vpc

Four typical ways to use a VPC

The Internet is awash with software, web applications, and mobile apps that are getting easier to use and more complex to develop. Developers are also using more components. Larger applications use component decoupling and system layering to reduce the negative effects of tight coupling.

This section describes how to layer and isolate components in a VPC, four typical application modes of VPCs, and how to implement each mode depending on whether the VPC subnet is connected to the Internet, whether VPCs on the cloud platform are connected to each other, and whether the local data center is connected to the cloud VPC.

What does a VPC do?

A VPC provides users with an independent network environment and flexible, user-defined subnet segments. Users can add new subnet segments to an existing VPC at any time to ensure an unlimited supply of IP addresses. Users can also use VPNs to connect to local data centers and migrate services to the cloud.

Tip 1: Connect resources in the VPC to the Internet

A VPC uses subnets to isolate resource management. Initially, resources in a subnet cannot connect to the Internet, so all enterprise resources and services can be reached only from the intranet. However, resources that are reachable only from the intranet are clearly not what we want: the web applications that we and other service staff create need to be exposed to the public network, which requires resources in the VPC subnet to be able to access the Internet.

Requirement

Resources in the VPC subnet need to connect to the Internet.

Solution

Bind an EIP to each cloud host resource in the VPC subnet; or

Route the resources in the VPC subnet through a NAT gateway, which connects to the Internet through the EIP bound to it.

Implementation

(Figure: Cloud hosts on the VPC subnet connect to the Internet through an EIP or NAT gateway)

Create a VPC and a subnet subnet-a, and deploy the related resources such as cloud hosts in it.

EIP mode: apply for an EIP and bind it to the cloud host UHost. The cloud host can then connect to the Internet through the EIP. This is the simplest configuration, but an EIP must be bound to every cloud host, so it is not recommended when there are many resources.

NAT gateway mode: create a NAT gateway in the VPC and attach subnet-a to it. All resources in subnet-a are then routed to the NAT gateway and connect to the Internet through the EIP bound to the gateway. A single configuration thus connects all resources in the subnet to the Internet.

A cloud host can use either the EIP mode or the NAT gateway mode.

Application scenario

We choose to serve a personal blog through a UHost cloud host. When creating the cloud host, we select the subnet 192.168.1.0/24 deployed in VPC1 and apply for an EIP to bind to the cloud host so that it is reachable from the public network. Internet users can then access the blog site directly through this EIP.

Tip 2: Isolate intranet and extranet system components using VPC subnets

A single cloud host can rarely meet the needs of a real application. Setting up a high-availability enterprise blog, for example, usually requires multiple cloud hosts, load balancing, an EIP, configuration information, blog data, and a cloud database service. The web service that users access must be reachable from the public network, whereas user data and log data are used only between the internal systems and the web server. The resources should therefore be layered by whether they need external connectivity and deployed in different subnets accordingly.

Requirement

For business reasons, resources and components are divided into Internet-accessible and Internet-inaccessible groups and isolated from each other.

Solution

Create subnet-a (for Internet access) and subnet-b (intranet only) in a VPC. Attach only subnet-a to the NAT gateway to open it to the Internet. Subnet-b is not attached to the NAT gateway, and its resources are not bound to any EIP.

Implementation

Create a VPC.

Create two subnets, subnet-a and subnet-b. Subnet-a is the front-end access subnet where the cloud hosts are deployed. Subnet-b is the database subnet where the cloud database is deployed.

Configure a NAT gateway and attach the front-end access subnet subnet-a to it so that subnet-a can connect to the Internet and provide the front-end access service externally. The database subnet subnet-b can be accessed only from within the VPC. The front end connects to the UHost cloud hosts in subnet-a; the back-end servers and the cloud database in the service subnet subnet-b connect to the enterprise services and perform the data operations.

With this configuration, the front end is reachable from the Internet while the cloud database can be accessed only from the enterprise intranet, which protects the cloud database.

Application scenario: the back-end service subnet temporarily connects to the Internet

As described above, the private database subnet can reach only the intranet, but there are still situations, such as cloud database version updates and vulnerability fixes, in which it needs Internet access. For this temporary requirement, we can connect it to the Internet through the whitelist mode of the NAT gateway: add subnet-b to the NAT gateway configuration, but in whitelist mode, so that only specific ports are opened for the given database and full exposure to the Internet is avoided as far as possible.

Only the subnet that actually needs external access is attached to the NAT gateway, and fine-grained access control is implemented through the whitelist mode and the port forwarding rule configuration.
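As an added example (not code from the original article or the cloud platform), the following Python model encodes the exposure rules of Tip 1 and Tip 2 (EIP binding, full NAT-gateway attachment of subnet-a, and the temporary whitelist-mode attachment of the database subnet) so that one can check which hosts and ports can reach the Internet before and after a change. Class and field names, the attachment modes and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model of the Tip 1 / Tip 2 layout. Field names, the "all" / "whitelist"
# attachment modes and the sample addresses are my assumptions, not the platform's API.

@dataclass
class NatGateway:
    eip: str
    subnets: dict = field(default_factory=dict)    # subnet name -> "all" | "whitelist"
    whitelist: dict = field(default_factory=dict)  # host IP -> set of allowed ports

@dataclass
class Vpc:
    subnets: dict                                  # subnet name -> CIDR
    eips: dict = field(default_factory=dict)       # host IP -> EIP bound to it (Tip 1)
    nat: "NatGateway" = None

def subnet_of(vpc, host):
    for name, cidr in vpc.subnets.items():
        if ip_address(host) in ip_network(cidr):
            return name
    raise ValueError(f"{host} is not in any subnet of this VPC")

def internet_path(vpc, host, port=None):
    """How `host` reaches the Internet on `port`: 'eip', 'nat' or None (intranet only)."""
    if host in vpc.eips:
        return "eip"                               # EIP mode: the host itself is exposed
    if vpc.nat is None:
        return None
    mode = vpc.nat.subnets.get(subnet_of(vpc, host))
    if mode == "all":
        return "nat"                               # whole subnet routed through the gateway
    if mode == "whitelist" and port in vpc.nat.whitelist.get(host, set()):
        return "nat"                               # only the listed host/port pairs
    return None

def build_tip2_vpc():
    """Tip 2: subnet-a (front end) on the NAT gateway, subnet-b (database) isolated."""
    vpc = Vpc(subnets={"subnet-a": "192.168.1.0/24", "subnet-b": "192.168.2.0/24"})
    vpc.nat = NatGateway(eip="203.0.113.10", subnets={"subnet-a": "all"})
    return vpc

def open_db_for_update(vpc, db_host, ports):
    """Temporarily attach the database subnet in whitelist mode for a version update."""
    vpc.nat.subnets[subnet_of(vpc, db_host)] = "whitelist"
    vpc.nat.whitelist[db_host] = set(ports)

def close_db(vpc, db_host):  # undo open_db_for_update once the update is done
    vpc.nat.subnets.pop(subnet_of(vpc, db_host), None)
    vpc.nat.whitelist.pop(db_host, None)
```

Running `close_db` after the update restores the isolated state of Tip 2; a host without an EIP whose subnet is not attached to the gateway always gets `None`.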

Tip 3: Connect multiple VPCs on the cloud platform

When building a business, resources are deployed in different VPCs for production, development, testing, and so on, and sometimes the VPCs of different environments need to be connected. Because VPC planning did not take every variable into account, a VPC's address range may be too small, or resources may be allocated improperly among VPCs and cannot easily be redeployed. Therefore, multiple VPCs may need to be connected.

Requirement

Because production and test environments are separated and the VPCs were not planned adequately in advance, multiple VPCs on the cloud platform need to be connected.

Solution

The UCloud cloud platform supports connecting multiple VPCs across regions and projects, which can be configured directly from the console.

Implementation

In the VPC configuration of the cloud platform, select the VPCs that should communicate with each other.

All traffic in VPC1 is routed to virtual NAT gateway 1, and all traffic in VPC2 is routed to virtual NAT gateway 2.

The UCloud cloud platform connects VPC1 and VPC2 automatically, so that traffic can flow between the two VPCs.

This process no longer requires us to configure the routing table ourselves, but to understand how the traffic flows, we can analyze the virtual routing table implemented underneath. The virtual routing table in VPC1 is:

The virtual routing table in VPC2 is:

The configuration and management itself is relatively simple, as shown in the following figure.

Tip 4: Connect the local enterprise network to the cloud VPC

Requirement

User services are deployed in multiple geographic locations or local data centers, and the local service network needs to be connected to a VPC in the cloud.

Solution

Use a VPN or the UConnect private line service to connect the subnet of the local data center to the VPC subnet on the UCloud cloud platform.

Use cross-region UDPN to connect multiple VPC subnets on the UCloud cloud platform.

Implementation

Deploy public and private subnets in the cloud, and deploy the cloud platform resources required by the services in them.

Configure an IPSec VPN on the cloud side: set the cloud gateway address and the local (peer) gateway address provided by the customer.

Install the VPN software at the customer's local site, and configure the customer's local gateway and the cloud gateway there.

Configure the VPN tunnel on both the cloud VPN and the customer's local VPN, connect the specified subnets, and test that traffic flows normally.
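The virtual routing table mentioned in Tip 3 and the VPN route of Tip 4 can be worked through with the following added Python example (not code from the original article or the cloud platform): a VPC routing table with local subnets, a peer VPC reached through its virtual NAT gateway, and the local data center reached through the IPSec VPN, plus a check for overlapping address ranges, which is where insufficient pre-planning of VPCs usually shows up. The route entries, next-hop names and CIDRs are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the "virtual routing table" of Tip 3, extended with the VPN
# route of Tip 4. Next-hop names and CIDRs are my assumptions, not the platform's tables.

def build_route_table(local_cidrs, remote_routes):
    """local_cidrs: this VPC's own subnets (delivered locally).
    remote_routes: destination CIDR -> next hop (peer VPC via its virtual NAT
    gateway, local data center via the IPSec VPN)."""
    table = [(ip_network(c), "local") for c in local_cidrs]
    table += [(ip_network(c), hop) for c, hop in remote_routes.items()]
    return table

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins; no match
    means the packet is dropped (a VPC without NAT/EIP has no default route)."""
    dst = ip_address(dst)
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def overlapping_ranges(ranges):
    """Pairs of connected networks whose address ranges overlap; such ranges
    cannot be routed unambiguously once the VPCs or the data center are connected."""
    nets = sorted((ip_network(c), name) for name, c in ranges.items())
    return [(a, b) for i, (na, a) in enumerate(nets)
            for nb, b in nets[i + 1:] if na.overlaps(nb)]

# VPC1 as in the text: its own subnets, peered with VPC2, plus a VPN to the data center
VPC1_TABLE = build_route_table(
    ["10.1.1.0/24", "10.1.2.0/24"],
    {"10.2.0.0/16": "virtual NAT gateway 1",   # VPC2 via the VPC connection (Tip 3)
     "172.16.0.0/16": "ipsec-vpn"},            # local data center via VPN (Tip 4)
)

if __name__ == "__main__":
    for dst in ("10.1.2.9", "10.2.5.5", "172.16.3.3", "8.8.8.8"):
        print(dst, "->", lookup(VPC1_TABLE, dst))
    print(overlapping_ranges({"VPC1": "10.1.0.0/16", "VPC2": "10.2.0.0/16",
                              "DC": "10.1.0.0/20"}))
```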

Application scenario

There are many types of cross-geographic VPC connections; by location they include:

Connectivity within the cloud platform: multiple VPCs distributed across multiple regions of the UCloud cloud platform.

Hybrid cloud architecture (basic): connects an enterprise customer's local data center to a VPC on the UCloud cloud platform.

Hybrid cloud architecture: multiple VPCs on the cloud platform connected with VPCs in the local data center.
