. Ensure they have space before and after. */.ullinks,ul.simple{list-style-type:none}.attention,.danger,.ddexpand,.dlexpand,.example,.fastpath,.important,.liexpand,.linklist,.note,.notice,.olchildlink,.relconcepts,.relinfo,.relref,.reltasks,.remember,.restriction,.section,.sliexpand,.stepexpand,.substepexpand,.tip,.ulchildlink,.warning{margin-top:1em;margin-bottom:1em}.linklistwithchild,.sublinklist{margin-top:1em;margin-right:1.5em;margin-bottom:1em}.breadcrumb{font-size:smaller;margin-bottom:1em}.prereq{margin-right:20px}/*! Set heading sizes, getting smaller for deeper nesting */.topictitle1{font-size:1.34em;margin-top:0;margin-bottom:.1em}.topictitle2,.topictitle3,.topictitle4,.topictitle5,.topictitle6,.sectiontitle{font-size:1.17em}.topictitle2{margin-top:1pc;margin-bottom:.45em}.topictitle3{margin-top:1pc;margin-bottom:.17em;font-weight:700}.topictitle4{margin-top:.83em;font-weight:700}.topictitle5{font-weight:700}.topictitle6{font-style:italic}.sectiontitle{margin-top:1em;margin-bottom:0;color:#000;font-weight:700}/*! All note formats have the same default presentation */.attentiontitle,.bold,.cautiontitle,.dangertitle,.dlterm,.fastpathtitle,.firstcol,.importanttitle,.notelisttitle,.notetitle,.noticetitle,.parmname,.remembertitle,.restrictiontitle,.tiptitle,.uicontrol,.warningtitle{font-weight:700}.caution{font-weight:700;margin-bottom:1em}/*! Simple lists do not get a bullet *//*! Used on the first column of a table, when rowheader="firstcol" is used *//*! Various basic phrase styles */.boldItalic{font-weight:700;font-style:italic}.shortcut,.underlined{text-decoration:underline}/*! 2008-10-27 keyword采用跟随上下文的样式
+*//*! Default of bold for definition list terms *//*! Use CSS to expand lists with @compact="no" */.dltermexpand{font-weight:700;margin-top:1em}[compact="yes"]>li{margin-top:0}[compact="no"]>li{margin-top:.53em}/*! Align images based on @align on topic/image */div.imageleft,.text-align-left{text-align:left}div.imagecenter,.text-align-center{text-align:center}div.imageright,.text-align-right{text-align:right}div.imagejustify,.text-align-justify{text-align:justify}.cellrowborder{border-right:0;border-top:0;border-left:1px solid;border-bottom:1px solid}.row-nocellborder{border-left:hidden;border-right:0;border-top:0;border-bottom:1px solid}.cell-norowborder{border-top:0;border-bottom:hidden;border-right:0;border-left:1px solid}.nocellnorowborder{border:0;border-left:hidden;border-bottom:hidden}pre.codeblock,pre.screen{padding:5px;border:outset;background-color:#ccc;margin-top:2px;margin-bottom:2px;white-space:pre}
\ No newline at end of file
diff --git a/docs/vpc/umn/public_sys-resources/danger_3.0-en-us.png b/docs/vpc/umn/public_sys-resources/danger_3.0-en-us.png
new file mode 100644
index 000000000..47a9c7235
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/danger_3.0-en-us.png differ
diff --git a/docs/vpc/umn/public_sys-resources/delta.gif b/docs/vpc/umn/public_sys-resources/delta.gif
new file mode 100644
index 000000000..0d1b1f674
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/delta.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/deltaend.gif b/docs/vpc/umn/public_sys-resources/deltaend.gif
new file mode 100644
index 000000000..cc7da0fc8
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/deltaend.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-arrowdn.gif b/docs/vpc/umn/public_sys-resources/icon-arrowdn.gif
new file mode 100644
index 000000000..84eec9be2
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-arrowdn.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-arrowrt.gif b/docs/vpc/umn/public_sys-resources/icon-arrowrt.gif
new file mode 100644
index 000000000..39583d168
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-arrowrt.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-caution.gif b/docs/vpc/umn/public_sys-resources/icon-caution.gif
new file mode 100644
index 000000000..079c79b26
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-caution.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-danger.gif b/docs/vpc/umn/public_sys-resources/icon-danger.gif
new file mode 100644
index 000000000..079c79b26
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-danger.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-huawei.gif b/docs/vpc/umn/public_sys-resources/icon-huawei.gif
new file mode 100644
index 000000000..a31d60f89
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-huawei.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-note.gif b/docs/vpc/umn/public_sys-resources/icon-note.gif
new file mode 100644
index 000000000..31be2b039
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-note.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-notice.gif b/docs/vpc/umn/public_sys-resources/icon-notice.gif
new file mode 100644
index 000000000..409070650
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-notice.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-tip.gif b/docs/vpc/umn/public_sys-resources/icon-tip.gif
new file mode 100644
index 000000000..c47bae05c
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-tip.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/icon-warning.gif b/docs/vpc/umn/public_sys-resources/icon-warning.gif
new file mode 100644
index 000000000..079c79b26
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/icon-warning.gif differ
diff --git a/docs/vpc/umn/public_sys-resources/note_3.0-en-us.png b/docs/vpc/umn/public_sys-resources/note_3.0-en-us.png
new file mode 100644
index 000000000..57a0e1f53
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/note_3.0-en-us.png differ
diff --git a/docs/vpc/umn/public_sys-resources/notice_3.0-en-us.png b/docs/vpc/umn/public_sys-resources/notice_3.0-en-us.png
new file mode 100644
index 000000000..fa4b64990
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/notice_3.0-en-us.png differ
diff --git a/docs/vpc/umn/public_sys-resources/popup.js b/docs/vpc/umn/public_sys-resources/popup.js
new file mode 100644
index 000000000..a550862ed
--- /dev/null
+++ b/docs/vpc/umn/public_sys-resources/popup.js
@@ -0,0 +1 @@
+var i=0;var dhtmlgoodies_tooltipFlag=false;var dhtmlgoodies_tooltip="";var dhtmlgoodies_tooltipShadow="";var dhtmlgoodies_shadowSize=3;var dhtmlgoodies_tooltipMaxWidth=500;var dhtmlgoodies_tooltipMinWidth=100;var dhtmlgoodies_iframe=false;var timeId;var clickFlag=false;var tooltip_is_msie=(navigator.userAgent.indexOf("MSIE")>=0&&navigator.userAgent.indexOf("opera")==-1&&document.all)?true:false;var xPos;var yPos;window.document.onmousemove=function(a){a=a||window.event;if(a.pageX){xPos=a.pageX;yPos=a.pageY}else{if(document.body!==null&&typeof document.body!=="undefined"){xPos=a.clientX+document.body.scrollLeft-document.body.clientLeft;yPos=a.clientY+document.body.scrollTop-document.body.clientTop}}};function showTooltip(e){if(document.body===null||typeof document.body==="undefined"){return}if(i==0){return}clickFlag=true;var f=Json.parse("jsonData."+e);var a=Math.max(document.body.clientWidth,document.documentElement.clientWidth)-20;if(!dhtmlgoodies_tooltipFlag){dhtmlgoodies_tooltip=document.createElement("DIV");dhtmlgoodies_tooltip.id="dhtmlgoodies_tooltip";dhtmlgoodies_tooltipShadow=document.createElement("DIV");dhtmlgoodies_tooltipShadow.id="dhtmlgoodies_tooltipShadow";document.body.appendChild(dhtmlgoodies_tooltip);document.body.appendChild(dhtmlgoodies_tooltipShadow);if(tooltip_is_msie){dhtmlgoodies_iframe=document.createElement("IFRAME");dhtmlgoodies_iframe.frameborder="5";dhtmlgoodies_iframe.style.backgroundColor="#FFFFFF";dhtmlgoodies_iframe.src="#";dhtmlgoodies_iframe.style.zIndex=100;dhtmlgoodies_iframe.style.position="absolute";document.body.appendChild(dhtmlgoodies_iframe)}}dhtmlgoodies_tooltip.style.display="block";dhtmlgoodies_tooltipShadow.style.display="block";if(tooltip_is_msie){dhtmlgoodies_iframe.style.display="block"}var b=Math.max(document.body.scrollTop,document.documentElement.scrollTop);if(navigator.userAgent.toLowerCase().indexOf("safari")>=0){b=0}var c=xPos+10;dhtmlgoodies_tooltip.style.width=null;dhtmlgoodies_tooltip.innerHTML=f;dhtmlgoodies_tooltip.style.left=c+"px";if(tooltip_is_msie){dhtmlgoodies_tooltip.style.top=yPos+20+b+"px"}else{dhtmlgoodies_tooltip.style.top=yPos+20+"px"}dhtmlgoodies_tooltipShadow.style.left=c+dhtmlgoodies_shadowSize+"px";if(tooltip_is_msie){dhtmlgoodies_tooltipShadow.style.top=yPos+20+b+dhtmlgoodies_shadowSize+"px"}else{dhtmlgoodies_tooltipShadow.style.top=yPos+20+dhtmlgoodies_shadowSize+"px"}if(dhtmlgoodies_tooltip.offsetWidth>dhtmlgoodies_tooltipMaxWidth){dhtmlgoodies_tooltip.style.width=dhtmlgoodies_tooltipMaxWidth+"px"}var d=dhtmlgoodies_tooltip.offsetWidth;if(d
a){dhtmlgoodies_tooltip.style.left=(dhtmlgoodies_tooltipShadow.style.left.replace("px","")-((c+d)-a))+"px";dhtmlgoodies_tooltipShadow.style.left=(dhtmlgoodies_tooltipShadow.style.left.replace("px","")-((c+d)-a)+dhtmlgoodies_shadowSize)+"px"}if(tooltip_is_msie){dhtmlgoodies_iframe.style.left=dhtmlgoodies_tooltip.style.left;dhtmlgoodies_iframe.style.top=dhtmlgoodies_tooltip.style.top;dhtmlgoodies_iframe.style.width=dhtmlgoodies_tooltip.offsetWidth+"px";dhtmlgoodies_iframe.style.height=dhtmlgoodies_tooltip.offsetHeight+"px"}}function hideTooltip(){i=0;clickFlag=false;if((dhtmlgoodies_tooltip!==null&&typeof dhtmlgoodies_tooltip!=="undefined")&&+(dhtmlgoodies_tooltip.style!==null&&typeof dhtmlgoodies_tooltip.style!=="undefined")){dhtmlgoodies_tooltip.style.display="none";dhtmlgoodies_tooltipShadow.style.display="none";if(tooltip_is_msie){dhtmlgoodies_iframe.style.display="none"}}if(timeId!==null&&typeof timeId!=="undefined"&&timeId!=""){clearTimeout(timeId)}}function showText(a){i=1;timeId=setTimeout(function(){showTooltip(a)},500)}function showText2(a){if(!clickFlag){i=1;showTooltip(a);i=0;if(timeId!==null&&typeof timeId!=="undefined"&&timeId!=""){clearTimeout(timeId)}}}function anchorScroll(b){var d=document.getElementsByName(b);if(d!=null&&d.length>0){var c=d[0];var a=c.getBoundingClientRect().left+(document.body.scrollLeft||(document.documentElement&&document.documentElement.scrollLeft));var e=c.getBoundingClientRect().top+(document.body.scrollTop||(document.documentElement&&document.documentElement.scrollTop));window.scrollTo(a,e-30)}};
\ No newline at end of file
diff --git a/docs/vpc/umn/public_sys-resources/warning_3.0-en-us.png b/docs/vpc/umn/public_sys-resources/warning_3.0-en-us.png
new file mode 100644
index 000000000..def5c3565
Binary files /dev/null and b/docs/vpc/umn/public_sys-resources/warning_3.0-en-us.png differ
diff --git a/docs/vpc/umn/route_0001.html b/docs/vpc/umn/route_0001.html
new file mode 100644
index 000000000..06dd71e11
--- /dev/null
+++ b/docs/vpc/umn/route_0001.html
@@ -0,0 +1,99 @@
+
+
+Route Table Overview
+A custom route is a user-defined routing rule added to a VPC.
+
Route Table
A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
+
Figure 1 Route table
+
+
Default Route Table and Custom Route Table
When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. You can add, delete, and modify routes in the default route table, but you cannot delete the route table. When you create a VPN, Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. If you want to modify or delete the route, you can associate your subnet with a custom route table and replicate the route to the custom route table to modify or delete it.
+
If you do not want to use the default route table, you can now create a custom route table and associate it with the subnet. You can delete the custom route table if it is no longer required.
+
The custom route table associated with a subnet affects only the outbound traffic. The default route table determines the inbound traffic.
+
+
For details about how to create a custom route table, see section Creating a Custom Route Table.
+
+
Route
A route is configured with the destination, next hop type, and next hop to determine where network traffic is directed. Routes are classified into system routes and custom routes.
+
- System routes: These routes are automatically added by the system and cannot be modified or deleted.
After a route table is created, the system automatically adds the following system routes to the route table, so that instances in a VPC can communicate with each other.
- Routes whose destination is 100.64.0.0/10 or 198.19.128.0/20.
- Routes whose destination is a subnet CIDR block.
In addition to the preceding system routes, the system automatically adds a route whose destination is 127.0.0.0/8. This is the local loopback address.
+
+
+
- Custom routes: These are routes that you can add, modify, and delete. The destination of a custom route cannot overlap with that of a system route.
You can add a custom route and configure the destination, next hop type, and next hop in the route to determine where network traffic is directed.
Table 1 lists the supported types of next hops.
+
Table 1 Next hop typeNext Hop Type
+ |
+Description
+ |
+Supported Route Table
+ |
+
|---|
+
+Server
+ |
+Traffic intended for the destination is forwarded to an ECS in the VPC.
+ |
+- Default route table
- Custom route table
+ |
+
+Extension NIC
+ |
+Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC.
+ |
+- Default route table
- Custom route table
+ |
+
+VPN connection
+ |
+Traffic intended for the destination is forwarded to a VPN gateway.
+ |
+Custom route table
+ |
+
+Direct Connect gateway
+ |
+Traffic intended for the destination is forwarded to a Direct Connect gateway.
+ |
+Custom route table
+ |
+
+NAT gateway
+ |
+Traffic intended for the destination is forwarded to a NAT gateway.
+ |
+- Default route table
- Custom route table
+ |
+
+VPC peering connection
+ |
+Traffic intended for the destination is forwarded to a VPC peering connection.
+ |
+- Default route table
- Custom route table
+ |
+
+Virtual IP address
+ |
+Traffic intended for the destination is forwarded to a virtual IP address and then sent to active and standby ECSs to which the virtual IP address is bound.
+ |
+- Default route table
- Custom route table
+ |
+
+
+
+
+
If you specify the destination when creating a resource, a system route is delivered. If you do not specify a destination when creating a resource, a custom route that can be modified or deleted is delivered.
+
For example, when you create a NAT gateway, the system automatically delivers a custom route without a specific destination (0.0.0.0/0 is used by default). In this case, you can change the destination. However, when you create a VPN connection or Direct Connect gateway, you need to specify the remote subnet, that is, the destination of a route. In this case, the system delivers this system route. Do not modify the route destination on the Route Tables page. If you do, the destination will be inconsistent with the configured remote subnet. To modify the route destination, go to the specific resource page and modify the remote subnet, then the route destination will be changed accordingly.
+
+
+
+
Custom Route Table Configuration Process
Figure 2 shows the process of creating and configuring a custom route table.
+
Figure 2 Route table configuration process
+
- For details about how to create a custom route table, see Creating a Custom Route Table.
- For details about how to add a custom route, see Adding a Custom Route.
- For details about how to associate a subnet with a route table, see Associating a Subnet with a Route Table. After the association, the routes in the route table control the routing for the subnet.
+
+
Notes and Constraints
- A maximum of 10 route tables, including the default one, can be created for each VPC.
- A maximum of 200 routes can be added to each route table.
- The default route table cannot be deleted.
- The system route cannot be modified or deleted.
- The routes delivered by the VPN service to the default route table cannot be modified, replicated, or deleted.
- The routes delivered by the Direct Connect service to the default route table cannot be modified or deleted.
- If the Direct Connect service is enabled in the self-service mode, the routes delivered to the default route table can be replicated to the custom route table.
- If the Direct Connect service is enabled by call or email, the routes delivered to the default route table cannot be replicated to the custom route table.
+ - Black hole routes cannot be replicated.
- When you add a custom route to a default route table, the next hop type cannot be set to VPN connection or Direct Connect gateway.
+
+
Shared Bandwidth
+
+
+
diff --git a/docs/vpc/umn/vpc010004.html b/docs/vpc/umn/vpc010004.html
new file mode 100644
index 000000000..09eac6c5c
--- /dev/null
+++ b/docs/vpc/umn/vpc010004.html
@@ -0,0 +1,15 @@
+
+
+Shared Bandwidth Overview
+Shared bandwidth allows multiple EIPs to share the same bandwidth. All ECSs, BMSs, and load balancers that have EIPs bound in the same region can share a bandwidth.
+
When you host a large number of applications on the cloud, if each EIP uses an independent bandwidth, a lot of bandwidths are required, increasing O&M workload. If all EIPs share the same bandwidth, VPCs and the region-level bandwidth can be managed in a unified manner, simplifying O&M statistics and network operations cost settlement.
+
- Easy to Manage
Region-level bandwidth sharing and multiplexing simplify O&M statistics, management, and operations cost settlement.
+ - Flexible Operations
You can add EIPs to a shared bandwidth or remove them from a shared bandwidth regardless of the instances to which they are bound.
+
+
Assigning a Shared Bandwidth
+Scenarios
Assign a shared bandwidth for use with EIPs.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the upper right corner, click Assign Shared Bandwidth. On the displayed page, configure parameters as prompted.
+
Figure 1 Assigning Shared Bandwidth
+
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Region
+ |
+Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.
+ |
+eu-de
+ |
+
+Bandwidth
+ |
+The bandwidth size in Mbit/s. The value ranges from starting with 5 Mbit/s. The maximum bandwidth can be 1000 Mbit/s.
+ |
+10
+ |
+
+Bandwidth Name
+ |
+The name of the shared bandwidth.
+ |
+Bandwidth-001
+ |
+
+
+
+
+
- Click Create Now.
+
+
Adding EIPs to a Shared Bandwidth
+Scenarios
Add EIPs to a shared bandwidth and the EIPs can then share that bandwidth. You can add multiple EIPs to a shared bandwidth at the same time.
+
+
Notes and Constraints
- After an EIP is added to a shared bandwidth, the original bandwidth used by the EIP will become invalid and the EIP will start to use the shared bandwidth.
- The EIP's original dedicated bandwidth will be deleted.
- Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the shared bandwidth to which you want to add EIPs. In the Operation column, choose More > Add EIP, and select the EIPs to be added.
Figure 1 Add EIP
+ - Click OK.
+
+
Removing EIPs from a Shared Bandwidth
+Scenarios
Remove EIPs that are no longer required from a shared bandwidth if needed.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the bandwidth from which EIPs are to be removed, choose More > Remove EIP in the Operation column, and select the EIPs to be removed in the displayed dialog box.
Figure 1 Remove EIP
+ - Click OK.
+
+
Modifying a Shared Bandwidth
+Scenarios
You can modify the name and size of a shared bandwidth as required.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the shared bandwidth you want to modify, click Modify Bandwidth in the Operation column, and modify the bandwidth settings.
Figure 1 Modify Bandwidth
+ - Click Next.
- Click Submit.
+
+
Deleting a Shared Bandwidth
+Scenarios
Delete a shared bandwidth when it is no longer required.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the shared bandwidth you want to delete, click More in the Operation column, and then click Delete.
- In the displayed dialog box, click Yes.
+
+
Monitoring
+
+
+
diff --git a/docs/vpc/umn/vpc010012.html b/docs/vpc/umn/vpc010012.html
new file mode 100644
index 000000000..cc2bd7ca5
--- /dev/null
+++ b/docs/vpc/umn/vpc010012.html
@@ -0,0 +1,124 @@
+
+
+Supported Metrics
+Description
This section describes the namespace, list, and measurement dimensions of EIP and bandwidth metrics that you can check on Cloud Eye. You can use APIs or the Cloud Eye console to query the metrics of the monitored metrics and alarms generated for EIPs and bandwidths.
+
+
+
Monitoring Metrics
+
Table 1 EIP and bandwidth metricsID
+ |
+Name
+ |
+Description
+ |
+Value Range
+ |
+Monitored Object
+ |
+Monitoring Interval (Raw Data)
+ |
+
|---|
+
+upstream_bandwidth
+ |
+Outbound Bandwidth
+ |
+Network rate of outbound traffic
+Unit: bit/s
+ |
+≥ 0 bit/s
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+downstream_bandwidth
+ |
+Inbound Bandwidth
+ |
+Network rate of inbound traffic
+Unit: bit/s
+ |
+≥ 0 bit/s
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+up_stream
+ |
+Outbound Traffic
+ |
+Network traffic going out of the cloud platform
+Unit: byte
+ |
+≥ 0 bytes
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+down_stream
+ |
+Inbound Traffic
+ |
+Network traffic going into the cloud platform
+Unit: byte
+ |
+≥ 0 bytes
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+
+
+
+
+
Dimensions
+
Key
+ |
+Value
+ |
+
|---|
+
+publicip_id
+ |
+EIP ID
+ |
+
+bandwidth_id
+ |
+Bandwidth ID
+ |
+
+
+
+
+
If a monitored object has multiple dimensions, all dimensions are mandatory when you use APIs to query the metrics.
- Query a monitoring metric:
dim.0=bandwidth_id,530cd6b0-86d7-4818-837f-935f6a27414d&dim.1=publicip_id,3773b058-5b4f-4366-9035-9bbd9964714a
+ - Query monitoring metrics in batches:
"dimensions": [
+{
+"name": "bandwidth_id",
+"value": "530cd6b0-86d7-4818-837f-935f6a27414d"
+}
+{
+"name": "publicip_id",
+"value": "3773b058-5b4f-4366-9035-9bbd9964714a"
+}
+],
+
+
+
+
+
Viewing Metrics
+Scenarios
View related metrics to see bandwidth and EIP usage information.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Hover on the upper left corner to display Service List and choose Management & Governance > Cloud Eye.
- Click Cloud Service Monitoring on the left of the page, and choose Elastic IP and Bandwidth.
- Locate the row that contains the target bandwidth or EIP and click View Metric in the Operation column to check the bandwidth or EIP monitoring information.
+
+
Creating an Alarm Rule
+Scenarios
You can configure alarm rules to customize the monitored objects and notification policies. You can learn your resource statuses at any time.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Hover on the upper left corner to display Service List and choose Management & Governance > Cloud Eye.
- In the left navigation pane on the left, choose Alarm Management > Alarm Rules.
- On the Alarm Rules page, click Create Alarm Rule and set required parameters, or modify an existing alarm rule.
- After the parameters are set, click Create.
After the alarm rule is created, the system automatically notifies you if an alarm is triggered for the VPC service.
+ For more information about alarm rules, see the Cloud Eye User Guide.
+
+
+
+
Basic Concepts
+
+
+
diff --git a/docs/vpc/umn/vpc_Concepts_0003.html b/docs/vpc/umn/vpc_Concepts_0003.html
new file mode 100644
index 000000000..3450877fb
--- /dev/null
+++ b/docs/vpc/umn/vpc_Concepts_0003.html
@@ -0,0 +1,13 @@
+
+
+Elastic IP
+The Elastic IP (EIP) service enables your cloud resources to communicate with the Internet using static public IP addresses and scalable bandwidths. EIPs can be bound to or unbound from ECSs, BMSs, virtual IP addresses, NAT gateways, or load balancers.
+
Each EIP can be used by only one cloud resource at a time.
Figure 1 Accessing the Internet using an EIP
+
+
SNAT
+In addition to services provided by the system, some ECSs need to access the Internet to obtain information or download software. You can bind EIPs to virtual NICs (ports) of ECSs to enable the ECSs to access the Internet. However, assigning an EIP to each ECS consumes already-limited IPv4 addresses, incurs additional costs, and may increase the attack surface for a virtual environment. Therefore, SNAT is introduced to enable multiple ECSs to share one EIP.
+
On a public cloud, an EIP can be assigned to an ECS that serves as the SNAT router or gateway for other ECSs from the same subnet or VPC.
+
For details about how to configure SNAT, see Configuring an SNAT Server.
+
Security Group
+A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted within a VPC. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group.
+
Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules.
+
Shared SNAT
+The VPC service provides free SNAT function, which allows ECSs to use a limited number of public IP addresses to gain one-way access to the Internet for operations, such as updating software. However, Internet users cannot directly access the ECSs.
+
Figure 1 shows how shared SNAT works. The SNAT device forwards traffic from ECSs to the Internet and the response traffic from the Internet to the ECSs. When forwarding ECS traffic to the Internet, the SNAT device converts the source IP addresses (ECS private IP addresses) in the data packets into the public IP addresses set on the SNAT device. When processing the response packets from the Internet to the ECSs, the SNAT device changes the public IP addresses in the response data packets to the private IP addresses of the ECSs.
+
Figure 1 SNAT function
+
- To enable shared SNAT using the API, set enable_snat to true by following the instructions provided in Neutron > Routers > Update router in the Native OpenStack API Reference.
- To enable shared SNAT on the management console:
- Log in to the management console.
- On the console homepage, under Network, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC for which shared SNAT is to be enabled, and click Modify.
- In the displayed dialog box, enable Shared SNAT.
- Click OK.
+
+
After being configured for a VPC, shared SNAT takes effect for the whole VPC. If EIPs are bound to ECSs in a VPC for which shared SNAT is configured, Internet traffic is preferentially forwarded using the EIPs. If you want to prevent an ECS from connecting to the Internet, you can configure an outbound rule for the security group associated with the ECS.
+
For example:
+
To prevent an ECS from connecting to the Internet but allow the ECS to access 192.168.10.0/24, configure the following rule for the security group associated with the ECS:
+
- Delete the default outbound rule that allows all outgoing data packets from the security group.
After this rule is deleted, ECSs associated with this security group are not allowed to access any network, including the internal networks in the VPC of the ECSs.
+Figure 2 Deleting the default outbound rule from the security group
+ - Add the required outbound rule.
The following shows the added outbound rule that allows the ECS to access the 192.168.10.0/24 CIDR block.
Figure 3 Adding an outbound rule for the security group
+
The differences between shared SNAT and custom routes are as follows:
+- Shared SNAT provides the SNAT function for a specified VPC through an API or the management console and enables all ECSs in the VPC to gain one-way access to the Internet.
- A custom route enables ECSs to access the Internet through an SNAT server that has an EIP bound. The ECSs' access requests are routed to the SNAT server based on the route table.
- Shared SNAT takes effect for the whole VPC by default, while a custom route takes effect for the VPC or subnet for which routes have been configured.
- A custom route has a higher priority than a shared SNAT.
+
+
VPC Peering Connection
+A VPC peering connection is a network connection between two VPCs in one region that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same region. You can create a VPC peering connection between your own VPCs, or between your VPC and another account's VPC within the same region. However, you cannot create a VPC peering connection between VPCs in different regions.
+
Each account can have a maximum of 50 VPC peering connections in each region by default.
+
+
For details about VPC peering connections, see VPC Peering Connection.
+
Virtual IP Address
+A virtual IP address can be shared among multiple ECSs. An ECS can have both private and virtual IP addresses, and you can access the ECS through either IP address. A virtual IP address has the same network access capabilities as a private IP address, including layer 2 and layer 3 communication in VPCs, access between VPCs using VPC peering connections, as well as access through EIPs, VPN connections, and Direct Connect connections.
+
You can bind ECSs deployed in active/standby mode with the same virtual IP address, and then bind an EIP to the virtual IP address. Virtual IP addresses can work together with Keepalived to ensure high availability and disaster recovery. If the active ECS is faulty, the standby ECS automatically takes over services from the active one.
+
Networking
Virtual IP addresses are used for high availability and can work together with Keepalived to make active/standby ECS switchover possible. This way if one ECS goes down for some reason, the other one can take over and services continue uninterrupted. ECSs can be configured for HA or as load balancing clusters.
+
- Networking mode 1: HA
If you want to improve service availability and avoid single points of failure, you can deploy ECSs in the active/standby mode or deploy one active ECS and multiple standby ECSs. In this arrangement, the ECSs all use the same virtual IP address. If the active ECS becomes faulty, a standby ECS takes over services from the active ECS and services continue uninterrupted.
+Figure 1 Networking diagram of the HA mode
+- In this configuration, a single virtual IP address is bound to two ECSs in the same subnet.
- Keepalived is then used to configure the two ECSs to work in the active/standby mode. Follow industry standards for configuring Keepalived. The details are not included here.
+ - Networking mode 2: HA load balancing cluster
If you want to build a high-availability load balancing cluster, use Keepalived and configure LVS nodes as direct routers.
+Figure 2 HA load balancing cluster
+- Bind a single virtual IP address to two ECSs.
- Configure the two ECSs as LVS nodes working as direct routers and use Keepalived to configure the nodes in the active/standby mode. The two ECSs will evenly forward requests to different backend servers.
- Configure two more ECSs as backend servers.
- Disable the source/destination check for the two backend servers.
+
Follow industry standards for configuring Keepalived. The details are not included here.
+
+
+
Application Scenarios
- Accessing the virtual IP address through an EIP
If your application has high availability requirements and needs to provide services through the Internet, it is recommended that you bind an EIP to a virtual IP address.
+ - Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP address
To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection. The VPC peering connection is needed so that the VPCs in the same region can communicate with each other.
+
+
+
VPC Flow Log
+
+
+
diff --git a/docs/vpc/umn/vpc_FlowLog02_0001.html b/docs/vpc/umn/vpc_FlowLog02_0001.html
new file mode 100644
index 000000000..a56632966
--- /dev/null
+++ b/docs/vpc/umn/vpc_FlowLog02_0001.html
@@ -0,0 +1,16 @@
+
+
+VPC Flow Log Overview
+A VPC flow log records information about the traffic going to and from a VPC. VPC flow logs help you monitor network traffic, analyze network attacks, and determine whether security group and firewall rules require modification.
+
VPC flow logs must be used together with the Log Tank Service (LTS). Before you create a VPC flow log, you need to create a log group and a log topic in LTS. Figure 1 shows the process for configuring the VPC flow log function.
+
Figure 1 Configuring the VPC flow log function
+
+
Notes and Constraints
- Currently, only C3, M3, and S2 ECSs support VPC flow logs.
- By default, you can create a maximum of 10 VPC flow logs.
- By default, a maximum of 400,000 flow log records are supported.
+
+
Creating a VPC Flow Log
+Scenarios
A VPC flow log records information about the traffic going to and from a VPC.
+
+
Prerequisites
Ensure that the following operations have been performed on the LTS console:
+
- Create a log group.
- Create a log topic.
+
For more information about the LTS service, see the Log Tank Service User Guide.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose VPC Flow Logs.
- In the upper right corner, click Create VPC Flow Log. On the displayed page, configure parameters as prompted.
Figure 1 Create VPC Flow Log
+
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The VPC flow log name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+flowlog-495d
+ |
+
+Resource Type
+ |
+The type of resources whose traffic is to be logged. You can select NIC, Subnet, or VPC.
+ |
+NIC
+ |
+
+Resource
+ |
+The specific NIC whose traffic is to be logged.
+ NOTE: We recommend that you select an ECS that is in the running state. If an ECS in the stopped state is selected, restart the ECS after creating the VPC flow log for accurately recording the information about the traffic going to and from the ECS NIC.
+
+ |
+N/A
+ |
+
+Filter
+ |
+- All traffic: specifies that both accepted and rejected traffic of the specified resource will be logged.
- Accepted traffic: specifies that only accepted traffic of the specified resource will be logged. Accepted traffic refers to the traffic permitted by the security group or firewall.
- Rejected traffic: specifies that only rejected traffic of the specified resource will be logged. Rejected traffic refers to the traffic denied by the firewall.
+ |
+All
+ |
+
+Log Group
+ |
+The log group created in LTS.
+ |
+lts-group-wule
+ |
+
+Log Topic
+ |
+The log topic created in LTS.
+ |
+LogTopic1
+ |
+
+Description
+ |
+Supplementary information about the VPC flow log. This parameter is optional.
+The VPC flow log description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
+
Only two flow logs, each with a different filter, can be created for a single resource under the same log group and log topic. Each VPC flow log must be unique.
+
+ - Click OK.
+
+
Viewing a VPC Flow Log
+Scenarios
View information about your flow log record.
+
The capture window is approximately 10 minutes, which indicates that a flow log record will be generated every 10 minutes. After creating a VPC flow log, you need to wait about 10 minutes before you can view the flow log record.
+
If an ECS is in the stopped state, its flow log records will not be displayed.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose VPC Flow Logs.
- Locate the target VPC flow log and click View Log Record in the Operation column to view information about the flow log record in LTS.
Figure 1 Viewing a log record
+Figure 2 Flow log record
+The flow log record is in the following format:
+<version> <project-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
+Example 1: The following is an example of a flow log record in which data was recorded during the capture window:
+1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd 192.168.0.154 192.168.3.25 38929 53 17 1 96 1548752136 1548752736 ACCEPT OK
+Value 1 indicates the VPC flow log version. Traffic with a size of 96 bytes to NIC 1d515d18-1b36-47dc-a983-bd6512aed4bd during the past 10 minutes (from 16:55:36 to 17:05:36 on January 29, 2019) was allowed. A data packet was transmitted over the UDP protocol from source IP address 192.168.0.154 and port 38929 to destination IP address 192.168.3.25 and port 53.
+Example 2: The following is an example of a flow log record in which no data was recorded during the capture window:
+1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - - 1431280876 1431280934 - NODATA
+Example 3: The following is an example of a flow log record in which data was skipped during the capture window:
+1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - - 1431280876 1431280934 - SKIPDATA
+Table 1 describes the fields of a flow log record.
+
+Table 1 Log field descriptionField
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+version
+ |
+The VPC flow log version.
+ |
+1
+ |
+
+project-id
+ |
+The project ID.
+ |
+5f67944957444bd6bb4fe3b367de8f3d
+ |
+
+interface-id
+ |
+The ID of the NIC for which the traffic is recorded.
+ |
+1d515d18-1b36-47dc-a983-bd6512aed4bd
+ |
+
+srcaddr
+ |
+The source IP address.
+ |
+192.168.0.154
+ |
+
+dstaddr
+ |
+The destination IP address.
+ |
+192.168.3.25
+ |
+
+srcport
+ |
+The source port.
+ |
+38929
+ |
+
+dstport
+ |
+The destination port.
+ |
+53
+ |
+
+protocol
+ |
+The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For details, see Assigned Internet Protocol Numbers.
+ |
+17
+ |
+
+packets
+ |
+The number of packets transferred during the capture window.
+ |
+1
+ |
+
+bytes
+ |
+The number of bytes transferred during the capture window.
+ |
+96
+ |
+
+start
+ |
+The time, in Unix seconds, of the start of the capture window.
+ |
+1548752136
+ |
+
+end
+ |
+The time, in Unix seconds, of the end of the capture window.
+ |
+1548752736
+ |
+
+action
+ |
+The action associated with the traffic:
+- ACCEPT: The recorded traffic was allowed by the security groups or firewalls.
- REJECT: The recorded traffic was denied by the firewalls.
+ |
+ACCEPT
+ |
+
+log-status
+ |
+The logging status of the VPC flow log:
+- OK: Data is logging normally to the chosen destinations.
- NODATA: There was no traffic of the Filter setting to or from the NIC during the capture window.
- SKIPDATA: Some flow log records were skipped during the capture window. This may be caused by an internal capacity constraint or an internal error.
+Example:
+When Filter is set to Accepted traffic, if there is accepted traffic, the value of log-status is OK. If there is no accepted traffic, the value of log-status is NODATA regardless of whether there is rejected traffic. If some accepted traffic is abnormally skipped, the value of log-status is SKIPDATA.
+ |
+OK
+ |
+
+
+
+
+
You can enter a keyword on the log topic details page on the LTS console to search for flow log records.
+
+
Enabling or Disabling VPC Flow Log
+Scenarios
After a VPC flow log is created, the VPC flow log is automatically enabled. If you do not need to record traffic data, you can disable the corresponding VPC flow log. The disabled VPC flow log can be enabled again.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose VPC Flow Logs.
- Locate the VPC flow log to be enabled or disabled, and click Enable or Disable in the Operation column.
- Click Yes.
+
+
Deleting a VPC Flow Log
+Scenarios
Delete a VPC flow log that is not required. Deleting a VPC flow log will not delete the existing flow log records in LTS.
+
If a NIC that uses a VPC flow log is deleted, the flow log will be automatically deleted. However, the flow log records are not deleted.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose VPC Flow Logs.
- Locate the row that contains the VPC flow log to be deleted and click Delete in the Operation column.
Figure 1 Deleting a VPC flow log
+ - Click Yes in the displayed dialog box.
+
+
Security Group
+
+
+
diff --git a/docs/vpc/umn/vpc_SecurityGroup02_0001.html b/docs/vpc/umn/vpc_SecurityGroup02_0001.html
new file mode 100644
index 000000000..ca2702325
--- /dev/null
+++ b/docs/vpc/umn/vpc_SecurityGroup02_0001.html
@@ -0,0 +1,27 @@
+
+
+Security Group Overview
+Security Group
A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted within a VPC. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group.
+
Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules. You can directly use the default security group. For details, see Default Security Groups and Security Group Rules.
+
You can also create custom security groups to meet your specific service requirements. For details, see Creating a Security Group.
+
+
Security Group Basics
- You can associate instances, such as servers and extension NICs, with one or more security groups.
You can change the security groups that are associated with instances, such as servers or extension NICs. By default, when you create an instance, it is associated with the default security group of its VPC unless you specify another security group.
+ - You need to add security group rules to allow instances in the same security group to communicate with each other.
- Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
Security groups use connection tracking to track traffic to and from instances that they contain and security group rules are applied based on the connection status of the traffic to determine whether to allow or deny traffic. If you add, modify, or delete a security group rule, or create or delete an instance in the security group, the connection tracking of all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered as new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and the security of incoming traffic.
+In addition, if the inbound or outbound traffic of an instance has no packets for a long time, the traffic will be considered as new connections after the connection tracking times out, and the connections need to match the outbound and inbound rules. The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both directions, the connection tracking timeout period is 180s. If one or more packets are received in one direction but no packet is received in the other direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked.
+
+
If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs.
+
+
+
Security Group Rules
After you create a security group, you can add rules to the security group. A rule applies either to inbound traffic or outbound traffic. After you add cloud resources to the security group, they are protected by the rules of the group.
+
Each security group has its default rules. For details, see Table 1. You can also customize security group rules. For details, see Adding a Security Group Rule.
+
+
Security Group Constraints
- By default, you can create a maximum of 100 security groups in your cloud account.
- By default, you can add up to 50 security group rules to a security group.
- By default, you can add an ECS or an extension NIC to a maximum of five security groups. In such a case, the rules of all the selected security groups are aggregated to take effect.
- When creating a private network load balancer, you need to select a desired security group. Do not delete the default security group rules or ensure that the following requirements are met:
- Outbound rules: only allow data packets to the selected security group or only data packets from the peer load balancer.
- Inbound rules: only allow data packets from the selected security group or only data packets from the peer load balancer.
+
+
+
Default Security Groups and Security Group Rules
+Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules.
+
Figure 1 shows the default security group rules. The following uses access between ECSs as an example.
+
Figure 1 Default security group
+
Table 1 describes the default rules for the default security group.
+
+
Table 1 Default security group rulesDirection
+ |
+Protocol
+ |
+Port/Range
+ |
+Source/Destination
+ |
+Description
+ |
+
|---|
+
+Outbound
+ |
+All
+ |
+All
+ |
+Destination: 0.0.0.0/0
+ |
+Allows all outbound traffic.
+ |
+
+Inbound
+ |
+All
+ |
+All
+ |
+Source: the current security group (for example, sg-xxxxx)
+ |
+Allows communications among ECSs within the security group and denies all inbound traffic (incoming data packets).
+ |
+
+
+
+
+
Security Group Configuration Examples
+Common security group configurations are presented here. The examples in this section allow all outgoing data packets by default. This section will only describe how to configure inbound rules.
+
+
You can use the default security group or create a security group in advance. For details, see sections Creating a Security Group and Adding a Security Group Rule.
+
Allowing External Access to a Specified Port
+
+
Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network
- Example scenario:
Resources on an ECS in a security group need to be copied to an ECS associated with another security group. The two ECSs are in the same VPC. We recommend that you enable private network communication between the ECSs and then copy the resources.
+ - Security group configuration:
Within a given VPC, ECSs in the same security group can communicate with one another by default. However, ECSs in different security groups cannot communicate with each other by default. To enable these ECSs to communicate with each other, you need to add certain security group rules.
+You can add an inbound rule to the security groups containing the ECSs to allow access from ECSs in the other security group. The required rule is as follows.
+
+Direction
+ |
+Protocol/Application
+ |
+Port
+ |
+Source
+ |
+
|---|
+
+Inbound
+ |
+Used for communication through an internal network
+ |
+Port or port range
+ |
+ID of another security group
+ |
+
+
+
+
+
+
Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group
- Example scenario:
To prevent ECSs from being attacked, you can change the port for remote login and configure security group rules that allow only specified IP addresses to remotely access the ECSs.
+ - Security group configuration:
To allow IP address 192.168.20.2 to remotely access Linux ECSs in a security group over the SSH protocol (port 22), you can configure the following security group rule.
+
+Direction
+ |
+Protocol
+ |
+Port
+ |
+Source
+ |
+
|---|
+
+Inbound
+ |
+SSH
+ |
+22
+ |
+IPv4 CIDR block or ID of another security group
+For example, 192.168.20.2/32
+ |
+
+
+
+
+
+
Remotely Connecting to Linux ECSs Using SSH
+
+
Remotely Connecting to Windows ECSs Using RDP
+
+
Enabling Communication Between ECSs
+
+
Hosting a Website on ECSs
+
+
Enabling an ECS to Function as a DNS Server
+
+
Uploading or Downloading Files Using FTP
+
+
Creating a Security Group
+Scenarios
To improve ECS access security, you can create security groups, define security group rules, and add ECSs in a VPC to different security groups. We recommend that you allocate ECSs that have different Internet access policies to different security groups.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click Create Security Group.
- In the Create Security Group area, set the parameters as prompted. Table 1 lists the parameters to be configured.
Figure 1 Create Security Group
+
+
+Table 1 Parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The security group name. This parameter is mandatory.
+The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ NOTE: You can change the security group name after a security group is created. It is recommended that you give each security group a different name.
+
+ |
+sg-318b
+ |
+
+Description
+ |
+Supplementary information about the security group. This parameter is optional.
+The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click OK.
+
+
Adding a Security Group Rule
+Scenarios
A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC.
+
If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule.
+
- Inbound rules control incoming traffic to cloud resources in the security group.
- Outbound rules control outgoing traffic from cloud resources in the security group.
+
For details about the default security group rules, see Default Security Groups and Security Group Rules. For details about security group rule configuration examples, see Security Group Configuration Examples.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
- On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.
You can click + to add more inbound rules.
+Figure 1 Add Inbound Rule
+
+Table 1 Inbound rule parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Protocol & Port
+
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Source
+ |
+The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ If the source is a security group, this rule will apply to all instances associated with the selected security group.
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- On the Outbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.
You can click + to add more outbound rules.
+Figure 2 Add Outbound Rule
+
+Table 2 Outbound rule parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Protocol & Port
+
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Destination
+ |
+The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click OK.
+
+
Fast-Adding Security Group Rules
+Scenarios
You can add multiple security group rules with different protocols and ports at the same time.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
- On the Inbound Rules tab, click Fast-Add Rule. In the displayed dialog box, select the protocols and ports you wish to add all at once.
Figure 1 Fast-Add Inbound Rule
+
+ - On the Outbound Rules tab, click Fast-Add Rule. In the displayed dialog box, select required protocols and ports to add multiple rules at a time.
+
Figure 2 Fast-Add Outbound Rule
+
+ - Click OK.
+
+
Replicating a Security Group Rule
+Scenarios
Replicate an existing security group rule to generate a new rule. When replicating a security group rule, you can make changes so that it is not a perfect copy.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- On the displayed page, locate the row that contains the security group rule to be replicated, and click Replicate in the Operation column.
You can also modify the security group rule as required to quickly generate a new rule.
+ - Click OK.
+
+
Modifying a Security Group Rule
+Scenarios
You can modify the port, protocol, and IP address of a security group rule to meet your specific requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- On the displayed page, locate the row that contains the security group rule to be modified, and click Modify in the Operation column.
- Modify the rule and click Confirm.
+
+
Deleting a Security Group Rule
+Scenarios
If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one.
+
Security group rules use whitelists. Deleting a security group rule may result in ECS access failures.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- If you do not need a security group rule, locate the row that contains the target rule, and click Delete.
- Click Yes in the displayed dialog box.
+
Deleting multiple security group rules at once
+
You can also select multiple security group rules and click Delete above the security group rule list to delete multiple rules at a time.
+
+
Importing and Exporting Security Group Rules
+Scenarios
If you want to quickly apply the rules of one security group to another, or if you want to modify multiple rules of the current security group at once, you can import or export existing rules.
+
Security group rules are imported or exported to an Excel file.
+
+
Notes and Constraints
When modifying exported security group rules, you can only modify existing fields in the exported file based on the template and cannot add new fields or modify the field names. Otherwise, the file will fail to be imported.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- Export and import security group rules.
- Click
to export all rules of the current security group to an Excel file. - Click
to import security group rules from an Excel file into the current security group.Table 1 describes the parameters in the template for importing rules.
+
Table 1 Template parametersParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Direction
+ |
+The direction in which the security group rule takes effect.
+- Inbound rules control incoming traffic to cloud resources in the security group.
- Outbound rules control outgoing traffic from cloud resources in the security group.
+ |
+Inbound
+ |
+
+Protocol & Port
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Source
+ |
+The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ |
+0.0.0.0/0
+ |
+
+Destination
+ |
+The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+-
+ |
+
+Last Modified
+ |
+The time when the security group was modified.
+ |
+-
+ |
+
+
+
+
+
+
+
+
+
Deleting a Security Group
+Scenarios
This section describes how to delete security groups that you are no longer required.
+
+
Notes and Constraints
- The default security group cannot be deleted.
- If a security group is associated with resources other than servers and extension NICs, the security group cannot be deleted.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the row that contains the target security group, click More in the Operation column, and click Delete.
- Click Yes in the displayed dialog box.
+
+
Adding Instances to and Removing Them from a Security Group
+Scenarios
After a security group is created, you can add instances to the security group to protect the instances. You can also remove them from the security group as required.
+
You can add multiple instances to or remove them from a security group.
+
+
Adding Instances to a Security Group
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click Manage Instance in the Operation column.
- On the Servers tab, click Add and add one or more servers to the current security group.
- On the Extension NICs tab, click Add and add one or more extension NICs to the current security group.
- Click OK.
+
+
Removing Instances from a Security Group
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click Manage Instance in the Operation column.
- On the Servers tab, locate the target server and click Remove in the Operation column to remove the server from current security group.
- On the Extension NICs tab, locate the target extension NIC and click Remove in the Operation column to remove the NIC from the current security group.
- Click Yes.
+
Removing multiple instances from a security group
+
Select multiple servers and click Remove above the server list to remove the selected servers from the current security group all at once.
+
Select multiple extension NICs and click Remove above the extension NIC list to remove the selected extension NICs from the current security group all at once.
+
+
Modifying a Security Group
+Scenarios
Modify the name and description of a created security group.
+
+
Procedure
Method 1
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the target security group and choose More > Modify in the Operation column.
- Modify the name and description of the security group as required.
- Click OK.
+
Method 2
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- On the displayed page, click
on the right of Name and edit the security group name. - Click √ to save the security group name.
- Click on the right of Description and edit the security group description.
- Click √ to save the security group description.
+
+
Viewing the Security Group of an ECS
+Scenarios
View inbound and outbound rules of a security group used by an ECS.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Under Compute, click Elastic Cloud Server.
- On the Elastic Cloud Server page, click the name of the target ECS.
- Click the Security Groups tab and view information about the security group used by the ECS.
+
+
Changing the Security Group of an ECS
+Scenarios
Change the security group associated with an ECS NIC.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select your region and project. - Under Computing, click Elastic Cloud Server.
- In the ECS list, locate the row that contains the target ECS. Click More in the Operation column and select Manage Network > Change Security Group.
The Change Security Group dialog box is displayed.
+Figure 1 Change Security Group
+ - Select the target NIC and security groups as prompted.
You can select multiple security groups. In such a case, the rules of all the selected security groups will be aggregated to apply on the ECS.
+To create a security group, click Create Security Group.
+ Using multiple security groups may deteriorate ECS network performance. You are suggested to select no more than five security groups.
+
+ - Click OK.
+
+
Security
+
+
+
diff --git a/docs/vpc/umn/vpc_SecurityGroup_0001.html b/docs/vpc/umn/vpc_SecurityGroup_0001.html
new file mode 100644
index 000000000..764238aec
--- /dev/null
+++ b/docs/vpc/umn/vpc_SecurityGroup_0001.html
@@ -0,0 +1,43 @@
+
+
+Security Group
+
+
+
diff --git a/docs/vpc/umn/vpc_SecurityGroup_0004.html b/docs/vpc/umn/vpc_SecurityGroup_0004.html
new file mode 100644
index 000000000..66fda64eb
--- /dev/null
+++ b/docs/vpc/umn/vpc_SecurityGroup_0004.html
@@ -0,0 +1,15 @@
+
+
+Replicating a Security Group Rule
+Scenarios
Replicate an existing security group rule to generate a new rule. When replicating a security group rule, you can make changes so that it is not a perfect copy.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- On the displayed page, locate the row that contains the security group rule to be replicated, and click Replicate in the Operation column.
You can also modify the security group rule as required to quickly generate a new rule.
+ - Click OK.
+
+
Modifying a Security Group Rule
+Scenarios
You can modify the port, protocol, and IP address of a security group rule to meet your specific requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- On the displayed page, locate the row that contains the security group rule to be modified, and click Modify in the Operation column.
- Modify the rule and click Confirm.
+
+
Deleting a Security Group Rule
+Scenarios
If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one.
+
Security group rules use whitelists. Deleting a security group rule may result in ECS access failures.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- If you do not need a security group rule, locate the row that contains the target rule, and click Delete.
- Click Yes in the displayed dialog box.
+
Deleting multiple security group rules at once
+
You can also select multiple security group rules and click Delete above the security group rule list to delete multiple rules at a time.
+
+
Importing and Exporting Security Group Rules
+Scenarios
If you want to quickly apply the rules of one security group to another, or if you want to modify multiple rules of the current security group at once, you can import or export existing rules.
+
Security group rules are imported or exported to an Excel file.
+
+
Notes and Constraints
When modifying exported security group rules, you can only modify existing fields in the exported file based on the template and cannot add new fields or modify the field names. Otherwise, the file will fail to be imported.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- Export and import security group rules.
- Click to export all rules of the current security group to an Excel file.
- Click to import security group rules from an Excel file into the current security group.
Table 1 describes the parameters in the template for importing rules.
+
Table 1 Template parametersParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Direction
+ |
+The direction in which the security group rule takes effect.
+- Inbound rules control incoming traffic to cloud resources in the security group.
- Outbound rules control outgoing traffic from cloud resources in the security group.
+ |
+Inbound
+ |
+
+Protocol & Port
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Source
+ |
+The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ |
+0.0.0.0/0
+ |
+
+Destination
+ |
+The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+-
+ |
+
+Last Modified
+ |
+The time when the security group was modified.
+ |
+-
+ |
+
+
+
+
+
+
+
+
+
Deleting a Security Group
+Scenarios
This section describes how to delete security groups that you are no longer required.
+
+
Notes and Constraints
- The default security group cannot be deleted.
- If a security group is associated with resources other than servers and extension NICs, the security group cannot be deleted.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the row that contains the target security group, click More in the Operation column, and click Delete.
- Click Yes in the displayed dialog box.
+
+
Modifying a Security Group
+Scenarios
Modify the name and description of a created security group.
+
+
Procedure
Method 1
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the target security group and choose More > Modify in the Operation column.
- Modify the name and description of the security group as required.
- Click OK.
+
Method 2
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click the security group name.
- On the displayed page, click on the right of Name and edit the security group name.
- Click √ to save the security group name.
- Click on the right of Description and edit the security group description.
- Click √ to save the security group description.
+
+
Viewing the Security Group of an ECS
+Scenarios
View inbound and outbound rules of a security group used by an ECS.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Under Compute, click Elastic Cloud Server.
- On the Elastic Cloud Server page, click the name of the target ECS.
- Click the Security Groups tab and view information about the security group used by the ECS.
+
+
Firewall
+
+
+
diff --git a/docs/vpc/umn/vpc_acl02_0001.html b/docs/vpc/umn/vpc_acl02_0001.html
new file mode 100644
index 000000000..83842df60
--- /dev/null
+++ b/docs/vpc/umn/vpc_acl02_0001.html
@@ -0,0 +1,82 @@
+
+
+Firewall Overview
+A firewall is an optional layer of security for your subnets. After you associate one or more subnets with a firewall, you can control traffic in and out of the subnets.
+
Figure 1 shows how a firewall works.
+
Figure 1 Security groups and firewalls
+
Similar to security groups, firewalls control access to subnets and add an additional layer of defense to your subnets. Security groups only have the "allow" rules, but firewalls have both "allow" and "deny" rules. You can use firewalls together with security groups to implement comprehensive and fine-grained access control.
+
Differences Between Security Groups and Firewalls summarizes the basic differences between security groups and firewalls.
+
Firewall Basics
- Your VPC does not come with a firewall, but you can create a firewall and associate it with a VPC subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.
- You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time.
- Each newly created firewall is in the Inactive state until you associate subnets with it.
+
+
Default Firewall Rules
By default, each firewall has preset rules that allow the following packets:
+
- Packets whose source and destination are in the same subnet
- Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information.
- Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols.
- Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata.
- Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16)
- A firewall denies all traffic in and out of a subnet excepting the preceding ones. Table 1 shows the default firewall rules. You cannot modify or delete the default rules.
+
Table 1 Default firewall rulesDirection
+ |
+Priority
+ |
+Action
+ |
+Protocol
+ |
+Source
+ |
+Destination
+ |
+Description
+ |
+
|---|
+
+Inbound
+ |
+*
+ |
+Deny
+ |
+All
+ |
+0.0.0.0/0
+ |
+0.0.0.0/0
+ |
+Denies all inbound traffic.
+ |
+
+Outbound
+ |
+*
+ |
+Deny
+ |
+All
+ |
+0.0.0.0/0
+ |
+0.0.0.0/0
+ |
+Denies all outbound traffic.
+ |
+
+
+
+
+
+
Rule Priorities
- Each firewall rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority.
- If multiple firewall rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.
+
+
Application Scenarios
- If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. However, you also need to prevent illegal access from malicious users.
Solution: You can add firewall rules to deny access from suspect IP addresses.
+ - How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm?
Solution: You can add firewall rules to deny access traffic from a specific port and protocol, for example, TCP port 445.
+ - No defense is required for the east-west traffic between subnets, but access control is required for north-south traffic.
Solution: You can add firewall rules to protect north-south traffic.
+ - For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance.
Solution: A firewall allows you to adjust the rule sequence so that frequently used rules are applied before other rules.
+
+
+
Configuration Procedure
Figure 2 shows the procedure for configuring a firewall.
+
Figure 2 firewall configuration procedure
+
- Create a firewall by following the steps described in Creating a Firewall.
- Add firewall rules by following the steps described in Adding a Firewall Rule.
- Associate subnets with the firewall by following the steps described in Associating Subnets with a Firewall. After subnets are associated with the firewall, the subnets will be protected by the configured firewall rules.
+
+
Firewall Configuration Examples
+This section provides examples for configuring firewalls.
+
+
Denying Access from a Specific Port
You might want to block TCP 445 to protect against the WannaCry ransomware attacks. You can add a firewall rule to deny all incoming traffic from TCP port 445.
+
+
Firewall Configuration
+
Table 1 lists the inbound rule required.
+
Table 1 firewall rulesDirection
+ |
+Action
+ |
+Protocol
+ |
+Source
+ |
+Source Port Range
+ |
+Destination
+ |
+Destination Port Range
+ |
+Description
+ |
+
|---|
+
+Inbound
+ |
+Deny
+ |
+TCP
+ |
+0.0.0.0/0
+ |
+1-65535
+ |
+0.0.0.0/0
+ |
+445
+ |
+Denies inbound traffic from any IP address through TCP port 445.
+ |
+
+Inbound
+ |
+Allow
+ |
+All
+ |
+0.0.0.0/0
+ |
+1-65535
+ |
+0.0.0.0/0
+ |
+All
+ |
+Allows all inbound traffic.
+ |
+
+
+
+
+
- By default, a firewall denies all inbound traffic. You need to allow all inbound traffic if necessary.
- If you want a deny rule to be matched first, insert the deny rule above the allow rule. For details, see Changing the Sequence of a Firewall Rule.
+
+
+
Allowing Access from Specific Ports and Protocols
In this example, an ECS in a subnet is used as the web server, and you need to allow inbound traffic from HTTP port 80 and HTTPS port 443 and allow all outbound traffic regardless of the port. You need to configure both the firewall rules and security group rules to allow the traffic.
+
Firewall Configuration
+
Table 2 lists the inbound rule required.
+
+
Table 2 firewall rulesDirection
+ |
+Action
+ |
+Protocol
+ |
+Source
+ |
+Source Port Range
+ |
+Destination
+ |
+Destination Port Range
+ |
+Description
+ |
+
|---|
+
+Inbound
+ |
+Allow
+ |
+TCP
+ |
+0.0.0.0/0
+ |
+1-65535
+ |
+0.0.0.0/0
+ |
+80
+ |
+Allows inbound HTTP traffic from any IP address to ECSs in the subnet through port 80.
+ |
+
+Inbound
+ |
+Allow
+ |
+TCP
+ |
+0.0.0.0/0
+ |
+1-65535
+ |
+0.0.0.0/0
+ |
+443
+ |
+Allows inbound HTTPS traffic from any IP address to ECSs in the subnet through port 443.
+ |
+
+Outbound
+ |
+Allow
+ |
+All
+ |
+0.0.0.0/0
+ |
+All
+ |
+0.0.0.0/0
+ |
+All
+ |
+Allows all outbound traffic from the subnet.
+ |
+
+
+
+
+
Security group configuration
+
Table 3 lists the inbound and outbound security group rules required.
+
+
Table 3 Security group rulesDirection
+ |
+Protocol/Application
+ |
+Port
+ |
+Source/Destination
+ |
+Description
+ |
+
|---|
+
+Inbound
+ |
+TCP
+ |
+80
+ |
+Source: 0.0.0.0/0
+ |
+Allows inbound HTTP traffic from any IP address to ECSs associated with the security group through port 80.
+ |
+
+Inbound
+ |
+TCP
+ |
+443
+ |
+Source: 0.0.0.0/0
+ |
+Allows inbound HTTPS traffic from any IP address to ECSs associated with the security group through port 443.
+ |
+
+Outbound
+ |
+All
+ |
+All
+ |
+Destination: 0.0.0.0/0
+ |
+Allows all outbound traffic from the security group.
+ |
+
+
+
+
+
A firewall adds an additional layer of security. Even if the security group rules allow more traffic than that actually required, the firewall rules allow only access from HTTP port 80 and HTTPS port 443 and deny other inbound traffic.
+
+
Creating a Firewall
+Scenarios
You can create a custom firewall, but any newly created firewall will be disabled by default. It will not have any inbound or outbound rules, or have any subnets associated. Each user can create up to 200 firewalls by default.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- In the right pane displayed, click Create firewall.
- In the displayed dialog box, enter firewall information as prompted. Table 1 lists the parameters to be configured.
Figure 1 Create Firewall
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The firewall name. This parameter is mandatory.
+The name contains a maximum of 64 characters, which may consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces.
+ |
+fw-92d3
+ |
+
+Description
+ |
+Supplementary information about the firewall. This parameter is optional.
+The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click OK.
+
+
Adding a Firewall Rule
+Scenarios
Add an inbound or outbound rule based on your network security requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, click Add Rule to add an inbound or outbound rule.
- Click + to add more rules.
- Locate the row that contains the firewall rule and click Replicate in the Operation column to replicate an existing rule.
+Figure 1 Add Inbound Rule
+
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Action
+ |
+The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be Allow or Deny.
+ |
+Allow
+ |
+
+Protocol
+ |
+The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be TCP, UDP, All, or ICMP. If ICMP or All is selected, you do not need to specify port information.
+ |
+TCP
+ |
+
+Source
+ |
+The source from which the traffic is allowed. The source can be an IP address or IP address range.
+The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is allowed.
+For example:
+- xxx.xxx.xxx.xxx/32 (IP address)
- xxx.xxx.xxx.0/24 (IP address range)
- 0.0.0.0/0 (all IP addresses)
+ |
+0.0.0.0/0
+ |
+
+Source Port Range
+ |
+The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, 1-100.
+You must specify this parameter if TCP or UDP is selected for Protocol.
+ |
+22, or 22-30
+ |
+
+Destination
+ |
+The destination to which the traffic is allowed. The destination can be an IP address or IP address range.
+The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is allowed.
+For example:
+- xxx.xxx.xxx.xxx/32 (IP address)
- xxx.xxx.xxx.0/24 (IP address range)
- 0.0.0.0/0 (all IP addresses)
+ |
+0.0.0.0/0
+ |
+
+Destination Port Range
+ |
+The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, 1-100.
+You must specify this parameter if TCP or UDP is selected for Protocol.
+ |
+22, or 22-30
+ |
+
+Description
+ |
+Supplementary information about the firewall rule. This parameter is optional.
+The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
+
- Click OK.
+
+
Associating Subnets with a Firewall
+Scenarios
On the page showing firewall details, associate desired subnets with a firewall. After a firewall is associated with a subnet, the firewall denies all traffic to and from the subnet until you add rules to allow traffic.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the displayed page, click the Associated Subnets tab.
- On the Associated Subnets page, click Associate.
- On the displayed page, select the subnets to be associated with the firewall, and click OK.
+
Subnets that have already been associated with firewalls will not be displayed on the page for you to select. One-click subnet association and disassociation are not currently supported. Furthermore, a subnet can only be associated with one firewall. If you want to reassociate a subnet that has already been associated with another firewall, you must first disassociate the subnet from the original firewall.
+
+
+
Disassociating a Subnet from a Firewall
+Scenarios
Disassociate a subnet from a firewall when necessary.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the displayed page, click the Associated Subnets tab.
- On the Associated Subnets page, locate the row that contains the target subnet and click Disassociate in the Operation column.
- Click Yes in the displayed dialog box.
+
Disassociating subnets from a firewall
+
Select multiple subnets and click Disassociate above the subnet list to disassociate the subnets from the current firewall at a time.
+
+
Changing the Sequence of a Firewall Rule
+Scenarios
If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.
+
If multiple firewall rules conflict, only the rule with the highest priority takes effect.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the target rule, click More in the Operation column, and select Insert Rule Above or Insert Rule Below.
- In the displayed dialog box, configure required parameters and click OK.
The rule is inserted. The procedure for inserting an outbound rule is the same as that for inserting an inbound rule.
+
+
+
Modifying a Firewall Rule
+Scenarios
Modify an inbound or outbound firewall rule based on your network security requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the row that contains the target rule and click Modify in the Operation column. In the displayed dialog box, configure parameters as prompted. Table 1 lists the parameters to be configured.
Figure 1 Modify Rule
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Action
+ |
+The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be Allow or Deny.
+ |
+Allow
+ |
+
+Protocol
+ |
+The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be TCP, UDP, All, or ICMP. If ICMP or All is selected, you do not need to specify port information.
+ |
+TCP
+ |
+
+Source
+ |
+The source from which the traffic is allowed. The source can be an IP address or IP address range.
+The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is allowed.
+For example:
+- xxx.xxx.xxx.xxx/32 (IP address)
- xxx.xxx.xxx.0/24 (IP address range)
- 0.0.0.0/0 (all IP addresses)
+ |
+0.0.0.0/0
+ |
+
+Source Port Range
+ |
+The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, 1-100.
+You must specify this parameter if TCP or UDP is selected for Protocol.
+ |
+22, or 22-30
+ |
+
+Destination
+ |
+The destination to which the traffic is allowed. The destination can be an IP address or IP address range.
+The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is allowed.
+For example:
+- xxx.xxx.xxx.xxx/32 (IP address)
- xxx.xxx.xxx.0/24 (IP address range)
- 0.0.0.0/0 (all IP addresses)
+ |
+0.0.0.0/0
+ |
+
+Destination Port Range
+ |
+The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, 1-100.
+You must specify this parameter if TCP or UDP is selected for Protocol.
+ |
+22, or 22-30
+ |
+
+Description
+ |
+Supplementary information about the firewall rule. This parameter is optional.
+The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click Confirm.
+
+
Enabling or Disabling a Firewall Rule
+Scenarios
Enable or disable an inbound or outbound rule based on your network security requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the row that contains the target rule, and click More and then Enable or Disable in the Operation column.
- Click Yes in the displayed dialog box.
The rule is enabled or disabled. The procedure for enabling or disabling an outbound rule is the same as that for enabling or disabling an inbound rule.
+
+
+
Deleting a Firewall Rule
+Scenarios
Delete an inbound or outbound rule based on your network security requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the row that contains the target rule and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
Deleting multiple Firewall rules at a time
+
You can also select multiple firewall rules and click Delete above the firewall rule list to delete multiple rules at a time.
+
+
Viewing a Firewall
+Scenarios
View details about a firewall.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the displayed page, click the Inbound Rules, Outbound Rules, and Associated Subnets tabs one by one to view details about inbound rules, outbound rules, and subnet associations.
+
+
Modifying a Firewall
+Scenarios
Modify the name and description of a firewall.
+
+
+
Enabling or Disabling a Firewall
+Scenarios
After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if need. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall.
+
When a firewall is disabled, custom rules will become invalid. Disabling a firewall may interrupt network traffic. For information about the default firewall rules, see Default Firewall Rules.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the row that contains the target firewall in the right pane, click More in the Operation column, and click Enable or Disable.
- Click Yes in the displayed dialog box.
+
+
Deleting a Firewall
+Scenarios
Delete a firewall when it is no longer required.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall in the right pane, click More in the Operation column, and click Delete.
- Click Yes.
After a firewall is deleted, associated subnets are disassociated and added rules are deleted from the firewall.
+
+
+
+
Differences Between Security Groups and Firewalls
+You can configure security groups and firewall to increase the security of ECSs in your VPC.
+
- Security groups operate at the ECS level.
- Firewalls operate at the subnet level.
+
For details, see Figure 1.
+
Figure 1 Security groups and firewalls
+
Table 1 describes the differences between security groups and firewalls.
+
+
Table 1 Differences between security groups and firewallsCategory
+ |
+Security Group
+ |
+Firewall
+ |
+
|---|
+
+Targets
+ |
+Operates at the ECS level.
+ |
+Operates at the subnet level.
+ |
+
+Rules
+ |
+Supports both Allow and Deny rules.
+ |
+Supports both Allow and Deny rules.
+ |
+
+Priority
+ |
+If there are conflicting rules, they are combined and applied together.
+ |
+If rules conflict, the rule with the highest priority takes effect.
+ |
+
+Usage
+ |
+Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs.
+ |
+Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable firewall. The firewall then takes effect for the associated subnets and ECSs in the subnets.
+ |
+
+Packets
+ |
+Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported.
+ |
+Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported.
+ |
+
+
+
+
+
Firewall
+
+
+
diff --git a/docs/vpc/umn/vpc_acl_0003.html b/docs/vpc/umn/vpc_acl_0003.html
new file mode 100644
index 000000000..8312da44c
--- /dev/null
+++ b/docs/vpc/umn/vpc_acl_0003.html
@@ -0,0 +1,16 @@
+
+
+Disassociating a Subnet from a Firewall
+Scenarios
Disassociate a subnet from a firewall when necessary.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the displayed page, click the Associated Subnets tab.
- On the Associated Subnets page, locate the row that contains the target subnet and click Disassociate in the Operation column.
- Click Yes in the displayed dialog box.
+
Disassociating subnets from a firewall
+
Select multiple subnets and click Disassociate above the subnet list to disassociate the subnets from the current firewall at a time.
+
+
Changing the Sequence of a Firewall Rule
+Scenarios
If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.
+
If multiple firewall rules conflict, only the rule with the highest priority takes effect.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the target rule, click More in the Operation column, and select Insert Rule Above or Insert Rule Below.
- In the displayed dialog box, configure required parameters and click OK.
The rule is inserted. The procedure for inserting an outbound rule is the same as that for inserting an inbound rule.
+
+
+
Modifying a Firewall Rule
+Scenarios
Modify an inbound or outbound firewall rule based on your network security requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the row that contains the target rule and click Modify in the Operation column. In the displayed dialog box, configure parameters as prompted. Table 1 lists the parameters to be configured.
Figure 1 Modify Rule
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Action
+ |
+The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be Allow or Deny.
+ |
+Allow
+ |
+
+Protocol
+ |
+The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be TCP, UDP, All, or ICMP. If ICMP or All is selected, you do not need to specify port information.
+ |
+TCP
+ |
+
+Source
+ |
+The source from which the traffic is allowed. The source can be an IP address or IP address range.
+The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is allowed.
+For example:
+- xxx.xxx.xxx.xxx/32 (IP address)
- xxx.xxx.xxx.0/24 (IP address range)
- 0.0.0.0/0 (all IP addresses)
+ |
+0.0.0.0/0
+ |
+
+Source Port Range
+ |
+The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, 1-100.
+You must specify this parameter if TCP or UDP is selected for Protocol.
+ |
+22, or 22-30
+ |
+
+Destination
+ |
+The destination to which the traffic is allowed. The destination can be an IP address or IP address range.
+The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is allowed.
+For example:
+- xxx.xxx.xxx.xxx/32 (IP address)
- xxx.xxx.xxx.0/24 (IP address range)
- 0.0.0.0/0 (all IP addresses)
+ |
+0.0.0.0/0
+ |
+
+Destination Port Range
+ |
+The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, 1-100.
+You must specify this parameter if TCP or UDP is selected for Protocol.
+ |
+22, or 22-30
+ |
+
+Description
+ |
+Supplementary information about the firewall rule. This parameter is optional.
+The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click Confirm.
+
+
Enabling or Disabling a Firewall Rule
+Scenarios
Enable or disable an inbound or outbound rule based on your network security requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the row that contains the target rule, and click More and then Enable or Disable in the Operation column.
- Click Yes in the displayed dialog box.
The rule is enabled or disabled. The procedure for enabling or disabling an outbound rule is the same as that for enabling or disabling an inbound rule.
+
+
+
Deleting a Firewall Rule
+Scenarios
Delete an inbound or outbound rule based on your network security requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the Inbound Rules or Outbound Rules tab, locate the row that contains the target rule and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
Deleting multiple Firewall rules at a time
+
You can also select multiple firewall rules and click Delete above the firewall rule list to delete multiple rules at a time.
+
+
Viewing a Firewall
+Scenarios
View details about a firewall.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall and click its name to switch to the page showing details of that particular firewall.
- On the displayed page, click the Inbound Rules, Outbound Rules, and Associated Subnets tabs one by one to view details about inbound rules, outbound rules, and subnet associations.
+
+
Modifying a Firewall
+Scenarios
Modify the name and description of a firewall.
+
+
+
Enabling or Disabling a Firewall
+Scenarios
After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if need. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall.
+
When a firewall is disabled, custom rules will become invalid. Disabling a firewall may interrupt network traffic. For information about the default firewall rules, see Default Firewall Rules.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the row that contains the target firewall in the right pane, click More in the Operation column, and click Enable or Disable.
- Click Yes in the displayed dialog box.
+
+
Deleting a Firewall
+Scenarios
Delete a firewall when it is no longer required.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > firewalls.
- Locate the target firewall in the right pane, click More in the Operation column, and click Delete.
- Click Yes.
After a firewall is deleted, associated subnets are disassociated and added rules are deleted from the firewall.
+
+
+
+
Shared Bandwidth
+
+
+
diff --git a/docs/vpc/umn/vpc_bandwidth02_0001.html b/docs/vpc/umn/vpc_bandwidth02_0001.html
new file mode 100644
index 000000000..22b8e769a
--- /dev/null
+++ b/docs/vpc/umn/vpc_bandwidth02_0001.html
@@ -0,0 +1,15 @@
+
+
+Shared Bandwidth Overview
+Shared bandwidth allows multiple EIPs to share the same bandwidth. All ECSs, BMSs, and load balancers that have EIPs bound in the same region can share a bandwidth.
+
When you host a large number of applications on the cloud, if each EIP uses an independent bandwidth, a lot of bandwidths are required, increasing O&M workload. If all EIPs share the same bandwidth, VPCs and the region-level bandwidth can be managed in a unified manner, simplifying O&M statistics and network operations cost settlement.
+
- Easy to Manage
Region-level bandwidth sharing and multiplexing simplify O&M statistics, management, and operations cost settlement.
+ - Flexible Operations
You can add EIPs to a shared bandwidth or remove them from a shared bandwidth regardless of the instances to which they are bound.
+
+
Assigning a Shared Bandwidth
+Scenarios
Assign a shared bandwidth for use with EIPs.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the upper right corner, click Assign Shared Bandwidth. On the displayed page, configure parameters as prompted.
+
Figure 1 Assigning Shared Bandwidth
+
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Region
+ |
+Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.
+ |
+eu-de
+ |
+
+Bandwidth
+ |
+The bandwidth size in Mbit/s. The value ranges from starting with 5 Mbit/s. The maximum bandwidth can be 1000 Mbit/s.
+ |
+10
+ |
+
+Bandwidth Name
+ |
+The name of the shared bandwidth.
+ |
+Bandwidth-001
+ |
+
+
+
+
+
- Click Create Now.
+
+
Adding EIPs to a Shared Bandwidth
+Scenarios
Add EIPs to a shared bandwidth and the EIPs can then share that bandwidth. You can add multiple EIPs to a shared bandwidth at the same time.
+
+
Notes and Constraints
- After an EIP is added to a shared bandwidth, the original bandwidth used by the EIP will become invalid and the EIP will start to use the shared bandwidth.
- The EIP's original dedicated bandwidth will be deleted.
- Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the shared bandwidth to which you want to add EIPs. In the Operation column, choose More > Add EIP, and select the EIPs to be added.
Figure 1 Add EIP
+ - Click OK.
+
+
Removing EIPs from a Shared Bandwidth
+Scenarios
Remove EIPs that are no longer required from a shared bandwidth if needed.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the bandwidth from which EIPs are to be removed, choose More > Remove EIP in the Operation column, and select the EIPs to be removed in the displayed dialog box.
Figure 1 Remove EIP
+ - Click OK.
+
+
Modifying a Shared Bandwidth
+Scenarios
You can modify the name and size of a shared bandwidth as required.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the shared bandwidth you want to modify, click Modify Bandwidth in the Operation column, and modify the bandwidth settings.
Figure 1 Modify Bandwidth
+ - Click Next.
- Click Submit.
+
+
Deleting a Shared Bandwidth
+Scenarios
Delete a shared bandwidth when it is no longer required.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the navigation pane on the left, choose Elastic IP and Bandwidth > Shared Bandwidths.
- In the shared bandwidth list, locate the row that contains the shared bandwidth you want to delete, click More in the Operation column, and then click Delete.
- In the displayed dialog box, click Yes.
+
+
Direct Connect
+Direct Connect allows you to establish a dedicated network connection between your data center and the cloud platform. With Direct Connect, you can establish a private connection between the cloud platform and your data center, office, or collocation environment, which can reduce your network latency and provide a more consistent network experience than Internet-based connections.
+
For more information about Direct Connect, see the Direct Connect User Guide.
+
Direct Connect
+Direct Connect allows you to establish a dedicated network connection between your data center and the cloud platform. With Direct Connect, you can establish a private connection between the cloud platform and your data center, office, or collocation environment, which can reduce your network latency and provide a more consistent network experience than Internet-based connections.
+
For more information about Direct Connect, see the Direct Connect User Guide.
+
EIP
+
+
+
diff --git a/docs/vpc/umn/vpc_eip02_0001.html b/docs/vpc/umn/vpc_eip02_0001.html
new file mode 100644
index 000000000..341a16f05
--- /dev/null
+++ b/docs/vpc/umn/vpc_eip02_0001.html
@@ -0,0 +1,110 @@
+
+
+Assigning an EIP and Binding It to an ECS
+Scenarios
You can assign an EIP and bind it to an ECS so that the ECS can access the Internet.
+
EIPs for dedicated load balancers:
- In the eu-de region, if you choose to assign an EIP when you create a dedicated load balancer on the management console or using APIs, EIPs for dedicated load balancers (5_gray) will be assigned.
- Do not bind EIPs of this type to non-dedicated load balancers.
- Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect.
+
+
+
+
Assigning an EIP
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, click Assign EIP.
- Set the parameters as prompted.
Figure 1 Assign EIP
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Region
+ |
+Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.
+ |
+eu-de
+ |
+
+EIP Type
+ |
+- Dynamic BGP: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails.
- Mail BGP: EIPs with port 25, 465, or 587 enabled are used.
+The selected EIP type cannot be changed after the EIP is assigned.
+ |
+Dynamic BGP
+ |
+
+Bandwidth
+ |
+The bandwidth size in Mbit/s.
+ |
+100
+ |
+
+Bandwidth Name
+ |
+The name of the bandwidth.
+ |
+bandwidth
+ |
+
+Tag
+ |
+The EIP tags. Each tag contains a key and value pair.
+The tag key and value must meet the requirements listed in Table 2.
+ |
+- Key: Ipv4_key1
- Value: 192.168.12.10
+ |
+
+Quantity
+ |
+The number of EIPs you want to purchase.
+ |
+1
+ |
+
+
+
+
Table 2 EIP tag requirementsParameter
+ |
+Requirement
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each EIP.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+Ipv4_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+192.168.12.10
+ |
+
+
+
+
- Click Create Now.
- Click Submit.
+
+
+
Follow-Up Procedure
After an ECS with an EIP bound is created, the system generates a domain name in the format of ecs-xx-xx-xx-xx.compute.xxx.com for the EIP by default. xx-xx-xx-xx indicates the EIP, and xxx indicates the domain name of the cloud service provider. You can use the domain name to access the ECS.
+
You can use any of the following commands to obtain the domain name of an EIP:
- ping -a EIP
- nslookup [-qt=ptr] EIP
- dig -x EIP
+
+
+
Unbinding an EIP from an ECS and Releasing the EIP
+Scenarios
If you no longer need an EIP, unbind it from the ECS and release the EIP to avoid wasting network resources.
+
+
Notes and Constraints
- EIP assigned together with your load balancers will also be displayed in the EIP list on the VPC console. On the EIP console or using EIP APIs, you cannot bind EIPs to or unbind them from dedicated load balancers, but you can bind EIPs to or unbind them from shared load balancers.
- You can only release EIPs that are not bound to any resources.
+
+
Procedure
Unbinding a single EIP
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, locate the row that contains the target EIP, and click Unbind.
- Click Yes in the displayed dialog box.
+
Releasing a single EIP- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, locate the row that contains the target EIP, click More and then Release in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Unbinding multiple EIPs at once
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, select the EIPs to be unbound.
- Click the Unbind button located above the EIP list.
- Click Yes in the displayed dialog box.
+
Releasing multiple EIPs at once
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, select the EIPs to be released.
- Click the Release button located above the EIP list.
- Click Yes in the displayed dialog box.
+
+
Managing EIP Tags
+Scenarios
Tags can be added to EIPs to facilitate EIP identification and administration. You can add a tag to an EIP when assigning the EIP. Alternatively, you can add a tag to an assigned EIP on the EIP details page. A maximum of 20 tags can be added to each EIP.
+
+
A tag consists of a key and value pair. Table 1 lists the tag key and value requirements.
+
+
Table 1 EIP tag requirementsParameter
+ |
+Requirement
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each EIP.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+Ipv4_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+192.168.12.10
+ |
+
+
+
+
+
Procedure
Searching for EIPs by tag key and value on the page showing the EIP list- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- In the upper right corner of the EIP list, click Search by Tag.
- In the displayed area, enter the tag key and value of the EIP you are looking for.
You must specify both the tag key and value. The system will display the EIPs that contain the tag you specified.
+ - Click + to add another tag key and value.
You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for EIPs, the system will display only the EIPs that contain all of the tags you specified.
+ - Click Search.
The system displays the EIPs you are looking for based on the entered tag keys and values.
+
+
+
Adding, deleting, editing, and viewing tags on the Tags tab of an EIP- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, locate the EIP whose tags you want to manage, and click the EIP name.
- On the page showing EIP details, click the Tags tab and perform desired operations on tags.
- View tags.
On the Tags tab, you can view details about tags added to the current EIP, including the number of tags and the key and value of each tag.
+ - Add a tag.
Click Add Tag in the upper left corner. In the displayed Add Tag dialog box, enter the tag key and value, and click OK.
+ - Edit a tag.
Locate the row that contains the tag you want to edit, and click Edit in the Operation column. Enter the new tag value, and click OK.
+The tag key cannot be modified.
+ - Delete a tag.
Locate the row that contains the tag you want to delete, and click Delete in the Operation column. In the displayed dialog box, click Yes.
+
+
+
+
+
Modifying an EIP Bandwidth
+Scenarios
Modify the EIP bandwidth name or size.
+
This section describes how to modify the dedicated bandwidth or shared bandwidth of an EIP. For details about how to modify a shared bandwidth, see Modifying a Shared Bandwidth.
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- Locate the row that contains the target EIP in the EIP list, click More in the Operation column, and select Modify Bandwidth.
- Modify the bandwidth parameters as prompted.
+ - Click Next.
- Click Submit.
+
+
EIP
+
+
+
diff --git a/docs/vpc/umn/vpc_eip_0001.html b/docs/vpc/umn/vpc_eip_0001.html
new file mode 100644
index 000000000..636f0cc89
--- /dev/null
+++ b/docs/vpc/umn/vpc_eip_0001.html
@@ -0,0 +1,23 @@
+
+
+Unbinding an EIP from an ECS and Releasing the EIP
+Scenarios
If you no longer need an EIP, unbind it from the ECS and release the EIP to avoid wasting network resources.
+
+
Notes and Constraints
- EIP assigned together with your load balancers will also be displayed in the EIP list on the VPC console. On the EIP console or using EIP APIs, you cannot bind EIPs to or unbind them from dedicated load balancers, but you can bind EIPs to or unbind them from shared load balancers.
- You can only release EIPs that are not bound to any resources.
+
+
Procedure
Unbinding a single EIP
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, locate the row that contains the target EIP, and click Unbind.
- Click Yes in the displayed dialog box.
+
Releasing a single EIP- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, locate the row that contains the target EIP, click More and then Release in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Unbinding multiple EIPs at once
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, select the EIPs to be unbound.
- Click the Unbind button located above the EIP list.
- Click Yes in the displayed dialog box.
+
Releasing multiple EIPs at once
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, select the EIPs to be released.
- Click the Release button located above the EIP list.
- Click Yes in the displayed dialog box.
+
+
FAQs
+
+
+
diff --git a/docs/vpc/umn/vpc_faq_00001.html b/docs/vpc/umn/vpc_faq_00001.html
new file mode 100644
index 000000000..b23db9979
--- /dev/null
+++ b/docs/vpc/umn/vpc_faq_00001.html
@@ -0,0 +1,11 @@
+
+
+Are There Different Routing Priorities of the VPN and Custom Routes in the Same VPC?
+No. The routing priority of custom routes and that of VPNs are the same.
+
What Are the Priorities of the Shared SNAT and Custom Route If Both Are Configured for an ECS to Enable the ECS to Access the Internet?
+The priority of a custom route is higher than that of shared SNAT.
+
What Is Virtual Private Cloud?
+The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving cloud resource security and simplifying network deployment.
+
Within your own VPC, you can create security groups and VPNs, configure IP address ranges, specify bandwidth sizes, manage the networks in the VPC, and make changes to these networks as needed, quickly and securely. You can also define rules for communication between ECSs in the same security group or in different security groups.
+
Figure 1 VPC components
+
Which CIDR Blocks Are Available for the VPC Service?
+The following table lists the private CIDR blocks that you can specify when creating a VPC. Consider the following when selecting a VPC CIDR block:
- Number of IP addresses: Reserve sufficient IP addresses in case of business growth.
- IP address range: Avoid IP address conflicts if you need to connect a VPC to an on-premises data center or connect two VPCs.
+
+
The VPC service supports the following CIDR blocks:
+
VPC CIDR Block
+ |
+IP Address Range
+ |
+Maximum Number of IP Addresses
+ |
+
|---|
+
+10.0.0.0/8-24
+ |
+10.0.0.0-10.255.255.255
+ |
+2^24-2=16777214
+ |
+
+172.16.0.0/12-24
+ |
+172.16.0.0-172.31.255.255
+ |
+2^20-2=1048574
+ |
+
+192.168.0.0/16-24
+ |
+192.168.0.0-192.168.255.255
+ |
+2^16-2=65534
+ |
+
+
+
+
+
+
Can Subnets Communicate with Each Other?
+Subnets in the same VPC can communicate with each other, but subnets in different VPCs cannot communicate with each other by default. However, you can create VPC peering connections to enable subnets in different VPCs to communicate with each other.
+
If subnets have firewalls associated, firewall rules should allow communication between the subnets.
+
+
What Subnet CIDR Blocks Are Available?
+A subnet CIDR block must be included in its VPC CIDR block. Supported VPC CIDR blocks are 10.0.0.0/8–24, 172.16.0.0/12–24, and 192.168.0.0/16–24. The allowed block size of a subnet is between the netmask of its VPC CIDR block and the /29 netmask.
+
How Many Subnets Can I Create?
+Each account can have a maximum of 100 subnets. If the number of subnets cannot meet your service requirements, request a quota increase. For details, see What Is a Quota?
+
What Is the Bandwidth Size Range?
+The bandwidth range is from 1 Mbit/s to 1,000 Mbit/s.
+
What Bandwidth Types Are Available?
+There are dedicated bandwidth and shared bandwidth. A dedicated bandwidth can only be used by one EIP, but a shared bandwidth can be used by multiple EIPs.
+
What Are EIPs?
+The Elastic IP (EIP) service enables your cloud resources to communicate with the Internet using static public IP addresses and scalable bandwidths. EIPs can be bound to or unbound from ECSs, BMSs, virtual IP addresses, NAT gateways, or load balancers.
+
Each EIP can be used by only one cloud resource at a time.
Figure 1 Accessing the Internet using an EIP
+
+
Can I Bind an EIP to Multiple ECSs?
+Each EIP can be bound to only one ECS at a time.
+
How Do I Access an ECS with an EIP Bound from the Internet?
+Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default. To allow external access to ECSs in the security group, add an inbound rule to the security group.
+
You can set Protocol to TCP, UDP, ICMP, or All as required on the page for creating a security group rule.
+
- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has been configured on the ECS, or the ECS does not need to be accessible over the Internet, set Source to the IP address range containing the IP address that is allowed to access the ECS over the Internet.
- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has not been configured on the ECS, it is recommended that you retain the default setting 0.0.0.0/0 for Source, and then set allowed ports to improve network security.
- Allocate ECSs that have different Internet access policies to different security groups.
The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.
+
+
+
Can I Change the Security Group of an ECS?
+Yes. Log in to the ECS console, switch to the page showing ECS details, and change the security group of the ECS.
+
How Many Security Groups Can I Create?
+Each account can have up to 100 security groups and 5000 security group rules.
+
When you create an ECS, you can select multiple security groups, but it is recommended that you select no more than five.
+
What Is a Quota?
+What Is a Quota?
A quota limits the quantity of a resource available to users, thereby preventing spikes in the usage of the resource. For example, a VPC quota limits the number of VPCs that can be created.
+
You can also request for an increased quota if your existing quota cannot meet your service requirements.
+
+
How Do I View My Quotas?
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - In the upper right corner of the page, click
.The Service Quota page is displayed.
+ - View the used and total quota of each type of resources on the displayed page.
If a quota cannot meet service requirements, apply for a higher quota.
+
+
+
How Do I Apply for a Higher Quota?
The system does not support online quota adjustment. If you need to adjust a quota, call the hotline or send an email to the customer service mailbox. Customer service personnel will timely process your request for quota adjustment and inform you of the real-time progress by making a call or sending an email.
+
Before dialing the hotline number or sending an email, make sure that the following information has been obtained:
+
- Domain name, project name, and project ID, which can be obtained by performing the following operations:
Log in to the management console using the cloud account, click the username in the upper right corner, select My Credentials from the drop-down list, and obtain the domain name, project name, and project ID on the My Credentials page.
+ - Quota information, which includes:
- Service name
- Quota type
- Required quota
+
+
Learn how to obtain the service hotline and email address.
+
+
Does a VPN Allow Communication Between Two VPCs?
+If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them.
+
If the two VPCs are in different regions, you can use a VPN to enable communication between the VPCs. The CIDR blocks of the two VPCs are the local and remote subnets, respectively.
+
How Do I Configure a Security Group for Multi-Channel Protocols?
+ECS Configuration
The TFTP daemon determines whether a configuration file specifies the port range. If you use a TFTP configuration file that allows the data channel ports to be configurable, it is a good practice to configure a small range of ports that are not listened on.
+
+
Security Group Configuration
You can configure port 69 and configure data channel ports used by TFTP for the security group. In RFC1350, the TFTP protocol specifies that ports available to data channels range from 0 to 65535. However, not all these ports are used by the TFTP daemon processes of different applications. You can configure a smaller range of ports for the TFTP daemon.
+
The following figure provides an example of the security group rule configuration if the ports used by data channels range from 60001 to 60100.
+
Figure 1 Security group rules
+
+
Why Are Internet or Internal Domain Names in the Cloud Inaccessible Through Domain Names When My ECS Has Multiple NICs?
+
+
When an ECS has more than one NIC, if different DNS server addresses are configured for the subnets used by the NICs, the ECS cannot access the Internet or domain names in the cloud.
+
You can resolve this issue by configuring the same DNS server address for the subnets used by the same ECS. You can perform the following steps to modify DNS server addresses of subnets in a VPC:
+
- Log in to the management console.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC for which a subnet is to be modified and click the VPC name.
- In the subnet list, locate the row that contains the subnet to be modified, click Modify. On the displayed page, change the DNS server address as prompted.
- Click OK.
+
Can a Route Table Span Multiple VPCs?
+A route table cannot span multiple VPCs.
+
A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. A VPC has a default route table and can have multiple custom route tables.
+
Each subnet in a VPC must be associated with a route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets in a VPC with the same route table.
+
How Many Routes Can a Route Table Contain?
+Currently, a route table can contain 100 routes.
+
Are There Any Restrictions on Using a Route Table?
+- An ECS providing SNAT must have Unbind IP from MAC enabled.
- The destination of each route in a route table must be unique. The next hop must be a private IP address or a virtual IP address in the VPC. Otherwise, the route table will not take effect.
- If a virtual IP address is set to be the next hop in a route, EIPs bound with the virtual IP address in the VPC will become invalid.
+
Will a Route Table Be Billed?
+The route table function itself is free, but you are charged for the ECSs and bandwidth that you use together with the route table function.
+
Do the Same Routing Priorities Apply to Direct Connect Connections and Custom Routes in the Same VPC?
+No. Direct Connect connections and custom routes are used in different scenarios, so the routing priorities are different.
+
Are There Any Constraints on Using VPC Peering Connections?
+- If two VPCs connected by a VPC peering connection overlap with each other, there will be route conflicts and the VPC peering connection may not be usable.
After a VPC peering connection is created, the ping command can be used to check whether two VPCs can communicate with each other, but cannot be used to check whether the gateway of the peer subnet is connected.
+ - If two VPCs overlap with each other, you can only create a VPC peering connection to enable communication between specific (non-overlapping) subnets in the VPCs. Ensure that the subnets to be peered do not overlap.
- If there are three VPCs, A, B, and C, and VPC A is peered with both VPC B and VPC C, but VPC B and VPC C overlap with each other, you cannot configure routes with the same destinations for VPC A.
- You cannot have more than one VPC peering connection between the same two VPCs at the same time.
- A VPC peering connection between VPCs in different regions will not take effect.
- You cannot use the EIPs in a VPC to access resources in a peered VPC. For example, VPC A is peered with VPC B, and VPC B has EIPs that can be used to access the Internet, you cannot use EIPs in VPC B to access the Internet from VPC A.
- If you request a VPC peering connection with a VPC of another account, the connection takes effect only after the peer account accept the request. If you request a VPC peering connection with a VPC of your own, the system automatically accepts the request and activates the connection.
- To ensure security, do not accept VPC peering connections from unknown accounts.
- The owner either of a VPC in a peering connection can delete the VPC peering connection at any time. If a VPC peering connection is deleted by one of its owners, all information about this connection will also be deleted immediately, including routes added for the VPC peering connection.
- After a VPC peering connection is established, the local and peer accounts must add routes to the route tables of the local and peer VPCs to enable communication between the two VPCs.
- You cannot delete a VPC that has routes configured for a VPC peering connection.
+
Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection?
+- Check whether the VPC IDs are correctly configured for the VPC peering connection.
- Check whether the VPCs have routes that point to the CIDR block of the other VPC.
- Check whether the VPCs have routes that point to the subnet CIDR block of the other VPC if the two VPCs have overlapping CIDR blocks.
- Check whether the VPCs contain overlapping subnets.
- Check whether required security group rules have been configured for the ECSs that need to communicate with each other and whether restriction rules have been added to the iptables or firewalls used by the ECSs.
- If a message indicating that this route already exists is displayed when you add a route for a VPC peering connection, check whether the destination of a VPN, Direct Connect, or VPC peering connection route already exists.
- If the route destination of the VPC peering connection overlaps with that of a Direct Connect or VPN connection, the route may be invalid.
- If VPCs in a VPC peering connection cannot communicate with each other after all these possible faults have been rectified, contact customer service.
+
How Many VPC Peering Connections Can I Create?
+Each account can have a maximum of 50 VPC peering connections in each region by default.
+
+
How Many Routes Can Be Added in a VPC?
+By default, a maximum of 100 routes can be added for a VPC. The routes include custom routes and those added for Direct Connect and VPC peering connections.
+
How Many Firewalls Can I Create?
+You can create up to 200 firewalls. It is recommended that you configure no more than 20 inbound or outbound rules for each firewall. If you configure more than 20 inbound or outbound rules for a firewall, forwarding performance will deteriorate.
+
What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet?
+The priority of an EIP is higher than that of a custom route in a VPC route table. For example:
+
The VPC route table of an ECS has a custom route with 0.0.0.0/0 as the destination and NAT gateway as the next hop.
+
If an ECS in the VPC has an EIP bound, the VPC route table will have a policy-based route with 0.0.0.0/0 as the destination, which has a higher priority than its custom route. In this case, traffic is forwarded to the EIP and cannot reach the NAT gateway.
+
Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified?
+- Security groups are stateful. Responses to outbound traffic are allowed to go in to the instance regardless of inbound security group rules, and vice versa. Security groups use connection tracking to track traffic to and from instances. If a security group rule is added, deleted, or modified, or an instance in the security group is created or deleted, the connection tracking for all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered to be new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and ensure the security of incoming traffic.
- A modified firewall rule will not immediately take effect for its existing connections. It takes about 120 seconds for the new rule to take effect, and traffic will be interrupted during this period. To ensure that the traffic is immediately interrupted after the rule is changed, it is recommended that you configure security group rules.
+
How Can I Delete a Subnet That Is Being Used by Other Resources?
+The VPC service allows you to create private, isolated virtual networks. In a VPC, you can manage private IP address ranges, subnets, route tables, and gateways. ECSs, BMSs, databases, and some applications can use subnets created in VPCs.
+
A subnet cannot be deleted if it is being used by other resources. You must delete all resources in the subnet before you can delete the subnet.
+
You can view all resources of your account on the console homepage and check the resources that are in the subnet you want to delete.
+
The resources may include:
+
- ECS
- BMS
- CCE cluster
- RDS instance
- MRS cluster
- DCS instance
- Load balancer
- VPN
- Private IP address
- Custom route
- NAT gateway
+
How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC?
+Users with IPv6 clients can call APIs to assign IPv6 EIPs and bind the EIPs to ECSs. Then, the users can use the EIP to access the ECSs in the VPC over the Internet.
+
For details, see Floating IP Address (IPv6) > Creating a Floating IP Address in the Virtual Private Cloud API Reference. The NAT64 gateway in the data center will convert the IPv6 EIP to the IPv4 address. (The last 32 bits of the obtained IPv6 EIP is the IPv4 EIP.)
+
After users who use IPv6 clients bind an IPv6 EIP to an ECS, the data flow is shown in Figure 1.
+
Figure 1 IPv6 data flow
+
The IPv6 service has the following restrictions:
+
- ECSs use IPv4 addresses and cannot directly access public IPv6 addresses. Therefore, only public IPv6 addresses can access ECSs. That means ECSs cannot use IPv4 EIPs that are converted from IPv6 address to access the Internet. To enable the ECSs to access the Internet, you must bind IPv4 EIPs to them.
- Data packets from an IPv6 network on the Internet are converted to IPv4 packets on the NAT64 gateway. Both the source IP address and port number will be converted. (The source IP address is invisible.)
- The IPv6 client can access only the EIP and the ELB service.
- Only one EIP (IPv6 or IPv4) can be bound to each NIC.
- You can only make API calls to use an EIP to obtain the IPv6 address. The management console displays only IPv4 addresses.
- The security group function does not apply to IPv6 clients.
- Resources in internal networks on the cloud can access IPv4 addresses converted by NAT64 gateway.
- The public cloud does not provide IP spoofing protection for IPv6 traffic from the Internet.
- Currently, the Anti-DDoS service does not protect IPv6 addresses.
+
Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict?
+Security group rules use the whitelist mechanism. If multiple security group rules conflict, the rules are aggregated to take effect.
+
What Are the Differences Between the Network ID and Subnet ID of a Subnet?
+- The network ID of the subnet is the neutron_network_id in the subnet fields in Subnet > Creating a Subnet in the Virtual Private Cloud API Reference.
Parameter neutron_network_id indicates the network ID (native OpenStack API). This uniquely identifies a subnet on the management console.
+ - The subnet ID of the subnet is the neutron_subnet_id in the subnet fields in Subnet > Creating a Subnet in the Virtual Private Cloud API Reference.
Parameter neutron_subnet_id indicates the subnet ID (native OpenStack API).
+
+
Change History
+
+
Release Date
+ |
+What's New
+ |
+
|---|
+
+2022-06-25
+ |
+Added the following content:
+
+ |
+
+2022-02-15
+ |
+Added the following content:
+
+ |
+
+2021-12-15
+ |
+Modified the following content:
+
+ |
+
+2021-08-25
+ |
+Modified the following content:
+Deleted the content related to the IP address group.
+ |
+
+2021-06-18
+ |
+Modified the following content:
+
+ |
+
+2020-02-25
+ |
+Added the following content:
+
+Modified the following content:
+- Modified the steps in section EIP.
+ |
+
+2020-02-12
+ |
+Added the following content:
+Added description that VPC flow logs support S2 ECSs in section VPC Flow Log.
+ |
+
+2020-01-08
+ |
+Added the following content:
+
+Modified the following content:
+- Added Subnet and VPC as the type of resources whose traffic is to be logged in VPC Flow Log.
+
+Deleted the following content:
+- Deleted section "Deleting a VPN".
+ |
+
+2019-09-10
+ |
+Added the following content:
+
+Deleted the following content:
+- Deleted the concepts of VPN, IPsec VPN, remote gateway, remote subnet, region, and project in section Basic Concepts.
- Deleted the FAQs related to VPN in section FAQs.
+- Deleted the content related to "Configuring a VPC for ECSs That Access the Internet Through a VPN" in section Getting Started.
+Modified the following content:
+
+ |
+
+2019-02-23
+ |
+Added the following content:
+
+ |
+
+2019-02-22
+ |
+Added the following content:
+
+ |
+
+2019-02-15
+ |
+Added the following content:
+
+ |
+
+2019-02-11
+ |
+Deleted the following content:
+
+ |
+
+2019-01-31
+ |
+Accepted in OTC-4.0.
+ |
+
+2019-01-30
+ |
+Modified the following content:
+
+Added the following content:
+
+Deleted the following content:
+
+ |
+
+2018-12-30
+ |
+Modified the following content:
+- Modified the description about how to switch to the security group and firewall pages based on the changes made on the management console.
+Added the following content:
+- Added section Firewall Overview.
- Added section Firewall Configuration Examples.
+ |
+
+2018-11-30
+ |
+Added the following content:
+- Added parameter NTP Server Address to the description about how to create a subnet.
+Modified the following content:
+- Updated the document based on changes made to the firewall console pages.
- Added description about how to delete multiple firewall rules at a time and how to disassociate multiple subnets from a firewall at a time.
- Changed parameter Any to All.
+
+ |
+
+2018-09-18
+ |
+Accepted in OTC-3.2/AGile-09.2018.
+ |
+
+2018-09-06
+ |
+Modified the following content:
+- Modified the content and changed some screenshots in the document based on the latest management console.
+ |
+
+2018-08-30
+ |
+This release incorporates the following change:
+- Added section Adding Instances to and Removing Them from a Security Group.
+ |
+
+2018-07-30
+ |
+This release incorporates the following changes:
+- Optimized the sections related to security groups:
- Added section Replicating a Security Group Rule.
- Added section Modifying a Security Group Rule.
- Modified section Deleting a Security Group Rule and added description about how to delete multiple security group rules at a time.
- Added section Importing and Exporting Security Group Rules.
+ - Modified the VPN sections. The details are as follows:
- Modified the step for switching to the VPN console.
- Deleted sections related to VPNs. An independent VPN user guide will be provided.
- Deleted section VPN Best Practice.
+
+ |
+
+2018-06-30
+ |
+This release incorporates the following changes: - Optimized sections under Product Introduction.
- Optimized sections under Security Group.
- Optimized section Security Group Overview.
+- Optimized section Default Security Groups and Security Group Rules.
- Optimized section Creating a Security Group.
- Optimized section Adding a Security Group Rule.
- Optimized section Fast-Adding Security Group Rules.
- Added security group configuration examples.
- Added section Viewing the Security Group of an ECS.
- Added section Changing the Security Group of an ECS.
+ - Categorized FAQs.
+ |
+
+2018-06-11
+ |
+This release incorporates the following changes:
+- Added section Monitoring.
- Modified tag description.
+ |
+
+2018-05-23
+ |
+Accepted in OTC 3.1.
+ |
+
+2018-04-28
+ |
+This release incorporates the following changes:
+- Added description about VPN tagging.
- Added the IPv6 address description.
- Added section Exporting VPC Information.
- Modified the bandwidth range.
- Modified the VPN modification snapshot.
+ |
+
+2018-03-30
+ |
+This release incorporates the following change:
+Deleted the IPv6 address description.
+ |
+
+2018-02-28
+ |
+This release incorporates the following change:
+Added the description that the security group description can contain a maximum of 128 characters.
+ |
+
+2018-01-30
+ |
+This release incorporates the following changes:
+- Added description about the function of unbinding and releasing EIPs in batches.
- Added description about the function that the negotiation mode of the IKE policy in the VPN can be configured.
- Added the description that the security group description can contain a maximum of 64 characters.
+ |
+
+2017-11-30
+ |
+This release incorporates the following changes:
+- Updated screenshots and steps based on the latest management console pages.
- Added description to indicate that subnets can be created without specifying the AZ.
+ |
+
+2017-10-30
+ |
+This release incorporates the following changes:
+- Added description about the fast security group rule adding function.
- Added ECS security group configuration examples.
+ |
+
+2017-09-30
+ |
+This release incorporates the following changes:
+- Added description to indicate that the peer project ID needs to be configured when a tenant creates a VPC peering connection with the VPC of another tenant.
- Modified description in sections Adding a Security Group Rule and Deleting a Security Group Rule based on changes made to the network console.
+ |
+
+2017-08-30
+ |
+This release incorporates the following changes:
+- Added section Managing Subnet Tags.
- Added description about the VPC, subnet, and EIP tags.
- Added section Security Group Overview.
+ |
+
+2017-07-30
+ |
+This release incorporates the following changes:
+- Added description about how to enable shared SNAT on the management console.
- Added section Managing VPC Tags.
- Added section Managing EIP Tags.
- Changed the number of routes allowed in a route table by default to 100.
- Updated procedures in sections VPC and Subnet and Custom Route based on changes made to the network console.
- Added description about the multi-project feature.
+ |
+
+2017-06-30
+ |
+This release incorporates the following change:
+- Added description about the virtual IP address feature.
+ |
+
+2017-05-30
+ |
+This release incorporates the following change:
+- Added FAQ How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC.
+ |
+
+2017-04-28
+ |
+This release incorporates the following change:
+- Added description about how to add DNS server addresses during subnet information modification.
+ |
+
+2017-03-30
+ |
+This release incorporates the following changes:
+- Added description about the firewall function.
- Added description about the shared SNAT function.
+ |
+
+2017-02-28
+ |
+This release incorporates the following change:
+- Deleted description about the button for disabling the DHCP function.
+ |
+
+2017-02-24
+ |
+This release incorporates the following change:
+- Added description about the VPC peering function.
+ |
+
+2017-01-12
+ |
+This release incorporates the following change:
+- Added description about the custom route table function.
+ |
+
+2016-10-19
+ |
+This release incorporates the following change:
+- Updated the Help Center URL of the VPN service.
+ |
+
+2016-07-15
+ |
+This release incorporates the following changes:
+- Modified the VPN authentication algorithm.
- Optimized the traffic metering function.
+ |
+
+2016-03-14
+ |
+This issue is the first official release.
+ |
+
+
+
+
+
Glossary
+For details about the terms involved in this document, see Glossary.
+
Monitoring
+
+
+
diff --git a/docs/vpc/umn/vpc_monitor02_0001.html b/docs/vpc/umn/vpc_monitor02_0001.html
new file mode 100644
index 000000000..e54a4bf5c
--- /dev/null
+++ b/docs/vpc/umn/vpc_monitor02_0001.html
@@ -0,0 +1,124 @@
+
+
+Supported Metrics
+Description
This section describes the namespace, list, and measurement dimensions of EIP and bandwidth metrics that you can check on Cloud Eye. You can use APIs or the Cloud Eye console to query the metrics of the monitored metrics and alarms generated for EIPs and bandwidths.
+
+
+
Monitoring Metrics
+
Table 1 EIP and bandwidth metricsID
+ |
+Name
+ |
+Description
+ |
+Value Range
+ |
+Monitored Object
+ |
+Monitoring Interval (Raw Data)
+ |
+
|---|
+
+upstream_bandwidth
+ |
+Outbound Bandwidth
+ |
+Network rate of outbound traffic
+Unit: bit/s
+ |
+≥ 0 bit/s
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+downstream_bandwidth
+ |
+Inbound Bandwidth
+ |
+Network rate of inbound traffic
+Unit: bit/s
+ |
+≥ 0 bit/s
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+up_stream
+ |
+Outbound Traffic
+ |
+Network traffic going out of the cloud platform
+Unit: byte
+ |
+≥ 0 bytes
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+down_stream
+ |
+Inbound Traffic
+ |
+Network traffic going into the cloud platform
+Unit: byte
+ |
+≥ 0 bytes
+ |
+Bandwidth or EIP
+ |
+1 minute
+ |
+
+
+
+
+
+
Dimensions
+
Key
+ |
+Value
+ |
+
|---|
+
+publicip_id
+ |
+EIP ID
+ |
+
+bandwidth_id
+ |
+Bandwidth ID
+ |
+
+
+
+
+
If a monitored object has multiple dimensions, all dimensions are mandatory when you use APIs to query the metrics.
- Query a monitoring metric:
dim.0=bandwidth_id,530cd6b0-86d7-4818-837f-935f6a27414d&dim.1=publicip_id,3773b058-5b4f-4366-9035-9bbd9964714a
+ - Query monitoring metrics in batches:
"dimensions": [
+{
+"name": "bandwidth_id",
+"value": "530cd6b0-86d7-4818-837f-935f6a27414d"
+}
+{
+"name": "publicip_id",
+"value": "3773b058-5b4f-4366-9035-9bbd9964714a"
+}
+],
+
+
+
+
+
Viewing Metrics
+Scenarios
View related metrics to see bandwidth and EIP usage information.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Hover on the upper left corner to display Service List and choose Management & Governance > Cloud Eye.
- Click Cloud Service Monitoring on the left of the page, and choose Elastic IP and Bandwidth.
- Locate the row that contains the target bandwidth or EIP and click View Metric in the Operation column to check the bandwidth or EIP monitoring information.
+
+
Creating an Alarm Rule
+Scenarios
You can configure alarm rules to customize the monitored objects and notification policies. You can learn your resource statuses at any time.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Hover on the upper left corner to display Service List and choose Management & Governance > Cloud Eye.
- In the left navigation pane on the left, choose Alarm Management > Alarm Rules.
- On the Alarm Rules page, click Create Alarm Rule and set required parameters, or modify an existing alarm rule.
- After the parameters are set, click Create.
After the alarm rule is created, the system automatically notifies you if an alarm is triggered for the VPC service.
+ For more information about alarm rules, see the Cloud Eye User Guide.
+
+
+
+
Operation Guide (New Console Edition)
+
+
+
diff --git a/docs/vpc/umn/vpc_oldui_0000.html b/docs/vpc/umn/vpc_oldui_0000.html
new file mode 100644
index 000000000..034d85bb3
--- /dev/null
+++ b/docs/vpc/umn/vpc_oldui_0000.html
@@ -0,0 +1,30 @@
+
+
+Operation Guide (Old Console Edition)
+
+
+
diff --git a/docs/vpc/umn/vpc_peering02_0000.html b/docs/vpc/umn/vpc_peering02_0000.html
new file mode 100644
index 000000000..c7e334531
--- /dev/null
+++ b/docs/vpc/umn/vpc_peering02_0000.html
@@ -0,0 +1,31 @@
+
+
+VPC Peering Connection
+
+
+
diff --git a/docs/vpc/umn/vpc_peering02_0001.html b/docs/vpc/umn/vpc_peering02_0001.html
new file mode 100644
index 000000000..15a9da507
--- /dev/null
+++ b/docs/vpc/umn/vpc_peering02_0001.html
@@ -0,0 +1,18 @@
+
+
+VPC Peering Connection Creation Procedure
+A VPC peering connection is a network connection between two VPCs in one region that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same region. You can create a VPC peering connection between your own VPCs, or between your VPC and another account's VPC within the same region. However, you cannot create a VPC peering connection between VPCs in different regions.
+
- Creating a VPC peering connection between VPCs in your account
Figure 1 Creating a VPC peering connection between VPCs in your account
+If you create a VPC peering connection between two VPCs in your account, the system accepts the connection by default. You need to add routes for the local and peer VPCs to enable communication between the two VPCs.
+ - Creating a VPC peering connection with a VPC in another account
Figure 2 Creating a VPC peering connection with a VPC in another account
+If you create a VPC peering connection between your VPC and a VPC that is in another account, the VPC peering connection will be in the Awaiting acceptance state. After the owner of the peer account accepts the connection, the connection status changes to Accepted. The owners of both the local and peer accounts must configure the routes required by the VPC peering connection to enable communication between the two VPCs.
+If the local and peer VPCs have overlapping CIDR blocks, the routes added for the VPC peering connection may become invalid. Before creating a VPC peering connection between two VPCs that have overlapping CIDR blocks, ensure that none of the subnets in the two VPCs overlap. If none of the subnets in the two VPCs overlap, the VPC peering connection you created enables communication between subnets in the two VPCs.
+After a VPC peering connection is created, you can use the ping command to check whether the local network is connected. The ping command cannot be used to check whether the gateway of the peer subnet is connected.
+
+
VPC Peering Connection Configuration Plans
+To enable two VPCs in the same region to communicate with each other, you can create a VPC peering connection between them. The VPC and subnet CIDR blocks must meet the requirements in
Table 1.
+
Table 1 Requirements for VPC and subnet CIDR blocksRequirement
+ |
+Description
+ |
+
|---|
+
+- VPC CIDR blocks do not overlap.
- There are no requirements on subnet CIDR blocks.
+ |
+A VPC peering connection can enable communications between the entire VPC CIDR blocks. The destination of a route is a VPC CIDR block.
+For details, see Route Configurations for Connecting Entire VPCs.
+ |
+
+- VPC CIDR blocks overlap.
- Subnet CIDR blocks connected by a VPC peering connection cannot overlap.
+ |
+A VPC peering connection can enable communications between subnets in the VPCs. The destination of a route is a subnet CIDR block.
+For details, see Route Configurations for Connecting Specific Subnets.
+ |
+
+
+
+
+
+
Route Configurations for Connecting Entire VPCs
- Connections can be:
- Between two VPCs
- Among multiple VPCs
+ - If you need to configure routes that point to entire VPCs, none of the VPCs involved in VPC peering connections can overlap. Otherwise, VPC peering connections will not take effect because the routes will be unreachable.
- The destination of the route that points to an entire VPC is the CIDR block of the peer VPC, and the next hop is the VPC peering connection ID.
+
+
Route Configurations for Connecting Specific Subnets
If VPCs connected by a VPC peering connection have overlapping CIDR blocks, the connection can only enable communications between non-overlapping subnets in the VPCs. If subnets in the two VPCs of a VPC peering connection overlap with each other, the connection will not take effect. When you create a VPC peering connection, ensure that the VPCs involved do not contain overlapping subnets.
+
For example, VPC 1 and VPC 2 have matching CIDR blocks, but the subnets in the two VPCs do not overlap. A VPC peering connection can be created between pairs of subnets that do not overlap with each other. The route table is used to control the specific subnets that the VPC peering connection is created for. Figure 1 shows a VPC peering connection created between two subnets. Routes are required to enable communication between Subnet A in VPC 1 and Subnet X in VPC 2.
+
Figure 1 VPC peering connection between Subnet A and Subnet X
+
Figure 2 shows the routes configured for the VPC peering connection between Subnet A and Subnet X. After the routes are configured, Subnet A and Subnet X can communicate with each other.
+
Figure 2 Route tables for the VPC peering connection between Subnet A and Subnet X
+
If two VPCs have overlapping subnets, a VPC peering connection created between the two subnets will not take effect, and the subnets cannot communicate with each other.
+
As shown in
Figure 3, a VPC peering connection is created between subnet A of VPC1 and subnet X of VPC2. Subnet B of VPC1 and subnet X of VPC2 overlap with each other. If the destination of a route in the route table of VPC1 is set to the CIDR block of subnet X in VPC2, this route will conflict with the system route of subnet B in VPC1. Subnet A preferentially accesses subnet B and the VPC peering connection does not take effect.
Figure 3 Invalid VPC peering connection
+
+
If peering connections are used to link VPC 1 to multiple VPCs, for example, VPC 2, VPC 3, and VPC 4, the subnets of VPC 1 cannot overlap with those of VPC 2, VPC 3, and VPC 4. If VPC 2, VPC 3, and VPC 4 have overlapping subnets, a VPC peering connection can be created between only one of these overlapping subnets and a subnet of VPC 1. If a VPC peering connection is created between a subnet and the other N subnets, none of the subnets can overlap.
+
+
Creating a VPC Peering Connection with Another VPC in Your Account
+Scenarios
To create a VPC peering connection, first create a request to peer with another VPC. You can request a VPC peering connection with another VPC in your account, but the two VPCs must be in the same region. The system automatically accepts the request.
+
+
Prerequisites
Two VPCs in the same region have been created.
+
+
Creating a VPC Peering Connection
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the right pane displayed, click Create VPC Peering Connection.
- Configure parameters as prompted. You must select My account for Account. Table 1 lists the parameters to be configured.
Figure 1 Create VPC Peering Connection
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The name of the VPC peering connection.
+The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_).
+ |
+peering-001
+ |
+
+Local VPC
+ |
+The local VPC. You can select one from the drop-down list.
+ |
+vpc_002
+ |
+
+Local VPC CIDR Block
+ |
+The CIDR block for the local VPC.
+ |
+192.168.10.0/24
+ |
+
+Account
+ |
+The account to which the peer VPC belongs.
+- My account: The VPC peering connection will be created between two VPCs, in the same region, in your account.
- Another account: The VPC peering connection will be created between your VPC and a VPC in another account, in the same region.
+ |
+My account
+ |
+
+Peer Project
+ |
+The peer project name. The project name of the current project is used by default.
+ |
+aaa
+ |
+
+Peer VPC
+ |
+The peer VPC. You can select one from the drop-down list if the VPC peering connection is created between two VPCs in your own account.
+ |
+vpc_fab1
+ |
+
+Peer VPC CIDR Block
+ |
+The CIDR block for the peer VPC.
+The local and peer VPCs cannot have matching or overlapping CIDR blocks. Otherwise, the routes added for the VPC peering connection may not take effect.
+ |
+192.168.2.0/24
+ |
+
+
+
+
- Click OK.
+
+
Adding Routes for the VPC Peering Connection
If you request a VPC peering connection with another VPC in your own account, the system automatically accepts the request. To enable communication between the two VPCs, you need to add local and peer routes for the VPC peering connection.
+
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- Locate the target VPC peering connection in the connection list.
Figure 2 VPC peering connection list
+ - Click the name of the VPC peering connection to switch to the page showing details about the connection.
- In the displayed Local Routes area, click Add Local Route. In the displayed dialog box, add a local route. Table 2 lists the parameters to be configured.
Figure 3 Add Local Route
+
+Table 2 Route parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Destination
+ |
+Specifies the destination address. Set it to the peer VPC or subnet CIDR block.
+ |
+192.168.2.0/24
+ |
+
+Next Hop
+ |
+Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value.
+ |
+d1a7863b-9d5e-4d27-8eaf-ab14d2a9148b
+ |
+
+
+
+
- Click OK to switch to the page showing the VPC peering connection details.
- On the displayed page, click the Peer Routes tab.
- In the displayed Peer Routes area, click Add Peer Route and add a route.
- Click OK.
+
After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the ping command to check whether the two VPCs can communicate with each other.
+
If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection?
+
+
+
Creating a VPC Peering Connection with a VPC in Another Account
+Scenarios
The VPC service also allows you to create a VPC peering connection with a VPC in another account. The two VPCs must be in the same region. If you request a VPC peering connection with a VPC in another account in the same region, the owner of the peer account must accept the request to activate the connection.
+
+
Creating a VPC Peering Connection
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the right pane displayed, click Create VPC Peering Connection.
- Configure parameters as prompted. You must select Another account for Account.
Figure 1 Create VPC Peering Connection
+
+
+Table 1 Parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+Specifies the name of the VPC peering connection.
+The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_).
+ |
+peering-001
+ |
+
+Local VPC
+ |
+Specifies the local VPC. You can select one from the drop-down list.
+ |
+vpc_002
+ |
+
+Account
+ |
+Specifies the account to which the VPC to peer with belongs.
+- My account: The VPC peering connection will be created between two VPCs, in the same region, in your account.
- Another account: The VPC peering connection will be created between your VPC and a VPC in another account, in the same region.
+ |
+Another account
+ |
+
+Peer Project ID
+ |
+This parameter is available only when Another account is selected.
+For details about how to obtain the peer project ID, see Obtaining the Peer Project ID.
+ |
+-
+ |
+
+Peer VPC ID
+ |
+This parameter is available only when Another account is selected.
+For details about how to obtain the peer VPC ID, see Obtaining the Peer VPC ID.
+ |
+65d062b3-40fa-4204-8181-3538f527d2ab
+ |
+
+
+
+
- Click OK.
+
+
Accepting a VPC Peering Connection Request
To request a VPC peering connection with a VPC in another account, the owner of the peer account must accept the request to activate the connection.
+
- The owner of the peer account logs in to the management console.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the VPC peering connection list, locate the row that contains the target VPC peering connection and click Accept Request in the Operation column.
Figure 2 VPC peering connection list
+ - Click Yes in the displayed dialog box.
+
+
Refusing a VPC Peering Connection
The owner of the peer account can reject any VPC peering connection request that they receive. If a VPC peering connection request is rejected, the connection will not be established. You must delete the rejected VPC peering connection request before creating a VPC peering connection between the same VPCs as those in the rejected request.
+
- The owner of the peer account logs in to the management console.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the VPC peering connection list, locate the row that contains the target VPC peering connection and click Reject Request in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Adding Routes for the VPC Peering Connection
If you request a VPC peering connection with a VPC in another account, the owner of the peer account must accept the request. To enable communication between the two VPCs, you need to add routes for the VPC peering connection. The owner of the local account can add only the local route because the owner does not have the required permission to perform operations on the peer VPC. The owner of the peer account must add the peer route. The procedure for adding a local route and a peer route is the same.
+
- Log in to the management console.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- Locate the target VPC peering connection in the connection list.
- Click the name of the VPC peering connection to switch to the page showing details about the connection.
- On the displayed page, click the Local Routes tab.
- In the displayed Local Routes area, click Add Local Route. In the displayed dialog box, add a local route. Table 2 lists the parameters to be configured.
Figure 3 Add Local Route
+
+Table 2 Route parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Destination
+ |
+Specifies the destination address. Set it to the peer VPC or subnet CIDR block.
+ |
+192.168.2.0/24
+ |
+
+Next Hop
+ |
+Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value.
+ |
+d1a7863b-9d5e-4d27-8eaf-ab14d2a9148b
+ |
+
+
+
+
- Click OK.
+
After the VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the ping command to check whether the two VPCs can communicate with each other.
+
If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection?
+
+
Obtaining the Peer Project ID
- The owner of the peer account logs in to the management console.
- Select My Credentials from the username drop-down list.
- On the Projects tab, obtain the required project ID.
+
+
Obtaining the Peer VPC ID
- The owner of the peer account logs in to the management console.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- Click the target VPC name and view VPC ID on the VPC details page.
+
+
Viewing VPC Peering Connections
+Scenarios
The owners of both the local and peer accounts can view information about the created VPC peering connections and those that are still waiting to be accepted.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name.
Figure 1 VPC peering connection list
+ - Click the VPC peering connection name. On the displayed page, view detailed information about the VPC peering connection.
+
+
Modifying a VPC Peering Connection
+Scenarios
The owners of both the local and peer accounts can modify a VPC peering connection in any state. The VPC peering connection name can be changed.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name.
Figure 1 VPC peering connection list
+ - Locate the target VPC peering connection and click Modify in the Operation column. In the displayed dialog box, modify information about the VPC peering connection.
- Click OK.
+
+
Deleting a VPC Peering Connection
+Scenarios
The owners of both the local and peer accounts can delete a VPC peering connection in any state. After a VPC peering connection is deleted, routes configured for the connection will be automatically deleted as well.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name.
Figure 1 VPC peering connection list
+ - Locate the target VPC peering connection and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Viewing Routes Configured for a VPC Peering Connection
+Scenarios
After routes are added for a VPC peering connection, the owners of both the local and peer accounts can view information about the routes on the page showing details about the VPC peering connection.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- Locate the target VPC peering connection in the connection list.
- Click the name of the VPC peering connection to switch to the page showing details about the connection.
- On the displayed page, click the Local Routes tab and view information about the local route added for the VPC peering connection.
- On the page showing details about the VPC peering connection, click the Peer Routes tab and view information about the peer route added for the VPC peering connection.
+
+
Deleting a VPC Peering Route
+Scenarios
After routes are added for a VPC peering connection, the owners of both the local and peer accounts can delete the routes on the page showing details about the peering connection.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- Locate the target VPC peering connection in the connection list.
- Click the name of the VPC peering connection to switch to the page showing details about the connection.
- On the displayed page, click the Local Routes tab and view information about the local route added for the VPC peering connection.
- On the Local Routes page, locate the target local route, and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
- On the page showing details about the VPC peering connection, click the Peer Routes tab and view information about the peer route added for the VPC peering connection.
- On the Peer Routes page, locate the target peer route, and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
VPC Peering Connection
+
+
+
diff --git a/docs/vpc/umn/vpc_peering_0001.html b/docs/vpc/umn/vpc_peering_0001.html
new file mode 100644
index 000000000..01029298d
--- /dev/null
+++ b/docs/vpc/umn/vpc_peering_0001.html
@@ -0,0 +1,15 @@
+
+
+Viewing VPC Peering Connections
+Scenarios
The owners of both the local and peer accounts can view information about the created VPC peering connections and those that are still waiting to be accepted.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name.
Figure 1 VPC peering connection list
+ - Click the VPC peering connection name. On the displayed page, view detailed information about the VPC peering connection.
+
+
Modifying a VPC Peering Connection
+Scenarios
The owners of both the local and peer accounts can modify a VPC peering connection in any state. The VPC peering connection name can be changed.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name.
Figure 1 VPC peering connection list
+ - Locate the target VPC peering connection and click Modify in the Operation column. In the displayed dialog box, modify information about the VPC peering connection.
- Click OK.
+
+
Deleting a VPC Peering Connection
+Scenarios
The owners of both the local and peer accounts can delete a VPC peering connection in any state. After a VPC peering connection is deleted, routes configured for the connection will be automatically deleted as well.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name.
Figure 1 VPC peering connection list
+ - Locate the target VPC peering connection and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Viewing Routes Configured for a VPC Peering Connection
+Scenarios
After routes are added for a VPC peering connection, the owners of both the local and peer accounts can view information about the routes on the page showing details about the VPC peering connection.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click VPC Peering.
- Locate the target VPC peering connection in the connection list.
- Click the name of the VPC peering connection to switch to the page showing details about the connection.
- On the displayed page, click the Local Routes tab and view information about the local route added for the VPC peering connection.
- On the page showing details about the VPC peering connection, click the Peer Routes tab and view information about the peer route added for the VPC peering connection.
+
+
Deleting a VPC Peering Route
+Scenarios
After routes are added for a VPC peering connection, the owners of both the local and peer accounts can delete the routes on the Route Tables page.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the connection list, locate the VPC peering connection that you need to delete routes.
- Click the name of the VPC peering connection to switch to the page showing details about the connection.
- Delete the route added to the route table of the local VPC:
- Click the Local Routes tab and then click the Route Tables hyperlink.
The Summary tab of the default route table for the local VPC is displayed.
+ - Locate the row that contains the route to be deleted and click Delete in the Operation column.
- Click Yes.
+ - Delete the route added to the route table of the peer VPC:
- Click the Peer Routes tab and then click the Route Tables hyperlink.
The Summary tab of the default route table for the peer VPC is displayed.
+ - Locate the row that contains the route to be deleted and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
+
User Permissions
+The cloud system provides two types of user permissions by default: user management and resource management. User management refers to the management of users, user groups, and user group rights. Resource management refers to the control operations that can be performed by users on cloud service resources.
+
For further details, see Permissions.
+
Service Overview
+
+
+
diff --git a/docs/vpc/umn/vpc_qs_0000.html b/docs/vpc/umn/vpc_qs_0000.html
new file mode 100644
index 000000000..1bc143c25
--- /dev/null
+++ b/docs/vpc/umn/vpc_qs_0000.html
@@ -0,0 +1,15 @@
+
+
+Getting Started
+
+
+
diff --git a/docs/vpc/umn/vpc_qs_0002.html b/docs/vpc/umn/vpc_qs_0002.html
new file mode 100644
index 000000000..582837fb1
--- /dev/null
+++ b/docs/vpc/umn/vpc_qs_0002.html
@@ -0,0 +1,16 @@
+
+
+Typical Application Scenarios
+A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.
+
Click 
in the lower right corner of the console to switch between the new and the old consoles. The old edition does not have the function of associating a subnet with a route table.
+
This document provides two sets of operation guides. The "Getting Started" chapter uses the new console edition as an example.
+
+
+
+
Configuring a VPC for ECSs That Do Not Require Internet Access
+
+
+
diff --git a/docs/vpc/umn/vpc_qs_0004.html b/docs/vpc/umn/vpc_qs_0004.html
new file mode 100644
index 000000000..6a4fe9a83
--- /dev/null
+++ b/docs/vpc/umn/vpc_qs_0004.html
@@ -0,0 +1,49 @@
+
+
+Overview
+If your ECSs do not require Internet access or need to access the Internet using IP addresses on the default network (100.64.0.0/11) with limited bandwidth (for example, the ECSs functioning as the database nodes or server nodes for deploying a website), you can follow the procedure shown in Figure 1 to configure a VPC for the ECSs.
+
Figure 1 Configuring the network
+
Table 1 describes the different tasks in the procedure for configuring the network.
+
+
Table 1 Configuration process descriptionTask
+ |
+Description
+ |
+
|---|
+
+Create a VPC.
+ |
+This task is mandatory.
+After the VPC is created, you can create other required network resources in the VPC based on your service requirements.
+ |
+
+Create another subnet for the VPC.
+ |
+This task is optional.
+If the default subnet cannot meet your requirements, you can create one.
+The new subnet is used to assign IP addresses to NICs added to the ECS.
+ |
+
+Create a security group.
+ |
+This task is mandatory.
+You can create a security group and add ECSs in the VPC to the security group to improve ECS access security.
+After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules.
+ |
+
+Add a security group rule.
+ |
+This task is optional.
+If the default rule meets your service requirements, you do not need to add rules to the security group.
+ |
+
+
+
+
+
Step 1: Create a VPC
+Scenarios
A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.
+
You can create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- Click Create VPC.
- On the Create VPC page, set parameters as prompted.
A default subnet will be created together with a VPC and you can also click Add Subnet to create more subnets for the VPC.
+
+Table 1 VPC parameter descriptionsCategory
+ |
+Parameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Basic Information
+ |
+Region
+ |
+Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.
+ |
+eu-de
+ |
+
+Basic Information
+ |
+Name
+ |
+The VPC name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+VPC-001
+ |
+
+Basic Information
+ |
+CIDR Block
+ |
+The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC).
+The following CIDR blocks are supported:
+10.0.0.0/8-24
+172.16.0.0/12-24
+192.168.0.0/16-24
+ |
+192.168.0.0/16
+ |
+
+Default Subnet
+ |
+Name
+ |
+The subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+Default Subnet
+ |
+CIDR Block
+ |
+The CIDR block for the subnet. This value must be within the VPC CIDR block.
+ |
+192.168.0.0/24
+ |
+
+Default Subnet
+ |
+Associated Route Table
+ |
+The default route table to which the subnet will be associated. You can change the route table to a custom route table on the Subnets page.
+ |
+Default
+ |
+
+Default Subnet/Advanced Settings
+ |
+Gateway
+ |
+The gateway address of the subnet.
+ |
+192.168.0.1
+ |
+
+Default Subnet/Advanced Settings
+ |
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+Default Subnet/Advanced Settings
+ |
+NTP Server Address
+ |
+The IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+192.168.2.1
+ |
+
+Default Subnet/Advanced Settings
+ |
+Tag
+ |
+The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet.
+The tag key and value must meet the requirements listed in Table 3.
+ |
+- Key: subnet_key1
- Value: subnet-01
+ |
+
+Default Subnet/Advanced Settings
+ |
+Description
+ |
+Supplementary information about the subnet. This parameter is optional.
+The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
Table 2 VPC tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for the same VPC and can be the same for different VPCs.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc-01
+ |
+
+
+
+
Table 3 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
- Click Create Now.
+
+
Step 2: Create a Subnet for the VPC
+Scenarios
A VPC comes with a default subnet. If the default subnet cannot meet your requirements, you can create one.
+
The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS automatically obtains an IP address using DHCP.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Subnets.
- Click Create Subnet.
The Create Subnet page is displayed.
+ - Set the parameters as prompted.
Figure 1 Create Subnet
+
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+VPC
+ |
+The VPC for which you want to create a subnet.
+ |
+-
+ |
+
+Name
+ |
+The subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+CIDR Block
+ |
+The CIDR block for the subnet. This value must be within the VPC CIDR block.
+ |
+192.168.0.0/24
+ |
+
+Associated Route Table
+ |
+The default route table to which the subnet will be associated. You can change the route table to a custom route table on the Subnets page.
+ |
+Default
+ |
+
+Advanced Settings
+ |
+Two options are available, Default and Custom. You can set Advanced Settings to Custom to configure advanced subnet parameters.
+ |
+-
+ |
+
+Gateway
+
+ |
+The gateway address of the subnet.
+ |
+192.168.0.1
+ |
+
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+NTP Server Address
+ |
+The IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+192.168.2.1
+ |
+
+Tag
+ |
+The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet.
+The tag key and value must meet the requirements listed in Table 2.
+ |
+- Key: subnet_key1
- Value: subnet-01
+ |
+
+
+
+
Table 2 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
- Click OK.
+
+
Precautions
When a subnet is created, there are five reserved IP addresses, which cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved:
+
- 192.168.0.0: Network ID. This address is the beginning of the private IP address range and will not be assigned to any instance.
- 192.168.0.1: Gateway address.
- 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication.
- 192.168.0.254: DHCP service address.
- 192.168.0.255: Network broadcast address.
+
If you configured the default settings under Advanced Settings during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings.
+
+
Step 3: Create a Security Group
+Scenarios
To improve ECS access security, you can create security groups, define security group rules, and add ECSs in a VPC to different security groups. We recommend that you allocate ECSs that have different Internet access policies to different security groups.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click Create Security Group.
- In the Create Security Group area, set the parameters as prompted. Table 1 lists the parameters to be configured.
Figure 1 Create Security Group
+
+
+Table 1 Parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The security group name. This parameter is mandatory.
+The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ NOTE: You can change the security group name after a security group is created. It is recommended that you give each security group a different name.
+
+ |
+sg-318b
+ |
+
+Description
+ |
+Supplementary information about the security group. This parameter is optional.
+The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click OK.
+
+
Step 4: Add a Security Group Rule
+Scenarios
A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC.
+
If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule.
+
- Inbound rules control incoming traffic to cloud resources in the security group.
- Outbound rules control outgoing traffic from cloud resources in the security group.
+
For details about the default security group rules, see Default Security Groups and Security Group Rules. For details about security group rule configuration examples, see Security Group Configuration Examples.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
- On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.
You can click + to add more inbound rules.
+Figure 1 Add Inbound Rule
+
+Table 1 Inbound rule parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Protocol & Port
+
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Source
+ |
+The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ If the source is a security group, this rule will apply to all instances associated with the selected security group.
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- On the Outbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.
You can click + to add more outbound rules.
+Figure 2 Add Outbound Rule
+
+Table 2 Outbound rule parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Protocol & Port
+
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Destination
+ |
+The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click OK.
+
+
Step 1: Create a VPC
+Scenarios
A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.
+
You can create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- Click Create VPC.
- On the Create VPC page, set parameters as prompted.
A default subnet will be created together with a VPC and you can also click Add Subnet to create more subnets for the VPC.
+
+Table 1 VPC parameter descriptionsCategory
+ |
+Parameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Basic Information
+ |
+Region
+ |
+Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.
+ |
+eu-de
+ |
+
+Basic Information
+ |
+Name
+ |
+The VPC name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+VPC-001
+ |
+
+Basic Information
+ |
+CIDR Block
+ |
+The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC).
+The following CIDR blocks are supported:
+10.0.0.0/8-24
+172.16.0.0/12-24
+192.168.0.0/16-24
+ |
+192.168.0.0/16
+ |
+
+Default Subnet
+ |
+Name
+ |
+The subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+Default Subnet
+ |
+CIDR Block
+ |
+The CIDR block for the subnet. This value must be within the VPC CIDR block.
+ |
+192.168.0.0/24
+ |
+
+Default Subnet
+ |
+Associated Route Table
+ |
+The default route table to which the subnet will be associated. You can change the route table to a custom route table on the Subnets page.
+ |
+Default
+ |
+
+Default Subnet/Advanced Settings
+ |
+Gateway
+ |
+The gateway address of the subnet.
+ |
+192.168.0.1
+ |
+
+Default Subnet/Advanced Settings
+ |
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+Default Subnet/Advanced Settings
+ |
+NTP Server Address
+ |
+The IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+192.168.2.1
+ |
+
+Default Subnet/Advanced Settings
+ |
+Tag
+ |
+The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet.
+The tag key and value must meet the requirements listed in Table 3.
+ |
+- Key: subnet_key1
- Value: subnet-01
+ |
+
+Default Subnet/Advanced Settings
+ |
+Description
+ |
+Supplementary information about the subnet. This parameter is optional.
+The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
Table 2 VPC tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for the same VPC and can be the same for different VPCs.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc-01
+ |
+
+
+
+
Table 3 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
- Click Create Now.
+
+
Step 2: Create a Subnet for the VPC
+Scenarios
A VPC comes with a default subnet. If the default subnet cannot meet your requirements, you can create one.
+
The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS automatically obtains an IP address using DHCP.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Subnets.
- Click Create Subnet.
The Create Subnet page is displayed.
+ - Set the parameters as prompted.
Figure 1 Create Subnet
+
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+VPC
+ |
+The VPC for which you want to create a subnet.
+ |
+-
+ |
+
+Name
+ |
+The subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+CIDR Block
+ |
+The CIDR block for the subnet. This value must be within the VPC CIDR block.
+ |
+192.168.0.0/24
+ |
+
+Associated Route Table
+ |
+The default route table to which the subnet will be associated. You can change the route table to a custom route table on the Subnets page.
+ |
+Default
+ |
+
+Advanced Settings
+ |
+Two options are available, Default and Custom. You can set Advanced Settings to Custom to configure advanced subnet parameters.
+ |
+-
+ |
+
+Gateway
+
+ |
+The gateway address of the subnet.
+ |
+192.168.0.1
+ |
+
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+NTP Server Address
+ |
+The IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+192.168.2.1
+ |
+
+Tag
+ |
+The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet.
+The tag key and value must meet the requirements listed in Table 2.
+ |
+- Key: subnet_key1
- Value: subnet-01
+ |
+
+
+
+
Table 2 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
- Click OK.
+
+
Precautions
When a subnet is created, there are five reserved IP addresses, which cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved:
+
- 192.168.0.0: Network ID. This address is the beginning of the private IP address range and will not be assigned to any instance.
- 192.168.0.1: Gateway address.
- 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication.
- 192.168.0.254: DHCP service address.
- 192.168.0.255: Network broadcast address.
+
If you configured the default settings under Advanced Settings during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings.
+
+
Step 3: Assign an EIP and Bind It to an ECS
+Scenarios
You can assign an EIP and bind it to an ECS so that the ECS can access the Internet.
+
EIPs for dedicated load balancers:
- In the eu-de region, if you choose to assign an EIP when you create a dedicated load balancer on the management console or using APIs, EIPs for dedicated load balancers (5_gray) will be assigned.
- Do not bind EIPs of this type to non-dedicated load balancers.
- Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect.
+
+
+
+
Assigning an EIP
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- On the displayed page, click Assign EIP.
- Set the parameters as prompted.
Figure 1 Assign EIP
+
+Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Region
+ |
+Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.
+ |
+eu-de
+ |
+
+EIP Type
+ |
+- Dynamic BGP: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails.
- Mail BGP: EIPs with port 25, 465, or 587 enabled are used.
+The selected EIP type cannot be changed after the EIP is assigned.
+ |
+Dynamic BGP
+ |
+
+Bandwidth
+ |
+The bandwidth size in Mbit/s.
+ |
+100
+ |
+
+Bandwidth Name
+ |
+The name of the bandwidth.
+ |
+bandwidth
+ |
+
+Tag
+ |
+The EIP tags. Each tag contains a key and value pair.
+The tag key and value must meet the requirements listed in Table 2.
+ |
+- Key: Ipv4_key1
- Value: 192.168.12.10
+ |
+
+Quantity
+ |
+The number of EIPs you want to purchase.
+ |
+1
+ |
+
+
+
+
Table 2 EIP tag requirementsParameter
+ |
+Requirement
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each EIP.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+Ipv4_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+192.168.12.10
+ |
+
+
+
+
- Click Create Now.
- Click Submit.
+
+
+
Follow-Up Procedure
After an ECS with an EIP bound is created, the system generates a domain name in the format of ecs-xx-xx-xx-xx.compute.xxx.com for the EIP by default. xx-xx-xx-xx indicates the EIP, and xxx indicates the domain name of the cloud service provider. You can use the domain name to access the ECS.
+
You can use any of the following commands to obtain the domain name of an EIP:
- ping -a EIP
- nslookup [-qt=ptr] EIP
- dig -x EIP
+
+
+
Step 4: Create a Security Group
+Scenarios
To improve ECS access security, you can create security groups, define security group rules, and add ECSs in a VPC to different security groups. We recommend that you allocate ECSs that have different Internet access policies to different security groups.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, click Create Security Group.
- In the Create Security Group area, set the parameters as prompted. Table 1 lists the parameters to be configured.
Figure 1 Create Security Group
+
+
+Table 1 Parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The security group name. This parameter is mandatory.
+The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ NOTE: You can change the security group name after a security group is created. It is recommended that you give each security group a different name.
+
+ |
+sg-318b
+ |
+
+Description
+ |
+Supplementary information about the security group. This parameter is optional.
+The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click OK.
+
+
Step 5: Add a Security Group Rule
+Scenarios
A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC.
+
If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule.
+
- Inbound rules control incoming traffic to cloud resources in the security group.
- Outbound rules control outgoing traffic from cloud resources in the security group.
+
For details about the default security group rules, see Default Security Groups and Security Group Rules. For details about security group rule configuration examples, see Security Group Configuration Examples.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups.
- On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
- On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.
You can click + to add more inbound rules.
+Figure 1 Add Inbound Rule
+
+Table 1 Inbound rule parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Protocol & Port
+
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Source
+ |
+The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ If the source is a security group, this rule will apply to all instances associated with the selected security group.
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- On the Outbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.
You can click + to add more outbound rules.
+Figure 2 Add Outbound Rule
+
+Table 2 Outbound rule parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Protocol & Port
+
+ |
+Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
+ |
+TCP
+ |
+
+Port: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535.
+ |
+22, or 22-30
+ |
+
+Destination
+ |
+The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: - xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (IPv4 address range)
- 0.0.0.0/0 (all IPv4 addresses)
- sg-abc (security group)
+ |
+0.0.0.0/0
+ |
+
+Description
+ |
+Supplementary information about the security group rule. This parameter is optional.
+The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
- Click OK.
+
+
Overview
+If your ECSs need to access the Internet (for example, the ECSs functioning as the service nodes for deploying a website), you can follow the procedure shown in Figure 1 to bind EIPs to the ECSs.
+
Figure 1 Configuring the network
+
Table 1 describes the different tasks in the procedure for configuring the network.
+
+
Table 1 Configuration process descriptionTask
+ |
+Description
+ |
+
|---|
+
+Create a VPC.
+ |
+This task is mandatory.
+A created VPC comes with a default subnet you specified.
+After the VPC is created, you can create other required network resources in the VPC based on your service requirements.
+ |
+
+Create another subnet for the VPC.
+ |
+This task is optional.
+If the default subnet cannot meet your requirements, you can create one.
+The new subnet is used to assign IP addresses to NICs added to the ECS.
+ |
+
+Assign an EIP and bind it to an ECS.
+ |
+This task is mandatory.
+You can assign an EIP and bind it to an ECS so that the ECS can access the Internet.
+ |
+
+Create a security group.
+ |
+This task is mandatory.
+You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules.
+ |
+
+Add a security group rule.
+ |
+This task is optional.
+If the default rule does not meet your service requirements, you can add security group rules.
+ |
+
+
+
+
+
VPC and Other Services
+- ECS
The VPC service provides an isolated virtual network for ECSs. You can configure and manage the network as required. There are multiple connectivity options for ECSs to access the Internet. You can also define rules for communication between ECSs in the same security group or in different security groups.
+ - ELB
ELB uses the EIPs and bandwidths associated with the VPC service.
+ - Cloud Eye
You can use Cloud Eye to monitor the status of your VPCs without adding plug-ins.
+
+
Route Table
+
+
+
diff --git a/docs/vpc/umn/vpc_route02_0001.html b/docs/vpc/umn/vpc_route02_0001.html
new file mode 100644
index 000000000..9fbd86d44
--- /dev/null
+++ b/docs/vpc/umn/vpc_route02_0001.html
@@ -0,0 +1,11 @@
+
+
+Route Table Overview
+A custom route is a user-defined routing rule added to a VPC.
+
Configuring an SNAT Server
+Scenarios
To use the route table function provided by the VPC service, you need to configure SNAT on an ECS to enable other ECSs that do not have EIPs bound in a VPC to access the Internet through this ECS.
+
The configured SNAT takes effect for all subnets in a VPC.
+
+
Prerequisites
- You have an ECS where SNAT is to be configured.
- The ECS where SNAT is to be configured runs the Linux OS.
- The ECS where SNAT is to be configured has only one network interface card (NIC).
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Compute, click Elastic Cloud Server.
- On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details.
- On the displayed ECS details page, click the NICs tab.
- Click the NIC IP address. In the displayed area showing the NIC details, disable the source/destination check function.
By default, the source/destination check is enabled. When this check is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If SNAT is used, the SNAT server needs to forward packets. This mechanism prevents the packet sender from receiving returned packets. Therefore, you need to disable the source/destination check for SNAT servers.
+ - Bind an EIP.
+
- On the ECS console, use the remote login function to log in to the ECS where you plan to configure SNAT.
- Run the following command and enter the password of user root to switch to user root:
su - root
+ - Run the following command to check whether the ECS can successfully connect to the Internet:
Before running the command, you must disable the response iptables rule on the ECS where SNAT is configured and enable the security group rules.
+
+ping www.google.com
+The ECS can access the Internet if the following information is displayed:
[root@localhost ~]# ping www.google.com
+PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data.
+64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms
+64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms
+64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms
+
- Run the following command to check whether IP forwarding of the Linux OS is enabled:
cat /proc/sys/net/ipv4/ip_forward
+In the command output,
1 indicates it is enabled, and
0 indicates it is disabled. The default value is
0.
- If IP forwarding in Linux is enabled, go to step 14.
- If IP forwarding in Linux is disabled, perform step 12 to enable IP forwarding in Linux.
+
Many OSs support packet routing. Before forwarding packets, OSs change source IP addresses in the packets to OS IP addresses. Therefore, the forwarded packets contain the IP address of the public sender so that the response packets can be sent back along the same path to the initial packet sender. This method is called SNAT. The OSs need to keep track of the packets where IP addresses have been changed to ensure that the destination IP addresses in the packets can be rewritten and that packets can be forwarded to the initial packet sender. To achieve these purposes, you need to enable the IP forwarding function and configure SNAT rules.
+ - Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 1, and enter :wq to save the change and exit.
- Run the following command to make the change take effect:
sysctl -p /etc/sysctl.conf
+ - Configure SNAT.
Run the following command to enable all ECSs on the network (for example, 192.168.1.0/24) to access the Internet using the SNAT function: Figure 1 shows the example command.
+iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip
+Figure 1 Configuring SNAT
+ - To ensure that the rule will not be lost after the restart, write the rule into the /etc/rc.local file.
- Run the following command to switch to the /etc/sysctl.conf file:
vi /etc/rc.local
+ - Perform 14 to configure SNAT.
- Run the following command to save the configuration and exit:
:wq
+ - Run the following command to add the execute permission for the rc.local file:
# chmod +x /etc/rc.local
+
+ - To ensure that the configuration takes effect, run the iptables -L command to check whether the configured rules conflict with each other.
+
+ - Run the following command to check whether the operation is successful: If information similar to Figure 2 (for example, 192.168.1.0/24) is displayed, the operation was successful.
iptables -t nat --list
+Figure 2 Verifying configuration
+ - Add a route. For details, see section Adding a Custom Route.
Set the destination to 0.0.0.0/0, and the next hop to the private or virtual IP address of the ECS where SNAT is deployed. For example, the next hop is 192.168.1.4.
+
+
After these operations are complete, if the network communication still fails, check your security group and firewall configuration to see whether required traffic is allowed.
+
+
Adding a Custom Route
+Scenarios
If ECSs in a VPC need to access the Internet, add a custom route to enable the ECSs to access the Internet through an ECS that has an EIP bound.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC to which a route is to be added and click the VPC name.
- On the Route Tables tab, click Add Route.
- Set route details on the displayed page.
- Destination indicates the destination CIDR block. The default value is 0.0.0.0/0. If the traffic originates from a VPC, the destination can be a subnet CIDR block in this VPC. If the traffic originates from outside the VPC, the destination CIDR block cannot conflict with any of the subnet CIDR blocks in this VPC. The destination of each route must be unique.
- Next Hop: indicates the IP address of the next hop. Set it to a private IP address or a virtual IP address in a VPC.
+ If the next hop is a virtual IP address, an EIP must be bound to the virtual IP address. Otherwise, access to the Internet through this virtual IP address is not possible. (A custom route is used to forward traffic from the virtual IP address to the Internet.)
+
+ - Click OK.
+
+
Querying a Route Table
+Scenarios
You can query information about a route table or all route tables.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC that the route to be queried belongs to and click the VPC name.
- View information about a single route or all routes in the route list.
+
+
Modifying a Route
+Scenarios
Change the destination and next hop of the route.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC to which the route to be modified belongs and click the VPC name.
- Click the Route Tables tab. On the displayed page, locate the row that contains the route to be modified, and click Modify in the Operation column. Modify the route information in the displayed dialog box.
- Click OK.
+
+
Deleting a Route
+Scenarios
Delete a route if it is no longer required.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC that the route to be deleted belongs to and click the VPC name.
- Click the Route Tables tab. On the displayed page, locate the row that contains the route to be deleted, and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Route Table
+
+
+
diff --git a/docs/vpc/umn/vpc_route_0004.html b/docs/vpc/umn/vpc_route_0004.html
new file mode 100644
index 000000000..50249f4d6
--- /dev/null
+++ b/docs/vpc/umn/vpc_route_0004.html
@@ -0,0 +1,47 @@
+
+
+Configuring an SNAT Server
+Scenarios
To use the route table function provided by the VPC service, you need to configure SNAT on an ECS to enable other ECSs that do not have EIPs bound in a VPC to access the Internet through this ECS.
+
The configured SNAT takes effect for all subnets in a VPC.
+
+
Prerequisites
- You have an ECS where SNAT is to be configured.
- The ECS where SNAT is to be configured runs the Linux OS.
- The ECS where SNAT is to be configured has only one network interface card (NIC).
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Compute, click Elastic Cloud Server.
- On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details.
- On the displayed ECS details page, click the NICs tab.
- Click the NIC IP address. In the displayed area showing the NIC details, disable the source/destination check function.
By default, the source/destination check is enabled. When this check is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If SNAT is used, the SNAT server needs to forward packets. This mechanism prevents the packet sender from receiving returned packets. Therefore, you need to disable the source/destination check for SNAT servers.
+ - Bind an EIP.
+
- On the ECS console, use the remote login function to log in to the ECS where you plan to configure SNAT.
- Run the following command and enter the password of user root to switch to user root:
su - root
+ - Run the following command to check whether the ECS can successfully connect to the Internet:
Before running the command, you must disable the response iptables rule on the ECS where SNAT is configured and enable the security group rules.
+
+ping www.google.com
+The ECS can access the Internet if the following information is displayed:
[root@localhost ~]# ping www.google.com
+PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data.
+64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms
+64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms
+64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms
+
- Run the following command to check whether IP forwarding of the Linux OS is enabled:
cat /proc/sys/net/ipv4/ip_forward
+In the command output,
1 indicates it is enabled, and
0 indicates it is disabled. The default value is
0.
- If IP forwarding in Linux is enabled, go to step 14.
- If IP forwarding in Linux is disabled, perform step 12 to enable IP forwarding in Linux.
+
Many OSs support packet routing. Before forwarding packets, OSs change source IP addresses in the packets to OS IP addresses. Therefore, the forwarded packets contain the IP address of the public sender so that the response packets can be sent back along the same path to the initial packet sender. This method is called SNAT. The OSs need to keep track of the packets where IP addresses have been changed to ensure that the destination IP addresses in the packets can be rewritten and that packets can be forwarded to the initial packet sender. To achieve these purposes, you need to enable the IP forwarding function and configure SNAT rules.
+ - Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 1, and enter :wq to save the change and exit.
- Run the following command to make the change take effect:
sysctl -p /etc/sysctl.conf
+ - Configure SNAT.
Run the following command to enable all ECSs on the network (for example, 192.168.1.0/24) to access the Internet using the SNAT function: Figure 1 shows the example command.
+iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip
+Figure 1 Configuring SNAT
+ - To ensure that the rule will not be lost after the restart, write the rule into the /etc/rc.local file.
- Run the following command to switch to the /etc/sysctl.conf file:
vi /etc/rc.local
+ - Perform 14 to configure SNAT.
- Run the following command to save the configuration and exit:
:wq
+ - Run the following command to add the execute permission for the rc.local file:
# chmod +x /etc/rc.local
+
+ - To ensure that the configuration takes effect, run the iptables -L command to check whether the configured rules conflict with each other.
+
+ - Run the following command to check whether the operation is successful: If information similar to Figure 2 (for example, 192.168.1.0/24) is displayed, the operation was successful.
iptables -t nat --list
+Figure 2 Verifying configuration
+ - Add a route. For details, see section Adding a Custom Route.
Set the destination to 0.0.0.0/0, and the next hop to the private or virtual IP address of the ECS where SNAT is deployed. For example, the next hop is 192.168.1.4.
+
+
After these operations are complete, if the network communication still fails, check your security group and firewall configuration to see whether required traffic is allowed.
+
+
Creating a Custom Route Table
+Scenarios
You can create a custom route table if you do not want to use the default one.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- In the upper right corner, click Create Route Table. On the displayed page, configure parameters as prompted.
Figure 1 Create Route Table
+
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The name of the route table. This parameter is mandatory.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+rtb-001
+ |
+
+VPC
+ |
+The VPC that the route table belongs to. This parameter is mandatory.
+ |
+vpc-001
+ |
+
+Description
+ |
+Supplementary information about the route table. This parameter is optional.
+The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+-
+ |
+
+Route Settings
+ |
+The route information. This parameter is optional.
+You can add a route when creating the route table or after the route table is created. For details, see Adding a Custom Route.
+You can click + to add more routes.
+ |
+-
+ |
+
+
+
+
+
- Click OK.
A message is displayed. You can determine whether to associate the route table with subnets immediately as prompted. If you want to associate immediately, perform the following operations:
+- Click Associate Subnet. The Associated Subnets page is displayed.
- Click Associate Subnet and select the target subnets to be associated.
- Click OK.
+
+
+
Adding a Custom Route
+Scenarios
Each route table contains a default system route, which indicates that ECSs in a VPC can communicate with each other. You can add custom routes as required to forward the traffic destined for the destination to the specified next hop.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- In the route table list, click the name of the route table to which you want to add a route.
- Click Add Route and set parameters as prompted.
You can click + to add more routes.
+Figure 1 Add Route
+
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Destination
+ |
+The destination CIDR block.
+The destination of each route must be unique. The destination cannot overlap with any subnet CIDR block in the VPC.
+ |
+192.168.0.0/16
+ |
+
+Next Hop Type
+ |
+Set the type of the next hop. For details about the supported resource types, see Table 1.
+ NOTE: When you add a custom route to or modify a custom route in a default route table, the next hop type cannot be set to VPN connection or Direct Connect gateway.
+
+ |
+ECS
+ |
+
+Next Hop
+ |
+Set the next hop. The resources in the drop-down list box are displayed based on the selected next hop type.
+ |
+ecs-001
+ |
+
+Description
+ |
+Supplementary information about the route. This parameter is optional.
+The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+-
+ |
+
+
+
+
+
- Click OK.
+
+
Associating a Subnet with a Route Table
+Scenarios
After a route table is associated with a subnet, the routes in the route table control the routing for the subnet and apply to all cloud resources in the subnet. Determine the impact on services before performing this operation.
+
+
Notes and Constraints
A subnet can only be associated with one route table.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- In the route table list, locate the row that contains the target route table and click Associate Subnet in the Operation column.
- Select the subnet to be associated.
Figure 1 Associate Subnet
+ - Click OK.
+
+
Changing the Route Table Associated with a Subnet
+Scenarios
You can change the route table associated with the subnet to another one in the VPC. If the route table for a subnet is changed, routes in the new route table will apply to all cloud resources in the subnet. Determine the impact on services before performing this operation.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- In the route table list, click the name of the target route table.
- On the Associated Subnets tab page, click Change Route Table in the Operation column and select a new route table as prompted.
- Click OK.
After the route table for a subnet is changed, routes in the new route table will apply to all cloud resources in the subnet.
+
+
+
Viewing a Route Table
+Scenarios
You can view details about a route table.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC that is associated with the route table to be queried and click the VPC name.
- View details about the route table.
+
+
Deleting a Route Table
+Scenarios
You can delete custom route tables but cannot delete the default route table.
+
+
Prerequisites
Before deleting a route table, ensure that no subnet has been associated with the custom route table. If there is an associated subnet, associate the subnet with another route table by clicking Change Route Table and then delete the custom route table.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- In the route table list, locate the row that contains the route table to be deleted and click Delete in the Operation column.
- Click Yes.
+
+
Modifying a Route
+Scenarios
Modify a route.
+
+
Notes and Constraints
- The system route cannot be modified.
- The routes delivered by the VPN, Direct Connect services to the default route table cannot be modified.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- In the route table list, click the name of the target route table.
- Locate the row that contains the route to be modified and click Modify in the Operation column.
- Modify the route information in the displayed dialog box.
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Destination
+ |
+The destination CIDR block.
+The destination of each route must be unique. The destination cannot overlap with any subnet CIDR block in the VPC.
+ |
+192.168.0.0/16
+ |
+
+Next Hop Type
+ |
+Set the type of the next hop. For details about the supported resource types, see Table 1.
+ NOTE: When you add a custom route to or modify a custom route in a default route table, the next hop type cannot be set to VPN connection or Direct Connect gateway.
+
+ |
+ECS
+ |
+
+Next Hop
+ |
+Set the next hop. The resources in the drop-down list box are displayed based on the selected next hop type.
+ |
+ecs-001
+ |
+
+Description
+ |
+Supplementary information about the route. This parameter is optional.
+The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+-
+ |
+
+
+
+
- Click OK.
+
+
Deleting a Route
+Scenarios
Delete a route if it is no longer required.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC that the route to be deleted belongs to and click the VPC name.
- Click the Route Tables tab. On the displayed page, locate the row that contains the route to be deleted, and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Replicating a Route
+Scenarios
You can replicate a created route as required.
+
+
Notes and Constraints
- The routes delivered by the VPN service to the default route table cannot be replicated.
- The routes delivered to the default route table by the Direct Connect service that is enabled by call or email cannot be replicated.
- Black hole routes cannot be replicated.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- In the route table list, locate the row that contains the target route table and click Replicate Route in the Operation column.
- Select the target route table and then the route to be replicated as prompted.
The routes listed on the page are those that do not exist in the target route table. You can select one or more routes to replicate to the target route table.
+ - Click OK.
+
+
Exporting Route Table Information
+Scenarios
Information about all route tables under your account can be exported as an Excel file to a local directory. This file records the name, ID, VPC, type, and number of associated subnets of the route tables.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Under Network, click Virtual Private Cloud.
- In the navigation pane on the left, choose Route Tables.
- On the displayed page, click
in the upper right of the route table list.The system will automatically export information about all route tables under your account in the current region as an Excel file to a local directory.
+
+
+
Security
+
+
+
diff --git a/docs/vpc/umn/vpc_use_0001.html b/docs/vpc/umn/vpc_use_0001.html
new file mode 100644
index 000000000..a24179c69
--- /dev/null
+++ b/docs/vpc/umn/vpc_use_0001.html
@@ -0,0 +1,14 @@
+
+
+Document Usage Instructions
+Instructions for using this document are as follows:
+
- To facilitate your operations, the management console may provide more than one way for you to perform a task or an operation. This document describes only the main way.
- You can click next to some parameter values to quickly edit the values. This document does not describe this function.
- Click
in the lower right corner of the console to switch between the new and the old consoles. The old edition does not have the function of associating a subnet with a route table.This document provides two sets of operation guides. (The "Getting Started" chapter uses the new console edition as an example.)
+
+
Virtual IP Address
+
+
+
diff --git a/docs/vpc/umn/vpc_vip02_0001.html b/docs/vpc/umn/vpc_vip02_0001.html
new file mode 100644
index 000000000..2ffdb3319
--- /dev/null
+++ b/docs/vpc/umn/vpc_vip02_0001.html
@@ -0,0 +1,36 @@
+
+
+Virtual IP Address Overview
+What Is a Virtual IP Address?
A virtual IP address can be shared among multiple ECSs. An ECS can have both private and virtual IP addresses, and you can access the ECS through either IP address. A virtual IP address has the same network access capabilities as a private IP address, including layer 2 and layer 3 communication in VPCs, access between VPCs using VPC peering connections, as well as access through EIPs, VPN connections, and Direct Connect connections.
+
You can bind ECSs deployed in active/standby mode with the same virtual IP address, and then bind an EIP to the virtual IP address. Virtual IP addresses can work together with Keepalived to ensure high availability and disaster recovery. If the active ECS is faulty, the standby ECS automatically takes over services from the active one.
+
+
Networking
Virtual IP addresses are used for high availability and can work together with Keepalived to make active/standby ECS switchover possible. This way if one ECS goes down for some reason, the other one can take over and services continue uninterrupted. ECSs can be configured for HA or as load balancing clusters.
+
- Networking mode 1: HA
If you want to improve service availability and avoid single points of failure, you can deploy ECSs in the active/standby mode or deploy one active ECS and multiple standby ECSs. In this arrangement, the ECSs all use the same virtual IP address. If the active ECS becomes faulty, a standby ECS takes over services from the active ECS and services continue uninterrupted.
+Figure 1 Networking diagram of the HA mode
+- In this configuration, a single virtual IP address is bound to two ECSs in the same subnet.
- Keepalived is then used to configure the two ECSs to work in the active/standby mode. Follow industry standards for configuring Keepalived. The details are not included here.
+ - Networking mode 2: HA load balancing cluster
If you want to build a high-availability load balancing cluster, use Keepalived and configure LVS nodes as direct routers.
+Figure 2 HA load balancing cluster
+- Bind a single virtual IP address to two ECSs.
- Configure the two ECSs as LVS nodes working as direct routers and use Keepalived to configure the nodes in the active/standby mode. The two ECSs will evenly forward requests to different backend servers.
- Configure two more ECSs as backend servers.
- Disable the source/destination check for the two backend servers.
+
Follow industry standards for configuring Keepalived. The details are not included here.
+
+
+
Application Scenarios
- Accessing the virtual IP address through an EIP
If your application has high availability requirements and needs to provide services through the Internet, it is recommended that you bind an EIP to a virtual IP address.
+ - Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP address
To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection. The VPC peering connection is needed so that the VPCs in the same region can communicate with each other.
+
+
+
Precautions
- Virtual IP addresses are not recommended when multiple NICs in the same subnet are configured on an ECS. It is too easy for there to be route conflicts on the ECS, which would cause communication failure using the virtual IP address.
- IP forwarding must be disabled on the standby ECS. Perform the following operations to confirm whether the IP forwarding is disabled on the standby ECS:
- Log in to standby ECS and run the following command to check whether the IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
+In the command output, 1 indicates it is enabled, and 0 indicates it is disabled. The default value is 0.
+- If the command output is 1, perform 2 and 3 to disable the IP forwarding.
- If the command output is 0, no further action is required.
+ - Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 0, and enter :wq to save the change and exit. You can also use the sed command to modify the configuration. A command example is as follows:
sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf
+ - Run the following command to make the change take effect:
sysctl -p /etc/sysctl.conf
+
+ - The virtual IP address can use only the default security group, which cannot be changed to a custom security group.
- It is recommended that no more than eight virtual IP addresses be bound to an ECS.
- It is recommended that no more than 10 ECSs be bound to a virtual IP address.
+
+
Assigning a Virtual IP Address
+Scenarios
If an ECS requires a virtual IP address or if a virtual IP address needs to be reserved, you can assign a virtual IP address from the subnet.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC containing the subnet where a virtual IP address is to be assigned, and click the VPC name.
- On the Subnets tab, click the name of the subnet where a virtual IP address is to be assigned.
- Click the Virtual IP Addresses tab and click Assign Virtual IP Address.
- Select a virtual IP address assignment mode.
- Automatic: The system assigns an IP address automatically.
- Manual: You can specify an IP address.
+ - Select Manual and enter a virtual IP address.
- Click OK.
+
You can then query the assigned virtual IP address in the IP address list.
+
+
Binding a Virtual IP Address to an EIP or ECS
+Scenarios
You can bind a virtual IP address to an EIP so that you can access the ECSs bound with the same virtual IP address from the Internet. These ECSs can work in the active/standby mode to improve fault tolerance.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC containing the virtual IP address and click the VPC name.
- On the Subnets tab, click the name of the subnet that the virtual IP address belongs to.
- Click the Virtual IP Addresses tab.
- To bind a virtual IP address to an EIP, locate the row that contains the virtual IP address and click Bind to EIP in the Operation column.
- To bind a virtual IP address to an ECS, locate the row that contains the virtual IP address and click More > Bind to Server in the Operation column.
+ - Select the desired EIP, or ECS and its NIC.
- If the ECS has multiple NICs, bind the virtual IP address to the primary NIC.
- Multiple virtual IP addresses can be bound to an ECS NIC.
+
+ - Click OK.
- Manually configure the virtual IP address bound to an ECS.
After a virtual IP address is bound to an ECS NIC, you need to manually configure the virtual IP address on the ECS.
+Linux OS (CentOS 7.2 64bit is used as an example.)
- Run the following command to obtain the NIC to which the virtual IP address is to be bound and the connection of the NIC:
nmcli connection
+Information similar to the following is displayed:
+
+The command output in this example is described as follows:
+- eth0 in the DEVICE column indicates the NIC to which the virtual IP address is to be bound.
- Wired connection 1 in the NAME column indicates the connection of the NIC.
+ - Run the following command to add the virtual IP address for the target connection:
nmcli connection modify "CONNECTION" ipv4.addresses VIP
+Configure the parameters as follows:
+- CONNECTION: connection of the NIC obtained in 10.a.
- VIP: virtual IP address to be added.
- If you add multiple virtual IP addresses at a time, separate them with commas (,).
- If a virtual IP address already exists and you need to add a new one, the command must contain both the new and original virtual IP addresses.
+
+Example commands:
- Adding a single virtual IP address: nmcli connection modify "Wired connection 1" ipv4.addresses 172.16.0.125
- Adding multiple virtual IP addresses: nmcli connection modify "Wired connection 1" ipv4.addresses 172.16.0.125,172.16.0.126
+
- Run the following command to make the configuration take effect:
nmcli connection up "CONNECTION"
+In this example, run the following command:
+nmcli connection up "Wired connection 1"
+Information similar to the following is displayed:
+
+ - Run the following command to check whether the virtual IP address has been bound:
ip a
+Information similar to the following is displayed. In the command output, the virtual IP address 172.16.0.125 is bound to NIC eth0.
+
+
+
+Windows OS (Windows Server is used as an example here.)
+- In Control Panel, click Network and Sharing Center, and click the corresponding local connection.
- On the displayed page, click Properties.
- On the Network tab page, select Internet Protocol Version 4 (TCP/IPv4).
- Click Properties.
- Select Use the following IP address and set IP address to the private IP address of the ECS, for example, 10.0.0.101.
Figure 1 Configuring private IP address
+ - Click Advanced.
- On the IP Settings tab, click Add in the IP addresses area.
Add the virtual IP address. For example, 10.0.0.154.
+Figure 2 Configuring virtual IP address
+ - Click OK.
- In the Start menu, open the Windows command line window and run the following command to check whether the virtual IP address has been configured:
ipconfig /all
+In the command output, IPv4 Address is the virtual IP address 10.0.0.154, indicating that the virtual IP address of the ECS NIC has been correctly configured.
+
+
+
+
+
Binding a Virtual IP Address to an EIP
+Scenarios
This section describes how to bind a virtual IP address to an EIP.
+
+
Prerequisites
- You have assigned an EIP.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- Locate the row that contains the EIP to be bound to the virtual IP address, and click Bind in the Operation column.
- In the Bind EIP dialog box, set Instance Type to Virtual IP address.
- In the virtual IP address list, select the virtual IP address to be bound and click OK.
+
+
Using a VPN to Access a Virtual IP Address
+Procedure
- Configure the ECS networking based on Networking.
- Create a VPN.
+
The VPN can be used to access the virtual IP address of the ECS.
+
+
Using a Direct Connect Connection to Access the Virtual IP Address
+Procedure
- Configure the ECS networking based on Networking.
- Create a Direct Connect connection.
+
The created Direct Connect connection can be used to access the virtual IP address of the ECS.
+
+
Using a VPC Peering Connection to Access the Virtual IP Address
+Procedure
- Configure the ECS networking based on Networking.
- Create a VPC peering connection.
+
You can access the virtual IP address of the ECS through the VPC peering connection.
+
+
Disabling Source and Destination Check (HA Load Balancing Cluster Scenario)
+- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Under Compute, click Elastic Cloud Server.
- In the ECS list, click the ECS name.
- On the displayed ECS details page, click the NICs tab.
- Check that Source/Destination Check is disabled.
+
Releasing a Virtual IP Address
+Scenarios
If you no longer need a virtual IP address or a reserved virtual IP address, you can release it to avoid wasting resources.
+
+
Prerequisites
Before deleting a virtual IP address, ensure that the virtual IP address has been unbound from the following resources:
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC containing the subnet from which a virtual IP address is to be released, and click the VPC name.
- On the Subnets tab, click the name of the subnet from which a virtual IP address is to be released.
- Click the Virtual IP Addresses tab, locate the row that contains the virtual IP address to be released, click More in the Operation column, and select Release.
- Click Yes in the displayed dialog box.
+
+
Virtual IP Address
+
+
+
diff --git a/docs/vpc/umn/vpc_vip_0001.html b/docs/vpc/umn/vpc_vip_0001.html
new file mode 100644
index 000000000..3331658e7
--- /dev/null
+++ b/docs/vpc/umn/vpc_vip_0001.html
@@ -0,0 +1,36 @@
+
+
+Virtual IP Address Overview
+What Is a Virtual IP Address?
A virtual IP address can be shared among multiple ECSs. An ECS can have both private and virtual IP addresses, and you can access the ECS through either IP address. A virtual IP address has the same network access capabilities as a private IP address, including layer 2 and layer 3 communication in VPCs, access between VPCs using VPC peering connections, as well as access through EIPs, VPN connections, and Direct Connect connections.
+
You can bind ECSs deployed in active/standby mode with the same virtual IP address, and then bind an EIP to the virtual IP address. Virtual IP addresses can work together with Keepalived to ensure high availability and disaster recovery. If the active ECS is faulty, the standby ECS automatically takes over services from the active one.
+
+
Networking
Virtual IP addresses are used for high availability and can work together with Keepalived to make active/standby ECS switchover possible. This way if one ECS goes down for some reason, the other one can take over and services continue uninterrupted. ECSs can be configured for HA or as load balancing clusters.
+
- Networking mode 1: HA
If you want to improve service availability and avoid single points of failure, you can deploy ECSs in the active/standby mode or deploy one active ECS and multiple standby ECSs. In this arrangement, the ECSs all use the same virtual IP address. If the active ECS becomes faulty, a standby ECS takes over services from the active ECS and services continue uninterrupted.
+Figure 1 Networking diagram of the HA mode
+- In this configuration, a single virtual IP address is bound to two ECSs in the same subnet.
- Keepalived is then used to configure the two ECSs to work in the active/standby mode. Follow industry standards for configuring Keepalived. The details are not included here.
+ - Networking mode 2: HA load balancing cluster
If you want to build a high-availability load balancing cluster, use Keepalived and configure LVS nodes as direct routers.
+Figure 2 HA load balancing cluster
+- Bind a single virtual IP address to two ECSs.
- Configure the two ECSs as LVS nodes working as direct routers and use Keepalived to configure the nodes in the active/standby mode. The two ECSs will evenly forward requests to different backend servers.
- Configure two more ECSs as backend servers.
- Disable the source/destination check for the two backend servers.
+
Follow industry standards for configuring Keepalived. The details are not included here.
+
+
+
Application Scenarios
- Accessing the virtual IP address through an EIP
If your application has high availability requirements and needs to provide services through the Internet, it is recommended that you bind an EIP to a virtual IP address.
+ - Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP address
To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection. The VPC peering connection is needed so that the VPCs in the same region can communicate with each other.
+
+
+
Notes and Constraints
- Virtual IP addresses are not recommended when multiple NICs in the same subnet are configured on an ECS. It is too easy for there to be route conflicts on the ECS, which would cause communication failure using the virtual IP address.
- IP forwarding must be disabled on the standby ECS. Perform the following operations to confirm whether the IP forwarding is disabled on the standby ECS:
- Log in to standby ECS and run the following command to check whether the IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
+In the command output, 1 indicates it is enabled, and 0 indicates it is disabled. The default value is 0.
+- If the command output is 1, perform 2 and 3 to disable the IP forwarding.
- If the command output is 0, no further action is required.
+ - Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 0, and enter :wq to save the change and exit. You can also use the sed command to modify the configuration. A command example is as follows:
sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf
+ - Run the following command to make the change take effect:
sysctl -p /etc/sysctl.conf
+
+ - Each virtual IP address can be bound to only one EIP.
- It is recommended that no more than eight virtual IP addresses be bound to an ECS.
- It is recommended that no more than 10 ECSs be bound to a virtual IP address.
+
+
Assigning a Virtual IP Address
+Scenarios
If an ECS requires a virtual IP address or if a virtual IP address needs to be reserved, you can assign a virtual IP address from the subnet.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC containing the subnet where a virtual IP address is to be assigned, and click the VPC name.
- On the Subnets tab, click the name of the subnet where a virtual IP address is to be assigned.
- Click the Virtual IP Addresses tab and click Assign Virtual IP Address.
- Select a virtual IP address assignment mode.
- Automatic: The system assigns an IP address automatically.
- Manual: You can specify an IP address.
+ - Select Manual and enter a virtual IP address.
- Click OK.
+
You can then query the assigned virtual IP address in the IP address list.
+
+
Binding a Virtual IP Address to an EIP
+Scenarios
This section describes how to bind a virtual IP address to an EIP.
+
+
Prerequisites
- You have assigned an EIP.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Elastic IP.
- Locate the row that contains the EIP to be bound to the virtual IP address, and click Bind in the Operation column.
- In the Bind EIP dialog box, set Instance Type to Virtual IP address.
- In the virtual IP address list, select the virtual IP address to be bound and click OK.
+
+
Using a VPN to Access a Virtual IP Address
+Procedure
- Configure the ECS networking based on Networking.
- Create a VPN.
+
The VPN can be used to access the virtual IP address of the ECS.
+
+
Using a Direct Connect Connection to Access the Virtual IP Address
+Procedure
- Configure the ECS networking based on Networking.
- Create a Direct Connect connection.
+
The created Direct Connect connection can be used to access the virtual IP address of the ECS.
+
+
Using a VPC Peering Connection to Access the Virtual IP Address
+Procedure
- Configure the ECS networking based on Networking.
- Create a VPC peering connection.
+
You can access the virtual IP address of the ECS through the VPC peering connection.
+
+
Disabling Source and Destination Check (HA Load Balancing Cluster Scenario)
+- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Under Compute, click Elastic Cloud Server.
- In the ECS list, click the ECS name.
- On the displayed ECS details page, click the NICs tab.
- Check that Source/Destination Check is disabled.
+
Releasing a Virtual IP Address
+Scenarios
If you no longer need a virtual IP address or a reserved virtual IP address, you can release it to avoid wasting resources.
+
+
Prerequisites
Before deleting a virtual IP address, ensure that the virtual IP address has been unbound from the following resources:
+
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC containing the subnet from which a virtual IP address is to be released, and click the VPC name.
- On the Subnets tab, click the name of the subnet from which a virtual IP address is to be released.
- Click the Virtual IP Addresses tab, locate the row that contains the virtual IP address to be released, click More in the Operation column, and select Release.
- Click Yes in the displayed dialog box.
+
+
VPC and Subnet
+
+
+
diff --git a/docs/vpc/umn/vpc_vpc02_0002.html b/docs/vpc/umn/vpc_vpc02_0002.html
new file mode 100644
index 000000000..17af8fd86
--- /dev/null
+++ b/docs/vpc/umn/vpc_vpc02_0002.html
@@ -0,0 +1,195 @@
+
+
+Creating a VPC
+Scenarios
A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.
+
You can create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- Click Create VPC.
- On the Create VPC page, set parameters as prompted.
A default subnet will be created together with a VPC and you can also click Add Subnet to create more subnets for the VPC.
+
+Table 1 VPC parameter descriptionsCategory
+ |
+Parameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Basic Information
+ |
+Region
+ |
+Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.
+ |
+eu-de
+ |
+
+Basic Information
+ |
+Name
+ |
+The VPC name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+VPC-001
+ |
+
+Basic Information
+ |
+CIDR Block
+ |
+The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC).
+The following CIDR blocks are supported:
+10.0.0.0/8-24
+172.16.0.0/12-24
+192.168.0.0/16-24
+ |
+192.168.0.0/16
+ |
+
+Default Subnet
+ |
+Name
+ |
+The subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+Default Subnet
+ |
+CIDR Block
+ |
+The CIDR block for the subnet. This value must be within the VPC CIDR block.
+ |
+192.168.0.0/24
+ |
+
+Default Subnet
+ |
+Associated Route Table
+ |
+The default route table to which the subnet will be associated. You can change the route table to a custom route table on the Subnets page.
+ |
+Default
+ |
+
+Default Subnet/Advanced Settings
+ |
+Gateway
+ |
+The gateway address of the subnet.
+ |
+192.168.0.1
+ |
+
+Default Subnet/Advanced Settings
+ |
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+Default Subnet/Advanced Settings
+ |
+NTP Server Address
+ |
+The IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+192.168.2.1
+ |
+
+Default Subnet/Advanced Settings
+ |
+Tag
+ |
+The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet.
+The tag key and value must meet the requirements listed in Table 3.
+ |
+- Key: subnet_key1
- Value: subnet-01
+ |
+
+Default Subnet/Advanced Settings
+ |
+Description
+ |
+Supplementary information about the subnet. This parameter is optional.
+The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
+ |
+N/A
+ |
+
+
+
+
Table 2 VPC tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for the same VPC and can be the same for different VPCs.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc-01
+ |
+
+
+
+
Table 3 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
- Click Create Now.
+
+
Modifying a VPC
+Scenarios
Change the VPC name and CIDR block.
+
If the VPC CIDR block conflicts with the CIDR block of a VPN created in the VPC, you can modify its CIDR block.
+
+
Notes and Constraints
- When modifying the VPC CIDR block:
- The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255
- If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks.
+
+
When modifying the VPC CIDR block:
- The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255
- If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks.
+
+
+
Procedure
Modifying the VPC CIDR Block
+
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the row that contains the VPC to be modified and click Edit CIDR Block in the Operation column.
- Set a new CIDR block.
Figure 1 Edit CIDR Block
+ - Click OK.
+
Modifying a VPC
+
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- Modify the basic information about a VPC using either of the following methods :
+
+
+
Creating a Subnet for the VPC
+Scenarios
A VPC comes with a default subnet. If the default subnet cannot meet your requirements, you can create one.
+
The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS automatically obtains an IP address using DHCP.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.
- On the displayed Subnets tab, click Create Subnet.
- Set the parameters as prompted.
Figure 1 Create Subnet
+
+
+Table 1 Parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+Specifies the subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+CIDR Block
+ |
+Specifies the CIDR block for the subnet. This value must be within the VPC CIDR block.
+ |
+192.168.0.0/24
+ |
+
+Gateway
+ |
+Specifies the gateway address of the subnet.
+ |
+192.168.0.1
+ |
+
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+NTP Server Address
+ |
+Specifies the IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+192.168.2.1
+ |
+
+Tag
+ |
+Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet.
+The tag key and value must meet the requirements listed in Table 2.
+ |
+- Key: subnet_key1
- Value: subnet-01
+ |
+
+
+
+
Table 2 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
- Click OK.
+
+
Precautions
When a subnet is created, there are five reserved IP addresses, which cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved:
+
- 192.168.0.0: Network ID. This address is the beginning of the private IP address range and will not be assigned to any instance.
- 192.168.0.1: Gateway address.
- 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication.
- 192.168.0.254: DHCP service address.
- 192.168.0.255: Network broadcast address.
+
If you configured the default settings under Advanced Settings during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings.
+
+
Modifying a Subnet
+Scenarios
Modify the subnet name, NTP server address, and DNS server address.
+
+
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC for which a subnet is to be modified and click the VPC name.
- In the subnet list, locate the target subnet and click Modify. Modify the parameters as prompted.
Figure 1 Modify Subnet
+
+Table 1 Parameter descriptionParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+Specifies the subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+NTP Server Address
+ |
+Specifies the IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ NOTE: - If you add or change the NTP server addresses of a subnet, you need to renew the DHCP lease for or restart all the ECSs in the subnet to make the change take effect immediately.
- If the NTP server addresses have been cleared out, restarting the ECSs will not help. You must renew the DHCP lease for all ECSs to make the change take effect immediately.
+
+ |
+192.168.2.1
+ |
+
+
+
+
- Click OK.
+
+
Deleting a Subnet
+Scenarios
You can delete a subnet to release network resources if the subnet is no longer required.
+
+
Prerequisites
You can delete a subnet only if there are no resources in the subnet. If there are resources in the subnet, you must delete those resources before you can delete the subnet.
+
You can view all resources of your account on the console homepage and check the resources that are in the subnet you want to delete.
+
The resources may include:
+
- ECS
- BMS
- CCE cluster
- RDS instance
- MRS cluster
- DCS instance
- Load balancer
- VPN
- Private IP address
- Custom route
- NAT gateway
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC from which a subnet is to be deleted and click the VPC name.
- On the Subnets page, locate the target subnet and click Delete.
- Click Yes in the displayed dialog box.
+
+
Deleting a VPC
+Scenarios
You can delete a VPC if the VPC is no longer required.
+
You can delete a VPC only if there are no resources in the VPC. If there are resources in the VPC, you must delete those resources before you can delete the VPC.
+
A VPC cannot be deleted if it contains subnets, Direct Connect connections, custom routes, VPC peering connections, or VPNs. To delete the VPC, you must first delete or disable the following resources.
+
+
+
Notes and Constraints
If there are any EIPs or security groups, the last VPC cannot be deleted.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the row that contains the VPC to be deleted and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Managing VPC Tags
+Scenarios
A VPC tag identifies a VPC. Tags can be added to VPCs to facilitate VPC identification and management. You can add a tag to a VPC when creating the VPC, or you can add a tag to a created VPC on the VPC details page. A maximum of 20 tags can be added to each VPC.
+
+
A tag consists of a key and value pair. Table 1 lists the tag key and value requirements.
+
+
Table 1 VPC tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for the same VPC and can be the same for different VPCs.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc-01
+ |
+
+
+
+
+
Procedure
Search for VPCs by tag key and value on the page showing the VPC list.- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- In the upper right corner of the VPC list, click Search by Tag.
- In the displayed area, enter the tag key and value of the VPC you are looking for.
Both the tag key and value must be specified. The system automatically displays the VPCs you are looking for if both the tag key and value are matched.
+ - Click + to add more tag keys and values.
You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed.
+ - Click Search.
The system displays the VPCs you are looking for based on the entered tag keys and values.
+
+
+
Add, delete, edit, and view tags on the Tags tab of a VPC.- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC whose tags are to be managed and click the VPC name.
The page showing details about the particular VPC is displayed.
+ - Click the Tags tab and perform desired operations on tags.
- View tags.
On the Tags tab, you can view details about tags added to the current VPC, including the number of tags and the key and value of each tag.
+ - Add a tag.
Click Add Tag in the upper left corner. In the displayed Add Tag dialog box, enter the tag key and value, and click OK.
+ - Edit a tag.
Locate the row that contains the tag you want to edit and click Edit in the Operation column. In the Edit Tag dialog box, change the tag value and click OK.
+ - Delete a tag.
Locate the row that contains the tag you want to delete, and click Delete in the Operation column. In the displayed dialog box, click Yes.
+
+
+
+
+
Managing Subnet Tags
+Scenarios
A subnet tag identifies a subnet. Tags can be added to subnets to facilitate subnet identification and administration. You can add a tag to a subnet when creating the subnet, or you can add a tag to a created subnet on the subnet details page. A maximum of 20 tags can be added to each subnet.
+
A tag consists of a key and value pair.
Table 1 lists the tag key and value requirements.
+
Table 1 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
+
+
+
Procedure
Search for subnets by tag key and value on the page showing the subnet list.- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - Under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC containing the target subnet and click the VPC name.
- In the upper right corner of the subnet list, click Search by Tag.
- Enter the tag key of the subnet to be queried.
Both the tag key and value must be specified. The system automatically displays the subnets you are looking for if both the tag key and value are matched.
+ - Click + to specify additional tag keys and values.
You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for subnets, the subnets containing all specified tags will be displayed.
+ - Click Search.
The system displays the subnets you are looking for based on the entered tag keys and values.
+
+
+
Add, delete, edit, and view tags on the Tags tab of a subnet.- Log in to the management console.
- Click
in the upper left corner and select the desired region and project. - Under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC containing the target subnet and click the VPC name.
- Click the name of the target subnet.
- On the subnet details page, click the Tags tab and perform desired operations on tags.
- View tags.
On the Tags tab, you can view details about tags added to the current subnet, including the number of tags and the key and value of each tag.
+ - Add a tag.
Click Add Tag in the upper left corner. In the displayed Add Tag dialog box, enter the tag key and value, and click OK.
+ - Edit a tag.
Locate the row that contains the tag to be edited, and click Edit in the Operation column. Enter the new tag key and value, and click OK.
+ - Delete a tag.
Locate the row that contains the tag to be deleted, and click Delete in the Operation column. In the displayed Delete Tag dialog box, click Yes.
+
+
+
+
+
Exporting VPC List
+Scenarios
Information about all VPCs under your account can be exported as an Excel file to a local directory. This file records the names, ID, status, IP address ranges of VPCs, and the number of subnets.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- In the upper right corner of the VPC list, click
.The system will automatically export information about all VPCs under your account in the current region. They will be exported in Excel format.
+
+
+
Modifying a Subnet
+Scenarios
Modify the subnet name, NTP server address, and DNS server address.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Subnets.
- In the subnet list, locate the target subnet and click its name.
- On the subnet details page, modify required parameters.
+
Table 1 Parameter descriptionsParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Name
+ |
+The subnet name.
+The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
+ |
+Subnet
+ |
+
+DNS Server Address
+ |
+By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ |
+100.125.x.x
+ |
+
+NTP Server Address
+ |
+The IP address of the NTP server. This parameter is optional.
+You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added.
+A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).
+ NOTE: - If you add or change the NTP server addresses of a subnet, you need to renew the DHCP lease for or restart all the ECSs in the subnet to make the change take effect immediately.
- If the NTP server addresses have been cleared out, restarting the ECSs will not help. You must renew the DHCP lease for all ECSs to make the change take effect immediately.
+
+ |
+192.168.2.1
+ |
+
+
+
+
- Click OK.
+
+
Deleting a Subnet
+Scenarios
You can delete a subnet to release network resources if the subnet is no longer required.
+
+
Prerequisites
You can delete a subnet only if there are no resources in the subnet. If there are resources in the subnet, you must delete those resources before you can delete the subnet.
+
You can view all resources of your account on the console homepage and check the resources that are in the subnet you want to delete.
+
The resources may include:
+
- ECS
- BMS
- CCE cluster
- RDS instance
- MRS cluster
- DCS instance
- Load balancer
- VPN
- Private IP address
- Custom route
- NAT gateway
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- In the subnet list, locate the row that contains the subnet you want to delete and click Delete in the Operation column.
A confirmation dialog box is displayed.
+ - Click Yes.
+
+
Deleting a VPC
+Scenarios
You can delete a VPC if the VPC is no longer required.
+
You can delete a VPC only if there are no resources in the VPC. If there are resources in the VPC, you must delete those resources before you can delete the VPC.
+
A VPC cannot be deleted if it contains subnets, Direct Connect connections, custom routes, VPC peering connections, or VPNs. To delete the VPC, you must first delete or disable the following resources.
+
+
+
Notes and Constraints
If there are any EIPs or security groups, the last VPC cannot be deleted.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the row that contains the VPC to be deleted and click Delete in the Operation column.
- Click Yes in the displayed dialog box.
+
+
Managing VPC Tags
+Scenarios
A VPC tag identifies a VPC. Tags can be added to VPCs to facilitate VPC identification and management. You can add a tag to a VPC when creating the VPC, or you can add a tag to a created VPC on the VPC details page. A maximum of 20 tags can be added to each VPC.
+
+
A tag consists of a key and value pair. Table 1 lists the tag key and value requirements.
+
+
Table 1 VPC tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for the same VPC and can be the same for different VPCs.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+vpc-01
+ |
+
+
+
+
+
Procedure
Search for VPCs by tag key and value on the page showing the VPC list.- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- In the upper right corner of the VPC list, click Search by Tag.
- In the displayed area, enter the tag key and value of the VPC you are looking for.
Both the tag key and value must be specified. The system automatically displays the VPCs you are looking for if both the tag key and value are matched.
+ - Click + to add more tag keys and values.
You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed.
+ - Click Search.
The system displays the VPCs you are looking for based on the entered tag keys and values.
+
+
+
Add, delete, edit, and view tags on the Tags tab of a VPC.- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- On the Virtual Private Cloud page, locate the VPC whose tags are to be managed and click the VPC name.
The page showing details about the particular VPC is displayed.
+ - Click the Tags tab and perform desired operations on tags.
- View tags.
On the Tags tab, you can view details about tags added to the current VPC, including the number of tags and the key and value of each tag.
+ - Add a tag.
Click Add Tag in the upper left corner. In the displayed Add Tag dialog box, enter the tag key and value, and click OK.
+ - Edit a tag.
Locate the row that contains the tag you want to edit and click Edit in the Operation column. In the Edit Tag dialog box, change the tag value and click OK.
+ - Delete a tag.
Locate the row that contains the tag you want to delete, and click Delete in the Operation column. In the displayed dialog box, click Yes.
+
+
+
+
+
Managing Subnet Tags
+Scenarios
A subnet tag identifies a subnet. Tags can be added to subnets to facilitate subnet identification and administration. You can add a tag to a subnet when creating the subnet, or you can add a tag to a created subnet on the subnet details page. A maximum of 20 tags can be added to each subnet.
+
A tag consists of a key and value pair.
Table 1 lists the tag key and value requirements.
+
Table 1 Subnet tag key and value requirementsParameter
+ |
+Requirements
+ |
+Example Value
+ |
+
|---|
+
+Key
+ |
+- Cannot be left blank.
- Must be unique for each subnet.
- Can contain a maximum of 36 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet_key1
+ |
+
+Value
+ |
+- Can contain a maximum of 43 characters.
- Can contain only the following character types:
- Uppercase letters
- Lowercase letters
- Digits
- Special characters, including hyphens (-) and underscores (_)
+
+ |
+subnet-01
+ |
+
+
+
+
+
+
+
Procedure
Search for subnets by tag key and value on the page showing the subnet list.- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Subnets.
- In the upper right corner of the subnet list, click Search by Tag.
- Enter the tag key of the subnet to be queried.
Both the tag key and value must be specified. The system automatically displays the subnets you are looking for if both the tag key and value are matched.
+ - Click + to add another tag key and value.
You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for subnets, the subnets containing all specified tags will be displayed.
+ - Click Search.
The system displays the subnets you are looking for based on the entered tag keys and values.
+
+
+
Add, delete, edit, and view tags on the Tags tab of a subnet.- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Subnets.
- In the subnet list, locate the target subnet and click its name.
- On the subnet details page, click the Tags tab and perform desired operations on tags.
- View tags.
On the Tags tab, you can view details about tags added to the current subnet, including the number of tags and the key and value of each tag.
+ - Add a tag.
Click Add Tag in the upper left corner. In the displayed Add Tag dialog box, enter the tag key and value, and click OK.
+ - Edit a tag.
Locate the row that contains the tag you want to edit, and click Edit in the Operation column. Enter the new tag key and value, and click OK.
+ - Delete a tag.
Locate the row that contains the tag you want to delete, and click Delete in the Operation column. In the displayed dialog box, click Yes.
+
+
+
+
+
Exporting VPC List
+Scenarios
Information about all VPCs under your account can be exported as an Excel file to a local directory. This file records the names, ID, status, IP address ranges of VPCs, and the number of subnets.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- On the console homepage, under Network, click Virtual Private Cloud.
- In the navigation pane on the left, click Virtual Private Cloud.
- In the upper right corner of the VPC list, click .
The system will automatically export information about all VPCs under your account in the current region. They will be exported in Excel format.
+
+
+
