takes over]

Benefits of the HA cluster architecture:
⚫ You can choose a failover policy to prioritize reliability or availability.
⚫ DB instances can be deployed in one AZ or across AZs and can automatically
fail over within a cluster.
⚫ You can manually switch a primary instance to standby to simulate a fault.
⚫ A read replica can automatically associate itself with a new primary node.
⚫ A switchover can be completed in seconds.
⚫ The standby database does not handle traffic. It only ensures the RTO.
⚫ A Huawei-developed HA Monitor module is used.
⚫ Virtual IP addresses can be switched completely invisibly to the applications.
⚫ Multiple primary/standby switchovers can be performed.
⚫ Automatic fault detection is provided.

• RTO stands for Recovery Time Objective. It is the length of time from when an
IT system breaks down and services stop to when the system recovers.
• HA Monitor is an HA monitoring module.

RDS for PostgreSQL Features - Point-In-Time Recovery (PITR)

[Figure: the application writes to RDS; full and incremental backups are
archived to OBS; data archived in OBS can be restored to any point in time]

⚫ Backup cycle: 7 to 732 days
⚫ Pay-per-use: Free EVS storage space equal to the requested storage, and
virtually limitlessly expandable
⚫ Reliability: Up to 11 nines of data reliability
⚫ Security encryption: KMS encryption and multiple protections

• RDS stands for Relational Database Service.
• EVS stands for Elastic Volume Service.
• OBS stands for Object Storage Service.

RDS for PostgreSQL Features - Enhanced Features
⚫ Read Replica
 Up to five read replicas can be added to an existing DB instance to offload
read-heavy database workloads.
⚫ Logical Replication Subscription
 All logical slots can be replicated from the primary instance to the standby
instance.
⚫ Scheduled Tasks
 Tasks can be run automatically during off-peak hours based on a schedule that
you control.
RDS for PostgreSQL Features - Multilayer Network Security
⚫ Network Isolation and Security Group:
 Leverage Virtual Private Cloud (VPC) to isolate tenant networks and security
group rules to control traffic to and from specific IP addresses and ports,
keeping your database safe.
⚫ SSL:
 Use TLS (SSL) to encrypt data in transit, protecting the confidentiality and
integrity of your data. Clients should also verify the server certificate;
encryption on its own does not prove which server they are talking to.
⚫ Audit:
 Use Cloud Trace Service (CTS) to record operations associated with RDS for
PostgreSQL for later query, audit, and backtracking.
⚫ Certifications:
 RDS for PostgreSQL has 15+ security certifications such as ISO 27001, CSA,
Trusted Cloud Service (TRUCS), and CCSP Level 3.
RDS for PostgreSQL Features - Support for 70+ Plugins
⚫ Multiple Types of Geospatial Data:
 Support PostGIS for 2D and 3D models, with space objects, indexes, operation
functions, and operators.
⚫ Time Series Data:
 Support the TimescaleDB time-series database plugin, partition tables, and
BRIN indexes.
⚫ Search Indexes:
 Provide a wide range of indexes, including function- and condition-based
indexes, for faster full-text search.
RDS for PostgreSQL Features - Professional Database O&M Platform
⚫ Instance Management:
 Manage your instances with ease using flexible console-based capabilities.
⚫ Real-Time Monitoring:
 View key operational metrics of your instances, including vCPU/storage
utilization, I/O activity, and instance connections, and define custom alarm
rules as needed.
⚫ Backup and Restoration:
 Restore data from backups to any point in time. Backups can be saved for up to
732 days.
⚫ Automated Failover:
 Maintain the uptime of your workloads with automated failover.
Application Scenarios of RDS for PostgreSQL

[Figure: Internet traffic reaches an ELB in front of a web application server
cluster; hot data is kept in RDS for PostgreSQL, history data in DDS, and
objects in OBS]

• Utilize Spatial and Geographic Objects
RDS for PostgreSQL supports the PostGIS extension for location-based
applications, providing excellent spatial performance. It provides spatial
features including space objects, indexes, operation functions, and operators.
• Advantages
 Extra types: Supports various types of spatial data including points, lines,
planes, grids, and three-dimensional data.
 Efficient spatial analysis: Provides efficient spatial analysis functions and
works with OBS for unlimited object storage.
 Simple spatial operations: Reduces the code complexity of location
applications, making spatial operations easier.

• Mixed-mode operations combining OLTP and OLAP are supported.
• Multiple data models are applicable to spatiotemporal, geographic,
heterogeneous, image, text retrieval, time series, stream computing, and
multi-dimensional scenarios.
• Huawei provides you with a reliable database service and keeps your data
consistent.
• To replace Oracle databases, there are two solutions available:
▫ Use RDS for PostgreSQL Enhanced Edition.
▫ Use RDS for PostgreSQL Community Edition and Oracle plug-ins.

Contents

1. Database Services
 Database Basics
 RDS for MySQL
 RDS for PostgreSQL
◼ GaussDB

2. Security Services

3. Content Delivery Network (CDN)

4. API Services

5. EI Services
What Is GaussDB
⚫ GaussDB is a distributed relational database from Huawei. It supports
intra-city cross-AZ deployment with zero data loss. With a distributed
architecture, GaussDB supports petabytes of storage and more than 1,000 nodes
per DB instance. It is highly available, secure, and scalable, and provides
services including quick deployment, backup, restoration, monitoring, and alarm
reporting for enterprises.
⚫ Migrating data from centralized databases to distributed databases is driving
digital transformation.

[Figure: a distributed DB on universal hardware, supporting new distributed
applications, large-scale clusters, scalability, cloud, and autonomy]
Key Components of the GaussDB Distributed Architecture

[Figure: OM, CM (CMS), CNs, GTM, and ETCD connected over a network channel to
DNs, each DN backed by storage]

Component Description
• OM (Operation Manager): Provides management APIs and tools for routine O&M and
configurations.
• CM (Cluster Manager): Manages and monitors the running status of functional
units and physical resources in a distributed system, ensuring the stable
running of the entire system.
• GTM (Global Transaction Manager): Generates and maintains globally unique
information based on global transaction IDs.
• CN (Coordinator Node): Receives access requests from applications and returns
execution results to clients. A CN also splits tasks and schedules task shards
on each data node.
• DN (Data Node): Stores data, executes data queries, and returns the results to
a CN.
• ETCD (etcd, a distributed key-value store): Ensures the consistency of
replicas as an arbitration component.
• Storage: Storage resource, used for persistent data storage.
Advantages of GaussDB

⚫ Performance: A DB instance with 32 nodes can reach up to 15 million tpmC in
the TPC-C benchmark test for performance.
⚫ Availability: You can deploy a DB instance within a single AZ, across AZs, or
across regions as required. GaussDB supports RPO = 0 and RTO < 10 s.
⚫ Scalability: Global consistency of distributed transactions breaks through the
performance bottlenecks of traditional databases. Compute and storage can be
scaled separately and flexibly.
⚫ Security: GaussDB provides end-to-end data security with access control,
encryption authentication, database audit, dynamic data masking, and the Always
Encrypted feature, all ensuring your data remains safe and secure.
Advantages of GaussDB

⚫ Powerful compute: 6th Gen Intel Core processors and Kunpeng processors.
⚫ Online scaling: Excellent linear performance scaling and online redistribution
of new shards.
⚫ Security and reliability: Service faults are automatically monitored and
recovered from, ensuring service continuity and zero data loss.
⚫ Shared-nothing architecture: Data is sharded automatically. GTM-lite
technology is used to ensure strong consistency for transactions and to
eliminate performance bottlenecks on the central node.
Application Scenarios of GaussDB
⚫ Transaction applications
 The distributed, highly scalable architecture of GaussDB makes it an ideal fit
for highly concurrent online transactions containing a large volume of data
from government, finance, e-commerce, O2O, telecom customer relationship
management (CRM), and billing. GaussDB supports different deployment models.
⚫ CDR query
 GaussDB can process petabytes of data and use memory analysis technology to
query massive volumes of data while data is being written to the databases.
Therefore, it is suitable for the Call Detail Record (CDR) query service in the
security, telecom, finance, and Internet of Things (IoT) sectors.
Centralized openGauss Kernel Completely Open-Source

⚫ Incubation phase for internal use -> Production phase for joint innovation ->
openGauss centralized version (open source)

• 2001–2011 (internal use): Introduced enterprise-class in-memory databases.
• 2011–2019 (production): Bank G's core data warehouse and GaussDB(DWS) on
HUAWEI CLOUD were deployed for commercial use. Z Bank's core service system
replaced its commercial database. 30,000+ sets of Huawei's 40+ flagship
products were deployed commercially for 70+ carriers worldwide, with a user
base of over 2 billion.
• 2019–2020: GaussDB launched globally on May 15, 2019. Partner ecosystem
established. Compatible with mainstream ecosystems in the industry and completed
interconnection with finance and other industries.
• 2020–Now (open source): openGauss centralized version (open source) in use.
Contents
1. Database Services
2. Security Services
◼ Customer Requirements on Cloud Security
 HSS
 WAF
 DEW
3. Content Delivery Network (CDN)
4. API Services
5. EI Services

Customer Requirements on Cloud Security

CSA Top Threats
⚫ Data leakage
⚫ Insufficient identity, credential, and access management
⚫ Insecure interfaces and APIs
⚫ System vulnerabilities
⚫ Account hijacking
⚫ Malicious insiders
⚫ Advanced persistent threat (APT)
⚫ Data loss
⚫ Insufficient due diligence
⚫ Abuse and nefarious use of cloud services
⚫ Denial of service (DoS)
⚫ Shared technology vulnerabilities

Key Security Requirements for Enterprise Cloudification
⚫ Continuous services: Defend against network attackers and hackers. Comply
with laws and regulations.
⚫ Controllable O&M: Configure security policies. Detect and eliminate risks.
Audit and trace operations.
⚫ Data confidentiality: Prevent data breaches. Data is accessible only to
authorized staff.
HUAWEI CLOUD Security Services
⚫ Build a series of top-quality security services for ensuring data security.

• Data security: Data Encryption Workshop (DEW), Database Security Service
(DBSS), Cloud Certificate Manager (CCM)
• Compute security: Host Security Service (HSS), Container Guard Service (CGS)
• Management security: Cloud Trace Service (CTS), Log Tank Service (LTS), Cloud
Bastion Host (CBH)
• App and cyber security: Web Application Firewall (WAF), Cloud Firewall (CFW),
Vulnerability Scan Service (VSS), Advanced Anti-DDoS (AAD), Situation Awareness
(SA)
Contents
1. Database Services
2. Security Services
 Customer Requirements on Cloud Security
◼ HSS
 WAF
 DEW
3. Content Delivery Network (CDN)
4. API Services
5. EI Services

What Is HSS
⚫ Host Security Service (HSS) is designed to protect server workloads in hybrid
clouds and multi-cloud data centers. It provides host security functions and
Web Tamper Protection (WTP).
⚫ HSS can help you remotely check and manage your servers and containers in a
unified manner.

• HSS protects your system integrity, enhances application security, monitors
user operations, and detects intrusions.
• HSS helps you identify and manage the assets on your servers, eliminate risks,
and defend against intrusions and web page tampering. Advanced protection and
security operations functions are also available to help you detect and handle
threats.
• Install the HSS agent on your servers, and you will be able to check the
server protection status and risks in a region on the HSS console.
Advantages of HSS

⚫ Centralized management: You can check for and fix a range of security issues
on a single console, easily managing your servers.
⚫ All-round protection: HSS protects servers against intrusions with prevention,
defense, and post-intrusion scans, and blocks attacks with pinpoint accuracy by
using advanced detection technologies and diverse libraries.
⚫ Web Tamper Protection (WTP): Third-generation web anti-tampering technology
and kernel-level event triggering technology are used, together with tampering
detection and recovery technologies.
⚫ Lightweight agent: One agent covers ECSs, BMSs, offline servers, and
third-party cloud servers.

• You can install the agent on Huawei Cloud ECSs, BMSs, offline servers, and
third-party cloud servers in the same region to manage them all on a single
console.
• On the security console, you can view the sources of server risks in a
region, handle them according to the displayed suggestions, and use filter,
search, and batch processing functions to quickly analyze the risks of all
servers in the region.
• Tampering detection and recovery: Files modified by authorized users are
backed up on local and remote servers in real time, and these backups are used
to recover any tampered website pages that HSS detects.
Application Scenarios of HSS

[Figure: intrusion detection, security compliance, proactive security,
centralized management, account protection, risk assessment]

• HSS applications:

▫ Security compliance: The intrusion detection function of HSS protects accounts
and systems on cloud servers, helping companies meet DJCP Multi-level
Protection Scheme (MLPS) compliance standards.
▫ Centralized management: You can manage servers, security configurations, and
security events all from the HSS console. You can reduce security risks from a
single convenient portal and keep management costs down.
▫ Risk assessment: HSS scans your servers for risks, including unsafe accounts,
ports, software vulnerabilities, and weak passwords, and prompts you to
eliminate any security risks identified and harden the system in a timely
manner.
▫ Account protection: Accounts are protected before, during, and after a
security event. You can also use 2FA to block brute-force attacks on accounts,
enhancing the security of your cloud servers.
▫ Proactive defense: You can count and scan your server assets, check and fix
vulnerabilities and unsafe settings, and proactively protect your network,
applications, and files from attacks.
▫ Intrusion detection: You can scan all possible attack vectors to detect and
fight APTs and other threats in real time, protecting your system from their
impacts.
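The account protection and intrusion detection scenarios above come down to watching authentication events on the host. The following is an added example, not HSS code: it runs a sliding-window brute-force check over SSH auth log lines and flags a later successful login from a source that was already brute-forcing, which is the event an operator actually needs to act on. The log lines are constructed, the threshold and window are assumptions, and only OpenSSH's "Failed/Accepted password" format is parsed.

```python
"""Brute-force login detection over SSH auth log lines, the kind of check a
host intrusion detection agent runs before a source is blocked or 2FA is enforced.

Added example, not HSS code. The log lines are constructed, the threshold and
window are assumptions, and only OpenSSH's "Failed/Accepted password" format
is parsed (all lines are assumed to fall in one non-leap year).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample: 203.0.113.9 sprays accounts, then logs in as "deploy".
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Mar  3 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.9 port 50212 ssh2
Mar  3 10:00:05 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 50213 ssh2
Mar  3 10:00:06 web1 sshd[1207]: Failed password for root from 203.0.113.9 port 50214 ssh2
Mar  3 10:00:08 web1 sshd[1209]: Failed password for invalid user oracle from 203.0.113.9 port 50215 ssh2
Mar  3 10:00:12 web1 sshd[1211]: Failed password for deploy from 198.51.100.7 port 41000 ssh2
Mar  3 10:00:20 web1 sshd[1213]: Accepted password for deploy from 198.51.100.7 port 41001 ssh2
Mar  3 10:00:30 web1 sshd[1215]: Failed password for root from 203.0.113.9 port 50216 ssh2
Mar  3 10:01:05 web1 sshd[1217]: Accepted password for deploy from 203.0.113.9 port 50217 ssh2
Mar  3 10:09:40 web1 sshd[1219]: Failed password for root from 203.0.113.9 port 50218 ssh2
"""


def parse(line: str):
    """Parse one line into a dict, or None if it is not a password auth event."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2023 " + m["ts"], "%Y %b %d %H:%M:%S")  # assumed year
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return alerts in log order.

    brute_force: an IP reaches `threshold` failures inside a sliding window.
    success_after_brute_force: a later successful login from an IP already
    flagged, which is the case worth treating as a likely compromise.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["ok"]:
            if ip in flagged:
                alerts.append({"type": "success_after_brute_force", "ip": ip,
                               "user": ev["user"], "ts": ts})
            continue
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # forget failures that fell out of the window
        if len(window) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({"type": "brute_force", "ip": ip,
                           "failures": len(window), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The benign user from 198.51.100.7 (one typo, then a successful login) never trips the threshold, while the attacker is flagged after the fifth failure and again when a password finally works; the second alert is the one that says "rotate that credential and enforce 2FA", not just "block the IP".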
Contents
1. Database Services
2. Security Services
 Customer Requirements on Cloud Security
 HSS
◼ WAF
 DEW
3. Content Delivery Network (CDN)
4. API Services
5. EI Services

What Is WAF
⚫ Web Application Firewall (WAF) keeps web services stable and secure. It
examines all HTTP and HTTPS requests to detect and block the following attacks:
Structured Query Language (SQL) injection, cross-site scripting (XSS), web
shells, command and code injection, file inclusion, sensitive file access,
third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious
crawlers, and cross-site request forgery (CSRF).

[Figure: traffic from the Internet, VPN, or DC reaches dedicated WAF instances
in HUAWEI CLOUD, then an optional internal load balancer, and finally the web
applications and websites]

• After you purchase a WAF instance, add your website domain to the WAF
instance on the WAF console. All public network traffic for your website then
goes to WAF first. WAF identifies and filters out the illegitimate traffic, and
routes only the legitimate traffic to your origin server to ensure site
security.
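What "identifies and filters out the illegitimate traffic" means for a request parameter, as an added example that is not WAF's engine: each value is normalised by peeling encodings repeatedly (URL, HTML entities, \x and \u escapes, base64, SQL inline comments) and only then matched against signatures, so that an attacker cannot dodge a rule by encoding the payload twice. The decoders, the four signature rules and the sample requests are a constructed, deliberately small subset.

```python
"""Request inspection the way a WAF does it: normalise each parameter by
decoding it repeatedly (URL, HTML, \\x and \\u escapes, base64, SQL inline
comments), then match attack signatures against the decoded form so that
encoding tricks do not bypass the rules.

Added example, not WAF's engine. The decoders, the signature set and the
sample requests are a constructed, deliberately small subset.
"""
import base64
import binascii
import html
import re
import urllib.parse

MAX_ROUNDS = 5  # bound the work an attacker can force with deeply nested encodings

RULES = {
    "sqli": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"
                       r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"
                       r"|\bsleep\s*\(|;\s*drop\s+table\b"),
    "xss": re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:"),
    "cmdi": re.compile(r"[;|`]\s*(?:cat|ls|id|whoami|wget|curl)\b|\$\("),
    "traversal": re.compile(r"\.\./"),
}


def _maybe_base64(token: str):
    """Decode a base64 token only if it really is one and yields printable text."""
    if len(token) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def normalize(value: str) -> str:
    """Peel encodings until the value stops changing, then lower-case it."""
    current = value
    for _ in range(MAX_ROUNDS):
        step = urllib.parse.unquote(current)                    # %27 -> '
        step = html.unescape(step)                               # &#39; -> '
        step = re.sub(r"\\x([0-9a-fA-F]{2})",
                      lambda m: chr(int(m.group(1), 16)), step)  # \x27 -> '
        step = re.sub(r"\\u([0-9a-fA-F]{4})",
                      lambda m: chr(int(m.group(1), 16)), step)  # \u0027 -> '
        decoded = _maybe_base64(step.strip())
        if decoded is not None:
            step = decoded
        step = re.sub(r"/\*.*?\*/", " ", step)                   # UNION/**/SELECT
        step = re.sub(r"\s+", " ", step)
        if step == current:
            break
        current = step
    return current.lower()


def inspect_request(params: dict) -> list:
    """Return (parameter, rule) pairs for every parameter that matches a rule."""
    hits = []
    for name, value in params.items():
        decoded = normalize(value)
        for rule, pattern in RULES.items():
            if pattern.search(decoded):
                hits.append((name, rule))
    return hits


# Constructed requests: the first four are attacks hidden behind encodings.
SAMPLES = {
    "double_url": {"id": "1%2527%2520UNION%2520SELECT%2520user,password%2520FROM%2520users"},
    "base64":     {"q": "JyBPUiAnMSc9JzE="},                     # base64 of ' OR '1'='1
    "comment":    {"id": "1 UNION/**/SELECT 1,2"},
    "html_xss":   {"name": "&lt;script&gt;alert(1)&lt;/script&gt;"},
    "benign":     {"name": "O%27Brien", "q": "union station select bus"},
}

if __name__ == "__main__":
    for label, params in SAMPLES.items():
        print(label, inspect_request(params))
```

Two points a practitioner should keep from this: the decode loop is bounded (MAX_ROUNDS) so a nested-encoding request cannot become a denial-of-service against the inspector itself, and the base64 branch only fires on tokens that decode to printable text, which keeps ordinary words such as "O'Brien" from being mangled into false positives.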
Advantages of WAF
⚫ WAF examines web traffic from multiple dimensions to accurately identify malicious requests
and filter attacks, reducing the risks of data being tampered with or stolen.

 Precisely and Efficiently Identify Threats: WAF uses rule and AI dual engines and integrates our latest security rules and best practices.
 Zero-Day Vulnerabilities Patched Fast: A specialized security team provides 24/7 service support to fix zero-day vulnerabilities within 2 hours.
 Strong Protection for User Data Privacy: Sensitive information, such as accounts and passwords, in attack logs can be anonymized. PCI-DSS checks for SSL encryption are available. The minimum TLS protocol version and cipher suite can be configured.

• Basic web protection:
▫ Backed by an extensive preset reputation database, WAF can defend against the
Open Web Application Security Project (OWASP) top 10 threats, vulnerability
exploits, web shells, and other threats.
▫ WAF detects and blocks varied attacks, such as SQL injection, XSS attacks, remote
overflow vulnerabilities, file inclusion, Bash vulnerabilities, remote command
execution, directory traversal, sensitive file access, and command/code injection.
▫ WAF provides web shell detection, protecting web applications from web shells.
• Precise identification:
▫ WAF uses a wide range of techniques to identify attacks. For example, WAF
uses a dual-engine architecture, combining a built-in semantic analysis
engine and a regex engine. WAF also lets users configure blacklist and
whitelist rules, so WAF has a low false positive rate.
▫ WAF automatically decodes common encodings no matter how many layers
have been applied. WAF can decode a wide range of encodings, including
url_encode, Unicode, XML, C-OCT, hexadecimal, HTML escape, and base64,
as well as case confusion and JavaScript, shell, and PHP concatenation confusion.
▫ WAF deep inspection identifies and blocks evasion attacks, including those
that use homomorphic character obfuscation, command injection with
deformed wildcard characters, UTF7, data URI scheme, and other
techniques.
▫ WAF header detection inspects all header fields in received requests.
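As an added illustration of the multi-layer decoding described above (example code, not WAF's own), the following Python normalises a request value by peeling percent-encoding, HTML escapes, JavaScript \u escapes and base64 until it stops changing, then runs a small constructed signature set over the result. The signature patterns, the round cap and the sample request are assumptions made for the example.

```python
import base64
import binascii
import html
import re
import urllib.parse

# Constructed signatures standing in for WAF's rule engine (a real rule set is far
# larger); each regex runs over the fully decoded, case-folded value.
SIGNATURES = {
    "sqli_tautology": re.compile(r"\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    "sqli_union": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "xss_script_tag": re.compile(r"<\s*script\b"),
    "path_traversal": re.compile(r"\.\./"),
}
MAX_DECODE_ROUNDS = 8   # bound the work an attacker can force with deep nesting


def _try_base64(s):
    """Decode s as base64 only if it plausibly is base64 and yields printable text."""
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return out if out.isprintable() else None


def _decode_once(s):
    """Strip one layer of percent-encoding, HTML escapes and \\uXXXX / \\xXX escapes."""
    out = urllib.parse.unquote(s)
    out = html.unescape(out)
    out = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), out)
    out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), out)
    return out


def normalise(value):
    """Peel encoding layers until the value stops changing or the round cap is hit."""
    cur = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = _try_base64(cur.strip())
        nxt = decoded if decoded is not None else _decode_once(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def inspect_request(params, headers):
    """Return (field, rule) pairs for every query parameter or header that matches."""
    hits = []
    for field, raw in list(params.items()) + list(headers.items()):
        text = normalise(raw).casefold()
        for rule, rx in SIGNATURES.items():
            if rx.search(text):
                hits.append((field, rule))
    return hits


# Constructed request: a double percent-encoded tautology, a base64-wrapped one in a
# custom header, and a script tag hidden behind percent-encoding plus a \u escape.
SAMPLE_PARAMS = {"id": "%2527%2520OR%25201%253D1", "q": "cloud security"}
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0",
    "X-Note": "JyBPUiAxPTEtLQ==",
    "Referer": "%3C%5Cu0073cript%3Ealert(1)",
}


def demo():
    return inspect_request(SAMPLE_PARAMS, SAMPLE_HEADERS)


if __name__ == "__main__":
    for field, rule in demo():
        print(f"blocked: {field} matched {rule}")
```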
How WAF Works
⚫ After a website is connected to WAF, all website access requests are forwarded to
WAF first. Then, WAF inspects the traffic, filters out malicious traffic, and routes only
normal traffic to the origin server, keeping the origin server secure, stable, and
available.


• To enable WAF, after purchasing a WAF instance, go to the WAF console and
connect the website to be protected to the WAF instance. After that, all website
access requests go to WAF first. Then, WAF inspects the traffic, filters out attacks,
and routes only normal traffic to the origin server, keeping the origin server
secure, stable, and available.

• The process of forwarding website traffic to the origin server through WAF is
called back-to-source. WAF inspects traffic originating from the client and uses
WAF back-to-source IP addresses to forward normal traffic to the origin server.
To the origin server, source IP addresses of all requests are the WAF back-to-
source IP addresses. In this way, the IP address of the origin server is hidden from
the client.
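An added example (not HUAWEI CLOUD's own code) of what back-to-source means for the origin: because legitimate traffic only ever arrives from the WAF back-to-source addresses, the origin can refuse any other peer and treat any other source in its access log as a WAF bypass. The CIDRs and log lines below are constructed placeholders; the real back-to-source ranges come from the WAF console.

```python
import ipaddress
import re

# Constructed placeholder ranges: the real WAF back-to-source IP addresses are
# published on the WAF console and must be copied from there.
WAF_BACK_TO_SOURCE_CIDRS = ["203.0.113.0/24", "198.51.100.128/25"]


def build_allowlist(cidrs):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_waf(peer_ip, allowlist):
    """True if the TCP peer address belongs to one of the WAF back-to-source ranges."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def origin_guard(environ, allowlist):
    """Gate run in front of the application: only WAF may talk to the origin."""
    # REMOTE_ADDR is the WAF node, never the end user, once the site is behind WAF.
    if is_from_waf(environ.get("REMOTE_ADDR", ""), allowlist):
        return "200 OK"
    return "403 Forbidden"


# Constructed origin access-log lines: "<peer ip> <method> <path> <status>".
SAMPLE_LOG = """\
203.0.113.45 GET /index.html 200
203.0.113.46 POST /login 200
192.0.2.77 GET /admin 200
198.51.100.200 GET /index.html 200
192.0.2.77 GET /config 404
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def find_bypass_attempts(log_text, allowlist):
    """Detection: a request that did not come through WAF means WAF was bypassed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if not is_from_waf(ip, allowlist):
            hits.append({"ip": ip, "method": method, "path": path, "status": int(status)})
    return hits


if __name__ == "__main__":
    allow = build_allowlist(WAF_BACK_TO_SOURCE_CIDRS)
    for hit in find_bypass_attempts(SAMPLE_LOG, allow):
        print("direct origin access:", hit)
```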
WAF Application Scenarios
 Common protection
 Protection for online shopping mall promotion activities
 Protection against zero-day vulnerabilities
 Data leakage prevention
 Web page tampering prevention

• WAF application scenarios:
▫ Common protection: WAF helps users defend against common web attacks,
such as command injection and sensitive file access.
▫ Protection for online shopping mall promotion activities: Countless
malicious requests may be sent to service interfaces during online
promotions. WAF allows configurable rate limiting policies to defend
against CC attacks. This prevents services from breaking down under many
concurrent requests, ensuring that legitimate requests are answered.
▫ Protection against zero-day vulnerabilities: Services cannot recover quickly
from the impact of zero-day vulnerabilities in third-party web frameworks and
plug-ins.
▫ Data leakage prevention: WAF prevents malicious actors from using
methods such as SQL injection and web shells to bypass application security
and gain remote access to web databases.
▫ Web page tampering prevention: WAF ensures that attackers cannot leave
backdoors on your web servers or tamper with your web page content,
preventing damage to your credibility.
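The rate limiting policy mentioned for promotion activities, as an added example rather than WAF's implementation: a sliding-window counter keyed on source IP and path, replayed over a constructed request stream in which one source floods the order interface while three shoppers browse normally. The limit, window and keying are assumptions for the example.

```python
from collections import Counter, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window_s`-second window."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.hits = {}  # key -> deque of timestamps still inside the window

    def allow(self, key, ts):
        q = self.hits.setdefault(key, deque())
        while q and ts - q[0] >= self.window_s:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False                           # over the limit: block or challenge
        q.append(ts)
        return True


def apply_policy(requests, limit, window_s, key_fn):
    """Replay a request stream through the limiter; return per-key allowed/blocked counts."""
    limiter = SlidingWindowLimiter(limit, window_s)
    outcome = {}
    for req in requests:
        key = key_fn(req)
        counts = outcome.setdefault(key, Counter())
        counts["allowed" if limiter.allow(key, req["ts"]) else "blocked"] += 1
    return outcome


def build_sample():
    """Constructed traffic: one source sends 50 order requests in 2 s, shoppers send 9 in 8 s."""
    reqs = [{"ts": i * 0.04, "ip": "198.51.100.7", "path": "/api/order"} for i in range(50)]
    reqs += [{"ts": float(i), "ip": "203.0.113.%d" % (10 + i % 3), "path": "/api/order"}
             for i in range(9)]
    reqs.sort(key=lambda r: r["ts"])
    return reqs


def demo(limit=20, window_s=10):
    # Key on (source IP, path): the assumed policy scope for this example.
    return apply_policy(build_sample(), limit, window_s,
                        key_fn=lambda r: (r["ip"], r["path"]))


if __name__ == "__main__":
    for key, counts in demo().items():
        print(key, dict(counts))
```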
Contents
1. Database Services
2. Security Services
 Customer Requirements on Cloud Security
 HSS
 WAF
◼ DEW
3. Content Delivery Network (CDN)
4. API Services
5. EI Services

What Is DEW?
⚫ Data Encryption Workshop (DEW) is a cloud data encryption service. It consists of the following
services: Key Management Service (KMS), Cloud Secret Management Service (CSMS), Key Pair Service
(KPS), and Dedicated Hardware Security Module (Dedicated HSM).
⚫ It helps you secure your data and keys, simplifying key management. DEW uses HSMs to protect the
security of your keys, and can be integrated with other Huawei Cloud services to address data security,
key security, and key management issues.
Diagram: a tenant uses the CLI or Manager to call the DEW API; on the cloud platform the service is backed by virtual HSMs and encryption chips, and ECSs access it through the same API.

• Data is a core enterprise asset, and data breaches can result in immeasurable
losses. DEW can encrypt customer data and protect it from data leaks.

• DEW uses HSMs to protect your keys, and can be integrated with other HUAWEI
CLOUD services to address data security, key security, and key management
issues. You can also develop your own encryption applications based on DEW.
DEW Services
⚫ DEW consists of the following services: Key Management Service (KMS), Cloud Secret
Management Service (CSMS), Key Pair Service (KPS), and Dedicated Hardware Security
Module (Dedicated HSM).

Application Scenario
 Sensitive data encryption: government public services, Internet enterprises, and system applications that contain immense sensitive information. User access (browser, app, and other ports) reaches the application server, web server, and database over the Internet, and sensitive data is encrypted by a Dedicated HSM instance in the encryption resource pool.
 Finance and mobile payment: system applications for payment and prepayment with transportation cards, on e-commerce platforms, and through other means. POS payment, frontend systems, and liquidation, finance, and payment systems connect over the Internet to a Dedicated HSM instance in the encryption resource pool for sensitive data encryption.

• After a Dedicated HSM instance is purchased, you can use the UKey provided by
Dedicated HSM to initialize and manage the instance. You can fully control the
key generation, storage, and access authentication.

• Applications:
▫ Sensitive data encryption: government public services, Internet enterprises,
and system applications that contain immense volumes of sensitive
information
▫ Payment: payment and prepayment applications, such as transportation
cards and e-commerce platforms
▫ Verification: Dedicated HSM can ensure the confidentiality and integrity of
electronic contracts, invoices, insurance policies, and medical records during
transmission and storage.
Contents
1. Database Services
2. Security Services
3. Content Delivery Network (CDN)
4. API Services
5. EI Services

Pain Points
 Poor user experience (websites, downloads, and VOD): slow access, download or access failures, and video freezing.
 Large bandwidth consumption and high costs: without CDN, everything must be fetched from origin servers, which wastes bandwidth and costs money.
 High concurrency: traffic bursts and concurrent downloads when e-commerce promotions, popular games, or hit TV series go online.
 Heavy O&M workload: limited bandwidth, a huge number of concurrent requests, and inefficient O&M.
What Is CDN
⚫ Content Delivery Network (CDN) is a smart virtual network on the Internet infrastructure. CDN can
cache origin content on nodes closer to users, so content can load faster. CDN speeds up site response
and improves site availability. It breaks through the bottlenecks caused by low bandwidth, heavy access
traffic, and uneven distribution of edge nodes.


• Huawei Cloud CDN caches origin content on edge nodes across the globe. Users
can get content from the nearest nodes instead of from the origin server far away
from them. This reduces latency and improves user experience. Using preset
policies (including content types, geographic locations, and network loads), CDN
provides users with the IP address of a node that responds the fastest. Users get
the requested content faster than would have otherwise been possible.
HUAWEI CLOUD Global CDN Node Information
⚫ Huawei Cloud CDN has over 2000 edge nodes in the Chinese mainland and over 800 edge nodes outside the
Chinese mainland. The network-wide bandwidth reaches 150 Tbit/s. The edge nodes are connected to the
networks of top carriers in China such as China Telecom, China Unicom, China Mobile, and China Education
and Research Network (CERNET), as well as many small- and medium-sized carriers. CDN covers more than
130 countries and regions. It deploys nodes on networks of over 1600 carriers. CDN schedules user requests
to the most appropriate nodes, accelerating content delivery.
Advantages of CDN
 Global Network: Get content delivered from 2800+ edge nodes from popular carriers in six continents. Bandwidth reaches 150 Tbit/s network-wide.
 Precise Scheduling: Enhance user access experience with an accurate, evolving IP geolocation database and dynamic node adjustment.
 Ease of Use: Configure domains with CDN in several steps, customize them on the console, and call open APIs for app integration and cross-cloud management.
 High-Performance Cache: Improve cache hit ratio and shorten access queues with proprietary AICache, multi-level cache scheduling, and fast, massive SSD storage.
 Security: Protect your resources with network-wide HTTPS transmission, anti-leeching, referer validation, URL validation, and access control.
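An added example, not Huawei Cloud CDN's own algorithm, of two of the security features named above, referer validation and URL validation: an edge node serves a request only if the Referer host is allowlisted (anti-leeching) and the URL carries an unexpired HMAC signature over its path. The signing key, query parameter names and allowed hosts are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret; with a real CDN the key is configured on the console.
# The scheme below (HMAC-SHA256 over path and expiry) is an illustration only.
SIGNING_KEY = b"example-cdn-key-not-for-production"
ALLOWED_REFERERS = {"www.example.com", "static.example.com"}


def _signature(path, expires, key):
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path, key=SIGNING_KEY, ttl=300, now=None):
    """Origin side: return path?exp=<unix ts>&sig=<hmac>, valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"exp": expires, "sig": _signature(path, expires, key)})
    return f"{path}?{query}"


def verify_url(url, key=SIGNING_KEY, now=None):
    """Edge side: reject unsigned, expired or tampered URLs."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    # the path is re-signed on the edge, so changing it invalidates the signature
    expected = _signature(parts.path, expires, key)
    return hmac.compare_digest(expected, sig)


def referer_allowed(referer, allowed=ALLOWED_REFERERS, allow_empty=False):
    """Anti-leeching: accept only requests whose Referer host is on the allowlist."""
    if not referer:
        return allow_empty
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in allowed


def edge_decision(url, referer, now=None):
    """Combined check an edge node would run before serving cached content."""
    if not referer_allowed(referer):
        return "deny: referer"
    if not verify_url(url, now=now):
        return "deny: url"
    return "serve"


if __name__ == "__main__":
    signed = sign_url("/video/ep1.mp4", ttl=300, now=1_700_000_000)
    print(signed)
    print(edge_decision(signed, "https://www.example.com/player", now=1_700_000_100))
```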
Application Scenarios of CDN
⚫ CDN is useful for download clients, game clients, app stores, and websites that provide download services based on
HTTP or HTTPS. An increasing number of new services need to update software in real time. Conventional
download services need to provide even more and larger downloads. If origin servers have to handle all these
requests, it places tremendous strain on these servers and results in bottlenecks. CDN can distribute content to edge
nodes, ease the pressure on origin servers, and speed up downloads.

Contents
1. Database Services
2. Security Services
3. Content Delivery Network (CDN)
4. API Services
5. EI Services

What Is APIG
⚫ API Gateway (APIG) is your cloud native gateway service. With APIG, you can build, manage,
and deploy APIs at any scale to package your capabilities. With just a few clicks, you can
integrate internal systems, monetize service capabilities, and selectively expose capabilities
with minimal costs and risks.
⚫ APIG helps you monetize service capabilities and reduce R&D investment, and enables you to
focus on core enterprise services to improve operational efficiency.


• To monetize your capabilities (VM clusters, data, and microservice clusters), you
can open them up by creating APIs in APIG. Then you can provide the APIs for
API callers using offline channels.

• You can also obtain open APIs from APIG to reduce your development time and
costs.
Product Functions
 API Lifecycle Management (out-of-the-box): APIG provides full-lifecycle API management, including design, development, test, publish, and O&M. You can quickly create APIs by configuring the required settings on the APIG console.
 Refined Request Throttling (higher performance): APIG combines synchronous and asynchronous traffic control and multiple algorithms to throttle requests at the second level. APIG integrates the nodes for security, load balancing, inbound traffic governance, and microservice governance, improving performance while reducing deployment and O&M costs.
 Operation Quality Assurance (available): Hosting open APIs of all Huawei Cloud services, APIG helps improve the quality process system with ensured reliability and stability.
 Security Protection: APIG supports SSL transfer, strict access control, IP address blacklist/whitelist, authentication, anti-replay, anti-attack, and multiple audit rules.
 Function Invocation: APIG seamlessly works with FunctionGraph, enabling you to selectively expose FunctionGraph functions in the form of APIs.
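The anti-replay protection listed under Security Protection, as an added example of the gateway-side logic and not APIG's own signing scheme: the caller signs method, path, timestamp, nonce and body hash with a shared secret, and the gateway rejects stale timestamps, bad signatures and any nonce it has already accepted. The header names, window length and secret are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credentials and policy; an illustrative scheme, not APIG's signing format.
APP_SECRET = b"example-app-secret-not-for-production"
REPLAY_WINDOW_S = 300   # requests older (or newer) than 5 minutes are refused


def canonical(method, path, timestamp, nonce, body):
    """Bytes that both sides sign: method, path, timestamp, nonce and a body digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{nonce}\n{body_hash}".encode()


def sign_request(method, path, body, secret=APP_SECRET, timestamp=None, nonce=None):
    """Caller side: produce the auth headers for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    sig = hmac.new(secret, canonical(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class ReplayGuard:
    """Gateway side: freshness window, signature check, then one-time nonce."""

    def __init__(self, secret=APP_SECRET, window=REPLAY_WINDOW_S):
        self.secret = secret
        self.window = window
        self.seen = {}   # nonce -> timestamp; only nonces inside the window are kept

    def _evict(self, now):
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[nonce]   # an older replay is already caught by the window

    def check(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        self._evict(now)
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.window:
            return False, "timestamp outside replay window"
        expected = hmac.new(self.secret, canonical(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # verify the signature before touching the nonce cache, so unsigned junk
        # cannot fill it or burn a legitimate caller's nonce
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if nonce in self.seen:
            return False, "nonce already used (replay)"
        self.seen[nonce] = ts
        return True, "accepted"


if __name__ == "__main__":
    body = b'{"sku": "A-100", "qty": 2}'
    hdrs = sign_request("POST", "/v1/orders", body, timestamp=1_700_000_000, nonce="n-0001")
    guard = ReplayGuard()
    print(guard.check("POST", "/v1/orders", body, hdrs, now=1_700_000_010))
    print(guard.check("POST", "/v1/orders", body, hdrs, now=1_700_000_020))  # replayed
```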
API open platform
⚫ All-round industry open API platform serving education, large enterprises, finance, digital government, and the industrial Internet:
 Analytics layer: API running dashboard, custom API reports, and developer community
 Governance layer: API design, API implementation, API management, API consumption, and API assets
 Running layer: API Gateway (APIG) and ROMA Connect for API opening, authorization, publishing, debugging, and access
 Production layer: software development, software building, software testing, application deployment, cloud native, and application O&M
 Across all layers: core capabilities, methodologies, expert service, application development, and service change management
• API Arts is an integrated solution platform for API lifecycle management.
• It enables developers to efficiently implement a one-stop experience in API design, API development, API testing, API hosting, API O&M, and API monetization. With API contracts as anchors, API Arts ensures high data consistency across API phases and provides developers with a user-friendly end-to-end solution for the entire API process.
• With API Arts, developers can efficiently, in a standardized way, and accurately cultivate and protect their APIs, and easily participate in the API economy.

• API O&M personnel:
▫ Provides cloud-native API gateways to flexibly connect to any backend,
meeting unified microservice governance requirements.
▫ Provides SLA assurance for ultra-high concurrency.
▫ Provides full-stack security assurance to ensure service security at the
protocol layer, access layer, audit layer, and backend integration layer.

• API Manager:
▫ One-stop overview of enterprise API asset subscription, usage, and
evaluation.

• API customers and partners:
▫ Quickly access API assets through the Marketplace.
▫ Reuse API assets on the Developer Portal.

Application Scenarios of API
⚫ With the rapid development of enterprises and rapid service changes, internal systems of enterprises
need to change along with service requirements. However, internal systems of enterprises depend on
each other, and keeping those systems universal and stable makes it difficult to cope with service changes.

 Strong coupling architecture: coupling of services and data leads to complex data risk and fault locating (the diagram pairs this with a layered architecture).
 Non-standardized: non-standardized services lead to continuity risks and high learning costs (the diagram pairs this with efficient R&D).

• API Gateway uses RESTful APIs to simplify the service architecture. Standardized
APIs are used to quickly decouple internal systems and separate front-end and
back-end systems. In addition, existing capabilities are reused to avoid resource
waste caused by repeated development.
Contents
1. Database Services
2. Security Services
3. Content Delivery Network (CDN)
4. API Services
5. EI Services

One-Stop AI Development Platform ModelArts
⚫ ModelArts is a one-stop AI development platform geared toward developers and data scientists of
all skill levels. It enables you to rapidly build, train, and deploy models anywhere (from the cloud
to the edge), and manage full-lifecycle AI workflows. ModelArts accelerates AI development and
fosters AI innovation with key capabilities, including data preprocessing and auto labeling,
distributed training, automated model building, and one-click workflow execution.
 20,000+ prefabricated models; 40%+ training efficiency; E2E AI platform with continuous iteration
 Industry use cases: visual quality inspection, production scheduling, sound detection, workwear identification, and intelligent sales
 General suites: NLP suite, OCR suite, Vision suite, Speech suite, and more

• ModelArts covers all stages of AI development, including data processing,
algorithm development, and model training and deployment. The underlying
technologies of ModelArts support various heterogeneous computing resources,
allowing developers to flexibly select and use resources. In addition, ModelArts
supports popular open-source AI development frameworks such as TensorFlow,
PyTorch, and MindSpore. ModelArts also allows you to use customized algorithm
frameworks tailored to your needs.
• AI engineers face challenges in the installation and configuration of various AI
tools, data preparation, and model training. To address these challenges, the
one-stop AI development platform ModelArts is provided. The platform
integrates data preparation, algorithm development, model training, and model
deployment into the production environment, allowing AI engineers to perform
one-stop AI development.
• ModelArts has the following features:
▫ Data governance: Manages data preparation, such as data filtering and
labeling, and dataset versions.
▫ Rapid and simplified model training: Enables high-performance distributed
training and simplifies coding with the self-developed MoXing deep
learning framework.
▫ Cloud-edge-device synergy: Deploys models in various production
environments such as devices, the edge, and the cloud, and supports real-
time and batch inference.
▫ Auto learning: Enables model building without coding and supports image
classification, object detection, and predictive analytics.
Introduction to MRS
⚫ MapReduce Service (MRS) is provided on Huawei Cloud for you to manage Hadoop-based components. With MRS,
you can deploy a Hadoop cluster with a few clicks. MRS provides enterprise-level big data clusters on the cloud.
Tenants can fully control clusters and easily run big data components such as Storm, Hadoop, Spark, HBase, and
Kafka. MRS is fully compatible with open source APIs, and incorporates advantages of Huawei Cloud computing and
storage and big data industry experience to provide customers with a full-stack big data platform featuring high
performance, low cost, flexibility, and ease-of-use.

Diagram: data sources (IoT, files, and service DBs) are loaded in batch or in real time (real-time stream processing, real-time synchronization, incremental update) into a logical data lake made up of an offline data lake and a real-time data lake (batch-stream convergence, cross-lake lakehouse collaboration, T+1 -> T+0 timeliness, 60,000+ nodes deployed), which feeds specialized data marts (real-time OLAP, time series, in-memory, and graph databases) for simple retrieval, complex retrieval, and on-demand loading at 50x faster retrieval. Data storage is layered into original data, detail data, summary data, and the mart layer.

• Big data is a huge challenge facing the Internet era as the data volume and types
increase rapidly. Conventional data processing technologies, such as single-node
storage and relational databases, are unable to solve the emerging big data
problems. In this case, the Apache Software Foundation (ASF) has launched an
open source Hadoop big data processing solution. Hadoop is an open source
distributed computing platform that can fully utilize computing and storage
capabilities of clusters to process massive amounts of data. If enterprises deploy
Hadoop systems by themselves, the disadvantages include high costs, long
deployment period, difficult maintenance, and inflexible use.
Introduction to GaussDB(DWS) Data Warehouse
⚫ GaussDB(DWS) is an online data processing database that runs on the Huawei Cloud infrastructure to provide a
scalable, fully-managed, and out-of-the-box analytic database service, freeing you from complex database
management and monitoring. It is a native cloud service based on the Huawei converged data warehouse GaussDB,
and is fully compatible with the standard ANSI SQL 99 and SQL 2003, as well as the PostgreSQL and Oracle
ecosystems. GaussDB(DWS) provides competitive solutions for PB-level big data analysis in various industries.

 Scenarios: enterprise data warehouse, data exploration, data mart, IoT analysis, and hybrid workloads, covering operations analysis, self-service analysis, supervision and reporting, real-time monitoring, user profiles, one database for dual purposes, ERP, BI reports, online query, precision marketing, and anti-fraud.
 Deployment: partner cloud, public cloud, hybrid cloud, and edge cloud.

• Advantages:
▫ Seamless migration: GaussDB(DWS) provides various migration tools to
ensure seamless migration of popular data analysis systems such as
Teradata, Oracle, MySQL, SQL Server, PostgreSQL, Greenplum, and Impala.
▫ Compatible with conventional data warehouses: GaussDB(DWS) supports
the SQL 2003 standard and stored procedures. It is compatible with some
Oracle syntax and data structures, and can be seamlessly interconnected
with common BI tools, saving service migration efforts.
▫ Secure and reliable: GaussDB(DWS) supports data encryption and connects
to DBSS to ensure data security on the cloud. In addition, GaussDB(DWS)
supports automatic full and incremental backup of data, improving data
reliability.
Introduction to GES
⚫ Graph Engine Service (GES) uses the Huawei-developed EYWA kernel to facilitate query and analysis of
multi-relational graph data structures. It is specifically suited for scenarios requiring analysis of rich
relationship data, including social relationship analysis, marketing and recommendations, public
opinions and social listening, information communication, and anti-fraud.


• GES has the following functions:
▫ Extensive algorithms: Algorithms such as PageRank, K-core, Shortest Path,
Label Propagation, Triangle Count, and Link Prediction are all supported.
▫ Visualized graph analysis: A wizard-based exploration environment is
included, along with visualized query results.
▫ Query/Analysis APIs: GES provides APIs for graph query, metrics statistics,
Gremlin query, Cypher query, graph algorithms, and graph and backup
management.
▫ Good compatibility: Compatible with open source Apache TinkerPop
Gremlin 3.4.
▫ Graph management: GES provides graph overview, graph management,
graph backup, and metadata management functions.
Introduction to DataArts Studio
⚫ DataArts Studio is a one-stop data operations platform that drives digital transformation. It allows you
to perform many operations, such as integrating and developing data, designing data architecture,
controlling data quality, managing data assets, creating data services, and ensuring data security.
Incorporating big data storage, computing and analytical engines, it can also construct industry
knowledge bases and help your enterprise build an intelligent end-to-end data system. This system can
eliminate data silos, unify data standards, accelerate data monetization, and accelerate your
enterprise's digital transformation.
Diagram: DataArts Studio covers the data lifecycle end to end: data migration (CDM/CDL/DIS/DRS/ROMA FDI) from GaussDB, messages, IoT, and files; data storage (LakeFormation/OBS); data conversion, analysis, prediction, and visualization (DWS/MRS/DLI/CSS/GES/CloudTable/DLV/MLS/LTS); data application and enablement (EI Gallery/TICS/EDS); and data sharing. Data development (IDE) and data governance (catalog/quality/security/...) span the whole pipeline, serving government, finance, carrier, enterprise, and Internet customers.
Huawei EI Service Panorama - Artificial Intelligence
⚫ HUAWEI CLOUD provides comprehensive AI and big data cloud services to facilitate the
intelligent upgrades of governments and enterprises and build ubiquitous and pervasive AI.
 ModelArts
 Image Recognition
 Optical Character Recognition (OCR)
 Natural Language Processing (NLP)
 Content Moderation
 Image Search (IS)
 Conversational Bot Service (CBS)
 Speech Interaction Service (SIS)
 Graph Engine Service (GES)

• HUAWEI CLOUD EI includes AI services and big data services. This slide
introduces the former.
HUAWEI CLOUD EI Service Panorama - Big Data
⚫ HUAWEI CLOUD provides comprehensive AI and big data cloud services to facilitate the
intelligent upgrades of governments and enterprises and build ubiquitous and pervasive AI.
 Data Lake Insight (DLI)
 DataArts Studio
 Data Lake Visualization (DLV)
 Data Warehouse Service (DWS)
 Cloud Search Service (CSS)
 MapReduce Service (MRS)
 Data Ingestion Service (DIS)
 Blockchain Service
Quiz
1. (True or false) Read replicas of RDS for MySQL can exist independently only when
you have purchased a single-node system or active/standby.
True
False

2. (Multiple-Answer Question) Which of the following are the application scenarios
for HUAWEI CLOUD CDN?
A. Website acceleration
B. File download acceleration
C. VOD acceleration
D. ECS running acceleration


• False. The read replicas of RDS for MySQL cannot exist independently.

• ABC. CDN mainly accelerates applications. It cannot accelerate cloud servers.


Summary

This course introduces the database services, security services, CDN, API, and EI services of
HUAWEI CLOUD, including:
⚫ Relational and non-relational database types, and the application scenarios and
key features of different databases.
⚫ Basic concepts and importance of security services.
⚫ Functions and working rules of the API, CDN, and Enterprise Intelligence (EI) services.

After completing this course, you will have a comprehensive understanding of
HUAWEI CLOUD and can better help enterprises accelerate cloud migration and
business innovation.
More Information

Huawei iLearning
 https://e.huawei.com/cn/talent/cert/#/careerCert

HUAWEI CLOUD Help Center
 https://support.huaweicloud.com/help-novice.html

HUAWEI CLOUD Academy
 https://edu.huaweicloud.com/

Acronyms and Abbreviations
⚫ AZ: availability zone
⚫ APP: application
⚫ API: application programming interface
⚫ APT: advanced persistent threat
⚫ CDN: content delivery network
⚫ CPU: central processing unit
⚫ CSA: cloud security alliance
⚫ DDoS attack: distributed denial-of-service attack
⚫ DDS: document database service
⚫ DDM: distributed database middleware

Acronyms and Abbreviations
⚫ DAS: data admin service
⚫ DWS: data warehouse service
⚫ DEW: data encryption workshop
⚫ EI: enterprise intelligence
⚫ ELB: elastic load balance
⚫ HA: highly available
⚫ HSS: host security service
⚫ IT: Internet technology
⚫ IAM: identity and access management
⚫ KMS: key management service

74 Huawei Confidential
Acronyms and Abbreviations
⚫ LAMP: Linux+Apache+PHP+MySQL (a set of open-source software usually used to build
dynamic websites)
⚫ OLAP: online analytical processing
⚫ OLTP: online transaction processing
⚫ OBS: object storage service
⚫ PITR: point-in-time recovery
⚫ RTO: recovery time objective
⚫ UGC: user generated content
⚫ VIP: virtual IP address
⚫ WAF: web application firewall

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright© 2023 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
