diff --git a/umn/source/_static/images/en-us_image_0000001117669274.png b/umn/source/_static/images/en-us_image_0000001117669274.png new file mode 100644 index 0000000..76633c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001117669274.png differ diff --git a/umn/source/_static/images/en-us_image_0000001117669524.png b/umn/source/_static/images/en-us_image_0000001117669524.png new file mode 100644 index 0000000..7a8a4ae Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001117669524.png differ diff --git a/umn/source/_static/images/en-us_image_0000001151300782.png b/umn/source/_static/images/en-us_image_0000001151300782.png new file mode 100644 index 0000000..eb1ae9b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001151300782.png differ diff --git a/umn/source/_static/images/en-us_image_0000001163949251.png b/umn/source/_static/images/en-us_image_0000001163949251.png new file mode 100644 index 0000000..c3db78d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001163949251.png differ diff --git a/umn/source/_static/images/en-us_image_0000001166028070.png b/umn/source/_static/images/en-us_image_0000001166028070.png new file mode 100644 index 0000000..fc4cfb7 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001166028070.png differ diff --git a/umn/source/_static/images/en-us_image_0000001179761510.png b/umn/source/_static/images/en-us_image_0000001179761510.png new file mode 100644 index 0000000..a118f82 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001179761510.png differ diff --git a/umn/source/_static/images/en-us_image_0000001197228903.png b/umn/source/_static/images/en-us_image_0000001197228903.png new file mode 100644 index 0000000..6ef66ec Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001197228903.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001197426329.png b/umn/source/_static/images/en-us_image_0000001197426329.png new file mode 100644 index 0000000..eacf181 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001197426329.png differ diff --git a/umn/source/_static/images/en-us_image_0000001206933138.png b/umn/source/_static/images/en-us_image_0000001206933138.png new file mode 100644 index 0000000..452d4e6 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001206933138.png differ diff --git a/umn/source/_static/images/en-us_image_0000001207093220.png b/umn/source/_static/images/en-us_image_0000001207093220.png new file mode 100644 index 0000000..a26a279 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001207093220.png differ diff --git a/umn/source/_static/images/en-us_image_0000001207253746.png b/umn/source/_static/images/en-us_image_0000001207253746.png new file mode 100644 index 0000000..a26a279 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001207253746.png differ diff --git a/umn/source/_static/images/en-us_image_0000001211006359.png b/umn/source/_static/images/en-us_image_0000001211006359.png new file mode 100644 index 0000000..ff5a995 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001211006359.png differ diff --git a/umn/source/_static/images/en-us_image_0000001211445065.png b/umn/source/_static/images/en-us_image_0000001211445065.png new file mode 100644 index 0000000..9d7396e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001211445065.png differ diff --git a/umn/source/_static/images/en-us_image_0000001222749226.png b/umn/source/_static/images/en-us_image_0000001222749226.png new file mode 100644 index 0000000..806c94c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001222749226.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001222749910.png b/umn/source/_static/images/en-us_image_0000001222749910.png new file mode 100644 index 0000000..806c94c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001222749910.png differ diff --git a/umn/source/_static/images/en-us_image_0000001225081545.png b/umn/source/_static/images/en-us_image_0000001225081545.png new file mode 100644 index 0000000..36dbd79 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001225081545.png differ diff --git a/umn/source/_static/images/en-us_image_0000001229959315.png b/umn/source/_static/images/en-us_image_0000001229959315.png new file mode 100644 index 0000000..4c0b0da Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001229959315.png differ diff --git a/umn/source/_static/images/en-us_image_0000001230120807.png b/umn/source/_static/images/en-us_image_0000001230120807.png new file mode 100644 index 0000000..e78ee83 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001230120807.png differ diff --git a/umn/source/_static/images/en-us_image_0000001237013856.png b/umn/source/_static/images/en-us_image_0000001237013856.png new file mode 100644 index 0000000..a8cc681 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001237013856.png differ diff --git a/umn/source/_static/images/en-us_image_0000001237328110.png b/umn/source/_static/images/en-us_image_0000001237328110.png new file mode 100644 index 0000000..7bdebfc Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001237328110.png differ diff --git a/umn/source/_static/images/en-us_image_0000001251773147.png b/umn/source/_static/images/en-us_image_0000001251773147.png new file mode 100644 index 0000000..ef869a0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001251773147.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001267230305.png b/umn/source/_static/images/en-us_image_0000001267230305.png new file mode 100644 index 0000000..806c94c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001267230305.png differ diff --git a/umn/source/_static/images/en-us_image_0000001267350317.png b/umn/source/_static/images/en-us_image_0000001267350317.png new file mode 100644 index 0000000..806c94c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001267350317.png differ diff --git a/umn/source/_static/images/en-us_image_0000001281210233.png b/umn/source/_static/images/en-us_image_0000001281210233.png new file mode 100644 index 0000000..0f4622a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001281210233.png differ diff --git a/umn/source/_static/images/en-us_image_0000001286573614.png b/umn/source/_static/images/en-us_image_0000001286573614.png new file mode 100644 index 0000000..eb1ae9b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286573614.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338933333.png b/umn/source/_static/images/en-us_image_0000001338933333.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338933333.png differ diff --git a/umn/source/_static/images/en-us_image_0093507575.png b/umn/source/_static/images/en-us_image_0093507575.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0093507575.png differ diff --git a/umn/source/_static/images/en-us_image_0118498947.png b/umn/source/_static/images/en-us_image_0118498947.png new file mode 100644 index 0000000..863c101 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0118498947.png differ 
diff --git a/umn/source/_static/images/en-us_image_0118498992.png b/umn/source/_static/images/en-us_image_0118498992.png new file mode 100644 index 0000000..1259f9b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0118498992.png differ diff --git a/umn/source/_static/images/en-us_image_0118499109.png b/umn/source/_static/images/en-us_image_0118499109.png new file mode 100644 index 0000000..98a1a04 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0118499109.png differ diff --git a/umn/source/_static/images/en-us_image_0118499140.png b/umn/source/_static/images/en-us_image_0118499140.png new file mode 100644 index 0000000..e3f8303 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0118499140.png differ diff --git a/umn/source/_static/images/en-us_image_0118499144.png b/umn/source/_static/images/en-us_image_0118499144.png new file mode 100644 index 0000000..218b59b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0118499144.png differ diff --git a/umn/source/_static/images/en-us_image_0122999741.png b/umn/source/_static/images/en-us_image_0122999741.png new file mode 100644 index 0000000..faf01e7 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0122999741.png differ diff --git a/umn/source/_static/images/en-us_image_0129304042.png b/umn/source/_static/images/en-us_image_0129304042.png new file mode 100644 index 0000000..0114f73 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0129304042.png differ diff --git a/umn/source/_static/images/en-us_image_0129473334.png b/umn/source/_static/images/en-us_image_0129473334.png new file mode 100644 index 0000000..9083ba2 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0129473334.png differ 
diff --git a/umn/source/_static/images/en-us_image_0141273034.png b/umn/source/_static/images/en-us_image_0141273034.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0141273034.png differ diff --git a/umn/source/_static/images/en-us_image_0142359884.png b/umn/source/_static/images/en-us_image_0142359884.png new file mode 100644 index 0000000..32461aa Binary files /dev/null and b/umn/source/_static/images/en-us_image_0142359884.png differ diff --git a/umn/source/_static/images/en-us_image_0142360062.png b/umn/source/_static/images/en-us_image_0142360062.png new file mode 100644 index 0000000..f5a39cd Binary files /dev/null and b/umn/source/_static/images/en-us_image_0142360062.png differ diff --git a/umn/source/_static/images/en-us_image_0142360094.png b/umn/source/_static/images/en-us_image_0142360094.png new file mode 100644 index 0000000..0b46392 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0142360094.png differ diff --git a/umn/source/_static/images/en-us_image_0148244691.png b/umn/source/_static/images/en-us_image_0148244691.png new file mode 100644 index 0000000..833927c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0148244691.png differ diff --git a/umn/source/_static/images/en-us_image_0152238989.png b/umn/source/_static/images/en-us_image_0152238989.png new file mode 100644 index 0000000..1efaac3 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0152238989.png differ diff --git a/umn/source/_static/images/en-us_image_0152667656.png b/umn/source/_static/images/en-us_image_0152667656.png new file mode 100644 index 0000000..9723235 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0152667656.png differ 
diff --git a/umn/source/_static/images/en-us_image_0152668782.png b/umn/source/_static/images/en-us_image_0152668782.png new file mode 100644 index 0000000..9b32890 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0152668782.png differ diff --git a/umn/source/_static/images/en-us_image_0152727234.png b/umn/source/_static/images/en-us_image_0152727234.png new file mode 100644 index 0000000..35e2831 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0152727234.png differ diff --git a/umn/source/_static/images/en-us_image_0162329244.png b/umn/source/_static/images/en-us_image_0162329244.png new file mode 100644 index 0000000..a142304 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162329244.png differ diff --git a/umn/source/_static/images/en-us_image_0162332046.png b/umn/source/_static/images/en-us_image_0162332046.png new file mode 100644 index 0000000..b9dc61f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162332046.png differ diff --git a/umn/source/_static/images/en-us_image_0162335382.png b/umn/source/_static/images/en-us_image_0162335382.png new file mode 100644 index 0000000..dddc7ef Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162335382.png differ diff --git a/umn/source/_static/images/en-us_image_0162335561.png b/umn/source/_static/images/en-us_image_0162335561.png new file mode 100644 index 0000000..fb27912 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162335561.png differ diff --git a/umn/source/_static/images/en-us_image_0162335565.png b/umn/source/_static/images/en-us_image_0162335565.png new file mode 100644 index 0000000..fc5a60b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162335565.png differ 
diff --git a/umn/source/_static/images/en-us_image_0162336264.png b/umn/source/_static/images/en-us_image_0162336264.png new file mode 100644 index 0000000..7381018 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162336264.png differ diff --git a/umn/source/_static/images/en-us_image_0162391155.png b/umn/source/_static/images/en-us_image_0162391155.png new file mode 100644 index 0000000..8dc4f6f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162391155.png differ diff --git a/umn/source/_static/images/en-us_image_0162391187.png b/umn/source/_static/images/en-us_image_0162391187.png new file mode 100644 index 0000000..7a75567 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162391187.png differ diff --git a/umn/source/_static/images/en-us_image_0163203842.png b/umn/source/_static/images/en-us_image_0163203842.png new file mode 100644 index 0000000..ae668d9 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0163203842.png differ diff --git a/umn/source/_static/images/en-us_image_0167573711.png b/umn/source/_static/images/en-us_image_0167573711.png new file mode 100644 index 0000000..113f966 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0167573711.png differ diff --git a/umn/source/_static/images/en-us_image_0167839112.png b/umn/source/_static/images/en-us_image_0167839112.png new file mode 100644 index 0000000..754024d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0167839112.png differ diff --git a/umn/source/_static/images/en-us_image_0167840073.png b/umn/source/_static/images/en-us_image_0167840073.png new file mode 100644 index 0000000..6120e8e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0167840073.png differ 
diff --git a/umn/source/_static/images/en-us_image_0173155793.png b/umn/source/_static/images/en-us_image_0173155793.png new file mode 100644 index 0000000..20a33ec Binary files /dev/null and b/umn/source/_static/images/en-us_image_0173155793.png differ diff --git a/umn/source/_static/images/en-us_image_0173155804.png b/umn/source/_static/images/en-us_image_0173155804.png new file mode 100644 index 0000000..64883ba Binary files /dev/null and b/umn/source/_static/images/en-us_image_0173155804.png differ diff --git a/umn/source/_static/images/en-us_image_0173155870.png b/umn/source/_static/images/en-us_image_0173155870.png new file mode 100644 index 0000000..5210081 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0173155870.png differ diff --git a/umn/source/_static/images/en-us_image_0184026531.png b/umn/source/_static/images/en-us_image_0184026531.png new file mode 100644 index 0000000..1303a51 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0184026531.png differ diff --git a/umn/source/_static/images/en-us_image_0185346582.png b/umn/source/_static/images/en-us_image_0185346582.png new file mode 100644 index 0000000..f5a39cd Binary files /dev/null and b/umn/source/_static/images/en-us_image_0185346582.png differ diff --git a/umn/source/_static/images/en-us_image_0191544038.png b/umn/source/_static/images/en-us_image_0191544038.png new file mode 100644 index 0000000..671ce59 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0191544038.png differ diff --git a/umn/source/_static/images/en-us_image_0191577030.png b/umn/source/_static/images/en-us_image_0191577030.png new file mode 100644 index 0000000..0b7d9f0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0191577030.png differ 
diff --git a/umn/source/_static/images/en-us_image_0191588554.png b/umn/source/_static/images/en-us_image_0191588554.png new file mode 100644 index 0000000..26cc55b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0191588554.png differ diff --git a/umn/source/_static/images/en-us_image_0191594527.png b/umn/source/_static/images/en-us_image_0191594527.png new file mode 100644 index 0000000..5ed929e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0191594527.png differ diff --git a/umn/source/_static/images/en-us_image_0194358487.png b/umn/source/_static/images/en-us_image_0194358487.png new file mode 100644 index 0000000..381bf7e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0194358487.png differ diff --git a/umn/source/_static/images/en-us_image_0194358495.png b/umn/source/_static/images/en-us_image_0194358495.png new file mode 100644 index 0000000..0fbd7a2 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0194358495.png differ diff --git a/umn/source/_static/images/en-us_image_0194358504.png b/umn/source/_static/images/en-us_image_0194358504.png new file mode 100644 index 0000000..db13c4f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0194358504.png differ diff --git a/umn/source/_static/images/en-us_image_0209273220.png b/umn/source/_static/images/en-us_image_0209273220.png new file mode 100644 index 0000000..5442e65 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0209273220.png differ diff --git a/umn/source/_static/images/en-us_image_0209583952.png b/umn/source/_static/images/en-us_image_0209583952.png new file mode 100644 index 0000000..0d5e35d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0209583952.png differ 
diff --git a/umn/source/_static/images/en-us_image_0209606948.png b/umn/source/_static/images/en-us_image_0209606948.png new file mode 100644 index 0000000..08c093b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0209606948.png differ diff --git a/umn/source/_static/images/en-us_image_0209608153.png b/umn/source/_static/images/en-us_image_0209608153.png new file mode 100644 index 0000000..ce84b5c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0209608153.png differ diff --git a/umn/source/_static/images/en-us_image_0209608154.png b/umn/source/_static/images/en-us_image_0209608154.png new file mode 100644 index 0000000..f795997 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0209608154.png differ diff --git a/umn/source/_static/images/en-us_image_0211552164.png b/umn/source/_static/images/en-us_image_0211552164.png new file mode 100644 index 0000000..64d89e2 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0211552164.png differ diff --git a/umn/source/_static/images/en-us_image_0211560998.png b/umn/source/_static/images/en-us_image_0211560998.png new file mode 100644 index 0000000..5932315 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0211560998.png differ diff --git a/umn/source/_static/images/en-us_image_0226222517.png b/umn/source/_static/images/en-us_image_0226222517.png new file mode 100644 index 0000000..3322328 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226222517.png differ diff --git a/umn/source/_static/images/en-us_image_0226223279.png b/umn/source/_static/images/en-us_image_0226223279.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226223279.png differ 
diff --git a/umn/source/_static/images/en-us_image_0226788663.png b/umn/source/_static/images/en-us_image_0226788663.png new file mode 100644 index 0000000..a26a279 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226788663.png differ diff --git a/umn/source/_static/images/en-us_image_0226820247.png b/umn/source/_static/images/en-us_image_0226820247.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226820247.png differ diff --git a/umn/source/_static/images/en-us_image_0226820250.png b/umn/source/_static/images/en-us_image_0226820250.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226820250.png differ diff --git a/umn/source/_static/images/en-us_image_0226820252.png b/umn/source/_static/images/en-us_image_0226820252.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226820252.png differ diff --git a/umn/source/_static/images/en-us_image_0226820452.png b/umn/source/_static/images/en-us_image_0226820452.png new file mode 100644 index 0000000..7a75567 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226820452.png differ diff --git a/umn/source/_static/images/en-us_image_0226820455.png b/umn/source/_static/images/en-us_image_0226820455.png new file mode 100644 index 0000000..504d761 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226820455.png differ diff --git a/umn/source/_static/images/en-us_image_0226820459.png b/umn/source/_static/images/en-us_image_0226820459.png new file mode 100644 index 0000000..504d761 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226820459.png differ 
diff --git a/umn/source/_static/images/en-us_image_0226820796.png b/umn/source/_static/images/en-us_image_0226820796.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226820796.png differ diff --git a/umn/source/_static/images/en-us_image_0226829583.png b/umn/source/_static/images/en-us_image_0226829583.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226829583.png differ diff --git a/umn/source/_static/images/en-us_image_0226829586.png b/umn/source/_static/images/en-us_image_0226829586.png new file mode 100644 index 0000000..34aac26 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226829586.png differ diff --git a/umn/source/_static/images/en-us_image_0226829587.png b/umn/source/_static/images/en-us_image_0226829587.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226829587.png differ diff --git a/umn/source/_static/images/en-us_image_0226829589.png b/umn/source/_static/images/en-us_image_0226829589.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226829589.png differ diff --git a/umn/source/_static/images/en-us_image_0226829591.png b/umn/source/_static/images/en-us_image_0226829591.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226829591.png differ diff --git a/umn/source/_static/images/en-us_image_0226829595.png b/umn/source/_static/images/en-us_image_0226829595.png new file mode 100644 index 0000000..6120e8e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0226829595.png differ 
diff --git a/umn/source/_static/images/en-us_image_0233469654.png b/umn/source/_static/images/en-us_image_0233469654.png new file mode 100644 index 0000000..f5a39cd Binary files /dev/null and b/umn/source/_static/images/en-us_image_0233469654.png differ diff --git a/umn/source/_static/images/en-us_image_0239476777.png b/umn/source/_static/images/en-us_image_0239476777.png new file mode 100644 index 0000000..8aadcff Binary files /dev/null and b/umn/source/_static/images/en-us_image_0239476777.png differ diff --git a/umn/source/_static/images/en-us_image_0240332622.png b/umn/source/_static/images/en-us_image_0240332622.png new file mode 100644 index 0000000..f795997 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0240332622.png differ diff --git a/umn/source/_static/images/en-us_image_0275513364.png b/umn/source/_static/images/en-us_image_0275513364.png new file mode 100644 index 0000000..1909444 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0275513364.png differ diff --git a/umn/source/_static/images/en-us_image_0284920908.png b/umn/source/_static/images/en-us_image_0284920908.png new file mode 100644 index 0000000..6ada97c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0284920908.png differ diff --git a/umn/source/_static/images/en-us_image_0284993717.png b/umn/source/_static/images/en-us_image_0284993717.png new file mode 100644 index 0000000..f4b88a2 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0284993717.png differ diff --git a/umn/source/_static/images/en-us_image_0285048674.png b/umn/source/_static/images/en-us_image_0285048674.png new file mode 100644 index 0000000..2d9597b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0285048674.png differ diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst new file mode 100644 index 0000000..62bee9c --- /dev/null +++ b/umn/source/change_history.rst 
@@ -0,0 +1,297 @@ +:original_name: vpc_faq_0103.html + +.. _vpc_faq_0103: + +Change History +============== + ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Release Date | What's New | ++===================================+==================================================================================================================================================================================================================================================================================================================================================+ +| 2022-06-25 | Added the following content: | +| | | +| | - Modified constraints on EIPs dedicated for dedicated load balancers in :ref:`Assigning an EIP and Binding It to an ECS ` (:ref:`Assigning an EIP and Binding It to an ECS `). | +| | - Modified constraints on EIP binding to load balancers in :ref:`Unbinding an EIP from an ECS and Releasing the EIP ` (:ref:`Unbinding an EIP from an ECS and Releasing the EIP `). | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-02-15 | Added the following content: | +| | | +| | - Added constraints on EIPs dedicated for dedicated load balancers in :ref:`Assigning an EIP and Binding It to an ECS ` (:ref:`Assigning an EIP and Binding It to an ECS `). 
| +| | - Added description about the default reverse domain name of an EIP in\ :ref:`Step 3: Assign an EIP and Bind It to an ECS ` and :ref:`Assigning an EIP and Binding It to an ECS `. | +| | - Added constraints on EIPs dedicated for dedicated load balancers in :ref:`Assigning an EIP and Binding It to an ECS ` (:ref:`Assigning an EIP and Binding It to an ECS `) and :ref:`Adding EIPs to a Shared Bandwidth ` (:ref:`Adding EIPs to a Shared Bandwidth `). | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2021-12-15 | Modified the following content: | +| | | +| | - Added description about how to switch between the old and new console editions in :ref:`Document Usage Instructions `. | +| | - Added :ref:`Operation Guide (New Console Edition) ` and :ref:`Operation Guide (Old Console Edition) `. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2021-08-25 | Modified the following content: | +| | | +| | Deleted the content related to the IP address group. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2021-06-18 | Modified the following content: | +| | | +| | - Updated screenshots and deleted the **Bandwidth Type** parameter in :ref:`Step 3: Assign an EIP and Bind It to an ECS ` and :ref:`Assigning an EIP and Binding It to an ECS ` (:ref:`Assigning an EIP and Binding It to an ECS `). | +| | - Updated screenshots in :ref:`Assigning a Shared Bandwidth ` (:ref:`Assigning a Shared Bandwidth `) and :ref:`Modifying a Shared Bandwidth ` (:ref:`Modifying a Shared Bandwidth `). | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2020-02-25 | Added the following content: | +| | | +| | - Added section :ref:`Shared Bandwidth `. | +| | | +| | Modified the following content: | +| | | +| | - Modified the steps in section :ref:`EIP `. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2020-02-12 | Added the following content: | +| | | +| | Added description that VPC flow logs support S2 ECSs in section :ref:`VPC Flow Log `. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2020-01-08 | Added the following content: | +| | | +| | - Added function and namespace description and optimized information in tables in :ref:`Supported Metrics `. | +| | - Added section :ref:`Region and AZ `. | +| | - Added the example of allowing external access to a specified port in the section :ref:`Security Group Configuration Examples `. | +| | | +| | Modified the following content: | +| | | +| | - Added **Subnet** and **VPC** as the type of resources whose traffic is to be logged in :ref:`VPC Flow Log `. | +| | | +| | - Updated screenshots in :ref:`Adding a Security Group Rule ` and :ref:`Fast-Adding Security Group Rules `. | +| | - Optimized figure examples in this document. | +| | - Optimized descriptions in section :ref:`Firewall Configuration Examples `. | +| | - Optimized descriptions in section :ref:`Default Firewall Rules `. | +| | - Changed the position of section :ref:`Security `. | +| | - Optimized :ref:`What Is a Quota? `. | +| | | +| | Deleted the following content: | +| | | +| | - Deleted section "Deleting a VPN". | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-09-10 | Added the following content: | +| | | +| | - Added section :ref:`VPC Flow Log `. 
| +| | | +| | Deleted the following content: | +| | | +| | - Deleted the concepts of VPN, IPsec VPN, remote gateway, remote subnet, region, and project in section :ref:`Basic Concepts `. | +| | - Deleted the FAQs related to VPN in section :ref:`FAQs `. | +| | | +| | - Deleted the content related to "Configuring a VPC for ECSs That Access the Internet Through a VPN" in section :ref:`Getting Started `. | +| | | +| | Modified the following content: | +| | | +| | - Optimized section :ref:`Service Overview ` and added the product advantage description to section :ref:`What Is Virtual Private Cloud? `. | +| | - Added section :ref:`Security Group Configuration Examples `. The security group configuration examples are integrated into one section and the original independent sections are deleted. | +| | - Modified the description about how to switch to the **EIPs** page in section :ref:`EIP `. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-02-23 | Added the following content: | +| | | +| | - Added the description about batch subnet creation in section :ref:`VPC and Subnet `. | +| | - Added precautions about disabling a firewall in section :ref:`Enabling or Disabling a Firewall `. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-02-22 | Added the following content: | +| | | +| | - Added the **Assign EIP** screenshot in section :ref:`Assigning an EIP and Binding It to an ECS `. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-02-15 | Added the following content: | +| | | +| | - Added the Anti-DDoS service restriction in section :ref:`How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC? `. | +| | - Added section :ref:`Modifying a Security Group `. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-02-11 | Deleted the following content: | +| | | +| | - Deleted the console screenshot from section :ref:`Assigning an EIP and Binding It to an ECS `. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-01-31 | Accepted in OTC-4.0. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-01-30 | Modified the following content: | +| | | +| | - Modified the table listing the parameters for creating a VPC in section :ref:`VPC and Subnet `. | +| | - Modified the table listing the parameters for modifying a security group rule in :ref:`Adding a Security Group Rule `. | +| | - Added the link to the default security group rule introduction in section :ref:`Adding a Security Group Rule `. | +| | - Modified the format of the exported file to Excel in sections :ref:`Exporting VPC List ` and :ref:`Importing and Exporting Security Group Rules `. | +| | - Changed the number of characters allowed for the **Description** field to **255** in section :ref:`Creating a Firewall `. | +| | - Modified the steps in section :ref:`Managing EIP Tags `. | +| | - Added the **Monitoring Period** column to the table listing metrics in section :ref:`Supported Metrics `. | +| | - Changed the maximum bandwidth size allowed to 1000 Mbit/s in section :ref:`What Is the Bandwidth Size Range? `. | +| | - Modified the table listing subnet parameters in section :ref:`Modifying a Subnet `. | +| | - Updated the security group description in section :ref:`Security Group `. 
| +| | - Updated the VPC peering connection description in section :ref:`VPC Peering Connection `. | +| | - Updated the firewall description in section :ref:`Firewall `. | +| | - Updated the console screenshots in section :ref:`Adding a Firewall Rule `. | +| | - Updated the console screenshots in section :ref:`Modifying a Firewall Rule `. | +| | | +| | Added the following content: | +| | | +| | - Added section :ref:`Security Group Configuration Examples `. | +| | - Added section :ref:`Route Table Overview `. | +| | - Added section :ref:`Modifying an EIP Bandwidth `. | +| | - Added description about disassociating and releasing multiple EIPs at a time in section :ref:`Unbinding an EIP from an ECS and Releasing the EIP `. | +| | | +| | Deleted the following content: | +| | | +| | - Deleted description about the transitive peering relationships from section :ref:`Are There Any Constraints on Using VPC Peering Connections? `. | +| | - Deleted section **Viewing Routes Configured for a VPC Peering Connection in the VPC Peering Route Table**. | +| | - Deleted section **Deleting a Route from the VPC Peering Route Table**. | +| | - Deleted description about the **Reject** action from section :ref:`Adding a Firewall Rule `. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-12-30 | Modified the following content: | +| | | +| | - Modified the description about how to switch to the security group and firewall pages based on the changes made on the management console. | +| | | +| | Added the following content: | +| | | +| | - Added section **Firewall** **Overview**. | +| | - Added section **Firewall** **Configuration Examples**. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-11-30 | Added the following content: | +| | | +| | - Added parameter **NTP Server Address** to the description about how to create a subnet. | +| | | +| | Modified the following content: | +| | | +| | - Updated the document based on changes made to the firewall console pages. | +| | | +| | - Added description about how to delete multiple firewall rules at a time and how to disassociate multiple subnets from a firewall at a time. | +| | - Changed parameter **Any** to **All**. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-09-18 | Accepted in OTC-3.2/AGile-09.2018. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-09-06 | Modified the following content: | +| | | +| | - Modified the content and changed some screenshots in the document based on the latest management console. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-08-30 | This release incorporates the following change: | +| | | +| | - Added section **Adding Instances to and Removing Them from a Security Group**. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-07-30 | This release incorporates the following changes: | +| | | +| | - Optimized the sections related to security groups: | +| | | +| | - Added section **Replicating a Security Group Rule**. | +| | - Added section **Modifying a Security Group Rule**. | +| | - Modified section **Deleting a Security Group Rule** and added description about how to delete multiple security group rules at a time. | +| | - Added section **Importing and Exporting Security Group Rules**. | +| | | +| | - Modified the VPN sections. The details are as follows: | +| | | +| | - Modified the step for switching to the VPN console. | +| | - Deleted sections related to VPNs. An independent VPN user guide will be provided. | +| | - Deleted section **VPN Best Practice**. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-06-30 | This release incorporates the following changes: | +| | | +| | - Optimized sections under **Product Introduction**. | +| | - Optimized sections under **Security Group**. | +| | | +| | - Optimized section **Security Group Overview**. | +| | | +| | - Optimized section **Default Security Groups and Security Group Rules**. | +| | - Optimized section **Creating a Security Group**. | +| | - Optimized section **Adding a Security Group Rule**. | +| | - Optimized section **Fast-Adding Security Group Rules**. | +| | - Added security group configuration examples. | +| | - Added section **Viewing the Security Group of an ECS**. | +| | - Added section **Changing the Security Group of an ECS**. | +| | | +| | - Categorized FAQs. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-06-11 | This release incorporates the following changes: | +| | | +| | - Added section **Monitoring**. | +| | - Modified tag description. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-05-23 | Accepted in OTC 3.1. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-04-28 | This release incorporates the following changes: | +| | | +| | - Added description about VPN tagging. | +| | - Added the IPv6 address description. | +| | - Added section **Exporting VPC Information**. | +| | - Modified the bandwidth range. | +| | - Modified the VPN modification snapshot. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-03-30 | This release incorporates the following change: | +| | | +| | Deleted the IPv6 address description. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-02-28 | This release incorporates the following change: | +| | | +| | Added the description that the security group description can contain a maximum of 128 characters. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-01-30 | This release incorporates the following changes: | +| | | +| | - Added description about the function of unbinding and releasing EIPs in batches. | +| | - Added description about the function that the negotiation mode of the IKE policy in the VPN can be configured. | +| | - Added the description that the security group description can contain a maximum of 64 characters. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-11-30 | This release incorporates the following changes: | +| | | +| | - Updated screenshots and steps based on the latest management console pages. | +| | - Added description to indicate that subnets can be created without specifying the AZ. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-10-30 | This release incorporates the following changes: | +| | | +| | - Added description about the fast security group rule adding function. | +| | - Added ECS security group configuration examples. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-09-30 | This release incorporates the following changes: | +| | | +| | - Added description to indicate that the peer project ID needs to be configured when a tenant creates a VPC peering connection with the VPC of another tenant. | +| | - Modified description in sections **Adding a Security Group Rule** and **Deleting a Security Group Rule** based on changes made to the network console. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-08-30 | This release incorporates the following changes: | +| | | +| | - Added section **Managing Subnet Tags**. | +| | - Added description about the VPC, subnet, and EIP tags. | +| | - Added section **Security Group Overview**. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-07-30 | This release incorporates the following changes: | +| | | +| | - Added description about how to enable shared SNAT on the management console. | +| | - Added section **Managing VPC Tags**. | +| | - Added section **Managing EIP Tags**. | +| | - Changed the number of routes allowed in a route table by default to **100**. | +| | - Updated procedures in sections **VPC and Subnet** and **Custom Route** based on changes made to the network console. | +| | - Added description about the multi-project feature. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-06-30 | This release incorporates the following change: | +| | | +| | - Added description about the virtual IP address feature. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-05-30 | This release incorporates the following change: | +| | | +| | - Added FAQ **How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC**. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-04-28 | This release incorporates the following change: | +| | | +| | - Added description about how to add DNS server addresses during subnet information modification. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-03-30 | This release incorporates the following changes: | +| | | +| | - Added description about the firewall function. | +| | - Added description about the shared SNAT function. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-02-28 | This release incorporates the following change: | +| | | +| | - Deleted description about the button for disabling the DHCP function. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-02-24 | This release incorporates the following change: | +| | | +| | - Added description about the VPC peering function. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2017-01-12 | This release incorporates the following change: | +| | | +| | - Added description about the custom route table function. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2016-10-19 | This release incorporates the following change: | +| | | +| | - Updated the Help Center URL of the VPN service. 
| ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2016-07-15 | This release incorporates the following changes: | +| | | +| | - Modified the VPN authentication algorithm. | +| | - Optimized the traffic metering function. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2016-03-14 | This issue is the first official release. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/faqs/bandwidth/index.rst b/umn/source/faqs/bandwidth/index.rst new file mode 100644 index 0000000..6c4f6eb --- /dev/null +++ b/umn/source/faqs/bandwidth/index.rst 
@@ -0,0 +1,18 @@ +:original_name: faq_bandwidth.html + +.. _faq_bandwidth: + +Bandwidth +========= + +- :ref:`What Bandwidth Types Are Available? ` +- :ref:`What Are the Differences Between a Dedicated Bandwidth and a Shared Bandwidth? Can a Dedicated Bandwidth Be Changed to a Shared Bandwidth or the Other Way Around? ` +- :ref:`What Is the Bandwidth Size Range? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + what_bandwidth_types_are_available + what_are_the_differences_between_a_dedicated_bandwidth_and_a_shared_bandwidth_can_a_dedicated_bandwidth_be_changed_to_a_shared_bandwidth_or_the_other_way_around + what_is_the_bandwidth_size_range diff --git a/umn/source/faqs/bandwidth/what_are_the_differences_between_a_dedicated_bandwidth_and_a_shared_bandwidth_can_a_dedicated_bandwidth_be_changed_to_a_shared_bandwidth_or_the_other_way_around.rst b/umn/source/faqs/bandwidth/what_are_the_differences_between_a_dedicated_bandwidth_and_a_shared_bandwidth_can_a_dedicated_bandwidth_be_changed_to_a_shared_bandwidth_or_the_other_way_around.rst new file mode 100644 index 0000000..769141c --- /dev/null +++ b/umn/source/faqs/bandwidth/what_are_the_differences_between_a_dedicated_bandwidth_and_a_shared_bandwidth_can_a_dedicated_bandwidth_be_changed_to_a_shared_bandwidth_or_the_other_way_around.rst 
@@ -0,0 +1,15 @@ +:original_name: faq_bandwidth_0003.html + +.. _faq_bandwidth_0003: + +What Are the Differences Between a Dedicated Bandwidth and a Shared Bandwidth? Can a Dedicated Bandwidth Be Changed to a Shared Bandwidth or the Other Way Around? +================================================================================================================================================================== + +Dedicated bandwidth: The bandwidth can only be used by one EIP and the EIP can only be used by one cloud resource, such as an ECS, a NAT gateway, or a load balancer. + +Shared bandwidth: The bandwidth can be shared by multiple EIPs. Adding an EIP to or removing an EIP from a shared bandwidth does not affect your workloads. + +A dedicated bandwidth cannot be changed to a shared bandwidth or the other way around. You can purchase a shared bandwidth for your EIPs. + +- After you add an EIP to a shared bandwidth, the EIP will use the shared bandwidth. +- After you remove an EIP from a shared bandwidth, the EIP will use the dedicated bandwidth. diff --git a/umn/source/faqs/bandwidth/what_bandwidth_types_are_available.rst b/umn/source/faqs/bandwidth/what_bandwidth_types_are_available.rst new file mode 100644 index 0000000..7df0e75 --- /dev/null +++ b/umn/source/faqs/bandwidth/what_bandwidth_types_are_available.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0012.html + +.. _vpc_faq_0012: + +What Bandwidth Types Are Available? +=================================== + +There are dedicated bandwidth and shared bandwidth. A dedicated bandwidth can only be used by one EIP, but a shared bandwidth can be used by multiple EIPs. diff --git a/umn/source/faqs/bandwidth/what_is_the_bandwidth_size_range.rst b/umn/source/faqs/bandwidth/what_is_the_bandwidth_size_range.rst new file mode 100644 index 0000000..99e5e2d --- /dev/null +++ b/umn/source/faqs/bandwidth/what_is_the_bandwidth_size_range.rst 
@@ -0,0 +1,8 @@ +:original_name: vpc_faq_0011.html + +.. _vpc_faq_0011: + +What Is the Bandwidth Size Range? +================================= + +The bandwidth range is from 1 Mbit/s to 1,000 Mbit/s. diff --git a/umn/source/faqs/connectivity/are_there_any_constraints_on_using_vpc_peering_connections.rst b/umn/source/faqs/connectivity/are_there_any_constraints_on_using_vpc_peering_connections.rst new file mode 100644 index 0000000..8cc5623 --- /dev/null +++ b/umn/source/faqs/connectivity/are_there_any_constraints_on_using_vpc_peering_connections.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_faq_0068.html + +.. _vpc_faq_0068: + +Are There Any Constraints on Using VPC Peering Connections? +=========================================================== + +- If two VPCs connected by a VPC peering connection overlap with each other, there will be route conflicts and the VPC peering connection may not be usable. + + After a VPC peering connection is created, the ping command can be used to check whether two VPCs can communicate with each other, but cannot be used to check whether the gateway of the peer subnet is connected. + +- If two VPCs overlap with each other, you can only create a VPC peering connection to enable communication between specific (non-overlapping) subnets in the VPCs. Ensure that the subnets to be peered do not overlap. + +- If there are three VPCs, A, B, and C, and VPC A is peered with both VPC B and VPC C, but VPC B and VPC C overlap with each other, you cannot configure routes with the same destinations for VPC A. + +- You cannot have more than one VPC peering connection between the same two VPCs at the same time. + +- A VPC peering connection between VPCs in different regions will not take effect. + +- You cannot use the EIPs in a VPC to access resources in a peered VPC. For example, VPC A is peered with VPC B, and VPC B has EIPs that can be used to access the Internet, you cannot use EIPs in VPC B to access the Internet from VPC A. + +- If you request a VPC peering connection with a VPC of another account, the connection takes effect only after the peer account accept the request. If you request a VPC peering connection with a VPC of your own, the system automatically accepts the request and activates the connection. + +- To ensure security, do not accept VPC peering connections from unknown accounts. + +- The owner either of a VPC in a peering connection can delete the VPC peering connection at any time. 
If a VPC peering connection is deleted by one of its owners, all information about this connection will also be deleted immediately, including routes added for the VPC peering connection. + +- After a VPC peering connection is established, the local and peer accounts must add routes to the route tables of the local and peer VPCs to enable communication between the two VPCs. + +- You cannot delete a VPC that has routes configured for a VPC peering connection. diff --git a/umn/source/faqs/connectivity/does_a_vpn_allow_communication_between_two_vpcs.rst b/umn/source/faqs/connectivity/does_a_vpn_allow_communication_between_two_vpcs.rst new file mode 100644 index 0000000..3948f81 --- /dev/null +++ b/umn/source/faqs/connectivity/does_a_vpn_allow_communication_between_two_vpcs.rst @@ -0,0 +1,10 @@ +:original_name: vpc_faq_0058.html + +.. _vpc_faq_0058: + +Does a VPN Allow Communication Between Two VPCs? +================================================ + +If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them. + +If the two VPCs are in different regions, you can use a VPN to enable communication between the VPCs. The CIDR blocks of the two VPCs are the local and remote subnets, respectively. diff --git a/umn/source/faqs/connectivity/how_does_an_ipv6_client_on_the_internet_access_the_ecs_that_has_an_eip_bound_in_a_vpc.rst b/umn/source/faqs/connectivity/how_does_an_ipv6_client_on_the_internet_access_the_ecs_that_has_an_eip_bound_in_a_vpc.rst new file mode 100644 index 0000000..1edcf79 --- /dev/null +++ b/umn/source/faqs/connectivity/how_does_an_ipv6_client_on_the_internet_access_the_ecs_that_has_an_eip_bound_in_a_vpc.rst 
@@ -0,0 +1,32 @@ +:original_name: vpc_faq_0076.html + +.. _vpc_faq_0076: + +How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC? +====================================================================================== + +Users with IPv6 clients can call APIs to assign IPv6 EIPs and bind the EIPs to ECSs. Then, the users can use the EIP to access the ECSs in the VPC over the Internet. + +For details, see **Floating IP Address (IPv6)** > **Creating a Floating IP Address** in the `Virtual Private Cloud API Reference `__. The NAT64 gateway in the data center will convert the IPv6 EIP to the IPv4 address. (The last 32 bits of the obtained IPv6 EIP is the IPv4 EIP.) + +After users who use IPv6 clients bind an IPv6 EIP to an ECS, the data flow is shown in :ref:`Figure 1 `. + +.. _vpc_faq_0076__en-us_topic_0118499049_fig1038524023539: + +.. figure:: /_static/images/en-us_image_0118499144.png + :alt: **Figure 1** IPv6 data flow + + + **Figure 1** IPv6 data flow + +The IPv6 service has the following restrictions: + +- ECSs use IPv4 addresses and cannot directly access public IPv6 addresses. Therefore, only public IPv6 addresses can access ECSs. That means ECSs cannot use IPv4 EIPs that are converted from IPv6 address to access the Internet. To enable the ECSs to access the Internet, you must bind IPv4 EIPs to them. +- Data packets from an IPv6 network on the Internet are converted to IPv4 packets on the NAT64 gateway. Both the source IP address and port number will be converted. (The source IP address is invisible.) +- The IPv6 client can access only the EIP and the ELB service. +- Only one EIP (IPv6 or IPv4) can be bound to each NIC. +- You can only make API calls to use an EIP to obtain the IPv6 address. The management console displays only IPv4 addresses. +- The security group function does not apply to IPv6 clients. +- Resources in internal networks on the cloud can access IPv4 addresses converted by NAT64 gateway. 
+- The public cloud does not provide IP spoofing protection for IPv6 traffic from the Internet. +- Currently, the Anti-DDoS service does not protect IPv6 addresses. diff --git a/umn/source/faqs/connectivity/how_many_vpc_peering_connections_can_i_create.rst b/umn/source/faqs/connectivity/how_many_vpc_peering_connections_can_i_create.rst new file mode 100644 index 0000000..7aa5274 --- /dev/null +++ b/umn/source/faqs/connectivity/how_many_vpc_peering_connections_can_i_create.rst @@ -0,0 +1,14 @@ +:original_name: vpc_faq_0070.html + +.. _vpc_faq_0070: + +How Many VPC Peering Connections Can I Create? +============================================== + +Each account can have a maximum of 50 VPC peering connections in each region by default. + +- VPC peering connections between VPCs in one account: Each account can create a maximum of 50 VPC peering connections in one region. + +- VPC peering connections between VPCs of different accounts: Accepted VPC peering connections use the quotas of both accounts. To-be-accepted VPC peering connections only use the quotas of accounts that request the connections. + + An account can create VPC peering connections with different accounts if the account has enough quota. diff --git a/umn/source/faqs/connectivity/index.rst b/umn/source/faqs/connectivity/index.rst new file mode 100644 index 0000000..e0b2131 --- /dev/null +++ b/umn/source/faqs/connectivity/index.rst 
@@ -0,0 +1,28 @@ +:original_name: faq_connection.html + +.. _faq_connection: + +Connectivity +============ + +- :ref:`Does a VPN Allow Communication Between Two VPCs? ` +- :ref:`Why Are Internet or Internal Domain Names in the Cloud Inaccessible Through Domain Names When My ECS Has Multiple NICs? ` +- :ref:`Are There Any Constraints on Using VPC Peering Connections? ` +- :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? ` +- :ref:`How Many VPC Peering Connections Can I Create? ` +- :ref:`What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet? ` +- :ref:`What Are the Priorities of the Shared SNAT and Custom Route If Both Are Configured for an ECS to Enable the ECS to Access the Internet? ` +- :ref:`How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + does_a_vpn_allow_communication_between_two_vpcs + why_are_internet_or_internal_domain_names_in_the_cloud_inaccessible_through_domain_names_when_my_ecs_has_multiple_nics + are_there_any_constraints_on_using_vpc_peering_connections + why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection + how_many_vpc_peering_connections_can_i_create + what_are_the_priorities_of_the_custom_route_and_eip_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet + what_are_the_priorities_of_the_shared_snat_and_custom_route_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet + how_does_an_ipv6_client_on_the_internet_access_the_ecs_that_has_an_eip_bound_in_a_vpc 
diff --git a/umn/source/faqs/connectivity/what_are_the_priorities_of_the_custom_route_and_eip_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet.rst b/umn/source/faqs/connectivity/what_are_the_priorities_of_the_custom_route_and_eip_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet.rst new file mode 100644 index 0000000..cbdbb86 --- /dev/null +++ b/umn/source/faqs/connectivity/what_are_the_priorities_of_the_custom_route_and_eip_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet.rst @@ -0,0 +1,12 @@ +:original_name: vpc_faq_0073.html + +.. _vpc_faq_0073: + +What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet? +=============================================================================================================================== + +The priority of an EIP is higher than that of a custom route in a VPC route table. For example: + +The VPC route table of an ECS has a custom route with 0.0.0.0/0 as the destination and NAT gateway as the next hop. + +If an ECS in the VPC has an EIP bound, the VPC route table will have a policy-based route with 0.0.0.0/0 as the destination, which has a higher priority than its custom route. In this case, traffic is forwarded to the EIP and cannot reach the NAT gateway. diff --git a/umn/source/faqs/connectivity/what_are_the_priorities_of_the_shared_snat_and_custom_route_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet.rst b/umn/source/faqs/connectivity/what_are_the_priorities_of_the_shared_snat_and_custom_route_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet.rst new file mode 100644 index 0000000..2fbdbe7 --- /dev/null +++ b/umn/source/faqs/connectivity/what_are_the_priorities_of_the_shared_snat_and_custom_route_if_both_are_configured_for_an_ecs_to_enable_the_ecs_to_access_the_internet.rst 
@@ -0,0 +1,8 @@ +:original_name: vpc_faq_00002.html + +.. _vpc_faq_00002: + +What Are the Priorities of the Shared SNAT and Custom Route If Both Are Configured for an ECS to Enable the ECS to Access the Internet? +======================================================================================================================================= + +The priority of a custom route is higher than that of shared SNAT. diff --git a/umn/source/faqs/connectivity/why_are_internet_or_internal_domain_names_in_the_cloud_inaccessible_through_domain_names_when_my_ecs_has_multiple_nics.rst b/umn/source/faqs/connectivity/why_are_internet_or_internal_domain_names_in_the_cloud_inaccessible_through_domain_names_when_my_ecs_has_multiple_nics.rst new file mode 100644 index 0000000..c2dbf10 --- /dev/null +++ b/umn/source/faqs/connectivity/why_are_internet_or_internal_domain_names_in_the_cloud_inaccessible_through_domain_names_when_my_ecs_has_multiple_nics.rst 
@@ -0,0 +1,18 @@ +:original_name: vpc_faq_0060.html + +.. _vpc_faq_0060: + +Why Are Internet or Internal Domain Names in the Cloud Inaccessible Through Domain Names When My ECS Has Multiple NICs? +======================================================================================================================= + +When an ECS has more than one NIC, if different DNS server addresses are configured for the subnets used by the NICs, the ECS cannot access the Internet or domain names in the cloud. + +You can resolve this issue by configuring the same DNS server address for the subnets used by the same ECS. You can perform the following steps to modify DNS server addresses of subnets in a VPC: + +#. Log in to the management console. + +2. On the console homepage, under **Network**, click **Virtual Private Cloud**. +3. In the navigation pane on the left, click **Virtual Private Cloud**. +4. On the **Virtual Private Cloud** page, locate the VPC for which a subnet is to be modified and click the VPC name. +5. In the subnet list, locate the row that contains the subnet to be modified, click **Modify**. On the displayed page, change the DNS server address as prompted. +6. Click **OK**. diff --git a/umn/source/faqs/connectivity/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst b/umn/source/faqs/connectivity/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst new file mode 100644 index 0000000..2d3d58f --- /dev/null +++ b/umn/source/faqs/connectivity/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst 
@@ -0,0 +1,15 @@ +:original_name: vpc_faq_0069.html + +.. _vpc_faq_0069: + +Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? +======================================================================================== + +#. Check whether the VPC IDs are correctly configured for the VPC peering connection. +#. Check whether the VPCs have routes that point to the CIDR block of the other VPC. +#. Check whether the VPCs have routes that point to the subnet CIDR block of the other VPC if the two VPCs have overlapping CIDR blocks. +#. Check whether the VPCs contain overlapping subnets. +#. Check whether required security group rules have been configured for the ECSs that need to communicate with each other and whether restriction rules have been added to the iptables or firewalls used by the ECSs. +#. If a message indicating that this route already exists is displayed when you add a route for a VPC peering connection, check whether the destination of a VPN, Direct Connect, or VPC peering connection route already exists. +#. If the route destination of the VPC peering connection overlaps with that of a Direct Connect or VPN connection, the route may be invalid. +#. If VPCs in a VPC peering connection cannot communicate with each other after all these possible faults have been rectified, contact customer service. diff --git a/umn/source/faqs/eip/can_i_bind_an_eip_to_multiple_ecss.rst b/umn/source/faqs/eip/can_i_bind_an_eip_to_multiple_ecss.rst new file mode 100644 index 0000000..b812843 --- /dev/null +++ b/umn/source/faqs/eip/can_i_bind_an_eip_to_multiple_ecss.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0019.html + +.. _vpc_faq_0019: + +Can I Bind an EIP to Multiple ECSs? +=================================== + +Each EIP can be bound to only one ECS at a time. 
diff --git a/umn/source/faqs/eip/how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet.rst b/umn/source/faqs/eip/how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet.rst new file mode 100644 index 0000000..446cce6 --- /dev/null +++ b/umn/source/faqs/eip/how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet.rst @@ -0,0 +1,18 @@ +:original_name: vpc_faq_0020.html + +.. _vpc_faq_0020: + +How Do I Access an ECS with an EIP Bound from the Internet? +=========================================================== + +Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default. To allow external access to ECSs in the security group, add an inbound rule to the security group. + +You can set **Protocol** to **TCP**, **UDP**, **ICMP**, or **All** as required on the page for creating a security group rule. + +- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has been configured on the ECS, or the ECS does not need to be accessible over the Internet, set **Source** to the IP address range containing the IP address that is allowed to access the ECS over the Internet. +- If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has not been configured on the ECS, it is recommended that you retain the default setting **0.0.0.0/0** for **Source**, and then set allowed ports to improve network security. +- Allocate ECSs that have different Internet access policies to different security groups. + + .. note:: + + The default source IP address **0.0.0.0/0** indicates that all IP addresses can access ECSs in the security group. diff --git a/umn/source/faqs/eip/index.rst b/umn/source/faqs/eip/index.rst new file mode 100644 index 0000000..1eeff13 --- /dev/null +++ b/umn/source/faqs/eip/index.rst 
@@ -0,0 +1,18 @@ +:original_name: faq_eip.html + +.. _faq_eip: + +EIP +=== + +- :ref:`What Are EIPs? ` +- :ref:`Can I Bind an EIP to Multiple ECSs? ` +- :ref:`How Do I Access an ECS with an EIP Bound from the Internet? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + what_are_eips + can_i_bind_an_eip_to_multiple_ecss + how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet diff --git a/umn/source/faqs/eip/what_are_eips.rst b/umn/source/faqs/eip/what_are_eips.rst new file mode 100644 index 0000000..5ef8997 --- /dev/null +++ b/umn/source/faqs/eip/what_are_eips.rst @@ -0,0 +1,17 @@ +:original_name: vpc_faq_0013.html + +.. _vpc_faq_0013: + +What Are EIPs? +============== + +The Elastic IP (EIP) service enables your cloud resources to communicate with the Internet using static public IP addresses and scalable bandwidths. EIPs can be bound to or unbound from ECSs, BMSs, virtual IP addresses, NAT gateways, or load balancers. + +Each EIP can be used by only one cloud resource at a time. + + +.. figure:: /_static/images/en-us_image_0209583952.png + :alt: **Figure 1** Accessing the Internet using an EIP + + + **Figure 1** Accessing the Internet using an EIP diff --git a/umn/source/faqs/general/index.rst b/umn/source/faqs/general/index.rst new file mode 100644 index 0000000..64c90fb --- /dev/null +++ b/umn/source/faqs/general/index.rst @@ -0,0 +1,14 @@ +:original_name: faq_common.html + +.. _faq_common: + +General +======= + +- :ref:`What Is a Quota? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + what_is_a_quota diff --git a/umn/source/faqs/general/what_is_a_quota.rst b/umn/source/faqs/general/what_is_a_quota.rst new file mode 100644 index 0000000..0f38fed --- /dev/null +++ b/umn/source/faqs/general/what_is_a_quota.rst 
@@ -0,0 +1,51 @@ +:original_name: vpc_faq_0051.html + +.. _vpc_faq_0051: + +What Is a Quota? +================ + + +What Is a Quota? +---------------- + +A quota limits the quantity of a resource available to users, thereby preventing spikes in the usage of the resource. For example, a VPC quota limits the number of VPCs that can be created. + +You can also request for an increased quota if your existing quota cannot meet your service requirements. + +How Do I View My Quotas? +------------------------ + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. In the upper right corner of the page, click |image2|. + + The **Service Quota** page is displayed. + +#. View the used and total quota of each type of resources on the displayed page. + + If a quota cannot meet service requirements, apply for a higher quota. + +How Do I Apply for a Higher Quota? +---------------------------------- + +The system does not support online quota adjustment. If you need to adjust a quota, call the hotline or send an email to the customer service mailbox. Customer service personnel will timely process your request for quota adjustment and inform you of the real-time progress by making a call or sending an email. + +Before dialing the hotline number or sending an email, make sure that the following information has been obtained: + +- Domain name, project name, and project ID, which can be obtained by performing the following operations: + + Log in to the management console using the cloud account, click the username in the upper right corner, select **My Credentials** from the drop-down list, and obtain the domain name, project name, and project ID on the **My Credentials** page. + +- Quota information, which includes: + + - Service name + - Quota type + - Required quota + +`Learn how to obtain the service hotline and email address. `__ + +.. |image1| image:: /_static/images/en-us_image_0275513364.png +.. 
|image2| image:: /_static/images/en-us_image_0152727234.png diff --git a/umn/source/faqs/index.rst b/umn/source/faqs/index.rst new file mode 100644 index 0000000..af8bb61 --- /dev/null +++ b/umn/source/faqs/index.rst @@ -0,0 +1,26 @@ +:original_name: vpc_faq_0000.html + +.. _vpc_faq_0000: + +FAQs +==== + +- :ref:`General ` +- :ref:`VPC and Subnet ` +- :ref:`EIP ` +- :ref:`Bandwidth ` +- :ref:`Connectivity ` +- :ref:`Routing ` +- :ref:`Security ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + general/index + vpc_and_subnet/index + eip/index + bandwidth/index + connectivity/index + routing/index + security/index diff --git a/umn/source/faqs/routing/are_there_any_restrictions_on_using_a_route_table.rst b/umn/source/faqs/routing/are_there_any_restrictions_on_using_a_route_table.rst new file mode 100644 index 0000000..aae830b --- /dev/null +++ b/umn/source/faqs/routing/are_there_any_restrictions_on_using_a_route_table.rst @@ -0,0 +1,10 @@ +:original_name: vpc_faq_0064.html + +.. _vpc_faq_0064: + +Are There Any Restrictions on Using a Route Table? +================================================== + +- An ECS providing SNAT must have **Unbind IP from MAC** enabled. +- The destination of each route in a route table must be unique. The next hop must be a private IP address or a virtual IP address in the VPC. Otherwise, the route table will not take effect. +- If a virtual IP address is set to be the next hop in a route, EIPs bound with the virtual IP address in the VPC will become invalid. diff --git a/umn/source/faqs/routing/are_there_different_routing_priorities_of_the_vpn_and_custom_routes_in_the_same_vpc.rst b/umn/source/faqs/routing/are_there_different_routing_priorities_of_the_vpn_and_custom_routes_in_the_same_vpc.rst new file mode 100644 index 0000000..35752a2 --- /dev/null +++ b/umn/source/faqs/routing/are_there_different_routing_priorities_of_the_vpn_and_custom_routes_in_the_same_vpc.rst 
@@ -0,0 +1,8 @@ +:original_name: vpc_faq_00001.html + +.. _vpc_faq_00001: + +Are There Different Routing Priorities of the VPN and Custom Routes in the Same VPC? +==================================================================================== + +No. The routing priority of custom routes and that of VPNs are the same. diff --git a/umn/source/faqs/routing/can_a_route_table_span_multiple_vpcs.rst b/umn/source/faqs/routing/can_a_route_table_span_multiple_vpcs.rst new file mode 100644 index 0000000..7e5b6d7 --- /dev/null +++ b/umn/source/faqs/routing/can_a_route_table_span_multiple_vpcs.rst @@ -0,0 +1,12 @@ +:original_name: vpc_faq_0062.html + +.. _vpc_faq_0062: + +Can a Route Table Span Multiple VPCs? +===================================== + +A route table cannot span multiple VPCs. + +A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. A VPC has a default route table and can have multiple custom route tables. + +Each subnet in a VPC must be associated with a route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets in a VPC with the same route table. diff --git a/umn/source/faqs/routing/do_the_same_routing_priorities_apply_to_direct_connect_connections_and_custom_routes_in_the_same_vpc.rst b/umn/source/faqs/routing/do_the_same_routing_priorities_apply_to_direct_connect_connections_and_custom_routes_in_the_same_vpc.rst new file mode 100644 index 0000000..82fdaa0 --- /dev/null +++ b/umn/source/faqs/routing/do_the_same_routing_priorities_apply_to_direct_connect_connections_and_custom_routes_in_the_same_vpc.rst 
@@ -0,0 +1,8 @@ +:original_name: vpc_faq_0066.html + +.. _vpc_faq_0066: + +Do the Same Routing Priorities Apply to Direct Connect Connections and Custom Routes in the Same VPC? +===================================================================================================== + +No. Direct Connect connections and custom routes are used in different scenarios, so the routing priorities are different. diff --git a/umn/source/faqs/routing/how_many_routes_can_a_route_table_contain.rst b/umn/source/faqs/routing/how_many_routes_can_a_route_table_contain.rst new file mode 100644 index 0000000..f5fa5de --- /dev/null +++ b/umn/source/faqs/routing/how_many_routes_can_a_route_table_contain.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0063.html + +.. _vpc_faq_0063: + +How Many Routes Can a Route Table Contain? +========================================== + +Currently, a route table can contain 100 routes. diff --git a/umn/source/faqs/routing/how_many_routes_can_be_added_in_a_vpc.rst b/umn/source/faqs/routing/how_many_routes_can_be_added_in_a_vpc.rst new file mode 100644 index 0000000..6a2923b --- /dev/null +++ b/umn/source/faqs/routing/how_many_routes_can_be_added_in_a_vpc.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0071.html + +.. _vpc_faq_0071: + +How Many Routes Can Be Added in a VPC? +====================================== + +By default, a maximum of 100 routes can be added for a VPC. The routes include custom routes and those added for Direct Connect and VPC peering connections. diff --git a/umn/source/faqs/routing/index.rst b/umn/source/faqs/routing/index.rst new file mode 100644 index 0000000..695078d --- /dev/null +++ b/umn/source/faqs/routing/index.rst 
@@ -0,0 +1,26 @@ +:original_name: faq_route.html + +.. _faq_route: + +Routing +======= + +- :ref:`Can a Route Table Span Multiple VPCs? ` +- :ref:`How Many Routes Can a Route Table Contain? ` +- :ref:`Are There Any Restrictions on Using a Route Table? ` +- :ref:`Will a Route Table Be Billed? ` +- :ref:`Do the Same Routing Priorities Apply to Direct Connect Connections and Custom Routes in the Same VPC? ` +- :ref:`Are There Different Routing Priorities of the VPN and Custom Routes in the Same VPC? ` +- :ref:`How Many Routes Can Be Added in a VPC? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + can_a_route_table_span_multiple_vpcs + how_many_routes_can_a_route_table_contain + are_there_any_restrictions_on_using_a_route_table + will_a_route_table_be_billed + do_the_same_routing_priorities_apply_to_direct_connect_connections_and_custom_routes_in_the_same_vpc + are_there_different_routing_priorities_of_the_vpn_and_custom_routes_in_the_same_vpc + how_many_routes_can_be_added_in_a_vpc diff --git a/umn/source/faqs/routing/will_a_route_table_be_billed.rst b/umn/source/faqs/routing/will_a_route_table_be_billed.rst new file mode 100644 index 0000000..9ec35d3 --- /dev/null +++ b/umn/source/faqs/routing/will_a_route_table_be_billed.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0065.html + +.. _vpc_faq_0065: + +Will a Route Table Be Billed? +============================= + +The route table function itself is free, but you are charged for the ECSs and bandwidth that you use together with the route table function. diff --git a/umn/source/faqs/security/can_i_change_the_security_group_of_an_ecs.rst b/umn/source/faqs/security/can_i_change_the_security_group_of_an_ecs.rst new file mode 100644 index 0000000..08fe2fa --- /dev/null +++ b/umn/source/faqs/security/can_i_change_the_security_group_of_an_ecs.rst 
@@ -0,0 +1,8 @@ +:original_name: vpc_faq_0039.html + +.. _vpc_faq_0039: + +Can I Change the Security Group of an ECS? +========================================== + +Yes. Log in to the ECS console, switch to the page showing ECS details, and change the security group of the ECS. diff --git a/umn/source/faqs/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst b/umn/source/faqs/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst new file mode 100644 index 0000000..347adf9 --- /dev/null +++ b/umn/source/faqs/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst 
@@ -0,0 +1,9 @@ +:original_name: vpc_faq_0074.html + +.. _vpc_faq_0074: + +Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? +==================================================================================================================== + +- Security groups are stateful. Responses to outbound traffic are allowed to go in to the instance regardless of inbound security group rules, and vice versa. Security groups use connection tracking to track traffic to and from instances. If a security group rule is added, deleted, or modified, or an instance in the security group is created or deleted, the connection tracking for all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered to be new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and ensure the security of incoming traffic. +- A modified firewall rule will not immediately take effect for its existing connections. It takes about 120 seconds for the new rule to take effect, and traffic will be interrupted during this period. To ensure that the traffic is immediately interrupted after the rule is changed, it is recommended that you configure security group rules. diff --git a/umn/source/faqs/security/how_do_i_configure_a_security_group_for_multi-channel_protocols.rst b/umn/source/faqs/security/how_do_i_configure_a_security_group_for_multi-channel_protocols.rst new file mode 100644 index 0000000..c4c2407 --- /dev/null +++ b/umn/source/faqs/security/how_do_i_configure_a_security_group_for_multi-channel_protocols.rst 
@@ -0,0 +1,25 @@ +:original_name: vpc_faq_0059.html + +.. _vpc_faq_0059: + +How Do I Configure a Security Group for Multi-Channel Protocols? +================================================================ + +ECS Configuration +----------------- + +The TFTP daemon determines whether a configuration file specifies the port range. If you use a TFTP configuration file that allows the data channel ports to be configurable, it is a good practice to configure a small range of ports that are not listened on. + +Security Group Configuration +---------------------------- + +You can configure port 69 and configure data channel ports used by TFTP for the security group. In RFC1350, the TFTP protocol specifies that ports available to data channels range from 0 to 65535. However, not all these ports are used by the TFTP daemon processes of different applications. You can configure a smaller range of ports for the TFTP daemon. + +The following figure provides an example of the security group rule configuration if the ports used by data channels range from 60001 to 60100. + + +.. figure:: /_static/images/en-us_image_0129473334.png + :alt: **Figure 1** Security group rules + + + **Figure 1** Security group rules diff --git a/umn/source/faqs/security/how_many_firewalls_can_i_create.rst b/umn/source/faqs/security/how_many_firewalls_can_i_create.rst new file mode 100644 index 0000000..ab1055c --- /dev/null +++ b/umn/source/faqs/security/how_many_firewalls_can_i_create.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0072.html + +.. _vpc_faq_0072: + +How Many Firewalls Can I Create? +================================ + +You can create up to 200 firewalls. It is recommended that you configure no more than 20 inbound or outbound rules for each firewall. If you configure more than 20 inbound or outbound rules for a firewall, forwarding performance will deteriorate. 
diff --git a/umn/source/faqs/security/how_many_security_groups_can_i_create.rst b/umn/source/faqs/security/how_many_security_groups_can_i_create.rst new file mode 100644 index 0000000..b84715f --- /dev/null +++ b/umn/source/faqs/security/how_many_security_groups_can_i_create.rst @@ -0,0 +1,10 @@ +:original_name: vpc_faq_0040.html + +.. _vpc_faq_0040: + +How Many Security Groups Can I Create? +====================================== + +Each account can have up to 100 security groups and 5000 security group rules. + +When you create an ECS, you can select multiple security groups, but it is recommended that you select no more than five. diff --git a/umn/source/faqs/security/index.rst b/umn/source/faqs/security/index.rst new file mode 100644 index 0000000..787188c --- /dev/null +++ b/umn/source/faqs/security/index.rst @@ -0,0 +1,24 @@ +:original_name: faq_security.html + +.. _faq_security: + +Security +======== + +- :ref:`Can I Change the Security Group of an ECS? ` +- :ref:`How Many Security Groups Can I Create? ` +- :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? ` +- :ref:`How Many Firewalls Can I Create? ` +- :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? ` +- :ref:`Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + can_i_change_the_security_group_of_an_ecs + how_many_security_groups_can_i_create + how_do_i_configure_a_security_group_for_multi-channel_protocols + how_many_firewalls_can_i_create + does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified + which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict 
diff --git a/umn/source/faqs/security/which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict.rst b/umn/source/faqs/security/which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict.rst new file mode 100644 index 0000000..0a37bad --- /dev/null +++ b/umn/source/faqs/security/which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0077.html + +.. _vpc_faq_0077: + +Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? +=================================================================================== + +Security group rules use the whitelist mechanism. If multiple security group rules conflict, the rules are aggregated to take effect. diff --git a/umn/source/faqs/vpc_and_subnet/can_subnets_communicate_with_each_other.rst b/umn/source/faqs/vpc_and_subnet/can_subnets_communicate_with_each_other.rst new file mode 100644 index 0000000..38e7aeb --- /dev/null +++ b/umn/source/faqs/vpc_and_subnet/can_subnets_communicate_with_each_other.rst @@ -0,0 +1,12 @@ +:original_name: vpc_faq_0005.html + +.. _vpc_faq_0005: + +Can Subnets Communicate with Each Other? +======================================== + +Subnets in the same VPC can communicate with each other, but subnets in different VPCs cannot communicate with each other by default. However, you can create VPC peering connections to enable subnets in different VPCs to communicate with each other. + +.. note:: + + If subnets have firewalls associated, firewall rules should allow communication between the subnets. diff --git a/umn/source/faqs/vpc_and_subnet/how_can_i_delete_a_subnet_that_is_being_used_by_other_resources.rst b/umn/source/faqs/vpc_and_subnet/how_can_i_delete_a_subnet_that_is_being_used_by_other_resources.rst new file mode 100644 index 0000000..10cb287 --- /dev/null 
+++ b/umn/source/faqs/vpc_and_subnet/how_can_i_delete_a_subnet_that_is_being_used_by_other_resources.rst @@ -0,0 +1,26 @@ +:original_name: vpc_faq_0075.html + +.. _vpc_faq_0075: + +How Can I Delete a Subnet That Is Being Used by Other Resources? +================================================================ + +The VPC service allows you to create private, isolated virtual networks. In a VPC, you can manage private IP address ranges, subnets, route tables, and gateways. ECSs, BMSs, databases, and some applications can use subnets created in VPCs. + +A subnet cannot be deleted if it is being used by other resources. You must delete all resources in the subnet before you can delete the subnet. + +You can view all resources of your account on the console homepage and check the resources that are in the subnet you want to delete. + +The resources may include: + +- ECS +- BMS +- CCE cluster +- RDS instance +- MRS cluster +- DCS instance +- Load balancer +- VPN +- Private IP address +- Custom route +- NAT gateway diff --git a/umn/source/faqs/vpc_and_subnet/how_many_subnets_can_i_create.rst b/umn/source/faqs/vpc_and_subnet/how_many_subnets_can_i_create.rst new file mode 100644 index 0000000..ef992c8 --- /dev/null +++ b/umn/source/faqs/vpc_and_subnet/how_many_subnets_can_i_create.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0009.html + +.. _vpc_faq_0009: + +How Many Subnets Can I Create? +============================== + +Each account can have a maximum of 100 subnets. If the number of subnets cannot meet your service requirements, request a quota increase. For details, see :ref:`What Is a Quota? ` diff --git a/umn/source/faqs/vpc_and_subnet/index.rst b/umn/source/faqs/vpc_and_subnet/index.rst new file mode 100644 index 0000000..7b92fde --- /dev/null +++ b/umn/source/faqs/vpc_and_subnet/index.rst 
@@ -0,0 +1,26 @@ +:original_name: faq_vpc.html + +.. _faq_vpc: + +VPC and Subnet +============== + +- :ref:`What Is Virtual Private Cloud? ` +- :ref:`Which CIDR Blocks Are Available for the VPC Service? ` +- :ref:`Can Subnets Communicate with Each Other? ` +- :ref:`What Subnet CIDR Blocks Are Available? ` +- :ref:`How Many Subnets Can I Create? ` +- :ref:`How Can I Delete a Subnet That Is Being Used by Other Resources? ` +- :ref:`What Are the Differences Between the Network ID and Subnet ID of a Subnet? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + what_is_virtual_private_cloud + which_cidr_blocks_are_available_for_the_vpc_service + can_subnets_communicate_with_each_other + what_subnet_cidr_blocks_are_available + how_many_subnets_can_i_create + how_can_i_delete_a_subnet_that_is_being_used_by_other_resources + what_are_the_differences_between_the_network_id_and_subnet_id_of_a_subnet diff --git a/umn/source/faqs/vpc_and_subnet/what_are_the_differences_between_the_network_id_and_subnet_id_of_a_subnet.rst b/umn/source/faqs/vpc_and_subnet/what_are_the_differences_between_the_network_id_and_subnet_id_of_a_subnet.rst new file mode 100644 index 0000000..d549e18 --- /dev/null +++ b/umn/source/faqs/vpc_and_subnet/what_are_the_differences_between_the_network_id_and_subnet_id_of_a_subnet.rst 
@@ -0,0 +1,14 @@ +:original_name: vpc_faq_0094.html + +.. _vpc_faq_0094: + +What Are the Differences Between the Network ID and Subnet ID of a Subnet? +========================================================================== + +- The network ID of the subnet is the **neutron_network_id** in the **subnet** fields in **Subnet** > **Creating a Subnet** in the *Virtual Private Cloud API Reference*. + + Parameter **neutron_network_id** indicates the network ID (native OpenStack API). This uniquely identifies a subnet on the management console. + +- The subnet ID of the subnet is the **neutron_subnet_id** in the **subnet** fields in **Subnet** > **Creating a Subnet** in the *Virtual Private Cloud API Reference*. + + Parameter **neutron_subnet_id** indicates the subnet ID (native OpenStack API). diff --git a/umn/source/faqs/vpc_and_subnet/what_is_virtual_private_cloud.rst b/umn/source/faqs/vpc_and_subnet/what_is_virtual_private_cloud.rst new file mode 100644 index 0000000..61e8b4f --- /dev/null +++ b/umn/source/faqs/vpc_and_subnet/what_is_virtual_private_cloud.rst @@ -0,0 +1,17 @@ +:original_name: vpc_faq_0001.html + +.. _vpc_faq_0001: + +What Is Virtual Private Cloud? +============================== + +The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving cloud resource security and simplifying network deployment. + +Within your own VPC, you can create security groups and VPNs, configure IP address ranges, specify bandwidth sizes, manage the networks in the VPC, and make changes to these networks as needed, quickly and securely. You can also define rules for communication between ECSs in the same security group or in different security groups. + + +.. figure:: /_static/images/en-us_image_0209606948.png + :alt: **Figure 1** VPC components + + + **Figure 1** VPC components 
diff --git a/umn/source/faqs/vpc_and_subnet/what_subnet_cidr_blocks_are_available.rst b/umn/source/faqs/vpc_and_subnet/what_subnet_cidr_blocks_are_available.rst new file mode 100644 index 0000000..47da76c --- /dev/null +++ b/umn/source/faqs/vpc_and_subnet/what_subnet_cidr_blocks_are_available.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0006.html + +.. _vpc_faq_0006: + +What Subnet CIDR Blocks Are Available? +====================================== + +A subnet CIDR block must be included in its VPC CIDR block. Supported VPC CIDR blocks are **10.0.0.0/8–24**, **172.16.0.0/12–24**, and **192.168.0.0/16–24**. The allowed block size of a subnet is between the netmask of its VPC CIDR block and the /29 netmask. diff --git a/umn/source/faqs/vpc_and_subnet/which_cidr_blocks_are_available_for_the_vpc_service.rst b/umn/source/faqs/vpc_and_subnet/which_cidr_blocks_are_available_for_the_vpc_service.rst new file mode 100644 index 0000000..32287a9 --- /dev/null +++ b/umn/source/faqs/vpc_and_subnet/which_cidr_blocks_are_available_for_the_vpc_service.rst 
@@ -0,0 +1,23 @@ +:original_name: vpc_faq_0004.html + +.. _vpc_faq_0004: + +Which CIDR Blocks Are Available for the VPC Service? +==================================================== + +The following table lists the private CIDR blocks that you can specify when creating a VPC. Consider the following when selecting a VPC CIDR block: + +- Number of IP addresses: Reserve sufficient IP addresses in case of business growth. +- IP address range: Avoid IP address conflicts if you need to connect a VPC to an on-premises data center or connect two VPCs. + +The VPC service supports the following CIDR blocks: + ++-------------------+-----------------------------+--------------------------------+ +| VPC CIDR Block | IP Address Range | Maximum Number of IP Addresses | ++===================+=============================+================================+ +| 10.0.0.0/8-24 | 10.0.0.0-10.255.255.255 | 2^24-2=16777214 | ++-------------------+-----------------------------+--------------------------------+ +| 172.16.0.0/12-24 | 172.16.0.0-172.31.255.255 | 2^20-2=1048574 | ++-------------------+-----------------------------+--------------------------------+ +| 192.168.0.0/16-24 | 192.168.0.0-192.168.255.255 | 2^16-2=65534 | ++-------------------+-----------------------------+--------------------------------+ diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index.rst new file mode 100644 index 0000000..1d37017 --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index.rst 
@@ -0,0 +1,24 @@ +:original_name: en-us_topic_0017816228.html + +.. _en-us_topic_0017816228: + +Configuring a VPC for ECSs That Access the Internet Using EIPs +============================================================== + +- :ref:`Overview ` +- :ref:`Step 1: Create a VPC ` +- :ref:`Step 2: Create a Subnet for the VPC ` +- :ref:`Step 3: Assign an EIP and Bind It to an ECS ` +- :ref:`Step 4: Create a Security Group ` +- :ref:`Step 5: Add a Security Group Rule ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + overview + step_1_create_a_vpc + step_2_create_a_subnet_for_the_vpc + step_3_assign_an_eip_and_bind_it_to_an_ecs + step_4_create_a_security_group + step_5_add_a_security_group_rule diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/overview.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/overview.rst new file mode 100644 index 0000000..f811a25 --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/overview.rst 
@@ -0,0 +1,50 @@ +:original_name: vpc_qs_0022.html + +.. _vpc_qs_0022: + +Overview +======== + +If your ECSs need to access the Internet (for example, the ECSs functioning as the service nodes for deploying a website), you can follow the procedure shown in :ref:`Figure 1 ` to bind EIPs to the ECSs. + +.. _vpc_qs_0022__en-us_topic_0118499056_fe457c1ec47c84d6fa3b87210d5b284eb: + +.. figure:: /_static/images/en-us_image_0162332046.png + :alt: **Figure 1** Configuring the network + + + **Figure 1** Configuring the network + +:ref:`Table 1 ` describes the different tasks in the procedure for configuring the network. + +.. _vpc_qs_0022__en-us_topic_0118499056_t5143cea7d59f4c31b1c56ab35e86f71f: + +.. table:: **Table 1** Configuration process description + + +--------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Task | Description | + +======================================+===============================================================================================================================================================================================================================================================================================+ + | Create a VPC. | This task is mandatory. | + | | | + | | A created VPC comes with a default subnet you specified. | + | | | + | | After the VPC is created, you can create other required network resources in the VPC based on your service requirements. 
| + +--------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Create another subnet for the VPC. | This task is optional. | + | | | + | | If the default subnet cannot meet your requirements, you can create one. | + | | | + | | The new subnet is used to assign IP addresses to NICs added to the ECS. | + +--------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Assign an EIP and bind it to an ECS. | This task is mandatory. | + | | | + | | You can assign an EIP and bind it to an ECS so that the ECS can access the Internet. | + +--------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Create a security group. | This task is mandatory. | + | | | + | | You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. 
| + +--------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Add a security group rule. | This task is optional. | + | | | + | | If the default rule does not meet your service requirements, you can add security group rules. | + +--------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_1_create_a_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_1_create_a_vpc.rst new file mode 100644 index 0000000..85c47af --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_1_create_a_vpc.rst 
@@ -0,0 +1,130 @@ +:original_name: vpc_qs_0009.html + +.. _vpc_qs_0009: + +Step 1: Create a VPC +==================== + +Scenarios +--------- + +A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. + +You can create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. Click **Create VPC**. + +#. On the **Create VPC** page, set parameters as prompted. + + A default subnet will be created together with a VPC and you can also click **Add Subnet** to create more subnets for the VPC. + + .. table:: **Table 1** VPC parameter descriptions + + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +==================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. 
The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). 
| 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. 
| Default | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. 
| | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + + .. 
table:: **Table 2** VPC tag key and value requirements + + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+============================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for the same VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + + .. _vpc_qs_0009__en-us_topic_0118498853_en-us_topic_0118498861_table6536185812515: + + .. table:: **Table 3** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. 
| | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **Create Now**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_2_create_a_subnet_for_the_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_2_create_a_subnet_for_the_vpc.rst new file mode 100644 index 0000000..0be4978 --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_2_create_a_subnet_for_the_vpc.rst 
@@ -0,0 +1,112 @@ +:original_name: vpc_qs_0010.html + +.. _vpc_qs_0010: + +Step 2: Create a Subnet for the VPC +=================================== + +Scenarios +--------- + +A VPC comes with a default subnet. If the default subnet cannot meet your requirements, you can create one. + +The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS automatically obtains an IP address using DHCP. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Subnets**. + +5. Click **Create Subnet**. + + The **Create Subnet** page is displayed. + +6. Set the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001197228903.png + :alt: **Figure 1** Create Subnet + + + **Figure 1** Create Subnet + + .. table:: **Table 1** Parameter descriptions + + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+=============================================================================================================================================================================================================================================+=======================+ + | VPC | The VPC for which you want to create a subnet. 
| - | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Name | The subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings | Two options are available, **Default** and **Custom**. You can set **Advanced Settings** to **Custom** to configure advanced subnet parameters. 
| - | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | - Value: subnet-01 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. _vpc_qs_0010__en-us_topic_0118498982_en-us_topic_0118498823_table42131827173915: + + .. table:: **Table 2** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. 
| subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +Precautions +----------- + +When a subnet is created, there are five reserved IP addresses, which cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved: + +- 192.168.0.0: Network ID. This address is the beginning of the private IP address range and will not be assigned to any instance. +- 192.168.0.1: Gateway address. +- 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication. +- 192.168.0.254: DHCP service address. +- 192.168.0.255: Network broadcast address. + +If you configured the default settings under **Advanced Settings** during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_3_assign_an_eip_and_bind_it_to_an_ecs.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_3_assign_an_eip_and_bind_it_to_an_ecs.rst new file mode 100644 index 0000000..587cf5a --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_3_assign_an_eip_and_bind_it_to_an_ecs.rst 
@@ -0,0 +1,123 @@ +:original_name: vpc_qs_0011.html + +.. _vpc_qs_0011: + +Step 3: Assign an EIP and Bind It to an ECS +=========================================== + +Scenarios +--------- + +You can assign an EIP and bind it to an ECS so that the ECS can access the Internet. + +.. note:: + + EIPs for dedicated load balancers: + + - In the **eu-de** region, if you choose to assign an EIP when you create a dedicated load balancer on the management console or using APIs, EIPs for dedicated load balancers (**5_gray**) will be assigned. + - Do not bind EIPs of this type to non-dedicated load balancers. + - Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect. + +Assigning an EIP +---------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. On the displayed page, click **Assign EIP**. + +#. Set the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001117669274.png + :alt: **Figure 1** Assign EIP + + + **Figure 1** Assign EIP + + .. 
table:: **Table 1** Parameter descriptions + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================================================================================================================================+=========================+ + | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | EIP Type | - **Dynamic BGP**: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails. | Dynamic BGP | + | | - **Mail BGP**: EIPs with port 25, 465, or 587 enabled are used. | | + | | | | + | | The selected EIP type cannot be changed after the EIP is assigned. 
| | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Bandwidth | The bandwidth size in Mbit/s. | 100 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Bandwidth Name | The name of the bandwidth. | bandwidth | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Tag | The EIP tags. Each tag contains a key and value pair. | - Key: Ipv4_key1 | + | | | - Value: 192.168.12.10 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Quantity | The number of EIPs you want to purchase. 
| 1 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + + .. _vpc_qs_0011__en-us_topic_0118499041_en-us_topic_0118498850_table36606052153313: + + .. table:: **Table 2** EIP tag requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirement | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | Ipv4_key1 | + | | - Must be unique for each EIP. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | 192.168.12.10 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **Create Now**. + +#. Click **Submit**. + +Binding an EIP +-------------- + +#. On the **EIPs** page, locate the row that contains the target EIP, and click **Bind**. + +#. Select the instance to which you want to bind the EIP. + + + .. 
figure:: /_static/images/en-us_image_0000001166028070.png + :alt: **Figure 2** Bind EIP + + + **Figure 2** Bind EIP + +#. Click **OK**. + +An IPv6 client on the Internet can access the ECS that has an EIP bound in a VPC. For details about the implementation and constraints, see :ref:`How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC? ` + +Follow-Up Procedure +------------------- + +After an ECS with an EIP bound is created, the system generates a domain name in the format of **ecs-**\ *xx-xx-xx-xx*\ **.compute.**\ *xxx*\ **.com** for the EIP by default. *xx-xx-xx-xx* indicates the EIP, and xxx indicates the domain name of the cloud service provider. You can use the domain name to access the ECS. + +You can use any of the following commands to obtain the domain name of an EIP: + +- ping -a *EIP* +- nslookup [-qt=ptr] *EIP* +- dig -x *EIP* + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst new file mode 100644 index 0000000..51a27be --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst 
@@ -0,0 +1,57 @@ +:original_name: vpc_qs_0012.html + +.. _vpc_qs_0012: + +Step 4: Create a Security Group +=============================== + +Scenarios +--------- + +To improve ECS access security, you can create security groups, define security group rules, and add ECSs in a VPC to different security groups. We recommend that you allocate ECSs that have different Internet access policies to different security groups. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, click **Create Security Group**. + +6. In the **Create Security Group** area, set the parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0000001197426329.png + :alt: **Figure 1** Create Security Group + + + **Figure 1** Create Security Group + + .. _vpc_qs_0012__en-us_topic_0118646265_en-us_topic_0118534004_table65377617111335: + + .. table:: **Table 1** Parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Name | The security group name. This parameter is mandatory. 
| sg-318b | + | | | | + | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + | | | | + | | .. note:: | | + | | | | + | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group. This parameter is optional. | N/A | + | | | | + | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst new file mode 100644 index 0000000..bc05a6f --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst 
@@ -0,0 +1,101 @@ +:original_name: vpc_qs_0013.html + +.. _vpc_qs_0013: + +Step 5: Add a Security Group Rule +================================= + +Scenarios +--------- + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. + +If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule. + +- Inbound rules control incoming traffic to cloud resources in the security group. +- Outbound rules control outgoing traffic from cloud resources in the security group. + +For details about the default security group rules, see :ref:`Default Security Groups and Security Group Rules `. For details about security group rule configuration examples, see :ref:`Security Group Configuration Examples `. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +#. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + +#. On the **Inbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an inbound rule. + + You can click **+** to add more inbound rules. + + + .. figure:: /_static/images/en-us_image_0284920908.png + :alt: **Figure 1** Add Inbound Rule + + + **Figure 1** Add Inbound Rule + + .. 
table:: **Table 1** Inbound rule parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + | | | | + | | If the source is a security group, this rule will apply to all instances associated with the selected security group. 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. On the **Outbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an outbound rule. + + You can click **+** to add more outbound rules. + + + .. figure:: /_static/images/en-us_image_0284993717.png + :alt: **Figure 2** Add Outbound Rule + + + **Figure 2** Add Outbound Rule + + .. table:: **Table 2** Outbound rule parameter description + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. 
| TCP | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/index.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/index.rst new file mode 100644 index 0000000..8f4a5b5 --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/index.rst @@ -0,0 +1,22 @@ +:original_name: vpc_qs_0003.html + +.. _vpc_qs_0003: + +Configuring a VPC for ECSs That Do Not Require Internet Access +============================================================== + +- :ref:`Overview ` +- :ref:`Step 1: Create a VPC ` +- :ref:`Step 2: Create a Subnet for the VPC ` +- :ref:`Step 3: Create a Security Group ` +- :ref:`Step 4: Add a Security Group Rule ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + overview + step_1_create_a_vpc + step_2_create_a_subnet_for_the_vpc + step_3_create_a_security_group + step_4_add_a_security_group_rule diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst new file mode 100644 index 0000000..becbe17 --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst 
@@ -0,0 +1,46 @@ +:original_name: vpc_qs_0004.html + +.. _vpc_qs_0004: + +Overview +======== + +If your ECSs do not require Internet access or need to access the Internet using IP addresses on the default network (100.64.0.0/11) with limited bandwidth (for example, the ECSs functioning as the database nodes or server nodes for deploying a website), you can follow the procedure shown in :ref:`Figure 1 ` to configure a VPC for the ECSs. + +.. _vpc_qs_0004__en-us_topic_0118498946_fd87108563a6848bba1a0f0295fef3515: + +.. figure:: /_static/images/en-us_image_0162329244.png + :alt: **Figure 1** Configuring the network + + + **Figure 1** Configuring the network + +:ref:`Table 1 ` describes the different tasks in the procedure for configuring the network. + +.. _vpc_qs_0004__en-us_topic_0118498946_t1b39acc5d1d449eabbea2aab68bfab25: + +.. table:: **Table 1** Configuration process description + + +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Task | Description | + +====================================+=================================================================================================================================================================================+ + | Create a VPC. | This task is mandatory. | + | | | + | | After the VPC is created, you can create other required network resources in the VPC based on your service requirements. | + +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Create another subnet for the VPC. | This task is optional. | + | | | + | | If the default subnet cannot meet your requirements, you can create one. 
| + | | | + | | The new subnet is used to assign IP addresses to NICs added to the ECS. | + +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Create a security group. | This task is mandatory. | + | | | + | | You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. | + | | | + | | After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. | + +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Add a security group rule. | This task is optional. | + | | | + | | If the default rule meets your service requirements, you do not need to add rules to the security group. | + +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_1_create_a_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_1_create_a_vpc.rst new file mode 100644 index 0000000..b30bc31 --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_1_create_a_vpc.rst 
@@ -0,0 +1,130 @@ +:original_name: vpc_qs_0005.html + +.. _vpc_qs_0005: + +Step 1: Create a VPC +==================== + +Scenarios +--------- + +A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. + +You can create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. Click **Create VPC**. + +#. On the **Create VPC** page, set parameters as prompted. + + A default subnet will be created together with a VPC and you can also click **Add Subnet** to create more subnets for the VPC. + + .. table:: **Table 1** VPC parameter descriptions + + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +==================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. 
The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). 
| 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. 
| Default | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. 
| | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + + .. 
table:: **Table 2** VPC tag key and value requirements + + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+============================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for the same VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + + .. _vpc_qs_0005__en-us_topic_0118499007_en-us_topic_0118498861_table6536185812515: + + .. table:: **Table 3** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. 
| | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **Create Now**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_2_create_a_subnet_for_the_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_2_create_a_subnet_for_the_vpc.rst new file mode 100644 index 0000000..e886b04 --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_2_create_a_subnet_for_the_vpc.rst 
@@ -0,0 +1,112 @@ +:original_name: vpc_qs_0006.html + +.. _vpc_qs_0006: + +Step 2: Create a Subnet for the VPC +=================================== + +Scenarios +--------- + +A VPC comes with a default subnet. If the default subnet cannot meet your requirements, you can create one. + +The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS automatically obtains an IP address using DHCP. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Subnets**. + +5. Click **Create Subnet**. + + The **Create Subnet** page is displayed. + +6. Set the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001197228903.png + :alt: **Figure 1** Create Subnet + + + **Figure 1** Create Subnet + + .. table:: **Table 1** Parameter descriptions + + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+=============================================================================================================================================================================================================================================+=======================+ + | VPC | The VPC for which you want to create a subnet. 
| - | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Name | The subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings | Two options are available, **Default** and **Custom**. You can set **Advanced Settings** to **Custom** to configure advanced subnet parameters. 
| - | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | - Value: subnet-01 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. _vpc_qs_0006__en-us_topic_0118498844_en-us_topic_0118498823_table42131827173915: + + .. table:: **Table 2** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. 
| subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +Precautions +----------- + +When a subnet is created, there are five reserved IP addresses, which cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved: + +- 192.168.0.0: Network ID. This address is the beginning of the private IP address range and will not be assigned to any instance. +- 192.168.0.1: Gateway address. +- 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication. +- 192.168.0.254: DHCP service address. +- 192.168.0.255: Network broadcast address. + +If you configured the default settings under **Advanced Settings** during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst new file mode 100644 index 0000000..29eeb2c --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst 
@@ -0,0 +1,57 @@ +:original_name: vpc_qs_0007.html + +.. _vpc_qs_0007: + +Step 3: Create a Security Group +=============================== + +Scenarios +--------- + +To improve ECS access security, you can create security groups, define security group rules, and add ECSs in a VPC to different security groups. We recommend that you allocate ECSs that have different Internet access policies to different security groups. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, click **Create Security Group**. + +6. In the **Create Security Group** area, set the parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0000001197426329.png + :alt: **Figure 1** Create Security Group + + + **Figure 1** Create Security Group + + .. _vpc_qs_0007__en-us_topic_0118646263_en-us_topic_0118534004_table65377617111335: + + .. table:: **Table 1** Parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Name | The security group name. This parameter is mandatory. 
| sg-318b | + | | | | + | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + | | | | + | | .. note:: | | + | | | | + | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group. This parameter is optional. | N/A | + | | | | + | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst new file mode 100644 index 0000000..3fdef9c --- /dev/null +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst 
@@ -0,0 +1,101 @@ +:original_name: vpc_qs_0008.html + +.. _vpc_qs_0008: + +Step 4: Add a Security Group Rule +================================= + +Scenarios +--------- + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. + +If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule. + +- Inbound rules control incoming traffic to cloud resources in the security group. +- Outbound rules control outgoing traffic from cloud resources in the security group. + +For details about the default security group rules, see :ref:`Default Security Groups and Security Group Rules `. For details about security group rule configuration examples, see :ref:`Security Group Configuration Examples `. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +#. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + +#. On the **Inbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an inbound rule. + + You can click **+** to add more inbound rules. + + + .. figure:: /_static/images/en-us_image_0284920908.png + :alt: **Figure 1** Add Inbound Rule + + + **Figure 1** Add Inbound Rule + + .. 
table:: **Table 1** Inbound rule parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + | | | | + | | If the source is a security group, this rule will apply to all instances associated with the selected security group. 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. On the **Outbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an outbound rule. + + You can click **+** to add more outbound rules. + + + .. figure:: /_static/images/en-us_image_0284993717.png + :alt: **Figure 2** Add Outbound Rule + + + **Figure 2** Add Outbound Rule + + .. table:: **Table 2** Outbound rule parameter description + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. 
| TCP | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/getting_started/index.rst b/umn/source/getting_started/index.rst new file mode 100644 index 0000000..d72d691 --- /dev/null 
+++ b/umn/source/getting_started/index.rst @@ -0,0 +1,18 @@ +:original_name: vpc_qs_0000.html + +.. _vpc_qs_0000: + +Getting Started +=============== + +- :ref:`Typical Application Scenarios ` +- :ref:`Configuring a VPC for ECSs That Do Not Require Internet Access ` +- :ref:`Configuring a VPC for ECSs That Access the Internet Using EIPs ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + typical_application_scenarios + configuring_a_vpc_for_ecss_that_do_not_require_internet_access/index + configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index diff --git a/umn/source/getting_started/typical_application_scenarios.rst b/umn/source/getting_started/typical_application_scenarios.rst new file mode 100644 index 0000000..240187e --- /dev/null +++ b/umn/source/getting_started/typical_application_scenarios.rst 
@@ -0,0 +1,22 @@ +:original_name: vpc_qs_0002.html + +.. _vpc_qs_0002: + +Typical Application Scenarios +============================= + +A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. + +- If your ECSs, for example, ECSs that function as databases, do not need to access the Internet or need to access the Internet using specific IP addresses with limited bandwidth, you can configure a VPC for the ECSs by following the instructions described in :ref:`Configuring a VPC for ECSs That Do Not Require Internet Access `. +- If your ECSs, for example, ECSs where websites are deployed, need to communicate with the Internet, you can bind EIPs to them. To configure a VPC for these ECSs, follow the instructions provided in :ref:`Configuring a VPC for ECSs That Access the Internet Using EIPs `. + +.. note:: + + Click |image1| in the lower right corner of the console to switch between the new and the old consoles. The old edition does not have the function of associating a subnet with a route table. + + This document provides two sets of operation guides. The "Getting Started" chapter uses the new console edition as an example. + + - If you use the new console edition, see :ref:`Operation Guide (New Console Edition) `. + - If you use the old console edition, see :ref:`Operation Guide (Old Console Edition) `. + +.. |image1| image:: /_static/images/en-us_image_0000001207253746.png diff --git a/umn/source/glossary.rst b/umn/source/glossary.rst new file mode 100644 index 0000000..9133640 --- /dev/null +++ b/umn/source/glossary.rst @@ -0,0 +1,8 @@ +:original_name: vpc_faq_0106.html + +.. _vpc_faq_0106: + +Glossary +======== + +For details about the terms involved in this document, see `Glossary `__. diff --git a/umn/source/index.rst b/umn/source/index.rst index aa133e8..cf324b4 100644 --- a/umn/source/index.rst +++ b/umn/source/index.rst 
@@ -2,3 +2,13 @@ Virtual Private Cloud - User Guide ================================== +.. toctree:: + :maxdepth: 1 + + service_overview/index + getting_started/index + operation_guide_new_console_edition/index + operation_guide_old_console_edition/index + faqs/index + change_history + glossary diff --git a/umn/source/operation_guide_new_console_edition/direct_connect.rst b/umn/source/operation_guide_new_console_edition/direct_connect.rst new file mode 100644 index 0000000..20ced42 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/direct_connect.rst @@ -0,0 +1,10 @@ +:original_name: vpc_dc_0000.html + +.. _vpc_dc_0000: + +Direct Connect +============== + +Direct Connect allows you to establish a dedicated network connection between your data center and the cloud platform. With Direct Connect, you can establish a private connection between the cloud platform and your data center, office, or collocation environment, which can reduce your network latency and provide a more consistent network experience than Internet-based connections. + +For more information about Direct Connect, see the *Direct Connect User Guide*. diff --git a/umn/source/operation_guide_new_console_edition/eip/assigning_an_eip_and_binding_it_to_an_ecs.rst b/umn/source/operation_guide_new_console_edition/eip/assigning_an_eip_and_binding_it_to_an_ecs.rst new file mode 100644 index 0000000..f57b53c --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/eip/assigning_an_eip_and_binding_it_to_an_ecs.rst 
@@ -0,0 +1,123 @@ +:original_name: en-us_topic_0013748738.html + +.. _en-us_topic_0013748738: + +Assigning an EIP and Binding It to an ECS +========================================= + +Scenarios +--------- + +You can assign an EIP and bind it to an ECS so that the ECS can access the Internet. + +.. note:: + + EIPs for dedicated load balancers: + + - In the **eu-de** region, if you choose to assign an EIP when you create a dedicated load balancer on the management console or using APIs, EIPs for dedicated load balancers (**5_gray**) will be assigned. + - Do not bind EIPs of this type to non-dedicated load balancers. + - Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect. + +Assigning an EIP +---------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. On the displayed page, click **Assign EIP**. + +#. Set the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001117669274.png + :alt: **Figure 1** Assign EIP + + + **Figure 1** Assign EIP + + .. 
table:: **Table 1** Parameter descriptions + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================================================================================================================================+=========================+ + | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | EIP Type | - **Dynamic BGP**: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails. | Dynamic BGP | + | | - **Mail BGP**: EIPs with port 25, 465, or 587 enabled are used. | | + | | | | + | | The selected EIP type cannot be changed after the EIP is assigned. 
| | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Bandwidth | The bandwidth size in Mbit/s. | 100 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Bandwidth Name | The name of the bandwidth. | bandwidth | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Tag | The EIP tags. Each tag contains a key and value pair. | - Key: Ipv4_key1 | + | | | - Value: 192.168.12.10 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Quantity | The number of EIPs you want to purchase. 
| 1 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + + .. _en-us_topic_0013748738__en-us_topic_0118498850_table36606052153313: + + .. table:: **Table 2** EIP tag requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirement | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | Ipv4_key1 | + | | - Must be unique for each EIP. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | 192.168.12.10 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **Create Now**. + +#. Click **Submit**. + +Binding an EIP +-------------- + +#. On the **EIPs** page, locate the row that contains the target EIP, and click **Bind**. + +#. Select the instance to which you want to bind the EIP. + + + .. 
figure:: /_static/images/en-us_image_0000001166028070.png + :alt: **Figure 2** Bind EIP + + + **Figure 2** Bind EIP + +#. Click **OK**. + +An IPv6 client on the Internet can access the ECS that has an EIP bound in a VPC. For details about the implementation and constraints, see :ref:`How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC? ` + +Follow-Up Procedure +------------------- + +After an ECS with an EIP bound is created, the system generates a domain name in the format of **ecs-**\ *xx-xx-xx-xx*\ **.compute.**\ *xxx*\ **.com** for the EIP by default. *xx-xx-xx-xx* indicates the EIP, and xxx indicates the domain name of the cloud service provider. You can use the domain name to access the ECS. + +You can use any of the following commands to obtain the domain name of an EIP: + +- ping -a *EIP* +- nslookup [-qt=ptr] *EIP* +- dig -x *EIP* + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/eip/index.rst b/umn/source/operation_guide_new_console_edition/eip/index.rst new file mode 100644 index 0000000..41e3858 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/eip/index.rst @@ -0,0 +1,20 @@ +:original_name: vpc_eip_0000.html + +.. _vpc_eip_0000: + +EIP +=== + +- :ref:`Assigning an EIP and Binding It to an ECS ` +- :ref:`Unbinding an EIP from an ECS and Releasing the EIP ` +- :ref:`Managing EIP Tags ` +- :ref:`Modifying an EIP Bandwidth ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + assigning_an_eip_and_binding_it_to_an_ecs + unbinding_an_eip_from_an_ecs_and_releasing_the_eip + managing_eip_tags + modifying_an_eip_bandwidth diff --git a/umn/source/operation_guide_new_console_edition/eip/managing_eip_tags.rst b/umn/source/operation_guide_new_console_edition/eip/managing_eip_tags.rst new file mode 100644 index 0000000..c7a254c --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/eip/managing_eip_tags.rst 
@@ -0,0 +1,93 @@ +:original_name: en-us_topic_0068145818.html + +.. _en-us_topic_0068145818: + +Managing EIP Tags +================= + +Scenarios +--------- + +Tags can be added to EIPs to facilitate EIP identification and administration. You can add a tag to an EIP when assigning the EIP. Alternatively, you can add a tag to an assigned EIP on the EIP details page. A maximum of 20 tags can be added to each EIP. + +A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. + +.. _en-us_topic_0068145818__en-us_topic_0118499005_ted9687ca14074ef785241145365a6175: + +.. table:: **Table 1** EIP tag requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirement | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | Ipv4_key1 | + | | - Must be unique for each EIP. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | 192.168.12.10 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +Procedure +--------- + +**Searching for EIPs by tag key and value on the page showing the EIP list** + +#. Log in to the management console. + +#. 
Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. In the upper right corner of the EIP list, click **Search by Tag**. + +#. In the displayed area, enter the tag key and value of the EIP you are looking for. + + You must specify both the tag key and value. The system will display the EIPs that contain the tag you specified. + +#. Click **+** to add another tag key and value. + + You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for EIPs, the system will display only the EIPs that contain all of the tags you specified. + +#. Click **Search**. + + The system displays the EIPs you are looking for based on the entered tag keys and values. + +**Adding, deleting, editing, and viewing tags on the Tags tab of an EIP** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, locate the EIP whose tags you want to manage, and click the EIP name. +#. On the page showing EIP details, click the **Tags** tab and perform desired operations on tags. + + - View tags. + + On the **Tags** tab, you can view details about tags added to the current EIP, including the number of tags and the key and value of each tag. + + - Add a tag. + + Click **Add Tag** in the upper left corner. In the displayed **Add Tag** dialog box, enter the tag key and value, and click **OK**. + + - Edit a tag. + + Locate the row that contains the tag you want to edit, and click **Edit** in the **Operation** column. Enter the new tag value, and click **OK**. + + The tag key cannot be modified. + + - Delete a tag. + + Locate the row that contains the tag you want to delete, and click **Delete** in the **Operation** column. In the displayed dialog box, click **Yes**. + +.. 
|image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/eip/modifying_an_eip_bandwidth.rst b/umn/source/operation_guide_new_console_edition/eip/modifying_an_eip_bandwidth.rst new file mode 100644 index 0000000..4601c21 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/eip/modifying_an_eip_bandwidth.rst @@ -0,0 +1,34 @@ +:original_name: en-us_topic_0013748743.html + +.. _en-us_topic_0013748743: + +Modifying an EIP Bandwidth +========================== + +Scenarios +--------- + +Modify the EIP bandwidth name or size. + +.. note:: + + This section describes how to modify the dedicated bandwidth or shared bandwidth of an EIP. For details about how to modify a shared bandwidth, see :ref:`Modifying a Shared Bandwidth `. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. Locate the row that contains the target EIP in the EIP list, click **More** in the **Operation** column, and select **Modify Bandwidth**. + +#. Modify the bandwidth parameters as prompted. + +#. Click **Next**. + +#. Click **Submit**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/eip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst b/umn/source/operation_guide_new_console_edition/eip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst new file mode 100644 index 0000000..205c6f0 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/eip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst 
@@ -0,0 +1,60 @@ +:original_name: vpc_eip_0001.html + +.. _vpc_eip_0001: + +Unbinding an EIP from an ECS and Releasing the EIP +================================================== + +Scenarios +--------- + +If you no longer need an EIP, unbind it from the ECS and release the EIP to avoid wasting network resources. + +Notes and Constraints +--------------------- + +- EIP assigned together with your load balancers will also be displayed in the EIP list on the VPC console. On the EIP console or using EIP APIs, you cannot bind EIPs to or unbind them from dedicated load balancers, but you can bind EIPs to or unbind them from shared load balancers. +- You can only release EIPs that are not bound to any resources. + +Procedure +--------- + +**Unbinding a single EIP** + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, locate the row that contains the target EIP, and click **Unbind**. +#. Click **Yes** in the displayed dialog box. + +**Releasing a single EIP** + +#. Log in to the management console. + +2. Click |image2| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Elastic IP**. +4. On the displayed page, locate the row that contains the target EIP, click **More** and then **Release** in the **Operation** column. +5. Click **Yes** in the displayed dialog box. + +**Unbinding multiple EIPs at once** + +#. Log in to the management console. +#. Click |image3| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, select the EIPs to be unbound. +#. Click the **Unbind** button located above the EIP list. +#. Click **Yes** in the displayed dialog box. + +**Releasing multiple EIPs at once** + +#. 
Log in to the management console. +#. Click |image4| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, select the EIPs to be released. +#. Click the **Release** button located above the EIP list. +#. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png +.. |image3| image:: /_static/images/en-us_image_0141273034.png +.. |image4| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/index.rst b/umn/source/operation_guide_new_console_edition/index.rst new file mode 100644 index 0000000..4ac0003 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/index.rst @@ -0,0 +1,32 @@ +:original_name: vpc_newui_0000.html + +.. _vpc_newui_0000: + +Operation Guide (New Console Edition) +===================================== + +- :ref:`VPC and Subnet ` +- :ref:`Security ` +- :ref:`EIP ` +- :ref:`Shared Bandwidth ` +- :ref:`Route Table ` +- :ref:`VPC Peering Connection ` +- :ref:`VPC Flow Log ` +- :ref:`Direct Connect ` +- :ref:`Virtual IP Address ` +- :ref:`Monitoring ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + vpc_and_subnet/index + security/index + eip/index + shared_bandwidth/index + route_table/index + vpc_peering_connection/index + vpc_flow_log/index + direct_connect + virtual_ip_address/index + monitoring/index diff --git a/umn/source/operation_guide_new_console_edition/monitoring/creating_an_alarm_rule.rst b/umn/source/operation_guide_new_console_edition/monitoring/creating_an_alarm_rule.rst new file mode 100644 index 0000000..1580b78 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/monitoring/creating_an_alarm_rule.rst 
@@ -0,0 +1,34 @@ +:original_name: vpc010014.html + +.. _vpc010014: + +Creating an Alarm Rule +====================== + +Scenarios +--------- + +You can configure alarm rules to customize the monitored objects and notification policies. You can learn your resource statuses at any time. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. Hover on the upper left corner to display **Service List** and choose **Management & Governance** > **Cloud Eye**. + +4. In the left navigation pane on the left, choose **Alarm Management** > **Alarm Rules**. + +5. On the **Alarm Rules** page, click **Create Alarm Rule** and set required parameters, or modify an existing alarm rule. + +6. After the parameters are set, click **Create**. + + After the alarm rule is created, the system automatically notifies you if an alarm is triggered for the VPC service. + + .. note:: + + For more information about alarm rules, see the *Cloud Eye User Guide*. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/monitoring/index.rst b/umn/source/operation_guide_new_console_edition/monitoring/index.rst new file mode 100644 index 0000000..ab8aed5 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/monitoring/index.rst @@ -0,0 +1,18 @@ +:original_name: vpc010011.html + +.. _vpc010011: + +Monitoring +========== + +- :ref:`Supported Metrics ` +- :ref:`Viewing Metrics ` +- :ref:`Creating an Alarm Rule ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + supported_metrics + viewing_metrics + creating_an_alarm_rule diff --git a/umn/source/operation_guide_new_console_edition/monitoring/supported_metrics.rst b/umn/source/operation_guide_new_console_edition/monitoring/supported_metrics.rst new file mode 100644 index 0000000..da82622 --- /dev/null 
+++ b/umn/source/operation_guide_new_console_edition/monitoring/supported_metrics.rst 
@@ -0,0 +1,79 @@ +:original_name: vpc010012.html + +.. _vpc010012: + +Supported Metrics +================= + +Description +----------- + +This section describes the namespace, list, and measurement dimensions of EIP and bandwidth metrics that you can check on Cloud Eye. You can use APIs or the Cloud Eye console to query the metrics of the monitored metrics and alarms generated for EIPs and bandwidths. + +Namespace +--------- + +SYS.VPC + +Monitoring Metrics +------------------ + +.. table:: **Table 1** EIP and bandwidth metrics + + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | ID | Name | Description | Value Range | Monitored Object | Monitoring Interval (Raw Data) | + +======================+====================+=================================================+=============+==================+================================+ + | upstream_bandwidth | Outbound Bandwidth | Network rate of outbound traffic | ≥ 0 bit/s | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: bit/s | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | downstream_bandwidth | Inbound Bandwidth | Network rate of inbound traffic | ≥ 0 bit/s | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: bit/s | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | up_stream | Outbound Traffic | Network traffic going out of the cloud platform | ≥ 0 bytes | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: byte | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | down_stream | Inbound Traffic | Network 
traffic going into the cloud platform | ≥ 0 bytes | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: byte | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + +Dimensions +---------- + +============ ============ +Key Value +============ ============ +publicip_id EIP ID +bandwidth_id Bandwidth ID +============ ============ + +If a monitored object has multiple dimensions, all dimensions are mandatory when you use APIs to query the metrics. + +- Query a monitoring metric: + + dim.0=bandwidth_id,530cd6b0-86d7-4818-837f-935f6a27414d&dim.1=publicip_id,3773b058-5b4f-4366-9035-9bbd9964714a + +- Query monitoring metrics in batches: + + "dimensions": [ + + { + + "name": "bandwidth_id", + + "value": "530cd6b0-86d7-4818-837f-935f6a27414d" + + } + + { + + "name": "publicip_id", + + "value": "3773b058-5b4f-4366-9035-9bbd9964714a" + + } + + ], diff --git a/umn/source/operation_guide_new_console_edition/monitoring/viewing_metrics.rst b/umn/source/operation_guide_new_console_edition/monitoring/viewing_metrics.rst new file mode 100644 index 0000000..99442c8 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/monitoring/viewing_metrics.rst 
@@ -0,0 +1,23 @@ +:original_name: vpc010013.html + +.. _vpc010013: + +Viewing Metrics +=============== + +Scenarios +--------- + +View related metrics to see bandwidth and EIP usage information. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. Hover on the upper left corner to display **Service List** and choose **Management & Governance** > **Cloud Eye**. +4. Click **Cloud Service Monitoring** on the left of the page, and choose **Elastic IP and Bandwidth**. +5. Locate the row that contains the target bandwidth or EIP and click **View Metric** in the **Operation** column to check the bandwidth or EIP monitoring information. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/adding_a_custom_route.rst b/umn/source/operation_guide_new_console_edition/route_table/adding_a_custom_route.rst new file mode 100644 index 0000000..3923d5d --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/adding_a_custom_route.rst 
@@ -0,0 +1,61 @@ +:original_name: vpc_route_0006.html + +.. _vpc_route_0006: + +Adding a Custom Route +===================== + +Scenarios +--------- + +Each route table contains a default system route, which indicates that ECSs in a VPC can communicate with each other. You can add custom routes as required to forward the traffic destined for the destination to the specified next hop. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Route Tables**. + +#. In the route table list, click the name of the route table to which you want to add a route. + +#. Click **Add Route** and set parameters as prompted. + + You can click **+** to add more routes. + + + .. figure:: /_static/images/en-us_image_0173155793.png + :alt: **Figure 1** Add Route + + + **Figure 1** Add Route + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+===================================================================================================================================================================+=======================+ + | Destination | The destination CIDR block. | 192.168.0.0/16 | + | | | | + | | The destination of each route must be unique. The destination cannot overlap with any subnet CIDR block in the VPC. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Next Hop Type | Set the type of the next hop. For details about the supported resource types, see :ref:`Table 1 `. | ECS | + | | | | + | | .. note:: | | + | | | | + | | When you add a custom route to or modify a custom route in a default route table, the next hop type cannot be set to VPN connection or Direct Connect gateway. | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Next Hop | Set the next hop. The resources in the drop-down list box are displayed based on the selected next hop type. | ecs-001 | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the route. This parameter is optional. | - | + | | | | + | | The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/associating_a_subnet_with_a_route_table.rst b/umn/source/operation_guide_new_console_edition/route_table/associating_a_subnet_with_a_route_table.rst new file mode 100644 index 0000000..f3be9de --- /dev/null 
+++ b/umn/source/operation_guide_new_console_edition/route_table/associating_a_subnet_with_a_route_table.rst @@ -0,0 +1,42 @@ +:original_name: vpc_route_0007.html + +.. _vpc_route_0007: + +Associating a Subnet with a Route Table +======================================= + +Scenarios +--------- + +After a route table is associated with a subnet, the routes in the route table control the routing for the subnet and apply to all cloud resources in the subnet. Determine the impact on services before performing this operation. + +Notes and Constraints +--------------------- + +A subnet can only be associated with one route table. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Route Tables**. + +#. In the route table list, locate the row that contains the target route table and click **Associate Subnet** in the **Operation** column. + +#. Select the subnet to be associated. + + + .. figure:: /_static/images/en-us_image_0173155870.png + :alt: **Figure 1** Associate Subnet + + + **Figure 1** Associate Subnet + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/changing_the_route_table_associated_with_a_subnet.rst b/umn/source/operation_guide_new_console_edition/route_table/changing_the_route_table_associated_with_a_subnet.rst new file mode 100644 index 0000000..e864816 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/changing_the_route_table_associated_with_a_subnet.rst 
@@ -0,0 +1,32 @@ +:original_name: vpc_route_0008.html + +.. _vpc_route_0008: + +Changing the Route Table Associated with a Subnet +================================================= + +Scenarios +--------- + +You can change the route table associated with the subnet to another one in the VPC. If the route table for a subnet is changed, routes in the new route table will apply to all cloud resources in the subnet. Determine the impact on services before performing this operation. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Route Tables**. + +#. In the route table list, click the name of the target route table. + +#. On the **Associated Subnets** tab page, click **Change Route Table** in the **Operation** column and select a new route table as prompted. + +#. Click **OK**. + + After the route table for a subnet is changed, routes in the new route table will apply to all cloud resources in the subnet. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/configuring_an_snat_server.rst b/umn/source/operation_guide_new_console_edition/route_table/configuring_an_snat_server.rst new file mode 100644 index 0000000..0bf20d6 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/configuring_an_snat_server.rst 
@@ -0,0 +1,141 @@ +:original_name: vpc_route_0004.html + +.. _vpc_route_0004: + +Configuring an SNAT Server +========================== + +Scenarios +--------- + +To use the route table function provided by the VPC service, you need to configure SNAT on an ECS to enable other ECSs that do not have EIPs bound in a VPC to access the Internet through this ECS. + +The configured SNAT takes effect for all subnets in a VPC. + +Prerequisites +------------- + +- You have an ECS where SNAT is to be configured. +- The ECS where SNAT is to be configured runs the Linux OS. +- The ECS where SNAT is to be configured has only one network interface card (NIC). + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Compute**, click **Elastic Cloud Server**. + +4. On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details. + +5. On the displayed ECS details page, click the **NICs** tab. + +6. Click the NIC IP address. In the displayed area showing the NIC details, disable the source/destination check function. + + By default, the source/destination check is enabled. When this check is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If SNAT is used, the SNAT server needs to forward packets. This mechanism prevents the packet sender from receiving returned packets. Therefore, you need to disable the source/destination check for SNAT servers. + +7. Bind an EIP. + + - Bind an EIP with the private IP address of the ECS. For details, see :ref:`Assigning an EIP and Binding It to an ECS `. + - Bind an EIP with the virtual IP address of the ECS. 
For details, see :ref:`Binding a Virtual IP Address to an EIP or ECS `. + +8. On the ECS console, use the remote login function to log in to the ECS where you plan to configure SNAT. + +9. Run the following command and enter the password of user **root** to switch to user **root**: + + **su - root** + +10. Run the following command to check whether the ECS can successfully connect to the Internet: + + .. note:: + + Before running the command, you must disable the response iptables rule on the ECS where SNAT is configured and enable the security group rules. + + **ping www.google.com** + + The ECS can access the Internet if the following information is displayed: + + .. code-block:: console + + [root@localhost ~]# ping www.google.com + PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data. + 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms + 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms + 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms + +11. Run the following command to check whether IP forwarding of the Linux OS is enabled: + + **cat /proc/sys/net/ipv4/ip_forward** + + In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. + + - If IP forwarding in Linux is enabled, go to step :ref:`14 `. + - If IP forwarding in Linux is disabled, perform step :ref:`12 ` to enable IP forwarding in Linux. + + Many OSs support packet routing. Before forwarding packets, OSs change source IP addresses in the packets to OS IP addresses. Therefore, the forwarded packets contain the IP address of the public sender so that the response packets can be sent back along the same path to the initial packet sender. This method is called SNAT. The OSs need to keep track of the packets where IP addresses have been changed to ensure that the destination IP addresses in the packets can be rewritten and that packets can be forwarded to the initial packet sender. 
To achieve these purposes, you need to enable the IP forwarding function and configure SNAT rules. + +12. .. _vpc_route_0004__en-us_topic_0118499009_li3948189019612: + + Use the vi editor to open the **/etc/sysctl.conf** file, change the value of **net.ipv4.ip_forward** to **1**, and enter **:wq** to save the change and exit. + +13. Run the following command to make the change take effect: + + **sysctl -p /etc/sysctl.conf** + +14. .. _vpc_route_0004__en-us_topic_0118499009_li2168883919851: + + Configure SNAT. + + Run the following command to enable all ECSs on the network (for example, 192.168.1.0/24) to access the Internet using the SNAT function: :ref:`Figure 1 ` shows the example command. + + **iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip** + + .. _vpc_route_0004__en-us_topic_0118499009_fig27328760201321: + + .. figure:: /_static/images/en-us_image_0118498992.png + :alt: **Figure 1** Configuring SNAT + + + **Figure 1** Configuring SNAT + + .. note:: + + - To ensure that the rule will not be lost after the restart, write the rule into the **/etc/rc.local** file. + + a. Run the following command to switch to the **/etc/sysctl.conf** file: + + **vi /etc/rc.local** + + b. Perform :ref:`14 ` to configure SNAT. + + c. Run the following command to save the configuration and exit: + + **:wq** + + d. Run the following command to add the execute permission for the **rc.local** file: + + **# chmod +x /etc/rc.local** + + - To ensure that the configuration takes effect, run the **iptables -L** command to check whether the configured rules conflict with each other. + +15. Run the following command to check whether the operation is successful: If information similar to :ref:`Figure 2 ` (for example, 192.168.1.0/24) is displayed, the operation was successful. + + **iptables -t nat --list** + + .. _vpc_route_0004__en-us_topic_0118499009_fig8358771201535: + + .. 
figure:: /_static/images/en-us_image_0118499109.png + :alt: **Figure 2** Verifying configuration + + + **Figure 2** Verifying configuration + +16. Add a route. For details, see section :ref:`Adding a Custom Route `. + + Set the destination to **0.0.0.0/0**, and the next hop to the private or virtual IP address of the ECS where SNAT is deployed. For example, the next hop is **192.168.1.4**. + +After these operations are complete, if the network communication still fails, check your security group and firewall configuration to see whether required traffic is allowed. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/creating_a_custom_route_table.rst b/umn/source/operation_guide_new_console_edition/route_table/creating_a_custom_route_table.rst new file mode 100644 index 0000000..ddfb053 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/creating_a_custom_route_table.rst 
@@ -0,0 +1,63 @@ +:original_name: vpc_route_0005.html + +.. _vpc_route_0005: + +Creating a Custom Route Table +============================= + +Scenarios +--------- + +You can create a custom route table if you do not want to use the default one. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Route Tables**. + +#. In the upper right corner, click **Create Route Table**. On the displayed page, configure parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0173155804.png + :alt: **Figure 1** Create Route Table + + + **Figure 1** Create Route Table + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================================+=======================+ + | Name | The name of the route table. This parameter is mandatory. | rtb-001 | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | VPC | The VPC that the route table belongs to. This parameter is mandatory. 
| vpc-001 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the route table. This parameter is optional. | - | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Route Settings | The route information. This parameter is optional. | - | + | | | | + | | You can add a route when creating the route table or after the route table is created. For details, see :ref:`Adding a Custom Route `. | | + | | | | + | | You can click **+** to add more routes. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + + A message is displayed. You can determine whether to associate the route table with subnets immediately as prompted. If you want to associate immediately, perform the following operations: + + a. Click **Associate Subnet**. The **Associated Subnets** page is displayed. + b. Click **Associate Subnet** and select the target subnets to be associated. + c. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/deleting_a_route.rst b/umn/source/operation_guide_new_console_edition/route_table/deleting_a_route.rst new file mode 100644 index 0000000..c3b97e0 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/deleting_a_route.rst 
@@ -0,0 +1,25 @@ +:original_name: vpc_route_0012.html + +.. _vpc_route_0012: + +Deleting a Route +================ + +Scenarios +--------- + +Delete a route if it is no longer required. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the VPC that the route to be deleted belongs to and click the VPC name. +6. Click the **Route Tables** tab. On the displayed page, locate the row that contains the route to be deleted, and click **Delete** in the **Operation** column. +7. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/deleting_a_route_table.rst b/umn/source/operation_guide_new_console_edition/route_table/deleting_a_route_table.rst new file mode 100644 index 0000000..520838f --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/deleting_a_route_table.rst 
@@ -0,0 +1,28 @@ +:original_name: vpc_route_0010.html + +.. _vpc_route_0010: + +Deleting a Route Table +====================== + +Scenarios +--------- + +You can delete custom route tables but cannot delete the default route table. + +Prerequisites +------------- + +Before deleting a route table, ensure that no subnet has been associated with the custom route table. If there is an associated subnet, associate the subnet with another route table by clicking **Change Route Table** and then delete the custom route table. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, choose **Route Tables**. +#. In the route table list, locate the row that contains the route table to be deleted and click **Delete** in the **Operation** column. +#. Click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/exporting_route_table_information.rst b/umn/source/operation_guide_new_console_edition/route_table/exporting_route_table_information.rst new file mode 100644 index 0000000..6e7a7c2 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/exporting_route_table_information.rst 
@@ -0,0 +1,29 @@ +:original_name: vpc_route_0014.html + +.. _vpc_route_0014: + +Exporting Route Table Information +================================= + +Scenarios +--------- + +Information about all route tables under your account can be exported as an Excel file to a local directory. This file records the name, ID, VPC, type, and number of associated subnets of the route tables. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. Under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Route Tables**. + +#. On the displayed page, click |image2| in the upper right of the route table list. + + The system will automatically export information about all route tables under your account in the current region as an Excel file to a local directory. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0185346582.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/index.rst b/umn/source/operation_guide_new_console_edition/route_table/index.rst new file mode 100644 index 0000000..c91cf91 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/index.rst 
@@ -0,0 +1,36 @@ +:original_name: vpc_route_0000.html + +.. _vpc_route_0000: + +Route Table +=========== + +- :ref:`Route Table Overview ` +- :ref:`Configuring an SNAT Server ` +- :ref:`Creating a Custom Route Table ` +- :ref:`Adding a Custom Route ` +- :ref:`Associating a Subnet with a Route Table ` +- :ref:`Changing the Route Table Associated with a Subnet ` +- :ref:`Viewing a Route Table ` +- :ref:`Deleting a Route Table ` +- :ref:`Modifying a Route ` +- :ref:`Deleting a Route ` +- :ref:`Replicating a Route ` +- :ref:`Exporting Route Table Information ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + route_table_overview + configuring_an_snat_server + creating_a_custom_route_table + adding_a_custom_route + associating_a_subnet_with_a_route_table + changing_the_route_table_associated_with_a_subnet + viewing_a_route_table + deleting_a_route_table + modifying_a_route + deleting_a_route + replicating_a_route + exporting_route_table_information diff --git a/umn/source/operation_guide_new_console_edition/route_table/modifying_a_route.rst b/umn/source/operation_guide_new_console_edition/route_table/modifying_a_route.rst new file mode 100644 index 0000000..35e6a6c --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/modifying_a_route.rst 
@@ -0,0 +1,54 @@ +:original_name: vpc_route_0011.html + +.. _vpc_route_0011: + +Modifying a Route +================= + +Scenarios +--------- + +Modify a route. + +Notes and Constraints +--------------------- + +- The system route cannot be modified. +- The routes delivered by the VPN, Direct Connect services to the default route table cannot be modified. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, choose **Route Tables**. +#. In the route table list, click the name of the target route table. +#. Locate the row that contains the route to be modified and click **Modify** in the **Operation** column. +#. Modify the route information in the displayed dialog box. + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+===================================================================================================================================================================+=======================+ + | Destination | The destination CIDR block. | 192.168.0.0/16 | + | | | | + | | The destination of each route must be unique. The destination cannot overlap with any subnet CIDR block in the VPC. | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Next Hop Type | Set the type of the next hop. For details about the supported resource types, see :ref:`Table 1 `. | ECS | + | | | | + | | .. 
note:: | | + | | | | + | | When you add a custom route to or modify a custom route in a default route table, the next hop type cannot be set to VPN connection or Direct Connect gateway. | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Next Hop | Set the next hop. The resources in the drop-down list box are displayed based on the selected next hop type. | ecs-001 | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the route. This parameter is optional. | - | + | | | | + | | The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/replicating_a_route.rst b/umn/source/operation_guide_new_console_edition/route_table/replicating_a_route.rst new file mode 100644 index 0000000..e79c80b --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/replicating_a_route.rst 
@@ -0,0 +1,39 @@ +:original_name: vpc_route_0013.html + +.. _vpc_route_0013: + +Replicating a Route +=================== + +Scenarios +--------- + +You can replicate a created route as required. + +Notes and Constraints +--------------------- + +- The routes delivered by the VPN service to the default route table cannot be replicated. +- The routes delivered to the default route table by the Direct Connect service that is enabled by call or email cannot be replicated. +- Black hole routes cannot be replicated. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Route Tables**. + +#. In the route table list, locate the row that contains the target route table and click **Replicate Route** in the **Operation** column. + +#. Select the target route table and then the route to be replicated as prompted. + + The routes listed on the page are those that do not exist in the target route table. You can select one or more routes to replicate to the target route table. + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/route_table/route_table_overview.rst b/umn/source/operation_guide_new_console_edition/route_table/route_table_overview.rst new file mode 100644 index 0000000..e6ecf39 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/route_table_overview.rst 
@@ -0,0 +1,119 @@ +:original_name: route_0001.html + +.. _route_0001: + +Route Table Overview +==================== + +A custom route is a user-defined routing rule added to a VPC. + +Route Table +----------- + +A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. + + +.. figure:: /_static/images/en-us_image_0167573711.png + :alt: **Figure 1** Route table + + + **Figure 1** Route table + +Default Route Table and Custom Route Table +------------------------------------------ + +When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. You can add, delete, and modify routes in the default route table, but you cannot delete the route table. When you create a VPN, Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. If you want to modify or delete the route, you can associate your subnet with a custom route table and replicate the route to the custom route table to modify or delete it. + +If you do not want to use the default route table, you can now create a custom route table and associate it with the subnet. You can delete the custom route table if it is no longer required. + +.. note:: + + The custom route table associated with a subnet affects only the outbound traffic. The default route table determines the inbound traffic. + +For details about how to create a custom route table, see section :ref:`Creating a Custom Route Table `. + +Route +----- + +A route is configured with the destination, next hop type, and next hop to determine where network traffic is directed. 
Routes are classified into system routes and custom routes. + +- System routes: These routes are automatically added by the system and cannot be modified or deleted. + + After a route table is created, the system automatically adds the following system routes to the route table, so that instances in a VPC can communicate with each other. + + - Routes whose destination is 100.64.0.0/10 or 198.19.128.0/20. + - Routes whose destination is a subnet CIDR block. + + .. note:: + + In addition to the preceding system routes, the system automatically adds a route whose destination is 127.0.0.0/8. This is the local loopback address. + +- Custom routes: These are routes that you can add, modify, and delete. The destination of a custom route cannot overlap with that of a system route. + + You can add a custom route and configure the destination, next hop type, and next hop in the route to determine where network traffic is directed. :ref:`Table 1 ` lists the supported types of next hops. + + .. _route_0001__en-us_topic_0121831807_table1727714140542: + + .. table:: **Table 1** Next hop type + + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop Type | Description | Supported Route Table | + +========================+==============================================================================================================================================================+========================+ + | Server | Traffic intended for the destination is forwarded to an ECS in the VPC. 
| - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Direct Connect gateway | Traffic intended for the destination is forwarded to a Direct Connect gateway. | Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | NAT gateway | Traffic intended for the destination is forwarded to a NAT gateway. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | VPC peering connection | Traffic intended for the destination is forwarded to a VPC peering connection. 
| - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Virtual IP address | Traffic intended for the destination is forwarded to a virtual IP address and then sent to active and standby ECSs to which the virtual IP address is bound. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + + .. note:: + + If you specify the destination when creating a resource, a system route is delivered. If you do not specify a destination when creating a resource, a custom route that can be modified or deleted is delivered. + + For example, when you create a NAT gateway, the system automatically delivers a custom route without a specific destination (0.0.0.0/0 is used by default). In this case, you can change the destination. However, when you create a VPN connection or Direct Connect gateway, you need to specify the remote subnet, that is, the destination of a route. In this case, the system delivers this system route. Do not modify the route destination on the **Route Tables** page. If you do, the destination will be inconsistent with the configured remote subnet. To modify the route destination, go to the specific resource page and modify the remote subnet, then the route destination will be changed accordingly. + +Custom Route Table Configuration Process +---------------------------------------- + +:ref:`Figure 2 ` shows the process of creating and configuring a custom route table. + +.. _route_0001__en-us_topic_0121831807_fig16862186152219: + +.. 
figure:: /_static/images/en-us_image_0163203842.png + :alt: **Figure 2** Route table configuration process + + + **Figure 2** Route table configuration process + +#. For details about how to create a custom route table, see :ref:`Creating a Custom Route Table `. +#. For details about how to add a custom route, see :ref:`Adding a Custom Route `. +#. For details about how to associate a subnet with a route table, see :ref:`Associating a Subnet with a Route Table `. After the association, the routes in the route table control the routing for the subnet. + +Notes and Constraints +--------------------- + +- A maximum of 10 route tables, including the default one, can be created for each VPC. +- A maximum of 200 routes can be added to each route table. +- The default route table cannot be deleted. +- The system route cannot be modified or deleted. +- The routes delivered by the VPN service to the default route table cannot be modified, replicated, or deleted. +- The routes delivered by the Direct Connect service to the default route table cannot be modified or deleted. + + - If the Direct Connect service is enabled in the self-service mode, the routes delivered to the default route table can be replicated to the custom route table. + - If the Direct Connect service is enabled by call or email, the routes delivered to the default route table cannot be replicated to the custom route table. + +- Black hole routes cannot be replicated. +- When you add a custom route to a default route table, the next hop type cannot be set to VPN connection or Direct Connect gateway. diff --git a/umn/source/operation_guide_new_console_edition/route_table/viewing_a_route_table.rst b/umn/source/operation_guide_new_console_edition/route_table/viewing_a_route_table.rst new file mode 100644 index 0000000..f0c7a9e --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/route_table/viewing_a_route_table.rst 
@@ -0,0 +1,24 @@ +:original_name: vpc_route_0009.html + +.. _vpc_route_0009: + +Viewing a Route Table +===================== + +Scenarios +--------- + +You can view details about a route table. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the VPC that is associated with the route table to be queried and click the VPC name. +6. View details about the route table. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/differences_between_security_groups_and_firewalls.rst b/umn/source/operation_guide_new_console_edition/security/differences_between_security_groups_and_firewalls.rst new file mode 100644 index 0000000..8bbfa76 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/differences_between_security_groups_and_firewalls.rst 
@@ -0,0 +1,41 @@ +:original_name: en-us_topic_0052003963.html + +.. _en-us_topic_0052003963: + +Differences Between Security Groups and Firewalls +================================================= + +You can configure security groups and firewall to increase the security of ECSs in your VPC. + +- Security groups operate at the ECS level. +- Firewalls operate at the subnet level. + +For details, see :ref:`Figure 1 `. + +.. _en-us_topic_0052003963__en-us_topic_0118534001_fig9582182315479: + +.. figure:: /_static/images/en-us_image_0148244691.png + :alt: **Figure 1** Security groups and firewalls + + + **Figure 1** Security groups and firewalls + +:ref:`Table 1 ` describes the differences between security groups and firewalls. + +.. _en-us_topic_0052003963__en-us_topic_0118534001_table53053071174845: + +.. table:: **Table 1** Differences between security groups and firewalls + + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Category | Security Group | Firewall | + +==========+================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================================+ + | Targets | Operates at the ECS level. | Operates at the subnet level. 
| + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rules | Supports both **Allow** and **Deny** rules. | Supports both **Allow** and **Deny** rules. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. 
You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable firewall. The firewall then takes effect for the associated subnets and ECSs in the subnets. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/adding_a_firewall_rule.rst b/umn/source/operation_guide_new_console_edition/security/firewall/adding_a_firewall_rule.rst new file mode 100644 index 0000000..610fb8c --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/adding_a_firewall_rule.rst 
@@ -0,0 +1,82 @@ +:original_name: en-us_topic_0051746702.html + +.. _en-us_topic_0051746702: + +Adding a Firewall Rule +====================== + +Scenarios +--------- + +Add an inbound or outbound rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, click **Add Rule** to add an inbound or outbound rule. + + - Click **+** to add more rules. + - Locate the row that contains the firewall rule and click **Replicate** in the **Operation** column to replicate an existing rule. + + + .. figure:: /_static/images/en-us_image_0152238989.png + :alt: **Figure 1** Add Inbound Rule + + + **Figure 1** Add Inbound Rule + + .. table:: **Table 1** Parameter descriptions + + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+================================================================================================================================================================================================================================================================+=======================+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be **TCP**, **UDP**, **All**, or **ICMP**. If **ICMP** or **All** is selected, you do not need to specify port information. | TCP | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic from all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic to all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/associating_subnets_with_a_firewall.rst b/umn/source/operation_guide_new_console_edition/security/firewall/associating_subnets_with_a_firewall.rst new file mode 100644 index 0000000..38d6f78 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/associating_subnets_with_a_firewall.rst 
@@ -0,0 +1,30 @@ +:original_name: en-us_topic_0051746700.html + +.. _en-us_topic_0051746700: + +Associating Subnets with a Firewall +=================================== + +Scenarios +--------- + +On the page showing firewall details, associate desired subnets with a firewall. After a firewall is associated with a subnet, the firewall denies all traffic to and from the subnet until you add rules to allow traffic. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click the **Associated Subnets** tab. +7. On the **Associated Subnets** page, click **Associate**. +8. On the displayed page, select the subnets to be associated with the firewall, and click **OK**. + +.. note:: + + Subnets that have already been associated with firewalls will not be displayed on the page for you to select. One-click subnet association and disassociation are not currently supported. Furthermore, a subnet can only be associated with one firewall. If you want to reassociate a subnet that has already been associated with another firewall, you must first disassociate the subnet from the original firewall. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/changing_the_sequence_of_a_firewall_rule.rst b/umn/source/operation_guide_new_console_edition/security/firewall/changing_the_sequence_of_a_firewall_rule.rst new file mode 100644 index 0000000..92047c9 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/changing_the_sequence_of_a_firewall_rule.rst 
@@ -0,0 +1,34 @@ +:original_name: vpc_acl_0004.html + +.. _vpc_acl_0004: + +Changing the Sequence of a Firewall Rule +======================================== + +Scenarios +--------- + +If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule. + +If multiple firewall rules conflict, only the rule with the highest priority takes effect. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the target rule, click **More** in the **Operation** column, and select **Insert Rule Above** or **Insert Rule Below**. + +7. In the displayed dialog box, configure required parameters and click **OK**. + + The rule is inserted. The procedure for inserting an outbound rule is the same as that for inserting an inbound rule. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/creating_a_firewall.rst b/umn/source/operation_guide_new_console_edition/security/firewall/creating_a_firewall.rst new file mode 100644 index 0000000..f7cf344 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/creating_a_firewall.rst 
@@ -0,0 +1,53 @@ +:original_name: en-us_topic_0051746698.html + +.. _en-us_topic_0051746698: + +Creating a Firewall +=================== + +Scenarios +--------- + +You can create a custom firewall, but any newly created firewall will be disabled by default. It will not have any inbound or outbound rules, or have any subnets associated. Each user can create up to 200 firewalls by default. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. In the right pane displayed, click **Create firewall**. + +6. In the displayed dialog box, enter firewall information as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0129304042.png + :alt: **Figure 1** Create Firewall + + + **Figure 1** Create Firewall + + .. _en-us_topic_0051746698__en-us_topic_0118499011_table145313414319: + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================+=======================+ + | Name | The firewall name. This parameter is mandatory. | fw-92d3 | + | | | | + | | The name contains a maximum of 64 characters, which may consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/deleting_a_firewall.rst b/umn/source/operation_guide_new_console_edition/security/firewall/deleting_a_firewall.rst new file mode 100644 index 0000000..f118b0b --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/deleting_a_firewall.rst @@ -0,0 +1,28 @@ +:original_name: vpc_acl_0012.html + +.. _vpc_acl_0012: + +Deleting a Firewall +=================== + +Scenarios +--------- + +Delete a firewall when it is no longer required. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall in the right pane, click **More** in the **Operation** column, and click **Delete**. +6. Click **Yes**. + + .. note:: + + After a firewall is deleted, associated subnets are disassociated and added rules are deleted from the firewall. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/deleting_a_firewall_rule.rst b/umn/source/operation_guide_new_console_edition/security/firewall/deleting_a_firewall_rule.rst new file mode 100644 index 0000000..1c0160b --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/deleting_a_firewall_rule.rst @@ -0,0 +1,29 @@ +:original_name: vpc_acl_0007.html + +.. _vpc_acl_0007: + +Deleting a Firewall Rule +======================== + +Scenarios +--------- + +Delete an inbound or outbound rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the row that contains the target rule and click **Delete** in the **Operation** column. +7. Click **Yes** in the displayed dialog box. + +**Deleting multiple Firewall rules at a time** + +You can also select multiple firewall rules and click **Delete** above the firewall rule list to delete multiple rules at a time. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/disassociating_a_subnet_from_a_firewall.rst b/umn/source/operation_guide_new_console_edition/security/firewall/disassociating_a_subnet_from_a_firewall.rst new file mode 100644 index 0000000..b92a28c --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/disassociating_a_subnet_from_a_firewall.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_acl_0003.html + +.. _vpc_acl_0003: + +Disassociating a Subnet from a Firewall +======================================= + +Scenarios +--------- + +Disassociate a subnet from a firewall when necessary. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click the **Associated Subnets** tab. +7. On the **Associated Subnets** page, locate the row that contains the target subnet and click **Disassociate** in the **Operation** column. +8. Click **Yes** in the displayed dialog box. + +**Disassociating subnets from a firewall** + +Select multiple subnets and click **Disassociate** above the subnet list to disassociate the subnets from the current firewall at a time. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/enabling_or_disabling_a_firewall.rst b/umn/source/operation_guide_new_console_edition/security/firewall/enabling_or_disabling_a_firewall.rst new file mode 100644 index 0000000..5d475da --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/enabling_or_disabling_a_firewall.rst 
@@ -0,0 +1,26 @@ +:original_name: vpc_acl_0011.html + +.. _vpc_acl_0011: + +Enabling or Disabling a Firewall +================================ + +Scenarios +--------- + +After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if need. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall. + +When a firewall is disabled, custom rules will become invalid. Disabling a firewall may interrupt network traffic. For information about the default firewall rules, see :ref:`Default Firewall Rules `. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the row that contains the target firewall in the right pane, click **More** in the **Operation** column, and click **Enable** or **Disable**. +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/enabling_or_disabling_a_firewall_rule.rst b/umn/source/operation_guide_new_console_edition/security/firewall/enabling_or_disabling_a_firewall_rule.rst new file mode 100644 index 0000000..65cb052 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/enabling_or_disabling_a_firewall_rule.rst 
@@ -0,0 +1,32 @@ +:original_name: vpc_acl_0006.html + +.. _vpc_acl_0006: + +Enabling or Disabling a Firewall Rule +===================================== + +Scenarios +--------- + +Enable or disable an inbound or outbound rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the row that contains the target rule, and click **More** and then **Enable** or **Disable** in the **Operation** column. + +7. Click **Yes** in the displayed dialog box. + + The rule is enabled or disabled. The procedure for enabling or disabling an outbound rule is the same as that for enabling or disabling an inbound rule. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/firewall_configuration_examples.rst b/umn/source/operation_guide_new_console_edition/security/firewall/firewall_configuration_examples.rst new file mode 100644 index 0000000..a7c5a84 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/firewall_configuration_examples.rst 
@@ -0,0 +1,84 @@ +:original_name: acl_0002.html + +.. _acl_0002: + +Firewall Configuration Examples +=============================== + +This section provides examples for configuring firewalls. + +- :ref:`Denying Access from a Specific Port ` +- :ref:`Allowing Access from Specific Ports and Protocols ` + +.. _acl_0002__en-us_topic_0144643911_section11312173319432: + +Denying Access from a Specific Port +----------------------------------- + +You might want to block TCP 445 to protect against the WannaCry ransomware attacks. You can add a firewall rule to deny all incoming traffic from TCP port 445. + +Firewall Configuration + +:ref:`Table 1 ` lists the inbound rule required. + +.. _acl_0002__en-us_topic_0144643911_table553618145582: + +.. table:: **Table 1** firewall rules + + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------+ + | Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description | + +===========+========+==========+===========+===================+=============+========================+==================================================================+ + | Inbound | Deny | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 445 | Denies inbound traffic from any IP address through TCP port 445. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------+ + | Inbound | Allow | All | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | All | Allows all inbound traffic. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------+ + +.. note:: + + - By default, a firewall denies all inbound traffic. You need to allow all inbound traffic if necessary. 
+ - If you want a deny rule to be matched first, insert the deny rule above the allow rule. For details, see :ref:`Changing the Sequence of a Firewall Rule `. + +.. _acl_0002__en-us_topic_0144643911_section61291659102216: + +Allowing Access from Specific Ports and Protocols +------------------------------------------------- + +In this example, an ECS in a subnet is used as the web server, and you need to allow inbound traffic from HTTP port 80 and HTTPS port 443 and allow all outbound traffic regardless of the port. You need to configure both the firewall rules and security group rules to allow the traffic. + +Firewall Configuration + +:ref:`Table 2 ` lists the inbound rule required. + +.. _acl_0002__en-us_topic_0144643911_table195634095313: + +.. table:: **Table 2** firewall rules + + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + | Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description | + +===========+========+==========+===========+===================+=============+========================+==========================================================================================+ + | Inbound | Allow | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 80 | Allows inbound HTTP traffic from any IP address to ECSs in the subnet through port 80. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + | Inbound | Allow | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 443 | Allows inbound HTTPS traffic from any IP address to ECSs in the subnet through port 443. 
| + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + | Outbound | Allow | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Allows all outbound traffic from the subnet. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + +**Security group configuration** + +:ref:`Table 3 ` lists the inbound and outbound security group rules required. + +.. _acl_0002__en-us_topic_0144643911_table30323767195135: + +.. table:: **Table 3** Security group rules + + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + | Direction | Protocol/Application | Port | Source/Destination | Description | + +===========+======================+======+========================+===============================================================================================================+ + | Inbound | TCP | 80 | Source: 0.0.0.0/0 | Allows inbound HTTP traffic from any IP address to ECSs associated with the security group through port 80. | + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + | Inbound | TCP | 443 | Source: 0.0.0.0/0 | Allows inbound HTTPS traffic from any IP address to ECSs associated with the security group through port 443. | + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + | Outbound | All | All | Destination: 0.0.0.0/0 | Allows all outbound traffic from the security group. 
| + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + +A firewall adds an additional layer of security. Even if the security group rules allow more traffic than that actually required, the firewall rules allow only access from HTTP port 80 and HTTPS port 443 and deny other inbound traffic. diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/firewall_overview.rst b/umn/source/operation_guide_new_console_edition/security/firewall/firewall_overview.rst new file mode 100644 index 0000000..0146493 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/firewall_overview.rst 
@@ -0,0 +1,102 @@ +:original_name: acl_0001.html + +.. _acl_0001: + +Firewall Overview +================= + +A firewall is an optional layer of security for your subnets. After you associate one or more subnets with a firewall, you can control traffic in and out of the subnets. + +:ref:`Figure 1 ` shows how a firewall works. + +.. _acl_0001__en-us_topic_0144643910_fig9582182315479: + +.. figure:: /_static/images/en-us_image_0148244691.png + :alt: **Figure 1** Security groups and firewalls + + + **Figure 1** Security groups and firewalls + +Similar to security groups, firewalls control access to subnets and add an additional layer of defense to your subnets. Security groups only have the "allow" rules, but firewalls have both "allow" and "deny" rules. You can use firewalls together with security groups to implement comprehensive and fine-grained access control. + +:ref:`Differences Between Security Groups and Firewalls ` summarizes the basic differences between security groups and firewalls. + +Firewall Basics +--------------- + +- Your VPC does not come with a firewall, but you can create a firewall and associate it with a VPC subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules. +- You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time. +- Each newly created firewall is in the **Inactive** state until you associate subnets with it. + +.. _acl_0001__en-us_topic_0144643910_section99541345213: + +Default Firewall Rules +---------------------- + +By default, each firewall has preset rules that allow the following packets: + +- Packets whose source and destination are in the same subnet + +- Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information. + +- Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols. 
+ +- Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata. + +- Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16) + +- A firewall denies all traffic in and out of a subnet excepting the preceding ones. :ref:`Table 1 ` shows the default firewall rules. You cannot modify or delete the default rules. + + .. _acl_0001__en-us_topic_0144643910_table1034601475112: + + .. table:: **Table 1** Default firewall rules + + +-----------+----------+--------+----------+-----------+-------------+------------------------------+ + | Direction | Priority | Action | Protocol | Source | Destination | Description | + +===========+==========+========+==========+===========+=============+==============================+ + | Inbound | \* | Deny | All | 0.0.0.0/0 | 0.0.0.0/0 | Denies all inbound traffic. | + +-----------+----------+--------+----------+-----------+-------------+------------------------------+ + | Outbound | \* | Deny | All | 0.0.0.0/0 | 0.0.0.0/0 | Denies all outbound traffic. | + +-----------+----------+--------+----------+-----------+-------------+------------------------------+ + +Rule Priorities +--------------- + +- Each firewall rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority. +- If multiple firewall rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule. + +Application Scenarios +--------------------- + +- If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. 
However, you also need to prevent illegal access from malicious users. + + Solution: You can add firewall rules to deny access from suspect IP addresses. + +- How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm? + + Solution: You can add firewall rules to deny access traffic from a specific port and protocol, for example, TCP port 445. + +- No defense is required for the east-west traffic between subnets, but access control is required for north-south traffic. + + Solution: You can add firewall rules to protect north-south traffic. + +- For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance. + + Solution: A firewall allows you to adjust the rule sequence so that frequently used rules are applied before other rules. + +Configuration Procedure +----------------------- + +:ref:`Figure 2 ` shows the procedure for configuring a firewall. + +.. _acl_0001__en-us_topic_0144643910_fig1643183218163: + +.. figure:: /_static/images/en-us_image_0162335382.png + :alt: **Figure 2** firewall configuration procedure + + + **Figure 2** firewall configuration procedure + +#. Create a firewall by following the steps described in :ref:`Creating a Firewall `. +#. Add firewall rules by following the steps described in :ref:`Adding a Firewall Rule `. +#. Associate subnets with the firewall by following the steps described in :ref:`Associating Subnets with a Firewall `. After subnets are associated with the firewall, the subnets will be protected by the configured firewall rules. diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/index.rst b/umn/source/operation_guide_new_console_edition/security/firewall/index.rst new file mode 100644 index 0000000..7350f36 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/index.rst 
@@ -0,0 +1,40 @@ +:original_name: vpc_acl_0000.html + +.. _vpc_acl_0000: + +Firewall +======== + +- :ref:`Firewall Overview ` +- :ref:`Firewall Configuration Examples ` +- :ref:`Creating a Firewall ` +- :ref:`Adding a Firewall Rule ` +- :ref:`Associating Subnets with a Firewall ` +- :ref:`Disassociating a Subnet from a Firewall ` +- :ref:`Changing the Sequence of a Firewall Rule ` +- :ref:`Modifying a Firewall Rule ` +- :ref:`Enabling or Disabling a Firewall Rule ` +- :ref:`Deleting a Firewall Rule ` +- :ref:`Viewing a Firewall ` +- :ref:`Modifying a Firewall ` +- :ref:`Enabling or Disabling a Firewall ` +- :ref:`Deleting a Firewall ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + firewall_overview + firewall_configuration_examples + creating_a_firewall + adding_a_firewall_rule + associating_subnets_with_a_firewall + disassociating_a_subnet_from_a_firewall + changing_the_sequence_of_a_firewall_rule + modifying_a_firewall_rule + enabling_or_disabling_a_firewall_rule + deleting_a_firewall_rule + viewing_a_firewall + modifying_a_firewall + enabling_or_disabling_a_firewall + deleting_a_firewall diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/modifying_a_firewall.rst b/umn/source/operation_guide_new_console_edition/security/firewall/modifying_a_firewall.rst new file mode 100644 index 0000000..8bc1c7d --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/modifying_a_firewall.rst 
@@ -0,0 +1,29 @@ +:original_name: vpc_acl_0010.html + +.. _vpc_acl_0010: + +Modifying a Firewall +==================== + +Scenarios +--------- + +Modify the name and description of a firewall. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click |image2| on the right of **Name** and edit the firewall name. +7. Click Y to save the new firewall name. +8. Click |image3| on the right of Description and edit the firewall description. +9. Click Y to save the new firewall description. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0142359884.png +.. |image3| image:: /_static/images/en-us_image_0142359884.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/modifying_a_firewall_rule.rst b/umn/source/operation_guide_new_console_edition/security/firewall/modifying_a_firewall_rule.rst new file mode 100644 index 0000000..2d16a9d --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/modifying_a_firewall_rule.rst 
@@ -0,0 +1,81 @@ +:original_name: vpc_acl_0005.html + +.. _vpc_acl_0005: + +Modifying a Firewall Rule +========================= + +Scenarios +--------- + +Modify an inbound or outbound firewall rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the row that contains the target rule and click **Modify** in the **Operation** column. In the displayed dialog box, configure parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0285048674.png + :alt: **Figure 1** Modify Rule + + + **Figure 1** Modify Rule + + .. _vpc_acl_0005__en-us_topic_0118498887_table59686157164549: + + .. table:: **Table 1** Parameter descriptions + + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+================================================================================================================================================================================================================================================================+=======================+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. 
Currently, the value can be **Allow** or **Deny**. | Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be **TCP**, **UDP**, **All**, or **ICMP**. If **ICMP** or **All** is selected, you do not need to specify port information. | TCP | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic from all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. 
| 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic to all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. 
| N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/firewall/viewing_a_firewall.rst b/umn/source/operation_guide_new_console_edition/security/firewall/viewing_a_firewall.rst new file mode 100644 index 0000000..1fdc2c4 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/firewall/viewing_a_firewall.rst @@ -0,0 +1,24 @@ +:original_name: vpc_acl_0009.html + +.. _vpc_acl_0009: + +Viewing a Firewall +================== + +Scenarios +--------- + +View details about a firewall. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click the **Inbound Rules**, **Outbound Rules**, and **Associated Subnets** tabs one by one to view details about inbound rules, outbound rules, and subnet associations. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/index.rst b/umn/source/operation_guide_new_console_edition/security/index.rst new file mode 100644 index 0000000..3b3fdc2 --- /dev/null 
+++ b/umn/source/operation_guide_new_console_edition/security/index.rst @@ -0,0 +1,18 @@ +:original_name: vpc_SecurityGroup_0000.html + +.. _vpc_SecurityGroup_0000: + +Security +======== + +- :ref:`Security Group ` +- :ref:`Firewall ` +- :ref:`Differences Between Security Groups and Firewalls ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + security_group/index + firewall/index + differences_between_security_groups_and_firewalls diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/adding_a_security_group_rule.rst b/umn/source/operation_guide_new_console_edition/security/security_group/adding_a_security_group_rule.rst new file mode 100644 index 0000000..ddd1ed3 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/adding_a_security_group_rule.rst 
@@ -0,0 +1,101 @@ +:original_name: en-us_topic_0030969470.html + +.. _en-us_topic_0030969470: + +Adding a Security Group Rule +============================ + +Scenarios +--------- + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. + +If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule. + +- Inbound rules control incoming traffic to cloud resources in the security group. +- Outbound rules control outgoing traffic from cloud resources in the security group. + +For details about the default security group rules, see :ref:`Default Security Groups and Security Group Rules `. For details about security group rule configuration examples, see :ref:`Security Group Configuration Examples `. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +#. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + +#. On the **Inbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an inbound rule. + + You can click **+** to add more inbound rules. + + + .. figure:: /_static/images/en-us_image_0284920908.png + :alt: **Figure 1** Add Inbound Rule + + + **Figure 1** Add Inbound Rule + + .. 
table:: **Table 1** Inbound rule parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + | | | | + | | If the source is a security group, this rule will apply to all instances associated with the selected security group. 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. On the **Outbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an outbound rule. + + You can click **+** to add more outbound rules. + + + .. figure:: /_static/images/en-us_image_0284993717.png + :alt: **Figure 2** Add Outbound Rule + + + **Figure 2** Add Outbound Rule + + .. table:: **Table 2** Outbound rule parameter description + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. 
| TCP | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst b/umn/source/operation_guide_new_console_edition/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst new file mode 100644 index 0000000..88aa884 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst 
@@ -0,0 +1,48 @@ +:original_name: SecurityGroup_0017.html + +.. _SecurityGroup_0017: + +Adding Instances to and Removing Them from a Security Group +=========================================================== + +Scenarios +--------- + +After a security group is created, you can add instances to the security group to protect the instances. You can also remove them from the security group as required. + +You can add multiple instances to or remove them from a security group. + +Adding Instances to a Security Group +------------------------------------ + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. +6. On the **Servers** tab, click **Add** and add one or more servers to the current security group. +7. On the **Extension NICs** tab, click **Add** and add one or more extension NICs to the current security group. +8. Click **OK**. + +Removing Instances from a Security Group +---------------------------------------- + +#. Log in to the management console. + +2. Click |image2| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. +6. On the **Servers** tab, locate the target server and click **Remove** in the **Operation** column to remove the server from current security group. +7. On the **Extension NICs** tab, locate the target extension NIC and click **Remove** in the **Operation** column to remove the NIC from the current security group. +8. Click **Yes**. 
+ +**Removing multiple instances from a security group** + +Select multiple servers and click **Remove** above the server list to remove the selected servers from the current security group all at once. + +Select multiple extension NICs and click **Remove** above the extension NIC list to remove the selected extension NICs from the current security group all at once. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/changing_the_security_group_of_an_ecs.rst b/umn/source/operation_guide_new_console_edition/security/security_group/changing_the_security_group_of_an_ecs.rst new file mode 100644 index 0000000..005cedc --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/changing_the_security_group_of_an_ecs.rst 
@@ -0,0 +1,45 @@ +:original_name: SecurityGroup_0006.html + +.. _SecurityGroup_0006: + +Changing the Security Group of an ECS +===================================== + +Scenarios +--------- + +Change the security group associated with an ECS NIC. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select your region and project. + +#. Under **Computing**, click **Elastic Cloud Server**. + +#. In the ECS list, locate the row that contains the target ECS. Click **More** in the **Operation** column and select **Manage Network** > **Change Security Group**. + + The **Change Security Group** dialog box is displayed. + + + .. figure:: /_static/images/en-us_image_0122999741.png + :alt: **Figure 1** Change Security Group + + + **Figure 1** Change Security Group + +#. Select the target NIC and security groups as prompted. + + You can select multiple security groups. In such a case, the rules of all the selected security groups will be aggregated to apply on the ECS. + + To create a security group, click **Create Security Group**. + + .. note:: + + Using multiple security groups may deteriorate ECS network performance. You are suggested to select no more than five security groups. + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0093507575.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/creating_a_security_group.rst b/umn/source/operation_guide_new_console_edition/security/security_group/creating_a_security_group.rst new file mode 100644 index 0000000..ff7b8a2 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/creating_a_security_group.rst 
@@ -0,0 +1,57 @@ +:original_name: en-us_topic_0013748715.html + +.. _en-us_topic_0013748715: + +Creating a Security Group +========================= + +Scenarios +--------- + +To improve ECS access security, you can create security groups, define security group rules, and add ECSs in a VPC to different security groups. We recommend that you allocate ECSs that have different Internet access policies to different security groups. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, click **Create Security Group**. + +6. In the **Create Security Group** area, set the parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0000001197426329.png + :alt: **Figure 1** Create Security Group + + + **Figure 1** Create Security Group + + .. _en-us_topic_0013748715__en-us_topic_0118534004_table65377617111335: + + .. table:: **Table 1** Parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Name | The security group name. This parameter is mandatory. | sg-318b | + | | | | + | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). 
The name cannot contain spaces. | | + | | | | + | | .. note:: | | + | | | | + | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group. This parameter is optional. | N/A | + | | | | + | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/default_security_groups_and_security_group_rules.rst b/umn/source/operation_guide_new_console_edition/security/security_group/default_security_groups_and_security_group_rules.rst new file mode 100644 index 0000000..8dea558 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/default_security_groups_and_security_group_rules.rst 
@@ -0,0 +1,32 @@ +:original_name: SecurityGroup_0003.html + +.. _SecurityGroup_0003: + +Default Security Groups and Security Group Rules +================================================ + +Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules. + +:ref:`Figure 1 ` shows the default security group rules. The following uses access between ECSs as an example. + +.. _securitygroup_0003__en-us_topic_0118534003_fig997718156161: + +.. figure:: /_static/images/en-us_image_0000001230120807.png + :alt: **Figure 1** Default security group + + + **Figure 1** Default security group + +:ref:`Table 1 ` describes the default rules for the default security group. + +.. _securitygroup_0003__en-us_topic_0118534003_table493045171919: + +.. table:: **Table 1** Default security group rules + + +-----------+----------+------------+--------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+ + | Direction | Protocol | Port/Range | Source/Destination | Description | + +===========+==========+============+==============================================================+====================================================================================================================+ + | Outbound | All | All | Destination: 0.0.0.0/0 | Allows all outbound traffic. 
| + +-----------+----------+------------+--------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+ + | Inbound | All | All | Source: the current security group (for example, sg-*xxxxx*) | Allows communications among ECSs within the security group and denies all inbound traffic (incoming data packets). | + +-----------+----------+------------+--------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/deleting_a_security_group.rst b/umn/source/operation_guide_new_console_edition/security/security_group/deleting_a_security_group.rst new file mode 100644 index 0000000..a54f0ed --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/deleting_a_security_group.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_SecurityGroup_0008.html + +.. _vpc_SecurityGroup_0008: + +Deleting a Security Group +========================= + +Scenarios +--------- + +This section describes how to delete security groups that you are no longer required. + +Notes and Constraints +--------------------- + +- The default security group cannot be deleted. +- If a security group is associated with resources other than servers and extension NICs, the security group cannot be deleted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, locate the row that contains the target security group, click **More** in the **Operation** column, and click **Delete**. +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/deleting_a_security_group_rule.rst b/umn/source/operation_guide_new_console_edition/security/security_group/deleting_a_security_group_rule.rst new file mode 100644 index 0000000..a0d75ec --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/deleting_a_security_group_rule.rst 
@@ -0,0 +1,33 @@ +:original_name: vpc_SecurityGroup_0006.html + +.. _vpc_SecurityGroup_0006: + +Deleting a Security Group Rule +============================== + +Scenarios +--------- + +If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one. + +.. note:: + + Security group rules use whitelists. Deleting a security group rule may result in ECS access failures. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click the security group name. +6. If you do not need a security group rule, locate the row that contains the target rule, and click **Delete**. +7. Click **Yes** in the displayed dialog box. + +**Deleting multiple security group rules at once** + +You can also select multiple security group rules and click **Delete** above the security group rule list to delete multiple rules at a time. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/fast-adding_security_group_rules.rst b/umn/source/operation_guide_new_console_edition/security/security_group/fast-adding_security_group_rules.rst new file mode 100644 index 0000000..8608ba2 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/fast-adding_security_group_rules.rst 
@@ -0,0 +1,46 @@ +:original_name: SecurityGroup_0004.html + +.. _SecurityGroup_0004: + +Fast-Adding Security Group Rules +================================ + +Scenarios +--------- + +You can add multiple security group rules with different protocols and ports at the same time. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + +6. On the **Inbound Rules** tab, click **Fast-Add Rule**. In the displayed dialog box, select the protocols and ports you wish to add all at once. + + + .. figure:: /_static/images/en-us_image_0211552164.png + :alt: **Figure 1** Fast-Add Inbound Rule + + + **Figure 1** Fast-Add Inbound Rule + +7. On the **Outbound Rules** tab, click **Fast-Add Rule**. In the displayed dialog box, select required protocols and ports to add multiple rules at a time. + + + .. figure:: /_static/images/en-us_image_0211560998.png + :alt: **Figure 2** Fast-Add Outbound Rule + + + **Figure 2** Fast-Add Outbound Rule + +8. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/importing_and_exporting_security_group_rules.rst b/umn/source/operation_guide_new_console_edition/security/security_group/importing_and_exporting_security_group_rules.rst new file mode 100644 index 0000000..1e0c1a2 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/importing_and_exporting_security_group_rules.rst 
@@ -0,0 +1,76 @@ +:original_name: vpc_SecurityGroup_0007.html + +.. _vpc_SecurityGroup_0007: + +Importing and Exporting Security Group Rules +============================================ + +Scenarios +--------- + +If you want to quickly apply the rules of one security group to another, or if you want to modify multiple rules of the current security group at once, you can import or export existing rules. + +Security group rules are imported or exported to an Excel file. + +Notes and Constraints +--------------------- + +When modifying exported security group rules, you can only modify existing fields in the exported file based on the template and cannot add new fields or modify the field names. Otherwise, the file will fail to be imported. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click the security group name. +6. Export and import security group rules. + + - Click |image2| to export all rules of the current security group to an Excel file. + + - Click |image3| to import security group rules from an Excel file into the current security group. + + :ref:`Table 1 ` describes the parameters in the template for importing rules. + + .. _vpc_securitygroup_0007__en-us_topic_0123534210_table111445216564: + + .. 
table:: **Table 1** Template parameters + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================+=======================+ + | Direction | The direction in which the security group rule takes effect. | Inbound | + | | | | + | | - Inbound rules control incoming traffic to cloud resources in the security group. | | + | | - Outbound rules control outgoing traffic from cloud resources in the security group. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source of the security group rule. 
The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | - | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Last Modified | The time when the security group was modified. 
| - | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0142360062.png +.. |image3| image:: /_static/images/en-us_image_0142360094.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/index.rst b/umn/source/operation_guide_new_console_edition/security/security_group/index.rst new file mode 100644 index 0000000..9483c13 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/index.rst 
@@ -0,0 +1,42 @@ +:original_name: vpc_SecurityGroup_0001.html + +.. _vpc_SecurityGroup_0001: + +Security Group +============== + +- :ref:`Security Group Overview ` +- :ref:`Default Security Groups and Security Group Rules ` +- :ref:`Security Group Configuration Examples ` +- :ref:`Creating a Security Group ` +- :ref:`Adding a Security Group Rule ` +- :ref:`Fast-Adding Security Group Rules ` +- :ref:`Replicating a Security Group Rule ` +- :ref:`Modifying a Security Group Rule ` +- :ref:`Deleting a Security Group Rule ` +- :ref:`Importing and Exporting Security Group Rules ` +- :ref:`Deleting a Security Group ` +- :ref:`Adding Instances to and Removing Them from a Security Group ` +- :ref:`Modifying a Security Group ` +- :ref:`Viewing the Security Group of an ECS ` +- :ref:`Changing the Security Group of an ECS ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + security_group_overview + default_security_groups_and_security_group_rules + security_group_configuration_examples + creating_a_security_group + adding_a_security_group_rule + fast-adding_security_group_rules + replicating_a_security_group_rule + modifying_a_security_group_rule + deleting_a_security_group_rule + importing_and_exporting_security_group_rules + deleting_a_security_group + adding_instances_to_and_removing_them_from_a_security_group + modifying_a_security_group + viewing_the_security_group_of_an_ecs + changing_the_security_group_of_an_ecs diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/modifying_a_security_group.rst b/umn/source/operation_guide_new_console_edition/security/security_group/modifying_a_security_group.rst new file mode 100644 index 0000000..db7531a --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/modifying_a_security_group.rst 
@@ -0,0 +1,41 @@ +:original_name: vpc_SecurityGroup_0010.html + +.. _vpc_SecurityGroup_0010: + +Modifying a Security Group +========================== + +**Scenarios** +------------- + +Modify the name and description of a created security group. + +Procedure +--------- + +**Method 1** + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +#. On the **Security Groups** page, locate the target security group and choose **More** > **Modify** in the **Operation** column. +#. Modify the name and description of the security group as required. +#. Click **OK**. + +**Method 2** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +#. On the **Security Groups** page, click the security group name. +#. On the displayed page, click |image3| on the right of **Name** and edit the security group name. +#. Click **Y** to save the security group name. +#. Click |image4| on the right of **Description** and edit the security group description. +#. Click **Y** to save the security group description. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png +.. |image3| image:: /_static/images/en-us_image_0239476777.png +.. |image4| image:: /_static/images/en-us_image_0239476777.png 
diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/modifying_a_security_group_rule.rst b/umn/source/operation_guide_new_console_edition/security/security_group/modifying_a_security_group_rule.rst new file mode 100644 index 0000000..beda16e --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/modifying_a_security_group_rule.rst @@ -0,0 +1,25 @@ +:original_name: vpc_SecurityGroup_0005.html + +.. _vpc_SecurityGroup_0005: + +Modifying a Security Group Rule +=============================== + +Scenarios +--------- + +You can modify the port, protocol, and IP address of a security group rule to meet your specific requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click the security group name. +6. On the displayed page, locate the row that contains the security group rule to be modified, and click **Modify** in the **Operation** column. +7. Modify the rule and click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/replicating_a_security_group_rule.rst b/umn/source/operation_guide_new_console_edition/security/security_group/replicating_a_security_group_rule.rst new file mode 100644 index 0000000..ccc7571 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/replicating_a_security_group_rule.rst 
@@ -0,0 +1,32 @@ +:original_name: vpc_SecurityGroup_0004.html + +.. _vpc_SecurityGroup_0004: + +Replicating a Security Group Rule +================================= + +**Scenarios** +------------- + +Replicate an existing security group rule to generate a new rule. When replicating a security group rule, you can make changes so that it is not a perfect copy. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, click the security group name. + +6. On the displayed page, locate the row that contains the security group rule to be replicated, and click **Replicate** in the **Operation** column. + + You can also modify the security group rule as required to quickly generate a new rule. + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/security_group_configuration_examples.rst b/umn/source/operation_guide_new_console_edition/security/security_group/security_group_configuration_examples.rst new file mode 100644 index 0000000..006f6e0 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/security_group_configuration_examples.rst 
@@ -0,0 +1,195 @@ +:original_name: en-us_topic_0081124350.html + +.. _en-us_topic_0081124350: + +Security Group Configuration Examples +===================================== + +Common security group configurations are presented here. The examples in this section allow all outgoing data packets by default. This section will only describe how to configure inbound rules. + +- .. _en-us_topic_0081124350__en-us_topic_0118534011_li2921164192410: + + :ref:`Allowing External Access to a Specified Port ` + +- :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network ` + +- :ref:`Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group ` + +- :ref:`Remotely Connecting to Linux ECSs Using SSH ` + +- :ref:`Remotely Connecting to Windows ECSs Using RDP ` + +- :ref:`Enabling Communication Between ECSs ` + +- :ref:`Hosting a Website on ECSs ` + +- :ref:`Enabling an ECS to Function as a DNS Server ` + +- :ref:`Uploading or Downloading Files Using FTP ` + +You can use the default security group or create a security group in advance. For details, see sections :ref:`Creating a Security Group ` and :ref:`Adding a Security Group Rule `. + +Allowing External Access to a Specified Port +-------------------------------------------- + +- Example scenario: + + After services are deployed, you can add security group rules to allow external access to a specified port (for example, 1100). + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound TCP 1100 0.0.0.0/0 + ========= ======== ==== ========= + +.. 
_en-us_topic_0081124350__en-us_topic_0118534011_section14197522283: + +Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network +----------------------------------------------------------------------------------------------------- + +- Example scenario: + + Resources on an ECS in a security group need to be copied to an ECS associated with another security group. The two ECSs are in the same VPC. We recommend that you enable private network communication between the ECSs and then copy the resources. + +- Security group configuration: + + Within a given VPC, ECSs in the same security group can communicate with one another by default. However, ECSs in different security groups cannot communicate with each other by default. To enable these ECSs to communicate with each other, you need to add certain security group rules. + + You can add an inbound rule to the security groups containing the ECSs to allow access from ECSs in the other security group. The required rule is as follows. + + +-----------+----------------------------------------------------+--------------------+------------------------------+ + | Direction | Protocol/Application | Port | Source | + +===========+====================================================+====================+==============================+ + | Inbound | Used for communication through an internal network | Port or port range | ID of another security group | + +-----------+----------------------------------------------------+--------------------+------------------------------+ + +.. 
_en-us_topic_0081124350__en-us_topic_0118534011_section17693183118306: + +Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group +--------------------------------------------------------------------------- + +- Example scenario: + + To prevent ECSs from being attacked, you can change the port for remote login and configure security group rules that allow only specified IP addresses to remotely access the ECSs. + +- Security group configuration: + + To allow IP address **192.168.20.2** to remotely access Linux ECSs in a security group over the SSH protocol (port 22), you can configure the following security group rule. + + +-----------------+-----------------+-----------------+-------------------------------------------------+ + | Direction | Protocol | Port | Source | + +=================+=================+=================+=================================================+ + | Inbound | SSH | 22 | IPv4 CIDR block or ID of another security group | + | | | | | + | | | | For example, 192.168.20.2/32 | + +-----------------+-----------------+-----------------+-------------------------------------------------+ + +.. _en-us_topic_0081124350__en-us_topic_0118534011_section115069253338: + +Remotely Connecting to Linux ECSs Using SSH +------------------------------------------- + +- Example scenario: + + After creating Linux ECSs, you can add a security group rule to enable remote SSH access to the ECSs. + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound SSH 22 0.0.0.0/0 + ========= ======== ==== ========= + +.. _en-us_topic_0081124350__en-us_topic_0118534011_section168046312349: + +Remotely Connecting to Windows ECSs Using RDP +--------------------------------------------- + +- Example scenario: + + After creating Windows ECSs, you can add a security group rule to enable remote RDP access to the ECSs. 
+ +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound RDP 3389 0.0.0.0/0 + ========= ======== ==== ========= + +.. _en-us_topic_0081124350__en-us_topic_0118534011_section34721049193411: + +Enabling Communication Between ECSs +----------------------------------- + +- Example scenario: + + After creating ECSs, you need to add a security group rule so that you can run the **ping** command to test communication between the ECSs. + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound ICMP All 0.0.0.0/0 + ========= ======== ==== ========= + +.. _en-us_topic_0081124350__en-us_topic_0118534011_section1517991516357: + +Hosting a Website on ECSs +------------------------- + +- Example scenario: + + If you deploy a website on your ECSs and require that your website be accessed over HTTP or HTTPS, you can add rules to the security group used by the ECSs that function as the web servers. + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound HTTP 80 0.0.0.0/0 + Inbound HTTPS 443 0.0.0.0/0 + ========= ======== ==== ========= + +.. _en-us_topic_0081124350__en-us_topic_0118534011_section2910346123520: + +Enabling an ECS to Function as a DNS Server +------------------------------------------- + +- Example scenario: + + If you need to use an ECS as a DNS server, you must allow TCP and UDP access from port 53 to the DNS server. You can add the following rules to the security group associated with the ECS. + +- Security group rules: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound TCP 53 0.0.0.0/0 + Inbound UDP 53 0.0.0.0/0 + ========= ======== ==== ========= + +.. 
_en-us_topic_0081124350__en-us_topic_0118534011_section5964121693610: + +Uploading or Downloading Files Using FTP +---------------------------------------- + +- Example scenario: + + If you want to use File Transfer Protocol (FTP) to upload files to or download files from ECSs, you need to add a security group rule. + + .. note:: + + You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly. + +- Security group rule: + + ========= ======== ===== ========= + Direction Protocol Port Source + ========= ======== ===== ========= + Inbound TCP 20-21 0.0.0.0/0 + ========= ======== ===== ========= diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/security_group_overview.rst b/umn/source/operation_guide_new_console_edition/security/security_group/security_group_overview.rst new file mode 100644 index 0000000..37c2b04 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/security_group_overview.rst 
@@ -0,0 +1,52 @@ +:original_name: en-us_topic_0073379079.html + +.. _en-us_topic_0073379079: + +Security Group Overview +======================= + +Security Group +-------------- + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted within a VPC. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group. + +Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules. You can directly use the default security group. For details, see :ref:`Default Security Groups and Security Group Rules `. + +You can also create custom security groups to meet your specific service requirements. For details, see :ref:`Creating a Security Group `. + +Security Group Basics +--------------------- + +- You can associate instances, such as servers and extension NICs, with one or more security groups. + + You can change the security groups that are associated with instances, such as servers or extension NICs. By default, when you create an instance, it is associated with the default security group of its VPC unless you specify another security group. + +- You need to add security group rules to allow instances in the same security group to communicate with each other. + +- Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. + + Security groups use connection tracking to track traffic to and from instances that they contain and security group rules are applied based on the connection status of the traffic to determine whether to allow or deny traffic. If you add, modify, or delete a security group rule, or create or delete an instance in the security group, the connection tracking of all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered as new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and the security of incoming traffic. + + In addition, if the inbound or outbound traffic of an instance has no packets for a long time, the traffic will be considered as new connections after the connection tracking times out, and the connections need to match the outbound and inbound rules. The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both directions, the connection tracking timeout period is 180s. If one or more packets are received in one direction but no packet is received in the other direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked. + +.. note:: + + If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs. + +Security Group Rules +-------------------- + +After you create a security group, you can add rules to the security group. 
A rule applies either to inbound traffic or outbound traffic. After you add cloud resources to the security group, they are protected by the rules of the group. + +Each security group has its default rules. For details, see :ref:`Table 1 `. You can also customize security group rules. For details, see :ref:`Adding a Security Group Rule `. + +Security Group Constraints +-------------------------- + +- By default, you can create a maximum of 100 security groups in your cloud account. +- By default, you can add up to 50 security group rules to a security group. +- By default, you can add an ECS or an extension NIC to a maximum of five security groups. In such a case, the rules of all the selected security groups are aggregated to take effect. +- When creating a private network load balancer, you need to select a desired security group. Do not delete the default security group rules or ensure that the following requirements are met: + + - Outbound rules: only allow data packets to the selected security group or only data packets from the peer load balancer. + - Inbound rules: only allow data packets from the selected security group or only data packets from the peer load balancer. diff --git a/umn/source/operation_guide_new_console_edition/security/security_group/viewing_the_security_group_of_an_ecs.rst b/umn/source/operation_guide_new_console_edition/security/security_group/viewing_the_security_group_of_an_ecs.rst new file mode 100644 index 0000000..89a12cc --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/security/security_group/viewing_the_security_group_of_an_ecs.rst 
@@ -0,0 +1,23 @@ +:original_name: vpc_SecurityGroup_0011.html + +.. _vpc_SecurityGroup_0011: + +Viewing the Security Group of an ECS +==================================== + +Scenarios +--------- + +View inbound and outbound rules of a security group used by an ECS. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. Under **Compute**, click **Elastic Cloud Server**. +4. On the **Elastic Cloud Server** page, click the name of the target ECS. +5. Click the **Security Groups** tab and view information about the security group used by the ECS. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst b/umn/source/operation_guide_new_console_edition/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst new file mode 100644 index 0000000..82eb3c3 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst 
@@ -0,0 +1,42 @@ +:original_name: vpc010006.html + +.. _vpc010006: + +Adding EIPs to a Shared Bandwidth +================================= + +Scenarios +--------- + +Add EIPs to a shared bandwidth and the EIPs can then share that bandwidth. You can add multiple EIPs to a shared bandwidth at the same time. + +Notes and Constraints +--------------------- + +- After an EIP is added to a shared bandwidth, the original bandwidth used by the EIP will become invalid and the EIP will start to use the shared bandwidth. +- The EIP's original dedicated bandwidth will be deleted. +- Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Elastic IP**. + +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +5. In the shared bandwidth list, locate the row that contains the shared bandwidth to which you want to add EIPs. In the **Operation** column, choose **More** > **Add EIP**, and select the EIPs to be added. + + + .. figure:: /_static/images/en-us_image_0000001211006359.png + :alt: **Figure 1** Add EIP + + + **Figure 1** Add EIP + +6. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/shared_bandwidth/assigning_a_shared_bandwidth.rst b/umn/source/operation_guide_new_console_edition/shared_bandwidth/assigning_a_shared_bandwidth.rst new file mode 100644 index 0000000..9d0ad9a --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/shared_bandwidth/assigning_a_shared_bandwidth.rst 
@@ -0,0 +1,47 @@ +:original_name: vpc010005.html + +.. _vpc010005: + +Assigning a Shared Bandwidth +============================ + +Scenarios +--------- + +Assign a shared bandwidth for use with EIPs. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +#. In the upper right corner, click **Assign Shared Bandwidth**. On the displayed page, configure parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001163949251.png + :alt: **Figure 1** Assigning Shared Bandwidth + + + **Figure 1** Assigning Shared Bandwidth + + .. table:: **Table 1** Parameter descriptions + + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + | Parameter | Description | Example Value | + +================+=========================================================================================================================================================================================================================================================================================================+===============+ + | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. 
| eu-de | + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + | Bandwidth | The bandwidth size in Mbit/s. The value ranges from starting with 5 Mbit/s. The maximum bandwidth can be 1000 Mbit/s. | 10 | + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + | Bandwidth Name | The name of the shared bandwidth. | Bandwidth-001 | + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + +#. Click **Create Now**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/shared_bandwidth/deleting_a_shared_bandwidth.rst b/umn/source/operation_guide_new_console_edition/shared_bandwidth/deleting_a_shared_bandwidth.rst new file mode 100644 index 0000000..4b053a5 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/shared_bandwidth/deleting_a_shared_bandwidth.rst 
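Review bot: in assigning_a_shared_bandwidth.rst the Bandwidth row reads "The value ranges from starting with 5 Mbit/s. The maximum bandwidth can be 1000 Mbit/s.", which is garbled; write "The value ranges from 5 Mbit/s to 1000 Mbit/s." The Region row repeats the generic region text instead of the one fact that matters here, namely that the shared bandwidth must be assigned in the same region as the EIPs that will use it (the overview file in this change says only EIPs "in the same region can share a bandwidth"); replace the paragraph with that constraint.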
@@ -0,0 +1,29 @@ +:original_name: vpc010009.html + +.. _vpc010009: + +Deleting a Shared Bandwidth +=========================== + +Scenarios +--------- + +Delete a shared bandwidth when it is no longer required. + +Prerequisites +------------- + +Before deleting a shared bandwidth, remove all the EIPs associated with it. For details, see :ref:`Removing EIPs from a Shared Bandwidth `. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Elastic IP**. +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. +5. In the shared bandwidth list, locate the row that contains the shared bandwidth you want to delete, click **More** in the **Operation** column, and then click **Delete**. +6. In the displayed dialog box, click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/shared_bandwidth/index.rst b/umn/source/operation_guide_new_console_edition/shared_bandwidth/index.rst new file mode 100644 index 0000000..0fd79c8 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/shared_bandwidth/index.rst @@ -0,0 +1,24 @@ +:original_name: vpc010003.html + +.. _vpc010003: + +Shared Bandwidth +================ + +- :ref:`Shared Bandwidth Overview ` +- :ref:`Assigning a Shared Bandwidth ` +- :ref:`Adding EIPs to a Shared Bandwidth ` +- :ref:`Removing EIPs from a Shared Bandwidth ` +- :ref:`Modifying a Shared Bandwidth ` +- :ref:`Deleting a Shared Bandwidth ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + shared_bandwidth_overview + assigning_a_shared_bandwidth + adding_eips_to_a_shared_bandwidth + removing_eips_from_a_shared_bandwidth + modifying_a_shared_bandwidth + deleting_a_shared_bandwidth 
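Review bot: in deleting_a_shared_bandwidth.rst the Prerequisites section says all EIPs must be removed first, but the procedure does not say what the console does if the user clicks Delete while EIPs are still added (rejects the deletion, or detaches the EIPs and leaves them without bandwidth); state the actual behaviour, because the adding page in this change says the EIPs' own dedicated bandwidth was deleted when they joined the shared bandwidth.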
diff --git a/umn/source/operation_guide_new_console_edition/shared_bandwidth/modifying_a_shared_bandwidth.rst b/umn/source/operation_guide_new_console_edition/shared_bandwidth/modifying_a_shared_bandwidth.rst new file mode 100644 index 0000000..3a7d977 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/shared_bandwidth/modifying_a_shared_bandwidth.rst @@ -0,0 +1,37 @@ +:original_name: vpc010008.html + +.. _vpc010008: + +Modifying a Shared Bandwidth +============================ + +Scenarios +--------- + +You can modify the name and size of a shared bandwidth as required. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Elastic IP**. + +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +5. In the shared bandwidth list, locate the row that contains the shared bandwidth you want to modify, click **Modify Bandwidth** in the **Operation** column, and modify the bandwidth settings. + + + .. figure:: /_static/images/en-us_image_0000001117669524.png + :alt: **Figure 1** Modify Bandwidth + + + **Figure 1** Modify Bandwidth + +6. Click **Next**. + +7. Click **Submit**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/shared_bandwidth/removing_eips_from_a_shared_bandwidth.rst b/umn/source/operation_guide_new_console_edition/shared_bandwidth/removing_eips_from_a_shared_bandwidth.rst new file mode 100644 index 0000000..febf7c0 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/shared_bandwidth/removing_eips_from_a_shared_bandwidth.rst 
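Review bot: in modifying_a_shared_bandwidth.rst the Scenarios section promises that "the name and size" can be modified, but step 5 only describes clicking **Modify Bandwidth** and changing "the bandwidth settings"; say where the name is edited (a separate action, or the same dialog) and whether a reduced size is applied immediately to every EIP currently using the shared bandwidth, since that is the point at which live traffic is throttled.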
@@ -0,0 +1,35 @@ +:original_name: vpc010007.html + +.. _vpc010007: + +Removing EIPs from a Shared Bandwidth +===================================== + +Scenarios +--------- + +Remove EIPs that are no longer required from a shared bandwidth if needed. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Elastic IP**. + +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +5. In the shared bandwidth list, locate the row that contains the bandwidth from which EIPs are to be removed, choose **More** > **Remove EIP** in the **Operation** column, and select the EIPs to be removed in the displayed dialog box. + + + .. figure:: /_static/images/en-us_image_0000001211445065.png + :alt: **Figure 1** Remove EIP + + + **Figure 1** Remove EIP + +6. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/shared_bandwidth/shared_bandwidth_overview.rst b/umn/source/operation_guide_new_console_edition/shared_bandwidth/shared_bandwidth_overview.rst new file mode 100644 index 0000000..7d05eba --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/shared_bandwidth/shared_bandwidth_overview.rst 
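Review bot: removing_eips_from_a_shared_bandwidth.rst never says what bandwidth an EIP uses after it is removed. The adding page in this change states that the EIP's dedicated bandwidth is deleted when it joins the shared bandwidth, so a reader will reasonably ask whether the removed EIP gets a new dedicated bandwidth (and at what size), or is left with none and loses connectivity; add a Notes and Constraints section that answers this before the procedure.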
@@ -0,0 +1,18 @@ +:original_name: vpc010004.html + +.. _vpc010004: + +Shared Bandwidth Overview +========================= + +Shared bandwidth allows multiple EIPs to share the same bandwidth. All ECSs, BMSs, and load balancers that have EIPs bound in the same region can share a bandwidth. + +When you host a large number of applications on the cloud, if each EIP uses an independent bandwidth, a lot of bandwidths are required, increasing O&M workload. If all EIPs share the same bandwidth, VPCs and the region-level bandwidth can be managed in a unified manner, simplifying O&M statistics and network operations cost settlement. + +- Easy to Manage + + Region-level bandwidth sharing and multiplexing simplify O&M statistics, management, and operations cost settlement. + +- Flexible Operations + + You can add EIPs to a shared bandwidth or remove them from a shared bandwidth regardless of the instances to which they are bound. diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/assigning_a_virtual_ip_address.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/assigning_a_virtual_ip_address.rst new file mode 100644 index 0000000..9823614 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/assigning_a_virtual_ip_address.rst 
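Review bot: shared_bandwidth_overview.rst says "All ECSs, BMSs, and load balancers that have EIPs bound in the same region can share a bandwidth", which contradicts the constraint in adding_eips_to_a_shared_bandwidth.rst that dedicated load balancer EIPs must not be added to the same shared bandwidth as EIPs of other types; either qualify the overview sentence or repeat the constraint here, otherwise the reader plans a mixed pool and only learns later that the limit policy will not be enforced. Wording: "a lot of bandwidths are required" reads awkwardly; "many separate bandwidths are required" is clearer.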
@@ -0,0 +1,35 @@ +:original_name: vpc_vip_0002.html + +.. _vpc_vip_0002: + +Assigning a Virtual IP Address +============================== + +Scenarios +--------- + +If an ECS requires a virtual IP address or if a virtual IP address needs to be reserved, you can assign a virtual IP address from the subnet. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the VPC containing the subnet where a virtual IP address is to be assigned, and click the VPC name. +6. On the **Subnets** tab, click the name of the subnet where a virtual IP address is to be assigned. +7. Click the **Virtual IP Addresses** tab and click **Assign Virtual IP Address**. +8. Select a virtual IP address assignment mode. + + - **Automatic**: The system assigns an IP address automatically. + - **Manual**: You can specify an IP address. + +9. Select **Manual** and enter a virtual IP address. +10. Click **OK**. + +You can then query the assigned virtual IP address in the IP address list. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst new file mode 100644 index 0000000..8208cce --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst 
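Review bot: in assigning_a_virtual_ip_address.rst step 8 offers a choice between **Automatic** and **Manual**, but step 9 then reads "Select **Manual** and enter a virtual IP address" as if the choice had not been made; rewrite step 9 as "If you selected **Manual**, enter the virtual IP address" (and say that it must be an unused address inside the subnet's CIDR block), so the Automatic path is not told to go back and pick Manual.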
@@ -0,0 +1,29 @@ +:original_name: vpc_vip_0003.html + +.. _vpc_vip_0003: + +Binding a Virtual IP Address to an EIP +====================================== + +Scenarios +--------- + +This section describes how to bind a virtual IP address to an EIP. + +Prerequisites +------------- + +- You have assigned an EIP. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Elastic IP**. +4. Locate the row that contains the EIP to be bound to the virtual IP address, and click **Bind** in the **Operation** column. +5. In the **Bind EIP** dialog box, set **Instance Type** to **Virtual IP address**. +6. In the virtual IP address list, select the virtual IP address to be bound and click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst new file mode 100644 index 0000000..76f06d9 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst 
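Review bot: binding_a_virtual_ip_address_to_an_eip.rst lists only "You have assigned an EIP" under Prerequisites, but step 6 selects a virtual IP address from a list, so "You have assigned a virtual IP address" is the missing precondition; add it with a :ref: to the assigning page. This file also overlaps almost entirely with the **Bind to EIP** path in binding_a_virtual_ip_address_to_an_eip_or_ecs.rst from the same change (the one starts from the EIP list, the other from the subnet's IP address list); either cross-reference the two or fold this page into the other, so the two procedures cannot drift apart.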
@@ -0,0 +1,135 @@ +:original_name: en-us_topic_0067802474.html + +.. _en-us_topic_0067802474: + +Binding a Virtual IP Address to an EIP or ECS +============================================= + +Scenarios +--------- + +You can bind a virtual IP address to an EIP so that you can access the ECSs bound with the same virtual IP address from the Internet. These ECSs can work in the active/standby mode to improve fault tolerance. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the VPC containing the virtual IP address and click the VPC name. +6. On the **Subnets** tab, click the name of the subnet that the virtual IP address belongs to. +7. Click the **IP Addresses** tab, locate the row that contains the virtual IP address to be bound to an EIP or ECS, and choose **Bind to EIP** or **Bind to Server** in the **Operation** column. +8. Select the desired EIP, or ECS and its NIC. + + .. note:: + + - If the ECS has multiple NICs, bind the virtual IP address to the primary NIC. + - Multiple virtual IP addresses can be bound to an ECS NIC. + +9. Click **OK**. + +10. Manually configure the virtual IP address bound to an ECS. + + After a virtual IP address is bound to an ECS NIC, you need to manually configure the virtual IP address on the ECS. + + **Linux OS** (CentOS 7.2 64bit is used as an example.) + + a. .. 
_en-us_topic_0067802474__en-us_topic_0118499077_li528316578916: + + Run the following command to obtain the NIC to which the virtual IP address is to be bound and the connection of the NIC: + + **nmcli connection** + + Information similar to the following is displayed: + + |image2| + + The command output in this example is described as follows: + + - **eth0** in the **DEVICE** column indicates the NIC to which the virtual IP address is to be bound. + - **Wired connection 1** in the **NAME** column indicates the connection of the NIC. + + b. Run the following command to add the virtual IP address for the target connection: + + **nmcli connection modify "**\ *CONNECTION*\ **" ipv4.addresses** *VIP* + + Configure the parameters as follows: + + - CONNECTION: connection of the NIC obtained in :ref:`10.a `. + - VIP: virtual IP address to be added. + + - If you add multiple virtual IP addresses at a time, separate them with commas (,). + - If a virtual IP address already exists and you need to add a new one, the command must contain both the new and original virtual IP addresses. + + Example commands: + + - Adding a single virtual IP address: **nmcli connection modify "Wired connection 1" ipv4.addresses** **172.16.0.125** + - Adding multiple virtual IP addresses: **nmcli connection modify "Wired connection 1" ipv4.addresses** **172.16.0.125,172.16.0.126** + + c. Run the following command to make the configuration take effect: + + **nmcli connection up "**\ *CONNECTION*\ **"** + + In this example, run the following command: + + **nmcli connection up "Wired connection 1"** + + Information similar to the following is displayed: + + |image3| + + d. Run the following command to check whether the virtual IP address has been bound: + + **ip a** + + Information similar to the following is displayed. In the command output, the virtual IP address 172.16.0.125 is bound to NIC eth0. + + |image4| + + **Windows OS** (Windows Server is used as an example here.) + + a. 
In **Control Panel**, click **Network and Sharing Center**, and click the corresponding local connection. + + b. On the displayed page, click **Properties**. + + c. On the **Network** tab page, select **Internet Protocol Version 4 (TCP/IPv4)**. + + d. Click **Properties**. + + e. Select **Use the following IP address** and set **IP address** to the private IP address of the ECS, for example, 10.0.0.101. + + + .. figure:: /_static/images/en-us_image_0000001179761510.png + :alt: **Figure 1** Configuring private IP address + + + **Figure 1** Configuring private IP address + + f. Click **Advanced**. + + g. On the **IP Settings** tab, click **Add** in the **IP addresses** area. + + Add the virtual IP address. For example, 10.0.0.154. + + + .. figure:: /_static/images/en-us_image_0000001225081545.png + :alt: **Figure 2** Configuring virtual IP address + + + **Figure 2** Configuring virtual IP address + + h. Click **OK**. + + i. In the **Start** menu, open the Windows command line window and run the following command to check whether the virtual IP address has been configured: + + **ipconfig /all** + + In the command output, **IPv4 Address** is the virtual IP address 10.0.0.154, indicating that the virtual IP address of the ECS NIC has been correctly configured. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001281210233.png +.. |image3| image:: /_static/images/en-us_image_0000001237328110.png +.. |image4| image:: /_static/images/en-us_image_0000001237013856.png diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst new file mode 100644 index 0000000..08a5406 --- /dev/null 
+++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst @@ -0,0 +1,16 @@ +:original_name: vpc_vip_0008.html + +.. _vpc_vip_0008: + +Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) +=========================================================================== + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. Under **Compute**, click **Elastic Cloud Server**. +4. In the ECS list, click the ECS name. +5. On the displayed ECS details page, click the **NICs** tab. +6. Check that **Source/Destination Check** is disabled. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/index.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/index.rst new file mode 100644 index 0000000..f075cf5 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/index.rst 
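Review bot: in binding_a_virtual_ip_address_to_an_eip_or_ecs.rst step 7 sends the reader to the **IP Addresses** tab, while assigning_a_virtual_ip_address.rst and releasing_a_virtual_ip_address.rst in this same change call it the **Virtual IP Addresses** tab; use one name. In the Linux part, `nmcli connection modify "Wired connection 1" ipv4.addresses 172.16.0.125` sets the address with no prefix length, so nmcli picks a default mask; give the prefix explicitly (the one the subnet uses, for example `172.16.0.125/24` if the subnet is 172.16.0.0/24, an assumption to be replaced by the real value) so the VIP is not installed with a mask that differs from the primary address. The instruction that the command "must contain both the new and original virtual IP addresses" exists only because `ipv4.addresses` replaces the whole list; nmcli's `+ipv4.addresses` form appends instead, which avoids the reader accidentally dropping an existing VIP. The Windows part switches the adapter from DHCP to "Use the following IP address"; state that the private IP, mask, gateway and DNS entered there must match what DHCP was handing out, because a typo here takes the ECS off the network.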
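Review bot: disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst is titled "Disabling Source and Destination Check" but step 6 only says "Check that **Source/Destination Check** is disabled"; say how to disable it (the toggle or button on the **NICs** tab) when it is found enabled, and add the one sentence of motivation the overview gives, that in the LVS direct-routing setup the backend servers answer with the VIP as source address, which the check would otherwise drop. Also note that turning the check off removes an anti-spoofing control, so it should be done only on the backend NICs that need it.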
@@ -0,0 +1,30 @@ +:original_name: vpc_vip_0000.html + +.. _vpc_vip_0000: + +Virtual IP Address +================== + +- :ref:`Virtual IP Address Overview ` +- :ref:`Assigning a Virtual IP Address ` +- :ref:`Binding a Virtual IP Address to an EIP or ECS ` +- :ref:`Binding a Virtual IP Address to an EIP ` +- :ref:`Using a VPN to Access a Virtual IP Address ` +- :ref:`Using a Direct Connect Connection to Access the Virtual IP Address ` +- :ref:`Using a VPC Peering Connection to Access the Virtual IP Address ` +- :ref:`Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) ` +- :ref:`Releasing a Virtual IP Address ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + virtual_ip_address_overview + assigning_a_virtual_ip_address + binding_a_virtual_ip_address_to_an_eip_or_ecs + binding_a_virtual_ip_address_to_an_eip + using_a_vpn_to_access_a_virtual_ip_address + using_a_direct_connect_connection_to_access_the_virtual_ip_address + using_a_vpc_peering_connection_to_access_the_virtual_ip_address + disabling_source_and_destination_check_ha_load_balancing_cluster_scenario + releasing_a_virtual_ip_address diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/releasing_a_virtual_ip_address.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/releasing_a_virtual_ip_address.rst new file mode 100644 index 0000000..ca48083 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/releasing_a_virtual_ip_address.rst 
@@ -0,0 +1,36 @@ +:original_name: vpc_vip_0009.html + +.. _vpc_vip_0009: + +Releasing a Virtual IP Address +============================== + +Scenarios +--------- + +If you no longer need a virtual IP address or a reserved virtual IP address, you can release it to avoid wasting resources. + +Prerequisites +------------- + +Before deleting a virtual IP address, ensure that the virtual IP address has been unbound from the following resources: + +- ECS +- EIP +- CCE cluster + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the VPC containing the subnet from which a virtual IP address is to be released, and click the VPC name. +6. On the **Subnets** tab, click the name of the subnet from which a virtual IP address is to be released. +7. Click the **Virtual IP Addresses** tab, locate the row that contains the virtual IP address to be released, click **More** in the **Operation** column, and select **Release**. +8. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_direct_connect_connection_to_access_the_virtual_ip_address.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_direct_connect_connection_to_access_the_virtual_ip_address.rst new file mode 100644 index 0000000..8fba76c --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_direct_connect_connection_to_access_the_virtual_ip_address.rst 
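Review bot: releasing_a_virtual_ip_address.rst uses "release" in the title, Scenarios and step 7 but "Before deleting a virtual IP address" in Prerequisites; use "releasing" throughout. The Prerequisites list also names a CCE cluster as something the VIP must be unbound from, which no other page in this change mentions; either add a pointer to where that unbinding is done or drop the item.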
@@ -0,0 +1,14 @@ +:original_name: vpc_vip_0005.html + +.. _vpc_vip_0005: + +Using a Direct Connect Connection to Access the Virtual IP Address +================================================================== + +Procedure +--------- + +#. Configure the ECS networking based on :ref:`Networking `. +#. Create a Direct Connect connection. + +The created Direct Connect connection can be used to access the virtual IP address of the ECS. diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_vpc_peering_connection_to_access_the_virtual_ip_address.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_vpc_peering_connection_to_access_the_virtual_ip_address.rst new file mode 100644 index 0000000..b842d85 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_vpc_peering_connection_to_access_the_virtual_ip_address.rst @@ -0,0 +1,14 @@ +:original_name: vpc_vip_0006.html + +.. _vpc_vip_0006: + +Using a VPC Peering Connection to Access the Virtual IP Address +=============================================================== + +Procedure +--------- + +#. Configure the ECS networking based on :ref:`Networking `. +#. Create a :ref:`VPC peering connection `. + +You can access the virtual IP address of the ECS through the VPC peering connection. diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_vpn_to_access_a_virtual_ip_address.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_vpn_to_access_a_virtual_ip_address.rst new file mode 100644 index 0000000..9054e22 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/using_a_vpn_to_access_a_virtual_ip_address.rst 
@@ -0,0 +1,14 @@ +:original_name: vpc_vip_0004.html + +.. _vpc_vip_0004: + +Using a VPN to Access a Virtual IP Address +========================================== + +Procedure +--------- + +#. Configure the ECS networking based on :ref:`Networking `. +#. Create a VPN. + +The VPN can be used to access the virtual IP address of the ECS. diff --git a/umn/source/operation_guide_new_console_edition/virtual_ip_address/virtual_ip_address_overview.rst b/umn/source/operation_guide_new_console_edition/virtual_ip_address/virtual_ip_address_overview.rst new file mode 100644 index 0000000..58c5c76 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/virtual_ip_address/virtual_ip_address_overview.rst 
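Review bot: the three access pages (using_a_vpn_to_access_a_virtual_ip_address.rst, using_a_direct_connect_connection_to_access_the_virtual_ip_address.rst, using_a_vpc_peering_connection_to_access_the_virtual_ip_address.rst) are two-step stubs. Only the peering page links its second step; "Create a VPN." and "Create a Direct Connect connection." give no :ref: to the respective guides. All three also omit the checks that actually decide whether the VIP is reachable over the link: the peer-side route for the VIP's subnet and the security group and network ACL rules on the ECSs that hold the VIP; one sentence on each per page would make them useful rather than placeholders.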
@@ -0,0 +1,94 @@ +:original_name: vpc_vip_0001.html + +.. _vpc_vip_0001: + +Virtual IP Address Overview +=========================== + +What Is a Virtual IP Address? +----------------------------- + +A virtual IP address can be shared among multiple ECSs. An ECS can have both private and virtual IP addresses, and you can access the ECS through either IP address. A virtual IP address has the same network access capabilities as a private IP address, including layer 2 and layer 3 communication in VPCs, access between VPCs using VPC peering connections, as well as access through EIPs, VPN connections, and Direct Connect connections. + +You can bind ECSs deployed in active/standby mode with the same virtual IP address, and then bind an EIP to the virtual IP address. Virtual IP addresses can work together with Keepalived to ensure high availability and disaster recovery. If the active ECS is faulty, the standby ECS automatically takes over services from the active one. + +.. _vpc_vip_0001__en-us_topic_0118498951_section766193134213: + +Networking +---------- + +Virtual IP addresses are used for high availability and can work together with Keepalived to make active/standby ECS switchover possible. This way if one ECS goes down for some reason, the other one can take over and services continue uninterrupted. ECSs can be configured for HA or as load balancing clusters. + +- **Networking mode 1**: HA + + If you want to improve service availability and avoid single points of failure, you can deploy ECSs in the active/standby mode or deploy one active ECS and multiple standby ECSs. In this arrangement, the ECSs all use the same virtual IP address. If the active ECS becomes faulty, a standby ECS takes over services from the active ECS and services continue uninterrupted. + + + .. 
figure:: /_static/images/en-us_image_0209608153.png + :alt: **Figure 1** Networking diagram of the HA mode + + + **Figure 1** Networking diagram of the HA mode + + - In this configuration, a single virtual IP address is bound to two ECSs in the same subnet. + - Keepalived is then used to configure the two ECSs to work in the active/standby mode. Follow industry standards for configuring Keepalived. The details are not included here. + +- **Networking mode 2**: HA load balancing cluster + + If you want to build a high-availability load balancing cluster, use Keepalived and configure LVS nodes as direct routers. + + + .. figure:: /_static/images/en-us_image_0240332622.png + :alt: **Figure 2** HA load balancing cluster + + + **Figure 2** HA load balancing cluster + + - Bind a single virtual IP address to two ECSs. + - Configure the two ECSs as LVS nodes working as direct routers and use Keepalived to configure the nodes in the active/standby mode. The two ECSs will evenly forward requests to different backend servers. + - Configure two more ECSs as backend servers. + - Disable the source/destination check for the two backend servers. + + Follow industry standards for configuring Keepalived. The details are not included here. + +Application Scenarios +--------------------- + +- Accessing the virtual IP address through an EIP + + If your application has high availability requirements and needs to provide services through the Internet, it is recommended that you bind an EIP to a virtual IP address. + +- Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP address + + To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection. The VPC peering connection is needed so that the VPCs in the same region can communicate with each other. + +Notes and Constraints +--------------------- + +- Virtual IP addresses are not recommended when multiple NICs in the same subnet are configured on an ECS. 
It is too easy for there to be route conflicts on the ECS, which would cause communication failure using the virtual IP address. +- IP forwarding must be disabled on the standby ECS. Perform the following operations to confirm whether the IP forwarding is disabled on the standby ECS: + + #. Log in to standby ECS and run the following command to check whether the IP forwarding is enabled: + + cat /proc/sys/net/ipv4/ip_forward + + In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. + + - If the command output is **1**, perform :ref:`2 ` and :ref:`3 ` to disable the IP forwarding. + - If the command output is **0**, no further action is required. + + #. .. _vpc_vip_0001__en-us_topic_0118498951_en-us_topic_0206027322_en-us_topic_0095139658_li1473585332417: + + Use the vi editor to open the **/etc/sysctl.conf** file, change the value of **net.ipv4.ip_forward** to **0**, and enter **:wq** to save the change and exit. You can also use the **sed** command to modify the configuration. A command example is as follows: + + sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf + + #. .. _vpc_vip_0001__en-us_topic_0118498951_en-us_topic_0206027322_en-us_topic_0095139658_li88984711254: + + Run the following command to make the change take effect: + + sysctl -p /etc/sysctl.conf + +- Each virtual IP address can be bound to only one EIP. +- It is recommended that no more than eight virtual IP addresses be bound to an ECS. +- It is recommended that no more than 10 ECSs be bound to a virtual IP address. diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/creating_a_subnet_for_the_vpc.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/creating_a_subnet_for_the_vpc.rst new file mode 100644 index 0000000..b9228b8 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/creating_a_subnet_for_the_vpc.rst 
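Review bot: in virtual_ip_address_overview.rst the fix for IP forwarding does not do what the text claims. `sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf` only rewrites a line that already contains the key; when the key is absent from /etc/sysctl.conf (common, and the enabling entry may instead live under /etc/sysctl.d/ or be set at runtime by another service), nothing is written and `sysctl -p /etc/sysctl.conf` leaves the running value at 1, so the reader who saw **1** in step 1 still has forwarding on. Replace the sed with an explicit `sysctl -w net.ipv4.ip_forward=0` for the running kernel plus writing the line `net.ipv4.ip_forward = 0` to the sysctl configuration for persistence, and end with re-running the step 1 check; also mention that a commented-out line (`# net.ipv4.ip_forward = 1`) is matched by the sed but changes nothing. Smaller points: "The default value is **0**" is an assumption about the image and should be stated as such; and in Application Scenarios, "To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection" is muddled, since neither VPN nor Direct Connect provides Internet access to the VIP; say instead that VPN and Direct Connect give on-premises networks access to the VIP, and VPC peering gives other VPCs in the same region access.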
@@ -0,0 +1,112 @@ +:original_name: en-us_topic_0013748726.html + +.. _en-us_topic_0013748726: + +Creating a Subnet for the VPC +============================= + +Scenarios +--------- + +A VPC comes with a default subnet. If the default subnet cannot meet your requirements, you can create one. + +The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS automatically obtains an IP address using DHCP. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Subnets**. + +5. Click **Create Subnet**. + + The **Create Subnet** page is displayed. + +6. Set the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001197228903.png + :alt: **Figure 1** Create Subnet + + + **Figure 1** Create Subnet + + .. table:: **Table 1** Parameter descriptions + + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+=============================================================================================================================================================================================================================================+=======================+ + | VPC | The VPC for which you want to create a subnet. 
| - | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Name | The subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings | Two options are available, **Default** and **Custom**. You can set **Advanced Settings** to **Custom** to configure advanced subnet parameters. 
| - | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | - Value: subnet-01 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. _en-us_topic_0013748726__en-us_topic_0118498823_table42131827173915: + + .. table:: **Table 2** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. 
| subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +Precautions +----------- + +When a subnet is created, there are five reserved IP addresses, which cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved: + +- 192.168.0.0: Network ID. This address is the beginning of the private IP address range and will not be assigned to any instance. +- 192.168.0.1: Gateway address. +- 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication. +- 192.168.0.254: DHCP service address. +- 192.168.0.255: Network broadcast address. + +If you configured the default settings under **Advanced Settings** during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/creating_a_vpc.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/creating_a_vpc.rst new file mode 100644 index 0000000..c714358 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/creating_a_vpc.rst 
@@ -0,0 +1,130 @@ +:original_name: en-us_topic_0013935842.html + +.. _en-us_topic_0013935842: + +Creating a VPC +============== + +Scenarios +--------- + +A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. + +You can create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. Click **Create VPC**. + +#. On the **Create VPC** page, set parameters as prompted. + + A default subnet will be created together with a VPC and you can also click **Add Subnet** to create more subnets for the VPC. + + .. table:: **Table 1** VPC parameter descriptions + + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +==================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. 
The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). 
| 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. 
| Default | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. 
| | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + + .. 
table:: **Table 2** VPC tag key and value requirements + + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+============================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for the same VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + + .. _en-us_topic_0013935842__en-us_topic_0118498861_table6536185812515: + + .. table:: **Table 3** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. 
| | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **Create Now**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/deleting_a_subnet.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/deleting_a_subnet.rst new file mode 100644 index 0000000..957c4d0 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/deleting_a_subnet.rst 
@@ -0,0 +1,51 @@ +:original_name: vpc_vpc_0002.html + +.. _vpc_vpc_0002: + +Deleting a Subnet +================= + +Scenarios +--------- + +You can delete a subnet to release network resources if the subnet is no longer required. + +Prerequisites +------------- + +You can delete a subnet only if there are no resources in the subnet. If there are resources in the subnet, you must delete those resources before you can delete the subnet. + +You can view all resources of your account on the console homepage and check the resources that are in the subnet you want to delete. + +The resources may include: + +- ECS +- BMS +- CCE cluster +- RDS instance +- MRS cluster +- DCS instance +- Load balancer +- VPN +- Private IP address +- Custom route +- NAT gateway + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. + +5. In the subnet list, locate the row that contains the subnet you want to delete and click **Delete** in the **Operation** column. + + A confirmation dialog box is displayed. + +6. Click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/deleting_a_vpc.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/deleting_a_vpc.rst new file mode 100644 index 0000000..77afe95 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/deleting_a_vpc.rst 
@@ -0,0 +1,39 @@ +:original_name: vpc_vpc_0003.html + +.. _vpc_vpc_0003: + +Deleting a VPC +============== + +Scenarios +--------- + +You can delete a VPC if the VPC is no longer required. + +You can delete a VPC only if there are no resources in the VPC. If there are resources in the VPC, you must delete those resources before you can delete the VPC. + +A VPC cannot be deleted if it contains subnets, Direct Connect connections, custom routes, VPC peering connections, or VPNs. To delete the VPC, you must first delete or disable the following resources. + +- Subnets. For details, see section :ref:`Deleting a Subnet `. +- VPNs. For details, see *Virtual Private Network User Guide*. +- Direct Connect connections. For details, see the *Direct Connect User Guide*. +- Custom routes. For details, see section :ref:`Deleting a Route `. +- VPC peering connections. For details, see section :ref:`Deleting a VPC Peering Connection `. + +Notes and Constraints +--------------------- + +If there are any EIPs or security groups, the last VPC cannot be deleted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the row that contains the VPC to be deleted and click **Delete** in the **Operation** column. +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/exporting_vpc_list.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/exporting_vpc_list.rst new file mode 100644 index 0000000..802da92 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/exporting_vpc_list.rst 
@@ -0,0 +1,29 @@ +:original_name: vpc_vpc_0006.html + +.. _vpc_vpc_0006: + +Exporting VPC List +================== + +Scenarios +--------- + +Information about all VPCs under your account can be exported as an Excel file to a local directory. This file records the names, ID, status, IP address ranges of VPCs, and the number of subnets. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. + +5. In the upper right corner of the VPC list, click |image2|. + + The system will automatically export information about all VPCs under your account in the current region. They will be exported in Excel format. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0233469654.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/index.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/index.rst new file mode 100644 index 0000000..dea873c --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/index.rst @@ -0,0 +1,30 @@ +:original_name: en-us_topic_0030969460.html + +.. _en-us_topic_0030969460: + +VPC and Subnet +============== + +- :ref:`Creating a VPC ` +- :ref:`Modifying a VPC ` +- :ref:`Creating a Subnet for the VPC ` +- :ref:`Modifying a Subnet ` +- :ref:`Deleting a Subnet ` +- :ref:`Deleting a VPC ` +- :ref:`Managing VPC Tags ` +- :ref:`Managing Subnet Tags ` +- :ref:`Exporting VPC List ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + creating_a_vpc + modifying_a_vpc + creating_a_subnet_for_the_vpc + modifying_a_subnet + deleting_a_subnet + deleting_a_vpc + managing_vpc_tags + managing_subnet_tags + exporting_vpc_list 
diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/managing_subnet_tags.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/managing_subnet_tags.rst new file mode 100644 index 0000000..5c67bdc --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/managing_subnet_tags.rst 
@@ -0,0 +1,94 @@ +:original_name: vpc_vpc_0005.html + +.. _vpc_vpc_0005: + +Managing Subnet Tags +==================== + +Scenarios +--------- + +A subnet tag identifies a subnet. Tags can be added to subnets to facilitate subnet identification and administration. You can add a tag to a subnet when creating the subnet, or you can add a tag to a created subnet on the subnet details page. A maximum of 20 tags can be added to each subnet. + +A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. + +.. _vpc_vpc_0005__en-us_topic_0118498932_ted9687ca14074ef785241145365a6175: + +.. table:: **Table 1** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +Procedure +--------- + +**Search for subnets by tag key and value on the page showing the subnet list.** + +#. 
Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. Under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Subnets**. + +#. In the upper right corner of the subnet list, click **Search by Tag**. + +#. Enter the tag key of the subnet to be queried. + + Both the tag key and value must be specified. The system automatically displays the subnets you are looking for if both the tag key and value are matched. + +#. Click **+** to add another tag key and value. + + You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for subnets, the subnets containing all specified tags will be displayed. + +#. Click **Search**. + + The system displays the subnets you are looking for based on the entered tag keys and values. + +**Add, delete, edit, and view tags on the Tags tab of a subnet.** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. Under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Subnets**. +#. In the subnet list, locate the target subnet and click its name. +#. On the subnet details page, click the **Tags** tab and perform desired operations on tags. + + - View tags. + + On the **Tags** tab, you can view details about tags added to the current subnet, including the number of tags and the key and value of each tag. + + - Add a tag. + + Click **Add Tag** in the upper left corner. In the displayed **Add Tag** dialog box, enter the tag key and value, and click **OK**. + + - Edit a tag. + + Locate the row that contains the tag you want to edit, and click **Edit** in the **Operation** column. Enter the new tag key and value, and click **OK**. + + - Delete a tag. + + Locate the row that contains the tag you want to delete, and click **Delete** in the **Operation** column. 
In the displayed dialog box, click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/managing_vpc_tags.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/managing_vpc_tags.rst new file mode 100644 index 0000000..dcb52db --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/managing_vpc_tags.rst 
@@ -0,0 +1,101 @@ +:original_name: vpc_vpc_0004.html + +.. _vpc_vpc_0004: + +Managing VPC Tags +================= + +Scenarios +--------- + +A VPC tag identifies a VPC. Tags can be added to VPCs to facilitate VPC identification and management. You can add a tag to a VPC when creating the VPC, or you can add a tag to a created VPC on the VPC details page. A maximum of 20 tags can be added to each VPC. + +A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. + +.. _vpc_vpc_0004__en-us_topic_0118498924_ted9687ca14074ef785241145365a6175: + +.. table:: **Table 1** VPC tag key and value requirements + + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+============================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for the same VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. 
| vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + +Procedure +--------- + +**Search for VPCs by tag key and value on the page showing the VPC list.** + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. In the upper right corner of the VPC list, click **Search by Tag**. + +#. In the displayed area, enter the tag key and value of the VPC you are looking for. + + Both the tag key and value must be specified. The system automatically displays the VPCs you are looking for if both the tag key and value are matched. + +#. Click + to add more tag keys and values. + + You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed. + +#. Click **Search**. + + The system displays the VPCs you are looking for based on the entered tag keys and values. + +**Add, delete, edit, and view tags on the Tags tab of a VPC.** + +#. Log in to the management console. + +#. Click |image2| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. On the **Virtual Private Cloud** page, locate the VPC whose tags are to be managed and click the VPC name. + + The page showing details about the particular VPC is displayed. + +#. 
Click the **Tags** tab and perform desired operations on tags. + + - View tags. + + On the **Tags** tab, you can view details about tags added to the current VPC, including the number of tags and the key and value of each tag. + + - Add a tag. + + Click **Add Tag** in the upper left corner. In the displayed **Add Tag** dialog box, enter the tag key and value, and click **OK**. + + - Edit a tag. + + Locate the row that contains the tag you want to edit and click **Edit** in the **Operation** column. In the **Edit Tag** dialog box, change the tag value and click **OK**. + + - Delete a tag. + + Locate the row that contains the tag you want to delete, and click **Delete** in the **Operation** column. In the displayed dialog box, click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/modifying_a_subnet.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/modifying_a_subnet.rst new file mode 100644 index 0000000..85c682e --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/modifying_a_subnet.rst 
@@ -0,0 +1,48 @@ +:original_name: vpc_vpc_0001.html + +.. _vpc_vpc_0001: + +Modifying a Subnet +================== + +Scenarios +--------- + +Modify the subnet name, NTP server address, and DNS server address. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Subnets**. +#. In the subnet list, locate the target subnet and click its name. +#. On the subnet details page, modify required parameters. + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================================================================================================================================+=======================+ + | Name | The subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. 
Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + | | | | + | | .. note:: | | + | | | | + | | - If you add or change the NTP server addresses of a subnet, you need to renew the DHCP lease for or restart all the ECSs in the subnet to make the change take effect immediately. | | + | | - If the NTP server addresses have been cleared out, restarting the ECSs will not help. You must renew the DHCP lease for all ECSs to make the change take effect immediately. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_and_subnet/modifying_a_vpc.rst b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/modifying_a_vpc.rst new file mode 100644 index 0000000..5195f19 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_and_subnet/modifying_a_vpc.rst 
@@ -0,0 +1,71 @@ +:original_name: en-us_topic_0030969462.html + +.. _en-us_topic_0030969462: + +Modifying a VPC +=============== + +Scenarios +--------- + +Change the VPC name and CIDR block. + +If the VPC CIDR block conflicts with the CIDR block of a VPN created in the VPC, you can modify its CIDR block. + +Notes and Constraints +--------------------- + +- When modifying the VPC CIDR block: + + - The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255 + - If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks. + +When modifying the VPC CIDR block: + +- The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255 +- If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks. + +Procedure +--------- + +**Modifying the VPC CIDR Block** + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. On the **Virtual Private Cloud** page, locate the row that contains the VPC to be modified and click **Edit CIDR Block** in the **Operation** column. + +#. Set a new CIDR block. + + + .. figure:: /_static/images/en-us_image_0000001151300782.png + :alt: **Figure 1** Modify CIDR Block + + + **Figure 1** Modify CIDR Block + +#. Click **OK**. + +**Modifying a VPC** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. 
Modify the basic information about a VPC using either of the following methods : + + - In the VPC list, click |image3| on the right of the VPC name to change the VPC name. + + - In the VPC list, click the VPC name. + + On the VPC details page, click |image4| next to the VPC name or description to change the VPC name or description. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png +.. |image3| image:: /_static/images/en-us_image_0000001267230305.png +.. |image4| image:: /_static/images/en-us_image_0000001267350317.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_flow_log/creating_a_vpc_flow_log.rst b/umn/source/operation_guide_new_console_edition/vpc_flow_log/creating_a_vpc_flow_log.rst new file mode 100644 index 0000000..8aa5800 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_flow_log/creating_a_vpc_flow_log.rst 
@@ -0,0 +1,79 @@ +:original_name: FlowLog_0003.html + +.. _FlowLog_0003: + +Creating a VPC Flow Log +======================= + +Scenarios +--------- + +A VPC flow log records information about the traffic going to and from a VPC. + +Prerequisites +------------- + +Ensure that the following operations have been performed on the LTS console: + +- Create a log group. +- Create a log topic. + +For more information about the LTS service, see the *Log Tank Service User Guide*. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **VPC Flow Logs**. + +5. In the upper right corner, click **Create VPC Flow Log**. On the displayed page, configure parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0191544038.png + :alt: **Figure 1** Create VPC Flow Log + + + **Figure 1** Create VPC Flow Log + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+============================================================================================================================================================================================================================================================+=======================+ + | Name | The VPC flow log name. | flowlog-495d | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Resource Type | The type of resources whose traffic is to be logged. You can select **NIC**, **Subnet**, or **VPC**. | NIC | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Resource | The specific NIC whose traffic is to be logged. | N/A | + | | | | + | | .. note:: | | + | | | | + | | We recommend that you select an ECS that is in the running state. If an ECS in the stopped state is selected, restart the ECS after creating the VPC flow log for accurately recording the information about the traffic going to and from the ECS NIC. | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Filter | - **All traffic**: specifies that both accepted and rejected traffic of the specified resource will be logged. | All | + | | - **Accepted traffic**: specifies that only accepted traffic of the specified resource will be logged. Accepted traffic refers to the traffic permitted by the security group or firewall. | | + | | - **Rejected traffic**: specifies that only rejected traffic of the specified resource will be logged. Rejected traffic refers to the traffic denied by the firewall. 
| | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Log Group | The log group created in LTS. | lts-group-wule | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Log Topic | The log topic created in LTS. | LogTopic1 | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the VPC flow log. This parameter is optional. | N/A | + | | | | + | | The VPC flow log description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. note:: + + Only two flow logs, each with a different filter, can be created for a single resource under the same log group and log topic. Each VPC flow log must be unique. + +6. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
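Review bot: in Table 1 of creating_a_vpc_flow_log.rst the two Filter descriptions are asymmetric and leave the question a reader most needs answered open: `Accepted traffic refers to the traffic permitted by the security group or firewall.` versus `Rejected traffic refers to the traffic denied by the firewall.` State explicitly whether a packet dropped by a security group rule is logged as rejected, not logged at all, or handled some other way, because that decides whether a Rejected-traffic flow log can be used to spot blocked scans against an ECS. Two smaller points in the same hunk: the note `Only two flow logs, each with a different filter, can be created for a single resource under the same log group and log topic` does not say which combinations are allowed when there are three filter values (All, Accepted, Rejected); and the procedure mixes enumerators (`#. Log in to the management console.` followed by `2. Click |image1|`), while the subnet and VPC pages in this change use `#.` throughout.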
diff --git a/umn/source/operation_guide_new_console_edition/vpc_flow_log/deleting_a_vpc_flow_log.rst b/umn/source/operation_guide_new_console_edition/vpc_flow_log/deleting_a_vpc_flow_log.rst new file mode 100644 index 0000000..53aaec4 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_flow_log/deleting_a_vpc_flow_log.rst @@ -0,0 +1,39 @@ +:original_name: FlowLog_0005.html + +.. _FlowLog_0005: + +Deleting a VPC Flow Log +======================= + +Scenarios +--------- + +Delete a VPC flow log that is not required. Deleting a VPC flow log will not delete the existing flow log records in LTS. + +.. note:: + + If a NIC that uses a VPC flow log is deleted, the flow log will be automatically deleted. However, the flow log records are not deleted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **VPC Flow Logs**. + +5. Locate the row that contains the VPC flow log to be deleted and click **Delete** in the **Operation** column. + + + .. figure:: /_static/images/en-us_image_0191594527.png + :alt: **Figure 1** Deleting a VPC flow log + + + **Figure 1** Deleting a VPC flow log + +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst b/umn/source/operation_guide_new_console_edition/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst new file mode 100644 index 0000000..9b76cf9 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst 
@@ -0,0 +1,25 @@ +:original_name: FlowLog_0006.html + +.. _FlowLog_0006: + +Enabling or Disabling VPC Flow Log +================================== + +Scenarios +--------- + +After a VPC flow log is created, the VPC flow log is automatically enabled. If you do not need to record traffic data, you can disable the corresponding VPC flow log. The disabled VPC flow log can be enabled again. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **VPC Flow Logs**. +5. Locate the VPC flow log to be enabled or disabled, and click **Enable** or **Disable** in the **Operation** column. +6. Click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_flow_log/index.rst b/umn/source/operation_guide_new_console_edition/vpc_flow_log/index.rst new file mode 100644 index 0000000..0c5fe10 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_flow_log/index.rst @@ -0,0 +1,22 @@ +:original_name: FlowLog_0001.html + +.. _FlowLog_0001: + +VPC Flow Log +============ + +- :ref:`VPC Flow Log Overview ` +- :ref:`Creating a VPC Flow Log ` +- :ref:`Viewing a VPC Flow Log ` +- :ref:`Enabling or Disabling VPC Flow Log ` +- :ref:`Deleting a VPC Flow Log ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + vpc_flow_log_overview + creating_a_vpc_flow_log + viewing_a_vpc_flow_log + enabling_or_disabling_vpc_flow_log + deleting_a_vpc_flow_log diff --git a/umn/source/operation_guide_new_console_edition/vpc_flow_log/viewing_a_vpc_flow_log.rst b/umn/source/operation_guide_new_console_edition/vpc_flow_log/viewing_a_vpc_flow_log.rst new file mode 100644 index 0000000..9d6d8c3 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_flow_log/viewing_a_vpc_flow_log.rst 
@@ -0,0 +1,123 @@ +:original_name: FlowLog_0004.html + +.. _FlowLog_0004: + +Viewing a VPC Flow Log +====================== + +Scenarios +--------- + +View information about your flow log record. + +The capture window is approximately 10 minutes, which indicates that a flow log record will be generated every 10 minutes. After creating a VPC flow log, you need to wait about 10 minutes before you can view the flow log record. + +.. note:: + + If an ECS is in the stopped state, its flow log records will not be displayed. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **VPC Flow Logs**. + +5. Locate the target VPC flow log and click **View Log Record** in the **Operation** column to view information about the flow log record in LTS. + + + .. figure:: /_static/images/en-us_image_0191577030.png + :alt: **Figure 1** Viewing a log record + + + **Figure 1** Viewing a log record + + + .. figure:: /_static/images/en-us_image_0191588554.png + :alt: **Figure 2** Flow log record + + + **Figure 2** Flow log record + + The flow log record is in the following format: + + .. code-block:: + + + + Example 1: The following is an example of a flow log record in which data was recorded during the capture window: + + .. code-block:: + + 1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd 192.168.0.154 192.168.3.25 38929 53 17 1 96 1548752136 1548752736 ACCEPT OK + + Value **1** indicates the VPC flow log version. Traffic with a size of 96 bytes to NIC **1d515d18-1b36-47dc-a983-bd6512aed4bd** during the past 10 minutes (from 16:55:36 to 17:05:36 on January 29, 2019) was allowed. 
A data packet was transmitted over the UDP protocol from source IP address **192.168.0.154** and port **38929** to destination IP address **192.168.3.25** and port **53**. + + Example 2: The following is an example of a flow log record in which no data was recorded during the capture window: + + .. code-block:: + + 1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - - 1431280876 1431280934 - NODATA + + Example 3: The following is an example of a flow log record in which data was skipped during the capture window: + + .. code-block:: + + 1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - - 1431280876 1431280934 - SKIPDATA + + :ref:`Table 1 ` describes the fields of a flow log record. + + .. _flowlog_0004__en-us_topic_0151016582_table1313851722313: + + .. table:: **Table 1** Log field description + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Field | Description | Example Value | + +=======================+===============================================================================================================================================================================================================================================================================================================================================+======================================+ + | version | The VPC flow log version. 
| 1 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | project-id | The project ID. | 5f67944957444bd6bb4fe3b367de8f3d | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | interface-id | The ID of the NIC for which the traffic is recorded. | 1d515d18-1b36-47dc-a983-bd6512aed4bd | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | srcaddr | The source IP address. | 192.168.0.154 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | dstaddr | The destination IP address. 
| 192.168.3.25 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | srcport | The source port. | 38929 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | dstport | The destination port. | 53 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | protocol | The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For details, see `Assigned Internet Protocol Numbers `__. | 17 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | packets | The number of packets transferred during the capture window. 
| 1 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | bytes | The number of bytes transferred during the capture window. | 96 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | start | The time, in Unix seconds, of the start of the capture window. | 1548752136 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | end | The time, in Unix seconds, of the end of the capture window. 
| 1548752736 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | action | The action associated with the traffic: | ACCEPT | + | | | | + | | - **ACCEPT**: The recorded traffic was allowed by the security groups or firewalls. | | + | | - **REJECT**: The recorded traffic was denied by the firewalls. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | log-status | The logging status of the VPC flow log: | OK | + | | | | + | | - **OK**: Data is logging normally to the chosen destinations. | | + | | - **NODATA**: There was no traffic of the **Filter** setting to or from the NIC during the capture window. | | + | | - **SKIPDATA**: Some flow log records were skipped during the capture window. This may be caused by an internal capacity constraint or an internal error. | | + | | | | + | | Example: | | + | | | | + | | When **Filter** is set to **Accepted traffic**, if there is accepted traffic, the value of **log-status** is **OK**. If there is no accepted traffic, the value of **log-status** is **NODATA** regardless of whether there is rejected traffic. If some accepted traffic is abnormally skipped, the value of **log-status** is **SKIPDATA**. 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + +You can enter a keyword on the log topic details page on the LTS console to search for flow log records. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_flow_log/vpc_flow_log_overview.rst b/umn/source/operation_guide_new_console_edition/vpc_flow_log/vpc_flow_log_overview.rst new file mode 100644 index 0000000..f2343c1 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_flow_log/vpc_flow_log_overview.rst @@ -0,0 +1,25 @@ +:original_name: FlowLog_0002.html + +.. _FlowLog_0002: + +VPC Flow Log Overview +===================== + +A VPC flow log records information about the traffic going to and from a VPC. VPC flow logs help you monitor network traffic, analyze network attacks, and determine whether security group and firewall rules require modification. + +VPC flow logs must be used together with the Log Tank Service (LTS). Before you create a VPC flow log, you need to create a log group and a log topic in LTS. :ref:`Figure 1 ` shows the process for configuring the VPC flow log function. + +.. _flowlog_0002__en-us_topic_0151014680_fig1535115691415: + +.. figure:: /_static/images/en-us_image_0162336264.png + :alt: **Figure 1** Configuring the VPC flow log function + + + **Figure 1** Configuring the VPC flow log function + +Notes and Constraints +--------------------- + +- Currently, only C3, M3, and S2 ECSs support VPC flow logs. +- By default, you can create a maximum of 10 VPC flow logs. +- By default, a maximum of 400,000 flow log records are supported. 
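Review bot: the format block under `The flow log record is in the following format:` in viewing_a_vpc_flow_log.rst is an empty `.. code-block::`, so nothing tells the reader the field order before the examples; it should list the fourteen fields in the order Table 1 gives them (version, project-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), which is also the order the example records use. Related: the record has no direction field, so the Example 1 explanation `Traffic with a size of 96 bytes to NIC 1d515d18-47dc-...` asserts a direction the record does not carry; a reader has to compare srcaddr and dstaddr with the NIC's own address to tell ingress from egress, and the text should say so. Minor: the `Assigned Internet Protocol Numbers` link in the protocol row has no URL, and Examples 2 and 3 use a capture window (1431280876 to 1431280934, 58 seconds) that matches neither Example 1 nor the stated 10-minute window.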
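Review bot: the constraints in vpc_flow_log_overview.rst need their scope stated. `Currently, only C3, M3, and S2 ECSs support VPC flow logs.` reads as a NIC-level limitation, but the create page in this change also offers Subnet and VPC as Resource Type; say whether traffic of other ECS flavors inside a logged subnet or VPC is captured or silently absent, since a gap there would look like a quiet network. `By default, a maximum of 400,000 flow log records are supported.` should say per what (per flow log, per log topic, per account) and what happens past the limit, given that the viewing page attributes SKIPDATA to an internal capacity constraint.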
diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst new file mode 100644 index 0000000..cf8df32 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst 
@@ -0,0 +1,223 @@ +:original_name: en-us_topic_0046655038.html + +.. _en-us_topic_0046655038: + +Creating a VPC Peering Connection with a VPC in Another Account +=============================================================== + +Scenarios +--------- + +The VPC service also allows you to create a VPC peering connection with a VPC in another account. The two VPCs must be in the same region. If you request a VPC peering connection with a VPC in another account in the same region, the owner of the peer account must accept the request to activate the connection. + +Creating a VPC Peering Connection +--------------------------------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the right pane displayed, click **Create VPC Peering Connection**. + +6. Configure parameters as prompted. You must select **Another account** for **Account**. + + + .. figure:: /_static/images/en-us_image_0167840073.png + :alt: **Figure 1** Create VPC Peering Connection + + + **Figure 1** Create VPC Peering Connection + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================================+======================================+ + | Name | The name of the VPC peering connection. 
| peering-001 | + | | | | + | | The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC | The local VPC. You can select one from the drop-down list. | vpc_002 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Account | The account to which the VPC to peer with belongs. | Another account | + | | | | + | | - **My account**: The VPC peering connection will be created between two VPCs, in the same region, in your account. | | + | | - **Another account**: The VPC peering connection will be created between your VPC and a VPC in another account, in the same region. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer Project ID | This parameter is available only when **Another account** is selected. | N/A | + | | | | + | | For details about how to obtain the peer project ID, see :ref:`Obtaining the Peer Project ID `. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC ID | This parameter is available only when **Another account** is selected. | 65d062b3-40fa-4204-8181-3538f527d2ab | + | | | | + | | For details about how to obtain the peer VPC ID, see :ref:`Obtaining the Peer VPC ID `. 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + +7. Click **OK**. + +Accepting a VPC Peering Connection Request +------------------------------------------ + +To request a VPC peering connection with a VPC in another account, the owner of the peer account must accept the request to activate the connection. + +#. The owner of the peer account logs in to the management console. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **VPC Peering**. + +#. In the VPC peering connection list, locate the row that contains the target VPC peering connection and click **Accept Request** in the **Operation** column. + + + .. figure:: /_static/images/en-us_image_0162391155.png + :alt: **Figure 2** VPC peering connection list + + + **Figure 2** VPC peering connection list + +#. Click **Yes** in the displayed dialog box. + +Refusing a VPC Peering Connection +--------------------------------- + +The owner of the peer account can reject any VPC peering connection request that they receive. If a VPC peering connection request is rejected, the connection will not be established. You must delete the rejected VPC peering connection request before creating a VPC peering connection between the same VPCs as those in the rejected request. + +#. The owner of the peer account logs in to the management console. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **VPC Peering**. +#. In the VPC peering connection list, locate the row that contains the target VPC peering connection and click **Reject Request** in the **Operation** column. +#. Click **Yes** in the displayed dialog box. 
+ +Adding Routes for a VPC Peering Connection +------------------------------------------ + +If you request a VPC peering connection with a VPC in another account, the owner of the peer account must accept the request. To enable communication between the two VPCs, the owners of both the local and peer accounts need to add routes on the **Route Tables** page for the VPC peering connection. The owner of the local account can add only the local route because the owner does not have the required permission to perform operations on the peer VPC. The owner of the peer account must add the peer route. The procedure for adding a local route and a peer route is the same. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **VPC Peering**. + +#. Locate the VPC peering connection that you want to configure routes for in the connection list and click the connection name. + + The page showing the VPC peering connection details is displayed. + +#. Add routes for the VPC peering connection to the route table of the local VPC: + + a. Click the **Local Routes** tab and then click the **Route Tables** hyperlink. + + The **Summary** tab of the default route table for the local VPC is displayed. + + b. Click the **Associated Subnets** tab to view the subnets associated with the default route table. + + - If there is the subnet to be connected by the VPC peering connection, + + #. Click the **Summary** tab of the route table and click **Add Route** to add a route to the default route table. + + :ref:`Table 2 ` describes the route parameters. + + - If the subnet to be connected by the VPC peering connection is not there, + + #. Return to the VPC list and switch to the subnet list of the VPC. + + #. Locate the row that contains the target subnet to be connected by the VPC peering connection, and click the route table name in the **Route Table** column. 
+ + The **Summary** tab of the route table associated with the subnet is displayed. + + #. Click **Add Route** to add a route to the route table. + + :ref:`Table 2 ` describes the route parameters. + + .. _en-us_topic_0046655038__en-us_topic_0118498933_table97163496270: + + .. table:: **Table 2** Parameter description + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================================================+========================+ + | Destination | The peer VPC CIDR block, subnet CIDR block, or ECS IP address. For details, see :ref:`VPC Peering Connection Configuration Plans `. | 192.168.0.0/16 | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop Type | The next hop type. Select **VPC peering connection**. | VPC peering connection | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop | The next hop address. Select the name of the current VPC peering connection. | peering-001 | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Description | Supplementary information about the route. This parameter is optional. 
| - | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + +#. Add routes for the VPC peering connection to the route table of the peer VPC: + + a. Click the **Peer Routes** tab and then click the **Route Tables** hyperlink. + + The **Summary** tab of the default route table for the peer VPC is displayed. + + b. Click the **Associated Subnets** tab to view the subnets associated with the default route table. + + - If there is the subnet to be connected by the VPC peering connection, + + #. Click the **Summary** tab of the route table and click **Add Route** to add a route to the default route table. + + :ref:`Table 3 ` describes the route parameters. + + #. Click **OK**. + + - If the subnet to be connected by the VPC peering connection is not there, + + #. Return to the VPC list and switch to the subnet list of the VPC. + + #. Locate the row that contains the target subnet to be connected by the VPC peering connection, and click the route table name in the **Route Table** column. + + The **Summary** tab of the route table associated with the subnet is displayed. + + #. Click **Add Route** to add a route to the route table. + + :ref:`Table 3 ` describes the route parameters. + + #. Click **OK**. + + .. _en-us_topic_0046655038__en-us_topic_0118498933_table13697163914393: + + .. 
table:: **Table 3** Parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Parameter | Description | Example Value | + +=======================+==============================================================================================================================================================+========================+ + | Destination | The local VPC CIDR block, subnet CIDR block, or ECS IP address. For details, see :ref:`VPC Peering Connection Configuration Plans `. | 192.168.2.0/16 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop Type | The next hop type. Select **VPC peering connection**. | VPC peering connection | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop | The next hop address. Select the name of the current VPC peering connection. | peering-001 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Description | Supplementary information about the route. This parameter is optional. | - | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + +After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the **ping** command to check whether the two VPCs can communicate with each other. + +If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? ` + +.. _en-us_topic_0046655038__en-us_topic_0118498933_section41291933224121: + +Obtaining the Peer Project ID +----------------------------- + +#. The owner of the peer account logs in to the management console. +#. Select **My Credentials** from the username drop-down list. +#. On the **Projects** tab, obtain the required project ID. + +.. _en-us_topic_0046655038__en-us_topic_0118498933_section19734314164713: + +Obtaining the Peer VPC ID +------------------------- + +#. The owner of the peer account logs in to the management console. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. Click the target VPC name and view VPC ID on the VPC details page. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst new file mode 100644 index 0000000..d2ef281 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst 
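Review bot: the example values in Table 2 and Table 3 of creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst contradict the non-overlap requirement this same patch states in vpc_peering_connection_configuration_plans.rst. Table 2 uses `192.168.0.0/16` as the peer destination and Table 3 uses `192.168.2.0/16` as the local destination; the two blocks overlap, and the second is not a valid network prefix because a /16 with `.2.` in the third octet has host bits set. Use two disjoint blocks (for example the `192.168.10.0/24` and `192.168.2.0/24` pair the sibling in-your-account page already uses) so that the routes shown would actually take effect. Two smaller points in the same hunk: under "Add routes for the VPC peering connection to the route table of the local VPC" both branches stop at `:ref:`Table 2 ` describes the route parameters.` without the `#. Click **OK**.` step that the peer-VPC branches include, and the first procedure mixes the `#.` auto-enumerator with explicit `2.` to `7.`, while the Accepting and Refusing procedures use `#.` throughout.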
@@ -0,0 +1,180 @@ +:original_name: en-us_topic_0046655037.html + +.. _en-us_topic_0046655037: + +Creating a VPC Peering Connection with Another VPC in Your Account +================================================================== + +Scenarios +--------- + +To create a VPC peering connection, first create a request to peer with another VPC. You can request a VPC peering connection with another VPC in your account, but the two VPCs must be in the same region. The system automatically accepts the request. + +Prerequisites +------------- + +Two VPCs in the same region have been created. + +Creating a VPC Peering Connection +--------------------------------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the right pane displayed, click **Create VPC Peering Connection**. + +6. Configure parameters as prompted. You must select **My account** for **Account**. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0167839112.png + :alt: **Figure 1** Create VPC Peering Connection + + + **Figure 1** Create VPC Peering Connection + + .. _en-us_topic_0046655037__en-us_topic_0118498960_table1215761020244: + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+==========================================================================================================================================================+=======================+ + | Name | The name of the VPC peering connection. 
| peering-001 | + | | | | + | | The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_). | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Local VPC | The local VPC. You can select one from the drop-down list. | vpc_002 | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Local VPC CIDR Block | The CIDR block for the local VPC. | 192.168.10.0/24 | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Account | The account to which the peer VPC belongs. | My account | + | | | | + | | - **My account**: The VPC peering connection will be created between two VPCs, in the same region, in your account. | | + | | - **Another account**: The VPC peering connection will be created between your VPC and a VPC in another account, in the same region. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Peer Project | The peer project name. The project name of the current project is used by default. | aaa | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Peer VPC | The peer VPC. You can select one from the drop-down list if the VPC peering connection is created between two VPCs in your own account. 
| vpc_fab1 | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Peer VPC CIDR Block | The CIDR block for the peer VPC. | 192.168.2.0/24 | + | | | | + | | The local and peer VPCs cannot have matching or overlapping CIDR blocks. Otherwise, the routes added for the VPC peering connection may not take effect. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +Adding Routes for a VPC Peering Connection +------------------------------------------ + +If you request a VPC peering connection with another VPC in your own account, the system automatically accepts the request. To enable communication between the two VPCs, you need to add local and peer routes on the **Route Tables** page for the VPC peering connection. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **VPC Peering**. + +#. Locate the VPC peering connection that you want to configure routes for in the connection list and click the connection name. + + The page showing the VPC peering connection details is displayed. + +#. Add routes for the VPC peering connection to the route table of the local VPC: + + a. Click the **Local Routes** tab and then click the **Route Tables** hyperlink. + + The **Summary** tab of the default route table for the local VPC is displayed. + + b. Click the **Associated Subnets** tab to view the subnets associated with the default route table. + + - If there is the subnet to be connected by the VPC peering connection, + + #. Click the **Summary** tab of the route table and click **Add Route** to add a route to the default route table. 
+ + :ref:`Table 2 ` describes the route parameters. + + - If the subnet to be connected by the VPC peering connection is not there, + + #. Return to the VPC list and switch to the subnet list of the VPC. + + #. Locate the row that contains the target subnet to be connected by the VPC peering connection, and click the route table name in the **Route Table** column. + + The **Summary** tab of the route table associated with the subnet is displayed. + + #. Click **Add Route** to add a route to the route table. + + :ref:`Table 2 ` describes the route parameters. + + .. _en-us_topic_0046655037__en-us_topic_0118498960_table97163496270: + + .. table:: **Table 2** Parameter description + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================================================+========================+ + | Destination | The peer VPC CIDR block, subnet CIDR block, or ECS IP address. For details, see :ref:`VPC Peering Connection Configuration Plans `. | 192.168.0.0/16 | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop Type | The next hop type. Select **VPC peering connection**. | VPC peering connection | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop | The next hop address. Select the name of the current VPC peering connection. 
| peering-001 | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Description | Supplementary information about the route. This parameter is optional. | - | + | | | | + | | The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + +5. Add routes for the VPC peering connection to the route table of the peer VPC: + + a. Click the **Peer Routes** tab and then click the **Route Tables** hyperlink. + + The **Summary** tab of the default route table for the peer VPC is displayed. + + b. Click the **Associated Subnets** tab to view the subnets associated with the default route table. + + - If there is the subnet to be connected by the VPC peering connection, + + #. Click the **Summary** tab of the route table and click **Add Route** to add a route to the default route table. + + :ref:`Table 3 ` describes the route parameters. + + #. Click **OK**. + + - If the subnet to be connected by the VPC peering connection is not there, + + #. Return to the VPC list and switch to the subnet list of the VPC. + + #. Locate the row that contains the target subnet to be connected by the VPC peering connection, and click the route table name in the **Route Table** column. + + The **Summary** tab of the route table associated with the subnet is displayed. + + #. Click **Add Route** to add a route to the route table. + + :ref:`Table 3 ` describes the route parameters. + + #. Click **OK**. + + .. _en-us_topic_0046655037__en-us_topic_0118498960_table13697163914393: + + .. 
table:: **Table 3** Parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Parameter | Description | Example Value | + +=======================+==============================================================================================================================================================+========================+ + | Destination | The local VPC CIDR block, subnet CIDR block, or ECS IP address. For details, see :ref:`VPC Peering Connection Configuration Plans `. | 192.168.2.0/16 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop Type | The next hop type. Select **VPC peering connection**. | VPC peering connection | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop | The next hop address. Select the name of the current VPC peering connection. | peering-001 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Description | Supplementary information about the route. This parameter is optional. | - | + | | | | + | | The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + +After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the **ping** command to check whether the two VPCs can communicate with each other. + +If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? ` + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/deleting_a_vpc_peering_connection.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/deleting_a_vpc_peering_connection.rst new file mode 100644 index 0000000..34313da --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/deleting_a_vpc_peering_connection.rst 
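Review bot: the example CIDR values in creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst are inconsistent across its three tables. Table 1 gives `192.168.10.0/24` for Local VPC CIDR Block and `192.168.2.0/24` for Peer VPC CIDR Block and states that the two blocks must not overlap, but Table 2 then shows `192.168.0.0/16` as the peer destination (a block that contains both VPCs, so the local route would also match the local VPC's own addresses) and Table 3 shows `192.168.2.0/16`, which has host bits set for a /16. Align the route examples with Table 1: `192.168.2.0/24` as the Table 2 destination and `192.168.10.0/24` as the Table 3 destination. Also, the second route procedure uses an explicit `5.` after four `#.` items, and the local-VPC branches lack the `#. Click **OK**.` step that the peer-VPC branches include.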
@@ -0,0 +1,37 @@ +:original_name: vpc_peering_0003.html + +.. _vpc_peering_0003: + +Deleting a VPC Peering Connection +================================= + +Scenarios +--------- + +The owners of both the local and peer accounts can delete a VPC peering connection in any state. After a VPC peering connection is deleted, routes configured for the connection will be automatically deleted as well. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name. + + + .. figure:: /_static/images/en-us_image_0162391187.png + :alt: **Figure 1** VPC peering connection list + + + **Figure 1** VPC peering connection list + +6. Locate the target VPC peering connection and click **Delete** in the **Operation** column. + +7. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/deleting_a_vpc_peering_route.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/deleting_a_vpc_peering_route.rst new file mode 100644 index 0000000..f078cd5 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/deleting_a_vpc_peering_route.rst 
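Review bot: the Scenarios paragraph of deleting_a_vpc_peering_connection.rst says that routes configured for the connection are deleted automatically, but the Procedure never repeats this where the operator confirms the action (`7. Click **Yes** in the displayed dialog box.`). Because either account owner can delete a connection in any state, a one-line reminder at step 6 or 7 that the peering routes in both VPCs are removed and communication over the connection ends would help prevent an accidental cutover by one side. Minor: the list starts with `#.` and continues with explicit `2.` to `7.`; use one enumerator style.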
@@ -0,0 +1,41 @@ +:original_name: vpc_peering_0006.html + +.. _vpc_peering_0006: + +Deleting a VPC Peering Route +============================ + +Scenarios +--------- + +After routes are added for a VPC peering connection, the owners of both the local and peer accounts can delete the routes on the **Route Tables** page. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the connection list, locate the VPC peering connection that you need to delete routes. +#. Click the name of the VPC peering connection to switch to the page showing details about the connection. +#. Delete the route added to the route table of the local VPC: + + a. Click the **Local Routes** tab and then click the **Route Tables** hyperlink. + + The **Summary** tab of the default route table for the local VPC is displayed. + + b. Locate the row that contains the route to be deleted and click **Delete** in the **Operation** column. + + c. Click **Yes**. + +#. Delete the route added to the route table of the peer VPC: + + a. Click the **Peer Routes** tab and then click the **Route Tables** hyperlink. + + The **Summary** tab of the default route table for the peer VPC is displayed. + + b. Locate the row that contains the route to be deleted and click **Delete** in the **Operation** column. + + c. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/index.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/index.rst new file mode 100644 index 0000000..1708859 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/index.rst 
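Review bot: step 4 of deleting_a_vpc_peering_route.rst skips the navigation step that every other procedure in this patch includes; after `#. On the console homepage, under **Network**, click **Virtual Private Cloud**.` there should be `#. In the navigation pane on the left, click **VPC Peering**.` before the connection list is available. The wording of step 4 also needs fixing: "locate the VPC peering connection that you need to delete routes" should read "locate the VPC peering connection whose routes you need to delete". Step 6.c (`c. Click **Yes**.`) and step 7.c (`c. Click **Yes** in the displayed dialog box.`) should use the same wording.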
@@ -0,0 +1,30 @@ +:original_name: vpc_peering_0000.html + +.. _vpc_peering_0000: + +VPC Peering Connection +====================== + +- :ref:`VPC Peering Connection Creation Procedure ` +- :ref:`VPC Peering Connection Configuration Plans ` +- :ref:`Creating a VPC Peering Connection with Another VPC in Your Account ` +- :ref:`Creating a VPC Peering Connection with a VPC in Another Account ` +- :ref:`Viewing VPC Peering Connections ` +- :ref:`Modifying a VPC Peering Connection ` +- :ref:`Deleting a VPC Peering Connection ` +- :ref:`Viewing Routes Configured for a VPC Peering Connection ` +- :ref:`Deleting a VPC Peering Route ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + vpc_peering_connection_creation_procedure + vpc_peering_connection_configuration_plans + creating_a_vpc_peering_connection_with_another_vpc_in_your_account + creating_a_vpc_peering_connection_with_a_vpc_in_another_account + viewing_vpc_peering_connections + modifying_a_vpc_peering_connection + deleting_a_vpc_peering_connection + viewing_routes_configured_for_a_vpc_peering_connection + deleting_a_vpc_peering_route diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/modifying_a_vpc_peering_connection.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/modifying_a_vpc_peering_connection.rst new file mode 100644 index 0000000..0c5220d --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/modifying_a_vpc_peering_connection.rst 
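Review bot: the ordering in index.rst lists "Deleting a VPC Peering Connection" ahead of "Viewing Routes Configured for a VPC Peering Connection" and "Deleting a VPC Peering Route", although deleting the connection removes its routes according to deleting_a_vpc_peering_connection.rst in this patch. Moving the two route topics before the connection deletion topic, in both the bullet list and the toctree, gives a lifecycle order: create, view, modify, routes, delete.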
@@ -0,0 +1,37 @@ +:original_name: vpc_peering_0002.html + +.. _vpc_peering_0002: + +Modifying a VPC Peering Connection +================================== + +Scenarios +--------- + +The owners of both the local and peer accounts can modify a VPC peering connection in any state. The VPC peering connection name can be changed. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name. + + + .. figure:: /_static/images/en-us_image_0162391187.png + :alt: **Figure 1** VPC peering connection list + + + **Figure 1** VPC peering connection list + +6. Locate the target VPC peering connection and click **Modify** in the **Operation** column. In the displayed dialog box, modify information about the VPC peering connection. + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst new file mode 100644 index 0000000..217dd5f --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst 
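Review bot: step 6 of modifying_a_vpc_peering_connection.rst ("In the displayed dialog box, modify information about the VPC peering connection") is broader than what the Scenarios paragraph allows, which says only the name can be changed. State the editable field explicitly in step 6, for example "In the displayed dialog box, change the VPC peering connection name", so readers do not expect the peer VPC or CIDR blocks to be editable here. Same enumerator mix as the other pages (`#.` followed by `2.` to `7.`).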
@@ -0,0 +1,26 @@ +:original_name: vpc_peering_0004.html + +.. _vpc_peering_0004: + +Viewing Routes Configured for a VPC Peering Connection +====================================================== + +Scenarios +--------- + +After routes are added for a VPC peering connection, the owners of both the local and peer accounts can view information about the routes on the page showing details about the VPC peering connection. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, click **VPC Peering**. +5. Locate the target VPC peering connection in the connection list. +6. Click the name of the VPC peering connection to switch to the page showing details about the connection. +7. On the displayed page, click the **Local Routes** tab and view information about the local route added for the VPC peering connection. +8. On the page showing details about the VPC peering connection, click the **Peer Routes** tab and view information about the peer route added for the VPC peering connection. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/viewing_vpc_peering_connections.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/viewing_vpc_peering_connections.rst new file mode 100644 index 0000000..b7d7af7 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/viewing_vpc_peering_connections.rst 
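Review bot: the procedure in viewing_routes_configured_for_a_vpc_peering_connection.rst uses a `#.` first item followed by explicit `2.` to `8.`, and unlike the other procedures in this patch it has a blank line after item 1 but none between items 2 to 8; use `#.` for every item and one consistent spacing so the list renders uniformly. Step 8 can also drop "On the page showing details about the VPC peering connection", since step 6 already placed the reader on that page.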
@@ -0,0 +1,35 @@ +:original_name: vpc_peering_0001.html + +.. _vpc_peering_0001: + +Viewing VPC Peering Connections +=============================== + +Scenarios +--------- + +The owners of both the local and peer accounts can view information about the created VPC peering connections and those that are still waiting to be accepted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name. + + + .. figure:: /_static/images/en-us_image_0162391187.png + :alt: **Figure 1** VPC peering connection list + + + **Figure 1** VPC peering connection list + +6. Click the VPC peering connection name. On the displayed page, view detailed information about the VPC peering connection. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/vpc_peering_connection_configuration_plans.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/vpc_peering_connection_configuration_plans.rst new file mode 100644 index 0000000..213c8ef --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/vpc_peering_connection_configuration_plans.rst 
@@ -0,0 +1,78 @@ +:original_name: en-us_topic_0046809840.html + +.. _en-us_topic_0046809840: + +VPC Peering Connection Configuration Plans +========================================== + +To enable two VPCs in the same region to communicate with each other, you can create a VPC peering connection between them. The VPC and subnet CIDR blocks must meet the requirements in :ref:`Table 1 `. + +.. _en-us_topic_0046809840__en-us_topic_0118499087_table461583720304: + +.. table:: **Table 1** Requirements for VPC and subnet CIDR blocks + + +-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+ + | Requirement | Description | + +=============================================================================+=====================================================================================================================================================+ + | - VPC CIDR blocks do not overlap. | A VPC peering connection can enable communications between the entire VPC CIDR blocks. The destination of a route is a VPC CIDR block. | + | - There are no requirements on subnet CIDR blocks. | | + | | For details, see :ref:`Route Configurations for Connecting Entire VPCs `. | + +-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+ + | - VPC CIDR blocks overlap. | A VPC peering connection can enable communications between subnets in the VPCs. The destination of a route is a subnet CIDR block. | + | - Subnet CIDR blocks connected by a VPC peering connection cannot overlap. | | + | | For details, see :ref:`Route Configurations for Connecting Specific Subnets `. 
| + +-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+ + +.. _en-us_topic_0046809840__en-us_topic_0118499087_section11900751101219: + +Route Configurations for Connecting Entire VPCs +----------------------------------------------- + +- Connections can be: + + - Between two VPCs + - Among multiple VPCs + +- If you need to configure routes that point to entire VPCs, none of the VPCs involved in VPC peering connections can overlap. Otherwise, VPC peering connections will not take effect because the routes will be unreachable. +- The destination of the route that points to an entire VPC is the CIDR block of the peer VPC, and the next hop is the VPC peering connection ID. + +.. _en-us_topic_0046809840__en-us_topic_0118499087_section1370341061310: + +Route Configurations for Connecting Specific Subnets +---------------------------------------------------- + +If VPCs connected by a VPC peering connection have overlapping CIDR blocks, the connection can only enable communications between non-overlapping subnets in the VPCs. If subnets in the two VPCs of a VPC peering connection overlap with each other, the connection will not take effect. When you create a VPC peering connection, ensure that the VPCs involved do not contain overlapping subnets. + +For example, VPC 1 and VPC 2 have matching CIDR blocks, but the subnets in the two VPCs do not overlap. A VPC peering connection can be created between pairs of subnets that do not overlap with each other. The route table is used to control the specific subnets that the VPC peering connection is created for. :ref:`Figure 1 ` shows a VPC peering connection created between two subnets. Routes are required to enable communication between Subnet A in VPC 1 and Subnet X in VPC 2. + +.. _en-us_topic_0046809840__en-us_topic_0118499087_fig95191521148: + +.. 
figure:: /_static/images/en-us_image_0194358487.png + :alt: **Figure 1** VPC peering connection between Subnet A and Subnet X + + + **Figure 1** VPC peering connection between Subnet A and Subnet X + +:ref:`Figure 2 ` shows the routes configured for the VPC peering connection between Subnet A and Subnet X. After the routes are configured, Subnet A and Subnet X can communicate with each other. + +.. _en-us_topic_0046809840__en-us_topic_0118499087_fig13211186151514: + +.. figure:: /_static/images/en-us_image_0194358495.png + :alt: **Figure 2** Route tables for the VPC peering connection between Subnet A and Subnet X + + + **Figure 2** Route tables for the VPC peering connection between Subnet A and Subnet X + +If two VPCs have overlapping subnets, a VPC peering connection created between the two subnets will not take effect, and the subnets cannot communicate with each other. + +As shown in :ref:`Figure 3 `, a VPC peering connection is created between subnet A of VPC1 and subnet X of VPC2. Subnet B of VPC1 and subnet X of VPC2 overlap with each other. If the destination of a route in the route table of VPC1 is set to the CIDR block of subnet X in VPC2, this route will conflict with the system route of subnet B in VPC1. Subnet A preferentially accesses subnet B and the VPC peering connection does not take effect. + +.. _en-us_topic_0046809840__en-us_topic_0118499087_fig1253173812157: + +.. figure:: /_static/images/en-us_image_0194358504.png + :alt: **Figure 3** Invalid VPC peering connection + + + **Figure 3** Invalid VPC peering connection + +If peering connections are used to link VPC 1 to multiple VPCs, for example, VPC 2, VPC 3, and VPC 4, the subnets of VPC 1 cannot overlap with those of VPC 2, VPC 3, and VPC 4. If VPC 2, VPC 3, and VPC 4 have overlapping subnets, a VPC peering connection can be created between only one of these overlapping subnets and a subnet of VPC 1. 
If a VPC peering connection is created between a subnet and the other *N* subnets, none of the subnets can overlap. diff --git a/umn/source/operation_guide_new_console_edition/vpc_peering_connection/vpc_peering_connection_creation_procedure.rst b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/vpc_peering_connection_creation_procedure.rst new file mode 100644 index 0000000..c6b39f4 --- /dev/null +++ b/umn/source/operation_guide_new_console_edition/vpc_peering_connection/vpc_peering_connection_creation_procedure.rst 
@@ -0,0 +1,34 @@ +:original_name: en-us_topic_0046655036.html + +.. _en-us_topic_0046655036: + +VPC Peering Connection Creation Procedure +========================================= + +A VPC peering connection is a network connection between two VPCs in one region that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same region. You can create a VPC peering connection between your own VPCs, or between your VPC and another account's VPC within the same region. However, you cannot create a VPC peering connection between VPCs in different regions. + +- Creating a VPC peering connection between VPCs in your account + + + .. figure:: /_static/images/en-us_image_0162335561.png + :alt: **Figure 1** Creating a VPC peering connection between VPCs in your account + + + **Figure 1** Creating a VPC peering connection between VPCs in your account + + If you create a VPC peering connection between two VPCs in your account, the system accepts the connection by default. You need to add routes for the local and peer VPCs to enable communication between the two VPCs. + +- Creating a VPC peering connection with a VPC in another account + + + .. figure:: /_static/images/en-us_image_0162335565.png + :alt: **Figure 2** Creating a VPC peering connection with a VPC in another account + + + **Figure 2** Creating a VPC peering connection with a VPC in another account + + If you create a VPC peering connection between your VPC and a VPC that is in another account, the VPC peering connection will be in the **Awaiting acceptance** state. After the owner of the peer account accepts the connection, the connection status changes to **Accepted**. The owners of both the local and peer accounts must configure the routes required by the VPC peering connection to enable communication between the two VPCs. 
+ + If the local and peer VPCs have overlapping CIDR blocks, the routes added for the VPC peering connection may become invalid. Before creating a VPC peering connection between two VPCs that have overlapping CIDR blocks, ensure that none of the subnets in the two VPCs overlap. If none of the subnets in the two VPCs overlap, the VPC peering connection you created enables communication between subnets in the two VPCs. + + After a VPC peering connection is created, you can use the ping command to check whether the local network is connected. The ping command cannot be used to check whether the gateway of the peer subnet is connected. diff --git a/umn/source/operation_guide_old_console_edition/direct_connect.rst b/umn/source/operation_guide_old_console_edition/direct_connect.rst new file mode 100644 index 0000000..5dfb4fe --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/direct_connect.rst @@ -0,0 +1,10 @@ +:original_name: vpc_dc02_0001.html + +.. _vpc_dc02_0001: + +Direct Connect +============== + +Direct Connect allows you to establish a dedicated network connection between your data center and the cloud platform. With Direct Connect, you can establish a private connection between the cloud platform and your data center, office, or collocation environment, which can reduce your network latency and provide a more consistent network experience than Internet-based connections. + +For more information about Direct Connect, see the *Direct Connect User Guide*. diff --git a/umn/source/operation_guide_old_console_edition/eip/assigning_an_eip_and_binding_it_to_an_ecs.rst b/umn/source/operation_guide_old_console_edition/eip/assigning_an_eip_and_binding_it_to_an_ecs.rst new file mode 100644 index 0000000..7ae14bb --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/eip/assigning_an_eip_and_binding_it_to_an_ecs.rst 
@@ -0,0 +1,123 @@ +:original_name: vpc_eip02_0001.html + +.. _vpc_eip02_0001: + +Assigning an EIP and Binding It to an ECS +========================================= + +Scenarios +--------- + +You can assign an EIP and bind it to an ECS so that the ECS can access the Internet. + +.. note:: + + EIPs for dedicated load balancers: + + - In the **eu-de** region, if you choose to assign an EIP when you create a dedicated load balancer on the management console or using APIs, EIPs for dedicated load balancers (**5_gray**) will be assigned. + - Do not bind EIPs of this type to non-dedicated load balancers. + - Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect. + +Assigning an EIP +---------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. On the displayed page, click **Assign EIP**. + +#. Set the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001117669274.png + :alt: **Figure 1** Assign EIP + + + **Figure 1** Assign EIP + + .. 
table:: **Table 1** Parameter descriptions + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================================================================================================================================+=========================+ + | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | EIP Type | - **Dynamic BGP**: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails. | Dynamic BGP | + | | - **Mail BGP**: EIPs with port 25, 465, or 587 enabled are used. | | + | | | | + | | The selected EIP type cannot be changed after the EIP is assigned. 
| | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Bandwidth | The bandwidth size in Mbit/s. | 100 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Bandwidth Name | The name of the bandwidth. | bandwidth | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Tag | The EIP tags. Each tag contains a key and value pair. | - Key: Ipv4_key1 | + | | | - Value: 192.168.12.10 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + | Quantity | The number of EIPs you want to purchase. 
| 1 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------+ + + .. _vpc_eip02_0001__en-us_topic_0118498850_table36606052153313: + + .. table:: **Table 2** EIP tag requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirement | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | Ipv4_key1 | + | | - Must be unique for each EIP. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | 192.168.12.10 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **Create Now**. + +#. Click **Submit**. + +Binding an EIP +-------------- + +#. On the **EIPs** page, locate the row that contains the target EIP, and click **Bind**. + +#. Select the instance to which you want to bind the EIP. + + + .. 
figure:: /_static/images/en-us_image_0000001166028070.png + :alt: **Figure 2** Bind EIP + + + **Figure 2** Bind EIP + +#. Click **OK**. + +An IPv6 client on the Internet can access the ECS that has an EIP bound in a VPC. For details about the implementation and constraints, see :ref:`How Does an IPv6 Client on the Internet Access the ECS That Has an EIP Bound in a VPC? ` + +Follow-Up Procedure +------------------- + +After an ECS with an EIP bound is created, the system generates a domain name in the format of **ecs-**\ *xx-xx-xx-xx*\ **.compute.**\ *xxx*\ **.com** for the EIP by default. *xx-xx-xx-xx* indicates the EIP, and xxx indicates the domain name of the cloud service provider. You can use the domain name to access the ECS. + +You can use any of the following commands to obtain the domain name of an EIP: + +- ping -a *EIP* +- nslookup [-qt=ptr] *EIP* +- dig -x *EIP* + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/eip/index.rst b/umn/source/operation_guide_old_console_edition/eip/index.rst new file mode 100644 index 0000000..9b20f37 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/eip/index.rst @@ -0,0 +1,20 @@ +:original_name: vpc_eip02_0000.html + +.. _vpc_eip02_0000: + +EIP +=== + +- :ref:`Assigning an EIP and Binding It to an ECS ` +- :ref:`Unbinding an EIP from an ECS and Releasing the EIP ` +- :ref:`Managing EIP Tags ` +- :ref:`Modifying an EIP Bandwidth ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + assigning_an_eip_and_binding_it_to_an_ecs + unbinding_an_eip_from_an_ecs_and_releasing_the_eip + managing_eip_tags + modifying_an_eip_bandwidth diff --git a/umn/source/operation_guide_old_console_edition/eip/managing_eip_tags.rst b/umn/source/operation_guide_old_console_edition/eip/managing_eip_tags.rst new file mode 100644 index 0000000..c47119c --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/eip/managing_eip_tags.rst 
@@ -0,0 +1,93 @@ +:original_name: vpc_eip02_0003.html + +.. _vpc_eip02_0003: + +Managing EIP Tags +================= + +Scenarios +--------- + +Tags can be added to EIPs to facilitate EIP identification and administration. You can add a tag to an EIP when assigning the EIP. Alternatively, you can add a tag to an assigned EIP on the EIP details page. A maximum of 20 tags can be added to each EIP. + +A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. + +.. _vpc_eip02_0003__en-us_topic_0118499005_ted9687ca14074ef785241145365a6175: + +.. table:: **Table 1** EIP tag requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirement | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | Ipv4_key1 | + | | - Must be unique for each EIP. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | 192.168.12.10 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +Procedure +--------- + +**Searching for EIPs by tag key and value on the page showing the EIP list** + +#. Log in to the management console. + +#. 
Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. In the upper right corner of the EIP list, click **Search by Tag**. + +#. In the displayed area, enter the tag key and value of the EIP you are looking for. + + You must specify both the tag key and value. The system will display the EIPs that contain the tag you specified. + +#. Click **+** to add another tag key and value. + + You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for EIPs, the system will display only the EIPs that contain all of the tags you specified. + +#. Click **Search**. + + The system displays the EIPs you are looking for based on the entered tag keys and values. + +**Adding, deleting, editing, and viewing tags on the Tags tab of an EIP** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, locate the EIP whose tags you want to manage, and click the EIP name. +#. On the page showing EIP details, click the **Tags** tab and perform desired operations on tags. + + - View tags. + + On the **Tags** tab, you can view details about tags added to the current EIP, including the number of tags and the key and value of each tag. + + - Add a tag. + + Click **Add Tag** in the upper left corner. In the displayed **Add Tag** dialog box, enter the tag key and value, and click **OK**. + + - Edit a tag. + + Locate the row that contains the tag you want to edit, and click **Edit** in the **Operation** column. Enter the new tag value, and click **OK**. + + The tag key cannot be modified. + + - Delete a tag. + + Locate the row that contains the tag you want to delete, and click **Delete** in the **Operation** column. In the displayed dialog box, click **Yes**. + +.. 
|image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/eip/modifying_an_eip_bandwidth.rst b/umn/source/operation_guide_old_console_edition/eip/modifying_an_eip_bandwidth.rst new file mode 100644 index 0000000..1a27bdc --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/eip/modifying_an_eip_bandwidth.rst @@ -0,0 +1,34 @@ +:original_name: vpc_eip02_0004.html + +.. _vpc_eip02_0004: + +Modifying an EIP Bandwidth +========================== + +Scenarios +--------- + +Modify the EIP bandwidth name or size. + +.. note:: + + This section describes how to modify the dedicated bandwidth or shared bandwidth of an EIP. For details about how to modify a shared bandwidth, see :ref:`Modifying a Shared Bandwidth `. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. Locate the row that contains the target EIP in the EIP list, click **More** in the **Operation** column, and select **Modify Bandwidth**. + +#. Modify the bandwidth parameters as prompted. + +#. Click **Next**. + +#. Click **Submit**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/eip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst b/umn/source/operation_guide_old_console_edition/eip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst new file mode 100644 index 0000000..772e299 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/eip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst 
@@ -0,0 +1,60 @@ +:original_name: vpc_eip02_0002.html + +.. _vpc_eip02_0002: + +Unbinding an EIP from an ECS and Releasing the EIP +================================================== + +Scenarios +--------- + +If you no longer need an EIP, unbind it from the ECS and release the EIP to avoid wasting network resources. + +Notes and Constraints +--------------------- + +- EIP assigned together with your load balancers will also be displayed in the EIP list on the VPC console. On the EIP console or using EIP APIs, you cannot bind EIPs to or unbind them from dedicated load balancers, but you can bind EIPs to or unbind them from shared load balancers. +- You can only release EIPs that are not bound to any resources. + +Procedure +--------- + +**Unbinding a single EIP** + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, locate the row that contains the target EIP, and click **Unbind**. +#. Click **Yes** in the displayed dialog box. + +**Releasing a single EIP** + +#. Log in to the management console. + +2. Click |image2| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Elastic IP**. +4. On the displayed page, locate the row that contains the target EIP, click **More** and then **Release** in the **Operation** column. +5. Click **Yes** in the displayed dialog box. + +**Unbinding multiple EIPs at once** + +#. Log in to the management console. +#. Click |image3| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, select the EIPs to be unbound. +#. Click the **Unbind** button located above the EIP list. +#. Click **Yes** in the displayed dialog box. + +**Releasing multiple EIPs at once** + +#. 
Log in to the management console. +#. Click |image4| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Elastic IP**. +#. On the displayed page, select the EIPs to be released. +#. Click the **Release** button located above the EIP list. +#. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png +.. |image3| image:: /_static/images/en-us_image_0141273034.png +.. |image4| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/index.rst b/umn/source/operation_guide_old_console_edition/index.rst new file mode 100644 index 0000000..59f889f --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/index.rst @@ -0,0 +1,32 @@ +:original_name: vpc_oldui_0000.html + +.. _vpc_oldui_0000: + +Operation Guide (Old Console Edition) +===================================== + +- :ref:`VPC and Subnet ` +- :ref:`Security ` +- :ref:`EIP ` +- :ref:`Shared Bandwidth ` +- :ref:`Route Table ` +- :ref:`VPC Peering Connection ` +- :ref:`VPC Flow Log ` +- :ref:`Direct Connect ` +- :ref:`Virtual IP Address ` +- :ref:`Monitoring ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + vpc_and_subnet/index + security/index + eip/index + shared_bandwidth/index + route_table/index + vpc_peering_connection/index + vpc_flow_log/index + direct_connect + virtual_ip_address/index + monitoring/index diff --git a/umn/source/operation_guide_old_console_edition/monitoring/creating_an_alarm_rule.rst b/umn/source/operation_guide_old_console_edition/monitoring/creating_an_alarm_rule.rst new file mode 100644 index 0000000..dfcc52c --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/monitoring/creating_an_alarm_rule.rst 
@@ -0,0 +1,34 @@ +:original_name: vpc_monitor02_0003.html + +.. _vpc_monitor02_0003: + +Creating an Alarm Rule +====================== + +Scenarios +--------- + +You can configure alarm rules to customize the monitored objects and notification policies. You can learn your resource statuses at any time. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. Hover on the upper left corner to display **Service List** and choose **Management & Governance** > **Cloud Eye**. + +4. In the left navigation pane on the left, choose **Alarm Management** > **Alarm Rules**. + +5. On the **Alarm Rules** page, click **Create Alarm Rule** and set required parameters, or modify an existing alarm rule. + +6. After the parameters are set, click **Create**. + + After the alarm rule is created, the system automatically notifies you if an alarm is triggered for the VPC service. + + .. note:: + + For more information about alarm rules, see the *Cloud Eye User Guide*. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/monitoring/index.rst b/umn/source/operation_guide_old_console_edition/monitoring/index.rst new file mode 100644 index 0000000..6136150 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/monitoring/index.rst @@ -0,0 +1,18 @@ +:original_name: vpc_monitor02_0000.html + +.. _vpc_monitor02_0000: + +Monitoring +========== + +- :ref:`Supported Metrics ` +- :ref:`Viewing Metrics ` +- :ref:`Creating an Alarm Rule ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + supported_metrics + viewing_metrics + creating_an_alarm_rule diff --git a/umn/source/operation_guide_old_console_edition/monitoring/supported_metrics.rst b/umn/source/operation_guide_old_console_edition/monitoring/supported_metrics.rst new file mode 100644 index 0000000..5a04b87 --- /dev/null 
+++ b/umn/source/operation_guide_old_console_edition/monitoring/supported_metrics.rst 
@@ -0,0 +1,79 @@ +:original_name: vpc_monitor02_0001.html + +.. _vpc_monitor02_0001: + +Supported Metrics +================= + +Description +----------- + +This section describes the namespace, list, and measurement dimensions of EIP and bandwidth metrics that you can check on Cloud Eye. You can use APIs or the Cloud Eye console to query the metrics of the monitored metrics and alarms generated for EIPs and bandwidths. + +Namespace +--------- + +SYS.VPC + +Monitoring Metrics +------------------ + +.. table:: **Table 1** EIP and bandwidth metrics + + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | ID | Name | Description | Value Range | Monitored Object | Monitoring Interval (Raw Data) | + +======================+====================+=================================================+=============+==================+================================+ + | upstream_bandwidth | Outbound Bandwidth | Network rate of outbound traffic | ≥ 0 bit/s | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: bit/s | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | downstream_bandwidth | Inbound Bandwidth | Network rate of inbound traffic | ≥ 0 bit/s | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: bit/s | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | up_stream | Outbound Traffic | Network traffic going out of the cloud platform | ≥ 0 bytes | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: byte | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + | down_stream | Inbound 
Traffic | Network traffic going into the cloud platform | ≥ 0 bytes | Bandwidth or EIP | 1 minute | + | | | | | | | + | | | Unit: byte | | | | + +----------------------+--------------------+-------------------------------------------------+-------------+------------------+--------------------------------+ + +Dimensions +---------- + +============ ============ +Key Value +============ ============ +publicip_id EIP ID +bandwidth_id Bandwidth ID +============ ============ + +If a monitored object has multiple dimensions, all dimensions are mandatory when you use APIs to query the metrics. + +- Query a monitoring metric: + + dim.0=bandwidth_id,530cd6b0-86d7-4818-837f-935f6a27414d&dim.1=publicip_id,3773b058-5b4f-4366-9035-9bbd9964714a + +- Query monitoring metrics in batches: + + "dimensions": [ + + { + + "name": "bandwidth_id", + + "value": "530cd6b0-86d7-4818-837f-935f6a27414d" + + } + + { + + "name": "publicip_id", + + "value": "3773b058-5b4f-4366-9035-9bbd9964714a" + + } + + ], diff --git a/umn/source/operation_guide_old_console_edition/monitoring/viewing_metrics.rst b/umn/source/operation_guide_old_console_edition/monitoring/viewing_metrics.rst new file mode 100644 index 0000000..54f97e5 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/monitoring/viewing_metrics.rst 
@@ -0,0 +1,23 @@ +:original_name: vpc_monitor02_0002.html + +.. _vpc_monitor02_0002: + +Viewing Metrics +=============== + +Scenarios +--------- + +View related metrics to see bandwidth and EIP usage information. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. Hover on the upper left corner to display **Service List** and choose **Management & Governance** > **Cloud Eye**. +4. Click **Cloud Service Monitoring** on the left of the page, and choose **Elastic IP and Bandwidth**. +5. Locate the row that contains the target bandwidth or EIP and click **View Metric** in the **Operation** column to check the bandwidth or EIP monitoring information. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/route_table/adding_a_custom_route.rst b/umn/source/operation_guide_old_console_edition/route_table/adding_a_custom_route.rst new file mode 100644 index 0000000..86cf28e --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/route_table/adding_a_custom_route.rst 
@@ -0,0 +1,33 @@ +:original_name: vpc_route02_0003.html + +.. _vpc_route02_0003: + +Adding a Custom Route +===================== + +Scenarios +--------- + +If ECSs in a VPC need to access the Internet, add a custom route to enable the ECSs to access the Internet through an ECS that has an EIP bound. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. On the **Virtual Private Cloud** page, locate the VPC to which a route is to be added and click the VPC name. +#. On the **Route Tables** tab, click **Add Route**. +#. Set route details on the displayed page. + + - **Destination** indicates the destination CIDR block. The default value is **0.0.0.0/0**. If the traffic originates from a VPC, the destination can be a subnet CIDR block in this VPC. If the traffic originates from outside the VPC, the destination CIDR block cannot conflict with any of the subnet CIDR blocks in this VPC. The destination of each route must be unique. + - **Next Hop**: indicates the IP address of the next hop. Set it to a private IP address or a virtual IP address in a VPC. + + .. note:: + + If the next hop is a virtual IP address, an EIP must be bound to the virtual IP address. Otherwise, access to the Internet through this virtual IP address is not possible. (A custom route is used to forward traffic from the virtual IP address to the Internet.) + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0226820252.png diff --git a/umn/source/operation_guide_old_console_edition/route_table/configuring_an_snat_server.rst b/umn/source/operation_guide_old_console_edition/route_table/configuring_an_snat_server.rst new file mode 100644 index 0000000..463f5df --- /dev/null 
+++ b/umn/source/operation_guide_old_console_edition/route_table/configuring_an_snat_server.rst 
@@ -0,0 +1,141 @@ +:original_name: vpc_route02_0002.html + +.. _vpc_route02_0002: + +Configuring an SNAT Server +========================== + +Scenarios +--------- + +To use the route table function provided by the VPC service, you need to configure SNAT on an ECS to enable other ECSs that do not have EIPs bound in a VPC to access the Internet through this ECS. + +The configured SNAT takes effect for all subnets in a VPC. + +Prerequisites +------------- + +- You have an ECS where SNAT is to be configured. +- The ECS where SNAT is to be configured runs the Linux OS. +- The ECS where SNAT is to be configured has only one network interface card (NIC). + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Compute**, click **Elastic Cloud Server**. + +4. On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details. + +5. On the displayed ECS details page, click the **NICs** tab. + +6. Click the NIC IP address. In the displayed area showing the NIC details, disable the source/destination check function. + + By default, the source/destination check is enabled. When this check is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If SNAT is used, the SNAT server needs to forward packets. This mechanism prevents the packet sender from receiving returned packets. Therefore, you need to disable the source/destination check for SNAT servers. + +7. Bind an EIP. + + - Bind an EIP with the private IP address of the ECS. For details, see :ref:`Assigning an EIP and Binding It to an ECS `. + - Bind an EIP with the virtual IP address of the ECS. 
For details, see :ref:`Binding a Virtual IP Address to an EIP or ECS `. + +8. On the ECS console, use the remote login function to log in to the ECS where you plan to configure SNAT. + +9. Run the following command and enter the password of user **root** to switch to user **root**: + + **su - root** + +10. Run the following command to check whether the ECS can successfully connect to the Internet: + + .. note:: + + Before running the command, you must disable the response iptables rule on the ECS where SNAT is configured and enable the security group rules. + + **ping www.google.com** + + The ECS can access the Internet if the following information is displayed: + + .. code-block:: console + + [root@localhost ~]# ping www.google.com + PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data. + 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms + 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms + 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms + +11. Run the following command to check whether IP forwarding of the Linux OS is enabled: + + **cat /proc/sys/net/ipv4/ip_forward** + + In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. + + - If IP forwarding in Linux is enabled, go to step :ref:`14 `. + - If IP forwarding in Linux is disabled, perform step :ref:`12 ` to enable IP forwarding in Linux. + + Many OSs support packet routing. Before forwarding packets, OSs change source IP addresses in the packets to OS IP addresses. Therefore, the forwarded packets contain the IP address of the public sender so that the response packets can be sent back along the same path to the initial packet sender. This method is called SNAT. The OSs need to keep track of the packets where IP addresses have been changed to ensure that the destination IP addresses in the packets can be rewritten and that packets can be forwarded to the initial packet sender. 
To achieve these purposes, you need to enable the IP forwarding function and configure SNAT rules. + +12. .. _vpc_route02_0002__en-us_topic_0118499009_li3948189019612: + + Use the vi editor to open the **/etc/sysctl.conf** file, change the value of **net.ipv4.ip_forward** to **1**, and enter **:wq** to save the change and exit. + +13. Run the following command to make the change take effect: + + **sysctl -p /etc/sysctl.conf** + +14. .. _vpc_route02_0002__en-us_topic_0118499009_li2168883919851: + + Configure SNAT. + + Run the following command to enable all ECSs on the network (for example, 192.168.1.0/24) to access the Internet using the SNAT function: :ref:`Figure 1 ` shows the example command. + + **iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip** + + .. _vpc_route02_0002__en-us_topic_0118499009_fig27328760201321: + + .. figure:: /_static/images/en-us_image_0118498992.png + :alt: **Figure 1** Configuring SNAT + + + **Figure 1** Configuring SNAT + + .. note:: + + - To ensure that the rule will not be lost after the restart, write the rule into the **/etc/rc.local** file. + + a. Run the following command to switch to the **/etc/sysctl.conf** file: + + **vi /etc/rc.local** + + b. Perform :ref:`14 ` to configure SNAT. + + c. Run the following command to save the configuration and exit: + + **:wq** + + d. Run the following command to add the execute permission for the **rc.local** file: + + **# chmod +x /etc/rc.local** + + - To ensure that the configuration takes effect, run the **iptables -L** command to check whether the configured rules conflict with each other. + +15. Run the following command to check whether the operation is successful: If information similar to :ref:`Figure 2 ` (for example, 192.168.1.0/24) is displayed, the operation was successful. + + **iptables -t nat --list** + + .. _vpc_route02_0002__en-us_topic_0118499009_fig8358771201535: + + .. 
figure:: /_static/images/en-us_image_0118499109.png + :alt: **Figure 2** Verifying configuration + + + **Figure 2** Verifying configuration + +16. Add a route. For details, see section :ref:`Adding a Custom Route `. + + Set the destination to **0.0.0.0/0**, and the next hop to the private or virtual IP address of the ECS where SNAT is deployed. For example, the next hop is **192.168.1.4**. + +After these operations are complete, if the network communication still fails, check your security group and firewall configuration to see whether required traffic is allowed. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/route_table/deleting_a_route.rst b/umn/source/operation_guide_old_console_edition/route_table/deleting_a_route.rst new file mode 100644 index 0000000..02934db --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/route_table/deleting_a_route.rst @@ -0,0 +1,24 @@ +:original_name: vpc_route02_0006.html + +.. _vpc_route02_0006: + +Deleting a Route +================ + +Scenarios +--------- + +Delete a route if it is no longer required. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. On the **Virtual Private Cloud** page, locate the VPC that the route to be deleted belongs to and click the VPC name. +#. Click the **Route Tables** tab. On the displayed page, locate the row that contains the route to be deleted, and click **Delete** in the **Operation** column. +#. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0226820247.png 
diff --git a/umn/source/operation_guide_old_console_edition/route_table/index.rst b/umn/source/operation_guide_old_console_edition/route_table/index.rst new file mode 100644 index 0000000..6aeb808 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/route_table/index.rst @@ -0,0 +1,24 @@ +:original_name: vpc_route02_0000.html + +.. _vpc_route02_0000: + +Route Table +=========== + +- :ref:`Route Table Overview ` +- :ref:`Configuring an SNAT Server ` +- :ref:`Adding a Custom Route ` +- :ref:`Querying a Route Table ` +- :ref:`Modifying a Route ` +- :ref:`Deleting a Route ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + route_table_overview + configuring_an_snat_server + adding_a_custom_route + querying_a_route_table + modifying_a_route + deleting_a_route diff --git a/umn/source/operation_guide_old_console_edition/route_table/modifying_a_route.rst b/umn/source/operation_guide_old_console_edition/route_table/modifying_a_route.rst new file mode 100644 index 0000000..48edb56 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/route_table/modifying_a_route.rst 
@@ -0,0 +1,24 @@ +:original_name: vpc_route02_0005.html + +.. _vpc_route02_0005: + +Modifying a Route +================= + +Scenarios +--------- + +Change the destination and next hop of the route. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. On the **Virtual Private Cloud** page, locate the VPC to which the route to be modified belongs and click the VPC name. +#. Click the **Route Tables** tab. On the displayed page, locate the row that contains the route to be modified, and click **Modify** in the **Operation** column. Modify the route information in the displayed dialog box. +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0226223279.png diff --git a/umn/source/operation_guide_old_console_edition/route_table/querying_a_route_table.rst b/umn/source/operation_guide_old_console_edition/route_table/querying_a_route_table.rst new file mode 100644 index 0000000..fdc79d8 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/route_table/querying_a_route_table.rst 
@@ -0,0 +1,23 @@ +:original_name: vpc_route02_0004.html + +.. _vpc_route02_0004: + +Querying a Route Table +====================== + +Scenarios +--------- + +You can query information about a route table or all route tables. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. On the **Virtual Private Cloud** page, locate the VPC that the route to be queried belongs to and click the VPC name. +#. View information about a single route or all routes in the route list. + +.. |image1| image:: /_static/images/en-us_image_0226820250.png diff --git a/umn/source/operation_guide_old_console_edition/route_table/route_table_overview.rst b/umn/source/operation_guide_old_console_edition/route_table/route_table_overview.rst new file mode 100644 index 0000000..f44aae1 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/route_table/route_table_overview.rst @@ -0,0 +1,8 @@ +:original_name: vpc_route02_0001.html + +.. _vpc_route02_0001: + +Route Table Overview +==================== + +A custom route is a user-defined routing rule added to a VPC. diff --git a/umn/source/operation_guide_old_console_edition/security/differences_between_security_groups_and_firewalls.rst b/umn/source/operation_guide_old_console_edition/security/differences_between_security_groups_and_firewalls.rst new file mode 100644 index 0000000..07c6c43 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/differences_between_security_groups_and_firewalls.rst 
@@ -0,0 +1,41 @@ +:original_name: vpc_acl02_0015.html + +.. _vpc_acl02_0015: + +Differences Between Security Groups and Firewalls +================================================= + +You can configure security groups and firewall to increase the security of ECSs in your VPC. + +- Security groups operate at the ECS level. +- Firewalls operate at the subnet level. + +For details, see :ref:`Figure 1 `. + +.. _vpc_acl02_0015__en-us_topic_0118534001_fig9582182315479: + +.. figure:: /_static/images/en-us_image_0148244691.png + :alt: **Figure 1** Security groups and firewalls + + + **Figure 1** Security groups and firewalls + +:ref:`Table 1 ` describes the differences between security groups and firewalls. + +.. _vpc_acl02_0015__en-us_topic_0118534001_table53053071174845: + +.. table:: **Table 1** Differences between security groups and firewalls + + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Category | Security Group | Firewall | + +==========+================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================================+ + | Targets | Operates at the ECS level. | Operates at the subnet level. 
| + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rules | Supports both **Allow** and **Deny** rules. | Supports both **Allow** and **Deny** rules. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. 
You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable firewall. The firewall then takes effect for the associated subnets and ECSs in the subnets. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. | + +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/adding_a_firewall_rule.rst b/umn/source/operation_guide_old_console_edition/security/firewall/adding_a_firewall_rule.rst new file mode 100644 index 0000000..bdab32b --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/adding_a_firewall_rule.rst 
@@ -0,0 +1,82 @@ +:original_name: vpc_acl02_0004.html + +.. _vpc_acl02_0004: + +Adding a Firewall Rule +====================== + +Scenarios +--------- + +Add an inbound or outbound rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, click **Add Rule** to add an inbound or outbound rule. + + - Click **+** to add more rules. + - Locate the row that contains the firewall rule and click **Replicate** in the **Operation** column to replicate an existing rule. + + + .. figure:: /_static/images/en-us_image_0152238989.png + :alt: **Figure 1** Add Inbound Rule + + + **Figure 1** Add Inbound Rule + + .. table:: **Table 1** Parameter descriptions + + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+================================================================================================================================================================================================================================================================+=======================+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be **TCP**, **UDP**, **All**, or **ICMP**. If **ICMP** or **All** is selected, you do not need to specify port information. | TCP | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic from all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic to all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/associating_subnets_with_a_firewall.rst b/umn/source/operation_guide_old_console_edition/security/firewall/associating_subnets_with_a_firewall.rst new file mode 100644 index 0000000..c5bb100 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/associating_subnets_with_a_firewall.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_acl02_0005.html + +.. _vpc_acl02_0005: + +Associating Subnets with a Firewall +=================================== + +Scenarios +--------- + +On the page showing firewall details, associate desired subnets with a firewall. After a firewall is associated with a subnet, the firewall denies all traffic to and from the subnet until you add rules to allow traffic. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click the **Associated Subnets** tab. +7. On the **Associated Subnets** page, click **Associate**. +8. On the displayed page, select the subnets to be associated with the firewall, and click **OK**. + +.. note:: + + Subnets that have already been associated with firewalls will not be displayed on the page for you to select. One-click subnet association and disassociation are not currently supported. Furthermore, a subnet can only be associated with one firewall. If you want to reassociate a subnet that has already been associated with another firewall, you must first disassociate the subnet from the original firewall. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/changing_the_sequence_of_a_firewall_rule.rst b/umn/source/operation_guide_old_console_edition/security/firewall/changing_the_sequence_of_a_firewall_rule.rst new file mode 100644 index 0000000..5b97bc7 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/changing_the_sequence_of_a_firewall_rule.rst 
@@ -0,0 +1,34 @@ +:original_name: vpc_acl02_0007.html + +.. _vpc_acl02_0007: + +Changing the Sequence of a Firewall Rule +======================================== + +Scenarios +--------- + +If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule. + +If multiple firewall rules conflict, only the rule with the highest priority takes effect. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the target rule, click **More** in the **Operation** column, and select **Insert Rule Above** or **Insert Rule Below**. + +7. In the displayed dialog box, configure required parameters and click **OK**. + + The rule is inserted. The procedure for inserting an outbound rule is the same as that for inserting an inbound rule. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/creating_a_firewall.rst b/umn/source/operation_guide_old_console_edition/security/firewall/creating_a_firewall.rst new file mode 100644 index 0000000..a8969d4 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/creating_a_firewall.rst 
@@ -0,0 +1,53 @@ +:original_name: vpc_acl02_0003.html + +.. _vpc_acl02_0003: + +Creating a Firewall +=================== + +Scenarios +--------- + +You can create a custom firewall, but any newly created firewall will be disabled by default. It will not have any inbound or outbound rules, or have any subnets associated. Each user can create up to 200 firewalls by default. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. In the right pane displayed, click **Create firewall**. + +6. In the displayed dialog box, enter firewall information as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0129304042.png + :alt: **Figure 1** Create Firewall + + + **Figure 1** Create Firewall + + .. _vpc_acl02_0003__en-us_topic_0118499011_table145313414319: + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================+=======================+ + | Name | The firewall name. This parameter is mandatory. | fw-92d3 | + | | | | + | | The name contains a maximum of 64 characters, which may consist of letters, digits, underscores (_), and hyphens (-). The name cannot contain spaces. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/deleting_a_firewall.rst b/umn/source/operation_guide_old_console_edition/security/firewall/deleting_a_firewall.rst new file mode 100644 index 0000000..dffa15a --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/deleting_a_firewall.rst @@ -0,0 +1,28 @@ +:original_name: vpc_acl02_0014.html + +.. _vpc_acl02_0014: + +Deleting a Firewall +=================== + +Scenarios +--------- + +Delete a firewall when it is no longer required. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall in the right pane, click **More** in the **Operation** column, and click **Delete**. +6. Click **Yes**. + + .. note:: + + After a firewall is deleted, associated subnets are disassociated and added rules are deleted from the firewall. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
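Review bot: In associating_subnets_with_a_firewall.rst, the Scenarios sentence "After a firewall is associated with a subnet, the firewall denies all traffic to and from the subnet until you add rules" conflicts with creating_a_firewall.rst ("any newly created firewall will be disabled by default") and with enabling_or_disabling_a_firewall.rst, which tells the reader to associate subnets and add rules before enabling. State whether the deny-all takes effect at association time or only once the firewall is enabled; an operator associating a production subnet needs to know at which click traffic is cut. Separately, the procedure list mixes `#.` for step 1 with explicit `2.`, `3.` ... for the rest; docutils starts a second list at the explicit enumerator and warns about a start value that is not 1, so use one enumerator style throughout (this applies to every procedure file in this patch).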
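Review bot: changing_the_sequence_of_a_firewall_rule.rst says "If multiple firewall rules conflict, only the rule with the highest priority takes effect" but never connects **Insert Rule Above** / **Insert Rule Below** to the priority value that firewall_overview.rst defines (smaller value, higher priority). Add one sentence saying that a rule inserted above the reference rule receives a smaller priority value and is matched first, and cross-reference the Rule Priorities section. The bold label in "Access Control > **firewalls**" is also lowercase while every other console label in the same step is title-case (**Virtual Private Cloud**, **Inbound Rules**); verify the actual console label, since the lowercase form looks like a mechanical rename.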
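Review bot: creating_a_firewall.rst describes a new firewall as "disabled by default", while firewall_overview.rst says a new firewall "is in the **Inactive** state until you associate subnets with it"; these are two different state models (disabled until explicitly enabled vs. inactive until a subnet is associated), and the Scenarios paragraph here is where the reader first meets it, so settle on one wording and use it in both files. It would also help to say in Scenarios that the firewall filters nothing until it has rules, an associated subnet, and is enabled, which is the sequence the rest of the patch assumes.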
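Review bot: The note under step 6 of deleting_a_firewall.rst says associated subnets are disassociated and rules are deleted, but not what that means for those subnets: per firewall_overview.rst a VPC has no firewall by default, so after deletion the subnets are no longer filtered by any firewall rules and only their security groups apply. Say so explicitly, and consider placing the note before the **Yes** confirmation in step 6 so the reader sees the consequence before confirming.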
diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/deleting_a_firewall_rule.rst b/umn/source/operation_guide_old_console_edition/security/firewall/deleting_a_firewall_rule.rst new file mode 100644 index 0000000..86787ce --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/deleting_a_firewall_rule.rst @@ -0,0 +1,29 @@ +:original_name: vpc_acl02_0010.html + +.. _vpc_acl02_0010: + +Deleting a Firewall Rule +======================== + +Scenarios +--------- + +Delete an inbound or outbound rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the row that contains the target rule and click **Delete** in the **Operation** column. +7. Click **Yes** in the displayed dialog box. + +**Deleting multiple Firewall rules at a time** + +You can also select multiple firewall rules and click **Delete** above the firewall rule list to delete multiple rules at a time. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/disassociating_a_subnet_from_a_firewall.rst b/umn/source/operation_guide_old_console_edition/security/firewall/disassociating_a_subnet_from_a_firewall.rst new file mode 100644 index 0000000..9e63878 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/disassociating_a_subnet_from_a_firewall.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_acl02_0006.html + +.. _vpc_acl02_0006: + +Disassociating a Subnet from a Firewall +======================================= + +Scenarios +--------- + +Disassociate a subnet from a firewall when necessary. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click the **Associated Subnets** tab. +7. On the **Associated Subnets** page, locate the row that contains the target subnet and click **Disassociate** in the **Operation** column. +8. Click **Yes** in the displayed dialog box. + +**Disassociating subnets from a firewall** + +Select multiple subnets and click **Disassociate** above the subnet list to disassociate the subnets from the current firewall at a time. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/enabling_or_disabling_a_firewall.rst b/umn/source/operation_guide_old_console_edition/security/firewall/enabling_or_disabling_a_firewall.rst new file mode 100644 index 0000000..13691b7 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/enabling_or_disabling_a_firewall.rst 
@@ -0,0 +1,26 @@ +:original_name: vpc_acl02_0013.html + +.. _vpc_acl02_0013: + +Enabling or Disabling a Firewall +================================ + +Scenarios +--------- + +After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if need. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall. + +When a firewall is disabled, custom rules will become invalid. Disabling a firewall may interrupt network traffic. For information about the default firewall rules, see :ref:`Default Firewall Rules `. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the row that contains the target firewall in the right pane, click **More** in the **Operation** column, and click **Enable** or **Disable**. +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/enabling_or_disabling_a_firewall_rule.rst b/umn/source/operation_guide_old_console_edition/security/firewall/enabling_or_disabling_a_firewall_rule.rst new file mode 100644 index 0000000..56ea4c4 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/enabling_or_disabling_a_firewall_rule.rst 
@@ -0,0 +1,32 @@ +:original_name: vpc_acl02_0009.html + +.. _vpc_acl02_0009: + +Enabling or Disabling a Firewall Rule +===================================== + +Scenarios +--------- + +Enable or disable an inbound or outbound rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the row that contains the target rule, and click **More** and then **Enable** or **Disable** in the **Operation** column. + +7. Click **Yes** in the displayed dialog box. + + The rule is enabled or disabled. The procedure for enabling or disabling an outbound rule is the same as that for enabling or disabling an inbound rule. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/firewall_configuration_examples.rst b/umn/source/operation_guide_old_console_edition/security/firewall/firewall_configuration_examples.rst new file mode 100644 index 0000000..98027dd --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/firewall_configuration_examples.rst 
@@ -0,0 +1,84 @@ +:original_name: vpc_acl02_0002.html + +.. _vpc_acl02_0002: + +Firewall Configuration Examples +=============================== + +This section provides examples for configuring firewalls. + +- :ref:`Denying Access from a Specific Port ` +- :ref:`Allowing Access from Specific Ports and Protocols ` + +.. _vpc_acl02_0002__en-us_topic_0144643911_section11312173319432: + +Denying Access from a Specific Port +----------------------------------- + +You might want to block TCP 445 to protect against the WannaCry ransomware attacks. You can add a firewall rule to deny all incoming traffic from TCP port 445. + +Firewall Configuration + +:ref:`Table 1 ` lists the inbound rule required. + +.. _vpc_acl02_0002__en-us_topic_0144643911_table553618145582: + +.. table:: **Table 1** firewall rules + + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------+ + | Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description | + +===========+========+==========+===========+===================+=============+========================+==================================================================+ + | Inbound | Deny | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 445 | Denies inbound traffic from any IP address through TCP port 445. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------+ + | Inbound | Allow | All | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | All | Allows all inbound traffic. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------+ + +.. note:: + + - By default, a firewall denies all inbound traffic. You need to allow all inbound traffic if necessary. 
+ - If you want a deny rule to be matched first, insert the deny rule above the allow rule. For details, see :ref:`Changing the Sequence of a Firewall Rule `. + +.. _vpc_acl02_0002__en-us_topic_0144643911_section61291659102216: + +Allowing Access from Specific Ports and Protocols +------------------------------------------------- + +In this example, an ECS in a subnet is used as the web server, and you need to allow inbound traffic from HTTP port 80 and HTTPS port 443 and allow all outbound traffic regardless of the port. You need to configure both the firewall rules and security group rules to allow the traffic. + +Firewall Configuration + +:ref:`Table 2 ` lists the inbound rule required. + +.. _vpc_acl02_0002__en-us_topic_0144643911_table195634095313: + +.. table:: **Table 2** firewall rules + + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + | Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description | + +===========+========+==========+===========+===================+=============+========================+==========================================================================================+ + | Inbound | Allow | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 80 | Allows inbound HTTP traffic from any IP address to ECSs in the subnet through port 80. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + | Inbound | Allow | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 443 | Allows inbound HTTPS traffic from any IP address to ECSs in the subnet through port 443. 
| + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + | Outbound | Allow | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Allows all outbound traffic from the subnet. | + +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ + +**Security group configuration** + +:ref:`Table 3 ` lists the inbound and outbound security group rules required. + +.. _vpc_acl02_0002__en-us_topic_0144643911_table30323767195135: + +.. table:: **Table 3** Security group rules + + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + | Direction | Protocol/Application | Port | Source/Destination | Description | + +===========+======================+======+========================+===============================================================================================================+ + | Inbound | TCP | 80 | Source: 0.0.0.0/0 | Allows inbound HTTP traffic from any IP address to ECSs associated with the security group through port 80. | + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + | Inbound | TCP | 443 | Source: 0.0.0.0/0 | Allows inbound HTTPS traffic from any IP address to ECSs associated with the security group through port 443. | + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + | Outbound | All | All | Destination: 0.0.0.0/0 | Allows all outbound traffic from the security group. 
| + +-----------+----------------------+------+------------------------+---------------------------------------------------------------------------------------------------------------+ + +A firewall adds an additional layer of security. Even if the security group rules allow more traffic than that actually required, the firewall rules allow only access from HTTP port 80 and HTTPS port 443 and deny other inbound traffic. diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/firewall_overview.rst b/umn/source/operation_guide_old_console_edition/security/firewall/firewall_overview.rst new file mode 100644 index 0000000..1558cf4 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/firewall_overview.rst 
@@ -0,0 +1,102 @@ +:original_name: vpc_acl02_0001.html + +.. _vpc_acl02_0001: + +Firewall Overview +================= + +A firewall is an optional layer of security for your subnets. After you associate one or more subnets with a firewall, you can control traffic in and out of the subnets. + +:ref:`Figure 1 ` shows how a firewall works. + +.. _vpc_acl02_0001__en-us_topic_0144643910_fig9582182315479: + +.. figure:: /_static/images/en-us_image_0148244691.png + :alt: **Figure 1** Security groups and firewalls + + + **Figure 1** Security groups and firewalls + +Similar to security groups, firewalls control access to subnets and add an additional layer of defense to your subnets. Security groups only have the "allow" rules, but firewalls have both "allow" and "deny" rules. You can use firewalls together with security groups to implement comprehensive and fine-grained access control. + +:ref:`Differences Between Security Groups and Firewalls ` summarizes the basic differences between security groups and firewalls. + +Firewall Basics +--------------- + +- Your VPC does not come with a firewall, but you can create a firewall and associate it with a VPC subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules. +- You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time. +- Each newly created firewall is in the **Inactive** state until you associate subnets with it. + +.. _vpc_acl02_0001__en-us_topic_0144643910_section99541345213: + +Default Firewall Rules +---------------------- + +By default, each firewall has preset rules that allow the following packets: + +- Packets whose source and destination are in the same subnet + +- Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information. 
+ +- Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols. + +- Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata. + +- Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16) + +- A firewall denies all traffic in and out of a subnet excepting the preceding ones. :ref:`Table 1 ` shows the default firewall rules. You cannot modify or delete the default rules. + + .. _vpc_acl02_0001__en-us_topic_0144643910_table1034601475112: + + .. table:: **Table 1** Default firewall rules + + +-----------+----------+--------+----------+-----------+-------------+------------------------------+ + | Direction | Priority | Action | Protocol | Source | Destination | Description | + +===========+==========+========+==========+===========+=============+==============================+ + | Inbound | \* | Deny | All | 0.0.0.0/0 | 0.0.0.0/0 | Denies all inbound traffic. | + +-----------+----------+--------+----------+-----------+-------------+------------------------------+ + | Outbound | \* | Deny | All | 0.0.0.0/0 | 0.0.0.0/0 | Denies all outbound traffic. | + +-----------+----------+--------+----------+-----------+-------------+------------------------------+ + +Rule Priorities +--------------- + +- Each firewall rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority. +- If multiple firewall rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule. 
+ +Application Scenarios +--------------------- + +- If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. However, you also need to prevent illegal access from malicious users. + + Solution: You can add firewall rules to deny access from suspect IP addresses. + +- How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm? + + Solution: You can add firewall rules to deny access traffic from a specific port and protocol, for example, TCP port 445. + +- No defense is required for the east-west traffic between subnets, but access control is required for north-south traffic. + + Solution: You can add firewall rules to protect north-south traffic. + +- For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance. + + Solution: A firewall allows you to adjust the rule sequence so that frequently used rules are applied before other rules. + +Configuration Procedure +----------------------- + +:ref:`Figure 2 ` shows the procedure for configuring a firewall. + +.. _vpc_acl02_0001__en-us_topic_0144643910_fig1643183218163: + +.. figure:: /_static/images/en-us_image_0162335382.png + :alt: **Figure 2** firewall configuration procedure + + + **Figure 2** firewall configuration procedure + +#. Create a firewall by following the steps described in :ref:`Creating a Firewall `. +#. Add firewall rules by following the steps described in :ref:`Adding a Firewall Rule `. +#. Associate subnets with the firewall by following the steps described in :ref:`Associating Subnets with a Firewall `. After subnets are associated with the firewall, the subnets will be protected by the configured firewall rules. 
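Review bot: deleting_a_firewall_rule.rst does not warn that removing a deny rule changes what the remaining rules admit: with the layout in firewall_configuration_examples.rst Table 1 (a TCP 445 deny row above an allow-all row), deleting the deny row immediately admits inbound traffic to port 445. Add a sentence under Scenarios or after step 7 telling the reader to check which rule will match once the deleted one is gone. Also, "**Deleting multiple Firewall rules at a time**" is a bold paragraph standing in for a heading, with an inconsistent capital "Firewall"; use a section heading or a `.. rubric::` and lowercase "firewall" as elsewhere in the file.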
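Review bot: The Scenarios text in disassociating_a_subnet_from_a_firewall.rst ("Disassociate a subnet from a firewall when necessary") gives no consequence; state that after disassociation the subnet is no longer filtered by the firewall's rules and only its security groups apply, so the reader understands the exposure before clicking **Yes** in step 8. The bold paragraph "**Disassociating subnets from a firewall**" also just repeats the page title; name the batch operation it introduces, for example "Disassociating multiple subnets at a time", matching the batch paragraph in deleting_a_firewall_rule.rst.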
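Review bot: In enabling_or_disabling_a_firewall.rst the paragraph "When a firewall is disabled, custom rules will become invalid. Disabling a firewall may interrupt network traffic." leaves the key question open: does a disabled firewall pass the subnet's traffic unfiltered, or does it fall back to the default deny rules the next sentence points to? Say which, because the two outcomes are opposite from an exposure standpoint (an open subnet versus an outage). Minor: "if need" should read "if needed".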
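Review bot: Step 6 of enabling_or_disabling_a_firewall_rule.rst says nothing about what disabling a rule does to matching. Since firewall_overview.rst says the highest-priority matching rule wins, disabling a deny rule lets the next matching rule take effect (for example the allow-all row in firewall_configuration_examples.rst Table 1), which is the same exposure as deleting it; add one sentence to that effect so that "Disable" is not read as a harmless toggle.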
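Review bot: The first example in firewall_configuration_examples.rst describes the wrong direction: the heading "Denying Access from a Specific Port" and the sentence "deny all incoming traffic from TCP port 445" do not match Table 1, whose rule has Source Port Range 1-65535 and Destination Port Range 445, i.e. it denies inbound traffic to destination port 445. Reword to "to TCP port 445"; the same "inbound traffic from HTTP port 80 and HTTPS port 443" wording in the second example should read "to port 80 and port 443", as the Table 2 rows already state. Table 1 also lacks the Priority column that Table 1 in firewall_overview.rst has, so the reader cannot see that the deny row must sit above the allow-all row, which the note below the table depends on; add the column or say explicitly that the deny rule is inserted above the allow rule. Finally, the closing sentence says the firewall "denies other inbound traffic" although Table 2 contains no deny row; it is worth saying that this comes from the preset default deny rule.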
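Review bot: The Configuration Procedure at the end of firewall_overview.rst (create, add rules, associate subnets) omits the enable step that enabling_or_disabling_a_firewall.rst requires, and the Firewall Basics bullet "Each newly created firewall is in the **Inactive** state until you associate subnets with it" conflicts with creating_a_firewall.rst ("disabled by default"); add an "Enable the firewall" step and settle on one state model across the two files. In Default Firewall Rules, the last bullet ("A firewall denies all traffic in and out of a subnet excepting the preceding ones ...") is not a packet type like the others; move it out of the list as a paragraph introducing Table 1 and change "excepting" to "except". The broadcast and multicast bullets also attach the "which is used ..." clause to the address rather than the packets; reword to "Broadcast packets to 255.255.255.255/32, used for host startup configuration" and "Multicast packets to 224.0.0.0/24, used by routing protocols".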
diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/index.rst b/umn/source/operation_guide_old_console_edition/security/firewall/index.rst new file mode 100644 index 0000000..5e4ef2f --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/index.rst @@ -0,0 +1,40 @@ +:original_name: vpc_acl02_0000.html + +.. _vpc_acl02_0000: + +Firewall +======== + +- :ref:`Firewall Overview ` +- :ref:`Firewall Configuration Examples ` +- :ref:`Creating a Firewall ` +- :ref:`Adding a Firewall Rule ` +- :ref:`Associating Subnets with a Firewall ` +- :ref:`Disassociating a Subnet from a Firewall ` +- :ref:`Changing the Sequence of a Firewall Rule ` +- :ref:`Modifying a Firewall Rule ` +- :ref:`Enabling or Disabling a Firewall Rule ` +- :ref:`Deleting a Firewall Rule ` +- :ref:`Viewing a Firewall ` +- :ref:`Modifying a Firewall ` +- :ref:`Enabling or Disabling a Firewall ` +- :ref:`Deleting a Firewall ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + firewall_overview + firewall_configuration_examples + creating_a_firewall + adding_a_firewall_rule + associating_subnets_with_a_firewall + disassociating_a_subnet_from_a_firewall + changing_the_sequence_of_a_firewall_rule + modifying_a_firewall_rule + enabling_or_disabling_a_firewall_rule + deleting_a_firewall_rule + viewing_a_firewall + modifying_a_firewall + enabling_or_disabling_a_firewall + deleting_a_firewall diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/modifying_a_firewall.rst b/umn/source/operation_guide_old_console_edition/security/firewall/modifying_a_firewall.rst new file mode 100644 index 0000000..3c2359c --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/modifying_a_firewall.rst 
@@ -0,0 +1,29 @@ +:original_name: vpc_acl02_0012.html + +.. _vpc_acl02_0012: + +Modifying a Firewall +==================== + +Scenarios +--------- + +Modify the name and description of a firewall. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click |image2| on the right of **Name** and edit the firewall name. +7. Click Y to save the new firewall name. +8. Click |image3| on the right of Description and edit the firewall description. +9. Click Y to save the new firewall description. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0142359884.png +.. |image3| image:: /_static/images/en-us_image_0142359884.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/modifying_a_firewall_rule.rst b/umn/source/operation_guide_old_console_edition/security/firewall/modifying_a_firewall_rule.rst new file mode 100644 index 0000000..3db9c2c --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/modifying_a_firewall_rule.rst 
@@ -0,0 +1,81 @@ +:original_name: vpc_acl02_0008.html + +.. _vpc_acl02_0008: + +Modifying a Firewall Rule +========================= + +Scenarios +--------- + +Modify an inbound or outbound firewall rule based on your network security requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. + +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + +6. On the **Inbound Rules** or **Outbound Rules** tab, locate the row that contains the target rule and click **Modify** in the **Operation** column. In the displayed dialog box, configure parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0285048674.png + :alt: **Figure 1** Modify Rule + + + **Figure 1** Modify Rule + + .. _vpc_acl02_0008__en-us_topic_0118498887_table59686157164549: + + .. table:: **Table 1** Parameter descriptions + + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+================================================================================================================================================================================================================================================================+=======================+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. 
Currently, the value can be **Allow** or **Deny**. | Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be **TCP**, **UDP**, **All**, or **ICMP**. If **ICMP** or **All** is selected, you do not need to specify port information. | TCP | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic from all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. 
| 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | The default value is **0.0.0.0/0**, which indicates that traffic to all IP addresses is allowed. | | + | | | | + | | For example: | | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IP address) | | + | | - xxx.xxx.xxx.0/24 (IP address range) | | + | | - 0.0.0.0/0 (all IP addresses) | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. 
| N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/firewall/viewing_a_firewall.rst b/umn/source/operation_guide_old_console_edition/security/firewall/viewing_a_firewall.rst new file mode 100644 index 0000000..0f5c051 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/firewall/viewing_a_firewall.rst @@ -0,0 +1,24 @@ +:original_name: vpc_acl02_0011.html + +.. _vpc_acl02_0011: + +Viewing a Firewall +================== + +Scenarios +--------- + +View details about a firewall. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **firewalls**. +5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. +6. On the displayed page, click the **Inbound Rules**, **Outbound Rules**, and **Associated Subnets** tabs one by one to view details about inbound rules, outbound rules, and subnet associations. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/index.rst b/umn/source/operation_guide_old_console_edition/security/index.rst new file mode 100644 index 0000000..c95086a --- /dev/null 
+++ b/umn/source/operation_guide_old_console_edition/security/index.rst @@ -0,0 +1,18 @@ +:original_name: vpc_security02_0000.html + +.. _vpc_security02_0000: + +Security +======== + +- :ref:`Security Group ` +- :ref:`Firewall ` +- :ref:`Differences Between Security Groups and Firewalls ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + security_group/index + firewall/index + differences_between_security_groups_and_firewalls diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/adding_a_security_group_rule.rst b/umn/source/operation_guide_old_console_edition/security/security_group/adding_a_security_group_rule.rst new file mode 100644 index 0000000..093b1fc --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/adding_a_security_group_rule.rst 
@@ -0,0 +1,101 @@ +:original_name: vpc_SecurityGroup02_0005.html + +.. _vpc_SecurityGroup02_0005: + +Adding a Security Group Rule +============================ + +Scenarios +--------- + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. + +If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule. + +- Inbound rules control incoming traffic to cloud resources in the security group. +- Outbound rules control outgoing traffic from cloud resources in the security group. + +For details about the default security group rules, see :ref:`Default Security Groups and Security Group Rules `. For details about security group rule configuration examples, see :ref:`Security Group Configuration Examples `. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +#. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + +#. On the **Inbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an inbound rule. + + You can click **+** to add more inbound rules. + + + .. figure:: /_static/images/en-us_image_0284920908.png + :alt: **Figure 1** Add Inbound Rule + + + **Figure 1** Add Inbound Rule + + .. 
table:: **Table 1** Inbound rule parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source of the security group rule. The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + | | | | + | | If the source is a security group, this rule will apply to all instances associated with the selected security group. 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. On the **Outbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an outbound rule. + + You can click **+** to add more outbound rules. + + + .. figure:: /_static/images/en-us_image_0284993717.png + :alt: **Figure 2** Add Outbound Rule + + + **Figure 2** Add Outbound Rule + + .. table:: **Table 2** Outbound rule parameter description + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================+=======================+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. 
| TCP | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
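Review bot: In Table 1 and Table 2 of adding_a_security_group_rule.rst the Source and Destination descriptions say the value can be "a single IP address or a security group", yet the examples under them list xxx.xxx.xxx.0/24 (IPv4 address range) and 0.0.0.0/0; the firewall table earlier in this patch already says "an IP address or IP address range", so align the wording here, for example "a single IP address, a CIDR block, or a security group". Separately, the Example Value column pairs port "22, or 22-30" with source "0.0.0.0/0", which documents SSH reachable from every IPv4 address as the model rule; a narrower example source such as xxx.xxx.xxx.0/24, or one sentence saying 0.0.0.0/0 belongs only on services meant to be public, would be the safer default to show. Finally, the Protocol row ends with "or others" without saying where the full list lives, and unlike the firewall table it never states that Port is not required when Protocol is All or ICMP.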
diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst b/umn/source/operation_guide_old_console_edition/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst new file mode 100644 index 0000000..adbe0ae --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst 
@@ -0,0 +1,48 @@ +:original_name: vpc_SecurityGroup02_0012.html + +.. _vpc_SecurityGroup02_0012: + +Adding Instances to and Removing Them from a Security Group +=========================================================== + +Scenarios +--------- + +After a security group is created, you can add instances to the security group to protect the instances. You can also remove them from the security group as required. + +You can add multiple instances to or remove them from a security group. + +Adding Instances to a Security Group +------------------------------------ + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. +6. On the **Servers** tab, click **Add** and add one or more servers to the current security group. +7. On the **Extension NICs** tab, click **Add** and add one or more extension NICs to the current security group. +8. Click **OK**. + +Removing Instances from a Security Group +---------------------------------------- + +#. Log in to the management console. + +2. Click |image2| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. +6. On the **Servers** tab, locate the target server and click **Remove** in the **Operation** column to remove the server from current security group. +7. On the **Extension NICs** tab, locate the target extension NIC and click **Remove** in the **Operation** column to remove the NIC from the current security group. +8. 
Click **Yes**. + +**Removing multiple instances from a security group** + +Select multiple servers and click **Remove** above the server list to remove the selected servers from the current security group all at once. + +Select multiple extension NICs and click **Remove** above the extension NIC list to remove the selected extension NICs from the current security group all at once. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/changing_the_security_group_of_an_ecs.rst b/umn/source/operation_guide_old_console_edition/security/security_group/changing_the_security_group_of_an_ecs.rst new file mode 100644 index 0000000..c6860a4 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/changing_the_security_group_of_an_ecs.rst 
@@ -0,0 +1,45 @@ +:original_name: vpc_SecurityGroup02_0015.html + +.. _vpc_SecurityGroup02_0015: + +Changing the Security Group of an ECS +===================================== + +Scenarios +--------- + +Change the security group associated with an ECS NIC. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select your region and project. + +#. Under **Computing**, click **Elastic Cloud Server**. + +#. In the ECS list, locate the row that contains the target ECS. Click **More** in the **Operation** column and select **Manage Network** > **Change Security Group**. + + The **Change Security Group** dialog box is displayed. + + + .. figure:: /_static/images/en-us_image_0122999741.png + :alt: **Figure 1** Change Security Group + + + **Figure 1** Change Security Group + +#. Select the target NIC and security groups as prompted. + + You can select multiple security groups. In such a case, the rules of all the selected security groups will be aggregated to apply on the ECS. + + To create a security group, click **Create Security Group**. + + .. note:: + + Using multiple security groups may deteriorate ECS network performance. You are suggested to select no more than five security groups. + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0093507575.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/creating_a_security_group.rst b/umn/source/operation_guide_old_console_edition/security/security_group/creating_a_security_group.rst new file mode 100644 index 0000000..5d0810f --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/creating_a_security_group.rst 
@@ -0,0 +1,57 @@ +:original_name: vpc_SecurityGroup02_0004.html + +.. _vpc_SecurityGroup02_0004: + +Creating a Security Group +========================= + +Scenarios +--------- + +To improve ECS access security, you can create security groups, define security group rules, and add ECSs in a VPC to different security groups. We recommend that you allocate ECSs that have different Internet access policies to different security groups. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, click **Create Security Group**. + +6. In the **Create Security Group** area, set the parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0000001197426329.png + :alt: **Figure 1** Create Security Group + + + **Figure 1** Create Security Group + + .. _vpc_securitygroup02_0004__en-us_topic_0118534004_table65377617111335: + + .. table:: **Table 1** Parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=======================+ + | Name | The security group name. This parameter is mandatory. 
| sg-318b | + | | | | + | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + | | | | + | | .. note:: | | + | | | | + | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group. This parameter is optional. | N/A | + | | | | + | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/default_security_groups_and_security_group_rules.rst b/umn/source/operation_guide_old_console_edition/security/security_group/default_security_groups_and_security_group_rules.rst new file mode 100644 index 0000000..fb28f0a --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/default_security_groups_and_security_group_rules.rst 
@@ -0,0 +1,32 @@ +:original_name: vpc_SecurityGroup02_0002.html + +.. _vpc_SecurityGroup02_0002: + +Default Security Groups and Security Group Rules +================================================ + +Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules. + +:ref:`Figure 1 ` shows the default security group rules. The following uses access between ECSs as an example. + +.. _vpc_securitygroup02_0002__en-us_topic_0118534003_fig997718156161: + +.. figure:: /_static/images/en-us_image_0000001230120807.png + :alt: **Figure 1** Default security group + + + **Figure 1** Default security group + +:ref:`Table 1 ` describes the default rules for the default security group. + +.. _vpc_securitygroup02_0002__en-us_topic_0118534003_table493045171919: + +.. table:: **Table 1** Default security group rules + + +-----------+----------+------------+--------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+ + | Direction | Protocol | Port/Range | Source/Destination | Description | + +===========+==========+============+==============================================================+====================================================================================================================+ + | Outbound | All | All | Destination: 0.0.0.0/0 | Allows all outbound traffic. 
| + +-----------+----------+------------+--------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+ + | Inbound | All | All | Source: the current security group (for example, sg-*xxxxx*) | Allows communications among ECSs within the security group and denies all inbound traffic (incoming data packets). | + +-----------+----------+------------+--------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/deleting_a_security_group.rst b/umn/source/operation_guide_old_console_edition/security/security_group/deleting_a_security_group.rst new file mode 100644 index 0000000..c60a6c1 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/deleting_a_security_group.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_SecurityGroup02_0011.html + +.. _vpc_SecurityGroup02_0011: + +Deleting a Security Group +========================= + +Scenarios +--------- + +This section describes how to delete security groups that you are no longer required. + +Notes and Constraints +--------------------- + +- The default security group cannot be deleted. +- If a security group is associated with resources other than servers and extension NICs, the security group cannot be deleted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, locate the row that contains the target security group, click **More** in the **Operation** column, and click **Delete**. +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/deleting_a_security_group_rule.rst b/umn/source/operation_guide_old_console_edition/security/security_group/deleting_a_security_group_rule.rst new file mode 100644 index 0000000..9b9b43c --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/deleting_a_security_group_rule.rst 
@@ -0,0 +1,33 @@ +:original_name: vpc_SecurityGroup02_0009.html + +.. _vpc_SecurityGroup02_0009: + +Deleting a Security Group Rule +============================== + +Scenarios +--------- + +If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one. + +.. note:: + + Security group rules use whitelists. Deleting a security group rule may result in ECS access failures. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click the security group name. +6. If you do not need a security group rule, locate the row that contains the target rule, and click **Delete**. +7. Click **Yes** in the displayed dialog box. + +**Deleting multiple security group rules at once** + +You can also select multiple security group rules and click **Delete** above the security group rule list to delete multiple rules at a time. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/fast-adding_security_group_rules.rst b/umn/source/operation_guide_old_console_edition/security/security_group/fast-adding_security_group_rules.rst new file mode 100644 index 0000000..23e6f6b --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/fast-adding_security_group_rules.rst 
@@ -0,0 +1,46 @@ +:original_name: vpc_SecurityGroup02_0006.html + +.. _vpc_SecurityGroup02_0006: + +Fast-Adding Security Group Rules +================================ + +Scenarios +--------- + +You can add multiple security group rules with different protocols and ports at the same time. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + +6. On the **Inbound Rules** tab, click **Fast-Add Rule**. In the displayed dialog box, select the protocols and ports you wish to add all at once. + + + .. figure:: /_static/images/en-us_image_0211552164.png + :alt: **Figure 1** Fast-Add Inbound Rule + + + **Figure 1** Fast-Add Inbound Rule + +7. On the **Outbound Rules** tab, click **Fast-Add Rule**. In the displayed dialog box, select required protocols and ports to add multiple rules at a time. + + + .. figure:: /_static/images/en-us_image_0211560998.png + :alt: **Figure 2** Fast-Add Outbound Rule + + + **Figure 2** Fast-Add Outbound Rule + +8. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/importing_and_exporting_security_group_rules.rst b/umn/source/operation_guide_old_console_edition/security/security_group/importing_and_exporting_security_group_rules.rst new file mode 100644 index 0000000..88be7f2 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/importing_and_exporting_security_group_rules.rst 
@@ -0,0 +1,76 @@ +:original_name: vpc_SecurityGroup02_0010.html + +.. _vpc_SecurityGroup02_0010: + +Importing and Exporting Security Group Rules +============================================ + +Scenarios +--------- + +If you want to quickly apply the rules of one security group to another, or if you want to modify multiple rules of the current security group at once, you can import or export existing rules. + +Security group rules are imported or exported to an Excel file. + +Notes and Constraints +--------------------- + +When modifying exported security group rules, you can only modify existing fields in the exported file based on the template and cannot add new fields or modify the field names. Otherwise, the file will fail to be imported. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click the security group name. +6. Export and import security group rules. + + - Click |image2| to export all rules of the current security group to an Excel file. + + - Click |image3| to import security group rules from an Excel file into the current security group. + + :ref:`Table 1 ` describes the parameters in the template for importing rules. + + .. _vpc_securitygroup02_0010__en-us_topic_0123534210_table111445216564: + + .. 
table:: **Table 1** Template parameters + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=========================================================================================================================================================================================+=======================+ + | Direction | The direction in which the security group rule takes effect. | Inbound | + | | | | + | | - Inbound rules control incoming traffic to cloud resources in the security group. | | + | | - Outbound rules control outgoing traffic from cloud resources in the security group. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source of the security group rule. 
The value can be a single IP address or a security group to allow access from the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination of the security group rule. The value can be a single IP address or a security group to allow access to the IP address or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | - | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Last Modified | The time when the security group was modified. 
| - | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0142360062.png +.. |image3| image:: /_static/images/en-us_image_0142360094.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/index.rst b/umn/source/operation_guide_old_console_edition/security/security_group/index.rst new file mode 100644 index 0000000..74ad6be --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/index.rst 
@@ -0,0 +1,42 @@ +:original_name: vpc_SecurityGroup02_0000.html + +.. _vpc_SecurityGroup02_0000: + +Security Group +============== + +- :ref:`Security Group Overview ` +- :ref:`Default Security Groups and Security Group Rules ` +- :ref:`Security Group Configuration Examples ` +- :ref:`Creating a Security Group ` +- :ref:`Adding a Security Group Rule ` +- :ref:`Fast-Adding Security Group Rules ` +- :ref:`Replicating a Security Group Rule ` +- :ref:`Modifying a Security Group Rule ` +- :ref:`Deleting a Security Group Rule ` +- :ref:`Importing and Exporting Security Group Rules ` +- :ref:`Deleting a Security Group ` +- :ref:`Adding Instances to and Removing Them from a Security Group ` +- :ref:`Modifying a Security Group ` +- :ref:`Viewing the Security Group of an ECS ` +- :ref:`Changing the Security Group of an ECS ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + security_group_overview + default_security_groups_and_security_group_rules + security_group_configuration_examples + creating_a_security_group + adding_a_security_group_rule + fast-adding_security_group_rules + replicating_a_security_group_rule + modifying_a_security_group_rule + deleting_a_security_group_rule + importing_and_exporting_security_group_rules + deleting_a_security_group + adding_instances_to_and_removing_them_from_a_security_group + modifying_a_security_group + viewing_the_security_group_of_an_ecs + changing_the_security_group_of_an_ecs diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/modifying_a_security_group.rst b/umn/source/operation_guide_old_console_edition/security/security_group/modifying_a_security_group.rst new file mode 100644 index 0000000..9a3688a --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/modifying_a_security_group.rst 
@@ -0,0 +1,41 @@ +:original_name: vpc_SecurityGroup02_0013.html + +.. _vpc_SecurityGroup02_0013: + +Modifying a Security Group +========================== + +**Scenarios** +------------- + +Modify the name and description of a created security group. + +Procedure +--------- + +**Method 1** + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +#. On the **Security Groups** page, locate the target security group and choose **More** > **Modify** in the **Operation** column. +#. Modify the name and description of the security group as required. +#. Click **OK**. + +**Method 2** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +#. On the **Security Groups** page, click the security group name. +#. On the displayed page, click |image3| on the right of **Name** and edit the security group name. +#. Click **Y** to save the security group name. +#. Click |image4| on the right of **Description** and edit the security group description. +#. Click **Y** to save the security group description. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png +.. |image3| image:: /_static/images/en-us_image_0239476777.png +.. |image4| image:: /_static/images/en-us_image_0239476777.png 
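Review bot: In Method 2 of modifying_a_security_group.rst, steps 7 and 9 read "Click **Y** to save", while every other icon in this file is referenced through an |imageN| substitution; "Y" looks like a dropped icon and should become an image substitution or the name of the actual control. The four substitutions also define only two distinct images (|image1| and |image2| both point at en-us_image_0141273034.png, |image3| and |image4| both at en-us_image_0239476777.png), so one substitution per image is enough. Finally, the "Scenarios" title is written as `**Scenarios**` with an underline, whereas the sibling page modifying_a_security_group_rule.rst uses a plain `Scenarios` title; pick one form for the whole security_group directory.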
diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/modifying_a_security_group_rule.rst b/umn/source/operation_guide_old_console_edition/security/security_group/modifying_a_security_group_rule.rst new file mode 100644 index 0000000..c4248f0 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/modifying_a_security_group_rule.rst @@ -0,0 +1,25 @@ +:original_name: vpc_SecurityGroup02_0008.html + +.. _vpc_SecurityGroup02_0008: + +Modifying a Security Group Rule +=============================== + +Scenarios +--------- + +You can modify the port, protocol, and IP address of a security group rule to meet your specific requirements. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +5. On the **Security Groups** page, click the security group name. +6. On the displayed page, locate the row that contains the security group rule to be modified, and click **Modify** in the **Operation** column. +7. Modify the rule and click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/replicating_a_security_group_rule.rst b/umn/source/operation_guide_old_console_edition/security/security_group/replicating_a_security_group_rule.rst new file mode 100644 index 0000000..a1bac05 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/replicating_a_security_group_rule.rst 
@@ -0,0 +1,32 @@ +:original_name: vpc_SecurityGroup02_0007.html + +.. _vpc_SecurityGroup02_0007: + +Replicating a Security Group Rule +================================= + +**Scenarios** +------------- + +Replicate an existing security group rule to generate a new rule. When replicating a security group rule, you can make changes so that it is not a perfect copy. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + +5. On the **Security Groups** page, click the security group name. + +6. On the displayed page, locate the row that contains the security group rule to be replicated, and click **Replicate** in the **Operation** column. + + You can also modify the security group rule as required to quickly generate a new rule. + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/security_group_configuration_examples.rst b/umn/source/operation_guide_old_console_edition/security/security_group/security_group_configuration_examples.rst new file mode 100644 index 0000000..e7a0e25 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/security_group_configuration_examples.rst 
@@ -0,0 +1,195 @@ +:original_name: vpc_SecurityGroup02_0003.html + +.. _vpc_SecurityGroup02_0003: + +Security Group Configuration Examples +===================================== + +Common security group configurations are presented here. The examples in this section allow all outgoing data packets by default. This section will only describe how to configure inbound rules. + +- .. _vpc_securitygroup02_0003__en-us_topic_0118534011_li2921164192410: + + :ref:`Allowing External Access to a Specified Port ` + +- :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network ` + +- :ref:`Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group ` + +- :ref:`Remotely Connecting to Linux ECSs Using SSH ` + +- :ref:`Remotely Connecting to Windows ECSs Using RDP ` + +- :ref:`Enabling Communication Between ECSs ` + +- :ref:`Hosting a Website on ECSs ` + +- :ref:`Enabling an ECS to Function as a DNS Server ` + +- :ref:`Uploading or Downloading Files Using FTP ` + +You can use the default security group or create a security group in advance. For details, see sections :ref:`Creating a Security Group ` and :ref:`Adding a Security Group Rule `. + +Allowing External Access to a Specified Port +-------------------------------------------- + +- Example scenario: + + After services are deployed, you can add security group rules to allow external access to a specified port (for example, 1100). + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound TCP 1100 0.0.0.0/0 + ========= ======== ==== ========= + +.. 
_vpc_securitygroup02_0003__en-us_topic_0118534011_section14197522283: + +Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network +----------------------------------------------------------------------------------------------------- + +- Example scenario: + + Resources on an ECS in a security group need to be copied to an ECS associated with another security group. The two ECSs are in the same VPC. We recommend that you enable private network communication between the ECSs and then copy the resources. + +- Security group configuration: + + Within a given VPC, ECSs in the same security group can communicate with one another by default. However, ECSs in different security groups cannot communicate with each other by default. To enable these ECSs to communicate with each other, you need to add certain security group rules. + + You can add an inbound rule to the security groups containing the ECSs to allow access from ECSs in the other security group. The required rule is as follows. + + +-----------+----------------------------------------------------+--------------------+------------------------------+ + | Direction | Protocol/Application | Port | Source | + +===========+====================================================+====================+==============================+ + | Inbound | Used for communication through an internal network | Port or port range | ID of another security group | + +-----------+----------------------------------------------------+--------------------+------------------------------+ + +.. 
_vpc_securitygroup02_0003__en-us_topic_0118534011_section17693183118306: + +Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group +--------------------------------------------------------------------------- + +- Example scenario: + + To prevent ECSs from being attacked, you can change the port for remote login and configure security group rules that allow only specified IP addresses to remotely access the ECSs. + +- Security group configuration: + + To allow IP address **192.168.20.2** to remotely access Linux ECSs in a security group over the SSH protocol (port 22), you can configure the following security group rule. + + +-----------------+-----------------+-----------------+-------------------------------------------------+ + | Direction | Protocol | Port | Source | + +=================+=================+=================+=================================================+ + | Inbound | SSH | 22 | IPv4 CIDR block or ID of another security group | + | | | | | + | | | | For example, 192.168.20.2/32 | + +-----------------+-----------------+-----------------+-------------------------------------------------+ + +.. _vpc_securitygroup02_0003__en-us_topic_0118534011_section115069253338: + +Remotely Connecting to Linux ECSs Using SSH +------------------------------------------- + +- Example scenario: + + After creating Linux ECSs, you can add a security group rule to enable remote SSH access to the ECSs. + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound SSH 22 0.0.0.0/0 + ========= ======== ==== ========= + +.. _vpc_securitygroup02_0003__en-us_topic_0118534011_section168046312349: + +Remotely Connecting to Windows ECSs Using RDP +--------------------------------------------- + +- Example scenario: + + After creating Windows ECSs, you can add a security group rule to enable remote RDP access to the ECSs. 
+ +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound RDP 3389 0.0.0.0/0 + ========= ======== ==== ========= + +.. _vpc_securitygroup02_0003__en-us_topic_0118534011_section34721049193411: + +Enabling Communication Between ECSs +----------------------------------- + +- Example scenario: + + After creating ECSs, you need to add a security group rule so that you can run the **ping** command to test communication between the ECSs. + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound ICMP All 0.0.0.0/0 + ========= ======== ==== ========= + +.. _vpc_securitygroup02_0003__en-us_topic_0118534011_section1517991516357: + +Hosting a Website on ECSs +------------------------- + +- Example scenario: + + If you deploy a website on your ECSs and require that your website be accessed over HTTP or HTTPS, you can add rules to the security group used by the ECSs that function as the web servers. + +- Security group rule: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound HTTP 80 0.0.0.0/0 + Inbound HTTPS 443 0.0.0.0/0 + ========= ======== ==== ========= + +.. _vpc_securitygroup02_0003__en-us_topic_0118534011_section2910346123520: + +Enabling an ECS to Function as a DNS Server +------------------------------------------- + +- Example scenario: + + If you need to use an ECS as a DNS server, you must allow TCP and UDP access from port 53 to the DNS server. You can add the following rules to the security group associated with the ECS. + +- Security group rules: + + ========= ======== ==== ========= + Direction Protocol Port Source + ========= ======== ==== ========= + Inbound TCP 53 0.0.0.0/0 + Inbound UDP 53 0.0.0.0/0 + ========= ======== ==== ========= + +.. 
_vpc_securitygroup02_0003__en-us_topic_0118534011_section5964121693610: + +Uploading or Downloading Files Using FTP +---------------------------------------- + +- Example scenario: + + If you want to use File Transfer Protocol (FTP) to upload files to or download files from ECSs, you need to add a security group rule. + + .. note:: + + You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly. + +- Security group rule: + + ========= ======== ===== ========= + Direction Protocol Port Source + ========= ======== ===== ========= + Inbound TCP 20-21 0.0.0.0/0 + ========= ======== ===== ========= diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/security_group_overview.rst b/umn/source/operation_guide_old_console_edition/security/security_group/security_group_overview.rst new file mode 100644 index 0000000..2f2527d --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/security_group_overview.rst 
@@ -0,0 +1,52 @@ +:original_name: vpc_SecurityGroup02_0001.html + +.. _vpc_SecurityGroup02_0001: + +Security Group Overview +======================= + +Security Group +-------------- + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted within a VPC. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group. + +Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules. You can directly use the default security group. For details, see :ref:`Default Security Groups and Security Group Rules `. + +You can also create custom security groups to meet your specific service requirements. For details, see :ref:`Creating a Security Group `. + +Security Group Basics +--------------------- + +- You can associate instances, such as servers and extension NICs, with one or more security groups. + + You can change the security groups that are associated with instances, such as servers or extension NICs. By default, when you create an instance, it is associated with the default security group of its VPC unless you specify another security group. + +- You need to add security group rules to allow instances in the same security group to communicate with each other. + +- Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. + + Security groups use connection tracking to track traffic to and from instances that they contain and security group rules are applied based on the connection status of the traffic to determine whether to allow or deny traffic. If you add, modify, or delete a security group rule, or create or delete an instance in the security group, the connection tracking of all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered as new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and the security of incoming traffic. + + In addition, if the inbound or outbound traffic of an instance has no packets for a long time, the traffic will be considered as new connections after the connection tracking times out, and the connections need to match the outbound and inbound rules. The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both directions, the connection tracking timeout period is 180s. If one or more packets are received in one direction but no packet is received in the other direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked. + +.. note:: + + If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs. + +Security Group Rules +-------------------- + +After you create a security group, you can add rules to the security group. 
A rule applies either to inbound traffic or outbound traffic. After you add cloud resources to the security group, they are protected by the rules of the group. + +Each security group has its default rules. For details, see :ref:`Table 1 `. You can also customize security group rules. For details, see :ref:`Adding a Security Group Rule `. + +Security Group Constraints +-------------------------- + +- By default, you can create a maximum of 100 security groups in your cloud account. +- By default, you can add up to 50 security group rules to a security group. +- By default, you can add an ECS or an extension NIC to a maximum of five security groups. In such a case, the rules of all the selected security groups are aggregated to take effect. +- When creating a private network load balancer, you need to select a desired security group. Do not delete the default security group rules or ensure that the following requirements are met: + + - Outbound rules: only allow data packets to the selected security group or only data packets from the peer load balancer. + - Inbound rules: only allow data packets from the selected security group or only data packets from the peer load balancer. diff --git a/umn/source/operation_guide_old_console_edition/security/security_group/viewing_the_security_group_of_an_ecs.rst b/umn/source/operation_guide_old_console_edition/security/security_group/viewing_the_security_group_of_an_ecs.rst new file mode 100644 index 0000000..123b31a --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/security/security_group/viewing_the_security_group_of_an_ecs.rst 
@@ -0,0 +1,23 @@ +:original_name: vpc_SecurityGroup02_0014.html + +.. _vpc_SecurityGroup02_0014: + +Viewing the Security Group of an ECS +==================================== + +Scenarios +--------- + +View inbound and outbound rules of a security group used by an ECS. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. Under **Compute**, click **Elastic Cloud Server**. +4. On the **Elastic Cloud Server** page, click the name of the target ECS. +5. Click the **Security Groups** tab and view information about the security group used by the ECS. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst b/umn/source/operation_guide_old_console_edition/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst new file mode 100644 index 0000000..6bd003d --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst 
@@ -0,0 +1,42 @@ +:original_name: vpc_bandwidth02_0003.html + +.. _vpc_bandwidth02_0003: + +Adding EIPs to a Shared Bandwidth +================================= + +Scenarios +--------- + +Add EIPs to a shared bandwidth and the EIPs can then share that bandwidth. You can add multiple EIPs to a shared bandwidth at the same time. + +Notes and Constraints +--------------------- + +- After an EIP is added to a shared bandwidth, the original bandwidth used by the EIP will become invalid and the EIP will start to use the shared bandwidth. +- The EIP's original dedicated bandwidth will be deleted. +- Do not add EIPs of the dedicated load balancer type and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Elastic IP**. + +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +5. In the shared bandwidth list, locate the row that contains the shared bandwidth to which you want to add EIPs. In the **Operation** column, choose **More** > **Add EIP**, and select the EIPs to be added. + + + .. figure:: /_static/images/en-us_image_0000001211006359.png + :alt: **Figure 1** Add EIP + + + **Figure 1** Add EIP + +6. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/shared_bandwidth/assigning_a_shared_bandwidth.rst b/umn/source/operation_guide_old_console_edition/shared_bandwidth/assigning_a_shared_bandwidth.rst new file mode 100644 index 0000000..29718f2 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/shared_bandwidth/assigning_a_shared_bandwidth.rst 
@@ -0,0 +1,47 @@ +:original_name: vpc_bandwidth02_0002.html + +.. _vpc_bandwidth02_0002: + +Assigning a Shared Bandwidth +============================ + +Scenarios +--------- + +Assign a shared bandwidth for use with EIPs. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Elastic IP**. + +#. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +#. In the upper right corner, click **Assign Shared Bandwidth**. On the displayed page, configure parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0000001163949251.png + :alt: **Figure 1** Assigning Shared Bandwidth + + + **Figure 1** Assigning Shared Bandwidth + + .. table:: **Table 1** Parameter descriptions + + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + | Parameter | Description | Example Value | + +================+=========================================================================================================================================================================================================================================================================================================+===============+ + | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. 
| eu-de | + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + | Bandwidth | The bandwidth size in Mbit/s. The value ranges from starting with 5 Mbit/s. The maximum bandwidth can be 1000 Mbit/s. | 10 | + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + | Bandwidth Name | The name of the shared bandwidth. | Bandwidth-001 | + +----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+ + +#. Click **Create Now**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/shared_bandwidth/deleting_a_shared_bandwidth.rst b/umn/source/operation_guide_old_console_edition/shared_bandwidth/deleting_a_shared_bandwidth.rst new file mode 100644 index 0000000..2568a70 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/shared_bandwidth/deleting_a_shared_bandwidth.rst 
@@ -0,0 +1,29 @@ +:original_name: vpc_bandwidth02_0006.html + +.. _vpc_bandwidth02_0006: + +Deleting a Shared Bandwidth +=========================== + +Scenarios +--------- + +Delete a shared bandwidth when it is no longer required. + +Prerequisites +------------- + +Before deleting a shared bandwidth, remove all the EIPs associated with it. For details, see :ref:`Removing EIPs from a Shared Bandwidth `. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Elastic IP**. +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. +5. In the shared bandwidth list, locate the row that contains the shared bandwidth you want to delete, click **More** in the **Operation** column, and then click **Delete**. +6. In the displayed dialog box, click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/shared_bandwidth/index.rst b/umn/source/operation_guide_old_console_edition/shared_bandwidth/index.rst new file mode 100644 index 0000000..12d366d --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/shared_bandwidth/index.rst @@ -0,0 +1,24 @@ +:original_name: vpc_bandwidth02_0000.html + +.. _vpc_bandwidth02_0000: + +Shared Bandwidth +================ + +- :ref:`Shared Bandwidth Overview ` +- :ref:`Assigning a Shared Bandwidth ` +- :ref:`Adding EIPs to a Shared Bandwidth ` +- :ref:`Removing EIPs from a Shared Bandwidth ` +- :ref:`Modifying a Shared Bandwidth ` +- :ref:`Deleting a Shared Bandwidth ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + shared_bandwidth_overview + assigning_a_shared_bandwidth + adding_eips_to_a_shared_bandwidth + removing_eips_from_a_shared_bandwidth + modifying_a_shared_bandwidth + deleting_a_shared_bandwidth 
diff --git a/umn/source/operation_guide_old_console_edition/shared_bandwidth/modifying_a_shared_bandwidth.rst b/umn/source/operation_guide_old_console_edition/shared_bandwidth/modifying_a_shared_bandwidth.rst new file mode 100644 index 0000000..9f3aa71 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/shared_bandwidth/modifying_a_shared_bandwidth.rst @@ -0,0 +1,37 @@ +:original_name: vpc_bandwidth02_0005.html + +.. _vpc_bandwidth02_0005: + +Modifying a Shared Bandwidth +============================ + +Scenarios +--------- + +You can modify the name and size of a shared bandwidth as required. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Elastic IP**. + +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +5. In the shared bandwidth list, locate the row that contains the shared bandwidth you want to modify, click **Modify Bandwidth** in the **Operation** column, and modify the bandwidth settings. + + + .. figure:: /_static/images/en-us_image_0000001117669524.png + :alt: **Figure 1** Modify Bandwidth + + + **Figure 1** Modify Bandwidth + +6. Click **Next**. + +7. Click **Submit**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/shared_bandwidth/removing_eips_from_a_shared_bandwidth.rst b/umn/source/operation_guide_old_console_edition/shared_bandwidth/removing_eips_from_a_shared_bandwidth.rst new file mode 100644 index 0000000..0474ac1 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/shared_bandwidth/removing_eips_from_a_shared_bandwidth.rst 
@@ -0,0 +1,35 @@ +:original_name: vpc_bandwidth02_0004.html + +.. _vpc_bandwidth02_0004: + +Removing EIPs from a Shared Bandwidth +===================================== + +Scenarios +--------- + +Remove EIPs that are no longer required from a shared bandwidth if needed. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Elastic IP**. + +4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. + +5. In the shared bandwidth list, locate the row that contains the bandwidth from which EIPs are to be removed, choose **More** > **Remove EIP** in the **Operation** column, and select the EIPs to be removed in the displayed dialog box. + + + .. figure:: /_static/images/en-us_image_0000001211445065.png + :alt: **Figure 1** Remove EIP + + + **Figure 1** Remove EIP + +6. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/shared_bandwidth/shared_bandwidth_overview.rst b/umn/source/operation_guide_old_console_edition/shared_bandwidth/shared_bandwidth_overview.rst new file mode 100644 index 0000000..1ae3230 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/shared_bandwidth/shared_bandwidth_overview.rst 
@@ -0,0 +1,18 @@ +:original_name: vpc_bandwidth02_0001.html + +.. _vpc_bandwidth02_0001: + +Shared Bandwidth Overview +========================= + +Shared bandwidth allows multiple EIPs to share the same bandwidth. All ECSs, BMSs, and load balancers that have EIPs bound in the same region can share a bandwidth. + +When you host a large number of applications on the cloud, if each EIP uses an independent bandwidth, a lot of bandwidths are required, increasing O&M workload. If all EIPs share the same bandwidth, VPCs and the region-level bandwidth can be managed in a unified manner, simplifying O&M statistics and network operations cost settlement. + +- Easy to Manage + + Region-level bandwidth sharing and multiplexing simplify O&M statistics, management, and operations cost settlement. + +- Flexible Operations + + You can add EIPs to a shared bandwidth or remove them from a shared bandwidth regardless of the instances to which they are bound. diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/assigning_a_virtual_ip_address.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/assigning_a_virtual_ip_address.rst new file mode 100644 index 0000000..fade059 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/assigning_a_virtual_ip_address.rst 
@@ -0,0 +1,34 @@ +:original_name: vpc_vip02_0002.html + +.. _vpc_vip02_0002: + +Assigning a Virtual IP Address +============================== + +Scenarios +--------- + +If an ECS requires a virtual IP address or if a virtual IP address needs to be reserved, you can assign a virtual IP address from the subnet. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the VPC containing the subnet where a virtual IP address is to be assigned, and click the VPC name. +6. On the **Subnets** tab, click the name of the subnet where a virtual IP address is to be assigned. +7. Click the **Virtual IP Addresses** tab and click **Assign Virtual IP Address**. +8. Select a virtual IP address assignment mode. + + - **Automatic**: The system assigns an IP address automatically. + - **Manual**: You can specify an IP address. + +9. Select **Manual** and enter a virtual IP address. +10. Click **OK**. + +You can then query the assigned virtual IP address in the IP address list. + +.. |image1| image:: /_static/images/en-us_image_0226223279.png diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst new file mode 100644 index 0000000..56ea6c7 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst 
@@ -0,0 +1,29 @@ +:original_name: vpc_vip02_0004.html + +.. _vpc_vip02_0004: + +Binding a Virtual IP Address to an EIP +====================================== + +Scenarios +--------- + +This section describes how to bind a virtual IP address to an EIP. + +Prerequisites +------------- + +- You have assigned an EIP. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Elastic IP**. +4. Locate the row that contains the EIP to be bound to the virtual IP address, and click **Bind** in the **Operation** column. +5. In the **Bind EIP** dialog box, set **Instance Type** to **Virtual IP address**. +6. In the virtual IP address list, select the virtual IP address to be bound and click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst new file mode 100644 index 0000000..7de7452 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst 
@@ -0,0 +1,140 @@ +:original_name: vpc_vip02_0003.html + +.. _vpc_vip02_0003: + +Binding a Virtual IP Address to an EIP or ECS +============================================= + +Scenarios +--------- + +You can bind a virtual IP address to an EIP so that you can access the ECSs bound with the same virtual IP address from the Internet. These ECSs can work in the active/standby mode to improve fault tolerance. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +5. On the **Virtual Private Cloud** page, locate the VPC containing the virtual IP address and click the VPC name. + +6. On the **Subnets** tab, click the name of the subnet that the virtual IP address belongs to. + +7. Click the **Virtual IP Addresses** tab. + + - To bind a virtual IP address to an EIP, locate the row that contains the virtual IP address and click **Bind to EIP** in the **Operation** column. + - To bind a virtual IP address to an ECS, locate the row that contains the virtual IP address and click **More** > **Bind to Server** in the **Operation** column. + +8. Select the desired EIP, or ECS and its NIC. + + .. note:: + + - If the ECS has multiple NICs, bind the virtual IP address to the primary NIC. + - Multiple virtual IP addresses can be bound to an ECS NIC. + +9. Click **OK**. + +10. Manually configure the virtual IP address bound to an ECS. + + After a virtual IP address is bound to an ECS NIC, you need to manually configure the virtual IP address on the ECS. + + **Linux OS** (CentOS 7.2 64bit is used as an example.) + + a. .. 
_vpc_vip02_0003__en-us_topic_0118499077_li528316578916: + + Run the following command to obtain the NIC to which the virtual IP address is to be bound and the connection of the NIC: + + **nmcli connection** + + Information similar to the following is displayed: + + |image2| + + The command output in this example is described as follows: + + - **eth0** in the **DEVICE** column indicates the NIC to which the virtual IP address is to be bound. + - **Wired connection 1** in the **NAME** column indicates the connection of the NIC. + + b. Run the following command to add the virtual IP address for the target connection: + + **nmcli connection modify "**\ *CONNECTION*\ **" ipv4.addresses** *VIP* + + Configure the parameters as follows: + + - CONNECTION: connection of the NIC obtained in :ref:`10.a `. + - VIP: virtual IP address to be added. + + - If you add multiple virtual IP addresses at a time, separate them with commas (,). + - If a virtual IP address already exists and you need to add a new one, the command must contain both the new and original virtual IP addresses. + + Example commands: + + - Adding a single virtual IP address: **nmcli connection modify "Wired connection 1" ipv4.addresses** **172.16.0.125** + - Adding multiple virtual IP addresses: **nmcli connection modify "Wired connection 1" ipv4.addresses** **172.16.0.125,172.16.0.126** + + c. Run the following command to make the configuration take effect: + + **nmcli connection up "**\ *CONNECTION*\ **"** + + In this example, run the following command: + + **nmcli connection up "Wired connection 1"** + + Information similar to the following is displayed: + + |image3| + + d. Run the following command to check whether the virtual IP address has been bound: + + **ip a** + + Information similar to the following is displayed. In the command output, the virtual IP address 172.16.0.125 is bound to NIC eth0. + + |image4| + + **Windows OS** (Windows Server is used as an example here.) + + a. 
In **Control Panel**, click **Network and Sharing Center**, and click the corresponding local connection. + + b. On the displayed page, click **Properties**. + + c. On the **Network** tab page, select **Internet Protocol Version 4 (TCP/IPv4)**. + + d. Click **Properties**. + + e. Select **Use the following IP address** and set **IP address** to the private IP address of the ECS, for example, 10.0.0.101. + + + .. figure:: /_static/images/en-us_image_0000001179761510.png + :alt: **Figure 1** Configuring private IP address + + + **Figure 1** Configuring private IP address + + f. Click **Advanced**. + + g. On the **IP Settings** tab, click **Add** in the **IP addresses** area. + + Add the virtual IP address. For example, 10.0.0.154. + + + .. figure:: /_static/images/en-us_image_0000001225081545.png + :alt: **Figure 2** Configuring virtual IP address + + + **Figure 2** Configuring virtual IP address + + h. Click **OK**. + + i. In the **Start** menu, open the Windows command line window and run the following command to check whether the virtual IP address has been configured: + + **ipconfig /all** + + In the command output, **IPv4 Address** is the virtual IP address 10.0.0.154, indicating that the virtual IP address of the ECS NIC has been correctly configured. + +.. |image1| image:: /_static/images/en-us_image_0226223279.png +.. |image2| image:: /_static/images/en-us_image_0000001281210233.png +.. |image3| image:: /_static/images/en-us_image_0000001237328110.png +.. |image4| image:: /_static/images/en-us_image_0000001237013856.png diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst new file mode 100644 index 0000000..f1e724a --- /dev/null 
+++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst @@ -0,0 +1,16 @@ +:original_name: vpc_vip02_0009.html + +.. _vpc_vip02_0009: + +Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) +=========================================================================== + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. Under **Compute**, click **Elastic Cloud Server**. +4. In the ECS list, click the ECS name. +5. On the displayed ECS details page, click the **NICs** tab. +6. Check that **Source/Destination Check** is disabled. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/index.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/index.rst new file mode 100644 index 0000000..2069f55 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/index.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_vip02_0000.html + +.. _vpc_vip02_0000: + +Virtual IP Address +================== + +- :ref:`Virtual IP Address Overview ` +- :ref:`Assigning a Virtual IP Address ` +- :ref:`Binding a Virtual IP Address to an EIP or ECS ` +- :ref:`Binding a Virtual IP Address to an EIP ` +- :ref:`Using a VPN to Access a Virtual IP Address ` +- :ref:`Using a Direct Connect Connection to Access the Virtual IP Address ` +- :ref:`Using a VPC Peering Connection to Access the Virtual IP Address ` +- :ref:`Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) ` +- :ref:`Releasing a Virtual IP Address ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + virtual_ip_address_overview + assigning_a_virtual_ip_address + binding_a_virtual_ip_address_to_an_eip_or_ecs + binding_a_virtual_ip_address_to_an_eip + using_a_vpn_to_access_a_virtual_ip_address + using_a_direct_connect_connection_to_access_the_virtual_ip_address + using_a_vpc_peering_connection_to_access_the_virtual_ip_address + disabling_source_and_destination_check_ha_load_balancing_cluster_scenario + releasing_a_virtual_ip_address diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/releasing_a_virtual_ip_address.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/releasing_a_virtual_ip_address.rst new file mode 100644 index 0000000..51e0ae5 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/releasing_a_virtual_ip_address.rst 
@@ -0,0 +1,37 @@ +:original_name: vpc_vip02_0010.html + +.. _vpc_vip02_0010: + +Releasing a Virtual IP Address +============================== + +Scenarios +--------- + +If you no longer need a virtual IP address or a reserved virtual IP address, you can release it to avoid wasting resources. + +Prerequisites +------------- + +Before deleting a virtual IP address, ensure that the virtual IP address has been unbound from the following resources: + +- ECS +- EIP +- CCE cluster + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. + +5. On the **Virtual Private Cloud** page, locate the VPC containing the subnet from which a virtual IP address is to be released, and click the VPC name. +6. On the **Subnets** tab, click the name of the subnet from which a virtual IP address is to be released. +7. Click the **Virtual IP Addresses** tab, locate the row that contains the virtual IP address to be released, click **More** in the **Operation** column, and select **Release**. +8. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0226223279.png diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_direct_connect_connection_to_access_the_virtual_ip_address.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_direct_connect_connection_to_access_the_virtual_ip_address.rst new file mode 100644 index 0000000..a46e893 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_direct_connect_connection_to_access_the_virtual_ip_address.rst 
@@ -0,0 +1,14 @@ +:original_name: vpc_vip02_0006.html + +.. _vpc_vip02_0006: + +Using a Direct Connect Connection to Access the Virtual IP Address +================================================================== + +Procedure +--------- + +#. Configure the ECS networking based on :ref:`Networking `. +#. Create a Direct Connect connection. + +The created Direct Connect connection can be used to access the virtual IP address of the ECS. diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_vpc_peering_connection_to_access_the_virtual_ip_address.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_vpc_peering_connection_to_access_the_virtual_ip_address.rst new file mode 100644 index 0000000..402026e --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_vpc_peering_connection_to_access_the_virtual_ip_address.rst @@ -0,0 +1,14 @@ +:original_name: vpc_vip02_0007.html + +.. _vpc_vip02_0007: + +Using a VPC Peering Connection to Access the Virtual IP Address +=============================================================== + +Procedure +--------- + +#. Configure the ECS networking based on :ref:`Networking `. +#. Create a VPC peering connection. + +You can access the virtual IP address of the ECS through the VPC peering connection. diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_vpn_to_access_a_virtual_ip_address.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_vpn_to_access_a_virtual_ip_address.rst new file mode 100644 index 0000000..ea0a27e --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/using_a_vpn_to_access_a_virtual_ip_address.rst 
@@ -0,0 +1,14 @@ +:original_name: vpc_vip02_0005.html + +.. _vpc_vip02_0005: + +Using a VPN to Access a Virtual IP Address +========================================== + +Procedure +--------- + +#. Configure the ECS networking based on :ref:`Networking `. +#. Create a VPN. + +The VPN can be used to access the virtual IP address of the ECS. diff --git a/umn/source/operation_guide_old_console_edition/virtual_ip_address/virtual_ip_address_overview.rst b/umn/source/operation_guide_old_console_edition/virtual_ip_address/virtual_ip_address_overview.rst new file mode 100644 index 0000000..c7a386a --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/virtual_ip_address/virtual_ip_address_overview.rst 
@@ -0,0 +1,92 @@ +:original_name: vpc_vip02_0001.html + +.. _vpc_vip02_0001: + +Virtual IP Address Overview +=========================== + +What Is a Virtual IP Address? +----------------------------- + +A virtual IP address can be shared among multiple ECSs. An ECS can have both private and virtual IP addresses, and you can access the ECS through either IP address. A virtual IP address has the same network access capabilities as a private IP address, including layer 2 and layer 3 communication in VPCs, access between VPCs using VPC peering connections, as well as access through EIPs, VPN connections, and Direct Connect connections. + +You can bind ECSs deployed in active/standby mode with the same virtual IP address, and then bind an EIP to the virtual IP address. Virtual IP addresses can work together with Keepalived to ensure high availability and disaster recovery. If the active ECS is faulty, the standby ECS automatically takes over services from the active one. + +Networking +---------- + +Virtual IP addresses are used for high availability and can work together with Keepalived to make active/standby ECS switchover possible. This way if one ECS goes down for some reason, the other one can take over and services continue uninterrupted. ECSs can be configured for HA or as load balancing clusters. + +- **Networking mode 1**: HA + + If you want to improve service availability and avoid single points of failure, you can deploy ECSs in the active/standby mode or deploy one active ECS and multiple standby ECSs. In this arrangement, the ECSs all use the same virtual IP address. If the active ECS becomes faulty, a standby ECS takes over services from the active ECS and services continue uninterrupted. + + + .. figure:: /_static/images/en-us_image_0209608153.png + :alt: **Figure 1** Networking diagram of the HA mode + + + **Figure 1** Networking diagram of the HA mode + + - In this configuration, a single virtual IP address is bound to two ECSs in the same subnet. 
+ - Keepalived is then used to configure the two ECSs to work in the active/standby mode. Follow industry standards for configuring Keepalived. The details are not included here. + +- **Networking mode 2**: HA load balancing cluster + + If you want to build a high-availability load balancing cluster, use Keepalived and configure LVS nodes as direct routers. + + + .. figure:: /_static/images/en-us_image_0209608154.png + :alt: **Figure 2** HA load balancing cluster + + + **Figure 2** HA load balancing cluster + + - Bind a single virtual IP address to two ECSs. + - Configure the two ECSs as LVS nodes working as direct routers and use Keepalived to configure the nodes in the active/standby mode. The two ECSs will evenly forward requests to different backend servers. + - Configure two more ECSs as backend servers. + - Disable the source/destination check for the two backend servers. + + Follow industry standards for configuring Keepalived. The details are not included here. + +Application Scenarios +--------------------- + +- Accessing the virtual IP address through an EIP + + If your application has high availability requirements and needs to provide services through the Internet, it is recommended that you bind an EIP to a virtual IP address. + +- Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP address + + To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection. The VPC peering connection is needed so that the VPCs in the same region can communicate with each other. + +Precautions +----------- + +- Virtual IP addresses are not recommended when multiple NICs in the same subnet are configured on an ECS. It is too easy for there to be route conflicts on the ECS, which would cause communication failure using the virtual IP address. +- IP forwarding must be disabled on the standby ECS. 
Perform the following operations to confirm whether the IP forwarding is disabled on the standby ECS: + + #. Log in to standby ECS and run the following command to check whether the IP forwarding is enabled: + + cat /proc/sys/net/ipv4/ip_forward + + In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. + + - If the command output is **1**, perform :ref:`2 ` and :ref:`3 ` to disable the IP forwarding. + - If the command output is **0**, no further action is required. + + #. .. _vpc_vip02_0001__en-us_topic_0118498951_en-us_topic_0206027322_en-us_topic_0095139658_li1473585332417: + + Use the vi editor to open the **/etc/sysctl.conf** file, change the value of **net.ipv4.ip_forward** to **0**, and enter **:wq** to save the change and exit. You can also use the **sed** command to modify the configuration. A command example is as follows: + + sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf + + #. .. _vpc_vip02_0001__en-us_topic_0118498951_en-us_topic_0206027322_en-us_topic_0095139658_li88984711254: + + Run the following command to make the change take effect: + + sysctl -p /etc/sysctl.conf + +- The virtual IP address can use only the default security group, which cannot be changed to a custom security group. +- It is recommended that no more than eight virtual IP addresses be bound to an ECS. +- It is recommended that no more than 10 ECSs be bound to a virtual IP address. diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/creating_a_subnet_for_the_vpc.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/creating_a_subnet_for_the_vpc.rst new file mode 100644 index 0000000..b98a485 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/creating_a_subnet_for_the_vpc.rst 
@@ -0,0 +1,106 @@ +:original_name: vpc_vpc02_0004.html + +.. _vpc_vpc02_0004: + +Creating a Subnet for the VPC +============================= + +Scenarios +--------- + +A VPC comes with a default subnet. If the default subnet cannot meet your requirements, you can create one. + +The subnet is configured with DHCP by default. When an ECS in this subnet starts, the ECS automatically obtains an IP address using DHCP. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. On the **Virtual Private Cloud** page, locate the VPC for which a subnet is to be created and click the VPC name. + +#. On the displayed **Subnets** tab, click **Create Subnet**. + +#. Set the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0226222517.png + :alt: **Figure 1** Create Subnet + + + **Figure 1** Create Subnet + + .. table:: **Table 1** Parameter description + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================================================================================================================================+=======================+ + | Name | Specifies the subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | CIDR Block | Specifies the CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Gateway | Specifies the gateway address of the subnet. | 192.168.0.1 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | NTP Server Address | Specifies the IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. 
| | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Tag | Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. | - Key: subnet_key1 | + | | | - Value: subnet-01 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. _vpc_vpc02_0004__table42131827173915: + + .. table:: **Table 2** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. 
| subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +Precautions +----------- + +When a subnet is created, there are five reserved IP addresses, which cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved: + +- 192.168.0.0: Network ID. This address is the beginning of the private IP address range and will not be assigned to any instance. +- 192.168.0.1: Gateway address. +- 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication. +- 192.168.0.254: DHCP service address. +- 192.168.0.255: Network broadcast address. + +If you configured the default settings under **Advanced Settings** during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings. + +.. |image1| image:: /_static/images/en-us_image_0226223279.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/creating_a_vpc.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/creating_a_vpc.rst new file mode 100644 index 0000000..5845341 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/creating_a_vpc.rst 
@@ -0,0 +1,130 @@ +:original_name: vpc_vpc02_0002.html + +.. _vpc_vpc02_0002: + +Creating a VPC +============== + +Scenarios +--------- + +A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required. + +You can create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. Click **Create VPC**. + +#. On the **Create VPC** page, set parameters as prompted. + + A default subnet will be created together with a VPC and you can also click **Add Subnet** to create more subnets for the VPC. + + .. table:: **Table 1** VPC parameter descriptions + + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +==================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. 
The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). 
| 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. 
| Default | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. 
| | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +----------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + + .. 
table:: **Table 2** VPC tag key and value requirements + + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+============================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for the same VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + + .. _vpc_vpc02_0002__en-us_topic_0118498861_table6536185812515: + + .. table:: **Table 3** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. 
| | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +#. Click **Create Now**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/deleting_a_subnet.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/deleting_a_subnet.rst new file mode 100644 index 0000000..18af104 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/deleting_a_subnet.rst 
@@ -0,0 +1,45 @@ +:original_name: vpc_vpc02_0006.html + +.. _vpc_vpc02_0006: + +Deleting a Subnet +================= + +Scenarios +--------- + +You can delete a subnet to release network resources if the subnet is no longer required. + +Prerequisites +------------- + +You can delete a subnet only if there are no resources in the subnet. If there are resources in the subnet, you must delete those resources before you can delete the subnet. + +You can view all resources of your account on the console homepage and check the resources that are in the subnet you want to delete. + +The resources may include: + +- ECS +- BMS +- CCE cluster +- RDS instance +- MRS cluster +- DCS instance +- Load balancer +- VPN +- Private IP address +- Custom route +- NAT gateway + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. On the **Virtual Private Cloud** page, locate the VPC from which a subnet is to be deleted and click the VPC name. +#. On the **Subnets** page, locate the target subnet and click **Delete**. +#. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0226223279.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/deleting_a_vpc.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/deleting_a_vpc.rst new file mode 100644 index 0000000..345ed69 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/deleting_a_vpc.rst 
@@ -0,0 +1,39 @@ +:original_name: vpc_vpc02_0007.html + +.. _vpc_vpc02_0007: + +Deleting a VPC +============== + +Scenarios +--------- + +You can delete a VPC if the VPC is no longer required. + +You can delete a VPC only if there are no resources in the VPC. If there are resources in the VPC, you must delete those resources before you can delete the VPC. + +A VPC cannot be deleted if it contains subnets, Direct Connect connections, custom routes, VPC peering connections, or VPNs. To delete the VPC, you must first delete or disable the following resources. + +- Subnets. For details, see section :ref:`Deleting a Subnet `. +- VPNs. For details, see *Virtual Private Network User Guide*. +- Direct Connect connections. For details, see the *Direct Connect User Guide*. +- Custom routes. For details, see section :ref:`Deleting a Route `. +- VPC peering connections. For details, see section :ref:`Deleting a VPC Peering Connection `. + +Notes and Constraints +--------------------- + +If there are any EIPs or security groups, the last VPC cannot be deleted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, click **Virtual Private Cloud**. +5. On the **Virtual Private Cloud** page, locate the row that contains the VPC to be deleted and click **Delete** in the **Operation** column. +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/exporting_vpc_list.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/exporting_vpc_list.rst new file mode 100644 index 0000000..560b1ff --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/exporting_vpc_list.rst 
@@ -0,0 +1,29 @@ +:original_name: vpc_vpc02_0010.html + +.. _vpc_vpc02_0010: + +Exporting VPC List +================== + +Scenarios +--------- + +Information about all VPCs under your account can be exported as an Excel file to a local directory. This file records the names, ID, status, IP address ranges of VPCs, and the number of subnets. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **Virtual Private Cloud**. + +5. In the upper right corner of the VPC list, click |image2|. + + The system will automatically export information about all VPCs under your account in the current region. They will be exported in Excel format. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0233469654.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/index.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/index.rst new file mode 100644 index 0000000..4d69f5f --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/index.rst @@ -0,0 +1,30 @@ +:original_name: vpc_vpc02_0000.html + +.. _vpc_vpc02_0000: + +VPC and Subnet +============== + +- :ref:`Creating a VPC ` +- :ref:`Modifying a VPC ` +- :ref:`Creating a Subnet for the VPC ` +- :ref:`Modifying a Subnet ` +- :ref:`Deleting a Subnet ` +- :ref:`Deleting a VPC ` +- :ref:`Managing VPC Tags ` +- :ref:`Managing Subnet Tags ` +- :ref:`Exporting VPC List ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + creating_a_vpc + modifying_a_vpc + creating_a_subnet_for_the_vpc + modifying_a_subnet + deleting_a_subnet + deleting_a_vpc + managing_vpc_tags + managing_subnet_tags + exporting_vpc_list 
diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/managing_subnet_tags.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/managing_subnet_tags.rst new file mode 100644 index 0000000..28d06a1 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/managing_subnet_tags.rst 
@@ -0,0 +1,97 @@ +:original_name: vpc_vpc02_0009.html + +.. _vpc_vpc02_0009: + +Managing Subnet Tags +==================== + +Scenarios +--------- + +A subnet tag identifies a subnet. Tags can be added to subnets to facilitate subnet identification and administration. You can add a tag to a subnet when creating the subnet, or you can add a tag to a created subnet on the subnet details page. A maximum of 20 tags can be added to each subnet. + +A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. + +.. _vpc_vpc02_0009__en-us_topic_0118498932_ted9687ca14074ef785241145365a6175: + +.. table:: **Table 1** Subnet tag key and value requirements + + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+=====================================================================+=======================+ + | Key | - Cannot be left blank. | subnet_key1 | + | | - Must be unique for each subnet. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. 
| subnet-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+---------------------------------------------------------------------+-----------------------+ + +Procedure +--------- + +**Search for subnets by tag key and value on the page showing the subnet list.** + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. Under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. On the **Virtual Private Cloud** page, locate the VPC containing the target subnet and click the VPC name. + +#. In the upper right corner of the subnet list, click **Search by Tag**. + +#. Enter the tag key of the subnet to be queried. + + Both the tag key and value must be specified. The system automatically displays the subnets you are looking for if both the tag key and value are matched. + +#. Click **+** to specify additional tag keys and values. + + You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for subnets, the subnets containing all specified tags will be displayed. + +#. Click **Search**. + + The system displays the subnets you are looking for based on the entered tag keys and values. + +**Add, delete, edit, and view tags on the Tags tab of a subnet.** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. Under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. On the **Virtual Private Cloud** page, locate the VPC containing the target subnet and click the VPC name. +#. Click the name of the target subnet. +#. 
On the subnet details page, click the **Tags** tab and perform desired operations on tags. + + - View tags. + + On the **Tags** tab, you can view details about tags added to the current subnet, including the number of tags and the key and value of each tag. + + - Add a tag. + + Click **Add Tag** in the upper left corner. In the displayed **Add Tag** dialog box, enter the tag key and value, and click **OK**. + + - Edit a tag. + + Locate the row that contains the tag to be edited, and click **Edit** in the **Operation** column. Enter the new tag key and value, and click **OK**. + + - Delete a tag. + + Locate the row that contains the tag to be deleted, and click **Delete** in the **Operation** column. In the displayed **Delete Tag** dialog box, click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0226829589.png +.. |image2| image:: /_static/images/en-us_image_0226829587.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/managing_vpc_tags.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/managing_vpc_tags.rst new file mode 100644 index 0000000..c5bbacb --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/managing_vpc_tags.rst 
@@ -0,0 +1,101 @@ +:original_name: vpc_vpc02_0008.html + +.. _vpc_vpc02_0008: + +Managing VPC Tags +================= + +Scenarios +--------- + +A VPC tag identifies a VPC. Tags can be added to VPCs to facilitate VPC identification and management. You can add a tag to a VPC when creating the VPC, or you can add a tag to a created VPC on the VPC details page. A maximum of 20 tags can be added to each VPC. + +A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. + +.. _vpc_vpc02_0008__en-us_topic_0118498924_ted9687ca14074ef785241145365a6175: + +.. table:: **Table 1** VPC tag key and value requirements + + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+============================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for the same VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. 
| vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+----------------------------------------------------------------------------+-----------------------+ + +Procedure +--------- + +**Search for VPCs by tag key and value on the page showing the VPC list.** + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. In the upper right corner of the VPC list, click **Search by Tag**. + +#. In the displayed area, enter the tag key and value of the VPC you are looking for. + + Both the tag key and value must be specified. The system automatically displays the VPCs you are looking for if both the tag key and value are matched. + +#. Click + to add more tag keys and values. + + You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed. + +#. Click **Search**. + + The system displays the VPCs you are looking for based on the entered tag keys and values. + +**Add, delete, edit, and view tags on the Tags tab of a VPC.** + +#. Log in to the management console. + +#. Click |image2| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. On the **Virtual Private Cloud** page, locate the VPC whose tags are to be managed and click the VPC name. + + The page showing details about the particular VPC is displayed. + +#. 
Click the **Tags** tab and perform desired operations on tags. + + - View tags. + + On the **Tags** tab, you can view details about tags added to the current VPC, including the number of tags and the key and value of each tag. + + - Add a tag. + + Click **Add Tag** in the upper left corner. In the displayed **Add Tag** dialog box, enter the tag key and value, and click **OK**. + + - Edit a tag. + + Locate the row that contains the tag you want to edit and click **Edit** in the **Operation** column. In the **Edit Tag** dialog box, change the tag value and click **OK**. + + - Delete a tag. + + Locate the row that contains the tag you want to delete, and click **Delete** in the **Operation** column. In the displayed dialog box, click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/modifying_a_subnet.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/modifying_a_subnet.rst new file mode 100644 index 0000000..c3fa6d5 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/modifying_a_subnet.rst 
@@ -0,0 +1,60 @@ +:original_name: vpc_vpc02_0005.html + +.. _vpc_vpc02_0005: + +Modifying a Subnet +================== + +Scenarios +--------- + +Modify the subnet name, NTP server address, and DNS server address. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. On the **Virtual Private Cloud** page, locate the VPC for which a subnet is to be modified and click the VPC name. + +#. In the subnet list, locate the target subnet and click **Modify**. Modify the parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0226829586.png + :alt: **Figure 1** Modify Subnet + + + **Figure 1** Modify Subnet + + .. table:: **Table 1** Parameter description + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================================================================================================================================+=======================+ + | Name | Specifies the subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | NTP Server Address | Specifies the IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + | | | | + | | .. note:: | | + | | | | + | | - If you add or change the NTP server addresses of a subnet, you need to renew the DHCP lease for or restart all the ECSs in the subnet to make the change take effect immediately. | | + | | - If the NTP server addresses have been cleared out, restarting the ECSs will not help. You must renew the DHCP lease for all ECSs to make the change take effect immediately. 
| | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0226829591.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_and_subnet/modifying_a_vpc.rst b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/modifying_a_vpc.rst new file mode 100644 index 0000000..ce108a6 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_and_subnet/modifying_a_vpc.rst 
@@ -0,0 +1,71 @@ +:original_name: vpc_vpc02_0003.html + +.. _vpc_vpc02_0003: + +Modifying a VPC +=============== + +Scenarios +--------- + +Change the VPC name and CIDR block. + +If the VPC CIDR block conflicts with the CIDR block of a VPN created in the VPC, you can modify its CIDR block. + +Notes and Constraints +--------------------- + +- When modifying the VPC CIDR block: + + - The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255 + - If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks. + +When modifying the VPC CIDR block: + +- The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255 +- If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks. + +Procedure +--------- + +**Modifying the VPC CIDR Block** + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **Virtual Private Cloud**. + +#. On the **Virtual Private Cloud** page, locate the row that contains the VPC to be modified and click **Edit CIDR Block** in the **Operation** column. + +#. Set a new CIDR block. + + + .. figure:: /_static/images/en-us_image_0000001286573614.png + :alt: **Figure 1** Edit CIDR Block + + + **Figure 1** Edit CIDR Block + +#. Click **OK**. + +**Modifying a VPC** + +#. Log in to the management console. +#. Click |image2| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. 
Modify the basic information about a VPC using either of the following methods : + + - In the VPC list, click |image3| on the right of the VPC name to change the VPC name. + + - In the VPC list, click the VPC name. + + On the VPC details page, click |image4| next to the VPC name or description to change the VPC name or description. + +.. |image1| image:: /_static/images/en-us_image_0000001338933333.png +.. |image2| image:: /_static/images/en-us_image_0141273034.png +.. |image3| image:: /_static/images/en-us_image_0000001222749226.png +.. |image4| image:: /_static/images/en-us_image_0000001222749910.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_flow_log/creating_a_vpc_flow_log.rst b/umn/source/operation_guide_old_console_edition/vpc_flow_log/creating_a_vpc_flow_log.rst new file mode 100644 index 0000000..89096d4 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_flow_log/creating_a_vpc_flow_log.rst 
@@ -0,0 +1,79 @@ +:original_name: vpc_FlowLog02_0002.html + +.. _vpc_FlowLog02_0002: + +Creating a VPC Flow Log +======================= + +Scenarios +--------- + +A VPC flow log records information about the traffic going to and from a VPC. + +Prerequisites +------------- + +Ensure that the following operations have been performed on the LTS console: + +- Create a log group. +- Create a log topic. + +For more information about the LTS service, see the *Log Tank Service User Guide*. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **VPC Flow Logs**. + +5. In the upper right corner, click **Create VPC Flow Log**. On the displayed page, configure parameters as prompted. + + + .. figure:: /_static/images/en-us_image_0191544038.png + :alt: **Figure 1** Create VPC Flow Log + + + **Figure 1** Create VPC Flow Log + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+============================================================================================================================================================================================================================================================+=======================+ + | Name | The VPC flow log name. | flowlog-495d | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Resource Type | The type of resources whose traffic is to be logged. You can select **NIC**, **Subnet**, or **VPC**. | NIC | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Resource | The specific NIC whose traffic is to be logged. | N/A | + | | | | + | | .. note:: | | + | | | | + | | We recommend that you select an ECS that is in the running state. If an ECS in the stopped state is selected, restart the ECS after creating the VPC flow log for accurately recording the information about the traffic going to and from the ECS NIC. | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Filter | - **All traffic**: specifies that both accepted and rejected traffic of the specified resource will be logged. | All | + | | - **Accepted traffic**: specifies that only accepted traffic of the specified resource will be logged. Accepted traffic refers to the traffic permitted by the security group or firewall. | | + | | - **Rejected traffic**: specifies that only rejected traffic of the specified resource will be logged. Rejected traffic refers to the traffic denied by the firewall. 
| | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Log Group | The log group created in LTS. | lts-group-wule | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Log Topic | The log topic created in LTS. | LogTopic1 | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the VPC flow log. This parameter is optional. | N/A | + | | | | + | | The VPC flow log description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. note:: + + Only two flow logs, each with a different filter, can be created for a single resource under the same log group and log topic. Each VPC flow log must be unique. + +6. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
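Review bot: In creating_a_vpc_flow_log.rst, Table 1 describes Resource as "The specific NIC whose traffic is to be logged" although Resource Type allows NIC, Subnet or VPC; reword to cover all three and say whether the note about stopped ECSs applies to the subnet and VPC cases. The Filter row defines accepted traffic as permitted by "the security group or firewall" but rejected traffic as denied by "the firewall" only; if traffic dropped by a security group is not logged as rejected, state that explicitly, because vpc_flow_log_overview.rst tells readers to use flow logs to decide whether security group rules need modification, and the action field in viewing_a_vpc_flow_log.rst has the same asymmetry. The note "Only two flow logs, each with a different filter, can be created for a single resource" is ambiguous with three filter values; say which combinations are allowed. Finally, the procedure mixes the auto-enumerator `#.` for step 1 with explicit `2.` to `6.`; docutils closes the list at the switch and starts a second list with start=2, so use `#.` throughout as modifying_a_vpc.rst does (the same applies to the deleting, enabling/disabling, viewing and my-account peering files in this change).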
diff --git a/umn/source/operation_guide_old_console_edition/vpc_flow_log/deleting_a_vpc_flow_log.rst b/umn/source/operation_guide_old_console_edition/vpc_flow_log/deleting_a_vpc_flow_log.rst new file mode 100644 index 0000000..f20ed5a --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_flow_log/deleting_a_vpc_flow_log.rst @@ -0,0 +1,39 @@ +:original_name: vpc_FlowLog02_0005.html + +.. _vpc_FlowLog02_0005: + +Deleting a VPC Flow Log +======================= + +Scenarios +--------- + +Delete a VPC flow log that is not required. Deleting a VPC flow log will not delete the existing flow log records in LTS. + +.. note:: + + If a NIC that uses a VPC flow log is deleted, the flow log will be automatically deleted. However, the flow log records are not deleted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **VPC Flow Logs**. + +5. Locate the row that contains the VPC flow log to be deleted and click **Delete** in the **Operation** column. + + + .. figure:: /_static/images/en-us_image_0191594527.png + :alt: **Figure 1** Deleting a VPC flow log + + + **Figure 1** Deleting a VPC flow log + +6. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst b/umn/source/operation_guide_old_console_edition/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst new file mode 100644 index 0000000..c4af0ed --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst 
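Review bot: In deleting_a_vpc_flow_log.rst, the note covers only the NIC case ("If a NIC that uses a VPC flow log is deleted, the flow log will be automatically deleted"); since creating_a_vpc_flow_log.rst allows Subnet and VPC as resource types, state whether deleting a subnet or a VPC removes its flow log in the same way. The Scenarios sentence "will not delete the existing flow log records in LTS" is the only hint that the records survive; add where they remain (the LTS log group and log topic chosen at creation) so a reader doing incident review knows the evidence is kept and where to find it after the flow log object is gone.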
@@ -0,0 +1,25 @@ +:original_name: vpc_FlowLog02_0004.html + +.. _vpc_FlowLog02_0004: + +Enabling or Disabling VPC Flow Log +================================== + +Scenarios +--------- + +After a VPC flow log is created, the VPC flow log is automatically enabled. If you do not need to record traffic data, you can disable the corresponding VPC flow log. The disabled VPC flow log can be enabled again. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, choose **VPC Flow Logs**. +5. Locate the VPC flow log to be enabled or disabled, and click **Enable** or **Disable** in the **Operation** column. +6. Click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_flow_log/index.rst b/umn/source/operation_guide_old_console_edition/vpc_flow_log/index.rst new file mode 100644 index 0000000..396b0a7 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_flow_log/index.rst @@ -0,0 +1,22 @@ +:original_name: vpc_FlowLog02_0000.html + +.. _vpc_FlowLog02_0000: + +VPC Flow Log +============ + +- :ref:`VPC Flow Log Overview ` +- :ref:`Creating a VPC Flow Log ` +- :ref:`Viewing a VPC Flow Log ` +- :ref:`Enabling or Disabling VPC Flow Log ` +- :ref:`Deleting a VPC Flow Log ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + vpc_flow_log_overview + creating_a_vpc_flow_log + viewing_a_vpc_flow_log + enabling_or_disabling_vpc_flow_log + deleting_a_vpc_flow_log diff --git a/umn/source/operation_guide_old_console_edition/vpc_flow_log/viewing_a_vpc_flow_log.rst b/umn/source/operation_guide_old_console_edition/vpc_flow_log/viewing_a_vpc_flow_log.rst new file mode 100644 index 0000000..6adf6dc --- /dev/null 
+++ b/umn/source/operation_guide_old_console_edition/vpc_flow_log/viewing_a_vpc_flow_log.rst 
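Review bot: In enabling_or_disabling_vpc_flow_log.rst, steps 5 and 6 say "click Enable or Disable" and then "Click Yes" without naming the confirmation dialog that the other flow-log procedures mention ("Click Yes in the displayed dialog box"); align the wording. Since the Scenarios paragraph says disabling stops the recording of traffic data, add a sentence that records already written to LTS remain available and that no records are produced while the flow log is disabled, so readers correlating logs later understand the gap in the capture windows rather than reading it as missing traffic.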
@@ -0,0 +1,123 @@ +:original_name: vpc_FlowLog02_0003.html + +.. _vpc_FlowLog02_0003: + +Viewing a VPC Flow Log +====================== + +Scenarios +--------- + +View information about your flow log record. + +The capture window is approximately 10 minutes, which indicates that a flow log record will be generated every 10 minutes. After creating a VPC flow log, you need to wait about 10 minutes before you can view the flow log record. + +.. note:: + + If an ECS is in the stopped state, its flow log records will not be displayed. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, choose **VPC Flow Logs**. + +5. Locate the target VPC flow log and click **View Log Record** in the **Operation** column to view information about the flow log record in LTS. + + + .. figure:: /_static/images/en-us_image_0191577030.png + :alt: **Figure 1** Viewing a log record + + + **Figure 1** Viewing a log record + + + .. figure:: /_static/images/en-us_image_0191588554.png + :alt: **Figure 2** Flow log record + + + **Figure 2** Flow log record + + The flow log record is in the following format: + + .. code-block:: + + + + Example 1: The following is an example of a flow log record in which data was recorded during the capture window: + + .. code-block:: + + 1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd 192.168.0.154 192.168.3.25 38929 53 17 1 96 1548752136 1548752736 ACCEPT OK + + Value **1** indicates the VPC flow log version. Traffic with a size of 96 bytes to NIC **1d515d18-1b36-47dc-a983-bd6512aed4bd** during the past 10 minutes (from 16:55:36 to 17:05:36 on January 29, 2019) was allowed. 
A data packet was transmitted over the UDP protocol from source IP address **192.168.0.154** and port **38929** to destination IP address **192.168.3.25** and port **53**. + + Example 2: The following is an example of a flow log record in which no data was recorded during the capture window: + + .. code-block:: + + 1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - - 1431280876 1431280934 - NODATA + + Example 3: The following is an example of a flow log record in which data was skipped during the capture window: + + .. code-block:: + + 1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - - 1431280876 1431280934 - SKIPDATA + + :ref:`Table 1 ` describes the fields of a flow log record. + + .. _vpc_flowlog02_0003__en-us_topic_0151016582_table1313851722313: + + .. table:: **Table 1** Log field description + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Field | Description | Example Value | + +=======================+===============================================================================================================================================================================================================================================================================================================================================+======================================+ + | version | The VPC flow log version. 
| 1 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | project-id | The project ID. | 5f67944957444bd6bb4fe3b367de8f3d | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | interface-id | The ID of the NIC for which the traffic is recorded. | 1d515d18-1b36-47dc-a983-bd6512aed4bd | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | srcaddr | The source IP address. | 192.168.0.154 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | dstaddr | The destination IP address. 
| 192.168.3.25 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | srcport | The source port. | 38929 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | dstport | The destination port. | 53 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | protocol | The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For details, see `Assigned Internet Protocol Numbers `__. | 17 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | packets | The number of packets transferred during the capture window. 
| 1 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | bytes | The number of bytes transferred during the capture window. | 96 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | start | The time, in Unix seconds, of the start of the capture window. | 1548752136 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | end | The time, in Unix seconds, of the end of the capture window. 
| 1548752736 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | action | The action associated with the traffic: | ACCEPT | + | | | | + | | - **ACCEPT**: The recorded traffic was allowed by the security groups or firewalls. | | + | | - **REJECT**: The recorded traffic was denied by the firewalls. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | log-status | The logging status of the VPC flow log: | OK | + | | | | + | | - **OK**: Data is logging normally to the chosen destinations. | | + | | - **NODATA**: There was no traffic of the **Filter** setting to or from the NIC during the capture window. | | + | | - **SKIPDATA**: Some flow log records were skipped during the capture window. This may be caused by an internal capacity constraint or an internal error. | | + | | | | + | | Example: | | + | | | | + | | When **Filter** is set to **Accepted traffic**, if there is accepted traffic, the value of **log-status** is **OK**. If there is no accepted traffic, the value of **log-status** is **NODATA** regardless of whether there is rejected traffic. If some accepted traffic is abnormally skipped, the value of **log-status** is **SKIPDATA**. 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + +You can enter a keyword on the log topic details page on the LTS console to search for flow log records. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_flow_log/vpc_flow_log_overview.rst b/umn/source/operation_guide_old_console_edition/vpc_flow_log/vpc_flow_log_overview.rst new file mode 100644 index 0000000..f638549 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_flow_log/vpc_flow_log_overview.rst 
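Review bot: In viewing_a_vpc_flow_log.rst, Examples 2 and 3 use start/end values 1431280876 and 1431280934, a 58-second window in 2015, which contradicts the stated capture window of "approximately 10 minutes" and the 2019 timestamps of Example 1; use the same 600-second window (for example `1548752136 1548752736`) in all three records. The explanation of Example 1 renders 1548752136 as "16:55:36 on January 29, 2019", which is UTC+8; that instant is 08:55:36 UTC, so state the time zone or quote UTC, otherwise readers correlating flow logs with other timestamped sources will be eight hours off. The same paragraph says the traffic went "to NIC 1d515d18-..." although the record only shows a flow from 192.168.0.154:38929 to 192.168.3.25:53; say the record does not by itself show which side the NIC is on, or phrase it as traffic on that NIC.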
@@ -0,0 +1,25 @@ +:original_name: vpc_FlowLog02_0001.html + +.. _vpc_FlowLog02_0001: + +VPC Flow Log Overview +===================== + +A VPC flow log records information about the traffic going to and from a VPC. VPC flow logs help you monitor network traffic, analyze network attacks, and determine whether security group and firewall rules require modification. + +VPC flow logs must be used together with the Log Tank Service (LTS). Before you create a VPC flow log, you need to create a log group and a log topic in LTS. :ref:`Figure 1 ` shows the process for configuring the VPC flow log function. + +.. _vpc_flowlog02_0001__en-us_topic_0151014680_fig1535115691415: + +.. figure:: /_static/images/en-us_image_0162336264.png + :alt: **Figure 1** Configuring the VPC flow log function + + + **Figure 1** Configuring the VPC flow log function + +Notes and Constraints +--------------------- + +- Currently, only C3, M3, and S2 ECSs support VPC flow logs. +- By default, you can create a maximum of 10 VPC flow logs. +- By default, a maximum of 400,000 flow log records are supported. diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst new file mode 100644 index 0000000..16b581d --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst 
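Review bot: In vpc_flow_log_overview.rst, the constraint "By default, a maximum of 400,000 flow log records are supported" has no scope: per flow log, per log topic, per account, or per capture window? State which, and likewise whether the limit of 10 VPC flow logs is per account, per region or per project; both numbers decide whether a team can log every NIC it cares about and how quickly a detection pipeline reading from LTS will hit the ceiling. The constraint "only C3, M3, and S2 ECSs support VPC flow logs" should also say what happens when a flow log is created on a subnet or VPC that contains other ECS types, since creating_a_vpc_flow_log.rst allows those resource types.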
@@ -0,0 +1,158 @@ +:original_name: vpc_peering02_0004.html + +.. _vpc_peering02_0004: + +Creating a VPC Peering Connection with a VPC in Another Account +=============================================================== + +Scenarios +--------- + +The VPC service also allows you to create a VPC peering connection with a VPC in another account. The two VPCs must be in the same region. If you request a VPC peering connection with a VPC in another account in the same region, the owner of the peer account must accept the request to activate the connection. + +Creating a VPC Peering Connection +--------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **VPC Peering**. + +#. In the right pane displayed, click **Create VPC Peering Connection**. + +#. Configure parameters as prompted. You must select **Another account** for **Account**. + + + .. figure:: /_static/images/en-us_image_0226829595.png + :alt: **Figure 1** Create VPC Peering Connection + + + **Figure 1** Create VPC Peering Connection + + .. table:: **Table 1** Parameter description + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=======================+============================================================================================================================================+======================================+ + | Name | Specifies the name of the VPC peering connection. | peering-001 | + | | | | + | | The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_). 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC | Specifies the local VPC. You can select one from the drop-down list. | vpc_002 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Account | Specifies the account to which the VPC to peer with belongs. | Another account | + | | | | + | | - **My account**: The VPC peering connection will be created between two VPCs, in the same region, in your account. | | + | | - **Another account**: The VPC peering connection will be created between your VPC and a VPC in another account, in the same region. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer Project ID | This parameter is available only when **Another account** is selected. | - | + | | | | + | | For details about how to obtain the peer project ID, see :ref:`Obtaining the Peer Project ID `. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC ID | This parameter is available only when **Another account** is selected. | 65d062b3-40fa-4204-8181-3538f527d2ab | + | | | | + | | For details about how to obtain the peer VPC ID, see :ref:`Obtaining the Peer VPC ID `. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + +#. Click **OK**. 
+ +Accepting a VPC Peering Connection Request +------------------------------------------ + +To request a VPC peering connection with a VPC in another account, the owner of the peer account must accept the request to activate the connection. + +#. The owner of the peer account logs in to the management console. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **VPC Peering**. + +#. In the VPC peering connection list, locate the row that contains the target VPC peering connection and click **Accept Request** in the **Operation** column. + + + .. figure:: /_static/images/en-us_image_0162391155.png + :alt: **Figure 2** VPC peering connection list + + + **Figure 2** VPC peering connection list + +#. Click **Yes** in the displayed dialog box. + +Refusing a VPC Peering Connection +--------------------------------- + +The owner of the peer account can reject any VPC peering connection request that they receive. If a VPC peering connection request is rejected, the connection will not be established. You must delete the rejected VPC peering connection request before creating a VPC peering connection between the same VPCs as those in the rejected request. + +#. The owner of the peer account logs in to the management console. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **VPC Peering**. +#. In the VPC peering connection list, locate the row that contains the target VPC peering connection and click **Reject Request** in the **Operation** column. +#. Click **Yes** in the displayed dialog box. + +Adding Routes for the VPC Peering Connection +-------------------------------------------- + +If you request a VPC peering connection with a VPC in another account, the owner of the peer account must accept the request. To enable communication between the two VPCs, you need to add routes for the VPC peering connection. 
The owner of the local account can add only the local route because the owner does not have the required permission to perform operations on the peer VPC. The owner of the peer account must add the peer route. The procedure for adding a local route and a peer route is the same. + +#. Log in to the management console. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **VPC Peering**. + +#. Locate the target VPC peering connection in the connection list. + +#. Click the name of the VPC peering connection to switch to the page showing details about the connection. + +#. On the displayed page, click the **Local Routes** tab. + +#. In the displayed **Local Routes** area, click **Add Local Route**. In the displayed dialog box, add a local route. :ref:`Table 2 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0226820459.png + :alt: **Figure 3** Add Local Route + + + **Figure 3** Add Local Route + + .. _vpc_peering02_0004__en-us_topic_0118498933_en-us_topic_0118498960_table1626072032518: + + .. table:: **Table 2** Route parameter description + + +-------------+-------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=============+=============================================================================================================+======================================+ + | Destination | Specifies the destination address. Set it to the peer VPC or subnet CIDR block. | 192.168.2.0/24 | + +-------------+-------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Next Hop | Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value. 
| d1a7863b-9d5e-4d27-8eaf-ab14d2a9148b | + +-------------+-------------------------------------------------------------------------------------------------------------+--------------------------------------+ + +#. Click **OK**. + +After the VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the **ping** command to check whether the two VPCs can communicate with each other. + +If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? ` + +.. _vpc_peering02_0004__section41291933224121: + +Obtaining the Peer Project ID +----------------------------- + +#. The owner of the peer account logs in to the management console. +#. Select **My Credentials** from the username drop-down list. +#. On the **Projects** tab, obtain the required project ID. + +.. _vpc_peering02_0004__section19734314164713: + +Obtaining the Peer VPC ID +------------------------- + +#. The owner of the peer account logs in to the management console. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **Virtual Private Cloud**. +#. Click the target VPC name and view VPC ID on the VPC details page. + +.. |image1| image:: /_static/images/en-us_image_0226829583.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst new file mode 100644 index 0000000..e1fedb0 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst 
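Review bot: In creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst, the sentence "After the VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses" follows the routing steps, but the preceding paragraph makes clear that traffic flows only once both the local route and the peer route exist; rephrase to "After both routes have been added". The heading "Refusing a VPC Peering Connection" does not match the button it describes ("Reject Request"); use "Rejecting". Because accepting a request from another account opens a private routed path into the peer VPC, the Accept step should tell the owner to confirm that the requesting project ID and local VPC shown for the connection match what was agreed with the requester before clicking Accept Request, rather than accepting any pending request. Finally, the Accept, Reject and Add Routes procedures omit the "select the desired region and project" step that the Create procedure has; since the Scenarios section requires both VPCs to be in the same region, keep that step in all four procedures.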
@@ -0,0 +1,124 @@ +:original_name: vpc_peering02_0003.html + +.. _vpc_peering02_0003: + +Creating a VPC Peering Connection with Another VPC in Your Account +================================================================== + +Scenarios +--------- + +To create a VPC peering connection, first create a request to peer with another VPC. You can request a VPC peering connection with another VPC in your account, but the two VPCs must be in the same region. The system automatically accepts the request. + +Prerequisites +------------- + +Two VPCs in the same region have been created. + +Creating a VPC Peering Connection +--------------------------------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the right pane displayed, click **Create VPC Peering Connection**. + +6. Configure parameters as prompted. You must select **My account** for **Account**. :ref:`Table 1 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0167839112.png + :alt: **Figure 1** Create VPC Peering Connection + + + **Figure 1** Create VPC Peering Connection + + .. _vpc_peering02_0003__en-us_topic_0118498960_table1215761020244: + + .. table:: **Table 1** Parameter descriptions + + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+==========================================================================================================================================================+=======================+ + | Name | The name of the VPC peering connection. 
| peering-001 | + | | | | + | | The name contains a maximum of 64 characters, which consist of letters, digits, hyphens (-), and underscores (_). | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Local VPC | The local VPC. You can select one from the drop-down list. | vpc_002 | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Local VPC CIDR Block | The CIDR block for the local VPC. | 192.168.10.0/24 | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Account | The account to which the peer VPC belongs. | My account | + | | | | + | | - **My account**: The VPC peering connection will be created between two VPCs, in the same region, in your account. | | + | | - **Another account**: The VPC peering connection will be created between your VPC and a VPC in another account, in the same region. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Peer Project | The peer project name. The project name of the current project is used by default. | aaa | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Peer VPC | The peer VPC. You can select one from the drop-down list if the VPC peering connection is created between two VPCs in your own account. 
| vpc_fab1 | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Peer VPC CIDR Block | The CIDR block for the peer VPC. | 192.168.2.0/24 | + | | | | + | | The local and peer VPCs cannot have matching or overlapping CIDR blocks. Otherwise, the routes added for the VPC peering connection may not take effect. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +7. Click **OK**. + +Adding Routes for the VPC Peering Connection +-------------------------------------------- + +If you request a VPC peering connection with another VPC in your own account, the system automatically accepts the request. To enable communication between the two VPCs, you need to add local and peer routes for the VPC peering connection. + +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +#. In the navigation pane on the left, click **VPC Peering**. + +#. Locate the target VPC peering connection in the connection list. + + + .. figure:: /_static/images/en-us_image_0226820452.png + :alt: **Figure 2** VPC peering connection list + + + **Figure 2** VPC peering connection list + +#. Click the name of the VPC peering connection to switch to the page showing details about the connection. + +#. In the displayed **Local Routes** area, click **Add Local Route**. In the displayed dialog box, add a local route. :ref:`Table 2 ` lists the parameters to be configured. + + + .. figure:: /_static/images/en-us_image_0226820455.png + :alt: **Figure 3** Add Local Route + + + **Figure 3** Add Local Route + + .. _vpc_peering02_0003__en-us_topic_0118498960_table1626072032518: + + .. 
table:: **Table 2** Route parameter description + + +-------------+-------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=============+=============================================================================================================+======================================+ + | Destination | Specifies the destination address. Set it to the peer VPC or subnet CIDR block. | 192.168.2.0/24 | + +-------------+-------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Next Hop | Specifies the next hop address. The default value is the VPC peering connection ID. Keep the default value. | d1a7863b-9d5e-4d27-8eaf-ab14d2a9148b | + +-------------+-------------------------------------------------------------------------------------------------------------+--------------------------------------+ + +#. Click **OK** to switch to the page showing the VPC peering connection details. + +#. On the displayed page, click the **Peer Routes** tab. + +#. In the displayed **Peer Routes** area, click **Add Peer Route** and add a route. + +#. Click **OK**. + +After a VPC peering connection is created, the two VPCs can communicate with each other through private IP addresses. You can run the **ping** command to check whether the two VPCs can communicate with each other. + +If two VPCs cannot communicate with each other, check the configuration by following the instructions provided in :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? ` + +.. |image1| image:: /_static/images/en-us_image_0141273034.png 
diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/deleting_a_vpc_peering_connection.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/deleting_a_vpc_peering_connection.rst new file mode 100644 index 0000000..5410d42 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/deleting_a_vpc_peering_connection.rst @@ -0,0 +1,37 @@ +:original_name: vpc_peering02_0007.html + +.. _vpc_peering02_0007: + +Deleting a VPC Peering Connection +================================= + +Scenarios +--------- + +The owners of both the local and peer accounts can delete a VPC peering connection in any state. After a VPC peering connection is deleted, routes configured for the connection will be automatically deleted as well. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name. + + + .. figure:: /_static/images/en-us_image_0162391187.png + :alt: **Figure 1** VPC peering connection list + + + **Figure 1** VPC peering connection list + +6. Locate the target VPC peering connection and click **Delete** in the **Operation** column. + +7. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/deleting_a_vpc_peering_route.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/deleting_a_vpc_peering_route.rst new file mode 100644 index 0000000..e285ba4 --- /dev/null 
+++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/deleting_a_vpc_peering_route.rst @@ -0,0 +1,29 @@ +:original_name: vpc_peering02_0010.html + +.. _vpc_peering02_0010: + +Deleting a VPC Peering Route +============================ + +Scenarios +--------- + +After routes are added for a VPC peering connection, the owners of both the local and peer accounts can delete the routes on the page showing details about the peering connection. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. On the console homepage, under **Network**, click **Virtual Private Cloud**. +#. In the navigation pane on the left, click **VPC Peering**. +#. Locate the target VPC peering connection in the connection list. +#. Click the name of the VPC peering connection to switch to the page showing details about the connection. +#. On the displayed page, click the **Local Routes** tab and view information about the local route added for the VPC peering connection. +#. On the **Local Routes** page, locate the target local route, and click **Delete** in the **Operation** column. +#. Click **Yes** in the displayed dialog box. +#. On the page showing details about the VPC peering connection, click the **Peer Routes** tab and view information about the peer route added for the VPC peering connection. +#. On the **Peer Routes** page, locate the target peer route, and click **Delete** in the **Operation** column. +#. Click **Yes** in the displayed dialog box. + +.. |image1| image:: /_static/images/en-us_image_0226820796.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/index.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/index.rst new file mode 100644 index 0000000..2226b57 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/index.rst 
@@ -0,0 +1,30 @@ +:original_name: vpc_peering02_0000.html + +.. _vpc_peering02_0000: + +VPC Peering Connection +====================== + +- :ref:`VPC Peering Connection Creation Procedure ` +- :ref:`VPC Peering Connection Configuration Plans ` +- :ref:`Creating a VPC Peering Connection with Another VPC in Your Account ` +- :ref:`Creating a VPC Peering Connection with a VPC in Another Account ` +- :ref:`Viewing VPC Peering Connections ` +- :ref:`Modifying a VPC Peering Connection ` +- :ref:`Deleting a VPC Peering Connection ` +- :ref:`Viewing Routes Configured for a VPC Peering Connection ` +- :ref:`Deleting a VPC Peering Route ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + vpc_peering_connection_creation_procedure + vpc_peering_connection_configuration_plans + creating_a_vpc_peering_connection_with_another_vpc_in_your_account + creating_a_vpc_peering_connection_with_a_vpc_in_another_account + viewing_vpc_peering_connections + modifying_a_vpc_peering_connection + deleting_a_vpc_peering_connection + viewing_routes_configured_for_a_vpc_peering_connection + deleting_a_vpc_peering_route diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/modifying_a_vpc_peering_connection.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/modifying_a_vpc_peering_connection.rst new file mode 100644 index 0000000..2abe7e3 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/modifying_a_vpc_peering_connection.rst 
@@ -0,0 +1,37 @@ +:original_name: vpc_peering02_0006.html + +.. _vpc_peering02_0006: + +Modifying a VPC Peering Connection +================================== + +Scenarios +--------- + +The owners of both the local and peer accounts can modify a VPC peering connection in any state. The VPC peering connection name can be changed. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name. + + + .. figure:: /_static/images/en-us_image_0162391187.png + :alt: **Figure 1** VPC peering connection list + + + **Figure 1** VPC peering connection list + +6. Locate the target VPC peering connection and click **Modify** in the **Operation** column. In the displayed dialog box, modify information about the VPC peering connection. + +7. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst new file mode 100644 index 0000000..1bff595 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst 
@@ -0,0 +1,26 @@ +:original_name: vpc_peering02_0008.html + +.. _vpc_peering02_0008: + +Viewing Routes Configured for a VPC Peering Connection +====================================================== + +Scenarios +--------- + +After routes are added for a VPC peering connection, the owners of both the local and peer accounts can view information about the routes on the page showing details about the VPC peering connection. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +4. In the navigation pane on the left, click **VPC Peering**. +5. Locate the target VPC peering connection in the connection list. +6. Click the name of the VPC peering connection to switch to the page showing details about the connection. +7. On the displayed page, click the **Local Routes** tab and view information about the local route added for the VPC peering connection. +8. On the page showing details about the VPC peering connection, click the **Peer Routes** tab and view information about the peer route added for the VPC peering connection. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/viewing_vpc_peering_connections.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/viewing_vpc_peering_connections.rst new file mode 100644 index 0000000..b48ead2 --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/viewing_vpc_peering_connections.rst 
@@ -0,0 +1,35 @@ +:original_name: vpc_peering02_0005.html + +.. _vpc_peering02_0005: + +Viewing VPC Peering Connections +=============================== + +Scenarios +--------- + +The owners of both the local and peer accounts can view information about the created VPC peering connections and those that are still waiting to be accepted. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. On the console homepage, under **Network**, click **Virtual Private Cloud**. + +4. In the navigation pane on the left, click **VPC Peering**. + +5. In the displayed pane on the right, view information about the VPC peering connections. You can search for specific VPC peering connections by connection status or by name. + + + .. figure:: /_static/images/en-us_image_0162391187.png + :alt: **Figure 1** VPC peering connection list + + + **Figure 1** VPC peering connection list + +6. Click the VPC peering connection name. On the displayed page, view detailed information about the VPC peering connection. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/vpc_peering_connection_configuration_plans.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/vpc_peering_connection_configuration_plans.rst new file mode 100644 index 0000000..3ad5f3a --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/vpc_peering_connection_configuration_plans.rst 
@@ -0,0 +1,78 @@ +:original_name: vpc_peering02_0002.html + +.. _vpc_peering02_0002: + +VPC Peering Connection Configuration Plans +========================================== + +To enable two VPCs in the same region to communicate with each other, you can create a VPC peering connection between them. The VPC and subnet CIDR blocks must meet the requirements in :ref:`Table 1 `. + +.. _vpc_peering02_0002__en-us_topic_0118499087_table461583720304: + +.. table:: **Table 1** Requirements for VPC and subnet CIDR blocks + + +-----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------+ + | Requirement | Description | + +=============================================================================+=================================================================================================================================================+ + | - VPC CIDR blocks do not overlap. | A VPC peering connection can enable communications between the entire VPC CIDR blocks. The destination of a route is a VPC CIDR block. | + | - There are no requirements on subnet CIDR blocks. | | + | | For details, see :ref:`Route Configurations for Connecting Entire VPCs `. | + +-----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------+ + | - VPC CIDR blocks overlap. | A VPC peering connection can enable communications between subnets in the VPCs. The destination of a route is a subnet CIDR block. | + | - Subnet CIDR blocks connected by a VPC peering connection cannot overlap. | | + | | For details, see :ref:`Route Configurations for Connecting Specific Subnets `. 
| + +-----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------+ + +.. _vpc_peering02_0002__en-us_topic_0118499087_section11900751101219: + +Route Configurations for Connecting Entire VPCs +----------------------------------------------- + +- Connections can be: + + - Between two VPCs + - Among multiple VPCs + +- If you need to configure routes that point to entire VPCs, none of the VPCs involved in VPC peering connections can overlap. Otherwise, VPC peering connections will not take effect because the routes will be unreachable. +- The destination of the route that points to an entire VPC is the CIDR block of the peer VPC, and the next hop is the VPC peering connection ID. + +.. _vpc_peering02_0002__en-us_topic_0118499087_section1370341061310: + +Route Configurations for Connecting Specific Subnets +---------------------------------------------------- + +If VPCs connected by a VPC peering connection have overlapping CIDR blocks, the connection can only enable communications between non-overlapping subnets in the VPCs. If subnets in the two VPCs of a VPC peering connection overlap with each other, the connection will not take effect. When you create a VPC peering connection, ensure that the VPCs involved do not contain overlapping subnets. + +For example, VPC 1 and VPC 2 have matching CIDR blocks, but the subnets in the two VPCs do not overlap. A VPC peering connection can be created between pairs of subnets that do not overlap with each other. The route table is used to control the specific subnets that the VPC peering connection is created for. :ref:`Figure 1 ` shows a VPC peering connection created between two subnets. Routes are required to enable communication between Subnet A in VPC 1 and Subnet X in VPC 2. + +.. _vpc_peering02_0002__en-us_topic_0118499087_fig95191521148: + +.. 
figure:: /_static/images/en-us_image_0194358487.png + :alt: **Figure 1** VPC peering connection between Subnet A and Subnet X + + + **Figure 1** VPC peering connection between Subnet A and Subnet X + +:ref:`Figure 2 ` shows the routes configured for the VPC peering connection between Subnet A and Subnet X. After the routes are configured, Subnet A and Subnet X can communicate with each other. + +.. _vpc_peering02_0002__en-us_topic_0118499087_fig13211186151514: + +.. figure:: /_static/images/en-us_image_0194358495.png + :alt: **Figure 2** Route tables for the VPC peering connection between Subnet A and Subnet X + + + **Figure 2** Route tables for the VPC peering connection between Subnet A and Subnet X + +If two VPCs have overlapping subnets, a VPC peering connection created between the two subnets will not take effect, and the subnets cannot communicate with each other. + +As shown in :ref:`Figure 3 `, a VPC peering connection is created between subnet A of VPC1 and subnet X of VPC2. Subnet B of VPC1 and subnet X of VPC2 overlap with each other. If the destination of a route in the route table of VPC1 is set to the CIDR block of subnet X in VPC2, this route will conflict with the system route of subnet B in VPC1. Subnet A preferentially accesses subnet B and the VPC peering connection does not take effect. + +.. _vpc_peering02_0002__en-us_topic_0118499087_fig1253173812157: + +.. figure:: /_static/images/en-us_image_0194358504.png + :alt: **Figure 3** Invalid VPC peering connection + + + **Figure 3** Invalid VPC peering connection + +If peering connections are used to link VPC 1 to multiple VPCs, for example, VPC 2, VPC 3, and VPC 4, the subnets of VPC 1 cannot overlap with those of VPC 2, VPC 3, and VPC 4. If VPC 2, VPC 3, and VPC 4 have overlapping subnets, a VPC peering connection can be created between only one of these overlapping subnets and a subnet of VPC 1. 
If a VPC peering connection is created between a subnet and the other *N* subnets, none of the subnets can overlap. diff --git a/umn/source/operation_guide_old_console_edition/vpc_peering_connection/vpc_peering_connection_creation_procedure.rst b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/vpc_peering_connection_creation_procedure.rst new file mode 100644 index 0000000..f9e06bd --- /dev/null +++ b/umn/source/operation_guide_old_console_edition/vpc_peering_connection/vpc_peering_connection_creation_procedure.rst 
@@ -0,0 +1,34 @@ +:original_name: vpc_peering02_0001.html + +.. _vpc_peering02_0001: + +VPC Peering Connection Creation Procedure +========================================= + +A VPC peering connection is a network connection between two VPCs in one region that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same region. You can create a VPC peering connection between your own VPCs, or between your VPC and another account's VPC within the same region. However, you cannot create a VPC peering connection between VPCs in different regions. + +- Creating a VPC peering connection between VPCs in your account + + + .. figure:: /_static/images/en-us_image_0162335561.png + :alt: **Figure 1** Creating a VPC peering connection between VPCs in your account + + + **Figure 1** Creating a VPC peering connection between VPCs in your account + + If you create a VPC peering connection between two VPCs in your account, the system accepts the connection by default. You need to add routes for the local and peer VPCs to enable communication between the two VPCs. + +- Creating a VPC peering connection with a VPC in another account + + + .. figure:: /_static/images/en-us_image_0162335565.png + :alt: **Figure 2** Creating a VPC peering connection with a VPC in another account + + + **Figure 2** Creating a VPC peering connection with a VPC in another account + + If you create a VPC peering connection between your VPC and a VPC that is in another account, the VPC peering connection will be in the **Awaiting acceptance** state. After the owner of the peer account accepts the connection, the connection status changes to **Accepted**. The owners of both the local and peer accounts must configure the routes required by the VPC peering connection to enable communication between the two VPCs. 
+ + If the local and peer VPCs have overlapping CIDR blocks, the routes added for the VPC peering connection may become invalid. Before creating a VPC peering connection between two VPCs that have overlapping CIDR blocks, ensure that none of the subnets in the two VPCs overlap. If none of the subnets in the two VPCs overlap, the VPC peering connection you created enables communication between subnets in the two VPCs. + + After a VPC peering connection is created, you can use the ping command to check whether the local network is connected. The ping command cannot be used to check whether the gateway of the peer subnet is connected. diff --git a/umn/source/service_overview/application_scenarios.rst b/umn/source/service_overview/application_scenarios.rst new file mode 100644 index 0000000..ffd6f2e --- /dev/null +++ b/umn/source/service_overview/application_scenarios.rst 
@@ -0,0 +1,18 @@ +:original_name: overview_0002.html + +.. _overview_0002: + +Application Scenarios +===================== + +- Hosting web applications + + You can host web applications and websites in a VPC and use the VPC as a regular network. With EIPs, you can connect ECSs running your web applications to the Internet. A VPN gateway is used to establish a VPN tunnel between the web applications and the service system on the cloud, ensuring high-speed communication between the website and the service system. + +- Hosting services that demand high security + + You can create a VPC and security groups to host multi-tier web applications in different security zones. You can associate web servers and database servers with different security groups and configure different access control rules for security groups. You can launch web servers in a publicly accessible subnet, and also run database servers in subnets that are not publicly accessible. In this way, you can ensure high security. + +- Extending your corporate network into the cloud + + You can establish a VPN connection between a VPC and a traditional data center to use the ECSs and block storage resources. Applications can be migrated to the cloud and additional web servers can be quickly deployed as needed when there is a spike in demand for computing resources. This way, less money has to be spent on IT and O&M and data is kept safer than in a traditional arrangement. A VPC can span multiple AZs, protecting from single points of failure and ensuring high availability for e-commerce systems. diff --git a/umn/source/service_overview/basic_concepts/elastic_ip.rst b/umn/source/service_overview/basic_concepts/elastic_ip.rst new file mode 100644 index 0000000..9db204e --- /dev/null +++ b/umn/source/service_overview/basic_concepts/elastic_ip.rst 
@@ -0,0 +1,17 @@ +:original_name: vpc_Concepts_0003.html + +.. _vpc_Concepts_0003: + +Elastic IP +========== + +The Elastic IP (EIP) service enables your cloud resources to communicate with the Internet using static public IP addresses and scalable bandwidths. EIPs can be bound to or unbound from ECSs, BMSs, virtual IP addresses, NAT gateways, or load balancers. + +Each EIP can be used by only one cloud resource at a time. + + +.. figure:: /_static/images/en-us_image_0209583952.png + :alt: **Figure 1** Accessing the Internet using an EIP + + + **Figure 1** Accessing the Internet using an EIP diff --git a/umn/source/service_overview/basic_concepts/firewall.rst b/umn/source/service_overview/basic_concepts/firewall.rst new file mode 100644 index 0000000..7580aca --- /dev/null +++ b/umn/source/service_overview/basic_concepts/firewall.rst @@ -0,0 +1,8 @@ +:original_name: en-us_topic_0051746676.html + +.. _en-us_topic_0051746676: + +Firewall +======== + +A firewall is an optional layer of security for your subnets. After you associate one or more subnets with a firewall, you can control traffic in and out of the subnets. diff --git a/umn/source/service_overview/basic_concepts/index.rst b/umn/source/service_overview/basic_concepts/index.rst new file mode 100644 index 0000000..48b47af --- /dev/null +++ b/umn/source/service_overview/basic_concepts/index.rst @@ -0,0 +1,32 @@ +:original_name: vpc_Concepts_0001.html + +.. _vpc_Concepts_0001: + +Basic Concepts +============== + +- :ref:`Subnet ` +- :ref:`Elastic IP ` +- :ref:`Route Table ` +- :ref:`SNAT ` +- :ref:`Security Group ` +- :ref:`Shared SNAT ` +- :ref:`VPC Peering Connection ` +- :ref:`Firewall ` +- :ref:`Virtual IP Address ` +- :ref:`Region and AZ ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + subnet + elastic_ip + route_table + snat + security_group + shared_snat + vpc_peering_connection + firewall + virtual_ip_address + region_and_az 
diff --git a/umn/source/service_overview/basic_concepts/region_and_az.rst b/umn/source/service_overview/basic_concepts/region_and_az.rst new file mode 100644 index 0000000..8eef7cd --- /dev/null +++ b/umn/source/service_overview/basic_concepts/region_and_az.rst @@ -0,0 +1,42 @@ +:original_name: overview_region.html + +.. _overview_region: + +Region and AZ +============= + +Concept +------- + +A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ. + +- A region is a physical data center, which is completely isolated to improve fault tolerance and stability. The region that is selected during resource creation cannot be changed after the resource is created. +- An AZ is a physical location where resources use independent power supplies and networks. A region contains one or more AZs that are physically isolated but interconnected through internal networks. Because AZs are isolated from each other, any fault that occurs in one AZ will not affect others. + +:ref:`Figure 1 ` shows the relationship between regions and AZs. + +.. _overview_region__en-us_topic_0171382832_en-us_topic_0184026189_fig8747114281212: + +.. figure:: /_static/images/en-us_image_0184026531.png + :alt: **Figure 1** Regions and AZs + + + **Figure 1** Regions and AZs + +Selecting a Region +------------------ + +Select a region closest to your target users for lower network latency and quick access. + +Selecting an AZ +--------------- + +When deploying resources, consider your applications' requirements on disaster recovery (DR) and network latency. + +- For high DR capability, deploy resources in different AZs within the same region. +- For lower network latency, deploy resources in the same AZ. + +Regions and Endpoints +--------------------- + +Before you use an API to call resources, specify its region and endpoint. For more details, see `Regions and Endpoints `__. 
diff --git a/umn/source/service_overview/basic_concepts/route_table.rst b/umn/source/service_overview/basic_concepts/route_table.rst new file mode 100644 index 0000000..0cc3a55 --- /dev/null +++ b/umn/source/service_overview/basic_concepts/route_table.rst 
@@ -0,0 +1,156 @@ +:original_name: en-us_topic_0038263963.html + +.. _en-us_topic_0038263963: + +Route Table +=========== + +Background +---------- + +VPC has old and new console editions. You can click |image1| in the lower right corner of the console to switch between the old and new consoles. + +- On the new console, the route table module is accessible from the navigation pane on the left, as shown in :ref:`Figure 1 `. For details, see :ref:`Route Table (New Console Edition) `, :ref:`Default Route Table and Custom Route Table `, and :ref:`Route `. + + .. _en-us_topic_0038263963__en-us_topic_0118498988_fig166812264154: + + .. figure:: /_static/images/en-us_image_0000001206933138.png + :alt: **Figure 1** New console + + + **Figure 1** New console + +- On the old console, the route table module is accessible from the VPC details page, as shown in :ref:`Figure 2 `. For details, see :ref:`Route Table (Old Console Edition) `. + + .. _en-us_topic_0038263963__en-us_topic_0118498988_fig1118575931512: + + .. figure:: /_static/images/en-us_image_0000001251773147.png + :alt: **Figure 2** Old console + + + **Figure 2** Old console + +.. _en-us_topic_0038263963__en-us_topic_0118498988_section22531339489: + +Route Table (New Console Edition) +--------------------------------- + +A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. You can associate a subnet with only one route table at a time, but you can associate multiple subnets with the same route table. + + +.. figure:: /_static/images/en-us_image_0000001229959315.png + :alt: **Figure 3** Route Table + + + **Figure 3** Route Table + +.. _en-us_topic_0038263963__en-us_topic_0118498988_section29931443171216: + +Default Route Table and Custom Route Table +------------------------------------------ + +When you create a VPC, the system automatically generates a default route table for the VPC. 
If you create a subnet in the VPC, the subnet automatically associates with the default route table. You can add, delete, and modify routes in the default route table, but you cannot delete the route table. When you create a VPN, Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. If you want to modify or delete the route, you can associate your subnet with a custom route table and replicate the route to the custom route table to modify or delete it. + +If you do not want to use the default route table, you can now create a custom route table and associate it with the subnet. Custom route tables can be deleted if they are no longer required. + +.. _en-us_topic_0038263963__en-us_topic_0118498988_section16240184933120: + +Route +----- + +A route is configured with the destination, next hop type, and next hop to determine where network traffic is directed. Routes are classified into system routes and custom routes. + +- System routes: These routes are automatically added by the system and cannot be modified or deleted. + + After a route table is created, the system automatically adds the following system routes to the route table, so that instances in a VPC can communicate with each other. + + - Routes whose destination is 100.64.0.0/10 or 198.19.128.0/20. + - Routes whose destination are the IPv4 and IPv6 CIDR blocks of subnets in the VPC. + + .. note:: + + In addition to the preceding system routes, the system automatically adds a route whose destination is 127.0.0.0/8. This is the local loopback address. + +- Custom routes: These are routes that you can add, modify, and delete. The destination of a custom route cannot overlap with that of a system route. + + You can add a custom route and configure the destination, next hop type, and next hop in the route to determine where network traffic is directed. :ref:`Table 1 ` lists the supported types of next hops. + + .. 
_en-us_topic_0038263963__en-us_topic_0118498988_en-us_topic_0121831807_table1727714140542: + + .. table:: **Table 1** Next hop type + + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Next Hop Type | Description | Supported Route Table | + +========================+==============================================================================================================================================================+========================+ + | Server | Traffic intended for the destination is forwarded to an ECS in the VPC. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Direct Connect gateway | Traffic intended for the destination is forwarded to a Direct Connect gateway. 
| Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | NAT gateway | Traffic intended for the destination is forwarded to a NAT gateway. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | VPC peering connection | Traffic intended for the destination is forwarded to a VPC peering connection. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + | Virtual IP address | Traffic intended for the destination is forwarded to a virtual IP address and then sent to active and standby ECSs to which the virtual IP address is bound. | - Default route table | + | | | - Custom route table | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ + + .. note:: + + If you specify the destination when creating a resource, a system route is delivered. If you do not specify a destination when creating a resource, a custom route that can be modified or deleted is delivered. + + For example, when you create a NAT gateway, the system automatically delivers a custom route without a specific destination (0.0.0.0/0 is used by default). In this case, you can change the destination. However, when you create a VPN connection or Direct Connect gateway, you need to specify the remote subnet, that is, the destination of a route. 
In this case, the system delivers this system route. Do not modify the route destination on the **Route Tables** page. If you do, the destination will be inconsistent with the configured remote subnet. To modify the route destination, go to the specific resource page and modify the remote subnet, then the route destination will be changed accordingly. + +.. _en-us_topic_0038263963__en-us_topic_0118498988_section1155203705018: + +Route Table (Old Console Edition) +--------------------------------- + +A route table contains a set of rules that determine where network traffic is directed. You can add routes to a route table to enable other ECSs in a VPC to access the Internet through the ECS that has a bound EIP. + +You can use a route table configured in standalone mode or active/standby mode. + +- :ref:`Figure 4 ` shows the route table configured in standalone mode. + + .. _en-us_topic_0038263963__en-us_topic_0118498988_fig15091812119: + + .. figure:: /_static/images/en-us_image_0209273220.png + :alt: **Figure 4** Route table configured in standalone mode + + + **Figure 4** Route table configured in standalone mode + + In standalone mode, ECSs in a VPC that do not have EIPs bound access the Internet through an ECS that has an EIP bound and has the SNAT function configured. + + You can create a route table for the VPC used by ECSs that do not have EIPs bound to enable these ECSs to access the Internet. The next hop in the route table is the private IP address of the ECS that has an EIP bound (that is the private IP address of the SNAT server). + +- :ref:`Figure 5 ` shows the route table configured in active/standby mode. + + .. _en-us_topic_0038263963__en-us_topic_0118498988_fig1588016299143: + + .. 
figure:: /_static/images/en-us_image_0118498947.png + :alt: **Figure 5** Route table configured in active/standby mode + + + **Figure 5** Route table configured in active/standby mode + + In active/standby mode, ECSs in a VPC that do not have EIPs bound access the Internet through two ECSs that have EIPs bound and have the SNAT function configured. + + In active/standby mode, you can add a route table for the VPC used by ECSs that do not have EIPs bound, to enable these ECSs to access the Internet. The next hop in the route table is the virtual IP address of the two ECSs that have EIPs bound. + +In both the standalone and active/standby modes, the ECSs that have EIPs bound must have the SNAT function. For details about the SNAT function, see :ref:`SNAT `. For details about how to configure an ECS as the SNAT server, see :ref:`Configuring an SNAT Server `. + +.. important:: + + - Before using the route table function, you need to deploy the SNAT server. For details, see section :ref:`Configuring an SNAT Server `. + - The ECS providing SNAT function can have only one NIC. + - The ECS providing SNAT function must have the source/destination check function disabled. + +.. |image1| image:: /_static/images/en-us_image_0000001207093220.png diff --git a/umn/source/service_overview/basic_concepts/security_group.rst b/umn/source/service_overview/basic_concepts/security_group.rst new file mode 100644 index 0000000..cb40f2c --- /dev/null +++ b/umn/source/service_overview/basic_concepts/security_group.rst 
@@ -0,0 +1,10 @@ +:original_name: vpc_Concepts_0005.html + +.. _vpc_Concepts_0005: + +Security Group +============== + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted within a VPC. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group. + +Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between cloud resources in the group. Your cloud resources in this security group can communicate with each other already without adding additional rules. diff --git a/umn/source/service_overview/basic_concepts/shared_snat.rst b/umn/source/service_overview/basic_concepts/shared_snat.rst new file mode 100644 index 0000000..288b782 --- /dev/null +++ b/umn/source/service_overview/basic_concepts/shared_snat.rst 
@@ -0,0 +1,62 @@ +:original_name: vpc_Concepts_0010.html + +.. _vpc_Concepts_0010: + +Shared SNAT +=========== + +The VPC service provides free SNAT function, which allows ECSs to use a limited number of public IP addresses to gain one-way access to the Internet for operations, such as updating software. However, Internet users cannot directly access the ECSs. + +:ref:`Figure 1 ` shows how shared SNAT works. The SNAT device forwards traffic from ECSs to the Internet and the response traffic from the Internet to the ECSs. When forwarding ECS traffic to the Internet, the SNAT device converts the source IP addresses (ECS private IP addresses) in the data packets into the public IP addresses set on the SNAT device. When processing the response packets from the Internet to the ECSs, the SNAT device changes the public IP addresses in the response data packets to the private IP addresses of the ECSs. + +.. _vpc_concepts_0010__en-us_topic_0118499016_f04fc5d5739d142e5b38d73f3746f6cad: + +.. figure:: /_static/images/en-us_image_0118499140.png + :alt: **Figure 1** SNAT function + + + **Figure 1** SNAT function + +- To enable shared SNAT using the API, set **enable_snat** to **true** by following the instructions provided in **Neutron** > **Routers** > **Update router** in the *Native OpenStack API Reference*. +- To enable shared SNAT on the management console: + + #. Log in to the management console. + #. On the console homepage, under **Network**, click **Virtual Private Cloud**. + #. On the **Virtual Private Cloud** page, locate the VPC for which shared SNAT is to be enabled, and click **Modify**. + #. In the displayed dialog box, enable **Shared SNAT**. + #. Click **OK**. + +After being configured for a VPC, shared SNAT takes effect for the whole VPC. If EIPs are bound to ECSs in a VPC for which shared SNAT is configured, Internet traffic is preferentially forwarded using the EIPs. 
If you want to prevent an ECS from connecting to the Internet, you can configure an outbound rule for the security group associated with the ECS. + +For example: + +To prevent an ECS from connecting to the Internet but allow the ECS to access 192.168.10.0/24, configure the following rule for the security group associated with the ECS: + +#. Delete the default outbound rule that allows all outgoing data packets from the security group. + + After this rule is deleted, ECSs associated with this security group are not allowed to access any network, including the internal networks in the VPC of the ECSs. + + + .. figure:: /_static/images/en-us_image_0152667656.png + :alt: **Figure 2** Deleting the default outbound rule from the security group + + + **Figure 2** Deleting the default outbound rule from the security group + +#. Add the required outbound rule. + + The following shows the added outbound rule that allows the ECS to access the 192.168.10.0/24 CIDR block. + + + .. figure:: /_static/images/en-us_image_0152668782.png + :alt: **Figure 3** Adding an outbound rule for the security group + + + **Figure 3** Adding an outbound rule for the security group + + The differences between shared SNAT and custom routes are as follows: + + - Shared SNAT provides the SNAT function for a specified VPC through an API or the management console and enables all ECSs in the VPC to gain one-way access to the Internet. + - A custom route enables ECSs to access the Internet through an SNAT server that has an EIP bound. The ECSs' access requests are routed to the SNAT server based on the route table. + - Shared SNAT takes effect for the whole VPC by default, while a custom route takes effect for the VPC or subnet for which routes have been configured. + - A custom route has a higher priority than a shared SNAT. diff --git a/umn/source/service_overview/basic_concepts/snat.rst b/umn/source/service_overview/basic_concepts/snat.rst new file mode 100644 index 0000000..7c5a8a2 --- /dev/null 
+++ b/umn/source/service_overview/basic_concepts/snat.rst @@ -0,0 +1,12 @@ +:original_name: vpc_Concepts_0004.html + +.. _vpc_Concepts_0004: + +SNAT +==== + +In addition to services provided by the system, some ECSs need to access the Internet to obtain information or download software. You can bind EIPs to virtual NICs (ports) of ECSs to enable the ECSs to access the Internet. However, assigning an EIP to each ECS consumes already-limited IPv4 addresses, incurs additional costs, and may increase the attack surface for a virtual environment. Therefore, SNAT is introduced to enable multiple ECSs to share one EIP. + +On a public cloud, an EIP can be assigned to an ECS that serves as the SNAT router or gateway for other ECSs from the same subnet or VPC. + +For details about how to configure SNAT, see :ref:`Configuring an SNAT Server `. diff --git a/umn/source/service_overview/basic_concepts/subnet.rst b/umn/source/service_overview/basic_concepts/subnet.rst new file mode 100644 index 0000000..39e5eaf --- /dev/null +++ b/umn/source/service_overview/basic_concepts/subnet.rst @@ -0,0 +1,20 @@ +:original_name: en-us_topic_0030969424.html + +.. _en-us_topic_0030969424: + +Subnet +====== + +A subnet is a unique CIDR block with a range of IP addresses in a VPC. All resources in a VPC must be deployed on subnets. + +- By default, ECSs in all subnets of the same VPC can communicate with one another, but ECSs in different VPCs cannot. + + You can create VPC peering connections to enable ECSs in different VPCs but in the same region to communicate with one another. For details, see :ref:`VPC Peering Connection Creation Procedure `. + +- After a subnet is created, its CIDR block cannot be modified. + + The subnets used to deploy your resources must reside within your VPC, and the subnet masks used to define them can be between the netmask of its VPC CIDR block and /29 netmask. + + - 10.0.0.0 – 10.255.255.255 + - 172.16.0.0 – 172.31.255.255 + - 192.168.0.0 – 192.168.255.255 
diff --git a/umn/source/service_overview/basic_concepts/virtual_ip_address.rst b/umn/source/service_overview/basic_concepts/virtual_ip_address.rst new file mode 100644 index 0000000..856f174 --- /dev/null +++ b/umn/source/service_overview/basic_concepts/virtual_ip_address.rst 
@@ -0,0 +1,58 @@ +:original_name: vpc_Concepts_0012.html + +.. _vpc_Concepts_0012: + +Virtual IP Address +================== + +A virtual IP address can be shared among multiple ECSs. An ECS can have both private and virtual IP addresses, and you can access the ECS through either IP address. A virtual IP address has the same network access capabilities as a private IP address, including layer 2 and layer 3 communication in VPCs, access between VPCs using VPC peering connections, as well as access through EIPs, VPN connections, and Direct Connect connections. + +You can bind ECSs deployed in active/standby mode with the same virtual IP address, and then bind an EIP to the virtual IP address. Virtual IP addresses can work together with Keepalived to ensure high availability and disaster recovery. If the active ECS is faulty, the standby ECS automatically takes over services from the active one. + +Networking +---------- + +Virtual IP addresses are used for high availability and can work together with Keepalived to make active/standby ECS switchover possible. This way if one ECS goes down for some reason, the other one can take over and services continue uninterrupted. ECSs can be configured for HA or as load balancing clusters. + +- **Networking mode 1**: HA + + If you want to improve service availability and avoid single points of failure, you can deploy ECSs in the active/standby mode or deploy one active ECS and multiple standby ECSs. In this arrangement, the ECSs all use the same virtual IP address. If the active ECS becomes faulty, a standby ECS takes over services from the active ECS and services continue uninterrupted. + + + .. figure:: /_static/images/en-us_image_0209608153.png + :alt: **Figure 1** Networking diagram of the HA mode + + + **Figure 1** Networking diagram of the HA mode + + - In this configuration, a single virtual IP address is bound to two ECSs in the same subnet. 
+ - Keepalived is then used to configure the two ECSs to work in the active/standby mode. Follow industry standards for configuring Keepalived. The details are not included here. + +- **Networking mode 2**: HA load balancing cluster + + If you want to build a high-availability load balancing cluster, use Keepalived and configure LVS nodes as direct routers. + + + .. figure:: /_static/images/en-us_image_0209608154.png + :alt: **Figure 2** HA load balancing cluster + + + **Figure 2** HA load balancing cluster + + - Bind a single virtual IP address to two ECSs. + - Configure the two ECSs as LVS nodes working as direct routers and use Keepalived to configure the nodes in the active/standby mode. The two ECSs will evenly forward requests to different backend servers. + - Configure two more ECSs as backend servers. + - Disable the source/destination check for the two backend servers. + + Follow industry standards for configuring Keepalived. The details are not included here. + +Application Scenarios +--------------------- + +- Accessing the virtual IP address through an EIP + + If your application has high availability requirements and needs to provide services through the Internet, it is recommended that you bind an EIP to a virtual IP address. + +- Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP address + + To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection. The VPC peering connection is needed so that the VPCs in the same region can communicate with each other. diff --git a/umn/source/service_overview/basic_concepts/vpc_peering_connection.rst b/umn/source/service_overview/basic_concepts/vpc_peering_connection.rst new file mode 100644 index 0000000..68837df --- /dev/null +++ b/umn/source/service_overview/basic_concepts/vpc_peering_connection.rst 
@@ -0,0 +1,18 @@ +:original_name: vpc_Concepts_0011.html + +.. _vpc_Concepts_0011: + +VPC Peering Connection +====================== + +A VPC peering connection is a network connection between two VPCs in one region that enables you to route traffic between them using private IP addresses. ECSs in either VPC can communicate with each other just as if they were in the same region. You can create a VPC peering connection between your own VPCs, or between your VPC and another account's VPC within the same region. However, you cannot create a VPC peering connection between VPCs in different regions. + +Each account can have a maximum of 50 VPC peering connections in each region by default. + +- VPC peering connections between VPCs in one account: Each account can create a maximum of 50 VPC peering connections in one region. + +- VPC peering connections between VPCs of different accounts: Accepted VPC peering connections use the quotas of both accounts. To-be-accepted VPC peering connections only use the quotas of accounts that request the connections. + + An account can create VPC peering connections with different accounts if the account has enough quota. + +For details about VPC peering connections, see :ref:`VPC Peering Connection `. diff --git a/umn/source/service_overview/document_usage_instructions.rst b/umn/source/service_overview/document_usage_instructions.rst new file mode 100644 index 0000000..c50beed --- /dev/null +++ b/umn/source/service_overview/document_usage_instructions.rst 
@@ -0,0 +1,22 @@ +:original_name: vpc_use_0001.html + +.. _vpc_use_0001: + +Document Usage Instructions +=========================== + +Instructions for using this document are as follows: + +- To facilitate your operations, the management console may provide more than one way for you to perform a task or an operation. This document describes only the main way. + +- You can click |image1| next to some parameter values to quickly edit the values. This document does not describe this function. + +- Click |image2| in the lower right corner of the console to switch between the new and the old consoles. The old edition does not have the function of associating a subnet with a route table. + + This document provides two sets of operation guides. (The "Getting Started" chapter uses the new console edition as an example.) + + - If you use the new console edition, see :ref:`Operation Guide (New Console Edition) `. + - If you use the old console edition, see :ref:`Operation Guide (Old Console Edition) `. + +.. |image1| image:: /_static/images/en-us_image_0239476777.png +.. |image2| image:: /_static/images/en-us_image_0226788663.png diff --git a/umn/source/service_overview/index.rst b/umn/source/service_overview/index.rst new file mode 100644 index 0000000..bbc3f01 --- /dev/null +++ b/umn/source/service_overview/index.rst @@ -0,0 +1,26 @@ +:original_name: vpc_pro_0000.html + +.. _vpc_pro_0000: + +Service Overview +================ + +- :ref:`What Is Virtual Private Cloud? ` +- :ref:`Application Scenarios ` +- :ref:`VPC Connectivity ` +- :ref:`VPC and Other Services ` +- :ref:`User Permissions ` +- :ref:`Basic Concepts ` +- :ref:`Document Usage Instructions ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + what_is_virtual_private_cloud + application_scenarios + vpc_connectivity + vpc_and_other_services + user_permissions + basic_concepts/index + document_usage_instructions 
diff --git a/umn/source/service_overview/user_permissions.rst b/umn/source/service_overview/user_permissions.rst new file mode 100644 index 0000000..6cb8791 --- /dev/null +++ b/umn/source/service_overview/user_permissions.rst @@ -0,0 +1,10 @@ +:original_name: vpc_permissions_0001.html + +.. _vpc_permissions_0001: + +User Permissions +================ + +The cloud system provides two types of user permissions by default: user management and resource management. User management refers to the management of users, user groups, and user group rights. Resource management refers to the control operations that can be performed by users on cloud service resources. + +For further details, see `Permissions `__. diff --git a/umn/source/service_overview/vpc_and_other_services.rst b/umn/source/service_overview/vpc_and_other_services.rst new file mode 100644 index 0000000..ce46e7b --- /dev/null +++ b/umn/source/service_overview/vpc_and_other_services.rst @@ -0,0 +1,18 @@ +:original_name: vpc_relationship_0001.html + +.. _vpc_relationship_0001: + +VPC and Other Services +====================== + +- ECS + + The VPC service provides an isolated virtual network for ECSs. You can configure and manage the network as required. There are multiple connectivity options for ECSs to access the Internet. You can also define rules for communication between ECSs in the same security group or in different security groups. + +- ELB + + ELB uses the EIPs and bandwidths associated with the VPC service. + +- Cloud Eye + + You can use Cloud Eye to monitor the status of your VPCs without adding plug-ins. diff --git a/umn/source/service_overview/vpc_connectivity.rst b/umn/source/service_overview/vpc_connectivity.rst new file mode 100644 index 0000000..5d8c488 --- /dev/null +++ b/umn/source/service_overview/vpc_connectivity.rst 
@@ -0,0 +1,24 @@ +:original_name: overview_0001.html + +.. _overview_0001: + +VPC Connectivity +================ + +You can use EIPs, load balancers, NAT gateways, VPN connections, and Direct Connect connections to access the Internet if required. + +- **Use EIPs to Enable a Small Number of ECSs to Access the Internet** + + When only a few ECSs need to access the Internet, you can bind the EIPs to the ECSs. This will provide them with Internet access. You can also dynamically unbind the EIPs from the ECSs and bind them to NAT gateways and load balancers instead, which will also provide Internet access. The process is not complicated. + +- **Use NAT Gateways to Enable a Large Number of ECSs to Access the Internet** + + When a large number of ECSs need to access the Internet, the public cloud provides NAT gateways for the ECSs. With NAT gateways, you do not need to assign an EIP to each ECS, which reduces management costs incurred by an excessive number of EIPs. A NAT gateway offers both the SNAT and DNAT functions. SNAT allows multiple ECSs in the same VPC to share one or more EIPs to access the Internet. SNAT prevents the EIPs of ECSs from being exposed to the Internet. SNAT supports up to 1 million concurrent connections and 30,000 new connections. DNAT can implement port-level data forwarding. It maps EIP ports to ECS ports so that the ECSs in a VPC can share the same EIP and bandwidth to provide Internet-accessible services. + +- Use ELB to Connect to the Internet If There Are a Large Number of Concurrent Requests + + In high-concurrency scenarios, such as e-commerce, you can use load balancers provided by the ELB service to evenly distribute incoming traffic across multiple ECSs, allowing a large number of users to concurrently access your business system or application. ELB is deployed in the cluster mode. It provides fault tolerance for your applications by automatically balancing traffic across multiple AZs. 
You can also take advantage of deep integration with Auto Scaling (AS), which enables automatic scaling based on service traffic and ensures service stability and reliability. + +- Use VPN or Direct Connect to Extend Your On-premises Data Center into the Cloud over the Internet + + For customers with equipment rooms in their on-premises data centers, not all businesses of the customers will be migrated to the cloud because the customers want to reuse their legacy devices and require smooth business evolution. Then, you can use VPN or Direct Connect to interconnect your VPC and on-premises data center. A VPN connection routes traffic through the Internet, which allows you to use a private network with the price of the public network. A Direct Connect connection is a dedicated, private network connection that provides you with more efficient data transmission and more consistent network experience than Internet-based connections. diff --git a/umn/source/service_overview/what_is_virtual_private_cloud.rst b/umn/source/service_overview/what_is_virtual_private_cloud.rst new file mode 100644 index 0000000..9c20c06 --- /dev/null +++ b/umn/source/service_overview/what_is_virtual_private_cloud.rst 
@@ -0,0 +1,56 @@ +:original_name: en-us_topic_0013748729.html + +.. _en-us_topic_0013748729: + +What Is Virtual Private Cloud? +============================== + +Overview +-------- + +The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable, and manageable virtual networks for Elastic Cloud Servers (ECSs), improving cloud resource security and simplifying network deployment. + +Within your own VPC, you can create security groups and VPNs, configure IP address ranges, specify bandwidth sizes, manage the networks in the VPC, and make changes to these networks as needed, quickly and securely. You can also define rules for communication between ECSs in the same security group or in different security groups. + + +.. figure:: /_static/images/en-us_image_0209606948.png + :alt: **Figure 1** VPC components + + + **Figure 1** VPC components + +Advantages +---------- + +- Flexible configuration + + You can create VPCs, add subnets, specify IP address ranges, and configure route tables. You can configure the same VPC for ECSs that are in different availability zones (AZs). + +- Secure and reliable + + Each VPC is completely logically isolated from other VPCs using the tunneling technology. By default, different VPCs cannot communicate with each other. You can use firewalls to protect subnets and use security groups to protect instances, such as cloud servers, containers, and databases. The firewalls and security groups add additional layers of security to your VPCs, making your network secure. + +- Interconnectivity + + By default, instances in a VPC cannot access the Internet. You can leverage Elastic IP (EIP), Elastic Load Balancing (ELB), NAT Gateways, Virtual Private Network (VPN), and Direct Connect to enable access to or from the Internet. + + By default, instances in two VPCs cannot communicate with each other. 
You can create a VPC peering connection to enable the instances in the two VPCs in the same region to communicate with each other using private IP addresses. + + Multiple connectivity options are provided to meet diverse service requirements for the cloud, enabling you to deploy enterprise applications with ease and lower enterprise IT operation and maintenance (O&M) costs. + +- High-speed access + + Dynamic Border Gateway Protocol (BGP) is used to provide access to various carrier networks. For example, up to 21 dynamic BGP connections are established to multiple carriers. The dynamic BGP connections enable real-time failover based on preset routing protocols, ensuring high network stability, low network latency, and smooth access to services on the cloud. + +Accessing the VPC Service +------------------------- + +You can access the VPC service through the management console or using HTTPS-based APIs. + +- Management console + + You can use the console to directly perform operations on VPC resources. To access the VPC service, log in to the management console and select **Virtual Private Cloud** from the console homepage. + +- API + + If you need to integrate the VPC service provided by the cloud system into a third-party system for secondary development, you can use APIs to access the VPC service. For details, see the *Virtual Private Cloud API Reference*.
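Review bot: In route_table.rst, the important block at the end of the hunk states that the SNAT ECS "must have the source/destination check function disabled" but never says why or what that implies; since that check is what stops a NIC from forwarding packets whose source address is not its own, the doc should state that it has to be off because the SNAT ECS forwards other ECSs' traffic, and that the SNAT ECS's security group rules then need to be reviewed as the filter for that forwarded traffic. Also in this hunk, "When you create a VPN, Direct Connect connection, the default route table automatically delivers a route" should read "When you create a VPN connection or a Direct Connect connection, ...".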
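Review bot: In shared_snat.rst, the "The differences between shared SNAT and custom routes are as follows:" paragraph and its bullet list are indented under step 2 ("Add the required outbound rule") and will render as part of that step; dedent them so they form their own paragraph after the numbered list. Minor: "provides free SNAT function" in the first paragraph should be "provides a free SNAT function".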
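Review bot: In subnet.rst, the three address ranges (10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255) follow the sentence about subnet masks with no lead-in, so they read as a continuation of the /29 statement; add a sentence such as "The VPC CIDR block must fall within one of the following ranges:" before the list. In the same sentence, "the netmask of its VPC CIDR block" should be "the netmask of their VPC CIDR block".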
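Review bot: In vpc_peering_connection.rst, "ECSs in either VPC can communicate with each other just as if they were in the same region" contradicts the preceding sentence, which already restricts peering to two VPCs in one region; the intended comparison is "just as if they were in the same VPC".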
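Review bot: In vpc_connectivity.rst, "SNAT supports up to 1 million concurrent connections and 30,000 new connections" gives the new-connection figure without a time unit (per second?), so the limit is not interpretable; confirm the rate and add the unit. Also, the third and fourth bullet titles ("Use ELB to Connect to the Internet ..." and "Use VPN or Direct Connect to Extend ...") lack the bold that the first two bullets use, and "with the price of the public network" should be "at the price of the public network".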
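Review bot: In virtual_ip_address.rst, the second application scenario ("Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP address") opens with "To ensure high availability and access to the Internet, use a VPN for security and Direct Connect for a stable connection", which reads as if VPN and Direct Connect provide Internet access; elsewhere in this patch they are described as connecting an on-premises data center to the VPC, so reword to say "access from your on-premises network". The sentence "Follow industry standards for configuring Keepalived. The details are not included here." appears in both networking modes; one occurrence after the second mode is enough.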
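Review bot: In security_group.rst, "you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group" is a comma splice; split it into two sentences or use "and these rules will apply". In the second paragraph, "can communicate with each other already without adding additional rules" would read better as "can already communicate with each other without additional rules".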
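Review bot: In what_is_virtual_private_cloud.rst, "isolated from other VPCs using the tunneling technology" should drop the article ("using tunneling technology"), and "The firewalls and security groups add additional layers of security to your VPCs, making your network secure." restates the preceding sentence; consider trimming it to "... add additional layers of security to your VPCs."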