VPC

Virtual Private Cloud (VPC) is a custom network environment that consists of VPC vRouters and VPC networks. With VPC, enterprise users can build a logically isolated private cloud.

VPC vRouter and VPC Network

VPC consists of VPC vRouters and VPC networks.
  • A VPC vRouter is a virtual router that you can directly create by attaching a vRouter offering. By default, a VPC vRouter has two types of network: public network and management network.
  • A VPC network can be used as a VPC private network, and can be attached to a VPC vRouter.
The VPC network topology is shown in Figure 1.
Figure 1. VPC Network Topology

VPC Features

VPC has the following feature benefits:
  • Flexible network configuration: Different VPC networks can be flexibly attached to the VPC vRouters. You can customize an independent IP range and an independent gateway for each VPC network. VPC vRouters allow you to attach or detach gateways, and also to dynamically configure your route tables and route entries.
  • Secure and reliable isolation: VPC networks in different VPCs are logically isolated. VPC networks support VLAN and VXLAN for logical layer 2 isolation, so VPCs that belong to different accounts do not affect each other.
  • Multi-subnet interconnection: Multiple VPC networks under the same VPC can communicate privately and securely with one another.
  • Network traffic optimization: VPC supports distributed routing, which optimizes east-west network traffic and effectively reduces network latency.
  • VPC vRouter HA: In a VPC vRouter HA group, you can deploy two VPC vRouters in an active-standby configuration. When the active VPC vRouter fails, the standby VPC vRouter automatically takes over, ensuring your business continuity.

VPC Network Service

The VPC network, which acts as a private network, provides a group of network services by using VPC vRouters.
  • DHCP: By default, the VPC network provides distributed DHCP services by using the flat network service module.
  • DNS: A VPC vRouter can act as a DNS server to provide DNS services. The DNS address in a VM instance on the VPC network is the IP address of the VPC vRouter; the VPC vRouter forwards queries to the DNS address that you set.
  • SNAT: A VPC vRouter can provide source network address translation (SNAT) for VM instances, so that the VM instances can access the Internet directly through the vRouter.
  • Route table: Through the route table, you can manage and customize routes.
  • Security group: The security group service is provided by the security group network service module. You can configure and manage firewalls for VM instances by using iptables.
  • Elastic IP address (EIP): You can bind an EIP to a VPC network. Then, the public network can interconnect with the private network of the VM instance.
  • Port forwarding: The port forwarding service allows a public IP address to interconnect with the private IP address of a VM instance. To be more specific, you can create port forwarding rules to allow external networks to reach specific ports of your VM instances.
  • Load balancing: The load balancing service distributes inbound traffic from a public IP address across a group of backend VM instances. The service automatically health-checks the backends and isolates the VM instances that are unavailable.
  • IPsec tunnel: The IPsec tunnel can be used to achieve interconnection between different virtual private networks (VPNs).
  • Dynamic routing: The VPC vRouter supports the Open Shortest Path First (OSPF) routing protocol, which is used to distribute routing information within a single autonomous system.
  • Multicast routing: The VPC vRouter forwards multicast traffic from the multicast source to VM instances, achieving one-to-many communication between the sending side and the receiving sides.
  • VPC firewall: The VPC firewall filters the north-south traffic on the VPC vRouter ports, effectively protecting VPC communication and the VPC vRouter itself.
  • Netflow: The Netflow service monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, two data-flow output formats are supported: Netflow V5 and Netflow V9.

Basic Deployment Procedure of VPC Private Network

  1. Create an L2 public network, and attach it to the corresponding cluster.
  2. Create an L3 public network.
  3. Create an L2 management network, and attach it to the corresponding cluster.
  4. Create an L3 management network, and use it for communicating with the physical resources, such as hosts, primary storage, and backup storage.
  5. Add a vRouter image.
  6. Create a vRouter offering.
  7. Create a VPC vRouter by attaching a vRouter offering. The VPC vRouter can provide a group of network services.
  8. Create an L2 private network, and attach it to the corresponding cluster. Note that the L2 private network is used for creating a VPC L3 network.
  9. Create a VPC L3 network by specifying a VPC vRouter. Note that the IP ranges of VPC networks attached to the same VPC vRouter must not overlap.
  10. Create VM instances by using the VPC network.
Note:
  • If your environment does not allow for separate networks, the management network and the public network can share the same network.
  • For security and stability, we recommend that you deploy the management network independently and isolate it from the public network.
  • When you create a VPC network, you can specify a VPC vRouter. Or, you can attach the VPC vRouter to the VPC network after creating the VPC network.
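The procedure and notes above impose two constraints that are easy to get wrong when a plan is written by hand: VPC networks attached to the same VPC vRouter must not have overlapping IP ranges (step 9), and the management network should not share an L2 network with the public network. The following plan checker is an added example, not ZStack code; it validates such a plan before anything is created. The network names, CIDRs, L2 network names and vRouter names in SAMPLE_PLAN are constructed values, and the "role" field is a label used only by this checker.

```python
"""Pre-deployment checker for a VPC network plan (added example, not ZStack code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class L3Network:
    name: str
    role: str                    # "public", "management" or "vpc" (checker-only label)
    cidr: str                    # IP range of the L3 network
    gateway: str                 # gateway address for the network
    l2: str                      # name of the L2 network it is created on
    vrouter: Optional[str] = None  # VPC vRouter the VPC network is attached to


def gateway_issues(net: L3Network) -> list[str]:
    """The gateway must be a usable host address inside the network's own IP range."""
    try:
        cidr = ipaddress.ip_network(net.cidr, strict=True)
        gw = ipaddress.ip_address(net.gateway)
    except ValueError as exc:
        return [f"{net.name}: invalid address or range ({exc})"]
    if gw not in cidr or gw in (cidr.network_address, cidr.broadcast_address):
        return [f"{net.name}: gateway {net.gateway} is not a usable host address in {net.cidr}"]
    return []


def overlapping_vpc_networks(nets: list[L3Network]) -> list[tuple[str, str]]:
    """Pairs of VPC networks on the same VPC vRouter whose IP ranges overlap (step 9).

    The same range on two different vRouters is allowed: those VPCs are isolated.
    """
    vpc = [n for n in nets if n.role == "vpc" and n.vrouter]
    found = []
    for a, b in combinations(vpc, 2):
        if a.vrouter != b.vrouter:
            continue
        if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
            found.append((a.name, b.name))
    return found


def shared_mgmt_public_l2(nets: list[L3Network]) -> list[str]:
    """L2 networks that carry both a management and a public L3 network."""
    mgmt = {n.l2 for n in nets if n.role == "management"}
    pub = {n.l2 for n in nets if n.role == "public"}
    return sorted(mgmt & pub)


def validate_plan(nets: list[L3Network]) -> list[str]:
    """Collect all findings; overlaps are errors, shared management/public L2 is a warning."""
    issues: list[str] = []
    for n in nets:
        issues.extend(gateway_issues(n))
    for a, b in overlapping_vpc_networks(nets):
        issues.append(f"error: {a} and {b} overlap on the same VPC vRouter")
    for l2 in shared_mgmt_public_l2(nets):
        issues.append(f"warning: management and public networks share L2 network {l2}")
    return issues


# Constructed sample plan: two deliberate problems (vpc-bad overlaps vpc-app on the same
# vRouter; the management network shares the public L2) and one allowed case (vpc-other
# reuses vpc-app's range on a different vRouter).
SAMPLE_PLAN = [
    L3Network("public-l3", "public", "203.0.113.0/24", "203.0.113.1", "l2-public"),
    L3Network("mgmt-l3", "management", "192.0.2.0/24", "192.0.2.1", "l2-public"),
    L3Network("vpc-app", "vpc", "10.10.1.0/24", "10.10.1.1", "l2-private", "vpc-vr-1"),
    L3Network("vpc-db", "vpc", "10.10.2.0/24", "10.10.2.1", "l2-private", "vpc-vr-1"),
    L3Network("vpc-bad", "vpc", "10.10.1.128/25", "10.10.1.129", "l2-private", "vpc-vr-1"),
    L3Network("vpc-other", "vpc", "10.10.1.0/24", "10.10.1.1", "l2-private", "vpc-vr-2"),
]


if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN) or ["plan is clean"]:
        print(line)
```

Run the checker against the plan before creating the L2 and L3 networks in steps 1 to 9; an "error" line means the VPC L3 network cannot be created as planned, while the "warning" line flags the shared management/public network that the notes advise against.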